One of the most important — and so far, among the most popular — new features in Password Hub Business 2022.2 is Temporary Access. In a moment, we’ll take a closer look at both sides of the equation: requesting Temporary Access to an entry, and approving/denying a request for Temporary Access. First, let’s quickly summarize Password Hub Business for those who are new to the Devolutions community.
About Password Hub Business
Password Hub Business is our secure cloud-based password manager solution for teams. It empowers organizations to easily and securely vault and manage business-user passwords and other sensitive information (e.g., building alarm codes, software license keys, corporate credit card numbers, etc.) through a user-friendly web interface that can be quickly, easily, and securely accessed via any browser.
In addition, Password Hub Business seamlessly integrates with our remote connection solution, Remote Desktop Manager, to create a robust password management and session management platform that supports over 150 tools and technologies. For more information on this integration, please click here. To request a free 30-day trial of Password Hub Business, please click here.
About Temporary Access
The new Temporary Access feature in Password Hub Business enables users to request elevated privileges so that during a specific period of time they can carry out a task that is not typically part of their regular scope of work (e.g., open a session). The request is received by a designated Approver, who approves or denies it accordingly.
Temporary Access in Remote Desktop Manager 2022.2 with Password Hub Business (as a data source) is also supported. Users can request a connection directly from RDM. Click here for more information.
How to Make a Temporary Access Request
Making a Temporary Access request in Password Hub Business is easy and fast. Here are the steps:
In the Vault tab, select the entry that you want to access in the associated vault.
Click More, then select Temporary Access Request.
- In the Temporary Access Request window, select the desired access duration in the drop-down menu, and then click Send Request.
- Next, select the Permissions level you want to temporarily receive. The options are: Readers, Operators, or Contributors. For an overview of the rights associated with each role, please click here. You can also hover your cursor over the eye icon to see what rights are available for each role (the example below is for the Operators role).
- Use the drop-down menu to select the Approver who will receive the request If you are not certain of the name, then use the search filter (wow, those Sysadminotaur folks are everywhere, aren’t they?).
- Create a short message explaining why you want access to the entry. While this step is optional, we recommend it as it helps the Approver make a more informed decision. When your message is finished, click Send Request.
The Approver will receive the request instantly (though they may not respond instantly if they are away/busy, or if they need more information to decide whether to approve or deny the request).
How to Approve or Deny a request for Temporary Access
What does this workflow look like from the Approver’s side?
When a user sends you a Temporary Access request, you will be automatically notified by email. In the email, click the Go to entry dashboard button to view the request directly in the entry in Password Hub Business.
Once you are in the entry, you will see a Temporary Access Request section near the top. Click the View Details button to open the Temporary Access Response window.
If you wish, you can also see all pending Temporary Access requests associated with a selected vault in the Temporary Access Request box of the Dashboard. Clicking on a request brings you to the entry.
When the entry is selected, clicking the View Details button in the Temporary Access Request section allows you to see information about the request.
In the top section, you will see the Permissions level and the Access duration that the user is requesting. If you wish, you can change the Access duration.
If the user sent you a message with their request, you will see it here as well.
Now, you can Approve or Deny the Temporary Access request by clicking on the corresponding button. If you wish, you can send a note back to the user. We recommend doing so if you change the duration, or deny the request (e.g., “I cannot approve your request without authorization from Kali on the IT Security Team, and she is out of the office until Monday. I will follow-up with her and get back to you”).
Once the request is approved, both the approver and the requester can revoke it. To do this, click the View Details button, then click the Revoke button.
This feature is designed to give your organization a centralized and standardized Temporary Access request workflow that is automatically logged. This is much better than having different users and Approvers apply their own rules, and it is far more secure than giving some (or perhaps even all) users more permissions than they typically need — not because it makes sense to do so, but because it’s easier.
With the Temporary Access feature, users can be given the appropriate permissions for their role, which per the Principle of Least Privilege (POLP) is enough for them to carry out their day-to-day tasks and nothing more. And when they need elevated permissions (and when this need is verified), this can be granted on a case-by-case basis for a specific duration.
Tell Us What You Think
Whether you are a user requesting Temporary Access, or an Approver who receives requests, we hope that you find this new feature valuable and practical. Please let us know what you think by commenting below, or by posting in our forum.
If you have a specific inquiry related to your Devolutions Password Hub instance, you can find answers and resources in our online Knowledge Base and Help Portal, or email us at firstname.lastname@example.org. If you would like more information on possibly deploying Devolutions Password Hub in your organization, please contact our sales team at email@example.com.