You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Assign PSM-Enabled Computers to Access Request Policies

EmpowerID has pre-configured Access Request policies tailored for Privileged Session Management (PSM). These policies are ready to use with minimal adjustments or can serve as templates for creating customized policies suited to specific organizational needs. The available pre-configured policies include:

  • Computer Creds - Allow Multi-Check-Out - No Password Reset: This policy allows multiple check-outs of credentials without requiring a password reset after each session.

  • Computer Creds - No Multi-Check-Out - Password Reset: This policy is designed for environments where credential check-out is restricted to one user at a time, with a mandatory password reset after each session.

  • MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset: This policy combines the flexibility of multiple credential check-outs with the added security of Multi-Factor Authentication (MFA) without requiring a password reset post-session.

For a detailed explanation of each policy, including their specific settings and configurations, please refer to the topic.

How to Configure and Assign PSM Policies

This section will guide you through the steps to configure the PSM-specific settings within these Access Request policies and how to assign computers enabled for PSM to the appropriate policy. Configuring these policies involves selecting the right settings that align with your security and operational requirements and assigning these policies to the relevant computer resources within your organization.

By following these steps, you can ensure that your PSM setup is robust, compliant with organizational policies, and tailored to the security needs of your specific IT environment.

Step 1 – Configure the Access Request Policy for PSM

  1. Expand Low Code/No Code Workflow on the navbar and select Access Request Policies.

  2. Search for the Access Request Policy you are assigning to the computer and click the Edit button to open the policy in edit mode.

  3. Review and adjust the following settings as needed for your environment:

| Setting | Default Value | Description |
|---|---|---|
| Approval Policy | Owner Approval | Specifies who and how many approvals are needed before access to the computer credentials is granted. |
| Fulfillment Delay (HRS) | 0 | Defines the waiting period (in hours) after approval before the system fulfills the request. |
| Allow Activation (Skip Business Request) | True | Determines whether a Business Request needs to be generated before preapproved users can activate their access. |
| Enable Just-in-Time Account Provisioning | Applicable only to Windows servers | Indicates whether a user account should be provisioned on the computer for each person accessing via a privileged session. When enabled, EmpowerID generates an account using a naming convention that appends "_RandomNumber" to the person's EmpowerID logon. This setting is applicable only to Windows servers cataloged as a Local Windows Server account store. Also, ensure the computer’s Just-in-Time Access settings are configured to allow this account provisioning. For additional details, refer to the topic. |
| Default Access Duration (Min) | - | Specifies the default duration (in minutes) for active sessions. |
| Max Duration (Min) | - | Determines the maximum duration (in minutes) for active sessions before automatic termination. |
| Min Login LOA if Local | - | Defines the minimum Level of Assurance points needed for internal users to log in. |
| Min Login LOA if Remote | - | Sets the required Level of Assurance points for remote logins. |
| Max Allowed Concurrent Sessions | - | Specifies the number of concurrent sessions allowed. |
| Record Sessions | - | Determines whether sessions should be recorded. |
| Allow Live Session Snooping | - | Allows administrators to view sessions in real-time. |

  4. Save your changes after configuring the settings.

Step 2 – Assign Computers to the Access Request Policy

  1. Back on the Access Request Policies page, click the Access Request Policy link for the policy you configured.

     This action opens the View One page for the Access Request policy. View One pages are designed to facilitate the viewing and managing of the corresponding objects in EmpowerID.

  2. If the Resources Managed by Policy accordion is collapsed, expand it. You use this accordion to assign computers to the policy.

  3. Click the Add button.

     

  4. In the Assignment Information pane, do the following:

    1. Select Computer from the Resource Type dropdown.

    2. Search for the computer you want to assign to the policy.

    3. Select the computer from the grid.

       

    4. Search for and select any other computers you want to add to the policy.

  5. Click Save.