Set up dual control

This topic describes how to set up an approval process for connecting to target devices using the dual control mechanism.

Dual control means that two entities are responsible for an action. In Privilege Cloud, dual control can be configured in order to allow users to connect to a target device only after they receive approval or confirmation from an authorized safe owner.

Dual control adds an additional measure of protection and is often used for privileged accounts that require additional monitoring. It is configured in the Master Policy. For details, see Require dual control password access approval.

How it works

You can either grant or deny requests to access accounts. This allows you to see who wants to access the information in the safe, when, and for what purpose.

As soon as users receive confirmation for a request from an authorized user, they can access the password that the request was created for.

The workflow

request workflow

The user creates a request.

A user who wants to access an account in an environment where the Master Policy enforces dual control must first create a request.

In the request, the user specifies the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it.

A notification about the request is sent to users who are authorized to confirm this request.
The request is confirmed or rejected by the authorized user.

Through the notification, authorized users can access the request and view its details.

Based on these details, authorized users either confirm or reject the request. See Approve user access from CyberArk Mobile.

The number of authorized users who are required to confirm requests is defined in the Master Policy. For details, see Require dual control password access approval.
The user connects to the account.

Each time an authorized user responds to the request, the user who created it receives a notification.

When the total number of required confirmations is received for the request, this user receives a final notification.

The user can now activate the confirmation and access the account according to the request specifications.

The request lifecycle

You can access requests as long as they are valid. As soon as a request becomes invalid, it cannot be accessed by either the user who created it or by users who are authorized to confirm it.

Requests become invalid for any of the following reasons:

The access period that the user specified in the request has passed.
The user created a request for single access, which has already been used.
The safe’s request retention period for the request has passed.

The safe or password specified in the request has been deleted.
There are not enough supervisors to authorize this request, the number of supervisors has changed, or the settings for confirmation have been changed.

Configure dual control

This section describes how to configure dual control for a specific platform. Once configured, all of the accounts associated with this platform with require dual control.

To configure dual control:

In the Privilege Cloud Portal, click Policies.
In the Master Policy, select Require dual control password access approval, and then, in the Rule Preview pane, click Add Exception.
On the Create Exception page, select the platform for which you want to configure dual control, and then click Next.
Set Require dual control password access approval to Active, and configure the advanced settings. For details, see Advanced settings.
Click Finish.

Create authorized users

In order to confirm or deny requests, users need to be safe owners and have the Authorize password requests authorization.

Any changes in the confirmers settings, such as removing confirmers and changing confirmer levels, makes all existing requests obsolete.

All existing active requests must be deleted and re-created.

To create an authorized user:

If the user is not a member of the safe, add the user as a member. For details, see Add Safe members

Edit the users authorizations on the Safe Member page.

Select Authorize account requests.
If Require multi-level password access approval , then select the level. For details, see Advanced settings.

Users who belong to multiple groups, and one group is defined as the first level of confirmers and the other is defined as the second level of confirmers will be considered as the second level of confirmers.

Dual control settings

When activating dual control, you have the following settings.

Basic policy rule

Option	Description
Require dual control password access approval	A request must be confirmed by one or more authorized users before privileged accounts can be accessed. A specific number of authorized users required to confirm requests can be determined in Advanced Settings by the Number of confirmers required to authorize requests setting. Dual control mode is enabled when the advanced multi-level and managerial approval modes are inactive.

Option

Description

Require dual control password access approval

A request must be confirmed by one or more authorized users before privileged accounts can be accessed. A specific number of authorized users required to confirm requests can be determined in Advanced Settings by the Number of confirmers required to authorize requests setting. Dual control mode is enabled when the advanced

multi-level and managerial approval modes are inactive.

Advanced settings

Option	Description
Require multi-level password access approval	A request must be confirmed by two levels of authorized users before privileged accounts can be accessed. Authorized Safe owners (either groups or users) are assigned a confirmation level, and authorize requests according to that order. This means that the first level of authorized users must confirm requests before they are transferred to the second level of authorized users. Permission to access the requested privileged account is only given after both levels of authorized users have confirmed the request. If a request is denied at the first level, it is not passed on to the second level, and if it is denied at the second level, the confirmations from the first level become irrelevant. When a number of required confirmers is set by the Number of confirmers required to authorize requests advanced setting, this number of confirmers is required at each level. If All confirmers are required to confirm requests, all confirmers from both levels must confirm requests before accounts can be accessed. For example, if the Number of confirmers required to authorize requests setting is set to three confirmers, a total of six confirmers are required to review and approve requests – three confirmers from level one and three confirmers from level two.
Only direct manager can approve password access requests	A request must be confirmed by the direct managers of the user who created the request. This streamlines the confirmation process as, typically, privileged accounts are stored in Safes where multiple authorized users can confirm requests. This workflow integrates with Active Directory to automatically identify the requestor’s direct manager. This advanced setting cannot be enabled together with multi-level confirmation, or with multiple required confirmers (more than one), as requests will never be confirmed and will not be usable.

Option

Description

Require multi-level password access approval

A request must be confirmed by two levels of authorized users before privileged accounts can be accessed. Authorized Safe owners (either groups or users) are assigned a confirmation level, and authorize requests according to that order. This means that the first level of authorized users must confirm requests before they are transferred to the second level of authorized users. Permission to access the requested privileged account is only given after both levels of authorized users have confirmed the request. If a request is denied at the first level, it is not passed on to the second level, and if it is denied at the second level, the confirmations from the first level become irrelevant.

When a number of required confirmers is set by the Number of confirmers required to authorize requests advanced setting, this number of confirmers is required at each level. If All confirmers are required to confirm requests, all confirmers from both levels must confirm requests before accounts can be accessed. For example, if the Number of confirmers required to authorize requests setting is set to three confirmers, a total of six confirmers are required to review and approve requests – three confirmers from level one and three confirmers from level two.

Only direct manager can approve password access requests

A request must be confirmed by the direct managers of the user who created the request. This streamlines the confirmation process as, typically, privileged accounts are stored in Safes where multiple authorized users can confirm requests. This workflow integrates with Active Directory to automatically identify the requestor’s direct manager.

This advanced setting cannot be enabled together with multi-level confirmation, or with multiple required confirmers (more than one), as requests will never be confirmed and will not be usable.

Terminate privileged session after dual control timeframe expiration

You can control the timeframe in which end users access the organization's assets. This is important from an accountability and compliance perspective.

Enforce the timeframe of the dual control request that is associated with the session, and trigger session termination once that threshold is reached.

To configure session termination

In the Privilege Cloud portal, go to Administration > Configuration Options.
Expand Configurations > Privileged Session Management > General Settings, and then click Session Settings.

In the Properties pane, set the following properties:

property	Description
EnforceDualControlTimeframeOnPSMConnections	Set to Yes. This property enforces the Timeframe set in the dual control request on the PSM connection. PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner. The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value .
MaxSessionDuration	Set the maximum duration of the session in minutes

property

Description

EnforceDualControlTimeframeOnPSMConnections

Set to Yes.

This property enforces the Timeframe set in the dual control request on the PSM connection.

PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner.

The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value .

MaxSessionDuration

Set the maximum duration of the session in minutes

In the left pane, click Dual Control, and then, in the Properties pane, set the value of the Timeframe property (in days).
Save your changes.

Approve user access from CyberArk Mobile

On your mobile device, open the CyberArk Mobile app.
Click the menu icon. Select a company and enter your CyberArk Mobile pin code.

The CyberArk Mobile displays your applications.
Select an application to display the accounts.
Click the Requests tab to view the list of requests. By default, requests are listed from newest to oldest.
Swipe each request to Confirm or Reject. Or click Select to confirm or reject multiple requests.

The status of the request is updated in the users Accounts and Requests window in the Privilege Cloud Portal.

Dual control properties