You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Skip to end of banner
Go to start of banner

Onboard Credentials

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

EmpowerID provides an Onboard Credentials wizard workflow designed to simplify and secure the process of vaulting computer and non-computer credentials. Credential management can be a challenging and risky task, as it involves storing sensitive information, such as usernames, passwords, and certificates. Onboard Credentials addresses these challenges by providing a guided, intuitive, and automated approach to credential vaulting, which ensures that all credentials are properly secured and easily accessible when needed. With Onboard Credentials, users can quickly and easily vault both computer and non-computer credentials, including Active Directory (AD) accounts, service accounts, SSH keys, API keys, and more, without having to navigate complex interfaces or processes. This wizard workflow is a valuable tool for organizations looking to streamline their credential management and improve their overall security posture.

To initiate any credential vaulting, users need to have the appropriate Management Roles for the type of credential being vaulted. For a complete list of the Management Roles associated with shared credentials, please see PAM Management Roles.

Onboard a credential

  1. Sign-in to the Resource Admin portal.

  2. Select Credentials from the Resource Type dropdown.

  3. Select the Workflows tab and click Onboard a Credential.


    This opens the Onboard Credential wizard workflow.

  4. Enter the following credential information:

    • Name

    • Display Name

    • Credential Type – Select the appropriate type of credential. Options include the following:

      • Azure Application Certificate – Select this credential type to vault a certificate for an Azure application managed by EmpowerID.

      • Azure Application Secret – Select this credential type to vault a secret for an Azure application managed by EmpowerID.

      • Default Credentials – Select this credential type to vault any set of credentials that has significance in your environment.

      • Domain Admin – Select this credential type to vault credentials for the administrator account in a domain managed in EmpowerID. Approved users are granted domain administrator permissions for all computers in the domain that you link to the credential.

      • Domain User – Select this credential type to vault credentials for a non-administrator account in a domain managed in EmpowerID. Approved users are granted user account permissions for each computer in the domain that you link to the credential.

      • Local Admin – Select this credential type to vault credentials for an administrator account on a local computer managed in EmpowerID. Approved users are granted administrator permissions on the local computer.

    • Personal Credential – Select this option if the credentials are personal to a specific user.

    • User Name – Enter the user name portion of the credentials.

    • Inventoried User Account – Search for and select the inventoried user account associated with the credentials. This field appears for Domain Admin, Domain User, and Local Admin credential types only.

    • Password – Enter the password portion of the credentials. This field is not used when using SSH Keys.

    • SSH Key – If onboarding credentials for a Linux system, select this option and then upload the SSH public key file.

    • Encrypted Notes – Optionally, enter any notes.

    • Description – Optionally, enter a description.

    • Location – Click the Select a Location link, then select a location for the credential and click Save.
      This field does not appear when onboarding Personal Credentials.

    • Enabled – Select this option to enable usage of the credentials.

  5. Click Next to proceed to the Access Request Settings configuration step.

  6. Under Owners and Policies, configure the following settings:

    • Access Request Policy – Select the Access Request policy appropriate for the credential. All of the below default policies are linked to the Owner Approval Approval Flow policy, which means that the owner of the credential must approve access requests.

      • Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where more than one session (credential check out) is allowed, and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. This policy is configured with the Owner Approval Approval Flow policy.

      • Computer Creds - No Multi-Check-Out - Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where more than one session is not allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

      • MFA - Computer Creds - Allow Multi- Check-Out - No Password Reset – Select this policy when creating credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential check out) is allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

      • Non-Computer Creds - Multi-Check-Out - No Password Reset – Select this policy when creating credentials for an account where more than one check out is allowed, and you do not want EmpowerID to reset the password when a user checks in the credentials.

      • Non-Computer Creds - No Approval, No Multi Check-Out with Password Reset – Select this policy when creating credentials for an account where more than one check out is not allowed, no approval is required, and you want EmpowerID to reset the password when a user checks in the credentials.

      • Non-Computer Creds - No Multi-Check-Out with Password Reset – Select this policy when creating credentials for an account where more than one check out is not allowed, and you want EmpowerID to reset the password when a user checks in the credentials. Please note that this policy type is only valid for use with user accounts with passwords that have been vaulted in EmpowerID. The user account must belong to a domain or account store that has been inventoried by EmpowerID.

    • Responsible Party – Search for and select the person responsible for the credentials.

    • Credential Owner – Search for and select the owner of the credentials.

  7. Under Configure Eligibility, add any eligible users for the credential as needed. Users must have a form of eligibility to request access to the credentials in the IAM Shop.

 Eligible Assignees

This setting allows you to specify who is eligible to request the credential. Eligible assignees can include the following:

  • Person – You can assign eligibility to individual people within your organization.

  • Group – You can assign eligibility to groups. When selected, members of those groups can request access.

  • Set Group – You can assign eligibility to Set Groups. When selected, members of those Set Groups can request access.

  • Management Role – You can assign eligibility to Management Roles. When selected, members of those Management Roles can request access.

  • Management Role Definition – You can assign eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

  • Business Role and Location – You can assign eligibility to Business Roles and Locations. When selected, members of those Business Roles and Locations can request access.

To add eligible assignees, do the following:

  1. Under Eligible Assignees, select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a Management Role, search for and select the specific role.

  3. Click Add.

  4. Repeat the above steps to add other eligible assignees as needed.

 Pre-Apprioved Assignees

This setting allows you to specify who is pre-approved for the credential. Users who are pre-approved need to activate their membership. No further approvals are needed. Pre-approved assignees can include the following:

  • Person – You can assign pre-approval status to individual people within your organization.

  • Group – You can assign pre-approval status to groups. When selected, all members of those groups are pre-approved.

  • Set Group – You can assign pre-approval status to Set Groups. When selected, all members of those Set Groups are pre-approved.

  • Management Role – You can assign pre-approval status to Management Roles. When selected, all members of those Management Roles are pre-approved.

  • Management Role Definition – You can assign pre-approval status to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition are pre-approved.

  • Business Role and Location – You can assign pre-approval status to Business Roles and Locations. When selected, all members of those Business Roles and Locations are pre-approved.

To add pre-approved assignees, do the following:

  1. Under Pre-Approved Assignees, select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning pre-approval status to a Business Role and Location, search for and select the specific role and location.

  3. Click Add.

 Suggested Assignees

This setting allows you to specify who sees the credential as suggested in the IAM shop. Suggested assignees who request access to the credential route through the regular approval process set by the Access Request policy for the credential. Suggested assignees can include the following:

  • Person – You can assign suggested eligibility to individual people within your organization.

  • Group – You can assign suggested eligibility to groups. When selected, all members of those groups can request access.

  • Set Group – You can assign suggested eligibility to Set Groups. When selected, all members of those Set Groups can request access.

  • Management Role – You can assign suggested eligibility to Management Roles. When selected, all members of those Management Roles can request access.

  • Management Role Definition – You can assign suggested eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

  • Business Role and Location – You can assign suggested eligibility to Business Roles and Locations. All members of those Business Roles and Locations can request access when selected.

To add suggested assignees, do the following:

  1. Select the assignee type from the Choose Type dropdown.

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a Set Group, search for the specific Set Group.

  3. Click Add.

  4. Repeat the above steps to add other suggested assignees as needed.

8. Click Next.

9. Review the Operation Execution Summary and click Submit to exit the workflow.

  • No labels