
Privileged Access Management

Modern PAM for infrastructure. Secure, audit, and control access to your most critical systems without the complexity of legacy solutions.

Estimated time: 30 minutes

PAM Capabilities

Password vaulting and rotation
SSH key management
Certificate-based authentication
Session recording and playback
Real-time session monitoring
Emergency access procedures
Privilege elevation workflows
Comprehensive audit logging

Configuration Steps

1. Define Privileged Roles

Create roles with elevated permissions.

tacctl create -f - <<EOF
kind: role
metadata:
  name: db-admin
spec:
  allow:
    db_labels:
      env: [production, staging]
    db_users: [postgres, admin]
    db_names: ["*"]

  options:
    max_session_ttl: 4h
    require_session_mfa: true
    enhanced_recording: true
EOF

2. Configure Credential Vaulting

Store and rotate privileged credentials.

tacctl create -f - <<EOF
kind: credential_vault
metadata:
  name: production-credentials
spec:
  backend:
    type: aws-secrets-manager
    region: us-east-1

  credentials:
    - name: prod-db-root
      type: database
      rotation:
        interval: 24h
        method: dual-password
EOF

3. Enable Session Recording

Record all privileged sessions.

tacctl create -f - <<EOF
kind: role
metadata:
  name: privileged-access
spec:
  options:
    record_session:
      default: strict
      ssh: strict
      kubernetes: best_effort

    enhanced_recording:
      enabled: true
      command: true
      network: true
EOF

4. Set Up Approval Workflows

Require approval for privileged access.

tacctl create -f - <<EOF
kind: access_request_policy
metadata:
  name: privileged-approval
spec:
  roles: [db-admin, ssh-root]

  thresholds:
    - approve: 1
      deny: 1

  suggested_reviewers:
    - team: security
    - team: platform

  max_duration: 4h
  request_reason: required
EOF

5. Configure Session Isolation

Isolate privileged sessions to prevent credential exposure.

tacctl create -f - <<EOF
kind: role
metadata:
  name: isolated-admin
spec:
  options:
    # Inject credentials without exposing to user
    credential_injection: true

    # Lock session to client IP
    pin_source_ip: true

    # Terminate on disconnect
    disconnect_expired_cert: true
    client_idle_timeout: 15m
EOF
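The five resources above can be checked mechanically before they are applied. The Python lint below is an added example, not part of this guide or of tacctl: it transcribes the guide's YAML as Python dicts (so no YAML library is needed) and flags privileged roles that lack session MFA, exceed the session TTL cap, or are not gated by an approval policy, plus any non-strict recording mode and any access policy that references a role that was never defined. The privileged-account list, the 4h cap and the 24h fallback TTL are assumptions to adjust for your environment.

```python
"""Policy-as-code lint for the PAM resources in this guide (added example; not tacctl tooling)."""

MAX_PRIV_TTL_MINUTES = 240  # assumed baseline: privileged sessions live at most 4h

# Constructed: the guide's YAML resources transcribed as Python dicts (no YAML library needed).
ROLES = {
    "db-admin": {"allow": {"db_users": ["postgres", "admin"], "db_names": ["*"]},
                 "options": {"max_session_ttl": "4h", "require_session_mfa": True}},
    "privileged-access": {"options": {"record_session": {
        "default": "strict", "ssh": "strict", "kubernetes": "best_effort"}}},
    "isolated-admin": {"options": {"credential_injection": True, "pin_source_ip": True,
                                   "disconnect_expired_cert": True, "client_idle_timeout": "15m"}},
}
ACCESS_POLICIES = [{"roles": ["db-admin", "ssh-root"], "thresholds": [{"approve": 1, "deny": 1}],
                    "max_duration": "4h", "request_reason": "required"}]

def duration_minutes(value):
    """Convert a '4h' / '15m' / '30s' style duration to minutes."""
    return float(value[:-1]) * {"h": 60, "m": 1, "s": 1 / 60}[value[-1]]

def is_privileged(role):
    """Privileged: wildcard database names or a privileged database account (assumed list)."""
    allow = role.get("allow", {})
    return "*" in allow.get("db_names", []) or bool({"postgres", "admin", "root"} & set(allow.get("db_users", [])))

def lint_pam(roles, policies):
    """Return findings as strings; an empty list means the baseline is met."""
    findings = []
    # Roles gated by at least one access_request_policy that actually requires an approver.
    gated = {r for p in policies for r in p["roles"]
             if any(t.get("approve", 0) >= 1 for t in p["thresholds"])}
    for name, role in roles.items():
        opts = role.get("options", {})
        if is_privileged(role):
            if not opts.get("require_session_mfa"):
                findings.append(f"{name}: privileged role without require_session_mfa")
            if duration_minutes(opts.get("max_session_ttl", "24h")) > MAX_PRIV_TTL_MINUTES:  # 24h: assumed default
                findings.append(f"{name}: max_session_ttl exceeds {MAX_PRIV_TTL_MINUTES} minutes")
            if name not in gated:
                findings.append(f"{name}: not covered by an access_request_policy with approvers")
        recording = opts.get("record_session", {})
        for proto, mode in recording.items():
            if mode != "strict":
                findings.append(f"{name}: record_session.{proto} is {mode}, not strict")
    for policy in policies:
        if policy.get("request_reason") != "required":
            findings.append("access_request_policy: request_reason should be required")
        findings += [f"access_request_policy: role {r} is not defined" for r in policy["roles"] if r not in roles]
    return findings
```

Run against the guide's own resources it reports two findings: the best_effort Kubernetes recording mode and the ssh-root role, which the approval policy references but no step defines.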

PAM Enabled

With PAM configured, you have:

  • Centralized credential vaulting with auto-rotation
  • Session isolation preventing credential exposure
  • Complete session recording for audit
  • Approval workflows for privileged access