...
On the navbar, expand Privileged Access and select PAM Workflows.
Click Create Computer and Credential.
This opens the Onboard Computer wizard workflow. Enter the following information in the computer form:
DNS Host Name – DNS of the computer
Display Name – Display name of the computer
Description – Description of the computer
Publish in IAM Shop – Select this option if you want users to be able to request access to the computer in the IAM Shop
Allows RDP Connections – Select this option to allow users to initiate RDP connections to the computer
Allows SSH Connections – Select this option to allow users to initiate SSH connections to the computer (Linux)
Enable Just in Time Account Provisioning – Select this option to enable accounts to be created on the computer for users requesting access to the machine. If this option is selected here and deselected on the policy governing access to the computer, EmpowerID overrides the policy setting and provisions the account.
Computing Platform – Select one of the available options or leave the default setting of Unknown
Operating System Type – OS of the computer
Computer Type – Type of computer, such as Windows Workstation
Private Address – Private IP address of the computer
Public Address – Public IP address of the computer
Click Next to progress to the Select Creation Location configuration step.
In the Select Creation Location lookup, search for and select the account store and, in the case of AD or LDAP, the specific OU within that account store where the computer is to be created.
Click Submit to progress to the Access Request Settings configuration step.
Under Owners and Policies, configure the following settings:
Access Request Policy – Select the Access Request policy appropriate for the credential. For computers, the following policies are pertinent. Each is linked to the Owner Approval Approval Flow policy, which means the owner of the computer must approve access requests.
Default Access Request Policy – Select this option when creating a computer without vaulting credentials for it in EmpowerID
Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session (credential check out) is allowed and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. This policy is configured with the Owner Approval Approval Flow policy.
Computer Creds - No Multi-Check-Out - Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session is not allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.
MFA - Computer Creds - Allow Multi- Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential check out) is allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.
Non-Computer Creds - Multi-Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials for an account where more than one checkout is allowed, and you do not want EmpowerID to reset the password when a user checks in the credentials.
Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials for an account where more than one checkout is not allowed, no approval is required, and you want EmpowerID to reset the password when a user checks in the credentials.
Non-Computer Creds - No Multi-Check-Out with Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials for an account where more than one checkout is not allowed, and you want EmpowerID to reset the password when a user checks in the credentials. Please note that this policy type is only valid for use with user accounts with passwords that have been vaulted in EmpowerID. The user account must belong to a domain or account store that has been inventoried by EmpowerID.
Responsible Party – Search for and select the person responsible for the computer.
Computer Owners – Search for and select one or more persons as owners of the computer and then click Add.
Computer Deputies – Search for and select one or more persons as deputy owners of the computer and then click Add.
Under Configure Eligibility, optionally add any eligible users for the computer as needed. Users must have a form of eligibility to request access to the computer in the IAM Shop. If you are not publishing the computer to the IAM Shop, you can skip this and proceed to the next step.
Click Next to progress to the Select Gateway (Optional) configuration.
Optionally, search for and select the gateway computer used for PSM sessions and click Next to progress to the Select Credentials (optional) setting. If this setting is not applicable, simply click Next.
Optionally, search for and select the vaulted credentials for the computer and click Next to create the computer. If this setting is not applicable, simply click Next.
...
Assign IAM Shop Permission Levels to Computers
Enable Computers for Privileged Session Management
...