Privileged Access Manager FAQs

 

What is a privileged account?

Privileged accounts are root and system administrator accounts.

Will sessions be recorded when a privileged account is accessed by someone other than the system owner?

Service owners can check out privileged accounts without workflow or recording of the session. Anyone who is granted access to a privileged account through workflow will be connected to the system (e.g. over SSH or RDP) without the password being given to them, and the session will be recorded.

Is there redundancy for the PAM application?

Yes. There are currently two geographically dispersed and replicated PAM servers.

Can I use PAM on a Mac?

All users, regardless of their OS, should connect to the terminal servers (ead-rdsp1.ead.ubc.ca and ead-rdsp2.ead.ubc.ca) when using the pam.it.ubc.ca application.

Can a system owner delegate authorization when they are away?

Yes. Instructions will be in the user documentation.

Is PAM logging and auditing user access?

Yes, all access will be logged, audited, and can be reported on.

Do system owners have to go through workflow to get access to privileged accounts?

No, system owners can automatically check out a privileged account without going through workflow.

What accounts are managed by PAM?

The first release of PAM will manage Administrator on a Windows system, and sysadmin and root on a Linux system. PAM has a broad variety of connectors to manage almost any privileged account. Future releases will manage a variety of other accounts such as EAD service accounts, Cisco devices, passwords in scripts, etc.