Dual Control
The Dual Control parameters enable you to benefit from the Vault’s dual control mechanism. This means that whenever a user tries to retrieve an account, a request is created and confirmation must be received from authorized users.
Dual control is configured at system level in the Master Policy. For details, see Dual Control.
Configure Dual Control
In the System Configuration page, click Options and display the Dual Control parameters.
Parameter | Description |
---|---|
FromTime | The default value for the ‘From time’ in the request when a time frame is specified. |
ToTime | The default value for the ‘To time’ in the request when a time frame is specified. |
Timeframe | Specifies the number of days after the ‘From Date’ specified in the request that the ‘To Date’ will display. |
ForceTimeframe | Determines whether or not the user is required to specify a time frame when creating a request. |
MaximumTimeframe | Specifies the maximum number of minutes that can be specified in the request. |
MultipleAccessChecked | Determines whether or not multiple access will be a default setting. |
ForceMultipleAccess | Determines whether or not the request must be for multiple access to the account or file during the specified time frame. |
AllowTimeframe | Determines whether or not the access timeframe and multiple access features will be displayed when a new request is created. If this parameter is set to No, the access timeframe and multiple access features will be hidden. |
AllowMultipleAccess | Determines whether or not the multiple access features will be displayed when a new request is created. If this parameter is set to No, the multiple access features will be hidden. |
RestrictConnectConfirmation | Determines whether users who create a Connect request and receive confirmation can connect to the remote machine with the requested account but cannot Show/Retrieve or Copy its password/SSH key. Confirmation of a Show/Retrieve or Copy request always allows all operations (Show/Retrieve, Copy or Connect). If this parameter is set to Yes, confirmation of a Connect request is limited to Connect only; this is only effective when access is through the PVWA web portal or the mobile PVWA. If this parameter is set to No, the request confirmation is not limited and allows Show/Retrieve, Copy or Connect. |
AllowViewingHandledRequests | Determines whether users who are authorized to confirm requests will be able to see requests they have already handled. |
ForceConfirmationReason | Determines whether or not an authorized user is required to specify a reason when confirming or rejecting a request. |
Define authorized users
This section describes how to define users who are authorized to confirm requests for access to privileged accounts. It is specifically for Vault administrators who manage Vault users and define the CyberArk workflows.
Set the confirmation requirement
When creating a Safe or changing Safe properties, you can specify that Users who wish to retrieve passwords and files require confirmation from an authorized Safe Owner.
1. Click POLICIES to display the Master Policy.
2. In Privileged Access Workflows, select Require dual control password access approval.
3. In the Rule Preview pane, click Edit Settings; the Edit Rule Settings window appears.
4. Set the policy settings as described below:
■ Require dual control password access approval – This setting determines whether this master policy rule is applied, using the following values:
  ■ Active – This rule will be applied at Master Policy level to all platforms, unless an Exception overrides it.
  ■ Inactive – The rule will not be applied at all.
■ Require multi-level password access approval – This advanced setting enforces an access control workflow in which end users require two levels of authorization before they can access privileged accounts. Each list of Safe members must include users who are authorized to confirm requests at both levels. The number of required confirmers set in the advanced Number of confirmers required to authorize requests setting applies to each level of authorized users. For more information about setting different levels of authorized users, refer to Dual Control.
■ Only direct managers can approve password access requests – This advanced setting enforces an access control workflow in which end users require authorization from their direct managers before they can access privileged accounts. This workflow requires the Digital Vault to recognize and integrate with your Active Directory. For more information, refer to the Privileged Access Security Installation Guide.
Note: This mode cannot be enabled together with multi-level confirmation, or with more than one required confirmer, as requests would never be confirmed and could not be used.
For more information about configuring the Vault for direct manager confirmation, refer to Dual Control.
■ Number of confirmers required to authorize requests – The number of authorized users who are required to confirm requests.
  ■ If Require multi-level password access approval was enabled, select the number of authorized users at each level who are required to confirm requests.
  ■ If Only direct managers can approve password access requests was enabled, you cannot specify multiple direct managers for this mode.
5. Click Save to save the new rule settings and remain in the Edit Rule Settings window, or click Save & Close to save the new rule settings and display the Master Policy page. You can see the Advanced Settings in the Rule Preview pane.
The system is now configured for dual control, and users who wish to retrieve accounts are required to request access confirmation from at least one authorized user. By default, requests are retained in the Safe for 30 days.
Users can specify default settings for requests in the Dual Control settings in the Web Access Options. For more information, refer to Configure the system through PVWA.
Create an authorized user
Authorized Users can confirm requests by other users who require access to passwords. When you add a user as an Owner of the Safe, you can give them the ‘Authorize password requests’ authorization, or you can update an existing Safe member’s properties.
Note: Any change to the confirmer settings (e.g., removing confirmers, changing confirmer levels) makes all existing requests obsolete. All existing active requests must be deleted and re-created.
If the user is not yet an owner of the Safe where the accounts are stored:
1. In the Add Safe Members page, select the Safe member/group to configure as an authorized user.
2. Select the authorizations that the Safe member/group will have in the Safe. Specifically, select Authorize password requests; the Confirmation Level options appear.
The options enable you to define two different levels of authorized users to confirm requests. This is relevant to the Require multi-level password access approval setting, which is an advanced setting of the Master Policy’s Require dual control password access approval rule.
3. If Require multi-level password access approval was enabled, select the level to which the user/group will belong.
  ■ Level 1 – The first level of users who are authorized to confirm requests.
  ■ Level 2 – The second level of users who are authorized to confirm requests.
These users can only confirm requests at the specified level. In addition, the first level of authorized users must confirm requests before any authorized users from the second level can confirm them.
Note: A user who belongs to multiple groups, where one group is defined as the first level of confirmers and another as the second level, is treated as a second-level confirmer.
4. Click Add; the Safe member is added to the Safe with the authorization to confirm requests from other users to access passwords in this Safe.
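The confirmation rules in this section and in the Master Policy step above (level 1 must confirm before level 2, a user in both level groups counts as level 2, the number of confirmers applies per level, direct-manager mode cannot be combined with multi-level confirmation or more than one confirmer, and any change to confirmer settings makes open requests obsolete) are small enough to model. The following is an added example, not CyberArk code: the class names, the `Policy`/`DualControl` API and the treatment of single-level mode as one pool of confirmers are assumptions made for illustration, and the users and groups are constructed sample data.

```python
"""Model of the dual-control confirmation rules described on this page (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Level(Enum):
    ONE = 1
    TWO = 2


@dataclass
class Policy:
    """Advanced settings of the 'Require dual control password access approval' rule."""
    multi_level: bool = False          # Require multi-level password access approval
    direct_manager_only: bool = False  # Only direct managers can approve password access requests
    confirmers_required: int = 1       # Number of confirmers required (applies per level)

    def validate(self) -> List[str]:
        """Return the configuration conflicts the page warns about."""
        problems = []
        if self.confirmers_required < 1:
            problems.append("at least one confirmer is required")
        if self.direct_manager_only and (self.multi_level or self.confirmers_required > 1):
            problems.append("direct-manager confirmation cannot be combined with "
                            "multi-level confirmation or more than one required confirmer")
        return problems


def effective_level(group_levels: Dict[str, Level], user_groups: Set[str]) -> Optional[Level]:
    """Confirmer level derived from group membership; level 2 wins when both are present."""
    levels = {group_levels[g] for g in user_groups if g in group_levels}
    if not levels:
        return None
    return Level.TWO if Level.TWO in levels else Level.ONE


@dataclass
class Request:
    requester: str
    confirmed_by: Dict[Level, Set[str]] = field(
        default_factory=lambda: {Level.ONE: set(), Level.TWO: set()})
    obsolete: bool = False


class DualControl:
    """Hypothetical workflow engine applying the rules to requests (assumed API)."""

    def __init__(self, policy: Policy, group_levels: Dict[str, Level],
                 memberships: Dict[str, Set[str]]) -> None:
        problems = policy.validate()
        if problems:
            raise ValueError("; ".join(problems))
        self.policy = policy
        self.group_levels = group_levels   # group name -> confirmer level
        self.memberships = memberships     # user -> groups the user belongs to
        self.open_requests: List[Request] = []

    def create_request(self, requester: str) -> Request:
        req = Request(requester)
        self.open_requests.append(req)
        return req

    def _level_met(self, req: Request, level: Level) -> bool:
        return len(req.confirmed_by[level]) >= self.policy.confirmers_required

    def is_confirmed(self, req: Request) -> bool:
        if req.obsolete:
            return False
        if self.policy.multi_level:
            return self._level_met(req, Level.ONE) and self._level_met(req, Level.TWO)
        # Assumption: without multi-level approval, all authorized users form one pool.
        total = len(req.confirmed_by[Level.ONE] | req.confirmed_by[Level.TWO])
        return total >= self.policy.confirmers_required

    def confirm(self, req: Request, user: str) -> str:
        """Apply one confirmation and report the resulting state of the request."""
        if req.obsolete:
            return "obsolete: confirmer settings changed, re-create the request"
        level = effective_level(self.group_levels, self.memberships.get(user, set()))
        if level is None:
            return "rejected: user is not authorized to confirm requests"
        if user in req.confirmed_by[level]:
            return "ignored: already confirmed by this user"
        if self.policy.multi_level and level is Level.TWO and not self._level_met(req, Level.ONE):
            return "pending: level 1 must confirm before level 2"
        req.confirmed_by[level].add(user)
        return "confirmed" if self.is_confirmed(req) else "pending"

    def change_confirmers(self, group_levels: Dict[str, Level]) -> int:
        """Any change to confirmer settings makes every open request obsolete."""
        self.group_levels = group_levels
        for req in self.open_requests:
            req.obsolete = True
        return len(self.open_requests)


if __name__ == "__main__":
    # Constructed sample data: two confirmer groups, one user in both.
    groups = {"L1-Approvers": Level.ONE, "L2-Approvers": Level.TWO}
    members = {"alice": {"L1-Approvers"}, "bob": {"L2-Approvers"},
               "carol": {"L1-Approvers", "L2-Approvers"}}
    dc = DualControl(Policy(multi_level=True), groups, members)
    req = dc.create_request("eve")
    for user in ("bob", "alice", "carol"):
        print(user, "->", dc.confirm(req, user))
```

Running the module shows bob's level-2 confirmation being held back until alice (level 1) has confirmed, and carol, who is in both groups, completing the request as a level-2 confirmer.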
Enable a Safe owner to access a Safe without confirmation
Although confirmation is specified in the Safe properties window and therefore applies to all Safe Owners, it is possible to give certain users authorization to access the Safe without requiring confirmation from other Safe Owners.
1. In the Safe Details page, display the Safe Members tab and select the Safe member who you will permit to access accounts without confirmation; the Update Safe Members page appears.
2. Select Access Safe without Confirmation, then click Save; this Safe Owner is now able to access the Safe or file without confirmation.
A Safe Owner who has an open request for confirmation can be given authorization to access the Safe without confirmation. However, they will not be able to access the Safe in this way until all open requests have been confirmed.
Confirmation by direct managers
To enforce the advanced Only direct manager can approve password access requests setting, the Vault must be configured to recognize LDAP directories so that it can identify the direct managers of users who create requests.
For details about integrating with LDAP directories, see Configure transparent user management using LDAP.
1. Log onto the PVWA as an administrator user. Make sure that this user belongs to the Vault Admins group.
2. Add the LDAP user/group of managers who will confirm requests as a Safe owner of the Safe that contains the privileged accounts for which users require confirmation before accessing them.
  ■ In the Safes list, select the relevant Safe, then click Members; the Safe Details page appears.
  ■ In the Members tab, click Add Member, then search for the name of the LDAP user/group to add as a Safe member. You can also leave the Search edit box empty to search for all groups.
  ■ In the Search In drop-down box, select LDAP > Search; the users and groups in the external directory whose names match the specified keyword are displayed. Select the LDAP group to add from this list.
  ■ Select the permissions that the LDAP group will have in the Safe. Specifically, select Authorize password requests.
  ■ Click Add; the LDAP group is added as a Safe owner with the selected permissions, and a confirmation appears at the bottom of the screen.
  ■ Click Close; the Safe Details page appears and displays the new Safe member in the Members list.
3. Configure LDAP integration to determine the LDAP Managers’ group that will confirm requests.
  ■ Click ADMINISTRATION to display the System Configuration page, then click LDAP Integration; the LDAP Integration page appears.
  ■ Expand Profiles, then select the LDAP profile to configure; the profile properties are displayed in the Properties pane.
  ■ Specify the following property to determine the Managers’ group that will confirm requests:

Parameter | Description |
---|---|
ManagersGroupDN | The name of an LDAP attribute that defines the user/group of managers who will confirm direct manager requests for a specific user/group. These groups are created for specific users/groups according to the LDAP hierarchy. For example, if you specify ManagersGroupDN=DirectManagersGroup, the Vault searches LDAP users for the DirectManagersGroup attribute to identify the users and groups who can confirm requests at managerial level. |

4. Click Apply to save the new configuration and apply it immediately, or click Save to save the new configuration and apply it after the period of time specified in the RefreshPeriod parameter.