Vaulting Computer Credentials

In EmpowerID, computer credentials are vaulted user names and passwords for Windows computers or SSH keys for Linux computers. Users can check credentials out to initiate RDP or SSH sessions on computers using EmpowerID's Privileged Session Manager. When you vault a computer credential, you specify the type of computer credential you are creating and link it to the Shared Credential policy for that credential type.

To initiate computer credential vaulting for computers, a user needs an access assignment that includes the following Management Roles. Please note that the VIS-* and ACT-* Management Roles are scoped by location; thus a user only needs the specific roles pertaining to the computers for which they are responsible for vaulting and maintaining vaulted credentials.

  • UI-Computer-PAM-User-Full-Access — This Management Role grants access to the user interfaces and workflows for managing computer objects for privileged session management.

  • UI-Computer-Shared-Credential-PAM-User-Full-Access — This Management Role grants access to the user interfaces and workflows for managing shared credentials and their relationship to computer objects.

  • VIS-Computer-All — This Management Role grants users the ability to see all computers.

  • VIS-Computer-MyLocations — This Management Role grants users the ability to see all computers in a Person's locations.

  • VIS-Computer-MyOrg — This Management Role grants users the ability to see all computers in a Person's organizations.

  • VIS-Computer-WhereLocalAdmin — This Management Role grants users the ability to see all computers where the person is a member of the local admins group.

  • ACT-Computer-Shared-Credential-Assigner-All — This Management Role grants users the ability to assign and unassign shared credentials to any computer.

  • ACT-Computer-Shared-Credential-Assigner-MyLocations — This Management Role grants users the ability to assign and unassign shared credentials to all computers in a Person's locations.

  • ACT-Computer-Shared-Credential-Assigner-MyOrganization — This Management Role grants users the ability to assign and unassign shared credentials to all computers in a Person's organization.

  • ACT-Computer-Shared-Credential-Assigner-Responsible — This Management Role grants users the ability to assign and unassign shared credentials to all computers where the Person is assigned as the responsible person.

Users who vault computer credentials are the owners or Access Managers for those computer credentials. Access Managers can approve or deny access requests for the computer credentials they own, and can terminate RDP or SSH sessions on those computers.

To vault computer credentials

  1. On the navbar, expand Privileged Access and click Computers.

  2. Click the Computer Credentials tab and then click the Add button.


  3. From the Type drop-down of the Password Vault Data dialog that appears, select the appropriate type of credential. Your options include the following:

    • Default Credentials — Select this standard credential type to vault any set of credentials that has significance in your environment.

    • Domain Admin — Select this credential type to vault credentials for the administrator account in a domain managed in EmpowerID. Approved users are granted domain administrator permissions for all computers in the domain that you link to the credential.

    • Domain User — Select this credential type to vault credentials for a non-administrator account in a domain managed in EmpowerID. Approved users are granted user account permissions for each computer in the domain that you link to the credential.

    • Local Admin — Select this credential type to vault credentials for an administrator account on a local computer managed in EmpowerID. Approved users are granted administrator permissions on the local computer.

  4. Enter a name for the credential in the Name and Display Name fields. As a best practice, you should not give a vaulted computer credential the same name as the account to which the credential is linked.

  5. From the Shared Credential Policy drop-down, select the Shared Credential policy to link to the Computer Credential. Here are the default options for computers:

    • Computer Creds - Allow Multi-Check-Out - No Password Reset — Select this policy to create credentials that initiate an RDP or SSH session where more than one session (credential check out) is allowed and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. The reset password on check-in option should be disabled for Multi-Checkout policies. For Multi-Checkout policies, you can rotate the passwords after hours using the scheduled reset feature.

    • Computer Creds - No Multi-Check-Out - Password Reset — Select this policy to create credentials that initiate an RDP or SSH session where more than one session is not allowed and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

    • MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset — Select this policy to create credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential check out) is allowed, and you do not want EmpowerID to reset the password for the account when the user checks in the credentials.

  6. Type a description in the Description field.

  7. To vault credentials for a domain admin or user, in the Managed User Account field, enter a managed user account and then click the tile for the account to select it. This field does not appear on the form if you select Default Credentials from the Type drop-down.


  8. In the User Name field, enter the user name for the account you are vaulting.

  9. To vault credentials that initiate an RDP session with a Windows computer, in the Password field, enter the password for the account.

  10. To vault credentials that initiate an SSH session with a Linux computer, select the SSH Key checkbox, then browse for and select the SSH Key for the computer.

  11. Optionally enter notes in the Notes field.

  12. Click Save.

  13. If you have not yet entered your master password for this session, EmpowerID prompts you to do so. Enter your master password and click OK.


  14. If you have not yet created a master password for yourself, EmpowerID prompts you to do so. Enter a password in the Password and Confirm Password fields and click OK.


Please note that when creating a master password, you cannot use the same password associated with your EmpowerID Person.

Now that you have vaulted the computer credential, link it to one or more managed computers or a managed domain to allow users to access those computers using the credential.
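The Shared Credential policies chosen in step 5 differ on three switches: whether more than one check-out may be open at once, whether the password is reset when a credential is checked in, and whether MFA is required. The following is an added illustration written for this page, not EmpowerID code and not its API: a small model of a credential vault that applies those switches on check-out and check-in, and enforces the rule stated above that reset-on-check-in must be disabled for multi-check-out policies (otherwise one user's check-in would rotate the password out from under every other open session). The policy objects are named after the page's three defaults with their flag values read off the names; the `scheduled_reset` behaviour of skipping rotation while a session is still open is an assumption made for the example.

```python
"""Toy model of shared-credential check-out policies (added example, not EmpowerID code)."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class SharedCredentialPolicy:
    """The three switches the page's default policies differ on."""
    name: str
    allow_multi_checkout: bool
    reset_password_on_checkin: bool
    require_mfa: bool


class PolicyError(Exception):
    pass


def validate_policy(policy: SharedCredentialPolicy) -> SharedCredentialPolicy:
    """Enforce the page's rule: reset-on-check-in must be disabled when several
    concurrent check-outs are allowed, or a check-in by one user would rotate
    the password while other users still hold sessions."""
    if policy.allow_multi_checkout and policy.reset_password_on_checkin:
        raise PolicyError(f"{policy.name}: reset on check-in is incompatible with multi-check-out")
    return policy


# Policies named after the page's defaults; flag values are read off the names.
MULTI_NO_RESET = validate_policy(SharedCredentialPolicy(
    "Computer Creds - Allow Multi-Check-Out - No Password Reset", True, False, False))
SINGLE_RESET = validate_policy(SharedCredentialPolicy(
    "Computer Creds - No Multi-Check-Out - Password Reset", False, True, False))
MFA_MULTI_NO_RESET = validate_policy(SharedCredentialPolicy(
    "MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset", True, False, True))


@dataclass
class VaultedCredential:
    name: str
    username: str
    secret: str  # password or SSH key material; only the vault ever holds it
    policy: SharedCredentialPolicy
    active_checkouts: set = field(default_factory=set)  # persons with an open session


def check_out(cred: VaultedCredential, person: str, mfa_verified: bool = False) -> str:
    """Release the secret to `person` if the policy allows it."""
    if cred.policy.require_mfa and not mfa_verified:
        raise PolicyError("MFA required before check-out")
    if cred.active_checkouts and not cred.policy.allow_multi_checkout:
        raise PolicyError(f"already checked out by {sorted(cred.active_checkouts)}")
    cred.active_checkouts.add(person)
    return cred.secret


def check_in(cred: VaultedCredential, person: str) -> bool:
    """Close the session; rotate the secret if the policy says so. Returns True if rotated."""
    if person not in cred.active_checkouts:
        raise PolicyError(f"{person} holds no check-out on {cred.name}")
    cred.active_checkouts.remove(person)
    if cred.policy.reset_password_on_checkin:
        cred.secret = secrets.token_urlsafe(24)
        return True
    return False


def scheduled_reset(cred: VaultedCredential) -> bool:
    """After-hours rotation for multi-check-out credentials. Assumed behaviour:
    rotation is skipped while any session is still open. Returns True if rotated."""
    if cred.active_checkouts:
        return False
    cred.secret = secrets.token_urlsafe(24)
    return True


if __name__ == "__main__":
    # Constructed sample: a single-check-out credential with reset on check-in.
    cred = VaultedCredential("web01-local-admin", "svc_admin", "initial-pw", SINGLE_RESET)
    check_out(cred, "alice")
    try:
        check_out(cred, "bob")
    except PolicyError as err:
        print("denied:", err)
    print("rotated on check-in:", check_in(cred, "alice"))
```

The model shows why the two settings are coupled: with `SINGLE_RESET`, a second check-out is refused and the password is rotated the moment the one session is checked in, so the released secret is worthless afterwards; with the multi-check-out policies, rotation has to wait for the scheduled reset because several people may legitimately hold the same secret at once.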