PAM 4.3 - Credentials check-out for personal privileged account: Best Practice

Dear Community,

PAM 4.3 on Linux.

We have the following requirement:

  • Users typically have two accounts
    • Personal standard user account, e.g. usr_psmith (for daily business tasks)
    • Personal privileged account, e.g. adm_psmith (for privileged / administrative tasks, e.g. AD delegated admin account)
  • Users with such a privileged account should log in to the PAM User Portal with the default user usr_psmith and then be able to check out the credentials of adm_psmith for privileged tasks.
  • After completing the privileged tasks, the users check back in the credentials.
I know the basic functionality of credential management in PAM and the check-in/check-out per se works fine. We can also automatically create the hosts/credentials in PAM. But we are struggling on how to set up the policies/rules efficiently.

What would be the "best practice" approach to setting up policies (access control) so that users who have a personal privileged account can then "automatically" check out the credentials in the portal? From what I have seen so far regarding access control policies, these are rather "static" in nature and we would need a dedicated policy/assignment per user so that only the personal privileged account is selectable in the portal.

Do you have any ideas on how to set this up more efficiently? Alternative approaches are very welcome too, if there is a better way of doing things.

Thanks and best regards,

Philipp