Hot Topics
Security Bloggers Network 
SBN

Breaking the Glass With Unlimited Administration Mode

by Barbara Hoffman on January 14, 2022

What happens when a user creates secrets and does not share them with anyone else, or if you are administrating Secret Server and need to re-organize your secrets?

Secret Server’s “break the glass” feature, Unlimited Administration Mode, can help in those situations.

The Unlimited Administrator Mode allows designated users to manage Secrets they would normally not have access to. Administrators with the “Administer Unlimited Admin Configuration” role permission can enable this by going to Administration > Configuration and selecting “Change Administration Mode”. Administrators can enter any optional notes explaining why they are enabling or disabling it, as well as creating an audit trail of this setting. A banner also appears in the header indicating to other users that Unlimited Administration Mode is turned on.

Secret Server Break the Glass Mode 1
When enabled, users that have the “Unlimited Administrator” role permission can now access all Secrets and folders (with the exception of DoubleLocked Secrets), regardless of permissions, and all features of the Secret Server. Having separate role permissions allows administrators to specifically assign which users will be affected by the setting. Typically these should be very trusted people in the organization.

When enabled, users that have the "Unlimited Administrator" role permission can now access all Secrets and folders.

Unlimited Administration Mode is powerful, and can be locked down to prevent abuse by ensuring no user has both permissions “Administer Role Permissions” and “Administer Unlimited Admin Configuration”. If no role has the “Unlimited Administrator” permission by default, then it will take two users to effectively turn Unlimited Administration Mode on –  One user to enable it in configuration, and the other user to grant the permission to users or groups.

If no role has the "Unlimited Administrator" permission by default it will take two users to turn Unlimited Administration Mode on

You can also have administrators notified by email when Unlimited Administration Mode is turned on or off by using event subscriptions. Our Knowledge Base article, How to protect the Unlimited Admin Mode using Event Subscriptions, details how to set that up.

Enable Unlimited Administrator Mode - No

Unlimited Administration Mode can be a key capability in incident response When you need emergency access to a Secret. For a complete checklist, check out our Cyber Security Incident Response Plan Template

Want to try Secret Server for yourself? Check it out and get the free trial here.

*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Barbara Hoffman. Read the original post at: https://thycotic.com/company/blog/2022/01/14/breaking-the-glass-with-unlimited-administration-mode-2/

Barbara Hoffman ,

Secure Guardrails