How to Manage Technician Access Policies for Privilege Management?

IT help desk technicians often log on to end user machines with administrative privileges to carry out certain tasks. This leads to various security and operational issues. To overcome such issues, Securden helps you define ‘Technician Access Policies’.

Typically, you can create policies authorizing specific technicians to perform administrative tasks on specific endpoints. Technicians can log on to end user machines with standard user privileges and offer the required assistance. Their privileges are elevated temporarily, on demand. You can specify the computers on which specific technicians can have technician access.

How to Create a Technician Access Policy?

To create a technician access policy,

Step 1: Create a template
  • Navigate to Admin >> Privilege Elevation and Delegation >> Technician Access Policies

You need to create policies for domain-joined computers and non-domain computers separately. When creating the policy, you need to select ‘Domain Policy’ or ‘Non-domain Policy’ as required.

Steps to create a technician policy

Policy creation involves specifying the computers that specific technicians should be able to access to perform various operations. The process is quite flexible: you can allow a technician or a group of technicians to access all computers or only specific computers. The technician could be a ‘user’ or a ‘group’ or a ‘domain account’ or a ‘folder’ in Securden.

To create a policy,

Click ‘Add Policy’ and select ‘Add Domain Policy’ or ‘Non-domain Policy’ as needed.

In the GUI that opens, enter the following information:

  • Technician policy name: The name that you enter here helps you uniquely identify the policy being created.
  • Description: A brief description of the policy, for a quick overview.

Select the computers the technician could access

In this step, you specify the computers that the technician is authorized to access to carry out the tasks. You can allow access to all computers or only to specific computers.

Associate policy with the technician

The final step is to associate the policy with the required technicians or groups. The ‘technician’ could be a ‘user’ or a ‘group’ or a ‘domain account’ or a ‘folder’ in Securden. You can select either all ‘users’ and ‘accounts’ or specific users/groups/accounts/folders alone. For example, you can designate all members of the ‘IT Help Desk’ group to access the computers selected in the previous step.

To associate the policy with all domain users and accounts, enable ‘All domain users/accounts imported in Securden’.

To select users or groups, use the ‘search user/group’ and choose from the list of users/groups.

Finally, ‘Save’ the changes.

Approval for policies

On completing this step, the technician access policy you created will be held for review and approval by another administrator. You can check the approval status on the technician policies page. Approved policies will be shown as ‘Active’.

How to Approve and Implement the Policy?

Administrators can approve the policies created by other administrators from Admin >> Privilege Management >> Privilege Elevation Requests. Administrators will receive email notifications when a policy is created and awaits approval.

Workflow for Technicians

How do Technicians Commence Access?

When a technician wants to access an endpoint, the technician has to click the Securden tray icon present on the machine.

Upon clicking the tray icon, the technician will see a menu in which “Start Technician Access” will be one of the options. When that option is clicked, the technician will be prompted to enter credentials for authentication. The technician has to enter his/her domain account credentials to authenticate. Upon successful authentication, technician access will start.

The technician will have administrative access and can carry out the required tasks. Finally, the technician has to click “End Technician Access”, available in the tray icon menu.

The technician access activities are captured as part of Reports >> Privilege Management Trails.