Password vault

Description

Soffid provides a protected storage area, the Password vault, to save and manage accounts for multiple applications. Here you can store the accounts and passwords used to access critical systems, as well as those of your own applications. The Password vault lets you manage the access control list for these accounts: an account can be reserved for a specific user or shared by a set of users.

The accounts are organized in folders depending on the permissions required, the criticality level, and so on. These accounts can be system accounts or user accounts.

The Password vault exposes a subset of accounts to some users. These accounts are available through the Self-service portal. Visit the My applications page for more information.

When a privileged account is configured, a workflow or approval process can be assigned to it, so that users must request approval before using that account. For more information, see How to apply policies.

Folders

The password vault uses two kinds of folders, personal folders and shared folders, depending on the Owners configuration you define.

On one hand, each user has their own personal folder. Inside this folder the user can create accounts; such an account is not shared with any other user.

On the other hand, shared folders can be used or managed by the owner, manager and SSO users defined for the folder.

Accounts

Soffid allows you to create new accounts in a specific folder on the Password vault page. To add a new account it is mandatory to fill in some attributes, such as System, Name and Login name. You can consult the existing accounts of a folder, and for each account you can update or delete it and view or set its password.

You can also create accounts on the Accounts page and assign them the appropriate vault folder.

Soffid allows administrator users to configure a workflow to request permission when a user tries to change the password of a privileged account in the password vault. That process is defined with the BPM Editor as an Account reservation process type. For more information, visit the BPM Editor book.

Standard attributes

Folder attributes

  • Folder detail
    • Name: folder name, which will be displayed in My Applications.
    • Description: folder description.
    • PAM policy: when using the PAM system, you can choose the policy each folder must comply with. When you define a policy for a folder, that policy applies to all accounts hanging from this folder. For more information, visit the Configure PAM page.
  • Owners
    • Owner users: list of users who will be the folder owners.
    • Owner groups: list of groups whose members will be the owners of the folder.
    • Owner roles: list of roles. The users who have been assigned these roles will be the owners of the folder.
  • Managers
    • Manager users: list of users who can manage the folder. Those users can view the password, depending on the password policy.
    • Manager groups: list of groups whose members can manage the folder. Those users can view the password, depending on the password policy.
    • Manager roles: list of roles. The users who have been assigned these roles can manage the folder. Those users can view the password, depending on the password policy.
  • SSO users
    • Granted users: list of users who can use the accounts of that folder.
    • Granted groups: list of groups whose members can use the accounts of that folder.
    • Granted roles: list of roles. The users who have been assigned these roles can use the accounts of that folder.
  • Browse folder
    • Users: list of users who can browse the folder but cannot perform any action.
    • Groups: list of groups whose members can browse the folder but cannot perform any action.
    • Roles: list of roles. The users who have been assigned these roles can browse the folder but cannot perform any action.
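The four lists above (owners, managers, SSO users and browse) resolve, for a given user, into one effective access level. The following is an added example and not Soffid's code: it is a small model of that resolution which assumes that a user matches a list through a direct entry, a group membership or a role assignment, that the strongest matching level wins (owner over manager over SSO user over browse), and that each level includes the capabilities of the weaker ones. The password-visibility gate for managers follows the description above; the policy_allows_manager_view flag, the action names, and the sample folder and users are all constructed for the example.

```python
# Added example, not Soffid code: a toy model of how the folder lists on this
# page (owners, managers, SSO users, browse) combine into one effective access
# level per user. Assumed here: a user matches a list by direct entry, group
# membership or role assignment; the strongest match wins; each level includes
# the weaker ones. Action names and the policy flag are constructed.
from dataclasses import dataclass

# Ordered weakest to strongest; the index is used to compare levels.
LEVELS = ("none", "browse", "use", "manage", "own")


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


def acl(users=(), groups=(), roles=()):
    """One (users, groups, roles) triple, mirroring a list on the folder form."""
    return (frozenset(users), frozenset(groups), frozenset(roles))


EMPTY = acl()


@dataclass(frozen=True)
class Folder:
    name: str
    owners: tuple = EMPTY
    managers: tuple = EMPTY
    sso_users: tuple = EMPTY
    browsers: tuple = EMPTY


def matches(user, entry):
    """True if the user is listed directly or via one of its groups or roles."""
    users, groups, roles = entry
    return user.name in users or bool(user.groups & groups) or bool(user.roles & roles)


def validate_folder(folder):
    """Mirror the rule on this page: a folder cannot be saved without an owner."""
    if not any(folder.owners):
        raise ValueError(f"folder {folder.name!r} has no owner")


def effective_level(user, folder):
    """Strongest level whose list matches the user, or 'none'."""
    for level, entry in (("own", folder.owners), ("manage", folder.managers),
                         ("use", folder.sso_users), ("browse", folder.browsers)):
        if matches(user, entry):
            return level
    return "none"


def allowed_actions(user, folder, policy_allows_manager_view=False):
    """Actions the user may perform on the accounts of the folder.

    Managers see the password only when the password policy allows it, as
    the page states. Owners are assumed (not stated on the page) to hold the
    manager capabilities plus editing the folder itself.
    """
    level = LEVELS.index(effective_level(user, folder))
    actions = set()
    if level >= LEVELS.index("browse"):
        actions.add("browse")            # list the accounts, nothing else
    if level >= LEVELS.index("use"):
        actions.add("launch")            # SSO users launch the connection
    if level >= LEVELS.index("manage"):
        actions.update({"set_password", "edit_account"})
        if policy_allows_manager_view:
            actions.add("view_password")
    if level >= LEVELS.index("own"):
        actions.add("edit_folder")
    return actions


if __name__ == "__main__":
    # Constructed sample folder and users, not real Soffid data.
    vault = Folder("VaultFolder",
                   owners=acl(users=["alice"]),
                   managers=acl(roles=["PAM_ADMIN"]),
                   sso_users=acl(groups=["ops"]),
                   browsers=acl(users=["auditor"]))
    validate_folder(vault)
    for u in (User("alice"), User("bob", roles=frozenset({"PAM_ADMIN"})),
              User("carol", groups=frozenset({"ops"})), User("auditor"), User("dave")):
        print(u.name, effective_level(u, vault), sorted(allowed_actions(u, vault, True)))
```

The point of the model is that membership is resolved from three sources at once, so a user who appears in no user list can still manage a folder through a role; when auditing who can reach a privileged account, check groups and roles as well as the direct entries.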

Accounts attributes

Actions Tab

This tab shows the read-only attributes of the account:

  • Name: account name.
  • Description: brief description.
  • System: target system the account connects to.
  • Login name: login name used to connect to the target system.
  • Login URL: URL used to connect.
  • In use by: name of the user who is currently using that account.

This tab also allows you to launch the connection to the target system, view the password, set the password, and unlock the use of that account. All these options depend on the account definition and the user's privileges.

Basics Tab

This tab shows all the account attributes and allows you to update the account configuration.

Visit the Account page to view more information about the standard attributes of an account.

Actions

Folders query actions

Query

Allows you to query folders. Only Quick search is available.

Add new

Allows you to create a new folder. You can choose that option from the hamburger menu or by clicking the add button (+).

To add a new folder it is mandatory to fill in the required fields.

A folder needs at least one owner to manage it.

Folder actions

Apply changes

Allows you to save a new folder or update an existing one. To save the data it is mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are.

Undo

Allows you to quit without saving any changes made.

Delete

Allows you to delete a folder if you have the right permissions. To delete a folder, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Account actions

Apply changes

Allows you to save a new account. To save the data it is mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are. If the account already exists on the system, you can assign it a vault folder on the Accounts window.

Undo

Allows you to quit without saving any changes made.

Delete

Allows you to delete an account from a folder if you have the right permissions. To delete an account, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.

Set password

Allows you to set the password used to access the account.


How to apply policies

Soffid allows you to define policies and rules that apply to a specific folder or a set of folders. To do that, you need to install the XACML addon and configure the proper policies and rules.

You can also configure a workflow or approval process that users must complete in order to use the accounts saved in a folder.

Example

Suppose you configure a folder, "VaultFolder", in which you are going to store other folders and some accounts, and you need to define policies and rules that control access to those accounts, together with the XACML PEP configuration. Soffid allows you to define those policies and rules with the XACML editor, decide when each policy and rule must apply, and configure the XACML PEP.

XACML Policy Management

XACML PEP config

It is mandatory to enable the Password Vault PEP and fill in the XACML policy set and the version that apply.

Visit the XACML Book for more information.

Visit the BPM Editor Book for more information.