MIM 2016 SP1 PAM request privileged on behalf

  • Question

  • Hi colleagues,

    is it possible to request privileges using MIM PAM or the MS PAM Portal (Github) on behalf of a user?

    My idea is to have an unprivileged user logged in to a PAW and request privileged roles for his different users in tier 0, tier 1 or tier 2.

    As far as I understand the MIM PAM system I can only request privileged roles for myself (my priv user in the bastion forest), right?

    Maybe someone can help me with this question or push me into the right direction.

    Thanks

    Chris

    Thursday, August 30, 2018 2:08 PM

All replies

  • Hi (or Hello Christian), ;-)

    that is not possible with PAM nor with the GitHub Portal. It is because of the way the workflows for PAM are implemented in the MIM Service.

    I'm not sure if you can create your own workflows on that (it's simple MIM Set/Workflow/MPR stuff by the way) but if it is, it will not be a supported way.

    When talking about the tiers you mentioned, are you thinking of stages like Dev, Test, Prod?

    What about having only one PAM user that has permission in all those systems with separate PAM roles for each tier? Using additional auth like MFA or Approval should cover the security things like that one big account that has rights everywhere.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, August 30, 2018 6:21 PM
  • Hi (Hello Peter, I knew you would answer :-)),

    thanks for your answer. When talking about the tiers I'm thinking about different security levels referring to the following article.

    https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

    Domain admins (tier 0)
    Server admins (tier 1)
    Standard user workstation (tier 2)

    In our case we might need to add an additional tier for server admins in customer specific Active Directory domains.

    When combining the privileged roles on a single user I think we can't make sure that a user can only have a single role at a time, e.g. he cannot have domain admin and customer A server admin privileges at the same time.

    I'm thinking of running the portal/workflows simply with "runas" in Internet Explorer. Would that be an option?

    Thanks for your support.

    Chris

    Friday, August 31, 2018 6:32 AM
  • Hi Chris,

    ok, that one, I think it could be much easier to implement a kind of separation of duties (at the same time) than letting a user elevate a role for another user.

    All you need is a custom workflow for an Authorization (like the MFA or approval one) that checks the current elevated role of a user. So a kind of auto-approval where a user is denied a tier 1 role if he already elevated a tier 0 role or something like that.

    Running a PAM role request (PS or Portal) as runas is the default method to activate the role as you need to request the role with the PAM user, not the original one.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, August 31, 2018 6:57 AM
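The tier-based separation-of-duties check Peter describes, as an added example that is not part of this thread and not MIM or PAM Portal code: a Python model of the decision such an authorization workflow would make. The role-to-tier mapping, the sample activations and the function names are all constructed assumptions.

```python
# Added example: models the "one tier at a time" authorization check for a
# PAM role request. It is not MIM code; the tier mapping, the sample role
# activations and all names below are constructed for illustration.
from datetime import datetime, timedelta, timezone

# Hypothetical mapping of PAM role names to administrative tiers. Customer
# domains get their own tier so a user cannot hold them together with tier 0.
ROLE_TIERS = {
    "Domain Admins (bastion)": 0,
    "Server Admins": 1,
    "Workstation Admins": 2,
    "Customer A Server Admins": "customer-A",
    "Customer B Server Admins": "customer-B",
}

def active_tiers(assignments, now):
    """Tiers the user currently holds via unexpired PAM activations.
    Each assignment is (role_name, expires_at); expired ones are ignored,
    since a PAM activation that has run out no longer grants anything."""
    return {
        ROLE_TIERS[role]
        for role, expires in assignments
        if expires > now and role in ROLE_TIERS
    }

def authorize(requested_role, assignments, now):
    """Decide whether a request for requested_role may be auto-approved.
    Policy: roles from a single tier only, so the request is denied if any
    unexpired activation belongs to a different tier."""
    if requested_role not in ROLE_TIERS:
        return False, f"unknown role {requested_role!r}"
    wanted = ROLE_TIERS[requested_role]
    conflicting = sorted(str(t) for t in active_tiers(assignments, now) if t != wanted)
    if conflicting:
        return False, f"tier {wanted} denied: already elevated in tier(s) {', '.join(conflicting)}"
    return True, f"tier {wanted} approved"

# Constructed sample state: one live tier 0 activation, one expired customer role.
DEMO_NOW = datetime(2018, 8, 31, 7, 0, tzinfo=timezone.utc)
DEMO_ASSIGNMENTS = [
    ("Domain Admins (bastion)", DEMO_NOW + timedelta(hours=2)),
    ("Customer A Server Admins", DEMO_NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    print(authorize("Customer A Server Admins", DEMO_ASSIGNMENTS, DEMO_NOW))  # denied
    print(authorize("Domain Admins (bastion)", DEMO_ASSIGNMENTS, DEMO_NOW))   # approved
```

The real check would read the user's current activations from the MIM Service inside the authorization workflow; the decision logic is what this block isolates.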