Privileged Access policies control shared credential check-out and privileged session access. EmpowerID includes a number of these that you can use for most situations; however, you can create new policies as needed. For example, if you want a specific policy that controls access to computers for contractors, within minutes you can easily create and implement just such a policy. To do so, you will need to have the UI-Admin-Privileged-Access Management Role.
Note: To comply with the European Union GDPR (General Data Protection Regulation), implemented on May 25, 2018, you must do one of two things:
Create the policy
On the navbar, expand Privileged Access and select Privileged Access Policies.
Above the grid, click the Add button.
Enter a Name, Display Name, and Description for the policy.
Select the Privileged Session Policy checkbox. Additional settings appear that relate to privileged sessions.
Change the remaining settings to reflect your policy for privileged sessions:
Publish in IT Shop – Select to allow eligible users to request access to the policy from the IT Shop.
Require Approval – Select to require someone to approve requests for credentials.
Allow Multi Check Out – Select to allow multiple users to check out credentials.
Reset Password On Check In – Select to have the password reset after each user checks the credentials back in after use.
Allow Live Snooping – Select to allow administrators and computer owners to observe live sessions.
Record Sessions – Select to have EmpowerID record sessions and store them where administrators and computer owners can replay them at any time.
Default Access Duration in Minutes – Enter the number of minutes to grant access if the user does not specify. The default value is 60 minutes.
Max Access Duration in Minutes – Enter the maximum number of minutes a user can request for a privileged computer session. The default value is 2880 minutes (48 hours).
Min MFA Points if Local – Enter the minimum number of multi-factor authentication points required for a local user to request a privileged computer session.
Min MFA Points if Remote – Enter the minimum number of multi-factor authentication points required for a remote user to request a privileged computer session.
Schedule Enabled – Select to set up a password reset schedule for the credential.
Password Reset Schedule – Expand the drop-down and specify the schedule for password resets.
Access Request policies play a crucial role in managing resource access within an organization. In EmpowerID, they serve as the foundation for guiding the approval and fulfillment processes for user access requests. By defining the required approvals, conditions, and entitlements, Access Request policies help administrators control who can access specific resources and under what circumstances. In the context of Privileged Session Management (PSM), Access Request policies regulate user access to the computer credentials for servers and other machines configured for RDP or SSH sessions, ensuring that only authorized users can access privileged credentials and reducing the risk of unauthorized access or misuse of sensitive information.
Additionally, Access Request policies establish whether such sessions fall under a privileged session policy, which governs aspects such as session recording, live session monitoring, and the maximum number of concurrent sessions allowed on a specific computer.
Approval Policies for Privileged Sessions
Administrators can use Access Request policies to set up Approval Policies, ensuring that privileged session access requests are authorized by an approved user before being granted. By default, EmpowerID Access Request policies for computer credentials are configured with the Owner Approval policy, which requires the owner of a computer credential to approve access requests prior to a user initiating a session. However, organizations can choose other approval flows as desired.
Pre-configured Access Request Policies for Computer Credentials
EmpowerID provides several pre-configured Access Request policies for computer credentials, each featuring its own PSM-specific settings:
1. Computer Creds - Allow Multi-Check-Out - No Password Reset
This policy is applicable for computer credentials initiating an RDP or SSH session where multiple sessions (credential checkouts) are allowed, and password reset upon user check-in isn't required by EmpowerID.
2. Computer Creds - No Multi-Check-Out - Password Reset
This policy is applicable for computer credentials initiating an RDP or SSH session where multiple sessions aren't permitted, and you want EmpowerID to reset the account password when the user checks in the credentials.
3. MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset
This policy is applicable for computer credentials initiating an RDP or SSH session that requires multi-factor authentication, where multiple sessions (credential checkouts) are allowed, and where you do not want EmpowerID to reset the account password upon user check-in.
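As an added example (not EmpowerID's own code), the following Python models how the privileged-session settings listed under "Create the policy" interact when a credential check-out request is evaluated, using constructed instances of the three pre-configured policies above. The MFA point thresholds for the MFA policy, the rule that an over-maximum duration is rejected rather than capped, and all function and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SessionPolicy:
    """Constructed model of the privileged-session settings described above."""
    name: str
    require_approval: bool
    allow_multi_check_out: bool
    reset_password_on_check_in: bool
    default_minutes: int = 60       # Default Access Duration in Minutes
    max_minutes: int = 2880         # Max Access Duration in Minutes (48 hours)
    min_mfa_local: int = 0          # Min MFA Points if Local
    min_mfa_remote: int = 0         # Min MFA Points if Remote


# Constructed instances modelled on the three pre-configured policies; the MFA
# thresholds (1 local, 2 remote) are assumed values, not documented ones.
POLICIES = {
    "multi": SessionPolicy("Computer Creds - Allow Multi-Check-Out - No Password Reset", True, True, False),
    "single": SessionPolicy("Computer Creds - No Multi-Check-Out - Password Reset", True, False, True),
    "mfa": SessionPolicy("MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset",
                         True, True, False, min_mfa_local=1, min_mfa_remote=2),
}


def evaluate_request(policy: SessionPolicy, mfa_points: int, remote: bool, active_checkouts: int,
                     requested_minutes: Optional[int] = None, approved: bool = False) -> Tuple[str, str, int]:
    """Return (status, reason, granted_minutes); status is 'denied', 'pending' or 'granted'."""
    required = policy.min_mfa_remote if remote else policy.min_mfa_local
    if mfa_points < required:
        return "denied", f"MFA points {mfa_points} below required {required}", 0
    if active_checkouts > 0 and not policy.allow_multi_check_out:
        return "denied", "credential already checked out and multi check-out is disabled", 0
    # Missing duration falls back to the policy default; anything above the max is refused.
    minutes = policy.default_minutes if requested_minutes is None else requested_minutes
    if minutes <= 0 or minutes > policy.max_minutes:
        return "denied", f"requested {minutes} min outside 1..{policy.max_minutes}", 0
    if policy.require_approval and not approved:
        return "pending", "waiting for approver (e.g. Owner Approval)", 0
    return "granted", "all policy checks passed", minutes


def on_check_in(policy: SessionPolicy) -> bool:
    """True when the account password must be rotated as the credential is returned."""
    return policy.reset_password_on_check_in
```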
By leveraging these pre-built Access Request policies and configuring them according to your organization's security requirements, administrators can effectively manage privileged sessions and ensure secure access to critical resources. Regularly reviewing and updating these policies will help maintain compliance with relevant regulations and internal policies and enhance overall security.