Create a Password View Policy

Each target account is associated with a password view policy, whether it is the default policy or a policy that you create. Use this procedure to create a password view policy with the UI.

To use the CLI to create a password view policy, see Create a Password View Policy with the CLI.

Configure a Password View Policy
 
Follow these steps:

  1. Select Credentials, Workflow, Password View Policies. The Password View Policies page appears.
  2. Select Add.
  3. On the Basic Info tab, enter a policy Name and Description, then specify the properties of the policy using the following controls:
     • Re-authenticate for View: If set, a dialog appears when a user tries to view a password. To continue, the user enters their own login password.
     • Re-authenticate for Auto-Connect: If set, a dialog appears when a user tries to auto-connect to an application through Access. To continue, the user enters their own login password.
     • Reason Required for View: If set, a dialog appears when a user tries to view an account password. The user selects a Reason and optionally enters a Description and a Reference Code before the password is shown. The View Credential control (eye icon) for an account is on the Account List page and on the Account Details page.
     • Reason Required for Auto-Connect: If set, a dialog appears when a user tries to auto-connect. The user selects a Reason and optionally enters a Description and a Reference Code before the auto-connect proceeds.
     • Change Password on View: A viewed password, on synchronized and non-synchronized accounts alike, is changed automatically after the delay specified in the Change Password Interval field.
       The password view policy can also require that the user check out the password to view it. With check-out, the password is changed only when it is checked back in, regardless of how many times the user displays it while it is checked out. For compound accounts, the password is changed on all servers even if only one account was accessed.
     • Automatic Password Change (Optional): Set at most one of the following options to change passwords that are used in remote sessions. These options do not apply to viewed passwords.
       • Change Password on Connection End: The password is changed automatically when the user's SSH or RDP connection to a target server ends, whether because the connection times out, the user terminates it, or the connection is lost.
       • Change Password on Session End: All passwords that were used to log in to target servers are changed when the user's session in Privileged Access Manager ends, whether because the user logs out, the session times out, or connectivity is lost.
     • Change Password on Auto-Connect: An auto-connect password is changed automatically after the session is terminated. This setting might not be suitable for environments where multiple sessions are started simultaneously with the same credential.
     • Change Password Interval (appears only if Change Password on View, Change Password on Auto-Connect, or both are selected): The interval, in minutes, between the password view or auto-connect operation (as applicable) and the moment Credential Manager changes the password.
       If the Check-out/Check-in option is also set, the Change Password Interval setting is ignored. Instead, the password is changed when the account is checked in.
     • Check-out/Check-in: If selected, specifies how long Credential Manager waits (in minutes) before automatically checking the account password back in.
       When dual authorization is also enabled, the Check-out/Check-in interval must be less than or equal to the dual authorization interval, so that a check-out never outlives the dual authorization approval that permitted it.
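The precedence rules above (at most one Automatic Password Change option, an interval required when Change Password on View or Auto-Connect is set without Check-out/Check-in, the check-out interval capped by the dual authorization interval, and the interval being ignored in favour of check-in once check-out is on) are easy to get wrong when policies are reviewed by hand. The following Python model is an added example and is not Privileged Access Manager code, its data model, or its CLI; the class, field and function names are hypothetical stand-ins for the UI labels. It validates a policy against those constraints and computes when Credential Manager would change a password after a view, including the case where an in-flight check-out keeps the policy it started under.

```python
from dataclasses import dataclass
from typing import Optional


# Hypothetical model of a password view policy (added example, not the
# product's own data model). Field names mirror the UI controls described above.
@dataclass(frozen=True)
class PasswordViewPolicy:
    name: str
    reauth_for_view: bool = False
    reason_required_for_view: bool = False
    change_password_on_view: bool = False
    change_password_on_auto_connect: bool = False
    change_password_interval_min: Optional[int] = None  # minutes after view/auto-connect
    checkout_checkin_min: Optional[int] = None          # automatic check-in after N minutes
    auto_change: Optional[str] = None                   # None, "connection_end" or "session_end"
    dual_authorization_min: Optional[int] = None        # dual authorization expiry, if enabled


def validate(policy: PasswordViewPolicy) -> list:
    """Return the constraint violations for a policy (empty list when it is consistent)."""
    errors = []
    # Automatic Password Change is "one of": connection end OR session end, never both.
    if policy.auto_change not in (None, "connection_end", "session_end"):
        errors.append("Automatic Password Change allows at most one of "
                      "'connection_end' or 'session_end'")
    wants_interval = policy.change_password_on_view or policy.change_password_on_auto_connect
    # The interval only matters when Check-out/Check-in is off; with check-out it is ignored.
    if wants_interval and policy.checkout_checkin_min is None:
        if policy.change_password_interval_min is None or policy.change_password_interval_min <= 0:
            errors.append("Change Password Interval (minutes, > 0) is required when "
                          "Change Password on View or on Auto-Connect is set")
    if policy.checkout_checkin_min is not None and policy.checkout_checkin_min <= 0:
        errors.append("Check-out/Check-in interval must be a positive number of minutes")
    if (policy.checkout_checkin_min is not None
            and policy.dual_authorization_min is not None
            and policy.checkout_checkin_min > policy.dual_authorization_min):
        errors.append("Check-out/Check-in interval must be <= the Dual authorization interval")
    return errors


def change_time_after_view(policy: PasswordViewPolicy, viewed_at_min: int,
                           checked_in_at_min: Optional[int] = None) -> Optional[int]:
    """Minute (same clock as viewed_at_min) at which the viewed password is changed,
    or None if the policy does not change passwords on view.

    With Check-out/Check-in set, the change happens at check-in (explicit or automatic
    expiry), however many times the password is displayed meanwhile, and the
    Change Password Interval is ignored."""
    if not policy.change_password_on_view:
        return None
    if policy.checkout_checkin_min is not None:
        auto_checkin = viewed_at_min + policy.checkout_checkin_min
        if checked_in_at_min is None:
            return auto_checkin
        return min(checked_in_at_min, auto_checkin)
    if policy.change_password_interval_min is None:
        raise ValueError("policy is inconsistent; run validate() first")
    return viewed_at_min + policy.change_password_interval_min


@dataclass(frozen=True)
class Checkout:
    """An outstanding check-out keeps a snapshot of the policy it started under:
    editing or disabling Check-out/Check-in afterwards does not release it."""
    account: str
    policy_at_checkout: PasswordViewPolicy
    checked_out_at_min: int


def checkout_expires_at(co: Checkout, current_policy: PasswordViewPolicy) -> int:
    # current_policy is deliberately unused: the in-flight view is governed by the
    # previous policy, as described under "How View Policy Changes are Applied".
    return co.checked_out_at_min + co.policy_at_checkout.checkout_checkin_min


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real deployment.
    interval_only = PasswordViewPolicy("view-10min", change_password_on_view=True,
                                       change_password_interval_min=10)
    with_checkout = PasswordViewPolicy("checkout-30min", change_password_on_view=True,
                                       change_password_interval_min=10,
                                       checkout_checkin_min=30, dual_authorization_min=60)
    for p in (interval_only, with_checkout):
        print(p.name, "violations:", validate(p), "change at:", change_time_after_view(p, 100))
```

Usage: construct the policy exactly as you intend to enter it in the UI, run `validate()` before saving, and use `change_time_after_view()` to confirm that a checked-out password is not rotated on the interval you might expect from the Change Password Interval field alone.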
How View Policy Changes are Applied
Any change to an existing password view policy applies to all future attempts to view a password. Ongoing view attempts, however, remain governed by the policy that was in effect when they started. For example, if you disable the Check-out/Check-in option while a password is checked out, the password remains checked out until the user checks it back in or the check-out time expires. Therefore, do not change the password view policy of an account while it has outstanding password view requests.
Changes to the list of request approvers take effect immediately. A newly added approver receives the relevant email notification and can approve or deny the request; an approver that is removed from the list no longer receives the email and can no longer approve or deny the request.
Enable Password Verification
When a user first logs in to the UI and views a password, Credential Manager verifies the password. To enable verification every time a password is viewed, set the Re-authenticate for View option.

Follow these steps:

  1. Select Credentials, Workflow, Password View Policies.
  2. For each password view policy, select Re-authenticate for View.
  3. Select OK.
Enabling Dual Authorization (Optional)
Dual authorization requires a person with the Approver role to grant access to the account password before the requesting user can view it. If you configure dual authorization, you can also enable One-click approval, which allows the designated approvers to approve or deny the password view request without logging in to Privileged Access Manager.
For more information about the Dual Authorization option, see Get Authorization to View a Password.