1. Field of the Invention
Embodiments of the disclosure relate in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to managing the lifecycle of a shared privileged account.
2. Description of the Related Art
In today's information technology (IT) environment, large numbers of systems and applications are deployed and managed by global teams. With the emergence of new security compliance requirements, IT administrators now need to efficiently manage system accounts that have special privileges. These system accounts have typically been granted these special privileges to perform system management tasks or to access application services. Often, additional configuration is required for these accounts, for example a script that initiates a unique set of services on the system when a user logs on using the system account. Additionally, these business requirements call for the usual identity management services needed to manage the sharing of these accounts.
One example of a privileged account is the root account on a UNIX server, which has special privileges on the system. In an IT environment with hundreds or even thousands of UNIX machines, a group of system administrators must be able to use these privileged accounts to manage systems. At the same time, individual accountability needs to be maintained for security compliance. Since only authorized users are allowed to use these accounts, mechanisms need to be built in to maintain the confidentiality of the account. In addition, mechanisms are needed to prevent multiple users from using the same account concurrently, while still allowing multiple users to share the same account at different times. Additionally, clear audit trail records need to be maintained to show who can use these accounts at a specific date and time, and who is using the account to access a specific system. This is quite different from the usual identity management scenario, where there is a single owner for each account and that person is responsible for remembering his or her password and for other account management activities.
Yet another need arises when a high-level service requires a set of application services from multiple vendors in a service-oriented architecture (SOA). Users authenticated to access the high-level service need to be able to access the services provided by the different application services seamlessly. In many cases, an IT administrator would like to use a pool of identities for the lower-level application services and allow the authorized front-end user to share the application while still being able to maintain the accountability of the access. Current approaches are known that support password delivery for privileged accounts, but they do not provide management of the account lifecycle. Other approaches enable credentials to be securely shared by multiple users. Still other approaches require users to use multiple products from different vendors to manage privileged account sharing. As a result, users are faced with usability issues and are unable to seamlessly or fully utilize the typical capabilities of an identity management system.
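The requirements set out above (only authorized users may obtain a shared account, no two users may hold it concurrently, the same account may be used by different people at different times, and an audit trail must answer who held which account on which system at a given time) can be made concrete as a checkout/check-in broker. The Python below is an added illustration written for this page, not code from the disclosure; the class and method names (PrivilegedAccountBroker, checkout, checkin, holder_at), the account name root@unix-host-01, the user names and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Lease:
    account: str            # shared account, e.g. "root@unix-host-01" (constructed)
    holder: str             # user who currently holds it
    expires_at: datetime    # end of the time box


@dataclass
class AuditRecord:
    timestamp: datetime
    event: str              # "checkout" | "checkin" | "denied" | "expired"
    account: str
    user: str
    detail: str = ""
    expires_at: Optional[datetime] = None   # set on "checkout" records


class PrivilegedAccountBroker:
    """Exclusive, time-boxed checkout of shared accounts (hypothetical class)."""

    def __init__(self, authorizations: dict[str, set[str]], max_lease: timedelta):
        self._authz = authorizations            # account -> users allowed to use it
        self._leases: dict[str, Lease] = {}     # account -> active lease (at most one)
        self._max_lease = max_lease
        self.audit: list[AuditRecord] = []      # append-only trail

    def _log(self, now, event, account, user, detail="", expires_at=None):
        self.audit.append(AuditRecord(now, event, account, user, detail, expires_at))

    def _expire(self, now):
        for acct, lease in list(self._leases.items()):   # release lapsed time boxes
            if lease.expires_at <= now:
                del self._leases[acct]
                self._log(now, "expired", acct, lease.holder)

    def checkout(self, user, account, now) -> Optional[Lease]:
        self._expire(now)
        if user not in self._authz.get(account, set()):
            self._log(now, "denied", account, user, "not authorized")
            return None
        held = self._leases.get(account)
        if held is not None:                    # exclusivity: one holder at a time
            self._log(now, "denied", account, user, f"held by {held.holder}")
            return None
        lease = Lease(account, user, now + self._max_lease)
        self._leases[account] = lease
        self._log(now, "checkout", account, user, expires_at=lease.expires_at)
        return lease

    def checkin(self, user, account, now) -> bool:
        self._expire(now)
        lease = self._leases.get(account)
        if lease is None or lease.holder != user:
            self._log(now, "denied", account, user, "no lease held by this user")
            return False
        del self._leases[account]
        self._log(now, "checkin", account, user)
        return True

    def holder_at(self, account, when) -> Optional[str]:
        """Answer 'who held this account at time X' from the audit trail alone."""
        holder = None
        for rec in self.audit:                  # records are appended in time order
            if rec.account != account or rec.timestamp > when:
                continue
            if rec.event == "checkout":
                holder = rec.user if rec.expires_at > when else None
            elif rec.event in ("checkin", "expired"):
                holder = None
        return holder


def demo_summary() -> dict:
    """Constructed scenario: two authorized admins share one root account."""
    acct = "root@unix-host-01"                              # constructed sample
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)    # constructed start time
    m = timedelta(minutes=1)
    broker = PrivilegedAccountBroker({acct: {"alice", "bob"}}, max_lease=60 * m)
    first = broker.checkout("alice", acct, t0)
    blocked = broker.checkout("bob", acct, t0 + 10 * m)     # denied: alice holds it
    unauth = broker.checkout("carol", acct, t0 + 15 * m)    # denied: not authorized
    returned = broker.checkin("alice", acct, t0 + 30 * m)
    second = broker.checkout("bob", acct, t0 + 31 * m)      # same account, later: allowed
    third = broker.checkout("alice", acct, t0 + 95 * m)     # bob's hour lapsed at 10:31
    return {
        "first_holder": first.holder if first else None,
        "concurrent_denied": blocked is None,
        "unauthorized_denied": unauth is None,
        "checkin_ok": returned,
        "second_holder": second.holder if second else None,
        "third_holder": third.holder if third else None,
        "holder_at_5": broker.holder_at(acct, t0 + 5 * m),
        "holder_at_92": broker.holder_at(acct, t0 + 92 * m),
        "events": [r.event for r in broker.audit],
    }
```

Two design points carry the accountability requirement: every decision, including denials, is written to the append-only trail rather than only the successful checkouts, and leases are time-boxed so that a user who never checks the account back in cannot leave it locked indefinitely. The holder_at query is computed purely from that trail, which is what an auditor asking "who had root on this host at 10:32" needs; the in-memory lease table is only the enforcement state.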