Privileged Access Policies
In EmpowerID, Privileged Access policies control shared credential check-out and privileged session access. EmpowerID ships with a number of these policies that cover most situations, but you can create new policies as needed. For example, if you need a policy that controls contractor access to computers, you can create and implement one within minutes. To do so, you need the UI-Admin-Privileged-Access Management Role.
Note: To comply with the European Union GDPR (General Data Protection Regulation), which took effect on May 25, 2018, you must do one of two things:
Create the policy
...
On the navbar, expand Privileged Access and select Privileged Access Policies.
Above the grid, click the Add button.
...
...
...
Enter a Name, Display Name, and Description for the policy.
...
Select the Privileged Session Policy checkbox. Additional settings appear that relate to privileged sessions.
...
Change the remaining settings to reflect your policy for privileged sessions:
Publish in IT Shop – Select to allow eligible users to request access to the policy from the IT Shop.
Require Approval – Select to require someone to approve requests for credentials.
Allow Multi Check Out – Select to allow multiple users to check out credentials.
Reset Password On Check In – Select to have the password reset after each user checks the credentials back in after use.
Allow Live Snooping – Select to allow administrators and computer owners to observe live sessions.
Record Sessions – Select to have EmpowerID record sessions and store them where administrators and computer owners can replay them at any time.
Default Access Duration in Minutes – Enter the number of minutes to grant access if the user does not specify. The default value is 60 minutes.
Max Access Duration in Minutes – Enter the maximum number of minutes a user can request for a privileged computer session. The default value is 2880 minutes (48 hours).
Min MFA Points if Local – Enter the minimum number of multi-factor authentication points required for a local user to request a privileged computer session.
Min MFA Points if Remote – Enter the minimum number of multi-factor authentication points required for a remote user to request a privileged computer session.
Schedule Enabled – Select to set up a password reset schedule for the credential.
Password Reset Schedule – Expand the drop-down and specify the schedule for password resets.
...
Access Request policies govern resource access and drive the approval and fulfillment of user access requests. In Privileged Session Management (PSM) they regulate access to the computer credentials used for RDP or SSH sessions to servers and other devices, and they determine whether those sessions fall under a privileged session policy, which controls session recording, live monitoring, and the number of concurrent sessions allowed for a specific computer. Access Request policies also include settings to update Windows Services and IIS App Pools when a password is reset; this matters when credentials tied to those services are reset after check-out and check-in, because a service that still holds the old password fails the next time it starts. Finally, these policies can rotate passwords automatically on a schedule.
Tip: Approval Policies for Privileged Sessions. Administrators use Access Request policies to implement Approval policies, ensuring that an authorized approver signs off on a privileged session access request before the session starts. By default, access to computer credentials is controlled by the Owner Approval policy, which requires the owner's approval before a user can initiate a session. Organizations can choose other approval flows as desired.
Access Request Policies for Computer Credentials
EmpowerID offers several pre-configured Access Request policies tailored for computer credentials, each with specific settings for Privileged Session Management. Configure these pre-built policies to your organization's security requirements to manage privileged sessions and control access to critical resources, and review them regularly to keep them aligned with regulatory and internal requirements.
You can view these policies by navigating to Low Code/No Code Workflow > Access Request Policies and searching for “Computer.”
Policy Name | Applicability | MFA Requirement | Password Reset Policy |
---|---|---|---|
Computer Creds - Allow Multi-Check-Out - No Password Reset | Suitable for multiple RDP or SSH sessions without a password reset. | No | No |
Computer Creds - No Multi-Check-Out - Password Reset | Ideal for single-session environments where a password reset is required post-session. | No | Yes |
MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset | For environments requiring multi-factor authentication, allowing multiple sessions. | Yes | No |
General Settings for Access Request Policies
The table below outlines the general settings available for Access Request policies in EmpowerID:
Setting | Description |
---|---|
Name/Display Name | Identifies the policy within the system and in the UI. |
Description | Provides a brief overview of the policy's purpose and scope. |
Allow Activation (Skip Business Request) | Specifies whether Business Requests are generated for access requests. If selected, the system does not route requests through Approval policies. |
Approval Policy | Specifies the Approval policy linked to the Access Request policy. Approval policies determine who can approve access requests and how many approvals are required before access is granted. The default Access Request policies for computer credentials are configured with the Owner Approval Approval policy. |
Fulfillment Delay (HRS) | Specifies the number of hours the system should wait before fulfilling approved requests. |
Is Shipping Data | For internal EmpowerID use only |
Enable Just in Time Account Provisioning | Enables dynamic account provisioning on the target computer at session start. This only applies when an account store is created for the computer in question. For details on how to create an account store for a Windows server, see the Local Windows Servers Connector topic in this guide. |
Selectable in UI | Allows the policy to be selected from the EmpowerID Web Interface. |
Time and MFA Restrictions
These settings define temporal access boundaries and additional security layers:
Setting | Description |
---|---|
Time Restrict Access | Enables time-based access restrictions with configurable durations. |
MFA Required for Access Request | Imposes a minimum Level of Assurance for login based on user location (local or remote). |
Shared Credential Settings
These settings are used to define if credentials are available to users in the IAM Shop and password reset options:
Setting | Description |
---|---|
Publish in IAM Shop | Determines if credentials are visible for user selection in the IAM Shop. |
Allow Multi Check Out | Permits multiple users to concurrently check out the credentials. |
Reset Password On Check In | Enforces a password reset when a user completes their session and disconnects from the computer. |
Update Windows Services On Password Reset | Updates the password for Windows services that run under the credential whenever the password is reset after a user completes their session and disconnects from the computer. |
Update IIS App Pools On Password Reset | Specifies whether EmpowerID should update IIS App Pool passwords whenever the password is reset after a user completes their session and disconnects from the computer. |
PSM Computer Settings
Setting | Description |
---|---|
Privileged Session Policy | Specifies whether a privileged session policy applies when users connect to the computer. If selected, additional settings determine the maximum number of concurrent sessions allowed, whether sessions are recorded, and whether administrators can view current sessions in real time. |
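The following is an added example written for this article, not EmpowerID's code, that models how the settings from the Create the policy steps and the Access Request policy tables above combine when a user checks out computer credentials and checks them back in. The field names mirror the UI labels but are assumptions; the default values are the ones stated on this page (60 minutes default duration, 2880 minutes maximum), and the MFA point thresholds are chosen for illustration.

```python
# Hypothetical model of the check-out / check-in rules described on this page.
# Illustrative code for this article, not EmpowerID's implementation; field
# names are assumptions that mirror the UI labels.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    # Shared credential and privileged session settings
    allow_multi_check_out: bool = False
    reset_password_on_check_in: bool = True
    update_windows_services_on_reset: bool = False
    update_iis_app_pools_on_reset: bool = False
    default_access_minutes: int = 60       # page default
    max_access_minutes: int = 2880         # page default (48 hours)
    min_mfa_points_if_local: int = 0       # illustrative threshold
    min_mfa_points_if_remote: int = 2      # illustrative threshold
    # Access Request settings
    require_approval: bool = True
    allow_activation_skip_business_request: bool = False


@dataclass
class CredentialState:
    active_check_outs: int = 0   # users currently holding the credential


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted_minutes: int = 0
    needs_approval: bool = False


def request_check_out(policy: Policy, state: CredentialState,
                      requested_minutes: Optional[int] = None,
                      mfa_points: int = 0, remote: bool = False) -> Decision:
    """Apply the policy to one check-out request; on success, record the check-out."""
    # The MFA floor depends on whether the requester is local or remote.
    required = (policy.min_mfa_points_if_remote if remote
                else policy.min_mfa_points_if_local)
    if mfa_points < required:
        return Decision(False, f"need {required} MFA points, have {mfa_points}")

    # Concurrency: a second holder is refused unless multi check-out is allowed.
    if state.active_check_outs > 0 and not policy.allow_multi_check_out:
        return Decision(False, "credential already checked out; multi check-out disabled")

    # Duration: fall back to the default, never exceed the maximum.
    if requested_minutes is None:
        minutes = policy.default_access_minutes
    elif requested_minutes <= 0:
        return Decision(False, "requested duration must be positive")
    elif requested_minutes > policy.max_access_minutes:
        return Decision(False,
                        f"{requested_minutes} min exceeds max {policy.max_access_minutes}")
    else:
        minutes = requested_minutes

    # Allow Activation skips the Business Request and therefore the approval flow.
    needs_approval = (policy.require_approval
                      and not policy.allow_activation_skip_business_request)
    state.active_check_outs += 1
    return Decision(True, "ok", minutes, needs_approval)


def check_in(policy: Policy, state: CredentialState) -> List[str]:
    """Return the follow-up actions a check-in triggers under this policy."""
    state.active_check_outs = max(0, state.active_check_outs - 1)
    actions: List[str] = []
    if policy.reset_password_on_check_in:
        actions.append("reset_password")
        # Service and app-pool updates only fire when a reset actually happened;
        # without a reset the stored password is still valid.
        if policy.update_windows_services_on_reset:
            actions.append("update_windows_services")
        if policy.update_iis_app_pools_on_reset:
            actions.append("update_iis_app_pools")
    return actions
```

Note that the model resets the password on every check-in, as the page describes. With Allow Multi Check Out enabled that means one user's check-in can reset a password another user still holds, which is why the pre-built policies listed above pair multi check-out with no password reset and single check-out with a reset.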
Password Rotation Settings
These settings enable administrators to configure automatic password resets for credentials within EmpowerID, enhancing security through regular updates. The settings allow for precise control over when and how often these resets occur.
Setting | Description |
---|---|
Schedule Password Reset Enabled | Toggle this setting to enable or disable scheduled password resets. |
Password Reset Schedule – Start Date | Defines the date when the password resets will start. |
Password Reset Schedule – End Date | Defines the date when the password resets will end, if applicable. |
Interval | Determines the frequency of the password resets. Options include 'Once', 'Hourly', 'Minute', 'Daily', 'Weekly', 'Monthly', or 'Run Indefinitely'. |
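As an added example for this article (not EmpowerID code), the block below expands a Password Reset Schedule, as defined by the Start Date, End Date and Interval settings above, into concrete reset times and reports the longest gap between consecutive resets, so a schedule can be checked against a maximum password age. The interval names are the ones listed in the table; treating "Run Indefinitely" as an empty End Date is an assumption, and the fixed-limit bound on indefinite schedules is a choice made for this example.

```python
# Added example for this article, not EmpowerID code. Expands a password reset
# schedule into concrete times and checks the longest gap between resets.
import calendar
from datetime import datetime, timedelta
from typing import List, Optional

# Intervals with a fixed step; "Monthly" is handled separately because months
# differ in length. "Once" produces a single reset.
FIXED_STEPS = {
    "Minute": timedelta(minutes=1),
    "Hourly": timedelta(hours=1),
    "Daily": timedelta(days=1),
    "Weekly": timedelta(weeks=1),
}


def add_months(dt: datetime, months: int) -> datetime:
    """Advance by whole months, clamping the day to the target month's length
    (e.g. Jan 31 -> Feb 29 in a leap year)."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reset_times(start: datetime, interval: str,
                end: Optional[datetime] = None, limit: int = 1000) -> List[datetime]:
    """Return the scheduled reset times in order. An empty end date means the
    schedule runs indefinitely (assumption), so 'limit' bounds the expansion."""
    if interval == "Once":
        return [start] if end is None or start <= end else []
    if interval not in FIXED_STEPS and interval != "Monthly":
        raise ValueError(f"unknown interval {interval!r}")
    times: List[datetime] = []
    n = 0
    while len(times) < limit:
        # Compute each occurrence from the start rather than from the previous
        # one, so a month-end start does not drift (Jan 31 -> Feb 29 -> Mar 31).
        if interval == "Monthly":
            t = add_months(start, n)
        else:
            t = start + n * FIXED_STEPS[interval]
        if end is not None and t > end:
            break
        times.append(t)
        n += 1
    return times


def longest_gap(times: List[datetime]) -> Optional[timedelta]:
    """Largest interval between consecutive resets; None if fewer than two."""
    if len(times) < 2:
        return None
    return max(b - a for a, b in zip(times, times[1:]))


def meets_max_age(start: datetime, interval: str, max_age: timedelta,
                  end: Optional[datetime] = None) -> bool:
    """True if every consecutive pair of resets is no further apart than max_age.
    A one-off reset cannot bound the password age, so it never qualifies."""
    gap = longest_gap(reset_times(start, interval, end, limit=400))
    return gap is not None and gap <= max_age
```

The check is the one a reviewer wants when a scheduled rotation is supposed to satisfy a maximum password age: a Monthly schedule has a worst-case gap of 31 days, so it does not meet a 30-day requirement even though most months are shorter.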