Configure Credential Policies in Bomgar Vault

Credential policies in Vault provide administrators with the ability to set rules, permissions, check in/check out policies, and settings that can be applied to multiple credentials stored in Vault. For example, a Vault administrator may create a credential policy with settings specific to Active Directory (AD) credentials, and another credential policy with settings specific to MySQL credentials.

It is generally recommended that Vault administrators set up credential policies prior to creating or importing credentials in Vault. When credentials are created, credential policies enable administrators to easily apply specific settings to the new credentials - even hundreds of them - at once.

Create a Credential Policy

There are several steps to creating a credential policy. Read each below carefully to ensure proper configuration.

  1. Navigate to Credentials > Credential Policy.

New Credential Policy Button

  2. Click the New Credential Policy button.


Step 1 - Policy profile

Note: As you walk through the add and edit processes for credentials, you can click on the steps to navigate between different sections.

This section allows you to specify the name and description of the new credential policy and to designate the policy's access type.

New Credential Policy Section 1

  1. Enter the Credential policy name.
  2. Enter the policy's Description.
  3. Check the Access type box if you wish to designate an access type for the policy, and then select Restricted or Shared.
  4. Click Next.

Step 2 - Automation rules

This section allows you to designate the credential type for the policy, apply settings specific to the selected credential type, and set guidelines for how and when the credentials assigned to the policy are validated and rotated.

New Credential Policy Section 2

  1. Select the credential type from the dropdown menu labeled What type of credentials will this/these be?
  2. Choose if you would like to enable automatic rotation for credentials in this policy.
    • Check the box labeled Do you want to enable automation on these credentials?
    • Select Enabled to enable automation or Disabled to disable automation.
  3. If automation is enabled, establish rules for validation and rotation of credentials in this policy.
    • Check the box labeled Automatically validate this credential policy, and then select how often credentials assigned to this policy are automatically validated. Leave this box unchecked to disable automatic validation.
    • Check the box labeled Automatically rotate this credential policy, and then select how often credentials assigned to this policy are automatically rotated. Leave this box unchecked to disable automatic rotation.
  4. Select whether credentials in this group can rotate other credentials.
    • Check the box labeled Is this account allowed to rotate other credentials?
    • Select Yes to allow or No to disallow credentials assigned to this policy to rotate other credentials.

Step 3 - Permissions

This section allows you to set permissions for the credential policy, designating which users and user groups can view and access the credentials in the policy.

New Credential Policy Section 3

  1. Answer the following questions for your organization:
    • Who should be notified when these credentials are used?
    • Who is allowed to check out these credentials?
    • Who is allowed to rotate these credentials?
    • Can applications use these credentials?
  2. Once you have identified the answers, choose whether you wish to assign permissions based on individual users, user groups, or both.
    • To assign permissions based on user level, click on the name of the user(s) in the Users with Email list. Then click > to move the user into the Assigned list.
    • To assign permissions based on user group level, click on the name of the user group(s) in the Groups list. Then click > to move the user group into the Assigned list.
  3. Click Next.

Note: All rules, policies, and permissions set at the credential group level override any rules, policies, and permissions set at the credential level.

Step 4 - Check out policy

This section allows you to set parameters for checking out credentials assigned to this policy.

New Credential Policy Section 4

  1. Check the Check out policy, Allow multiple users to check out the password at the same time, and Does this credential group require approval before use? boxes if you would like these credential settings to be adjustable only at the group level.
  2. If checked, select the parameters for each.
    • Choose whether credentials from this policy can be checked out by only Vault users, by only applications integrated with Vault, or by both.
    • Choose if multiple users can access a credential from this group at the same time.
    • Select whether approval is required before a credential from this group can be checked out.
      • If selected, choose what happens when approval is rejected and when it is granted.
      • Select who should approve the usage of the policy.
      • Select whether users with permission to view the credential are allowed to break the glass and check out the credential.
      • Select who is notified when approval is skipped.
  3. Click Next.

Step 5 - Check in policy

This section allows you to set parameters for checking in credentials assigned to this policy.

New Credential Policy Section 5

  1. Check the When the credential policy is checked back in, should it be rotated? box to force credentials assigned to this policy to be rotated upon check in.
  2. Choose what account can rotate a credential that has been checked in from this policy.
    • This credential will rotate itself - the credential rotates without any intervention by a user.
    • This credential will use a "Manager" account - the credential can be rotated by someone with a credential manager role. If this option is selected, a field labeled Select the account that will rotate the credential appears. The default setting is any, which allows any credential manager account to rotate the credential. Click the Load button to bring up a dialog box that allows you to search for credential manager accounts and assign a specific credential manager to the check in policy.

Note: The account used as the credential manager must already exist within the Bomgar Vault application.

  3. Check Use this password template when rotating credentials to associate the credential with a password template, and then select the desired password template from the dropdown menu. If no password template is desired, leave this box unchecked. You can edit the password template by clicking on the i icon.

Note: For more information on password templates in Bomgar Vault, please see Review Password Template Settings.

  4. Click Next.

Step 6 - Settings

This section allows you to configure settings around storing passwords, automatic password check-in, and rotation failures.

The Settings step of the Credential Policies process.

  1. Enter a value for the number of past passwords you would like the system to store and how many days these passwords should be stored. Note that zero is an acceptable value.
  2. Set a number of hours a password can be available for use before being automatically checked back in by the software.
  3. Click Next.
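To make the interaction between the check out, check in, and settings steps concrete, the following is an added illustrative model, not Bomgar Vault's own code: a policy object carrying the choices from Steps 4 to 6, with the check-out decision (who may check out, concurrent check-out, approval and break glass), rotate-on-check-in with the past-password limit, and the automatic check-in window. Field and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Illustrative model (not Bomgar's code) of the check-out, check-in and
# settings choices the policy steps above expose; field names are assumed.
@dataclass
class CredentialPolicy:
    checkout_by: str = "both"         # "users", "applications" or "both"
    allow_multiple_checkout: bool = False
    require_approval: bool = True
    allow_break_glass: bool = False   # may viewers bypass approval?
    rotate_on_checkin: bool = True
    auto_checkin_hours: int = 8
    past_passwords_to_store: int = 5  # zero is an acceptable value

@dataclass
class Credential:
    password: str
    checked_out_by: list = field(default_factory=list)
    checkout_times: dict = field(default_factory=dict)  # principal -> epoch secs
    history: list = field(default_factory=list)

def check_out(policy, cred, principal, kind, approved, break_glass, now):
    """Return (allowed, reason) for a check-out request under the policy."""
    if policy.checkout_by != "both" and kind != policy.checkout_by:
        return False, f"{kind} may not check out credentials under this policy"
    if cred.checked_out_by and not policy.allow_multiple_checkout:
        return False, "already checked out and concurrent check-out is disabled"
    if policy.require_approval and not approved:
        if not (policy.allow_break_glass and break_glass):
            return False, "approval required"
    cred.checked_out_by.append(principal)
    cred.checkout_times[principal] = now
    return True, "checked out"

def check_in(policy, cred, principal, new_password):
    """Release the credential; rotate it and prune history if the policy says so."""
    if principal in cred.checked_out_by:
        cred.checked_out_by.remove(principal)
        cred.checkout_times.pop(principal, None)
    if policy.rotate_on_checkin:
        cred.history.append(cred.password)
        keep = policy.past_passwords_to_store
        cred.history = cred.history[-keep:] if keep else []
        cred.password = new_password
    return cred.password

def auto_check_in_due(policy, cred, now):
    """Principals whose check-out has reached the automatic check-in window."""
    limit = policy.auto_checkin_hours * 3600
    return [p for p, t in cred.checkout_times.items() if now - t >= limit]
```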