Assigning policy-based access to users
Active Mapping is a policy-based access model that helps eliminate the misuse of privileged accounts by enforcing precise policies and controls. You define and enforce rules that govern who can access which accounts and under what conditions. Because access policies are defined between user groups and account groups, you tighten security without having to assign privileges individually or grant more privilege than a user needs.
Only users with administrator privileges can manage and edit the Active Mapping configuration. Active Mapping acts as the authorization engine for your PAM system.
The typical enterprise has a set of named privileged accounts for users and a set of shared and default privileged accounts and service accounts associated with multiple assets. Defining policies for handling such accounts can be painful and time consuming. This section provides guidelines for managing different types of privileged accounts.
This chapter contains the following:
Managing access to shared privileged accounts
Failing to manage shared passwords adequately can expose organizations to serious vulnerabilities, particularly in the case of shared or default privileged accounts such as root and Administrator. Keeping track of privileged users and shared access accounts is essential for accountability. This section describes how you can manage access to shared privileged accounts with accountability and control.
Select the user group(s) you would like to link with the account group(s). Doing so will allow users to access the accounts available in the respective account group.
Use the 'View entitlements' option to view the list of entitlements available to users under this mapping at a given point in time.
Managing access to named privileged accounts
It is recommended to use named privileged accounts for users. Sectona can automatically assign these accounts to users by linking them through the naming convention you already use for privileged accounts in your normal operations.
For example, John, a Windows administrator, uses john.doe as his Active Directory account to authenticate to his personal computer and other resources in the environment, but uses the john.doe_admin account to perform privileged activities. Supposing all Windows privileged accounts are part of the same account group and you want to link each user only with their own privileged account, use the following steps to define such a rule:
In the 'Active Mapping' section, click on 'New Active Mapping', define a rule name and description for this rule.
Select the user group(s) you would like to link with the account group(s). Doing so will allow users to access the account available in their respective account group(s).
Additionally, define the naming pattern that links user accounts with their respective named privileged accounts. For example, %Username%_admin.
Every Active Mapping is enabled by default when created.
Use the 'View entitlements' option to view the list of entitlements available to users under this mapping at a given point in time.
Managing exclusive access to privileged accounts
In most administrative environments, administrators are part of multiple groups and may require access to specific target servers or devices with specific privileged accounts. Sectona handles this scenario with the easy-to-configure 'Exclusive Only' option when configuring Active Mapping.
For example, John is part of the Windows Administrator group, which has access to 10 Windows servers according to its account group. As a member of the L1 support team, John needs read-only access on 5 of those servers and full administrative access on the remaining 5. Such exclusivity, granting specific privileged account access to specific users, is provided by the 'Exclusive Only' option.
In the 'Active Mapping' section, click on 'New Active Mapping', define a rule name and description for this rule.
Select the user group(s) you would like to link with the account group(s), then select the 'Exclusive Only' option. With this option, the accounts of the selected account group(s) are made available only to the individual users you pick from the user group(s), not to every member.
Now, in the 'Exclusive Access' section, select the specific user group and account group and click search. This populates the list of users from the selected user group.
Select the specific user to whom you need to give specific account access on the target server/device.
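To make the three mapping types above concrete, the following is an added illustrative model of how an authorization engine resolves entitlements from group-to-group rules, a `%Username%_admin` naming pattern, and an exclusive-only rule. It is example code written for this page, not Sectona's implementation; the group names, accounts and users are constructed sample data.

```python
# Illustrative model of Active Mapping entitlement resolution (constructed
# example, not Sectona's code). A rule links user groups to account groups;
# an optional naming template such as "%Username%_admin" narrows each user
# to their own named account; an exclusive-only rule grants access only to
# the users explicitly listed for it.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Rule:
    name: str
    user_groups: Set[str]
    account_groups: Set[str]
    template: Optional[str] = None          # e.g. "%Username%_admin"
    exclusive_users: Optional[Set[str]] = None  # 'Exclusive Only' user list
    enabled: bool = True                    # rules are enabled by default


def entitlements(user: str, memberships: Dict[str, Set[str]],
                 accounts: Dict[str, str], rules) -> Set[str]:
    """Return the privileged accounts `user` may use ('View entitlements').

    memberships: user -> set of user groups (hypothetical directory data)
    accounts:    account name -> account group it belongs to
    """
    granted: Set[str] = set()
    for rule in rules:
        if not rule.enabled or not (memberships.get(user, set()) & rule.user_groups):
            continue  # rule disabled, or user is not in any linked user group
        if rule.exclusive_users is not None and user not in rule.exclusive_users:
            continue  # exclusive-only rule: this user was not selected
        for acct, grp in accounts.items():
            if grp not in rule.account_groups:
                continue
            # Named-account rule: only the account matching the template
            if rule.template and acct != rule.template.replace("%Username%", user):
                continue
            granted.add(acct)
    return granted


# Constructed sample data mirroring the page's scenarios.
MEMBERSHIPS = {"john.doe": {"Windows Administrators", "L1 Support"},
               "jane.roe": {"Windows Administrators", "L1 Support"},
               "sam.lin": {"Linux Admins"}}
ACCOUNTS = {"john.doe_admin": "Windows Admin Accounts",
            "jane.roe_admin": "Windows Admin Accounts",
            "root": "Linux Shared",
            "ro_srv01": "Windows ReadOnly", "ro_srv02": "Windows ReadOnly"}
RULES = [Rule("Shared root", {"Linux Admins"}, {"Linux Shared"}),
         Rule("Named Windows admin", {"Windows Administrators"},
              {"Windows Admin Accounts"}, template="%Username%_admin"),
         Rule("L1 read-only (exclusive)", {"L1 Support"}, {"Windows ReadOnly"},
              exclusive_users={"john.doe"})]
```

Running `entitlements("jane.roe", MEMBERSHIPS, ACCOUNTS, RULES)` shows why the exclusive-only rule matters: Jane is in L1 Support too, but only John was selected, so she receives just her own named admin account.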