You select the one cluster or appliance to which the policy applies.
- Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy), then the Session Settings tab.
- If you see a message like No SPS connection policies found., you may have selected a policy with an invalid connection policy. For more information, see Access Request Policies tab.
- In SPS Connection Policy, select the cluster or appliance to which the policy applies.
- The default is safeguard_default.
- If you are using telnet with SPS, the telnet Connection Policy created in SPS is available.
- Select Sps Initiate if the access policy is for use by Safeguard for Privileged Sessions (SPS) to create an SPS initiated Access Request.
- For other policies, the host name and IP address of the cluster master is displayed first followed by the SPS cluster description.
If a policy is not functional, you will see the Warning icon next to a selection.
You can view the network segments that can be serviced by specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) Appliances within a clustered environment. For more information, see Managed networks.
Use the Time Restrictions tab to specify time restrictions for the access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Table 95: Access Request Policy: Time Restriction tab properties
Use Time Restrictions |
Select this option to specify time restrictions for access requests for accounts and assets governed by this policy.
Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see About time restrictions. |
Daily calendar |
Select and drag the days and hours you want to allow the policy to be effective. |
Reset |
Click Reset to remove any time restrictions set in the daily calendar. |
Use the Emergency tab to enable emergency access for the accounts and assets governed by the access request policy.
Table 96: Access Request Policy: Emergency tab properties
Enable Emergency Access |
Select this check box to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access.
Emergency Access overrides the Approver requirements; that is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met, such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset. |
Notify When Account is Released with Emergency access | To |
(Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user.
If you used the To button to add Safeguard for Privileged Passwords users, you can use the Clear icon to remove an individual address from this list or right-click and select Remove All to clear all addresses from the list.
You can enter email addresses for non-Safeguard for Privileged Passwords users.
To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.
IMPORTANT: Safeguard for Privileged Passwords does not dynamically maintain the email addresses for an escalation notification contact list. If you change a Safeguard for Privileged Passwords user's email address or delete a Safeguard for Privileged Passwords user after creating a policy, you must update the email addresses in an escalation notification contact list manually. For more information, see User not notified.. |
Ignore Time Restrictions |
This check box is selected by default, indicating that Safeguard for Privileged Passwords is to ignore time restrictions when a user requests emergency access. Clear this check box if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period. |
When you add users to an entitlement, you are specifying which people can request passwords to the accounts governed by the selected entitlement's access request policies, or which people can request sessions for the accounts and assets governed by the selected entitlement's access request policies. A user can be a Sessions Appliance certificate user. For more information, see Session Appliances with SPS join.
It is the responsibility of the Security Policy Administrator to add users to entitlements. The Security Policy Administrator only has permission to add groups, not users. For more information, see Administrator permissions.
To add requester users to an entitlement
- Navigate to Administrative Tools | Entitlements.
- In Entitlements, select an entitlement from the object list and click the Users tab.
- Click Add User or User Group from the details toolbar.
- Select one or more users or user groups from the list in the Users/User Groups selection dialog, and click OK.
If you do not see the user or user group you are looking for, depending on your Administrator permissions, you can create them in the Users/User Groups selection dialog. (You must have Authorizer Administrator or User Administrator permissions to create users or Security Policy Administrator permissions to create user groups.)
To create new users or user groups in the Users/User Groups selection dialog
- Click Create New, then select Create a New User or Create a New User Group.
For more information about creating users or user groups, see Adding a user or Adding a user group.
- Create additional users or user groups as required.
- Click OK to add the new users and user groups to the selected entitlement's membership.