
CPAM: Separation of administrator access vs end user access to Saviynt Portal

ejazr
New Contributor

For our customer, being able to separate admin account access from a secure admin environment is a mandatory requirement. They use PAW workstations and restrict administrative access to only these devices.

In the CPAM FAQ, this is probably what we need, but the answer says that this is not possible. Are there any plans to add this as a feature, as many govt and defence clients have this requirement of separation of admin accounts vs normal accounts?

The idea being that PAM SAV roles are visible only if you log in with admin accounts via the CPAM URL, and only normal user access is visible when logging on via the IGA URL.

Alternatively, does the option below allow assigning SAV roles to end user accounts vs admin accounts for the same user?

Is it possible to have separate URLs for IGA and CPAM (users can access CPAM with different username and password) when both are configured in the same environment?
No. However, you can configure SAV roles for normal end users so that they do not have access to CPAM features in the EIC user interface.

PAM Frequently Asked Questions (saviyntcloud.com)


sk
All-Star

Hey, as mentioned in the FAQ, I don't think different URLs for IGA and CPAM are possible unless Saviynt treats this as an enhancement.

Not sure if I understood your use case properly, but let me try to put the solutions based on my understanding.

If your use case is to show PAM features only to specific set of users

Then you can configure all PAM features in one SAV role and add that SAV role to the specific people who need it.

If your use case is to show specific privileged endpoints to a set of users

Then configure the respective endpoints with an Access Query, where you can define the logic on what basis you want the endpoint to show up to users.

If your use case is to show specific accounts to a set of users

Then configure accountVisibilityControl, which can control visibility of accounts on an endpoint to specific users based on logic you define.

Hope this helps. If none of the use cases match what you want to achieve, then can you please explain your use case so that I can respond with the solution/alternative accordingly?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

ejazr
New Contributor

Thanks for the detailed response.

The use case is to ensure that logins for privileged users are coming only from a specific set of trusted administrator workstations.

To clarify further, the normal account is abc123; this is used for day-to-day activity including browsing and email access on regular workstations and mobile devices.
The admin account is admin-abc123. This account is only used for admin functions and should only be used on separate secure administrator workstations which are segmented from normal user workstations.

Good outcome would be:
1. When the user logs in with the abc123 account they see non-PAM SAV roles
2. If the same user logs in with their admin-abc123 account then they see PAM SAV roles

At present, even if we restrict PAM roles, a user can log in with the abc123 account and launch PAM sessions. Customer wants to allow PAM sessions to be launched only if the user is logging on from this secure workstation or subnet. Azure AD conditional access policies are usually used for restricting access to a particular device, but this doesn't stop a user logging in with their normal account (abc123) and launching PAM sessions.

This is basically to align with the "clean source principle" of accessing any admin sessions from a secure desktop.

Good outcome would be:
1. When the user logs in with the abc123 account they see non-PAM SAV roles
2. If the same user logs in with their admin-abc123 account then they see PAM SAV roles

Needed further clarification on the above statement:

  • Are you saying the user will have two identities in Saviynt (abc123 & admin-abc123)?
  • And you are expecting them to use the abc123 identity to log in to Saviynt and use non-PAM features?
  • Similarly, you are expecting them to use the admin-abc123 identity to log in to Saviynt and use PAM features, and this login should only be allowed from a specific set of trusted administrator workstations?

At present, even if we restrict PAM roles, a user can log in with the abc123 account and launch PAM sessions. Customer wants to allow PAM sessions to be launched only if the user is logging on from this secure workstation or subnet. Azure AD conditional access policies are usually used for restricting access to a particular device, but this doesn't stop a user logging in with their normal account (abc123) and launching PAM sessions.

On the above statement: if user abc123 logs in to Saviynt with the End User role (which doesn't have any PAM features), then he won't be able to see any PAM features and hence won't be able to launch any PAM sessions.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

ejazr
New Contributor

Needed further clarification on the above statement:

  • Are you saying the user will have two identities in Saviynt (abc123 & admin-abc123)?
    I was hoping to avoid this, but it looks like this is what we have to do to separate the SAV roles for PAM and end user. The challenge is there is no out-of-the-box feature to correlate and relate two identities together. But happy to be corrected. Do we need separate identities created to provide this separation, or can we do that with one identity and two separate accounts within that identity?
  • And you are expecting them to use the abc123 identity to log in to Saviynt and use non-PAM features?
    Yes, but if we can do two separate accounts under the one identity that would be even better.

  • Similarly, you are expecting them to use the admin-abc123 identity to log in to Saviynt and use PAM features, and this login should only be allowed from a specific set of trusted administrator workstations?
    Yes, that is correct. These are Azure AD accounts being used for SSO / SAML authentication.

On the above statement: if user abc123 logs in to Saviynt with the End User role (which doesn't have any PAM features), then he won't be able to see any PAM features and hence won't be able to launch any PAM sessions.

Agree, but if the admin and normal accounts are both associated with one identity then they see both roles. The only way we found to separate that is to have two separate identities, and then we can enforce that.
If this is the best approach to achieve this, will there be a way to easily do correlation between two related identities like in this use case?

The idea being that if the person leaves, then both their normal identity and admin identity are deleted.

Thanks for all your help so far.
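An added example (not from this thread or from Saviynt) of the correlation the last post asks about: given a constructed identity export, it pairs each admin-abc123 identity with its abc123 identity by the naming convention used in the thread, flags admin identities whose normal identity has left or has no match, and flags normal identities that carry a PAM SAV role. The role name "PAM Admin" and the export fields are assumptions, not Saviynt's own.

```python
from dataclasses import dataclass

ADMIN_PREFIX = "admin-"               # naming convention taken from the thread
PAM_ROLES = frozenset({"PAM Admin"})  # placeholder SAV role name (assumption)


@dataclass(frozen=True)
class Identity:
    username: str
    status: str          # "active" or "terminated"
    sav_roles: frozenset


def primary_of(username):
    """Normal username an admin identity maps to, or None if not an admin name."""
    if username.startswith(ADMIN_PREFIX) and len(username) > len(ADMIN_PREFIX):
        return username[len(ADMIN_PREFIX):]
    return None


def review(identities, pam_roles=PAM_ROLES):
    """Return sorted (username, reason) findings against the separation rules."""
    by_name = {i.username: i for i in identities}
    out = []
    for ident in identities:
        primary_name = primary_of(ident.username)
        if primary_name is None:
            # Normal identity: must not carry PAM SAV roles, otherwise the
            # day-to-day account can launch PAM sessions.
            if ident.sav_roles & pam_roles:
                out.append((ident.username, "PAM SAV role on normal identity"))
            continue
        primary = by_name.get(primary_name)
        if primary is None:
            out.append((ident.username, "no matching normal identity"))
        elif primary.status == "terminated" and ident.status == "active":
            out.append((ident.username, "normal identity left; admin identity still active"))
    return sorted(out)


# Constructed sample export, not real data.
SAMPLE = [
    Identity("abc123", "active", frozenset({"End User"})),
    Identity("admin-abc123", "active", frozenset({"PAM Admin"})),
    Identity("xyz789", "terminated", frozenset({"End User"})),
    Identity("admin-xyz789", "active", frozenset({"PAM Admin"})),
    Identity("admin-ghost1", "active", frozenset({"PAM Admin"})),
    Identity("def456", "active", frozenset({"End User", "PAM Admin"})),
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE):
        print(f"{name}: {reason}")
```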