Just-in-time Access through Approval Workflows
You can add a layer of security for sensitive accounts by requiring users to go through approval workflows. This also serves as a just-in-time access provisioning mechanism. Whenever the passwords of such accounts are to be accessed, users have to raise a request and select administrators or account managers who are designated as Approvers and who will grant time-limited access. At the end of the usage period, the password will be automatically reset.
This feature comes with adequate provisions to handle various scenarios such as obtaining permission in advance, granting automated approvals, etc.
Configuring approval workflow
Navigate to the Accounts section in the GUI, click the required account, then click the Approval Workflow tab in the right pane.
Designate Approvers
Securden lets you designate up to 3 levels of approvers for each account. You need to specify the names of the users/user groups who can approve the password requests for the selected account.
Exclusion List
If you wish to exclude certain users from going through the approval workflow to gain access to the account, you can specify the user/user group under the exclusion list. The added users will be granted direct access to the password.
Configure Automatic Approval
If there are certain working hours during which users should get instant access to an account without going through the approval workflow, you can configure automatic approval of access requests. Specify the time interval during which all access requests will be automatically approved.
Managing Access Requests
Navigate to the Admin >> Approval Workflow section in the GUI. You will receive notifications through email when someone raises a request.
- Before approving the request, you can verify the justification provided by the requester. If it is satisfactory, you can go ahead and approve.
- When approving, you can approve the request as it is, for the duration requested by the user, or grant access for any duration you deem fit. You may also record your comments in the Reason field for future reference.
- You also have the option to randomize the underlying password after the user has used it by selecting the option Reset Password After Use.
- Once you approve the request, the entry moves to the To Be Used section. That means the user is yet to start using the access.
- Once the user starts using the access, the entry moves to the In Use section.
- Even after approving a request, you can still control and edit the access parameters, whether the entry is in the To Be Used or the In Use section.
- You can terminate ongoing access from the In Use section by clicking on the Revoke Access button.
Important
- Once a user starts accessing the application after receiving approval, concurrent controls kick in. No other user, including the administrator, super administrator, and account owner, would be able to access the application until the access is surrendered, is terminated, or expires. If another user attempts to access the account in use, they will see the message In exclusive use by another user.
- If a periodic password reset is configured for an account and the account is in use by a user when the reset is due to run, the password reset task will not be executed for that account.
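The routing and concurrency rules described on this page, written out as an added Python model (it is not Securden code and does not use a Securden API). All class, field and function names are hypothetical, and the model assumes that the exclusion list is checked before the automatic approval window and that the window does not cross midnight.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

@dataclass
class Account:                       # hypothetical model, not a Securden object
    approvers: list                  # one entry per approval level
    exclusions: set = field(default_factory=set)
    auto_window: tuple = None        # (start, end) of automatic approval
    holder: str = None               # user holding exclusive access
    expires: datetime = None         # end of the granted duration

    def __post_init__(self):
        if len(self.approvers) > 3:
            raise ValueError("at most 3 levels of approvers per account")

    def in_use(self, now):
        return self.holder is not None and now < self.expires

def route_request(acct, user, now):
    """Outcome when `user` asks for the account's password at `now`."""
    if acct.in_use(now) and acct.holder != user:
        return "In exclusive use by another user"   # applies to every role
    if user in acct.exclusions:                     # assumed to be checked first
        return "direct access"
    w = acct.auto_window
    if w and w[0] <= now.time() < w[1]:             # window assumed within one day
        return "auto-approved"
    return "pending approval"

def start_use(acct, user, now, minutes):
    """An approved entry moves from To Be Used to In Use."""
    acct.holder, acct.expires = user, now + timedelta(minutes=minutes)

def revoke(acct):
    """Approver clicks Revoke Access on an In Use entry."""
    acct.holder = acct.expires = None

def periodic_reset(acct, now):
    """True if the scheduled reset runs; it is skipped while the account is in use."""
    return not acct.in_use(now)

if __name__ == "__main__":
    # Constructed sample data: one approver level, one excluded user, 09:00-17:00 window
    acct = Account(["dba-leads"], {"oncall"}, (time(9), time(17)))
    noon = datetime(2024, 1, 8, 12, 0)
    print(route_request(acct, "alice", noon))
    start_use(acct, "alice", noon, 30)
    print(route_request(acct, "oncall", noon))
    print(periodic_reset(acct, noon))
```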