Process Password View Requests as an Approver
Learn how to process dual authorization and retrospective approval password view requests.
pam411
HID_MyApprovalsPanel
This content describes how to process dual authorization and retrospective approval password view requests.
Process Dual Authorization Requests
Process Dual Authorization Requests
As an approver for a dual authorization password view policy, you can grant, deny, or expire a password view request. You can act on a specific request only once.
When the password view request exceeds the date and time in the request, the request status changes automatically. For example, a password view request start date and time are 2012-11-19 18:06 and the end date and time is 2012-11-19 19:06. After 2012-11-19 19:06, the status of the request that is yet pending changes to Expired. The status of the request that is approved or denied changes to Approved, Expired, or Denied. The status of the request that is checked in or checked out changes to Checked In or Checked Out.
The following methods are different ways to view requests:
Handle Requests from My Approval List
Follow these steps:
- Navigate toCredentials,Workflow,My Approvals. A list of requests appears.
- Select a specific pending password view request and select theVIEWbutton. ThePassword View Request Detailspane appears.
- After reviewing the reason details in the email, select the appropriate option to approve, deny, or expire the request.
You can also select multiple password view requests and then select
Approve All
or Deny All
.Approve or Deny Requests from the Target Accounts Panel
After you receive an email notification of a password view request, review the details in the email. Then, approve or deny the request from the Current Requests section on the
Target Accounts
panel.You cannot expire a password from the
Current Requests
section. You must select the entry and must select Expire
from the Password View Request Details
panel.Follow these steps:
- SelectCredentials,Manage Targets,Accounts. TheAccount Listpanel appears with a list of current requests.
- Take one of the following actions in theCurrent Requestssection:
- Select the green Thumbs Up icon under theActioncolumn for the appropriate account.
- Select the red Thumbs Down icon under theActioncolumn for the account.ThePassword View Request Approvalpop-up appears.
- SelectApproveorDeny.
- Select the reason to approve the request from the drop-down list.
- (Optional) Enter the reason description.
- SelectSave.
- When you are prompted to confirm the approval, selectYes.
Grant or Deny a One-Click Approval Request
A password view policy might be enabled for dual authorization with one-click approval. When a person attempts to view the account password with these features enabled, Credential Manager sends an email to the approver. The approver can approve or deny the request directly from the received email without logging in to the appliance.
The contents of the email can differ based on the email template configuration. See Configure the Email Server and Email Templates.
The approver can review the reason details in the email then approve or deny the request by:
- Clicking the URL given for approving the password view request. The password view request status is updated to Approved. A web page appears with the approval confirmation message.
- Clicking the URL given for denying the password view request. The password view request status is updated to Denied. A web page appears with the rejection message.
Under the following conditions, the approver might be redirected to an error page:
- The approver is invalid or expired.
- The password view request is invalid or expired.
- The status is invalid.
- The password view request is already approved or denied.
Process Retrospective Approval Requests
Process Retrospective Approval Requests
As an approver for a retrospective approval password view policy, you can retrospectively acknowledge or decline a password view request. You can act on a specific request only once.
Follow these steps:
- Navigate toCredentials,Workflow,My Approvals. A list of requests appears.
- Select a specific pending password view request and select theVIEWbutton.ThePassword View Request Detailspane appears.
- After reviewing the reason details in the email, select the appropriate option to acknowledge or decline the request.
You can also select multiple password view requests and then select
Acknowledge All
or Decline All.
Identify Extended Timeout Requirements in Password View Requests with Extended Timeout
Identify Extended Timeout Requirements in Password View Requests with Extended Timeout
As an approver, you can see the connection idle timeout value that is associated with a password view request in the following locations:
- TheTimeoutcolumn on theMy Password View Approvalspanel (Credentials,Workflow,My Approvals).
- TheConnection Idle Time (Minutes)entry on thePassword View Request Detailspane
Connection Idle Timeout
specified in the Global Settings.Delete a View Request Using the UI
Delete a View Request Using the UI
All password view requests with status Approved, Denied, Pending, Expired, Acknowledged, or Denied are available in the My Approval List. Any password view request that is not required can be deleted from the My Approval List with the UI.
Use the following procedure to delete a request using the UI My Approval List.
Follow these steps:
- Go toCredentials,Workflow,My Approvals. The My Approval List Panel appears.
- Select the check box corresponding the password view requests to be deleted. SelectDelete.
- When you are prompted to confirm the deletion, selectOK.
Delete View Requests Automatically
You can automate the removal of password view requests using the
Password View Request Delete Interval
Days
setting. For example, if you set the value of the interval for two days, the requests are deleted automatically from the list after every two days. Follow these steps to set the delete interval:
- Go toSettings,Credential Manager,General Settings.
- In thePassword View Request Delete Interval Daysfield, enter the number of days you want view requests removed.
- SelectSave.