Requesting login access

Users who are assigned to a role with the appropriate administrative rights can see the systems, domains, databases, and accounts where they have View permission in the Privileged Access Service.

What you can do when you select a system, domain, database, or account will depend on the additional permissions you have been granted. For example, if you don’t have the Login permission granted, you cannot log on to target systems using stored account information. However, if one or more accounts are configured to use a “request and approval” workflow, you might be able to request access to a target system. Your request is sent to a designated user or member of a designated role for approval. It is at the approver’s discretion to approve or reject your request, and if approved, to grant you permanent or temporary Login permission.

If your request is approved and you are only temporarily granted the Login permission, you will have a limited period of time in which to log on to the selected system using the selected account. If you are granted temporary Login permission, you can continue to use the session on the target system after the approved period of time expires. If you exit the session, however, and attempt to log on after the temporarily approved period expires, you must submit a new access request.

To request login access:

  1. In the Admin Portal, click Resources, then click Systems, Domains, or Accounts to locate the account combination to which you want to request access.

    For example:

    • Click Systems if you want to search or filter the systems listed based on the system name or system type.
    • Click Domains if you want to search or filter the domains to which you want access.
    • Click Accounts if you want to search or filter the accounts listed by account name or check the account health before requesting access.
  2. Select the account you want to use to log on to the target system or domain.

    Depending on how you navigate to the Actions menu, you can request access to an account in one of two ways:

    • If you open the Actions menu for a system, you can click Select/Request Account to search for and select the account you want to use.
    • If you open the Actions menu for a specific account, you can click Request Login to request access to that account.
  3. Type the business reason for requesting permission to log on to the selected system using the stored account information.

  4. Select whether you are requesting permanent access or access during a specific window of time.

    If you select Windowed access, specify the start date and time and the end data and time.

  5. Click Submit.

    An email notification of your request is sent directly to the designated approver and your request will be displayed on the Requests tab in the Admin Portal.

  6. Click the Requests tab to see the status of your request.

    You will also receive an email notification when you request is approved or denied. If your request is approved and you have been granted temporary access, you will have a limited time to select the system and account combination and the Login action. If you have been granted temporary access and the approval period expires before you log on, you can submit a new request.

Maintaining an active session after approval

If your request is approved and you log on successfully before a temporary approval period expires, there’s no time limit on your active session. However, an administrator with the appropriate permission can terminate the session.

In addition, you can log on multiple times during the approval period, if needed. For example, if you must restart a computer multiple times for maintenance—such as the installation or removal of software—you can do so until the request temporary approval period expires.

If you expect maintenance to require you to log on multiple times, you might want to request access for a specific window of time such as over a weekend or during a period when you know there will be little network activity.