by xvdAZh 660 days ago
(Personal background: I currently work in the enterprise identity space, where problems like this are bog-standard.)

Everyone else seems to be going on about SSO. That's good for end users signing into websites & laptops, but I'm getting the sense that you're more worried about admin-level permissions management.

First, some terminology to help you Google for things:

> new hire be given access to all required passwords day 1

> when such new hire gets promoted, how can we give access to the additional passwords

> if someone leaves the company, how can we change only the sensible passwords they had access to and preferably notify everyone with access

The more technical/sales-y way to say this is "I want a PAM solution with JML workflow integration for my secrets management" (JML: Joiner, Mover, Leaver, PAM: Privileged Access Management), and it'd be part of your overall identity management (IdM) strategy.

Some big-name companies in the IdM space: Sailpoint, Quest One Identity, CyberArk. Those'll give extended management of your canonical source(s) of identity & authorization info (typically Active Directory/Entra ID, but with the big-name products you can also integrate with modern solutions like Workday, FOSS e.g. LDAP servers, or old-fashioned stuff like CSV drops on an FTP share, and set up push or pull workflows to set user attributes & permissions based on your needs).

So you want IdM, plus (at least) 1 of 2 things:

1. Secrets management (for static secrets). I've personally seen folks using Thycotic Secret Server and LastPass Enterprise (although there are lots more companies in that space). That gets you the basic "get admin X a password that was created by admin Y". This is more of a requirement for servers you can't integrate IdM with (so it'd be licensed to admins only), because for day-to-day admin work (stuff like "add this user to that group"), what you'd ideally want is:

2. Full PAM. Essentially, you'd set up a workflow to temporarily "check out" a secret (i.e. password) for a set period of time (which the user could request some capped number of extensions to), that's then automatically changed by the IdM once their time's up. (You can also do things like "give anyone who asks & gets manager signoff group permissions to XYZ that expires in 90 days".) Sailpoint and CyberArk can both do this.

Now, all that's for server admin. If you're talking about handing out admin permissions for endpoints (this is your classic "Tech support needs to privesc to fix something, but I don't want to leave the Windows admin passwords lying around in random techs' clipboards, and I don't want to let just anyone use ADUC (which, IIRC, is required to effectively use LAPS)"), you want something slightly different (in addition to an IdM solution):

3. EPM (Endpoint Privilege Management). BeyondTrust is the big name here. This lets you grant some permissions to end users (e.g. "install pre-approved software", "change (only some) networking settings"), while locking everything else behind an admin account (which you can gate access to using your PAM; that gets you auto-rotation of Windows admin PWs right after they're touched, plus JML workflows for your tech support personnel).

Now, go forth and Google (and when you start asking for demos, try not to let the salespeople drown you in buzzwords like I just did)!
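As an added illustration (not the commenter's code, and not how any of the named products are implemented), here is a toy Python model of the check-out workflow in item 2 and the leaver case quoted above: a lease with a capped number of extensions, automatic rotation once the lease runs out, and, when someone leaves, rotation of only the secrets they were entitled to plus the list of remaining holders to notify. Secret names, users, lease lengths and the clock are all constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Secret:
    name: str
    entitled: set                   # users entitled to check this secret out
    value: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    holder: str = ""                # who currently has it checked out ("" = nobody)
    expires_at: int = 0             # lease end, epoch seconds from a constructed clock
    extensions: int = 0             # extensions used on the current lease
class PamVault:
    """Toy model of a PAM check-out/rotate workflow plus a JML leaver step."""
    def __init__(self, lease_seconds=3600, max_extensions=2):
        self.lease_seconds, self.max_extensions = lease_seconds, max_extensions
        self.secrets = {}
    def add(self, name, entitled):
        self.secrets[name] = Secret(name, set(entitled))
    def checkout(self, user, name, now):
        s = self.secrets[name]
        if user not in s.entitled:
            raise PermissionError(f"{user} is not entitled to {name}")
        if s.holder and s.holder != user and now < s.expires_at:
            raise RuntimeError(f"{name} is checked out by {s.holder}")
        s.holder, s.expires_at, s.extensions = user, now + self.lease_seconds, 0
        return s.value
    def extend(self, user, name, now):
        s = self.secrets[name]
        if s.holder != user or now >= s.expires_at or s.extensions >= self.max_extensions:
            raise RuntimeError("no active lease for this user, or extension cap reached")
        s.extensions += 1
        s.expires_at += self.lease_seconds
        return s.expires_at
    def _rotate(self, s):
        s.value = secrets.token_urlsafe(16)     # new password; the old one is now useless
        s.holder, s.expires_at, s.extensions = "", 0, 0
    def expire(self, now):
        # Rotate every secret whose lease has run out; return the names rotated.
        due = [s for s in self.secrets.values() if s.holder and now >= s.expires_at]
        for s in due:
            self._rotate(s)
        return [s.name for s in due]
    def leaver(self, user):
        # JML leaver: revoke entitlements, rotate only what the user could reach,
        # and return who still has access to each rotated secret (people to notify).
        notify = {}
        for s in self.secrets.values():
            if user in s.entitled:
                s.entitled.discard(user)
                self._rotate(s)
                notify[s.name] = sorted(s.entitled)
        return notify
```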