Tuesday Mar 18, 2014

What's New in PS2? Oracle Privileged Account Manager session management

As you saw in my previous blog, there are a lot of new features in PS2, and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here) we will be posting a series of blogs detailing the new features. In this blog, I have invited the PM team to talk about the new session management capability in OPAM.

11gR2 PS2 is an important release for OPAM, in which we made significant advances in many product areas. One such area is "Session Management".

So, what is session management? In the past, privileged access management solutions focused on password vaults and on providing secure access to the credentials stored in such vaults.

However, this approach raises certain questions:

  • Can we prevent the end user from seeing the actual privileged account password?
  • How can we control how the end user utilizes the password?
  • Can we capture the actions performed by the end user for audit purposes?

Session Management support in OPAM addresses all of these questions by focusing on the following areas:

Session Initiation

  1. Users can initiate a session as a privileged account without knowing the actual account password.
  2. Instead, the user only needs to authenticate as himself; access to the target is then granted based on the grants he holds.
  3. Finally, since OPAM uses a gateway-based approach, the end user can connect using any protocol-compliant 3rd party client.


Thus privileged session initiation has been secured without impacting the established working practices of the end user. The end user is still free to use the tools he is familiar with (e.g. PuTTY, OpenSSH) and does not need to explicitly interact with OPAM for every checkout.

Session Control

  1. Sessions can be terminated based on usage policies (e.g. after 30 minutes).
  2. Sessions can be terminated by security personnel observing suspicious behavior.

Since the sessions pass through OPAM's Session Management server, there is a single, controlled entry point for privileged access. Additionally, since all sessions occur within OPAM's purview, we are able to control what occurs within a session and terminate it as needed.

Session Recording

  1. Session activity is recorded and stored in an Oracle audit database.
  2. It is indexed and searchable.

All activity that occurs within a session is recorded, indexed and stored in the OPAM database. Therefore, answering a question like "who ran a certain command on the fileserver as admin between 9am and 10am on April 1st 2013" is trivial.
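To show what answering that question involves, here is an added example (not OPAM's own code or schema, and the record layout is an assumption): session records map each privileged checkout to the individual end user, command records reference their session, and the search joins the two so a command run as the shared "admin" account resolves to a named person.

```python
from datetime import datetime

# Constructed sample records (assumed layout, not OPAM's real schema).
# One session record per privileged checkout: who (end user), as which
# privileged account, on which target, and when.
SESSIONS = [
    {"session_id": "s-1001", "user": "alice", "account": "admin", "target": "fileserver",
     "start": "2013-04-01T08:55:00", "end": "2013-04-01T09:20:00"},
    {"session_id": "s-1002", "user": "bob", "account": "admin", "target": "fileserver",
     "start": "2013-04-01T09:30:00", "end": "2013-04-01T10:05:00"},
    {"session_id": "s-1003", "user": "carol", "account": "admin", "target": "dbhost",
     "start": "2013-04-01T09:40:00", "end": "2013-04-01T09:50:00"},
]
# One command record per action recorded inside a session.
COMMANDS = [
    {"session_id": "s-1001", "ts": "2013-04-01T09:02:10", "command": "rm -rf /srv/share/old"},
    {"session_id": "s-1001", "ts": "2013-04-01T09:15:00", "command": "ls /srv/share"},
    {"session_id": "s-1002", "ts": "2013-04-01T09:45:30", "command": "rm -rf /srv/share/tmp"},
    {"session_id": "s-1002", "ts": "2013-04-01T10:03:00", "command": "rm -rf /srv/share/logs"},
    {"session_id": "s-1003", "ts": "2013-04-01T09:42:00", "command": "rm -rf /var/tmp/x"},
]


def who_ran(commands, sessions, command_prefix, account, target, start, end):
    """Return (user, timestamp, command) for every recorded command that starts
    with command_prefix, was run as `account` on `target`, and falls in
    [start, end). The join to the session record is what turns the shared
    privileged account into personal accountability."""
    by_id = {s["session_id"]: s for s in sessions}
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for c in commands:
        s = by_id.get(c["session_id"])
        if s is None or (s["account"], s["target"]) != (account, target):
            continue
        ts = datetime.fromisoformat(c["ts"])
        if t0 <= ts < t1 and c["command"].startswith(command_prefix):
            hits.append((s["user"], c["ts"], c["command"]))
    return hits


if __name__ == "__main__":
    for user, ts, cmd in who_ran(COMMANDS, SESSIONS, "rm -rf", "admin", "fileserver",
                                 "2013-04-01T09:00:00", "2013-04-01T10:00:00"):
        print(f"{ts} {user} (as admin@fileserver): {cmd}")
```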

In summary, OPAM's Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2 we focused on SSH, since there is a very large footprint of SSH-enabled target systems. Moving forward, we will be adding both new protocols and additional functionality as part of our session management offering.

For further details see the Oracle Privileged Account Manager whitepaper.
