Privileged access requests
Safeguard for Privileged Passwords provides a workflow engine that supports time restrictions, multiple approvers, reviewers, emergency access, and expiration of policy. It also includes the ability to input reason codes and integrate directly with ticketing systems.
In order for a request to progress through the workflow process, authorized users perform assigned tasks. These tasks are performed from the user's 
Home page.
As a Safeguard for Privileged Passwords user, your Home page provides a quick view to the access request tasks that need your immediate attention. In addition, an Administrator can set up alerts to be sent to users when there are pending tasks needing attention. For more information, see Configuring alerts.
The access request tasks you see on your Home page depend on the rights and permissions you have been assigned by an entitlement's access request policies. For example:
-
Requesters see tasks related to submitting new access requests, as well as actions to be taken once a request has been approved (for example, viewing passwords, copying passwords, launching sessions, and checking in completed requests).
Requesters can also define favorite requests, which then appear on their Home page for subsequent use.
- Approvers see tasks related to approving (or denying) and revoking access requests.
- Reviewers see tasks related to reviewing completed (checked in) access requests, including playing back a session if session recording is enabled.
The following three workflows are available:
Configuring alerts
All users are subscribed to the following email notifications; however, users will not receive email notifications unless they have been included in a policy as a requester (user), approver, or reviewer.
- Access Request Approved
- Access Request Denied
- Access Request Expired
- Access Request Pending Approval
- Access Request Revoked
- Password was Changed
- SSH key was Changed
- Review Needed
Email notifications
You must configure Safeguard for Privileged Passwords properly for users to receive email notifications:
- For Local users, you must set your email address correctly in My Settings. For more information, seeMy Settings.
- For Directory users, set your email correctly in the directory where your user resides.
- The Security Policy Administrator must configure the access request policies to notify people of pending access workflow events (that is, pending approvals and pending reviews). For more information, see Creating an access request policy.
- The Appliance Administrator must configure the SMTP server. For more information, see Enabling email notifications.
Role-based email notifications generated by default
Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.
Table 15: Email notifications based on administrative permissions
|
Appliance Administrator
Operations Administrator |
Appliance Healthy
Appliance Restarted
Appliance Sick
Appliance Task Failed
Archive Task Failed
Cluster Failover Started
Cluster Replica Enrollment Completed
Cluster Replica Removal Started
Cluster Reset Started
Disk Usage Warning
Factory Reset Appliance
License Expired
License Expiring Soon
NTP Error Detected
Operational Mode Appliance
Raid Error Detected
Reboot Appliance
Shutdown Appliance |
|
Partition Owner (if none, sent to the Asset Administrator)
NOTE: If Asset Administrators want to be notified along with the Partition Owners, they can set themselves up as an explicit owners or create an email subscription for the event.
The API /service/core/v3/EventSubscribers endpoint can be used to create event subscribers for events, including events on specific assets or accounts. |
Account Discovery Failed
Dependent Asset Update Failed
Password Change Failed
Password Check Failed
Password Check Mismatch
Password Reset Needed
Restore Account Failed
Service Discovery Failed
SSH Check Mismatch
SSH Host Key Mismatch
SSH Key Change Failed
SSH Key Check Failed
SSH Key Discovery Failed
SSH Key Install Failed
SSH Key Reset Needed
SSH Key Was Reset
Suspend Account Failed
Test Connection Failed |
| Security Policy Administrator |
Policy Expiration Warning
Policy Expired
Entitlement Expiration Warning
Entitlement Expired |
NOTE: Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:
POST /service/core/v3/Me/Subscribers/{id}/Disable
In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:
POST /service/core/v3/EventSubscribers
Password release request workflow
Safeguard for Privileged Passwords provides secure control of managed accounts by storing account passwords until they are needed, and releases them only to authorized persons. Then, Safeguard for Privileged Passwords automatically updates the account passwords based on configurable parameters.
Typically, a password release request follows this workflow.
- Request: Users that are designated as an authorized user of an entitlement can request passwords for any account in the scope of that entitlement's policies.
- Approve: Depending on how the Security Policy Administrator configured the policy, a password release request will either require approval by one or more Safeguard for Privileged Passwords users, or be auto-approved. This process ensures the security of account passwords, provides accountability, and provides dual control over the system accounts.
- Review: The Security Policy Administrator can optionally configure an access request policy to require a review of completed password release requests for accounts in the scope of the policy.
