Use cases and examples

The following examples demonstrate some common tasks performed by product administrators. See Privileged Access in the User guide for instructions and examples for requesting and checking out privileged access, and viewing and downloading recorded sessions.

Example: Manually manage accounts on a vault-only system

This example demonstrates how to manually manage administrator credentials stored in a vault-only managed system:

  1. Create a new vault-only managed system policy.

    1. Click Manage the system > Privileged access > Managed system policies.

    2. Click Add new…

    3. Enter the following:

      ID: Vault-MSP

      Description: MSP for vault-only managed systems

      Mode: Vault-only

      Managed by: Select the Privileged Access Manager Service in the Managed by list. This is the service that will manage systems in this policy.

      Authentication type: Password

      Enforce password policy: leave deselected

    4. Click Add.

  2. Define the Access disclosure plugins.

    1. Click the Access disclosure plugins tab.

    2. Click Select

    3. Select the Copy and Display plugins and click Select.

    4. Select Access current password for both the copy and display plugins.

    5. Select Access old passwords for the display plugin.

    6. Click Update.

  3. Configure Access control.

    1. Click the Access control tab.

    2. Select the following for IT_SEC_USERS.

      • View properties for this policy

      • Modify properties for this policy

      • Pre-approved check-out of managed accounts

      • Randomize/override password of managed accounts

        These settings are part of the privileges required to check out the managed accounts and to override the passwords.

    3. Click Update.

  4. Provide the IT_SEC_USERS group the "Create managed systems" administrative privilege. This privilege is required to override passwords.

    1. Click Manage the system > Security > Access to product features > Administrator groups.

    2. Click Add new…

    3. Enter the following:

      ID: IT-SECURITY

      Description: IT Security Group

      Allowed privileges: Create managed systems

    4. Click Add.

    5. Click the Membership criteria tab.

    6. Click Select

    7. Select the _IT_SECURITY_ user class.

      Members of the _IT_SECURITY_ user class are also linked to the IT_SEC_USERS group and can now override passwords in addition to checking out accounts.

    8. Click Select.

  5. Create a vault-only managed system.

    1. Click Manage the system > Privileged access > Managed systems.

    2. Click Add new…

    3. Enter the following:

      ID: Router-ADM

      Description: Router used by the admin team

      Help URL: http://intranet/routerinfo.html

    4. Click Add.

  6. Click the Policies tab.

  7. Click Select

  8. Select the VAULT-MSP managed system policy.

  9. Click Select.

  10. Click the Managed accounts tab.

  11. Click Add new… at the bottom of the page.

  12. Type the ID of the account in the Account field.

  13. Type a password in the Password and Confirm password fields.

  14. Click Add.

Example: Automatically rotate target system credentials

This example demonstrates how to manage and automatically rotate target system credentials for an Active Directory DN target system.

Even without a Bravura Privilege license, organizations can manage target system credentials using the limited-license Bravura Privilege features available with Bravura Pass and Bravura Identity. Automatic rotation of target system credentials is accomplished by linking the target system credentials to a managed account within the target system credentials tab.

Passwords are randomized daily by default. You can change this frequency system-wide, or for individual managed system policies. See Password randomization for more information.

  1. Manage the domain target system:

    1. Navigate to the Target system information page for the domain target system.

    2. Select the checkbox to Automatically create a Bravura Privilege managed system.

    3. Run auto discovery.

  2. Add the managed system and accounts to an MSP:

    1. Navigate to Privileged access > Managed system policies > VAULT_ADM_GRP.

      This is a default managed system policy for managing administrative credentials.

    2. Click the Member systems tab, then add the managed domain target system.

    3. Click the Managed accounts tab, then add the domain accounts you want to manage.

  3. Manually randomize the account passwords:

    1. Click the Randomization sub tab.

    2. Select and randomize the passwords for the domain accounts.

      Bravura Security Fabric randomizes the password for the selected accounts on the target system.

  4. Link the target system credentials to a managed account:

    1. Navigate back to the Target system information page for the domain target system.

    2. Click the Credentials tab.

    3. Add the accounts you want to manage on this page.

      Ensure you check the Updated by Privileged Access Manager? box so the new credentials will be updated here when the password is randomized.

    4. For each credential, click Select under Get credential from Bravura Privilege and select a managed account from which to get the Password.

    It is highly recommended that you configure your password policies before Bravura Security Fabric starts managing system passwords.

Example: Requesting Windows account access

Click below to view a demonstration of requesting to check out a Windows administrator account, authorizing the request, checking out the account and using display disclosure to view the password and then checking the account back in.

This example demonstrates a request to check out the Windows administrator account, authorize the request and then check the account back in.

Requirements

This example assumes:

The BILLIG user has permissions via teams to request check-outs of the Windows and Linux managed accounts. BILLIG is assigned as a requester for the Windows Admin Accounts and Unix Admin Accounts teams.

The Approver group for Windows Admin Accounts is set up so that a request to check out the Windows administrator account needs approval from a member of the IT-WINDOWS-MANAGERS group. Requests to check out Linux managed accounts from the Unix Admin Accounts team are configured to require approval from a member of the IT-UNIX-MANAGERS group.

Request to check out the Windows admin account
  1. Open a new browser tab to Bravura Privilege.

  2. Log in to the Front-end (PSF) as the standard user billig.

  3. Click Privileged access.

    The Privileged access app opens.

  4. Click Accounts under the PRIVILEGED ACCESS heading from the Filter panel to see available accounts.

  5. Select the WINNT:wkstn1.bravura.corp:Administrator account to request access.

  6. Click Request check-out from the Actions panel on the right to open the request details form.

  7. Review the required information for the request.

  8. Enter any Requester notes that you would like displayed to the authorizers.

  9. Click the Submit button at the bottom of the request details form.

    Bravura Privilege issues the request, notifies appropriate authorizers and displays a summary of the request under DETAILS.

  10. Click View request.

    Bravura Privilege displays a summary of the request.

  11. Click the Request: ID link to open request details.

  12. Select the Display details boxes at the top of the request for Operations, Authorizers and Authorization notes to review the available authorizers.

Authorize the request

To authorize the request:

  1. Open another browser tab to Bravura Privilege.

  2. Log in to the Front-end (PSF) as the authorized user harolr.

  3. Click the link: There are 1 request(s) awaiting your approval.

    The Requests app opens.

  4. From the Results panel, select the request you want to review.

    Bravura Privilege displays the details in the Actions panel on the right.

  5. Review the request.

  6. Click Approve.

  7. Click the Approve button below the Comment field.

The request to check out the account is now approved: the configuration requires only one approver to authorize the request before access is granted.

Check out the managed account

Once the request has been approved, you can check out the account:

  1. Return to the tab where you are acting as billig.

  2. Click Home .

  3. Click the link: Your privileged access requests have been approved.

  4. Click Check out from the Actions panel.

    The Privileged access app displays available actions and disclosure options in the Actions panel to the right.

  5. To view the password, click the Display disclosure option.

Check in

Once you have finished using the account, you can check it in again.

  1. As billig, navigate to the Privileged access app (if you are not there already).

  2. Click Mine under the CHECK-OUTS heading from the Filter panel.

  3. Select the account from the Results panel to display the check-out details in the Actions panel.

  4. Click Check in from the Actions panel.

    Due to the configurations set in the managed system policy, the password is randomized automatically when the account is checked back in.

If you were able to check out the Administrator account, approve the request, view the password with display disclosure and check it back in, you have successfully completed the lab.

Example: Requesting Linux account access

Click below to view a demonstration of requesting to check out a Linux administrator account, authorizing the request, checking out the account and using it in PuTTY, and then checking the account back in.