Creating a safe
Warning
Data model objects (safes, users, servers, accounts and listeners) are replicated within the cluster, so object instances must not be added on each node. If the replication mechanism fails to copy objects to other nodes, contact the technical support department.
- Click + icon in the main menu next to the tab, or
Select > and then click .
- Enter the object’s name.
- Select the Blocked option to disable access to the object after it is created.
- Select the Login reason option to display a prompt upon login that asks the user to enter a login reason.
Note
Login reason is not supported in HTTP connections.
- Select the Access request required votes option and provide the number of voters. This option enables the so-called Just-In-Time feature, which allows defining and scheduling the time when a user is allowed to access specific resources for a set period of time. The user sends requests via the Access Gateway and the voters accept or reject them in the Admin Panel. Read more about the Just-In-Time feature on the Access requests page.
- Select the Require approval option to have the administrator approve each connection to servers accessed through the configured safe. Provide how many minutes the administrator has to approve or reject a request. For more information, refer to the Require approval for access section.
- Assign security policies in the Policies field.
- From the Note access drop-down list, select access rights to account related notes:
read-only access or write access.
Notes can be accessed either from the account edit form or in the User Portal (Access Gateway).
- Select the Session time limit option and enter a value in minutes.
- Select the Session inactivity limit option and enter a value in minutes.
- The OTP in Access Gateway option is enabled by default and is responsible for generating OTP in the Access Gateway.
Warning
Disabling the OTP in Access Gateway option makes it impossible to connect via the Native Client or Web Client. Only access via Access requests remains possible.
- For RDP, VNC and SSH-based safes, select Web Client option to allow connecting to the session in browser.
Note
The Web Client option can’t be enabled when the OTP in Access Gateway option is disabled.
- Select a Backup target as a destination place for storing data.
- In the Protocol functionality section, select allowed protocols’ features.
Note
Protocol functionality options overview:
RDP
- Audio Input Redirection - Redirects audio input from the client device to the remote desktop, allowing voice input applications to function.
- Dynamic Virtual Channels - Enables support for multiple virtual channels over a single RDP session.
- Clipboard Redirection - Shares clipboard contents between the client and remote desktop, enabling copy-paste functionality.
- Sound Redirection - Redirects audio output from the remote desktop to the client device.
- Device Redirection - Allows peripherals (e.g., printers, USB devices, smart cards) connected to the client device to be used within the remote desktop session.
- Multimedia Redirection - Improves multimedia playback by offloading the decoding process to the client device for smoother video and audio.
- Suspend - Pauses and saves the current session, allowing it to be resumed later without restarting. With the Suspend option enabled, the session content will not be available for viewing when the user minimizes the client application.
- Max. Resolution - Sets the maximum resolution for the remote desktop session, affecting display quality and bandwidth usage.
- Max. Color Depth - Sets the maximum color depth for the remote desktop session, affecting visual quality and bandwidth usage.
SSH*
- SSH Agent Forwarding - Enables the User to utilize the SSH Agent Forwarding option during authentication.
- Environment - Disabling this option will prevent the passing of environment variables to the server using -o SendEnv=. This option does not block the use of environment variables on the destination server.
- Port Forwarding - Enables redirecting network traffic from one port to another, allowing secure connections to services behind firewalls or NAT.
- SCP (Secure Copy Protocol) - Enables secure file transfer between local and remote systems using SSH.
- Sessions - Disabling this option will prevent the initiation of interactive sessions and the execution of remote commands. Nevertheless, certain options, such as port forwarding, will remain available.
- SFTP (Secure File Transfer Protocol) - Enables secure file transfer and management over SSH.
- Shell - Disabling this option will prevent the initiation of interactive sessions. However, it will still be possible to execute remote commands and forward ports.
- Terminal - Enables pseudo-terminal functionality.
- X11 - Enables support for X11 protocol.
- Exec - Enables executing a single command on the remote server without starting an interactive shell session.
VNC
- Client Cut Text - User is allowed to paste text into the VNC server computer.
- Server Cut Text - User is allowed to copy and paste text from the VNC server computer into the user’s computer.
*For detailed information about SSH functionalities please refer to RFC 4254 - The Secure Shell (SSH) Connection Protocol.
- Select Users tab to assign users allowed to access accounts assigned to this safe.
Click .
Click i next to desired user to enable server access over monitored safe.
Click ok to close the modal window.
Define safe access options.
- Click . to fill out the Valid from and Valid to fields with date and time interval when user will be allowed to access servers through the given safe. When defined date and time comes, access to the given safe is granted to the user automatically.
- Click . to enable and define time intervals during which the user will be allowed to connect to servers.
- Click . to allow user to use Secret Checkout feature and view passwords in the User Portal.
- Click . to disable access for selected user.
- Click . to delete selected user from the safe.
Note
Access time policy options are disabled when the Access request required votes option is enabled for the safe.
- Select Granted users tab to assign users allowed to manage this object.
- Click .
- Click i next to desired user to enable server access over monitored safe.
- Select notifications that will be enabled for the particular granted user. More on this subject is at the Notifications page.
- Click ok to close the modal window.
- Select Accounts tab to add accounts accessible through this safe.
- Click .
- Click . to add accounts.
- Click ok to close the modal window.
- Click . to assign listeners to accounts.
- Click . to add listeners.
- Click ok to close the modal window.
- Click .
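
The SSH options in the Protocol functionality overview above correspond to RFC 4254 requests, and several of them overlap. The following added example (not code from the product or its vendor) models that correspondence to list what a given set of enabled options still permits; the gating rules, function names and the sample safe are assumptions based on the option descriptions on this page.

```python
# Added example: models the SSH "Protocol functionality" toggles as RFC 4254
# requests. Toggle names come from the page; the gating logic is an assumption
# made for illustration, not the product's implementation.

SESSION_REQUESTS = {  # channel request on a "session" channel -> toggle
    "shell": "Shell",
    "pty-req": "Terminal",
    "env": "Environment",
    "x11-req": "X11",
    "auth-agent-req@openssh.com": "SSH Agent Forwarding",  # OpenSSH extension
}
FORWARDING = {"direct-tcpip", "tcpip-forward"}  # channel open / global request


def allowed(enabled, request, arg=""):
    """Return True if `request` would pass with the given set of enabled toggles."""
    if request in FORWARDING:
        return "Port Forwarding" in enabled  # independent of the Sessions toggle
    if "Sessions" not in enabled:
        return False  # assumed: no "session" channel, so nothing that rides on it
    if request == "exec":
        # Assumed: an exec of "scp ..." is governed by SCP, anything else by Exec.
        is_scp = arg.split()[:1] == ["scp"]
        return ("SCP" if is_scp else "Exec") in enabled
    if request == "subsystem":
        return arg == "sftp" and "SFTP" in enabled
    toggle = SESSION_REQUESTS.get(request)
    return toggle is not None and toggle in enabled


def residual_capabilities(enabled):
    """List the capabilities a safe still grants, for review against its purpose."""
    probes = {
        "interactive shell": ("shell", ""),
        "remote command execution": ("exec", "id"),
        "file transfer (SCP)": ("exec", "scp -t /tmp"),
        "file transfer (SFTP)": ("subsystem", "sftp"),
        "tunnelling": ("direct-tcpip", ""),
    }
    return sorted(name for name, (req, arg) in probes.items()
                  if allowed(enabled, req, arg))


if __name__ == "__main__":
    # Constructed sample: a safe intended for file drop only, with Shell off.
    safe = {"Sessions", "Exec", "SFTP", "Port Forwarding"}
    print(residual_capabilities(safe))
```

In the constructed sample, switching Shell off still leaves command execution, SFTP and tunnelling available, which is the overlap the Sessions and Shell descriptions point out.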