Audience & purpose

As a Credential Owner you must be able to add a Credential to a Locker that you own.

Adding a Credential to a Locker

Only the Owner of a Locker can add a Credential to the Locker.

Work Flow 1:

1. Select the Locker that you own.
2. Click Add Credential.
3. Select the Credentials that will be assigned to the Locker.
   1. The Credentials will be assigned to the Locker.

Work Flow 2:

1. Go to the All Credentials page.
2. Select a Credential that you own.
3. Assign the Credential to a Locker that you own.
   1. The Credential will be assigned to the Locker.

Return to top

Audience & purpose

As an Automation Administrator you want to see the details of the a credential which was deleted from the Credential Vault one year ago. This will:

• Record point-in-time data of a credential object from its creation till deletion.
• Help in understanding what all changed in a credential object.
• Show details of objects which have been deleted from the Product.

Description

In the "Audit log" page, the following entries will be logged whenever a credential (or its attributes) is added, updated, or deleted.

Audit log entries

Status	Time	Action	Object name	Action taken by	Device	Source	Start time
Successful	<datetime>	Add credential	<credential name>	<user a>	<hostname>	Product	<datetime>
Successful	<datetime>	Update credential	<credential name>	<user a>	<hostname>	Product	<datetime>
Successful	<datetime>	Delete credential	<credential name>	<user a>	<hostname>	Product	<datetime>
Note: ▸ If an error occurs for any action, the "Status" will be set to "Unsuccessful". ▸ If an attribute of a credential is being "added" or "deleted", the action logged will be "Update Credential".

1. Select an Audit entry and click "View action".
   1. The "Details" page of the Audit entry will be displayed.
   2. For each of the Create/Edit/Delete credential actions, the "Details"page will show whether the action was "Successful" or "Unsuccessful".
   3. If the action was "Unsuccessful" it will also display the exact error message in the "Results" frame.
2. The "Audit log" page will be read-only. You can only act on the page-level toolbar.
3. The lower half of the page will show details of the credential object when the action was performed.
   1. It will not show data of the date when this page is being accessed unless there was absolutely no change in the credential object.
4. For the "Edit credential" action, the lower half of the page will display a data table with fields containing their "Old" and "New" values. It will only display the fields that are modified. See the following data table.

   "Edit Credential" action: Modified values

   What changed?	Old value	New value
   Type	User-provided	Standard
   Status	Unassigned	Incomplete
   Credential Name	FTP	SFTP
   Description	FTP server	FTP server credential
   Locker Name	FinLocker	Finance Locker
   Attribute<id1>.Type	User-created	Standard
   Attribute<id1>.Name	server	servername
   Attribute<id1>1.Description	server	server description
   Attribute<id1>.Masked	Yes	No
   Attribute<id1>.Value	–	172.168.2.1
   Attribute<id2>.Type	Standard	User-created
   Attribute<id2>.Name	user	username
   Attribute<id2>.Description	name	name of user
   Attribute<id2>.Masked	No	Yes
   Attribute<id2>.Value	test	***********
   For each Attribute field, increment the name prefixed with an "Attribute number id" like "Attribute4.Name", Attribute5 Attribute1001. Description and so on. For the Value field the change in value will be shown as 8 asterisk/star ("*") characters. For the "Create Credential" action, the table will display all fields the same as the "Edit Credential" action, except that it will additionally show the "Credential Name"field. The "Old value" column will not be displayed. For the "Delete Credential" action, the lower half will display the "Old value".

5. The breadcrumb trail will show "Audit log" → "View action".
6. Click the "Back" button to return you to the previous page.

Security

Note:

• Only authorized users will be allowed to view ALL the audit entries and their details.
• If you have the "Manage my credentials and lockers" permission you can view the Audit log for "Create", "Edit", or "Delete" of a credential.

Return to top

Audience & purpose

As an Automation Administrator, you want to see details of a credential whose ownership was transferred from "Owner X" to "Owner Y". This will:

• Record point-in-time data of a credential object since its ownership was transferred.
• Help in understanding all that has changed in a credential object.

Logging audit entries

In the Audit Log page the following entries will be logged whenever a Credential ownership is transferred.

Audit log entries

Status	Time	Action	Object name	Action taken by	Device	Source	Start time
Successful	<datetime>	Transfer credential ownership	<credential name>	<user a>	<hostname>	Product	<datetime>
Note:If an error occurs for this action, the "Status" field will be set to "Unsuccessful".

1. Select an audit entry and click "View action".
2. The "Details" page of the Audit entry will be displayed.
   1. For the "Transfer ownership" action, the Details page will show whether the action was "Successful" or "Unsuccessful".
   2. If the action was unsuccessful then it should also display the exact error message in the "Results" frame.
3. The Audit log page will be read-only. You can only act on the page-level toolbar.
4. The lower half of the page will show details of the credential object when the action was performed.
   1. It will not show data of the date when this page is being accessed, unless there was absolutely no change in credential object.
5. The Details page will show the "old" and "new" value of the credential owner once the ownership is transferred as shown in the following data table.

   What changed?	Old value	New value
   Credential Owner	abc	xyz

6. The breadcrumb trail will show "Audit log" → "View action".
7. Click the "Back" button to return to the page you came from.

Security

Only authorized users (Product Admins or users having the "View audit log" permission) will be allowed to view ALL the audit entries and their details.

Note: If a user has the "Administer All Lockers" permission, then he/she can view the Audit log for the credentials whose ownership is transferred by his/her action.

Return to top

Audience & purpose

An Product customer needs this functionality to secure confidential data.

Use Cases

Note the following use cases.

• On a fresh Product installation, once the Product Admin user is created and logs-in to Product for the first time, the Configure CV page is displayed.
• The Product Admin configures the Credential Vault by generating the Master key and selecting the Mode: Express mode or Manual mode, for opening the Credential Vault.
  • Irrespective of the mode selected, the Product Admin can copy the Master Key and keep it in a secure place.
• In Express mode:
  • The Vault is automatically opened.
  • On IIS restart, the Vault is closed.
  • After an IIS restart, if the Product Admin logs-in to Product, the Vault is opened once again without the need for the Admin to re-input the Master Key.
• In Manual mode:
  • The Vault is closed until the Product Admin enters the Master Key.
  • On IIS restart, the Vault is closed.
  • After an IIS restart, if the Product Admin logs-in to the Product, they have to re-input the Master Key to open the Vault.
• In the Product Settings page there is an option to toggle between "Express" and "Manual" modes.
  • When the Product Admin switches the mode, they are prompted to input the Master Key to validate the mode change.
• Important note:
  • None of the users can login to Product if the Vault is closed.

Return to top

Audience & purpose

As an Automation Expert, I want to create a new credential and store it securely in Credential Vault

Create a new Credential

You must be able to create credentials with "User-provided" and "Standard" attributes.

1. In the Credentials landing page, click the "Create credential" icon to display a Create new Credential page with empty fields and a blank attribute row.

   

2. Fill in the credential details:
   • Name and description of the credential.
   • Name, description, and value of the credential attribute.
3. Credentials:
   • Credential name: Maximum 50 characters, case-insensitive, and cannot include special characters such as: ( ) \ / " ' [ ] : | < > + = ; , ? * @ `
   • Credential description: Maximum 255 characters.
4. Attributes:
   • Attribute name: Maximum 50 characters, case-insensitive, and cannot include special characters such as: ( ) \ / " ' [ ] : | < > + = ; , ? * @ `
   • Attribute description: Maximum 255 characters.
   • Attribute value: Unlimited characters.
5. Check "User-provided" to mark the attribute as "User-provided".
   • Otherwise, the attribute is standard to other users.
   • By default, the credential must be marked "user-provided" by the system.
6. Check "Add Mask" to set an attribute value as "Masked".
   1. Otherwise it is "Unmasked".
7. If Masked on edit, the old value must not be shown.
   1. The typed-in "New value" will overwrite the "Old value".
8. Click the "Create attribute" icon to create a new row to input another credential attribute.
   1. The "X" icon will appear in the previous row.
9. Repeat these steps to add more attributes to the credential.
10. Click Create to create and store the credential and its attributes in the Credential Vault.
11. While creating a credential when the attribute is Standard, you will be forced to enter the value.
    • The credential owner can update the Standard value later by editing the credential.
    • If the attribute is user-provided, the field will be grayed out.
      • Only if the owner of the credential has USAGE access on a locker can he/she enter the credential value.
    • By default, the owner will not have USAGE access. He/she can then give themselves usage access to their locker (if they need it).

Credential encryption

The credential will be encrypted using AES 256 bits encryption and stored in the Credential Vault to meet FIPS compliance.

Use a unique credential name

The credential name must be unique throughout the Credential Vault.

Delete a credential attribute

Click the "X" icon to remove the selected attribute before saving the credential.

Validation messages

Note the following validation messages.

1. The name and attributes will be validated for duplication.
   • No two credentials may have the same name.

     This credential already exists.
     				To continue, please create a credential with a different credential name.

   • No two attributes in the credential may have the same name.

     This credential attribute already exists.
     				To continue, please create a credential attribute with a different attribute name.

2. A credential with a blank name will not be allowed.
3. An attribute within a credential having a blank name or value will not be allowed. The attribute "description" is optional.
4. On Save:
   • If an attribute row only has a description, then the user must be forced to input the mandatory name and value fields.
   • An attribute with just a description cannot be saved.

Return to top

Audience & purpose

As an Automation Expert, you want to create a new credential and store it securely in Credential Vault. This will:

• Secure sensitive data in the Credential Vault.
• Enable a TaskRobot to make use of the credential variable.

Using the Type field

The "Create Credential" page will display two options under the "Type" field as shown in the following screenshot.

• Standard (default)
• User-provided

The "Add to a locker" table

Use the following guidelines:

1. The "Add to a locker" table will list all the lockers to which the current logged-in user is a member.
   • If no lockers are available then the list will be empty.
   • The table will display the locker name, owner name, and the number of users who are members of the locker.
2. The "Add >" button will be disabled until a locker is selected.
3. Clicking the "Add >" button, the locker icon (on the right side) will be enabled and the selected locker name will be displayed. See the following screenshot.

   

4. The "Add >" button will change to "Replace >" once the locker is added.
   1. Clicking Replace > will replace the previous selected locker with the new selected locker's name.
5. Only one locker can be selected and assigned to a credential.
   1. Assigning a locker to a credential is optional.
6. If a locker cannot be added to the credential then it will be displayed as "disabled" in the lockers list.
7. The "Available Lockers" count (X of Y) will display:
   1. "X" as the count of available lockers to this user.
   2. "Y" as the count of total lockers in the system.
8. The "Search" filter above the table will allow you to search the locker.

Add attributes

Use the following guidelines:

1. By default, one empty attribute row will be displayed with an "Add another" button.
   1. Once the attribute is added, the "Add another" button will change to the "Remove" button.
   2. The lowest attribute row will keep the "Add another" button, however for all other rows from the top to one less than the lowest row will show the "Remove" button.
   3. Clicking the "Remove" button will delete the attribute row.
2. If the Type is "User-provided", then the "Value" field will display two radio buttons: Standard and User-provided. This is used to select the type of attribute value the user wants to enter.
   1. If "Standard" is selected, then the user can select the "Masked" checkbox and enter the value. If Masked. then the value will be shown as "********".
   2. If "User-provided" is selected, then the user can select the "Masked" checkbox and the value field will be disabled and display its contents with "(user-provided)" text.

Toast message

Click "Create credential..." to create the new credential, and a success toast message will be displayed on the page from where the user came.

Toast message
<credential name> successfully created

The "Close"/"Cancel" button

Returns you to the previous page you came from.

• It remains named "Close" until you fill in something, and then becomes "Cancel".

The "Create Credential" button

The "Create credential" button will be disabled until all required fields are filled in.

1. Click this button to create and display the credential as a new entry in the My Credentials page.

Return to top

Audience & purpose

As a Product Administrator you want to audit the Credential Vault.

Audit trail for credentials

The Audit trail for credential activities is described in the following data table.

Success and failure status descriptions

Level	Activity	Source	User	Status	Description
Information	Add Credential	Product	<user a>	Success	Credential "name=xxx" successfully created
Error	Add Credential	Product	<user a>	Failed	Credential "name=xxx" wasn't created.
Information	Update Credential	Product	<user a>	Success	Credential "name=xxx" successfully updated.
Error	Update Credential	Product	<user a>	Failed	Credential "name=xxx" wasn't updated.
Information	Delete Credential	Product	<user a>	Success	Credential "id=xxx" deleted successfully.
Error	Delete Credential	Product	<user a>	Failed	Credential "id=xxx" wasn't deleted.

Audit trail for credential attribute values

The Audit trail for credential attribute values is described in the following data table.

Success and failure status descriptions

Level	Activity	Source	User	Status	Description
Information	Update Credential	Product	<user a>	Success	Value for attribute "id=xxx" successfully created.
Error	Update Credential	Product	<user a>	Failed	Value for attribute "id=xxx" wasn't created.
Information	Update Credential	Product	<user a>	Success	Value for attribute "id=xxx" successfully updated.
Error	Update Credential	Product	<user a>	Failed	Value for attribute "id=xxx" wasn't updated.

Audit trail for lockers

The Audit trail for lockers is described in the following data table.

Success and failure status descriptions

Level	Activity	Source	User	Status	Description
Information	Add Locker	Product	<user a>	Success	Locker "name=xxx" successfully created.
Error	Add Locker	Product	<user a>	Failed	Locker "name=xxx" wasn't created.
Information	Update Locker	Product	<user a>	Success	Locker "name=xxx" successfully updated.
Error	Update Locker	Product	<user a>	Failed	Locker "name=xxx" wasn't updated.
Information	Delete Locker	Product	<user a>	Success	Locker "id=xxx" deleted successfully.
Error	Delete Locker	Product	<user a>	Failed	Locker "id=xxx" wasn't deleted.

Audit trail for locker access management

The Audit trail for locker access management is described in the following data table.

Success and failure status descriptions

Level	Activity	Source	User	Status	Description
Information	Add Consumer	Product	<user a>	Success	Role "xxx" was granted consumer permission on locker "yyy".
Information	Add Participant	Product	<user a>	Success	User "xxx" was granted participant permission on locker "yyy".
Information	Add Owner	Product	<user a>	Success	User "xxx" was granted owner permission on locker "yyy".
Information	Add Share	Product	<user a>	Success	User "xxx" was granted share permission on locker "yyy".
Information	Delete Consumer	Product	<user a>	Success	Role "xxx" was revoked consumer permission on locker "yyy".
Information	Delete Participant	Product	<user a>	Success	User "xxx" was revoked participant permission on locker "yyy".
Information	Delete Owner	Product	<user a>	Success	User "xxx" was revoked owner permission on locker "yyy".
Information	Delete Share	Product	<user a>	Success	User "xxx" was revoked share permission on locker "yyy".

Return to top

Audience & purpose

As a Credential owner, you want to keep track of credential status so that you are aware of whether the credential attribute values have been completed by all users (if user-specific) or not.

Update Credential Status

The Status of a new credential will be set to "Incomplete" by default.

1. If the credential is "common", then the Status will change to "Complete" when a locker is assigned.
   • If the locker is unassigned afterwards, then the Status will go back to "Incomplete".
2. If the credential has user-specific values, then the Status will change to "Complete" when a locker is assigned and all consumers have filled in their user specific values.
   • If the locker is unassigned afterwards, or a new consumer is added who has yet not provided his user-specific value, or the credential is edited by adding a new user-specific attribute, then the Status of credential will go back to "Incomplete".

Status view

Regarding user-specific credentials

1. A "Locker owner" will see the status as "Incomplete" for a credential until all consumers have provided their user-specific values.
2. A "Locker consumer" will see the status as "Incomplete" for a credential if he has not filled in his user-specific value.
   • Once he provides his values then the credential status changes to "Complete" for him.
3. A "Locker participant" will see the status as "Incomplete" for his credential until all consumers of the locker have provided their user-specific values.

Regarding common credentials

1. A "Locker owner" will see the status as "Complete" once the credential is added to the locker.
2. A "Locker consumer" will not see this credential.
3. A "Locker participant" does not see this credential.
   • If he has added his common credential to the locker, then he will see the status as "Complete" once the credential is assigned to the locker.

Return to top

Audience & purpose

As a Credential Owner you must be able to permanently delete an unwanted credential so that it can be removed from the system.

Deleting a credential

Use the following steps to delete a credential.

1. Only a Credential Owner can delete a credential.
2. A credential (owned by the Credential Owner) can only be deleted from the My Credentials page.
3. Note: If the credential is assigned to a locker:
   1. The credential cannot be deleted if it is assigned to a locker.
      1. It has to be removed from the locker before it can be deleted.
   2. A credential that you own can only be deleted from the My Credentials page.
   3. On deletion, a confirmation message will be displayed:

      Type	Message
      Information	Do you want to permanently delete the credential "<credential name>"?

   4. For a bulk delete, the message will be:

      Type	Message	Remarks
      Information	Do you want to permanently delete these <count> credentials?	A list of the selected credentials will be shown in a pop-up message.

   5. On confirmation, the credential and its attributes will be deleted from the system.

Return to top

Audience & purpose

As a Credential Owner you must be able to edit the credential, modify its structure (add/remove attributes), and set common values.

Edit a credential

Use the following steps to edit a credential.

1. Select a credential and click Edit.
   1. The credential and its attributes will become editable to the owner of the credential.
2. If the credential is not assigned to any locker, the user (credential owner) can:
   1. Change the credential, its name and description.
   2. Change the attribute name and description.
   3. Add or remove an attribute from the credential.
   4. Change "User-provided" to "Standard" and vice versa.
   5. For a "duplicate credential", the error message will be:

      This credential already exists.
      To continue, please edit the credential with a different credential name.

   6. For a "duplicate credential attribute", the error message will be:

      This credential attribute already exists.
      To continue, please edit the credential with a different attribute name.

3. If the credential is assigned to any locker:
   1. The user can edit the description of a credential and its attributes.
   2. The user can click "Delete" to delete the selected attribute if none of the users who have "USE" access on the locker has entered their value for the attribute in context. Otherwise, the attribute cannot be deleted.
4. Standard attribute values but NOT the attribute name:
   1. Can be edited by the OWNER whether it belongs to a locker or not.
5. Credential attribute values:
   1. Users with "Usage" access to the locker can edit their user-provided values for the credential attributes in context.
   2. On Save, the update will be stored.

Audience & purpose

As a Credential Owner you must be able to mask a credential attribute value for security purposes.

Important note

Roboth "user specific" and "common" attributes in a credential can be masked.

Why mask a common attribute?

There may be some situation where an employee in the management chain wants to share his credential for a task to run, but still wants to protect the password from others.

In those situations they may create a credential with their username/password marked as common and masked so that users who have "Usage Access" to that credential via a locker can use it in the task.

Return to top

Audience & purpose

As a Product user and locker consumer, this tab offers a quick and easy way to return credentials requested by you.

Description

1. The name of the tab is "User-provided credential requests".
   • When opened, it contains user-provided credentials where the user is a locker consumer.
   • The purpose of the tab is to make it easy for users to get to these credentials (which will always be in a locker and so will possibly be hard to find).
2. A standard credentials table is shown with a Status column containing two values: "Complete" and "Incomplete". See the following screenshot.

   

Process

A user wants easy access to a folder and its credentials.

1. A Locker Admin sends an email to the user with a request to add them to a locker.
2. The user replies to this email requesting easy access to a locker and its credentials.
3. The Locker Admin grants the user the "Usage access" permission.
4. In the "Status" column, the Locker Admin observes the complete/incomplete status of the request sent to the user.

Return to top

Audience & purpose

As a credential owner, you want to be able to view all of your credentials in the All Credentials page so that you can:

• Manage them.
• Keep track of their status.
• Assign lockers to them.

Default view

Use the following guidelines.

1. Click the "Credentials" tab to display the following two tabs by default:
   1. My Credentials tab
   2. My Lockers tab
2. The third tab, "Requests", will be displayed based on whether you have any credential requests.
3. If there are no credentials available for you, then the "My credentials" tab will show the following help text in the middle of the table.

   Message
   To see a credential in this list, create a credential.

   • Click the "create a credential" link to open the "Create credentials" page (see the "Create credentials" topic on this page).
4. The breadcrumb trail will show "Robots → Credentials".
   • Note: Switching between the tabs will not change the breadcrumb trail.

Credential table

When creating a new credential, it will be displayed in the credential table.

1. The credential entry should be set with following values:

   Column	Values
   Status	Incomplete (default) Complete
   Name	<name of the credential created>
   Locker name	- (default) <name of the locker the credential belongs to>
   My locker permissions	N/A (default) Locker owner Locker owner and consumer Locker manager Locker manager and consumer Locker participant Locker participant and consumer Locker consumer only
   Type	Standard User-provided (based on whether a credential has a user-provided attribute)
   Credential owner	<name of the credential creator>

2. A user can perform the following actions at row level:
   1. View: View the selected credential.
   2. Edit: Edit the selected credential.
   3. Delete: Delete the selected credential.
3. A user can perform the following actions at table level:
   1. Delete: Delete one or more selected credentials.
   2. Show/hide columns: Customize the column view.
4. When editing the credential, the entry in the table will be updated with the latest values.
5. When deleting the credential, the entry in the table will be deleted.

Credential Status transition

See the Credentials status transition topic in this page for details.

Locker access permission transition

Refer to the Grant role usage access to a locker topic for details.

My credentials: View action

The "My Credentials" view will display the following credentials to you.

1. Credentials that are created by you and have not been assigned a locker (outside locker).
2. Credentials that are created by you and have been assigned a locker (inside locker) for which you have "Owner", "Manager", "Participant" or "Consumer" access.
3. Credentials that are not created by you but assigned to a locker for which you have "Owner", "Manager", or "Consumer" access.

The "My Credentials" view will NOT display the following credentials to you.

1. Credentials that are not created by you and are outside the locker.
2. Credentials that are not created by you but are assigned to a locker for which you have "Participant" access.

My credentials: Edit action

The "My Credentials" tab will allow editing of the following credentials to you.

1. Credentials that are created by you and have not been assigned to a locker (outside locker).
2. Credentials that are created by you and have been assigned to a locker (inside locker) for which you have "locker owner", "manager", "participant" or "consumer" access.
3. Credentials that are not created by you but have been assigned to a locker (inside locker) for which you have "Locker Owner", or "Manager" and "Consumer" access.

Assign/reassign/unassign locker action

Clicking "Action" → "Assign credential to locker" will display a pop-up window displaying a list of all lockers to which you have access.

1. On selecting a locker name and clicking "Submit", the "Locker Name" column will be set to the name of the locker selected, and the credential will be assigned to that locker.
2. A credential can only be assigned to one locker at a time (e.g., a MyFTP credential CANNOT be added to Locker 1 and Locker 2. Only to Locker 1 or Locker 2).
3. On reassigning a credential to a different locker, the Locker Name will be updated.
4. On deleting the locker, the Locker Name will be set to '--'
5. If a credential is assigned to a shared locker, and if you want to reassign it to another locker, then a message will appear when "Submit" is clicked. See the following data table.

   Type	Message
   Error	You have to contact the owner of the current locker to remove your credential first, before you can change to another locker.

6. If a consumer tries to edit or delete a credential from the "All Credential" view, then he will be restricted by the display of the following error message.

   Type	Reason	Message	Buttons
   Error	Consumer cannot delete a credential which he does not own.	You cannot delete this credential as a consumer, please contact the credential owner.	Okay
   Error	Consumer cannot edit a credential which he does not own.	You cannot edit this credential as a consumer, please contact the credential owner.	Okay

Return to top

Audience & purpose

As a Credential Owner you must be able to remove a credential from the locker you own (for security reasons or if the task no longer uses it) so that all users with the "Usage Access" permission to the locker will lose/have their access revoked to the credential.

Removing a credential from a locker

Only the Owner of the locker can remove a credential from the locker.

Workflow 1:

1. Select the locker that you own.
2. Select a credential in that locker.
3. Click Remove.
   1. The credential will be removed from the locker.
   2. All user-specific entries made by users who have Use Access on that locker will be removed.

Workflow 2:

1. Go to the All Credentials page.
2. Select a credential that you own.
3. Set it as unassigned to a locker.
   1. The credential will be removed from the locker.
   2. All user-specific entries made by users who have Use Access on that locker will be removed.
   3. The All Credential page will have a VISUAL cue on which locker and credential you own, so you can accurately remove the specific credential.

Audit entry

An Audit entry will be logged when a credential is removed from a locker.

Level	Activity	Source	User	Status	Description
Information	Update Locker	Product	<user a>	Success	Locker "yyy" updated successfully. The credential "xxxx" is removed from the locker.

Return to top

Audience & purpose

An Product customer must be able to sync their Active Directory with Credential Vault so that credentials in the Vault do not get outdated as Active Directory enforces a password change every x days based on a corporate password rotation policy.

Synchronization options

The following options are potential synchronization tools.

Option 1: Password Interceptor

Use the IBM Security Directory Integrator.

Option 2: AD Password Filter:

Configure the Active Directory Password Filter with an Identity Management Application.

Audience & purpose

As a Locker Admin you must be able to transfer credential ownership from the current owner to another user. If the current owner leaves the company, the credential can still be used while it continues to meet corporate security policy.

This is used to:

• Avoid loss of credentials due to a credential owner leaving the company.
• Maintain RBAC and achieve company security.

Transferring credential ownership

Use the following steps to transfer credential ownership.

1. Login to Product as a user with the "Locker Admin" privilege.
2. Select the credential from All Credentials.
3. Click Transfer Ownership and select the target user.
   1. Credential ownership will be transferred from the current owner to the target owner.
4. If the original owner logs in to Product, in the All Credential page he will not see the credential that was transferred.

Note the following guidelines:

If a credential is not assigned to a locker, then the Locker Admin can transfer credential ownership to any user.

• Otherwise, the Locker Admin can see a list of only those users who are members of the locker to which the credential is assigned.
• Tip: To transfer a credential to any other user, make that user a "Member" of the locker.

Return to top