Configure Credential Policies
Credential policies in Vault provide administrators with the ability to set rules, permissions, check in/check out policies, and settings that can be applied to multiple credentials stored in Vault. For example, a Vault administrator may create a credential policy with settings specific to Active Directory (AD) credentials, and another credential policy with settings specific to MySql credentials.
It is generally recommended that Vault administrators set up credential policies prior to creating or importing credentials in Vault. When credentials are created, credential policies enable administrators to easily apply specific settings to the new credentials - even hundreds of them - at once.
Create a Credential Policy
There are several steps to creating a credential policy. Read each below carefully to ensure proper configuration.
- Navigate to Credentials > Credential Policy.
- Click the New Credential Policy button.
Section 1 - Policy Profile
This section allows you to specify the name and description of the new credential policy and to designate the policy's access type.
- Enter the Credential policy name.
- Enter the policy's Description.
- Check the Access type box if you wish to designate an access type for the policy, and then select Restricted or Shared.
- Click Next.
Section 2 - Automation Rules
This section allows you to designate the credential type for the policy, apply settings specific to the selected credential type, and set guidelines for how and when the credentials assigned to the policy are validated and rotated.
- Select the credential type from the dropdown menu labeled What type of credentials will this/these be?
- Choose if you would like to enable automatic rotation for credentials in this policy.
- Check the box labeled Do you want to enable automation on these credentials?
- Select Enabled to enable automation or Disabled to disable automation.
- Check the box labeled Automatically validate this credential policy, and then select how often credentials assigned to this policy are automatically validated. Leave this box unchecked to disable automatic validation.
- Check the box labeled Automatically rotate this credential policy, and then select how often credentials assigned to this policy are automatically rotated. Leave this box unchecked to disable automatic rotation.
- Check the box labeled Is this account allowed to rotate other credentials?
- Select Yes to allow or No to disallow credentials assigned to this policy to rotate other credentials.
Step 3 - Permissions
This section allows you to set permissions for the credential policy, designating which users and user groups can view and access the credentials in the policy.
- Answer the following questions for your organization:
- Who should be notified when these credentials are used?
- Who is allowed to check out these credentials?
- Who is allowed to rotate these credentials?
- Can applications use these credentials?
- Once you have identified the answers, choose whether you wish to assign permissions based on individual users, user groups, or both.
- To assign permissions based on user level, click on the name of the user(s) in the Users list. Then click > to move the user into the Assigned list.
- To assign permissions based on user group level, click on the name of the user group(s) in the Groups list. Then click > to move the user group into the Assigned list.
- Click Next.
Note: All rules, policies, and permissions set at the credential group level overwrite any rules, policies, and permissions set at the credential level.
Step 4 - Check Out Policy
This section allows you to set parameters for checking out credentials assigned to this policy.
- Check the Check out policy, Allow multiple users to check out the password at the same time, and Does this credential group require approval before use? boxes if you would like credential settings to be adjustable only at the group level.
- If checked, select the parameters for each.
- Choose whether credentials from this policy can be checked out by only Vault users, by only applications integrated with Vault, or by both.
- Choose if multiple users can access a credential from this group at the same time.
- Select whether approval is required before a credential from this group can be checked out.
- Click Next.
Step 5 - Check In Policy
This section allows you to set parameters for checking in credentials assigned to this policy.
- Check the When the credential policy is checked back in, should it be rotated? box to force credentials assigned to this policy to be rotated upon check in.
- Choose what account can rotate a credential that has been checked in from this policy.
- This credential will rotate itself - the credential rotates without any intervention by a user.
- This credential will use a "Manager" account - the credential can be rotated by someone with a credential manager role. If this option is selected, a field labeled Select the account that will rotate the credential appears. The default setting is any, which allows any credential manager account to rotate the credential. Click the Load button to bring up a dialog box that allows you to search for credential manager accounts and assign a specific credential manager to the check in policy.
Note: The account used as the credential manager must already exist within the Bomgar Vault application.
- Check Use this password template when rotating credentials to associate the credential with a password template, and then select the desired password template from the dropdown menu. If no password template is desired, leave this box unchecked.
Note: For more information on password templates in Bomgar Vault, please see Review Password Template Settings.
- Click Next.
Step 6 - Settings
This section allows you to configure settings around storing passwords, automatic password check-in, and rotation failures.
- Enter a value for the number of past passwords you would like the system to store and how many days these passwords should be stored. Note that zero is an acceptable value.
- Set a number of hours a password can be available for use before being automatically checked back in by the software.
- Enter the number of attempts and time between each attempt that are available for rotation failures.
- Click Next.
Assign Permissions to Users
To set which users have access to create, delete, and modify credentials in a credential policy, you must assign them permissions within the credential policy.
- Go to Credentials > Credential Policies.
- From the list, locate the credential policy you need permissions to use.
- Click on the Permissions icon beside that policy.
- Decide which permissions are needed.
- Who can create, delete and modify credentials in this credential policy? Grants all permissions to the user.
- Who can create credentials in this credential policy? Grants permission only to create credentials.
- Who can delete credentials from this credential policy? Grants permission only to delete credentials.
- Who can modify credentials in this credential policy? Grants the permission only to modify credentials.
- After selecting the permissions needed, click on your username from the Users list.
- Click the > arrow to assign your user account this permission.
- Click Accept.