Accounts
The Accounts tab lists the managed accounts for which you have permissions to request access to retrieve passwords and start sessions. From this grid, you can initiate an access request for the listed accounts. From the Accounts tab, populate the list of managed accounts in the grid using any one of the following options:
- Click the Browse by Category buttons: Favorites, Recently Used, Local Accounts, Domain Linked Accounts, and Applications, to filter the list by category.
- Select filter criteria from the Filter by dropdown to filter by selected account properties.
- Search for accounts using the Quick Filter option.
- Click Load All Accounts to load all accounts in the organization.
Note
The Status column from the Local Accounts and Domain Linked Accounts grids was removed in Password Safe version 23.1. This column, now called Account Status, has been re-added in Password Safe version 23.3.
Note
For optimum efficiency, the web portal screen resolution should be no less than 1280 × 800 pixels.
Note
When you first log in to the Password Safe web portal, no accounts are available in the Favorites tab. Click the star next to the account to add it to the Favorites tab. Click Refresh above the grid to update the listed accounts.
Request a password release
-
From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
-
Click Access for the managed account for which you wish to request a session.
-
From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
-
Run the file to establish a connection to the target system.
-
Enter the password that you use to authenticate into Password Safe.
-
Click Access for the managed account for which you wish to request a password.
-
From the Submit Request tab:
- Set a start date and time for the password to be made available.
- Set the length of time for the password to be available.
- Check Password for the type of access you need.
- Provide a reason for the request. The maximum allowed length is 200 characters.
- Select a ticket system and provide a ticket number.
Note
Reason, Ticket System, and Ticket Number fields might be optional or required, depending upon options configured in the access policy by your Password Safe administrator. Also, if your Password Safe administrator has set a specific ticket system in the access policy, you cannot select a different ticket system with your request.
- Click Submit Request. An email is sent to the approver if email notification is configured. You can view the status of your request from the Requests tab.
Retrieve a password
Passwords approved for release can be displayed at any time (and as often as needed) during the release duration. After the password is approved, an email notification is sent to the requestor's email account. The requestor can then retrieve the password.
- Click the link to see a window with the date and time the release was approved and any comments made by the approver.
- Click Retrieve Password to display the system account password.
- The password displays in a separate window. The visibility of the password might be limited, with a timer showing remaining time. Click Close Window to close the windows before the timeout.
- To copy the password to the clipboard, click the Copy button.
- Use the password to log in to the system within the password release time period.
Retrieve a password using Quick Launch
If your access policy is configured for auto-approval for the managed system account you are accessing, Quick Launch is available, allowing you to quickly retrieve the password for the managed account, bypassing the approval process. To use Quick Launch:
-
From the Accounts tab, click Access for the managed account you wish to access.
-
From the Quick Launch tab, click Retrieve Password.
-
Click Show to display the password or click the Copy icon to copy it.
Request SSH or RDP Sessions
When configured by your Password Safe administrator, you can request access to a managed system using a remote session. Using the Password Safe request and approval system, you can request remote sessions that use RDP and SSH connection types.
Password Safe acts as a proxy, providing session management to target systems. No passwords are transmitted, allowing inherently secure session management. The below sections detail how to request and start sessions in Password Safe.
Request an RDP session
- From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
- Click Access for the managed account for which you wish to request a session.
- From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
- Run the file to establish a connection to the target system.
- Enter the password that you use to authenticate into Password Safe.
- Click Access for the managed account for which you wish to request a session.
- From the Submit Request tab:
- Set a session start date and time that corresponds with the access policy and is outside of a scheduled maintenance window.
- Set the length of time for the session.
- Check RDP Session for the type of access you need.
- Provide a reason for the request. The maximum allowed length is 200 characters.
- Select a ticket system and provide a ticket number.
Note
Reason, Ticket System, and Ticket Number fields may be optional or required, depending upon options configured in the access policy by your Password Safe administrator. Also, if your Password Safe administrator has set a specific ticket system in the access policy, you cannot select a different ticket system with your request.
- Click Submit Request. An email is sent to the approver if email notification is configured.
Use Direct Connect for RDP session
You can also use the Direct Connect feature to initiate an RDP session. As the requester, you can access the system without ever viewing the managed account's credentials.
To use Direct Connect, you must download the RDP file from the Password Safe web portal. This is a one-time download. Each account and system combination requires that you download the unique RDP file associated with it.
If the requestor is granted approval for RDP sessions, a message displays, stating, Request requires approval. If the request is not approved within 5 minutes, this connection will close. After five minutes, the RDP client disconnects, and you can send another connection request. When the request is approved, you are automatically connected.
To initiate a Direct Connect RDP session:
-
From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
-
Click Access for the managed account for which you wish to request a session.
-
From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
-
Run the file to establish a connection to the target system.
-
Enter the password that you use to authenticate into Password Safe.
-
Find the account in the list.Click Access for the managed account for which you wish to request a session.
-
From the Direct Connect tab, click Download RDP File.
-
Run the file to establish a connection to the target system.
-
Enter your password that you use to authenticate into Password Safe.
Note
RDP Direct Connect supports only push two-factor authentication. An access-challenge response is not supported.
Note
LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.
Start an RDP session without submitting a request
Users who have permissions to bypass the request and approval process for accessing the managed system and Password Safe administrators are able to start sessions and retrieve passwords immediately from the Start Session tab. The Start Session tab does not display for users who do not have permissions to bypass the request and approval process. To start the session:
- From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
- Click Access for the managed account for which you wish to request a session.
- From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
- Run the file to establish a connection to the target system.
- Enter the password that you use to authenticate into Password Safe.
Start an admin session
Users who have full control permissions for the Password SafeAdmin Session feature and Password Safe administrators can open ad-hoc RDP and SSH sessions without going through the request process, using an Admin Session. From Admin Session tab, you can start a session immediately by completing the form and clicking Connect. Admin sessions also allow you to select a node associated with another region to act as a proxy for the session. This is useful in larger environments when assets you need to access are in your region.
SSH Direct Connect
Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, are auto-populated with default Password Safe settings.
To access a managed account or application using Direct Connect, the requester has to connect to Password Safe's SSH Proxy using a custom SSH connection string with one of the following formats:
- For UPN credentials:
<Requester>+<Username@Domain>+<System Name>@<Password Safe>
- For down-level logon names\non-domain credentials:
<Requester>@<Domain\\Username>@<System Name>@<Password Safe>
You can override the default SSH port and enter port 4422. The requester is then prompted to enter their password, which they use to authenticate with Password Safe.
- For UPN credentials:
ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
- For down-level logon names\non-domain credentials:
ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>
- For an SSH application:
ssh -p 4422 <Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>
Once the requester is authenticated, they are immediately connected to the desired machine.
Updated 7 days ago