12/09/2022 05:28 AM
For our customer, being able to separate admin account access from a secure admin environment is a mandatory requirement. They use PAW workstations and restrict administrative access to only these devices.
In the CPAM FAQ this is probably what we need, but the answer says that this is not possible. Are there any plans to add this as a feature, as many govt and defence clients have this requirement of separation of admin accounts vs normal accounts?
The idea being that PAM SAV roles are visible only if you log in with admin accounts via the CPAM URL, and only normal user access is visible when logging on via the IGA URL.
Alternatively does the below option allow assigning SAV roles to end user accounts vs admin accounts for the same user?
Is it possible to have separate URLs for IGA and CPAM (users can access CPAM with different username and password) when both are configured in the same environment?
No. However, you can configure SAV roles for normal end users so that they do not have access to CPAM features in the EIC user interface.
12/09/2022 10:16 AM
Hey, as mentioned in the FAQ, I don't think different URLs for IGA and CPAM are possible unless Saviynt treats this as an enhancement.
Not sure if I understood your use case properly, but let me try to put the solutions based on my understanding.
If your use case is to show PAM features only to a specific set of users:
Then you can configure all PAM features in one SAV Role and add that SAV Role to the specific people who need it.
If your use case is to show specific privileged endpoints to a set of users:
Then configure the respective endpoints with an Access Query, where you can define the logic on what basis you want the endpoint to show up to users.
If your use case is to show specific accounts to a set of users:
Then configure accountVisibilityControl, which can control visibility of accounts on an endpoint to specific users based on logic you define.
Hope this helps. If none of the use cases match what you want to achieve, then can you please explain your use case so that I can respond with the solution/alternative accordingly?
12/11/2022 01:27 PM
Thanks for the detailed response.
The use case is to ensure that logins for privileged users are coming only from a specific set of trusted administrator workstations.
To clarify further, the normal account is abc123; this is used for day-to-day activity, including browsing and email access on regular workstations and mobile devices.
The admin account is admin-abc123. This account is only used for admin functions and should only be used on separate secure administrator workstations, which are segmented from normal user workstations.
Good outcome would be:
1. When the user logs in with the abc123 account they see non-PAM SAV roles
2. If the same user logs in with their admin-abc123 account then they see PAM SAV roles
At present, even if we restrict PAM roles, a user can log in with the abc123 account and launch PAM sessions. The customer wants to allow PAM sessions to be launched only if the user is logging on from this secure workstation or subnet. Azure AD conditional access policies are usually used for restricting access to a particular device, but this doesn't stop a user logging in with their normal account (abc123) and launching PAM sessions.
This is basically to align with the "clean source principle" of accessing any admin sessions from a secure desktop.
12/12/2022 03:43 PM
Good outcome would be:
1. When the user logs in with the abc123 account they see non-PAM SAV roles
2. If the same user logs in with their admin-abc123 account then they see PAM SAV roles
Needed further clarification on the above statement.
At present, even if we restrict PAM roles, a user can log in with the abc123 account and launch PAM sessions. The customer wants to allow PAM sessions to be launched only if the user is logging on from this secure workstation or subnet. Azure AD conditional access policies are usually used for restricting access to a particular device, but this doesn't stop a user logging in with their normal account (abc123) and launching PAM sessions.
On the above statement: if user abc123 logs in to Saviynt with the End User Role (which doesn't have any PAM features), then he won't be able to see any PAM features and hence he won't be able to launch any PAM sessions.
12/14/2022 10:21 PM
Needed further clarification on the above statement.
On the above statement: if user abc123 logs in to Saviynt with the End User Role (which doesn't have any PAM features), then he won't be able to see any PAM features and hence he won't be able to launch any PAM sessions.
Agree, but if the admin and normal accounts are both associated with one identity, then they see both roles. The only way we found to separate that is to have two separate identities, and then we can enforce that.
If this is the best approach to achieve this, will there be a way to easily do correlation between two related identities, as in this use case?
The idea being that if the person leaves, then both their normal identity and admin identity are deleted.
Thanks for all your help so far.
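The two-identity approach discussed across this thread (the "good outcome" list in the 12/11 post and the leaver-correlation question in the 12/14 post) can be sketched as a small model: the normal and admin logins are separate identities, each with its own SAV role set, linked only by a shared correlation attribute so that offboarding disables both. The block below is an added, constructed example written for this thread; it is not Saviynt code and uses none of its APIs. The `person_id` attribute, the role names `END_USER` and `PAM_SESSION_USER`, and the `10.99.0.0/24` PAW subnet are all assumptions chosen for illustration.

```python
"""Constructed model of normal/admin identity separation with a shared
correlation key. Hypothetical example for the thread above; it does not
represent Saviynt's data model or API."""
import ipaddress
from dataclasses import dataclass

# Assumed: the subnet that the secure administrator workstations (PAWs) use.
PAW_SUBNET = ipaddress.ip_network("10.99.0.0/24")

# Assumed role names. Anything in PAM_ROLES is treated as a PAM SAV role.
PAM_ROLES = {"PAM_SESSION_USER"}


@dataclass
class Identity:
    username: str
    person_id: str   # correlation key shared by the normal and admin identity
    is_admin: bool
    roles: set
    active: bool = True


class Directory:
    """Two identities per person: one normal login, one admin login."""

    def __init__(self):
        self.identities = {}   # username -> Identity
        self.by_person = {}    # person_id -> [username, ...]

    def add(self, identity):
        self.identities[identity.username] = identity
        self.by_person.setdefault(identity.person_id, []).append(identity.username)

    def visible_roles(self, username, source_ip):
        """SAV roles shown to this login.

        - Unknown or disabled identities see nothing.
        - A non-admin identity never sees PAM roles, even if assigned.
        - An admin identity sees PAM roles only from the PAW subnet
          (the "clean source" check the customer asked for).
        """
        ident = self.identities.get(username)
        if ident is None or not ident.active:
            return set()
        if not ident.is_admin:
            return ident.roles - PAM_ROLES
        if ipaddress.ip_address(source_ip) not in PAW_SUBNET:
            return ident.roles - PAM_ROLES
        return set(ident.roles)

    def offboard(self, person_id):
        """Leaver processing: disable every identity correlated to the person.
        Returns the affected usernames so the action can be audited."""
        affected = sorted(self.by_person.get(person_id, []))
        for username in affected:
            self.identities[username].active = False
        return affected


def build_sample_directory():
    """Constructed sample: one person with a normal and an admin identity."""
    d = Directory()
    d.add(Identity("abc123", "P0001", False, {"END_USER"}))
    d.add(Identity("admin-abc123", "P0001", True, {"PAM_SESSION_USER"}))
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("abc123 from PAW:", d.visible_roles("abc123", "10.99.0.5"))
    print("admin-abc123 from PAW:", d.visible_roles("admin-abc123", "10.99.0.5"))
    print("admin-abc123 from LAN:", d.visible_roles("admin-abc123", "192.168.1.10"))
    print("offboarded:", d.offboard("P0001"))
```

The point of keeping `person_id` on both identities rather than merging them into one is exactly the problem raised in the last post: a single identity would carry both role sets, so the normal login would see PAM roles too. The source-subnet check in `visible_roles` is a second, independent control, so that even an admin login that somehow reaches the portal from a regular workstation is shown no PAM roles.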