Configure Password View Policies That Require Approval of Requests
To require that password view requests be approved by another administrator, enable one of the following options in the Password View Policy:
- Dual Authorization: Requires an administrator with an approver role to authorize access before the requester can access account credentials.
- Retrospective Approval: Provides immediate access to account credentials and sends a notification to administrators with an approver role for retrospective (after-the-fact) approval. Use this functionality (often referred to as "break glass") to provide emergency access to accounts that would typically require prior authorization by an administrator with an approver role.
To configure dual authorization or retrospective approval using the CLI, see Password View Requests in the CLI.
Who Can Be An Approver?
Dual authorization and retrospective approval require an approver to allow, deny, and delete password view requests. For a user to become an approver, that user must meet two criteria:
- The user must have a role with the credentialsManage privilege. Roles with this privilege are:
- Global Administrator
- Password Manager
- Operational Administrator
- The user must belong to a Credential Manager group that includes a Credential Manager role with the following privileges:
- Update Password View Request Status
- List Password View Request Summary By Approver
To see a list of Credential Manager roles in each group, select Credentials, Manage Credential Groups, then double-click a role in the list and view the selected privileges for that role.
Configure a Password View Policy That Requires Dual Authorization
Configure dual authorization to require an administrator with an approver role to authorize access before the requester can access account credentials. Credential Manager sends an email to the requesters notifying them of the password view request decision. If the request is approved, the requester can view the password. Enable and configure dual authorization using the following procedure.
Follow these steps:
- Go to Credentials, Workflow, Password View Policies.
- On the Dual Authorization tab, select the Dual Authorization checkbox.
- Set the time period for View Password requests.
- Request must be within: Specifies the time frame within which the password view can be requested. The default value is 14 days.
- Default Request Interval: Specifies the default interval in minutes to view the password, if applicable. The default value is 60 minutes. When a user requests a password, the time between the Request Password From and Request Password To fields is set to the default request interval.
- Maximum Request Interval: Specifies the maximum interval in minutes, up to which the password can be viewed, if applicable. The default value is 60 minutes.
When users request password viewing, it is for a specific time period, for example, August 8 from 9:00 to 11:00. Specify the time zone in Global Settings, Default Preferences. This time period defines when a user can retrieve and view a password. The View Password function does not initiate session management.
- (Optional) Select Enable One Click Approval. If selected, this option allows specified approvers to approve or deny the password view request without logging in to Credential Manager. If enabled, approvers are sent an email notification whenever someone attempts to view the password. The email notification includes all the standard details, a URL that approves the request, and a URL that denies the request. The approver can select the approve or deny URL directly from the email without logging in to PAM. If One Click Approval is not enabled, each approver still receives an email, but without the URLs. Instead, the approver must log in to view a list of pending requests, which are then approved, denied, or expired.
- From the Available Approvers list, select users and move them to the Selected Approvers list.
- Select OK.
When a user or administrator makes a request to view the password, Credential Manager automatically sends an email notification to the approvers for that account. The notification includes the following request details:
- Name of the user submitting the request
- Account name for the requested password view
- Requested account target application
- Requested account target server
- Password view reason
- Requested timeframe (in UTC)
Configure a Password View Policy That Requires Retrospective Approval
Configure retrospective approval to allow immediate emergency "break glass" access to account credentials and send a notification to administrators with an approver role for retrospective (after-the-fact) approval. Follow these steps:
- Go to Credentials, Workflow, Password View Policies.
- On the Dual Authorization tab, select the Retrospective Approval checkbox.
- (Optional) Select Enable One Click Approval. If selected, this option allows specified approvers to approve or deny the password view request without logging in to Credential Manager. If enabled, approvers are sent an email notification whenever someone attempts to view the password. The email notification includes all the standard details, a URL that approves the request, and a URL that denies the request. The approver can select the approve or deny URL directly from the email without logging in to PAM. If One Click Approval is not enabled, each approver still receives an email, but without the URLs. Instead, the approver must log in to view a list of pending requests, which are then approved, denied, or expired.
- From the Available Approvers list, select users and move them to the Selected Approvers list.
- Select OK.
When a user or administrator makes a request to view the password, a dialog informs them that their request is for emergency access and requires retrospective approval. If they decide to proceed, Credential Manager automatically sends an email notification and adds the request to the My Password View Approvals list of assigned approvers. However, because the credentials have already been accessed, the only effect of approval or denial is how the request is audited in the session logs. For further information, see the following content:
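As an added illustration that is not part of this documentation or of the product's own code, the following Python model captures the rules described for both policy types above: the request window checks (Request must be within, Default Request Interval, Maximum Request Interval), that only users on the Selected Approvers list may decide a request, and that a decision gates access under dual authorization but only changes the audit outcome under retrospective approval. All class and function names are assumptions, as is applying the 14-day window to the requested start time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Mode(Enum):
    DUAL_AUTHORIZATION = "dual"       # access only after an approver allows it
    RETROSPECTIVE = "retrospective"   # "break glass": access now, approve later

@dataclass
class PasswordViewPolicy:
    mode: Mode
    approvers: frozenset            # the "Selected Approvers" list
    request_within_days: int = 14   # "Request must be within" (default 14 days)
    default_interval_min: int = 60  # "Default Request Interval" (default 60)
    max_interval_min: int = 60      # "Maximum Request Interval" (default 60)

@dataclass
class ViewRequest:
    requester: str
    account: str
    reason: str                     # "Password view reason" in the notification
    start: datetime                 # "Request Password From", in UTC
    end: datetime                   # "Request Password To", in UTC
    status: str = "pending"         # pending | approved | denied
    credentials_visible: bool = False

def utc(*ymdhm): return datetime(*ymdhm, tzinfo=timezone.utc)  # aware UTC time

def submit(policy, requester, account, reason, start, now, end=None):
    """Validate the requested window against the policy and open a request."""
    end = end or start + timedelta(minutes=policy.default_interval_min)
    if end - start > timedelta(minutes=policy.max_interval_min):
        raise ValueError("window exceeds Maximum Request Interval")
    # Assumption: "Request must be within" bounds how far ahead start may lie.
    if not now <= start <= now + timedelta(days=policy.request_within_days):
        raise ValueError("start outside the 'Request must be within' window")
    req = ViewRequest(requester, account, reason, start, end)
    if policy.mode is Mode.RETROSPECTIVE:
        req.credentials_visible = True   # granted at once; decision is audit only
    return req

def decide(policy, req, approver, approve):
    """Record an approver's decision; only dual authorization gates access."""
    if approver not in policy.approvers:
        raise PermissionError(f"{approver} is not a selected approver")
    if req.status != "pending":
        raise ValueError(f"request already {req.status}")
    req.status = "approved" if approve else "denied"
    if policy.mode is Mode.DUAL_AUTHORIZATION:
        req.credentials_visible = approve
    return req
```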