Build the environment for the Credential Provider

PVWA

The following procedure describes how to build an environment for the Credential Provider in the PVWA.

Build an environment in the PVWA

Add the application(s) that will request passwords from the Credential Provider. You can add applications in the Applications tab of the PVWA either manually or automatically.

For information about adding applications, refer to Manage applications.
Enforce users to specify a reason for requesting secrets.

In Privileged Access Security solutions (v8.0 and later), users are required to specify a reason each time they retrieve a password if the Require users to specify reason for access rule is set in the Master Policy. For more information about setting this rule, refer to the Privileged Access Security docs.

The Credential Provider SDK can be configured to specify a reason for retrieving a password even if this option is not selected. For more information, refer to Application Password SDK.
To enable object level access, in the Edit Safe page, select Enable Object Level Access Control. For more information about object level access control, refer to the Privileged Access Security docs.

In the Password Safe, add the privileged accounts that will be required by the applications. You can either do this in either of the following ways:

Manually – Add accounts manually one at a time, and specify all the account details.
Automatically – Add multiple accounts automatically using the Password Upload feature.

Before adding privileged accounts, define all the standard considerations for controlling and managing the privileged accounts used by the applications within the context of the Credential Provider implementation and the timeframe in which passwords must be supplied:

Item	Description
Access Control	The users that require access to these accounts, including Provider, automated, and human users.
Workflows	The workflows that will be used for accessing these accounts. This refers to dual control, ticketing integration, check-in/check-out, and other standard Vault workflows.
Compliance	The compliance requirements for managing these accounts, and whether an account management policy has already been defined for these accounts.
Account Management	The methods that will be implemented to enforce the defined compliance requirements.
Monitoring and auditing	The way that the enterprise monitors the system and ensures that policies are enforced properly.

Add the Credential Provider and application users as Members of the Password Safes where the applications’ passwords are stored. This can either be done manually in the Safes tab, or by specifying the Safe names in the CSV file for adding multiple applications.
1. Add the Credential Provider user as a Safe Member with the following authorizations:
  - List accounts
  - Retrieve accounts
  - View Safe Members
2. Add the application(s) as a Safe Member with the following authorizations:
  - Retrieve accounts
  - List accounts (required for authentication with credential files)
  If this user belongs to a group, make sure that the group has this authorization.
3. If the Safe is configured for object level access, make sure that both the Credential Provider user and the application have access to the password(s) to retrieve.

For more information about configuring Safe Members, refer to the Privileged Access Security docs.

Credential Provider machine

The following procedure describes how to build an environment on the Credential Provider machine.