The Imprivata Password Manager
The Imprivata password manager allows users to manage their application passwords from the Imprivata agent menu. Users can use the password manager to handle password problems on their own before calling the help desk. This feature can be disabled for some or all users in user policies under the Single Sign-On tab.
NOTE: The Imprivata password manager is different from the Imprivata Self-Service Password Reset licensed feature:
- The Imprivata password manager allows users to manage their application passwords from the Imprivata agent menu.
- Imprivata Self-Service Password Reset allows users to securely identify themselves to Enterprise Access Management if they have forgotten their primary password or lost an authentication device.

The password manager enables users to:
- Update — Users can update the credentials stored in Enterprise Access Management (EAM) to match those expected by the application. This is useful if the credentials no longer match, such as after an administrator has changed an application password without using EAM. To edit account information, the user opens an edit window as described in Editing Account Credentials. This feature can be disabled for some or all users in user policies under the Single Sign-On tab. It can also be disabled for individual applications in the Security section of the application’s deployment page.
- Reveal password — Users can reveal their application passwords after passing a re-authentication challenge as detailed in Revealing Application Account Passwords.
- Add logon account — Users who have multiple accounts for an application can add additional accounts to listed applications. This is another way to access the Add function (under More Options...) in the multiple accounts window. See Adding Application Accounts.
- Add application — Enterprise Access Management lists the applications for which the user has enrolled credentials. The user may have additional applications that are not yet listed because the Imprivata agent has not yet learned the credentials. Users can wait and let Enterprise Access Management list them normally, or users can manually enter those applications as described in Adding Applications to the List.
Editing Account Credentials
- Users can edit the details for their accounts.
- The content of the edit window depends upon the application profile.
Most of the information here should only be modified under the direction of help desk personnel to resolve specific issues. This feature can be disabled for some or all users in user policies under the Single Sign-On tab. It can also be disabled for individual applications in the Security section of the application’s deployment page.
Revealing Application Account Passwords
Users can reveal their application passwords after a re-authentication challenge. The user is challenged for re-authentication by a primary authentication method allowed for the user.
After passing the re-authentication challenge, the user sees the password revealed in plain text. To protect revealed passwords, the window closes after 30 seconds of user inactivity.
NOTE: Remind users about the risk of revealing a password where it can be seen by others.
This feature can be disabled for some or all users in user policies under the Single Sign-On tab. It can also be disabled for individual applications in the Security section of the application’s deployment page.
Example: Recovering from an Unsuccessful Login Attempt
Users can now recover from login failures even if they can't remember the password. The agent returns to Learning/Capture mode after login failure is detected, but credentials are not deleted so the user can still use the password manager to edit or reveal the password. A login may fail for a number of reasons. When a login fails, the user is notified.
The user also sees the notification in the password manager.
When a login fails, the user can review the credentials for the failed login and edit them if needed, as detailed in Revealing Application Account Passwords.
Rarely, a login may fail due to application issues unrelated to the user. If the user knows the credentials are correct, the user can click Ignore this to restore the previous credentials.
Adding Application Accounts
A user with two or more accounts for the same application is presented with the list of logon accounts to choose from upon opening the application. User accounts are normally added automatically as users authenticate to their application accounts. Users can manually add accounts for single sign-on for applications that are enabled for multiple user accounts.
To add a new account to an application already listed in the Manage Passwords window:
- Click Add logon account.
- Enter account details. For Display Name, give this user account a name of up to 44 alphanumeric characters. This differentiates this account from other accounts you may have for the same application.
- Click OK. The new account is displayed in the list of accounts.
Adding Applications to the List
Before a user can reveal or edit application credential information, the applications must be listed in the Password Manager dialog. The list is pre-populated with applications for which the user has already enrolled credentials. If an application is not yet listed, the user can add any deployed and enabled application.
To manually add a deployed application to the Manage Passwords window:
- Click Add application.
- The Add Application window opens, listing all the applications that are deployed to the user and enabled, but for which the user has not yet enrolled. (Enrolled applications are automatically listed.)
- Select the application to add from the list and click OK.
- Enter account details. For Display Name, give this user account a name of up to 44 alphanumeric characters. This differentiates this account from other accounts you may have for the same application.
- Click OK. The Display Name and credentials are displayed when you select the application name in the list.

Each application can have its own security settings controlling the actions available to users in the password manager. The actions available to users are enabled from each application’s deployment page.
If an application’s deployment settings allow them, then user access to the actions is controlled from the user policies.

Before users can review, edit, and delete application credential information, the applications must be listed in the Manage Passwords dialog. The list is pre-populated with applications for which users have already enrolled credentials.
When a user clicks Manage Passwords, the Manage Passwords window opens. If a user is just starting with Enterprise Access Management, the list may be empty.
With a new Imprivata agent installation, as users log into applications normally, the Imprivata agent learns their credentials for each application. After Enterprise Access Management has learned credentials for each application, they are displayed in the Manage Passwords list, and the credentials can be revealed in the right pane (if the application security settings and the user policy allow it).
- To add a user account to an application already in the list, see Adding Application Accounts.
- To add an unlisted application to the list, see Adding Applications to the List.

The properties information about the application profile comes from the application’s Deployment page.
Available information includes:
- Profile Name — The Profile Name listed near the top of the application profile deployment page. The Profile Name is the same as the Application Name that is entered when the application is profiled, but you can change the Profile Name to something more user-friendly for your users.
- Shared credential domain — Lists the domain name if the application shares credentials with user domain credentials. Shared credentials information is under the Credentials section of the application profile deployment page.
- Credential store — Lists the credential store if the application shares credentials with other applications in an Enterprise Access Management credential store. Shared credentials information is under the Credentials section of the application profile deployment page.
- Multiple accounts — Indicates whether users are allowed to have multiple accounts for this application.
- APG version — Comes from the Profile Created listing under Application Name on the Deployment page.
- Users can reveal credentials — Indicates whether users are allowed to reveal their own credentials for this application. This can be overridden by the user’s User Policy. Before revealing credentials, the user must first pass a re-authentication challenge.
- Password policy — Indicates whether this application is subject to a password policy, and if so, what kind of password policy. Password policies are set at the bottom of the application’s deployment page.
- Edit and delete account — Indicates whether users are allowed to modify or delete their own credentials for each account of this application. This setting is in the Credentials section of the application’s deployment page. It can be overridden by the user’s User Policy.
- Bypass single sign-on — Indicates whether users are allowed to access this application without the use of the Imprivata agent. This setting is in the Credentials section of the application’s deployment page. It can be overridden by the user’s User Policy.