Basic Concepts

This section explains the fundamental concepts and components used in the Grizzle ZT-PAM architecture.
Each concept is defined together with its role and purpose within the system.


User

A User is a person authorized to access the Grizzle ZT-PAM system.
Users do not connect directly to privileged systems; instead, they initiate their access requests through the PSM or Web Gateway.
Each user is assigned roles, policies, and MFA configurations.

Example: Active Directory users, locally created users.


Account

An Account is a privileged or service account defined in the Vault and managed by Grizzle ZT-PAM.
Each account belongs to a specific platform and is typically subject to password rotation by CPM.

Example: Domain Admin, root, dbadmin, service-sqlbackup.


Vault

The Vault is the central digital repository where all credentials, passwords, SSH keys, and certificates are securely stored in encrypted form.
Access to the Vault is restricted to authorized services only.


Safe

A Safe is a logical grouping of accounts within the Vault, organized by purpose or system group.
Access control is applied at the Safe level — users authorized for a specific Safe can view only the accounts within it.

Example: Windows-Servers-Safe, Database-Admins-Safe.


Platform

A Platform defines the configuration parameters required to connect to a system using stored account credentials.
It acts as a template that can be replicated or customized.

Example: Windows Local Account, Unix SSH Account, MSSQL Database Account, Fortigate Admin Account.
Platform definitions determine how CPM changes passwords and how PSM connects to target systems.


Connection Component

A Connection Component is a connector module developed for a specific protocol or application type.

Example: RDP, SSH, Telnet, MSSQL, Web applications, etc.


CPM (Central Password Manager)

The Central Password Manager is responsible for managing the password lifecycle.
It automatically changes, verifies, and, when necessary, reconciles passwords according to defined policies.


PSM (Privileged Session Manager)

The Privileged Session Manager enables secure, isolated, and fully recorded privileged sessions.
Users connect to target systems via PSM, without ever seeing the password.


Web Gateway (HTML5 Gateway)

The Web Gateway allows users to initiate secure sessions directly from their web browsers without installing any client software.
All communication occurs over the HTTPS (443) port.


Credential Provider (CP)

The Credential Provider resides within PSM servers and customizes Windows login screens.
It securely authenticates user credentials through the ZT-PAM Vault or dedicated authentication APIs.


Policy

A Policy defines the rules that determine which users can access which systems, under what conditions, and how often passwords are rotated.


Role

A Role defines a set of permissions and responsibilities.
Access rights are centrally managed by assigning roles to users.

Example Roles: Auditor, Admin, User.


Policies

Policies contain general rules for account management, session control, and password rotation.
They can be applied globally or overridden through exceptions.


Exception

An Exception represents a special case or deviation from general policy settings.

Examples:

  • Local Windows account passwords must change every 120 days.
  • Domain account passwords must change every 30 days.
  • Database account passwords must rotate after each session.
  • Approval is required from another administrator before using Domain Administrator accounts.
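The Policy, Policies and Exception entries above describe one rule system: a global policy gives every account its default rotation and approval settings, and exceptions override those defaults for a narrower set of accounts. The following is an added illustration of that resolution logic, written for this page and not taken from Grizzle ZT-PAM; `Rule`, `PolicyException`, `Account`, `effective_rule` and the platform name "Windows Domain Account" are assumptions, while the four exceptions are the ones listed above. It goes slightly beyond the text in that it ranks exceptions by specificity (how many account attributes they constrain) and refuses to silently pick a winner when two equally specific exceptions disagree.

```python
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

# Added example, not Grizzle ZT-PAM's data model: names below are assumptions.

@dataclass(frozen=True)
class Rule:
    """One policy statement; a None field means 'inherit from the less specific rule'."""
    rotation_days: Optional[int] = None
    rotate_after_session: Optional[bool] = None
    requires_approval: Optional[bool] = None

@dataclass(frozen=True)
class PolicyException:
    name: str
    scope: Tuple[Tuple[str, object], ...]   # (account attribute, required value) pairs
    rule: Rule

@dataclass(frozen=True)
class Account:
    name: str
    platform: str
    account_type: str                       # "local", "domain" or "database"
    domain_admin: bool = False

# Global policy: every account inherits these unless an exception says otherwise.
GLOBAL_POLICY = Rule(rotation_days=90, rotate_after_session=False, requires_approval=False)

# The four exceptions listed on this page, expressed as scoped overrides.
EXCEPTIONS = (
    PolicyException("win-local-120d",
                    (("account_type", "local"), ("platform", "Windows Local Account")),
                    Rule(rotation_days=120)),
    PolicyException("domain-30d", (("account_type", "domain"),), Rule(rotation_days=30)),
    PolicyException("db-per-session", (("account_type", "database"),), Rule(rotate_after_session=True)),
    PolicyException("da-dual-control", (("domain_admin", True),), Rule(requires_approval=True)),
)

def matches(exc: PolicyException, account: Account) -> bool:
    return all(getattr(account, attr) == value for attr, value in exc.scope)

def effective_rule(account: Account, global_policy=GLOBAL_POLICY, exceptions=EXCEPTIONS) -> Rule:
    """Start from the global policy, then apply matching exceptions from least to most
    specific, so a narrower exception wins over a broader one. Two exceptions of the
    same specificity that set the same field to different values are a configuration
    error and are reported rather than resolved by list order."""
    merged = asdict(global_policy)
    last_setter = {}   # field -> (specificity, exception name) that last set it
    applicable = sorted((e for e in exceptions if matches(e, account)), key=lambda e: len(e.scope))
    for exc in applicable:
        specificity = len(exc.scope)
        for field_name, value in asdict(exc.rule).items():
            if value is None:
                continue
            prev = last_setter.get(field_name)
            if prev and prev[0] == specificity and merged[field_name] != value:
                raise ValueError(f"conflicting exceptions {prev[1]!r} and {exc.name!r} on {field_name}")
            merged[field_name] = value
            last_setter[field_name] = (specificity, exc.name)
    return Rule(**merged)

if __name__ == "__main__":
    for acct in (Account("service-sqlbackup", "Windows Local Account", "local"),
                 Account("dbadmin", "MSSQL Database Account", "database"),
                 Account("Domain Admin", "Windows Domain Account", "domain", domain_admin=True)):
        print(acct.name, effective_rule(acct))
```

Note that "root" on a Unix SSH platform is a local account but not a Windows one, so it keeps the global 90-day interval: the exception's scope is what makes it an exception, and reviewing scopes is where misconfigured overrides are usually caught.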


Reconciliation Account

A Reconciliation Account is a privileged account used by CPM to perform password resets or reconciliation actions when password changes fail.
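The CPM entry above lists three operations (change, verify, reconcile) and this entry explains when the reconciliation account comes into play. The following added example, written for this page and not part of Grizzle ZT-PAM, models that loop against a constructed target system: a normal change authenticates with the Vault's current password, a verify confirms the new one works, and only when the Vault and the target have drifted apart does the reconciliation account perform an administrative reset. `TargetSystem`, `VaultEntry`, `CPM`, the account names and the reconciliation account `cpm-recon` are all assumptions.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Added example, not Grizzle ZT-PAM code. All names and the sample state are constructed.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def generate_password(length=24):
    """Fresh CSPRNG-generated password for each rotation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class TargetSystem:
    """Stand-in for a managed host. Self-service change needs the current password;
    an administrative reset is accepted only from the designated reconciliation account."""

    def __init__(self, passwords, reconciliation_account):
        self._passwords = dict(passwords)
        self._recon = reconciliation_account
        self.audit = []   # what the target's own logs would record

    def authenticate(self, user, password):
        return hmac.compare_digest(self._passwords.get(user, ""), password)

    def change_password(self, user, old, new):
        if not self.authenticate(user, old):
            self.audit.append(("change-denied", user))
            return False
        self._passwords[user] = new
        self.audit.append(("changed", user))
        return True

    def reset_password(self, admin, admin_password, user, new):
        if admin != self._recon or not self.authenticate(admin, admin_password):
            self.audit.append(("reset-denied", admin, user))
            return False
        self._passwords[user] = new
        self.audit.append(("reset", admin, user))
        return True

@dataclass
class VaultEntry:
    password: str
    status: str = "unverified"

class CPM:
    def __init__(self, vault, target, reconciliation_account):
        self.vault = vault          # account name -> VaultEntry (the Vault's copy)
        self.target = target
        self.recon = reconciliation_account

    def verify(self, user):
        """Check that the Vault's copy still works on the target; flag drift otherwise."""
        ok = self.target.authenticate(user, self.vault[user].password)
        self.vault[user].status = "ok" if ok else "out-of-sync"
        return ok

    def change(self, user):
        """Normal rotation: use the old password to set a new one, then verify it."""
        new = generate_password()
        if not self.target.change_password(user, self.vault[user].password, new):
            self.vault[user].status = "change-failed"
            return False
        self.vault[user].password = new
        return self.verify(user)

    def reconcile(self, user):
        """Fallback for drift: the reconciliation account resets the password and the
        Vault's copy is replaced. A stale reconciliation credential is itself a failure."""
        if not self.verify(self.recon):
            return False
        new = generate_password()
        if not self.target.reset_password(self.recon, self.vault[self.recon].password, user, new):
            return False
        self.vault[user].password = new
        return self.verify(user)

    def rotate(self, user):
        if self.change(user):
            return "changed"
        if self.reconcile(user):
            return "reconciled"
        return "failed"

def build_scenario():
    """Constructed state: dbadmin is in sync; root was changed by hand on the host."""
    recon_pw, db_pw = generate_password(), generate_password()
    vault = {"dbadmin": VaultEntry(db_pw),
             "root": VaultEntry("old-root-password-in-vault"),
             "cpm-recon": VaultEntry(recon_pw)}
    target = TargetSystem({"dbadmin": db_pw, "root": "changed-by-hand-on-the-host", "cpm-recon": recon_pw},
                          reconciliation_account="cpm-recon")
    return CPM(vault, target, "cpm-recon")

if __name__ == "__main__":
    cpm = build_scenario()
    for account in ("dbadmin", "root"):
        print(account, cpm.rotate(account), cpm.vault[account].status)
```

Two things worth watching in a real deployment follow from this model: a burst of `change-denied` events on the target is the earliest sign that something outside the Vault is changing passwords, and the reconciliation account's own credential must be verified on its own schedule, because once it drifts no other account can be recovered automatically.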


Session

A Session is the connection established between a user and a target system via PSM or Gateway.
Every session is recorded, auditable, and can be terminated when necessary.


MFA (Multi-Factor Authentication)

Multi-Factor Authentication (MFA) is a mechanism requiring more than one verification factor (e.g., password, OTP, device, biometric) to confirm a user’s identity.


Discovery Job / Task

A Discovery Job is a scheduled task that periodically scans and discovers new systems or accounts.
This enables dynamic onboarding of newly added assets into the platform.


Dual Control / Approval Workflow

A Dual Control or Approval Workflow requires approval from a second person before performing sensitive actions (e.g., password view, session start).
It enforces compliance with audit and security requirements.


Check-Out / Check-In

The Check-Out / Check-In mechanism allows a user to temporarily obtain a password (check-out) and return it once finished (check-in).
This ensures that account passwords are managed in a traceable and auditable way.


Access Request

An Access Request is a user-initiated request to gain access to a specific system.
It is used in approval-based access workflows (request/approval model).
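The Dual Control / Approval Workflow, Check-Out / Check-In and Access Request entries describe the stages of one request lifecycle. The following added example, written for this page and not taken from Grizzle ZT-PAM, models that lifecycle as a state machine with the controls a practitioner expects from each stage: the approver must be a different person from the requester, a check-out is exclusive per account, an expired check-out is returned automatically, and every transition lands in an audit trail. `AccessWorkflow`, `AccessRequest`, `ManualClock`, the user names and the one-hour check-out window are assumptions.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional, Set

# Added example, not Grizzle ZT-PAM code. Names and sample data are constructed.

class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    CHECKED_OUT = "checked-out"
    CHECKED_IN = "checked-in"

class WorkflowError(Exception):
    """Raised when an action is not permitted in the request's current state."""

@dataclass
class AccessRequest:
    id: int
    requester: str
    account: str
    reason: str
    state: State = State.REQUESTED
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None

class ManualClock:
    """Constructed clock so check-out expiry can be exercised deterministically."""
    def __init__(self, start=datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.now = start
    def advance(self, **delta):
        self.now += timedelta(**delta)
    def __call__(self):
        return self.now

class AccessWorkflow:
    """Request -> (second-person approval) -> check-out -> check-in, with an audit trail."""

    def __init__(self, dual_control: Set[str], approvers: Set[str],
                 checkout_ttl: timedelta = timedelta(hours=1),
                 clock: Optional[Callable[[], datetime]] = None):
        self.dual_control = dual_control     # accounts that need a second person's approval
        self.approvers = approvers
        self.ttl = checkout_ttl
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._requests: Dict[int, AccessRequest] = {}
        self._ids = itertools.count(1)
        self.checked_out: Dict[str, int] = {}   # account -> request id holding it
        self.audit = []                          # (time, event, request id, actor, account)

    def _log(self, event, req, actor):
        self.audit.append((self.clock(), event, req.id, actor, req.account))

    def request(self, requester, account, reason):
        req = AccessRequest(next(self._ids), requester, account, reason)
        if account not in self.dual_control:
            req.state = State.APPROVED           # policy needs no second person
        self._requests[req.id] = req
        self._log("request", req, requester)
        return req

    def approve(self, req_id, approver):
        req = self._requests[req_id]
        if req.state is not State.REQUESTED:
            raise WorkflowError(f"request {req_id} is {req.state.value}, not pending")
        if approver not in self.approvers:
            raise WorkflowError(f"{approver} is not an approver")
        if approver == req.requester:
            raise WorkflowError("dual control: requester cannot approve their own request")
        req.state, req.approver = State.APPROVED, approver
        self._log("approve", req, approver)
        return req

    def _finish(self, req, event):
        del self.checked_out[req.account]
        req.state = State.CHECKED_IN
        self._log(event, req, req.requester)

    def _expire_stale(self):
        now = self.clock()
        for req_id in list(self.checked_out.values()):
            req = self._requests[req_id]
            if req.expires_at is not None and now >= req.expires_at:
                self._finish(req, "auto-check-in")

    def check_out(self, req_id, actor, vault):
        req = self._requests[req_id]
        if actor != req.requester:
            raise WorkflowError("only the requester may check out")
        if req.state is not State.APPROVED:
            raise WorkflowError(f"request {req_id} is {req.state.value}, not approved")
        self._expire_stale()
        if req.account in self.checked_out:
            raise WorkflowError(f"{req.account} is held by request {self.checked_out[req.account]}")
        req.state, req.expires_at = State.CHECKED_OUT, self.clock() + self.ttl
        self.checked_out[req.account] = req.id
        self._log("check-out", req, actor)
        return vault[req.account]

    def check_in(self, req_id, actor):
        req = self._requests[req_id]
        if req.state is not State.CHECKED_OUT or actor != req.requester:
            raise WorkflowError("nothing to check in")
        self._finish(req, "check-in")
        return req
```

The check-in step is where a "rotate after each session" exception would hand the account back to CPM; the example leaves that hook out so the state machine stays readable.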