In BeyondTrust PRA, service providers can be asked to announce a maintenance window in specific use cases before they can use any jump method to reach a privileged endpoint. The procedure to be configured is called a «jump approval request» (Authorization Request). Jump approval requests for specific use cases can be configured in «jump policies».
If the option «jump approval request» is checked in a jump policy, an approval email is sent to the designated recipients whenever a session is attempted with any Jump Item that uses this Jump Policy. When a user attempts to start a session with a Jump Item that uses this policy, a dialog prompts the user to enter a request reason and the time and duration for the request.
How can a request that has already been approved by a person be withdrawn, so that another person can connect instead during the announced maintenance window?
There are three possible methods for doing this:
Method 1: The user who made the request deletes it himself in the PRA Access console.
Method 2: The person who received the request by e-mail clicks again on the same link in that e-mail to get into the approval portal. Since the request was already approved, the only option now appearing here is to Deny the request. A new request can now be made by another person for the same period as the previous one.
Method 3: If the person who asks and the person who approves have the same Jump Policy assigned (also via different group policies) and the “Anyone Permitted to Request” option box is set in this Jump Policy, any person in that configuration can Cancel the Request Authorization.
Jump Policy setting:
These circumstances were tested by a MICRODYN employee with PRA version 21.1.2. The results are kindly published here. There is no guarantee, neither from MICRODYN nor from the manufacturer, of the correctness of the information published here.