
One Identity Safeguard for Privileged Passwords 2.11 - Evaluation Guide

Adding password release request policies

We now need to define the users who are authorized to make password release requests and add access request policies to define the scope (accounts that can be accessed) and rules for checking out passwords. For more information, see the Safeguard for Privileged Passwords Administration Guide, Creating an access request policy section.

To add a policy to the Linux Password Requests Entitlement

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements.
  2. Select the Linux Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement User is a person who is authorized to request passwords to accounts governed by the policies in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Linux Servers Password Release Request Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Linux Server Accounts.
      • Access Type: Password Release.
    2. Scope tab:

      • Linux Server Accounts group
    3. Requester tab:

      • Select the following reasons: SU and Sys Maint.
      • Require a Reason.
      • Require a Comment.
      • Select the Allow Requester to Change Duration option.
    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.
    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.
    6. Access Config tab:

      • Select the Change password after check-in option.
    7. Time Restrictions tab:

      • Do not set policy Time Restrictions.

    8. Emergency tab:

      • Enable Emergency Access.

To add a policy to the Windows Password Requests Entitlement

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements.
  2. Select the Windows Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement User is a person who is authorized to request passwords to accounts governed by the policies in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Weekday Maintenance Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Windows Server Accounts on weekdays.
      • Access Type: Password Release
    2. Scope tab:

      • Windows Server Accounts group
    3. Requester tab:

      • Do not require a Reason.
      • Do not require a Comment.
      • Select the Allow Requester to Change Duration option.
    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.
    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.
    6. Access Config tab:

      • Select the Change password after check-in option.
    7. Time Restrictions tab:

      • Allow users to access passwords in the scope of this policy anytime Monday through Friday.

    8. Emergency tab:

      • Do not Enable Emergency Access.

To add a policy to the Directory Requests Entitlement

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements.
  2. Select the Directory Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement User is a person who is authorized to request passwords to accounts governed by the policies in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Weekday Maintenance Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Windows Server Accounts on weekdays.
      • Access Type: Password Release
    2. Scope tab:

      • Directory Server Accounts group
    3. Requester tab:

      • Do not require a Reason.
      • Do not require a Comment.
      • Select the Allow Requester to Change Duration option.
    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.
    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.
    6. Access Config tab:

      • Select the Change password after check-in option.
    7. Time Restrictions tab:

      • Allow users to access passwords in the scope of this policy anytime Monday through Friday.

    8. Emergency tab:

      • Do not Enable Emergency Access.

Adding session request policies

Prior to requesting a session, you must create a session request policy that defines the users who are authorized to access an asset or account. As part of this request policy you will also define the protocol (SSH or RDP) to be used as well as the type of account credentials to be specified to access the asset or account.

To write the policies that govern session requests

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements.
  2. Select the Sessions Requests entitlement.
  3. On the Users tab, add the Requesters user group as the user.
  4. On the Access Request Policies tab, create the following access request policies for the sessions request entitlement:
    1. Create a policy for SSH sessions:

      General tab:

      • Policy Name: SSH Session Request Policy
      • Description: The rules that define the request, approval, and review of session requests using SSH protocol.
      • Access Type: SSH

      Scope tab:

      • Linux Server Accounts group

      Requester tab:

      • Select the following reason: SSH Session.
      • Require a Reason.
      • Require a Comment.
      • Select the Allow Requester to Change Duration option.

      Approver tab:

      • Require one person from the Approvers user group to approve a session request.

      Reviewer tab:

      • Require one person from the Reviewers user group to review a session release.

      Access Config tab:

      • Use the default settings (None is selected by default).

      Session Settings tab:

      • Select Record Sessions.
      • Select Enable Command Detection.
      • Leave the SSH Controls selected:
        • Allow SFTP
        • Allow SCP
        • Allow X11 Forwarding

      Time Restrictions tab:

      • Do not set policy time restrictions.

      Emergency tab:

      • Do not enable emergency access.
    2. Create a policy for RDP sessions:

      General tab:

      • Policy Name: RDP Session Request Policy
      • Description: The rules that define the request, approval, and review of session requests using RDP protocol.
      • Access Type: RDP

      Scope tab:

      • Windows Server Accounts group.

      Requester tab:

      • Do not select or require a reason.
      • Do not require a comment.
      • Select the Allow Requester to Change Duration option.

      Approver tab:

      • Select Auto-approved.
      • Click the To button to Notify when Account is Auto-Approved and select the Safeguard for Privileged Passwords user to receive the email notification.

      Reviewer tab:

      • Require one person from the Reviewers user group to review a past session release.

      Access Config tab:

      • Select User Supplied.

      Session Settings tab:

      • Select Record Sessions.
      • Leave the RDP In-Session Controls selected:
        • Allow Clipboard

      Time Restrictions tab:

      • Do not set policy time restrictions.

      Emergency tab:

      • Do not enable emergency access.
  5. Log out.

Password release request exercises

Now that you have set up Safeguard for Privileged Passwords, it's time to validate the access request policies you created for password release requests.

Exercise 1: Testing the password release workflow

This exercise demonstrates the password release workflow from request to approval to review.

Note: If you set up users from your test lab as the Requester, Approver, and Reviewer users, have each of them log in to a web client using a mobile device. If mobile devices are not available, have your users log in to the Safeguard for Privileged Passwords desktop client at their own workstations.

To start the web client

  1. Open a browser and navigate to https://<Appliance IP Address>.
  2. Start three instances of the web client, logging in as Joe, Abe, and Ralph, respectively.

    Note: Alternatively, you can open three browser windows on a single desktop and display them side-by-side to simulate mobile devices. Log in to each instance as your Requester, Approver, and Reviewer users.

(web client) Test: Request password

As Joe, the Requester user, perform the following steps.

  1. Use the default access options.
    • Notice how the policy configuration changes the user experience.
  2. Open Requests and review your pending requests.

Test: Approve password requests

(desktop client) If you'd rather approve it using the desktop client, proceed to the steps below.

As Abe, the Approver user, perform the following steps.

NOTE: Notice that Abe has an additional authentication step to take in order to log in to Safeguard for Privileged Passwords. In addition, since you have set up Approval Anywhere, you can use the Starling 2FA app on your mobile phone to complete the login process.

  1. Open Approvals and review the requests waiting for your approval.
  2. Select Approve/Deny to approve Joe's password requests.

Test: Use the password and check it in

As Joe, perform the following steps.

  1. Once the password becomes Available, open the requests and select Show Password to see the password on your screen.

    Make note of the password so that you can verify that Safeguard for Privileged Passwords changes it after you use it.

  2. Select Copy.
  3. Using the password in your copy buffer, log in to the test server.
  4. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  5. Select Check-In to complete the password checkout process for the password requests.

Test: Review a password release

As Ralph, the Reviewer, use the web client or desktop client:

(web client)

  1. Click Reviews. Select the request.
  2. Enter a comment.
  3. Click to mark the selected request as reviewed.

(desktop client)

  1. Open Reviews and review the requests that are waiting for your review.
    1. Select Workflow to view the transactions that took place as part of the request.
    2. Select Review to enter a comment and complete the review process.

Test: Request emergency access

As Joe, perform the following steps.

  1. Request the password for the Linux asset again, this time using the Emergency Access option.
    • Notice that the password becomes immediately available. That is because Emergency access bypasses the approval.
  2. Once the password becomes Available, open the password request and select Show Password.
    • Is the password different this time? When the Change Password After Release option is selected in the policy, Safeguard for Privileged Passwords automatically changes the password after each use.
  3. Copy the password so you can use it to manually log in to the remote asset/account.
  4. After you have successfully logged in to the remote asset/account, log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  5. Select Check-In.

Test: Review a password release

  1. As Ralph, perform the following:
    • In the web client, open Reviews and click to mark the selected request as reviewed.
    • In the desktop client:
      1. Open Reviews and review the requests that are waiting for your review.
      2. Select Workflow to view the transactions that took place as part of the request.
      3. Select Review to enter a comment and complete the review process.

TIP: If one requester checks in the request and another requester wants to use it, the second requester is unable to check out the password until the original request has been reviewed. However, the Security Policy Administrator (PolicyAdmin) can Close a request that has not yet been reviewed. This will bypass the reviewer in the workflow and allow the account to be accessed by another requester.
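Added here as an illustration of the workflow these exercises walk through, not Safeguard code and not its API: a small Python model of the request, approval, emergency access, check-in and review states, including the blocking behaviour the TIP describes. The account dictionary, the `Policy` and `Request` classes and all sample values are constructed for this example.

```python
# Constructed model of the password release workflow exercised on this page; not Safeguard code or its API.
from dataclasses import dataclass
import secrets

@dataclass
class Policy:                           # mirrors the policy tabs configured above
    approvals_required: int = 1         # Approver tab
    emergency_access: bool = False      # Emergency tab

@dataclass
class Request:
    requester: str
    approvals: int = 0
    state: str = "pending"              # pending -> available -> checked_in -> reviewed | closed

def new_account(password="initial-pw"): # constructed sample account; "last" is its latest request
    return {"password": password, "last": None}

def submit(policy, account, requester, emergency=False):
    # A new checkout is blocked while the prior request still awaits review (see TIP above).
    prev = account["last"]
    if prev is not None and prev.state not in ("reviewed", "closed"):
        raise PermissionError("prior request not reviewed; PolicyAdmin may close it")
    if emergency and not policy.emergency_access:
        raise PermissionError("emergency access not enabled by policy")
    req = Request(requester)
    if emergency:
        req.state = "available"         # emergency access bypasses approval
    account["last"] = req
    return req

def approve(policy, req):
    req.approvals += 1
    if req.state == "pending" and req.approvals >= policy.approvals_required:
        req.state = "available"

def show_password(account, req):        # password is visible only while the request is Available
    return account["password"] if req.state == "available" else None

def check_in(account, req):
    req.state = "checked_in"
    account["password"] = secrets.token_urlsafe(12)   # Change password after check-in

def review(req, comment):
    if req.state != "checked_in":
        raise PermissionError("nothing to review")
    req.state = "reviewed"

def admin_close(req):                   # PolicyAdmin closes an unreviewed request (bypasses reviewer)
    req.state = "closed"
```

Running the Linux policy (emergency access enabled) through this model shows the second requester being refused until Ralph reviews or PolicyAdmin closes the first request, and the password changing on every check-in.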
