Requesting and Granting Roles, Passwordless Access

This tutorial illustrates how users can request roles, how administrators can grant them and how roles grant passwordless access to target hosts.

Key Concepts

• Multi-Factor Authentication (MFA) (Steps 1-2)
• Requesting roles (Steps 3-4)
• Granting roles (Steps 5-7)
• Passwordless access (Steps 8-9)

Steps

1. Our example user chris.hall logs in to PrivX.

2. This PrivX instance has Multi-Factor Authentication (MFA) active, so Chris checks the pin code from his authenticator application, for example Google Authenticator app.

3. In this example, Chris needs SSH-based access to certain target hosts. The desired access is governed by role ssh-user, which he does not (yet) have.

4. He clicks Request a new role, fills in the required information and submits his request for role ssh-user.

The pending request is shown under My Requests. An approver (a member of privx-admin in this example) needs to approve the request.

5. An Administrator logs in and sees the pending role request from Chris on his home page.

6. The administrator reviews the request and grants the role.

7. The request status changes also on Chris's My Requests and the new role is listed on his My Roles.

8. Chris decides to take his new role for a spin, so he navigates to Connections and checks out his newly available SSH target hosts. He clicks PrivXDemo Linux-3 ...

9. ... and is granted passwordless access as user ubuntu.