Key privileged access workflows

Bravura Privilege supports the following core workflows for managing privileged access. Each workflow can be configured independently and phased in over time.

| Workflow | Purpose |
| --- | --- |
| Auto-discovery and onboarding | Automatically discover systems from Active Directory, LDAP, CSV, SQL, or a CMDB. Probe each system to discover local accounts, groups, services, and scheduled tasks. Classify and onboard systems and accounts using import rules. |
| Password randomization and rotation | Automate credential hygiene for administrator and service accounts. Randomize passwords on a configurable schedule and propagate changes to dependent services (Service Control Manager, Scheduler, IIS, DCOM). |
| Privilege request and approval | User requests elevated access; policy and approvers validate before granting access. Risk scoring can adapt approvals, disclosure methods, and session monitoring based on request context. |
| Just-in-time checkout | Grant time-boxed credentials or sessions; auto-revoke on expiry. Supports temporary group membership elevation as an alternative to shared account checkout. |
| Session brokering and monitoring | Broker SSH/RDP sessions via browser extension, VDI proxy, or HTML5 proxy. Optionally record screen video, keystrokes, clipboard contents, and window metadata. Tamper-resistant recording disconnects sessions if monitoring is interrupted. |
| Vaulted disclosure | Securely reveal or inject credentials without exposing raw passwords. Supports display, copy, RDP, SSH, VNC, Telnet, and web application sign-on methods. |
| Service account management | Discover subscriber-to-service-account dependencies. Randomize service account passwords and automatically notify dependent services of new values. Includes transaction management for retry and rollback. |
| API credential retrieval | Replace static embedded passwords in scripts and applications with secure API calls. The API is secured with one-time passwords, IP address validation, and client fingerprinting. |
| Audit and reporting | Provide evidence of who accessed what, when, and what actions were performed. Over 180 built-in reports cover privileged account usage, access events, and compliance. |