Versions Compared

Old Version 1

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In EmpowerID, non-computer credentials are vaulted user names and passwords that can be requested and checked out by users to access the specific applications and other resources authorized by those credentials. When you vault a non-computer credential, you specify the type of credential you are vaulting and link it to the Shared Credential policy for that credential type. EmpowerID encrypts the user name, password and notes information for all credential types.

When a request for a non-computer credential is approved, users check out the credential to access the resources authorized by the credential. When the user is done with the credential – or the allocated time frame for using the credential has expired – the credential is checked in. Depending on the policy associated with the credential, the password may or may not be reset by the EmpowerID system.Managing credentials is a crucial yet often challenging task for organizations, as it involves handling sensitive information like usernames, passwords, and certificates. To streamline this process and enhance security, EmpowerID offers a user-friendly Onboard Credentials wizard workflow. This step-by-step guide simplifies the process of vaulting computer and non-computer credentials while ensuring their proper storage and easy accessibility.

In this how-to topic, we will walk you through the process of onboarding credentials using EmpowerID's Onboard Credentials wizard workflow. By following this guide, you will be able to securely vault various types of credentials, including Active Directory (AD) accounts, service accounts, SSH keys, API keys, and more, without navigating complex interfaces or processes.

Insert excerpt
IL:New Resource Snippets
IL:New Resource Snippets
nameAllAccess
nopaneltrue

Info

To initiate any credential vaulting

...

, users need to have the

...

appropriate Management Roles for the type of credential being vaulted. For a complete list of the Management Roles associated with shared credentials, please see Access to PAM

...

.

Onboard a credential

  • UI-Shared-Credential-Object-Administration – This Management Role grants access to the user interfaces and workflows for managing shared credentials. 

  • VIS-Shared-Credential-All – This Management Role grants visibility for all vaulted credentials.

  • VIS-Shared-Credential-MyLocations – This Management Role grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

  • VIS-Shared-Credential-MyOrg – This Management Role grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

  • ACT-Shared-Credential-Create-All – This Management Role grants people with the role the ability to create a shared credential anywhere.

  • ACT-Shared-Credential-Create-MyLocations – This Management Role grants people with the role the ability to create a shared credential in a person's locations. This role would be assigned if the person should be able to create a shared credential in their locations only.

  • ACT-Shared-Credential-Create-MyOrg – This Management Role grants people with the role the ability to create a shared credential in a person's organization. This role would be assigned if the person should be able to create a shared credential in their organization only.

  • ACT-Shared-Credential-Create-All – This Management Role grants people with the role the ability to create a shared credential anywhere.

  • ACT-Shared-Credential-Create-MyLocations –  This Management Role grants people with the role the ability to create a shared credential in a person's locations. This role would be assigned if the person should be able to create a shared credential in their locations only.

  • ACT-Shared-Credential-Create-MyOrg – This Management Role grants people with the role the ability to create a shared credential in a person's organization. This role would be assigned if the person should be able to create a shared credential in their organization only.

  • ACT-Shared-Credential-Object-Administration-All – This Management Role grants people with the role the ability to create, edit and delete a shared credential anywhere.

  • ACT-Shared-Credential-Object-Administration-MyLocations –  This Management Role grants people with the role the ability to create, edit and delete a shared credential in their locations. This role would be assigned if the person should be able to create, edit and delete a shared credential in their locations only.

  • ACT-Shared-Credential-Object-Administration-MyOrg – This Management Role grants people with the role the ability to create, edit and delete a shared credential in their organization. This role would be assigned if the person should be able to create, edit and delete a shared credential in their organization only.

Users who vault credentials are the owners or Access Managers for those credentials. Access Managers can approve or deny access requests for the credentials they own.

Vault a non-computer credential

...

On the navbar, expand Privileged Access and select Shared Credentials.

Select the All Shared Credentials tab and then click the Add button.

...

...

Enter a name for the shared credential in the Name and Display Name fields.

...

  1. Sign-in to the Resource Admin portal.

  2. Select Credentials from the Resource Type dropdown.

  3. Select the Workflows tab and click Onboard a Credential.

    Image Added


    This opens the Onboard Credential wizard workflow.

    Image Added

  4. Enter the following credential information:

    • Name

    • Display Name

    • Credential Type – Select the appropriate type of credential. Options include the following:

      • Azure Application Certificate – Select this credential type to vault a certificate for an Azure application managed by EmpowerID.

      • Azure Application Secret – Select this credential type to vault a secret for an Azure application managed by EmpowerID.

      • Default Credentials – Select this credential type to vault any set of credentials that has significance in your environment.

      • Domain Admin – Select this credential type to vault credentials for the administrator account in a domain managed in EmpowerID. Approved users are granted domain administrator permissions for all computers in the domain that you link to the credential.

      • Domain User – Select this credential type to vault credentials for a non-administrator account in a domain managed in EmpowerID. Approved users are granted user account permissions for each computer in the domain that you link to the credential.

      • Local Admin – Select this credential type to vault credentials for an administrator account on a local computer managed in EmpowerID. Approved users are granted administrator permissions on the local computer.

    • Personal Credential – Select this option if the credentials are personal to a specific user.

    • User Name – Enter the user name portion of the credentials.

    • Inventoried User Account – Search for and select the inventoried user account associated with the credentials. This field appears for Domain Admin, Domain User, and Local Admin credential types only.

    • Password – Enter the password portion of the credentials. This field is not used when using SSH Keys.

    • SSH Key – If onboarding credentials for a Linux system, select this option and then upload the SSH public key file.

    • Encrypted Notes – Optionally, enter any notes.

    • Description – Optionally, enter a description.

    • Location – Click the Select a Location link, then select a location for the credential and click Save.
      This field does not appear when onboarding Personal Credentials.

      Image Added

    • Enabled – Select this option to enable the usage of the credentials.

  5. Click Next to proceed to the Access Request Settings configuration step.

    Insert excerpt
    IL:IAM Shop Snippets
    IL:IAM Shop Snippets
    namePersonalCredentials
    nopaneltrue

  6. Under Owners and Policies, configure the following settings:

    • Access Request Policy – Select the Access Request policy appropriate for the credential. All of the below default policies are linked to the Owner Approval Approval Flow policy, which means that the owner of the credential must approve access requests.

      • Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where more than one session (credential checkout) is allowed, and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. This policy is configured with the Owner Approval Approval Flow policy.

      • Computer Creds - No Multi-Check-Out - Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where more than one session is not allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

      • MFA - Computer Creds - Allow Multi- Check-Out - No Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential checkout) is allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

      • Non-Computer Creds - Multi-Check-Out - No Password Reset – Select this policy

...

      • when creating credentials for an account where more than one

...

      • checkout is allowed, and you do not want EmpowerID to reset the password when a user checks in the credentials.

      • Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – Select this policy

...

      • when creating credentials for an account where more than one

...

      • checkout is not allowed, no approval is required, and you want EmpowerID to reset the password when a user checks in the credentials.

      • Non-Computer Creds - No Multi-Check-Out with Password Reset – Select this policy

...

      • when creating credentials for an account where more than one

...

Underneath Location, click Select a Location, then select a location for the credential and click Save.

...

...

Enter a description in the Description field.

...

In the User Name field, enter the user name for the account you are vaulting.

...

In the Password field, enter the password for the account you are vaulting.

...

Optionally, enter any notes in the Notes field.

...

Select Enabled.

...

Click Save.

...

If you have not yet entered your master password for this session, EmpowerID prompts you to do so. Enter your master password and click OK.

...

...

If you have not yet created a master password for yourself, EmpowerID prompts you to do so. Enter a password in the Password and Confirm Password fields and click OK.

...

      • checkout is not allowed, and you want EmpowerID to reset the password when a user checks in the credentials. Please note that this policy type is only valid for use with user accounts with passwords that have been vaulted in EmpowerID. The user account must belong to a domain or account store that has been inventoried by EmpowerID.

...

Service Account with Scheduled Password Reset – Select this policy for credentials for a Windows Service account or IIS App pool identity.
When you select this policy, EmpowerID resets the password against all Windows servers in your environment that have Windows Services or App Pools. Please note that this policy type is only valid for use with service accounts with passwords that have been vaulted in EmpowerID. The service account must belong to a domain or account store that has been inventoried by EmpowerID.

    • Responsible Party – Search for and select the person responsible for the credentials.

    • Credential Owner – Search for and select the owner of the credentials.

  2. Under Configure Eligibility, add any eligible users for the credential as needed. Users must have a form of eligibility to request access to the credentials in the IAM Shop.

    Insert excerpt
    IL:IAM Shop Snippets
    IL:IAM Shop Snippets
    nameEligibility
    nopaneltrue

  3. Click Next.

  4. Review the Operation Execution Summary and click Submit.

    Insert excerpt
    IL:IAM Shop Snippets
    IL:IAM Shop Snippets
    nameComputerLookup
    nopaneltrue

  5. In the Computer lookup section of the workflow, search for the computer to which you want to link the credential and tick the box on the computer record to select it.

    Image Added

  6. Repeat to select other computers as needed.

  7. Click Next to complete the operation and exit the workflow.

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue

See Also

Vault Computer Credentials

Link Credentials to Computers

Link Credentials to Domains

Vault Secrets

Check Out Credentials via PowerShell