Dual Control

The Master Policy enables organizations to ensure that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner(s). This is known as Dual Control.

How it works

Authorized Safe Owners can either grant or deny requests to access accounts. This feature adds an additional measure of protection, in that it enables you to see who wants to access the information in the Safe, when, and for what purpose.

 

The first group member who confirms or rejects a request does so on behalf of the entire group. If more than one confirmation is required, each group is equivalent to a single authorized user and will count as a single confirmation/rejection.

As soon as users receive confirmation for a request from an authorized user, they can access the password that the request was created for.

The manual security workflow comprises the following steps:

  1. The user creates a request: A user who wishes to access an account in an environment where the Master Policy enforces Dual Control must first create a request. In the request, the user specifies the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it. A notification about the request is sent to users who are authorized to confirm this request. For more information, refer to Request access to accounts.
  2. The request is confirmed or rejected by the authorized user: Through the notification, authorized users can access the request and view its details. Based on these details, authorized users either confirm or reject the request. The number of authorized users who are required to confirm requests is defined in the Master Policy. Confirm requests from the PVWA (see Confirm requests in PVWA) or from the CyberArk Mobile app (see Confirm requests in CyberArk Mobile App).
  3. The user connects to the account: Each time an authorized user responds to the request, the user who created it receives a notification. When the total number of required confirmations is received for the request, this user receives a final notification. The user can now activate the confirmation and access the account according to the request specifications. For more information, refer to Review waiting and approved requests .

The following diagram shows the above steps:

request workflow

Users can access requests as long as they are valid. As soon as a request becomes invalid, it cannot be accessed by either the user who created it or by users who are authorized to confirm it.

Requests become invalid for any of the following reasons:

  • The access period that the user specified in the request has passed.

  • The user created a request for single access, which has already been used.

  • The Safe’s request retention period for the request has passed.

  • The Safe or password specified in the request has been deleted.

  • There are not enough supervisors to authorize this request, the number of supervisors has changed, or the settings for confirmation have been changed.

  • The Vault version has been updated.

Dual control options

PAM - Self-Hosted offers you several options for dual control:

Option

Description

Require dual control password access approval

A request must be confirmed by one or more authorized users before privileged accounts can be accessed. A specific number of authorized users required to confirm requests can be determined in Advanced Settings by the Number of confirmers required to authorize requests setting. Dual control mode is enabled when the advanced multi-level and managerial approval modes are inactive.

Option

Description

Require multi-level password access approval

A request must be confirmed by two levels of authorized users before privileged accounts can be accessed. Authorized Safe owners (either groups or users) are assigned a confirmation level, and authorize requests according to that order. This means that the first level of authorized users  must confirm requests before they are transferred to the second level of authorized users. Permission to access the requested privileged account is only given after both levels of authorized users have confirmed the request. If a request is denied at the first level, it is not passed on to the second level, and if it is denied at the second level, the confirmations from the first level become irrelevant.

When a number of required confirmers is set by the Number of confirmers required to authorize requests advanced setting, this number of confirmers is required at each level. If All confirmers are required to confirm requests, all confirmers from both levels must confirm requests before accounts can be accessed. For example, if the Number of confirmers required to authorize requests setting is set to three confirmers, a total of six confirmers are required to review and approve requests – three confirmers from level one and three confirmers from level two.

For more information about configuring dual control, refer to Dual Control.

Only direct manager can approve password access requests

A request must be confirmed by the direct managers of the user who created the request. This streamlines the confirmation process as, typically, privileged accounts are stored in Safes where multiple authorized users can confirm requests. This workflow integrates with Active Directory to automatically identify the requestor’s direct manager.

This advanced setting cannot be enabled together with multi-level confirmation, or with multiple required confirmers (more than one), as requests will never be confirmed and will not be usable.

For more information about configuring the Vault for direct manager confirmation, see Dual Control.

As PSM and PSM for SSH is used to initiate privileged sessions without divulging passwords or keys, platforms can be configured to enable PSM and PSM for SSH connections without requiring confirmation, even when Dual Control is configured. For more information, refer to:

Configure PSM for Specific Platforms

Configure Platforms for PSM for SSH Connections

Create and manage requests

This section describes how to create requests for access to privileged accounts, track them, and use requests to access accounts after you have received confirmation from authorized users.

Request access to accounts

Before a user can retrieve an account in an environment where the Master Policy enforces access confirmation, a request must be sent to authorized users to be confirmed. You can create multiple requests in a single action to streamline the access workflow. If access to multiple accounts and confirmation is required, you can select the required accounts and submit requests for all of them in a single click. For each account, a separate request will be sent for confirmation. Once access to an account is confirmed you can use this account and don’t need to wait for confirmation for the other accounts.

Accounts that require confirmation before they can be accessed are marked with a status icon, as shown in the following example. This icon is displayed in the Accounts List and the Accounts Details page.

 

By default, confirmation for a Connect request will allow you to Show/Retrieve or Copy the password/SSH key as well.

However, the system can be configured to restrict users who create a Connect request and receive confirmation to connect to the remote machine with the requested account, but not to Show/Retrieve or Copy its password/SSH key. This restriction is only effective when access is through the PVWA web portal or the mobile PVWA.

  1. To create a request for access to a single account, from the Accounts List or the Account Details page, click Show/ Retrieve, Copy or Connect.

    The Request Access window appears.

  2. To create requests for access to multiple accounts, from the Accounts List, select the required accounts and click Request Access. The Request Access window appears.

     

    Confirmation for requests that are created for multiple accounts allow users to Show/Retrieve, Copy and Connect with passwords/SSH keys.

    The Request Access window prompts the user for all the access information that they are required to provide before they can access the account and view or use the password.

  3. In the Reason area, type the reason for the request.

  4. If a ticket is required to access this account, in the Ticket Information area, select the ticketing system and specify the ticket ID.

  5. If you require access during a period of time, in the Request Timeframe area, select Access is required from and specify the dates.

  6. If you will need to access the Safe or account several times, select Multiple access is required during this period.

  7. If this request requires multi-level confirmation, in the Confirmation area, the request Status indicates the number of authorized users who must confirm the request at each level. Click the information to view a list of the authorized users.

    If this request requires Direct Manager confirmation, the Status details indicates the number of authorized users who are required to confirm the request. Click Status details to display the name of the group that is required to confirm the request and a list of group members.

  8. If this request is for confirmation to log onto a remote machine transparently, and you can use either a domain or NIS account, you can select the machine(s) to connect to and enforce.

    • You can specify multiple machine addresses in either of the following ways:

      Any machine In Remote Machine, specify ‘*’ (asterisk). 
      Multiple machines In Remote Machine, specify multiple machine addresses separated with a comma. For example, 1.1.1.174, 1.1.1.228, 1.1.1.235.

      The next time you are prompted for remote connection details, these remote machine addresses will be listed in a drop-down list.

      image004

      When you connect using a confirmed request, you are automatically logged into this machine.

    • If a preconfigured list of addresses was defined for this account, you will only be able to specify a machine which appears in the All Addresses list.

      image003

    • If the account with the preconfigured list of addresses was also configured to allow the user to connect to addresses which do not appear in the preconfigured list, you will be able to enter a different address, or addresses from the ones that appear in the list.

  9. If this request is for confirmation to enable you to connect to a remote database through PSM, and the system is configured to enable specific users to connect as a different user, the Connect As drop-down list is displayed.

  10. From the drop-down list, select the user to use to log onto the remote database.
  11. To view more details about the users who will confirm this request, click the linked status; a list of authorized users for this request is displayed. You can view more information about specific users by expanding their user name.

  12. Click OK; the request is created and sent to users who can authorize it.

    or,

    Click Cancel to close the password retrieval form without sending the request.

After you have created the request, if the ENE is configured to send notifications for new requests a notification is sent to all the authorized users who are required to confirm the request.

  • If Require multi-level password access approval was enabled, a notification is sent to the first level of authorized users who are required to confirm it. After the required number of authorized users have confirmed the request, a notification is sent to the second level of authorized users who are required to confirm it.
  • If Only direct manager can approve password access requests was enabled, a notification is sent to your direct managers who are required to confirm it.

For more information about configuring the ENE to send notifications, refer to Configuration.

If a user tries to access the same account again before receiving confirmation, the Request Details page appears. A second request is not sent as the previous request is still unanswered.

View your requests

After you have sent a request, you can view its status at any time. You can also delete requests that are no longer relevant or invalid.

  1. In the Accounts List, the Requests View enables you to view the requests you have sent for authorization.

  2. Click My Requests; the My Requests page appears.

     

    The Request ID is unique to each Safe.

    This page lists the requests that you have created and sent for authorization. The icon next to each request indicates the status of the request:

    Icon Indicates  …

    		The request has not yet been authorized.

    confirmed icon

    		The request has been authorized.

    alert

    		The request has become invalid.
  3. Select Show only waiting requests to display your requests that have not yet been confirmed.
  4. Select Include expired requests to display invalid requests in the requests list.
  5. Click a request to display more information in the Request Details page.

Delete a request

The user who created a request can also delete it.

  1. In the Request Details page, click Delete on the toolbar; you are prompted to confirm that you want to delete the request.

  2. Click Yes to delete the request,

    or,

    Click No to leave the request in the Requests list and return to the Request Details page.

If the ENE is configured to send notifications when requests are deleted, a notification is sent to all the authorized users who are required to confirm the request.

  • If Require multi-level password access approval was enabled, a notification is sent to all authorized users at the level that is currently required to confirm this request.
  • If Only direct manager can approve password access requests was enabled, a notification is sent to your direct managers .

For more information about configuring the ENE to send notifications, refer to Configuration.

Review waiting and approved requests

You can review your waiting requests at any time. In addition, as soon as your request has been confirmed or denied by an authorized user, you can see it in your Request List.

  1. In the Accounts List, My Requests counter displays the total number of approved, declined and waiting requests. The tooltip displayed when you place your mouse over ‘My Requests’ displays the number of each type of request.

  2. Click the link to the request objects; the Access Requests page appears and displays the My Requests list.

    Confirmed requests are marked with the confirmed request icon so that you can identify them at a glance.

  3. Select Show only waiting requests to display requests that have not yet been authorized.
  4. Select Include expired requests to display invalid requests.

  5. Select the confirmed request; the Request Details page appears.

    This page displays the status of the request.

  6. Click the name of a user who is authorized to confirm the request to display more information.

  7. Click the name of the account that appears in the Account Details; the Account Details page for that account appears. The status icon now indicates that the request to retrieve this account was confirmed and you can now use the password.

If the confirmed request is for a single operation, after you have used it to access an account the request becomes invalid.

Confirm requests in PVWA

This section describes how to confirm requests for access to privileged accounts that you have received in the PVWA. It is specifically for users who are authorized to confirm requests.

Safe Owners who have the Authorize password requests permission for a specific Safe can authorize requests to permit other users to access an account in that Safe. The instructions below are for these Safe members.

Authorized users can either confirm or reject these requests in one step, or handle each request separately.

When a request must be authorized by multiple users, these users can do so in any order. However, if a request requires multi-level confirmation, the first level of authorized users receive the request for confirmation immediately after it is created. The second level of authorized users only receive the request after the required number of users at the first level have confirmed it. If any users at the first level deny the request, it is not sent to users at the second level.

 

The first group member who confirms or rejects a request does so on behalf of the entire group. If more than one confirmation is required, each group is equivalent to a single authorized user and will count as a single confirmation/rejection. This is relevant to both basic and multi-level confirmation.

After you have confirmed or denied a request, a notification is sent to all the authorized users who are required to confirm the request.

If the advanced Require multi-level password access approval setting was enabled:

  • After each confirmation or denial, a notification is sent to all authorized users at the confirmation level of the user who has just confirmed it.
  • After the first level of authorized users have confirmed a request, a notification about the request is sent to the second level of authorized users.
  • After the final confirmation, a notification is sent to both levels of authorized users.

  1. In the Accounts List, you can see how many requests are waiting for you to authorize.

  2. Click Incoming Requests; the Incoming Requests page appears.

    The Request ID is unique to each Safe.

  3. By default, this page displays the requests that are waiting for you to authorize or reject. Clear Show only requests waiting for my confirmation to display all the requests that you have authorized or rejected.

     

    This option may be hidden, so that you can only view requests that are waiting for you to authorize or reject.
  4. Select Include expired requests to display invalid requests.

  5. Click a request to display more information; the Request Details page for the authorized user appears.

    This page displays the details of the request as well as the buttons that enable the user to confirm or reject the request.

    If the operation is initiated from a Connect request, the text in the Operation details begins with Connect to.

    If the operation is initiated from a Show/Retrieve/Copy request, the text in the Operation details begins with Retrieve password.

    If this request requires multi-level confirmation, the following additional information is displayed:

    • In the Request Status, the number of users from each level that still have to confirm the request is displayed.

    • In the list of users who are required to authorize this request, the names of the authorized users are displayed.

    If this request requires confirmation by a direct manager, the following additional information is displayed:

    • In the Request Status, a single required confirmation is specified, as only the direct managers group can confirm this request.

    • In the list of users who are required to authorize this request, the name of the LDAP group who can confirm the request is displayed.

  6. Confirm a single request:

    1. In the Request Details page, after reading the request, specify the reason for authorizing or rejecting the request.

    2. Click Confirm to confirm the request,

      or,

      Click Reject to reject the request and prevent the user who created the request from accessing the account.

     

    By default, confirmation for a Connect request will allow users to Show/Retrieve or Copy the password/SSH key as well.

    However, the system can be configured to restrict users who create a Connect request and receive confirmation to connect to the remote machine with the requested account, but not to Show/Retrieve or Copy its password/SSH key. This restriction is only effective when access is through the PVWA web portal or the mobile PVWA.

  7. Confirm multiple requests

    1. In the Incoming Requests page, select the requests to confirm or reject.

    2. On the toolbar, click Confirm to confirm the selected requests,

      or,

      Click Reject to reject the requests and prevent the user who created the request from accessing the specified accounts.

    3. A window appears that summarizes the number of accounts included in this confirmation or rejection. If you are required to specify a reason, you will not be able to click OK until you have specified one.

      If some of the selected requests have already been confirmed or rejected, a message is displayed in this window.

Requests that have already been confirmed or reject cannot be confirmed or rejected again.

The Incoming Requests page appears again. If Show only requests waiting for my confirmation is selected, the request that was handled does not appear in the list.

After requests have been confirmed, users can see the requests’ new status in the Accounts List. For more information about accessing accounts after requests have been confirmed, see View your requests.

Confirm requests in CyberArk Mobile App

  1. On your mobile device, open the CyberArk Mobile app.

  2. Click the menu icon. Select a company and enter your CyberArk Mobile pin code.

    The CyberArk Mobile displays your applications.

  3. Select an application to display the accounts.

  4. Click the Requests tab to view the list of requests. By default, requests are listed from newest to oldest.

  5. Swipe each request to Confirm or Reject. Or click Select to confirm or reject multiple requests.

    The status of the request is updated in the users Accounts and Requests window in the PVWA.