02/23/2023 02:03 AM
02/27/2023 11:41 AM
Thanks for reaching out on Forums with your questions. Here are the responses:
1. In CPAM we make use of the Emergency Access Roles (also known as Firefighter Roles) to provide access to different entitlements on the target. These entitlements can be AD Groups, Azure Roles, AWS IAM Roles, AWS Groups, GCP Roles, GCP Groups, etc. When users request an Emergency Access Role, they get access to the underlying entitlements attached to the Emergency Access Role.
2. Yes, Roles can be assigned to both local and domain accounts in different ways. For local accounts, Roles are assigned directly, whereas for Domain accounts (where you have SSO enabled for the target using Domain accounts) Roles are usually assigned via AD Groups.
3, 4 and 5: The user id that you use to log in to the CPAM Portal (Saviynt EIC) is different from the accounts present on the target system. Ex: your login id to Saviynt is PAMEndUser10, and this user has an account in each of AWS (IAMUser10), Azure (AzureADUser10) and AD (ADUser10). All these accounts from the different target systems get associated with your Saviynt login (PAMEndUser10).
When you request Roles from target systems, those Roles get added to the accounts present on those targets and not to your user id in Saviynt EIC.
In some cases, organizations may choose to implement shared account access. In those cases, instead of creating an account for each user, there will be a shared account (ex: SharedAcct10) created on the target, and all users will request access using this shared account. By default this shared account will be available to all users. However, if you want to restrict access to only a few select users, you can use the account visibility feature to customize the implementation for your requirement.