Understanding Management Policies
Management Policy is a core element of Password Manager. Using the Management Policy, you can configure workflows for registering new users, resetting passwords, and other tasks. For each Management Policy you can configure a user scope, and delegate Helpdesk tasks by configuring a Helpdesk scope. You can configure multiple Management Policies with different user and Helpdesk scopes, workflows, and secret questions. The default Management Policy with preconfigured workflows is available out of the box.
A Management Policy consists of the following components:
- Questions and Answers policy
- User scope
- Helpdesk scope
- Workflows
- User enforcement rules and reminders
User scope is a group or several groups of users managed by Password Manager. When configuring a user scope for a Management Policy, you can add user groups from different domains. For more information about the user scope, see Configuring user scope.
Helpdesk scope is a group of Helpdesk operators who are allowed to manage users from the user scope of the same Management Policy. By configuring the Helpdesk scope, you can delegate administrative tasks to specified Helpdesk operators. For more information about the Helpdesk scope, see Configuring access to the Helpdesk site.
Questions and Answers policy (Q&A policy) is a policy within which secret questions and Q&A profile settings are defined. Secret questions are a set of mandatory, optional, and Helpdesk questions for users' Questions and Answers profiles. These questions are used to register users with Password Manager and later to authenticate users when they use the Self-Service site. Q&A profile settings define how many questions a user must answer to create a Q&A profile and set requirements for the user's questions and answers. For more information about Q&A policy, see Configuring Questions and Answers policy.
All workflows are divided into two categories: Self-Service and Helpdesk workflows. The Self-Service workflows define the tasks available to users on the Self-Service site, that is, every configured workflow is a task on the Self-Service site. The Helpdesk workflows define what tasks are available to Helpdesk operators on the Helpdesk site. A workflow consists of several activities that you can add to or remove from the workflow to customize it.
The Default Management Policy offers preconfigured workflows that can be easily customized. For more information about workflows, see Workflow overview.
User enforcement rules and reminders allow you to set up the enforcement schedule to invite users to create or update their Q&A profiles and configure the reminder that will notify users to change passwords before password expiration. For more information, see User Enforcement Rules.
Configuring Access to the Administration Site
By default, access to the Administration site is granted only to domain users from AD who are members of the local Administrators group, and to members of the PMAdmin group, which is created during Password Manager installation.
To provide access to the Administration site, add the delegated administrators' accounts to the PMAdmin group and also add them to the IIS_IUSRS or Administrators group. Members of the referenced groups have access to the complete functionality of the Administration site.
Note that the account that you specified as Application Pool Identity when installing Password Manager is automatically added to the PMAdmin group.
IMPORTANT: Make sure to grant access to the Administration site only to the most trustworthy persons, since managing the Password Manager configuration may require dealing with user-sensitive information.
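As an added example (not part of the Password Manager documentation), the following PowerShell script audits who currently holds Administration site access on a Password Manager server under the rule above: every PMAdmin member is checked for membership in the local IIS_IUSRS or Administrators group, and domain principals that have access through local Administrators alone are listed separately. It assumes PMAdmin is a local group on the server (use Get-ADGroupMember instead if your installation created it in the domain) and that the script runs in an elevated session on that server.

```powershell
# Added example (not part of the Password Manager documentation): audit who has
# Administration site access on a Password Manager server. Assumes PMAdmin,
# IIS_IUSRS and Administrators are local groups on this server and that the
# script runs in an elevated session there.

function Get-MembersSafe {
    param([string]$Group)
    try { Get-LocalGroupMember -Group $Group -ErrorAction Stop }
    catch { Write-Warning "Cannot read local group '$Group': $($_.Exception.Message)"; @() }
}

$pmAdmin    = @(Get-MembersSafe -Group 'PMAdmin')
$admins     = @(Get-MembersSafe -Group 'Administrators')
$iisNames   = @(Get-MembersSafe -Group 'IIS_IUSRS') | ForEach-Object { $_.Name.ToLowerInvariant() }
$adminNames = $admins  | ForEach-Object { $_.Name.ToLowerInvariant() }
$pmNames    = $pmAdmin | ForEach-Object { $_.Name.ToLowerInvariant() }

# Per the documentation, a delegated administrator needs PMAdmin membership plus
# membership in IIS_IUSRS or Administrators; PMAdmin alone is an incomplete grant.
$report = foreach ($m in $pmAdmin) {
    $name  = $m.Name.ToLowerInvariant()
    $inIis = $iisNames   -contains $name
    $inAdm = $adminNames -contains $name
    $status = if ($inIis -or $inAdm) { 'Admin site access' } else { 'Incomplete grant' }
    [pscustomobject]@{
        Account        = $m.Name
        Type           = $m.ObjectClass   # 'User' or 'Group'; nested groups are not expanded
        IIS_IUSRS      = $inIis
        Administrators = $inAdm
        Status         = $status
    }
}
$report | Format-Table -AutoSize

# Domain principals in local Administrators have Administration site access even
# without PMAdmin membership, so list them separately for the access review.
$adminOnly = $admins | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and
    ($pmNames -notcontains $_.Name.ToLowerInvariant())
}
if ($adminOnly) {
    Write-Host 'Domain principals with access via local Administrators only:'
    $adminOnly | Select-Object Name, ObjectClass | Format-Table -AutoSize
}
```

Get-LocalGroupMember does not expand nested groups, so any member reported with Type 'Group' should be expanded in AD to see the individual accounts it admits.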
Configuring Access to the Self-Service Site
Configuring access to the Legacy Self-Service site or Password Manager Self-Service site
To configure access to the Legacy Self-Service site or the Password Manager Self-Service site, you need to configure a user scope for the Management Policy you want to use. The workflows and secret questions that you configure for the Management Policy will apply only to the user scope of this Management Policy. You can add groups from different domains to a single user scope.
For more information, see Configuring user scope.
Configuring Access to the Helpdesk Site
In Password Manager you can easily delegate administrative tasks to dedicated Helpdesk operators. By configuring the Helpdesk scope you select groups of Helpdesk operators who will have access to the Helpdesk site. The Helpdesk site handles typical tasks performed by Helpdesk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and so on.
Members of the Helpdesk scope are allowed to access the Helpdesk site and manage users from the user scope of the same Management Policy only.
You can also restrict groups of Helpdesk operators from accessing the Helpdesk site.
To configure a Helpdesk scope, you need to add a domain connection to the scope at first, and then specify groups from the selected domain.
To manage all domain connections from a single place, click General Settings | Domain Connections on the Administration site. For more information, see Domain Connections.
To add domain connection
- Open the Administration site by entering the Administration site URL in the address bar of your browser. By default, the URL is http://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.
- On the Administration site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, click Add domain connection.
- If domain connections already exist, select a domain connection from the list. If you want to create a new connection, click Add domain connection.
- If you selected to create the new domain connection, in the Add New Domain Connection dialog, configure the following options:
- In the Domain name text box, type in the name of the domain that you want to add to the Helpdesk scope.
- In the Domain alias text box, type the alias for the domain that will be used to address the domain on the Self-Service site. This field is required because you can reuse the domain connection in the user scope.
- To have Password Manager access the domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Domain management account, and then enter the user name and password for the domain management account. Note that if the Password Manager Service account is used to access the domain, it must have the same permissions as the domain management account.
For information on how to prepare a domain management account, see Configuring Permissions for Domain Management Account.
- Click Save.
To specify groups or OUs that are allowed to access the Helpdesk site
- On the Administration site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups allowed access to the Helpdesk site.
- To specify the OUs, click Add under Organizational units allowed access to the Helpdesk site.
- Click Save.
To specify groups or OUs that are denied access to the Helpdesk site
- On the Administration site, select the Management Policy you want to configure and click the Helpdesk Scope link.
- On the Helpdesk Scope page, select the domain connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups denied access to the Helpdesk site.
- To specify the OUs, click Add under Organizational units denied access to the Helpdesk site.
- Click Save.