Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.

PrivX™ Architecture & Operation

What is PrivX On-Demand Access Manager

PrivX On-Demand Access Manager is an access management platform that revolutionizes how privileged access management is done in the cloud and elastic computing environments. PrivX eliminates the need for passwords on service accounts and instead uses short-lived SSH certificates. This completely eliminates password rotation, secrets management, and credentials vaulting for privileged access. Access is granted based on roles defined in Active Directory (AD) in real time.

It does not need any agents on servers. There is no more a need for passwords, password rotation, or password vaulting. And no more permanent SSH keys.

This in turn translate to faster and cheaper deployment, better scalability, better reliability, simplified future-proof architecture, no vendor lock-in, and lower on-going costs.


The problem with traditional credentials

IT is the bottleneck in the time it takes to process and assign access rights according to 62% of respondents to Gartner. Credentials need to be provisioned, removed, or configured on the endpoints each time new instances come online, an employee changes roles, 3rd party access needs to be removed, and so on.

Traditional password vault based Privileged Access Management (PAM) solutions are difficult to deploy in cloud environments. Securing, managing, rotating, and vaulting traditional credentials has always been burdensome. The scale and elasticity of cloud environments exacerbates the problem.

How PrivX improves scalability and security

PrivX On-Demand Access Manager improves efficiency and security by replacing traditional credentials with short-lived on-demand SSH certificates. This means no secrets or agents are required on the endpoints, credentials are changed after each use, and users never have direct access to endpoint credentials.

Certificates are trusted based on a trusted certification authority, not something that is configured on a server separately for each user or credential. Not having to worry about provisioning, managing, or monitoring credentials allows cloud environments using PrivX to scale quickly and efficiently.

Quicker deployment and lower TCO

No agents on the endpoints, no credentials to deploy, no password vault to configure and train users on means no lengthy deployment projects. Users have the flexibility to user their existing SSH and RDP client tools or use our web client. Quicker deployment, no extra training, and using the tools you already have means lower TCO (Total Cost of Ownership).

A portal and a database are installed as virtual machines, and a script is run on target servers to update SSH configuration files. Most deployments are completed in hours.

Key functionality

Elimination of passwords and SSH keys

PrivX lets you eliminate all permanent credentials from servers. There is no longer any need for passwords for service accounts or even root. There is no need for permanent SSH keys either. This means there are no long-term credentials that can be stolen by hackers. It is a big step towards getting rid of passwords overall.

Session recording

PrivX offers session recording for all privileged users. This is a requirement in many compliance regulations and cybersecurity best practice. It is also an important deterrent against insider crime and an important forensics and evidence gathering tool.

Analytics and early warning

PrivX can also pass user actions and session contents to sophicticated analytics tools for early threat warning capability. It integrates with SIEM (Security Incident and Event Management) and Analytics systems used in the enterprise. This enables early warning of suspicious and wrongful activity by trusted users and vendors

Transparent monitoring

PrivX provides transparent monitoring of encrypted SSH and Remote Desktop (RDP) traffic. PrivX decrypts SSH and RDP traffic on the fly using endpoint private keys. This allows PrivX to transparently inspect, report, and control access. No other solution is capable of transparently controlling access by automation tools and scripts.


Connection flow

First the user authenticates with an Active Directory password or two-factor authentication to a PrivX gateway. PrivX validates the user and the user's role against Active Directory. PrivX then generates a short-lived SSH certificate to transparently connect the user to the target host. At no time does PrivX store credentials to disk or go to configure them on target servers.

How PrivX roles are created and mapped

PrivX provides role-based access control (RBAC) for users. Group memberships are defined in Active Directory or LDAP, and rules are used to map those to roles with access rights and additional conditions for access.

PrivX roles are used to authenticate against the target hosts. Roles can be defined as explicitly granted roles, or they can be dynamically mapped from existing Active Directory groups. A single role mapping may depend on multiple user directory sources for rules. Role Store dynamically evaluates user’s roles as needed.

Certificate authority

PrivX acts as the Certificate Authority (CA) and creates short-lived SSH certificates. Traditional CAs cannot used for this purpose because traditional CAs do not work with OpenSSH certificates. Private keys can be stored on a hardware security module (HSM).

Microservices architecture

PrivX On-Demand Access Manager is built using a modern microservices architecture. Each microservice communicates with each other services using REST APIs. User authentication is implemented using the OAuth 2.0 authorization framework. The built-in OAuth2 service can integrate against identity providers such as Active Directory or LDAP (Lightweight Directory Access Protocol). PrivX also has a Local User Directory that can be used for configuring users outside Active Directory. A Role Store component takes user defined rules and information from multiple sources to determine PrivX roles for users. An Authorizer service creates certificates attached to roles for users connecting to specific accounts on target hosts.


Request more information