6.4 Emergency Access Requests

When a user requires access to privileged session, database server, or to any application server but do not have rules defined, then they can request for an emergency access. The Emergency Access feature helps the users to get access to any privileged session or application for a specific duration by creating an emergency access request. An administrator of Privileged Account Manager can create rules for a user for permanent access but for emergency access the administrator need not create any rule.

A user requests for access and administrator approves or denies the request. Administrator monitors all the requests and can revoke the approved request if there is any malicious activity detected. Privileged Account Manager audits all the activities done by the user.

6.4.1 Configuring Emergency Access Settings

To configure emergency access settings, perform the following:

On the home page of the console click Settings > Server Settings > Access Requests.
Configure the following settings:

Delete Request After: Select the number of days after which the request gets deleted. The requests that are in the expired, revoked or denied state are deleted. All the approved but not expired, and the pending requests are not deleted.

Allow Grace Period of: Select the extra time period that a user is allowed, after the approved time period expires. User is notified about the expiry time so, grace period gives some time to the user to check in the password or end the session. For example, if an administrator has approved a request for an hour and configures this setting for 15 minutes, then the user can access the session or application for 1 hour 15 minutes.

Disconnect after grace period: Select this check box if you want to disconnect the connection after the grace period expires.

6.4.2 Managing Emergency Access Requests

You can analyze a user’s requests to access applications and then either grant access for a specific duration or deny the request.

If you detect any malicious activity on a resource after you grant access, you can revoke a user’s access to the resource. If you revoke a request while a user is accessing a resource, the user can continue to use the resource until the session is disconnected. However, the user will not be able to start a new session to the resource.

Settings such as the email ID to which requests are sent to, the duration after which a request must be deleted, and so on are configured by default. To change the default settings, see Configuring Emergency Access Settings.

NOTE:You cannot approve a request if a user is in the Blocked Users user group. For more information about removing a user from the Blocked Users user group, see Blocked Users.

To approve a request:

Select a pending request from > Requests. All or PENDING.
Click Approve.

Perform the following based on the type of privileged access:

For more information on the completing the prerequisites in Credential Vault, see Section 9.0, Integration with External Services.

Request Type	Actions
Windows	Connection Type: Select SSO when you need privileged single sign on access to Windows. When you select this option you get single sign on access through Privileged Account Manager proxy as well as Privileged Account Manager credential provider. Select Direct Access when you want to access the Windows directly using the server credentials.
Windows Web Access	Connection Type: Select the application or computer you want to access. Select Web Access when you want to access the Windows directly using the server credentials. Select > Active Sessions to view the active sessions.
SSH/Telnet	Connection Type: Select SSH or Telnet based on the connection method the target system supports. Enable X11: Select this option to get X11 application access through SSH.
SSH Web Access	Connection Type: Select SSH or Telnet based on the connection method the target system supports. Select > Active Sessions to view the active session.
Privileged Shell	In Credential Vault: Register the target machine for which the request is sent, as an agent. Set up the user’s account on the target machine. Specify the required Run User. Specify the name of the user as whom a requesting user can start the session. For example, if the requesting user wants to run the session as root, specify Run User as root.
Database	Database: Select the database you want to access. Password Checkout: Select this option to check out credentials to access the database. Database Access: Select this option when you know the credentials to access the database but you need access to the database through Privileged Account Manager proxy.
Applications	In Credential Vault, configure the Resources for the required application. To share the application’s host details with the user as a part of the approval comment, select the Send Run Host ID to the User check box.
Application SSO	In Credential Vault, add the application credential for application SSO using RemoteApp mode or direct access mode. Based on the type of application SSO modes, do one of the following: RemoteApp Mode Select RemoteApp and select the required credential. Select the domain user created for SSO. For more information about creating users, see Creating an Active Directory User. Select the application credential for SSO. (Conditional) Select Video Offload to convert session images to video in a video off-load server. Direct Access Mode Clear the RemoteApp check box. Select the application credential for SSO. Select Video Offload to convert session images to videos in a video off-load server. Create direct RDP and run as privileged user rules. For more information on creating these rules, see Adding a Direct RDP Rule and Adding a Rule to Run Application as a Privileged User.
Application SSO Web Access	Connection Type: Select the application or computer you want to access. Select Web Access when you want to access the Windows directly using the server credentials. Select > Active Sessions to access the active session.
Application Credential	Application: Select the application for which you want to get the credentials.

Click Approve.

6.4.3 Creating Emergency Access Requests

To create an emergency access request:

From > Requests > New Request.
Select the required target.

Configure the following based on the selected target:

Target	Actions
Windows	Select the Connection Type as follows: Select the SSO when you need privileged single sign on access to Windows. When you select this option you get single sign on access through PAM proxy as well as PAM credential provider. Select Direct Access to access Windows directly using the server credentials.
SSH/Telnet	Select the Connection Type as SSH or Telnet based on the connection method the target system supports.
Database	Select the required database. Select Credential Checkout to check out credentials to access the database. Select Database Access when you know the credentials to access the database but you need access to the database through PAM proxy.
Privileged Shell	Choose this option to get elevated access to the UNIX/Linux workstation using your local credentials.
Application SSO	Select this option if you need SSO access to an application or a Windows machine.
Application Credential	Select this option if you need credentials to access an application.

Specify the following details for all the target resources:
1. Specify the hostname or IP address of the target resource which you want to access, wherever applicable.
2. Select Normal User to access the resource without any privileges or select Super User when you want privileged access to the resource.
3. Specify the duration for which you want access to the resource.
4. Specify the email address for receiving notification about the status of the request.
Click Create.

You will receive an email notification after a request is created. Whenever the status of the request changes, you will receive a notification and an email.
From Requests to view emergency requests.