In the web client, the Workflow tab is split in to three tabs that allow you to configure the requester, approver, and reviewer settings for an access request policy:
Navigate to:
- web client: Security Policy Management | Entitlements | Access Request Policies | (create or edit a policy)
Requester tab
Use the Requester tab to specify the requester settings for an access request policy.
Property | Description |
---|---|
Duration of Access Approval |
Enter or select the default duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy. The access duration cannot exceed a total of 31 days (44,640 minutes). |
Allow Requester to Change Duration | Select this check box to allow the requester the ability to modify the access duration. |
Maximum Time Requester Can Have Access |
If you select the Allow Requester to Change Duration option, you can set the maximum duration (days, hours, and minutes) that the requester can access the accounts and assets governed by this policy. The default access duration is seven days. The maximum access duration is 31 days. The users can change the access duration, but they cannot access the accounts or assets governed by this policy for longer than the maximum access duration time. |
Allow Emergency Access |
Select this option to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access. Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset. |
Ignore Time Restrictions |
Select this option to ignore time restrictions when a user requests emergency access. Clear this option if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period. |
Notify When Account is Released with Emergency access | To |
(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user. You can enter email addresses for non-Safeguard for Privileged Passwords users. To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts. IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified. |
Require Comment |
Select this check box to require that a requester provide a Comment when making an access request. |
Reasons |
Click Add to add one or more reasons to the selected access request policy. Then, when requesting access to a password, SSH key, or a session, a user can select a predefined reason from a list. Click OK to add a reason. NOTE: You must have reasons configured in Safeguard for Privileged Passwords to use this option. For more information, see Reasons.. If you do not see the reason you are looking for, you can create a reason from the Reasons dialog by clicking the New toolbar button. |
Require Reason Code |
Select this option to require that a requester provide a Reason when requesting access. This option is only available if you have selected Reasons for the policy. If you add reasons to a policy, and leave this option cleared, the users will have the option of choosing a reason; but they will not be required to select a reason. |
Approver tab
Use the Approver tab to specify the approver settings for an access request policy.
Property | Description |
---|---|
Auto-Approved |
Select this option to automatically approve all access requests for accounts and assets governed by this policy. |
Notify when Account is Auto-Approved | To |
(Optional) When no approvals are required, enter an email address or select To to choose a user to notify when access is auto-approved. If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list. NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts. |
Approvals Required |
Select this option to require approval for all access requests for accounts and assets governed by this policy. Enter the following information:
|
Notify if approvers have pending requests after To |
(Optional) Select this check box to enable notifications.
IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified. NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts. |
Approval Anywhere has been enabled. View enabled users. |
Indicates that the Approval Anywhere feature has been configured. Click the users link to view a list of the users who are authorized to approve requests using this feature. You can add users as Approval Anywhere approvers by clicking the Add toolbar button in the Approval Anywhere Users dialog. |
Reviewer tab
Use the Reviewer tab to specify the reviewer settings for an access request policy.
Property | Description |
---|---|
Review Not Required |
This check box is selected by default, indicating that no review is required for completed access requests for accounts and assets governed by this policy. |
Review Required |
Select this check box to require a review of completed access requests for accounts and assets governed by this policy.
A reviewer can only review an access request once it is completed. The users you authorize as reviewers receive alerts when an access request requires their review if they have Safeguard for Privileged Passwords configured to send alerts. TIP: As a best practice, add user groups as reviews rather than individuals. This makes it possible to add an individual reviewer to a pending access request. In addition, you can modify a reviewers list without editing the policy. |
Require Comment |
Select this check box if the reviewer is required to enter a comment when reviewing an access request. |
Pending Reviews Do Not Block Access |
Select this check box when you want to allow new access requests whether a prior request is approved or not approved. In other words, no requests will be blocked based on the approval status of a prior request. |
Notify If Reviewers Have Pending Reviews After To |
(Optional) Select this check box to enable notifications.
You can enter email addresses for non-Safeguard for Privileged Passwords users. To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts. IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified. |