Security settings

Authorizations

Definition

Soffid console provides a granular access control system, which allows the administrator user to assign granular permissions to roles. Bear in mind that some permissions may inherit other permissions.

You cannot assign permissions directly to users. Instead, permissions are assigned to roles, and roles are assigned to users, either directly or through grant inheritance.

The roles may be created in the Soffid application system, but they can also belong to any other application system.

Permissions are grouped into permission scopes. Most scopes are Soffid object types, but there is one special scope, named Soffid, that applies to Soffid console web pages.

Addons can create their own authorizations, which will automatically appear on this screen. When a new addon has been installed and applied, the first thing to do is usually to assign permissions for the new addon. In fact, administrators will not be able to manage the addon until they log out and log in again to obtain the newly created permissions.

The permissions given to roles and the roles given to users are cached by Soffid. To reapply permissions, the user should close their session and log in again.


Standard attributes

Actions

Authorization query action

Import

Allows you to upload a CSV file with the authorization data to add or to update the granular control system. If they exist, the values of the CSV file will prevail.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the contents. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

Download CSV file

Allows you to download a CSV file with the authorization data.

Authorization detail actions

Add new

Allows you to add a new role to the authorization. You can choose that option by clicking the add button (+).

First, search for a role by typing the role name in the field; Soffid will show the matching values. Second, select one or more roles and accept.

And finally, you need to apply changes to save the roles added. If you cancel that action, no role will be assigned.

Delete

Allows you to delete one or more roles from an authorization.

To delete one role, click the subtraction symbol (-) located at the end of the row of the role you want to delete, and then apply changes.

To delete more than one role, select the roles you want to delete, click the subtraction symbol (-), and then apply changes.

It is mandatory to apply changes to save the deletions.

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

Apply changes

Allows you to update the changes made on the authorization.

Undo

Allows you to quit without applying any changes.


Authentication

Definition

Soffid can use different kinds of external authentication sources. These mechanisms can be selectively enabled or disabled.

Screen overview


Standard attributes

Global status

Once you check the Enforce TLS connections to Soffid Console option, there is no easy way to revert it. You should use this option only in production environments.


Username and password

Internal

External

Not all the external systems are included, only those whose agent has the "Trust password" check enabled. For more information about agents please visit the Agents page.

Even once an agent is configured, Soffid still uses its internal tables to authenticate usernames and passwords.

If the password entered by the user does not match, the Soffid core will issue a "ValidatePassword" task for each trusted target system. If any of the trusted target systems accepts the password, it will be hashed and stored in the Soffid tables and the login will be accepted.
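The fallback just described, as an added example written for this page and not Soffid's own code: the internal table is checked first, ValidatePassword is simulated only for systems whose agent trusts the password, and the first acceptance is hashed and cached so the next login does not consult the agent again. The class names, the PBKDF2 hashing and the sample user are assumptions made for the illustration.

```python
# Added illustration of the login flow described above: internal tables are
# consulted first and ValidatePassword is sent to trusted systems only on a
# mismatch. This is not Soffid code; the class names, the PBKDF2 hashing and
# the sample users are assumptions made for the example.
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    # Any salted, slow hash will do for the model; the point is that only a
    # hash, never the clear password, lands in the internal table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TrustedSystem:
    """A target system whose agent has the "Trust password" check enabled.

    validate_password() stands in for the ValidatePassword task the agent answers.
    """

    def __init__(self, name: str, validate: Callable[[str, str], bool]):
        self.name = name
        self._validate = validate
        self.calls = 0  # number of ValidatePassword tasks this system received

    def validate_password(self, user: str, password: str) -> bool:
        self.calls += 1
        return self._validate(user, password)


class AuthStore:
    """Internal user/password table plus the list of trusted systems."""

    def __init__(self, trusted: List[TrustedSystem]):
        self.trusted = trusted
        self._table: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._table[user] = (salt, _hash(password, salt))

    def _internal_match(self, user: str, password: str) -> bool:
        record = self._table.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash(password, salt))

    def login(self, user: str, password: str) -> Tuple[bool, str]:
        """Return (accepted, source); source names what validated the password."""
        # 1. The internal tables are always checked first.
        if self._internal_match(user, password):
            return True, "internal"
        # 2. Only on a mismatch, one ValidatePassword task per trusted system.
        for system in self.trusted:
            if system.validate_password(user, password):
                # 3. First acceptance wins: hash and store, then accept the login.
                self.store(user, password)
                return True, system.name
        # 4. No internal match and no trusted system accepted it.
        return False, "rejected"


if __name__ == "__main__":
    # Constructed sample: one trusted system that knows alice's password.
    ad = TrustedSystem("ad-prod", lambda u, p: (u, p) == ("alice", "Winter-2024!"))
    store = AuthStore([ad])
    print(store.login("alice", "Winter-2024!"))  # (True, 'ad-prod'): validated remotely, now cached
    print(store.login("alice", "Winter-2024!"))  # (True, 'internal'): no task issued this time
    print(store.login("alice", "guess"))         # (False, 'rejected')
```

The `calls` counter on the trusted system is the detail worth watching: after the first successful remote validation it stops increasing for correct passwords, which is exactly why the page says a trusted system's password ends up in the Soffid tables.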

External SAML identity provider 

Note that this feature does not depend on the federation addon. It is included by default in the Soffid smart engine, and allows you to add to the authentication flow a mechanism that uses a third-party SAML system.

Finally, download the Soffid Console metadata (see the Download metadata action below) and load it into your SAML Identity Provider federation.

If the SAML Identity Provider is enabled as well as username and password, the user will be able to select the preferred authentication method. If only SAML is enabled, the user will be redirected automatically to the SAML Identity Provider.


💻 Office 365 as External SAML identity provider

Introduction

Steps to configure Office 365 as External SAML identity provider.

Step-by-Step

1. Open https://portal.azure.com

2. Open Microsoft Entra ID and then select the Enterprise applications option.

3. Select All applications and click New application.

4. Select Create your own application.

5. Type the name of your app and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option.

6. Click Set up single sign on.

7. Click the SAML option.

8. Enter the Basic SAML Configuration and save.

9. Configure Attributes & Claims and change the attributes and claims so that the mailnickname is sent as the user identifier (nameid).

10. Copy the App Federation Metadata Url.

11. Configure the External SAML identity provider in the Soffid Console Authentication page.

12. Optionally, enable any user to log in.

Webservice authentication

Soffid allows you to configure how the identity of a user or system accessing the Soffid Web Service is verified, to ensure that only authorized entities can interact with the service.

Bear in mind that the Identity Provider must have the OpenID profile enabled.

Also, the Identity Provider certificate must be present in the Console's cacerts trust store.


Enable LinOTP integration

Soffid allows you to use an external OTP, in this case LinOTP. If you decide to use LinOTP, Soffid can be configured to require the user to authenticate with a second factor before performing certain actions. Otherwise, you can use the Soffid OTP.

To configure the Soffid OTP, see the Two factor authentication (2FA) chapter.

Second Factor Authentication configuration

Example: request the OTP only for these pages (the page pattern is shown in the screenshot, not reproduced here).

Example: request the OTP for all pages except those containing menu.zul or otp.zul.

In both configurations, if an OTP is required for the user, a popup is raised asking for the token value.

Actions

Download metadata

Allows you to download an XML file with metadata to load into your SAML Identity Provider federation when you use an External SAML identity provider.

Confirm changes Allows you to save the changes made in the Authentication setup.


Password policies

Definition

Password domain

A password domain is a logical way of grouping managed systems that share the same password for each account. If the administrator chooses to have the same password for every system, only one password domain should exist. If the administrator chooses to assign a different password for each system, then a password domain should be created for each managed system.

Password policies

Password policies allow you to define custom rules that passwords must comply with to enhance system security. For each password domain, Soffid allows you to create different password policies related to user type. It is only possible to define a single password policy for one password domain and one user type. 

There are two kinds of password policies.

A password policy will also define how often the password needs to be changed and how many days are allowed to change it.

Regarding password complexity, you can specify the minimum and the maximum number of lowercase letters, uppercase letters, numbers, and symbols, as well as password length.

The administrator users can define a regular expression that must match each password. This can be used, for instance, to ensure that the first password is not numeric.

You can also define a list of forbidden words that cannot be used as passwords.


Standard attributes

Password Domain

Password policies

Password validation script example (user is the user whose password is being set, passwordT is the candidate password; the script rejects passwords that start with the first three characters of the user name):

// Nothing to compare when the password is missing or either value is shorter than 3 characters.
if (passwordT == null || passwordT.length() < 3 || user.userName.length() < 3)
	return true;
codi3 = user.userName.substring(0, 3).toLowerCase();
if (codi3.equals(passwordT.substring(0, 3).toLowerCase()))
	return false;  // password starts with the user name prefix: reject it
return true;
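An added example, not Soffid's validator, that models the policy rules described above (minimum and maximum counts per character class, length, a regular expression, forbidden words) together with the user-name rule of the validation script, in one function that returns every violation. It goes slightly beyond the script by comparing the user-name prefix case-insensitively. The field names, the function name and the sample policy are assumptions for the illustration.

```python
# Added example, not Soffid's own validator: a model of the complexity rules
# listed above (min/max counts per character class, length, regular
# expression, forbidden words) plus the user-name check from the validation
# script. Field names and the sample policy are assumptions for the example.
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_lower: int = 1
    max_lower: Optional[int] = None      # None means "no upper bound"
    min_upper: int = 1
    max_upper: Optional[int] = None
    min_digits: int = 1
    max_digits: Optional[int] = None
    min_symbols: int = 0
    max_symbols: Optional[int] = None
    regex: Optional[str] = None          # must match the whole password when set
    forbidden_words: List[str] = field(default_factory=list)


def _count(password: str, predicate: Callable[[str], bool]) -> int:
    return sum(1 for c in password if predicate(c))


def _check_range(name: str, found: int, low: int, high: Optional[int], errors: List[str]) -> None:
    if found < low:
        errors.append(f"at least {low} {name} required (found {found})")
    if high is not None and found > high:
        errors.append(f"at most {high} {name} allowed (found {found})")


def validate_password(policy: PasswordPolicy, user_name: str, password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it complies."""
    errors: List[str] = []
    _check_range("characters", len(password), policy.min_length, policy.max_length, errors)
    _check_range("lowercase letters", _count(password, str.islower), policy.min_lower, policy.max_lower, errors)
    _check_range("uppercase letters", _count(password, str.isupper), policy.min_upper, policy.max_upper, errors)
    _check_range("digits", _count(password, str.isdigit), policy.min_digits, policy.max_digits, errors)
    _check_range("symbols", _count(password, lambda c: not c.isalnum()), policy.min_symbols, policy.max_symbols, errors)
    if policy.regex and re.fullmatch(policy.regex, password) is None:
        errors.append("does not match the required pattern")
    lowered = password.lower()
    for word in policy.forbidden_words:
        if word.lower() in lowered:
            errors.append(f"contains the forbidden word '{word}'")
    # Same rule as the page's validation script, compared case-insensitively:
    # the password must not start with the first three characters of the user name.
    if len(user_name) >= 3 and lowered.startswith(user_name[:3].lower()):
        errors.append("starts with the first three characters of the user name")
    return errors


# Constructed sample policy: the regular expression rejects all-numeric passwords,
# the use case the page gives for the regular expression field.
SAMPLE_POLICY = PasswordPolicy(min_length=8, min_symbols=1,
                               regex=r"(?!\d+$).+",
                               forbidden_words=["soffid", "password"])

if __name__ == "__main__":
    for candidate in ("Quartz!2024", "jsmith1!", "Password1!", "12345678"):
        print(candidate, validate_password(SAMPLE_POLICY, "jsmith", candidate))
```

Returning the full list of violations rather than the first one is deliberate: the console can then show the user everything that must change instead of one rule per attempt.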

Actions

Password policies query actions

Add new domain

Allows you to create a new password domain. You can choose that option on the hamburger menu or click the add button (+). To add a new password domain it is mandatory to fill in the required fields.

Add new password policy

Allows you to create a new password policy on a specific password domain. Below the parent password domain, you can find the button to perform that action. To add a new password policy it is mandatory to fill in the required fields.

Password domain detail actions

Apply changes

Allows you to save a new password domain or to update the password domain changes. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to delete a password domain. To delete a password domain you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

Undo

Allows you to quit without applying any changes.

Password policies detail actions

Apply changes

Allows you to create a new password policy or to update password policy changes. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to delete a password policy. To delete a password policy you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

Undo

Allows you to quit without applying any changes.

Add word

Allows you to create a new forbidden word. Those forbidden words may not be used to create a password if they are selected.


Configure PAM session servers

Definition

Soffid provides the functionality that allows you to configure the Jump servers. That option is located at

Main Menu > Administration > Configure Soffid > Security settings > Configure PAM session servers

Before configuring this functionality, you must install PAM following the instructions on the PAM installation page.

A Jump server is the control point that forces users to log into that system first, then, they could traverse to other servers without having to log in again. The purpose of a jump server is to be the only gateway for access to your infrastructure reducing the size of any potential attack surface.

Screen overview

Standard attributes

Actions

Add new

Allows you to add a new configuration of PAM.  You can choose that option by clicking the add button (+).

You must fill in all the attributes to save a new configuration. 

Delete

Allows you to delete one or more PAM configuration records. You must select one or more records from the list and click the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Apply changes

Allows you to create a new PAM configuration or to update an existing one. To save the data it is mandatory to fill in the required fields. The user name and password must also be valid for the connection to succeed.

Undo

Allows you to quit without applying any changes made.


PAM Rules

Definition

Soffid allows you to define rules to detect commands executed on a server. When a user launches a command defined on a rule, Soffid will detect it.

To use those rules you need to define the PAM policies. For more information, you can visit the PAM policies page.

Screen overview

(The screenshots show a keyboard rule example and a screen rule example; they are not reproduced here.)

Standard attributes

Actions

PAM rules query

Query

Allows you to query PAM rules through different search systems, Quick, Basic and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM rule. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM rule it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM rules by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the PAM rules list to add or update PAM rules to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the PAM rules information.

PAM rules detail

Apply changes

Allows you to create a new PAM rule or to update an existing one. To save the data it is mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM rule. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.


PAM Policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies, and each policy can be made up of several rules. For each rule, you can select the action to perform when Soffid detects that the rule has been triggered.

To use those policies you need to define how they will be used by each folder in the password vault. For more information, you can visit the Password Vault page.
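How a rule set and a policy combine, as an added example covering both the PAM Rules and the PAM Policies sections (illustration code written for this page, not Soffid's rule engine): rules describe what to detect in a recorded session's keyboard input, and the policy selects which rules apply and what action each one triggers. The rule patterns, the action names ("open-issue", "close-session") and the session transcript are all constructed for the illustration.

```python
# Added example of how PAM rules and a PAM policy work together; this is a
# model written for this page, not Soffid's rule engine. The rule patterns,
# action names ("open-issue", "close-session") and the session transcript are
# all constructed for the illustration.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PamRule:
    name: str
    pattern: str        # regular expression tried against each command line
    description: str


@dataclass
class PamPolicy:
    name: str
    actions: Dict[str, str]   # rule name -> action to perform when the rule fires


@dataclass(frozen=True)
class Detection:
    rule: str
    action: str
    line_no: int
    command: str


# Constructed rule set: a rule only describes what to detect.
RULES = [
    PamRule("shadow-read", r"/etc/shadow\b", "reads the local password hashes"),
    PamRule("root-shell", r"^\s*(sudo\s+su\b|su\s+-)", "opens a root shell"),
    PamRule("history-wipe", r"\bhistory\s+-c\b", "clears the shell history"),
    PamRule("package-install", r"\b(apt|yum|dnf)\s+install\b", "installs a package"),
]

# Constructed policy: the policy decides which rules apply and what happens.
# package-install is deliberately left out, so this policy ignores it.
PROD_DB_POLICY = PamPolicy("prod-db", {
    "shadow-read": "open-issue",
    "root-shell": "close-session",
    "history-wipe": "open-issue",
})


def evaluate_session(policy: PamPolicy, rules: List[PamRule],
                     keyboard_log: List[str]) -> List[Detection]:
    """Apply every rule the policy references to each recorded command line."""
    active = [(r, re.compile(r.pattern)) for r in rules if r.name in policy.actions]
    detections: List[Detection] = []
    for line_no, command in enumerate(keyboard_log, start=1):
        for rule, regex in active:
            if regex.search(command):
                detections.append(Detection(rule.name, policy.actions[rule.name], line_no, command))
    return detections


# Constructed keyboard transcript of one recorded session.
SESSION = [
    "ls -la /var/log",
    "cat /etc/shadow",
    "apt install vim",
    "sudo su -",
    "history -c",
]

if __name__ == "__main__":
    for d in evaluate_session(PROD_DB_POLICY, RULES, SESSION):
        print(f"line {d.line_no}: rule {d.rule} -> {d.action} ({d.command!r})")
```

The separation mirrors the page: the same rule set can be reused by a stricter policy for one vault folder and a looser one for another, and a rule that no policy references never fires.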

Screen overview


Standard attributes

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

(*) You can visit the following page for more information about the issues: https://bookstack.soffid.com/books/soffid-3-reference-guide/page/issue-policies and  https://bookstack.soffid.com/link/1153#bkmrk-pam-violation

The PAM policies configuration is written to the user-console.policies file and sent to the Store container. You can find this file at /opt/soffid/tomee/data/ips.


Actions

PAM policies query

Query

Allows you to query PAM policies through different search systems, Quick, Basic and Advanced.

Add or remove columns

Allows you to show and hide columns in the table.

Add new

Allows you to create a new PAM policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new PAM policy it will be mandatory to fill in the required fields.

Delete

Allows you to remove one or more PAM policies by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the PAM policies list to add or update PAM policies to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the PAM policies information.

PAM policies detail

Apply changes

Allows you to create a new PAM policy or to update an existing one. To save the data it is mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.

Delete

Allows you to delete a PAM policy. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.


Password recovery configuration

Description

Soffid provides the functionality that allows users to recover their passwords. To do that, the admin user, or a user with the proper roles, must configure the password recovery parameters.

Screen Overview


Custom attributes

Actions

Confirm changes

Allows you to save the data of password recovery configuration. To save the data it will be mandatory to fill in the required fields.


OTP settings

Definition

The OTP settings allow the administrator users to configure the available OTP options. Soffid provides four different OTP implementations.

Main Menu > Administration > Configuration > Security settings > OTP settings

Screen overview


Standard attributes

Email

To send an email, it is mandatory to fill in the value of the mail.from parameter. See the mail server parameters page.

SMS

https://www.xxxxxxx.com/cgi-bin/sms/http2sms.cgi?account=sms-bg490971-1&password=XXXXXXt&login=user&from=SOFFID&to=${PHONE}&message=This is your access PIN: ${PIN}&noStop&contentType=application/json&class=0
"status":100

In the URL and POST data to be sent, the administrator can use tags that will be replaced by attributes of the target user:

Voice (alternative to SMS)

In the POST data to be sent, the administrator can use tags that will be replaced by attributes of the target user:

Time based HMAC Token

Event based HMAC Token

Security PIN

Actions

Confirm changes

Allows you to save the updates and quit the page.


XACML Policy Management

Definition

The PDP, Policy Decision Point, is in charge of evaluating the defined rules. The Policy Decision Point is essentially a policy compiler: it must verify that the specified rules are within the scope of the rule authors' authority. The PDP provides the authorization decision to the PEP.

XACML Policy Management

The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result.

Main Menu > Administration > Configuration > Security settings > XACML Policy Management

It is possible to import an existing PolicySet into Soffid. The file to import must be a well-formed XML.

To know more about XACML, read the XACML 2.0 Standard Specification:

https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html

XACML PEP configuration

Description

The PEP, Policy Enforcement Point, is the component of policy-based management that enforces the policies. It serves as the gatekeeper for access to a digital resource. The PEP hands the PDP, Policy Decision Point, the job of deciding whether or not to authorize the user, based on the description of the user's attributes.

XACML PEP configuration

Soffid allows you to configure different policy enforcement points, each of which can use a different policy set.

Main Menu > Administration > Configuration > Security settings > XACML PEP configuration

Screen


Common attributes

Common attributes for each PEP:

Policies enforcement points

Web Policy Enforcement Point

The policy is enforced when the user opens a Soffid page. Using this PEP you can define the rules for accessing Soffid pages.

Subjects: User, User attributes, Account, System, Role, Group, Primary Group, IP Address
Resources: Server URL
Actions: Get, Put, Post
Environments: Current Time, Current Date, Current DateTime

Role centric Policy Enforcement Point

The policy is enforced when the user logs into Soffid. It calculates the user's authorizations from the permissions the user has been assigned.

Subjects: User, User attributes, Account, System, Role, Group, Primary Group, IP Address
Resources: Soffid object, Attributes
Actions: create, update, delete, query
Environments: Current Time, Current Date, Current DateTime

Dynamic role Policy Enforcement Point

The policy is enforced when the user performs an action, to evaluate whether the user is authorized. The user must have the proper role and comply with the XACML rule.

You can use this PEP to split permissions; for instance, one support group can update the permissions of a specific group of users, and another support group can update the permissions of another group of users.

Subjects: User, User attributes, Account, System, Role, Group, Primary Group, IP Address
Resources: Soffid object, Attributes (*)
Actions: create, update, delete, query
Environments: Current Time, Current Date, Current DateTime

(*) It is allowed to use an "Attribute Selector" to configure a Dynamic role policy.

External Policy Enforcement Point (https://iam-sync-lab.soffidnetlab:1760//XACML/pep)

General-purpose PEP. By calling the web service, clients can perform validations and find out whether users have access.

Subjects: User, User attributes, Account, System, Role, Group, Primary Group, IP Address
Resources: Token, Method, Soffid object
Actions: Get, Put
Environments: Current Time, Current Date, Current DateTime

Password vault Policy Enforcement Point (https://iam-sync-lab.soffidnetlab:1760//XACML/vault)

The policy is enforced when the password vault is used.

Subjects: User, User attributes, Account, System, Role, Group, Primary Group, IP Address
Resources: Access level, Account, System, Login, Vault Folder, Server URL
Actions: setPassword, queryPassword, queryPasswordBypassPolicy, launch
Environments: Current Time, Current Date, Current DateTime

Digital certificates

Definition

Soffid includes Digital certificate functionality as a security enhancement. You can add new Digital certificates, internal or external. If you select the external certificate, you can add a valid certificate to Soffid; if you select the internal certificate, Soffid will generate a valid certificate.

Screen Overview


Standard attributes

Internal

External

Actions

Digital certificates query

Add new

Allows you to add a new certificate. You can choose that option on the hamburger menu or click the add button (+). To add a new certificate it will be mandatory to fill in the required fields. 

Delete

Allows you to remove one or more certificates by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Download CSV file

Allows you to download a CSV file with the digital certificates data.

New token

Next

Allows you to browse the wizard to create a new certificate.

Apply changes

Allows you to save the data of a new certificate or to update the data of a specific certificate. To save the data it is mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes.

Recertification policies

Description

Soffid allows you to establish some policies to define the scope of the recertification process.

Menu option

Main Menu > Administration > Configuration > Security settings > Recertification policies

Screen overview


Custom attributes

(*1) grant object is a com.soffid.iam.api.RoleAccount object.

Examples

Some sample scripts for the filters and approval steps are shown below.

Filter

Returns all grants that carry a segregation-of-duties risk (sodRisk set and different from SOD_NA):

// grant is a com.soffid.iam.api.RoleAccount (see note *1 above)
return grant.sodRisk != null
	&& grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;

Steps

Approver is the list of owners of the account that holds the grant, or "admin" when the account has no owner:

account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb = new StringBuffer();
for (owner : account.ownerUsers) {
	if (sb.length() > 0)
		sb.append(" ");
	sb.append(owner);
}
if (sb.length() > 0)
	return sb.toString();
else
	return "admin";

Approver is the list of owners stored in the role's "owner" attribute, or "admin" when the role has none:

com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb = new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
	// iterate the role owners just fetched (account is not defined in this script)
	for (owner : owners) {
		if (sb.length() > 0)
			sb.append(" ");
		sb.append(owner);
	}
}
if (sb.length() == 0)
	return "admin";
else
	return sb.toString();


Actions

 Recertification policies query

Add new

Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new policy it is necessary to fill in the required fields.

Delete

Allows you to remove one or more Recertification policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Import

Allows you to upload a CSV file with the Recertification policies to add or update them in Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Recertification policies. 

Add or remove columns

 Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user. 

 Recertification policies details

Apply changes

Allows you to save the data of a new policy or to update the data of a specific policy and quit. To save the data it will be mandatory to fill in the required fields.

Save

Allows you to save the data of a new policy or to update the data of a specific policy. To save the data it will be mandatory to fill in the required fields.

Delete

Allows you to remove a specific policy. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Undo

Allows you to quit without applying any changes. 



Reference for the SoDRisk values used in the filter script: https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html

Issue policies

Definition

Soffid has defined automatic events by default. For each of these events, it is possible to define the tasks to be performed and configure them.

You can find this functionality in the following path:

Main Menu > Administration > Configuration > Security settings > Issue policies

The default events are the following:

Issue Type: Description

account-created: This issue is created when the Sync Server detects that a new account has been created. This may occur after the Reconciliation process has been executed.

disconnected-system: This issue is created when the Sync Server detects that some target system is offline.

discovered-host: This issue is created when the Sync Server detects a new host in the network. This only occurs after the Network Discovery process has been executed.

discovered-system: This issue is created when the Sync Server detects a new system in a host. This only occurs after the Network Discovery process has been executed.

duplicated-user: This issue is created when the system detects that there are duplicate users, or when the task is generated manually from the user management.

enabled-account-on-disabled-user: This issue is created when an enabled account is detected on a disabled user. This may occur after the reconciliation process has been executed.

failed-job: This issue is created when the system detects job failures. This may occur when running any scheduled task.

global-failed-login: This issue is created when the number of session start failures exceeds the threshold of 0.8.

integration-errors: This issue is created when the Sync Server detects an integration error between Soffid and an end system. You can check the task in Monitoring & Reporting.

locked-account: This issue is created when an account has been blocked for exceeding the maximum number of login attempts. You can configure the property Lock after failures in the Password policies settings. Even if the account is only temporarily locked, the incident will be generated.

login-different-country: This issue is created when Soffid detects a new login from a different country. It only works with the Identity Provider and it is necessary to have the geolocation database updated.

login-from-new-device: This issue is created when Soffid detects a new login from a new device. It only works with the Identity Provider.

login-not-recognized: This issue is created when Soffid detects a login that is not recognized (disabled user or user does not exist) in the Soffid Console or in Soffid as an Identity Provider.

otp-failures: This issue is created when an OTP is blocked for exceeding the number of attempts. Currently it is blocked after 10 unsuccessful attempts.

pam-violation: This issue is created when any of the PAM rules is violated. You can define the PAM rules and the PAM policies. Bear in mind that you must check the "Open issue" option in the PAM policies you wish to control.

password-changed: This issue is created when a password change is detected. These changes come from the end system (Active Directory or Soffid OpenLDAP) and Soffid has been notified. The issue is not created if it is the operator or a script that changes the password in Soffid.

permissions-granted: This issue is created when it is detected that permissions have been given to a user on the end system. This may occur after the reconciliation process has been executed.

risk-increase: This issue is created when it is detected that the risk level of a user has increased. You can configure the risks in the Segregation of Duties option.

robot-login: This issue is created when it is detected that someone who has not passed the CAPTCHA is trying to log in to the Identity Provider.

security-exception: This issue is created when unauthorized access to the console via WebService or admin console occurs.

Screen Overview


Standard attributes

Note that it will be necessary to restart the Sync Server when changing the action of an issue.

Actions

Issue policies query action

Download CSV file

Allows you to download a CSV file with the issue policies data.

Issue policy detail

Add new

Allows you to add a new action to the issue policy. You can choose the action from the action list. Depending on the selected action, you must fill in different information.

Once the information has been filled in, close the window and apply the changes.

Delete

Allows you to delete one or more actions from the actions list.

Apply changes

Allows you to update the changes made to the issue policy.

Undo

Allows you to quit without applying any changes.
 


Break-glass recovery configuration

Definition

Break glass is the mechanism that allows users to gain emergency access to critical systems or information under exceptional circumstances when normal access procedures are not viable. 

For more information you can visit the Break Glass book.


Standard attributes

Authorized users

Allows you to configure from one to three users to break glass.

Authorized application

Audit information

Actions

Generate Token

Allows you to generate a new Token by clicking the refresh icon.

Apply changes

Allows you to update the changes made on the break glass recovery configuration.

Undo

Allows you to quit without applying any changes.