Follow

How can I add a Vault in the Password Server?

The Vaults tab lets the user access all of the vaults that they are allowed to see, and to create new ones if they are assigned that privilege.

Shared Vaults

Shared Vaults can be shared between multiple users. Upon creation they are bound to a certain Scope, or visibility level, and only members with access to that scope can see this vault. They will have one or more Owners to manage user access and permissions. These vaults are the most common as they allow the full range of features for administration and management of passwords, including synchronization and password rotation.

Personal Vaults

Personal Vaults provide the ability to synchronize passwords. By default a personal vault is only accessible by the user that created it, but access can also be granted to admins. Organization Administrators are able to see users' Personal Vaults and they may also request access to them, but there is no way for an admin to forcibly take control of one. This vault type is for limited-access passwords that can be synchronized and used in remote desktop connections, or personal passwords that may need to be viewed by an admin.

Private Vaults

If the AuthAnvil Password Server administrator has allowed the permission, users can maintain private vault. These vaults are completely private, and cannot be viewed or seized by administrators, or even shared with other users. Additionally, the user must enter a unique password in order to log into their private vault, so the private vault is kept safe even if the user's login password is changed or compromised. This password can be changed if the user is logged into the private vault, but cannot be reset if the user forgets it. This means that they will lose access to all of their stored passwords.

 

Creating Shared Vaults

To create a shared vault, simply click on the Vaults tab, mouse over the actions menu and click "Create a New Vault"

  1. In the "General Information" panel, set a Name, Description, and Scope for the Vault. Note that the scope cannot be changed after the vault is created.
    image
  2. In the "Vault Password Policy" tab, set the password policy for the vault. These settings are populated based on the organization's default settings.The following Password Policy Settings are available:
    • Minimum Length: The minimum length that a password can be. Must be set to greater than 3.
    • Maximum Length: The maximum length that a password can be. Cannot be longer than 64.
    • Days to Expiration: How many days before the password is marked as expired in the AuthAnvil Password Server and requires a change. Setting this value to 0 will cause the password to never expire.
    • Password Requirements: Whether passwords should be required to contain characters from the sets of English Uppercase, English Lowercase, Base 10 Digits, or non-alphabetic special characters.
    • Save Password History: Whether the AuthAnvil Password Server should keep a record of historical passwords for each password in the vault.
      • Enforce Password History: Whether the AuthAnvil Password Server should stop users from re-using passwords from the historical password list.
      • Keep Password History For: How many passwords the AuthAnvil Password Server should keep in the historical password list for each password.
    • Enable automatic rekey of Vault: Whether the vault should be automatically rekeyed on a schedule.
      • Automatically rekey the Vault after: How often the Vault should be automatically rekeyed.

    image

  3. The "Vault Members" tab allows you to add users to the vault and assign permissions. These users and permissions can be modified on the modify vaults page.There are several permission levels available for users:
    • Owner: The user has full control over the vault, and can set password policy, add and delete users, and even delete the vault itself. This permission level also implies all of the other permission levels, including Audit, and has all of their privileges. A user can only be assigned the "Owner" permission if they have the "Allowed to Own Shared Vaults" permission assigned to their user account.
    • Create: The user has permissions to import, create, and delete passwords within the vault. It implies the read and modify permissions.
    • Modify: The user has permissions to modify the existing passwords within the vault. It implies the read permission.
    • Read: The user can read and export existing passwords from the vault.
    • Launch: The user can launch one-click applications from AuthAnvil Single Sign On. Web Launch capability is available for Windows Passwords (RDP launch) and Web Passwords.
    • Audit: The user can run vault-specific reports from the reports tab.
    • Requires Approval: This permission can be combined with the read and modify permissions. The user must request permission from an administrator before being allowed to view or modify the password for a set period of time. The user can also be assigned the Audit permission while this permission is active.

    image

  4. Finally, click "Save Changes" to create the Vault.
 

Managing Vaults

Managing existing vaults is done from the vaults tab. Just click on the name of the vault that you would like to manage.

The following management options are available from the actions menu on the vault page:

  • Add Password: Add a new password to the vault. Available to users with the create permission and above.
  • Import Passwords: Import a new password to the vault from a password import file. Available to users with the create permission and above.
  • Manage Vault Settings: Manage the password policy, vault membership and permissions and delete the vault. Available to users with the owner permission.
  • Export Vault: Export all of the passwords in the vault into a comma separated list of values in clear text. Available to users with the read permission and above.

The following management options are available from the Manage Vault Settings page:

  • General Settings: Display name and description. Vault scope cannot be changed.
  • Vault Password policy: All of the password policy options. See "Creating Vaults" for more information.
  • Current and Available Vault Members: Which users are members of the vault, and which permissions they have assigned to them. See "Creating Vaults" for a detailed explanation of vault permissions.
  • Actions Menu:
    • Delete Vault: Delete the vault and all of the passwords contained inside it.
    • Rekey Vault: Re-encrypt the vault data with new encryption keys.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

 

Requesting Access to Vaults

If a user does not have permissions to access a vault, but it belongs to a scope that they are a member of, then they can request to join the vault.

  1. Click on the Vault name and click "Request Membership".
  2. The Vault owners will receive an email with the request. If they want to give the user permissions to the vault, they can click on the link in the email and can choose what level of permissions to assign the user.

Seizing Vaults

If an administrator does not have permissions to access a vault that is in a scope that they are a member of, and they have the "Allowed to own shared vaults" permission, they can request to join the vault or seize the vault. If they need to seize the vault, they click on the vault name and click the seize vault button. This will send an email message to every member of the vault, informing them which administrator has seized the vault, and that they are now an owner of that vault.

 

Managing Personal Vaults

To use Personal Vaults click on the Vaults page. If you have the permission "Allowed to own Vaults and create Personal Vaults" you will see a Personal Vaults tab. As outlined earlier, Personal Vaults are able to rotate and synchronize passwords, and they can also be used to configure remote desktop links for Windows credentials. They are more limited than Shared Vaults as they are only tied to a single user by default.

To use synchronization with a Personal Vault, sync agents must have access to the "Personal Scope" in their Scopes list. This will enable users to rotate and synchronize passwords using this sync agent.

 

Personal Vaults - Admin View


image

While a Personal Vault is controlled by a single user, Organization Administrators have a special view that enables them to see a list of the Personal Vaults. Clicking on a vault that an admin does not have access to will ask if they want to request ownership. By default, approved access is granted for 5 days.

 

Creating a Private Vault

To create a private vault, the user navigates to the Vaults tab, then clicks on "Private Vault". They will need to choose a private vault password of at least 4 characters that contains characters from two of the character sets of lowercase a-z, uppercase A-Z, numeric (0-9), and special characters and then click "Create".


image

 

Modifying Private Vaults

To log into and manage a private vault, the user clicks on the Vaults tab, then the Private Vault tab, then logs in with their private vault password.

The following management options are available from the actions menu on the vault page:

  • Add Password: Add a new password to the private vault.
  • Manage Vault Settings: Manage the settings for the private vault.
  • Export Vault: Export all of the passwords in the vault into a comma separated list of values in clear text.

The following management options are available from the Manage Vault Settings page:

  • Update Private Vault Password: Updates the password used to log into the Private Vault.
  • Actions Menu:
    • Delete Vault: Delete the vault and all of the passwords contained inside it.
    • Rekey Vault: Re-encrypt the vault data with new encryption keys.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

 

Differences between Private and Shared Vaults

Since private vaults are designed for a single user's private passwords, there are a few design differences between them and Shared Vaults:

  • Private vaults do not apply a password policy. As such, the only limitation on passwords is that they must be between 4 and 64 characters long. There are no restrictions on content, age, or history.
  • The user always has the option to export their private vault, even if the "Allow Vault members who can Read to export content to CSV (in clear text)" setting is disabled in the settings page.
  • Password history is not kept, so cannot be viewed.
  • Private passwords cannot be synchronized using sync agents.
  • Private vaults cannot be automatically rekeyed. They can, however, be manually rekeyed at the user's convenience.

 

Related Articles

See this article for information on adding Scopes.

See this article for information on Adding Passwords to Vaults.

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk