You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Assign PSM-Enabled Computers to Access Request Policies

EmpowerID offers pre-configured Access Request policies specifically designed for Privileged Session Management (PSM), which can be used with minimal modifications or as a basis for creating custom policies. The available policies include the following:

  1. Computer Creds - Allow Multi-Check-Out - No Password Reset policy

  2. Computer Creds - No Multi-Check-Out - Password Reset policy

  3. MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset policy

For a detailed explanation of these policies, please refer to the Access Request Policies and Privileged Session Management topic.

This article demonstrates how to configure Access Request Policy settings pertinent to PSM and assign computers enabled for PSM to the policy.

Step 1 – Configure the Access Request Policy for PSM

  1. Expand Low Code/No Code Workflow on the navbar and select Access Request Policies.

  2. Search for the Access Request Policy you are assigning to the computer and click the Edit button.


    This opens the policy in edit mode.



  3. Review the following settings and adjust them as needed for your environment.

    • Approval Policy – This setting specifies who and how many approvals are needed before access to the computer creds is granted to the requesting person. The default Approval policy for computer credentials is the Owner Approval Approval policy.

    • Fulfillment Delay (HRS) – This setting specifies how long the system should wait after approval is granted before fulfilling the approval. This setting is set to 0 by default.

    • Allow Activation (Skip Business Request – This setting specifies whether a Business Request needs to be generated before preapproved users can activate their access to the credentials. This setting is to true by default, meaning preapproved users can activate the credentials.

    • Enable Just in Time Account Provisioning – This setting specifies whether a user account should be provisioned on the computer for each person accessing the machine via a privileged session. When enabled, EmpowerID generates an account with a naming convention that appends the EmpowerID logon of the person with “_RandomNumber.”
      Please note that this setting is only applicable to Windows servers that have been inventoried as a Local Windows Server account store. For more information, please see the Local Windows Servers Connector topic.
      Additionally, the computer must have it’s Just-in-Time Access settings configured to allow just-in-time account provisioning. For more information on these settings, please see the Enable Computers for Privileged Session Management topic.

    • Time Restrictions – These settings are used to specify whether the amount of time a user can access the computer per session is to be limited. If enabled, the following settings are pertinent:

      • Default Access Duration (Min) – The setting specifies the default number of minutes users can remain in an active session.

      • Man Duration (Min) – This setting specifies the maximum number of minutes users can remain in an active session before being terminated by the system.

    • MFA Required for Access Request – These settings specify whether users need to perform one or more forms of multi-factor authentication before being allowed to log in to the computer.

      • Min Login LOA if Local – This setting specifies the number of points internal users need to accrue before they can log in to the computer. The required number of points can increased or decreased according to your organization’s security policies.

      • Min Login LOA if Remote – This setting specifies the number of points internal users need to accrue before they can log in to the computer. The required number of points can increased or decreased according to your organization’s security policies.

    • PSM Computer Settings – These settings are used to specify whether privileged session policy applies when users connect to the computer.

      • Max Allowed Concurrent Sessions – Sets the maximum number of sessions that can be running during the same time period.

      • Record Sesssions – Specifies whether sessions are to be recorded.

      • Allow Live Session Snooping – Specifies whether administrators can view sessions in real-time.

  4. Save your changes.

Step 2 – Assign Computers to the Access Request Policy

  1. Back in the Access Request Policies page, click the Access Request Policy link for the policy you just configured.


    This action opens the View One page for the Access Request policy. View One pages are designed to facilitate the viewing and management of the corresponding objects in EmpowerID.

     

  2. Expand the Resources Managed by Policy accordion if it is collapsed. You use this accordion to assign computers to the policy.

  3. Click the Add button.

     

  4. In the Assignment Information pane, do the following:

    1. Select Computer from the Resource Type dropdown.

    2. Search for the computer you want to assign to the policy.

    3. Select the computer from the grid.

       

    4. Search for and select any other computers you want to add to the policy.

  5. Click Save.