Password Access Control Workflow (Feature available only in Premium and Enterprise Editions)
After successful authentication into Password Manager Pro, users get access to the passwords that are either owned by them or shared with them. When storing very sensitive passwords, administrators quite often wish to have an extra level of security. In other cases, administrators wish to grant certain users temporary access to passwords for a specified period of time.
There are also requirements to give users exclusive privilege to passwords. That means only one user should be allowed to use a particular password at any point in time. When more than one user is required to work on the same resource, problems of coordination arise. Password Manager Pro provides access controls on concurrent usage to help resolve such issues.
How does Password Access Workflow work?
Once password access control is enforced for a resource, a password access attempt by a user follows the workflow detailed below:
- User needs access to a password that is shared with him/her.
- Makes a request for accessing the password.
- Request goes to administrator(s) for approval. If more users require access to the same password, all the requests will be queued up for approval.
- If the administrator does not approve the request within the stipulated time, it becomes void. If the user has specified a stipulated time for password access, the request becomes void after that user-specified time.
- If the administrator rejects the request, it becomes void.
- If the administrator approves the request, the user will be allowed to check out the password only during the specified stipulated time or during the access time approved by the administrator. In case two administrators have to approve a password, the user will be allowed to check out only after approval by both administrators.
- Once the user checks out a password, it will be available exclusively for their use till the stipulated time.
- If any other user requires access to the same password at the same time, they will be provided access only after the previous user checks in the password. This rule applies to all, including administrators, password administrators and owner of the password.
- The administrator can also revoke password access for the user at any time. The password will be forcefully checked in in such circumstances, denying access to the user. Once the user finishes their work, the password will be reset.
- While giving exclusive access to a user temporarily, Password Manager Pro provides the flexibility to let administrators view the password concurrently. This can be enabled, if required, through a simple administrative setting under "General Settings".
Note: The access control workflow does not override the password ownership and sharing mechanism of Password Manager Pro; it is only an enhanced access control mechanism. Normally, when a password is shared with a user, the user can directly view the password. When access control is enabled, the user has to request the release of a password to which he/she already has access.
To implement access control workflow
- Navigate to "Resources" tab.
- Select the resource[s] for which you wish to enforce access control.
- If you have selected only one resource, click the "Resource Actions" icon against that particular resource and select "Access Control" from the drop-down. If you have selected more than one resource, click the "Resource Actions" button at the top of the resources list and select "Configure Access Control" from the drop-down.
In the pop-up form that opens,
- Designate the administrator(s) who can approve password release requests. All administrators and password administrators in the system are listed on the left-hand side. You can designate as many administrators as you wish. Anyone from the list of 'authorizers' can approve the requests raised by users. Optionally, you can enforce dual approval by designating two administrators. In that case, select the check box "Enforce approval by at least two administrators" at the end of the page and ensure that you have placed at least two administrators in the "Authorized Administrators" box on the right-hand side. You can also designate one or more user groups who can approve password release requests. When a user group is designated, the administrators, password administrators and admin users with a custom role in that group are given approval rights. If dual approval is enforced, the group must contain at least two valid admins.
- The option "Exclude some users from access control" allows you to exempt desired users or set of users from a selected user group from going through this control workflow, i.e. they would not have to raise requests for password access.
- If you have chosen dual approval, select the checkbox "Enforce approval by at least two administrators" in the 'Miscellaneous settings' tab.
- After checkout, when a user retrieves a password by clicking the asterisks, the password appears in plain text. If you want to force users to provide a reason for password retrieval, select the checkbox "Enforce users to provide a reason for password retrieval".
- The option "Send a reminder e-mail to administrator to process the password access request before the stipulated time" sends a reminder mail to the administrator, a specified number of minutes before the request would become void, if the request is still pending approval.
- There is also an option to provide a grace time of up to 60 minutes to the user when the access time ends. To enable this option, select the checkbox "Once the access time ends, provide grace time of X minutes to the user" and specify the value in minutes.
- You also have an option to mention the auto check-in time when the request is approved by the administrator. This can be done by selecting the checkbox "The password will be checked in automatically after maximum of 48 hours of approval time" and specifying the auto check-in time in hours.
- Next, specify the maximum time period in hours after which a pending password request becomes void if the administrators do not approve it. If one administrator has approved the password request, the approval status will be sent as a notification to the other administrator.
- You can also enforce concurrency controls for password access. That is, the password can be made available for the exclusive use of a particular user for a specified time period, during which no one else, including the owner of the resource, is allowed to view the password. By default, the password remains exclusive for 8 hours; you can modify this to the desired value. For example, if you specify the time period as two hours, the password is made available exclusively to that user for two hours and others cannot view it during that period. After the specified time period, the access becomes void and the password is no longer available to that user; other users can then view the password again. If you specify the value as '0' hours, the password remains exclusive for unlimited hours.
- You can also enforce automatic reset of password once the user gives up password access. To do this, select the option "Reset Password After Exclusive Use". For automatic password reset to take effect, you need to ensure that all required credentials have been supplied to the resource for remote password reset or you should have installed PMP agents in the resource. Otherwise, the automatic password reset will not take effect.
- Password Manager Pro provides the option for automatic approval of password access requests. That means users need not wait for approval by authorized administrators while going through the access control workflow. The requests are approved automatically and notifications are sent to the authorized administrators. When the password is released after automatic approval, it is reserved for the exclusive use of the requester for the specified time period. Administrators can set automatic approval for requests raised during a specific time period of the day, for example all requests raised between 2 p.m. and 3 p.m., or set automatic approval to take place at any time of the day. This feature serves users when no administrator is available to approve. Apart from the automatic nature of the approval, all other aspects of this feature remain the same as in the access control workflow.
- Once you have checked the necessary options for access control workflow, click "Save & Activate".
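The workflow and the settings above (dual approval, void time, exclusive period, reset after use) can be summarised as a small state machine. The following is an added, constructed model written for this page, not Password Manager Pro code; class and method names are assumptions and times are plain floats in hours.

```python
# Constructed model of the request / approve / check-out / check-in workflow
# described on this page. Illustration only, not product code.
class ControlledPassword:
    def __init__(self, authorizers, dual_approval=False, void_after_hours=24.0,
                 exclusive_hours=8.0, reset_after_use=False):
        self.authorizers = set(authorizers)       # "Authorized Administrators"
        self.dual_approval = dual_approval        # "Enforce approval by at least two administrators"
        self.void_after_hours = void_after_hours  # pending request becomes void after this
        self.exclusive_hours = exclusive_hours    # 0 means unlimited exclusive access
        self.reset_after_use = reset_after_use    # "Reset Password After Exclusive Use"
        self.requests = {}                        # user -> {"at", "approvals", "status"}
        self.holder, self.checkout_at = None, 0.0 # user currently holding the password
        self.audit = []

    def request(self, user, now):
        self.requests[user] = {"at": now, "approvals": set(), "status": "Waiting for approval"}
        return "Waiting for approval"

    def approve(self, admin, user, now):
        req = self.requests[user]
        if admin not in self.authorizers:
            raise PermissionError(f"{admin} is not an authorized approver")
        if now - req["at"] > self.void_after_hours:
            req["status"] = "Request"             # not approved in time: request is void
        else:
            req["approvals"].add(admin)
            if len(req["approvals"]) >= (2 if self.dual_approval else 1):
                req["status"] = "Check Out"       # user may now check the password out
        return req["status"]

    def check_out(self, user, now):
        req = self.requests[user]
        if req["status"] != "Check Out":
            raise PermissionError("request not approved")
        if self.holder is not None:               # exclusivity applies to everyone, owner included
            raise PermissionError(f"in exclusive use by {self.holder}")
        self.holder, self.checkout_at, req["status"] = user, now, "In use"
        return "In use"

    def check_in(self, now, by=None, reset=lambda: True):
        # by: the holder, an approver (forced check-in), or None for the system at expiry
        user = self.holder
        if user is None:
            raise PermissionError("nothing is checked out")
        expired = self.exclusive_hours and now - self.checkout_at >= self.exclusive_hours
        if by not in (user, *self.authorizers) and not expired:
            raise PermissionError("only the holder, an approver, or expiry can check in")
        self.holder, self.requests[user]["status"] = None, "Request"
        if self.reset_after_use and not reset():  # reset failure is audited and approvers notified
            self.audit.append(f"reset failed after {user} check-in; approvers notified")
        return "Request"
```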
Following are some of the use case scenarios of access control workflow in an organization:
Case 1: User Requiring Access to a Password
A user who requires access to a password that is safeguarded by the access control mechanism will have to make a request to the administrator to grant permission to view the password. To make a request:
- Navigate to "Resources" tab and switch to "Passwords" tab.
- All the passwords will be listed in the table below. Click "Request" against the desired passwords to request the administrator to grant permission to view the passwords.
- In the new pop-up form that opens,
- You can specify when you want to access the password - now or later.
- You can enter a reason to view the password.
- Also, you can send a reminder mail before few minutes of your access time.
- Once the administrator approves your request, you will be allowed to view the password. Till then, you will see the status as "Waiting for approval".
- Once the administrator approves, you will see the status as "Check Out". To view the password, click the link "Check Out". The "Check Out" button is enabled only during the approved access time.
- Click "Save". Now, you will be allowed to view the password.
Case 2: Administrator approving a password request
If you're an administrator and a user has requested your approval to view a password, you will receive an email notification about the request. You can view all the requests pending your approval from the 'Admin' tab. To approve a request:
- Navigate to Admin >> Manage >> Password Access Requests.
- Click the link "Process request" against a request to allow the user to view the password. A new window opens, where the administrator can:
- Approve or reject the password access request.
- Specify when the user can access the password: now or later.
- Specify the reason for password access request approval / rejection.
- Immediately after you approve the request, the status of the link will change to "Yet to Use" indicating that the user is yet to check out the password.
- Once the user has viewed the password, the status will change to "In use".
- You can also "Reject" the request, in which case, the request will be removed from the queue.
Case 3: User completes his password usage
The crux of the access control mechanism is that the user is allowed only temporary access to passwords. So, once the user finishes their work, they can give up the password. To give up access to the password:
- Click the link "Check In" present near the password. Once you do this, the password will be checked in and the status will change as "Request" again.
- You will no longer be able to view the password. In case, you require access again, you will have to go through the "Request-Release" process again.
Case 4: Administrator forcefully checking in the password
The essence of the access control mechanism is to provide exclusive access privilege to a user for a specified time period. During this period, no one is allowed to view the password, including the owner. In case an emergency need arises to revoke the exclusive permission of the user, the administrator can forcefully check in the password at any point in time. To forcefully check in a password:
- Go to "Admin" >> "Password Access Requests".
- Click the link "Check in" against the specific request to revoke the user's access permission. Once you do this, user will not be allowed to view the password. Also, the request will vanish from the list.
Case 5: What happens if automatic password reset (if enabled) fails during password check-in?
Once a password is checked out by a user, it will be checked in due to any of the following three reasons:
- User checks-in on their own after using the password.
- System automatically revokes access after the stipulated time and checks in.
- Administrator forcefully checks-in the password.
When a password is checked in and the admin settings require automatic password reset, Password Manager Pro will try to reset the password. If Password Manager Pro is not able to reset the password in the actual resource, it will immediately trigger email notifications to the administrators who approved that user's password access request, so they can troubleshoot and set things right. The password reset failure will also be reflected in the audit trails.
Case 6: When a user has checked out a password, what happens if an already configured password reset scheduled task runs?
Password Manager Pro provides the option to create scheduled tasks for automatically resetting passwords periodically. It is quite possible that a scheduled task starts executing the reset of a password that is currently being used by a user. If that reset were allowed to complete, the user would be working with an outdated password. To avoid this, Password Manager Pro skips the reset of that password alone (all other passwords of other resources that are part of the scheduled task are still reset). The failure of the scheduled reset of that particular password will be reflected in the audit trails.
Case 7: Disabling Access Control
If you want to disable access control for any of the resources, you (the administrator) may do so at any time as explained below:
- Navigate to "Resources" tab.
- Select the resources for which you wish to disable access control.
- Click the link "Configure Access Control" from "Resource Actions" listing.
- Select the option "Deactivate".
Access Control for the selected resource will be deactivated. That means, any user who has permission to view the password (owned/shared) will be able to view the password without going through the access control process for that particular resource.
Case 8: Transferring approver privileges to other administrators
When an administrator leaves the organization or moves to a different department, resources owned by that administrator are transferred to some other administrator. If the departing administrator had acted as the approver for password release requests, the approval privileges should also be transferred. Otherwise, users requesting access to passwords will have no one to approve. Password Manager Pro provides an option to handle this scenario by allowing transfer of approver privileges from one administrator to another. All the resources that were earlier controlled by one admin can be easily transferred in bulk to another admin.
To transfer approver privileges,
- Navigate to "Users" tab.
- Search/select the user whose approver privileges you would like to transfer to another admin.
- Click the 'User Actions' icon against that user and select "Transfer Approver Privileges" from the drop down list.
- In the pop up that opens, all the resources for which the selected admin is authorized to approve password access requests will be displayed. Choose the desired resources.
- Then, select the admin to whom you would like to transfer the approver privileges.
- Hit "Transfer". The approver privileges will be transferred and the authorized administrator will be subsequently changed.
Summary of Terminologies:
- Request: The user has to make a request to view the password.
- Waiting for Approval: The password release request made by the user is pending the administrator's approval.
- Check Out: The administrator has approved the request and the user can view the password.
- Process request: The administrator can either approve or reject a password request.
- Yet to Use: Indicates that the user is yet to view the password released by the administrator.
- In use: The password is being used exclusively by a user.
- Check In: Giving up/revoking password access.