Jump to content

Using PasswordState for JIT/JEA PAM


hamsteropera
 Share

Recommended Posts

We are looking to do some sort of PAM solution at our organisation for privileged accounts in AD (Domain Admins etc). Ideally we would want to do something like how PAM works in Microsoft Identity Manger. Eg you have an admin account in the domain (eg sally_admin) which is elevated on request, with automated time limits, to give it privileges as and when it is needed by adding it to the relevant group(s) in AD.

We already use PasswordState as our password vault. It doesn't seem to have this capability out of the box to do 'just in time' elevation, but is there any way we can get it to work like that? I was wondering about using custom Password Reset scripts that also manipulate groups but that feels like a bit of a bodge.

Alternatively, I think the PasswordState native approach to achieve something comparable would be to have multiple service accounts that people use, each with the privileges assigned permanently. Either generic shared ones, or issue multiple accounts per-user. The passwords would then be reset when the account is checked in. I would possibly update the reset script to also disable the account. Eg
sys-accountoperator1
sys-accountoperator2
sys- serveroperator1
etc

Have I got all that right? Just wondering whether anyone has done something similar in PasswordState and has any thoughts about the best way to do it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...