
Managing credentials such as usernames, passwords, and certificates is a critical task for organizations, and it can be complex. EmpowerID simplifies this process through a user-friendly Onboard Credentials wizard workflow. This step-by-step guide walks through vaulting computer and non-computer credentials while ensuring their proper storage and easy accessibility.

In this article, you'll learn how to onboard credentials efficiently using EmpowerID's Onboard Credentials wizard workflow. By following this guide, you will be able to securely vault various types of credentials, including Active Directory (AD) accounts, service accounts, SSH keys, API keys, and more, without navigating complex interfaces or processes.


Prerequisites

To initiate any credential vaulting, ensure that you have the appropriate Management Roles for the type of credential being vaulted. For a complete list of the Management Roles associated with shared credentials, refer to the Granting Access to PAM with Management Roles article.

Procedure

...

Step 1 – Open the Onboard Credentials Wizard

  1. Sign in to the IAM Shop portal.

  2. Select Credentials from the Resource Type dropdown.

  3. Navigate to the Workflows tab.

  4. Click Onboard a Credential.



    This action opens the Onboard Credential wizard workflow.


Step 2 – Enter Credential Information

In the wizard, fill in the following credential information:

  1. Name – Enter the name of the credential.

  2. Display Name – Provide the display name.

  3. Credential Type – Select the appropriate credential type from the following options:

    • Azure Application Certificate – Vault a certificate for an Azure application managed by EmpowerID.

    • Azure Application Secret – Vault a secret for an Azure application managed by EmpowerID.

    • Default Credentials – Vault any set of credentials significant to your environment.

    • Domain Admin – Vault credentials for the administrator account in a domain managed by EmpowerID. Approved users are granted domain administrator permissions for all computers in the domain linked to the credential.

    • Domain User – Vault credentials for a non-administrator account in a domain managed by EmpowerID. Approved users are granted user account permissions for each computer in the domain linked to the credential.

    • Local Admin – Vault credentials for an administrator account on a local computer managed by EmpowerID. Approved users are granted administrator permissions on the local computer.

    • Personal Credential – Vault personal credentials for your own use.

  4. User Name – Enter the username portion of the credentials.

  5. Inventoried User Account – Search for and select the inventoried user account associated with the credentials. (This field only appears for the Domain Admin, Domain User, and Local Admin credential types.)

  6. Password – Enter the password portion of the credentials. (This field is not used when using SSH Keys.)

  7. SSH Key – If onboarding credentials for a Linux system, select this option and then upload the SSH public key file.

  8. Encrypted Notes – Optionally, enter any notes.

  9. Description – Optionally, enter a description.

  10. Location – Click the Select a Location link, then search for and select the desired location for the credentials. (This field does not appear when onboarding Personal Credentials.)

  11. Enabled – Select this option to enable the usage of the credentials.

  12. Click Next to proceed to the Access Request Settings configuration step.


Step 3 – Configure Access Request Settings

Under Owners and Policies, configure the following settings:

  1. Access Request Policy – Select the appropriate Access Request policy for the credential. The following default policies are linked to the Owner Approval Approval Flow policy, meaning the owner of the credential must approve access requests:

    • Computer Creds - Allow Multi-Check-Out - No Password Reset – For RDP or SSH sessions where more than one session (credential checkout) is allowed, and passwords are not reset when checked in.

    • Computer Creds - No Multi-Check-Out - Password Reset – For single-session RDP or SSH credentials where passwords are reset upon check-in.

    • MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset – For RDP or SSH sessions requiring multi-factor authentication, where multiple sessions are allowed, and passwords are reset upon check-in.

    • Non-Computer Creds - Multi-Check-Out - No Password Reset – For non-computer credentials where multiple checkouts are allowed, and passwords are not reset when checked in.

    • Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – For credentials that do not require approval, do not allow multiple checkouts, and require password resets upon check-in.

    • Non-Computer Creds - No Multi-Check-Out with Password Reset – For credentials that do not allow multiple checkouts and require password resets upon check-in. (Only valid for user accounts with passwords vaulted in EmpowerID; the user account must belong to a domain or account store that has been inventoried by EmpowerID.)

  2. Responsible Party – Search for and select the person responsible for the credentials.

  3. Credential Owner – Search for and select the owner of the credentials.

  4. Under Configure Eligibility, add any eligible users for the credential as needed. Users must have a form of eligibility to request access to the credentials in the IAM Shop.

Add Eligible Users

Add Eligible Assignees

This setting allows you to specify who is eligible to request the credential. Eligible assignees can include the following:

    • Person – You can assign eligibility to individual people within your organization.

    • Group – You can assign eligibility to groups. When selected, members of those groups can request access.

    • Set Group – You can assign eligibility to Set Groups. When selected, members of those Set Groups can request access.

    • Management Role – You can assign eligibility to Management Roles. When selected, members of those Management Roles can request access.

    • Management Role Definition – You can assign eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

    • Business Role and Location – You can assign eligibility to Business Roles and Locations. When selected, members of those Business Roles and Locations can request access.

To add eligible assignees, do the following:

  1. Under Eligible Assignees, select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a group, search for and select the specific group.

  3. Click Add.

  4. Repeat the above steps to add other eligible assignees as needed.

Add Pre-approved Assignees

This setting allows you to specify who is pre-approved for the credential. Users who are pre-approved need to activate their membership; no further approvals are needed. Pre-approved assignees can include the following:

    • Person – You can assign pre-approval status to individual people within your organization.

    • Group – You can assign pre-approval status to groups. When selected, all members of those groups are pre-approved.

    • Set Group – You can assign pre-approval status to Set Groups. When selected, all members of those Set Groups are pre-approved.

    • Management Role – You can assign pre-approval status to Management Roles. When selected, all members of those Management Roles are pre-approved.

    • Management Role Definition – You can assign pre-approval status to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition are pre-approved.

    • Business Role and Location – You can assign pre-approval status to Business Roles and Locations. When selected, all members of those Business Roles and Locations are pre-approved.

To add pre-approved assignees, do the following:

  1. Under Pre-Approved Assignees, select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning pre-approval status to a person, search for and select the specific person.

  3. Click Add.

  4. Repeat the above steps to add other pre-approved assignees as needed.

Suggested Assignees

This setting allows you to specify who sees the credential as suggested in the IAM Shop. Suggested assignees who request access to the credential route through the regular approval process set by the Access Request policy for the credential. Suggested assignees can include the following:

    • Person – You can assign suggested eligibility to individual people within your organization.

    • Group – You can assign suggested eligibility to groups. When selected, all members of those groups can request access.

    • Set Group – You can assign suggested eligibility to Set Groups. When selected, all members of those Set Groups can request access.

    • Management Role – You can assign suggested eligibility to Management Roles. When selected, all members of those Management Roles can request access.

    • Management Role Definition – You can assign suggested eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

    • Business Role and Location – You can assign suggested eligibility to Business Roles and Locations. When selected, all members of those Business Roles and Locations can request access.

To add suggested assignees, do the following:

  1. Select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a Set Group, search for the specific Set Group.

  3. Click Add.

  4. Repeat the above steps to add other suggested assignees as needed.

  5. Click Next.

  6. Review the Operation Execution Summary and click Submit.


Step 4 – Link Computers to Credential (Optional)

If you are creating a computer credential, you will be presented with a computer lookup that allows you to search for one or more computers to which you can link the credential; otherwise, the workflow will exit.

To link a credential to a computer, follow these steps:

  1. In the Computer lookup section of the workflow, search for the computer to which you want to link the credential and tick the box on the computer record to select it.

  2. Repeat to select other computers as needed.

  3. Click Next to complete the onboarding process.

  4. Click Submit to close the operation execution summary.

...