Configuring Emergency Access in PAM

Emergency access, as the name implies, is used in highly critical and urgent situations. For instance, imagine the scenario when an administrator who has access to an IT resource is away and your team requires immediate access to the device. The emergency access feature helps in this scenario to gain access in a hassle-free manner with a well-defined workflow.

How does Emergency Access Work?

You can enable a designated list of users as ‘Emergency Access Users’ allowing them to access all passwords (work accounts) stored in Securden, breaking the usual access controls during emergency situations. When an emergency access requirement arises, any of the designated users will first declare emergency and get access after the predefined mandatory waiting period. In the meantime, all administrators will be notified of the situation.

How to Configure Emergency Access?

To configure emergency access, navigate to Admin >> Emergency Access >> Configure Emergency Access. In the GUI that opens, you can designate the users who should get the emergency access privilege. You can define the maximum time duration until which the user should have emergency access. As an additional control, you can define a mandatory waiting period (in minutes) until the person should wait before gaining emergency access. All administrators will be notified when someone wants to gain emergency access.

Move the toggle “Enable Emergency Access” to turn on emergency access. You will see two options namely, “All users” and “Specific users”. As the name itself implies, “All users” option grants the emergency access privilege to all the users. On the other hand, if you want to grant the privilege only to certain specific users or groups of users, you need to choose the option “Specific users”.

When you choose the “Specific users”, you need to select the users or groups from the list. You can define the maximum duration up to which a user can avail emergency access. Specify the duration in minutes.

As a security best practice, to guard against any possible misuse of the provision, you can enforce a mandatory waiting period for anyone to gain access after ‘breaking the glass’. During this window, notifications will go to all administrators, who can revoke access if any suspicious motive is found. You can define the waiting time in minutes.

After configuring these values, click “Save”.

The above steps complete the emergency access configuration. The configuration done by one administrator has to be approved by another administrator. The approval can be done from the same page in the GUI. When another administrator logs in, the link to approve or reject the request will be visible as shown below.

How to Initiate Emergency Access?

When an emergency access requirement arises, the designated user(s) can initiate the access from Admin >> Emergency Access >> Initiate Emergency Access. In the GUI that opens, the user has to justify why the emergency access is needed. As per the emergency access configuration, the user will get access.