
Need to test the Break glass process for CPAM

Diwakar
Regular Contributor

We wanted to test the Break Glass process for CPAM, and we have a few queries. Please help to clarify:

1. Under what situation is a Break Glass instance required? Is it when the primary vault is not reachable, or when the Saviynt UI is down?

2. If the Saviynt UI is down, how will end users access the servers that are onboarded to CPAM?

3. From our side, what are the prerequisites that we need to ensure before initiating the Break Glass process?

4. In our case the password rotation feature is still not working. Will the Break Glass process work for us?


sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

1. Under what situation is a Break Glass instance required? Is it when the primary vault is not reachable, or when the Saviynt UI is down?

A Break Glass instance is typically required in emergency situations where standard access is compromised. This could be when the primary vault is not reachable, the Saviynt UI is down, or during a system outage, cyberattack, or system failure; any of the above cases.

https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/J-Break-Glass/Setting-Up-Bre... 

2. If the Saviynt UI is down, how will end users access the servers that are onboarded to CPAM?

If the Saviynt Application UI is down, you can use the out-of-the-box analytic control named "PAM Controlled Endpoints," which can be scheduled to run periodically, such as every hour, and email the list of endpoint and account information.

3. From our side, what are the prerequisites that we need to ensure before initiating the Break Glass process?

The Saviynt DevOps team will share shards with the client, and the client Admin team will distribute these shards to different individuals. During a screenshare session, each shard holder will enter their shard when prompted on the screen, ensuring secure and coordinated access to the necessary information.

4. In our case the password rotation feature is still not working. Will the Break Glass process work for us?

The Break Glass process is designed to provide access in emergency situations and is independent of the password rotation feature. Therefore, even if the password rotation feature is not working, the Break Glass process should still function.
Once the Saviynt UI becomes available, inform Saviynt Cloudops so they can revoke all access to the instance. If only a few credentials have been accessed, you can reset the passwords for individual accounts using the "reset password for service accounts" option.
For a larger number of accessed credentials, you can trigger the password rotation jar by adjusting the "Expire After" value in the password policy.
Note that this action will rotate all applicable credentials, regardless of whether they were accessed during Break Glass.

For reference: CPAM : Questions regarding Saviynt Break Glass pro... - Saviynt Forums - 30994

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".

Diwakar
Regular Contributor

@sudeshjaiswal Thanks for the information. We have another query on the pointer below:

2. If the Saviynt UI is down, how will end users access the servers that are onboarded to CPAM? We are using JIT to access the servers onboarded to CPAM, so in that case how do we access the servers through JIT if the UI itself is down and not accessible?

As you mentioned, the out-of-the-box analytic control "PAM Controlled Endpoints" will only send the list of endpoint and account information through email, but how do we access the same if the UI is not working?

Will the Break Glass instance also provide a secondary Saviynt UI, or is it only restricted to providing a secondary vault when the primary vault is not working?

Thanks,

Diwakar.

@Diwakar: When the UI is down you are expected to access the VM outside Saviynt. The details in the report will help you extract the credentials from the Vault using the Break Glass process detailed in Break-Glass-Process, which you can use to connect to the server externally.

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing a similar issue.

Diwakar
Regular Contributor
  • @Saathvik @sudeshjaiswal We are using a credential-less process to access the on-prem servers onboarded to CPAM through JIT. Please let me know how relevant the Break Glass process is to our case.
  • Also, will the Break Glass instance also provide a secondary Saviynt UI, or is it only restricted to providing a secondary vault when the primary vault is not working?

Please help to address these two queries!

Thanks,

Diwakar.