Onboard Credentials
Managing credentials—such as usernames, passwords, and certificates—can be complex and critical for organizations. EmpowerID simplifies this process through a user-friendly Onboard Credentials wizard workflow, enhancing security and ease of access.
In this article, you'll learn how to onboard credentials efficiently using EmpowerID's Onboard Credentials wizard workflow.
Prerequisites
To initiate credential vaulting, ensure that you have the appropriate Management Roles for the type of credential being vaulted. Refer to the Granting Access to PAM with Management Roles article for more information.
Procedure
Step 1 – Open the Onboard Credentials Wizard
Sign in to the IAM Shop portal.
Select Credentials from the Resource Type dropdown.
Navigate to the Workflows tab.
Click Onboard a Credential.
This action opens the Onboard Credential wizard workflow.
Step 2 – Enter Credential Information
In the wizard, fill in the following credential information:
Name – Enter the name of the credential.
Display Name – Provide the display name.
Credential Type – Select the appropriate credential type from the following options:
Azure Application Certificate – Vault a certificate for an Azure application managed by EmpowerID.
Azure Application Secret – Vault a secret for an Azure application managed by EmpowerID.
Default Credentials – Vault any set of credentials significant to your environment.
Domain Admin – Vault credentials for the administrator account in a domain managed by EmpowerID. Approved users are granted domain administrator permissions for all computers linked to the credential.
Domain User – Vault credentials for a non-administrator account in a domain managed by EmpowerID. Approved users are granted user permissions for each computer linked to the credential.
Local Admin – Vault credentials for an administrator account on a local computer managed by EmpowerID. Approved users are granted administrator permissions on the local computer.
Personal Credential – Vault personal credentials for your use.
User Name – Enter the username portion of the credentials.
Inventoried User Account – Search for and select the inventoried user account associated with the credentials. (This field only appears for Domain Admin, Domain User, and Local Admin credential types.)
Password – Enter the password portion of the credentials. (This field is not used when using SSH Keys.)
SSH Key – If onboarding credentials for a Linux system, select this option and then upload the SSH public key file.
Encrypted Notes – Optionally, enter any notes.
Description – Optionally, enter a description.
Location – Click the Select a Location link, then search for and select the desired location for the credentials. (This field does not appear when onboarding Personal Credentials.)
Enabled – Select this option to enable the usage of the credentials.
Click Next to proceed to the Access Request Settings configuration step.
Step 3 – Configure Access Request Settings
Under Owners and Policies, configure the following settings:
Access Request Policy – Select the appropriate Access Request policy for the credential. The following default policies are linked to the Owner Approval Flow policy, meaning the credential owner must approve access requests:
Computer Creds - Allow Multi-Check-Out - No Password Reset – For RDP or SSH sessions where more than one session (credential checkout) is allowed, and passwords are not reset when checked in.
Computer Creds - No Multi-Check-Out - Password Reset – For single-session credentials where passwords are reset upon check-in.
MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset – For RDP or SSH sessions requiring multi-factor authentication, where multiple sessions are allowed, and passwords are reset upon check-in.
Non-Computer Creds - Multi-Check-Out - No Password Reset – For non-computer credentials where multiple checkouts are allowed, and passwords are not reset when checked in.
Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – For credentials that do not require approval, do not allow multiple checkouts, and require password resets upon check-in.
Non-Computer Creds - No Multi-Check-Out with Password Reset – For credentials that do not allow multiple checkouts and require password resets upon check-in. (Only valid for user accounts with vaulted passwords in EmpowerID.)
Responsible Party – Search for and select the person responsible for the credentials.
Credential Owner – Search for and select the owner of the credentials.
Under Configure Eligibility, add any eligible users for the credential as needed. Only users marked eligible can request access to the credentials in the IAM Shop.
Click Next.
Review the Operation Execution Summary and click Submit.
Step 4 – Link Computers to Credential (Optional)
If you are creating a computer credential, you are presented with a computer lookup that lets you search for one or more computers to which the credential can be linked; otherwise, the workflow exits.
To link the credential to a computer, follow these steps:
In the Computer lookup section of the workflow, search for the computer to which you want to link the credential and tick the box on the computer record to select it.
Repeat to select other computers as needed.
Click Next to complete the onboarding process.
Click Submit to close the operation execution summary.