By default, credential-less access allows users to access accounts in a non-exclusive way enabling multiple users to simultaneously access a privileged account. However, for audit purposes and to monitor user activity events within the target application, administrators may want to enable the exclusive access mode for such applications. When this mode is enabled, a privileged account for that application is accessible by only one user at any given time.

If a user has exclusive access to the target application (Windows Server1) using an account, they can still block exclusive access for another application (Windows Server2) using the same account, whether it is for overlapping or different periods of time. During this period, another user cannot request access to any target application (Windows servers) using the same account.

For example, let us consider two users John (user1) and Bob (user2), where John is requesting a privileged session to Windows Server1 using the Active Directory (AD) account (acc1) for a specific timeslot while Bob is requesting a privileged session to Windows Server2.

The following table describes different various scenarios illustrating how CPAM manages multiple credential-less requests in exclusive mode:

Scenario Result

John requests an additional privileged session to Windows Server1 for overlapping time using the AD account (acc1).

John cannot block the same timeslot as it is already blocked by the same user.

Bob requests a privileged session to Windows Server1 for overlapping time using the AD account (acc1)

Bob cannot block the timeslot for Windows Server1 as the AD account (acc1) is already blocked by John.

Bob requests a privileged session to Windows Server2 for overlapping time using the AD account (acc1)

Bob cannot block the timeslot for Windows Server2 as the AD account (acc1) is already blocked by John.