Least privilege is not just about who connects — it is about what they can do once connected. Ixiea evaluates commands and connection patterns at the gateway and applies the right enforcement action for each match, not a simple pass-or-fail gate.
Operator
Brokered session
Gateway
Filter stream
Target
Production
Each pattern maps to an enforcement action — not a simple allow or deny.
Shell history on a target can be altered. Database audit plugins miss ad-hoc clients. Gateway-side filtering sees every command and query in the brokered stream — tied to identity and policy version — before execution completes on the target.
Define pattern rules per role, target class, or session type. Each match maps to an enforcement action — permit as-is, block outright, require approval before execution, mask sensitive output, or raise an alert. Destructive patterns like rm -rf or DROP DATABASE are hard blocks; kubectl delete might route to approval instead. Regex and literal rules combine; the most restrictive matching action wins. Operators always see a clear outcome with policy reference, not a silent failure.
Restrict which source networks, client tools, or time-of-day windows may initiate sessions. Pair with JIT grants so standing connection rights never accumulate. Vendor identities get tighter connection ACLs by default — shorter sessions, fewer protocols, mandatory recording.
High-risk commands can pause the session and route an approval ticket to ServiceNow or your ITSM. The approver sees session context — who, what target, which command — before release. Approved actions are recorded with approver identity for audit export.
Ready to evaluate?
Walk through gateway brokering, recording, and audit exports in a working session — or browse the illustrated product flow first.
