Creating Privileged Access Policies

Privileged Access policies control shared credential check-out and privileged session access. EmpowerID includes a number of these that you can use for most situations; however, you can create new policies as needed. For example, if you want a specific policy that controls access to computers for contractors, within minutes you can easily create and implement just such a policy. To do so, you will need to have the UI-Admin-Privileged-Access Management Role.

To comply with the European Union's GDPR (General Data Protection Regulation), which was implemented on May 25, 2018, you must do one of two things:

  • Turn off live monitoring and session recording.

  • Clearly alert the user that their session will be recorded, how it will be recorded, and that they can opt out of such monitoring by not continuing to the session.

To create a Privileged Access policy

  1. On the navbar, expand Privileged Access and click Privileged Access Policies.

  2. Above the grid, click the Add button.

    This opens the Create Shared Credential Policy form.

  3. Enter a Name, Display Name, and Description for the policy.

  4. Select the Privileged Session Policy checkbox. Additional settings appear that relate to privileged sessions.

  5. Change the remaining settings to reflect your policy for privileged sessions:

    • Require Approval — Select to require someone to approve requests for credentials.

    • Allow Multi Check Out — Select to allow multiple users to check out credentials.

    • Reset Password On Check In — Select to have the password reset after each user checks the credentials back in after use.

    • Allow Live Snooping — Select to allow administrators and computer owners to observe live sessions.

    • Record Sessions — Select to have EmpowerID record sessions and store them where administrators and computer owners can replay them at any time.

    • Default Access Duration in Minutes — Enter the number of minutes to grant access if the user does not specify. The default value is 60 minutes.

    • Max Access Duration in Minutes — Enter the maximum number of minutes a user can request for a privileged computer session. The default value is 2880 minutes (48 hours).

    • Min MFA Points if Local — Enter the minimum number of multi-factor authentication points required for a local user to request a privileged computer session.

    • Min MFA Points if Remote — Enter the minimum number of multi-factor authentication points required for a remote user to request a privileged computer session.

    • Schedule Enabled — Select to set up a password reset schedule for the credential.

    • Password Reset Schedule — Expand the drop-down and specify the schedule for password resets.

  6. Click Save.
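As an added illustration that is not part of the EmpowerID documentation, the following Python model shows how the settings above interact when a session is requested, and how the GDPR rule from the top of the page can be checked against a policy. The class, both functions, and the recording_notice_shown flag are hypothetical and are not EmpowerID's API.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SessionPolicy:
    """Hypothetical model of the Create Shared Credential Policy form fields."""
    name: str
    require_approval: bool = False
    allow_multi_checkout: bool = False
    reset_password_on_checkin: bool = True
    allow_live_snooping: bool = False
    record_sessions: bool = False
    default_access_minutes: int = 60      # page default
    max_access_minutes: int = 2880        # page default (48 hours)
    min_mfa_points_local: int = 0
    min_mfa_points_remote: int = 0
    # Assumed flag: the user is clearly told the session is recorded and can
    # opt out by not continuing (the second GDPR option on the page).
    recording_notice_shown: bool = False


def gdpr_issues(p: SessionPolicy) -> List[str]:
    """Return reasons the policy fails the page's GDPR rule: either monitoring and
    recording are off, or the user is clearly alerted and can opt out."""
    issues = []
    if (p.allow_live_snooping or p.record_sessions) and not p.recording_notice_shown:
        issues.append("monitoring/recording enabled without a recording notice")
    return issues


def evaluate_request(p: SessionPolicy, requested_minutes: Optional[int],
                     mfa_points: int, remote: bool) -> Tuple[Optional[int], str]:
    """Check one session request against the policy.
    Returns (granted_minutes, reason); granted_minutes is None when refused."""
    minutes = requested_minutes if requested_minutes is not None else p.default_access_minutes
    if minutes <= 0 or minutes > p.max_access_minutes:
        return None, f"duration {minutes} outside 1..{p.max_access_minutes} minutes"
    needed = p.min_mfa_points_remote if remote else p.min_mfa_points_local
    if mfa_points < needed:
        return None, f"need {needed} MFA points, have {mfa_points}"
    if p.require_approval:
        return minutes, "pending approval"
    return minutes, "granted"


if __name__ == "__main__":
    # Constructed sample: a contractor policy with recording on but no notice.
    contractor = SessionPolicy(name="Contractor Servers", record_sessions=True,
                               max_access_minutes=240, min_mfa_points_remote=2,
                               require_approval=True)
    print(gdpr_issues(contractor))
    print(evaluate_request(contractor, None, 2, remote=True))
```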