Requiring re-authentication to run commands

After a user authenticates successfully at login, you can control whether running a command in a restricted shell or with elevated privileges requires re-authentication. If you want to require re-authentication, select the authentication rules to apply. When defining the rights for executing commands, you can select from the following authentication options:

  • No re-authentication required

    Select this option to allow users to run the command without any additional authentication.

  • Re-authenticate current user

    Select this option to require the user to re-authenticate with their own credentials before running the command. If you select this option, you can also specify what re-authentication requires: the user's password, their password and another form of authentication, or multi-factor authentication as determined by the authentication profile configured in Privileged Access Service, which might or might not involve providing a password.

    If you select both Use password and Require multi-factor authentication for login, users are prompted to type their password and provide another form of authentication before the command is executed. If you have configured the authentication profile to accept more than one type of authentication challenge, users are prompted to select the authentication method to continue.

  • Re-authenticate using the target user’s password

    Select this option to require the user to re-authenticate with the target run-as user’s credentials before running the command.