Master Policy Rules
The Master Policy enables you to define a baseline for how you manage accounts in your organization. You can define and view these rules in the Master Policy page. Click a section title to display the policy rules defined in that section, as well as the status of each rule and possible exceptions to it.
To display this page, users must be members of the Vault Admins group.
Master Policy rules
The Master Policy Page enables you to set Master Policy rules for privileged access workflows, password management, and session management.
Privileged Access Workflows
These are the main policy rules and settings that define how your organization manages access to privileged accounts.
Users must receive approval from authorized users before they can access passwords. This enables you to see who wants to access passwords, when, and for what purpose. By default, this rule is inactive.
Advanced settings enable you to determine the following workflows:
- Whether requests for privileged accounts require approval from multiple levels of users.
- Whether requests for privileged accounts must be approved by a direct manager.
- The number of authorized users required to confirm requests.
For more information, refer to Dual Control.
Users can check out an account and lock it so that no other user can retrieve it at the same time. After using the password, the user checks it back into the Vault. Together with enforcing one-time password access, this restricts access to a single user, ensuring exclusive use of the privileged account and guaranteeing accountability. By default, this rule is inactive.
For more information, refer to Account check-out and check-in.
Accounts can be retrieved for one-time use only, and the password stored inside must be changed after each use before the account is released and can be used again. Passwords can be changed automatically by the Privileged Access Manager - Self-Hosted solution’s password management capability. By default, this rule is inactive.
For more information, refer to Account check-out and check-in.
Users can connect to remote devices without needing to know or specify the required password. This prevents the password from being exposed to the user and maintains productivity as the user does not have to open a login session and then copy and paste the password credentials into it. In addition, advanced settings define whether or not users are permitted to view passwords. This enforces strong authentication for accessing managed devices and restricts user access to passwords according to granular access control. By default, this rule is active.
Users can only retrieve accounts after they specify a reason that explains why they want to retrieve them. By default, this rule is active.
An advanced setting determines whether users will be able to specify a free text reason in the Reason edit box or will be required to select one of the predefined reasons.
Password Management
These rules determine how passwords are managed.
The Master Policy determines how frequently passwords must be changed. By default, passwords are changed every 90 days. You can see when password changes are planned in the Compliance Report.
Passwords will be verified after the timeframe specified in the previous rule. They can be changed manually or replaced by a unique and highly secure password that is randomly generated by the Password Vault. By default, passwords are verified every 7 days.
Session Management
These rules determine whether privileged sessions are recorded, and how they are monitored.
All IT administrator privileged sessions on remote machines will be monitored and isolated. By default, this rule is inactive.
All activities in each privileged session are recorded, in text and/or video format, and stored compressed in the Vault for future auditing. These recordings are transparent to users and cannot be bypassed. By default, this rule is active.
Audit
This rule determines how Safe audits are retained.
This rule controls the number of days that Safe activity audits are retained. By default, audits of activities are kept for 90 days.
If this parameter is set to zero, activities in the Safe are not written to an audit log.
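The following added example (not CyberArk's code; all class and field names are this example's own and do not correspond to product configuration keys) models the three policy areas described above: it evaluates an account retrieval against the workflow gates (reason, dual control approvals, exclusive check-out, one-time password change pending), computes the next planned change and verification dates the Compliance Report would show, and derives the audit retention cutoff, treating zero as "not audited".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy model with the page's stated defaults; names are this example's own.
@dataclass
class MasterPolicy:
    require_dual_control: bool = False      # inactive by default
    approvers_required: int = 1             # advanced setting: confirmers needed
    require_checkout: bool = False          # exclusive check-out/check-in, inactive
    one_time_password: bool = False         # change after each use, inactive
    require_reason: bool = True             # active by default
    predefined_reasons: frozenset = frozenset()  # empty = free-text reason allowed
    change_every_days: int = 90
    verify_every_days: int = 7
    audit_retention_days: int = 90          # 0 = Safe activities are not audited

@dataclass
class Account:
    last_changed: date
    last_verified: date
    checked_out_by: str = ""                # empty = not checked out
    change_pending: bool = False            # set when released under one-time access

def retrieval_blockers(policy, account, user, reason, approvals):
    """List the policy gates an account retrieval fails; empty means allowed."""
    blockers = []
    if policy.require_reason:
        if not reason:
            blockers.append("reason required")
        elif policy.predefined_reasons and reason not in policy.predefined_reasons:
            blockers.append("reason must be one of the predefined reasons")
    if policy.require_dual_control and approvals < policy.approvers_required:
        blockers.append(f"needs {policy.approvers_required} approval(s), has {approvals}")
    if policy.require_checkout and account.checked_out_by not in ("", user):
        blockers.append(f"checked out by {account.checked_out_by}")
    if policy.one_time_password and account.change_pending:
        blockers.append("password change pending since last release")
    return blockers

def compliance(policy, account, today):
    """Next planned change/verification dates, as a compliance report would list them."""
    change_due = account.last_changed + timedelta(days=policy.change_every_days)
    verify_due = account.last_verified + timedelta(days=policy.verify_every_days)
    return {"change_due": change_due, "change_overdue": today > change_due,
            "verify_due": verify_due, "verify_overdue": today > verify_due}

def audit_cutoff(policy, today):
    """Oldest Safe audit date still retained, or None when auditing is disabled (0 days)."""
    if policy.audit_retention_days == 0:
        return None
    return today - timedelta(days=policy.audit_retention_days)
```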