Can I force PAM to require more than one approver in the Password View Policy definition?

Article ID: 131218

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Due to internal security policies, some installations may require that two or more people approve a "password view/use" request before the password is made available to the requesting user.
This document covers that scenario for PAM.

Can I force PAM to require more than one approver in the Password View Policy definition?

Environment

Applies to any PAM release as of July 2023.

Resolution

PAM server versions as of July 2023 only enforce a single admin approval, and this is not expected to change in the near future. An enhancement request to add such a feature was opened in the past but was rejected. It may be revisited due to renewed interest from customers.

PAM supports integration with service desks. With such an integration, a password view policy can be configured to require the PAM user to supply a request ID, and PAM will allow the credential view only if the request is in one of the allowed states, such as Approved. The complexity of the approval process is then controlled by the service desk implementation.

Alternatively, the PAM user can be required to provide a ticket number in the approval request, and the PAM approver would use that ticket number to confirm that the requester has the additional approvals required.