Privilege elevation and delegation management (PEDM) is another category of privileged access management (PAM). Privilege elevation and delegation management (PEDM) solutions provide more granular access controls than privileged account and session management (PASM) tools and reduce the access-related risks associated with over-privileged users. While the password vaulting of privileged account and session management (PASM) solutions offers a basic level of control, it is provided on an all-or-nothing basis: users or even machines can either check out an administrator account with full access privileges or accept nothing.
Privilege elevation and delegation management (PEDM) solutions are designed to address this issue. According to Gartner, the tools provide host-based command control (filtering) as well as privilege elevation, with the latter taking the form of allowing particular commands to be run with a higher level of privileges.
With privilege elevation and delegation management (PEDM), organizations can take a stronger approach to security by only granting admin rights for individual tasks, applications, or scripts that require them on a limited basis. This type of fine-grained capability allows an organization to effectively implement the principle of least privilege and provide workers with just enough access to do their jobs. This is often referred to as zero standing privileges. In effect, privilege elevation and delegation management (PEDM) empowers organizations to provide permissions based on role, but with specific limitations—such as allowing an employee to have access to a particular server, but only during business hours or for a particular length of time.
At the conclusion of the session, the access rights are revoked. As a result, if the credentials are compromised, the attacker would not have the ability to maintain persistence. In addition, combining privilege elevation and delegation management (PEDM) with privileged account and session management (PASM) can reduce the number of administrator accounts in the organization. Due to their access rights, privileged accounts pose a serious danger to businesses if they fall into the hands of an attacker. Limiting the number of these accounts shrinks the threat landscape by mitigating the risk of abuses by malicious insiders or external threat actors.
Privilege elevation and delegation management (PEDM) solutions also enable administrators to systematically request new roles to obtain the rights they need to perform tasks. This self-service capability allows organizations to assign privileges and roles according to a flexible, just-in-time model that helps them meet their business needs. The tools also aid compliance efforts, as they typically feature monitoring (at host-level) and reporting capabilities as well.