Now that you have setup Safeguard for Privileged Passwords, it's time to validate the access request policies you created for password release requests.
Now that you have setup Safeguard for Privileged Passwords, it's time to validate the access request policies you created for password release requests.
This exercise demonstrates the password release workflow from request to approval to review.
NOTE: If you setup users from your test lab as a Requester, Approver, and Reviewer user, have each of them log in to a web client using a mobile device. If mobile devices are not available, have your users log in to the Safeguard for Privileged Passwords desktop client at their own workstations.
To start the web client
Start three instances of the web client, logging in as Joe, Abe, and Ralph, respectively.
NOTE: Alternatively, you can open three browser windows on a single desktop and display them side-by-side to simulate mobile devices. Log in to each instance as your Requester, Approver, and Reviewer users.
(web client) Test: Request password
As Joe, the Requester user, perform the following steps.
Test: Approve password requests
(web client) Did you receive a notification on your mobile phone? You can approve the request from your mobile device without being logged in to Safeguard for Privileged Passwords. As Abe, the Approver user, click Approvals on the left of the page to complete the approval.
(desktop client) If you'd rather approve it using the desktop client proceed to the steps below.
As Abe, the Approver user, perform the following steps.
NOTE: Notice Abe has an additional authentication step to take in order to log in to Safeguard for Privileged Passwords. In addition, since you have set up Approval Anywhere, you can use the Starling 2FA app on your mobile phone to complete the login process.
Select Approve/Deny to approve Joe's password requests.
Test: The password and check it in
As Joe, perform the following steps.
Once the password becomes Available, open the requests and select Show Password to see the password on your screen.
Make note of the password so that you can verify that Safeguard for Privileged Passwords changes it after you use it.
Test: Review a password release
As Ralph, the Reviewer, use the web client or desktop client:
(web client)
(desktop client)
Test: Request emergency access
As Joe, perform the following steps.
Test: Review a password release
Select Workflow to view the transactions that took place as part of the request.
TIP: If one requester checks in the request and another requester wants to use it, the second requester is unable to check out the password until the original request has been reviewed. However, the Security Policy Administrator (PolicyAdmin) can Close a request that has not yet been reviewed. This will bypass the reviewer in the workflow and allow the account to be accessed by another requester.
Now that you have seen the end-to-end password release process from request to approval to review, let's demonstrate how the entitlement and policy time restrictions affect a password request.
An entitlement's time restrictions enforce when Safeguard for Privileged Passwords uses a policy. A policy's time restrictions enforce when a user can access the account passwords. If the entitlement and the policy both have time restrictions, the user can only check out the password for the overlapping time frame.
Time restrictions control when the entitlement or policy is in effect relative to a user's time zone. Although Safeguard for Privileged Passwords Appliances run on Coordinated Universal Time (UTC), the user's time zone enforces the time restrictions set in the entitlement or policy. This means that if the appliance and the user are in different time zones, Safeguard for Privileged Passwords enforces the policy in the user's time zone set in their account profile.
User can change their time zone, by default. Or, the User Administrator can prohibit a user from changing the time zone, possibly to ensure adherence to policy. For more information, see
Test: Entitlement time restrictions
As Joe, assuming that it is currently not during your lunch hour, request a password for a Linux account, for a duration of five minutes.
Test: Entitlement expiration
Did you see Safeguard for Privileged Passwords's notification?
NOTE: If you do not see the notification refresh your screen.
Test: Policy time restrictions
To determine which policy to use for a password release, Safeguard for Privileged Passwords considers both entitlement and policy priorities. Safeguard for Privileged Passwords first considers the entitlement priority, then the priorities of policies within that entitlement.
To test entitlement priorities, an account must be governed by two different entitlements.
Verify that the Linux Password Requests entitlement is priority #1.
NOTE: Safeguard for Privileged Passwords displays the priority number under the entitlement name.
To test policy priorities, an account must be in the scope of two policies within the same entitlement.
General tab:
Scope tab:
Requester tab:
Approver tab:
Reviewer tab:
Access Config tab:
Time Restrictions tab:
Emergency tab:
Are you required to add a Reason for your password request?
If not, then you know Safeguard for Privileged Passwords used the Weekday Maintenance Policy which does not have Reasons or Comments enabled.
Did the Time Restrictions prevent you from checking out this password?
The Weekday Maintenance Policy does not permit you to request a password on Sunday.
Are you required to add a Reason for your password request?
If so, then you know Safeguard for Privileged Passwords used the Sunday Maintenance Policy; the Weekday Maintenance Policy does not have Reasons or Comments enabled.
Did the Time Restrictions prevent you from checking out this password?
The Sunday Maintenance Policy permits you to request a password on Sunday.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center