Imprivata Privileged Access Management Product Update 2.3.202005312314

May 31, 2020

PAM Update: Added SSH Agent Forwarding and optional time restrictions for access requests

This update adds support for SSH Agent Forwarding, configurable restrictions for access requests, location tracking for requesters, mouse-triggered session events and streamlined deployment of HA and DR nodes.

Added support for SSH agent forwarding

The update adds support for SSH Agent Forwarding through the high-trust SSH proxy.

The option enables connecting to the destination server through one or more bastion hosts using the same public and private key pairs managed by the system vault.

The option is a useful addition to the MSP endpoint access toolkit: it allows access to multiple SSH-based endpoints in an isolated customer network to be unified through the bastion hosts in a secure, zero-trust manner.

SSH agent forwarding is controlled by a custom Checkbox field with the name Agent Forwarding and the display name Agent Forwarding. The field is added to the Unix Host with Key or Unix Host with Private Key record type (or a record type inherited from them) and is checked on the record to enable the option.

Added configurable restrictions for access requests

The update adds the option to restrict the values of parameters submitted when requesting access to system actions and assets, limiting users' ability to submit incorrect or unreasonable requests.

The Maximum Requested Time and Minimum Requested Time parameters limit the requested time, whether it is entered directly or by selecting a requested time range.

Minimum Reason Length requires users to submit descriptive requests so that approvers can take informed action.

All restrictions are optional and are available in the Workflow section of the Administration / Settings / Parameters screen.
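The following is an added example (not Imprivata code) of how a request validator enforcing the three restrictions above behaves. The class and field names are constructed for illustration; the rule that the requested time is resolved either from a directly entered duration or from a selected start/end range follows the description above, and the reason length is counted after trimming whitespace so that padding cannot satisfy the minimum.

```python
"""Access-request validation illustrating Maximum/Minimum Requested Time and
Minimum Reason Length restrictions.  Added example, not Imprivata code; all
names and sample values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RequestRestrictions:
    """Optional limits; None means the restriction is not configured."""
    min_requested: Optional[timedelta] = None
    max_requested: Optional[timedelta] = None
    min_reason_length: Optional[int] = None


@dataclass(frozen=True)
class AccessRequest:
    reason: str
    duration: Optional[timedelta] = None  # requested time entered directly ...
    start: Optional[datetime] = None      # ... or as a selected time range
    end: Optional[datetime] = None


def requested_duration(req: AccessRequest) -> timedelta:
    """Resolve the requested time whether entered directly or as a range."""
    if req.duration is not None:
        return req.duration
    if req.start is not None and req.end is not None:
        return req.end - req.start
    raise ValueError("request carries neither a duration nor a start/end range")


def validate_request(req: AccessRequest, limits: RequestRestrictions) -> List[str]:
    """Return the violated restrictions; an empty list means the request is acceptable."""
    problems: List[str] = []
    duration = requested_duration(req)
    if duration <= timedelta(0):
        problems.append("requested time must be positive")
    if limits.min_requested is not None and duration < limits.min_requested:
        problems.append(f"requested time {duration} is below the minimum {limits.min_requested}")
    if limits.max_requested is not None and duration > limits.max_requested:
        problems.append(f"requested time {duration} exceeds the maximum {limits.max_requested}")
    # Count the reason after trimming surrounding whitespace so that blank
    # padding cannot be used to satisfy the minimum length.
    if limits.min_reason_length is not None and len(req.reason.strip()) < limits.min_reason_length:
        problems.append(f"reason must be at least {limits.min_reason_length} characters")
    return problems


# Constructed sample configuration and requests.
LIMITS = RequestRestrictions(min_requested=timedelta(minutes=15),
                             max_requested=timedelta(hours=8),
                             min_reason_length=20)
OK_REQUEST = AccessRequest(reason="Ticket CHG-0001 (constructed): apply kernel patch on db01",
                           duration=timedelta(hours=2))
BAD_REQUEST = AccessRequest(reason="fix      ",
                            start=datetime(2020, 5, 31, 9, 0),
                            end=datetime(2020, 5, 31, 23, 0))

if __name__ == "__main__":
    print(validate_request(OK_REQUEST, LIMITS))
    print(validate_request(BAD_REQUEST, LIMITS))
```

The second sample request is rejected twice: the selected range is 14 hours, above the 8-hour maximum, and the trimmed reason is only three characters.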

Added location tracking for requesters

The update adds the option to include the IP address of the person requesting access in the workflow approval notification, so that approvers can make an informed decision based on the requester's location.

The option is configured using notification template placeholders: log.ip for the IP address from the audit log, and request.ip and request.requestor.ip for the last IP address of the workflow requester.

Added event-triggered key recording

The update generates an RDP web session key-sequence event in response to a mouse click, function-key or Ctrl-key action, in addition to the Enter key.

The option allows session events to be handled in GUI-based applications, for example recording a SQL statement entered in SQL Studio and executed by pressing a button or a function key.
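As an added example (not Imprivata code), the function below shows the segmentation logic such a recorder needs: keystrokes are buffered and flushed as one key-sequence event whenever a trigger arrives, where a trigger is the Enter key, a function key, any Ctrl-modified key or a mouse click. The event format and the sample session are constructed for illustration.

```python
"""Segment a stream of session input events into recorded key-sequence events.
Added example, not Imprivata code; the InputEvent format is constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Function keys that, like Enter, close the current key sequence.
FUNCTION_KEYS = {f"F{i}" for i in range(1, 13)}


@dataclass(frozen=True)
class InputEvent:
    kind: str            # "key" or "mouse"
    value: str           # single character, key name (ENTER, F5, BACKSPACE) or mouse button
    ctrl: bool = False   # Ctrl modifier held for a key event


def is_trigger(ev: InputEvent) -> bool:
    """True if this event should flush the buffered keystrokes as a recorded event."""
    if ev.kind == "mouse":
        return True
    if ev.kind == "key":
        return ev.value == "ENTER" or ev.value in FUNCTION_KEYS or ev.ctrl
    return False


def trigger_label(ev: InputEvent) -> str:
    """Human-readable name of the trigger stored with the recorded event."""
    if ev.kind == "mouse":
        return f"mouse:{ev.value}"
    if ev.ctrl:
        return f"ctrl+{ev.value}"
    return ev.value


def record_key_sequences(events: Iterable[InputEvent]) -> List[Tuple[str, str]]:
    """Return (trigger, typed_text) pairs, one per trigger event.

    A trigger with no buffered text still produces an event with empty text so
    that clicks and shortcuts remain visible in the session log.  Backspace
    edits the buffer; other non-printable keys (arrows, Shift) are ignored.
    """
    recorded: List[Tuple[str, str]] = []
    buffer: List[str] = []
    for ev in events:
        if is_trigger(ev):
            recorded.append((trigger_label(ev), "".join(buffer)))
            buffer = []
        elif ev.kind == "key" and ev.value == "BACKSPACE":
            if buffer:
                buffer.pop()
        elif ev.kind == "key" and len(ev.value) == 1:
            buffer.append(ev.value)
    return recorded


def typed(text: str) -> List[InputEvent]:
    """Expand a string into one printable key event per character."""
    return [InputEvent("key", c) for c in text]


# Constructed sample session: a query run with F5, an update run with a mouse
# click on the application's execute button, then a Ctrl+S shortcut.
SAMPLE_SESSION = (
    typed("SELECT id FROM accounts;") + [InputEvent("key", "F5")]
    + typed("UPDATE accounts SET locked = 1 WHERE id = 7x")
    + [InputEvent("key", "BACKSPACE")] + typed(";")
    + [InputEvent("mouse", "left"), InputEvent("key", "s", ctrl=True)]
)

if __name__ == "__main__":
    for trigger, text in record_key_sequences(SAMPLE_SESSION):
        print(f"{trigger:12} {text!r}")
```

Note that with Enter as the only trigger, the second statement in the sample session would never be recorded, because the operator executed it with a mouse click rather than the keyboard.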

Added streamlined deployment of HA and DR nodes

The update adds an option to the Linux installation script to deploy a new system with a provided master password instead of generating one, simplifying the deployment of High Availability or disaster recovery nodes.

The update simplifies the deployment of additional or disaster recovery nodes, which rely on the main node's master key to decrypt system data.

Previously, the option was available only in a post-installation script that replaced the system master password with a new one.

To activate the feature, use the -mp MASTER-PASSWORD option in the Linux installation script, replacing the MASTER-PASSWORD placeholder with the master password of the main node.