WEBVTT 0:00:02.640000 --> 0:00:08.540000 If you are a small IT shop or an IT shop of one, then there's a good chance 0:00:08.540000 --> 0:00:14.700000 you're not going to need to know about the topic of this video, unless 0:00:14.700000 --> 0:00:16.380000 you're of course studying for an exam. 0:00:16.380000 --> 0:00:22.480000 But if you are a large organization, if you're part of a large organization 0:00:22.480000 --> 0:00:30.020000 and you want to effectively manage access to your resources, whether they 0:00:30.020000 --> 0:00:35.300000 be in Azure AD or Azure itself, then privileged identity management is 0:00:35.300000 --> 0:00:38.540000 something that you're going to want to take a look at. 0:00:38.540000 --> 0:00:43.900000 And that's what we're going to talk about in this video. 0:00:43.900000 --> 0:00:46.780000 So we're going to talk about privileged identity management. 0:00:46.780000 --> 0:00:48.700000 Very simple. We'll talk about what it is. 0:00:48.700000 --> 0:00:52.720000 And then I'm going to demonstrate it with a fairly straightforward demonstration, 0:00:52.720000 --> 0:00:56.300000 hopefully. At least hopefully you'll find it straightforward. 0:00:56.300000 --> 0:00:58.620000 Anyways, let's move on. 0:00:58.620000 --> 0:01:03.760000 Okay, so I want to start out right away talking about what PIM or again, 0:01:03.760000 --> 0:01:07.580000 privileged identity management or PIM actually is. 0:01:07.580000 --> 0:01:16.220000 Okay, if you think about a scenario, let's say that I've got a help desk 0:01:16.220000 --> 0:01:26.040000 person. Okay, and that help desk person has access to Azure, but normally 0:01:26.040000 --> 0:01:29.740000 that access is fairly unlimited. 0:01:29.740000 --> 0:01:36.200000 Maybe they've got read access and they can see everything there. 0:01:36.200000 --> 0:01:45.480000 But for security and really also just for liability for that person, let's 0:01:45.480000 --> 0:01:48.220000 say this person is Sue. 
0:01:48.220000 --> 0:01:56.100000 Okay, so Sue is one of my tech support people. 0:01:56.100000 --> 0:02:00.320000 She's a level two or level three tech support person. 0:02:00.320000 --> 0:02:02.240000 Great at what she does. 0:02:02.240000 --> 0:02:13.520000 She's got read access because she's in the reader role for my subscriptions. 0:02:13.520000 --> 0:02:17.840000 This is my Azure subscription, I'll just say Azure. 0:02:17.840000 --> 0:02:24.180000 Okay, so Sue has reader access to my Azure subscription. 0:02:24.180000 --> 0:02:30.960000 Okay, but Sue is also responsible for managing issues that come up. 0:02:30.960000 --> 0:02:35.200000 She's our frontline manager for any issues that come up on virtual machines 0:02:35.200000 --> 0:02:39.180000 that are in our Azure subscription. 0:02:39.180000 --> 0:02:49.960000 So here we've got a VM gone bad for some reason. 0:02:49.960000 --> 0:02:55.200000 And now Sue needs to fix that. 0:02:55.200000 --> 0:02:57.380000 Sue absolutely needs to get access. 0:02:57.380000 --> 0:02:59.940000 It's actually absolutely right for her to get access. 0:02:59.940000 --> 0:03:04.960000 She needs to go in and she needs to have contributor access. 0:03:04.960000 --> 0:03:08.460000 I'm going to say C O N contributor. 0:03:08.460000 --> 0:03:13.120000 She needs contributor access in order to go in and troubleshoot and fix 0:03:13.120000 --> 0:03:18.860000 that VM. Now one way I could do that is I could go ahead and just give 0:03:18.860000 --> 0:03:23.160000 her say virtual machine contributor access. 0:03:23.160000 --> 0:03:25.620000 And she'll just have that and then she can do that. 0:03:25.620000 --> 0:03:29.540000 But you know, what if Sue is my only technician? 0:03:29.540000 --> 0:03:34.120000 Great. What if I've got, you know, 30 technicians, 100 technicians? 0:03:34.120000 --> 0:03:38.500000 Okay. And what if people move in and out of positions are on or are off 0:03:38.500000 --> 0:03:44.480000 shift, right? 
We don't want people to have the unnecessary permissions, 0:03:44.480000 --> 0:03:46.700000 right? Least required rights. 0:03:46.700000 --> 0:03:48.320000 So what I would want to do is manage. 0:03:48.320000 --> 0:03:51.800000 I'd say, okay, Sue, when you need it, I'll go ahead and give it to you. 0:03:51.800000 --> 0:03:53.520000 Let me know. I'll go ahead and take that back. 0:03:53.520000 --> 0:03:55.240000 But that's very manual, right? 0:03:55.240000 --> 0:04:00.420000 What I really want is I want a process whereby Sue can go and actually 0:04:00.420000 --> 0:04:02.960000 request that and say, you know what? 0:04:02.960000 --> 0:04:06.140000 I'm going to go through this PIM system. 0:04:06.140000 --> 0:04:08.640000 It's a privileged identity management. 0:04:08.640000 --> 0:04:10.460000 It's been set up, right? 0:04:10.460000 --> 0:04:22.680000 And I'm going to make a request for that, we'll say, I'm going to say 0:04:22.680000 --> 0:04:27.280000 VC for virtual machine contributor. 0:04:27.280000 --> 0:04:30.040000 Okay. And if that's approved, then I'll have it. 0:04:30.040000 --> 0:04:34.080000 But not only will I have it, but it will be time limited and it will be 0:04:34.080000 --> 0:04:39.720000 audited, right? And so this way, you know, of course, Sue's going to do, 0:04:39.720000 --> 0:04:43.120000 she's her job, she's going to go and do her job right, everything's fine. 0:04:43.120000 --> 0:04:48.180000 But let's say something happens when Sue's, you know, not on shift. 0:04:48.180000 --> 0:04:52.320000 Well, there's no way that could be assigned to Sue because Sue only had 0:04:52.320000 --> 0:04:56.800000 the appropriate rights for a specific period of time. 0:04:56.800000 --> 0:04:59.320000 And that's been logged and audited. 0:04:59.320000 --> 0:05:04.200000 Okay. And so really when it comes down to it, that's what PIM is about. 
0:05:04.200000 --> 0:05:13.460000 It's a simple system that is designed to allow you to manage, well, frankly, 0:05:13.460000 --> 0:05:14.680000 privileged identity. 0:05:14.680000 --> 0:05:17.180000 Okay. And so what it provides are the following. 0:05:17.180000 --> 0:05:18.340000 You can see these. 0:05:18.340000 --> 0:05:21.140000 You've got just in time privileged access. 0:05:21.140000 --> 0:05:25.560000 In other words, Sue's not going to have that level of access until she 0:05:25.560000 --> 0:05:28.220000 needs it. You have time limited access. 0:05:28.220000 --> 0:05:32.100000 I can set how long up to eight hours that that access is granted. 0:05:32.100000 --> 0:05:34.240000 There's an approval process that can be set up. 0:05:34.240000 --> 0:05:36.460000 And I'm going to show that to you. 0:05:36.460000 --> 0:05:42.780000 I can also say if you're going to get this, this is a, you know, elevated 0:05:42.780000 --> 0:05:46.100000 privilege. You need to make sure that you go through multi-factor authentication. 0:05:46.100000 --> 0:05:51.480000 That can be set independently of other multi-factor authentication settings. 0:05:51.480000 --> 0:05:53.000000 You can set up notifications. 0:05:53.000000 --> 0:05:57.800000 So when events occur in privileged identity management, you have that. 0:05:57.800000 --> 0:05:59.280000 You also can have access reviews. 0:05:59.280000 --> 0:06:04.680000 So you can see who's been using it as well as a complete audit trail. 0:06:04.680000 --> 0:06:11.260000 One thing to note, privileged identity management does require Azure AD 0:06:11.260000 --> 0:06:13.700000 premium P2. Okay. 0:06:13.700000 --> 0:06:17.680000 Probably should be on this list, but that is an important thing to consider 0:06:17.680000 --> 0:06:21.980000 when you are thinking about privileged identity management. 0:06:21.980000 --> 0:06:25.380000 Okay. Now, the next thing that I'm going to do is just demonstrate this. 
0:06:25.380000 --> 0:06:30.160000 And I'm going to take you on a bit of a tour of the privileged identity 0:06:30.160000 --> 0:06:31.520000 management environment. 0:06:31.520000 --> 0:06:35.560000 But then I'm also going to set up an example. 0:06:35.560000 --> 0:06:41.880000 So the example is I have this tech, this technician, Sue. 0:06:41.880000 --> 0:06:47.800000 Sue normally has reader access to our subscription, where we have all 0:06:47.800000 --> 0:06:51.820000 our resources. But there is a virtual machine that Sue needs to have access 0:06:51.820000 --> 0:06:57.100000 to. All right. And so I'm going to allow her to elevate her permissions 0:06:57.100000 --> 0:07:00.460000 through privileged identity management. 0:07:00.460000 --> 0:07:04.200000 Okay. And so that'll kind of be the practical component of this. 0:07:04.200000 --> 0:07:09.260000 All right. Let's go ahead and let's jump into this. 0:07:09.260000 --> 0:07:15.200000 All right. Here is my login or not my login. 0:07:15.200000 --> 0:07:15.960000 This is my portal. 0:07:15.960000 --> 0:07:19.900000 I'm logged in and I am a global administrator. 0:07:19.900000 --> 0:07:21.720000 Sorry about that flash there. 0:07:21.720000 --> 0:07:27.300000 And I am going to go ahead and set up privileged identity management. 0:07:27.300000 --> 0:07:28.620000 Now, there's a couple of ways that you can get to. 0:07:28.620000 --> 0:07:34.080000 You can see I actually have this on my desktop. 0:07:34.080000 --> 0:07:37.120000 And before I can use privileged identity management, I need to go into 0:07:37.120000 --> 0:07:38.900000 Azure Active Directory. 0:07:38.900000 --> 0:07:44.400000 And I need to go into licenses. 0:07:44.400000 --> 0:07:48.180000 And I need to add. 0:07:48.180000 --> 0:07:52.140000 Let's see here. There we go. 0:07:52.140000 --> 0:07:55.880000 Azure Active Directory Premium P2, which I currently have. 0:07:55.880000 --> 0:07:59.680000 Okay. So that's really the first thing that you need. 
0:07:59.680000 --> 0:08:05.520000 Now, one way that I can get to privileged identity management is to go 0:08:05.520000 --> 0:08:07.480000 into identity governance. 0:08:07.480000 --> 0:08:13.780000 Okay. And under identity governance, you will see these options, including 0:08:13.780000 --> 0:08:15.740000 privileged identity management. 0:08:15.740000 --> 0:08:19.380000 And I can jump down into that. 0:08:19.380000 --> 0:08:24.640000 And that is going to start the privileged identity management process. 0:08:24.640000 --> 0:08:31.100000 Now, once I'm in here, I've got a set of tasks. 0:08:31.100000 --> 0:08:32.840000 So I can see the roles I'm assigned to. 0:08:32.840000 --> 0:08:38.480000 I can see in the requests I've made, I can approve requests from others. 0:08:38.480000 --> 0:08:40.780000 And I can also review access. 0:08:40.780000 --> 0:08:44.960000 Okay. And most importantly, I have the ability to manage both Azure AD 0:08:44.960000 --> 0:08:48.200000 roles and Azure resources. 0:08:48.200000 --> 0:08:53.240000 However, in order to manage these. 0:08:53.240000 --> 0:08:59.840000 If I go here. And. 0:08:59.840000 --> 0:09:04.880000 There. Open up here. 0:09:04.880000 --> 0:09:09.240000 Users. Me. Okay. 0:09:09.240000 --> 0:09:11.060000 And assigned roles. 0:09:11.060000 --> 0:09:13.700000 Okay. In addition to the fact that I'm a global administrator to have 0:09:13.700000 --> 0:09:17.800000 full rights within privileged identity management, I also have to have 0:09:17.800000 --> 0:09:23.260000 the privileged role administrator role, which I assigned to myself. 0:09:23.260000 --> 0:09:29.040000 Okay. Now, I will tell you that some text will say that gets assigned 0:09:29.040000 --> 0:09:32.380000 automatically. It does not always. 0:09:32.380000 --> 0:09:35.120000 Let's just put it that way. 0:09:35.120000 --> 0:09:38.760000 So that sets up privileged identity management. 0:09:38.760000 --> 0:09:41.860000 And again, I can get back there. 
0:09:41.860000 --> 0:09:45.240000 By wherever identity governance, I was actually right on it. 0:09:45.240000 --> 0:09:47.140000 I can still never find it. 0:09:47.140000 --> 0:09:49.340000 I'm going to go to manage role assignments. 0:09:49.340000 --> 0:09:53.260000 Okay. Now I can manage Azure AD roles. 0:09:53.260000 --> 0:09:55.700000 Okay. And what you do. 0:09:55.700000 --> 0:09:58.860000 Is you assign eligibility to roles. 0:09:58.860000 --> 0:10:01.260000 And this kind of walks you through the process. 0:10:01.260000 --> 0:10:06.700000 Okay. So here are all of the roles in Azure AD. 0:10:06.700000 --> 0:10:08.880000 That I can assign. 0:10:08.880000 --> 0:10:13.980000 So let's say, for example, that someone was going to need to be a password 0:10:13.980000 --> 0:10:18.280000 administrator might need that, you know, to reset. 0:10:18.280000 --> 0:10:22.160000 Passwords, manage service requests and also manage service health. 0:10:22.160000 --> 0:10:23.940000 So I could go into this. 0:10:23.940000 --> 0:10:27.240000 And what I can do is a couple things. 0:10:27.240000 --> 0:10:31.580000 For every role, I can go into the role assignment or role settings. 0:10:31.580000 --> 0:10:34.780000 Okay. And I can control settings. 0:10:34.780000 --> 0:10:38.960000 So first of all, what is the maximum duration in hours by default? 0:10:38.960000 --> 0:10:41.440000 It's eight and go up to 24. 0:10:41.440000 --> 0:10:43.940000 Maybe that at eight. 0:10:43.940000 --> 0:10:47.660000 Okay. On activation, I can require Azure MFA. 0:10:47.660000 --> 0:10:52.480000 I can require justification on activation. 0:10:52.480000 --> 0:10:56.240000 You can integrate this with the ticketing system. 0:10:56.240000 --> 0:10:58.380000 And I can also require approval. 0:10:58.380000 --> 0:11:02.880000 And if I require approval, I'm going to go and set who is able to approve 0:11:02.880000 --> 0:11:06.080000 this. I'm going to make myself able to approve it. 
0:11:06.080000 --> 0:11:14.820000 Okay. And then next, okay, I want to allow permanent eligible assignment. 0:11:14.820000 --> 0:11:18.380000 Allow permanent active assignment. 0:11:18.380000 --> 0:11:24.900000 Now, what that means is that once I set you and I assign it to be eligible, 0:11:24.900000 --> 0:11:26.180000 by default, it's permanent. 0:11:26.180000 --> 0:11:29.980000 I can also say, okay, once you're eligible, you're only eligible for a 0:11:29.980000 --> 0:11:32.720000 year. Same thing with permanent active. 0:11:32.720000 --> 0:11:34.040000 That doesn't mean you're permanently active. 0:11:34.040000 --> 0:11:36.700000 It just means it's assigned once you activate it. 0:11:36.700000 --> 0:11:41.840000 It's the count, whatever that countdown is set starts. 0:11:41.840000 --> 0:11:47.580000 And also, I can still require MFA and justification. 0:11:47.580000 --> 0:11:50.960000 Next is notification. 0:11:50.960000 --> 0:11:54.540000 So there's a whole notification capability built in. 0:11:54.540000 --> 0:11:57.780000 And I'm not going to go through all these, but notifications when members 0:11:57.780000 --> 0:12:01.900000 are assigned as eligible, notifications when members are assigned as active, 0:12:01.900000 --> 0:12:05.700000 notification when eligible members activate this role. 0:12:05.700000 --> 0:12:14.620000 Okay. And there are different alerts and built in folks that can set them 0:12:14.620000 --> 0:12:16.940000 as well as additional recipients. 0:12:16.940000 --> 0:12:19.800000 Okay. And so I can just update that. 0:12:19.800000 --> 0:12:23.420000 Now, that's an Azure AD role. 0:12:23.420000 --> 0:12:29.060000 Okay. What I want to do is go back and I think the Azure resource roles 0:12:29.060000 --> 0:12:37.340000 are more interesting just from the standpoint of them being a bit more 0:12:37.340000 --> 0:12:41.080000 probably practical day to day. 
0:12:41.080000 --> 0:12:47.100000 Like I said, I can see my support technicians needing this kind of capability 0:12:47.100000 --> 0:12:49.620000 frequently. All right. 0:12:49.620000 --> 0:12:55.200000 Now, one thing, if you're going to do this, you have to do it by subscription 0:12:55.200000 --> 0:12:57.600000 and couple of rules here with the subscriptions. 0:12:57.600000 --> 0:13:06.300000 First of all, your subscription has to be managed or connected or associated 0:13:06.300000 --> 0:13:09.600000 with the Azure AD tenant. 0:13:09.600000 --> 0:13:12.820000 Yeah. I only have one subscription associated with this tenant. 0:13:12.820000 --> 0:13:17.380000 If I had more, I could in fact, associate those as well. 0:13:17.380000 --> 0:13:22.400000 What you do is I would go and say discover resources. 0:13:22.400000 --> 0:13:29.600000 Okay. And what that would do is really look for, in this case, any of 0:13:29.600000 --> 0:13:34.380000 the associated subscriptions that are not managed. 0:13:34.380000 --> 0:13:37.900000 If I go to manage, there's my managed one right there. 0:13:37.900000 --> 0:13:42.780000 Okay. So I already did that and I had found, I went through exactly that. 0:13:42.780000 --> 0:13:44.500000 I had discovered resources. 0:13:44.500000 --> 0:13:51.640000 I found this subscription and then I went ahead and I linked them up. 0:13:51.640000 --> 0:13:55.360000 Okay. So fairly easy to do there. 0:13:55.360000 --> 0:13:58.560000 All right. But now what I want to do is I'm going to dive down into this. 0:13:58.560000 --> 0:14:07.360000 Okay. And what you'll see is that I have a, you know, pretty interesting 0:14:07.360000 --> 0:14:17.340000 dashboard here. And I can see members with eligible assignments go there. 0:14:17.340000 --> 0:14:22.180000 That's going to be a request or subject is Sue. 
0:14:22.180000 --> 0:14:25.860000 That's the person that I'm going to end up working with for this and already 0:14:25.860000 --> 0:14:29.620000 set some up, frankly, just to make sure everything was working. 0:14:29.620000 --> 0:14:35.100000 What I want to do now is I want to take a look at assignments. 0:14:35.100000 --> 0:14:40.440000 All right. And right now Sue has been assigned the, I don't remember what 0:14:40.440000 --> 0:14:44.000000 desktop virtualization user role, which is just a random one that I wanted 0:14:44.000000 --> 0:14:45.180000 to make sure that she had. 0:14:45.180000 --> 0:14:50.900000 But what I want to do is I want to make it so that Sue can request having 0:14:50.900000 --> 0:14:55.740000 the virtual machine contributor. 0:14:55.740000 --> 0:14:58.660000 So I'm going to go in here and add assignments. 0:14:58.660000 --> 0:15:06.480000 Okay. And I'm going to select a role and that's going to be, should be 0:15:06.480000 --> 0:15:09.700000 enough there, virtual machine contributor. 0:15:09.700000 --> 0:15:13.480000 Okay. Now I'm going to select members. 0:15:13.480000 --> 0:15:18.000000 Now this doesn't add the person to that role. 0:15:18.000000 --> 0:15:27.000000 It just adds it to the role, adds her in this case to the role assignment. 0:15:27.000000 --> 0:15:29.380000 Okay. Then I've got settings. 0:15:29.380000 --> 0:15:32.980000 Okay. I'm going to assign her as eligible. 0:15:32.980000 --> 0:15:36.240000 Okay. And that assignment is by default. 0:15:36.240000 --> 0:15:44.800000 She is eligible by default for, it's up to a year and I have it for one 0:15:44.800000 --> 0:15:48.900000 year. Okay. So I'm going to go and assign that. 0:15:48.900000 --> 0:16:00.600000 Okay. So Sue is now a, has the ability to request being a virtual machine 0:16:00.600000 --> 0:16:04.940000 contributor. And what I'm going to do is I'm going to flip over and I'm 0:16:04.940000 --> 0:16:05.780000 now logged in as Sue. 
0:16:05.780000 --> 0:16:10.540000 And this is in an InPrivate window. 0:16:10.540000 --> 0:16:16.620000 Easiest way to tell is I go back and forth is the navigation bar. 0:16:16.620000 --> 0:16:19.840000 It's kind of a light theme for my regular account. 0:16:19.840000 --> 0:16:22.100000 It's kind of a dark theme for Sue. 0:16:22.100000 --> 0:16:25.340000 Okay. Now Sue is in and Sue has reader permissions. 0:16:25.340000 --> 0:16:31.160000 Right. Now Sue needs to stop this virtual machine. 0:16:31.160000 --> 0:16:34.420000 Okay. She needs to perform some maintenance on the virtual machine. 0:16:34.420000 --> 0:16:36.580000 In order to do that, she needs to stop it. 0:16:36.580000 --> 0:16:41.440000 So Sue comes in and she stops the virtual machine and immediately she 0:16:41.440000 --> 0:16:45.740000 is told that this operation has failed because Sue by default does not 0:16:45.740000 --> 0:16:51.180000 have rights to stop a virtual machine, but she does have training. 0:16:51.180000 --> 0:16:56.580000 And what she's going to do is go to Azure AD privileged identity management. 0:16:56.580000 --> 0:17:02.900000 Okay. And she's going to go and take a look. 0:17:02.900000 --> 0:17:06.780000 Right now she has one eligible role. 0:17:06.780000 --> 0:17:11.240000 I think she's probably going to need to go ahead and log back in. 0:17:11.240000 --> 0:17:24.720000 So let's sign her out and sign her back in. 0:17:24.720000 --> 0:17:29.040000 She can pick up that eligible role. 0:17:29.040000 --> 0:17:40.840000 All right. Oh, that's because that's Azure AD. 0:17:40.840000 --> 0:17:42.120000 I was looking in the wrong place. 0:17:42.120000 --> 0:17:43.220000 All right. There we go. 0:17:43.220000 --> 0:17:44.280000 Two different types of roles. 0:17:44.280000 --> 0:17:46.560000 She was well trained, but I was not. 0:17:46.560000 --> 0:17:50.920000 All right. 
So here's Azure resources and here is virtual machine contributor 0:17:50.920000 --> 0:17:58.020000 and she has the ability over here to activate this role. 0:17:58.020000 --> 0:18:03.060000 Okay. All right. 0:18:03.060000 --> 0:18:09.960000 And custom activation start time duration two hours reason. 0:18:09.960000 --> 0:18:21.260000 I need to shut down the VM. 0:18:21.260000 --> 0:18:25.200000 Activate. All right. 0:18:25.200000 --> 0:18:29.340000 So it's processing the request is activating the role. 0:18:29.340000 --> 0:18:40.740000 And once it's done activating, I'm going to need to sign out and sign 0:18:40.740000 --> 0:18:45.120000 back in. I'm going to be very quiet while doing that. 0:18:45.120000 --> 0:18:49.400000 So that you're not wasting too much of your time. 0:18:49.400000 --> 0:18:55.000000 I signed out. Actually, it's really not that hard to do. 0:18:55.000000 --> 0:18:57.660000 Second, it was going to take longer than that. 0:18:57.660000 --> 0:18:59.880000 So I misinformed you. 0:18:59.880000 --> 0:19:04.980000 I was not in fact, I did not in fact log out, but now that she has that 0:19:04.980000 --> 0:19:07.500000 role for the next two hours. 0:19:07.500000 --> 0:19:14.800000 I'm in here. And she can stop the virtual machine. 0:19:14.800000 --> 0:19:20.320000 Now, obviously the sole purpose of privileged identity management is not 0:19:20.320000 --> 0:19:25.180000 to simply allow someone to stop a virtual machine, but that's an example 0:19:25.180000 --> 0:19:29.280000 of an activity that otherwise could not be done that we can control access 0:19:29.280000 --> 0:19:38.980000 again, not only for our security, but also for the next one that will 0:19:38.980000 --> 0:19:44.780000 be done. So I'm going to go on that real quickly and show you the audit. 0:19:44.780000 --> 0:19:52.800000 And so here are my general settings. 
0:19:52.800000 --> 0:19:59.660000 And what I can do is I come down here to resource audit and there you 0:19:59.660000 --> 0:20:09.380000 can see that Sue added herself and activated her own role. 0:20:09.380000 --> 0:20:14.400000 And then I can see the activity detail from that. 0:20:14.400000 --> 0:20:22.360000 Now earlier I had played around and Sue had requested the ability to have 0:20:22.360000 --> 0:20:27.220000 another role. I don't honestly remember exactly what that one was, but 0:20:27.220000 --> 0:20:34.340000 you can see that I could go back and say, okay, don't remember the role 0:20:34.340000 --> 0:20:40.240000 that she had. Remember activities, virtual machine, there we go. 0:20:40.240000 --> 0:20:41.980000 That's actually desktop virtualization. 0:20:41.980000 --> 0:20:46.080000 This is for being used or being added to those roles. 0:20:46.080000 --> 0:20:51.680000 Okay, so that is privileged identity management, the ability to control 0:20:51.680000 --> 0:20:56.960000 access while still allowing people to do their work, having a workflow 0:20:56.960000 --> 0:21:04.480000 potentially in terms of being able to define approval process for a request. 0:21:04.480000 --> 0:21:09.400000 And also I think most importantly having a full audit capability for that.