Hi everyone,
I have a question regarding PASM. I have users and devices managed through Password Safe, and session delivery is handled by PRA. If I want a user connecting from PRA with credentials injected from Password Safe to provide a reason for connecting, where do I configure this in PS or PRA? Also, if they need an approval workflow, where do I configure that in PS or PRA?
You’d set this up in pra.
The actual checkout in PWS is done by the api which needs an auto-approval policy.
Hi
It Was the integration you created between PRA and PS via ECM Server?
Hi, if it's about integrating PS and PRA with the ECM, the client wants an approval workflow, but I'm not sure whether to implement it from PS or PRA.
Hi
When PRA injects Password Safe credentials through ECM Server integration, all access is based on auto-approval, and the session comment is automatically created by the ECM Server API call.
Hi
When PRA injects Password Safe credentials through ECM Server integration, all access is based on auto-approval, and the session comment is automatically created by the ECM Server API call.
Hi, thank you for your response.
I have a question: is there an option to prevent the approval and feedback process from being automatic?
I'd like to know if the approval workflow can be authorized by another user.
Hi
When PRA injects Password Safe credentials through ECM Server integration, all access is based on auto-approval, and the session comment is automatically created by the ECM Server API call.
Hi
I understand that self-approval is with password safe and PRA saas, my case is on-premises. When I consulted the brand, they told me that the ECM is inside the /appliance PS, so I don't know if it's the same process.
Hi
When PRA injects Password Safe credentials through ECM Server integration, all access is based on auto-approval, and the session comment is automatically created by the ECM Server API call.
Hi, thank you for your response.
I have a question: is there an option to prevent the approval and feedback process from being automatic?
I'd like to know if the approval workflow can be authorized by another user.
Hi
Unfortunately it's not currently possible to create an approval workflow in this integration scenario because when the ECM makes the credential API call, it waits a few seconds for the result. To create an approval workflow in PRA, a jump policy would be needed, which must be applied to a jump group, however the External Jump Group, being for internal PRA use, does not receive a Jump Policy.
Hi
Our friend Pulitros144, in another post, shared a golden tip that makes it possible to access JumpItems with an approval workflow.
With the default integration settings between PRA and PS, it's not possible to apply Jump Policy (approval workflow or time restrictions) because Jump Items are stored in a Jump Group (e.g., External Jump Items) that doesn't allow Jump Policy configuration. Therefore, access is always auto-approved.
To resolve this behavior, simply create a Jump Group (e.g., Jump Group Windows Infra Base), add all Jump Items with the exact Name and Hostname/IP that appear in External Jump Items and apply the appropriate Jump Policy to this Jump Group.
Finally, to prevent users from having an "alternative access path" using External Jump Items, remove the "Allow Search for External Jump Items" option from the PRA settings in Management > Security. This will remove the External Jump Item Group Name (without interfering with PS credential injection), leaving only the Jump Group you created with the Jump Policy.
Best regards.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
