Can I force PAM to require more than one approver in the Password View Policy definition?

Article ID: 131218

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

Due to internal security policies, some installations may require that two or more people approve a "password view/use" request before the password is made available to the requesting user.
This document covers that scenario when PAM is involved.

Can I force PAM to require more than one approver in the Password View Policy definition?

Environment

Any PAM server version up to the current one (version 3.2.4 at the time this document was written).

Resolution

Unfortunately, this is not currently possible with the present PAM server versions (up to 3.2.4): PAM can only enforce a SINGLE admin approval, not 2 or more admin approvals.

Below are the 3 different processes that can come into play in the current PAM version:
  1. Standard password use/view: just use/view the password, with no additional requirements. The user is allowed to view the password without any condition.
  2. Re-authenticate on password view/use: the user is required to enter their own password again during checkout (the first authentication is the PAM login; the second is the authorization prompt when using the password). This helps if someone walks away from an unlocked workstation while logged into PAM.
  3. Dual Authorization: sends a request to all admins listed in the configuration, but ONLY 1 authorization is required to allow the view. There is currently NO way to specify that 2 or more approvals are required; if 2 or more approvals are needed, that would require an enhancement.
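To make the difference between the Dual Authorization behaviour PAM has today (any 1 of the listed admins) and the two-person rule the question asks for (2 or more distinct admins) concrete, here is an added model written for this article; it is not PAM code, and the class, function and admin names are assumptions made for illustration only.

```python
from dataclasses import dataclass, field

# Constructed model of PAM's "Dual Authorization" password view policy.
# PAM up to 3.2.4 behaves as required_approvals=1; a value of 2 or more
# models the enhancement the article says does not exist yet.
# Class and function names are assumptions for illustration, not PAM's API.

@dataclass
class DualAuthorizationPolicy:
    approvers: frozenset          # admins listed in the policy config
    required_approvals: int = 1   # PAM today: always exactly 1

@dataclass
class ViewRequest:
    requester: str
    approvals: set = field(default_factory=set)   # distinct admins who approved

def record_approval(policy, request, admin):
    """Record one admin's approval; returns True if it was accepted.
    Only configured approvers count, and a set keeps each admin to one
    vote, so one person re-approving cannot satisfy a 2-of-N quorum."""
    if admin not in policy.approvers:
        return False
    request.approvals.add(admin)
    return True

def is_authorized(policy, request):
    """The requester may view the password once the quorum is met."""
    return len(request.approvals & policy.approvers) >= policy.required_approvals

def compare_policies():
    """Walk the same request through the 1-of-N behaviour PAM has today
    and the 2-of-N behaviour a two-person rule needs. Returns a dict of
    stage -> (authorized under current PAM, authorized under 2-of-N)."""
    admins = frozenset({"alice", "bob", "carol"})   # constructed admin list
    current = DualAuthorizationPolicy(admins)                       # PAM 3.2.4
    two_person = DualAuthorizationPolicy(admins, required_approvals=2)
    req = ViewRequest(requester="dave")
    result = {}
    record_approval(current, req, "alice")            # first admin approves
    result["after_alice"] = (is_authorized(current, req), is_authorized(two_person, req))
    record_approval(current, req, "alice")            # same admin again: no change
    record_approval(current, req, "erin")             # not a configured approver: rejected
    result["after_repeat"] = (is_authorized(current, req), is_authorized(two_person, req))
    record_approval(current, req, "bob")              # second distinct admin
    result["after_bob"] = (is_authorized(current, req), is_authorized(two_person, req))
    return result
```

The "after_repeat" stage is the point that matters for a two-person rule: repeated approvals by the same admin, or approvals from someone not in the configured list, must not move the count.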

Additional Information

See also: