@vivekbksingh Thank you for being so patient and waiting long for the answer. I will explain the process below.
Scenario 1 : For target systems like AWS, GCP, Azure AD (Entra Directory), Salesforce, etc. where roles are created and managed
- As you may already know, for these target systems you can import the roles into Saviynt in the form of entitlements
- These entitlements can then be requested in two different ways : IGA request & PAM Request
- As this question is on PAM, I will keep this to PAM
- For any such roles to be made requestable through PAM interface, a corresponding Emergency Access Role (also called as Firefighter Role) has to be created
- Emergency Access Role in Saviynt can be mapped to 1 or more Role type entitlements of the target
- Once configured, these roles can be requested via the "select role" option against the application (endpoint) in PAM request interface. Example given below for Azure AD
Scenario 2 : For target systems like Active Directory where Groups are available
- For these target systems as well, you will perform the same steps as above except that you will map the Emergency Access Role to AD Group(s)
Scenario 3 : For Unix, Windows and DB Workloads
- For these target types, the "Select Role" option is not available in PAM interface by default. However, you can enable the option by modifying "
@vivekbksingh Thank you for being so patient and waiting long for the answer. I will explain the process below.
Scenario 1 : For target systems like AWS, GCP, Azure AD (Entra Directory), Salesforce, etc. where roles are created and managed
- As you may already know, for these target systems you can import the roles into Saviynt in the form of entitlements
- These entitlements can then be requested in two different ways : IGA request & PAM Request
- As this question is on PAM, I will keep this to PAM
- For any such roles to be made requestable through PAM interface, a corresponding Emergency Access Role (also called as Firefighter Role) has to be created
- Emergency Access Role in Saviynt can be mapped to 1 or more Role type entitlements of the target
- Once configured, these roles can be requested via the "select role" option against the application (endpoint) in PAM request interface. Example given below for Azure AD
Scenario 2 : For target systems like Active Directory where Groups are available
- For these target systems as well, you will perform the same steps as above except that you will map the Emergency Access Role to AD Group(s)
Scenario 3 : For Unix, Windows and DB Workloads
- For these target types, the "Select Role" option is not available in PAM interface by default. However, you can enable the option by modifying "Applications Enabled for PAM Request" option in Global Config -> PAM. I can provide fruther details on this if required but I have not seen this used anywhere so far
- And rest of the steps would be the same as given in Scenario 1 where Emergency access roles are created using the entitlements of the targets (groups for Unix and Windows and Roles for DB)
Now, the important point to note here is that Requesting these roles will result in adding the underlying entitlement to the logged in user's personal account on the target. If you are looking to launch privilege session to the target post gaining access to the Emergency Access role, the user's personal account should be onboarded for PAM.
Finally, in the AD scenario you asked for, this is what would happen:
- Request for a FFID (Emergency Access) role on AD Endpoint. The FFID Role will have the required AD Group added as en entitlement
- Once FFID role access is provisioned, request for RDP launch option using your personal account in AD
- Navigate to "Privilege Sessions", click on "Access", provide the ip address/host name of the domain joined windows machine and launch rdp session
I hope this clarifies. Please let me know in case of any further questions.
Thanks
Nagesh K
