Imprivata Privileged Access Management Product Update 2.3.201812162247

December 16, 2018

PAM Update: Adds enforcement of workflow restrictions for the sensitive admin functions, and task execution with dependencies

Highlights of this update include enforcement of workflow restrictions for the sensitive administration functions and for object-level permissions and workflow configuration, as well as the option to trigger task execution for dependent records.

Added the option to enforce workflow restrictions for the sensitive administration functions

This function enables several useful scenarios for managing the PAM configuration.

First, the function enables a dual-control option for the sensitive PAM administration functions, preventing any single individual from having master access to all system data.

The function requires a peer administrator to approve any action by another administrator that would otherwise allow unsanctioned privileged access.

The other use of this function is to delegate system maintenance to a group of administrators while preventing them from accessing sensitive data and privileged accounts managed by the system (or requiring peer or management approval or notification), including the option to change object permissions and the workflow scheme that would enable such access.

Added the option to enforce workflow restrictions for folder- and record-level permissions and workflow bindings, to delegate administration roles for object management

This function allows restricting object owners to certain operations.

It allows, for instance, blocking access to a password or to the system itself for users who have permission to create new records or folders.

The other use of this function is to delegate the system administrator role to a group or user whose access is limited to certain areas (a vault or folder) of the application.

Added the option to trigger task execution for dependent records after successful completion of the task executed for a master record

This option allows triggering the tasks of dependent records after successful completion of the master record task.

The typical use of this function is to update a domain-based service account in the service configurations of multiple computers on the domain after the password of that service account has been changed.

The task _Windows Remote Reset Dependent Services_ is also added to the list of out-of-the-box tasks to better support this option.

This function is based on the referenced-records concept: the dependent records are all records that reference the master record, plus the record referenced by the master record.

The trigger condition is defined in the master record script as the following line, which PowerShell treats as a comment, where _Script Name to Trigger_ is the script name of the dependent task:

#XTAM TRIGGER REF Script Name to Trigger
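As an added illustration (not Imprivata's code), the following Python model shows the trigger semantics described above: the `#XTAM TRIGGER REF` line is parsed out of the master script, dependent records are selected by the referenced-records rule, and the named dependent script runs only when the master task succeeds. The record names, script bodies and the executor stub are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The directive line from the page; it starts with '#', so PowerShell ignores it as a comment.
TRIGGER_RE = re.compile(r"^\s*#XTAM TRIGGER REF\s+(.+?)\s*$", re.MULTILINE)


@dataclass
class Record:
    name: str
    references: Optional[str] = None                       # record this one references (model only)
    scripts: Dict[str, str] = field(default_factory=dict)  # script name -> script body


def trigger_script_name(script: str) -> Optional[str]:
    """Return the dependent script name declared by the directive, or None if absent."""
    m = TRIGGER_RE.search(script)
    return m.group(1) if m else None


def dependent_records(master: Record, records: List[Record]) -> List[Record]:
    """Dependents: every record referencing the master, plus the record the master references."""
    deps = [r for r in records if r.references == master.name]
    deps += [r for r in records if master.references and r.name == master.references]
    return list({r.name: r for r in deps}.values())      # de-duplicate, keep order


def run_task(master: Record, script: str, records: List[Record],
             execute: Callable[[Record, str], bool]) -> Tuple[bool, List[str]]:
    """Run the master script; only on success, run the triggered script on each dependent.
    `execute` stands in for the PAM executor and returns True when a script succeeds."""
    body = master.scripts[script]
    if not execute(master, body):
        return False, []                                   # a failed master task triggers nothing
    name = trigger_script_name(body)
    executed = []
    for dep in (dependent_records(master, records) if name else []):
        if name in dep.scripts:                            # dependents lacking that script are skipped
            execute(dep, dep.scripts[name])
            executed.append(dep.name)
    return True, executed


# Constructed sample: a service-account record and two host records that reference it.
SERVICE_ACCOUNT = Record("svc-backup", scripts={"Windows Reset Password":
    "# (password reset commands for the service account go here)\n"
    "#XTAM TRIGGER REF Windows Remote Reset Dependent Services\n"})
HOSTS = [Record(h, references="svc-backup",
                scripts={"Windows Remote Reset Dependent Services": "# restart services here"})
         for h in ("host-a", "host-b")]
ALL_RECORDS = [SERVICE_ACCOUNT, *HOSTS, Record("host-c")]  # host-c references nothing


def demo(master_succeeds: bool = True) -> Tuple[bool, List[str]]:
    # Stub executor: the master outcome is configurable, dependent scripts always succeed.
    execute = lambda rec, body: master_succeeds or rec is not SERVICE_ACCOUNT
    return run_task(SERVICE_ACCOUNT, "Windows Reset Password", ALL_RECORDS, execute)
```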