Privileged Access Management: PAM roles with time span and future requests (Part 2)
September 25, 2015
Here is part 2 where I will be covering the following features:
- PAM role with time span limits (e.g. 08:00 to 17:00)
- PAM role with a specific request time (requests in future)
First make sure that the server running the PAM components and the MIM service/portal have the correct time zone setting. You can check that in the MIM portal under: Administration -> Portal Configuration -> Timezone
Currently the time restrictions only work on time values, not dates, so you cannot exclude weekend days, for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.
The supported way to set a time span rule on a PAM role is through PowerShell:
Import-Module MIMPAM
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
After this configuration is applied, the role looks like this in the PAM Sample Portal:
If you try to request that role outside these business hours, you will get an error message:
There is also an error entry in the event log:
You can also view and edit PAM roles through the MIM Portal; however, to stay supported you should manage PAM roles via PowerShell, as you may face issues when editing values in the portal. Still, changing the time span values on a PAM role worked without any issues in my test lab.
Even though the attribute contains a month, day and year, those values are not evaluated; only the time is relevant when requests are checked. You can test this by entering a date in the past: you will see that you can still request the role. I hope this will be extended in future to also allow enabling/disabling specific days of the week.
Last but not least, you can also request PAM roles for future use: simply select a specific date in the future when requesting a role. The request will be held in PAM and the role activated at the given date and time:
If a PAM role requested for the future has approvals enabled, the approval workflow is triggered immediately, but the PAM role will only become active at the time you requested. I could imagine a scenario where an approver is not available at the time when a requestor needs the role, so he can approve the role for use tomorrow, for example.
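As an added example (not part of the original post or of the MIMPAM module), the following script models the time-only evaluation described above so that a requested time can be checked before it is submitted, and then uses that check to guard a future request. It assumes the object returned by Get-PAMRole exposes AvailableFrom and AvailableTo (as either a full date/time or an "HH:mm" string), and that New-PAMRequest accepts -RequestedTime for future requests; both are assumptions.

```powershell
# Strip the date part from the stored window value, whatever form it arrives in.
# The attribute carries a month/day/year (as noted in the post) but only the
# time of day is evaluated.
function ConvertTo-TimeOfDay {
    param([Parameter(Mandatory)][object]$Value)
    if ($Value -is [datetime]) { return $Value.TimeOfDay }
    return ([datetime]::Parse([string]$Value)).TimeOfDay
}

# Mirror PAM's window check: compare time of day only, ignoring the date.
function Test-PamAvailabilityWindow {
    param(
        [Parameter(Mandatory)][object]$AvailableFrom,   # e.g. "08:00"
        [Parameter(Mandatory)][object]$AvailableTo,     # e.g. "17:00"
        [Parameter(Mandatory)][datetime]$RequestedTime
    )
    $from = ConvertTo-TimeOfDay $AvailableFrom
    $to   = ConvertTo-TimeOfDay $AvailableTo
    $tod  = $RequestedTime.TimeOfDay
    return ($tod -ge $from -and $tod -lt $to)
}

# Constructed sample window matching the post (08:00 to 17:00).
$window = @{ AvailableFrom = '08:00'; AvailableTo = '17:00' }

# Yesterday at 10:00: the date is ignored, so only 10:00 is evaluated.
Test-PamAvailabilityWindow @window -RequestedTime (Get-Date).Date.AddDays(-1).AddHours(10)
# Today at 18:00 lies outside the window.
Test-PamAvailabilityWindow @window -RequestedTime (Get-Date).Date.AddHours(18)

# Guard a future request: refuse to submit a time that PAM would reject anyway.
# Property names on $role and the -RequestedTime parameter are assumptions.
$role = Get-PAMRole "SQLAdmins"
$when = (Get-Date).Date.AddDays(1).AddHours(9)   # tomorrow at 09:00
if (Test-PamAvailabilityWindow -AvailableFrom $role.AvailableFrom -AvailableTo $role.AvailableTo -RequestedTime $when) {
    New-PAMRequest -Role $role -Justification "Planned maintenance" -RequestedTime $when
} else {
    Write-Warning "Requested time $when is outside the availability window of $($role.DisplayName)."
}
```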