
If I use PASM to access my servers, do I need EPM on those servers?

 

Hey @Kevin MU,

 

This is a good question to bring up to your account manager (in customer portal → left-hand “Contact Us” box, it states the Sales Rep contact information).

 

PASM (PasswordSafe+PRA) primarily solves a different focus than EPM. PASM I would consider absolutely fundamental for infrastructure security (past life: Unix operations/infrastructure DevOps). PRA / PasswordSafe will monitor the sessions to the systems, and the session management in PRA is excellent in being granular into the session permissions.

 

EPM, instead, runs in the kernel (*Windows side) and hooks the processes and evaluates them against a policy. This can provide more granular control of what people do when they get to the server that wouldn’t be captured by PRA/PasswordSafe. It also provides a safeguard from individuals who make it to the system bypassing PRA/PasswordSafe to further secure the environment.

 

For EPM-UL/EPM-L, it’s a bit different as it tackles the challenges that traditional sudo management causes. It’s the tool I WISH I had while in unixops when I was asked to give root access to groups not managing the OS. It provides a more granular elevation option, and also remote command execution as defined by policy so there is no need to ever log into the target system as the admin for highly restricted machines. In that case, I would use PRA/PasswordSafe as more of a ‘break glass’ to get to the restricted machines as an admin for a different team, and still use EPM-UL to track everything. True break-glass for root access would still have the credentials managed by PasswordSafe, preferably.


@tclowater Another great answer, thanks a lot again 🙂!!

