Role-Based Access Management

Control Access to Privileged Accounts

ERPM makes it easy to configure role-based access controls that "hot connect" with your directory services, so your organization's policies are always enforced – and automatically updated whenever user roles and IT assets change.

Enterprise Random Password Manager (ERPM) provides a web interface for the remote recovery of passwords. Passwords for accounts that ERPM has changed can be displayed through the web application. Users with the appropriate access controls have the right to use the application and to recover passwords for accounts managed by ERPM. A number of permissions can be delegated to users of the web application. These permissions apply to users, global groups, or roles (RBAC) and control access to the features of the web interface as well as to the system and account information the web interface exposes.

With ERPM it's simple to configure role-based access controls that map user roles (as defined by your directory services and any explicit accounts that you configure) to groups of IT resources that those users can access. You can create rules that match your organization's policies and that update in real time whenever directory changes occur. This helps ensure that your organization's policies are always enforced, regardless of how personnel roles and IT assets may change.

You can also configure explicit accounts, for example, to provide access to subcontractor personnel without granting domain credentials – allowing subcontractors to access predefined groups of systems through Remote Desktop / SSH connections that do not disclose any passwords. You can also configure options that grant individuals and groups immediate, audited access to particular groups of servers – or require certain departments and individuals (for example, tier-one help desk staff and contractors) to get explicit management approval before access is allowed.

Flexible Authentication

ERPM authenticates in real time with trusted Windows domains, popular standards-based directories such as Oracle Internet Directory and Novell eDirectory, and LDAP- and RADIUS-compliant servers. You can also grant access to members of selected Windows groups, individual Windows users, roles (as defined by your directory services), RADIUS users, or independent, explicit logins that you assign.

You can grant any role the ability to access groups of resources, systems and accounts that you define, or individual systems and accounts. ERPM allows you to configure time-bound password retrieval that forces check-in and a password change after each access, so you'll always know who had access, at what time, and for what stated purpose.

Multifactor Options

Today's regulatory mandates – including the Consensus Audit Guidelines and others – require multifactor authentication when requesting privileged access. ERPM supports the industry's broadest range of time-based and event-based multifactor authentication, including:

  • Out-of-the box support for proprietary tokens including RSA SecurID and YubiKey
  • OATH authentication using third-party tokens
  • Out-of-band, Time-based One-Time Password (TOTP) authentication by email and SMS using OATH services – providing easily configured multifactor security that requires nothing further for your organization to buy

Use of multifactor authentication can help safeguard your organization against common hacker exploits. For example, by deploying out-of-band multifactor authentication using email or SMS delivered to IT staff cell phones – available at no added cost – you can defeat many social engineering attacks by adding a further verification of each password requestor's identity.

Contact us to learn more about how Lieberman Software can help you secure your organization's privileged accounts.