TLK Technology Self Service Request Tool For Privileged Access Using MIM 2016

TLK Enterprise would like a tool to be created in MIM for Privileged Access management (PAM). TLK wants the privileged groups in its current domain to have regulated access. They do not want another forest to be setup. The request for privileged access can come from

• Someone who wants to make a change to AD. AD group.
• Someone who wants to make a change to an application. Application group.

The tool with installation instructions can be downloaded from Github

The requirements

A form where users can request to be added to a Privileged group.

The PAM Request Creation form will have

• The user can request access only for themselves. So the user must be logged in, the Target will be picked up from the requestor.
• Name of the group/role requested. The range of the selection should be restricted to only the defined privileged roles/groups for the requestor.
• The reason for the request
• The duration of the request. It should be a flexible up till the max for the Role.
• The form once submitted will go to first to the requestor’s Manager for approval then go to Security Team for approval.

The PAM Request
Edit form will have

• Request extension can be submitted.
• Request can be ended by the PAM Admins

General

• The PAM request for Roles that require approval should be approved by the Manager first then approved by members of the PAM Approvers SG.
• PAM Extension (for Roles that require approval) will be approved by the requestor’s manager only. Only a request creator can request an extension.
• Only one PAM request extension can be submitted at a time. If there is an approval outstanding on a PAM request extension, the system will not allow another submission.
• Requestor will get an email notification that access has been granted.
• A user can only see their own PAM requests.
• PAM request or extensions can only be submitted by an Admin account. The extension request must be submitted by the original request submitter.
• The Max TTL for all PAM Roles will be 10hrs (3600secs).
• PAM Groups should be owned by the MIM Portal account (which runs the PS and has Account Operator like rights in AD)
• The PAM Role create form allow for availability to be specified during creation
• Create a “PAM Admins” set that will manage PAM system.
• Add a NavBar item for PAM Groups. Add the ability for PAM Admins to create a request for a new PAM Group to be created (via workflow) from the MIM Portal.
• Add ability for PAM Admins to see all PAM enabled groups.

The tool is available on Github below I have the specifications on how the tool was built.

Customizing the OOB PAM tool

PAMGroups

Pre-requisites

1. Exclude PAM OU “PAM Objects” from MIM Sync.
2. Make sure MIM Portal account has full control rights to the PAM OU.
3. It is recommended that SGs that you are going to enable for PAM should not have any user (unless a service or application account must be a member) or SG as member.
4. Another recommendation: If your AD group membership is managed via MIM, disable the ability for users to modify the membership via MIM. Use MPRs to limit who has rights to the Explicit member attribute of these SGs. Or exclude them from MIM group Sync. You should also limit what groups have AD membership modification rights to that SG (You can use delegation wizard, ACL scripting or you can place the SGs in the PAM OU and set who has change rights to objects in the PAM OU).
5. In the FIM MA put a filter for group name ending in “_PAM”
6. Create a Set called “PAM Admins”
7. Add “msidmPamEnabled” to the Admin filterscope.
8. Create a Set called “PAM: Set: All PAM Groups” a filter of “/Group[msidmPamEnabled = True]”

Display PAM Groups

1. Create a SearchScope with a filter of “/Group[msidmPamEnabled = True]”
2. Show “PAMGroups” on the NavBar. When you click on it should show the PAM enabled Groups and the Add, delete buttons

Create Pam Group

When you click on Add, it will show a form that will request the SG Group that you want to enable for PAM.

1. Create a custom resource called “PAMGroups”. The Add form will be for this resource object.
2. Create a Set of all PAMGroups objects.
3. Create Rights granting MPRs and give FIM Administrators and PAM Admins full rights to the PAMGroups objects.
4. Create a search scope that will show PAM Enabled Groups. Tie scope to the PAM Group page via UsageKeyWord PAMGroups. Add UsagekeyWord “PAMEnabledGroups”.
5. Create a search scope that will show PAMGroup requests. Tie scope to the PAM Group page via UsageKeyWord PAMGroups.
6. When create request is submitted, a workflow will trigger. Create a Workflow and MPR called “PAM: Process new PAM Group”
7. Create PS activity on the workflow that will run a PS script to

• Create a new SG in AD called “SG1_PAM”. Place it in PAM OU.
• Put that “SG1_PAM” as member of SG1.
• Create the PAM Group in the MIM Service.
• The PAM Group will be created with “_PAM” added to the end of the name.

PAM Role

Pre-requisites

• Create Rights granting MPRs and give PAM Admins full rights to the PAM Role objects.

Create a Role

• The create form should be updated
  • Add the availability day. From this day to that day. Place them just under the availability check button.
• Fix the value of the Role TTL to 3600. Make the default value, min and max for the RCDC control to be 3600.
• Make Privileges required.
• Make selection for the Privileges to be only from PAM Enabled groups. Use UsagekeyWord “PAMEnabledGroups”.

  

  

Edit a Role

• The Edit form should be updated
  • Add the availability day. From this day to that day. Place them just under the availability check button.
• Make the Role TTL RCDC control read-only.

PAM Request

Pre-requisites

• Create an SG in MIM called “PAM Approvers”
• Create a new Person attribute called “AccountType”. Set it to “Admin” for accounts you will use to submit PAM request.
• Create a new msidmPamRequest numeric attribute called PamRequestExtension, make it similar to the PAM Request TTL (Make it similar to the Role TTL so it shows you must enter secs).
• Create a new msidmPamRequest numeric attribute called PamRequestExtensionInUse,
• Create a new msidmPamRequest Boolean attribute “EndRequest”
• Create Rights granting MPRs and give PAM Admins full rights to the all PAM Request objects.
• Create the MPR “PAM: User can request time extension for PAM request created”.
  • Give creator “Modify a single valued attribute” right to only the PamRequestExtension attribute
• Create 4 Email templates,
  • User new PAM request completion notification
  • User PAM extension completion notification
  • User new PAM request Pending Approval
  • User PAM extension Pending Approval

Create a Request

The create form should be updated

• Change description to “Justification”
• Add msidmPamRequestTime, which is the day Access will be requested.
• Add msidmPamRequestTTL and the value entered must be smaller than the PAM Role TTL.
  • Underneath put “Maximum TTL is 3600 secs” as hint.
• Create a new Authz workflow called “PAM: Workflow: New Request Check” and MPR (Should be triggered on creation of a new PAM request.)
  • Copy Activities of “PAM: Request Authorization” to the new Authz workflow except the approval activity.
  • Add an MIM WAL activity to check that the AccountType attribute of the requestor is equal to “Admin”.
  • Add an activity that will check if Approval is True for the Role, if it is then send approval to the manager of the requestor. Use the MIM WAL approval activity because it allows for conditional approval.
  • Add an activity that will check if Approval is True for the Role, if it is send approval to members of the PAM Approvers SG. Use the MIM WAL approval activity because it allows for conditional approval.
  • Create new MPR “TLK: PAM: Users can create a PAM Request” give “All People” set create rights to the “All PAM Requests” set. Attach this new workflow
  • Disable the OOB MPR “PAM: Users can create a PAM Request”
• Create a new Action workflow called “PAM: Workflow: New Request Process”
  • Copy “PAM: Handle PAM Request” workflow activities.
  • Add an activity that will send notice to requestor once user is added
  • Edit the MPR “TLK: PAM: Users can create a PAM Request” attach this new workflow
  • Disable the OOB MPR “PAM: Users can create a PAM Request”

Edit a Request

The Edit form should be created, make it a copy of the create form.

• Add PamRequestExtension to the Edit form. Underneath put Hint, “Maximum TTL is 3600”.
  • Add a MIM WAL Authz workflow and MPR called “PAM: Workflow: PAM Request Extension Check” (Should be triggered when there is a change in PAMrequestExtension).
  • Check if the confirmed PAMrequestExtensionInUse value is blank, if it is not then the request is denied with a message saying there is an outstanding extension request.
  • Check that the requestor is an Admin account.
  • Check that the requestor is also the creator of the request being extended.
  • The Authz should check if the request has already expired. If expiration date is less than now then deny the extension request.
  • Create a set called “TLK: PAM: Set: Process extension of a PAM Requests”, the filter should be “/msidmPamRequest[PamRequestExtension > 0]”. Using the Set as Target set, create a Transition-in MPR called “TLK: PAM: Process extension of a PAM Requests”. Attach the Authz workflow.
• Create an Action Workflow called “PAM: Workflow: PAM Request Extension Process” (trigger when there is a change in PAMrequestExtension) that will
  • MIM WAL activity to copy PamRequestExtension to PamRequestExtensionInUse and clear the PAMrequestExtension attribute.
  • Add MIM WAL approval, check if approval is enabled for the Role. If it is send approval notice to Manager.
  • Next activity should be to add the requested time to Request expiration time. One has to factor in the periodic check of expired requests by the monitoring jobs.
  • Clear the PAMrequestExtensionInUse attribute.
  • Send notification to requestor that request is completed.
  • Attach the Action workflow to the MPR “TLK: PAM: Process extension of a PAM Requests”
• Add the Boolean attribute “PamEndRequest”. It should only be Editable to members of set “PAM Admins”.
  • Create an Action Workflow called “PAM: Workflow: PAM End Request” (trigger when there is a change in PamEndRequest) that will
  • Add a MIM WAL activity, check if PamEndRequest = True, if it is then set Request Expiration Time to now. One has to factor in the periodic check of expired requests by the monitoring jobs.
  • Clear the PamEndRequest attribute
  • Create an MPR called “TLK: PAM: PAM End Request”. Attach the workflow.