This article provides further information on using Secret Server. For information on what a Privileged Access Management System (PAM) is, or why to implement one, review the help article General Information on Secret Server.
Approval
When a secret is created, you can go to the security tab of that secret and enable the Approval feature, which requires users to get approval before they can access the secret. You can then define which users need to request approval, define the workflow steps of the approval, and assign which users can grant approval. All approval requests appear in the Inbox section for users assigned as approvers. Users can also request more time once their initial access has been approved by an approver.
Why Implement a Privileged Access Management System (PAM)?
As the cyber world grows, so do cyber-attacks, specifically account-based attacks. If one administrative account is compromised, an attacker could have access to shut down critical resources. This is why PAM is so pivotal in adding that extra layer of account security. PAM helps against:
- Lack of visibility and awareness of privileged users, elevated access, accounts, assets, and credentials
Revoke approval
To revoke a user's granted approval to a secret, an assigned approver can go into the inbox, click on the drop-down of the pending review tab, and click on the approval tab to see the history of approvals and revoke any active approvals.
Check Out
Along with the Approval feature, there is also the Check Out feature, which can be found in the security tab of a secret. When enabled, it requires a user to check out a secret before they can access it. This allows only one user at a time to have access to that secret. When enabling this feature, you can set a custom time for how long a Check Out should last. A user can Check In a secret at any time once they have checked it out. If both Approval and Check Out are enabled, a user must gain approval from an approver before they have the option to check the secret out.
Secret Deactivation
To deactivate a secret you no longer wish to use, navigate to the dashboard, where there is a list of the secrets created. (If a secret needs to be erased, the administrator must erase the secret.) Check the box to the left of the secret. Once the box is checked, a message will pop up at the bottom of the dashboard with a button called Bulk Actions. A new menu box will pop up, and there the deactivate button will be found. If you do not have permission to re-activate an account, contact the administrator.
Technical Links