Self-Service Privilege Elevation in PAM360

Self-Service Privilege Elevation allows end-users to perform highly privileged operations in remote sessions without relying on administrators for their approvals. The highly privileged operations include; installing applications, executing specific operations, executing commands, etc., that need administrator or root privileges, depending on the type of Operating System. The process involves configuring the selected accounts/resource with the allowed apps/scripts/commands shared with the end-users for their accessibility. Users with the administrator role control the overall configuration of Self-Service Privilege Elevation with predefined rules and policies.

Let us consider a case where an administrator has to allow a non-privileged user to install third-party applications or execute commands to access a particular directory for a specific period. It will be painful for the administrator when this has to be repeatedly done for multiple users. Here comes this elevation feature into play - it allows configuring users' operations with a privileged account, which lets users self-elevate privileges for a stipulated time until they complete their intended operations.

At the end of this document, you will have learned the following in detail:

1. Self-Service Privilege Elevation for Windows and Windows Domain
2. Self-Service Privilege Elevation for Linux
3. Troubleshooting Tips

1. Self-Service Privilege Elevation for Windows and Windows Domain
(This feature is applicable from build 5304 and later for C# Agent only)

PAM360 allows administrators to configure Self-Service Privilege Elevation to the target machines. This allows users to run certain types of files/applications (.cmd, .exe, .msc, .msi, and .bat) with elevated account privileges without sharing the password of the higher privilege account.

1.1 Setting up Self-Service Privilege Elevation

First, install C# agent with Self-Service Privilege Elevation in the target machine and follow the below steps:

1. Log in to PAM360 and navigate to Admin >> Manage >>Allowed Apps/Scripts. Here, all the applications that are allowed for Privilege Elevation are listed.
2. Click Add to add a new application/file to the list.
   1. In the Application/File List pop-up, enter the Application Name and Application File Name along with the extension (.cmd, .exe, .msc, .msi, and .bat).
   2. Mention the SHA256SUM Value of the application to be added. Click here to know how to get the hash value of a file/application or use this application.
   3. Click Save. You have successfully added the application to the Application/File List.
3. Now, navigate to Resources >> All My Passwords >> Resources to view the list of all the resources added in PAM360.
4. Click the Resource action icon against one of the owned resources and click Configure Self-Service Privilege Elevation.
   
   
   

   Note: The DNS name of the resource should not be empty.

5. In the pop-up that appears,
1. Select the Account Type.
2. If you choose the Account Type as Domain Account, select the Domain Name and Account Name. This will allow the user to run the files/applications using the selected Domain Account with elevated account privileges.
   
3. If you choose the Account Type as Local Account, select the Account Name.
   

Notes:

1. Here, selected account will be used for Self-Service Elevation in the Agent installed resources.
2. When access control is enabled for an account in the resource where Self-Service Privilege Elevation is configured, Self-Service Privilege Elevation will take precedence over password access control.

6. Mention the name of the files/applications that the user is allowed to access with elevated account privileges under Allowed Apps/Files.
   (Example: cmd.exe, services.msc, etc)
   

   Note: .exe, .msc, .msi, .cmd and .bat are the file types that are currently available for users to access with elevated account privileges.

7. Click Configure. Now, you have successfully configured Self-Service Privilege Elevation.
8. Click Clear to reset the configurations of Self-Service Privilege Elevation.
9. To delete an application from the Application/File List, navigate to Admin >> Manage >> Manage Applications. Select the desired application(s) and click Delete.
10. Navigate to Reports >> Query Reports >> Resources and search "Resources with self-service privilege elevation configuration" under Report Name to find all the resources configured with self-service privilege elevation.
11. Navigate to Reports >> Custom Reports to find two new custom reports namely:
• Authorized App Privilege Elevated
• Unauthorized App Elevation Triggered
These reports allow the administrators/users with privileges to generate reports based on authorized and unauthorized self-service elevation events. To know more about creating a custom report, click here.

1.2 Using Self-Service Privilege Elevation

1. Login as any user in a resource where you have configured Self-Service Privilege Elevation.
2. Right-click on the file/application (.exe, .msc, .msi, .cmd and .bat) which is configured by administrator to open as a privilege user and select Run as PAM360 Privileged Account.
   
3. In the pop-up that appears, mention the Reason for elevation(mandatory) and click Elevate.
   

Now, PAM360 will allow users to run the application/file in the elevated privilege chosen by the administrator.

2. Self-Service Privilege Elevation for Linux
(Applicable from build 5950 and later for Linux Agent only)

Self-Service Privilege Elevation in Linux environments allows users to execute privileged commands with an elevated account privilege without sharing the passwords of highly privileged user accounts.

Refer to the following links to know more about configuring the Self-Service Privilege Elevation in Linux-based environments:

2.1 Installing Linux Agent

2.2 Managing Commands and Command Groups

2.3 Configuring Self-Service Privilege Elevation

2.4 Using Self-Service Privilege Elevation in Linux

2.5 Audits and Reports of Self-Service Privilege Elevation

2.6 Self-Service Privilege Elevation Precedence in Real-Time

2.1 Installing Linux Agent

Refer to this section to install the Linux agent in the desired target Linux resource for which the Self-Service Privilege Elevation is to be configured.

2.2 Managing Commands and Command Groups

After completing the agent installation, log in to your PAM360 interface and create a command group with the set of required privileged commands for which the Self-Service Privilege Elevation is to be applied in the desired target accounts or resources.

Refer to this section to learn more about creating the commands and the command groups in PAM360.

2.3 Configuring Self-Service Privilege Elevation

Once you have done with the agent installation and the command group management, you can start configuring the Self-Service Privilege Elevation for the desired accounts or resources for elevated privileges without sharing access to the privileged accounts.
Do the steps that follow to configure an account or a resource with Self-Service Privilege Elevation:

i. Configuration at Account Level

1. Navigate to Resources >> All My Passwords >> Resources and click on the desired resource to view the list of all the available accounts in the resource.
   [or]
   Navigate to Resources >> All My Passwords >> Passwords.
2. Click the Account Actions dropdown against one of the owned/shared accounts and click Configure Self-Service Privilege Elevation.
   
3. In the window that opens:
   1. Provide the privileged account detail in the 'Run As' field.
      

      Note:
      The account added here will be used for the Self-Service Privilege Elevation to execute the privileged commands in the devices installed with the Linux agent.

   2. Select the sets of required command groups with the privileged commands.

      Note:
      Click on the link Available Command Groups. From the pop-up that opens, you will know in detail about the commands available in the respective command groups.

   3. Click Configure to complete the configuration of the Self-Service Privilege Elevation.
   4. Click Clear to revoke the Self-Service Privilege Elevation from the account.
      

ii. Configuration at Resource Level

1. Navigate to 'Resources >> All My Passwords >> Resources'.
2. Click the Resource Actions drop-down against one of the owned/shared accounts and click Configure Self-Service Privilege Elevation.
   
3. In the window that opens:
   1. Provide the privileged account detail in the 'Run As' field.
      

      Note: The account added here will be used for Self-Service Privilege Elevation to execute the privileged commands in the devices installed with the Linux agent.

   2. Select the sets of required command groups with the privileged commands.

      Note: Click on the link Available Command Groups. From the pop-up that opens, you will know in detail about the commands available in the respective command groups.

   3. Click Configure to complete the configuration of the Self-Service Privilege Elevation.
   4. Click Clear to revoke the Self-Service Privilege Elevation from the resource.

2.4 Using Self-Service Privilege Elevation in Linux

Now, users can execute privileged commands in the remote sessions of accounts configured with Self-Service Privilege Elevation. Do the steps that follow to execute the privilege commands mapped with a privileged user account for Self-Service Privilege Elevation.

i. From an Account Configured with SSH Command Control

1. Launch a remote session for an account configured with SSH command control and Self-Service Privilege Elevation.
2. In the session that opens, you will find a set of predefined allowed command lists associated with the logged-in SSH account.
3. Hover on the right pane and click on the execute icon under the Elevate & Execute list beside the desired privileged command to execute it in the launch SSH console.
   

Note:

1. Under the Elevate & Execute list, the commands configured with Self-Service Privilege Elevation alone will have an enabled execute icon.
2. The Self-Service Privilege Elevation feature cannot be utilized through external SSH clients when an account/resource is configured with SSH command control.

ii. From an Account Configured without SSH Command Control

1. Launch a remote session to the account configured with Self-Service Privilege Elevation from PAM360 or from any other external SSH client such as Remote Connect, PuTTY, etc.
2. Use the prefix "pamelevate" before commands that require privileged administrative action (e.g., pamelevate fdisk). The associated privileged commands will execute as long as the Self-Service Privilege Elevation is configured for the account.
   

   Note:
   If the command is not from the part of the configured command group (or) the "Run as" account user does not have the required privilege to execute the command, then you will not have permission for the privilege elevation to execute the command.

2.5 Audits and Reports of Self-Service Privilege Elevation

Navigate to Audit >> Resource Audit to check the trail of audits recorded during the process of Self-Service Privilege Elevation. From here, you will get the different types of audit information that include:

• Agent installation, modification of agent modules, etc.,
• Commands and command groups audits
• Configuration of Self-Service Privilege Elevation to an account or resources
• Unauthorized execution of commands

Navigate to Reports >> Query Reports. From here, you can generate query reports that include information such as:

• Command groups association at different levels,
• List of unauthorized command executions using the Self-Service Privilege Elevation (pamelevate).

Refer to this section to know more about query reports and management.

2.6 Self-Service Privilege Elevation Precedence in Real-Time

Case 1:
Account Configured with SSH Command Control and Self-Service Privilege Elevation

Consider the command "fdisk" configured in a command group of an account for which the user requires privilege elevation.
- Indicates that Self-Service Privilege Elevation or SSH command control is enabled.
- Indicates that Self-Service Privilege Elevation or SSH command control is disabled.

Self-Service Privilege Elevation	SSH Command Control	Elevation Result in PAM360 Session
Command "fdisk" configured	Command "fdisk" not configured	No Elevation The command "fdisk" will not be listed in the allowed command list for execution.
Command "fdisk" configured	Command "fdisk" configured	Allowed Elevation The command "fdisk" will be listed in the allowed command list with the option Elevate & Execute.
Command "fdisk" not configured	Command "fdisk" configured	No Elevation The command "fdisk" will be listed in the allowed command list without the Elevate & Execute option. Existing user privileges can be used to execute the command.
Command "fdisk" configured		Allowed Elevation Users can enter the command "fdisk" with the prefix "pamelevate" to execute it with the privileged elevation.
	Command "fdisk" configured	No Elevation The command "fdisk" will be listed in the allowed command list without the Elevate & Execute option. Existing user privileges can be used to execute the command.

Case 2:
Switching Self-Service Privilege Elevation between Configured User Accounts from the SSH Console

Consider the following users account with different configuration for the upcoming scenarios:

1. kate - Account listed in PAM360 and configured with Self-Service Privilege Elevation
2. marko - Account not listed in PAM360
3. lindsey - Account listed in PAM360 and not configured with Self-Service Privilege Elevation
4. paul - Account listed in PAM360 and configured with Self-Service Privilege Elevation with different sets of privileged commands.

Scenario 1:

If a user logs in to the account kate using PAM360 remote session and then changes internally to marko, which is not a PAM360 user account - then the current user account session does not allow Self-Service Privilege Elevation for the privileged commands configured in kate.

Scenario 2:

If a user logs in to the account kate using PAM360 remote session and then changes internally to lindsey, which is not configured with Self-Service Privilege Elevation - then the current user account session does not allow Self-Service Privilege Elevation for the privileged commands configured in kate.

Scenario 3:

If a user logs in to the account kate using PAM360 remote session and then changes internally to paul, which is configured with Self-Service Privilege Elevation for different sets of privileged commands - then the current user account session allows Self-Service Privilege Elevation for the privileged commands configured only in paul.

3. Troubleshooting Tips

1. Error: 'The directory name is invalid'

Issue: During the Self-Service Privilege Elevation (SSPE) to application, this error occurs when the application’s .exe file is located in user-specific folders such as Downloads or Documents, which are tied to the currently logged-in user.

Solution: To resolve this issue, the user needs to relocate the application's executable (.exe) file from user-specific folders like Downloads or Documents to a shared location accessible by all users on the system. Examples of such shared locations include the root directory of drives D: or E:. This ensures that the application can be accessed and elevated correctly during the Self-Service Privilege Elevation (SSPE) process, regardless of the currently logged-in user's profile.

2. Error: 'The requested operation requires elevation'
(The solution is applicable from build 7500 and above only)

Issue: During the Self-Service Privilege Elevation (SSPE) to application, this error occurs when Windows' default self-elevation process fails to trigger the User Account Control (UAC) pop-up, preventing privilege elevation.

Solution: Execute the application using PowerShell after adding the following system property in the Agent.conf file located in the PAM360 installation directory:
executeSSPEviaTerminal=cmd | powershell | false

cmd - elevates the application via Command Prompt.

powershell - elevates the application via PowerShell.

false - elevates the application using default SSPE to implementation.