Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Creating an access request policy (web client)

It is the responsibility of the Security Policy Administrator to define access request policies in Safeguard for Privileged Passwords.

A policy defines:

  • The scope, which may be assets, asset groups, accounts, or account groups.
  • The access type, which may be a:
    • Credential access type:

      • Password Release
      • SSH Key
    • Session access type:

      • RDP (Remote Desktop Protocol)
      • SSH (Secure SHell)
      • Telnet
  • The rules for checking out passwords, such as the duration, how many approvals are required, and so on.
Considerations
  • An access request policy is only assigned to one cluster.
  • An access request policy is only used in the entitlement in which it is created. If you delete an entitlement, all access request policies associated with that entitlement are deleted.

To add an access request policy to an entitlement ( web client)

  1. Navigate to Entitlements.
  2. In Entitlements, select to edit an entitlement from the list and open the Access Request Policies tab.
  3. Click New Access Policy from the details toolbar.
  4. In the Create Access Request Policy dialog, provide information in each of the tabs:

    General tab (create access request policy web client)

    Where you add general information about the access request policy as well as specify the type of access being requested.

    Security tab (create access request policy web client)

    Where you define the access settings for the selected type of request including allowing users to request passwords from their respective linked accounts.

    Scope tab (create access request policy web client)

    Where you assign assets, asset groups, accounts, or account groups to an access request policy.

    Workflow tab (create access request policy web client)

    Where you configure the access request policy requester, approver, reviewer settings.

General tab (create access request policy web client)

On the General tab, enter the following information for the access request policy.

Navigate to:

  • web client: Security Policy Management | Entitlements | Access Request Policies | (create or edit a policy)
Table 132: Access Request Policy: General tab properties
Property Description
Name

Enter a unique name for the access request policy.

Limit: 50 characters

Description

Enter descriptive text that explains the access request policy.

Limit: 255 characters

Priority

The priority of this policy compared to other policies in this entitlement.

If a user desires to access an account in the scope of two different request polices within an entitlement, then the policy with the highest priority (that is, the lowest number) takes precedence. For more information, see How Safeguard for Privileged Passwords evaluates policy when a user submits an access request.

Choose Request Policy Type

Specify the type of request policy:

  • Credential

    • Password

    • SSH Key

  • Session

    • RDP (Remote Desktop Protocol)
    • SSH (Secure SHell)
    • Telnet

Choose Credential Type

Specify the type of credential:

  • Password

  • SSH Key

NOTE: You can configure an access request policy for a password or SSH key request, however, if the Privileged Passwords module license is not installed, you will not be able to submit a password or SSH key release request.

Similarly, you can configure an access request policy for a session request; however, if the Safeguard for Privileged Sessions server is not joined to Safeguard for Privileged Passwords, you will be unable to submit a session request.

Have the Access Policy Expire on Date and Time Select this to enforce an expiration date for the policy. Enter the expiration date and time.

Use Time Windows

Select this option to enforce time windows.

Select and drag to highlight the hours you want to allow. Colored tiles are blocked times . Clear are available times.

Security tab (create access request policy web client)

Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.

Navigate to:

  • web client: Security Policy Management | Entitlements | Access Request Policies | (create or edit a policy)
Table 133: Access Request Policy: Access Config tab properties

Property

Description

Include password release with sessions requests

If Access Type is RDP, SSH, or Telnet, select this check box to include a password release with session access requests.

Include SSH Key release with sessions requests

If Access Type is RDP, SSH, or Telnet, select this check box to include an SSH Key release with session access requests.

Close expired sessions

If Access Type is RDP, SSH, or Telnet, select this check box to close sessions that have expired.

Change password after check-in

Select this check box if the password is to be changed after the user checks it back in. This check box is selected by default.

Change SSH key after check-in

Select this check box if the SSH key is to be changed after the user checks it back in. This check box is selected by default.

Passphrase Protect SSH Key

If Access Type is SSH Key, select this check box to require a passphrase for the SSH key.

Allow simultaneous access

Select this check box to allow multiple users access to the accounts and assets governed by this policy. Use the next check box to identify how many users can have access at once.

Maximum users at one time

When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time.

Asset-Based Session Access

If Access Type is RDP, SSH, or Telnet, select one of the following options to define the type of account credentials to be used to access any of the assets defined in the policy scope, in addition to the accounts defined in the policy scope when a session is requested:

  • None (default): The credentials are retrieved from the vault when the session is requested.
  • User Supplied: The requester user must provide the credentials when the session is requested.
  • Linked Account: The requester user's account is linked to a directory account that will be used when the session is requested.
    • Enable scope filtering for linked accounts: When selected, this setting allows you to limit the number of requestable accounts to linked accounts that are also defined in the policy scope.

      NOTE: If the policy scope includes only assets/asset groups and no accounts, then the scope filtering setting has no effect, and the policy is available to all of the linked directory accounts on each scoped policy asset.

  • Directory Account: Use the Browse button to select one or more directory accounts to be used when the session is requested.

    If the Directory Account was migrated from an SPP version prior to 2.7, the directory account identifier may be blank, because earlier SPP versions understood only one assignment and version 2.7 results in multiple assignments.

Allow password access to linked accounts

If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user’s linked account is governed by the other configurations defined in this policy. For more information, see Linked Accounts tab (user).

Additionally, Enable scope filtering for linked accounts can be selected in order to limit the number of requestable accounts to linked accounts that are also defined in the scope.

SPS Connection Policy

Use this drop-down to select an SPS connection policy to use with the access request policy.

Scope tab (create access request policy web client)

Use the Scope tab to assign accounts, account groups, assets, and asset groups to an access request policy.

Navigate to:

  • web client: Security Policy Management | Entitlements | Access Request Policies | (create or edit a policy)
  1. On the Scope tab:

    1. Click Add from the details toolbar and select one of the following options:

      • Add accounts to this policy
      • Add account groups to this policy
      • Add an asset to this policy
      • Add an asset group to this policy
    2. In the dialog, make a selection then click OK.

      If you do not see the selection you are looking for, depending on your Administrator permissions, you can create it in the dialog. (You must have Asset Administrator permissions to create accounts and assets. You must have Security Policy Administrator permissions to create account groups and asset groups.)

  2. Repeat step one to make additional selections. You can add multiple types of objects to a policy; however, you can only add one type of object, like an accounts or account group, at a time.

All of the selected objects appear on the Scope tab in the Access Request Policy dialog. To remove an object from the list, select the object and click Delete.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating