7.1 Resource Reservation
RPAM (Remote Privileged Access Management) implements a remote access model based on granting permissions for limited and controlled time periods. This approach enhances security by reducing unnecessary exposure and enables a structured and auditable management of access to critical resources.
In Thinfinity Workspace, RPAM is implemented mainly via the Resource Reservation system. To control access to resources, this module uses a combination of booking requests and role-based approval workflows.
Key principles of RPAM and how they are implemented in Thinfinity Workspace
RPAM operates on several core principles and often involves a combination of processes and technologies. The Resource Reservation system implements the following principles:
Principle of Least Privilege (PoLP): This is the foundational concept. It means users are granted only the minimum access rights and permissions necessary to perform their specific job functions, and only for the duration required. In Thinfinity Workspace this principle is implemented by defining roles that group default system permissions and applying those roles to a resource's Access Profile.
Just-in-Time (JIT) Access: Grants elevated privileges only when they are explicitly requested and for a limited, defined period. This is implemented via the Resource Reservation system, which ensures that a user holding a given role can access a resource only on the basis of a request that can be granted or denied.
Approval Workflow: the ability to require an approval workflow for resource reservation requests. This mechanism ensures that explicit authorization is obtained before a user can gain access to a resource (Access Profile). It adds an essential layer of security and control, preventing unauthorized access and ensuring adherence to security policies.
Once the user roles are defined, the workflow typically involves:
User Request: A user submits a request to reserve a specific resource for a defined period. This request often includes details about the purpose of access and the expected duration.
Approver Review: Approvers, who are typically security administrators, IT managers, or team leads, evaluate the legitimacy of the request. They might consider factors such as the user's role, the sensitivity of the resource, the business need, and existing security policies.
Authorization/Rejection: Based on their review, approvers can either authorize (approve) or reject the reservation request.
JIT Access Granting: If authorized, the system automatically grants the user access to the reserved resource for the specified time frame. If rejected, access is denied, and the user is notified of the decision.
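The four workflow steps above, modeled as an added Python example (this is an illustration, not Thinfinity Workspace code or its API): the role-to-resource table, user and resource names, and the rule that a requester cannot approve their own reservation are assumptions for the example.

```python
# Constructed model of a reservation-based JIT workflow; added illustration only.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role -> resources whose Access Profile includes that role (sample data)
ROLE_RESOURCES = {"dba": {"db-prod"}, "helpdesk": {"jump-host"}}

@dataclass
class Reservation:
    user: str
    resource: str
    start: datetime
    end: datetime
    purpose: str
    status: str = "pending"  # pending -> approved | rejected

class ReservationSystem:
    def __init__(self):
        self.reservations, self.audit = [], []  # audit: every request and decision

    def request(self, user, role, resource, start, hours, purpose):
        # PoLP: a role may only request resources its Access Profile allows
        if resource not in ROLE_RESOURCES.get(role, set()):
            raise PermissionError(f"role {role!r} may not request {resource!r}")
        res = Reservation(user, resource, start, start + timedelta(hours=hours), purpose)
        self.reservations.append(res)
        self.audit.append(f"REQUEST {user} {resource} {start.isoformat()} {purpose!r}")
        return res

    def decide(self, res, approver, approve):
        # Added safeguard (assumption, not from the page): no self-approval
        if approver == res.user:
            raise PermissionError("requester cannot approve their own reservation")
        res.status = "approved" if approve else "rejected"
        self.audit.append(f"{res.status.upper()} {res.user} {res.resource} by {approver}")

    def can_access(self, user, resource, now):
        # JIT: access exists only inside the window of an approved reservation
        return any(r.status == "approved" and r.user == user and r.resource == resource
                   and r.start <= now < r.end for r in self.reservations)

def demo():
    system = ReservationSystem()
    t0 = datetime(2025, 1, 6, 9, 0)  # constructed timestamp
    res = system.request("alice", "dba", "db-prod", t0, 2, "apply security patch")
    before = system.can_access("alice", "db-prod", t0 + timedelta(minutes=30))
    system.decide(res, "bob", approve=True)
    during = system.can_access("alice", "db-prod", t0 + timedelta(minutes=30))
    after = system.can_access("alice", "db-prod", t0 + timedelta(hours=2))
    return {"before": before, "during": during, "after": after, "audit": len(system.audit)}
```

Access is denied while the request is pending and again once the reserved window ends, with both the request and the decision left in the audit trail.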