Apply Access Controls Based on Just-in-Time Contexts

In traditional PAM workflows, permissions are often granted globally to individuals based on job role and do not take into account real-time risk factors such as location, day or time. Password Safe enables the dynamic assignment of just-in-time privileges via the Advanced Workflow Control engine.

Policies can be extended to block password access to some managed resources unless the request originates from the corporate network or another approved source, or to allow access to certain vendor accounts only if the request originates from the vendor network.

Having this capability ensures that users have the right access according to the context of their request, thereby minimizing opportunities for exploiting privileged credentials.

Advanced Workflow Control

Streamline workflow: Leverage true Role-Based Access Controls (RBAC) with Active Directory and LDAP integration for assigning roles and rights to users.

Simplify requests: Manage checkout workflows with seamless connectivity to RDP & SSH via native desktop tools such as PuTTY and Microsoft MSTSC.

Accommodate break-glass requests: Ensure access to password-managed systems after hours, on weekends, or in other emergency situations.

Utilize JIT context: Consider the day, date, time and location when a user accesses resources to determine their ability to access those systems.

Bulk Changes: Filter and select multiple accounts to perform mass password changes, removal, and unlinking from a managed AD account.

Ad Hoc Groups: Create ad hoc groups of managed accounts in seconds.

Post-login command execution: Administrators can leverage a Unix or Linux Jumphost to run a specific command or script after a session connects.

Multi-system checkout: Allows admins to check out an account with a multi-system parameter, then launch sessions to linked systems.

Expedite checkout operations: Use OneClick for access to passwords, sessions and applications that would normally be approved automatically.

Connect to sessions without an agent: With DirectConnect, administrators can launch an SSH session by simply passing a connection string to the Password Safe proxy. No agents need to be installed on the hosts, and connection to any SSH system is supported, including Unix/Linux hosts, and network devices such as routers or firewalls.