Process Password View Requests as an Approver

Learn how to process dual authorization and retrospective approval password view requests.
pam411
HID_MyApprovalsPanel
This content describes how to process dual authorization and retrospective approval password view requests.

Process Dual Authorization Requests

As an approver for a dual authorization password view policy, you can grant, deny, or expire a password view request. You can act on a specific request only once.
When the password view request exceeds the date and time in the request, the request status changes automatically. For example, a password view request start date and time are 2012-11-19 18:06 and the end date and time is 2012-11-19 19:06. After 2012-11-19 19:06, the status of the request that is yet pending changes to Expired. The status of the request that is approved or denied changes to Approved, Expired, or Denied. The status of the request that is checked in or checked out changes to Checked In or Checked Out.
The following methods are different ways to view requests:
Handle Requests from My Approval List
Follow these steps:
  1. Navigate to
    Credentials,
    Workflow
    ,
    My Approvals
    .  A list of requests appears.
  2. Select a specific pending password view request and select the
    VIEW
    button. The
    Password View Request Details
    pane appears.
  3. After reviewing the reason details in the email, select the appropriate option to approve, deny, or expire the request.
You can also select multiple password view requests and then select
Approve All
or
Deny All
.
Approve or Deny Requests from the Target Accounts Panel
After you receive an email notification of a password view request, review the details in the email. Then, approve or deny the request from the Current Requests section on the
Target Accounts
panel.
You cannot expire a password from the
Current Requests
section. You must select the entry and must select
Expire
from the
Password View Request Details
panel.
Follow these steps:
  1. Select
    Credentials
    ,
    Manage Targets
    ,
    Accounts
    . The
    Account List
    panel appears with a list of current requests.
  2. Take one of the following actions in the
    Current Requests
    section:
    • Select the green Thumbs Up icon under the
      Action
      column for the appropriate account.
    • Select the red Thumbs Down icon under the
      Action
      column for the account.
      The
      Password View Request Approval
      pop-up appears.
  3. Select
    Approve
    or
    Deny
    .
  4. Select the reason to approve the request from the drop-down list.
  5. (Optional) Enter the reason description.
  6. Select
    Save
    .
  7. When you are prompted to confirm the approval, select
    Yes
    .
Grant or Deny a One-Click Approval Request
A password view policy might be enabled for dual authorization with one-click approval. When a person attempts to view the account password with these features enabled, Credential Manager sends an email to the approver. The approver can approve or deny the request directly from the received email without logging in to the appliance.
The contents of the email can differ based on the email template configuration. See Configure the Email Server and Email Templates.
The approver can review the reason details in the email then approve or deny the request by:
  • Clicking the URL given for approving the password view request. The password view request status is updated to Approved. A web page appears with the approval confirmation message.
  • Clicking the URL given for denying the password view request. The password view request status is updated to Denied. A web page appears with the rejection message.
Under the following conditions, the approver might be redirected to an error page:
  • The approver is invalid or expired.
  • The password view request is invalid or expired.
  • The status is invalid.
  • The password view request is already approved or denied.

Process Retrospective Approval Requests

As an approver for a retrospective approval password view policy, you can retrospectively acknowledge or decline a password view request. You can act on a specific request only once.
Follow these steps:
  1. Navigate to
    Credentials,
    Workflow
    ,
    My Approvals
    .  A list of requests appears.
  2. Select a specific pending password view request and select the
    VIEW
    button.
    The
    Password View Request Details
    pane appears.
  3. After reviewing the reason details in the email, select the appropriate option to acknowledge or decline the request.
You can also select multiple password view requests and then select
Acknowledge All
or
Decline All.

Identify Extended Timeout Requirements in Password View Requests with Extended Timeout

As an approver, you can see the connection idle timeout value that is associated with a password view request in the following locations:
  • The
    Timeout
    column on the
    My Password View Approvals
    panel (
    Credentials
    ,
    Workflow
    ,
    My Approvals
    ).
  • The
    Connection Idle Time (Minutes)
    entry on the
    Password View Request Details
    pane
To identify a password view request seeking an extended timeout, look for a value more than the default
Connection Idle Timeout
specified in the Global Settings.

Delete a View Request Using the UI

All password view requests with status Approved, Denied, Pending, Expired, Acknowledged, or Denied are available in the My Approval List. Any password view request that is not required can be deleted from the My Approval List with the UI.
Use the following procedure to delete a request using the UI My Approval List.
Follow these steps:
  1. Go to
    Credentials
    ,
    Workflow
    ,
    My Approvals
    . The My Approval List Panel appears.
  2. Select the check box corresponding the password view requests to be deleted. Select
    Delete
    .
  3. When you are prompted to confirm the deletion, select
    OK
    .
Delete View Requests Automatically
You can automate the removal of password view requests using the
Password View Request Delete Interval
Days
setting. For example, if you set the value of the interval for two days, the requests are deleted automatically from the list after every two days.
Follow these steps to set the delete interval:
  1. Go to
    Settings
    ,
    Credential Manager
    ,
    General Settings
    .
  2. In the
    Password View Request Delete Interval Days
    field, enter the number of days you want view requests removed.
  3. Select
    Save
    .