Overview of Privileged Session Manager

Privileged Session Manager (PSM) is an application cluster that allows you to access, record, and monitor privileged sessions. With PSM, users can be issued privileged access to computers while meeting audit requirements. It can grant access to users for a specific amount of time, let administrators monitor sessions live and terminate a session at any point, and replay recorded sessions. It also provides time-constrained access to credentials and automatic termination of sessions once the time limit expires.

Features

  • Access — Privileged Session Manager permits users to view only the resources for which they have been granted access. They request access and initiate the connection through the EmpowerID website.
    Privileged Session Manager proxies all sessions to target resources through the PSM servers, enabling extensive control over the transmitted communication.
  • Live Monitoring, Recording and Replay — Administrators can view sessions live (provided policy allows for it), record sessions, and replay them for review, all from the EmpowerID website.
  • Credential Sharing — Computer credentials are stored encrypted and, on request, are used to initiate privileged sessions with the target resource by automatic login. The credentials are never exposed to users, which enhances security.
  • Auto-login — Privileged Session Manager can be combined with Privileged Access Manager, enabling you to configure access for automatic login, which enhances security and compliance by not exposing account credentials to users.

Architecture

The PSM cluster consists of three dockerized Node.js applications, each with its own responsibilities:

  1. Application
  2. Daemon
  3. Uploader

Session Flow

The UML diagram below outlines a session from initiation through to viewing the recorded session at the end. A description of the flow follows the image.

  1. User requests access to a computer by checking-out a credential from the list of available credentials.
  2. User clicks the login icon to initiate the RDP session and is prompted to enter their master password.
  3. The connection request is submitted to the PSM Application along with the master password that the user enters.
  4. The PSM Application talks to an EmpowerID API Endpoint to authorize and receive the credentials to the target resource.
  5. If the authorization is successful, EmpowerID returns the credentials to the PSM Application server.
  6. The PSM Application connects to the target resource through the Daemon with the corresponding protocol.
  7. Input from the browser and responses from the server are exchanged through a WebSocket connection.