Enterprise Random Password Manager: Delegation

Configuring Delegation Rules and Rights

Enterprise Random Password Manager (ERPM) is recognized for restricting access to the powerful privileged account passwords in the IT infrastructure to delegated users only. What you may not realize is how far ERPM can also be configured to control what delegated users do within ERPM itself, ensuring that personnel can only perform actions that are applicable to them.

ERPM administrators can establish access rules governing which identities (users, groups, roles, and accounts) can recover passwords, view systems, elevate account access, access the file vault, or even access the management console itself. A comprehensive list of access rules can be found in the Delegation Rules and Rights section of the ERPM user’s guide.

Delegation Through the Management Console
Delegation is generally performed in the web interface, but did you know there are actually more options available from the management console? Account masks (which filter lists of accounts), self-recovery rules for stored passwords, and time restrictions on when users are allowed to recover passwords can't be configured through the web console.

Access rules within ERPM are another layer of security to protect sensitive, restricted data. Access rules are stored in the ERPM database and referenced when the console starts. So even if a rogue IT administrator starts a console and attempts to connect to the existing database to perform privileged password management operations, that administrator will be prevented from completing any action that has not already been explicitly granted.

To configure the delegation rules through the console, use 'Manage Delegation' from the 'Settings | Manage Web Application' menu.


Contact us today for more information on ERPM role delegation.