Just-in-time privilege elevation is a model designed to limit the amount of time privileged access is enabled on a critical system. This allows administrators, users, applications, and scripts to access sensitive information only when required and only for the amount of time needed to complete the task.
This approach avoids giving users elevated privileges permanently, which can be a vector for abuse. A mature privileged access management system automatically elevates privileges for any entity that needs privileged access, only when required and only for the minimal amount of time needed to complete the given task.
PAM360 facilitates just-in-time access through its seamless integration with ManageEngine ADManager Plus, an Active Directory management and reporting solution. Through automated and controlled elevation of domain account privileges, PAM360 brings in time-based and resource-based restrictions for privileged access, tightening security while making the whole process hassle-free.
PAM360's integration with ADManager Plus gives administrators control to map domain user accounts to specific security groups in Active Directory. This can be done by adding the Active Directory domain controller as a resource in PAM360 and then associating it with selected Active Directory security groups, which are fetched and displayed as a result of the integration between these products.
PAM360 provisions Windows domain users with elevated permissions, allowing them to inherit domain admin privileges for a specific time frame based on a request-approval mechanism. This orchestrated workflow, which is achieved through a set of predefined policy configurations, allows domain users to easily log in and perform privileged tasks on target systems using their own credentials. Once time runs out, permissions are automatically revoked, ensuring that the user no longer has the privilege to access the critical system.
PAM360 also supports out-of-the-box local account privilege elevation for Windows resources. These additional, timeframe-based access restrictions to privileged systems help enterprises gain complete control over privileged access.
While the integration empowers PAM360 administrators to elevate permissions for domain accounts, it does not affect the control ADManager Plus has on user permissions. As a security precaution, the workflow is designed so that any changes made to the permission levels of domain users by ADManager Plus administrators override changes made in PAM360. This way, domain accounts are kept under complete control in ADManager Plus, preventing any unauthorized access.
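The time-bound elevation described above can be verified independently of the tool that grants it. The following is an added example, not PAM360 or ADManager Plus code: it compares approved elevation windows against group-membership events modeled on Windows Security events 4728 and 4729 and reports late revocations, unapproved additions, and standing memberships. The record layouts, user names, and the five-minute grace period are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: member added to / removed from a
# security-enabled global group (for example, Domain Admins).
ADDED, REMOVED = 4728, 4729
GRACE = timedelta(minutes=5)  # assumed tolerance for the revocation job

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample data: approved windows as (user, group, start, end).
GRANTS = [
    ("alice", "Domain Admins", ts("2024-03-01 09:00"), ts("2024-03-01 10:00")),
    ("bob", "Domain Admins", ts("2024-03-01 13:00"), ts("2024-03-01 13:30")),
]
# Constructed sample events as (time, event_id, user, group).
EVENTS = [
    (ts("2024-03-01 09:01"), ADDED, "alice", "Domain Admins"),
    (ts("2024-03-01 10:00"), REMOVED, "alice", "Domain Admins"),
    (ts("2024-03-01 13:02"), ADDED, "bob", "Domain Admins"),
    (ts("2024-03-01 15:10"), REMOVED, "bob", "Domain Admins"),  # revoked late
    (ts("2024-03-01 16:00"), ADDED, "carol", "Domain Admins"),  # no approval
]

def audit(grants, events, now):
    """Return (user, group, finding) tuples for memberships that break the JIT model."""
    findings = []
    open_adds = {}  # (user, group) -> end of the approved window, or None
    for when, event_id, user, group in sorted(events):
        key = (user, group)
        if event_id == ADDED:
            # Find an approved window that covers the moment of elevation.
            end = next((e for u, g, s, e in grants
                        if (u, g) == key and s <= when <= e), None)
            if end is None:
                findings.append((user, group, "added without approved window"))
            open_adds[key] = end
        elif event_id == REMOVED and key in open_adds:
            end = open_adds.pop(key)
            if end is not None and when > end + GRACE:
                findings.append((user, group, "revoked late"))
    # Anything still open at audit time is a standing privilege.
    for (user, group), end in open_adds.items():
        if end is None or now > end + GRACE:
            findings.append((user, group, "standing membership"))
    return findings

if __name__ == "__main__":
    for finding in audit(GRANTS, EVENTS, ts("2024-03-01 18:00")):
        print(finding)
```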