Use the Access Config tab to configure the access settings for the type of access being requested, based on the access type specified on the General tab.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Property | Description |
---|---|
Access Type | This is a read-only field displaying the type of access selected on the General tab: |
Include password release with sessions requests | If Access Type is SSH, RDP |
Terminate expired sessions | If Access Type is SSH, RDP |
Change password after check-in | Select this check box if the password is to be changed after the user checks it back in. For password release requests, this option is selected by default. |
Allow simultaneous access | Select this check box to allow multiple users access to the accounts and assets governed by this policy. Use the next check box to identify how many users can have access at once. |
Maximum users at one time | When the Allow simultaneous access option is selected, enter the maximum number of users that can request access at one time. |
Asset-Based Session Access | If Access Type is SSH, RDP |
Allow password access to linked accounts | If Access Type is Password Release, select this check box to allow users to request passwords for their respective linked account. Access to each user’s linked account is governed by the other configurations defined in this policy. For more information, see Linked Accounts tab (user). |
You select the one cluster or appliance to which the policy applies.
For information on the toggle to set the Session Module Password Access Enabled, see Session Appliances with SPS join. You will see the following message if SPP has not been joined or the join has been deleted: No SPS connection policies found.
If a policy is not functional, you will see the Warning icon next to a selection.
You can view the network segments that can be serviced by specific Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) Appliances within a clustered environment. For more information, see Managed Networks.
If you are using the embedded sessions module for Safeguard for Privileged Passwords, use the Session Settings tab to configure the settings for session access requests (below). The settings on this tab only apply to RDP and SSH (session) access requests.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Property | Description |
---|---|
Record sessions | For SSH and RDP, this check box is selected by default indicating that all sessions for the accounts and assets governed by this policy are to be recorded. |
Enable Command Detection (SSH) | For SSH session requests, select the Enable Command Detection check box to enable command detection, which means commands that are executed on the target host are detected and logged. |
SSH Controls | If SSH is selected as the access type on the General tab, select one or more of the following options to create a session that uses the specified protocol: |
Enable Windows Title Detection (RDP) | For RDP session requests, select the Enable Windows Title Detection check box to enable windows title detection, which means the titles of all windows opened on the desktop during a privileged session are detected and logged. You can configure Safeguard for Privileged Passwords to send these actions to a syslog server, in an email message, or via an SNMP trap. For more information, see External Integration settings. |
RDP In-Session Controls | If RDP is selected as the access type on the General tab, select the following option if you want to allow the user to transfer data via the clipboard: Selecting this option allows the users to copy a file or text from the client machine and paste it to the remote server. The data copied during a session using this option is currently not available for play back in this initial release of Safeguard. |
Use the Time Restrictions tab to specify time restrictions for the access request policy.
Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy).
Property | Description |
---|---|
Use Time Restrictions | Select this option to specify time restrictions for access requests for accounts and assets governed by this policy. Time restrictions control when the access request policy is effective relative to the user's time zone. For more information, see About time restrictions. |
Daily calendar | Select and drag the days and hours you want to allow the policy to be effective. |
Reset | Click Reset to remove any time restrictions set in the daily calendar. |
Use the Emergency tab to enable emergency access for the accounts and assets governed by the access request policy.
Property | Description |
---|---|
Enable Emergency Access | Select this check box to allow users to request emergency access to accounts and assets governed by this policy. Clear this option to disallow emergency access. Emergency Access overrides the Approver requirements. That is, when a user requests access using Emergency Access, the request is immediately approved, provided that the other constraints are met such as the Requester settings. Multiple users are allowed to request emergency access simultaneously for the same account or asset. |
Notify When Account is Released with Emergency access (To) | (Optional) When emergency access is enabled, build an escalation notification contact list, by entering an email address or selecting To to choose an email address of a Safeguard for Privileged Passwords user. If you used the To button to add Safeguard for Privileged Passwords users, you can use the You can enter email addresses for non-Safeguard for Privileged Passwords users. To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts. |
Ignore Time Restrictions | This check box is selected by default indicating that Safeguard for Privileged Passwords is to ignore time restrictions when a user requests emergency access. Clear this check box if you want to enforce the time restrictions set for this policy and only allow emergency access during the specified time period. |
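
The following added example (not One Identity code, and not taken from the product) models how the Time Restrictions and Emergency settings described above interact, so a reviewer can see which requests the default Ignore Time Restrictions setting lets through. The `Policy` field names, the decision labels and the sample data are hypothetical, and Requester settings are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:
    # Hypothetical field names mirroring the check boxes on the two tabs.
    use_time_restrictions: bool = False
    allowed_slots: set = field(default_factory=set)  # {(weekday 0=Mon, hour)}
    enable_emergency_access: bool = False
    ignore_time_restrictions: bool = True  # selected by default per the docs
    notify_on_emergency: list = field(default_factory=list)

def in_window(policy, request_utc, user_tz):
    """Check the daily calendar in the requesting user's time zone."""
    if not policy.use_time_restrictions:
        return True
    local = request_utc.astimezone(user_tz)
    return (local.weekday(), local.hour) in policy.allowed_slots

def evaluate(policy, request_utc, user_tz, emergency=False):
    """Return (decision, contacts_to_notify). Requester settings and other
    policy constraints are outside this model."""
    window_ok = in_window(policy, request_utc, user_tz)
    if not emergency:
        return ("approver_rules_apply" if window_ok else "denied"), []
    if not policy.enable_emergency_access:
        return "denied", []
    if not window_ok and not policy.ignore_time_restrictions:
        return "denied", []
    # Emergency access skips the approver step; contacts are notified.
    return "approved", list(policy.notify_on_emergency)

# Constructed sample: Monday-Friday, 09:00-16:59, one escalation contact.
POLICY = Policy(
    use_time_restrictions=True,
    allowed_slots={(d, h) for d in range(5) for h in range(9, 17)},
    enable_emergency_access=True,
    notify_on_emergency=["oncall@example.com"],
)
REQUEST_UTC = datetime(2021, 3, 2, 1, 30, tzinfo=timezone.utc)  # Tuesday 01:30 UTC
UTC_MINUS_5 = timezone(timedelta(hours=-5))  # user's local time: Monday 20:30
UTC_PLUS_8 = timezone(timedelta(hours=8))    # user's local time: Tuesday 09:30

if __name__ == "__main__":
    for tz in (UTC_MINUS_5, UTC_PLUS_8):
        print(tz, evaluate(POLICY, REQUEST_UTC, tz),
              evaluate(POLICY, REQUEST_UTC, tz, emergency=True))
```

With the defaults, the same out-of-hours request that a normal workflow denies is approved immediately as an emergency request, which is why the notification list and the Ignore Time Restrictions check box deserve attention when a policy is reviewed.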
© 2021 One Identity LLC. ALL RIGHTS RESERVED.