Dual Control

The Master Policy enables organizations to ensure that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner(s). This is known as Dual Control.

How it works

Authorized Safe Owners can either grant or deny requests to access accounts. This feature adds an additional measure of protection, in that it enables you to see who wants to access the information in the Safe, when, and for what purpose.

 

The first group member who confirms or rejects a request does so on behalf of the entire group. If more than one confirmation is required, each group is equivalent to a single authorized user and will count as a single confirmation/rejection.

As soon as users receive confirmation for a request from an authorized user, they can access the password that the request was created for.

The manual security workflow comprises the following steps:

  1. The user creates a request: A user who wishes to access an account in an environment where the Master Policy enforces Dual Control must first create a request. In the request, the user specifies the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it. A notification about the request is sent to users who are authorized to confirm this request. For more information, refer to Request access to accounts.
  2. The request is confirmed or rejected by the authorized user: Through the notification, authorized users can access the request and view its details. Based on these details, authorized users either confirm or reject the request. The number of authorized users who are required to confirm requests is defined in the Master Policy. Confirm requests from the PVWA (see Confirm requests in PVWA) or from the CyberArk Mobile app (see Confirm requests in CyberArk Mobile App).
  3. The user connects to the account: Each time an authorized user responds to the request, the user who created it receives a notification. When the total number of required confirmations is received for the request, this user receives a final notification. The user can now activate the confirmation and access the account according to the request specifications. For more information, refer to Review waiting and approved requests .

The following diagram shows the above steps:

request workflow

Users can access requests as long as they are valid. As soon as a request becomes invalid, it cannot be accessed by either the user who created it or by users who are authorized to confirm it.

Requests become invalid for any of the following reasons:

  • The access period that the user specified in the request has passed.

  • The user created a request for single access, which has already been used.

  • The Safe’s request retention period for the request has passed.

  • The Safe or password specified in the request has been deleted.

  • There are not enough supervisors to authorize this request, the number of supervisors has changed, or the settings for confirmation have been changed.

  • The Vault version has been updated.

Dual control options

PAM - Self-Hosted offers you several options for dual control:

Create and manage requests

This section describes how to create requests for access to privileged accounts, track them, and use requests to access accounts after you have received confirmation from authorized users.

Request access to accounts

Before a user can retrieve an account in an environment where the Master Policy enforces access confirmation, a request must be sent to authorized users to be confirmed. You can create multiple requests in a single action to streamline the access workflow. If access to multiple accounts and confirmation is required, you can select the required accounts and submit requests for all of them in a single click. For each account, a separate request will be sent for confirmation. Once access to an account is confirmed you can use this account and don’t need to wait for confirmation for the other accounts.

Accounts that require confirmation before they can be accessed are marked with a status icon, as shown in the following example. This icon is displayed in the Accounts List and the Accounts Details page.

View your requests

After you have sent a request, you can view its status at any time. You can also delete requests that are no longer relevant or invalid.

Delete a request

The user who created a request can also delete it.

Review waiting and approved requests

You can review your waiting requests at any time. In addition, as soon as your request has been confirmed or denied by an authorized user, you can see it in your Request List.

Confirm requests in PVWA

This section describes how to confirm requests for access to privileged accounts that you have received in the PVWA. It is specifically for users who are authorized to confirm requests.

Safe Owners who have the Authorize password requests permission for a specific Safe can authorize requests to permit other users to access an account in that Safe. The instructions below are for these Safe members.

Authorized users can either confirm or reject these requests in one step, or handle each request separately.

When a request must be authorized by multiple users, these users can do so in any order. However, if a request requires multi-level confirmation, the first level of authorized users receive the request for confirmation immediately after it is created. The second level of authorized users only receive the request after the required number of users at the first level have confirmed it. If any users at the first level deny the request, it is not sent to users at the second level.

 

The first group member who confirms or rejects a request does so on behalf of the entire group. If more than one confirmation is required, each group is equivalent to a single authorized user and will count as a single confirmation/rejection. This is relevant to both basic and multi-level confirmation.

After you have confirmed or denied a request, a notification is sent to all the authorized users who are required to confirm the request.

If the advanced Require multi-level password access approval setting was enabled:

  • After each confirmation or denial, a notification is sent to all authorized users at the confirmation level of the user who has just confirmed it.
  • After the first level of authorized users have confirmed a request, a notification about the request is sent to the second level of authorized users.
  • After the final confirmation, a notification is sent to both levels of authorized users.

Confirm requests in CyberArk Mobile App