
xacml message


Subject: Why does PAM exist?

Hi Martin,

This is an elaboration on my answer to your question during the TC conference
call: why does Privileged Access/Account Management exist?

IMO, the simple answer is that PAM exists because superuser accounts exist.
Superuser accounts tend to be shared accounts used by a number of administrators
who all know the password. One problem with this is ensuring that only the right
people know the current password as the composition of the group of administrators
changes over time. If someone leaves the group then the password should be changed
and all the remaining group members informed, but that is easier said than done
and often skimped. Another problem is monitoring and auditing what individual
administrators are doing. Since they are all using the same login credentials we
can't associate any particular action with any particular person.

A PAM solution addresses these problems by changing the privileged account
password for each session (and keeping it hidden) and recording who created the
session and the actions they performed because the administrators log in to the
PAM solution as themselves.

The shared superuser account is the essential problem. The obvious alternative is
to have the administrators authenticate using individual identities and to manage
the access controls to give each administrator the access they need. When an
administrator leaves, their account can be disabled/removed (by another
administrator with the access rights to do so) and, assuming all user actions are
recorded, we know who did what when. We still need a way to bootstrap the
initial identities and access controls and this is something that a superuser
account has traditionally been used for. However, there has been a tendency to
attach all sorts of administrative activities to the superuser account, to the
extent that some administrative actions can only be performed by the superuser
account. A reason applications might do this is to avoid having to address
managing access rights for administrative activities.

So inadequate or non-existent support for managing access rights for
administrative actions forces administrative users to use a common superuser
account and, consequently, PAM is a thing. At least, that's the way I see it.
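The session-brokering model the message describes (administrators authenticate as themselves, the broker rotates the shared superuser password per session and keeps it hidden, every action is attributed to an individual, and offboarding means deleting an identity rather than redistributing a secret) can be sketched in a few dozen lines. This is an added illustration, not code from the message's author or from any PAM product; the broker class, the administrator names, the account name "root@db01" and the recorded actions are all constructed for the example, and "pushing" the rotated password to the target host is simulated by updating an in-memory value.

```python
"""Minimal PAM-style session broker (added illustration, constructed data).

The broker owns the superuser password. Administrators never learn a
long-lived value: each checkout rotates the password, each checkin rotates
it again, and every action is logged against the individual identity.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    admin: str
    account: str
    password: str          # one-time password shown to this admin only
    opened_at: float
    closed: bool = False


@dataclass
class PamBroker:
    # Individual identities; the broker authenticates these, not the superuser.
    admins: set
    # The shared superuser account the broker controls (e.g. "root@db01").
    account_name: str
    _current_password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    audit: list = field(default_factory=list)
    _sessions: dict = field(default_factory=dict)

    def _rotate(self) -> str:
        """Replace the superuser password; stands in for pushing it to the host."""
        self._current_password = secrets.token_urlsafe(24)
        return self._current_password

    def _log(self, admin: str, event: str, **extra) -> None:
        self.audit.append({"ts": time.time(), "admin": admin, "event": event, **extra})

    def checkout(self, admin: str, reason: str) -> Session:
        """Admin logs in as themselves and receives a per-session password."""
        if admin not in self.admins:
            self._log(admin, "checkout_denied", reason=reason)
            raise PermissionError(f"{admin} is not an authorised administrator")
        password = self._rotate()
        session = Session(secrets.token_hex(8), admin, self.account_name,
                          password, time.time())
        self._sessions[session.session_id] = session
        self._log(admin, "checkout", session=session.session_id, reason=reason)
        return session

    def record(self, session_id: str, action: str) -> None:
        """Attribute an action on the shared account to the session's owner."""
        s = self._sessions[session_id]
        if s.closed:
            raise RuntimeError("session already checked in")
        self._log(s.admin, "action", session=session_id, action=action)

    def checkin(self, session_id: str) -> None:
        """Close the session and rotate, so the password the admin saw is dead."""
        s = self._sessions[session_id]
        s.closed = True
        self._rotate()
        self._log(s.admin, "checkin", session=session_id)

    def password_is_live(self, password: str) -> bool:
        """True only for the password currently set on the superuser account."""
        return secrets.compare_digest(password, self._current_password)

    def remove_admin(self, leaver: str) -> None:
        """Offboarding: drop the identity; no shared secret is redistributed."""
        self.admins.discard(leaver)
        self._log(leaver, "admin_removed")

    def actions_by(self, admin: str) -> list:
        """Audit query: which privileged actions did this individual perform?"""
        return [e["action"] for e in self.audit
                if e["event"] == "action" and e["admin"] == admin]


def demo() -> PamBroker:
    # Constructed sample run: two admins, one session, then one admin leaves.
    broker = PamBroker(admins={"alice", "bob"}, account_name="root@db01")
    s = broker.checkout("alice", reason="ticket 4242: restart database")
    broker.record(s.session_id, "systemctl restart postgresql")
    broker.checkin(s.session_id)
    broker.remove_admin("bob")
    return broker


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The two properties the message cares about fall out directly: `actions_by("alice")` answers "who did what", and after `checkin` the password alice was shown no longer opens the account, so a departing administrator takes nothing usable with them and `remove_admin` needs no password change on anyone else's part.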

