...

When a request for a non-computer credential is approved, users check out the credential to access the resources authorized by the credential. When the user is done with the credential, or the allocated time frame for using the credential has expired, the credential is checked in. Depending on the policy associated with the credential, the password may or may not be reset by the EmpowerID system.

Info

To initiate any credential vaulting for non-computer credentials, a user needs an access assignment that includes the following Management Roles. Please note that the VIS-* and ACT-* Management Roles are scoped by location; thus a user only needs the specific roles pertaining to the location(s) for which they are responsible for vaulting credentials. Please note that the list of Management Roles below contains only those roles needed to vault non-computer credentials. If a person needs to manage shared credentials in other ways, such as approving check-out requests, that person needs a different set of Management Roles. For a complete list of the Management Roles associated with shared credentials, please see PAM Management Roles.

  • UI-Shared-Credential-Object-Administration – This Management Role grants access to the user interfaces and workflows for managing shared credentials.

  • VIS-Shared-Credential-All – This Management Role grants visibility for all vaulted credentials.

  • VIS-Shared-Credential-MyLocations – This Management Role grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

  • VIS-Shared-Credential-MyOrg – This Management Role grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

  • ACT-Shared-Credential-Create-All – This Management Role grants people with the role the ability to create a shared credential anywhere.

  • ACT-Shared-Credential-Create-MyLocations – This Management Role grants people with the role the ability to create a shared credential in a person's locations. This role would be assigned if the person should be able to create a shared credential in their locations only.

  • ACT-Shared-Credential-Create-MyOrg – This Management Role grants people with the role the ability to create a shared credential in a person's organization. This role would be assigned if the person should be able to create a shared credential in their organization only.

  • ACT-Shared-Credential-Object-Administration-All – This Management Role grants people with the role the ability to create, edit and delete a shared credential anywhere.

  • ACT-Shared-Credential-Object-Administration-MyLocations – This Management Role grants people with the role the ability to create, edit and delete a shared credential in their locations. This role would be assigned if the person should be able to create, edit and delete a shared credential in their locations only.

  • ACT-Shared-Credential-Object-Administration-MyOrg – This Management Role grants people with the role the ability to create, edit and delete a shared credential in their organization. This role would be assigned if the person should be able to create, edit and delete a shared credential in their organization only.

Users who vault credentials are the owners or Access Managers for those credentials. Access Managers can approve or deny access requests for the credentials they own.

...

Vault a non-computer credential

  1. On the navbar, expand Privileged Access and select Shared Credentials.

  2. Select the All Shared Credentials tab and then click the Add button.

    This opens the Password Vault Data dialog.

  3. Enter a name for the shared credential in the Name and Display Name fields.

  4. Click the Shared Credential Policy drop-down and select the appropriate one to link to the credentials. Here are the default options for non-computer credentials:

    • Non-Computer Creds - Multi-Check-Out - No Password Reset – Select this policy to create credentials for an account where more than one check out is allowed and you do not want EmpowerID to reset the password when a user checks in the credentials.

    • Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – Select this policy to create credentials for an account where more than one check out is not allowed, no approval is required, and you want EmpowerID to reset the password when a user checks in the credentials.

    • Non-Computer Creds - No Multi-Check-Out with Password Reset – Select this policy to create credentials for an account where more than one check out is not allowed and you want EmpowerID to reset the password when a user checks in the credentials. Please note that this policy type is only valid for use with user accounts with passwords that have been vaulted in EmpowerID. The user account must belong to a domain or account store that has been inventoried by EmpowerID.

    • Service Account with Scheduled Password Reset – Select this policy for credentials for a Windows Service account or IIS App pool identity.
      When you select this policy, EmpowerID resets the password against all Windows servers in your environment that have Windows Services or App Pools. Please note that this policy type is only valid for use with service accounts with passwords that have been vaulted in EmpowerID. The service account must belong to a domain or account store that has been inventoried by EmpowerID.

  5. Underneath Location, click Select a Location, then select a location for the credential and click Save.

  6. Enter a description in the Description field.

  7. In the User Name field, enter the user name for the account you are vaulting.

  8. In the Password field, enter the password for the account you are vaulting.

  9. Optionally, enter any notes in the Notes field.

  10. Select Enabled.

  11. Click Save.

  12. If you have not yet entered your master password for this session, EmpowerID prompts you to do so. Enter your master password and click OK.

  13. If you have not yet created a master password for yourself, EmpowerID prompts you to do so. Enter a password in the Password and Confirm Password fields and click OK.
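
To make the lifecycle described at the top of the page (approval, check-out, check-in on completion or expiry, optional password reset) and the policy differences from step 4 concrete, here is a small Python model of a shared-credential vault. It is an added illustration, not EmpowerID's code or API: the `Vault` and `VaultedCredential` classes, their methods, the `requires_approval` flag, and the assumption that the two policies not named "No Approval" require an Access Manager's approval are all constructed for this example, and the password reset is simulated with a random token rather than performed against an account store. The "Service Account with Scheduled Password Reset" policy is omitted because its reset is scheduled rather than triggered by check-in.

```python
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class SharedCredentialPolicy:
    name: str
    allow_multi_checkout: bool  # may several people hold the credential at once?
    reset_on_checkin: bool      # is the password reset when the credential is checked in?
    requires_approval: bool     # must an Access Manager approve the request first?


# The three non-computer policies listed in step 4. The page only says the second
# needs no approval; requiring approval for the other two is an assumption.
MULTI_NO_RESET = SharedCredentialPolicy(
    "Non-Computer Creds - Multi-Check-Out - No Password Reset", True, False, True)
NO_APPROVAL_SINGLE_RESET = SharedCredentialPolicy(
    "Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset", False, True, False)
SINGLE_RESET = SharedCredentialPolicy(
    "Non-Computer Creds - No Multi-Check-Out with Password Reset", False, True, True)


@dataclass
class VaultedCredential:
    name: str
    user_name: str
    password: str
    policy: SharedCredentialPolicy
    owner: str                                   # person who vaulted it (its Access Manager)
    approved: set = field(default_factory=set)   # people with an approved request
    holders: dict = field(default_factory=dict)  # person -> tick at which the time frame ends
    reset_count: int = 0


class Vault:
    # Hypothetical vault; 'now' is a constructed tick counter, not wall-clock time.
    def __init__(self):
        self.creds, self.now, self.audit = {}, 0, []   # audit: (tick, event, credential, person)

    def vault(self, name, user_name, password, policy, owner):
        self.creds[name] = VaultedCredential(name, user_name, password, policy, owner)
        self.audit.append((self.now, "vaulted", name, owner))

    def approve(self, name, person, access_manager):
        cred = self.creds[name]
        if access_manager != cred.owner:
            raise PermissionError(f"{access_manager} is not an Access Manager for {name}")
        cred.approved.add(person)
        self.audit.append((self.now, "approved", name, person))

    def check_out(self, name, person, duration):
        cred = self.creds[name]
        if cred.policy.requires_approval and person not in cred.approved:
            raise PermissionError(f"{person} has no approved request for {name}")
        if cred.holders and not cred.policy.allow_multi_checkout:
            raise RuntimeError(f"{name} is already checked out")
        cred.holders[person] = self.now + duration
        self.audit.append((self.now, "checked_out", name, person))
        return cred.password

    def check_in(self, name, person):
        cred = self.creds[name]
        cred.holders.pop(person, None)
        cred.approved.discard(person)   # the next check-out needs a fresh approval
        if cred.policy.reset_on_checkin and not cred.holders:
            cred.password = secrets.token_urlsafe(24)   # stand-in for the real reset
            cred.reset_count += 1
            self.audit.append((self.now, "password_reset", name, "system"))
        self.audit.append((self.now, "checked_in", name, person))

    def advance(self, ticks):
        # Move the clock; any holder whose allocated time frame has ended is checked in.
        self.now += ticks
        for name, cred in self.creds.items():
            for person, expiry in list(cred.holders.items()):
                if expiry <= self.now:
                    self.audit.append((self.now, "expired", name, person))
                    self.check_in(name, person)


def demo():
    """Walk a constructed credential through the lifecycle and report what happened."""
    v = Vault()
    v.vault("svc-reporting", "reporting", "initial-secret", SINGLE_RESET, owner="alice")
    v.approve("svc-reporting", "bob", access_manager="alice")
    v.approve("svc-reporting", "carol", access_manager="alice")
    first = v.check_out("svc-reporting", "bob", duration=60)
    try:                          # single check-out: carol is refused while bob holds it
        v.check_out("svc-reporting", "carol", duration=60)
        second_blocked = False
    except RuntimeError:
        second_blocked = True
    v.advance(60)                 # bob's time frame ends: auto check-in, then password reset
    cred = v.creds["svc-reporting"]
    return {
        "first_password": first,
        "second_blocked": second_blocked,
        "password_rotated": cred.password != "initial-secret",
        "reset_count": cred.reset_count,
        "events": [e[1] for e in v.audit],
    }
```

Running `demo()` shows the points a reviewer of such a setup cares about: a second requester is refused under a no-multi-check-out policy, expiry of the time frame checks the credential in without the holder's action, and the password the first user saw is no longer valid afterwards because the policy resets it on check-in. Swapping `SINGLE_RESET` for `MULTI_NO_RESET` lets both people hold the credential and leaves the password unchanged, which is why that policy is the one to avoid for accounts whose password should never outlive a session.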

...

See Also

Vault Computer Credentials

Link Credentials to Computers

Link Credentials to Domains

Vault Secrets

Check Out Credentials via PowerShell