EmpowerID offers pre-configured Access Request policies tailored for Privileged Session Management (PSM). These policies are ready to use with minimal adjustments or can serve as templates for creating customized policies suited to specific organizational needs. The available pre-configured policies include the following:

  • Computer Creds - Allow Multi-Check-Out - No Password Reset: This policy allows multiple check-outs of credentials without requiring a password reset after each session.

  • Computer Creds - No Multi-Check-Out - Password Reset: This policy is designed for environments where credential check-out is restricted to one user at a time, with a mandatory password reset after each session.

  • MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset: This policy combines the flexibility of multiple credential check-outs with the added security of Multi-Factor Authentication (MFA) without requiring a password reset post-session.

For a detailed explanation of each policy, including its specific settings and configurations, please refer to the Access Request Policies and Privileged Session Management topic. This article demonstrates how to configure Access Request Policy settings pertinent to PSM and

How to Configure and Assign PSM Policies

This section will guide you through the steps to configure the PSM-specific settings within these Access Request policies and how to assign computers enabled for PSM to the appropriate policy. Configuring these policies involves selecting the right settings that align with your security and operational requirements and assigning these policies to the relevant computer resources within your organization.

By following these steps, you can ensure that your PSM setup is robust, compliant with organizational policies, and tailored to the security needs of your specific IT environment.

Step 1 – Configure the Access Request Policy for PSM

  1. Expand Low Code/No Code Workflow on the navbar and select Access Request Policies.

  2. Search for the Access Request Policy you are assigning to the computer and click the Edit (blue star) button to open the policy in edit mode.

  3. Review the following settings and adjust them as needed for your environment:

| Setting | Default Value | Description |
| --- | --- | --- |
| Approval Policy | Owner Approval | Specifies who and how many approvals are needed before access to the computer credentials is granted. |
| Fulfillment Delay (HRS) | 0 | Defines the waiting period (in hours) after approval before the system fulfills the request. |
| Allow Activation (Skip Business Request) | True | Determines whether a Business Request needs to be generated before preapproved users can activate their access. |
| Enable Just-in-Time Account Provisioning | Applicable only to Windows servers | Indicates whether a user account should be provisioned on the computer for each person accessing it via a privileged session. When enabled, EmpowerID generates an account using the naming convention that appends the EmpowerID logon of the person with "_RandomNumber". This setting is applicable only to Windows servers. Also, ensure the computer’s Just-in-Time Access settings are configured to allow this account provisioning. For additional details, refer to the Enable Computers for Privileged Session Management topic. |
| Time Restrictions | | These settings are used to specify whether the amount of time a user can access the computer per session is to be limited. If enabled, the following settings are pertinent: |
| Default Access Duration (Min) | - | Specifies the default duration (in minutes) for active sessions. |
| Max Duration (Min) | - | Determines the maximum duration (in minutes) for active sessions before automatic termination. |
| Min Login LOA if Local | - | Defines the minimum Level of Assurance points needed for internal users to log in. |
| Min Login LOA if Remote | - | Sets the required Level of Assurance points for remote logins. |
| PSM Computer Settings | | These settings are used to specify whether privileged session policy applies when users connect to the computer. |
| Max Allowed Concurrent Sessions | - | Specifies the number of concurrent sessions allowed, that is, the maximum number of sessions that can be running during the same time period. |
| Record Sessions | - | Determines whether sessions should be recorded. |
| Allow Live Session Snooping | - | Allows administrators to view sessions in real-time. |

  4. Save your changes after configuring the settings.
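
A consistency check over the settings described in Step 1, as an added example that is not EmpowerID code. The dictionary layout, the `review_policy` helper and the review criteria are assumptions of this example, not an EmpowerID export format, API or requirement.

```python
# Added example: consistency review of PSM Access Request Policy settings.
# The dict layout is constructed for illustration (not an EmpowerID format);
# keys reuse the setting names from Step 1.

def review_policy(name, settings, os_family):
    """Return a list of findings for one policy applied to one computer."""
    findings = []
    default_min = settings.get("Default Access Duration (Min)")
    max_min = settings.get("Max Duration (Min)")
    if max_min is None:
        findings.append("Max Duration (Min) is unset: no session time limit is defined")
    elif default_min is not None and default_min > max_min:
        findings.append("Default Access Duration (Min) exceeds Max Duration (Min)")

    local_loa = settings.get("Min Login LOA if Local")
    remote_loa = settings.get("Min Login LOA if Remote")
    if local_loa is not None and remote_loa is not None and remote_loa < local_loa:
        findings.append("Min Login LOA if Remote is lower than Min Login LOA if Local")

    jit = settings.get("Enable Just-in-Time Account Provisioning", False)
    if jit and os_family != "Windows":
        findings.append("Just-in-Time Account Provisioning applies only to Windows servers")

    # The pre-configured policy names encode the check-out behaviour.
    shared = "Allow Multi-Check-Out" in name and "No Password Reset" in name
    if shared and not jit and not settings.get("Record Sessions", False):
        findings.append("Shared credential with no recording and no per-user "
                        "account: sessions cannot be attributed to a person")
    return findings

# Constructed sample policies (values invented for the example).
SAMPLES = [
    ("Computer Creds - Allow Multi-Check-Out - No Password Reset",
     {"Default Access Duration (Min)": 120, "Max Duration (Min)": 60,
      "Min Login LOA if Local": 2, "Min Login LOA if Remote": 1,
      "Enable Just-in-Time Account Provisioning": False, "Record Sessions": False},
     "Linux"),
    ("Computer Creds - No Multi-Check-Out - Password Reset",
     {"Default Access Duration (Min)": 30, "Max Duration (Min)": 60,
      "Min Login LOA if Local": 1, "Min Login LOA if Remote": 2,
      "Enable Just-in-Time Account Provisioning": True, "Record Sessions": True},
     "Windows"),
]

if __name__ == "__main__":
    for name, settings, os_family in SAMPLES:
        for finding in review_policy(name, settings, os_family) or ["no findings"]:
            print(f"{name}: {finding}")
```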

Step 2 – Assign Computers to the Access Request Policy

  1. Back in the Access Request Policies page, click the Access Request Policy link for the policy you just configured.

    This action opens the View One page for the Access Request policy. View One pages are designed to facilitate viewing and managing the corresponding objects in EmpowerID.

  2. If the Resources Managed by Policy accordion is collapsed, expand it. You use this accordion to assign computers to the policy.

  3. Click the Add (blue star) button.

  4. In the Assignment Information pane, do the following:

    1. Select Computer from the Resource Type dropdown.

    2. Search for the computer you want to assign to the policy.

    3. Select the computer from the grid.

    4. Search for and select any other computers you want to add to the policy.

  5. Click Save.
