Ephemeral Accounts

PAM can create Ephemeral Accounts to support a no-standing-access model for privileged systems.

This supports the principle of least privilege: a time-based workflow provisions the account only when it is needed, with only the permissions that are required, and de-provisions it when the approved time expires.

Creating Ephemeral Account Records

  1. Log in to PAM with a System Administrator account.
  2. Navigate to Administration > Record Types, locate the type Windows Host Ephemeral Account and click the Edit button.
  3. Uncheck the Hidden box and click Save.
  4. Now that the Record Type is unhidden, you can log out of the System Administrator account. It is no longer required to complete the configuration.

  5. Navigate to a location in the Vault where you wish to create the record and select Add Record > Windows Host Ephemeral Account.

  6. Create your record using the below as guidance:

    • Name: enter a name for your record

    • Description: optionally, enter a description for your record

    • Host: enter the host for the endpoint where the ephemeral account will be created

    • Port: enter the port that will be used for connectivity

    • User: enter the username that will be created for the ephemeral account

    • Password: leave this field empty

  7. Click Save and Return.

    After the record is saved, we will now configure the Task that performs the ephemeral account creation process.

  8. In this new record, click Manage > Tasks.

  9. For the Shadow Account, select an existing record that contains the credentials of an account that can create new local accounts on this endpoint. For example, in a Windows domain, this could be a record that contains the credentials of a Domain Administrator account.

    • If the Shadow Account field is read-only, it is set to inherit this Shadow Account from the record type. In this situation, you will need to navigate to Administration > Record Types and add this Shadow Account directly to the Tasks list of this type. This will require your System Administrator account again. Alternatively, you can click the Make Unique button to break inheritance from the Record Type.

    • If the Shadow Account field is read/write enabled, then enter the name of the record that contains the credentials of an account that can create local accounts on this endpoint.

  10. Once you have the Shadow Account configured, save your change and return to the record.

  11. After the Shadow Account is saved, we will next configure the Workflow, whose approval will trigger the creation of the ephemeral account and whose subsequent expiration will trigger its removal.

  12. From the Record, select Manage > Workflows to configure a workflow binding.

  13. On the Workflow Bindings page, you will create a new workflow binding that will be used to request access and once approved, will be used to generate the ephemeral account.

  14. Create the Workflow Binding as needed and click the Save button to complete the process.

  15. That completes the configuration of the Ephemeral Account process. In the next section, we will illustrate the User experience from workflow request through the workflow expiration when the ephemeral account is removed from the host.

The Ephemeral Account Process

  1. Log in to PAM with the user account that was bound by the workflow created in the previous section.
  2. Navigate to this Ephemeral Account record and click the Request Connect button.
  3. Fill out the request access form as required and submit it when completed. During testing, we recommend requesting a short amount of time (e.g., 5 minutes) so that you do not have to wait too long for the workflow to expire.
  4. If the submitted workflow was not configured for automatic approval, Approve the submitted request to continue.
  5. Once approved, PAM will begin the Ephemeral Account creation process. Depending on the PAM queue, this process may take a few seconds or a few minutes to complete. You can follow the process by monitoring the Job History tab of this record.
  6. After the Ephemeral Account is successfully created, the user’s Connect Requested button will change to Connect, indicating that the user may now connect to the Host with the Ephemeral Account.
  7. Click Connect to create your remote session.
  8. The User will connect to the Host with this newly created ephemeral account. When done, simply Disconnect or Sign Out of the remote session to end it.
  9. Finally, after the workflow’s approved time expires, the user’s Connect button will change back to Request Connect and PAM will delete this Ephemeral Account from the Host.
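The no-standing-access guarantee above depends on step 9 actually happening: an ephemeral account that outlives its approved window is standing access again. The following audit check is an added example, not PAM code or output; it assumes you export workflow grants and the host-side create/delete events from the record's Job History into the constructed shapes shown, and it flags any account whose window has expired without a matching deletion (allowing a short grace period for the PAM queue).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample shapes (not PAM's own export format): one Grant per
# approved workflow request, one HostEvent per create/delete performed
# by the ephemeral-account task on the host.
@dataclass
class Grant:
    record: str           # ephemeral account record name
    user: str             # username created on the host
    approved_at: datetime # workflow approval time
    minutes: int          # approved access duration from the request form

@dataclass
class HostEvent:
    at: datetime
    record: str
    user: str
    kind: str             # "created" or "deleted"

def overdue_accounts(grants, events, now, grace=timedelta(minutes=2)):
    """Return (record, user, expired_at) for accounts whose approved window
    has expired (plus grace) but for which no deletion event was seen."""
    created = {(e.record, e.user) for e in events if e.kind == "created"}
    deleted = {(e.record, e.user) for e in events if e.kind == "deleted"}
    overdue = []
    for g in grants:
        key = (g.record, g.user)
        expires = g.approved_at + timedelta(minutes=g.minutes)
        if key in created and key not in deleted and now > expires + grace:
            overdue.append((g.record, g.user, expires))
    return overdue

# Constructed sample: two 5-minute grants approved at 09:00. The first
# account was created and removed on time; the second was created but
# never deleted, e.g. because the removal job failed on the host.
T0 = datetime(2024, 1, 1, 9, 0)
GRANTS = [
    Grant("WIN-APP01 Ephemeral", "eph_alice", T0, 5),
    Grant("WIN-DB02 Ephemeral", "eph_bob", T0, 5),
]
EVENTS = [
    HostEvent(T0 + timedelta(seconds=40), "WIN-APP01 Ephemeral", "eph_alice", "created"),
    HostEvent(T0 + timedelta(minutes=5, seconds=30), "WIN-APP01 Ephemeral", "eph_alice", "deleted"),
    HostEvent(T0 + timedelta(seconds=50), "WIN-DB02 Ephemeral", "eph_bob", "created"),
]

def audit_sample(minutes_after_approval):
    """Run the audit over the sample as of T0 + N minutes."""
    return overdue_accounts(GRANTS, EVENTS, T0 + timedelta(minutes=minutes_after_approval))

if __name__ == "__main__":
    for record, user, expired_at in audit_sample(20):
        print(f"STANDING ACCESS: {user} on {record} expired {expired_at:%H:%M}")
```

Run the check on a schedule against your own export; any hit means the expiration step did not remove the account and the host should be inspected.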