Creating a regular account

To create an account definition, follow the instructions below.

  1. Click the + icon next to the Accounts tab of the Management sub-section, or
  2. Select Management > Accounts and then click Add account.
../../_images/5-5-add-account.png
  1. Define the object’s name.
  1. Select the Blocked option to disable the account after it is created (if needed).
../../_images/5-5-add-account-regular.png
  1. Select the desired session recording option.

    • all - Fudo Enterprise saves session metadata (basic session information), records raw network traffic (RAW file) and stores session data in internal file format (FBS). The latter enables session playback using the built-in session player, as well as exporting sessions to a selection of video file formats.
    • raw - Fudo Enterprise saves session metadata (basic session information) and records raw network traffic (RAW file). The raw data can be downloaded but it cannot be played back in graphical form using the built-in session player (the session player only depicts the network packet exchange between the client and the target host).
    • noraw - Fudo Enterprise records the session data in a non-raw format that could be played back using the built-in session player.
    • none - Fudo Enterprise saves only session metadata (basic session information).
  2. From the Category drop-down list, select the privileged or non-privileged account category.

Note

During manual account creation, assigning the privileged or non-privileged category is purely informational; during Discovery, however, the category is assigned automatically based on the account’s parameters in the source system.

  1. Select the Notes option to activate the field where you can enter a message for User Access Gateway users. If permissions are granted, notes can also be edited.

Note

Account notes can be displayed in the User Access Gateway.

../../_images/user-portal-note.png
  1. In the Settings tab, in the Type field, press the REGULAR button.
  2. In the Target section, select the Server or Pool button to assign the account to a specific server or a server pool, then select it in the next step from the Server or Pool drop-down list.
  1. Select the SSH Agent forwarding option to authenticate the user against the target host using the client’s SSH key.

Note

This option is available only after selecting an SSH server. Use the -A option when connecting to the SSH server.

  1. To have RDP, VNC or rendered HTTP sessions processed automatically with OCR, enable the OCR session option for this account and select the language of the processed data.
../../_images/5-5-accounts-ocr.png

Note

The OCR option is available only after selecting an RDP, VNC or HTTP server.

  1. In the Credentials section, enter the domain of the privileged account.

Note

If a domain is entered in the Domain field, Fudo Enterprise will always use it to authenticate against the server. The domain will be added automatically to the user’s login.

  1. Type in the login of the privileged account.
  2. In the Replace secret with section, click the button corresponding to the desired option.
../../_images/5-5-add-account-regular-auth.png

Password

  • Provide account password in the Secret field.

Note

Two-fold authentication

With two-fold authentication enabled, the user is prompted twice for login credentials: once to authenticate against Fudo Enterprise and once again to access the target system.

To enable two-fold authentication, select Password from the Replace secret with drop-down list and leave the password and login fields empty.


SSH key

  • Click the Generate button and select the key algorithm.
  • Or click the Upload button and browse the file system to find the key definition file. Provide the Key passphrase if needed for the uploaded file.

Repository

  • Select the external repository name.

Note

To learn more about defining an external password repository, please refer to the External passwords repositories section.


Other account

  • From the Account drop-down list, select the account object whose credentials will be used to authenticate the user when establishing a connection with the monitored server.

Note

The list contains only objects to which you have been given access permissions.

  1. If the Password option was chosen as the authentication method, provide additional configuration in the Password changers tab. Otherwise, continue to step 28 of this manual.

Note

The Password changers tab is active only when creating a regular account with the Password method selected and a login to the privileged account provided in the Credentials section.

  1. Select a Password change policy from the list of configured password change policies.
  2. In the Password checkout time limit field, define the time after which the password is returned automatically.

Note

Defining the password checkout time limit automatically enables the Secret Checkout feature for the particular Safe.

  1. Select the Change password after last checkin option to change the password automatically after it has been returned by the last user.

Note

This option is available only with the Secret Checkout feature and is enabled after specifying the Password checkout time limit.

  1. Select the Change password after session option to change the account password remotely after the session has ended.

Note

This option requires choosing at least one Password changer and a Password change policy other than Static, without restrictions.

Refer to the Password changers topic for detailed information on setting up password changers.

  1. Check the Password recovery option so that the password verifier automatically triggers a password changer when it detects that the account’s password was changed and the new password is not stored in Fudo Enterprise.

Note

With the Password recovery option enabled, the Password Verifier spawns the “Trigger password changer” action on the account. When it is disabled, the Password Verifier only sends the event “Unable to verify password for account <account_name>”.

../../_images/5-5-add-account-password-changers.png
  1. In the Password changer field, select the desired password changing script from the drop-down list to have the account’s password changed automatically according to the password policy.
  2. In the Password changers window, in the Timeout field, define the script’s execution time limit.
  3. In the Variables section, assign attributes to variables.

Warning

  • To handle a password change, you must use an account (transport_login and transport_secret) that has the delegated Reset user passwords and force password change at next logon permission for the Organizational Unit (OU) containing the users whose passwords will be changed, or the account must be a member of the Account Operators group.
../../_images/5-5-account-changer.png
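The delegation requirement in the warning above can be verified before the changer is saved. The following PowerShell script is an added example, not part of the Fudo Enterprise manual: it checks whether the transport account holds the Reset Password right and write access to pwdLastSet (the attribute that "force password change at next logon" sets) on the target OU, or is a member of Account Operators, and flags rights broader than the changer needs. The account name and OU are placeholders.

```powershell
# Added example (not from the Fudo Enterprise manual). Requires the ActiveDirectory
# module and runs on a domain-joined Windows host. Values below are placeholders.
Import-Module ActiveDirectory

$TransportLogin = 'EXAMPLE\svc-fudo-pc'                 # placeholder for transport_login
$TargetOU       = 'OU=Managed Users,DC=example,DC=com'  # placeholder OU with the managed users

# Well-known AD GUIDs: the "Reset Password" control access right and the
# schema GUID of the pwdLastSet attribute (set to 0 to force a change at next logon).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'

# Read the OU's DACL and keep only Allow ACEs granted to the transport account.
$acl  = Get-Acl -Path "AD:\$TargetOU"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $TransportLogin -and $_.AccessControlType -eq 'Allow'
}

$hasReset = $aces | Where-Object {
    $_.ObjectType -eq $ResetPasswordRight -and $_.ActiveDirectoryRights -match 'ExtendedRight'
}
$hasForce = $aces | Where-Object {
    $_.ObjectType -eq $PwdLastSetAttr -and $_.ActiveDirectoryRights -match 'WriteProperty'
}

# Alternative accepted by the manual: membership of the built-in Account Operators group.
$sam = $TransportLogin.Split('\')[-1]
$isAccountOperator = $null -ne (Get-ADGroupMember -Identity 'Account Operators' -Recursive |
                                Where-Object { $_.SamAccountName -eq $sam })

# Rights on the OU that exceed what a password changer needs (least-privilege check).
$tooBroad = $aces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
}

[pscustomobject]@{
    TransportLogin    = $TransportLogin
    ResetPasswordOnOU = [bool]$hasReset
    ForceChangeOnOU   = [bool]$hasForce
    AccountOperator   = $isAccountOperator
    OverPrivileged    = [bool]$tooBroad
}
```

A correctly delegated transport account shows ResetPasswordOnOU and ForceChangeOnOU as True (or AccountOperator as True) with OverPrivileged False; delegations inherited from a parent container are not listed here and must be checked on that container.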
  1. Click Save to close the window.
  1. In the Password verifiers field, select the desired password verifier from the drop-down list to have the account’s password verified automatically according to the password policy.
  2. In the Password verifiers window, in the Timeout field, define the script’s execution time limit.
  3. In the Variables section, assign attributes to variables.
  1. Click Save to close the window.

Note

Fudo Enterprise allows changing a password on a node other than the one set as the Active cluster node for Password changers.

../../_images/5-5-pc-active-node.png

For this to work, the following condition must be met:

  • When setting up a Password Changer or Password Verifier for an account, the value of the transport_bind_ip variable should indicate the same cluster node for all password changers and password verifiers.
../../_images/5-5-accounts-pc-config.png
  • If the transport_bind_ip variable values indicate different cluster nodes, the configured password changer/verifier will run on the node set as the Active cluster node for Password changers.
  1. In the Data retention section, define automatic data removal settings.
  • Select the Override global retention settings option to set retention values other than the global ones for connections established using this account.
  • Check the Remove session data option to exclude sessions from the retention mechanism.
  • Next to the Remove session data field, define the number of days after which the session data will be moved to an external storage device. The default value when the option is checked is 30 days.
../../_images/5-5-accounts-retention.png
  1. Go to the Permissions tab to add users allowed to manage this object.
  2. Go to the Remote applications tab to assign the desired remote application entries to an account, enabling direct RDP connections to those applications.
../../_images/5-5-add-account-forward-remoteapp.png

Note

To learn more about defining remote applications, please refer to the Remote Applications section.

Note

The Remote applications tab is active only when creating a regular or forward account with an RDP server or pool assigned.


Related topics: