Configure Password View Policies to Require Request Approval

To require that password view requests be approved by another administrator, enable the dual authorization option in the Password View Policy. If you enable dual authorization, a person with an Approver role must authorize access to the password before the requester can view the password.
When a requester attempts to view the account password, Credential Manager sends an email with the request to the specified approver or approvers. Approvers receive the email notification with the following request details:
  • Name of the user submitting the request
  • Account name for the requested password view
  • Requested account target application
  • Requested account target server
  • Password view reason
  • Requested timeframe (in UTC)
Dual authorization offers a one-click approval feature. One-click approval allows identified approvers to approve or deny the password view request without logging in.
When one-click approval is enabled, an email is sent to the approvers whenever someone attempts to view the password. The email notification includes all the standard details and two URLs. One URL approves the request and the other URL denies the request. The approver does not need to log in to the appliance. Instead, they can select the approve or deny URL directly from the email. If One Click Approval is not enabled, each approver still receives an email, but without the URLs. Instead, the approver must log in to view a list of pending requests, which are approved, denied, or expired.
Credential Manager sends an email to the requesters notifying them of the password view request decision. If the request is approved, the requester can view the password.
To configure dual authorization using the CLI, see View Dual Authorization Requests in the CLI.
Who Can Be An Approver?
Dual authorization requires an approver to allow, deny, and delete password view requests. For a user to become an approver, that user must meet two criteria:
  • The user must have a role with the credentialsManage privilege. Roles with this privilege are:
    • Global Administrator
    • Password Manager
    • Operational Administrator
    For more about roles and privileges, see User Roles.
  • The user must belong to a Credential Manager group that includes a Credential Manager role with the following privileges:
    • Update Password View Request Status
    • List Password View Request Summary By Approver
    For example, the System Admin Group is a Credential Manager group with the necessary privileges.
    To see a list of Credential Manager roles in each group, select Credentials, Manage Credential Groups. Double-click a role in the list and view the selected privileges for that role.
Require Dual Authorization
Enable and configure dual authorization using the following procedure. 
 
Follow these steps:
 
  1. Go to Credentials, Workflow, Password View Policies.
  2. On the Dual Authorization tab, select the Dual Authorization checkbox.
  3. Set the time period for View Password requests.
    • Request must be within: Specifies the time frame within which the password view can be requested. The default value is 14 days.
    • Default Request Interval: Specifies the default interval in minutes to view the password, if applicable. The default value is 60 minutes. When a user requests a password, the time between the Request Password From and Request Password To fields is set to the default request interval.
    • Maximum Request Interval: Specifies the maximum interval in minutes, up to which the password can be viewed, if applicable. The default value is 60 minutes.
    When users request password viewing, it is for a specific time period. For example, August 8 from 9:00 to 11:00. Specify the time zone in Global Settings, Default Preferences.
    This time period defines when a user can retrieve and view a password. The View Password function does not initiate session management.
  4. (Optional) Select Enable One Click Approval.
    If selected, this option allows specified approvers to approve or deny the password view request without logging in to Credential Manager.
  5. From the Available Approvers list, select users and move them to the Selected Approvers list.
  6. Select OK.
When a user or administrator makes a request to view the password, Credential Manager automatically sends an email notification to the approvers for that account. A confirmation message appears.
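The following Python sketch is an added example, not Credential Manager code. It models the three time settings from step 3 and shows that, at the default values, the page's own sample window (9:00 to 11:00) exceeds the 60-minute Maximum Request Interval. Assumptions: "Request must be within" is read as a limit on how far ahead a window may start, and the year, the UTC-4 offset and the "now" value are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ViewPolicy:
    # Defaults are the default values the page lists for each field.
    request_within: timedelta = timedelta(days=14)
    default_interval: timedelta = timedelta(minutes=60)
    max_interval: timedelta = timedelta(minutes=60)

def check_request(policy, now_utc, start_local, end_local=None):
    """Return (start_utc, end_utc, problems) for a requested view window."""
    for t in (now_utc, start_local, end_local):
        if t is not None and t.tzinfo is None:
            raise ValueError("naive datetime: a time zone is required")
    # Approvers see the timeframe in UTC, so normalise before comparing.
    start = start_local.astimezone(timezone.utc)
    # No explicit end time: apply the Default Request Interval.
    end = (start + policy.default_interval if end_local is None
           else end_local.astimezone(timezone.utc))
    problems = []
    if end <= start:
        problems.append("end is not after start")
    elif end - start > policy.max_interval:
        problems.append("window exceeds Maximum Request Interval")
    if end <= now_utc:
        problems.append("window is already in the past")
    # Assumption: the limit bounds how far ahead the window may start.
    if start - now_utc > policy.request_within:
        problems.append("start is beyond 'Request must be within'")
    return start, end, problems

# Constructed sample values: year, UTC-4 offset and "now" are not from the page.
LOCAL = timezone(timedelta(hours=-4))
NOW = datetime(2024, 8, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    policy = ViewPolicy()
    nine = datetime(2024, 8, 8, 9, 0, tzinfo=LOCAL)
    eleven = datetime(2024, 8, 8, 11, 0, tzinfo=LOCAL)
    cases = [("9:00-11:00", (nine, eleven)), ("9:00, default end", (nine,))]
    for label, args in cases:
        start, end, problems = check_request(policy, NOW, *args)
        print(label, start.isoformat(), end.isoformat(), problems or "ok")
```

To allow a two-hour window like the one in the page's example, raise Maximum Request Interval to at least 120 minutes.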