Privileged access requests
Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.
In order for a request to progress through the workflow process, authorized users perform assigned tasks. These tasks are performed from the user's Home page.
As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, an Administrator can set up alerts to be sent to users when there are pending tasks needing attention. For more information, see Configuring alerts.
The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:
-
Requesters see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).
Requesters can also define favorite requests, which then appear on their Home page for subsequent use.
- Approvers see tasks related to approving (or denying) and revoking access requests.
- Reviewers see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.
The following three workflows are available:
Configuring alerts
All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.
Email notifications
You must configure Safeguard for Privileged Passwords properly for users to receive email notifications:
- For Local users, you must set your email address correctly in My Settings. For more information, see My Settings.
- For Directory users, set your email correctly in the directory where your user resides.
- The Security Policy Administrator must configure the access request policies to notify people of pending access workflow events (that is, pending approvals and pending reviews). For more information, see Creating an access request policy.
- The Appliance Administrator must configure the SMTP server. For more information, see Enabling email notifications.
Role-based email notifications generated by default
Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.
NOTE: Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:
POST /service/core/v3/Me/Subscribers/{id}/Disable
In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:
POST /service/core/v3/EventSubscribers
Password release request workflow
Safeguard for Privileged Passwords provides secure control of managed accounts by storing account passwords until they are needed, and releases them only to authorized persons. Then, Safeguard for Privileged Passwords automatically updates the account passwords based on configurable parameters.
Typically, a password release request follows this workflow.
- Request: Users that are designated as an authorized user of an entitlement can request passwords for any account in the scope of that entitlement's policies.
- Approve: Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.
- Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy.