@jdfranco Yes, this is possible. One of the common examples is the usage of a- (a dash) accounts in Active Directory. These are personal accounts unique to each user and are usually assigned to the server admins
Before looking at how to implement this use case, here is an important aspect to verify :
- How are these designated admin accounts that each user has identified? They should have a proper naming convention like a-<user's login id> or a-<user's firstname+lastname>
Having such naming convention makes it easier to implement this use case
Here is how it has to be implemented:
- Onboard your Active Directory to Saviynt CPAM and pam enable the admin accounts in scope
- Bootstrap your domain joined windows servers by mentioning the admin accounts alone in PAM_CONFIG (no local shared accounts should be mentioned in the config)
- Create a copy of the Out of the box analytical control "PAMDefaultUserAccountAccessControl" and customize it to show only the a- accounts applicable for the logged in user
- Mention this custom analytical control in PAM_CONFIG for Windows servers before onboarding your windows servers
- Make sure these unique admin accounts have access to the windows servers
modified query would look like this (modified part in bold)
select acc.accountkey as 'id', acc.name as 'name' from accounts acc where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey}) UNION select acc1.accountkey as 'id', acc1.NAME as 'name' from accounts acc1 inner join account_attributes accattrb on acc1.ACCOUNTKEY = accattrb.ACCOUNTKEY where accattrb.ATTRIBUTE_NAME = 'MEMBER_ENDPOINTKEY' and accattrb.ATTRIBUTE_VALUE = ${endpointkey} and acc1.accountconfig like '%\"pamState\"%ENABLED%' and (CONCAT('a-', ${username}) = acc.name and acc1.accountkey = IF('null'=${accountkey}, acc1.accountkey, ${accountkey});
Thanks,
Nagesh K
