Privilege Management RFP base questions
The worksheet provided below is offered only as a preliminary guideline for questions that should be asked on an RFP for commercially available privilege management solutions. It is not intended to be an exhaustive list of requirements or questions that should be explored. In general, good RFP questions should be fine grained enough to allow prospective buyers to fully express priorities, but not so detailed that the RFP gets lost in
1 Architecture, Implementation & Performance
1.1 Please describe the various ways your solution may be implemented.
1.2 How does your solution support clients from multiple AD
domains/Forests? For example, do you need to switch between
multiple management consoles when supporting Domain clients and
non domain PCs?
1.3 Describe how your solution's architecture minimizes impact and WAN
traffic on remote networks, regional offices, and campus backbones.
1.4 Describe the user interface and how an administrative user interacts
with the system.
1.5 Does your solution have the ability to support remote and mobile
users? Please describe.
1.6 Does your solution support virtualized environments? If yes, list the
virtualization technologies that are supported.
2 Privilege Elevation Approach
2.1 Explain how your solution automates the process of analyzing and
determining user needs in order to prepare the environment. What
steps are involved? How is the discovery process approached and
recorded? For example, explain any workflows, admin rights discovery
processes, and how common privilege needs across the user base are
2.2 Does your solution provide a centralized method for managing
privileges for data on shares, files, and registry? Please describe.
2.3 Describe how your solution manages the approval process for granting
ad-hoc permission requests.
2.4 Describe in detail the method by which your system controls the
granting of permissions globally to all users/machines or groups.
2.5 Do you provide the ability to set user authorization policies based on
day and time? Provide details.
2.6 Do you provide the ability to set user authorization policies based on
location? Provide details.
2.7 Can your solution restrict the ability to install or execute applications
based on the policy(ies) in place? Provide details.
2.8 Describe your solution’s role-based access control (RBAC). For
example, do you have a way to enforce which IT group(s) have
permission to start, stop, modify policies, view reports, etc.
2.9 Do end users have the ability to run elevated tasks without being
prompted by the system? Please explain how this is achieved.
2.10 Explain how clients that are disconnected from AD and VPN get new
policies? How are policies propagated and protected?
2.11 Does your software provide the ability to discover applications which
require administrator rights from computers where rights have already
2.12 Can your solution enforce end users to enter a business justification
before elevating privileges for an application?
2.13 Regarding policy proliferation control, please describe your ability to
aggregate events from multiple computers and combine them into
2.14 Does your product support Windows Catalog when creating elevation
2.15 Does your product support custom scripting when applying policy
conditions? Please provide an example.
2.16 Does your product support COM objects when creating elevation
2.17 Do you support elevation of Web URL/Web Applications? Please
provide an example.
2.18 Can your product automatically create a policy based on an event that
was automatically discovered on multiple PCs?
2.19 Can you grant elevation based on the Digital Signature of a specific
vendor and grant permissions by application request? For example, a
policy will elevate Microsoft Process Monitor but will not elevate MS
2.20 Can your product deliver custom scripts that require elevated rights to
execute to an end user PC?
2.21 Can your product create exceptions based on registry, file, OS match
when applying policies? Please provide an example.
2.22 When your product discovers applications that require admin rights,
can end users enter the business justification as to why they need this
application, which can later be reviewed in a single report?
2.23 Does your product support the suppression of UAC for all of the
following: EXE, MSI, ActiveX, OS Admin Tasks?
2.24 Is the customization of messages that are displayed to the end user
supported, including the following: notification balloons, rich text,
variables, custom logos, backgrounds, URL, link to Outlook in multiple
3 Audit Trails/Policy Validation and Reporting
3.1 Describe the audit trail and policy validation capabilities of the
3.2 Does your solution provide comprehensive reporting with built-in and
customized reporting capabilities? Please describe.
3.3 Does your solution provide policy auditing and change history data?
For example, when and by whom a policy was changed, modified,
and/or deleted?
3.4 Can you discover users/groups who have administrative rights without
deploying your agent? Do you have remediation capabilities to then
remove admin rights?
3.5 Does your product provide screen-recorded video and user activity
auditing capabilities?
4.1 How does your solution integrate with Configuration Management
products such as Microsoft's SCCM?
4.2 Describe how the solution integrates with help desk solutions for
creating and managing requests for privileges.
5 Hardware/Software Requirements & Certifications
5.1 List the security certifications that your product has passed. Please
provide details of the certification criteria and testing process.
5.2 How does the solution protect its integrity on the Windows machine?
5.3 Is it possible to hide your agent's footprint on the end user's PC?
6 Training/Professional Services
6.1 Are on-site professional services available? If so, what is the cost per
6.2 Please describe your training program(s).
7 Software Releases and Product Roadmap
7.1 How frequently are software versions released?
7.2 What process is used to communicate software releases?
7.3 What is your policy around supporting back versions?
8.1 Please provide details related to your pricing model.
8.2 How are maintenance and/or subscription renewals handled?