PAM - Approval process only when using JiT Elevation, or choose between PAM accounts on RDP Connections.
4 votes
Requesting/Sharing my idea for Check out policies to include check out options for accounts with JiT elevation. Instead of having a PAM account notify approvers for both a standard account, and the JiT, have the option to auto-approve if standard, or notify approvers if JiT is selected for the account.
Another idea is to allow choosing between different PAM accounts for connecting to RDP connections within RDM, instead of just one PAM account.
Thank you!
The first option is a good one. We use PAM to check out the admin-username account with limited rights, so no approval is necessary. However, when a user wants to become a domain admin, I can imagine that a JIT approval workflow would be the best approach.
Hello,
Thank you both for the request. I understand your request, and it makes sense. It is an improvement that I will suggest for our next development cycle, we will see how it fits with our priorities. We will post back here once we have an update.
Best regards,
François Dubois
Thanks Francois, I look forward to the release with the adjustment.
As well, I would love to see this functionality. We have a similar configuration to Freddy1, where named accounts with 'some' privilege are managed in our PAM vault. Giving them the distinct ability to JIT elevate but requiring approval, or at minimum, a Ticket ID, would be great.
Hello Jchilds,
Thank you for adding your interest. I just want to be sure that I understand correctly. When you said
or at minimum, a Ticket ID, would be great.
Do you mean that it could be useful to have the Ticket ID mandatory only if a user requests JIT elevation? If the user doesn't request a JIT elevation, the ticket would not be mandatory. Am I right?
Best regards,
François Dubois
Correct. In full, only requiring a mandatory field AND possibly approval when a user requests JIT elevation. Without elevation neither would be required.
Thanks,
J
Hello,
Thank you for your answer and this addition. We will consider the ticket field as well when we work on that.
Best regards,
François Dubois
We would like to extend the request.
It would be great if it were possible to define a different workflow for a JIT release.
For example, the user checks out a password where no approval is required. If he gets the DomainAdmin via JIT, this requires an approval.
Any news about this feature?
Hello,
We have modified the flow to account for conditional access policies that we are introducing, as well as privilege sets to limit groups allowed to JIT for certain users.
I think it would be appropriate to wait for comments on what is coming out in 2025.3 in a few months. I think that your concerns for JIT approval will be addressed.
As for the ticket part, we haven't modified it yet.
Best regards,
Maurice