Connection Access Control
Access Manager Plus provides an access control workflow mechanism that allows users to restrict access to the connections added by them. When the access control is in place, no user other than the one who added the particular connection will be able to view the passwords or launch a remote connection unless their access request is approved by the owner.
- How does the Connection Access Control mechanism work?
- How to implement Access Control for connections?
- Precedence for modifying connection settings for a shared connection
- Use case scenarios
- Glossary of terminologies
1. How does the Connection Access Control Mechanism Work?
Once access control is enforced for a connection, the following workflow is invoked for connection access attempts made by the users.
- An Administrator or a Standard User enables Access Control for a connection added by them from the 'Manage' tab.
- The user sends a request to access the connection.
- The request is forwarded to the connection owner for approval. If more users require access to the same connection, all the requests will be queued up for approval.
- The administrator views the request from the 'Admin' tab or the 'Notifications' panel.
- The request, if rejected by the owner, becomes void.
- The request, approved by the administrator, will enable the user to initiate a remote session for the connection.
- A connection password checked out by the user will be available for their use only for the period stipulated by the connection owner. The next user can access the connection only after the previous user's access time ends.
- The Administrator can revoke the connection access of a user at any time.
- The Administrator can hide the plain text view of the connection password from the user by disabling the option 'Allow plain text view of passwords, if auto logon is configured' under 'Admin >> Server Settings >> General Settings'. To know more, see General Settings.
- Users with temporary exclusive access to a connection can be enforced to provide a reason using the option 'Enforce users to provide a reason for password retrieval' under 'Admin >> Server Settings >> General Settings'. To know more, see General Settings.
1.1 Precedence for Viewing Password of a Connection in Plaintext
- Administrators can view the password of a connection in plain text regardless of whether the Allow plain text view of passwords option is enabled under General settings or at the user group level.
- A Standard user can view the password of a shared connection in plain text only when - the Allow plain text view of passwords if auto logon is configured option is enabled under both General settings and for the user group which contains the user. Please note that the user cannot view the password of both owned and shared connections in plaintext if the option is disabled in even one of the above places.
2. How to Implement Access Control for Connections?
To enable access control for a new connection, first, follow the instructions specified here to add a new connection.
Once you have added a connection, follow the steps below to configure access control settings for them:
- Navigate to the Manage tab.
- To implement access control for multiple connections, select all connections for which you wish to enforce access control in bulk, click the More Actions menu and choose Configure Access Control.
- To implement access control for a single connection, click Actions >> Configure Access Control beside the required connection.
- In the Configure Access Control dialog box that opens, there are three tabs available:
- Excluded Users
- Miscellaneous Settings
- Auto Approval
i. Excluded Users
Exclude a set of users or user groups from the request-release workflow using this option. The excluded users will be able to access passwords directly without raising connection access requests.
ii. Miscellaneous Settings
- Enforce users to provide a reason for password retrieval: Use this option to mandate users to provide a reason when they try to retrieve a password in plain text by clicking the asterisks. This is useful for auditing purposes.
- Send a reminder email to the owners asking to process the password access request before X minutes of the stipulated time: Use this option to set a time at which a reminder email will be sent to the connection owner about the access request that is yet to be approved. Access Manager Plus will send the reminder email at the specified number of minutes before the void time.
- Post the allowed access time, provide a grace time of X minutes to the user: Enable this option to provide a grace time of up to 60 minutes to the user, after the connection access time ends.
- Check in the password automatically after X hours of the approved time: Use this option to specify the exact time after which the password will be checked in automatically and will no longer be available for use.
- Make the requests void after X hours, if not approved: Use this option to specify the maximum time, in hours, after which a pending connection access request will become void if the connection owner does not approve.
- Allow the password access to remain exclusive for a maximum of X minutes: Select this option to enforce concurrency controls for password access. During this specified time, the password is made available for the exclusive use of a particular user and no one else, including the connection owner, is allowed to view the password. By default, the password will remain exclusive for the specified amount of time. However, you can modify it to the desired value. For example, if you specify the time period as two hours, the password will be made available exclusively for that user for two hours. Others cannot view the password during that time. After the specified time, the password access will be void and will not be available to the user and other users will be able to view the passwords. If you specify the value as '0' hours, the password will remain exclusive for an unlimited number of hours.
iii. Auto Approval
Access Manager Plus provides the option to set automatic approval of password access requests. This auto-approval feature will be handy during the times when the connection owner may not be available to approve access requests for users. There are three ways in which connections owners can set up auto-approval:
- Automatically approve the access requests of all raised requests: If this option is selected, all requests will be auto-approved without the connection owner's intervention.
- Set an approval time frame by choosing specific days and/or times. All connection access requests that are raised within this time frame will be auto-approved and the connection owner will be notified. For example, you can set auto-approval for all requests raised between 2 PM to 3 PM on Saturday. You can set upto 3 approval time frames for a single day. Except for the automatic nature of approval, all other aspects of this feature will follow the access control workflow.
- Approve access requests by validating the service request ticket ID: This option works if ticketing system integration is enabled by the administrator. If this option is selected, user will be prompted to enter the ticket ID. if the ticket ID entered is valid, then the user will be able to access the connection without sending an access request. However, please note that if the administrator has enabled the Allow users to retrieve password without ticket ID option in the General Settings, then the user will not be prompted to enter a ticket ID.
Once you have configured the necessary options for setting up the access control workflow for a connection, click Save & Activate. To deactivate access control for a connection for which access control is already configured, click the Deactivate option in this window.
3. Precedence for Modifying Connection Settings for a Shared Connection
In general, any user can modify the connection settings of a particular connection from the Actions drop-down, except for the Connection Access Control settings,which can be configured only by the connection owner, for security reasons.
There are two ways the administrators can restrict other users from modifying the access control settings of a shared connection:
- Through General Settings
- Through User Group Privilege Settings
User settings applied by the administrator in the General Settings section take higher precedence over the user-level settings applied for a particular user group that contains the user. However, the precedence level of these settings changes when connection access control is applied. If a specific shared connection is locked using connection access control, it can affect the user's privilege to modify the connection settings using the Actions drop-down.
3.1 Cases in Which a Standard User Can Modify Connection Access Control Settings
There are only two scenarios in which a user can modify the settings of a shared connection via the Actions drop-down. Read on to learn about the specific conditions required for a user to be able to do so.
Consider User A, who is a part of the user group named Sales Team. The settings applied at a user group level will affect how User A interacts with the connections shared to them. Let's assume CHNQATEST-01 as the connection shared to User A.
Scenario 1:
Consider User A as a part of a user group named Sales Team. Connection access control is enabled for CHNQATEST-01 and User A is part of the Excluded Users list for this connection, therefore exempted from the connection access control workflow.
In this case, if the administrator has enabled the Allow plain text view of passwords, if auto logon is configured option in both General Settings and at a user group level for Sales Team, then User A can modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 2:
The administrator has enabled the Allow plain text view of passwords, if auto logon is configured option in both General Settings and at a user group level for Sales Team, but connection access control settings are disabled for CHNQATEST-01.
In this case, User A can modify the connection settings of CHNQATEST-01 from the Actions drop-down.
3.2 Cases in Which a Standard User Cannot Modify Connection Access Control Settings
The following are possible combinations of use cases in which a standard user cannot modify the settings of a shared connection via the Actions drop-down.
Scenario 1:
- The Allow plain text view of passwords, if auto logon is configured option is enabled in General Settings and for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is not part of the Excluded Users list for the shared connection CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 2:
- The Allow plain text view of passwords, if auto logon is configured option is enabled in General Settings, but the option is disabled for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is a part of the Excluded Users list for the shared connection CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 3:
- The Allow plain text view of passwords, if auto logon is configured option is enabled in General Settings, but the option is disabled for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is not a part of the Excluded Users list for the shared connection CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 4:
- The Allow plain text view of passwords, if auto logon is configured option is enabled in General Settings, but the option is disabled for the user group Sales Team.
- Connection access control is disabled for the shared connection CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 5:
- The Allow plain text view of passwords, if auto logon is configured option is disabled in General Settings, but the option is enabled for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is part of Excluded Users list for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 6:
- The Allow plain text view of passwords, if auto logon is configured option is disabled in General Settings, but the option is enabled for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is not a part of Excluded Users list for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 7:
- The Allow plain text view of passwords, if auto logon is configured option is disabled in General Settings, but the option is enabled for the user group Sales Team.
- Connection access control is disabled for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 8:
The Allow plain text view of passwords, if auto logon is configured option is disabled in both General Settings and for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is a part of Excluded Users list for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 9:
- The Allow plain text view of passwords, if auto logon is configured option is disabled in both General Settings and for the user group Sales Team.
- Connection access control is enabled for CHNQATEST-01.
- User A is not a part of Excluded Users list for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
Scenario 10:
- The Allow plain text view of passwords, if auto logon is configured option is disabled both in General Settings and for the user group Sales Team.
- Connection access control is disabled for CHNQATEST-01.
In this case, User A cannot modify the connection settings of CHNQATEST-01 from the Actions drop-down.
4. Use Case Scenarios
Following are some of the use case scenarios in which access control workflow will be useful in an organization.
Case 1: User Requesting Access to View a Password
To access a connection protected by the access control workflow, a user will have to request the administrator to grant permission to view the connection.
Steps To Make a Connection Request:
- Navigate to the Manage tab or the Connections tab to view all the available connections listed in the display area.
- Click Request beside the desired connection to request the administrator to grant permission for accessing the connection.
- In the new pop-up form that opens, enter a reason to access the connection. This option will appear only if the administrator has enforced users to provide a reason for retrieval under the General Settings, or the Miscellaneous tab while configuring access control.
- Once the administrator approves your request, you will be allowed to use the connection. Till then, the status will be Waiting for approval.
- Once the administrator approves the request, the status will change to Check Out. To gain access to the connection, click Check Out. Please note that the Check Out button will be enabled only during the approved access time. Exclusive access to the connection will be granted for the stipulated amount of time set by the connection owner.
- Click Save. Now, you will be allowed to access the connection.
Case 2: Administrator Approving a Connection Request
If you're an administrator and a user has requested your approval to view a connection, you will receive an email notification about the request. You can view all the requests pending your approval from the Admin tab.
To Approve a Request:- Navigate to Admin >> Session Settings >> Connection Access Requests.
- Click Process Request beside a request to allow the user to view the connection. Once you do this, a new window will open where the administrator can approve or reject the access request.
- Immediately after you approve the request, the status of the link will change to Yet to Use, indicating that the user is yet to check out the password and start using the connection.
- Once the user checked out the password, the status will change to In Use.
Note: If a connection access request is rejected by an admin in the above scenario, the request will be removed from the queue.
Case 3: User Completes their Password Usage
The crux of the access control mechanism is that the user will be allowed only temporary access to connections. So, once the user finishes their work, they can give up the access.
To Give Up Access to the Password:- Click the Check In button beside the connection name. Now the connection access will be checked back into the system and the status will change as Request again.
- You will no longer be able to view the password and access the connection. In case, you require access again, you will have to go through the Request-Release process again.
Case 4: Administrator Forcefully Checks In the Password
Access control mechanism allows exclusive access privilege to a user for a specified time period. During this period, no one else will be allowed to access the connection. In case an emergency arises to revoke the exclusive permission to the user, administrator can forcefully check in the password and revoke access at any point of time.
To Forcefully Check In a Password:
- Go to Admin >> Session Settings >> Connection Access Requests
- Click Check in beside the specific request to revoke the user's access permission. Once you do this, user will not be allowed to access the connection. The connection access request will also vanish from the list.
5. Glossary of Terminologies
Term | Description |
---|---|
Request |
The user has to make a request to access the connection. |
Waiting for Approval |
User's connection release request is pending with administrator(s) for approval. |
Check Out |
Administrator has approved the request and the user can access the connection. |
Approve/Reject |
Administrator can either approve or reject the connection request. |
Yet to Use |
Indicates that the user is yet to view the connection released by the administrator. |
In Use |
Connection is being used exclusively by a user. |
Check In |
Giving up/revoking connection access. |