Set the Master Policy

The Master Policy enables you to define a baseline for how you manage accounts in your organization.

To access and manage policies in the Privilege Cloud Portal you must be a member of the Vault Admins group.

Set Master Policy rules and settings

  1. In the Privilege Cloud Portal, click Policies. The Master Policy appears by default, displaying the rules applied in each category.

  2. Click each rule to display the Rule Preview pane which displays a description of the rule, advanced settings, and the exceptions to the rule.

  3. To set the value for each rule, select the rule row and in the Rule Preview pane click the Value field edit icon, set the required value, and save it.

  4. To set the rule's advanced settings, click Edit Settings, set your selections, and save your settings.

  5. To set exceptions for the rule, click Add Exception. To learn more about exceptions, see Create exceptions to Master Policy.

Master policy rules and settings

This section describes the Master Policy rules, their default values, and advanced settings.

Require dual control password access approval

Description

Users must receive approval from authorized users before they can access passwords. This enables you to see who wants to access passwords, when, and for what purpose.

This rule helps enforce separation of duties.

For details, see Set up dual control.

Default value

Inactive

Advanced settings

Determine the following workflows:

  • Whether requests for privileged accounts require approval from multiple levels of users.

  • Whether requests for privileged accounts must be approved by a direct manager.

  • The number of authorized users required to confirm requests.

Enforce check-in/check-out exclusive access

Description

Users can check out an account and lock it so that no other users can retrieve it at the same time. After the user has used the password, they check the password back into the Vault. Together with enforcing one-time password access, this restricts access to a single user, ensuring exclusive usage of the privileged account and guaranteeing accountability.

To achieve automatic release of locked passwords and full personal accountability, enable this rule along with the Enforce one-time password access rule. If a user doesn't check the account in manually within a predefined timeframe, the account is checked in automatically. This timeframe is determined by the MinValidityPeriod platform setting or by the timeframe defined in the dual control request.

For details, see Lock and release an account.

Default value

Inactive

Advanced settings

None

Enforce one-time password access

Description

Use this rule to ensure that passwords are changed after each access.

When a user retrieves an account, a password change process is initiated, and will occur automatically after a predefined timeframe.

In contrast to the Enforce check-in/check-out exclusive access rule, multiple users can access the same password simultaneously.

To achieve personal accountability, enable this rule and the Enforce check-in/check-out exclusive access rule together. The timeframe for which an account remains available before its password is automatically changed is determined by the MinValidityPeriod platform setting or by the timeframe defined in the dual control request.

Default value

Inactive

Advanced settings

None
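The following is an added illustrative model, not CyberArk code or a Privilege Cloud API, of how the check-in/check-out exclusive access and one-time password access rules above interact with dual control and the reason-for-access rule when a user retrieves an account. The MinValidityPeriod value, the account names and the sample times are assumptions constructed for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MINUTE = timedelta(minutes=1)
T0 = datetime(2024, 1, 1, 9, 0)          # constructed sample time for the walkthrough

@dataclass
class MasterPolicy:
    """Subset of Master Policy rules (page defaults unless noted)."""
    dual_control: bool = False           # Require dual control password access approval
    exclusive_access: bool = False       # Enforce check-in/check-out exclusive access
    one_time_password: bool = False      # Enforce one-time password access
    reason_required: bool = True         # Require users to specify reason for access

@dataclass
class Account:
    name: str
    min_validity_minutes: int = 60       # platform MinValidityPeriod (assumed value)
    checked_out_by: Optional[str] = None
    release_at: Optional[datetime] = None
    change_scheduled_at: Optional[datetime] = None

def check_in(account: Account) -> None:
    """Manual or automatic check-in: release the exclusive lock."""
    account.checked_out_by = account.release_at = None

def retrieve(policy, account, user, now, reason=None, approved=False, request_window=None):
    """Evaluate a retrieval; returns (granted, detail). request_window is the
    timeframe of an approved dual control request, which overrides MinValidityPeriod."""
    if policy.reason_required and not reason:
        return False, "reason required"
    if policy.dual_control and not approved:
        return False, "dual control approval required"
    if policy.exclusive_access and account.checked_out_by not in (None, user):
        if account.release_at is not None and now >= account.release_at:
            check_in(account)            # timeframe elapsed: automatic check-in
        else:
            return False, f"locked by {account.checked_out_by} until {account.release_at:%H:%M}"
    window = request_window or account.min_validity_minutes * MINUTE
    if policy.exclusive_access:          # lock the account for this user only
        account.checked_out_by, account.release_at = user, now + window
    if policy.one_time_password:         # schedule the change that follows each access
        account.change_scheduled_at = now + window
    return True, "granted"
```

With only one-time password access enabled, several users can retrieve the same account at once and the change is still scheduled; with both rules enabled, a second user is refused until the first user checks in or the timeframe elapses.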

Require users to specify reason for access

Description

Users can only retrieve accounts after they specify a reason that explains why they want to retrieve them.

Default value

Active

Advanced settings

Set whether users can specify a reason by free text or are required to select one of the predefined reasons.

Require password change every X days

Description

The Master Policy determines how frequently passwords must be changed.

You can see when password changes are planned in the Compliance Report.

Note: This setting does not enforce password rotation; it only determines the rotation period.

Default value

90 days

Advanced settings

None

Require password verification every X days

Description

Passwords will be verified after the timeframe specified in the previous rule. They can be changed manually or replaced by a unique and highly secure password that is randomly generated by the Password Vault.

Default value

7 days

Advanced settings

None

Require privileged session monitoring and isolation

Description

All IT administrator privileged sessions on remote machines will be monitored and isolated.

Default value

Inactive

Advanced settings

None

Record and save session activity

Description

All activities in each privileged session, in text and/or video format, are recorded and stored in the Vault, in a compressed format, for future auditing. These recordings are transparent to users and cannot be bypassed.

Platform properties determine privileged session recording and storage behavior. The sessions are stored for a configurable number of days (the SessionRecorderSafeRetention parameter), and then deleted. See Privileged Session Management in UI and Workflows.

Default value

Active

Advanced settings

None

Activities audit retention period

Description

This rule controls the number of days that Safe activities audits are retained.

If this parameter is set to zero, activities in the Safe will not be written in an audit log.

Default value

90 days

Advanced settings

None