IAM Business Accelerator for Privileged Identity Scenarios - Application Admins need Ad-hoc privileged access

Privileged Identity Scenario 2: Application Admins need Ad-hoc privileged access

Summary

To ensure accountability (who did what using which ID?), reduce the risk of sabotage by external and internal threats, and maintain compliance (government, industry-specific, and business regulations) for privileged and shared identities, organizations need to analyze how privileged identities are distributed and used, implement a solution that ensures only authorized users get access to an identity, only for the time they need it, and make sure that the solution provides sufficient tracking, reporting, and auditing capabilities to demonstrate compliance.

This series of documents describes various privileged identity scenarios and how they can be addressed using the IBM solution.

This particular document describes implementation details for scenario 2: Application Admins need Ad-hoc privileged access.

1. Introduction

IBM Security Privileged Identity Manager provides a solution for organizations that helps protect, manage and track privileged IDs. Its key capabilities include:

· Centralized administration, secure access, and storage of privileged shared account credentials.

· Role-based access control for shared accounts.

· Lifecycle management of shared accounts ownership.

· Ability to change password on every check in.

· Single sign-on through automated check-out and check-in of shared credentials.

· Auditing of shared credentials access events.

· Integration with the broader Identity and Access Management Governance portfolio.

 

Most organizations do well with a blend of individual and shared privileged IDs that offer the optimal combination of security, convenience, and productivity.

 

Refer to section “Privileged IDs and why they are a problem” of IBM Security Privileged Identity Manager Technical White Paper for more details about the challenges and risks with these approaches.

 

Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper describes the scenarios and their deployment models at a high level. This document describes this scenario, its deployment models, and how it can be implemented using the IBM solution.

2. Scenario: Application Admins need Ad-hoc privileged access

The customer has a number of enterprise servers hosting applications (for example, databases), where the owners of the servers are different from the administrators of the applications running on those hosts.

These application admins need occasional access to the servers to perform certain tasks (restart services, patch software, restart the server, and so on) that require a limited set of privileges.

The actual owner(s) of the servers is responsible for setting up shared accounts (with limited privileges) on each server, to be used by one or more groups of app admins. He does not want to keep track of who is an app admin, but he does want to approve the access each time an app admin checks out the shared account. He wants the app admins to enter a justification and the ticket number associated with the check-out request. He later wants to be able to review audit logs of who used which account over which period of time.

The security admin is responsible for maintaining/tracking which employees hold which app admin roles.

3. Scenario Implementation

3.1 Before you begin

Refer to the “IAM Business Accelerator for Privileged Identity Scenarios - Install and configuration guide for Privileged Identity Manager deployment” for personas, details about protected resources, and install and basic configuration steps. This article describes the additional configuration and setup required for this scenario.

 

3.2 Deployment Environment

3.2.1 Personas

Jason: System owner and System Admin

Phillip: Application Admin

Antonio: Manager of IT Support department

3.2.2 Protected resources and accounts

The following privileged account will be requested by application administrators:

· appAdmin

 

3.3 High level implementation details

For high level implementation details, see section “2.2 Scenario 2: Application Administrators need Ad-hoc privileged access” of Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper.

 

3.4 High level scenario flow

1. Phillip checks out the appAdmin id by specifying a justification and ticket number

2. Jason gets notified via email. He approves the request.

3. After approval, Phillip gets notified. He views the password and logs into the Windows System. He checks in the id after he is done.

4. Password is automatically changed after check in

3.5 Additional Configuration

This section provides step by step information about the required configuration.

1. Adopt Windows Server account and add to Credential Vault

2. Setup Shared Access Policy

3. Customize checkout operation with approval

4. Customize the checkout form with ticket number

5. Customize checkout operation with ticket number as an additional attribute



1. Adopt Windows Server account and add to Credential Vault

Adopt the appAdmin account and add it to the credential vault.

o Login to ISIM Console as an administrator (ITIM Manager).

o Go to 'Manage Services'. Select the 'Accounts...' option from the context menu of the service 'Enterprise Windows Local Server' and look for the 'appAdmin' account.

o Select the 'Assign to user...' option from the context menu of the account 'appAdmin'.

o Select user 'Jason' from the users table and click 'Continue'.

o Select 'System' as the ownership type for the account, click 'Continue', and then confirm the updates on the confirmation screen.

o Again open the accounts of 'Enterprise Windows Local Server' and search for 'appAdmin'. Select the 'Add to Vault...' option from the context menu. This takes you to the 'Add Credential to Vault' page.

o Select the options 'Automatically generate a new password. This is the preferred option.' and 'Require the checkin and checkout process for shared IDs'.

o Set 'Maximum Checkout Duration' to 1 hr.

o Keep the other parameter values at their defaults and click 'Continue'.

o Provide a 'Justification' and click 'Submit'.

 

2. Setup Shared Access policy

Create a shared access policy named 'Application Admins Shared ID policy'.

o Login to ISIM Console as an administrator (ITIM Manager).

o Go to 'Manage Shared Access' → 'Manage Share Access Policy' and click the 'Create' button.

o Create a shared access policy as described in the following steps:

§ 'General Information' tab

· Policy name - 'Application Admins Shared ID policy'

· Description - 'Use Application Admin Shared IDs allowed only for application developers and cron jobs'

· Policy status – 'Enabled'

· Business Unit - JK Enterprises

· Make policy available to credentials and credential pools in - 'This business unit and its subunits' and Click 'Members'

§ 'Members' tab

· Member Type – All

§ 'Entitlements' tab

· Entitlements - add 'appAdmin'

o Click 'Finish' to create the shared access policy.

 

 

3. Customize checkout operation with approval

Log in to ISIM Console as an administrator (ITIM Manager) and perform the following steps:

Select Configure System -> Manage Operations. Select 'Global' under Operation Level and click 'Add'. Make a note of the name you assign to this operation; this name is entered in the Shared Access Module default settings later.

In the operation level properties dialog, add relevant data for credential, credential lease, account and person in the Input Parameters section:

The complete set of relevant data required for the operation is shown below.

 

Add an Approver Node to this workflow.

Double click on the Approver Node to launch its properties dialog. The following properties are set for the approver node (note the Participant and Entity Type parameters):

 

Now, add an Extension Node to this workflow.

From the extension node properties dialog, select the checkout extension. Map the required input parameters to the checkout operation's relevant data. If you do not see the checkout extension in the extension drop-down list, the Shared Access Module is not enabled.



 

Now join all the workflow elements as shown following:

 

Make sure that the transition line from the "CheckOutApproval" node to the "CheckoutOperation" node has its Condition value set to "Approved".

Make sure that the transition line from the "CheckOutApproval" node to the "End" node has its Condition value set to "Rejected".

Once all the changes are made, click the "Update" button.

Click "Apply" and then "Ok".

Steps to associate the custom checkout operation:

  1. Log in to ISIM Admin Console.
  2. Go to "Manage Shared Access" => "Configure Credential Default Settings".
  3. Expand the section "Check Out Operation".
  4. Specify the name of the checkout operation that you noted while creating the custom checkout operation (see the previous section).
  5. Click Submit.

All the steps above configure a custom checkout operation that runs an approval workflow before the credential is checked out.

 

4. Customize the checkout form with ticket number

  1. Login to ISIM console as an administrator (ITIM Manager).
  2. Under Configure System, click Design Forms.
  3. From the left-hand list of entities, double click on "Credential Lease".
  4. Click on the "Credential lease" form.
  5. From the right-hand Attribute list, double click on "ercustomattribute1" to add this attribute to the form.
  6. Rename the attribute label to "Ticket Number" in its Properties window on the right-hand side.
  7. Save the change made to the form and close the form designer.
  8. From the <ISIM_HOME>/data location, open the CustomLabels.properties file in an editor.
  9. Search for the "ercustomattribute1" attribute and set its value to "Ticket Number".
  10. Repeat steps 8 and 9 for the CustomLabels_en.properties file in the <ISIM_HOME>/data location.
  11. Restart the ISIM server.

Snapshot of the customized Credential Lease form:

 

5. Customize checkout operation with ticket number as an additional attribute

Log in to ISIM Console as an administrator and perform the following steps:

Select Configure System -> Manage Operations and select the customized checkout operation.

Double click on the Approver Node to launch its properties dialog.

Click on the Notification tab of the approver node. Modify its Text script so that a customized "Description" text, the "Ticket Number" and the "Justification" text are displayed when Jason views the approval request in the ISIM SelfCare UI.

 

Now click on the XHTML tab and set the e-mail notification contents so that the "Description", "Ticket Number" and "Justification" texts are displayed in the approval email.

 

Once all the changes are made, click the "Update" button.

Click "Apply" and then "Ok".

All the steps above configure Ticket Number as an additional custom attribute of the custom checkout operation that contains the approval workflow.

 

3.6 Limitations

The customized checkout process (approval, email notifications, etc.) is skipped in automated mode.

4. Scenario playbook

1. Phillip checks out the appAdmin id by specifying a justification and ticket number

1. Log in to ISIM Self Service UI as user Phillip.

2. Select "Check out credential" from the My Shared Access section.

3. Select the appAdmin credential from the list.

4. Specify the Justification details and the Ticket number.

5. Click Checkout.

6. Click on “View My Requests” to review the request status. It should be in the “In Process” state.

7. Log out from the Self care UI.

 

2. Jason gets notified via email. He approves the request.

1. Jason gets an email and clicks on the URL in the email to approve the request.

2. Alternatively, log in to ISIM Self Service UI as Jason and select “Approve and review requests”.

3. Review the request details (requestee, subject, justification, ticket number, etc.).

4. Enter a comment and approve the request.

3. After approval, Phillip gets notified. He views the password and logs into the Windows System. He checks in the id after he is done.

1. Phillip gets an email.

2. Log in to ISIM Self Service UI as user Phillip.

3. Select "View Password” from the My Shared Access section.

4. Select the appAdmin credential from the list.

5. Note down or copy the password and log out.

6. Phillip can now log in to the Windows Server using the appAdmin id and password.

7. To check in the id, log in to ISIM Self Service UI as Phillip.

8. Select “Check in Credential” from the My Shared Access section.

9. Select the appAdmin id and click on “Checkin”.

10. Click “Submit” on the confirmation page.

 

4. Password is automatically changed after check in

1. Phillip tries to log in again to the Windows Server using the appAdmin id and the old password. The login fails, because the password was changed automatically at check-in.
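The scenario flow in section 3.4, the Approved/Rejected transitions of the custom checkout operation in section 3.5 (step 3), and the playbook above can be read as one state machine: a lease goes from "in Process" to "Approved" or "Rejected", an approved lease is usable only by its requester and only within the 'Maximum Checkout Duration', and check-in rotates the password so the old one stops working. The following Python model, written for this article as an added example and not IBM PIM/ISIM code, plays the four playbook steps plus a rejected and an expired request. The class and function names (CredentialVault, Lease, run_scenario) are hypothetical; the vault, the approval workflow and the Windows server are collapsed into one object, and the automated mode mentioned in section 3.6 is not modelled.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_CHECKOUT = timedelta(hours=1)  # 'Maximum Checkout Duration' of 1 hr, section 3.5 step 1


@dataclass
class Lease:
    """One credential lease; ticket_number plays the role of ercustomattribute1."""
    credential: str
    requester: str
    justification: str
    ticket_number: str
    state: str = "in Process"  # -> Approved | Rejected; Approved -> Checked In | Expired
    checked_out_at: Optional[datetime] = None


class CredentialVault:
    """Illustrative vault (hypothetical class, not the ISIM API)."""

    def __init__(self, owner, policy_members, credentials):
        self.owner = owner                    # Jason: the approver in the checkout workflow
        self.policy_members = policy_members  # users entitled by the shared access policy
        # Current password per credential (what the server accepts); generated randomly,
        # like the vault's 'Automatically generate a new password' option.
        self.passwords = {c: secrets.token_urlsafe(16) for c in credentials}
        self.audit = []                       # stands in for 'Shared Access History'

    def _log(self, event, credential, actor, **extra):
        self.audit.append({"event": event, "credential": credential, "actor": actor, **extra})

    def check_out(self, user, credential, justification, ticket_number):
        """Creates the request; nothing is released until the owner approves."""
        if user not in self.policy_members:
            raise PermissionError(f"{user} is not entitled to {credential}")
        if not justification.strip() or not ticket_number.strip():
            raise ValueError("justification and ticket number are required")
        lease = Lease(credential, user, justification, ticket_number)
        self._log("checkout_requested", credential, user, ticket=ticket_number)
        return lease

    def decide(self, approver, lease, approved, comment, now):
        """CheckOutApproval node: 'Approved' leads on to checkout, 'Rejected' ends the flow."""
        if approver != self.owner or lease.state != "in Process":
            raise PermissionError("only the system owner decides a pending request")
        lease.state = "Approved" if approved else "Rejected"
        if approved:
            lease.checked_out_at = now
        self._log("checkout_" + lease.state.lower(), lease.credential, approver,
                  ticket=lease.ticket_number, comment=comment)

    def view_password(self, user, lease, now):
        if user != lease.requester or lease.state != "Approved":
            raise PermissionError("no approved lease for this user")
        if now - lease.checked_out_at > MAX_CHECKOUT:
            lease.state = "Expired"
            raise PermissionError("lease exceeded the maximum checkout duration")
        self._log("password_viewed", lease.credential, user)
        return self.passwords[lease.credential]

    def server_login(self, credential, password):
        # Models the Windows server accepting only the current password.
        return secrets.compare_digest(self.passwords.get(credential, ""), password)

    def check_in(self, user, lease):
        if user != lease.requester or lease.state != "Approved":
            raise PermissionError("nothing to check in")
        lease.state = "Checked In"
        self.passwords[lease.credential] = secrets.token_urlsafe(16)  # rotated on every check-in
        self._log("checked_in", lease.credential, user, password_rotated=True)


def run_scenario():
    """Plays the four playbook steps, then a rejected and an expired request."""
    vault = CredentialVault("Jason", {"Phillip"}, ["appAdmin"])
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    lease = vault.check_out("Phillip", "appAdmin", "Patch database service", "INC-0001")
    vault.decide("Jason", lease, approved=True, comment="ok for the maintenance window", now=t0)
    pw = vault.view_password("Phillip", lease, now=t0 + timedelta(minutes=5))
    login_during_lease = vault.server_login("appAdmin", pw)
    vault.check_in("Phillip", lease)
    login_after_checkin = vault.server_login("appAdmin", pw)  # old password no longer works
    rejected = vault.check_out("Phillip", "appAdmin", "Restart server", "INC-0002")
    vault.decide("Jason", rejected, approved=False, comment="no change window", now=t0)
    late = vault.check_out("Phillip", "appAdmin", "Restart services", "INC-0003")
    vault.decide("Jason", late, approved=True, comment="ok", now=t0)
    try:
        vault.view_password("Phillip", late, now=t0 + timedelta(hours=2))  # past the 1 hr limit
    except PermissionError:
        pass
    return {
        "login_during_lease": login_during_lease,
        "login_after_checkin": login_after_checkin,
        "rejected_state": rejected.state,
        "late_state": late.state,
        "events": [e["event"] for e in vault.audit],
    }
```

Calling run_scenario() returns login_during_lease as True and login_after_checkin as False, the rejected request stays in the "Rejected" state, the late request ends up "Expired", and the audit list holds the same sequence of check-out, approval, password view and check-in events that the “Shared Access History” report shows in section 5. The entitlement and justification checks in check_out are where the shared access policy and the mandatory Ticket Number field from section 3.5 are enforced in this model.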

5. Audits and Reports

Check out and check in activities of credentials and credential pools are audited and can be seen in the “Shared Access History” reports. Some custom report examples for shared access objects are available at the following link.

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Fadmin%2Fcpt%2Fcpt_ic_admin_abt_shrdaccess_obj.htm

 

Information on IBM Security Privileged Identity Manager reports is available at the following link.

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.ispim.doc_10%2FPim_Guide%2Fconcepts%2Fc_types_reports.html

6. Resources

  1. Addressing Privileged Identity Scenarios using IBM Security Privileged Identity Manager White Paper

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IBM%20Security%20Privileged%20Identity%20Manager%20Scenarios%20White%20Paper
  2. IBM Security Privileged Identity Manager Technical White Paper

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IBM%20Security%20Privileged%20Identity%20Manager%20Technical%20White%20Paper
  3. IAM Business Accelerator for Privileged Identity Scenarios - Install and configuration guide for Privileged Identity Manager deployment

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Install%20and%20configuration%20guide%20for%20Privileged%20Identity%20Manager%20deployment

  4. IAM Business Accelerator for Privileged Identity Scenarios - Pool of delegated administrators or help desk users accessing privileged IDs

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Pool%20of%20delegated%20administrators%20or%20help%20desk%20users%20accessing%20privileged%20IDs

  5. IAM Business Accelerator for Privileged Identity Scenarios - Administrators accessing emergency privileged IDs

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Administrators%20accessing%20emergency%20privileged%20IDs

  6. IAM Business Accelerator for Privileged Identity Scenarios - Applications or cron jobs need access to privileged IDs

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Applications%20or%20cron%20jobs%20need%20access%20to%20privileged%20IDs

  7. IAM Business Accelerator for Privileged Identity Scenarios - Multiple Network Administrators need to share single superuser account to network device

    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Wc42dcb83bbad_485d_a112_1d03408e24c0/page/IAM%20Business%20Accelerator%20for%20Privileged%20Identity%20Scenarios%20-%20Multiple%20Network%20Administrators%20need%20to%20share%20single%20superuser%20account%20to%20network%20device

  8. IBM Security Privileged Identity Manager Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ispim.doc_10/ic-homepage.html

  9. IBM Security Identity Manager Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isim.doc_6.0/ic-homepage.htm

  10. IBM Security Access Manager for Enterprise Single Sign-On Information Center

    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/ic-homepage.html

  11. Adapters for IBM Security Identity Manager

    http://www-01.ibm.com/support/docview.wss?uid=swg21599053

 

7. For more information

To learn more about IBM security solutions, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security
 

For IBM Identity and Access Management Services for identity assessment and strategy visit the following website: ibm.com/services/security