Privilege elevation and delegation management: Self-service privilege elevation

We’re happy to announce that the latest version of PAM360 now supports self-service privilege elevation with application whitelisting capabilities. Before exploring the feature in depth, let’s start with the fundamentals.

Privilege elevation and delegation management (PEDM) is a subclass of privileged access management (PAM), which includes essential security mechanisms to help admins issue time- and requirement-based access to critical resources and applications. Any elevated access to these resources is granted only for a stipulated period after verifying and approving user requests. Once this period is over, users are stripped of their administrative rights and the credentials to business-sensitive applications are rotated to prevent misuse or unauthorized access in the future. Learn more about the essentials of PEDM.

How does PAM360 encapsulate PEDM controls?

PAM360 primarily offers an agentless mode of PEDM, also known as just-in-time privilege elevation. In this mode, users are granted elevated access to target systems by being temporarily elevated into local security groups, and they are reverted to their original, minimal privileges when their request period ends. Domain user accounts can be temporarily elevated into domain security groups using the integration with ManageEngine ADManager Plus.

Self-service privilege elevation for fine-grained access to critical applications

Our latest feature, self-service privilege elevation, includes additional security controls to help administrative users configure privilege elevation controls for select applications running on remote resources. This function entails installing and configuring the self-service privilege elevation (SSPE) agent on target endpoints, after which users can log in to endpoints and run the allowlisted applications directly as a PAM360 Privileged Account, which comes with elevated privileges.

SSPE provides elevated access to certain allowlisted applications (CMD, EXE, MSI, MSC, and BAT) for Windows and Windows domain accounts without requiring any privileged account credentials.

Using SSPE, users can perform administrative actions on endpoints for a designated period, which ensures that the elevated privileges are applicable only to the intended tasks.

A couple of good use cases include:

  • UI designers who need to install and run a wireframe application on a remote endpoint but do not have sufficient privileges to do so can use SSPE to execute the application’s installer file.

  • Database admins who wish to perform a search operation on a PostgreSQL instance but do not have administrative privileges to access the endpoint on which the database instance is installed can use SSPE to run their search query as a PAM360 Privileged Account.

Follow our release updates to stay on top of product enhancements. You can also try a free, 30-day trial of ManageEngine PAM360 to gain hands-on experience.

Want to learn how you can use PAM360 to solve your day-to-day privileged access security use cases and challenges? Sign up for our free PAM Masterclass Training Series today!

Srilekha Veena Sankaran
Marketing Analyst