Lockers
This section covers various procedures related to the editing, adding, removing and deleting of credentials and lockers in Credential Vault.
Audit log: Create/edit/delete action on lockers
- Audience & Purpose
As a Product Admin, you want to see the details of the "Finance locker" which was deleted from the Credential Vault one year ago. This will help:
- Record point-in-time data of a locker object from its creation to its deletion.
- Understand all that changed in the locker object.
- Show details of objects which have been deleted from the Product.
Logging audit entries
In the Audit Log page, the following entries will be logged whenever a locker is added, updated or deleted.
Audit log page entries

| Status | Time | Action | Object name | Action taken by | Device | Source | Start time |
|---|---|---|---|---|---|---|---|
| Successful | <datetime> | Add locker | <locker name> | <user a> | <hostname> | Product | <date time> |
| Successful | <datetime> | Update locker | <locker name> | <user a> | <hostname> | Product | <date time> |
| Successful | <datetime> | Delete locker | <locker name> | <user a> | <hostname> | Product | <date time> |

Table data notes:
- If an error occurs for any action, the status will be set to "Unsuccessful".
- If a credential is being added or removed, to or from the locker, the action logged will be "Update Locker".
- Select an Audit entry and click "View action".
- The "Details" page of the Audit entry will be displayed.
- For each of Create/Edit/Delete locker actions, the Details page will show whether the action was "Successful" or "Unsuccessful".
- If the action was "Unsuccessful" then it will also display the exact error message in the "Results" frame.
- The Audit log page will be Read-Only. You can only act on the page-level toolbar.
- The lower-half of the page will show details of the locker object and when the action was performed.
- It will not show the data as of the date on which this page is accessed, unless there was absolutely no change in the credential object.
- For the "Edit locker" action, the lower half of the page will display a table with fields containing their "Old" and "New" values.
- Note: It will only display the fields that are modified. See the following data table.
Edit locker action: Modified locker object values

| What changed? | Old value | New value |
|---|---|---|
| Locker Name | Finlocker | Finance Locker |
| Description | Finlocker | Finance Locker |
| Locker Owners | John | Mike |
| Locker Managers | – | John |
| Locker Participants | – | Mark, Amy, Jason |
| Locker Consumers | Role1 | Role1, Role2 |
| Number of Credentials | 2 | 4 |

Table data notes:
- For the "Create locker" action, the table will display all fields the same as for the "Edit locker" action, except that it will additionally show the "Locker name" field.
- The "Old value" column will not be displayed.
- For the "Delete locker" action, the lower half of the page will display the "Old value".
- Important note: The sample data provided in the above table uses "Username" as the field value for Locker Owner, Manager, or Participant.
- The breadcrumb trail will show Audit log → View action.
- Click "Back" to return to the previous page.
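The Details-page behaviour described above (modified fields only for an edit, no "Old value" column for a create, only the "Old value" for a delete) can be sketched as follows. This is an added example, not the product's code: the function names, the `Results` and `Details` keys, the set-based comparison of member lists and the empty Details on failure are assumptions, and the snapshots are constructed from the sample table.

```python
from datetime import datetime, timezone

# Rows of the page's "Modified locker object values" table.
LOCKER_FIELDS = (
    "Locker Name", "Description", "Locker Owners", "Locker Managers",
    "Locker Participants", "Locker Consumers", "Number of Credentials",
)


def _norm(value):
    # Assumption: member lists compare as sets, so reordering is not a change.
    return frozenset(value) if isinstance(value, (list, tuple, set)) else value


def detail_rows(action, old=None, new=None):
    """Rows for the lower half of the Details page, keyed by the logged action."""
    old, new = old or {}, new or {}
    if action == "Add locker":       # create: every field, no "Old value" column
        return [{"field": f, "new": new.get(f)} for f in LOCKER_FIELDS]
    if action == "Delete locker":    # delete: only the "Old value" column
        return [{"field": f, "old": old.get(f)} for f in LOCKER_FIELDS]
    if action == "Update locker":    # edit: modified fields only, old and new
        return [{"field": f, "old": old.get(f), "new": new.get(f)}
                for f in LOCKER_FIELDS
                if _norm(old.get(f)) != _norm(new.get(f))]
    raise ValueError(f"unknown action: {action!r}")


def audit_entry(action, locker, user, device, old=None, new=None,
                error=None, when=None):
    """Build one audit record: Audit log page columns plus the Details rows."""
    when = when or datetime.now(timezone.utc)
    return {
        "Status": "Unsuccessful" if error else "Successful",
        "Time": when.isoformat(),
        "Action": action,
        "Object name": locker,
        "Action taken by": user,
        "Device": device,
        "Source": "Product",
        "Results": error,  # exact error message when the action failed
        # Assumption: a failed action changed nothing, so it has no rows.
        "Details": [] if error else detail_rows(action, old, new),
    }


# Constructed snapshots matching the page's "Old value" / "New value" columns.
OLD = {
    "Locker Name": "Finlocker", "Description": "Finlocker",
    "Locker Owners": ["John"], "Locker Managers": [],
    "Locker Participants": [], "Locker Consumers": ["Role1"],
    "Number of Credentials": 2,
}
NEW = {
    "Locker Name": "Finance Locker", "Description": "Finance Locker",
    "Locker Owners": ["Mike"], "Locker Managers": ["John"],
    "Locker Participants": ["Mark", "Amy", "Jason"],
    "Locker Consumers": ["Role1", "Role2"],
    "Number of Credentials": 4,
}

if __name__ == "__main__":
    entry = audit_entry("Update locker", "Finance Locker", "user_a", "host-01",
                        old=OLD, new=NEW)
    for row in entry["Details"]:
        print(row)
```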
Security
Only authorized users will be allowed to view ALL the audit entries and their details.
- If you have the "Manage my lockers" permission, you can view the Audit log for Create, Edit or Delete of your lockers.
- If you have the "Administer All lockers" permission, you can view the Audit log for Create, Edit, or Delete of ALL lockers.
Create my own locker
- Audience & purpose
This applies to Product Experts who need to create and share their own lockers. As a Product Expert you must be able to:
- Create your own locker and use it to group credentials pertaining to a specific department or role.
- Share the locker with others so they can also participate to create their specific credentials or use the common credentials.
Workflow 1
Use the following steps to create Workflow 1.
- Open the All Credentials page.
- Select a credential.
- Select the Locker drop-down list and click Create Locker to open the Create New Locker wizard.
- "Create Locker" is permission based. A user with the View and Manage my Lockers permission can create lockers.
Workflow 2
Use the following steps to create Workflow 2.
- Access an existing locker.
- Click the top-right Create New Locker icon to open the Create new locker wizard.
Create new locker wizard page
General information
You can fill in the name and description of the Locker.
- Lockers:
- Name field: Must be unique, contain a maximum 50 characters, case insensitive, and cannot include special characters such as: ( )\ / " ' [ ] : | < > + = ; , ? * @ `
- Description field: Contains a maximum of 255 characters.
- Except for "Description", all other fields are mandatory. A locker must have at least one role and one owner.
Locker usage access
A locker owner can grant/revoke a role "Usage access" to the locker.
- If access is revoked, the following warning message will be displayed:
The selected role will be revoked Usage access to this locker. Are you sure? OK Cancel
- Click "OK" to remove Role access.
- Default roles will not be listed and will not be granted Usage access.
- The "Roles Management" permission for a Locker Owner is not mandatory to assign roles a usage access permission.
Locker access
A Locker Owner can grant/revoke other users owner access if he/she has the Share Locker permission.
- If access is revoked, the following warning message will be displayed:
The selected user will be revoked access to this locker. Are you sure? OK Cancel
- Click "OK" to remove User access.
- By default, the creator of the locker will be set as the owner of the locker.
- They cannot be set as a participant of the locker he/she owns.
Credential Vault insight: Locker dashboard in Product
- Audience & purpose
As a Locker Admin you want to get a quick insight of each locker and credential access/usage by means of a visual dashboard in Credential Vault. This will enable you to:
- Analyze and identify what is the percentage utilization of each locker.
- See which credential is accessed the most Robot-wise.
- See which credentials are good or bad and which credentials are failing the most.
Insight tab view
For each locker created in Credential Vault, an "Insight" tab will be displayed as shown in the following screenshot.
- The Insight tab will display a dashboard with following widgets (as per the screenshot):
- Percentage (%) utilization of the locker.
- Most accessed credential.
- Credential Classification: Incomplete, Good, or Bad.
- Credential failure.
- Each widget will show real-time data for all credentials within the locker.
Widget 1: Percentage utilization of locker
This chart will provide an insight on the percentage (%) utilization of the locker with respect to the credential access (usage) within the locker by each Robot.
- The chart will display all the Robots with their respective percentage (%) utilization of the locker.
- A tabular data table will display a list of all Robots accessing the locker with their respective access count for each user.
- The top user for each Robot will be listed first, and then other users in the descending order of their access count.
Widget 2: Most accessed credential
A tabular data table will display the credential within the locker that is accessed the most by respective Robots.
- It will display the total access count for each Robot in descending order.
Widget 3: Credentials classification
This chart will provide an insight into classifying all credentials within a locker as Incomplete, Bad, or Good.
- An "Incomplete" credential is one in which some users have not specified their values for user-specific credentials.
- A "Bad" credential is one in which the values of that credential are found to be invalid.
- A "Good" credential is one in which the values of that credential are found valid.
- It will display the total number of credentials count under each category.
- Clicking the category will drill down and show a list of all such credentials that fall in that category.
Widget 4: Credentials failure
This chart will provide an insight into the list of all credentials that are failing due to invalid or incorrect values.
- From the chart it will be possible to identify which credential fails the most.
Validations
The Insight tab will be displayed only to Locker Owners or Locker Admins.
- Each of the charts will display values as per the current status of the credentials being accessed within a locker.
- If there is no data to be displayed, then the chart and table will be shown as blank.
- Only Robot runners will be considered for counting the credential access.
Security
Only authorized users:
- Locker Owners or Admins: will be allowed to see the dashboards.
- Credential consumers: will be allowed to log the count for their credential access.
Notes: Audit log
The credential access will be validated across all of the 17 commands of the Product Client that provide support for "Credential Variables".
- For each Robot that accesses a credential within a locker, the respective count will be logged in Product.
- For each credential failure within a locker that is accessed by a Robot, the respective count will be logged in Product as: "Bad Credential".
- For each credential success within a locker that is accessed by a Robot, the respective count will be logged in Product as: "Good Credential".
Delete my own locker
- Audience & purpose
This applies to Locker Owners and Locker Admins wanting to delete a locker. As a Locker Owner you must be able to delete a locker that you own so that you do not have to:
- Manage redundant lockers.
- Manage lockers which are not in use.
Workflow
Use the following steps to delete a locker.
- Select a locker and click the "Delete" icon.
- If you are a Locker Owner or Locker Admin you will be allowed to delete a locker.
- On deleting, a confirmation message will be provided:
Are you sure you want to delete the selected locker? Yes No
- On confirmation (Yes), the locker and any user-specific values associated with the credential(s) in the locker must be deleted.
- A credential belonging to the deleted locker will be set to "Unassigned" and its status set as "Incomplete" after the locker's deletion.
- If you do not have the "Delete locker" permission, then on clicking "Save changes" the following error message will be displayed.
- The "Confirm delete" pop-up will close and you will see the "My Lockers" landing page.
- The "Delete" action will be removed from the "Actions" column.

| Type | Reason | Message |
|---|---|---|
| Error | Permission not granted or revoked. | You do not have permission to delete lockers. To delete an existing locker, please contact the system administrator. |

- If the locker to be deleted is already deleted by some other user, then the following error message will be displayed.

| Type | Reason | Message |
|---|---|---|
| Error | Locker does not exist. | <name of object> wasn't found. It may have been renamed or deleted. To continue, please contact your system administrator. |

- Important note: The credential is not deleted from the system.
- Only the user-specific values associated with the credential via that locker's access are deleted.
Edit my own locker
- Audience & purpose
- As a Locker Owner you must be able to edit a locker that you own.
Edit a locker name and description
If you are a Locker Owner, you will be allowed to edit a locker.
- Select a locker and click the "Edit" icon.
- The "Description" field is optional, however you can edit it whenever required.
- The "Name" field is mandatory and it can be changed at any point in time.
- See the following screenshot.
Validation
Note:
- Ensure the "locker name" does not exceed 50 characters.
- Ensure the "locker description" does not exceed 255 characters.
- If you do not have the "Edit locker" permission, then when clicking "Save changes" the following error message will be displayed.
- The "Edit" action will be removed from the "Actions" column.

| Type | Reason | Message |
|---|---|---|
| Error | Permission not granted or revoked. | You do not have permission to edit lockers. To edit an existing locker, please contact the system administrator. |

- For a "duplicate" locker name, the error message will be:
This locker already exists. To continue, please edit the locker with different locker name.
Security
Only an authorized user will be allowed to edit the locker.
Grant a role usage access to a locker
- Audience & purpose
As a Locker Owner you must be able to grant a role "Usage Access" to your locker so that any user who belongs to that role can:
- Use the credentials in that locker.
- Enter their user-specific values for the non-common attributes for those credentials (that are marked user-specific).
Role access
Users can get access to locker content only via their role.
Workflow
The Locker Owner has to give a role "Usage Access" to the locker, and all users in that role will get access to the locker's content.
- Login as Jack.
- Create a user-specific credential called "FTP" with attributes:
- Hostname: Mark it as "common" attribute. The Hostname assigned value is "www.aaftp.com".
- Username: NOT marked as a common attribute.
- Password: NOT marked as a common attribute.
- Create a locker. For example: "FinanceLocker".
- Add the FTP credential to the FinanceLocker.
- Create a role. For example: "FinRole".
- Add users "Nicole" and "Paul" to the FinRole.
- Select FinanceLocker and assign FinRole to it.
- Now Nicole and Paul have access to the FinanceLocker locker via the FinRole role.
- Users Nicole and Paul receive an email and Product notification to enter their user-specific credentials for the FTP credentials.
- Nicole logs in to the Product portal, selects the FinanceLocker locker, and enters her value for the FTP Username and Password.
- Note: She cannot enter a value for the "Hostname" as it was marked "common" and assigned as www.aaftp.com by Jack.
- Paul logs in to the Product portal, selects the FinanceLocker locker, enters his value for the FTP Username and Password, and saves it.
- Note: He cannot enter a value for the "Hostname" as it was marked "common" and assigned as www.aaftp.com by Jack.
Note: Even Jack, the Locker's Owner, will not have "Usage Access" to the locker's content until he is part of the FinRole that has the Usage Access permission associated to and on that locker.
Validation
If a role is given a Usage Access permission to a locker, the users associated with that role will get an email and a Product notification to enter their user-specific credential.
Locker Admin privileges
- Audience & purpose
This applies to users with the Locker Admin role who will:
- Manage all lockers.
- Mitigate the risk of locker ownership when the Locker Owner is not available.
- Product must support the "Locker Admin" roles so that specific users with Locker Admin role can monitor and maintain all lockers in the system.
In the event a Locker Owner leaves the company, the user in this Locker Admin role can:
- Transfer the ownership of a credential from one user to another.
- Add a new owner to the locker.
- For further reference, see Roles: Locker Admin role
Locker Admin: Permissions
The Locker Admin role:
- Can view all lockers in the Credential Vault.
- Cannot see the contents of the locker: Credential details, Usage tab.
- A Locker Admin can:
- Can edit the locker (a locker they do not own, manage, participate, or are a consumer of).
- Can add a new owner to the locker.
- Can revoke a user owner permission to the locker (participant).
- Can revoke an owner's share permission on an owner's locker (manager).
- Can remove a credential (cannot add a credential) from the locker.
- Can edit the name and description of the locker.
- A Locker Admin can create, manage, participate, or consume a locker. For this locker, their permissions are the same as a normal user.
- A Locker Admin can:
- Can import or export lockers.
- Can delete a locker.
- Can transfer a credential's ownership.
- Cannot delete the credentials that they do not own.
- Cannot add/update/remove himself as a locker member.
See the following screenshots.
Locker member (participant): Permissions/grant
- Audience & purpose
- This applies to Product participant users with the "Access" permission. This is used to perform certain actions on the locker and its content based on the "Access" permission (participant) so that credentials are secured from malicious access.
- This is also used to provide "RBAC (Role-based Access Control)" to lockers.
Permissions
As a locker participant you can perform following actions:
- Add my credentials to the locker shared with me.
- You cannot share a shared locker.
- You cannot delete a locker that is shared with you.
- You cannot add other user credentials to the locker shared with you.
- You cannot remove other user credentials from the locker that was shared with you.
- If you added your credential to the locker that was shared with you, you cannot remove it. Only the Locker Owner can remove it.
- As a participant, if you added your credential to another locker, you cannot delete your credential until it is removed from that locker by that Locker's Owner.
Audit logging
Granting access to a user must be audit-logged and then displayed with the following message:
User "X" is granted Participant permission on Locker X by User Y on timestamp.
Locker owner permission/grant
- Audience & purpose
- This applies to Locker Owners using "Role-based Access Control (RBAC)". As a user you must be able to perform certain actions on the locker and its content based on the "Access" permission (owner) so that credentials are secured from malicious access.
Permissions
A Locker Owner will be able to perform the following actions:
- Share a locker if you have the "Share" permission:
- Add one or more users as owners or participants.
- Add credentials to a locker:
- From the "All Credential" page, select a credential to add to a locker, or
- Select a locker and add a credential from the displayed list.
- Cannot add another user's credentials to their locker.
- Remove credentials from a locker:
- Select the owned locker, then select a credential and click the "Remove" icon.
- Remove another user's (participant) credentials from my locker:
- Select an owned locker, then select a credential and click the "Remove" icon.
- Delete a locker:
- Select a locker and click the "Delete" icon.
- An owner of the locker cannot be granted "participant" access for the same locker.
Grant owner permission
Use the following steps to grant the owner permission.
- Edit the locker where you have "Owner" access (the creator of the locker becomes its natural owner).
- Grant other users "Owner" access to the locker.
Audit logging
Granting access to a user must be audit-logged as shown in this message:
User X granted owner permission on Locker X by User Y on timestamp.
Note:
A credential can only belong to one locker at a time.
My locker view
- Audience & purpose
- As a Product user you want to view your lockers and the credentials contained within them.
Creating a credential
When you create a new credential the "All Credentials" page will display the new credential entry in the order of it being created (i.e., the newest on top).
- For a newly created credential, the table columns will be set with following values: "Status: Incomplete" (this is the default).
- Credential name: <name of credential created>.
- Owner: <name of the credential creator>.
- Locker name: Unassigned (default).
- Credential type: "User specific" or "Common" based on whether the credential has user-specific values or not.
Editing a credential
When you edit a selected credential, the entry in the "All Credentials" page will be updated based on the changes made.
On transferring the owner, the "Owner" column will be updated to the newly assigned owner.
Deleting a credential
When you delete a selected credential, the entry in the "All Credentials" page will be removed.
Assign/Reassign/Unassign a locker
- When you create a new locker, the "Locker Name" drop-down will list all of the lockers that are created.
- When selecting a new locker, the "Locker Name" column will be set to the name of the locker.
- A credential can only be assigned to one locker at a time. For example, the MyFTP credential CANNOT be added to Locker 1 and to Locker 2. It can only be added to Locker 1 or Locker 2.
- When reassigning a credential to a different locker, the "Locker Name" will be updated.
- When deleting a locker, the "Locker Name" will be set to "Unassigned".
- If a credential is assigned to a shared locker, and if you want to reassign it to another locker, then a message when clicking the locker name will appear:
"You have to contact the owner of current locker to remove your credential first, before you can change to another locker."
Credentials view
The "All Credentials" view will display the following credentials to you:
- Credentials that are created by you.
- Credentials to which you have consumer access.
- Credentials whose ownership has been transferred to you.
- Note: The previous credential owner will not see the credentials.
- If a consumer tries to edit or delete a credential from the "All Credential" view then they should be restricted by showing the following error message. See the following data table.

| Type | Reason | Message | Buttons |
|---|---|---|---|
| Error | Consumer cannot delete a credential which he does not own. | You cannot delete this credential as a consumer, please contact the credential owner. | Okay |
| Error | Consumer cannot edit a credential which he does not own. | You cannot edit this credential as a consumer, please contact the credential owner. | Okay |

Lockers view
The following lockers will be displayed to you.
- Lockers created by you.
- Lockers for which you are co-owner or participant.
- Lockers for which you have consumer access.
Within a locker, a locker owner or co-owner can see all of its credentials.
Within a locker, you as a locker participant can see the credentials that you have added to the locker.
- For this locker, you as the participant cannot see the "Permissions" and "Details" tab, but for your credential you can see the "General" and "Users" tabs.
Within a locker, you as a locker consumer can see all the credentials - both common and user-specific.
- You can edit the user-specific attributes value.
- For this locker, you as the consumer can see the "Credentials" tab but not "Permission" and "Details" tabs.
- For the credentials, you as the consumer can see the "General" tab but not the "Users" tab.
The following data table highlights the Locker & Credential View.

| Locker User | Credential tab | Permissions tab | Details tab |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Participant | Yes | No | No |
| Consumer | Yes | No | No |

| Locker User | Credential list | General tab | Users tab |
|---|---|---|---|
| Owner | All | Yes | Yes |
| Participant | Only a credential added by him. | Yes | Yes, only for his credential. |
| Consumer | All | Yes | No |

User tab view
The "Users" tab will display all users corresponding to the consumer roles that are added to the locker.
- The users list will be sorted on the Status column (descending) and grouped by "Roles" & "Username".
- This means that all users with "Incomplete" status are listed first.
- If a user belongs to multiple roles then there will be a single entry for that user.
- However, the "Rolename" will display a comma separated list of roles to which the user belongs.
- If an Owner or Participant is also a Consumer of a locker, then that user will also be listed in the "Users" list.
- A user will be able to sort on individual columns.
- For a common credential, the "Users" tab will not be displayed.
Revoke owner or participant permission on a locker
- Audience & purpose
- This applies to Locker Owners and is used to select a user that has the "Access" permission to the locker and to revoke their "Participant" or "Owner" permission for security purposes.
Revoking locker permissions
Use the following guidelines to revoke locker permissions.
- The Locker Owner cannot self-revoke his permission.
- The Locker Owner can revoke another Owner's "Access" to the locker.
- The Locker Owner cannot revoke a user's "Participant" or "Owner" permission on a locker unless he removes the credential added by the Participant or Owner in context.
- If the Locker Owner tries to revoke a user's Owner or Participant permission on a locker when that user's credential is in the locker, the following message will be displayed:
Cannot revoke <user>'s Owner or Participant permission. Please remove their credential(s) from the locker <lockername> and try again. OK
- If a Locker Owner is changed to a participant or vice versa, then the credential check is not required.
Workflow
Edit a locker and revoke the Owner/Participant permission for a user. See the following screenshot.
Audit logging
The "Revoke" action must be audit-logged and the following message displayed:
<User X> has revoked <User Y> access to Locker on timestamp.
Revoke role usage access to a locker
- Audience & purpose
- A Locker Owner must be able to revoke role "Usage Access" to a locker for security reasons. This ensures that users who are assigned to that revoked role will not get access to the locker's content.
Objective
Edit a locker and remove locker access to a role.
Procedure
As a Locker Owner, use the following steps to remove locker access to a role.
- Select a locker.
- Revoke a role's "Usage Access" permission to the locker.
- Users assigned to that role will not be able to access the locker.
- All user-specific credential values entered by the users in that role will be deleted.
- Note:
- The credential as such is not deleted, only the user-specific entered credential values will be deleted.
- If the credential "Owner" goes to their "All Credential" page, they will still find their credential listed.
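The role-based usage access described in "Grant a role usage access to a locker" and its revocation described above, modelled as an added example (not the product's code). The `Vault` and `Credential` classes and their method names are hypothetical, and the username and password values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    name: str
    owner: str
    common: dict            # attribute -> value fixed by the credential owner
    user_specific: tuple    # attributes every consumer fills in for themselves
    user_values: dict = field(default_factory=dict)  # user -> {attribute: value}


class Vault:
    def __init__(self):
        self.roles = {}        # role -> set of users
        self.usage_roles = {}  # locker -> roles granted Usage Access
        self.lockers = {}      # locker -> {credential name: Credential}
        self.notified = []     # users asked to enter their values

    def consumers(self, locker):
        """Users who reach the locker's content, which is only ever via a role."""
        users = set()
        for role in self.usage_roles.get(locker, ()):
            users |= self.roles.get(role, set())
        return users

    def grant_usage(self, locker, role):
        self.usage_roles.setdefault(locker, set()).add(role)
        self.notified.extend(sorted(self.roles.get(role, ())))

    def revoke_usage(self, locker, role):
        """Drop the role and the values its users entered; credentials stay."""
        self.usage_roles.get(locker, set()).discard(role)
        for cred in self.lockers.get(locker, {}).values():
            for user in self.roles.get(role, ()):
                cred.user_values.pop(user, None)

    def _credential(self, user, locker, name):
        # Ownership of the locker or credential grants nothing here.
        if user not in self.consumers(locker):
            raise PermissionError(f"{user} has no Usage Access to {locker}")
        return self.lockers[locker][name]

    def set_value(self, user, locker, name, attribute, value):
        cred = self._credential(user, locker, name)
        if attribute in cred.common:
            raise PermissionError(f"{attribute} is common and set by {cred.owner}")
        if attribute not in cred.user_specific:
            raise KeyError(attribute)
        cred.user_values.setdefault(user, {})[attribute] = value

    def resolve(self, user, locker, name):
        """The attribute set this user would receive for the credential."""
        cred = self._credential(user, locker, name)
        return {**cred.common, **cred.user_values.get(user, {})}

    def is_incomplete(self, locker, name):
        """True while any consumer still lacks a user-specific value."""
        cred = self.lockers[locker][name]
        return any(attr not in cred.user_values.get(user, {})
                   for user in self.consumers(locker)
                   for attr in cred.user_specific)


def build_workflow():
    """The page's workflow: Jack, FTP, FinanceLocker, FinRole, Nicole, Paul."""
    vault = Vault()
    ftp = Credential("FTP", "Jack", {"Hostname": "www.aaftp.com"},
                     ("Username", "Password"))
    vault.lockers["FinanceLocker"] = {"FTP": ftp}
    vault.roles["FinRole"] = {"Nicole", "Paul"}
    vault.grant_usage("FinanceLocker", "FinRole")
    return vault


if __name__ == "__main__":
    v = build_workflow()
    v.set_value("Nicole", "FinanceLocker", "FTP", "Username", "nicole-ftp")
    v.set_value("Nicole", "FinanceLocker", "FTP", "Password", "constructed-value-1")
    print(v.resolve("Nicole", "FinanceLocker", "FTP"))
    print("incomplete:", v.is_incomplete("FinanceLocker", "FTP"))
```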
Share locker
- Audience & purpose
This applies to Locker Owners who need to secure locker access. As a Locker Owner you must be able to:
- Share your locker with other users, but only if you have the "Share" privilege.
- Prevent locker access ending up in the hands of malicious users.
Share locker permission
Use the following guidelines to establish the sharing of lockers.
- The "Creator of a Locker" by default has the "Share Locker" permission. There is no role-level permission for "Share Locker".
- The "Creator of a Locker" is the owner of the locker.
- The "Locker Admin" can grant or revoke the "Share Locker" permission from the Locker Owner.
- The "Locker Owner" can share their locker with other users if they have:
- The Share Locker permission, i.e., add other users as Owner (co-owner).
- Add other users as Participants.
- The Locker Owner can grant or revoke other Owners a "Share Locker" permission provided they have the Share Locker permission.
- The "Participant" of a locker cannot share the locker to another user.
- Any owner can remove another owner from the locker (at any given time there should at least be one owner).
- If Owner A (who DOESN'T have the "Share Locker" permission on Locker A) removes Owner B (who HAS the "Share Locker" permission on Locker A), then Owner A cannot share the locker until the "Locker Admin" gives the Share Locker permission to Owner A.
Share locker column
See the "Share Locker" column (bordered in red) as displayed in the following Locker Membership table screenshot.

| Username | Ownership | Share locker |
|---|---|---|
| A | Owner | Yes |
| B | Co-owner | No |
| C | Participant | No |

Note: If User "A" grants the Share Locker permission to user "B", then the column above will show Yes for User "B".
- The Share Locker column will be disabled for all Users except for Locker Admins and Locker Owners having the Share Locker permission.
- It will display a "tick mark" for Owner and Co-owner if they have the "Share Locker" permission.
- For a Participant, the checkbox will not be displayed.
- The "Add" and "Add All" buttons will be enabled for the Owner or Co-owner having the Share Locker permission.
- For a Participant, these buttons are disabled.
Revoke share locker permission
A Locker Admin or Locker Owner having the "Share Locker" permission can revoke the Share Locker permission by editing the locker.
- The "Share Locker" column in the Locker Membership table is enabled for these users (see the preceding screenshot).
- The Locker Admin or Owner can select any Co-owner and uncheck the "Share Locker" column.
- This is not applicable to a Participant.
- A Locker Owner cannot add any other user as an Owner or Participant to the locker once the permission is revoked.
- The Add and Add All buttons are disabled.
- A Locker Owner having the Share Locker permission cannot remove this permission for themselves.
Remove owner
Any Owner can remove another Owner from the locker unless there is a single owner for the locker.
Credential usage after revoking the "Share Locker" permission
If the Co-owner or Participant had added some credentials to the locker prior to the revoking of the Share Locker permission, then these credentials will remain for "Usage-access" to the consumer roles unless the Owner decides to delete them.
- The Owner or Co-owner will continue to exhibit their role as a Locker Owner.
Product Admin cannot share locker
The Product Admin role should not have access to this share permission.
- For security reasons a Product Admin cannot share lockers.
- There is a separate role called Locker Admin to manage all lockers in the system.
Audit entry
An Audit entry will be logged when a Locker Admin grants or revokes the Share Locker permission to/from the Locker Owner.
Email notification
An email will be sent to the Locker Owner or Co-owner whenever the Locker Admin grants or revokes the Share Locker permission (if SMTP is enabled).
Use cases
Assumptions:
- There are two lockers: "LOCKER A" and "LOCKER B".
- User "John" is Creator and Owner of "LOCKER A", and just an Owner of "LOCKER B".
- User "Jack" is a Participant of "LOCKER A", and just an Owner of "LOCKER B".
- Scenario 1 (no change to permissions)
- Locker A
- John can share his locker "LOCKER A".
- John is the Creator of "LOCKER A", and it comes with the default Share Locker permission.
- Jack cannot share "LOCKER A".
- He is a Participant on "LOCKER A", not an Owner.
- Locker B
- John cannot share his locker "LOCKER B".
- John is Owner of "LOCKER B" but does not have the Share permission unless someone provides it to him.
- Jack cannot share his locker "LOCKER B".
- Jack is the Owner of "LOCKER B", but does not have Share permission unless someone provides it to him.
- The Share permission can be provided by a Locker Admin or an Owner with the Share Locker permission.
- Scenario 2 (The Locker Admin revokes John's "Share Locker" permission on "Locker A").
- Locker A
- John CANNOT share his Locker "LOCKER A".
- John is the Owner of "LOCKER A", but he does not have the Share Locker permission.
- Jack cannot share "LOCKER A" by design.
- Jack is a Participant on LOCKER A - not the Owner.
- Locker B
- Jack CANNOT share his locker "LOCKER B"
- Jack is the owner of "LOCKER B", but does not have the Share Locker permission unless someone provides it to him.
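The Share Locker rules and the two scenarios above, together with the credential check from "Revoke owner or participant permission on a locker", as an added model (not the product's code). The `Locker` class and its methods are hypothetical, "Mary" is a constructed creator of LOCKER B (the page does not name one), and "Admin" stands for a user holding the Locker Admin role.

```python
class LockerError(Exception):
    """Raised when a membership rule from the page is violated."""


class Locker:
    def __init__(self, name, creator):
        self.name = name
        # user -> {"kind": "owner" | "participant", "share": bool}
        # The creator is the owner and holds Share Locker by default.
        self.members = {creator: {"kind": "owner", "share": True}}
        self.credentials = {}  # credential name -> user who added it

    def owners(self):
        return [u for u, m in self.members.items() if m["kind"] == "owner"]

    def can_share(self, user):
        m = self.members.get(user)
        return m is not None and m["kind"] == "owner" and m["share"]

    def add_member(self, actor, user, kind):
        """An owner holding Share Locker adds an owner or a participant."""
        if kind not in ("owner", "participant"):
            raise ValueError(kind)
        if not self.can_share(actor):
            raise LockerError(f"{actor} cannot share {self.name}")
        if user in self.members:
            # Also covers: an owner cannot be a participant of the same locker.
            raise LockerError(f"{user} is already a member of {self.name}")
        self.members[user] = {"kind": kind, "share": False}

    def set_share(self, actor, user, value, actor_is_locker_admin=False):
        """Grant or revoke Share Locker on an owner."""
        if user not in self.owners():
            raise LockerError("Share Locker applies to owners only")
        if not (actor_is_locker_admin or self.can_share(actor)):
            raise LockerError(f"{actor} cannot change Share Locker on {self.name}")
        if actor == user and not value:
            raise LockerError("an owner cannot remove their own Share Locker")
        self.members[user]["share"] = value

    def add_credential(self, user, credential):
        if user not in self.members:
            raise LockerError(f"{user} is not a member of {self.name}")
        self.credentials[credential] = user

    def remove_credential(self, actor, credential):
        if actor not in self.owners():
            raise LockerError("only a Locker Owner can remove a credential")
        del self.credentials[credential]

    def revoke_member(self, actor, user):
        """An owner revokes another member. Because self-revocation is
        refused, at least one owner always remains."""
        if actor not in self.owners():
            raise LockerError(f"{actor} is not an owner of {self.name}")
        if actor == user:
            raise LockerError("a Locker Owner cannot self-revoke")
        if user not in self.members:
            raise LockerError(f"{user} is not a member of {self.name}")
        if user in self.credentials.values():
            raise LockerError(
                f"Cannot revoke {user}'s Owner or Participant permission. "
                f"Please remove their credential(s) from the locker "
                f"{self.name} and try again.")
        del self.members[user]


def build_page_scenario():
    """LOCKER A and LOCKER B as set up in the page's assumptions."""
    a = Locker("LOCKER A", creator="John")
    a.add_member("John", "Jack", "participant")
    b = Locker("LOCKER B", creator="Mary")  # Mary: constructed creator
    b.add_member("Mary", "John", "owner")
    b.add_member("Mary", "Jack", "owner")
    return a, b


if __name__ == "__main__":
    a, b = build_page_scenario()
    for locker in (a, b):
        for user in ("John", "Jack"):
            print(locker.name, user, "can share:", locker.can_share(user))
```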
System locker
- Audience & purpose
This applies to Product Admins to secure application-wide credentials. As a Product Admin you want to have:
- An inbuilt system locker in Product so that credentials which are set or used at application level, Client side or Product side, are managed internally within the system by using this system locker.
- There should not be a need for any specific user to externally manage it.
Create a system locker
Use the following steps to create a system locker.
- When a Product Admin connects to the Credential Vault for the first time, a system locker will be created internally with the following values:
- Name: AAE_SysLocker
- Description: This locker is internal to system and hidden to all Product users.
- Its main purpose is to manage system-defined credentials which will be used at the Application level for both Client and Product.
- All users can access the system locker whenever required.
- The following system credentials should be pre-defined and assigned to the system locker:
- Client-side: AutoLogin settings, Email settings.
- Product-side: SMTP settings, VCS settings.
- The system locker and credentials should be self-owned by default.
- Client-side credentials should be user-specific.
- Product-side credentials should be common.
"All Credentials" view
The system locker and its credentials will NOT be visible in the All Credentials view, even if the current user is an Admin or Locker Admin.
Client-side credentials
Refer to the Client-side system defined credentials topic for Client-side credentials.
- When each Client fills in their Autologin or Email settings:
- The corresponding values will be set in the attributes of the respective system credentials for this user.
- The attribute values will be reset if the settings are removed for this user.
Product-side credentials
Refer to the Mail server configuration topic for Product-side credentials.
- When a Product Admin fills in the SMTP and/or VCS settings:
- The corresponding values will be set in the attributes of the respective system credentials.
- The attribute values will be reset if the settings are removed.
Security
The system locker and system-defined credentials will be secured from unauthorized access.
Credential migration: Migration utility
Note the following information regarding Product data migration from version 10.x to 11.0.
- During the migration of Product data from version 10.x to 11.0, the system-defined credentials will be migrated to the new system locker in Product version 11.0.
- The credentials will be migrated under the name of the user to whom the credentials belong.
System locker with blank attribute values
- Audience & purpose
As a Robot Runner, when you remove your autologin settings from the "Product Client Tools - Options" settings, your credential-attribute value pair set previously will be reset to blank values.
- This is used to allow Clients to clear their autologin or email settings.
Resetting Client Autologin or Email settings
Refer to the "System locker" topic previous to this one for further information.
- When a user from the AE Client removes his Autologin or Email Settings, the respective credential attribute values of the user will be set to blanks.
- The credential attributes value pair that was created and set by the Client user for the first time will not be deleted.
- Setting the attribute value to blank will only be applicable to system-defined credentials.
- For custom defined credentials, the attribute value will be mandatory and cannot be left blank.