Comprehensive privileged account management
Grant only the privileges users need, when they need them
Privileged Account Manager delivers privileged user control, tracking and auditing for all credential-based systems, including:
- Applications (e.g. SAP System)
- Databases (e.g. Microsoft SQL database, Oracle DBMS)
- Cloud services (e.g. Salesforce.com)
- Secure Keys (e.g. Office license keys)
- UNIX, Linux and Windows platforms
- Virtual servers (e.g. VMWare ESXi)
With Privileged Account Manager, you centrally define rules for allowing or denying user activity based on a combination of user name, typed command, host name and time (who, what, where and when).
By managing account privileges in this way, you can control what commands users are authorized to run, at what time, and from what location. And since all user activity is recorded, you can quickly identify suspicious activity and take immediate preventative action.
How Privileged Account Manager works for operating systems
- UNIX, Linux and Windows commands submitted by the system administrators are captured by the Command Control Agent, and passed to the Command Control Manager.
- The commands are validated against the rule database to determine authorization. During this process, the commands, the submit user, the host, the run host requested and the date/time are correlated with existing rules in the database. If authorized to run, the command is executed on the target host.
- The result of the authorization is sent to the event log.
- The signed data with its authorization is sent back to the Command Control Agent.
- If authorized, the Command Control Agent forwards the data to the target host, which executes the command with the relevant permissions.
- If the session capture feature is enabled, all data transferred between the application and user terminal is logged to the audit system.
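The authorization flow above, as an added sketch (not Privileged Account Manager's code or rule format): ordered who/what/where/when rules with default deny, and an agent that checks the manager's signed decision before running anything. The rule fields, first-match ordering, HMAC signing and shared key are assumptions made for illustration.

```python
import fnmatch, hashlib, hmac, json
from datetime import datetime

# Hypothetical rule set, constructed for illustration (not the product's rule format).
# Rules are checked in order; the first match wins and anything unmatched is denied.
RULES = [
    {"user": "dba_*", "command": "systemctl restart postgresql*", "host": "db-*",
     "hours": (8, 18), "allow": True},
    {"user": "*", "command": "rm -rf *", "host": "*", "hours": (0, 24), "allow": False},
    {"user": "ops_alice", "command": "*", "host": "web-0?", "hours": (0, 24), "allow": True},
]
MANAGER_KEY = b"constructed-demo-key"  # assumption: key shared by manager and agent

def authorize(user, command, run_host, when, rules=RULES):
    """Manager side: correlate who/what/where/when with the rules; default deny."""
    decision = {"user": user, "command": command, "run_host": run_host,
                "time": when.isoformat(), "allow": False, "rule": None}
    for index, rule in enumerate(rules):
        start, end = rule["hours"]
        if (fnmatch.fnmatchcase(user, rule["user"])
                and fnmatch.fnmatchcase(command, rule["command"])
                and fnmatch.fnmatchcase(run_host, rule["host"])
                and start <= when.hour < end):
            decision.update(allow=rule["allow"], rule=index)
            break
    payload = json.dumps(decision, sort_keys=True).encode()
    signature = hmac.new(MANAGER_KEY, payload, hashlib.sha256).hexdigest()
    return payload, signature  # the same pair would also be written to the event log

def agent_accepts(payload, signature, command, run_host):
    """Agent side: run only if the signature verifies and covers this exact request."""
    expected = hmac.new(MANAGER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False  # decision was altered after the manager signed it
    decision = json.loads(payload)
    return (decision["allow"] and decision["command"] == command
            and decision["run_host"] == run_host)

if __name__ == "__main__":
    p, s = authorize("dba_bob", "systemctl restart postgresql", "db-01",
                     datetime(2024, 1, 15, 10, 0))
    print(json.loads(p), agent_accepts(p, s, "systemctl restart postgresql", "db-01"))
```

Because the deny rule for `rm -rf *` sits above the broad `ops_alice` allow rule, it wins; reversing the two would silently permit the command, which is why rule order deserves review in any first-match policy.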
How Privileged Account Manager works for applications
- The user requests access to an application, giving sufficient reasoning and a specific duration of time.
- Command Control validates the user’s application access against the rule database to determine authorization, following the same process as described in the “How Privileged Account Manager works for operating systems” description above.
- The user can now check out the credential and view a temporary credential.
- The user can now access the system and perform activities using the credential.
- Once activities are complete, the user must check the credential back in.
- Once check-in is complete, the credential vault will reset the password in the target system so that the user may not access it again.
- All of these activities are audited.