Shared Credentials

Any credential that you own can be shared with other users of the program. In this case, a "user" can be another person who has logged on to the console machine and launched Security Controls, or it can be a user you have created using a REST API request. Sharing a credential enables other users to use the credential without knowing the secure details about the credential. For example, a senior administrator may possess credentials that provide access to a secure area of your organization. The senior administrator can share the credential with one or more junior administrators. This enables the junior administrators to access the required areas and perform their jobs without revealing the password.

All credentials are stored with strong encryption techniques. Only the credential owner and those users the owner has elected to share the credential with are able to decrypt and use the credential.

The credentials are encrypted using NIST recommendations and FIPS 140-2 certified algorithms.

To share a credential, on the Manage Credentials dialog, select the desired credential and then click Share. The Share Credential dialog is displayed.

The credential whose sharing settings are being edited is shown in the title of the dialog.

Field

Description

Enable for background services

If enabled, the credential shown in the dialog title can be used to specify credentials for service components within the program. The credential account must have administrator rights on the console server. The service components within Security Controls that require a shared credential include the following:

Why is it necessary to share a credential with background services? Credentials are encrypted, so you must share a credential so that the service components can access and decrypt it when needed.

Example: If you select Tools > Options > Internet proxy and attempt to assign Service credentials, only credentials that are shared with background services are available for selection. The service must have access to the credential in order to decrypt it.

What are the security implications?

It is recommended that you create a service account to perform background service functions rather than using a domain administrator account. For more information, see Potential Security Implications When Sharing Credentials.

Shared

Indicates if the credential will be shared with the associated user name.

User name

Any user who has previously logged on to the Security Controls console machine will be displayed in this list. Each user is assigned a unique user certificate and an associated private key that enable the user to encrypt and decrypt shared credentials. Any user without a user certificate is not eligible to be assigned a shared credential and will not be displayed in the list.

If the list contains users who are no longer affiliated with this project, you can delete them using the User Manager dialog.

Copy usages to selected users

If enabled, all usages of the credential by the credential owner will be propagated to the selected users. For example, if you share a credential that is being used to schedule console tasks, enabling this check box will automatically update the console scheduler credential assignment for the shared users. You can verify the usage assignments using the View usages button on the Credentials Manager dialog.
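
The model described under User name (each user holds a certificate and private key that let that user decrypt shared credentials) can be sketched as envelope encryption. This is an added example, not Security Controls code: the record layout, the choice of AES-256-GCM and RSA-OAEP, and the names seal, dataKey, share, open and newUser are assumptions made for illustration, and generated key pairs stand in for user certificates.

```javascript
const crypto = require("node:crypto");

// RSA-OAEP options; the label ties a wrapped key to one user name.
const oaep = (key, name) => ({
  key, oaepHash: "sha256", oaepLabel: Buffer.from(name),
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
});

// Hypothetical record: the secret sealed once with AES-256-GCM under a random
// data key, which is wrapped to the owner's public key.
function seal(secret, ownerName, ownerPub) {
  const key = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(secret, "utf8"), c.final()]);
  const wrapped = new Map([[ownerName, crypto.publicEncrypt(oaep(ownerPub, ownerName), key)]]);
  return { nonce, body, tag: c.getAuthTag(), wrapped };
}

// Unwrapping needs an entry for `name` and the private key it was wrapped to.
function dataKey(rec, name, priv) {
  if (!rec.wrapped.has(name)) throw new Error(`credential is not shared with ${name}`);
  return crypto.privateDecrypt(oaep(priv, name), rec.wrapped.get(name));
}

// Sharing re-wraps the data key for one more user; the sealed secret is untouched.
function share(rec, ownerName, ownerPriv, name, pub) {
  rec.wrapped.set(name, crypto.publicEncrypt(oaep(pub, name), dataKey(rec, ownerName, ownerPriv)));
}

// Models the program decrypting the credential on behalf of `name`.
function open(rec, name, priv) {
  const d = crypto.createDecipheriv("aes-256-gcm", dataKey(rec, name, priv), rec.nonce);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.body), d.final()]).toString("utf8");
}

// Constructed demo: generated key pairs stand in for user certificates.
const newUser = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function demo() {
  const owner = newUser(), junior = newUser(), intern = newUser();
  const rec = seal("constructed-password", "owner", owner.publicKey);
  share(rec, "owner", owner.privateKey, "junior", junior.publicKey);
  let internErr = null;
  try { open(rec, "intern", intern.privateKey); } catch (e) { internErr = e.message; }
  return { junior: open(rec, "junior", junior.privateKey), internErr };
}
console.log(demo());
```

In this sketch a user with no entry in the wrapped-key map, or with the wrong private key, cannot recover the data key, which mirrors the statement that only the owner and the users the owner shares with can decrypt the credential.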