Access Request Policies and Privileged Session Management
In EmpowerID, Access Request policies govern how users request and receive access to resources. These policies define the approval and fulfillment process, particularly for Privileged Session Management (PSM), where secure access to computer credentials must be strictly controlled and audited.
Access Request policies for PSM also determine whether a session is governed by a Privileged Session Policy, which includes options for recording sessions, monitoring live activity, and limiting concurrent sessions.
Approval Policies for Privileged Sessions
Administrators can configure Access Request policies to require explicit approval for privileged session requests.
- The default policy is Owner Approval, where the owner of the credential must approve access.
- You can substitute this with custom Approval Policies to meet your organizational workflow and compliance needs.
Pre-Configured Access Request Policies for Computer Credentials
EmpowerID provides several pre-configured Access Request policies designed for PSM scenarios. These policies combine settings for access mode (multi-check-out), password reset behavior, and MFA.
1. Computer Creds – Allow Multi-Check-Out – No Password Reset
- Allows multiple users to check out the same computer credentials concurrently (RDP or SSH).
- Does not reset passwords after check-in.
2. Computer Creds – No Multi-Check-Out – Password Reset
- Only one session allowed at a time.
- Password is reset after check-in.
3. MFA – Computer Creds – Allow Multi-Check-Out – No Password Reset
- Same as Policy #1, but requires multi-factor authentication (MFA) before granting access.
Access Request Policy Configuration
You can customize these policies to meet your organization's PSM and security standards.
General Settings
Setting | Description |
---|---|
Name | Name of the policy |
Display Name | Display name shown in the user interface |
Description | Administrative description of the policy |
Allow Activation (Skip Business Request) | When enabled, skips Business Request workflows and grants access immediately without approvals |
Approval Policy | Defines the approval workflow required to fulfill the access request |
Fulfillment Delay (HRS) | Time (in hours) to delay fulfillment after approval |
Is Shipping Data | Internal use only |
Enable Just in Time Account Provisioning | Automatically creates temporary user accounts for sessions when used with Local Windows Server account stores. |
Selectable in UI | Whether this policy can be manually selected by users in the EmpowerID Web interface |
Time Restriction Settings
Setting | Description |
---|---|
Time Restrict Access | Restricts session access to defined durations. If enabled, you can define default and maximum duration limits. |
MFA Requirements
Setting | Description |
---|---|
Min Login LOA If Local | Minimum Level of Assurance (LOA) required for users on a local network |
Min Login LOA If Remote | Minimum LOA required for remote users |
Shared Credential Settings
These settings control how shared credentials behave when used in a session.
Setting | Description |
---|---|
Publish in IAM Shop | Makes credentials visible and requestable in the IAM Shop |
Allow Multi Check Out | Allows concurrent use of the same credential by multiple users |
Reset Password On Check In | Resets the credential password once a session ends |
Update Windows Services On Password Reset | Updates any associated Windows services using the same credentials |
Update IIS App Pools On Password Reset | Updates IIS App Pool credentials tied to this account |
Privileged Session Policy Settings
These settings determine how PSM governs session security.
Setting | Description |
---|---|
Privileged Session Policy | Enables session governance settings, including maximum concurrent sessions, session recording, and live session viewing by administrators. |
Password Rotation Settings
Configure scheduled credential rotation:
- Enable automatic password reset on a schedule.
- Specify start date, end date, and rotation frequency.
By properly configuring Access Request policies with privileged session rules, you ensure secure and compliant access to sensitive systems in your EmpowerID environment. These settings help enforce least-privilege principles, support auditability, and mitigate risk from shared credentials.
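The following added example (not EmpowerID code) shows how a review of these settings could be scripted to flag risky combinations, such as multi-check-out without a password reset on check-in. The dictionary layout, the finding codes, the integer LOA values and the sample values are assumptions; only the setting names and the three pre-configured combinations come from this page.

```python
# Added example: lint Access Request policy settings for PSM risk. The dict layout
# is a hypothetical export keyed by the setting names above; integer LOA is assumed.

def audit_policy(policy, min_remote_loa=2):
    """Return sorted finding codes for one policy's settings."""
    findings = set()
    if not policy.get("Reset Password On Check In", False):
        # The checked-out password stays valid after the session ends.
        multi = policy.get("Allow Multi Check Out", False)
        findings.add("MULTI_NO_RESET" if multi else "NO_RESET")
    if policy.get("Allow Activation (Skip Business Request)", False):
        findings.add("SKIPS_APPROVAL")  # access granted without approvals
    elif not policy.get("Approval Policy"):
        findings.add("NO_APPROVAL_POLICY")
    if not policy.get("Time Restrict Access", False):
        findings.add("NO_TIME_LIMIT")
    if not policy.get("Privileged Session Policy"):
        findings.add("NO_SESSION_POLICY")  # no recording or live monitoring
    if policy.get("Min Login LOA If Remote", 0) < min_remote_loa:
        findings.add("LOW_REMOTE_LOA")
    return sorted(findings)

def audit_all(policies, min_remote_loa=2):
    """Map policy name -> findings, keeping only policies with findings."""
    report = {n: audit_policy(p, min_remote_loa) for n, p in policies.items()}
    return {n: f for n, f in report.items() if f}

# Constructed sample values; only the multi-check-out/reset/MFA
# combinations come from the pre-configured policies described above.
BASE = {"Approval Policy": "Owner Approval", "Time Restrict Access": True,
        "Privileged Session Policy": "Example Session Policy"}
SAMPLE_POLICIES = {
    "Computer Creds - Allow Multi-Check-Out - No Password Reset": {
        **BASE, "Allow Multi Check Out": True,
        "Reset Password On Check In": False, "Min Login LOA If Remote": 1},
    "Computer Creds - No Multi-Check-Out - Password Reset": {
        **BASE, "Allow Multi Check Out": False,
        "Reset Password On Check In": True, "Min Login LOA If Remote": 2},
    "MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset": {
        **BASE, "Allow Multi Check Out": True,
        "Reset Password On Check In": False, "Min Login LOA If Remote": 3},
    "Custom - Instant Activation (constructed)": {
        "Allow Activation (Skip Business Request)": True,
        "Allow Multi Check Out": False, "Reset Password On Check In": True},
}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(found)}")
```

Policies that pass every check are omitted from the report, so an empty result means no findings at the chosen LOA threshold.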