OSM's COSduty-SSA for automated operations, runbook, privileged user management and password vault. Security, management, automation, compliance - for UNIX, Linux and Windows

Privileged user management

COSduty-SSA, as previously described, allows IT services to restrict the use of 'root', admin or superuser privileges by capturing privileged routines in a duty. Despite COSduty-SSA's execution facility running as root, the operator is not personally allowed such privileges and his/her ability to perform the duty is controlled by COSduty-SSA via its access-control mechanism.

There are times, however, when administrators do genuinely have to work as super-user. For example, a procedure may not yet have been written for a particular function. This is when the SSA (Secure Shell Auditing) functionality is called in to service.

SSA provides a secure mechanism for administrators to log in as 'root' (or another super-user) via a controlled gateway which is opened only when required, for specified durations. The gateway to any particular system is controlled by the person responsible for that system, who need not necessarily be an administrator in their own right. Because the gateway process actually logs on to the system being managed, the administrator has no need to possess a super-user password. During the entire administration session, keyboard and return character streams are logged.

Administrators must make a formal request via the software for their privileged access. Such requests have to specify time and duration, and the specific system(s) to which access is required. Requests are then queued until approved by the person authorized to grant such approval.

Provided that the request is approved, a privileged shell is made available for the administrator at the appropriate time on the appropriate system(s). All access to the managed servers is through a system designated as the COSduty-SSA Access Server to which nobody has privileged access. The keystroke logs are held on a separate, secure audit server. Communication from the COSduty-SSA Access Server to the managed server is via SSH so an agent is required on each managed system.
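The request, approval and time-limited grant workflow described in the three paragraphs above can be modelled in a few dozen lines. The following is an added example written for this page; it is not COSduty-SSA's own code and the class and method names (AccessBroker, AccessRequest, open_session) are hypothetical. It enforces the properties the text calls out: a request names its systems, start time and duration; only the designated owner of every requested system may approve it; the gateway opens only for an approved request, only on a requested system and only inside the approved window; and every step, including the session's keystrokes, is written to an append-only audit trail kept apart from the request queue.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass
class AccessRequest:
    """A formal request for privileged access (hypothetical model)."""
    requester: str
    systems: FrozenSet[str]
    start: datetime
    duration: timedelta
    approved_by: Optional[str] = None

    @property
    def end(self) -> datetime:
        return self.start + self.duration


@dataclass
class Session:
    """A granted privileged shell; every line typed is recorded."""
    requester: str
    system: str
    audit: List[str]  # shared, append-only audit trail
    opened_at: datetime

    def record(self, keystrokes: str, now: datetime) -> None:
        self.audit.append(f"{now.isoformat()} KEYS {self.requester}@{self.system}: {keystrokes}")


class AccessBroker:
    """Queues requests, checks approvals and opens time-limited sessions."""

    def __init__(self, system_owners: Dict[str, str]):
        # system name -> person responsible for that system (the only approver)
        self.system_owners = system_owners
        self.queue: List[AccessRequest] = []
        self.audit: List[str] = []

    def request(self, requester: str, systems, start: datetime, duration: timedelta) -> AccessRequest:
        req = AccessRequest(requester, frozenset(systems), start, duration)
        self.queue.append(req)
        self.audit.append(f"REQUEST {requester} {sorted(req.systems)} {start.isoformat()} for {duration}")
        return req

    def approve(self, req: AccessRequest, approver: str) -> bool:
        # Separation of duties: the requester may not approve their own request.
        if approver == req.requester:
            raise PermissionError("self-approval is not permitted")
        # The approver must be the designated owner of every requested system.
        for system in req.systems:
            if self.system_owners.get(system) != approver:
                raise PermissionError(f"{approver} is not responsible for {system}")
        req.approved_by = approver
        self.audit.append(f"APPROVE {approver} -> {req.requester} {sorted(req.systems)}")
        return True

    def open_session(self, req: AccessRequest, system: str, now: datetime) -> Optional[Session]:
        """Open the gateway only when every condition holds; otherwise deny and log."""
        reason = None
        if req.approved_by is None:
            reason = "not approved"
        elif system not in req.systems:
            reason = f"{system} not in request"
        elif not (req.start <= now < req.end):
            reason = "outside approved window"
        if reason:
            self.audit.append(f"DENY {req.requester}@{system} {now.isoformat()}: {reason}")
            return None
        self.audit.append(f"OPEN {req.requester}@{system} {now.isoformat()} approved_by={req.approved_by}")
        return Session(req.requester, system, self.audit, now)


def demo() -> AccessBroker:
    """Walk through one request with constructed sample data."""
    t0 = datetime(2007, 6, 1, 9, 0)
    broker = AccessBroker({"db01": "alice", "web01": "bob"})  # constructed owners
    req = broker.request("carol", ["db01"], t0, timedelta(hours=2))
    broker.approve(req, "alice")
    session = broker.open_session(req, "db01", t0 + timedelta(minutes=30))
    if session:
        session.record("id; tail /var/log/messages", t0 + timedelta(minutes=31))
    broker.open_session(req, "db01", t0 + timedelta(hours=3))   # denied: window closed
    broker.open_session(req, "web01", t0 + timedelta(minutes=30))  # denied: wrong system
    return broker


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The audit list stands in for the separate audit server mentioned above; in a real deployment it would be shipped off the access server so that nobody with a session on it could alter their own trail.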

The management of privileged access to Microsoft Windows systems differs a little and uses agentless technology. Requests for privileged access ('administrator') are made and approved in the same way. Instead of a session being set up with a remote agent, however, a remote login session hosted by the COSduty-SSA Access Server is initiated using the RDP protocol. In this way access can be granted to a remote user's desktop, or just to a particular application, without the need to install software on any Windows servers or workstations.

Copyright © 2007 Open Systems Management Limited