ConductorOne docs

Enable emergency access requests

Emergency access (also known as "break glass" access) is a system for granting expedited access approval in the event of an emergency or incident when access is urgently needed.

What’s an emergency access request?

In emergency situations, some employees might need immediate access to resources and systems that they don’t normally have access to. In order to get these employees the access they need, companies create expedited access review procedures (sometimes called “break glass” procedures in reference to the “break glass in case of fire” signs on alarms and fire safety equipment).

ConductorOne’s emergency access request process works like this:

  1. Admins enable select entitlements to accept emergency access requests.

  2. Each entitlement that supports emergency access is assigned an emergency access policy.

  3. When an emergency arises, a user requests access through ConductorOne and selects Emergency access on the request form in the web app or Slack. If you prefer to use the CLI, you can request emergency access through Cone.

  4. ConductorOne routes the request through the emergency access review process.

  5. The user is granted emergency access.

How are emergency access requests shown in the ConductorOne app?

When requesting access in ConductorOne, the Emergency access toggle is shown when a user has selected an entitlement with emergency access enabled.

[Screenshot: a completed request access form in ConductorOne for 1 hour of access to an AWS admin role, showing the emergency access toggle present and enabled.]

Emergency access requests are shown with a thunderbolt icon in all task lists, including on the Tasks, Requests, and Open requests pages.

[Screenshot: two request tasks in a task table, one showing a thunderbolt icon next to the request icon.]

A badge at the top of the request task’s details page also shows that the request is for emergency access.

[Screenshot: a task details page showing the 'Emergency access requested' badge in the header.]

Can an open access request be escalated to emergency access?

Yes, it can! If a request for standard non-emergency access is open, but emergency access is needed, go to the request and click Escalate to emergency access. When using Cone, escalate a task by running cone task escalate.

Emergency access policies

When a request for emergency access is created, the request bypasses the request policy set on the entitlement or application and uses a designated emergency access policy instead.

You can use any existing request policy as the emergency access policy, but you might want to create dedicated emergency access policies to be used in this situation.

Tips for creating emergency access policies

  1. Make sure to choose the Request policy type.

  2. Give your emergency access policy a name that indicates that this policy is used for emergency access requests.

  3. Consider creating multiple emergency access policies with a range of levels of required review before access is granted, which you can match to each entitlement based on its level of sensitivity.
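
One way to check an entitlement inventory against these tips, as an added example that is not ConductorOne's code, API or export format. The inventory below is constructed, and the field names, policy names and the minimum-approval-steps rule are assumptions.

```python
# Constructed inventory: field names and values are assumptions for this
# example, not ConductorOne's export format or API.
POLICIES = {
    "emergency-two-approvers": {"type": "request", "approval_steps": 2},
    "emergency-auto-approve": {"type": "request", "approval_steps": 0},
    "quarterly-review": {"type": "review", "approval_steps": 1},
}
ENTITLEMENTS = [
    {"name": "aws-admin", "sensitivity": "high", "emergency_enabled": True,
     "emergency_policy": "emergency-auto-approve"},
    {"name": "prod-db-read", "sensitivity": "medium", "emergency_enabled": True,
     "emergency_policy": "emergency-two-approvers"},
    {"name": "billing-admin", "sensitivity": "high", "emergency_enabled": True,
     "emergency_policy": None},
    {"name": "idp-super-admin", "sensitivity": "high", "emergency_enabled": True,
     "emergency_policy": "quarterly-review"},
    {"name": "wiki-editor", "sensitivity": "low", "emergency_enabled": False,
     "emergency_policy": None},
]
# Assumed house rule: minimum approval steps required per sensitivity level.
MIN_STEPS = {"low": 0, "medium": 1, "high": 1}


def audit(entitlements, policies, min_steps=MIN_STEPS):
    """Return (entitlement, finding) pairs for emergency access misconfigurations."""
    findings = []
    for ent in entitlements:
        if not ent["emergency_enabled"]:
            continue  # only emergency-enabled entitlements need an emergency policy
        policy_name = ent["emergency_policy"]
        policy = policies.get(policy_name)
        if policy is None:
            findings.append((ent["name"], "no emergency access policy assigned"))
            continue
        if policy["type"] != "request":  # tip 1: Request policy type
            findings.append((ent["name"], "policy is not of the Request type"))
        if "emergency" not in policy_name.lower():  # tip 2: descriptive name
            findings.append((ent["name"], "policy name does not indicate emergency use"))
        if policy["approval_steps"] < min_steps[ent["sensitivity"]]:  # tip 3
            findings.append((ent["name"], "review level too low for sensitivity"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ENTITLEMENTS, POLICIES):
        print(f"{name}: {finding}")
```
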