Creating Privileged Session Policies

You can create Privileged Session policies to determine how users can check out credentials to use computers in EmpowerID. You can select which policy to use each time you create a shared computer credential.

To comply with European Union GDPR (General Data Protection Regulation) that was implemented on May 25, 2018, you must do one of two things:

  • Turn off live monitoring and session recording.
  • Clearly alert the user that their session will be recorded, how it will be recorded, and that they can opt out of such monitoring by not continuing to the session.

This topic demonstrates how to create Privileged Session policies.

To create a Privileged Session policy

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then Policies, and click Shared Credential Policies.
  2. Above the grid, click the Add button.

    This opens the Create Shared Credential Policy form.

  3. Enter a NameDisplay Name, and Description for the policy.
  4. Select the Privileged Session Policy checkbox. Additional settings appear that relate to privileged sessions.

  5. Change the remaining settings to reflect your policy for privileged sessions:

    • Require Approval — Select to require someone to approve requests for credentials.
    • Allow Multi Check Out — Select to allow multiple users to check out credentials. 
    • Reset Password On Check In — Select to have the password reset after each user checks the credentials back in after use.
    • Allow Live Snooping — Select to allow administrators and computer owners to look in on live sessions and see what the user is doing.

      This setting and the next are illegal under European Union GDPR unless you clearly alert the user that their session may be subject to live snooping or recording (or both).

    • Record Sessions — Select to have EmpowerID record sessions and store them where administrators and computer owners can replay them at any time.

      To set up a repository to store recorded sessions, see Setting Up Privileged Session Management.

    • Default Access Duration in Minutes — Enter the number of minutes to grant access if the user does not specify. The default value is 60 minutes.
    • Max Access Duration in Minutes — Enter the maximum number of minutes a user can request for a privileged computer session. The default value is 2880 minutes (48 hours).
    • Min MFA Points if Local — Enter the minimum number of multi-factor authentication points required for a local user to request a privileged computer session. 
    • Min MFA Points if Remote — Enter the minimum number of multi-factor authentication points required for a remote user to request a privileged computer session. 
    • Schedule Enabled — Select to set up a password reset schedule for the credential.

  6. Click Save.

Now you can select your Privileged Session policy when you create a new shared computer credential. For more information, see Vaulting Computer Credentials.