In EmpowerID, Access Request policies are crucial for managing resource access and guiding the approval and fulfillment processes for user access requests. These policies are pivotal in Privileged Session Management (PSM), regulating access to computer credentials for servers or devices used in RDP or SSH sessions. They determine whether such sessions are subject to a privileged session policy, which controls session recording, live session monitoring, and limits on concurrent sessions for a specific computer. Additionally, Access Request policies include settings to update Windows Services and IIS App Pools when passwords are reset, which is important when credentials linked to these services require password updates after check-outs and check-ins.

...

Furthermore, these policies facilitate the automated rotation of passwords on a scheduled basis, enhancing security and compliance.

Tip

Approval Policies for Privileged Sessions

Administrators use Access Request policies to implement Approval Policies, ensuring that an approved user authorizes privileged session access requests before initiation. By default, access to computer credentials is controlled by the Owner Approval policy, requiring the owner's approval before a user initiates a session. However, organizations can choose other approval flows as desired.

...

Access Request Policies for Computer Credentials

EmpowerID offers several pre-configured Access Request policies tailored for computer credentials, each featuring its own PSM-specific settings:

You can view these policies by navigating to Low Code/No Code Workflow > Access Request Policies and searching for “Computer.”

| Policy Name | Applicability | MFA Requirement | Password Reset Policy |
| --- | --- | --- | --- |
| Computer Creds - Allow Multi-Check-Out - No Password Reset | Suitable for multiple RDP or SSH ... sessions without a password reset. | No | No |
| Computer Creds - No Multi-Check-Out - Password Reset | Ideal for single-session environments where a password reset is required post-session. | No | Yes |
| MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset | For environments requiring multi-factor authentication, allowing multiple sessions ... | Yes | No |

Access Request Policy for Computer Credential Settings

By leveraging these pre-built Access Request policies and configuring them according to your organization's security requirements, administrators can effectively manage privileged sessions and ensure secure access to critical resources. Regularly reviewing and updating these policies will help maintain compliance with relevant regulations and internal policies and enhance overall security.

General Settings for Access Request Policies

The table below outlines the general settings available for Access Request policies in EmpowerID:

| Setting | Description |
| --- | --- |
| Name/Display Name | Identifies the policy within the system and in the UI. |
| Description | Provides a brief overview of the policy's purpose and scope. |
| Allow Activation (Skip Business Request) | Specifies whether Business Requests are generated for access requests. If selected, the system does not route requests through Approval policies. |
| Approval Policy | Specifies the Approval policy linked to the Access Request policy. Approval policies determine who can approve access requests and how many approvals are required before access is granted, etc. The default Access Request policies for computer credentials are configured with the Owner Approval policy. |
| Fulfillment Delay (HRS) | Specifies the number of hours the system should wait to fulfill approved requests. |
| Is Shipping Data | For internal EmpowerID use only. |
| Enable Just in Time Account Provisioning | Enables dynamic account provisioning on the target computer at session start. This only applies when an account store is created for the computer in question. For details on how to create an account store for a Windows server, see the Local Windows Servers Connector topic in this guide. |
| Selectable in UI | Allows the Access Request policy to be selected from the EmpowerID Web Interface. |


Time and MFA Restrictions

...

These settings define temporal access boundaries and additional security layers:

| Setting | Description |
| --- | --- |
| Time Restrict Access | Enables time-based access restrictions with configurable durations. If enabled, additional settings can be configured to specify the default access duration, the max duration in minutes, and whether users can select durations within those parameters. |
| MFA Required for Access Request | ... |
| Min Login LOA If Local | Specifies the minimum Level of Assurance points required for users to log in to the computer if on the local network, if any. |
| Min Login LOA If Remote | Specifies the minimum Level of Assurance points required for users to log in to the computer if the user is remote, if any. |

Shared Credential Settings

...

These settings define whether credentials are available to users in the IAM Shop and how password resets are handled:

| Setting | Description |
| --- | --- |
| Publish in IAM Shop | Determines if credentials are visible for user selection in the IAM Shop. |
| Allow Multi Check Out | Permits multiple users to concurrently check out the credentials. |
| Reset Password On Check In | Enforces a password reset when a user completes their session and disconnects from the computer. |
| Update Windows Services On Password Reset | Updates the password for Windows services when a user completes their session and disconnects from the computer. |
| Update IIS App Pools On Password Reset | Specifies whether EmpowerID should update IIS App Pool passwords after a user completes their session and disconnects from the computer. |

PSM Computer Settings

| Setting | Description |
| --- | --- |
| Privileged Session Policy | Specifies whether a privileged session policy applies when users connect to the computer. If selected, additional settings determine the maximum number of concurrent sessions allowed, whether sessions are recorded, and whether administrators can view current sessions in real time. |

Password Rotation Settings

These settings enable administrators to configure automatic password resets for credentials within EmpowerID, enhancing security through regular updates. The settings allow for precise control over when and how often these resets occur.

| Setting | Description |
| --- | --- |
| Schedule Password Reset Enabled | Toggle this setting to enable or disable scheduled password resets. |
| Password Reset Schedule – Start Date | Defines the date when the password resets will start. |
| Password Reset Schedule – End Date | Defines the date when the password resets will end, if applicable. |
| Interval | Determines the frequency of the password resets. Options include 'Once', 'Hourly', 'Minute', 'Daily', 'Weekly', 'Monthly', or 'Run Indefinitely'. |
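A review check over the settings described on this page, as an added example that is not EmpowerID code: each policy is modelled as a Python dict keyed by the setting names above, and the function reports combinations worth a second look, such as a password reset that does not also update Windows Services or IIS App Pools. The dict layout, the finding tags and the sample values are assumptions; the page does not show an export format.

```python
from datetime import date

START = "Password Reset Schedule – Start Date"
END = "Password Reset Schedule – End Date"

def review_policy(p):
    """Return finding tags for one policy dict keyed by this page's setting names."""
    out = []
    on_check_in = p.get("Reset Password On Check In", False)
    scheduled = p.get("Schedule Password Reset Enabled", False)
    if p.get("Allow Activation (Skip Business Request)", False):
        out.append("no-approval")           # requests skip the Approval policy
    if not p.get("Privileged Session Policy", False):
        out.append("no-session-policy")     # no recording, monitoring or session limit
    if not p.get("MFA Required for Access Request", False):
        out.append("no-mfa")
    if not (on_check_in or scheduled):
        out.append("password-never-reset")  # neither check-in nor scheduled reset
    else:
        # A reset changes the account password; dependants must be updated too.
        for key, tag in (("Update Windows Services On Password Reset", "services-not-updated"),
                         ("Update IIS App Pools On Password Reset", "app-pools-not-updated")):
            if not p.get(key, False):
                out.append(tag)
    if scheduled:
        start, end = p.get(START), p.get(END)
        if start is None or (end is not None and end < start):
            out.append("bad-schedule")      # missing start, or end before start
    return out

# Constructed sample data. The first two names and their MFA / reset values come
# from the table of pre-built policies; every other value is made up for the example.
POLICIES = [
    {"Name": "Computer Creds - Allow Multi-Check-Out - No Password Reset",
     "Allow Multi Check Out": True, "Privileged Session Policy": True},
    {"Name": "Computer Creds - No Multi-Check-Out - Password Reset",
     "Reset Password On Check In": True, "Privileged Session Policy": True,
     "Update Windows Services On Password Reset": True},
    {"Name": "Sample - Scheduled Rotation (hypothetical)",
     "Allow Activation (Skip Business Request)": True,
     "MFA Required for Access Request": True,
     "Schedule Password Reset Enabled": True,
     START: date(2024, 6, 1), END: date(2024, 1, 1)},
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy["Name"], "->", review_policy(policy) or "ok")
```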

Next Steps

Assign PSM-Enabled Computers to Access Request Policies