Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.7 LTS - Evaluation Guide

Adding password release request policies

We now need to define the users who are authorized to make password release requests and add access request policies to define the scope (accounts that can be accessed) and rules for checking out passwords. For more information, see the Safeguard for Privileged Passwords Administration Guide, Creating an access request policy section.

To add a policy to the Linux Password Requests Entitlement

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements .
  2. Select the Linux Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement "User" is a person who is authorized to request passwords to accounts governed by the polices in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Linux Servers Password Release Request Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Linux Server Accounts.
      • Access Type: Password Release.

    2. Scope tab:

      • Linux Server Accounts group

    3. Requester tab:

      • Select the following reasons: SU and Sys Maint.
      • Require a Reason.
      • Require a Comment.
      • Select the Allow Requester to Change Duration option.

    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.

    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.

    6. Access Config tab

      • Select the Change password after check-in option.

    7. Time Restrictions tab:

      • Do not set policy Time Restrictions.

    8. Emergency tab:

      • Enable Emergency Access.

To add a policy to the Windows Password Requests Entitlement

  1. As PolicyAdmin, navigate to Administrative Tools | Entitlements.
  2. Select the Windows Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement User is a person who is authorized to request passwords to accounts governed by the polices in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Weekday Maintenance Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Windows Server Accounts on weekdays.
      • Access Type: Password Release

    2. Scope tab:

      • Windows Server Accounts group

    3. Requester tab:

      • Do not require a Reason.
      • Do not require a Comment.
      • Select the Allow Requester to Change Duration option.

    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.

    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.

    6. Access Config tab

      • Select the Change password after check-in option.

    7. Time Restrictions tab:

      • Allow users to access passwords in the scope of this policy anytime Monday through Friday.

    8. Emergency tab:

      • Do not Enable Emergency Access.

To add a policy to the Directory Requests Entitlement

  1. As PolicyAdmin navigate to Administrative Tools | Entitlements.
  2. Select the Directory Password Requests Entitlement.
  3. On the Users tab, add the Requesters user group as the user for this entitlement.

    An entitlement User is a person who is authorized to request passwords to accounts governed by the polices in the entitlement.

  4. On the Access Request Policies tab, create the following access request policy:

    1. General tab:

      • Policy Name: Weekday Maintenance Policy
      • Description: The rules that define the request, approval, and review of password release requests for the Windows Server Accounts on weekdays.
      • Access Type: Password Release

    2. Scope tab:

      • Directory Server Accounts group

    3. Requester tab:

      • Do not require a Reason.
      • Do not require a Comment.
      • Select the Allow Requester to Change Duration option.

    4. Approver tab:

      • Require one person from the Approvers user group to approve a password release request.

    5. Reviewer tab:

      • Require one person from the Reviewers user group to review a completed password release.

    6. Access Config tab:

      • Select the Change password after check-in option.

    7. Time Restrictions tab:

      • Allow users to access passwords in the scope of this policy anytime Monday through Friday.

    8. Emergency tab:

      • Do not Enable Emergency Access.

Password release workflow exercise

Now that you have setup Safeguard for Privileged Passwords, it's time to validate the access request policies you created for password release requests.

Exercise 1: Testing the password release workflow

This exercise demonstrates the password release workflow from request to approval to review.

Note: If you setup users from your test lab as a Requester, Approver, and Reviewer user, have each of them log in to a web client using a mobile device. If mobile devices are not available, have your users log in to the Safeguard for Privileged Passwords desktop client at their own workstations.

To start the web client

  1. Open a browser and navigate to https://<Appliance IP Address>.
  2. Start three instances of the web client, logging in as Joe, Abe, and Ralph, respectively.

    Note: Alternatively, you can open three browser windows on a single desktop and display them side-by-side to simulate mobile devices. Log in to each instance as your Requester, Approver, and Reviewer users.

(web client) Test: Request password

As Joe, the Requester user, perform the following steps.

  1. From the web client, click Home or My Requests, then click New Request.
    • If you have set up a Linux account and a Windows account, request a password from each.
  2. Use the default access options.
    • Notice how the policy configuration changes the user experience.
  3. Open Requests and review your pending requests.

Test: Approve password requests

(web client) Did you receive a notification on your mobile phone? You can approve the request from your mobile device without being logged in to Safeguard for Privileged Passwords. As Abe, the Approver user, click Approvals on the left of the page to complete the approval.

(desktop client) If you'd rather approve it using the desktop client proceed to the steps below.

As Abe, the Approver user, perform the following steps.

NOTE: Notice Abe has an additional authentication step to take in order to log in to Safeguard for Privileged Passwords. In addition, since you have set up Approval Anywhere, you can use the Starling 2FA app on your mobile phone to complete the login process.
  1. Open Approvals and review the requests waiting for your approval.

  2. Select Approve/Deny to approve Joe's password requests.

Test: The password and check it in

As Joe, perform the following steps.

  1. Once the password becomes Available, open the requests and select Show Password to see the password on your screen.

    Make note of the password so that you can verify that Safeguard for Privileged Passwords changes it after you use it.

  2. Select Copy.
  3. Using the password in your copy buffer, log in to the test server.
  4. Log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  5. Select Check-In to complete the password check out process for the password requests.

Test: Review a password release

As Ralph, the Reviewer, use the web client or desktop client:

(web client)

  1. Click Reviews. Select the request.
  2. Enter a comment.
  3. Click to mark the selected request as reviewed.

(desktop client)

  1. Open Reviews and review the requests that are waiting for your review.
    1. Select Workflow to view the transactions that took place as part of the request.
    2. Select Review to enter a comment and complete the review process.

Test: Request emergency access

As Joe, perform the following steps.

  1. Request the password for the Linux asset again, this time use the Emergency Access option.
    • Notice that the password becomes immediately available. That is because Emergency access bypasses the approval.
  2. Once the password becomes Available, open the password request and select Show Password.
    • Is the password different this time? When the Change Password After Release option is selected in the policy, Safeguard for Privileged Passwords automatically changes the password after each use.
  3. Copy the password so you can use it to manually log in to the remote asset/account.
  4. After you have successfully logged in to the remote asset/account, log out of the test server and return to the Safeguard for Privileged Passwords desktop.
  5. Select Check-In.

Test: Review a password release

  1. As Ralph, perform the following:
    • In the web client Reviews and click to mark the selected request as reviewed.
    • In the desktop client:
      1. Open Reviews and review the requests that are waiting for your review.

      2. Select Workflow to view the transactions that took place as part of the request.

      3. Select Review to enter a comment and complete the review process.

TIP: If one requester checks in the request and another requester wants to use it, the second requester is unable to check out the password until the original request has been reviewed. However, the Security Policy Administrator (PolicyAdmin) can Close a request that has not yet been reviewed. This will bypass the reviewer in the workflow and allow the account to be accessed by another requester.

Exercise 2: Testing time restrictions

Now that you have seen the end-to-end password release process from request to approval to review, let's demonstrate how the entitlement and policy time restrictions affect a password request.

An entitlement's time restrictions enforce when Safeguard for Privileged Passwords uses a policy; a policy's time restrictions enforce when a user can access the account passwords. If the entitlement and the policy both have time restrictions, the user can only check out the password for the overlapping time frame.

Time restrictions control when the entitlement or policy is in effect relative to a user's time zone. Although Safeguard for Privileged Passwords Appliances run on Coordinated Universal Time (UTC), the user's time zone enforces the time restrictions set in the entitlement or policy. This means that if the appliance and the user are in different time zones, Safeguard for Privileged Passwords enforces the policy in the user's time zone set in his account profile.

Test: Entitlement time restrictions

  1. In the desktop client, as PolicyAdmin, navigate to Entitlements.
  2. Navigate to the General tab of the Linux Password Requests entitlement.
  3. Set the entitlement Time Restrictions to allow users to access passwords only during their lunch hour Monday through Friday.

  4. As Joe, assuming that it is currently not during your lunch hour, request a password for a Linux account, for a duration of five minutes.

    • Did Safeguard for Privileged Passwords allow you to check out this password? The request dialog disables the Request Immediately option. The request time will automatically be set for the next unrestricted time frame that allows the account password to be requested.
  5. Cancel the request (or return to your Home page).

Test: Entitlement expiration

  1. As PolicyAdmin, set the Time Restrictions for the Linux Password Requests role to 8:00 a.m. to 5:00 p.m. Monday through Friday.
  2. While you are in Time Restrictions, set this entitlement to expire today in 1 minute from now.
  3. Wait for the entitlement to expire.

    • Did you see Safeguard for Privileged Passwords's notification?

      Note: If you do not see the notification refresh your screen.

  4. As Joe, request a password for a Linux account.
    • Notice that the account is not available to check out. Safeguard for Privileged Passwords does not allow you to check out accounts associated with expired entitlements.
  5. As PolicyAdmin, remove the expiration time from the Time Restrictions, but leave the entitlement Time Restrictions enforced.
  6. As Joe, request a password for the same Linux account.
    • Observe that you are now allowed to request passwords for the Linux Password Requests accounts.
  7. Cancel the request (or return to your Home page).

Test: Policy time restrictions

  1. As PolicyAdmin, set the policy Time Restrictions for the Weekday Maintenance Policy to allow users to access passwords 8:00 a.m. to 5:00 p.m. Monday through Friday.
  2. As Joe, request a password for the Windows account for Sunday at 2:00 p.m.
    • This request was denied because the Weekday Maintenance Policy does not allow you to check out accounts on Sunday.
  3. Cancel the request (or return to your Home page).
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating