Split View and Secret Co-ownership
To comply with specific security policies, maintain regulatory compliance and enforce segregation of duties, it may be a business requirement that no single user has access to the entire secret, password or parameter within a record.
Some refer to this functionality as the “Two-person rule” because it requires one user to retrieve the first part of a password and a second (or more) user to retrieve the remainder, thus requiring two people to construct the full password.
In Privileged Access Management, we call this “Split View”. When enabled, the Unlock option reveals either the first part or the second part of the record’s password, depending on your configuration.
This prevents a single PAM user from ever being able to Unlock the complete password for a record.
Configure
To configure Split View:
- Log in to the System as a System Administrator.
- Navigate to Administration > Settings > Parameters.
- Locate the option Split View Role and select one of the available options.
- Disabled: When selected, the Split View functionality is disabled.
- First Part: When selected, the users assigned the Global Role Split View will reveal only the first part of the value when using the Unlock option.
- Last Part: When selected, the users assigned the Global Role Split View will reveal only the last part of the value when using the Unlock option.
- Click the Save button for this option.
- Navigate to Administration > Global Roles.
- Click the Add button, add one or more Principals and assign the Global Role Split View.
- Click the Select button to complete this role assignment.
- Split View is now enabled.
Note that the users or groups assigned this role will see either the first or the last part of the value in the unlocked field, as configured above. All other PAM users not assigned this role will see the remaining part of the value.
Test
To test Split View:
- Log in to the System as a user with the Global Role Split View.
- Open a record with a Password field and click the Unlock button.
- The configured part of the password will be revealed, as shown below.
- Log out and then log in to the System as a user without the Global Role Split View.
- Open the same record and click the Unlock button.
- The other portion of the password will now be revealed to this user.
- For comparison, here is the full, non-split password used in this example.
Please note that the partial password is displayed by splitting the full value into two equal parts, with a pipe (|) character marking the split and the concealed half shown as asterisks (***). The pipe character appears in both views and is not an actual character in the password itself.
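As an added illustration of the display rule just described (this is example code written for this page, not the PAM product’s own implementation), the following Python model renders what the Unlock option shows to a user with and without the Global Role Split View, and shows how the two partial views combine under the two-person rule. The handling of odd-length values (the extra character goes to the first half) and the assumption that the secret itself contains no pipe character are assumptions of this example, not statements from the page.

```python
from __future__ import annotations

# Added example, not the product's own code. Models the Split View display
# rule: the value is split into two equal parts, a pipe marks the split, and
# the half the user may not see is shown as asterisks.

# The three values of the "Split View Role" parameter described on this page.
DISABLED = "Disabled"
FIRST_PART = "First Part"
LAST_PART = "Last Part"


def split_secret(secret: str) -> tuple[str, str]:
    """Split a secret into two halves at the midpoint.

    Assumption of this example: for an odd-length value the first half
    receives the extra character.
    """
    mid = (len(secret) + 1) // 2
    return secret[:mid], secret[mid:]


def unlock_view(secret: str, split_view_role: str, user_has_split_role: bool) -> str:
    """Return the string the Unlock option shows to a given user.

    split_view_role is the Administration > Settings > Parameters value.
    Users holding the Global Role Split View see the configured part; every
    other user with Unlock permission sees the remaining part.
    """
    if split_view_role == DISABLED:
        return secret
    first, last = split_secret(secret)
    # The user sees the first half when the role is "First Part" and they hold
    # the Split View role, or when the role is "Last Part" and they do not.
    show_first = (split_view_role == FIRST_PART) == user_has_split_role
    if show_first:
        return first + "|" + "*" * len(last)
    return "*" * len(first) + "|" + last


def reconstruct(split_role_view: str, other_view: str, split_view_role: str) -> str:
    """Combine the two partial views (the two-person rule) into the full value.

    Assumption of this example: the secret does not contain the pipe
    character, so the first pipe in each view is the split marker.
    """
    if split_view_role == FIRST_PART:
        first_view, last_view = split_role_view, other_view
    else:
        first_view, last_view = other_view, split_role_view
    revealed_first = first_view.split("|", 1)[0]
    revealed_last = last_view.split("|", 1)[1]
    return revealed_first + revealed_last


if __name__ == "__main__":
    # Constructed sample value for the demonstration (not a real credential).
    sample = "Sunny-Dayz-2025!"
    role_user = unlock_view(sample, FIRST_PART, user_has_split_role=True)
    other_user = unlock_view(sample, FIRST_PART, user_has_split_role=False)
    print("Split View user sees :", role_user)
    print("Other user sees      :", other_user)
    print("Combined             :", reconstruct(role_user, other_user, FIRST_PART))
```

Each view on its own exposes only half of the value and the length of the other half; only a user who can obtain both views (or who holds Edit or Change History access, see the considerations below) learns the full secret, which is the property the Global Role assignment is meant to enforce.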
Consideration
Considerations when enabling Split View:
- The Split View functionality is only applied to a record’s Unlock option.
- When Split View is enabled, it is applied to all System users with at least the Unlock permission on a record.
Editors, Owners and System Administrators can still view the full, non-split password in both the Edit and Change History views of the record.