Access Request Policies and Privileged Session Management

In EmpowerID, Access Request policies are essential for managing resource access by guiding the approval and fulfillment processes for user access requests. They are particularly important for Privileged Session Management (PSM), where they regulate users' access to computer credentials related to servers or other machines set up for RDP or SSH sessions. Additionally, Access Request policies establish whether such sessions fall under a privileged session policy, which governs aspects such as session recording, live session monitoring, and the maximum number of concurrent sessions allowed on a specific computer.

PSM Computer Settings on an Access Request Policy

Approval Policies for Privileged Sessions

Administrators can use Access Request policies to set up Approval Policies, ensuring that privileged session access requests are authorized by an approved user before being granted. By default, EmpowerID Access Request policies for computer credentials are configured with the Owner Approval policy, which requires the owner of a computer credential to approve access requests prior to a user initiating a session. However, organizations can choose other approval flows as desired.

Pre-configured Access Request Policies for Computer Credentials

EmpowerID provides several pre-configured Access Request policies for computer credentials, each featuring its own PSM-specific settings:

1. Computer Creds - Allow Multi-Check-Out - No Password Reset

This policy is applicable for computer credentials initiating an RDP or SSH session where multiple sessions (credential checkouts) are allowed, and password reset upon user check-in isn't required by EmpowerID.

2. Computer Creds - No Multi-Check-Out - Password Reset

This policy is applicable for computer credentials initiating an RDP or SSH session where multiple sessions aren't permitted, and you want EmpowerID to reset the account password when the user checks in the credentials.

3. MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset

This policy is applicable for computer credentials initiating an RDP or SSH session requiring multi-factor authentication, allowing multiple sessions (credential checkouts), and when you want EmpowerID to reset the account password upon user check-in.

Access Request policies for computer credentials with the Owner Approval Approval policy

 

Access Request Policy for Computer Credential Settings

By leveraging these pre-built Access Request policies and configuring them according to your organization's security requirements, administrators can effectively manage privileged sessions and ensure secure access to critical resources. Regularly reviewing and updating these policies will help maintain compliance with relevant regulations and internal policies and enhance overall security.

General Settings

Setting

Description

Setting

Description

Name

Name of the policy

Display Name

Display Name of the policy that appears to users in the UI

Description

Description of the policy

Allow Activation (Skip Business Request)

Specifies whether Business Requests are generated for access requests. If selected, the system does not route requests through Approval policies.

Approval Policy

Specifies the Approval policy linked to the Access Request policy. Approval policies determine who can approve access requests and how many approvals are required before access is granted, etc. The drault Access Request policies for computer credentials are configured with the Owner Approval Approval policy.

Fulfillment Delay (HRS)

Specifies the number of hours the system should wait to fulfill approved requests

Is Shipping Data

Internal use

Enable Just in Time Account Provisioning

Specifies whether EmpowerID should provision a user account on the computer to which the policy is applied when that user connects to the computer using PSM. This only applies when an account store is created for the computer in question. For details on how to create an account store for a Windows server, see the https://dotnetworkflow.jira.com/wiki/spaces/EAGV24R2/pages/3390543091 topic in this guide.

Selectable in UI

Specifies whether the Access Request policy can be selected in the EmpowerID Web Interface


Time Restrictions

 

Setting

Description

Setting

Description

Time Restrict Access

Specifies whether connections to the computer are restricted to specific durations of time. If enabled, additional settings can be configured to specify the default access duration, the max duration in minutes, and whether users can select durations within those parameters.

MFA Required for Access Request

 

Setting

Description

Setting

Description

Min Login LOA If Local

Specifies the minimum Level of Assurance points required for users to log in to the computer if on the local network, if any.

Min Login LOA If Remote

Specifies the minimum Level of Assurance points required for users to log in to the computer if the user is remote, if any.

Shared Credential Settings

Setting

Description

Setting

Description

Publish in IAM Shop

Specifies whether credentials are available to eligible users in the IAM Shop

Allow Multi Check Out

Specifies whether credentials can be checked out by multiple concurrent users

Reset Password On Check In

Specifies whether EmpowerID should reset the password portion of the credential after a user completes their session and disconnects from the computer

Update Windows Services On Password Reset

Specifies whether EmpowerID should update Windows services passwords after a user completes their session and disconnects from the computer

Update IIS App Pools On Password Reset

Specifies whether EmpowerID should update IIS App Pool passwords after a user completes their session and disconnects from the computer

PSM Computer Settings

Setting

Description

Setting

Description

Privileged Session Policy

Specifies whether privileged session policy applies when users connect to the computer. If selected, additional settings are used to determine the maximum number of concurrent sessions are allowed, whether sessions are to be recorded and whether administrators can view current sessions in real time.

Password Rotation Settings

These settings are used to specify whether passwords for credentials should be automatically reset by EmpowerID on a scheduled basis. If selected, you can specify the start and end dates and the frequency of the resets.

Assigning Access Request Policies to Computers