Request a Password from Password Safe

If you have a dual control configuration, the password release is a three-step process. Using dual control ensures the security of the system account password, provides accountability, and provides dual control over the managed accounts.

  1. Password request: An authorized requester requests a password release.
  2. Password approval: An authorized approver reviews and approves the request for release.
  3. Password retrieval: The authorized requester retrieves the approved password.

To use a dual control setup, Password Safe users must be assigned one of the following roles: Requestor, Approver, or Requestor/Approver.

Request a Password Release

  1. Log in to the Password Safe web portal.
  2. On the Accounts page, select the tab for the type of system or application you need to access.
  3. Select the system from the list.
  4. On the Requests page, set the following:
    • Start Date: Select the start date for the session that corresponds with the access policy.
    • Start Time: Select Immediately to release the password at the current time, or click the Scheduling button for a future release. For example, schedule a release to coincide with scheduled maintenance.
    • Requested Duration: Set the length of time that the password should be available.
      The default value is two hours. The maximum duration is 365 days. The default and maximum durations are set on the managed account.
    • Access Request: For the session type, select Password, RDP Session, SSH, or Application Session.
    • Reason: Enter a reason for the request. The maximum allowed length is 200 characters.
    • Ticket System: Select a ticket system from the list. Ticket systems can be used for cross-reference.
    • Ticket Number: Enter a ticket number.

Reason, Ticket System, and Ticket Number fields may or may not be required, depending upon options configured in the access policy by your Password Safe administrator. Also, if your Password Safe administrator has set a specific ticket system in the access policy, you cannot select a different ticket system with your request.

  5. Click Submit Request. An email is sent to the approver if email notification is configured.

Review a Password Request

You can review password requests on the Requests page. The list of requests available for review depends on your role. You can review the requests on systems where you are a requester.

  1. On the Requests page, click the buttons to view all, active, and pending requests.
  2. Use the filter setting available on each header to narrow the search. Enter filter criteria in the box.

Approve or Deny a Password Request

When a password request for a system is properly submitted, the associated approvers for that system are notified by email of the pending request. Using the following procedure, an approver can approve or deny the password request:

  1. Log in to the Password Safe web portal.
  2. Select Approve and click Pending.
  3. Click on a pending request.
  4. Enter a comment for the approval.
  5. Select Approve or Deny.

An approver will be asked to confirm any denied requests. Once a request is approved, the approver can still deny it if the situation warrants.

Retrieve a Password

Passwords approved for release can be displayed at any time (and as often as needed) during the release duration. After the password is approved, an email notification is sent to the requestor's email account. The requestor can then retrieve the password.

  1. Click the link to see a window with the date and time the release was approved and any comments made by the approver.
  2. Click Retrieve Password to display the system account password. The password displays in a separate window for a maximum of 20 seconds. The dialog box can be closed before the 20-second timeout.

Copy Password to Clipboard

  1. To copy the password to the clipboard, click the Copy button.
  2. Use the password to log in to the system within the password release time period.

Multi-System Checkout

Managed systems can be linked to Active Directory accounts. You can submit a request to these Active Directory accounts and then access the managed systems linked to that account.

Your Password Safe administrator must configure the correct permissions for the managed system to use this feature.

  1. Log in to the Password Safe web portal.
  2. Click Menu, then select Accounts.
  3. Click the Domain Linked Accounts tab for the system type you need to access.
  4. Select the account from the list.

Multi-System Checkout Request

  1. On the Requests page, set the following:
    • Start Date: Select the start date for the session that corresponds with the access policy.
    • Start Time: Select Immediately to release the password at the current time, or use the scheduling option to schedule the password release for another time. For example, schedule a release to coincide with scheduled maintenance.
    • Requested Duration: Set the length of time the password should be available.
      The default value is two hours. The maximum duration is 365 days. The default and maximum durations are set on the managed account by your Password Safe administrator.
    • Access Request: Select the type of access: Password, RDP Session, SSH, or Application Session.
      The available options will vary depending on the account selected.

    • Multi-System Checkout: Select this option to use this account and request for Admin Sessions. This option is displayed only if the requestor has permissions to use this feature.
    • Reason: Enter a reason for the request. By default, this field is required, but it can be disabled through BeyondInsight options. The maximum allowed length is 200 characters.
    • Ticket System: (optional) Select a ticket system from the list. Ticket systems can be used for cross-reference.
    • Ticket Number: (optional) Enter a ticket number.
  2. Click Submit Request. An email is sent to the approver if email notification is configured.

Approve a Request for Multi-System Checkout

If the request is approved either automatically or by an approver, the account is available on the Admin Sessions page for the duration of the request for which it was approved.

  1. On the Admin Sessions page, select an account from the Available Accounts list.
  2. The Asset/IP list populates with managed systems that are tied to the account.
  3. Select an asset from the Asset menu.
  4. Once a request is approved, the requestor can then choose to open the session with any computer linked to the approved account regardless of whether or not it was included in the initial request.
  5. Click Connect to start the RDP or SSH session.

Use the OneClick Feature

A requestor sees the OneClick (thunderbolt) button when they log in to Password Safe to make a request. When they open OneClick, any access policies that are configured with auto-approve are checked for availability. Clicking the button allows the requestor to choose the duration of the request and connect immediately, as long as they have entered a request which meets the criteria of the access policy. Comprehensive messages are displayed to the requestor if their requests do not meet the requirements configured in the access policy.