In EmpowerID, computer credentials are vaulted user names and passwords for Windows computers or SSH keys for Linux computers. Users can check credentials out to initiate RDP or SSH sessions on computers using EmpowerID's Privileged Session Manager. When you vault a computer credential, you specify the type of computer credential you are creating and link it to the Shared Credential policy for that credential type.
To initiate computer credential vaulting, a user needs an access assignment that includes the Computer PAM User Full Access Management Role. This Management Role allows users to view and connect to computers, vault credentials, and link them to computers. Users who vault computer credentials are the owners or Access Managers for those computer credentials. Access Managers can approve or deny access requests for the computer credentials they own, and can terminate RDP or SSH sessions on those computers.
Domain User — Select this credential type to vault credentials for a non-administrator account in a domain managed in EmpowerID. Approved users are granted user account permissions for each computer in the domain that you link to the credential.
When you first enter the password for a domain user account, EmpowerID validates it against the directory password hash for that account. This ensures that you vault the correct credentials.
Local Admin — Select this credential type to vault credentials for an administrator account on a local computer managed in EmpowerID. Approved users are granted administrator permissions on the local computer.
Enter a name for the Computer Credential in the Name and Display Name fields.
As a best practice, do not give a vaulted Computer Credential the same name as the account to which it is linked.
Computer Creds - No Multi-Check-Out - Password Reset — Select this policy to create credentials that initiate an RDP or SSH session where more than one session is not allowed and EmpowerID resets the password for the account when the user checks in the credentials.
When using password reset, if the user checks out the credential but never actually sees the details and does not use it to connect to a privileged session, then the password is not reset on check in.
To vault credentials for a domain admin or user, in the Managed User Account field, enter a managed user account and click the tile for the account to select it. This field does not appear on the form if you select Default Credentials from the Type drop-down.
For EmpowerID to know about the domain admin account, the domain that hosts the account must be a domain that EmpowerID is managing.
Please note that when creating a master password, you cannot use the same password associated with your EmpowerID Person.
For information on linking computer credentials to one or more computers, see Linking Credentials to Computers. For information on linking computer credentials to domains, see Linking Credentials to Domains.