Privileged-Access Management Process


Have any other TeamDynamix-using organizations used TeamDynamix to create a privileged-access management process? We're getting ready to build one, but would like to have some ideas.




Asked by Sheila McBride on Wed 1/10/24 11:12 AM
Hi Mark,

I've built a Visio, but not sure how much it helps in terms of what it looks like using TDX. Essentially we want to trigger a quarterly review in which system owners gather data and, ideally, record it in TDX as either groups or form attributes, and compare it with the previous review. Then the Dean for IT would review and indicate who should be removed from having privileged access. It's an IT Security thing.

So I'd like to be able to keep tables against which TDX could populate form fields, but I suspect that's an iPaaS thing, which we won't have for a while. So I was thinking I could use groups but if I want the group values to appear in a form to check off or not check off, they should be attributes with group members as values.


I can't seem to add an attachment from here. Also, when I try to reply to your email, it goes to no-reply and I can't get it to change. Seems like a bug?
- Sheila McBride Wed 1/10/24 12:17 PM
Actually the Questions system doesn't support reply-by-email currently. As for adding an attachment, you can either edit the original question and add the attachment, or just supply a new "answer" to include it with that.

I'm not aware of a "great" way to do this without using an iPaaS form, but I imagine using custom attributes that you create and use to track current group membership and then use for this security audit form/service would be the closest thing possible. Then you could cascade the appropriate group membership attribute based on a parent field selection of the group value they need to check for. Maybe the manager could also check only the names of the persons in the attribute list that need to remain in the group. Unselected persons would need to be removed and then removed from the attribute choice options.

They further would want a field where they can include new persons to add to the group.
- Mark Sayers Wed 1/10/24 1:14 PM
Hi Mark,

Okay, that's a good start. I'll try a sample set of groups. Thanks!
- Sheila McBride Wed 1/10/24 3:38 PM
Hi Mark,

This is coming along. When you said, "Then you could cascade the appropriate group membership attribute based on a parent field selection of the group value they need to check for," can you tell me what you mean by cascade and a parent field?
- Sheila McBride Fri 1/12/24 1:31 PM
I meant that you would possibly set up attribute dependencies to control what shows up, and when, based on a selection from a primary field. You can read about attribute dependencies here: - Mark Sayers Fri 1/12/24 1:33 PM
Okay, I use dependencies a lot. Still trying to figure out at what level to make the groups. If I want to create a scheduled ticket template, would I need a template and schedule for each group? That may be a matter of how much reviewing management can handle. - Sheila McBride Fri 1/12/24 1:38 PM
Hi Mark,

I'm making good progress on this workflow. I'd like to be able to create a report for each group/attribute population (values). Is there such a thing?

- Sheila McBride Tue 1/16/24 9:21 AM
There isn't such a thing as a "group" type custom attribute specifically, no. I'm not sure what you're referring to specifically. - Mark Sayers Tue 1/16/24 10:09 AM
Hi Mark,

Right. As we talked about below, for our Privileged-Access Management process that I'm building, I'm using a custom attribute for each application's admin list, the population of which is a list of checkbox values. I see that I can export the list from the attribute to Excel one by one. Is it possible to create a report that will pull all the attributes labeled PAM and their values?

- Sheila McBride Tue 1/16/24 10:13 AM
You should be able to do that yes. Custom attributes are able to be included in custom ticket reports as either columns or filters or both. You'll find your custom attribute by its Header Text value that you gave it when creating the attribute in TDAdmin. - Mark Sayers Tue 1/16/24 11:38 AM
Hi Mark,

Okay. I built this report: PAM Export - Gary, ID: 255969.

It displays the columns, but not the values.
- Sheila McBride Tue 1/16/24 11:56 AM
I would need you to provide a screen shot of how you configured the report exactly to know better what is going on. - Mark Sayers Tue 1/16/24 12:33 PM
Hi Mark,

Sure. I'll start a new question so I can add that.
- Sheila McBride Tue 1/16/24 12:34 PM
Mark Sayers Wed 1/10/24 11:18 AM

Hello Sheila,

Can you describe in your own terms what you'd consider a privileged-access management process to entail/achieve?

It's not something I've heard specifically of a client doing, but perhaps with more details something will pop out to me.

Mark Sayers
Sr Support Consultant, CS

Hi Mark, thanks, this is good. Is there a way for a workflow to check for an attribute value being changed? For example, if the Zoom Admins Attribute has values available for Suzie, Mike, and John, and the manager checks who to keep or not keep, can the system see that he made a change or do I have to do a check for each value? And if he can see a change in value, can it trigger a task to the team to make the change? We are working with 100s of apps with many admins per app. It's easy to build the value lists, but checking if value for each one would take tons of conditions. - Sheila McBride Wed 1/10/24 3:18 PM
I'd assume you'd want to just have an attribute that indicates whether they would be changing group membership in any way or no, and then based on that field make their selections. You could filter on that "will you be making membership changes" yes/no field to see if a task is needed for the appropriate team or administrators. - Mark Sayers Wed 1/10/24 3:28 PM
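
Added example, not part of the thread and not TeamDynamix functionality: one way to run the quarterly comparison outside the form, on exported data, so that hundreds of admin lists can be checked without a workflow condition per name. It diffs each application's previous admin list against the reviewer's "keep" and "add" answers, emits removal and addition tasks, and warns when the yes/no membership-changes answer disagrees with the selections or when an application has no review recorded. The CSV layout, column names and sample rows are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample data; column names are assumptions for this example,
# not a TeamDynamix export format.
BASELINE_CSV = """app,admin
Zoom Admins,Suzie
Zoom Admins,Mike
Zoom Admins,John
VPN Admins,Ana
VPN Admins,Raj
LMS Admins,Lee
"""
REVIEW_CSV = """app,changes,keep,add
Zoom Admins,Yes,Suzie;John,Priya
VPN Admins,No,Ana,
"""

def names(cell):
    """Split a semicolon-separated cell into a set of trimmed names."""
    return {n.strip() for n in (cell or "").split(";") if n.strip()}

def load_baseline(text):
    """Map each application to the admin set from the previous review."""
    admins = {}
    for row in csv.DictReader(io.StringIO(text)):
        admins.setdefault(row["app"], set()).add(row["admin"].strip())
    return admins

def review_tasks(baseline, review_text):
    """Compare review answers to the baseline; return (tasks, warnings)."""
    tasks, warnings, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(review_text)):
        app = row["app"]
        seen.add(app)
        before = baseline.get(app, set())
        keep, add = names(row["keep"]), names(row["add"])
        remove = before - keep
        for name in sorted(keep - before):
            warnings.append(f"{app}: {name} kept but not on previous list")
        changed = bool(remove or add - before)
        flagged = row["changes"].strip().lower() == "yes"
        if changed != flagged:
            warnings.append(f"{app}: changes flag does not match selections")
        tasks += [(app, "remove", p) for p in sorted(remove)]
        tasks += [(app, "add", p) for p in sorted(add - before)]
    warnings += [f"{app}: no review recorded" for app in sorted(set(baseline) - seen)]
    return tasks, warnings
```

Each task tuple can become one ticket task for the team that administers the application; the warnings are the rows a reviewer should look at before any access is changed.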