diff --git a/docs/passwordsecure/9.3/configuration/_category_.json b/docs/passwordsecure/9.3/configuration/_category_.json
new file mode 100644
index 0000000000..9843cc2a8e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Configuration",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "configuration"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/_category_.json
new file mode 100644
index 0000000000..09f5c3ea34
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "Advanced View",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/_category_.json
new file mode 100644
index 0000000000..32dfd95a1c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Client Module",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "client_module"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/_category_.json
new file mode 100644
index 0000000000..ae7e02e7ab
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Applications",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "applications"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/applications.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/applications.md
new file mode 100644
index 0000000000..8465dc9cdd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/applications.md
@@ -0,0 +1,110 @@
+---
+title: "Applications"
+description: "Applications"
+sidebar_position: 80
+---
+
+# Applications
+
+## What are applications?
+
+Applications can be used to configure automated logins to various systems. Especially when combined
+with various protective mechanisms, the company benefits in terms of security because complex
+passwords are automated and entered in the login masks in concealed form. Various types are
+available, such as Remote Desktop (**RDP**), Secure Shell (**SSH**), general applications (**SSO**)
+and web applications. The Single Sign On Engine offers countless configuration options to enable
+automatic logon to almost any kind of software.
+
+![applications module](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_1-en.webp)
+
+- Automatic logins to websites are covered by the
+ [Autofill Add-on](/docs/passwordsecure/9.3/configuration/autofilladdon/autofill_add-on.md).
+
+## The four types of applications
+
+Netwrix Password Secure varies between four different types of applications: RDP, SSH, SSO and web
+applications.
+
+![new application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_2-en.webp)
+
+In terms of how they are handled, **RDP and SSH** applications can be covered together. Both types
+of application can be (optionally) "embedded" in Netwrix Password Secure. The relevant session then
+opens in its own tab in the [Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md).
+All other forms of automatic logins are summarized in the **SSO applications** and **web
+applications** categories. How exactly these logins are created and used is covered in the next
+section and in the web applications chapter. They include all forms of Windows login masks and also
+applications for websites.
In contrast to RDP and SSH applications, they cannot be started embedded
+in Netwrix Password Secure but are instead opened as usual in their own window. These SSO
+applications need to be defined in advance. In Netwrix Password Secure, this is also described as
+[Learning the applications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/learning_the_applications.md). In contrast,
+RDP and SSH can be both completely defined and also started within Netwrix Password Secure.
+
+## RDP and SSH
+
+A new RDP/SSH application can be created via the ribbon or also the context menu that is accessed
+using the right mouse button. A corresponding form opens in each case where the variables for a
+connection can be defined.
+
+![new application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_3-en.webp)
+
+These variables also correspond precisely to those (using the example of RDP here) that can be
+configured when creating an RDP connection via “mstsc”. Whether the connections should be started in
+a tab, full screen mode or in a window can be defined in the field **"window mode"**.
+
+## Working with RDP and SSH applications
+
+If you have created e.g. an RDP connection, this can now also be directly started via the ribbon.
+The connection to the desired session can be established via the icon **Establish RDP connection**.
+
+![estabish RDP](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_4-en.webp)
+
+Netwrix Password Secure now attempts to log in to the target system with the information available.
+Data that are not saved in the form will be directly requested when opening the session. It is thus
+also possible to only enter the IP address and/or the password after starting the Netwrix Password
+Secure application.
If all data has been retrieved, the RDP session will open in a tab – if so
+defined (Window mode field in the application):
+
+![RDP session](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_5-en.webp)
+
+## Logging in via SSH certificates
+
+It is also possible to complete the authentication process using SSH certificates. For this purpose,
+the certificate is saved as a document in .ppk format. (It may be necessary to firstly approve this
+file ending in the settings). The document is then linked to the record via the footer. The record
+does not need to have a password. However, it is necessary for the record to be linked to a SSH
+application.
+
+## Linking records and applications
+
+The application defines the requirements for the desired connection and also optionally for the
+target system. By linking records with applications, the complete login process can be automated. If
+the record now also supplies the user name and password, all of the information required for the
+login is available. Applications and records are linked via the "Start" tab in the ribbon. If this
+link to a record is established, a 1-click login to the target system is possible.
+
+![linking RDP](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_6-en.webp)
+
+The following example illustrates this process using an RDP connection:
+
+![RDP Connection](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_7-en.webp)
+
+A record can also be linked to multiple target systems in this manner. The user name and record are
+supplied by the record, while all other information necessary for the login is supplied by the
+different applications. In the following example, a record (user name and password) is linked to
+multiple access points.
+
+![multiple access points](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_8-en.webp)
+
+This is generally a very common scenario. Nevertheless, it should be noted that accessing multiple
+servers with one single password is questionable from a security standpoint. It is generally
+recommended that a unique password is issued for every server/access point.
+
+NOTE: It is possible to leave the **IP address** field empty in the application. If an **IP
+address** field exists in the linked record then this address will be used. If there is also no IP
+address in the record, a popup window will appear in which the desired IP address can be entered
+manually.
+
+Alternatively, it is possible to connect several records with one RDP connection. In this way, you
+can combine different users with an RDP connection and register them straightforward.
+
+![connect RDP sessions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_9-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/_category_.json
new file mode 100644
index 0000000000..c7ac80dfd9
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Example Applications",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "example_applications"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/example_applications.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/example_applications.md
new file mode 100644
index 0000000000..80db8b01ba
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/example_applications.md
@@ -0,0 +1,11 @@
+---
+title: "Example Applications"
+description: "Example Applications"
+sidebar_position: 40
+---
+
+# Example Applications
+
+In this section you'll find examples for applications.
+
+- [SAP GUI logon - SSO Application](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/sap_gui_logon_-_sso_application.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/sap_gui_logon_-_sso_application.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/sap_gui_logon_-_sso_application.md
new file mode 100644
index 0000000000..f145ce0241
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/exampleapplications/sap_gui_logon_-_sso_application.md
@@ -0,0 +1,42 @@
+---
+title: "SAP GUI logon - SSO Application"
+description: "SAP GUI logon - SSO Application"
+sidebar_position: 10
+---
+
+# SAP GUI logon - SSO Application
+
+## Fundamental information
+
+Logging into SAP can be achieved via the usage of
+[Start Parameter](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/start_parameter.md). The
+prerequisite here is for the login process to be carried out via the "SAPshortcut". All available
+parameters are listed in the [SAP-Wiki](https://wiki.scn.sap.com/wiki/display/NWTech/SAPshortcut).
+
+Form Firstly, a [Forms](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md) should be created with the required fields. This
+could look like this:
+
+![SAP form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_1-en.webp)
+
+## Record
+
+A corresponding record is then created via the form:
+
+![SAP record](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_2-en.webp)
+
+## Application
+
+A corresponding SSO application now needs to be created.
+
+![SAP Application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_3-en.webp)
+
+## Link
+
+The record now needs to be linked with the application. To do this, open the context menu by right
+clicking on the record. The previously created application can then be selected here via
+**Applications** and **Connect application**.
+
+![link record/application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_4-en.webp)
+
+The link is then displayed in the ribbon. Clicking on the link will now open SAP, whereby the
+parameters for logging in to the application are directly transferred.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/_category_.json
new file mode 100644
index 0000000000..542da12aad
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Learning the applications",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "learning_the_applications"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/learning_the_applications.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/learning_the_applications.md
new file mode 100644
index 0000000000..9acaa59f9e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/learning_the_applications.md
@@ -0,0 +1,89 @@
+---
+title: "Learning the applications"
+description: "Learning the applications"
+sidebar_position: 10
+---
+
+# Learning the applications
+
+## Which applications need to be learned?
+
+As already indicated in the previous section, RDP and SSH applications are completely embedded in
+Netwrix Password Secure. These applications thus do not need to be specially learned. All other
+applications in Windows need to be learned once.
+
+## What does learning mean?
+
+The record contains the user name and password. Learning involves defining the steps required. The
+result is equivalent to a script that defines where precisely the login data should be entered. In
+Netwrix Password Secure, the completed instructions themselves are also known as an "application".
+
+## Relevant rights
+
+The following options are required.
+
+### User right
+
+- Can add new RDP applications
+- Can add new SSH applications
+- Can add new SSO applications
+- Can add new web applications
+
+## Configuration
+
+First, a new SSO application is created via the ribbon.
+
+![new sso application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_1-en.webp)
+
+Various properties for the application can now be defined in the tab that opens. The fields **Window
+title**, **Application** and **Application path** are not manually filled. This is done via the
+**Create application** button in the ribbon:
+
+![new sso application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_2-en.webp)
+
+A crosshair cursor now appears. It enables the actual "mapping" or assignment of the target fields.
+You can see the field assignment for the user name below using a login to an SQL server as an
+example. All of the other fields that should be automatically entered are assigned in the same way.
+The process is always the same.
You select the field that needs to be automatically filled and then
+decide which information should be used to fill it.
+
+![mapping fields](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_3-en.webp)
+
+In parallel to the previous step, all of the already assigned fields will be displayed on the right
+edge of the screen. In this example, the VMware vSphere Client has a total of 4 assigned fields: IP,
+user name, password and clicking the button to subsequently confirm the login.
+
+![connected fields](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_4-en.webp)
+
+NOTE: "Graphical recognition:" The graphical recognition function provides additional protection. It
+can be used to define other factors for the SSO. An area is defined that then serves as the output
+for the comparison (e.g. for login masks with an image). In order to activate the graphical
+recognition function, click on the eye at the top right after assigning the fields! The area that
+will serve as the output point is then marked.
+
+Once you have assigned all of the fields, you can exit the application process using the enter
+button. The fields "Window title", "Application" and "Application path" mentioned at the beginning
+are now automatically filled.
+
+![filled fields](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_5-en.webp)
+
+As you can see, the .exe file is directly referenced. If the application is saved to the same
+storage location for all users, it can then also be accessed by all other users.
+
+## Linking records with applications
+
+In the [Passwords](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md), the newly created application can now be directly
+linked.
To do this, mark the record to be linked and open the "Connect application" menu in the
+"Start" tab via the ribbon. This will open a list of all the available applications. It is now
+possible here to link to the previously created application "VMware".
+
+![connect application with record](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_6-en.webp)
+
+When the link has been established, this application can then be directly started via the ribbon in
+future. Pressing the button directly opens the linked application.
+
+![start application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_7-en.webp)
+
+**CAUTION:** With respect to permissions, applications are subject to the same rules as for
+passwords, roles or documents. It is possible to separately define which group of users is permitted
+to use each application.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/start_parameter.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/start_parameter.md
new file mode 100644
index 0000000000..ee8140d3f6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/learningtheapplications/start_parameter.md
@@ -0,0 +1,77 @@
+---
+title: "Start Parameter"
+description: "Start Parameter"
+sidebar_position: 10
+---
+
+# Start Parameter
+
+## Start parameters for SSO applications⚓︎
+
+Start parameters can be defined when creating or editing an SSO application. These parameters are
+immediately transferred when starting the application. This is done, for example, to directly start
+the program with various basic settings. The corresponding parameters should be requested from the
+manufacturer of the software or taken from the documentation.
+
+## Configuration of the parameters⚓︎
+
+The parameters can be directly entered in the application in the corresponding field. Alternatively,
+a configuration window is also available for this purpose.
+
+![parameters applications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_1-en.webp)
+
+The required elements can be moved here from the right side to the left side by drag & drop.
+
+![edit parameters](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_2-en.webp)
+
+Different categories are available here:
+
+In the **Parameter** category, only the parameter descriptions **Field name** or **Parameter** are
+available. These then need to be manually supplemented. The parameters in the **Field name**
+category can directly address the fields, meaning directly transfer the field names. Example In this
+example, the following start parameter have been defined for the Salamander application:
+
+- **L** (for folder path in the left column)
+- **R** (for folder path in the right column)
+
+For both parameters, the password fields with the names "Left Path" and "Right Path" are then
+transferred in each case.
+
+![enter parameter](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_3-en.webp)
+
+The application is then linked with the following password:
+
+![linked password parameter](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_4-en.webp)
+
+When the Salamander application is started, the placeholder is replaced by the field names.
+Therefore, instead of
+
+**-L `{field:Left Path}` -R `{field:Right Path}`**
+
+the following start parameters are transferred:
+
+**-L "C:\Projekte\" -R "C:\Ablage\Projekte"**
+
+## Placeholder for fields⚓︎
+
+Fields can be added via certain placeholders based on their type or their name. The easiest way to
+do this is using the configuration window described above.
+
+| Field type | Placeholder |
+| ----------------------- | ----------------- |
+| Text | `{Text}` |
+| Password | `{Password}` |
+| Date | `{Date}` |
+| Check | `{Check}` |
+| URL | `{Url}` |
+| Email | `{Email}` |
+| Phone | `{Phone}` |
+| ​List | `{List}` |
+| Header | `{Header}` |
+| Multiline text | ​`{Memo}` |
+| Multiline password text | ​`{PasswordMemo}` |
+| Integer | `{Int}` |
+| Floating-point number | `{Decimal}` |
+| User name | `{UserName}` |
+| ​IP address | `{Ip}` |
+| Enter field name | `{field:name}` |
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/_category_.json
new file mode 100644
index 0000000000..82ef1e3691
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "RDP and SSH Applications",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "rdp_and_ssh_applications"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/rdp_and_ssh_applications.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/rdp_and_ssh_applications.md
new file mode 100644
index 0000000000..b90b6ac47a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/rdp_and_ssh_applications.md
@@ -0,0 +1,49 @@
+---
+title: "RDP and SSH Applications"
+description: "RDP and SSH Applications"
+sidebar_position: 20
+---
+
+# RDP and SSH Applications
+
+**RDP and SSH applications** can be used "embedded" inside Netwrix Password Secure. Starting one of
+those applications opens a new tab inside Netwrix Password Secure.
+
+## Creating RDP and SSH Applications
+
+A new RDP or SSH application can be created via the ribbon or the context menu. The corresponding
+form appears in which you define the variables for a connection.
+
+![new rdp application](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_1-en.webp)
+
+These variables correspond exactly to those that can be configured (here using the RDP example) when
+creating an RDP connection via "mstsc". The window mode defines whether the connection should be
+started in a tab, in full screen mode or in a separate window.
+
+## Working with RDP and SSH Applications
+
+For example, if you have created an RDP application, you can start it directly from the ribbon. With
+the icon "Establish RDP connection" the connection to the desired session will be established.
+
+![establish RDP](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/applications_4-en.webp)
+
+Netwrix Password Secure now tries to log in to the target system with the available information. All
+missing information will be requested directly after the connection is established. It is therefore
+also possible to enter the IP address and/or password after starting the application.
+
+![RDP connection](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_3-en.webp)
+
+## Login via SSH certificates
+
+It is also possible to use SSH-certificates for authentication. For this purpose, the certificate is
+stored as a document in .ppk format.
The document is then linked to the data record via the footer.
+The data record does not have to contain a password, but it must be linked to an SSH application.
+
+NOTE: The file extension may first have to be enabled via the settings.
+
+## Keyboard shortcuts
+
+Netwrix Password Secure supports various
+[Keyboard shortcuts](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/keyboard_shortcuts.md). For
+example transferring user name and password to the corresponding application. However, it should be
+noted that this only works if the application is opened directly from Netwrix Password Secure
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/recording_a_session.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/recording_a_session.md
new file mode 100644
index 0000000000..1813418aab
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/rdpandsshapplications/recording_a_session.md
@@ -0,0 +1,77 @@
+---
+title: "Recording a session"
+description: "Recording a session"
+sidebar_position: 10
+---
+
+# Recording a session
+
+## What is session recording?
+
+Session recording can be used to make a visual recording of RDP and SSH sessions. These recordings
+can then be subsequently viewed and evaluated. In this context, it is also possible to limit this
+functionality so that only the user themselves or an assigned person e.g. security officer can view
+and evaluate these recordings.
+
+![notifications modul](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp)
+
+## Relevant rights
+
+The following options are required to manage sessions for an application.
+
+### User right
+
+- Can manage recordings for an application
+
+NOTE: Please note that session recording uses disk space in the database. Although the way the
+recordings are saved is efficient in terms of resources, the required amount of disk space varies
+greatly depending on the content. The more that is done during the recorded session, the higher the
+disk space usage.
+
+Session recording firstly needs to be activated for the relevant RDP or SSH application before it
+can take place.
+
+RDP
+
+![activating session recording](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_2-en.webp)
+
+SSH
+
+![activating session recording](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_3-en.webp)
+
+If the setting has been activated, the recording will start automatically the next time a connection
+is established.
+
+NOTE: The recordings are already streamed to the server and saved into the database during the
+recording process. Therefore, no recordings are lost even if the connection is terminated.
They are
+immediately saved until the connection is terminated or until the end of the session.
+
+## Viewing the session recordings
+
+If recordings exist for an application, these can be called up and viewed in the Applications
+module.
+
+![viewing session recording](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_4-en.webp)
+
+It is possible to search the session recordings using the filter as usual. It is also possible here
+to limit the search results based on the date and user. In the section on the right, it is also
+possible to further filter the searched list based on all column contents.
+
+![session records](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_5-en.webp)
+
+Once a session recording has been selected, a new tab will open in which you can view the recording.
+The function "Skip inactivity" can be activated via the ribbon so that a recording can be
+effectively and quickly viewed so as only to see the relevant actions.
+
+![viewing a session recording](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_6-en.webp)
+
+When are indicators set?
+
+- Mouse click
+- Keyboard command
+
+## Automatic deletion of old recordings
+
+If desired, recordings can be automatically cleaned up. This option can be configured on the
+**Server Manager**. Further information can be found in the section
+[Managing databases](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md)s.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md
new file mode 100644
index 0000000000..a91528d405
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md 
@@ -0,0 +1,46 @@ +--- +title: "Client Module" +description: "Client Module" +sidebar_position: 20 +--- + +# Client Module + +## What are modules? + +Netwrix Password Secure can be customized according to the needs of the users. This requirement can +be applied by the user, and can also be applied by administrative users. This means that everyone +gets only those functionalities that are necessary for his special work. The amount of features +required by an administrator differs significantly from those of a normal user. The **modular +structure** of Netwrix Password Secure supports this approach by showing only those specific areas +that should actually be used by the respective user. + +![modules](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/client_modules_1-en.webp) + +## Visibility of modules + +The modules are the gateway to various features of version 9. Similarly to the features, not all +modules have to be made available to all user layers. The **Visibility of modules** can be defined +individually within the user rights. + +![user settings](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/client_modules_2-en.webp) + +NOTE: The visibility of modules can always be adapted to the needs of individual user groups + +## Sorting modules + +You can access the “Navigation options” via the three dots found at the bottom right end of the +module displayed in the client. You can also find those modules displayed there that you have +permissions to see in accordance with the visibility settings explained previously but which are +hidden e.g. due to the scaling of the size of the client (Application and Password Reset in the +example). + +![sorting modules](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/client_modules_3-en.webp) + +The navigation options enable you to define the maximum number of visible elements and also how they +are sorted. 
+
+![sorting modules](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/client_modules_4-en.webp)
+
+NOTE: The previously described visibility of the modules is a basic requirement for viewing and
+sorting them in the navigation options
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/_category_.json
new file mode 100644
index 0000000000..9cf6aada7f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Discovery Service",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "discovery_service"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/configuration_1.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/configuration_1.md
new file mode 100644
index 0000000000..47befb4adc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/configuration_1.md
@@ -0,0 +1,109 @@ +--- +title: "Configuration" +description: "Configuration" +sidebar_position: 20 +--- + +# Configuration + +## The Discovery Service module + +When this module is opened in Netwrix Password Secure, **there are no entries displayed in the +Discovery Service** module at the beginning. The entries need to be generated using a +[System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md). + +![discovery service entries](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-1-en.webp) + +Once a **System Task** has been completed, the data discovered during the search is listed in a +table: + +![discovery service entries](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-2-en.webp) + +NOTE: The information can be grouped together using the column editor. + +## Network Scan + +A **Discovery Service Task** is used to add a new [Discovery Service](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovery_service.md) and +is then correspondingly configured for a **Network Scan**. Depending on the configuration of the +**Network Scan**, the following types are discovered: + +- Service accounts +- Active Directory users +- User accounts + +## Configuration of a Discovery Service Task + +To collect data for the **Discovery Service**, the **Discovery Service Task** needs to be +correspondingly configured for a **Network Scan**. + +### General and overview + +The following image shows a newly added **Discovery Service Task**. + +![new discovery task](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-3-en.webp) + +1. Shows information about the **Discovery Service Task**. +2. 
In the **General** section, the name of the **Discovery Service Task** is entered (optionally + with a description). The Status is always set to **Activated** by default but it can also be set + to **Deactivated** in the configuration. +3. The **Overview** shows the activities of the **Discovery Service Task**: Last run: shows the date + it was last run. Next run: shows the date of the next run. + +## Task settings + +Password: + +1. User name field: Type +2. Password field: Type Multiple password field —> field 1. is used. + +This section is used for special entries for the **Discovery Service Task**. After it has been +finished, the **Network Scan** scans the **network** according to these guidelines. + +![task settings](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-4-en.webp) + +1. **Password** and **Computer scan variants**: The required password must already have been issued + and it requires corresponding rights for the domain. Active Directory computer: Only those + computers that are in Active Directory are scanned (there is also the option of using it + individually or pinging the network). Ping network: A network filter for the configuration of the + network is displayed. +2. **Network filter**: This defines the network to be scanned: either using an IP range or an IP + network address. Range: The start IP address and end IP address for the range on the network are + entered here Network: The network address and corresponding subnet mask for the network are + entered here +3. **Domain**: The domain to be used for the **network scan** is entered here. In addition, you can + select that only computers in the entered domain are scanned. A name resolution should work for + this purpose. +4. **Scan configuration**: The Network Scan for the configuration of Active Directory is defined + here. Select from either **Active Directory user of services** or **Active Directory user**. 
The + second section defines the scan configuration for the local computer. Select from either Local + user of services or _Local user_. + +**CAUTION:** The system executing the scan – on which the Server Manager is installed – is not +scanned! + +## Interval / Executing server / Tags + +This section is used to enter information about the start of the task and other additional +information. + +![Interval / Executing server / Tags](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-5-en.webp) + +1. **Interval**: The interval at which the **Discovery Service Task** should be executed is defined + here. The default setting is hourly, one year after adding the **Discovery Service Task**. The + interval can be adjusted in minutes or set to be executed only once (optionally with an end + date). +2. **Executing server (optional)**: Servers with an Server Manager can be entered here that will be + used to execute the Discovery Service Task if the main server crashes. The Discovery Service Task + is then automatically taken over and executed by the accessible servers on the list. The list is + searched from top to bottom to find an accessible server. +3. **Tags**: The use of tags is described in more detail in the section + [Tag manager](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/tag_manager.md). A special tag can be + entered here for the **Discovery Service Task**. + +After the **Discovery Service Task** has been configured, a connection test is performed when the +configuration is saved. The system then indicates whether the configuration is correct or faulty. +Depending on the message, the **Discovery Service Task** may need to be amended. + +**CAUTION:** The **default setting** for the **Discovery Service Task** after it has been saved is +**Activated!** It will **immediately actively** scan the network for data. This data is **read** but +not amended! 
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/converting_entries.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/converting_entries.md
new file mode 100644
index 0000000000..7643e359de
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/converting_entries.md
@@ -0,0 +1,163 @@ +--- +title: "Converting entries" +description: "Converting entries" +sidebar_position: 40 +--- + +# Converting entries + +An important element for the **Discovery Service** is the **Conversion Wizard**. It processes the +discovered **entries** and then creates corresponding **passwords** and **Password Resets**. + +The **Conversion Wizard** is started in the Start ribbon and it is also possible to switch here to +the **System Tasks**. + +![ribbon](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_1-en.webp) + +After the **Discovery Service Task** has been successfully executed, the entries are available in +the **Discovery Service**. Further processing of the entries is then carried out using the +**Conversion Wizard**. For processing in the **Conversion Wizard**, the network is scanned for the +following types: + +1. Discovered type: Service +2. Discovered type: Active Directory user +3. Discovered type: User account + +!! hint Only those **services are recorded** to which at least one **AD user** or **user account** +can be assigned! Only **AD users** and **user accounts** to which **at least one service** can be +assigned are recorded. + +## Execution + +In the **Discovery Service** table, the user selects the entries for which he wants to add a +**Password Reset** or **password**. The user then clicks on the **Conversion Wizard** and the +**Discovery Service Conversion Wizard** opens for further editing. + +![data selection](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_2-en.webp) + +1. A **Discovery Service Task** first needs to be selected. This determines the context in which the + new data will be created (for a new **Password Reset**, the **password for the domain + administrator** for the task will be used as the executing user. 
In addition, only those + **Discovery Service Task entries** that are also discovered by the entered **Discovery Service + Task** will be used for the conversion). +2. The discovered entries will be displayed in this column with the **services** for which the user + has been entered. +3. This column shows the **discovered type** for the entry. +4. This column shows already existing passwords in Netwrix Password Secure that match the discovered + **Active Directory user** or **user account**. It is possible to select here which password can + be used when creating a **Password Reset** (it is then used as the only password linked to the + Password Reset). Alternatively, these passwords can also be newly created. + +NOTE: Logically, **every root node** corresponds to **one user** and all of its associated data +(e.g. services). A **Password Reset** is created later for **every user** and its associated data. + +The following image shows the options **add new password** or retain **existing password**. + +![associated password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_3-en.webp) + +In addition, the **organisational unit** in which the existing password is located is displayed. + +## Settings + +The **Password Reset** is configured in the **Settings Ribbon**. + +![reset setting](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_4-en.webp) + +The **settings** will be described in more detail below: + +1. The organisational unit in which the **Password Reset** should be created is entered here. In + addition, a template for the rights inheritance can be entered here. +2. The **responsible user** for the **password** is entered here. A special tag can be set here. +3. 
Adding a **Password Reset** Option 1: **Do you also want to add a Password Reset?** Adds a + **Password Reset** If **option 1** is not selected, the following options are not displayed. +4. Setting for executing a **Password Reset** Option 2: **(Execute Password Resets immediately after + they are created)** means that the **Password Reset** will be executed as soon as you click on + **Finish**. +5. The **responsible user for the Password Reset** is entered here. +6. Various **triggers for the Password Reset** can be selected here. + +**CAUTION:** After clicking on **Finish**, the **Password Resets** will be **immediately executed** +and the **passwords changed!**. This also applies to **Windows passwords!** + +If option 1: **Do you also want to add a Password Reset?** is not selected, \*steps 4, 5 and 6 are +not displayed for configuration. + +![password reset option](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_5-en.webp) + +NOTE: After clicking on **Finish**, one or more **passwords will be created** but **no corresponding +Password Resets will be created!** + +## Assignment (Active Directory user) + +In the **Assignment (Active Directory user)** Ribbon, the discovered data for the **Discovery +Service entries** is transferred to a password form. + +The following images shows the **Assignment (Active Directory user)** Ribbon + +![Assignment (Active Directory user)](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_6-en.webp) + +### Description + +1. An **Existing form** can be selected or a **New form** with names can be added +2. The **discovered properties** are displayed here +3. 
The **properties** are \*assigned to the form fields here + +### "Existing form" selected + +![Assignment of the form field](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_7-en.webp) + +### Procedure + +1. An **Existing form** is selected here +2. The **assignment** to the fields is carried out here Important assignments are **Type: General** + and **Type: Password Reset**. An amendment can be carried out here + +### "New form" selected + +![New Form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_8-en.webp) + +### Converting Procedure + +1. A name for the **New form** needs to be entered here +2. The discovered entries are **automatically** assigned as standard Important assignments are + **Type: General** and **Type: Password Reset**. An amendment can be carried out here + +### Summary + +A brief overview of the actions that will be carried out with the added configuration is displayed +in the **Summary** Ribbon. These actions will then be carried out if you click on **Finish**. + +![summary](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_9-en.webp) + +## Confirmation prompt + +An important aspect of Netwrix Password Secure V8 is the **security** of passwords on systems. In +the **Discovery Service**, a **security measures** is thus triggered at the **last step** for +creating **Password Resets**. If the option **Execute Password Resets immediately after they are +created** is used in the configuration, the **selected passwords** are immediately changed after +clicking on **Finish**. + +**CAUTION:** **If you are not paying careful attention, this could have inconvenient consequences.** + +**Security level 1:** An **Important note** is displayed in the **Summary** after clicking on +**Finish**. 
+ +**CAUTION:** **Please observe the note and read it through carefully!** + +An **Overview** of which actions will be carried out is displayed for the user together with this +note. The user can then still decide to **Cancel** the process. If you click on **OK**, an +**additional confirmation warning** will be displayed. + +![important note](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_10-en.webp) + +**Security level 2:** + +Another **confirmation prompt** highlights that it is important to understand what you are about to +do. It will no longer be possible to reverse the actions afterwards! + +**CAUTION:** **Last chance to cancel the execution!** + +![securtiy warning](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_11-en.webp) + +After **entering the displayed number** and **confirming with OK**, the process is **executed +immediately** and the **Password Resets** are carried out and the **associated passwords changed**. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/created_passwords.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/created_passwords.md new file mode 100644 index 0000000000..5cb0fb12aa --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/created_passwords.md 
@@ -0,0 +1,40 @@ +--- +title: "Created passwords" +description: "Created passwords" +sidebar_position: 50 +--- + +# Created passwords + +After clicking on **Finish**, the **passwords** and the **Password Resets** (in accordance with the +selected options) are created for the entries. A **password** and a **Password Reset** are explained +in the following example. + +## Password + +![password list](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_1-en.webp) + +1. The name of the created password +2. General data about the password +3. Data about the password created from the form (existing or new) + +## Password Reset + +Another password is created in the **Password Reset module** and is required for an associated +**Password Reset**. + +![password reset list](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_2-en.webp) + +Points 1-7 are described below: + +1. The name of the Password Reset +2. Overview of the password +3. General +4. The data for the trigger are displayed here +5. The scripts for the passwords to be changed are displayed here +6. The associated password that will be reset using the Password Reset +7. The validity is shown here (if one has been entered) + +This data can then be used to create a **Password Reset** for the user for the discovered +**Discovery Service entry**. The **Password Reset** is activated via the corresponding trigger that +has been set. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/deleting_entries.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/deleting_entries.md new file mode 100644 index 0000000000..a05b5d4992 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/deleting_entries.md 
@@ -0,0 +1,51 @@ +--- +title: "Deleting entries" +description: "Deleting entries" +sidebar_position: 60 +--- + +# Deleting entries + +After creating an automatic **Password Reset** via the **Conversion Wizard**, the data is no longer +required and can be deleted. The discovered entries have a **link** to the relevant **Discovery +Service Task** that was executed and can be found and displayed using the filter function. + +## Deletion process + +The discovered data in the **Discovery Service** cannot simply be deleted and removed from the +**Discovery Service entries**. As the entries have a **link to the Discovery Service Task**, it is +necessary to delete the discovered entries via the **Discovery Service Task** that was created. If +entries were discovered using a joint **Discovery Service Task**, it is not possible to simply +delete them. This is the case if two different users have carried out a scan on the same area. If +you delete one of the two **Discovery Service Task**, only the entries that had a single link to +this **Discovery Service Task** will be deleted. The entries for the other **Discovery Service +Task** will be retained and must be deleted via the associated **Discovery Service Task**. You can +find out which **Discovery Service Task** found a particular entry by selecting the entry via the +**Conversion Wizard**. + +![Conversion Wizard.](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries_1-en.webp) + +## Deleting entries by changing the settings in the System Task + +If the IP range for an existing **Discovery Service Task** is changed and the **Discovery Service +Task** is then executed for this new IP range, the previously discovered entries from the previous +executed **Discovery Service Task** will be deleted from the **Discovery Service**. If you want to +carry out a **Discovery Service Task** for a different IP range, you should create a new **Discovery +Service Task**. 
This will prevent any already discovered entries from being deleted. However, if the +existing entries are no longer required, you can delete them by using the same **Discovery Service +Task** with a different IP range. + +1. Task B only scans the IP address: 192.168.150.1 +2. Only the entries for the IP address 192.168.150.1 are discovered +3. Task A is changed and now scans the IP address:192.168.150.2 +4. Result: +5. Only the entries from the IP address 192.168.150.2 are discovered +6. Entries for IP address 192.168.150.1 are deleted +7. Exception: +8. Task B scans the IP address: 192.168.150.1 +9. The same entries for IP address 192.168.150.1 are discovered as for 1. +10. A new scan using Task A with a different IP address 192.168.150.2 will not delete the data from + Task B + +NOTE: The **Password Resets** and **passwords** created using the **Conversion Wizard** are not +deleted when the **Discovery Service Tasks** are deleted. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovered_entries.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovered_entries.md new file mode 100644 index 0000000000..d56f9fb6f3 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovered_entries.md 
@@ -0,0 +1,85 @@ +--- +title: "Discovered entries" +description: "Discovered entries" +sidebar_position: 30 +--- + +# Discovered entries + +The entries for the **Discovery Service** are discovered using a **Discovery Service Task**. It can +take some time for all the data on the systems for the entered IP network to be collected. This can +be easily recognized by the **blue arrow** symbol on the **Discovery Service Task** and a +corresponding message is also shown in the General display. Once the **Discovery Service Task** has +been completed, the data will be shown in the **Discovery Service module**. + +![new discovery service task](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_1-en.webp) + +The **Discovery Service Task** needs to be carefully configured. The configurable sections are +described below. + +1. **Discovery Service Task**: Display of the status: this can be updated in the preview and logbook + using the F5 button. Red hand: Deactivated Blue arrow: Activated and being executed Boxes: + Corresponds to the assigned tag +2. **General**: The latest information about the **Discovery Service Task** is shown here. A + **message** will be shown to indicate an active **Discovery Service Task**. +3. **Overview**: Current data for the **Discovery Service Task** about its progress and subsequent + executions are shown here. +4. **Logbook**: The **logbook** can be found in the **footer** of the **Discovery Service Task**. + The latest activities carried out by the **Discovery Service Task** are shown here. + +NOTE: The **data** is **not kept up-to-date while the task is being executed** and does not always +show the latest status. Therefore, the data should be regularly **updated** using the **F5 button**! + +## Using the Discovery Service entries + +The successful execution of a **Discovery Service Task** is a requirement for the **Discovery +Service entries**. 
The discovered data is listed in table form in the **Discovery Service module** +and can be correspondingly organized using the **Discovery Service System Task** filter. + +![discovery service entries](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_2-en.webp) + +In this section, the **Discovery Service entries** that were discovered by the **Discovery Service +Task** and selected for the **Conversion Wizard** are displayed. + +## Multiple selection of Discovery Service entries + +If multiple entries are selected for a **Password Reset**, a corresponding number of **passwords** +and **Password Resets** need to be added in the **Conversion Wizard**. Depending on the entries +selected (service, Active Directory user, user account), it is necessary to carry out corresponding +**assignments** in the **Conversion Wizard** for the **passwords**. + +![Discovery service conversion wizard ](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_3-en.webp) + +Every line must be connected to a **password** in the end. Therefore, it is necessary to carry out +an assignment process in the **Conversion Wizard** for every entry. + +![Discovery service conversion wizard ](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_4-en.webp) + +For **Active Directory users**, it is possible to assign an existing **password**. + +NOTE: The subsequent process is carried out in the same way as when only one **Discovery Service +entry** is selected. + +## Filter settings + +A good filter is required for processing the discovered data. A **filter that has been adapted for +this purpose** is available for processing the entries in the **Discovery Service module**. 
The +options in the **filter** are described below: + +![Filter for discovered data](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_5-en.webp) + +Description of the **filter with the special options for the Discovery Service entries**: + +1. **Discovered type**: The discovered entries can be filtered here according to their type. +2. **Discovered system is resettable**: Indicates whether a Password Reset can be created from the + discovered data. +3. **Relevance**: Grading the importance of the discovered system. A high relevance means that + multiple services have been discovered for an Active Directory user or user account. Less + important: Exactly one service was found Important: Two to nine services were found Very + important: 10 or more services were found If a Password Reset has already been created, the + relevance is downgraded to less important. +4. **Transferred as password**: Indicates whether a password can be created via the Conversion + Wizard +5. **Transferred as Password Reset**: Indicates whether a Password Reset can be created via the + Conversion Wizard +6. **Discovery service system tasks**: The entries are filtered here based on the System Task. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovery_service.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovery_service.md new file mode 100644 index 0000000000..d9dc37f534 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/discovery_service.md 
@@ -0,0 +1,37 @@ +--- +title: "Discovery Service" +description: "Discovery Service" +sidebar_position: 100 +--- + +# Discovery Service + +## The problem + +**Service accounts** are used on most networks. These accounts are used, for example, to carry out +certain services. It is not uncommon for **one and the same password** to be used here for multiple +accounts. Manually changing these passwords is extremely time consuming. Therefore, this process is +often ignored for reasons of convenience. + +The result is that the same outdated passwords are often used for many **security-critical access +points**. This naturally represents a **severe security risk** and leaves the door wide open for any +attacker who gains access to just one of the passwords! + +## The solution + +Netwrix Password Secure offers the solution to this problem: The security of the network can be +significantly increased using a combination of **Discovery Service** and **Password Reset**. The +complete network can be scanned with the aid of **Discovery Service**. This process searches for +both local user accounts and also Active Directory users. In addition, Password Resets are also +established via which the passwords for the accounts discovered during the search can be reset. + +## Functionality + +The **Discovery Service** process can be split into three logical steps: + +- A **Discovery Service Task** is added that searches for data on the network. This can be executed + once or cyclically and runs in the background. +- After the task has been executed successfully, the data discovered during the search is displayed + in the **Discovery Service module** (e.g. Windows users, services, etc.). +- **Passwords** or **Password Resets** can then be generated from the data discovered during the + search. 
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/logbook_1.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/logbook_1.md
new file mode 100644
index 0000000000..4b3f96ed0d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/logbook_1.md
@@ -0,0 +1,44 @@
+---
+title: "Logbook"
+description: "Logbook"
+sidebar_position: 70
+---
+
+# Logbook
+
+The logbook in the footer of the **Discovery Service Task** is extremely helpful for checking the
+**Discovery Service Task**. Information about the progress of the **Discovery Service Task** is
+displayed here. The data is displayed both in the **footer** and also in the **logbook module**
+(although in more detail here). To display the footer, the user requires the **user right**: Global
+settings in the [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md) in the category:
+"Footer area" - "Show logbook in the footer area (activated)"
+
+## Show in footer
+
+![logbook in footer](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-1-en.webp)
+
+The following **events** are displayed in the **logbook for the footer** and in the **logbook
+module**:
+
+1. New
+2. Change
+3. Execute
+4. Execution completed
+5. Error during execution
+
+If an error occurs during the execution of the **Discovery Service Task**, this is also shown n the
+**logbook for the footer** with **additional information** about the error.
+
+![ logbook for the footer](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-2-en.webp)
+
+## Display in the logbook
+
+In general, the **logbook module** displays more detailed information about the **Discovery Service
+Task**. The [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md) can be used to select which data
+is displayed. The same **events** as for the footer for the **Discovery Service Task** are also used
+here.
+
+![logbook entries](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-3-en.webp)
+
+The column editor can be used to arrange and display the data in the table according to their
+importance.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/requirements.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/requirements.md
new file mode 100644
index 0000000000..bcb85dff67
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/discoveryservice/requirements.md
@@ -0,0 +1,65 @@
+---
+title: "Requirements"
+description: "Requirements"
+sidebar_position: 10
+---
+
+# Requirements
+
+## Relevant rights
+
+The following options are required to use the discovery service:
+
+### User rights
+
+- Show discovery service module
+- Can manage discovery service system tasks
+
+## Discovery Service Requirements
+
+One requirement for the **Discovery Service** is data about **Active Directory users**, **user
+accounts** and **service accounts**. A **Network Scan** is used to scan the network and collect this
+data. Before configuring the **Network Scan**, a password needs to be issued that provides
+**access** to the corresponding **server/client** and **services on a network** for collecting the
+data. This user should be a member of admin for the corresponding group of domains. Otherwise, you
+can use a domain administrator.
+
+**CAUTION:** A corresponding **password** with **rights** for the **domains** must exist before
+adding a **Network Scan**!
+
+### Password
+
+- Required for the **authentication** process with the **Active Directory computer**.
+- Required for the **authentication** process with the **WMI (Windows Management Instrumentation)**
+ on the computer to be scanned.
+
+### Requirements for the network infrastructure
+
+- The computer to be scanned and AD controller must be accessible via the network.
+- The service: “Windows Management Instrumentation” must have been started on the computer to be
+ scanned (carried out by Windows as standard).
+- Help section for starting the service:
+ [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa826517(v=vs.85).aspx)
+- The firewall must not block WMI requests (not blocked as standard).
+- Help section for configuring the firewall:
+ [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa822854(v=vs.85).aspx)
+
+NOTE: Only **IPv4 addresses** can currently be scanned.
+
+### Open ports for the scan (necessary)
+
+LDAP: Port 389(TCP,UDP) RPC/WMI: Port 135(TCP) (Windows Server 2008, Windows Vista and higher
+versions) – port 49152-65535 (TCP) or a static WMI port (Windows 2000, Windows XP and Windows
+Server 2003) – port 1025-5000 (TCP) or a static WMI port
+
+### Computer name (Hostname)
+
+1. IP address: Indicates the IP address for the element discovered during the scan – meaning where
+ it was found (the IP address of the domain controller in the case of an Active Directory user).
+2. Computer name and associated IP address: The computer name is first requested on the **DNS
+ server** for the domain. The computer name returned by the server also contains the domain names
+ as a postfix (e.g. Client01.domain.local). If there is no entry on the domain for the requested
+ IP address, the computer name is determined via **NetBIOS**. The domain name is not displayed on
+ the computer (e.g. Client01). In Netwrix Password Secure V8, the **DNS request** is the preferred
+ function for determining the computer name. If no result is delivered, a request via **NetBIOS**
+ is made.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/documents.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/documents.md
new file mode 100644
index 0000000000..e16062b535
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/documents.md
@@ -0,0 +1,67 @@
+---
+title: "Documents"
+description: "Documents"
+sidebar_position: 20
+---
+
+# Documents
+
+## What are documents?
+
+Security-critical data does not necessarily need to be in the form of passwords. To enable the
+uniform and secure storage of data other than passwords, Netwrix Password Secure version 9 offers
+effective tools for the professional handling of sensitive documents and files. The ability to share
+documents with others according to their permissions gives you access to the current status of a
+document and helps avoid redundancies. The documents module is complemented by a sophisticated
+version management system, which records all versions of a document that were saved in the past and
+thus enables you to revert back to historical versions. The configuration of visibility is explained
+in a similar way to the other modules in one place..
+
+![Document modul](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/documents/documents_1-en.webp)
+
+## Relevant rights
+
+The following option is required to add new documents.
+
+## User right
+
+- Can add new documents
+
+## Adding documents
+
+There are two ways to manage documents and files in Netwrix Password Secure v8:
+
+- **Creating a link**: In this case, only a file that is located locally or on a network drive will
+ be linked. The file itself is not stored in the database. Neither version management nor the
+ traceability of changes in the history are possible.
+- **Storing the document in the database**: The file becomes part of the encrypted database. It is
+ saved within the database and can be made available selectively to employees for further
+ processing in the future based on their permissions.
+
+![New document](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/documents/documents_2-en.webp)
+
+## Document selection
+
+When selecting the file to be uploaded, you can either browse your file system via the Explorer view
+or add objects by drag & drop. The latter gives you the possibility to directly import several
+documents in one step.
+
+![searching document](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/documents/documents_3-en.webp)
+
+## Versioning
+
+The heart of each document management system is the ability to capture and archive changes to
+documents or files. All versions of a document can be compared with each other and historical
+versions can be restored if necessary. Netwrix Password Secure provides this functionality via the
+history in the ribbon, as well as in the footer area for ​​the detailed view of a document. This can
+be used in the same way as the [History](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/history.md). The interplay between the
+document-specific event logbook and the history provides a complete list of all information that is
+relevant to the handling of sensitive data. Version management can be used to restore any historical
+versions of a document.
+
+NOTE: The file size for a **linked document** can only be updated if the document was opened using
+Netwrix Password Secure.
+
+NOTE: If desired, the document history can be automatically cleaned up. This option can be
+configured on the **Server Manager**. Further information can be found in the section Managing
+databases.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/_category_.json
new file mode 100644
index 0000000000..3b8a4fc8f6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Forms",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "forms"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/change_form.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/change_form.md
new file mode 100644
index 0000000000..045899a013
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/change_form.md
@@ -0,0 +1,73 @@
+---
+title: "Change form"
+description: "Change form"
+sidebar_position: 10
+---
+
+# Change form
+
+## Changing forms
+
+It is necessary in some cases to change the form for a record. In these cases, this is mostly to
+consolidate existing data or to adapt the form to match changes in the data structure. These
+functionalities are available under "Extras/Settings" in the ribbon.
+
+![change form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/change_form_1-en.webp)
+
+In the following screenshot, you can see the dialogue for "mapping" the form fields from the
+previously used form to the new form. In this example, a record that previously belonged to the
+"Website" form is being "mapped" to the "Password" form (right).
+
+![change form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/change_form_2-en.webp)
+
+The drop-down menu allows you to select the target form. The comparison of current and new form
+fields is shown in the lower section.
+
+- Fields **marked in green** have already been assigned to the new form
+- Fields **marked in red** indicate fields that have not been assigned
+
+### Relevant rights
+
+The following options are required to change forms.
+
+### User right
+
+- Can change form for a password
+
+**CAUTION:** Please note that information could be lost during this process! In the example, this
+applies to the fields "Website" and "Information".
+
+## The effects of changes to forms on existing records
+
+In general, changes to forms do not effect existing records. This means that a record that was
+created with a certain form will not itself be changed after this form has been adapted/changed. It
+remains in its original state. However, there are methods by which changes to forms could be adopted
+by existing records.
There are two possibilities in this context:
+
+### How to change forms
+
+If you press the "Change form" button (as mentioned in the previous section), the already existing
+form will be used by default. If this form has been changed in the meantime, the new form field will
+be directly shown and adopted after it is saved.
+
+![New Form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/change_form_3-en.webp)
+
+### Apply form changes to passwords
+
+The setting "Apply form changes to passwords" makes it possible to force the change to the form to
+be adopted. This becomes effective when editing the record! It is immaterial here whether changes
+are being made to the record. Simply re-editing and saving the record will cause the adjustment to
+the form.
+
+### The following permissions/configuration must exist
+
+- The user that wants to make the change requires the read right to the form
+- The "read", "write" and authorize" rights for the record (and the form to be edited) are required.
+- Sealed and masked records remain unaffected
+
+## Conclusion
+
+A common feature of both variants is that adjustments to forms cannot be automatically triggered.
+Already existing records are thus not automatically adjusted. The adjustment thus needs to be
+carried out manually. In the first case, the manual step is to use the function "Change form". In
+the second case, it is sufficient to simply edit and save the record.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md
new file mode 100644
index 0000000000..e151e9c718
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md
@@ -0,0 +1,116 @@
+---
+title: "Forms"
+description: "Forms"
+sidebar_position: 60
+---
+
+# Forms
+
+## What are forms?
+
+When creating a new data record, it is always indispensable to query all relevant data for the
+intended application. In this context, **Forms** represent templates for the information which have
+to be stored. The manageability of existing forms primarily ensures the completeness of the data
+which have to be stored. Nevertheless, their use as an effective filter criterion is not to be
+ignored! Forms have a lasting impact on working withNetwrix Password Secure v8 and must be managed
+and maintained with the necessary care by the administration.
+
+![form module](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_1-en.webp)
+
+## Relevant rights
+
+The following options are required to add new forms.
+
+### User right
+
+- Can add new forms
+- Display form module
+
+## Standard forms
+
+Netwrix Password Secure is supplied with a series of standard forms – these should generally cover
+all standard requirements. Naturally, it is still possible to adapt the standard forms to your
+individual requirements.
+
+![forms](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_2-em.webp)
+
+The associated preview for the form selected in
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) appears in the
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md). Both the field name and also
+the field type are visible.
+
+## Creating new forms
+
+The wizard for creating new forms can be started via the ribbon, the keyboard shortcut "Ctrl + N" or
+also the context menu that is accessed using the right mouse button. The same mechanisms can now be
+used to create new form fields within the wizard. Depending on the selected field type, other
+options are available in the **field settings** section.
This will be clearly explained below using
+the example of the field type "Password". The sequence in which form fields are requested when
+creating new records corresponds to the sequence within the form. This can be adapted using the
+relevant buttons in the ribbon.
+
+![Creating new forms](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_3-en.webp)
+
+The following field settings thus appear for the field type "Password": "Mandatory field, reveal
+only with reason, check only generated passwords and password policy". These can now be defined as
+desired. (**Note**: It is possible to select
+[Password rules](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md) within the field settings;
+they are defined as part of the options in the main menu)
+
+**CAUTION:** If a form has been created, it can then be selected for use when creating new records.
+The prerequisite is that the logged-in user has at least read rights to the form.
+
+## Permissions for forms
+
+In the same way as for other objects (records, roles, documents,…), permissions can also be granted
+for forms. On the one hand, this ensures that not everyone can edit existing forms, while on the
+other hand, it allows you to make forms available to selective groups. This ensures that clarity is
+maintained and that users are not confronted with information that is irrelevant to them. The form
+"Credit cards" may be relevant within the accounting department but administrators do not generally
+need to use it.
+
+## Configuring the info field
+
+Every record displays other information underneath the obligatory name of the record in list view.
+In the following example, the user name is also displayed in addition to the name of the password.
+The name of the form is displayed in between in a blue font.
+
+![Configuring the info field](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_4-en.webp)
+
+The name of the record (192.168.150.236) and the form (password) cannot be adjusted – these are
+always displayed. The user (Administrator) that is still saved for the record is currently
+displayed. This can be configured in the info field for the form. It is thus possible to separately
+define for each form what information for a record can be directly seen in list view. In the form
+module, the info field is configured by opening the form which has to be edited in editing mode by
+double clicking on it and then pressing the \*Configure info field” button in the ribbon.
+
+![Configuring the info field](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_5-en.webp)
+
+This will open a separate tab that enables you to design the info section via drag & drop. The
+fields that are available on the right can be "dragged" onto the configuration window on the left.
+In the following example, "Start RDP session2 will be made visible in the info section, whereby only
+the word "RDP" is assigned a function – namely to start the RDP manager. A preview is shown in the
+top section.
+
+![preview form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_6-en.webp)
+
+The info field for the form is now updated. It is now possible to start the RDP session directly in
+the RDP session.
+
+![updated form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_7-en.webp)
+
+NOTE: The **forms module** is based on the
+[Web Application](/docs/passwordsecure/9.3/configuration/webapplication/web_application.md) module of the same name. Both modules
+have a different scope and design but are almost identical to use.
+
+## Standard form
+
+There are two possible ways to define a standard form.
+
+### Via the “standard form” user setting
+
+![settings form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_8-en.webp)
+
+### Via the form selection
+
+![default form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/forms/forms_9-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/logbook.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/logbook.md
new file mode 100644
index 0000000000..d6dfecac31
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/logbook.md
@@ -0,0 +1,58 @@
+---
+title: "Logbook"
+description: "Logbook"
+sidebar_position: 70
+---
+
+# Logbook
+
+## What is a logbook?
+
+Netwrix Password Secure logs all user interactions. These entries can be viewed and filtered via the
+logbook. The logbook records which user has made exactly what changes. This module is
+(theoretically) classified as uncritical. This is because the employee only has access to those
+logbook entries to which he is actually entitled.
+
+![Logbook module](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/logbook/logbook_1-en.webp)
+
+## Relevant rights
+
+The following options are required:
+
+### User right
+
+- Display logbook module
+
+## Use of the filter in the logbook
+
+You can also use the filter in the logbook. This enables you to limit the number of displayed
+elements based on the defined criteria. In the following example, the user is searching for logbook
+entries relating to the object type “Password” that also match the event criteria "Change". In
+short: The entries are being filtered based on changes to passwords.
+
+![Logbook filter](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/logbook/logbook_2-en.webp)
+
+## Grouping in the logbook
+
+This list can also be grouped together by dragging and dropping column headers – see the following
+grouping of the columns for **computer user**. The filtered results now show all changes to
+passwords carried out by the computer user "administrator".
+
+![Logbook entries](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/logbook/logbook_3-en.webp)
+
+## Revision-safe archiving
+
+In Netwrix Password Secure, an uncompromising method is used when handling the logbook: Every change
+of state is recorded and saved in the MSSQL database. There are no plans to allow triggers for
+logbook entries to be selectively defined.
It is only by using this process that changes are
+completed in a traceable and audit-proof manner to prevent falsification.
+
+NOTE: If desired, the logbook can be automatically cleaned up. This option can be configured on the
+Server Manager. Further information can be found in the section
+[Managing databases](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md).
+
+## Transferring to a Syslog server
+
+The logbook can also be completely transferred to a
+[Syslog](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/syslog.md) server. Further information on this
+subject can be found in the section Syslog.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md
new file mode 100644
index 0000000000..a19c8e7946
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md
@@ -0,0 +1,78 @@
+---
+title: "Notifications"
+description: "Notifications"
+sidebar_position: 30
+---
+
+# Notifications
+
+## What are notifications?
+
+With the notification system, you are always up-to-date on all events that you consider important.
+Almost all modules allow users to configure notifications. All configured messages are only created
+for the currently registered Netwrix Password Secure user. It is not possible to create a
+notification for another user. Each user can and should define himself which passwords, which
+triggers as well as changes are important and informative for him. The configuration of visibility
+is explained in a similar way to the other modules in one place
+[Visibility](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md)
+
+![Notifications modul](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp)
+
+NOTE: The reading pane is deactivated in this module by default. It can be activated in the
+"Display" tab in the ribbon.
+
+## Module-specific ribbon functions
+
+There are also some ribbon functionalities that are exclusively available for the notification
+module. In particular, the function **Forward important notifications to email addresses** enables
+administrators and users to maintain control and transparency independent of the location.
+
+![Ribbon notifications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/notifications/notifications_2-en.webp)
+
+### Mark notifications as read
+
+The two buttons on the ribbon enable you to mark notifications as read/unread. In particular, the
+filter criterion available in this context (see following screenshot) enables fast sorting according
+to current and also historical notifications.
+
+![filter notifications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/notifications/notifications_3-en.webp)
+
+It is possible to mark the notifications as read/unread via the ribbon and also via the context menu
+that is accessed using the right mouse button. If the corresponding setting has been activated,
+opening a notification will also mean that it is marked as read.
+
+## Manual configuration of notifications
+
+Irrespective of the selected module, permissions can be configured manually for objects. The
+following dialogue can be opened via the ribbon in the "Actions" tab:
+
+![Manual configuration of notifications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/notifications/notifications_5-en.webp)
+
+- **Notification**: Definition for the trigger
+- **Value**: Defines whether a notification should be created for the previously defined trigger. In
+ the example for the "Apple" record, this only occurs when the record is edited.
+- **Event type**: The event type for the generated notifications can be either "Info", "Warning" or
+ "Error". This information can also be used e.g. as an additional filter criterion.
+
+In contrast to previous editions, it is best to configure the notifications manually. This ensures
+that a notification is really only triggered for relevant events.
+
+## Other triggers for notifications
+
+As well as manually configurable notifications, there are other triggers in Netwrix Password Secure
+which will result in notifications.
+
+- [Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md): Requests
+ to release sealed records are handled via the notification system
+- [System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md)s: If reports are automatically
+ created via the system tasks, these are also made available in the form of a notification.
If this
+ type of notification is selected, it can be directly opened via the corresponding button that
+ appears on the ribbon.
+
+![Ribbon functions notifications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/notifications/notifications_6-en.webp)
+
+## Automatic deletion of old notifications
+
+If desired, notifications can be automatically cleaned up. This option can be configured on the
+**Server Manager**. Further information can be found in the section
+[Managing databases](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md).
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/_category_.json
new file mode 100644
index 0000000000..7f4d6b5f64
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Organisational structure",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "organisational_structure"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/_category_.json
new file mode 100644
index 0000000000..5efafacf63
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Directory services",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "directory_services"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/_category_.json
new file mode 100644
index 0000000000..74abd1d2fd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Active Directory link",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "active_directory_link"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md
new file mode 100644
index 0000000000..2af4c8d6d2
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md
@@ -0,0 +1,75 @@
+---
+title: "Active Directory link"
+description: "Active Directory link"
+sidebar_position: 10
+---
+
+# Active Directory link
+
+## What are active directory profiles?
+
+The connection to Active Directory (AD) is established via so-called AD profiles. These profiles
+contain all of the information relevant for establishing a connection to AD and enable
+imports/synchronization of users, organisational units or roles. To connect to various different
+ADs, it is naturally also possible to create multiple AD profiles.
+
+## Two import modes in comparison
+
+When importing from Active Directory, Netwrix Password Secure distinguishes between two modes, which
+differ significantly and are explained in separate sections.
+
+- End-to-end encryption
+- Master Key mode
+
+In principle, the two variants differ by the presence of the encryption mentioned above. In the
+solution with active end-to-end encryption (**E2EE**), the process may be less convenient (see
+table) but there is a huge benefit in terms of security. In Master Key mode, a master key is created
+on the server that has full permissions for all users, organisational units and roles. This
+represents an additional attack vector, which does not exist in end-to-end mode. In return, however,
+in Master Key mode, users can be updated via synchronization with the Active Directory. Memberships
+of organisational units and roles are also imported. In the more secure end-to-end mode, this
+synchronization of the changes must be carried out manually.
+
+NOTE: It is technically possible to create several profiles with different modes. However, this is
+not recommended for the sake of clarity.
+
+| Comparison of the modes | End-to-end mode | Master key mode |
+| ---------------------------------------------------------- | --------------- | --------------- |
+| End-to-end encryption\* | + | - |
+| Importing user information | + | + |
+| Importing assigned roles | - | + |
+| Importing roles to organisational units | - | + |
+| Synchronizing user information | - | + |
+| Synchronizing assigned roles | - | + |
+| Synchronizing roles with organisational units | - | + |
+| User can be edited in Netwrix Password Secure | + | - |
+| Organization unit can be edited in Netwrix Password Secure | + | - |
+| Roles can be edited in Netwrix Password Secure | + | - |
+| Password can be edited in Netwrix Password Secure | + | - |
+| Login with domain password | - | + |
+| Netwrix Password Secure is the leading system | + | - |
+| Active Directory is the leading system | - | + |
+| Autologin | + | + |
+
+As can be seen **E2EE offers the highest level of security**. The aim is merely to import users,
+organisational units and roles. Those must be administered and configured in Netwrix Password
+Secure. In contrast, a connection in **Master Key mode offers the highest level of convenience**. It
+imports not only users, organisational units and roles but also their links and assignments.
+Synchronization with Active Directory is possible – **The AD is used as the leading system**.
+
+## Users, groups and roles
+
+When importing or synchronizing from Active Directory, users are also added as users in Netwrix
+Password Secure. Netwrix Password Secure also uses the organisational units as such.
+
+In order for Netwrix Password Secure to be quickly integrated into the given infrastructure, roles
+can also be directly imported from the Active Directory. Namely Active Directory Groups are used to
+password-safe roles.
+
+NOTE: Groups in groups Memberships, which may be present in the Active Directory, will not be
+displayed within Netwrix Password Secure.
Both groups are imported as roles, but independent and not
+linked in any way.
+
+**CAUTION:** If Master Key mode has been selected for the Active Directory profile, the AD is the
+leading system. In this mode, roles that have been imported cannot be changed locally in Netwrix
+Password Secure.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/end-to-end_encryption.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/end-to-end_encryption.md
new file mode 100644
index 0000000000..46b707af1d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/end-to-end_encryption.md
@@ -0,0 +1,160 @@
+---
+title: "End-to-end encryption"
+description: "End-to-end encryption"
+sidebar_position: 10
+---
+
+# End-to-end encryption
+
+## Maximum encryption
+
+[Active Directory link](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md) with active end-to-end encryption currently offers
+**maximum security**. Only users, organisational units and roles are imported. The permissions and
+the hierarchical relationship between the individual objects needs to be separately configured in
+Netwrix Password Secure. The advantage offered by end-to-end encryption is that Active Directory is
+“defused” as a possible insecure gateway. In Master Key mode, users who control Active Directory
+receive de facto complete access to all passwords because resetting a Windows user name enables
+users to log in under another person’s name. Active Directory is thus the leading system. **Using an
+active E2EE connection, users require their own password for Netwrix Password Secure**. There is
+thus no access to users’ data via Active Directory.
+
+## Relevant rights
+
+The following options are required to add new profiles.
+
+### User right
+
+- Can add new Active Directory profiles
+- Display organisational structure module
+- Display role module
+
+## Creating profiles
+
+The process for creating a new profile is started via the icon "manage profiles" on the ribbon.
+
+![New AD profile](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_1-en.webp)
+
+NOTE: "End-to-end" needs to be set in the "Encryption" field
+
+A **user** is required to access the AD. The user should be formatted as follows: Domain\user. It
+must have access to the AD.
+
+- The relevant **user password** (domain password) is required for the user mentioned above
+- **Direct search** is recommended for very large domain trees. The representation of the tree
+ structure is omitted, elements can only be found and selected via the search.
+- The **filter** can be used to directly specify an AD path as an entry point via an LDAP query.
+- Various security options – so-called AuthenticationTypes Enumeration – can be selected for the
+ connection of the AD to Netwrix Password Secure:
+ - Secure
+ - SecureSocketsLayer
+ - ReadOnlyServer
+ - Signing
+ - Sealing
+
+## Import
+
+The import is started directly in the ribbon. A wizard guides the user through the entire operation.
+
+![Import icon](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp)
+
+## Organisational structure
+
+First, an organisational unit is selected for the import. If there are no organisational units in
+the database yet, as in this example, the data is imported into the **main organisational unit**.
+
+![Import wizard/organisational structure](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp)
+
+## Active Directory objects
+
+In the next step, select the relevant profile that should be used for the import. Then, select the
+organisational units and/or users for the import. A search is available for this purpose.
+
+![Import wizard/AD objects](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp)
+
+It can be seen that the organisational units **Jupiter** and **Contoso** contain items to be
+imported. The organisational units themselves will not be imported. The check next to the group
+**Accounting** indicates that the group itself will be imported along with some of its sub-elements.
+
+There are different symbols which indicate the elements to be imported.
+
+- The element itself and all possible sub-elements will be imported
+- The element itself and some of its sub-elements will be imported
+- The element will not be imported; however, it contains elements that will be imported
+
+A context menu that is accessed using the right mouse button is available within the list that
+provides helpful functions for selecting the individual elements.
+
+![context menu](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp)
+
+- Select sub-objects selects all sub-objects that are located directly below the current object
+- Deselect sub-objects removes tags from all sub-objects that are located directly below the current
+ object
+- Reset all items removes all previously set tags
+- Display element details lists all information that is available for the current element
+
+In the lower area you can specify whether the users just selected for import should be created as
+**Light** or **Advanced User (View)**s.
+
+NOTE: If individual users, organisational units, or roles cannot be selected for import, they have
+already been imported via another profile
+
+## Summary
+
+The last page summarizes which objects will be edited and in what form. It specifies the names of
+the elements along with their descriptions. The **Status** column specifies whether the object is
+added, updated, or disabled. The last column specifies the organisational unit into which the
+element is imported. The number of objects is added together at the bottom.
+
+![Import wizard/Summary](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp)
+
+NOTE: Depending on the amount of data, it may take several minutes to create the summary.
+
+## Importing
+
+The import itself is carried out by the server in the background. The individual elements then
+appear in the list one by one. This may take some time, depending on the amount of import data. If
+the import is terminated, you will receive a confirmation.
+
+![confirmation](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp)
+
+NOTE: As end-to-end encryption is retained in this mode, the server does not receive a key to match
+already imported users with the AD. There is thus no synchronization with the AD. Similarly, no
+memberships can be imported. After the import, users must be manually assigned to the appropriate
+organisational units and roles.
+
+## Imported users and organisational units
+
+In end-to-end mode, the imported users behave like local users. The users can/must be edited
+manually in Netwrix Password Secure. The affiliations to organisational units and/or roles must be
+adapted manually.
+
+## Rights
+
+The rights will be issued as follows during the import or synchronization.
+
+### New objects
+
+| | User | Groups | Roles |
+| --------------------------------- | ------------------------------------------------- | --------------------------- | ------------------------------------------------- |
+| Are rights inherited from the OU? | If no preset has been saved | If no preset has been saved | No |
+| Are rights applied from a preset? | If a preset has been saved | If a preset has been saved | No |
+| Is the "add" right issued? | No | Yes | No |
+| Who receives the rights key? | Imported users and all with the "authorize" right | All | Imported roles and all with the "authorize" right |
+
+### Changed objects
+
+| | User | Groups | Roles |
+| --------------------------------- | ---- | ------ | ----- |
+| Are rights inherited from the OU? | No | No | No |
+| Are rights applied from a preset? | No | No | No |
+| Is the "add" right issued? | No | No | No |
+| Who receives the rights key? | None | None | None |
+
+NOTE: In end-to-end mode, **no role affiliations** are issued during the import or synchronization.
+
+## Logging into Netwrix Password Secure
+
+Users imported in this mode can not login with the domain password. Rather, a password is generated
+during import. This password is sent to the users by e-mail. If a user has not entered an e-mail
+address, the user name is entered as the password. The initial password can be changed by the
+administrator or the user himself at the first login.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md
new file mode 100644
index 0000000000..605f4b622b
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md
@@ -0,0 +1,249 @@
+---
+title: "Masterkey mode"
+description: "Masterkey mode"
+sidebar_position: 20
+---
+
+# Masterkey mode
+
+## Maximum convenience
+
+In contrast to [End-to-end encryption](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/end-to-end_encryption.md), which places the main focus on
+security, Masterkey mode provides the maximum level of convenience. It not only imports users,
+organisational units and roles but also their links and affiliations. It can be synchronized to
+update the information and affiliations. **In this scenario, Active Directory is used as a leading
+system**.
+
+## Relevant rights
+
+The following options are required to add new profiles.
+
+### User right
+
+- Can add new Active Directory profiles
+- Display organisational structure module
+- Display role module
+
+## Creating profiles
+
+Profile management is started via the icon of the same name on the ribbon.
+
+![AD profile](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_1-en.webp)
+
+The following information must be provided in the profile:
+
+- **Profile name**
+- An optional **description**
+- Masterkey mode is selected for the **encryption**
+
+NOTE: In the case of already created profiles, the encryption can no longer be changed.
+
+- The **domain** field is used to define which domain is to be read. The value entered here will
+ also be used for authentication if no alternative spellings have been saved under **Other domain
+ names**.
+- A **local user** (for example, the administrator) or an already imported user must be specified.
+ The data will be imported under that user’s name.
+- A **user** is required to access the AD. The user should be formatted as follows: Domain\User. It
+ must have access to the AD.
+- Corresponding **user password** (domain password) for the user.
+- \*_Direct search_ is recommended for very large domain trees. The tree structure is omitted,
+ elements can then only be found and selected via the search.
+- By activating the checkbox **Restrict user import to role members only**, a simplified mode is
+ activated. In this mode, only AD users who are members of at least one role are imported. As soon
+ as they are no longer a member of at least one role, they are deleted from Netwrix Password
+ Secure.
+- By activating the checkbox **Force update on next synchronization**, **ALL** records will be
+ updated on the next synchronization, regardless of whether the record has changed in the Active
+ Directory or not. (This checkbox is automatically activated when you have edited the other
+ responsible users and is deactivated again after the next synchronization).
+- The **LDAP filter** can be used to directly specify an AD path as an entry point via an LDAP
+ query.
+- Various security options – so-called AuthenticationTypes Enumeration (**Flags**) – can be selected
+ for the connection of the AD to Netwrix Password Secure:
+ - Secure
+ - SecureSocketsLayer
+ - ReadOnlyServer
+ - Signing
+ - Sealing
+
+NOTE: The first two options are already activated by default when configuring a new profile. If a
+connection is not possible, deactivate SecureSocketsLayer and try again.
+
+- **Other responsible users or roles** can be used to define who is permitted to carry out the
+ synchronization with the AD.
+- The option **Other domain names** can be used to save alternative spellings of the login domain.
+ These must correspond to the spelling entered in the login window. For example, if a connection is
+ being established to the domain **jupiter.local** or an IP address, the login can only be carried
+ out with **jupiter\user** if **jupiter** has been saved here.
+
+**CAUTION:** The master key is added in form of a certificate. It is **essential to back up** the
+generated certificate! If the database is being moved to another server, the certificate also needs
+to be transferred! Further information can be found in the section
+[Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md).
+
+NOTE: You can now use the option to integrate a RADIUS server. Read more in
+[RADIUS authentication](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/radius_authentication.md).
+
+## Import
+
+You can start the import directly in the ribbon. A wizard guides the user through the entire
+operation.
+
+![import icon](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp)
+
+## Organisational structure
+
+First, an organisational unit is selected for the import. If there are no organisational units in
+the database yet, as in this example, the data is imported into the **main organisational unit**.
+
+![import wizard / organisational structure](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp)
+
+### Active Directory objects
+
+In the next step, select the profile you will use to import the data. Then, select organisational
+units and/or users for the import. A search is available for this purpose.
+
+![import wizard / AD objects](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp)
+
+As you can see, the organisational units **Jupiter** and **Contoso** contain items to be imported.
+The organisational units themselves will not be imported. The group **1099 Contractor** is imported
+including all sub-elements. The check next to the group **Accounting** indicates that the group
+itself will be imported along with some of its sub-elements. The ticks in the last column ensure
+that the elements are observed in future synchronization sequences.
+
+There are different symbols which indicate the elements to be imported.
+
+The element itself and all possible sub-elements will be imported The element itself and some of its
+sub-elements will be imported The element will not be imported; however, it contains elements that
+will be imported
+
+Right-clicking in the list will launch a context menu. It provides helpful functions for the
+selection of the individual elements.
+
+![select subjects](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp)
+
+NOTE: If individual users cannot be selected for import, they have already been imported via an
+end-to-end encrypted profile.
+
+In the lower area you can specify whether the users just selected for import should be created as
+**Light** or **Advanced User (View)**s.
+
+## Summary
+
+The last page summarizes which objects will be edited and in what form. It specifies the names of
+the elements along with their descriptions. The **Status** column specifies whether the object is
+added, updated, or disabled. The last column specifies the organisational unit into which the
+element is imported. The number of objects can be seen at the bottom.
+
+![import wizard / summary](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp)
+
+## Importing
+
+The server imports data in the background. The individual elements then appear in the list one by
+one. This may take some time, depending on the amount of import data. If the import was terminated,
+this is symbolized by a hint.
+
+![Notification](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp)
+
+## Imported users and organisational units
+
+The users and organisational units imported in Masterkey mode cannot be edited in Netwrix Password
+Secure. Therefore, any changes must be made in AD and synchronized. AD thus becomes the leading
+system. Affiliations to roles are also synchronized and must be set in the AD. In organisational
+units or roles created in Netwrix Password Secure, the users can be included directly in Netwrix
+Password Secure.
+
+## Rights
+
+The rights will be issued as follows during the import or synchronization.
+
+### New objects
+
+| | User | Groups | Roles |
+| --------------------------------- | ------------------------------------------------- | --------------------------- | ------------------------------ |
+| Are rights inherited from the OU? | If no preset has been saved | If no preset has been saved | No |
+| Are rights applied from a preset? | If a preset has been saved | If a preset has been saved | No |
+| Is the "add" right issued? | No | Yes | No |
+| Who receives the rights key? | Imported users and all with the "authorize" right | All | All with the "authorize" right |
+
+### Changed objects
+
+| | User | Groups | Roles |
+| --------------------------------- | ------------------------------ | ------ | ------------------------------ |
+| Are rights inherited from the OU? | If no preset has been saved | No | No |
+| Are rights applied from a preset? | If a preset has been saved | No | No |
+| Is the "add" right issued? | No | No | No |
+| Who receives the rights key? | All with the "authorize" right | None | All with the "authorize" right |
+
+NOTE: If a user is imported, he will be given those roles that he also had in AD insofar as these
+roles already exist in Netwrix Password Secure or have also been imported.
+
+## Logging into Netwrix Password Secure
+
+Users who are imported using this mode can log in with the domain password. Please note that no
+domain needs to be specified when logging in. Of course, the login process can also be supplemented
+with
+[Multifactor Authentication](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md).
+
+NOTE: Logging on using Kerberos works "automatically". As long as the corresponding Kerberos server
+is accessible, the users in the domain authenticate themselves via Kerberos using their domain
+password. If the logon via Kerberos does not work – e.g. due to incorrect configuration of the
+domain controller – the logon via the NTLM protocol is attempted. However, these are all settings
+that have to be made on the domain controller and have nothing to do with Netwrix Password Secure.
+
+**CAUTION:** Logging on to Netwrix Password Secure using SSO via Kerberos is currently not possible.
+
+## Permissions to imported objects
+
+The rights to be issued to imported users are explained in the following example:
+
+![Permission MKM User](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_7-en.webp)
+
+1. In Master Key mode, **all** users will be issued with the **read** right.
+2. The **responsible user** will be issued with all rights and the key. This ensures that he can
+ also synchronize or change the user in the future
+3. **Other responsible users** are issued with the same rights as the **responsible user**
+4. The **Master Key** for the **Active Directory** profile will also be issued with all rights and
+ keys as it will be used for the synchronization
+5. Finally, users will be issued with the rights for themselves
+
+NOTE: All users and roles issued with **rights** to the imported object also receive its rights key.
+
+## Synchronization
+
+During synchronization, all relevant information for users, organisational units and roles (names,
+email, etc.) is updated. Changed affiliations for roles are adjusted. Likewise, users are activated
+or deactivated according to the settings in the AD. If the membership of organisational units is to
+be changed, this can be done by **Drag & Drop**. New users and correspondingly defined roles are
+imported.
+
+NOTE: If the tick was not set in the Synchronization column when a user is imported, no changes are
+made.
+
+### Manual synchronization
+
+The synchronization can be started manually at any time via the corresponding button in the ribbon.
+
+![manual synchronization](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_8-en.webp)
+
+Select the required profile and start the synchronization. As is the case with the initial import,
+the synchronization runs in the background. A hint indicates that the process has been completed.
+
+### Synchronization via system tasks
+
+The synchronization can also be carried out automatically. This is made possible via the
+[System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md).
+
+### Deleting or removing users
+
+If a user is deleted in Active Directory, it is also deleted in Netwrix Password Secure during the
+next synchronization. For this purpose, it is necessary for the user to be imported as a
+**synchronizable** user.
+
+If the user is only deleted from Netwrix Password Secure but retained in Active Directory, a
+synchronization needs to be carried out to delete it from the database. For this purpose, the wizard
+is called up via **import**. The first step is to select an organisational unit. This has no effect
+when simply deleting a user. The second step is to search for the user. Both ticks are removed.
+
+After checking the summary, the process is concluded. The synchronization is completed and the user
+is deleted from the database.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/radius_authentication.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/radius_authentication.md
new file mode 100644
index 0000000000..9f6b032355
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/radius_authentication.md
@@ -0,0 +1,38 @@
+---
+title: "RADIUS authentication"
+description: "RADIUS authentication"
+sidebar_position: 30
+---
+
+# RADIUS authentication
+
+## What is the RADIUS authentication?
+
+RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol used primarily for
+authentication and authorization of users during dial-up connections in corporate networks. Netwrix
+Password Secure can also benefit from the advantages of a RADIUS server. In particular, multi-factor
+authentication should be mentioned here. But all other RADIUS-typical functions can also be used.
+Further information can be found for example at **Wikipedia**.
+
+## Requirements
+
+In order for Netwrix Password Secure to address a RADIUS server, the following requirements must be
+met:
+
+- A RADIUS server must be available and accessible via the network.
+- Access to the Netwrix Password Secure Server Manager must be set up on the RADIUS server.
+- A corresponding Secret must be configured for access.
+- In Netwrix Password Secure, users must have been imported from the AD in Masterkey mode.
+
+## Configuration
+
+The actual connection of the RADIUS server is simple:
+
+![radius integration](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication_1-en.webp)
+
+- **Use RADIUS** - First, the usage is activated.
+- **Host Address** - The address of the RADIUS server is stored here.
+- **Secret** - Refers to the secret stored for the Netwrix Password Secure Server Manager.
+- **AUTH Port** - The so-called AUTH port of the RADIUS server is specified here.
+- **ACT Port** - The ACCT port of the RADIUS server can also be stored; if required.
+- **Timeout** - The time the RADIUS server has to react; can also be configured.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/directory_services.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/directory_services.md
new file mode 100644
index 0000000000..4b48867a6c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/directory_services.md
@@ -0,0 +1,16 @@
+---
+title: "Directory services"
+description: "Directory services"
+sidebar_position: 30
+---
+
+# Directory services
+
+It is possible to use existing user and group structures from external directories with Netwrix
+Password Secure.
+
+Choose your preferred integration method:
+
+- [Microsoft Entra ID connection](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/entra_id_connection.md)
+
+- [Active Directory link](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/_category_.json
new file mode 100644
index 0000000000..9604774739
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Microsoft Entra ID connection",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "entra_id_connection"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/entra_id_connection.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/entra_id_connection.md
new file mode 100644
index 0000000000..f2975dd9af
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/entra_id_connection.md
@@ -0,0 +1,170 @@
+---
+title: "Microsoft Entra ID connection"
+description: "Microsoft Entra ID connection"
+sidebar_position: 20
+---
+
+# Microsoft Entra ID connection
+
+More and more companies use cloud services. Therefore, also the management of users is outsourced.
+Instead of a classic Active Directory via LDAP, an Entra ID is used more often. Netwrix Password
+Secure integrates the possibility to bring in users and roles from Azure. To use users and roles
+from multiple Entra IDs, you can create multiple profiles.
+
+## Introduction
+
+## Why Entra ID?
+
+More and more companies use cloud services. Therefore, also the management of users is outsourced.
+Instead of a classic Active Directory via LDAP, an Entra ID is used more often. Netwrix Password
+Secure integrates the possibility to bring in users and roles from Azure. To use users and roles
+from multiple Entra IDs, you can create multiple profiles.
+
+Remember, In order to use Azure login with the windows application,
+[WebView2](https://developer.microsoft.com/de-de/microsoft-edge/webview2/) from Microsoft must be
+installed on the client device.
+
+### Differences to the LDAP connection
+
+The connection to the Entra ID differs in one special point from the connection to a conventional
+Active Directory. While Netwrix Password Secure queries the users, groups, and roles actively from
+the conventional AD, the Entra ID is pushing them automatically to our server. For this a so-called
+[SCIM service](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) is used.
+
+To login to Netwrix Password Secure, after entering the username a popup opens for the
+authentication with the entered Microsoft account. Here, a possible configured second factor is also
+requested. The authentication is handled via the
+[Open ID Connect protocol](https://openid.net/connect/).
+
+### Linking Entra ID
+
+Below you will find instructions on how to connect Entra ID to Netwrix Password Secure. In the Azure
+portal, go to the management page of your Microsoft Entra ID. Use an account with administrative
+permissions for this. During this, login to Netwrix Password Secure with an account that has the
+user right "Display organisational structure module", "Can manage Entra ID profiles", and "Can
+create new Entra ID profiles" enabled.
+
+## Setup
+
+### New enterprise application
+
+Login to the [Azure portal](https://portal.azure.com/#azure-portal) and go to the management page of
+your Microsoft Entra ID.
+
+NOTE: You need an account with administrative permissions
+
+- Write down your "Tenant ID" shown in the Azure console or by using PowerShell:
+
+
+```
+Connect-AzureAD
+
+```
+
+- Navigate in your Entra ID to "Enterprise applications"
+- Add an own application, that is not listed in the Azure Gallery – in our example, we name it
+ "Netwrix Password Secure"
+
+NOTE: A key feature of Netwrix Password Secure is, that it is self-hosted by our customers. However,
+to be listed in Azure Gallery, a SaaS model is required. Therefore, Netwrix Password Secure is not
+available in the Azure Gallery.
+
+- When the application was created successfully, you are redirected to it automatically
+- Write down the "Application ID"
+- In the navigation, click "Users and groups"
+- Add the Users and groups that should be available to Netwrix Password Secure
+
+**CAUTION:** The import of Azure groups as Netwrix Password Secure roles is only possible if you
+have booked the Azure package Entra ID Premium P1!
+
+- Navigate to the "Provisioning" page
+- Configure the Provisioning Mode to "Automatic"
+
+### Netwrix Password Secure Entra ID configuration
+
+NOTE: Your Netwrix Password Secure user need the following permissions:
+
+
+```
+- Display organisational structure module
+- Can manage Azure AD profiles
+- Can create new Azure AD profiles
+
+```
+
+- Navigate to the module "Organisational structure"
+- In the toolbar, click on "Manage profiles" in the category "Entra ID"
+- Create the profile with your information
+- Insert the `Tenant ID` and the `Application ID`
+- As soon as the profile has been saved, a popup opens for generating a token
+- Choose a desired expiration date (max. 10 years) and click "Generate token"
+- Write down the values of the fields "Tenant URL" and "Secret Token"
+
+### Azure provisioning configuration
+
+Fill the fields "Tenant URL" and "Secret Token" with the information provided by Netwrix Password
+Secure Click "Test Connection" When the test has been successful, click on "Save" at the top of the
+page Back on the "Provisioning" page, click "Start provisioning" In the settings of the
+provisioning, check if "Provisioning Status" is set to "On" All allocated users and groups are
+created in Netwrix Password Secure now
+
+NOTE: Azure´s default provisioning interval is 40 Minutes. So it may some time until the users and
+roles are shown in Netwrix Password Secure.
+
+**CAUTION:** Please note that Azure establishes the connection to Netwrix Password Secure. For this,
+the client URL must be accessible from an external network / provisioning agent and any used SSL
+certificate must be valid! If the users are not created in Netwrix Password Secure, consult the
+Azure Enterprise Application Provisioning log for more information.
+
+### Azure login configuration
+
+To enable the Azure login for your users, a few more steps are required:
+
+- Navigate to the Overview page of your Entra ID
+- Navigate to "App registrations"
+- If no application is displayed, click "All applications"
+- Click on "Netwrix Netwrix Password Secure" and navigate to "Authentication"
+- Click on "Add a platform", select "Web" and configure the required URIs:
+
+| Client | URI |
+| ------------------------ | ------------------------------------------------------------------------- |
+| Web Application | `https://`Web Application_URL`/authentication/login-via-oidc` |
+| Advanced view & Autofill | `https://login.microsoftonline.com/common/oauth2/nativeclient` |
+| Google Chrome Extension | `https://bpjfchmapbmjeklgmlkabfepflgfckip.chromiumapp.org` |
+| Microsoft Edge Extension | `https://ahdfobpkkckhdhbmnpjehdkepaddfhek.chromiumapp.org` |
+| Firefox Extension | `https://28c91153e2d5b36394cfb1543c897e447d0f1017.extensions.allizom.org` |
+
+![web_configuration_entra_id](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/web_configuration_entra_id.webp)
+
+Click on "Add a platform", select "Mobile & desktop applications" and configure the required
+mobile-app URI:
+
+| Client | URI |
+| ------------- | ------------------ |
+| iOS & Android | `psrmobile://auth` |
+
+![mobile_and_desktop_applications](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/mobile_and_desktop_applications.webp)
+
+#### Create client secret
+
+Navigate to your Netwrix Netwrix Password Secure App registration -> Certificates & secrets ->
+Client secret
+
+Create a client secret:
+
+![certificates-secrets-en_1544x311](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/certificates-secrets-en_1544x311.webp)
+
+Copy it over to the Netwrix Password
Secure Entra ID profile:
+
+![entra_id_client_secret](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_client_secret.webp)
+
+#### Set API permissions
+
+Finally, the API permissions for the Azure API have to be set, so the login to can be performed
+successfully.
+
+1. Navigate to "API permissions" and click "Add a permission"
+2. Select "Microsoft Graph" and then "Delegated permissions"
+3. Set the checkboxes for "openid" and "profile" just under "OpenId permissions"
+4. Click on "Add permissions"
+5. Click on "Grant admin consent for YOUR_AD_NAME"
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/microsoft_entra_id_faq.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/microsoft_entra_id_faq.md
new file mode 100644
index 0000000000..8825ca490e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/entraidconnection/microsoft_entra_id_faq.md
@@ -0,0 +1,57 @@
+---
+title: "Microsoft Entra ID Services FAQ"
+description: "Microsoft Entra ID Services FAQ"
+sidebar_position: 10
+---
+
+# Microsoft Entra ID Services FAQ
+
+## Is it possible to migrate from LDAP to Entra ID?
+
+Currently, an automated migration from LDAP users (E2E as well as MasterKey) to Entra ID users is
+not possible!
+
+## Which port is used for the SCIM endpoint for provisioning users/groups from Entra ID to the Application Server?
+
+11015 is the port that will be used for the communication from Entra ID to Netwrix Password Secure.
+
+## Does the Entra ID connection support nested groups?
+
+Due to Azure based technical limitations, Netwrix Password Secure does not support nested groups.
+
+## Does Entra ID work on servers that are only available internally?
+
+An integration on servers, that are not accessible from external sources, the integration of Entra
+ID is also possible. For this, you can use the
+[Entra ID on-premises application provisioning to SCIM-enabled apps](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-scim-provisioning).
+This can be installed on all or only one application server. It must be noted that the IP or DNS
+name of the "Tenent URL" specified in the subsequently created enterprise application is present in
+the alternative application names in the server certificate. Tip: `https://127.0.0.1:11015/scim` can
+also be specified as the "Tenent URL", in which case 127.0.0.1 must again be present in the
+alternative application names in the server certificate.
+
+- Download the Provisioning Agent
+- Install the Provisioning Agent on the server with the Netwrix Password Secure Server
+- Start "AAD Connect Provisioning Agent Wizard"
+- Select "On-premises application provisioning Entra ID to application", click next
+- Click "Authenticate" and authenticate with a user.This user should be a Hybrid administrator or a
+ global administrator.
+- Click "Confirm"
+- Wait for the application to finish the registration in Azure
+- Switch to the Azure Portal
+- Click "Microsoft Entra ID"
+- Click "Enterprise applications"
+- Click "New application"
+- Search for "On-premises SCIM app"
+- Click "On-premises SCIM app"
+- Adjust the name
+- Click "Create"
+- Wait for the operation to end
+- Click the created application in the overview of "Enterprise applications"
+- Click "Provisioning"
+- Click "Get started"
+- Set provisioning mode "Automatic"
+- Unhide "On-Premises Connectivity"
+- Assign the just installed agent to this application by selecting it and click "Assign Agent(s)"
+- It takes about 20 minutes until the agent is correctly connected to your application and you can
+ proceed.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/first_factor.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/first_factor.md
new file mode 100644
index 0000000000..97fa927875
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/first_factor.md
@@ -0,0 +1,64 @@
+---
+title: "First factor"
+description: "First factor"
+sidebar_position: 40
+---
+
+# First factor
+
+## What is meant by first factor?
+
+It is a process that regulates access to our system.
+
+## Requirements
+
+With the user setting **Edit first factor** you have the possibility to define another factor for
+authentication than the standard password.
+
+![Edit first factor](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_1-en.webp)
+
+## Factors
+
+### Smartcard (only on Advanced view)
+
+The configuration is done via the user setting **First factor**.
+
+![Smartcard 1st factor](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_2-en.webp)
+
+NOTE: This option is only valid for users in master key mode
+
+**CAUTION:** Be Aware" The smartcard logon tries to determine whether the certificate belongs to the
+user to be logged on based on the applicant in the smartcard certificate. This is done using regex,
+the default regex `^{username}[.@\\/-_:]({domain})$` or `^({domain})[.@\\/-_:]({username})$` is
+applied to the applicant. In this case, `{username}` is replaced with the user to be registered and
+`{domain}` is replaced with the domain in the AD profile in the regex and if the regex query is
+positive, the user is registered. If the format of your applicant in your certificates is not
+compatible with these two regex queries, you must set a custom regex query in the Server Manager.
+Please note that `{username}` for username and `{domain}` for the AD domain SHOULD be present in the
+regex query. If the domain must be explicitly specified, it must be written in capital letters.
+
+In addition, the smartcard certificate must of course also be valid on the server!
+
+## Fido2 (only at the Web Application)
+
+## Requirement
+
+For Fido2 it is mandatory that
+SMTP ([Advanced settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md)) is configured.
+In addition, an e-mail address must be stored for the AD users.
+
+Furthermore, the URL of the Web Application must be stored in the Server Manager:
+
+![Edit WebClient URL](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_3-en.webp)
+
+### Configuration
+
+The configuration is done via the user setting **First Factor**.
+
+![FIDO2](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_4-en.webp)
+
+As soon as an AD user logs on to the Web Application, he gets the following prompt
+
+![prompt](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_5-en.webp)
+
+After clicking on **Setup Fido2 access** in the mail, Fido2 is configured.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/_category_.json
new file mode 100644
index 0000000000..5ab4bd9aa4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Managing users",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "managing_users"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/managing_users.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/managing_users.md
new file mode 100644
index 0000000000..1cbe829669
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/managing_users.md
@@ -0,0 +1,86 @@
+---
+title: "Managing users"
+description: "Managing users"
+sidebar_position: 10
+---
+
+# Managing users
+
+## How are users managed in Netwrix Password Secure?
+
+The way in which users are managed is highly dependent on whether Active Directory is connected or
+not. In Master Key mode, Active Directory remains the leading system. Accordingly, users are then
+also managed in the AD. If Netwrix Password Secure is the leading system, e.g. in end-to-end mode,
+users are managed in the organisational structures module. More details are provided in the relevant
+sections.
+
+## Relevant rights
+
+The following options are required to add local users.
+
+### User rights
+
+Can add new users -Display organisational structure module
+
+## Adding local users
+
+In general, new users are added in the same way as creating a local organisational unit. Therefore,
+only the differences will be covered below.
+
+### Creating users
+
+![create user](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/create-user-wc.webp)
+
+- **Allocated roles**: New users can directly be allocated one or more rolls when they are created
+- **Change password on next login**: The user will be requested to change their user password on the
+ next login (obligatory)
+- **Account is deactivated**: The user is created with the status "deactivated". The account is thus
+ not useable. The write rights for a user can be set/removed with this option. In editing mode, the
+ account can also be deactivated during ongoing operation.
+- **Restricted user**: Controlling entities exist in many companies that are only tasked with
+ checking the integrity and hierarchies of various pieces of information with one another but are
+ not required to productively work with the information themselves. This could be a data protection
+ officer or also an administrator in some cases.
This would be the case if an administrator was
+ responsible for issuing permissions to other people but should not be able to view the data
+ themselves. The property **restricted user** is used to limit the visibility of the password
+ field. It thus deals with purely administrative users or controlling entities.
+
+NOTE: Restricted users cannot view any passwords
+
+### Configuring rights
+
+The second tab of the wizard allows you to define the permissions for the newly created user. If an
+allocated organisational unit or a rights template group was defined in the first tab, the new user
+will inherit its permissions. Here, these permissions can be adapted if desired.
+
+### Configuring user rights
+
+Users always receive their user rights via role, which is either user-specific or global (see user
+rights). If no role is defined in the first tab "Create user", the third tab will thus contain
+globally defined user rights.
+
+## Importing users
+
+Importing from Active Directory can be carried out in two ways that are described in a separate
+section.
+
+## User licenses
+
+There are two different types of licenses, **Advanced view** and **Basic view** licenses. In all
+other editions you can only purchase Advanced view licenses. Please note that licensed Basic view
+users are not able to use the Advanced view. However, Advanced view Users can also switch to the
+Basic view.
+
+**CAUTION:** For licensing reasons, it is not intended to switch from a Advanced view user to a
+Basic view user!
+
+Our sales team will be happy to answer any questions you may have about licensing.
+
+Display data to which the user is authorized In order to display the data to which a user is
+authorized, you must right-click on the corresponding user in the organisational structure.
In the
+context menu that opens, you will find the following options under **displaying data records**:
+
+Password -Documents -Forms -Rolls -Uses -Password Reset -System Tasks -Seal templates
+
+NOTE: All authorizations for a data record are taken into account, regardless of whether you are
+authorized by a role or the user.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/user_passwords_logging_in.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/user_passwords_logging_in.md
new file mode 100644
index 0000000000..67a274545d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/user_passwords_logging_in.md
@@ -0,0 +1,91 @@
+---
+title: "User passwords / logging in to client"
+description: "User passwords / logging in to client"
+sidebar_position: 10
+---
+
+# User passwords / logging in to client
+
+## User passwords
+
+Depending on the type of user, they will either be allocated their password in Netwrix Password
+Secure or the login will be carried out using access data for the domain. How the user logs in also
+differs according to the type of user.
+
+### Differences between users and passwords
+
+- **Local users** Local users are those users that were directly created in Netwrix Password Secure.
+ These users must be directly assigned a password when they are created. If local users are
+ migrated from older versions, they receive a randomly generated password that is sent to them via
+ email.
+- **AD users in end-to-end mode** These users must also be assigned a password in Netwrix Password
+ Secure. A new password will also be issued via email for these users in the case of a possible
+ migration.
+- **AD users in Master Key mode** These users log in directly with access data for the domain. It is
+ thus not necessary to assign them a password. As these users directly authenticate themselves via
+ Active Directory, the currently saved password in Active Directory is thus always valid. These
+ users can still directly log in using the existing password even after a migration
+
+### Required rights
+
+Various rights are required in order to issue or change user passwords. One prerequisite is the user
+right **Can display organisational structure module**. **Read** and **write** rights for the user
+are also required. Finally, membership of the user is required. Normally, the user themselves and
+the user who created or imported the user have the right to change their password.
+
+![Permission for user](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_1-en.webp)
+
+### Assigning and changing passwords
+
+As already explained, local users are directly assigned their initial password when the user is
+created. The situation is different for users that are imported in end-to-end mode. They do not
+possess a password directly after the import and can thus not log in. It is thus necessary to assign
+passwords after the import.
+
+The passwords can be directly assigned or changed via the ribbon. Naturally, it is also possible to
+select multiple users if e.g. several imported users should be assigned the same password.
+
+![change password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_2-en.webp)
+
+### Change password on next login
+
+Even if several users receive the same initial password, it is sensible to force them to change it
+to an individual password. There is a corresponding option for this purpose. In the case of **local
+users**, this can be activated during the creation of the user. In the case of **users in end-to-end
+mode**, this option is directly activated during import for security reasons. This option is
+automatically deactivated after the user has successfully logged in and changed the password.
+
+![change password next login](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_3-en.webp)
+
+### Security of passwords
+
+To guarantee that passwords are sufficiently strong, it is recommended that corresponding
+[Password rules](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md) are created. It is
+especially important to ensure here that user names are excluded. The password rule then still needs
+to be defined as a user password rule.
+
+## Logging in to the database
+
+The process for logging into the database differs depending on the type of user.
+
+### Local user
+
+Local users simply log in using their user name and the assigned password.
+
+![login username](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_4-en_415x238.webp)
+
+![login password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_5-en.webp)
+
+## AD user
+
+If only one domain has been configured, the users from AD can also log in with their user name and
+password the same as local users. If multiple domains have been configured or there is a local user
+with the same name, the name of the domain must be entered in front of the user name
+
+The name of the domain must be entered as it is configured in the AD profile under **Domains**. The
+option **Other domain names** can be used to save other forms of the domain name.
+
+![AD User](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_6-en.webp)
+
+NOTE: The logon to the client is automatically forwarded to the Autofill Add-on and other clients on
+the same computer. The same applies to logging on to the Autofill Add-on.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/_category_.json
new file mode 100644
index 0000000000..6af5368eaf
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Multifactor authentication",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "multifactor_authentication"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/multifactor_authentication.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/multifactor_authentication.md
new file mode 100644
index 0000000000..e5eaca1d41
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/multifactor_authentication.md
@@ -0,0 +1,93 @@
+---
+title: "Multifactor authentication"
+description: "Multifactor authentication"
+sidebar_position: 50
+---
+
+# Multifactor authentication
+
+## What is multifactor authentication?
+
+By means of multifactor authentication, you can save the login – in addition to the password – with
+a further factor. Setting up a multifactor authentication can be done by either the administrator or
+the user.
+
+## Requirements
+
+To use multifactor authentication on a database, it must firstly have been activated on the Server
+Manager. In the database module, open the settings for the selected database via the ribbon.
+
+![database settings](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_1-en.webp)
+
+It is possible to separately define in the settings whether it is permitted to use each interface on
+the database.
+
+![multifactor authentication](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_2-en.webp)
+
+### Other settings
+
+In the user settings, it is also possible to define the "Length of validity of a multifactor
+authentication token" in minutes.
+
+NOTE: In order for a user (administrator) to be able to **configure** multifactor authentication for
+other users, the user must have the rights **read**, **write**, **delete** and **authorize**. It is
+important that these rights exist before Multifactor Authentication is set up.
+
+## Configuration of multifactor authentication
+
+In the [Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md) module, you select the user and
+the interface "Multifactor authentication" in the ribbon.
+
+![TOTP](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_3-en.webp)
+
+The desired type of authentication is selected and given a title. This name is also displayed to the
+user when logging in. The subsequent process differs depending on the desired authentication type.
+
+### Google authenticator
+
+The prerequisite for this is that the relevant app has been started on a smartphone. After the name
+has been assigned for the authentication, you generate a new secret via the corresponding button. A
+QR code is displayed, which must be scanned using the Google Authenticator app on a smartphone.
+
+![google authenticator](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_4-en.webp)
+
+Once the Google Authenticator app has detected the QR code, it will return a 6-digit PIN. You must
+then enter it in the appropriate field. Finally, click on **Create** in the ribbon.
+
+## RSA SecurID Token
+
+To set up multifactor authentication using RSA SecurID, simply enter the RSA user name and click
+**Create** directly in the ribbon.
+
+![RSA SecurID Token](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_5-en.webp)
+
+NOTE: The prerequisite for the use of RSA SecurID token is that the access data has been stored in
+the Database settings on the Server Manager.
+
+## Public key infrastructure
+
+For PKI setup, the **Select** button is used to open the menu for selecting the desired certificate.
+All eligible certificates are displayed.
+
+![Public key infrastructure](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_7-en.webp)
+
+Now just select the desired certificate from the list to confirm the process.
+
+## Yubico One Time Password
+
+The configuration of multifactor authentication using Yubico One Time Password is described
+in[Multifactor Authentication](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md).
+
+## Delete Multifactor Authentication (MFA)
+
+The multifactor authentication can be deleted by the user himself or by another user with sufficient
+authorization. The rights **Read**, **Write**, **Authorize** and **Delete** are required for another
+user to perform the deletion.
+
+In order to delete a file, you should go to the main menu. Under **Account** you will find the item
+**Multifactor Authentication**. An alternative way is to enter the management of multifactor
+authentication via the organisational structure. To do so, select the corresponding user and click
+on the **Multifactor Authentication** ribbon.
+
+In the administration of the multi-factor authentication you will then find in the ribbon the
+possibility to delete the stored MFA.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/otp_(one-time-password).md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/otp_(one-time-password).md
new file mode 100644
index 0000000000..b675535af4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/otp_(one-time-password).md
@@ -0,0 +1,55 @@
+---
+title: "OTP (One-Time-Password)"
+description: "OTP (One-Time-Password)"
+sidebar_position: 20
+---
+
+# OTP (One-Time-Password)
+
+## Using OTP in Netwrix Password Secure
+
+A one-time password is a password that is valid once and can be used for authentication or
+transactions. Accordingly, each additional authentication or authorization requires a new one-time
+password.
+
+## Establishment
+
+To set up OTP in Netwrix Password Secure, proceed as follows.
+
+- **Create form with OTP field**
+
+Create a new form or add an OTP field to an existing form:
+
+- **Create password**
+
+You assign the new or customized form to existing passwords and edit them or create a new password
+with the new or customized form.
+
+Next, the OTP field must be configured. For this purpose the key (secret) of the desired
+website/application is stored in Netwrix Password Secure.
+
+As soon as the secret has been deposited and the password saved, the setup is complete.
+
+## OTP in HTML WebViewer and Emergency WebViewer
+
+##### OTP in HTML WebViewer
+
+1. Set up OTP
+2. Create
+ [HTML WebViewer export](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md)
+3. Open the created HTML WebViewer
+
+How to use the HTML WebViewer can be read in the chapter with the same name.
+
+##### OTP in Emergency WebViewer
+
+NOTE: The special feature of the Emergency WebViewer is that the stored OTP secret is also
+displayed.
+
+In order to use the One-Time-Password in the
+[EmergencyWebViewer](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/emergency_webviewer.md)
+you have to proceed as follows:
+
+1. Set up OTP
+2. Emergency HTML WebViewer Export Task Create
+3. Open the created emergency WebViewer
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/yubicoyubikey.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/yubicoyubikey.md
new file mode 100644
index 0000000000..e9dbc85a30
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/yubicoyubikey.md
@@ -0,0 +1,82 @@
+---
+title: "Yubico / Yubikey"
+description: "Yubico / Yubikey"
+sidebar_position: 10
+---
+
+# Yubico / Yubikey
+
+## Setting up multifactor authentication
+
+### Requirements
+
+The following firewall release must be granted:
+
+- [https://api.yubico.com/wsapi/2.0/verify](https://api.yubico.com/wsapi/2.0/verify)
+
+### Requesting the Yubico API key
+
+An API key must be requested for configuration. For this purpose, use the following link and enter
+an e-mail address: [Yubico Website](https://upgrade.yubico.com/getapikey/)
+
+![yubico setup](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_1-en.webp)
+
+Yubikey will then generate a **One Time Password**. The Yubikey used must only be touched in the
+right place.
+
+![yubico stick](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp)
+
+The **One Time Password** is entered directly into the corresponding field.
+
+![yubico OTP](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_3-en.webp)
+
+Once the general terms and conditions have been approved, the API Key can be requested.
+
+![yubico key](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_4-en.webp)
+
+### Configuring the Yubikey API
+
+The actual setting up of the multifactor authentication is carried out on the Server Manager in the
+**Database** module. First select the required data base; then open the "Features" in the ribbon.
+The **Yubico Client ID** and the **Yubico Secret Key** must then be entered and saved.
+
+![Configuration yubico](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_5-en.webp)
+
+The interface is now ready and can be used.
+
+NOTE: The HTTPS endpoint [Yubico Verify](https://api.yubico.com/wsapi/2.0/verify) is used for
+communication with Yubico. Please make sure that the Netwrix Password Secure Server can connect to
+this endpoint.
+
+## Configuring multifactor authentication for users
+
+Multifactor authentication can be configured in the Netwrix Password Secure client. It can be done
+by the user themselves in **Backstage** in the [Account](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md)
+menu. In order to configure the Yubikey, simply select **Yubico OTP**.
+
+![setup second factor](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_6-en.webp)
+
+Now click in the field for the token and create a token using the Yubikey. For **Yubikey NEO**, you
+only need to touch the touch panel. The same applies to **Yubikey Nano**.
+
+![yubico stick](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp)
+
+The token is entered directly into the corresponding field. The multifactor authentication is
+configured once you’ve clicked on configure.
+
+![Configuration yubico](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_8-en.webp)
+
+## Logging in with the Yubikey
+
+To login with Multifactor Authentication, the database is first selected and then **User Name** and
+**Password** are entered and confirmed.
+
+After the first password authentication, another window for the **Yubico Key** is displayed.
+
+![Login yubico](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_10-en.webp)
+
+Click on the field to highlight it, and enter the **Yubico Key** by touching the Yubikeys.
+
+![yubico stick](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp)
+
+The user is now logged on.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md
new file mode 100644
index 0000000000..5b197a5b0f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md
@@ -0,0 +1,113 @@ +--- +title: "Organisational structure" +description: "Organisational structure" +sidebar_position: 40 +--- + +# Organisational structure + +## What are organisational structures? + +The storage of passwords or documents always takes place according to the defined organisational +structures. The module enables complex structures to be defined, which later form the basis for the +systematic storage of data. It is often possible to define them on the basis of already existing +organization diagrams for the company or department. It is also possible to use other criteria, such +as the function / activity performed, as the basis for creating hierarchies. It is always up to the +customer themselves to decide which structure is most useful for the purpose of the application. + +![Organizational structure modul](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_1-en.webp) + +## Relevant rights + +The following options are required for adding new organisational structures. + +### User rights + +- Can add new organisational units +- Display organisational structure module + +## Module-specific ribbon functions + +The operation of the ribbon differs fundamentally in a couple of aspects to how it works in other +modules. The following section will focus on only those elements of the ribbon that differ. The +remaining actions have already be explained for the password module. + +![create new user/organisational unit](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_2-en.webp) + +- **New organisational unit/user**: New organisational units or new users can be added via the + ribbon, the keyboard shortcut "CTRL + N" or also the context menu that is accessed using the right + mouse button. 
Due to its complexity, there is a separate section for this function: + [User management](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/user_management.md) +- **Drag & Drop**: If this option has been activated, it is possible to move users or organisational + units in list view via drag & drop +- **Permissions**: The configuration of permissions within the organisational structure is important + both for the administration of the structure and also as the basis for the permissions in + accordance with + [Inheritance from organisational structures](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md). + The benefits of + [Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md) are + explained in a separate section. +- **Settings**: The settings can be configured for both users and also organisational units. More + information on [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md)… +- **Active Directory**: The connection to Active Directory is explained in a dedicated section + [Active Directory link](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md) +- **Microsoft Entra ID**: The connection to Microsoft Entra ID is explained in a dedicated section +- **Multi Factor authentication**: Additional security during login is provided through positive + authentication based on another factor. More on this subject… +- **Reset password**: Administrators can reset the passwords with which users log in to Netwrix + Password Secure to a defined value. 
Naturally, this is only possible if the connection to Active + Directory is configured + via[End-to-end encryption](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/end-to-end_encryption.md). In the + alternative [Masterkey mode](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md), the + authentication is linked to the correct entry of the AD password. + +NOTE: To reset a user password, membership for the user is a prerequisite. + +The example below shows the configuration of a user where only the user themselves is a member. + +![permission for user](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_3-en.webp) + +This configuration means that the user password cannot be reset by administrators. The disadvantage +is that if the password is lost there is no technical solution for "resetting" the password in the +system. + +**CAUTION:** It is not recommended to configure the permissions so that only the user themselves has +membership. No other interventions can be made if the password is then lost. + +## Adding local organisational units + +Both users and also organisational units themselves can be added as usual via the ribbon +(alternatively via Ctrl + N or via the context menu). These processes are supported by various +wizards. 
The example below shows the creation of a new organisational unit: + +### Create organisational unit + +![Add new organisational unit](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_4-en.webp) + +- **Allocated organisational unit**: If the new object is defined as a **main organisational unit**, + it is not allocated to an existing organisational unit +- **Rights template group**: If an already existing organisational unit was selected under + "allocated organisational unit", you can select one of the existing rights template groups. + +NOTE: The organisational unit marked in list view will be used as a default. This applies to the +fields "allocated organisational unit" and also "rights template". + +### Create role + +![Create role](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_5-en.webp) + +When creating a new organisational unit, the second tab in the wizard enables you to directly create +a new role. This role will not only be created but also given "read permission" to the newly created +organisational unit. + +### Configuring rights + +![Configuring rights](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_6-en.webp) + +The third tab of the wizard allows you to define the permissions for the newly created +organisational unit. If an allocated organisational unit or a rights template group was defined in +the first tab, the new organisational unit will inherit its permissions. These permissions can be +adapted if desired. + +NOTE: The **organisational structure** module is based on the Web Application module of the same +name. Both modules have a different scope and design but are almost identical to use. 
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/_category_.json
new file mode 100644
index 0000000000..d844547bfe
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Permissions for organisational structures",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "permissions_for_organisational"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/inheriting_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/inheriting_permissions.md
new file mode 100644
index 0000000000..0d090cc864
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/inheriting_permissions.md
@@ -0,0 +1,38 @@
+---
+title: "Inheriting permissions"
+description: "Inheriting permissions"
+sidebar_position: 10
+---
+
+# Inheriting permissions
+
+## What is inherited in organisational structures?
+
+If you open the permissions for an organisational structure, the currently configured permissions
+will be visible. In the following example, there are a total of four roles with varying permissions
+for the organisational structure.
+
+![inheriting permission](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions_1-en.webp)
+
+## Relevant rights
+
+The following options are required to view "**inherit**" and "**overwrite**" icons.
+
+### User right
+
+- Can overwrite permissions
+- Can inherit permissions
+
+The two highlighted options are now available on the ribbon.
+
+- **Inherit**: This means that all of the configurations defined in the current permissions mask are
+ inherited by underlying organisational structures when it is saved. The permissions are added to
+ existing ones
+- **Overwrite**: This means that all of the configurations defined are applied to underlying
+ organisational structures when it is saved. The previous permissions are lost.
+
+Both mechanisms are protected by a confirmation prompt. If both "inherit" and also "overwrite" are
+selected, "overwrite" is considered the overriding function.
+
+**CAUTION:** Both mechanisms are not protected by user rights. The **authorize** right for the
+organisational structure is required to activate the inheritance or overwrite functions.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/permissions_for_organisational.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/permissions_for_organisational.md
new file mode 100644
index 0000000000..ff72a34ad7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/permissions_for_organisational.md 
@@ -0,0 +1,62 @@
+---
+title: "Permissions for organisational structures"
+description: "Permissions for organisational structures"
+sidebar_position: 20
+---
+
+# Permissions for organisational structures
+
+## Relevance
+
+These permissions primarily define which users/roles have what form of permissions for
+organisational structures. In addition, there are **two mechanisms** that directly build on the
+permissions for organisational structures.
+
+1. **Limiting visibility**: It was already explained in the section on
+ [Visibility](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md)
+ that selectively withholding information is a very effective
+ [Protective mechanisms](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/protective_mechanisms.md).
+ Configuration of the visibility is carried out directly when issuing permissions to
+ organisational structures.
+2. **Inheriting permissions for records**:
+ [Inheritance from organisational structures](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md)
+ is defined as a system standard. This means that there is no difference between the permissions
+ for an organisational structure and the permissions for data that is stored in these
+ organisational structures.
+
+The way in which permissions for organisational structures are designed thus effects the subsequent
+work with Netwrix Password Secure in many ways. The following diagram describes the above-mentioned
+interfaces.
+
+![Permissions for organizational structures](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_1-en.webp)
+
+## Permissions
+
+The visibility and also inheritance mechanisms are not considered below. This section exclusively
+deals with permissions for the actual organisational structure. It deals with which users and roles
+have what form of permissions for a given organisational structure. Permissions for organisational
+structures can be defined via the ribbon or also the context menu that is accessed using the right
+mouse button. A permissions tab appears:
+
+![Permissions for OU](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_2-en.webp)
+
+NOTE: The basic mechanisms for setting permissions is described in detail in the Authorization
+concept.
+
+**CAUTION:** It is important that the permissions displayed here are interpreted correctly! The
+example above shows the permissions for the "organisational structure IT".
+
+The user Max Muster possesses all rights to the organisational structure IT and can thus edit,
+delete and also grant permissions for this structure.
+
+## The add right
+
+The "add" right holds a special position amongst the available rights because it does not refer to
+the organisational unit itself but rather to data that will be created within it. In general, it is
+fair to say that to add objects in an organisational unit requires the add right. If a user wants to
+add a new record to an organisational unit, the user requires the above-mentioned right. In the
+example above, only the administrator has the required permissions for adding new records. Even the
+IT manager – who possess all other rights to the organisational structure "IT" – does not have the
+right to add records.
+
+**CAUTION:** The add right merely describes the right to create objects in an organisational unit.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/_category_.json
new file mode 100644
index 0000000000..a3d9a19b3d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Password Reset",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "password_reset"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/configuration_2.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/configuration_2.md
new file mode 100644
index 0000000000..c5ad12aed1
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/configuration_2.md
@@ -0,0 +1,69 @@ +--- +title: "Configuration" +description: "Configuration" +sidebar_position: 20 +--- + +# Configuration + +## Creating a Password Reset + +New Password Resets can be directly added via the ribbon or the keyboard shortcut "Ctrl + N" in the +Password Reset module. With regards to setting permissions, a Password Reset behaves in precisely +the same way as every other object. It is thus possible to precisely control which users can view +and use which Password Resets. + +## Configuration Guide + +The configuration of a new Password Reset comprises four steps. All of the necessary conditions and +variables for the configuration are defined in the following areas: "General", "Trigger", "Scripts" +and "Linked passwords". + +![configuration password reset](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_1-en.webp) + +### General + +- **Name**: Designation for the Password Reset +- **Responsible user**: All completed Password Resets are also recorded within Netwrix Password + Secure (logbook,…). To ensure these steps can be allocated to a user, a user who is registered in + Netwrix Password Secure is selected in the field "Responsible user". + +### Trigger + +Triggers describe the conditions that need to be fulfilled so that a Password Reset is carried out. +There are a total of three possible triggers available: + +- Reset the password x minutes after the password has been viewed +- Reset the password when it has not been changed for x days +- Reset the password when it has been expired for x days + +At least one trigger must be activated so that the Password Reset is activated. Deactivating all +triggers is equivalent to deactivating the Password Reset. All three triggers can be activated and +deactivated independently of one another. Only one selection can be made in each of the three +categories. 
+
+NOTE: A separate system task within Netwrix Password Secure checks every minute whether a trigger
+applies.
+
+### Scripts
+
+A new dialogue appears after the selection in which the type of system "to be reset2 can be defined.
+
+![new script password reset](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp)
+
+- **Script type**: You select here from the possible script types.
+- **Password**: The credentials for the record that will ultimately carry out the Password Reset.
+ The required information is specifically requested in each case. For example, if the reset is for
+ an MSSQL user, the MSSQL instance and the port used needs to be entered.
+
+The functions and configuration process are described in detail in the section Scripts.
+
+NOTE: It is not possible to create a Password Reset without an associated script.
+
+### Linked passwords
+
+All records that should be reset with the Password Reset according to the selected trigger are
+listed under “Linked passwords”. Multiple objects can be entered. The linked Password Reset is also
+visible in the footer of the reading pane once it has been successfully configured.
+
+![new script password reset](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/heartbeat.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/heartbeat.md
new file mode 100644
index 0000000000..bad456d35f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/heartbeat.md
@@ -0,0 +1,73 @@
+---
+title: "Heartbeat"
+description: "Heartbeat"
+sidebar_position: 50
+---
+
+# Heartbeat
+
+## What is the heartbeat?
+
+The heartbeat checks whether passwords in Netwrix Password Secure match the login data on the
+relevant systems. This process ensures that the passwords do not differ from one another.
+
+## Requirements
+
+The heartbeat is only available for passwords that are linked to a properly functioning Password
+Reset.
+
+### Supported script types
+
+The passwords for the following script types can be tested:
+
+- Windows user
+- MSSQL user
+- Active Directory users
+- Linux user
+
+Further information can be found in the section Scripts.
+
+## Testing using heartbeat
+
+The testing process using the heartbeat can be executed via various methods.
+
+## Testing via Password Reset
+
+The heartbeat is always carried out before the first resetting process using a Password Reset. After
+the script has run, the testing process is carried out again. Further information on this process
+can also be found in the section [Rollback](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/rollback.md).
+
+### Manual testing
+
+The heartbeat can be executed in the ribbon for the password module by clicking on **Check login
+data**. The currently marked password is always tested.
+
+### Automatic testing via the password settings
+
+It is also possible to configure the heartbeat to run cyclically. It can be configured either via
+the [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md) or directly in the
+[Password settings](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/password_settings.md).
+
+## Results of the tests
+
+The results of the test can be viewed in the **passwords module**.
+
+![result heartbeat](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_1-en.webp)
+
+The date when it was last executed can be seen at the top of the
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md). The success of the testing
+process is indicated alongside using a coloured icon. Further information can be displayed by moving
+the mouse over the icon.
+
+The icon has three different versions. These have the following meanings:
+
+The last test was successful. The password is correct The test could not be performed. For example,
+the password could not be reached. The last test was completed. However, the password is different
+to the one on the target system.
+
+## Filtering the results
+
+The filter can be configured using the filter group **Status of the login data** so that the tested
+records can be selected.
+
+![Filter heartbeat status](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_2-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/logbook_entries_under_password.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/logbook_entries_under_password.md
new file mode 100644
index 0000000000..6b9cc63df7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/logbook_entries_under_password.md
@@ -0,0 +1,44 @@
+---
+title: "Logbook entries under Password Reset"
+description: "Logbook entries under Password Reset"
+sidebar_position: 70
+---
+
+# Logbook entries under Password Reset
+
+Subsequently all possible logbook entries in connection with Password Reset are listed
+
+The password reset first checks with the first script (via the heartbeat) whether the password is
+correct:
+
+| Logbook Type | Logbook Record |
+| ------------------------------ | -------------- |
+| Login data valid | Container |
+| Login data invalid | Container |
+| Check errors during login data | Container |
+
+Afterwards all scripts of the password reset are executed one after the other and the following
+logbook entries are written:
+
+| Logbook type | Logbook record |
+| --------------------- | -------------- |
+| Execute | Password Reset |
+| Execute Rollback | Password Reset |
+| Execution Error | Password Reset |
+| Error during rollback | Password Reset |
+
+If an attempt was made to perform a rollback, but the rollback cannot be performed because the old
+password was incorrect before the reset, or the first script is of the type “user-defined”, the
+following logbook entry is written:
+
+| Logbook type | Logbook record |
+| --------------------- | -------------- |
+| Error during rollback | Password Reset |
+
+If a password reset has failed and an attempt is made to perform a rollback, the reset is blocked
+for one day and the following logbook entry is written: (It does not matter if the rollback worked
+or not)
+
+| Logbook type | Logbook record |
+| ---------------------- | -------------- |
+| Password Reset blocked | Password Reset |
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md
new file mode 100644
index 0000000000..c84a61949b
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md
@@ -0,0 +1,29 @@
+---
+title: "Password Reset"
+description: "Password Reset"
+sidebar_position: 90
+---
+
+# Password Reset
+
+## What is a Password Reset?
+
+The safest passwords are those that no one knows. A Password Reset enables passwords to be reset to
+a new and unknown value according to freely definable triggers. A trigger could be a definable time
+interval or a certain action by the user. **The value of the password is changed in both Netwrix
+Password Secure and also on the target system.**
+
+![Password reset diagram](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/password_reset_1-en.webp)
+
+This process will be explained below using a specific example. The password for the MSSQL user has
+expired. The Password Reset changes the password in Netwrix Password Secure and also in the target
+system to a new value.
+
+![Password reset process diagram](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/password_reset_2-en.webp)
+
+NOTE: If an error occurs during the execution of a password reset, the affected reset is blocked
+with all associated passwords. This is noted in the logbook with an entry "blocked".
+
+**CAUTION:** Due to the complexity of the process, it is strongly recommended that Password Reset is
+configured **in combination with certified partners**. The desired simplification of work processes
+using the above-mentioned automated functions is accompanied by numerous risks.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/requirements_1.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/requirements_1.md
new file mode 100644
index 0000000000..8d2e1ac0d6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/requirements_1.md
@@ -0,0 +1,23 @@
+---
+title: "Requirements"
+description: "Requirements"
+sidebar_position: 10
+---
+
+# Requirements
+
+## Relevant rights
+
+The following options are required for creating a Password Reset.
+
+### User rights
+
+- Can add new Password Resets
+- Display Password Reset module
+
+### Requirements for Password Resets
+
+- A password that has administrative rights to the relevant target computers must have been saved in
+ Netwrix Password Secure.
+- The Microsoft Remote Admin Tools must be saved on the target system.
+- The target system must be accessible via the network.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/rollback.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/rollback.md
new file mode 100644
index 0000000000..823b2016ae
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/rollback.md
@@ -0,0 +1,29 @@
+---
+title: "Rollback"
+description: "Rollback"
+sidebar_position: 60
+---
+
+# Rollback
+
+## What is a rollback?
+
+If an error occurs while running a script, a rollback is initiated. This ensures that the original
+password is restored.
+
+## When does a rollback run?
+
+The following diagram shows when and according to which criteria a rollback is initiated:
+
+![rollback run](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback_1-en.webp)
+
+## Procedure
+
+If a rollback needs to be run, all scripts for the Password Reset are executed once again. The last
+password in the history is used for this process. No new historical entry is created after the
+rollback.
+
+## Logbook
+
+The logbook can be used to see if a rollback has been run and if it was successful. After a
+rollback, the password should be checked once again as a precaution.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/scripts.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/scripts.md
new file mode 100644
index 0000000000..a1b706fffb
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/scripts.md
@@ -0,0 +1,82 @@
+---
+title: "Scripts"
+description: "Scripts"
+sidebar_position: 30
+---
+
+# Scripts
+
+## Available scripts
+
+The following scripts are supplied and can be directly used. In all scripts, a password is firstly
+selected in the upper section. This is not the password that will be reset on the target system.
+Instead, a user should be entered here that can complete the rest of the process on the target
+system. This password thus requires administrative rights to the target system.
+
+A delay can also be configured in every script. This may be necessary, for example, if a password is
+changed in AD and it is firstly distributed to other controllers.
+
+![new script](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_1-en.webp)
+
+## Active Directory Password Reset
+
+This script is responsible for changing passwords for Active Directory users (domain users). Access
+to Active Directory is configured here under **Hostname**.
+
+![Active Directory Password Reset](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_2-en.webp)
+
+## Service accounts
+
+This script changes the access data within a service. Both the user and also the password can be
+changed. The **host name** – i.e. the target computer – and the **service name** are saved here.
+
+![Service accounts scripts](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_3-en.webp)
+
+Please note that the **display name** for the **service** needs to be used.
+
+![display name service](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_4-en.webp)
+
+The access data in the associated password can be saved as follows:
+
+### Local user
+
+[Username] [Username] .[Username] [Computer][Username]
+
+### Active Directory user
+
+[Domain][Username]
+
+## Windows user
+
+This script can be used to reset the passwords for local Windows users. Only the **host name** needs
+to be saved here.
+
+![Windows user script](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_5-en.webp)
+
+## Linux user
+
+Linux users can also be reset in the same way as Windows users. It is also only necessary to enter
+the **host name** and the **port** here.
+
+![Linux user script](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_6-en.webp)
+
+## MSSQL user
+
+This script resets passwords for local MSSQL users. It is only necessary to enter the **MSSQL
+instance** and the **port**.
+
+![MSSQL user script](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_7-en.webp)
+
+The name of the MSSQL instance can be taken from the login window for the SQL Management Studio.
+
+![MSSQL user script](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_8-en.webp)
+
+If a domain user is being used to log in to the SQL server, the user needs to be managed via the
+script **Active Directory user**.
+
+## Planned task
+
+The passwords for users of Windows Task Scheduler can be changed using this script. The **host
+name** of the computer on which the task will run and the **name** of the task itself are entered.
+
+![planned task](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_9-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/user-defined_scripts.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/user-defined_scripts.md
new file mode 100644
index 0000000000..7726d669ff
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/user-defined_scripts.md
@@ -0,0 +1,79 @@
+---
+title: "User-defined scripts"
+description: "User-defined scripts"
+sidebar_position: 40
+---
+
+# User-defined scripts
+
+## Individual solutions using your own scripts
+
+If your requirements cannot be met using the [Scripts](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/scripts.md), it is also possible
+to create your own Powershell scripts. These scripts need to meet certain requirements to be used in
+Netwrix Password Secure.
+
+## Storage location, name and call
+
+The scripts must be saved in the following directory:
+`C:\ProgramData\MATESO\Password Safe and Repository Service\System\PowerShell`
+
+The scripts are saved in the **format.ps1**.
+
+## Structure of the scripts
+
+The PowerShell scripts must have the following structure:
+
+### RunScript function
+
+Netwrix Password Secure always calls the RunScript function.
+
+
+```
+function RunScript
+param (
+        [String]$HostName,
+        [String]$UserName,
+        [String]$NewPassword,
+        [String]$CredentialsUserName,
+        [Security.SecureString]$CredentialsPassword
+    )
+
+```
+
+The following standard parameters can be used here:
+
+- UserName: The user name for which the password should be changed
+- Password: The password that should be reset
+- CredentialsUserName: The user name of the user authorized to carry our the reset (e.g.
+ administrator)
+- CredentialsPassword: The password of the authorized user
+
+### Scriptblock
+
+The **scriptblock** can be used when the script should run in the context of another user. The
+actual change is then carried out in the **scriptblock**.
+
+It is important in this case that you provide Netwrix Password Secure with feedback about what has
+been changed via a **Write-Output**. The following example simply uses the outputs **true** or
+**false**. However, it is also conceivable that an error message or similar is output.
+
+
+```
+    $scriptBlock = {param ($UserName, $Password)
+    // Make changes to SAP
+    if($OK) {
+        Write-Output "true"
+    } else {
+        Write-Output "false"
+    }
+
+```
+
+Naturally, CredentialsUserName and CredentialsPassword can also be directly used in the script (i.e.
+without the **scriptblock**). You can view the supplied MSSQL script as an example.
+
+### Invoke
+
+A credential then still needs to be created. This is then transferred to the **scriptblock** using
+the **invoke** command. It is also important in this case to provide Netwrix Password Secure with
+feedback about all errors via **Write-Output** or **throw [System.Exception]**.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/_category_.json
new file mode 100644
index 0000000000..563e094d99
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Passwords",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "passwords"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/creating_new_passwords.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/creating_new_passwords.md
new file mode 100644
index 0000000000..66879a2767
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/creating_new_passwords.md
@@ -0,0 +1,87 @@
+---
+title: "Creating new passwords"
+description: "Creating new passwords"
+sidebar_position: 10
+---
+
+# Creating new passwords
+
+## What does creating new passwords/records mean?
+
+Saving a record/password stores information in the MSSQL database. This process is started in the
+Passwords module for the client. It is accessed either via the icon in the ribbon, using the
+keyboard shortcut "CTRL + N" or via the context menu that is accessed using the right mouse button
+in list view. The next step is to select a suitable form that will open in a modal window.
+
+## Requirements
+
+The following 2 user rights are required:
+
+- Can add new passwords
+- Display password module
+
+## Selecting a form
+
+When creating a new record, it is possible to select from all the forms for which the logged-in user
+has the required permissions. To make the selection process as easy as possible, a preview of the
+form fields included in the form is shown on the right hand side.
+
+![Select form](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_1-en.webp)
+
+In this example, you can see that the "Password" form marked on the left contains three form fields
+"Name", "User name" and "Password". Forms thus act as **templates** according to which their
+information is saved. (Management of the forms including issuing permissions and editing existing
+forms is covered in a separate section)
+
+## Entering data
+
+The window for creating a new record always open in a separate tab. As can be seen below, the
+corresponding form fields for the previously selected form can now be filled. Password fields
+deserve special mention here because they can be handled differently based on password rules. The
+record can be saved via the ribbon when all fields have been filled.
+
+![new record](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_2-en.webp)
+
+## Validity and tags
+
+Irrespective of the selected form, it is always possible to define the validity and tags for a
+record. Both values are optional.
+
+![Validity and tags](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_3-en.webp)
+
+- The **validity** defines an end date until which the record is valid. This information can be
+ evaluated e.g. in the logbook or in reports. It is thus possible to create a list of all expired
+ passwords for a user or an authorized entity. However, it is not possible to limit the usability
+ of expired passwords for security reasons.
+- **Tags** are freely definable properties of records that can be used as search criteria. This also
+ allows thematically linked information to be grouped together.
+
+## Setting permissions for new records
+
+In principle, there are various approaches for setting permissions for newly created records. All of
+them have already been described in the Authorization concept section. It is important to note here
+that **manual setting of permissions is only possible after saving** a record. Automatic permissions
+are set before the record is saved. In this context, the selection of the organisational structure
+and the permissions for a record are important aspects.
+
+![permissions new record](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_4-en.webp)
+
+- **Manual setting of permissions**: If you want to manually set permissions for the record, select
+ the organisational structure in which the record should be saved. After saving the record, the
+ permissions can be manually amended via the permissions tab in the ribbon. If you only want to
+ create a personal record for which no other user will receive permissions, simply select your own
+ organisational structure and conclude the process with "save" via the ribbon.
+
+NOTE: If any kind of automatic permissions have been activated for the selected OU, this will always
+be prioritized.
+
+**CAUTION:** Even when creating private records, inheritance of permissions based on the logged-in
+user can also be activated as an option. This option is described in a separate section.
+
+NOTE: The user right Allow sharing of personal passwords can be used to define that personal
+passwords cannot be released to other users.
+
+**Automatic setting of permissions**: Automatic setting of permissions is carried out before the
+record is saved. Irrespective of whether predefined rights or rights inheritance is being used, the
+configuration is always carried out in the organisational structure or permissions area. Saving the
+record thus completes the process for creating the password including the issuing of permissions.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/form_field_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/form_field_permissions.md
new file mode 100644
index 0000000000..9d246adca8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/form_field_permissions.md
@@ -0,0 +1,38 @@
+---
+title: "Form field permissions"
+description: "Form field permissions"
+sidebar_position: 40
+---
+
+# Form field permissions
+
+## What are form field permissions?
+
+The authorization concept allows separate permissions to be set for each object. These objects could
+be records, forms or users. Netwrix Password Secure goes one step further in this context. Every
+single form field for a record can also be granted with separate permissions. It is thus possible to
+grant different permissions for the password field of a record than are set for the other fields.
+
+## Relevant rights
+
+The following options are required to view "inherit" and "overwrite" icons.
+
+### User right
+
+- Can overwrite permissions
+- Can inherit permissions
+
+## Configuration
+
+The associated form field permissions for the marked record can be opened via the ribbon using the
+drop-down menu under "Permissions".
+
+![form field permissions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/form_field_permissions_1-en.webp)
+
+The window that opens allows you to select the relevant form field for which you want to grant
+permissions. The following example focuses on the password field.
+
+![permissions of password field](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/form_field_permissions_2-en.webp)
+
+The permissions configured here now exclusively apply to the password field. The other form fields
+remain unaffected.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/history.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/history.md
new file mode 100644
index 0000000000..2b897e9f10
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/history.md
@@ -0,0 +1,56 @@
+---
+title: "History"
+description: "History"
+sidebar_position: 60
+---
+
+# History
+
+## What is the history?
+
+Alongside saving passwords and keeping them safe, the ability to trace changes to records also has
+great relevance. The history maintains a seamless account of the versions for all form fields in a
+record. Every change to records is separately recorded, saved and can thus also be restored. In
+addition, it is always possible to compare historical values with the current version. The history
+is thus an indispensable component of every security concept.
+
+## The history in the reading pane
+
+The optional footer area can be used to already display the history when in the reading pane. All of
+the historical entries are listed and sorted in chronological order.
+
+![history in footer](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_1-en.webp)
+
+The different versions are displayed one below the other on the left. The info for each respective
+version can then be seen alongside on the right. A quick view can be displayed via the **History**
+in the ribbon or via a double click.
+
+![quick view history](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_2-en.webp)
+
+## Detailed history in the Extras
+
+The detailed history for the record marked in list view can be called up in the Start/Extras tab.
+
+![History](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_3-en.webp)
+
+The history for the marked record opens in a separate tab. In list view, all of the available
+versions with the date and time of their last change are sorted in chronological order.
+
+![history list view](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_4-en.webp)
+
+## Comparison of versions
+
+At least two versions need to be selected in order to carry out a comparison. In list view, mark the
+first version and then add another version via the “Add” button on the right of the reading pane to
+compare with the first one.
+
+![comparison of history versions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_5-en.webp)
+
+If deviations exist between the two versions, these will be highlighted in color.
+
+![difference between password history](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/history_6-en.webp)
+
+## Restoring versions
+
+A selected status can be restored via the ribbon. The current state is overwritten and added to the
+history
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/moving_passwords.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/moving_passwords.md
new file mode 100644
index 0000000000..345a9483b1
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/moving_passwords.md
@@ -0,0 +1,48 @@
+---
+title: "Moving passwords"
+description: "Moving passwords"
+sidebar_position: 30
+---
+
+# Moving passwords
+
+## What happens when records are moved?
+
+Data can be moved within Netwrix Password Secure to another organisational structure. This does not
+necessarily have to be linked to a change in permissions (the effects are described separately
+below). Moving records without changing the permissions mainly has effects on the filtering or
+search functions for records.
+
+## How do you move a record?
+
+The (marked) records are moved either via the ribbon or via the context menu that is accessed using
+the right mouse button.
+
+![moving password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/moving_passwords_1-en.webp)
+
+Multiple records can also be marked and moved. The selected permissions are then valid for all
+records in this case.
+
+### Required permissions
+
+No special user rights/settings are required in order to move records. The “move” right for the
+record is the only deciding factor.
+
+![required permissions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/moving_passwords_2-en.webp)
+
+## Effects on existing permissions
+
+![effects on existing permissions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/moving_passwords_3-en.webp)
+
+- **Retain permissions**: The permissions for the record are not changed by moving it and are
+ retained
+- **Overwrite permissions**: The permissions for the record are overwritten by the target OU
+- **Extend permissions**: The existing permissions are extended to include the permissions for the
+ target OU
+
+**CAUTION:** From a technical perspective, all rights will be removed from the record when
+overwriting the permissions. The permissions will then be applied to the record in accordance with
+the rights template or inheritance from organisational structures. It is important to note here that
+it is theoretically possible to remove your own rights to the record! The rights change will only be
+carried out if at least one user retains the right to issue permissions as a result. Otherwise, the
+rights change will be cancelled with a corresponding message.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/password_settings.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/password_settings.md
new file mode 100644
index 0000000000..bcb187aa92
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/password_settings.md
@@ -0,0 +1,33 @@
+---
+title: "Password settings"
+description: "Password settings"
+sidebar_position: 50
+---
+
+# Password settings
+
+## What are password settings?
+
+The password settings can be used to define a diverse range of options. These can be found in the
+ribbon in the subsection “Extras”. The settings open up in a new tab.
+
+![password settings](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/password_settings_1-en.webp)
+
+### Category: Browser
+
+- **Default browser**: This option can be used to define a default browser for every record
+ separately. You can select from all browsers that have been registered as a browser in Windows.
+
+### Category: SSO
+
+- **Browser Extensions**: **Exact domain check**: This setting defines whether the domain for
+ displaying the record should be subjected to an exact domain check or not. Further information on
+ this subject can be found under Add-ons.
+- **Browser Extensions**: Automatically fill login masks: This setting defines whether the login
+ masks are automatically filled when logging in via SSO. This is the case when the user is located
+ on a login page. If the record for this page has been saved, the login mask will be filled if this
+ option has been activated. Otherwise, this step needs to be carried out manually via the add-on.
+ If multiple records have been saved for this page, the user must complete this step manually via
+ the add-on in both cases.
+- **Browser Extensions**: Automatically send login masks: If this option has been activated, the
+ login button is automatically pressed after filling in the login information.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md
new file mode 100644
index 0000000000..205a7fddfa
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md
@@ -0,0 +1,115 @@
+---
+title: "Passwords"
+description: "Passwords"
+sidebar_position: 10
+---
+
+# Passwords
+
+## What are passwords?
+
+In Netwrix Password Secure v8, the data record with the passwords represents the central data
+object. The Passwords module provides administrators and users with central access to the passwords
+for the purpose of handling this sensitive data that requires protection. Search filters in
+combination with color-highlighted tags enable very focussed work. Various approaches can be used to
+help apply the desired permissions to objects. Furthermore, the ergonomic structure of the module
+helps all users to use Netwrix Password Secure in an efficient and targeted manner.
+
+![Password modul](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/passwords_1-en.webp)
+
+## Prerequisite
+
+The following user right is required for adding new passwords:
+
+- **Can add new passwords**
+
+## Module-specific ribbon functions
+
+The ribbon offers access to all possible actions relevant to the situation at all times. Especially
+within the "Passwords" module, the ribbon plays a key role due to the numerous module-specific
+functions. General information on the subject of the ribbon is available in the relevant section.
+The module-specific ribbon functions will be explained below.
+
+![ribbon functions](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/passwords_2-en.webp)
+
+### New
+
+- **New password**: New passwords can be added via this icon in the ribbon, via the context menu
+ that is accessed using the right mouse button and via the shortcut (Ctrl + N). The next step is to
+ select a suitable form.
+- **Open**: Opens the object marked in list view and provides further information about the record
+ in the reading pane.
+- **Delete**: Deletes the object marked in list view. A log file entry is created (see logbook).
+- **Reveal**: The function **Reveal** can be used for all records that have a password field. The
+ passwords in the reading pane will be revealed. In the example, the passwords have been revealed
+ and can be hidden again with the **Hide** button.
+
+![hide password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/passwords_3-en.webp)
+
+### Actions
+
+- **Notifications**: Defining notifications enables a constant flow of information about any type of
+ interaction. The issuing of notifications is carried out in the module designed for this purpose.
+- **Duplicate**: Duplicating creates an exact copy of the record in a new tab.
+- **Move**: Moves the record marked in list view to another organisational structure.
+- **Toggle** **Favorite**: The selected record is marked as a favorite. It is possible to switch
+ between all records and favorites at any time.
+- **Quick view**: A modal window opens for the selected record for 15 seconds and displays all
+ available information **including the value of the password**.
+- Notifications: A list of all configured notifications
+
+### Permissions
+
+- **Permissions**: The drop-down menu can be used to set both password permissions and also form
+ field permissions. This method only allows the manual setting of permissions for data (see
+
+ authorization concept)
+
+- **Password masking**: Masking passwords that need to be protected from unauthorized users is an
+ important feature of the security concept in Netwrix Password Secure.
+- **Seal**: The multi-eye principle in Netwrix Password Secure is covered in its own section. Seals.
+
+### Clipboard
+
+The clipboard is a key element in the ribbon. This only exists in the "Passwords" module. **Clicking
+on the desired form field for a record in the ribbon** will copy it to the clipboard.
+
+![Clipboard](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/passwords_4-en.webp)
+
+The message in the style of the "Balloon Tips" in Windows shows that the password has now been saved
+in the clipboard for 300 seconds. (Note: the time until the clipboard is cleared is 60 seconds by
+default. In the present case, this has been adjusted via the user settings.)
+
+### Start
+
+Conveniently working with passwords is only possible via the efficient usage of automated accesses
+via RDP, SSH, general Windows applications or websites. This makes it possible to dispense with
+(unsecure) entries via "copy & paste".
+
+- **Open web page**: If an URL is saved in the record, this menu option can be used to directly open
+ it.
+- **Applications**: If applications have been linked to records, they can be directly opened via the
+ "start menu".
+
+### Extras
+
+- **Create external link**: This option creates an external link for the record marked in list view.
+ A number of different options can be selected:
+
+![external link](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/passwords_5-en.webp)
+
+**CAUTION:** If several sessions are opened on a client, an external link is always called in the
+first session.
+
+- **History**: This icon opens the history for those records selected in list view in a new tab. Due
+ to the comprehensive recording of historical versions of passwords, it is now possible to compare
+ several versions with one another.
+- **Print**: This option can be used to open the print function.
+- **Export**: It is possible to export all the selected records and also the data defined by the
+ filter to a .csv file.
+- **Change form**: It is possible to change the form used for individual records. "Mapping" of the
+ previous form fields can be directly carried out in the process.
+- **Settings**: The password settings are described in a separate section.
+
+NOTE: The password module is based on the module of the same name in the Web Application. Both
+modules have a different scope and design. However, they are almost identical to use.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/recycle_bin.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/recycle_bin.md
new file mode 100644
index 0000000000..66989e5558
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/recycle_bin.md
@@ -0,0 +1,26 @@
+---
+title: "Recycle Bin"
+description: "Recycle Bin"
+sidebar_position: 70
+---
+
+# Recycle Bin
+
+This option allows you to view and permanently delete deleted passwords to which you are entitled.
+
+## Procedure for deleting passwords
+
+To put passwords into the recycle bin there are 2 possible procedures. Select the passwords you want
+to delete and click on **Move to bin (1)** or right-click on the passwords and select **Move to
+bin(2)**.
+
+![bin_2](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/bin_2.webp)
+
+You will then be asked if you actually want to perform this action.
+
+![bin_3](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/bin_3.webp)
+
+## Managing the Recycle Bin
+
+The management of the recycle bin can be found in chapter
+[Bin](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/trash.md).
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/revealing_passwords.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/revealing_passwords.md
new file mode 100644
index 0000000000..f9080a3f71
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/revealing_passwords.md
@@ -0,0 +1,68 @@
+---
+title: "Revealing passwords"
+description: "Revealing passwords"
+sidebar_position: 20
+---
+
+# Revealing passwords
+
+## What is involved in revealing passwords?
+
+Not all information is encrypted by the MSSQL database in Netwrix Password Secure for performance
+reasons. Only the password itself (=secret) is encrypted with the help of the used encryption
+algorithms and is then saved in the MSSQL database. As access to the MSSQL server is otherwise
+secured via access permissions, this process enables the **maximum possible working speed** with a
+**unchanged high level of security** through the use of **sophisticated**, **cryptographic
+methods**. Revealing passwords describes the mechanism by which a password is made visible to the
+user in the client. This process for dealing with passwords very precisely reflects the importance
+of data security in Netwrix Password Secure – and this process will thus be described in detail
+below.
+
+### Example case
+
+The record "Blogger" has been saved in the database and is visible to the logged-in user. It can
+thus be deduced that the user has at least a read right for the record. As can be gathered from the
+authorization concept, the user thus also generally has a read right to the password itself. This
+means the user can view the value of the password using the "reveal" function.
+
+![Show password](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/revealing_passwords_1-en.webp)
+
+## Revealing passwords – diagram
+
+In this context, it is important to note that the word "reveal" does not really accurately describe
+this process. It creates the **incorrect** impression that the client already has the password and
+only needs to reveal it. However, the processes running in the background until the password are
+revealed are much more complex and will thus be described below.
+
+![revealing password diagram](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/passwords/revealing_passwords_2-en.webp)
+
+### Saving the password on the server
+
+Even though you would assume the opposite, at the start a masked password (\*) is neither available
+on the client nor the server in plain text! The password is stored as part of the MSSQL database in
+a hybrid encrypted state via the two methods **AES 256** and **RSA**. Accordingly, it is not
+currently possible either on the server or the client to view the password. If you mark a record,
+the password is not available at all on the client and is encrypted on the server before it is
+revealed.
+
+### The encrypted password is requested
+
+Pressing the "reveal"- button triggers the process for requesting the password. A request is sent to
+the server to apply for the encrypted password to be released. The server itself does not possess
+the required key (private key) to decrypt the password. Therefore, it can only deliver the
+**encrypted value**.
+
+### Checking the permissions
+
+Whether the request sent in step 2 is approved is defined in the authorization concept. Once the
+request has been received, the server checks whether the user possess the required rights. It also
+checks the possible existence of other security mechanisms such as a seal or password masking. If
+the necessary requirements for releasing the password have been met, the server now sends the
+**encrypted password**. In the same step, a **log file entry** is saved that documents the user’s
+access to the password.
+
+### Decrypting the password on the client
+
+The user now has the encrypted password which has been delivered by the server. The user himself
+possesses the **private key** required for decrypting the password and can now view the actual
+password.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md
new file mode 100644
index 0000000000..903b67f780
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md
@@ -0,0 +1,79 @@
+---
+title: "Roles"
+description: "Roles"
+sidebar_position: 50
+---
+
+# Roles
+
+## What are roles?
+
+Each employee in a company is ultimately a member of a department and / or part of a particular
+function level. These departments or groups are mapped within Netwrix Password Secure using the role
+concept. The authorizations can be configured and inherited in a role-based manner. The **Roles
+module** should only be made available to administrators. Accordingly, it is recommended to limit
+the visibility of the role management. It is also possible to delegate the management of departments
+or separate areas completely to third parties via the role concept. The authorization concept
+ensures that users are only granted access to those roles to which they are entitled.
+
+![Roles module](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/roles/roles_1-en.webp)
+
+## Relevant rights
+
+The following options are required.
+
+### User right
+
+- Can add new roles
+- Display role module
+
+## Roles in focus
+
+The configuration of roles is the basis for the authorization concept. The permissions for data
+could also be set at a user level. However, the use of roles can dramatically reduce the
+administrative workload, and it helps to keep an overview. In addition to the authorizations for
+data, user rights are also mapped in the best case via roles.
+
+![Permissions meaning for Roles](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/roles/roles_2-en.webp)
+
+Roles are the central objects within Netwrix Password Secure. They form the indispensable bridge
+between users and authorizations of any kind.
+
+## Creating and granting permissions for new roles
+
+If you are in the **roles module**, the process for creating new roles is the same as for
+[Creating new passwords](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/creating_new_passwords.md). Roles can be created via the
+ribbon and also via the context menu that is accessed using the right mouse button.
+
+![creating new role](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/roles/roles_3-en.webp)
+
+## Planning phase
+
+Just like the [Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md),
+you should also familiarize yourself with the intended role concepts. The mapping of structures
+present in a company is the starting point for the success of Netwrix Password Secure. You should
+design the roles in Netwrix Password Secure only once a detailed design has been drawn up, and all
+the requirements of all project participants have been met.
+
+## Why are there no groups?
+
+Netwrix Password Secure enforces the avoidance of unnecessary structures through the role concept. A
+group-in-group nesting is not supported – and is not necessary at all. The resultant increase in
+performance as well as increased overview promotes efficiency and effectiveness. The elegant
+interplay of organisational structures, roles, and granular filter options can cover all
+customer-specific scenarios.
+
+NOTE: This architecture makes nesting of roles obsolete.
+
+## Overview of members for a role
+
+As well as being able to view the **members** in the permissions dialogue, a list of all members for
+a role is already made available in the
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md). All of the other users with
+permissions but without membership of the role are not taken into account.
+
+![role overview](/images/passwordsecure/9.2/configuration/advanced_view/clientmodule/roles/roles_4-en.webp)
+
+NOTE: The roles module is based on the
+[Roles module](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/roles_module.md) of the Web
+Application. Both modules have a different scope and design but are almost identical to use.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/_category_.json
new file mode 100644
index 0000000000..4230fa2e53
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Main menu",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "main_menu_fc"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md
new file mode 100644
index 0000000000..cbd4dd26ae
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md
@@ -0,0 +1,89 @@
+---
+title: "Account"
+description: "Account"
+sidebar_position: 20
+---
+
+# Account
+
+## What is an account?
+
+Users can configure all user-specific information in their account. It should be noted that if the
+[Masterkey mode](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md)
+process is used, user data will always be taken from Active Directory – editing this information in
+Netwrix Password Secure is thus not possible.
+
+![account](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/account/installation_with_parameters_123-ewn.webp)
+
+## Edit profile
+
+All of the information in the contact and address sections can be defined under “Edit profile”. Some
+areas of the profile overlap with the **management of users.** This information is explained in
+[Managing users](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/managingusers/managing_users.md).
+
+NOTE: No changes can be made to users that were imported from AD using Master Key mode. In this
+case, all information will be imported from AD.
+
+#### Editing user image
+
+A new image can be added or the existing one replaced or deleted by clicking on the profile image.
+
+NOTE: No changes can be made to users that were imported from AD with the aid of Master Key mode. If
+an image has been saved in AD, it will be used here.
+
+#### Change password
+
+It is recommended that the user password is changed on a regular basis. If you want to use a new
+password, it is necessary to enter the existing password in advance. The strength of the password
+will be directly displayed.
+
+NOTE: Users who were imported from AD with the aid of Master Key mode log in with the domain
+password. Therefore, no password can be configured in this case.
+
+NOTE: The strength of the user password can be stipulated by administration through the issuing of
+password rules.
+
+NOTE: If a user changes his or her password, all sessions that are still open are automatically
+terminated.
+
+#### Multifactor authentication
+
+Multifactor authentication provides additional protection through a second login authentication
+using a hardware token. The configuration is carried out via the ribbon in the “Security” section.
+See also in
+[Multifactor authentication](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/multifactorauthentication/multifactor_authentication.md)
+
+![installation_with_parameters_124](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/account/installation_with_parameters_124.webp)
+
+#### Configure autologin
+
+This option can be used to automate the login to Netwrix Password Secure. For setup, just enter the
+password twice and save it.
+
+The autologin is linked to the hardware and thus will not work on a different computer. If you
+change the hardware or the hardware ID, an existing autologin needs to be recreated.
+
+#### Relevant right
+
+Option to manage the autologin
+
+User right
+
+- Can manage autologin
+
+**CAUTION:** The automatic login should be handled as a process critical to security. It is
+important to note that all data can be accessed, for example, if you forget to lock the computer.
+
+NOTE: For security reasons, the autologin is only valid for 180 days and then needs to be
+subsequently renewed.
+
+#### Reset settings
+
+Clicking on this button resets all user-specific settings such as the column width, colour scheme,
+etc. to the default values.
+
+#### Start offline synchronization
+
+If you have made changes to the database and do not want to wait for the next automatic
+synchronization, an offline synchronization can also be started manually. The synchronization runs
+in the background and is indicated by a status bar in the footer as well as by the icon. More…
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/administration.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/administration.md
new file mode 100644
index 0000000000..07d7869388
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/administration.md
@@ -0,0 +1,44 @@
+---
+title: "Administration"
+description: "Administration"
+sidebar_position: 60
+---
+
+# Administration
+
+## Sessions
+
+Via the menu item **Sessions**, all users connected to the database can be displayed. This page is
+purely informative in character and thus no configurations can be made here.
+
+![installation_with_parameters_120](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/administration/installation_with_parameters_120.webp)
+
+The session view starts in the currently active module in a separate tab.
+
+#### Locked users
+
+All currently locked users can also be retrieved. There are two scenarios here:
+
+1. User name correct, password incorrect: The user name is displayed
+2. User name incorrect: The client is displayed
+
+In addition, the number of attempted logins and the length of time that the user was locked in each
+case can be seen.
+
+![installation_with_parameters_121](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/administration/installation_with_parameters_121.webp)
+
+#### Default password rules
+
+Password rules can be defined for both user passwords and also for WebViewer exports that then need
+to be fulfilled. In the following example, a user password must correspond to the “default password”
+rule in order to be valid
+
+![Standard password rule](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/administration/installation_with_parameters_122-en_677x129.webp)
+
+#### Relevant right
+
+There is a separate option for defining the password rules for named passwords.
+
+**User right**
+
+- Can configure standard password rules
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/_category_.json
new file mode 100644
index 0000000000..badb938bf9
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Export",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "export"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export.md
new file mode 100644
index 0000000000..4b64cbaac9
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export.md
@@ -0,0 +1,56 @@
+---
+title: "Export"
+description: "Export"
+sidebar_position: 80
+---
+
+# Export
+
+## What is an export?
+
+An export is used for extracting the data saved in the MSSQL database. Both selective (manual) and
+automated [System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md) can extract information from
+Netwrix Password Secure in this manner.
+
+**CAUTION:** Please note that extracting passwords is always associated with a weakening of the
+security concept. The informative value of the logbook will suffer when data is exported because the
+revision of this data will no longer be logged. This aspect needs to be taken into account
+particularly in conjunction with the Netwrix Password Secure
+[Export wizard](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export_wizard.md) because the export result is not separately secured
+by a password.
+
+The export function is accessed via the Main menu/Export. There are two fundamental types of export
+– the WebViewer export and the export wizard. However, the latter is divided into four
+subcategories.
+
+![installation_with_parameters_63](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/installation_with_parameters_63.webp)
+
+The [HTML WebViewer export](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md) creates a HTML file
+protected by a password. In contrast, the export wizard creates an open and unprotected .csv file.
+
+## Requirements
+
+Permissions are used to define whether a record can be exported or not. Various protective
+mechanisms can be applied. Restrictions can be placed on either the record itself and also via user
+rights
+
+- **The permissions for the record:** The permissions for the record define whether a record can be
+ exported
+
+![Export in the ribbon](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/installation_with_parameters_64-en.webp)
+
+In this example, the marked role IT employee does not have the required permissions to export the
+record. In contrast, the IT manager does have the required permissions. In addition, the
+administrator possesses all rights, including the right to export.
+
+#### Relevant right
+
+The following option is required.
+
+User right
+
+- Can export
+
+NOTE: If a record is exported, this user right and also the corresponding permissions for the record
+must be set. The user right defines whether a user can generally export data, while the permissions
+for the record define which records can be exported.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export_wizard.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export_wizard.md
new file mode 100644
index 0000000000..3da7f42246
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export_wizard.md
@@ -0,0 +1,58 @@
+---
+title: "Export wizard"
+description: "Export wizard"
+sidebar_position: 20
+---
+
+# Export wizard
+
+## What export wizards are there?
+
+There are a total of four different export wizards.
+
+![installation_with_parameters_74_548x283](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_74_548x283.webp)
+
+The functionality of these wizards only differs based on the data to be exported. A distinction is
+made between passwords, organisational structures, forms and applications. **As all four wizards are
+handled in the same way, the following section will only describe the password export wizard.** The
+remaining three wizards function in the same way.
+
+## What is the password export wizard?
+
+This wizard allows records to be exported in standard.csv format. In contrast to the
+[HTML WebViewer export](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md), the resulting file is
+not protected by a password. It goes without saying that this feature must be used carefully.
+
+## Starting the password export wizard
+
+The export wizard can be accessed in a variety of different ways:
+
+- **Starting via Main menu/Extras:** If the wizard is opened, the export will include all passwords
+ for which the registered user has the required permissions. If the user is an administrator with
+ permissions for all records, the export will include all passwords in the database.
+- **Starting via the ribbon:** The export can also be started via the
+ [Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md) in the
+ [Passwords](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md) module.
+
+![Export ribbon](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_75-en.webp)
+
+The password export wizard can be started via the ribbon in two ways. **Selected passwords** exports
+only those passwords marked in list view, whereby **Passwords based on the filter** uses the
+currently defined filter settings as the criteria.
+
+The wizard
+
+A diverse range of variables for the export and the storage location can be defined in the wizard. A
+corresponding preview is also provided.
+
+![installation_with_parameters_76](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_76.webp)
+
+Once the wizard has been completed, the desired export is created and saved to the defined storage
+location.
+
+**CAUTION:** It is important to once again point out the sensitive nature of this export function
+that could have critical consequences from a security perspective. As the required permissions for
+this export are generally only granted to users/roles with higher positions in the hierarchy, this
+subject is even more relevant from a security perspective: It is possible to export all passwords
+for which a user has the required permissions. Administrators could thus (intentionally or
+unintentionally) cause more damage per se.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md
new file mode 100644
index 0000000000..1c56da98c4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/html_webviewer_export.md
@@ -0,0 +1,131 @@
+---
+title: "HTML WebViewer export"
+description: "HTML WebViewer export"
+sidebar_position: 10
+---
+
+# HTML WebViewer export
+
+## What is a HTML WebViewer export?
+
+The **WebViewer** is an option inNetwrix Password Secure for exporting passwords in an encrypted
+**HTML file**. The records are selected using the
+[Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md) function. The passwords for which the user
+has the corresponding permissions are exported. They are displayed in a current browse that has
+**JavaScript activated**.
+
+## Data security
+
+- Naturally, the HTML WebViewer file is **encrypted**
+- The export of the file is protected using a corresponding
+ [User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md)
+- The user requires the **export right** for the passwords
+
+## Required rights
+
+The **export right for the WebViewer** is configured via the **user rights**:
+
+User right
+
+- Can export HTML WebViewer
+
+The **export right** for the password is configured as normal via the ribbon:
+
+![installation_with_parameters_65](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_65.webp)
+
+## Exporting a HTML file
+
+The **HTML file** is created on the user\*s client and started in the **Main menu** under **Export
+WebViewer**.
+
+![installation_with_parameters_66](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_66.webp)
+
+The **HTML WebViewer Wizard** carries out the \* WebViewer export\*.
+
+###### Create WebViewer
+
+General information and notes about the export are displayed under **Create WebViewer**.
+
+###### Settings
+
+General information such as the **Name** and **Export path** for the **HTML file** can be entered
+here.
+
+**File name**: Freely selectable name
+
+**Export path:** Storage location for the file on the client
+
+**Time until logout**: Time in seconds for which the window remains open without any activity
+
+**Standard value:** 60 seconds, user can define the time
+
+Export **WebViewer** with **user password** or new freely **definable password**: You can decide
+here whether to issue a new password for the export.
+
+![installation_with_parameters_67](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_67.webp)
+
+- WebViewer export with an Active Directory user
+
+If an **Active Directory user** is carrying out the **WebViewer** export, a **password** needs to be
+explicitly entered.
+
+![installation_with_parameters_68](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_68.webp)
+
+###### Export filter
+
+The export filter works in the same way as the filters for the modules.
+
+![installation_with_parameters_69](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_69.webp)
+
+#### Finish
+
+The information about the exported passwords is displayed in the **Finish** ribbon. Clicking on the
+**Finish**
+
+button will then create the **HTML** **file** in the export path and close the window.
+
+![installation_with_parameters_70](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_70.webp)
+
+A subsequent note provides you with information about the export process.
+
+![installation_with_parameters_71](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_71.webp)
+
+## Using the HTML WebViewer file
+
+The **HTML file** is created in the export path and can be copied to a mobile data medium (USB
+stick, external HDD, …). The **HTML file** can be opened in a standard browser and displays the
+**Netwrix Password Secure – HTML WebViewer / Login** when started. The **database** and the **user
+name** are predefined. The user \*password is used for the login.
+
+**CAUTION:** The login mask is blocked for a period of time if the password is incorrectly entered!
+
+1. Database: Predefined
+2. User: Predefined
+3. Password: Entered by the user
+
+![Login HTML WebViewer](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_72-en.webp)
+
+###### Overview
+
+After logging in to Netwrix Password Secure, the overview page for the \*HTML- WebViewer \* with the
+passwords is displayed.
+
+NOTE: Use the password search function in the event of more than 20 passwords!
+
+1. Displayoftherecords(max.20)
+2. Detailedinformationontheselectedrecord
+3. Search,logout,timeout
+4. Copytoclipboard
+5. Reveal
+
+![Entry in HTML WebViewer](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_73-en.webp)
+
+#### Closing the HTML WebViewer overview
+
+You can log out by clicking on **Logout**. In the event of a longer period of inactivity, the user
+will be **automatically logged out after a set period of time has expired (time until logout).**
+
+NOTE: You have been logged out due to inactivity.
+
+The browser will then show the **Netwrix Password Secure– HTML WebViewer / Login** again and also
+the reason for being logged out. It is possible to log in again.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/_category_.json
new file mode 100644
index 0000000000..e42f1173a8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Extras",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "extras"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md
new file mode 100644
index 0000000000..9f19ee94e9
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md
@@ -0,0 +1,23 @@
+---
+title: "Extras"
+description: "Extras"
+sidebar_position: 10
+---
+
+# Extras
+
+## What are Extras?
+
+Netwrix Password Secure provides a diverse range of supporting features that do not directly provide
+added value but mostly build on existing approaches and expand their functionalities. They are
+work-saving features that in total simplify the process of working with Netwrix Password Secure.
+
+![installation_with_parameters_77_517x414](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/installation_with_parameters_77_517x414.webp)
+
+- [Password rules](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md)
+- [Password generator](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_generator.md)
+- [Reports](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/reports.md)
+- [System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md)
+- [Seal templates](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md)
+- [Tag manager](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/tag_manager.md)
+- [Image management](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/image_manager.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/image_manager.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/image_manager.md
new file mode 100644
index 0000000000..9489f1950e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/image_manager.md
@@ -0,0 +1,75 @@
+---
+title: "Image management"
+description: "Image management"
+sidebar_position: 70
+---
+
+# Image management
+
+## What is image management?
+
+All logos and icons are managed in the image management. They can then be linked to the
+corresponding data records. The images are then displayed in the Basic view as well as in the list
+view of the client.
+
+![Icon/logos in NPS](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_106-en.webp)
+
+## Relevant rights
+
+The following options are required:
+
+- Can upload new password images
+- Can manage password images
+
+NOTE: It is important that the setting “Ask for Favicon-Download “ is only considered, if the right
+“Can upload new password images “ has been activated!
+
+#### Managing Icons/Logos
+
+There are two ways to upload icons.
+
+1. By creating or saving the dataset.
+
+In order to import favicons directly when saving the data set, the following preconditions must be
+met:
+
+- Setting “Ask Favicon-Download “ is activated.
+- A URL is stored in the data record.
+
+If these preconditions are met, the stored URL is checked for the favicon when saving the data
+record. If a favicon is found, it will be imported into the database and displayed in the data
+record in future.
+
+NOTE: If there are several deposited, always use the first one.
+
+2. Manual filing
+
+In the main menu in [Extras](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md) you can find the image management. Here, you have the
+possibility to store icons and logos manually.
+
+![Image management](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_107-en.webp)
+
+Click on the + symbol to open the mask for creating images.
+
+![add image](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_108-en.webp)
+
+- **Name** Name the picture here.
+
+- **Search** **value** The following priority must be observed:
+
+ - **Passwords**: first URL in the password (if several URLs are stored) -> attached tags ->
+ password name -> names of connected applications
+ - **Applications**: URL stored in the application -> attached tags -> application name
+
+- ![icon_open_folder](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/image_management/icon_open_folder.webp)
+ This symbol can be used to upload locally saved icons and logos.
+
+NOTE: Please note that the icons and logos are not stored locally, but in the database.
+
+## Conditions
+
+The following conditions must be met for icons/logos to be uploaded and saved accordingly:
+
+- The maximum size of an image file is 100 MB.
+- Supported formats are png, jpg, bmp, ico, .svg
+- Several search values can be separated by a comma (“Netflix.de, Netflix.com”).
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_generator.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_generator.md
new file mode 100644
index 0000000000..6388c732b4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_generator.md
@@ -0,0 +1,68 @@
+---
+title: "Password generator"
+description: "Password generator"
+sidebar_position: 20
+---
+
+# Password generator
+
+## What is the password generator?
+
+The complexity of passwords is generally determined by their randomness. In order to be able to rely
+100% on the fact that the passwords are randomly generated, an algorithm for generating passwords is
+indispensable. The password generator performs this function and is completely integrated into the
+software.
+
+![installation_with_parameters_82](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_82.webp)
+
+## Opening the password generator
+
+The password generator can be opened in different ways:
+
+- **Main menu/Extras/Password generator:** Here, the password generator is accessed directly.
+ Passwords generated in the password generator can be copied to the clipboard.
+
+![Password generator](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_83-en.webp)
+
+- **When creating new records:** Once the password field has been selected in the reading pane, the
+ password generator can then be directly opened in the “Form field” tab via the ribbon. Passwords
+ generated here can be directly entered into the password field for the new record using the
+ “Adopt” button. Alternatively: The password generator can also be accessed on the right in the
+ password field in the reading pane.
+
+## Functionality
+
+The Character section is used to define the character groups that should form part of the password.
+This section can also be used to exclude (special) characters. Once the password length has been
+defined, a preview of a password that corresponds to the configured criteria is displayed on the
+bottom edge of the password generator. The “shuffle function” can be activated via the icon on the
+right next to the password preview. This will generate a new password in accordance with the defined
+criteria.
+
+#### Phonetic passwords
+
+This type of password can be recognised by the fact that it is relatively easy to remember (they are
+“readable”) but do not have any association to terms found in dictionaries. Only the number of
+syllables
+
+and the total length are defined in this case. Options that can be set are how the syllables are
+separated and whether to use LeetSpeak.
+
+![installation_with_parameters_84](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_84.webp)
+
+Password rule
+
+Already defined[Password rules](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md) can be utilised for the
+automatic generation of new passwords
+
+## Multigenerator
+
+The multigenerator makes it possible to automatically generate up to 200 passwords. The convention
+used for generating these passwords is always the previously defined default. This could be:
+
+- User defined
+- Phonetic passwords
+- Password rules
+
+The generated passwords are saved in a text file in the local user directory and can be opened
+immediately if desired.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md
new file mode 100644
index 0000000000..0af1b5fa65
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md
@@ -0,0 +1,82 @@
+---
+title: "Password rules"
+description: "Password rules"
+sidebar_position: 10
+---
+
+# Password rules
+
+## What are password rules?
+
+It is generally recommended that passwords should consist of at least 12 different characters, be
+complex and be automatically created. Rules set guidelines that can be made binding for users –
+meaning that the use of passwords with a certain level of complexity is enforced. Existing rules can
+also be reused in other areas.
+
+![Password rules](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_97-en.webp)
+
+## Relevant right
+
+The following option is required to manage password rules.
+
+User right
+
+- Can manage password rules
+
+## Managing password rules
+
+If “Password rules” is selected under Main menu/Extras, the available password rules will appear in
+a separate tab in the currently active module.
+
+![installation_with_parameters_98](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_98.webp)
+
+In this screenshot, a total of 3 password rules are shown. As the rule “Very secure password” has
+been selected in [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md), the
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md) on the right displays the
+configuration for this rule:
+
+- **General:** The Password length of 25 is the minimum number of characters that a password needs
+ to contain according to this rule. The required Password quality is an internal measure of
+ security, which is calculated for this rule. This value always lies between 1 (very unsecure) and
+ 100 (maximum security).
+- **Categories:** A password can consist of a total of four categories. It is possible to define
+ which of these categories to use and also how many of them to use.
+- **Forbidden characters**: It is also possible to exclude some special characters. These characters
+ need to be entered in the list without separators.
+- **Forbidden passwords:** Some passwords and the user name can also be added to the list of
+ forbidden passwords
+- **Preview rules:** When new rules are created, an example password is generated that conforms to
+ the configured rules. This is only the case for passwords with a minimum length of 3 characters!
+
+## Using password rules
+
+Once password rules have been defined, they can be productively used in two different ways:
+
+- Use within the [Password generator](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_generator.md)
+- Default for the password field in a form:
+
+When a password field is defined in a form, one of the defined password rules can be set as the
+default. This means that the default will always be used when a new password is created. In this
+way, it is possible to ensure that the required level of complexity is maintained for certain
+passwords.
+
+![installation_with_parameters_99](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_99.webp)
+
+If one of these password rules is defined for a form, it is only possible to define a new random
+value for the password if a new password is created. The icon on the right hand side of the password
+field is used for this purpose.
+
+![installation_with_parameters_100](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_100.webp)
+
+## Defining standard rules for user passwords
+
+If Master Key mode is not being used, users can change their passwords in Netwrix Password Secure.
+The administrator can define the password strength required for these passwords by using standard
+password rules.
+
+## Visibility
+
+The password rules themselves are not subject to any permissions. All defined rules are therefore
+available to all users. The rules are managed from the Main menu.
+
+NOTE: Users can only manage the rules if they have the appropriate user right
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/reports.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/reports.md
new file mode 100644
index 0000000000..e2ba5eac4d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/reports.md
@@ -0,0 +1,57 @@
+---
+title: "Reports"
+description: "Reports"
+sidebar_position: 30
+---
+
+# Reports
+
+## What are reports?
+
+Comprehensive reporting is an important component of the ongoing monitoring of processes in Netwrix
+Password Secure. Similar to selectively configurable
+[Notifications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md), reports also contain
+information that can be selectively defined. The difference is mainly the trigger. Notifications are
+linked to an event, which acts as the trigger for the notification. In contrast, reports enable
+tabular lists of freely definable actions to be produced at any selected time – the trigger is thus
+the creation of a report. This process can also be automated via
+[System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md).
+
+![reports](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_78-en.webp)
+
+NOTE: Reports only ever contain information for which the user has the required permissions.
+
+A separate tab for managing existing reports and creating new reports can be opened in the current
+module via the Main menu/Extras/Reports. The module in which the report is opened is irrelevant, the
+contents are always the same.
+
+![installation_with_parameters_79](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_79.webp)
+
+The filter on the left has no relevance in relation to reports. Although reports can also be
+“tagged” in theory, filtering has no effect on the reports. In
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md), there are currently three
+configured report requests shown.
+
+#### Creating a report request
+
+New report requests can be created in list view via the ribbon or also the context menu that is
+accessed using the right mouse button. The form for creating a new report request again opens in a
+separate tab. Alongside a diverse range of variables, the report type can be defined using a
+drop-down list. There are currently dozens of report types available.
+
+![installation_with_parameters_80](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_80.webp)
+
+The filter can be used to define the scope of the report e.g. to focus on a certain OU or simply a
+selection of tags. Once saved, the report will now be shown in the list of report requests.
+
+###### Manually create reports
+
+You can now create a manual report via the ribbon. This will open in a separate tab and can be
+displayed in the default web browser if desired.
+
+![installation_with_parameters_81](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_81.webp)
+
+Automated sending of reports via system tasks
+
+In general, reports are not manually created but are automatically sent to defined recipients. This
+is apossible via system tasks, which can run processes of this nature at set times.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md
new file mode 100644
index 0000000000..d2755fbdfc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md
@@ -0,0 +1,34 @@
+---
+title: "Seal templates"
+description: "Seal templates"
+sidebar_position: 50
+---
+
+# Seal templates
+
+## What are the seal templates?
+
+The configuration of
+[Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md) must be
+well-thought-out and error-free. It is absolutely essential to save the once-invested effort in the
+form of seal templates. The automation of ever-recurring tasks will, in this context, extremely
+speed up the timing of the work. Once defined, templates can be attached to data records in a few
+simple steps. The adaptation of already created stencils is presented in the seal templates as clear
+and very fast.
+
+![Seal templates](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_101-en.webp)
+
+NOTE: A separate tab opens in the active module in order to edit the default templates
+
+## Creating templates
+
+**CAUTION:** The right Can manage seal templates is required
+
+When creating seals, the seal can be saved as a template using the wizard. All templates saved in
+this way are listed in the overview of the seal templates. Furthermore, it is possible to edit
+existing templates directly or create new ones via the button in the ribbon. This is done in the
+same way as the seal assistant.
+
+![installation_with_parameters_102](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_102.webp)
+
+Once templates have been added, they can be immediately used for the creation of new seals.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/_category_.json
new file mode 100644
index 0000000000..2c51c5c2d4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "System tasks",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "system_tasks"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/emergency_webviewer.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/emergency_webviewer.md
new file mode 100644
index 0000000000..d267ef7c4b
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/emergency_webviewer.md
@@ -0,0 +1,165 @@
+---
+title: "EmergencyWebViewer"
+description: "EmergencyWebViewer"
+sidebar_position: 10
+---
+
+# EmergencyWebViewer
+
+## What is an Emergency WebViewer export?
+
+Safeguarding data is essential and this should be carried out using
+[Backup management](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md).
+However, a backup is not sufficient in some cases e.g. if a backup cannot be directly restored due
+to a hardware problem. In these cases, **Netwrix Password Secure** offers the backup feature
+**Emergency WebViewer Export**.
+
+The **Emergency WebViewer Export** is based on an encrypted **HTML file** which can be decrypted
+using a corresponding **key**. Both files are required to view the passwords in a browser and form
+the core system of the backup mechanism.
+
+## Creation of the file and key
+
+The **Emergency WebViewer Export** is created in Netwrix Password Secure as a
+**[System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md)** and this task can be used to guarantee a regular backup of
+the records (passwords) by entering an interval. When setting up the system task, the user thus
+defines the cycle at which the **Emergency WebViewer.html file** is created on the Server Manager.
+The existing file is overwritten in each case by the latest version at the defined interval. The
+associated key is only created once at the beginning and needs to be saved. The current version of
+the **HTML file** can only be decrypted using this **key**.
+
+**CAUTION:** The key (PrivateKey.prvkey) and the file (Emergency WebViewer.html) must be saved onto
+a secure medium (USB stick, HDD, CD/DVD, …) and kept in a secure location!
+
+## Data security
+
+• Naturally, the HTML WebViewer file is encrypted
+
+• The export of the file is protected using a corresponding
+[User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md)
+
+• The file can only be encrypted using the **PrivateKey.prvkey** file
+
+**CAUTION:** The export right for the passwords is not required for the Emergency WebViewer Export!
+
+## Required rights
+
+The user requires the following right to create a **Emergency WebViewer Export system task:**
+
+![installation_with_parameters_89](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_89.webp)
+
+## Emergency WebViewer.html and PrivateKey.prvkey
+
+The **Emergency WebViewer Export** creates two associated files.
+
+1. The file **Emergency WebViewer.html** is created on the computer executing the task
+2. The associated key **PrivateKey.prvkey** is created on the client.
+
+## Calling up the Emergency WebViewer Export
+
+The Emergency WebViewer Export is set up as a **system task**. It can be called up in the main menu
+under **Extras -> System Tasks**.
+
+![installation_with_parameters_90_831x487](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_90_831x487.webp)
+
+## Creating a Emergency WebViewer Export file
+
+Clicking on New opens a new window and the **Emergency WebViewer Export** can be selected. The
+**configuration page** is then displayed.
+ +![installation_with_parameters_91_578x390](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_91_578x390.webp) + +It is not possible to use the **Emergency WebViewer Export** with an **Active Directory user.** + +![installation_with_parameters_92_467x103](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_92_467x103.webp) + +## Configuration page for the Emergency WebViewer Export task + +A new tab is displayed: **New emergency HTML WebViewer export task** This now needs to be configured +in accordance with the requirements. + +![new emergend HTML](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_93-en_925x527.webp) + +1. **General** Name: Enter a unique name Description: Enter additional information + Status: Execution: \*Activated\*/Deactivated +2. **Overview** Last run: Information display Next run: Information display +3. **Task settings** Folder path: Enter from the perspective of the server + Private key: needs to be saved +4. **Interval** Setting for when the system task is executed +5. **Executing server (optional)** Address (IP) of the additional server +6. **Tags** Freely definable characteristics of records + +**CAUTION:** The private key for the Emergency WebViewer must be saved before the system task can be +saved! + +## Displaying the Emergency WebViewer Export tasks + +Once the configuration has been completed, the **system task** is displayed in the current module in +the + +**System Tasks** tab. 
The user has the option of checking the data here + +![installation_with_parameters_94_914x671](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_94_914x671.webp) + +## Using the Emergency WebViewer.html file + +After the **system task** has been successfully executed, **two files** will have been created for +the password backup. + +1. Emergency WebViewer.html +2. PrivateKey.prvkey + +**CAUTION:** The file Emergency WebViewer.html is saved on the server executing the task. The + +**CAUTION:** key PrivateKey.prvkey needs to be securely saved by the user!\* + +The **Emergency WebViewer Export** is used in the same way as the **WebViewer export**. The +**passwords** are displayed in a current browser. The passwords are accessed in the **Emergency +WebViewer Export** with the **user password** and the **key** saved for the user. The search +function is used to select the **key (PrivateKey.prvkey)** and also to check its **validity**. If +all data has been correctly entered, it is then possible to log in. + +NOTE: The current user needs to log in using their password. If an incorrect password is entered, +access is temporarily blocked. + +Login data + +- Database: Predefined +- User: Predefined +- Password: User password (must be entered by the user) +- Key: PrivateKey.prvkey + +![emergency-webviewer](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency-webviewer.webp) + +## Overview + +After successfully logging in, the **overview page** for the **Emergency WebViewer Export** is +displayed. This contains information about the saved **passwords** just like with the WebViewer +export. The passwords are now available to the user. 
+
+Overview: Emergency HTML WebViewer / passwords
+
+![password in emergency webviewer](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_96-en.webp)
+
+The following data is displayed in the overview:
+
+Overview data:
+
+1. Display of the currently available records
+2. Detailed information on the selected record
+3. Search, logout, timeout until logout
+4. Copy password to clipboard
+5. Reveal password
+
+## Security note
+
+The existing **passwords** are now available to the user for further processing. The HTML page is
+closed by clicking on **Logout**.
+
+If the user is **inactive** for **60 seconds**, he is automatically **logged out** and the **login**
+is displayed with additional information.
+
+NOTE: You have been logged out due to inactivity
+
+The user can log in again using the **password** and **key** as described above. After successfully
+logging in, the **Emergency WebViewer Export overview** is displayed again.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md
new file mode 100644
index 0000000000..7433e80cc0
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md
@@ -0,0 +1,98 @@
+---
+title: "System tasks"
+description: "System tasks"
+sidebar_position: 40
+---
+
+# System tasks
+
+## What are system tasks?
+
+Netwrix Password Secure supports administrators and users by automating repetitive tasks. These are
+represented as system tasks. Predefined tasks can thus be carried out at freely defined intervals.
+
+![System Tasks](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_85-en.webp)
+
+## Relevant rights
+
+The following options are required for managing system tasks.
+
+User right
+
+- Can manage Active Directory system tasks
+- Can manage system task reports
+- Can manage discovery service system tasks
+- Can manage Emergency WebViewer export system tasks
+- Can manage WebViewer export system tasks
+
+## What can be automated?
+
+There are currently four different work processes that can be automated using system tasks:
+
+- **HTML WebViewer export:** Exports a freely definable selection of records in an AES-256 encrypted
+ HTML file. The file is saved in the form of notifications.
+- **Reports:** Automatically creates a report that is issued in the notifications. This requires a
+ report request to be created in advance.
+- **Network service scan:** Searches for service accounts on the network at defined cycles
+- **Active Directory synchronization:** The comparison with Active Directory can also be automated
+ via system tasks. This requires an active directory profile to be created in advance. It is
+ important to note that only the Master Key profile can be automatically compared.
+
+## Creating system tasks
+
+System tasks can be initiated as usual via the ribbon or also the context menu that is accessed
+using the right mouse button. The desired process to be automated using system tasks is then
+selected from the four above-mentioned work processes.
+
+![installation_with_parameters_86](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_86.webp)
+
+Naturally, the four work processes also share some similarities in their configuration.
+
+- **Status:** The system task is normally activated and then starts immediately after it has been
+ saved according to the defined intervals. If the system task is deactivated here, it is still
+ saved but is not yet activated.
+- **Next run:** This setting describes when the system task will be performed or when it was already
+ performed for the first time (if this task was already created and is now being edited)
+- **Interval:** The interval at which the system task should be executed is defined here. All
+ increments between every minute and once only are possible. It is also possible to enter an end
+ date.
+
+The differences between the four work processes to be automated are described below. These
+differences are always part of the task settings within the system task form – the example here
+shows an HTML WebViewer export to be configured.
+
+![installation_with_parameters_87](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_87.webp)
+
+WebViewer generator
+
+- Filter: The passwords that should be exported are defined using a filter.
+- Password: The HTML WebViewer creates an encrypted HTML file. The password is defined here and must
+ then be confirmed.
+
+Reports
+
+- Report request: The report requests defined in Reports are available and can be selected here.
+
+Discovery Service
+
+- The Discovery Service scans the network and lists all of the services for which a service user has
+ been saved. These can then be maintained using Netwrix Password Secure. The information collected
+ can then be directly transferred to the Password Reset for this purpose.
+
+Active Directory synchronization
+
+- The Active Directory profile required for the synchronization is selected from those available.
+
+Emergency WebViewer export
+
+- The Emergency WebViewer export creates an encrypted HTML file that contains all passwords. In an
+ emergency, the data required to get the system up and running again can be accessed in this file.
+
+NOTE: Tags could be defined for individual tasks – yet they have no relevance and can also not be
+used as filter criteria in the system tasks.
+
+Status
+
+A corresponding note will be displayed to indicate if a task is currently being executed.
+
+![installation_with_parameters_88](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_88.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/tag_manager.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/tag_manager.md
new file mode 100644
index 0000000000..421a9d28a8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/tag_manager.md
@@ -0,0 +1,34 @@
+---
+title: "Tag manager"
+description: "Tag manager"
+sidebar_position: 60
+---
+
+# Tag manager
+
+## What is the tag manager?
+
+All existing tags can be viewed, edited and deleted directly in the tag manager. This can be
+achieved via the filter, within the “Edit mode” of a data set as well as via the main menu under the
+group [Extras](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md).
+
+![how to open the tag manager](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_103-en.webp)
+
+![Tag management](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_104-en.webp)
+
+The tag manager itself is a clearly structured tool with which you can view and edit all relevant
+information. The colours can also be assigned here. The “Number used” column indicates how often an
+object has been tagged with the tag. In this way, you can keep track of and remove tags that are no
+longer needed.
+
+![All tags](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_105-en.webp)
+
+## Relevant rights
+
+The following option is required for managing tags
+
+User right
+
+- Manage tags
+
+**CAUTION:** It is only possible to delete tags if there are no more data associated with them
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/trash.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/trash.md
new file mode 100644
index 0000000000..acce29979c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/trash.md
@@ -0,0 +1,24 @@
+---
+title: "Bin"
+description: "Bin"
+sidebar_position: 80
+---
+
+# Bin
+
+Here the logged-in user can manage his recycle bin. All deleted passwords to which the user is
+entitled are displayed.
+
+## Functions
+
+The following functions are available:
+
+![bin_4](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/extras/trash/bin_4.webp)
+
+- **Restore**: The selected passwords are restored.
+
+- **Delete permanently**: The selected passwords are permanently deleted. This means that they can
+ no longer be restored.
+
+- **Empty entire bin**: The entire recycle bin is permanently deleted, so none of these passwords
+ can be recovered.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md
new file mode 100644
index 0000000000..51f8c4cfc6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md
@@ -0,0 +1,38 @@
+---
+title: "General settings"
+description: "General settings"
+sidebar_position: 30
+---
+
+# General settings
+
+## What are general settings?
+
+The **general settings** relate to users. Thus, each user can customize the software to their own
+needs. The following options can be configured:
+
+Colour scheme
+
+Various Windows colour schemes are available. The colour scheme Colorful provides e.g. different
+colours which make it easier to distinguish between the modules in the software. If the colour
+scheme is changed, the client must be restarted.
+
+Language
+
+The user can toggle between English and German. After changing the language, the client must be
+restarted.
+
+Starting the application minimised in the notification area
+
+You can start the client minimized if you wish to run Netwrix Password Secure in the background. You
+will be able to access it through the notification area.
+
+Minimise the application on closing
+
+If this option has been activated, the Netwrix Password Secure client will not end when the window
+is closed but will merely be minimised. It will continue to run in the background. It is then only
+possible to properly end Netwrix Password Secure via the main menu.
+
+Starting with Windows
+
+Of course, you can start the Netwrix Password Secure Client directly with Windows.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/import.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/import.md
new file mode 100644
index 0000000000..37b0c314de
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/import.md
@@ -0,0 +1,69 @@ +--- +title: "Import" +description: "Import" +sidebar_position: 70 +--- + +# Import + +## What is an import? + +If another password management tool was used before Netwrix Password Secure, these data can be +imported into Netwrix Password Secure. The formats .csv and especially Keepass (.xml) are supported. +Both variants can be set up in the import wizard, which is started via the Main menu/Import. + +![Import](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_57-en.webp) + +## Requirements + +Whether the user is permitted to import data is controlled by the corresponding +[User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md). + +![installation_with_parameters_58](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_58.webp) + +## The import wizard + +The wizard supports the import of data into Netwrix Password Secure in four steps. + +Select type + +![installation_with_parameters_59](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_59.webp) + +The first step is to define the file that is to be used for the import. It is only possible to +proceed to the second step when the defined type corresponds to the stated file to be imported. The +second step is the settings. + +Settings + +![installation_with_parameters_60](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_60.webp) + +1. The settings are used to firstly define the level in the hierarchy for saving the imported + structure. As can be seen in the example, the import will take place in the main organisational + unit. One of the existing organisational units can also be defined as a parent instance via the + drop-down menu. +2. The slider defines whether the imported structures should be imported as an organisational unit + or as a tag. 
If the slider is fully moved to the left, only tags are created. If it s moved to + the right, all objects are imported as an organisational structure. In addition, every object can + be configured separately via the context menu that is accessed using the right mouse button. It + is also possible to ignore folders. + +NOTE: No folders exist in Netwrix Password Secure. For this reason, it is necessary to define +whether a folder is saved as an organisational structure or as a tag during the import. The same +process is also used for the migration. + +Assignment of the form fields + +![installation_with_parameters_61](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_61.webp) + +The third step is to assign the forms from the file to be imported to already existing forms. As +form fields may also have different names, the assignment process must be carried out manually via +drag & drop. Depending on which form was selected on the top line, form fields from the list on the +right can now be assigned to the form fields to be imported via drag & drop. It is also possible to +create new forms. + +Finish + +![installation_with_parameters_62](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/import/installation_with_parameters_62.webp) + +In the final step, the configured settings are summarised as a list of the objects to be imported. +The button “Finish” closes the wizard and starts the import. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md new file mode 100644 index 0000000000..769c9c539f --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md 
@@ -0,0 +1,23 @@
+---
+title: "Main menu"
+description: "Main menu"
+sidebar_position: 30
+---
+
+# Main menu
+
+## What is the Main menu/Backstage?
+
+All settings that are not linked to a particular module are defined in the Backstage (main menu).
+This makes it easy to access the settings at any time and in any module.
+
+![Main menu](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/installation_with_parameters_56-en.webp)
+
+- [Extras](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/extras.md)
+- [Account](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md)
+- [General settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md)
+- [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md)
+- [User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md)
+- [Administration](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/administration.md)
+- [Import](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/import.md)
+- [Export](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/export/export.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/_category_.json
new file mode 100644
index 0000000000..2c2eb8b19a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "User rights",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "user_rights"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/overview_of_all_user_rights.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/overview_of_all_user_rights.md
new file mode 100644
index 0000000000..cf524ad8cc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/overview_of_all_user_rights.md
@@ -0,0 +1,116 @@ +--- +title: "Overview of all user rights" +description: "Overview of all user rights" +sidebar_position: 10 +--- + +# Overview of all user rights + +This section lists all of the existing user rights. If a right is explained in more detail in +another section, you can navigate directly to this section by clicking on the link in the Section +column. The rights are grouped according to categories to provide a better overview + +| Category: General | Section | +| ------------------------- | ---------------------- | +| Can overwrite permissions | Form field permissions | +| Can inherit permissions | Form field permissions | + +| Category: Configuration | Section | +| ------------------------------------------------------------------------------------------------------------------- | ------- | +| Can add seal | | +| Can apply password masking | | +| Can change form for a password | | +| Can close tab of own organisational unit in LightCliet | | +| Can edit filter | | +| Can export | | +| Can import | | +| Can manage password form fields | | +| Can manage password images | | +| Can manage seal templates | | +| Can manage tags | | +| Can print | | +| Category: Mobile synchronisation | Section | +| --- | --- | +| Can synchronise with mobile devices | | +| Category: New records | Section | +| --- | --- | +| Can add new Active Directory profiles | | +| Can add new RDP applications | | +| Can add new SSH applications | | +| Can add new SSO applications | | +| Can add new web applications | | +| Can add new SAML applications | | +| Can add new users | | +| Can add new documents | | +| Can add new forms | | +| Can add new organisational units | | +| Can add new Password Resets | | +| Can add new passwords | | +| Can add new roles | | +| Can add new tags | | +| Can add individual passwords via Basic view | | +| Can add new passwords images | | +| Can add new Entra ID profiles | | +| Category: Offline mode | Section | +| --- | --- | +| Offline mode | | +| 
Timespan for how long the offline mode can be used without connection to the server | | +| Categorie: Rights | Section | +| --- | --- | +| If non-administrators select “Override permissions” when moving items, keep existing permissions for administrators | | +| Category: Rights templates | Section | +| --- | --- | +| Can edit members when using a rights template | | +| Can manage rights templates | | +| Can view selection of rights templates | | +| Can switch standard rights template | | +| Category: Security | Section | +| --- | --- | +| Is database administrator | | +| Can manage Active Directory profiles | | +| Can authorize other users to use personal passwords | | +| Can manage records for an application | | +| Can manage autologin | | +| Can set owner rights | | +| Can manage database sessions | | +| Can permanently delete the deleted users | | +| Can permanently delete the deleted organisational structures | | +| Can view deleted organisational structures | | +| Can permanently delete the deleted roles | | +| Can view deleted roles | | +| Can manage locked users | | +| Can edit global settings | | +| Can export HTML WebViewer | | +| Can change security level options | | +| Can manage password rules | | +| Can create personal records | | +| Can configure standard password rules | | +| Can carry out batch processing for permissions based on a filter | | +| Can manage password images | | +| Category: Visibility User right new | Section | +| --- | --- | +| Display application module | | +| Display notification module | | +| Show discovery service module | | +| Display document module | | +| Display form module | | +| Display logbook module | | +| Display organisational structure module | | +| Display Password Reset module | | +| Display password module | | +| Display roles module | | +| Category: System tasks | Section | +| --- | --- | +| Can manage Active Directory system tasks | | +| Can manage system task reports | | +| Can manage discovery service system 
tasks | | +| Can manage Emergency WebViewer export system tasks | | +| Can manage WebViewer export system tasks | | + +NOTE: There is a version selection box in the user rights. The options that were newly added in the +selected version are correspondingly marked in the list. + +![installation_with_parameters_115](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp) + +This makes it easier for administrators to correctly configure new options before they release the +update for all employees. diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md new file mode 100644 index 0000000000..d59b1a129b --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md 
@@ -0,0 +1,75 @@
+---
+title: "User rights"
+description: "User rights"
+sidebar_position: 50
+---
+
+# User rights
+
+## What are user rights?
+
+In the user rights, access to functionalities is configured. Amongst tother things, this category
+includes both the visibility of individual [Client Module](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md), as
+well as the use of the import, export or management of rights templates functions. A complete
+listing is directly visible in the user rights.
+
+## Administration of user rights
+
+Managing all user rights exclusively at the level of the user would be a time intensive process and
+thus require a disproportionate amount of care and maintenance. In the same way as with the
+[Authorization and protection mechanisms](/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md),
+an approach can be used in which several users are grouped together. Nevertheless, it must still be
+possible to additionally address the specific requirements of individual users. Some
+functionalities, on the other hand, should be available to all users. In order to do this, Netwrix
+Password Secure offers a three-step concept.
+
+![installation_with_parameters_111](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_111.webp)
+
+When it comes to user rights, the focus is always on the user. The user can receive user rights in
+one of the following three ways:
+
+1. The **personal user right** only applies to a specific user. This is always configured via
+ the[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md).
+
+**User rights to role**s apply to all members of a role and are specified in the
+[Roles](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md)
+
+1. The **global user right** applies to all users of a database without exception. You can configure
+ it in the client settings.
+
+How a user receives a user right is irrelevant. The only important thing is that the user actually
+receives a required right in one of the three ways mentioned above. It is recommended that you link
+user rights to roles and, if necessary, supplement them with global user rights.
+
+**CAUTION:** In addition to personal and global user rights (as opposed to settings), user rights
+are assigned via roles and not via organisational units!
+
+NOTE: Only those user rights that the current user possesses themselves can be issued. However, all
+rights can be removed.
+
+![installation_with_parameters_112](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp)
+
+## Configuring the security level
+
+The **security level** is an essential element that is also specified in the user rights. This is
+the basis for the configuration of the [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md).
+
+![installation_with_parameters_113](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_113.webp)
+
+## Searching within user rights
+
+Due to the large number of possible configurations, the search function helps you to quickly find
+the desired configuration. This process is based as usual on the List
+[Search](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md).
+
+![installation_with_parameters_114](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_114.webp)
+
+#### Database administrator
+
+Special attention should be given to the right Is database administrator. This right has the
+following effects:
+
+- The user can also issue rights that he does not possess himself.
+- The user can only have their rights removed by other database administrators.
+- The user can unlock other users on the Server Manager.
+- The user can also remove other users from the rights if they have the owner right.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/_category_.json
new file mode 100644
index 0000000000..6ac028f85d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "User settings",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "user_settings"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/overview_of_all_user_settings.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/overview_of_all_user_settings.md
new file mode 100644
index 0000000000..374f18d86f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/overview_of_all_user_settings.md
@@ -0,0 +1,169 @@
+---
+title: "Overview of all settings"
+description: "Overview of all settings"
+sidebar_position: 10
+---
+
+# Overview of all settings
+
+This section lists all of the existing settings. If a setting is explained in more detail in another
+section, you can navigate directly to this section by clicking on the link in the Section column.
+The settings are grouped according to categories to provide a better overview
+
+| Category: General | Section |
+| -------------------------------------------- | ------- |
+| Number of allowed widgets | |
+| Mark notifications as read when opening them | |
+| Can search for updates | |
+| Allow a tab to be opened multiple times | |
+| Display module name on dashboard | |
+| Open quick search in new tab | |
+| Edit tab after opening | |
+| Close tab after saving | |
+| Close tab after discarding | |
+| Tab width | |
+| Restore last tabs opened | |
+| Ask for favicon download | |
+
+| Category: Display | Section |
+| ------------------------------------------------------------------------ | ------- |
+| Customizable window caption | |
+| Display fold-down details in permissions view | |
+| Change lists when widening in table view | |
+| Display path for the organisational structure in the header | |
+| Scaling value for the user interface | |
+| Display kind of password in full client | |
+| Display kind of passwords in Basic view | |
+| Switch logo view on mouse over in Basic view | |
+| Category: Browser | Section |
+| --- | --- |
+| Standard browser | |
+| Category: Dashboard | Section |
+| --- | --- |
+| Display dashboard on startup | |
+| Display remaining amount of data in the widget | |
+| Category: Record | Section |
+| --- | --- |
+| Number of initially loaded records | |
+| Display records as “about to expire” if the remaining days are less than | |
+| Apply form changes to passwords | |
+| Display total number of filter results | |
+| Maximal number of search results for all | |
+| Categorie: Documents | Section |
+| --- | --- |
+| Document history | |
+| Permitted document extensions | |
+| Maximum size in MB | |
+| Category: Print | Section |
+| --- | --- |
+| Font size | |
+| Category: Real-time update | Section |
+| --- | --- |
+| Refresh notifications in real time | |
+| Category: Filter | Section |
+| --- | --- |
+| Display mode | |
+| Jump to filter on quick search | |
+| Can use filter negation | |
+| Automatically use last filter | |
+| Display mode status when starting the program | |
+
+| Category: Footer area | Section |
+| --------------------------------------------------------------------------------------------------------------- | ------- |
+| Show notifications in the footer area | |
+| Show documents in the footer area | |
+| Display footer area | |
+| Show history in the footer area | |
+| Show logbook in the footer area | |
+| Show metadata in the footer area | |
+| Show Password Resets in the footer area | |
+| Category: Configuration | Section |
+| --- | --- |
+| Display animation in SSO configuration window | |
+| You must enter a reason for establishing the RDP connection | |
+| You must enter a reason for establishing the SSH connection | |
+| Netwrix Password Secure user directory | |
+| Default form (for Basic view) | |
+| Start Basic view on next login | |
+| Include subordinated organisational units in Basic view | |
+| Category: Reading pane | Section |
+| --- | --- |
+| Orientation for Active Directory | |
+| Orientation for applications | |
+| Orientation for notifications | |
+| Orientation for reports | |
+| Orientation for documents | |
+| Orientation for forms | |
+| Orientation for logbook | |
+| Orientation for organisational structure | |
+| Orientation for Password Reset | |
+| Orientation for passwords | |
+| Orientation for rules | |
+| Orientation for roles | |
+| Orientation for seal templates | |
+| Orientation for system tasks | |
+| Orientation for forwarding rules | |
+| Size of profile image in reading area | |
+| Category: Mobile synchronisation | Section |
+| --- | --- |
+| Validity of the mobile database without synchronisation in days (0 = no limit on validity) | |
+| Maximum number of login attempts before deleting the database (0 = unlimited) | |
+| Category:Offline mode | Section |
+| --- | --- |
+| Automatic synchronisation after an interval in minutes (0 for deactivated) | |
+| Offline synchronisation after saving a record | |
+| Path where the offline database should be saved (empty for standard) | |
+| Category:Proxy | Section |
+| --- | --- |
+| Address | |
+| User name | |
+| Password | |
+| Use Windows proxy | |
+| Category:Rights | Section |
+| --- | --- |
+| Clear user field after adding | |
+| Inherit permissions for new objects (without rights template) | |
+| Existing passwords inherit changes to the permissions for organisational units | |
+| Permission search: Add gradually | |
+| Delete user from the permissions for new objects when the user creating the new object is authorized via a role | |
+| Hide deleted users and roles in permissions | |
+| Category:Security | Section |
+| --- | --- |
+| Change rule for the user password | |
+| Disconnect database connection due to inactivity after | |
+| Deactivate inactive users | |
+| Length of validity of the multifactor authentication token (minutes) | |
+| Confirmation of authenticity on login | |
+| Minimum score for password quality level “good” | |
+| Minimum score for password quality level “strong” | |
+| Display password in quick view | |
+| PKI: Enforce validity period for certificates | |
+| PKI: Certificate hash methods | |
+| PKI: Checking mode for certificate chains | |
+| Time period after which inactive sessions will be deleted from the server | |
+| Category:SSO | Section |
+| --- | --- |
+| Browser Extension: Exact domain check | |
+| Browser Extension: Automatically send login masks | |
+| Browser Extensions: Automatically fill login masks | |
+| Browser addons: Show password | |
+| Category:Keyboard shortcuts | Section |
+| --- | --- |
+| Execute script to enter the password in the selected windowk | |
+| Execute script to enter the user name in the selected window | |
+| Execute script to enter the user name and password in the selected window | |
+| Execute script to enter the user name and password in the selected window using the Enter button | |
+| Category:Clipboard | Section |
+| --- | --- |
+| Clearing the clipboard | |
+| Clear clipboard on closing | |
+| Clear clipboard on minimising | |
+| Clipboard gallery | |
+
+NOTE: There is a version selection box in the settings. The options that were newly added in the
+selected version are correspondingly marked in the list.
+
+![installation_with_parameters_115](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp)
+
+This makes it easier for administrators to correctly configure new options before they release the
+update for all employees.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md
new file mode 100644
index 0000000000..d03c2ec1a9
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md
@@ -0,0 +1,79 @@
+---
+title: "User settings"
+description: "User settings"
+sidebar_position: 40
+---
+
+# User settings
+
+## What are user settings?
+
+There are many functions within Netwrix Password Secure that can be adapted to the needs of users.
+It is also possible to define various parameters for optical representations. This can be inherited
+both at \* user level \*, \* global \* and \* organisational units \*. In addition, there is a
+security level concept, which categorizes the users into five layers. The administration of settings
+can thus be linked to the presence of the required security level.
+
+## Managing user settings
+
+You can configure user settings similarly to [User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md). Here too,
+there are a total of three possibilities with which a user can define his settings or be configured
+from another location. For the sake of easy manageability, it is again a good idea to configure the
+users not individually, but to provide several equal users with settings.
+
+![installation_with_parameters_116](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_116.webp)
+
+The focus is always on the user, also when it comes to user rights. It can obtain its settings in
+one of the following three ways:
+
+1. Personal settings only apply to a specific user. These are always configured via the
+ organisational structure module.
+2. Settings for organisational structures apply to all members of a role, and are specified in the
+ organisational structure module
+3. Global settings apply to all users of a database without exception. You can configure them in the
+ client settings.
+
+**CAUTION:** In addition to personal and global settings (as opposed to authorizations), settings
+are not assigned via roles, but via organisational units!
+
+![installation_with_parameters_112](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp)
+
+### Inheritance of user settings
+
+If you leave the personal settings on the outside, there are two ways to inherit settings:
+
+1. Global inheritance
+2. Inheritance on the basis of membership in organisational units (OU)
+
+Global settings are configured as usual in the [Main menu](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md). The organisational
+units are inherited via the
+[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md).
+All users who are assigned to an organisational unit inherit all user settings for this OU. In the
+present case, the users “Jones” and “Moore” inherit all settings from the “IT” organisational unit:
+
+![inherit permissions](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_117-en.webp)
+
+The “Settings” button in the ribbon allows you to see the settings for both organisational units and
+users. The many setting options can be restricted by the known
+[Search](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md) mechanisms.
+
+![installation_with_parameters_118](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_118.webp)
+
+The diagram shows the settings for the user “Jones”. The search has been filtered by the term
+“Detail”. The column **“Inherited from”** shows that some settings have been inherited globally, or
+by the organisational unit “IT”. The top two options have no value in the column. This is because
+this parameter has been defined at user level.
+
+NOTE: The inheritance for individual settings can be deactivated in the ribbon!
+
+## Security levels
+
+Option groups were created in the global settings to ensure that users can control only those
+settings for which they hold permissions. Categorising security levels from 1 to 5 allows you to
+combine similar options and thus make them available to the users.
+
+![user settings](/images/passwordsecure/9.2/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_119-en.webp)
+
+The [User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md) define who has the required permissions to change
+which security levels. As with all rights, this is achieved either through global inheritance, the
+role, or as a right granted directly to the user.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/_category_.json
new file mode 100644
index 0000000000..3bcf4aaf6d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Operation and Setup",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "operation_and_setup"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/_category_.json
new file mode 100644
index 0000000000..113bb86a6f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Dashboard and widgets",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "dashboard_and_widgets"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/dashboard_and_widgets.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/dashboard_and_widgets.md
new file mode 100644
index 0000000000..81c8cfbada
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/dashboard_and_widgets.md
@@ -0,0 +1,82 @@
+---
+title: "Dashboard and widgets"
+description: "Dashboard and widgets"
+sidebar_position: 80
+---
+
+# Dashboard and widgets
+
+## What are dashboards and widgets?
+
+In case of large installations, the amount of information provided by Netwrix Password Secure may
+seem overwhelming. Dashboards expand the existing filter possibilities by an arbitrarily
+customizable info area, which visually prepares important events or facts
+
+![Dashboard](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_50-en.webp)
+
+Dashboards are available in almost all [Client Module](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md)s. A
+separate dashboard can be set for each individual module. **Widgets** correspond to the individual
+modules of the dashboard. There are various widgets, which can be individually defined and can be
+configured separately. In the above example, three widgets are enabled and provide information about
+current notifications, password quality, and user activity. The **maximum number of possible
+widgets** is managed in the[User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md).
+
+NOTE: You can close the dashboard using the button in the tab. You can open it again via **View** >
+**Show dashboard** in the ribbon.
+
+NOTE: The display of the dashboard is basically uncritical since the user can only see the data on
+which he is also entitled.
+
+#### Relevant settings
+
+The following options are available in combination with the dashboard and widgets.
+
+**Settings**
+
+- Display dashboard on startup
+- Display module names on dashboard
+- Number of allowed widgets
+- Display remaining amount of data in the widget
+
+#### Adding and removing widgets
+
+If the dashboard tab is enabled, you can enable the dashboard editing mode via the ribbon. Adding
+and editing widgets is only possible in this mode.
+
+![Adding and removing widgets](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_51-en.webp)
+
+Use the drop-down menu to select the widget to be added \* (1) . **Then add the widget to the
+dashboard using the corresponding button in the ribbon** (2). The maximum number of widgets that can
+be added can be configured in the user settings. In editing mode, any widget can be directly removed
+from the dashboard via the button on the upper right edge. The processing mode is ended by saving
+via the ribbon.
+
+![Adding widgets](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_52-en.webp)
+
+## Customizing widgets
+
+In the editing mode, you can customize each widget separately. To do this, select the widget and
+switch to the \* widget content tab \* in the ribbon.
+
+![Customizing widgets](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_53-en.webp)
+
+Separate variables can be customized for each widget. This example shows how often users have had
+passwords displayed. Naturally, the variables are distinct for each widget since other information
+could be relevant.
+
+Widget event
+
+You can select the **Widget Event** option in the ribbon. This activates the interaction of the
+widgets. In the following example, this feature was enabled for the Activity widget. As a result,
+the dashboard not only displays all activities, but also filters them according to the user selected
+in the **Team List** widget. It therefore concerns all activities of the user “Moore”. These are
+filtered “live” and displayed in real-time.
+
+![Widget event](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_54-en.webp)
+
+## Arranging widgets
+
+In the edit mode, the layout of the widgets is user-defined. Drag & drop allows you to place a
+widget in the corresponding position on the dashboard (left, right, top, or bottom).
+
+![Arranging widgets](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_55-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/keyboard_shortcuts.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/keyboard_shortcuts.md
new file mode 100644
index 0000000000..9037fb3379
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/keyboard_shortcuts.md
@@ -0,0 +1,22 @@
+---
+title: "Keyboard shortcuts"
+description: "Keyboard shortcuts"
+sidebar_position: 10
+---
+
+# Keyboard shortcuts
+
+## Functionality
+
+Some actions can be executed very efficiently using keyboard shortcuts. These are configured in the
+section of the same name within the **global
+[User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md)**
+
+The following keyboard shortcuts are available:
+
+- **CTRL+ ALT + U** transfers the user name from the selected record to the active window
+- **CTRL+ ALT + S** starts a script that firstly transfers the user name from the selected record to
+ the active window. The shortcut will then execute a TAB jump and transfer the password.
+- **CTRL+ ALT + P** enters the selected password into the active window or field
+- **CTRL+ ALT + R** firstly transfers the user name from the selected record to the active window
+ via the enter key. The shortcut will then execute a TAB jump and transfer the password.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/_category_.json
new file mode 100644
index 0000000000..dce4f41135
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Filter",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "filter"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/advanced_filter_settings.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/advanced_filter_settings.md
new file mode 100644
index 0000000000..4775c589b8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/advanced_filter_settings.md
@@ -0,0 +1,111 @@
+---
+title: "Advanced filter settings"
+description: "Advanced filter settings"
+sidebar_position: 20
+---
+
+# Advanced filter settings
+
+## Linking filters
+
+The two options for linking the filter criteria are very easy to explain using the example of
+[Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md). The following options are available:
+
+1. Logical “Or operator”
+
+By default, the filter is active in this mode. In the following example, the user wants to find all
+records with at least one of the tags ”**Important**” or ”**Development**”. This also means that
+records can either have one of the tags, or both.
+
+![installation_with_parameters_17_839x376](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_17_839x376.webp)
+
+Due to the colour coding of the tags in the records, it can be seen that the first two records have
+one of the tags, while the third one has both tags. However, all three are included in the results.
+**At least one filter criterion must be met.**
+
+**2. Logical “And operator”**
+
+This mode is activated directly by the checkbox in the filter. Each filter criterion has its own
+checkbox.
+
+![installation_with_parameters_18](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_18.webp)
+
+![installation_with_parameters_19_822x325](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_19_822x325.webp)
+
+**In contrast to the “OR link”, the “AND link” must fulfil both criteria**. Accordingly, only those
+records that have both the tag **”Important”** and the tag ”Development” are listed in the results
+for this example.
+
+## Filter tab in the ribbon
+
+The filter management can also be found in the [Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md). Here, it is
+possible e.g. to expand the currently configured filter criteria, save the filter, or simply clear
+all currently applied filters.
+
+![installation_with_parameters_20](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_20.webp)
+
+#### Saving, editing, and deleting filters
+
+In many cases, it is recommended to store defined filters. In this way, it is possible to make
+efficient use of filter results from previous searches. The button **“Save filter”** directly
+prompts you to assign a meaningful name to this filter. The filter is saved according to the
+criteria currently configured in the filter. This filter is now listed in the selection menu and can
+now be selected. Note that a selected filter selection is immediately applied to the filter but is
+not automatically executed. The filter must be used for this purpose. Both the button in the ribbon,
+so also the counterpart in the filter, lead to the same result here.
+
+![Filter settings](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-1-en.webp)
+
+Deleting and overwriting existing filters is identical in the procedure. The filter, which has been
+marked in the selection field, is always deleted. If an existing filter is to be overwritten, the
+name of the filter is retained and is overwritten with the filter criteria currently configured in
+the filter.
+
+—————————
+
+#### **Advanced filter**
+
+In the “Extended filter” category you can adjust the filter as desired, eg by adding or removing
+filter groups. Clicking on **”Edit filter”** activates the processing mode. You can terminate it
+with **”Finish editing”.**
+
+![Filter editing](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-2-en.webp)
+
+New filter groups can now be added via the selection field. For this purpose, the desired filter
+type is selected (in the example, the filter group is the seal). The process is completed by
+**”adding a filter group”.** Newly added filter groups are always placed at the very bottom of the
+filter.
+
+In **Edit mode**, the filter view changes, in addition to the possible actions in the ribbon. Use
+the arrow buttons to adjust the order of the filter groups. The icons “Plus” and “Minus” can be used
+to create additional instances of existing filter groups or to remove existing ones. In the
+following example, a content filter was added and all other filter groups removed.
+
+![Filter](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-3-en_923x441.webp)
+
+In this example, only the content filter is used – in two instances! \* The “And” link will now
+display all records that contain both the word “password” and the phrase “important”. \*
+
+#### Negation of filters
+
+It is often important to be able to negate the filter.
+
+Activation
+
+In the “Extended filter” category you have the possibility to activate the negation:
+
+![allow negation](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/allow-negation-en.webp)
+
+It is thus possible to refine very precisely filter results even further. This becomes more and more
+important when there are a large number of records in the database and the resulting amount of data
+is still unmanageable despite the fact that filters has been appropriately defined.
+
+![installation_with_parameters_25_752x412](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_25_752x412.webp)
+
+Negations are defined directly in the checkbox of an element within a filter group. Without
+negations, you can only search e.g. for a tag. Negations make the following queries possible:
+
+”Deliver all records that have the tag “Development” but are not tagged with “Important”!
+
+**CAUTION:** In order to effectively use negations, it is important that “and links” are always
+enabled. Otherwise operations with negations cannot be modelled mathematically.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/display_mode.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/display_mode.md
new file mode 100644
index 0000000000..f8a301c2dc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/display_mode.md
@@ -0,0 +1,38 @@
+---
+title: "Display mode"
+description: "Display mode"
+sidebar_position: 10
+---
+
+# Display mode
+
+## What display modes exist?
+
+In addition to the already described [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md), it is possible to switch to structure
+view. This alternative view enables you to filter solely on the basis of the organisational
+structure. Although this type of filtering is also possible in standard filter view, you are able to
+directly see the complete organisational structure in structure view.
+
+NOTE: As there are no longer any folders in Netwrix Password Secure version 9, the structure view
+can not mirror all of the functionalities of the folder view in version 7. However, the structure
+view has been modelled on the folder view to make the changeover from the previous version easier.
+
+![installation_with_parameters_15](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_15.webp)
+
+As you can see, only the organisational structure is visible in this view. This view is the ideal
+choice for users who want to work in a highly structural-based manner.
+
+## Relevant options
+
+There are three relevant [User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md)
+associated with the display mode:
+
+![installation_with_parameters_16](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_16.webp)
+
+- **Display mode:** It is possible to define whether the standard filter, structure filter or both
+ are displayed. If the last option is selected, you can switch between both views.
+- **Jump to filter on quick search:** If you are using structure view, it is possible to define
+ whether the system should automatically jump to the standard filter if you click the quick search
+ (top right in the client)
+- **Display mode status when starting the program:** This setting defines which display mode is
+ displayed as default when starting the program.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md
new file mode 100644
index 0000000000..c66d4e1ae4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md
@@ -0,0 +1,98 @@
+---
+title: "Filter"
+description: "Filter"
+sidebar_position: 20
+---
+
+# Filter
+
+## What is a filter?
+
+The freely configurable filters of the PSR client provide all methods for easy retrieval of stored
+data. The filter criteria are always adapted according to the module in which you are currently
+located. When you select one or several search criteria, and click on “Apply filter”, the results
+will be displayed in the list view. If necessary, this process can be repeated as desired and
+further restrictions can be added.
+
+## Relevant rights
+
+The following option is required for editing filters:
+
+**User right**
+
+- Can edit filter
+
+![Filter](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_10-en.webp)
+
+## Who is allowed to use the filter?
+
+The filter is an indispensable working tool because of the possibility to restrict existing results
+according to individual requirements. Consequently, all users can use the filter. It is, of course,
+possible to place restrictions for filter criteria. This means that the filter criteria available to
+individual employees can be restricted by means of
+[Authorization and protection mechanisms](/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md).
+For example, an employee can only filter for the [Forms](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md) password
+if he has the read permission for that form.
+
+**CAUTION:** There are no permissions for [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md). This means that any employee can
+use any tags. The display order in the filter is determined by the frequency of use. This process is
+not critical to security, since tags do not grant any permissions. They are merely a supportive
+measure for filtering.
+
+## Application example
+
+Filter without criteria
+
+By selecting the desired criteria and applying the filter using the button of the same name, the set
+of all the records corresponding to the criteria is displayed in the list view. If you used the
+filter without criteria, you would obtain a list of all records to which you generally have
+authorization.
+
+![editing criteria](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_11-en.webp)
+
+As you can see, 133 records are not really manageable. In most situations you will need to reduce
+the number of records by adding filters.
+
+**Adding filter criteria**
+
+The filter **organization** can be applied directly to the authorizations to restrict the number of
+records according to the authorizations granted. In this case, the logged-on user holds rights for
+various areas. However, it would like to see only those records which are assigned to the **Own
+passwords** area within the organisational structure. In addition, there should be further
+restrictions, which could be formulated as in the following sentence: “Deliver all records from my
+own passwords that were created with the form **password** and which contain the expression **2016**
+and the tag **Administrator**.
+
+![Adding filter criteria](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_12-en.webp)
+
+As can be seen, the filter delivers the desired results. The extent to which the filter criteria
+match the three remaining data sets is assigned in colour.
+
+**CAUTION:** When filtering with several criteria, such as forms, content and tags, all filter
+criteria must be complied with. It is therefore a logical “AND operation”. Other possible methods
+for linking criteria are described in detail in the Advanced Filter Settings.
+
+**Content filter**
+
+The term \* 2016 \* is part of the description in the \* My Schufa \* record, part of the
+description of \* Wordpress 2016 \* and Microsoft Online 2016 . **Since the search** \***”in all
+fields”** is activated in the content filter, all three records are also included in the results,
+and are displayed in the list view. You can also configure the content filter to search for
+expressions in a specific field. The icon next to the expression **”in all fields”** opens the
+content filter configuration in a modal window. As can be seen, the content filter has been
+configured to only search in the form **password** and then only in the form field **Internet
+address:**
+
+![installation_with_parameters_13](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_13.webp)
+
+![Content filter](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_14-en.webp)
+
+It is very easy to abstract, because of the present example, that the filter can be adapted to your
+personal requirements. It is thus the most important tool to be able to retrieve data once stored in
+the database.
+
+**CAUTION:** The effectiveness of the filter is closely linked to data integrity. Only when data is
+kept clean, efficient operation with the filter is ensured. It is important that employees are
+trained in the correct handling of the filter tool as well as when creating the records. Workshops
+show the best success rate in this context. If you require further information, contact us under
+mail to: sales@passwordsafe.de.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md
new file mode 100644
index 0000000000..70040b8c79
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md
@@ -0,0 +1,91 @@
+---
+title: "List view"
+description: "List view"
+sidebar_position: 30
+---
+
+# List view
+
+## What is the list view?
+
+The list view is located centrally in the Netwrix Password Secure client, and is a key element of
+daily work. There are also list views in Windows operating systems. If you click on a folder in
+Windows Explorer, the contents of the folder are displayed in a list view. The same is true in
+Netwrix Password Secure version 9.
+
+However, instead of folders, the content of the list view is defined by the currently applied
+filter. \* This always means that the list view is the result of a filtered filter \*. For the
+currently marked record in list view, all existing form fields are output to the reading pane. With
+the two tabs “All” and “Favourites, the filter results can be further restricted.
+
+![List view](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_26-en.webp)
+
+At the bottom of the list view, the number of loaded records and the time required for this are
+shown.
+
+NOTE: For more than 100 list elements, only the first 100 records are displayed by default. This is
+to prevent excessive database queries where the results are unmanageable. In this case, it makes
+sense to further refine the filter criteria. By pressing the “All” button in the header of the list
+view, you can still manually switch to the complete list.
+
+## Searching in list view
+
+Through the search field, the results found by the filter can be further refined as required. After
+you have entered the search term, the results are automatically limited to those records which
+correspond to the criteria (after about half a second). The search used for the search is
+highlighted in yellow.
+
+![installation_with_parameters_27](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_27.webp)
+
+## Detailed list view
+
+The default view displays only limited information about the records. However, the width of the list
+view is flexible and can be adjusted by mouse. At a certain point, the view automatically changes to
+the detailed list view, similar to the procedure in Microsoft Outlook. All form fields are displayed
+
+![Table view](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_28-en.webp)
+
+## Favourites
+
+Regularly used records can be marked as favourites. This process is carried out directly in the
+[Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md). A record marked as a favourite is indicated with a star in list view.
+
+![Favourite](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_29-en.webp)
+
+You can filter for favourites directly in the list view. For this purpose, simply switch to the
+“Favourites” tab
+
+![installation_with_parameters_30](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_30.webp)
+
+#### Othersymbols
+
+Every record displayed in list view has multiple icons on the right. These give feedback in colour
+about both the password quality and the [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md) used. Mouseover tooltips provide
+more precise details.
+
+![installation_with_parameters_31](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_31.webp)
+
+NOTE: The information visible underneath the password name is taken from the info field for the
+associated form and will be explained separately
+
+## Workingwith records
+
+All records that correspond to the filter criteria are now displayed in list view. These can now be
+opened, edited, or deleted via the ribbon. Many functions are also available directly from the
+context menu. You can do this by right-clicking the record. Multiple selection is also possible. To
+do this, simply highlight the desired objects by holding down the Ctrl key.
+
+![installation_with_parameters_32](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_32.webp)
+
+#### Opening and editing data sets
+
+By double-clicking, as with the context menu (right mouse button), all records can be opened from
+the list view in a separate tab. Only in this view can you make changes. This detail view opens in a
+separate tab, the list view is completely hidden
+
+![editing dataset](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_33-en.webp)
+
+NOTE: Working with data records depends of course on the type of the data record. Whether passwords,
+documents or organisational structures: The handling is partly very different. For more information,
+please refer to the respective sections on the individual
+[Client Module](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/client_module.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/operation_and_setup.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/operation_and_setup.md
new file mode 100644
index 0000000000..e62783a4ef
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/operation_and_setup.md 
@@ -0,0 +1,97 @@ +--- +title: "Operation and Setup" +description: "Operation and Setup" +sidebar_position: 10 +--- + +# Operation and Setup + +## Client structure + +The modular structure of the client ensure that the required functionalities are always in the same +place. Although the module selection gives access to the various areas of Netwrix Password Secure, +the control elements always remain at the positions specified for this purpose. This intuitive +operating concept ensures efficient work and a minimum of training time. + +![Operation](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/operation-and-setup-1-en.webp) + +![Dashboard](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/operation-and-setup-2-en.webp) + +1. [Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md) + +2. [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md) + +3. [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) + +4. [Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md) + +5. [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md) + +6. [Search](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md) + +7. [Dashboard and widgets    ](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/dashboard_and_widgets.md) + +## TABs + +Tabs offer yet another option within the to present related information in a separate area. This tab +navigation enables you to display, quickly access and switch between relevant information. The +results for a filter with specific criteria can thus be retained without the original result being +overwritten + +when a new filter is applied. In parallel, detailed information about records can also be found in +their own tabs. 
It is of course possible to adjust the order of the tabs via drag & drop according
+to your individual requirements.
+
+![Dashboard](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/installation_with_parameters_2-en.webp)
+
+#### Standard tab
+
+Depending on the active module, the All passwords tab will be renamed to the corresponding module by
+default. (All documents, all forms, etc.)
+
+![Standard tab](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/standard-tab-en.webp)
+
+Although the name suggests that all records in the database are displayed, the records displayed in
+list view correspond to the criteria that have been defined in the filter. The tab closes and can be
+restored by reusing the filter.
+
+## Client footer information
+
+Independently of the module chosen, various information is displayed in the footer area of the
+client. The icons are also provided with a meaningful mouse-over text, which provides additional
+information.
+ +- Connection to database +- Feedback in case connection is insecure +- Last name, first name (user name) of the logged-in user + +![installation_with_parameters_4](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/installation_with_parameters_4.webp) + +- [Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md) +- [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md) +- [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) +- [Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md) +- [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md) +- [Search](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md) +- [Dashboard and widgets](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/dashboard_and_widgets.md) +- [Shortcut key](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/dashboardandwidgets/keyboard_shortcuts.md) + +## Orientation + +It is possible to change the alignment of the following objects: + +- [Active Directory link](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md) +- [Applications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/applications.md) +- [Notifications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md) +- [Reports](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/reports.md) +- [Documents](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/documents.md) +- [Forms](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/forms/forms.md) +- [Logbook](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/logbook.md) +- 
[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md) +- [Password Reset](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md) +- [Password rules](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/password_rules.md) +- [Roles](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md) +- [Seal templates](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md) +- [System tasks](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/systemtasks/system_tasks.md) +- Forwarding Rules +- Profil picture in the reading pane diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/print.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/print.md new file mode 100644 index 0000000000..ea4814196c --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/print.md 
@@ -0,0 +1,96 @@
+---
+title: "Print"
+description: "Print"
+sidebar_position: 70
+---
+
+# Print
+
+#### What can the print function do?
+
+It is often necessary to print out data stored in Netwrix Password Secure for documentation
+purposes. The Print function is available in numerous areas of Netwrix Password Secure for this
+purpose. It is possible to print out records such as e.g. passwords or also information about
+organisational units and much more.
+
+#### Relevantrights
+
+The following rights are relevant.
+
+**Record rights**
+
+- The **Print** right for the relevant record is required in each case.
+
+User right
+
+- Can print
+
+#### Availability
+
+The print function is available in the following modules:
+
+- Passwords
+- Documents
+- Organisational structure
+- Roles
+- Forms
+
+#### Using the print function
+
+The print function can be called up via the ribbon.
+
+![installation_with_parameters_44](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_44.webp)
+
+Firstly, it is necessary to select whether you want to print a table or a detailed view. The amount
+of data can also be defined. The individual menu items are described in detail further down in this
+section. After making your selection, the data is firstly prepared for printing. Depending on the
+amount of data, this may take a few minutes. The print preview is then opened.
+
+![print password](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_45-en.webp)
+
+NOTE: The print preview accesses the functions of the printer driver. Depending on the printer or
+driver being used, the appearance and functions offered by the print preview may vary. The
+individual functions will thus not be described in detail here.
+
+The printing process is ultimately started via the **print preview**. It is also possible to save
+the view or adjust the layout before printing.
+
+#### Selecting the data to be printed
+
+There are different options available for adapting the printing result to your personal
+requirements. The individual menu items will be explained here using the example of printing
+passwords.
+
+###### Table view (current selection)
+
+All **selected** records will be printed out. In the following example, **Adobe** and **Anibis.ch**
+are thus printed out.
+
+![selected data](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_46-en.webp)
+
+The data is printed here in table form.
+
+![print password](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_47-en.webp)
+
+#### Tableview (current filter)
+
+All currently **filtered** records will be printed out here. In this example, all seven records are
+thus printed out.
+
+![filtered password](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_48-en.webp)
+
+They are printed out – as described above – in table form.
+
+#### Detailed view (current selection)
+
+This option also prints out the currently selected records. However, a detailed view is printed out
+in this case.
+
+![print filtered passwords](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_49-en.webp)
+
+#### Detailed view (current filter)
+
+This function can be used to print out all filtered records in detailed view as described above.
+
+NOTE: It should be noted that the amount of data generated via this function can quickly become very
+large.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md
new file mode 100644
index 0000000000..27c4e3d631
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md 
@@ -0,0 +1,59 @@
+---
+title: "Reading pane"
+description: "Reading pane"
+sidebar_position: 40
+---
+
+# Reading pane
+
+## What is the reading pane?
+
+The reading pane on the right side of the client always corresponds to the detailed view of the
+selected record in the list view and can be completely deactivated via the ribbon. In addition, you
+can configure here the arrangement of the reading pane – either on the right, or underneath the
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md).
+
+![Reading area](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_34-en.webp)
+
+## Structure of the reading pane
+
+The reading pane is divided into two areas:
+
+1. **Details area**
+2. Footer area
+
+![installation_with_parameters_35](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_35.webp)
+
+1. Details area
+
+Depending on which record you have selected in [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md), the
+corresponding fields are displayed here. In the header, the assigned [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md), as
+well as the
+[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md)
+are displayed.
+
+**CAUTION:** It should be noted that the details area cannot be used for editing records! Although
+it displays all of the data, editing is only possible if the record has been opened.
+
+2. Footer area
+
+In the footer area of the reading pane, it is possible to display various information for the
+currently selected record. The button can be activated via the button provided. It is hidden by
+default.
+
+![Footer area](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_36-en.webp)
+
+The logbook, linked documents, history, notifications and password resets can be accessed separately
+here via the tabs. The individual elements can be viewed with a double-click, as well as by using
+the quick view (space bar). Double clicking always opens a separate tab, the quick view merely opens
+a modal window
+
+Visibility of the individual tabs within the footer section is secured via separate
+[User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md):
+
+![installation_with_parameters_37](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_37.webp)
+
+The same options can also be found in the settings. A tab is only displayed if it has been activated
+both in the rights and also in the settings. This makes it possible to specify (for example via the
+administrator) whether a user is permitted to view the tab or not. The user can then define
+themselves which tabs they want to be displayed.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md
new file mode 100644
index 0000000000..1575524ec3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md
@@ -0,0 +1,54 @@
+---
+title: "Ribbon"
+description: "Ribbon"
+sidebar_position: 10
+---
+
+# Ribbon
+
+## What is the ribbon?
+
+The ribbon is the central control element of Netwrix Password Secure version 9. It is available in
+all modules. Netwrix Password Secure is almost always operated via the ribbon in the header area of
+the PSR client.
+
+![Ribbon](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_5-en.webp)
+
+The features available within the ribbon are dynamic, and are based on the currently available
+actions. Various actions can be performed, depending on which object is selected. The module
+selected also affects the features that are available in the ribbon. Of course, the most important
+actions can also be controlled via the context menu (right mouse button).
+
+![Ribbon - Item](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/ribbon/ribbon-1-en.webp)
+
+This mainly affects the very often used features such as opening, deleting or assigning tags.
+However, a complete listing of the possible actions is always only possible directly in the ribbon.
+This ensures that the context menu can be kept lean.
+
+## Access to the client main menu (backstage)
+
+The button at the top left of the ribbon provides access to the
+[Main menu](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md):
+
+![installation_with_parameters_7](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_7.webp)
+
+## Ribbon tabs
+
+There are tabs in the header area of the ribbon that summarize all available operations. By default,
+module-independent **Start, View, and Filter** is available. If the footer of the
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md) is opened (1), further tabs will be visible in the
+ribbon (2).
These contain, according to the selection made in the footer, other possible actions.
+
+![Ribbon Tabs](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_8-en.webp)
+
+#### Content tabs
+
+Double-clicking on an object in the [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) opens a new tab with its
+detailed view. Depending on which form field you have selected, the corresponding content tab opens
+in the ribbon.
+
+![Content tabs](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_9-en.webp)
+
+Depending on the selected form field, further actions are offered in the Content tab. In the
+Password field, this is, for example, calling the password generator or the screen keyboard, or the
+possibility to copy it to the clipboard.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md
new file mode 100644
index 0000000000..c408931d9d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md
@@ -0,0 +1,52 @@ +--- +title: "Search" +description: "Search" +sidebar_position: 60 +--- + +# Search + +## What is search? + +With the help of the search, it is possible to find data stored in the database efficiently +according to selected criteria. Basically, there are 2 search modes: + +1. Quick search + +In the upper right section of the ribbon, there is a search field, which scans the module that is +currently open. This is a full-text search that scans all fields and tags except the password field. + +![quick search](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_41-en.webp) + +The fast search is closely linked to the [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md), because search queries are +converted directly into one or several content filters. You can also separate search terms using +spaces, for example, **Cook Daniel**. Note that this search creates two separate content filters, +which are logically linked with “and” +. This means that both words must occur in the data record. +The sequence is irrelevant. If the ordering needs to be taken into account, the search term must be +enclosed in quotation marks: **“Cook Daniel”**. The search is not case sensitive. No distinction is +made between upper and lower case. + +NOTE: You can access quick search directly via \* Ctrl + Q\*! + +Negations in the quick search + +Negations restrict the results to such an extent that certain criteria may not be met. The following +example searches for all records that contain the expression \* Delphi , **but not the expression +swiss. The notation, which must be entered in the quick search, is: Delphi -swiss** + +![quick search](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_42-en.webp) + +2. 
List search + +With the list search in the header of the [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md), the results of the +filter can be searched further. This type of search is available in almost every list. Scans only +the currently filtered results. Password fields are not searched. The search is live, so the result +is further refined with every additional character that is entered. Automatic “highlighting” takes +place in yellow colour. + +![list search](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_43-en.webp) + +A direct database query is performed when the filter is executed. The list search only searches +within the query already made. + +NOTE: The list search is hidden by default and can be activated with “Ctrl + F” diff --git a/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md new file mode 100644 index 0000000000..e5f9aa2813 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md 
@@ -0,0 +1,51 @@
+---
+title: "Tags"
+description: "Tags"
+sidebar_position: 50
+---
+
+# Tags
+
+## What are tags?
+
+The tag system is ubiquitous in Netwrix Password Secure. It can be used to classify and describe
+almost every object. An object can have several such tags. These are always displayed in the header
+area of the data record. Optionally, tags can be provided with colours or a description. They
+determine the aesthetics of Netwrix Password Secure, and are optically a great help, in order not to
+loose the overview even in case of large amounts of data.
+
+NOTE: Tags have no permissions. Any user can use any tag!
+
+## Relevant rights
+
+The following option is required for creating new tags.
+
+User rights
+
+- Can add new tags
+
+## Adding tags to records
+
+Tags can be directly added when creating new records and also when editing records. The procedure is
+the same. In Edit mode, the tags are always at the bottom.
+
+![Tags in dataset](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_38-en.webp)
+
+The operation is intuitive. From the third entered letter, existing tags are searched for full text.
+If the desired tag has been found, it can be added. Both the navigation with mouse, thus also with
+keyboard, is possible. If a new tag is to be created, this can be done directly with “Return”.
+
+![installation_with_parameters_39](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_39.webp)
+
+## Tags in the ribbon
+
+If you edit a record and mark an existing or new tag, a corresponding content tab appears in the
+ribbon. Here, the tag manager can be opened as well as the colour and description of the tag can be
+adapted directly.
+
+![Tags in password](/images/passwordsecure/9.2/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_40-en.webp)
+
+## Management of tags
+
+A separate section is available under Extras in the client for the tag manager. This is explained in
+a special section.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/_category_.json
new file mode 100644
index 0000000000..15e0af1775
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Permission concept and protective mechanisms",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "permission_concept_and_protective"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/_category_.json
new file mode 100644
index 0000000000..bde6770d7b
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Automated setting of permissions",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "automated_setting_of_permissions"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/automated_setting_of_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/automated_setting_of_permissions.md
new file mode 100644
index 0000000000..094f7faf90
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/automated_setting_of_permissions.md
@@ -0,0 +1,30 @@
+---
+title: "Automated setting of permissions"
+description: "Automated setting of permissions"
+sidebar_position: 20
+---
+
+# Automated setting of permissions
+
+## Reusing permissions
+
+Netwrix Password Secure generally differentiates between multiple methods for setting permissions:
+
+1. Manual setting of permissions
+2. Inheritance of permissions within organisational structures
+3. Using predefined rights
+
+ - In the manual setting of permissions, the desired permissions are directly configured for each
+ record. Automatic processes and inheritance are **not** used in this case.
+ - Both the use of predefined rights and also the inheritance from organisational structures are
+ based on the **automated reuse** of already granted permissions according to previously
+ defined rules.
+
+The following diagram deals with the question: **How do users or roles receive the intended
+permissions?**
+
+![manual vs automated settings](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/automated-setting-of-permissions-1-en.webp)
+
+NOTE: Inheritance from organisational structures is defined by default in the system. This can be
+configured in the settings. The relevant setting is “Inherit permissions for new objects (without
+permission template)”.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md
new file mode 100644
index 0000000000..95441490b0
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md 
@@ -0,0 +1,89 @@
+---
+title: "Inheritance from organisational structures"
+description: "Inheritance from organisational structures"
+sidebar_position: 10
+---
+
+# Inheritance from organisational structures
+
+## Organisational structures as a basis
+
+The aim of organisational structures is to reflect the hierarchies and dependencies amongst
+employees that exist in a company. Permissions are granted to these structures as usual via the
+ribbon. Further information on this subject can be found in the section
+[Permissions for organisational structures](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/permissions_for_organisational.md).
+As a specific authorization concept is generally already used within organisational structures, this
+is also used as the basis for further permissions. This form of inheritance is technically
+equivalent to granting permissions based on **affiliations to a folder**. When creating a new
+record, the record receives the permissions in accordance with the defined permissions for the
+organisational unit.
+
+![explanation of authorization](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-1-en.webp)
+
+## Relevant user settings
+
+Whether this form of inheritance should be applied is defined via the settings in the ribbon. It can
+be configured in more detail using two settings.
+
+**CAUTION:** If a predefined rights exists, this will always overwrite inherited permissions from
+organisational structures
+
+Inherit permissions for new objects (without rights template) This setting is relevant for newly
+created records.
+
+![setting inherit permission](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-2-en.webp)
+
+The following values can be configured:
+
+Off: Permissions from OUs are not inherited organisational unit: When creating new objects,
+permissions are set in accordance with the defined rights for the target organisational unit. This
+setting is active by default. organisational unit and user: As well as inheriting permissions for
+organization units, the configured permissions for the user are now also inherited when creating
+private records. \*If inheritance for the users is also activated, the creation of private records
+is in itself no longer possible. When creating new records to be saved in the organisational unit
+for the logged-in user, the permissions for the record are now granted in accordance with the
+permissions for the user.
+
+Existing passwords inherit changes to the permissions for organisational units
+
+![setting inherit from OU to password](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-3-en.webp)
+
+This option means that changes to permissions for an organisational unit will be inherited by all
+passwords for this organisational unit. This setting is active by default. When inheriting
+permissions, a dialogue will be displayed that offers you the following options:
+
+Increase or reduce permissions: The permissions for the passwords are retained and are only
+increased or reduced by the change. Overwrite permissions: The permissions for the passwords are
+completely overwritten. This means that all permissions for a password are firstly removed and then
+the new permissions for the organisational unit are inherited. Cancel inheritance: The permissions
+are not inherited but are only changed in the organisational unit.
\*The permissions are only
+inherited by existing passwords within the organisational unit. Therefore, the permissions are not
+inherited downwards throughout the entire structure.
+
+Example case This example shows the creation of a new record in the organisational structure
+“marketing”. It is defined in the settings for the stated organisational structure that permissions
+should be inherited by new objects in accordance with the organisational structure.
+
+The permissions for the organisational unit “marketing” are shown below:
+
+![example of permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-4-en.webp)
+
+A new password is now created in the organisational unit “marketing”.
+
+![new password](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-5-en.webp)
+
+It is important that no preset is defined for this organisational unit. The permissions for the
+record just created are now shown.
+
+![permissions example](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-6-en.webp)
+
+## Conclusion
+
+The permissions for the “storage location” are simply used when creating new objects. Two conditions
+apply here:
+
+The value “organisational unit” must be selected in the settings for the inheritance of permissions
+There must be no [Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md) for the
+affected organisational structure This process is illustrated in the following diagram:
+
+![process for inheritance of permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-7-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/_category_.json
new file mode 100644
index 0000000000..c53f3cdaa2
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Manual setting of permissions",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "manual_setting_of_permissions"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md
new file mode 100644
index 0000000000..60a54252ea
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md
@@ -0,0 +1,94 @@
+---
+title: "Manual setting of permissions"
+description: "Manual setting of permissions"
+sidebar_position: 10
+---
+
+# Manual setting of permissions
+
+## What is the manual setting of permissions for records?
+
+In contrast to the
+[Automated setting of permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/automated_setting_of_permissions.md), the
+manual approach does not utilize any automatic processes. This method of setting permissions is thus
+carried out separately for every record – this process is not as recommended for newly created data.
+If you want to work effectively in the long term, the automatic setting of permissions should be
+used. However, the manual setting of permissions is generally used when editing already existing
+records.
+
+## Adding additional users with permissions
+
+In the previous section, it was clarified that permissions are granted either directly to the user
+or to several users grouped in a role. With this knowledge, the permissions can be set manually. In
+the [Passwords](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md), there are three different ways to access
+the permissions in the list view:
+
+1. Icon in the ribbon
+2. Context menu of a data record (right-click)
+3. Icon at the right edge of the reading pane
+
+![different ways to access the permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-1-en.webp)
+
+NOTE: The icon on the right of the reading pane shows the information whether the record is personal
+or public. In case of personal data records, the user that is logged on is the only one who has
+permissions!
+
+The author is created with all permissions for the record.
As described in the +[Permission concept and protective mechanisms](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/permission_concept_and_protective.md), you can now +add roles and users. 'Right click - Add' inside the userlist or use the ribbon "User and roles" to +add a user. The filter helps you to quickly find those users who should be granted permissions for +the record in just a few steps. + +![add user and role](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-2-en.webp) + +The search [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md)opens in a separate tab and can be +configured as usual. + +![seach filter](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-3-en.webp) + +**Multiple selection** is also enabled. It allows to add several users via the Windows standard +Ctrl/Shift + left mouse button. + +## Set and remove permissions + +By default, all added users or roles receive only the “Read” permission on the record. The “Read” +permission at the beginning is sufficient to view the fields of the data record and to use the +password. "Write" permission allows you to edit a data record. **The permission “Authorize” is +necessary to authorize other users to the record**. This is also a requirement for +the[Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md). + +![setting all permissions example](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-4-en.webp) + +## Transferring permissions + +A simple right-click on a user can be used to copy and transfer permission configurations of users +or roles to others in the context menu. In this context, the use of permission templates is also +very practical. 
In the “Template” area of ​​the ribbon, you can save configured permissions,
+including all users, and reuse them for other records.
+
+![preset menu](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-5-en.webp)
+
+The transfer of permissions and their reuse can be an important building block to create and
+maintain entitlement integrity. This method cannot rule out misconfigurations, but it will minimize
+the risk significantly. Of course, the correct configuration of these templates is a prerequisite.
+
+## The add permission
+
+The “add" permission holds a special position in the authorization concept. This permission controls
+whether a user/role is permitted e.g. to create a new record within an organisational structure.
+Consequently, this permission can only be set in the
+[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md).
+
+## The owner permission
+
+The "owner" permission can be set for a user. This permission is more of **a guarantee**. Once
+assigned, there is no way to remove the user or role. This is only possible by the user or the role
+itself, as well as by users with the permission “Is database administrator”.
+
+![owner permission](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-6-en.webp)
+
+The owner permission prevents other users who have the “Authorize” permission from removing someone
+with the owner permission from the record.
+
+**CAUTION:** The owner permission does not protect a record from being deleted. Any user who has
+deletion permission can delete the record!
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/multiple_editing_of_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/multiple_editing_of_permissions.md
new file mode 100644
index 0000000000..0a39ed6221
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/multiple_editing_of_permissions.md
@@ -0,0 +1,123 @@ +--- +title: "Multiple editing of permissions" +description: "Multiple editing of permissions" +sidebar_position: 20 +--- + +# Multiple editing of permissions + +## How to edit multiple permissions? + +As part of the manual modification of permissions, it is also possible to edit multiple records at +the same time. Various mechanisms can be used to select the records to be edited. You are able to +select the records in [List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) or you can use +the filter as part of the multiple editing function. Both scenarios are described below. + +### User permissions for batch processing + +This mode is inactive by default and needs to be activated in the user rights. + +- Can carry out batch processing for permissions based on a filter + +## Multiple editing via list view + +Individual permissions can be added or remove via **Multiple editing within list view**. The +existing permissions will **not be overwritten**. + +## Selecting the records + +In list view, Shift or Ctrl + mouse click can be used to select multiple records. Permissions can +also be granted for these records via the selection. The marked records are displayed in a different +color. 6 records are marked in the following image. + +![password list](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-1-en.webp) + +## Dialogue for configuring the permissions + +A new tab will be opened in the ribbon above the "Permissions" button in which the permissions can +be configured. The tab will display the number of records that will be affected by the defined +changes. 
+
+![rights for selected passwords](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-2-en.webp)
+
+NOTE: As the already granted permissions for the selected records may differ, it is not possible to
+display the permissions here.
+
+## Adding permissions
+
+To add a permission, a user or role is selected first in the ribbon under **Search and add** or
+**Search**. The permissions are then selected as usual in the ribbon. The
+:material-plus-circle-outline: symbol indicates that permissions will be added. In the following
+example, Mr. Steiner receives read permission to all selected records. In contrast, Mr. Brewery
+receives all permissions.
+
+## Reducing permissions / removing users and roles from the permissions
+
+If you want to remove permissions, it is also necessary to add the user or the desired role to be
+edited. Clicking on **Reduce permissions** now means that permissions will be removed. This is
+indicated by the :material-minus-circle-outline: symbol. The selected permissions will be removed.
+
+NOTE: If the **read** permission is to be removed for a user or role, the user will be completely
+removed from the permissions.
+
+## Examples
+
+In the following example, Mr. Steiner receives read permissions to all selected records. In
+contrast, Mr. Brewery receives all permissions:
+
+![rights for selected passwords](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-3-en.webp)
+
+The read permission will be removed for Mr. Steiner. As removing the read permissions means that no
+other permissions exist for the record, Mr. Steiner is completely removed from the permissions. The
+authorize, move, export and print permissions are being removed from Mr. Brewery.
Assuming that he
+previously had all permissions, he will then have read, write and delete permissions remaining:
+
+![edit rights for selected passwords](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-4-en.webp)
+
+## Batch processing using a filter
+
+In some cases it is necessary to edit the permissions for a very large number of records. On the one
+hand, a maximum limit of 1000 records exists and on the other hand, handling a very large number of
+records via list view is not always the best solution. The **Batch processing using a filter** mode
+has been developed for this purpose. This is directly initiated via the ribbon.
+
+![Batch processing using a filter](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-5-en.webp)
+
+In the subsequent dialogue, you define whether you want to expand, reduce or completely overwrite
+existing permissions. If you select **expand or reduce** at this stage, the same logic as for
+**editing via list view** is used. No permissions will thus be overwritten.
+
+In the option **overwrite permissions**, the existing permissions are removed and then replaced by
+the newly defined permissions.
+
+**CAUTION:** It is important to proceed with great caution when overwriting permissions because this
+function can quickly lead to a large number of records becoming unusable.
+
+![permissions adapted on a filter](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-6-en.webp)
+
+The filter itself defines the selection criteria for the records to be edited. The currently
+configured filter will be used as default. The records that will be affected by the changes are also
+not displayed in this view.
Only the number of records is displayed. In the following example, 9
+passwords are being edited to add the read permission the role "Sales".
+
+![permissions change for selected records](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-7-en.webp)
+
+## Seals and password masking
+
+Sealed or masked records cannot be edited using batch processing. If these types of passwords are
+selected, a dialogue will be displayed when carrying out batch processing to inquire how these
+records should be handled.
+
+![security warning because of sealed or masked passwords](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-8-en.webp)
+
+It is possible to select whether the affected records are skipped or whether the seal or password
+masking should be removed. If the **remove** option is selected, the process needs to be confirmed
+again by entering a PIN.
+
+![security warning](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-9-en.webp)
+
+**CAUTION:** The removal of seals and password masking cannot be reversed!
+
+NOTE: Depending on the number of records, editing records may take a long time. This process is
+carried out in the background for this reason. A hint will indicate that the permissions process has
+been completed.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/right_templates.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/right_templates.md
new file mode 100644
index 0000000000..8f8ccc8392
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/right_templates.md
@@ -0,0 +1,22 @@
+---
+title: "Right templates"
+description: "Right templates"
+sidebar_position: 10
+---
+
+# Right templates
+
+## Using right templates
+
+Once they have been configured, permissions can be constantly reused. The functionality **Saving
+permissions as a template** in the ribbon is used for this purpose. The templates are globally
+available and can also be used for other records.
+
+NOTE: When saving templates, always select a name that will also allow it to be safely
+differentiated from other templates if you have a large number of right templates.
+
+Nevertheless, the use of right templates merely reduces the amount of work and still envisages the
+manual setting of permissions. Automatic process for the issuing of permissions also exist in
+Netwrix Password Secure and will be covered in the section
+[Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md) and also under
+"[Inheritance from organisational structures](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/automatedsettingofpermissions/inheritance_from_organizational.md)".
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/permission_concept_and_protective.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/permission_concept_and_protective.md
new file mode 100644
index 0000000000..2297a44571
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/permission_concept_and_protective.md
@@ -0,0 +1,138 @@
+---
+title: "Permission concept and protective mechanisms"
+description: "Permission concept and protective mechanisms"
+sidebar_position: 40
+---
+
+# Permission concept and protective mechanisms
+
+## What is the permission concept?
+
+With Netwrix Password Secure version 9 we provide the right solution to all conceivable demands
+placed on it with regards to permission management. [Roles](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md) are a
+great way to efficiently manage multiple users without losing the overview. We've created multiple
+methods to manually or automatically manage your permissions. More information can be seen in the
+chapter
+[Multiple editing of permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/multiple_editing_of_permissions.md)
+
+Alongside the definition of manual and automatic setting of permissions, the (optional) setting of
+[Protective mechanisms](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/protective_mechanisms.md) forms
+part of the authorization concept. The protective mechanisms are thus downstream of the permissions.
+The interrelationships between all of these elements are illustrated in the following diagram.
+
+![Authorisation concept](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/permission_concept_1-en.webp)
+
+NOTE: Applying some form of permissions is **obligatory**. Applying a protective mechanism is
+**optional**.
+
+NOTE: The configuration of visibility is a technical part of the permissions process. However, this
+mechanism has a “protective character” and is thus listed under protective mechanisms.
+
+## Basic mechanics of the permission concept
+
+These three pillars are irrevocable and always impact permissions of every type.
+
+### The three pillars of the permission concept
+
+The reproduction of company-specific permission structures can vary greatly in terms of effort. The
+basic concept is based on only a few rules which always apply without exception. Despite the
+innumerable individual adjustment screws, these basic rules can be summarized in three essential
+steps.
+
+### 1. Permissions only for users or roles
+
+If the permission for a data record is to be defined, there are basically only two possibilities:
+
+1. Permission for a **user**
+2. Permission for a **role**
+
+A role is technically nothing more than a summary of multiple users with the same permissions. It
+is, of course, a good idea to manage these roles in accordance with your company’s activities. The
+role “Administrators” can therefore be provided with more extensive authorizations than, for
+example, the role “Sales Assistance”. This role-based inheritance allows the organization to
+maintain the overview in a larger corporate structure as well as a simple procedure when adding new
+employees. Instead of having to entitle him individually, this is simply added to his role.
+
+![Permission only for users or roles](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/permission_concept_2-en.webp)
+
+It is obvious to proceed with the organization of accesses using the concept of roles as a basis and
+only to grant rights individually to employees in exceptional cases. The unplanned absence of
+personnel must also be taken into account in such concepts. Working with roles defuses such risks
+significantly.
+
+NOTE:
+
+
+```
+Permissions are always granted to only one user or role!
+
+```
+
+### 2. Membership in roles
+
+The key point is membership in a role. If an employee can use the authorizations according to the
+roles assigned to him, **he must be a member of the role**. Only members see the records that have
+been authorized for the role.
+
+![Membership in roles](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/permission_concept_3-en.webp)
+
+NOTE:
+
+
+```
+A small technical digression into the nature of the encryption can be very helpful with the basic understanding. Each role has a key pair. The first key is used to encrypt data. Access to this information is only possible with the second key. The membership in a role is equivalent to this second key.
+
+```
+
+### 3. Membership vs. permissions for roles
+
+The admin user in Netwrix Password Secure must pay particular attention to the interplay between
+users and roles. This dynamics is crucial for understanding the concept of authorization, in order
+to ensure maximum software adaptability to any corporate structure. The following diagram
+illustrates this with an example of two users.
+
+![Membership vs permissions for roles](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/membership_permission.webp)
+
+- **User 1** is a member of the role, and is therefore authorized for all records that are assigned
+ to the role. However, it has only “read rights” for the role itself. This means, it can see the
+ role, but cannot “Edit, move, or delete” it.
+- **User 2** has all rights for the role. It can add additional users to the role by means of
+ “authorize”. The crucial point, however, is that it is not a member of the role. It cannot,
+ therefore, see any records for which the role is authorized.
+
+In practice, the first user would be a classic user that is assigned, for example, to the Sales role
+by the administrators, and can view the records accordingly. The second user could be one of those
+administrators. This user has extensive rights for the role. It can edit it, and add users to it.
+However, it cannot see any data that is assigned to sales. It lacks membership in the role.
+
+NOTE:
+
+
+```
+As a member of a role, it must have at least the “read” right for the role!
+
+```
+
+## Specific example and configuration
+
+Similar to the previous section Permission concept and protective mechanisms for roles, the
+configuration of a role will be illustrated using two users. The configuration is performed in the
+[Roles](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md). By double-clicking on the role “IT-Consultants” in the
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md), you can open their detailed view.
+
+![roles list view](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/permission_concept_5-en.webp)
+
+- The user “Holste” is a member of the role and can, therefore, access those records for which the
+ role has permissions. He has the obligatory read right for the role, which is the basic
+ requirement in order to be a member of the role. Which exact rights it has to the data record is
+ not defined within the role! This is set out in the following section.
+- The user “Administrator” has all rights to the role, but is not a member! Thus, it cannot see any
+ records that are authorized for the role. However, it has all rights to the role and can therefore
+ print, assign other users to the role, and delete them.
+
+![explanation of the authorization through a role](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/permission_concept_6-en.webp)
+
+This example clearly shows the advantages of the concept. The complete separation of administrative
+users from regular users brings significant advantages. Of course, one does not necessarily exclude
+the other. An administrator can, of course, have full access to the role and also be a member in it!
+The boundaries between the two often overlap, and can be freely defined in Netwrix Password Secure.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/_category_.json
new file mode 100644
index 0000000000..280c13033d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Predefining rights",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "predefining_rights"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md
new file mode 100644
index 0000000000..699c7782ce
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md
@@ -0,0 +1,84 @@
+---
+title: "Predefining rights"
+description: "Predefining rights"
+sidebar_position: 30
+---
+
+# Predefining rights
+
+## What are predefined rights?
+
+[Permissions for organisational structures](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/permissionsfororganisational/permissions_for_organisational.md)
+can be carried out separately for every record. Although this method enables you to very closely
+control every intended permission structure, it is not really efficient. On the one hand, there is
+too much configuration work involved, while on the other hand, there is a danger that people who
+should also receive permissions to access data are forgotten. In addition, many users should not
+even have the right to set permissions. “Predefining rights” is a suitable method to simplify the
+permissions and reduce error rates by using automated processes. This page covers the configuration
+of predefined rights, please also refer to the sections
+[Working with predefined rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/working_with_predefined_rights.md)
+and their
+[Scope of validity for predefined rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/scope_of_validity_for_predefined.md).
+
+## Organisational structures as a basis
+
+[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md)
+can be very useful in many areas in Netwrix Password Secure. In this example, they provide the basic
+framework for the automated granting of rights. In the broadest sense, these organisational
+structures should always be entered in accordance with existing departments in a company. The
+following example specifically focuses on an IT department.
The following 3 hierarchies
+([Roles](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/roles.md)) have been defined within this IT department:
+
+- **IT employee**
+- **IT manager**
+- **Administrator**
+
+## Predefine rights
+
+In general, a senior employee is granted more extensive rights than those granted to a trainee. This
+hierarchy and the associated permission structure can be predefined. In the
+O[Organisational structure](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/organisational_structure.md)
+module, we now select those OUs (departments) for which rights should be predefined and select
+\*predefine rights” in the ribbon.
+
+![button of predefined rights](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-1-en.webp)
+
+- **Creating the first template group:** A new window will appear after clicking on the icon for
+ adding a new template group (green arrow) in which a meaningful name for the template group should
+ be entered.
+
+![add template](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-2-en.webp)
+
+Roles and users can now be added to this template via the ribbon or through the context menu (right
+mouse click). This was already completed in the example. The role **IT employee** only has the "read
+permission", the **IT manager** also has the "write permission" and the capability of managing
+permissions. **Administrators** possess all available permissions. Configuration of the permission
+structures is explained in
+[Manual setting of permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md).
+
+![example permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-3-en.webp)
+
+## Adding other template groups
+
+It is also possible to configure several different right templates within one department. This may
+be necessary e.g. if there are several areas of competency within one department which should each
+receive different permissions. Alongside the **IT general** area, the template groups **Exchange**
+and **Firewall** have also been defined below.
+
+![Standard template](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-4-en.webp)
+
+A **default template group** can be defined directly next to the drop-down menu for selecting the
+template group (green arrow). This is always pre-configured when you select “IT” as the OU to save
+records.
+
+## Issuing tags for predefining rights
+
+In the same way that permissions are defined within right templates, it is also possible to
+automatically set **tags**. Their configuration is carried out in the same way as issuing
+[Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md) for records.
+
+![tags for predefining rights](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-5-en.webp)
+
+This process ensures that a special tag is automatically issued when using a certain template group.
+Example cases can be found in the
+[Working with predefined rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/working_with_predefined_rights.md).
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/relevant_user_rights.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/relevant_user_rights.md
new file mode 100644
index 0000000000..b9616e4527
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/relevant_user_rights.md
@@ -0,0 +1,33 @@
+---
+title: "Relevant user rights"
+description: "Relevant user rights"
+sidebar_position: 20
+---
+
+# Relevant user rights
+
+## User rights for predefined rights
+
+The user rights section provides all of the basic information required for handling user rights .
+Nevertheless, the four user rights related to “predefining rights” are explained below.
+
+![global user rights](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_1-en.webp)
+
+- **Can switch default rights templates:** When selecting the rights template, a diverse range of
+ rights template groups can be selected. To be able to select a different template to the default
+ template, the right “Can switch default rights templates” is required. If this right has not been
+ granted, you are forced to use the default template.
+- **Can manage rights templates:** If the user has the right to manage rights templates, they can
+ open the management function for the rights template via the button “predefine rights”. To receive
+ full rights to manage the rights templates for an organisational unit, the rights “read” and
+ “authorize” are required for the corresponding organisational unit.
+- **Can view selection of rights templates:** This right controls whether the rights template
+ selection function is displayed or not when creating new records. If this right has not been
+ granted, the user is thus not able to see for which roles and users the user rights are being
+ defined.
+- **Can remove members from rights templates:** Roles defined within the rights templates cannot be
+ removed without this right. If this right has not been granted, the roles defined in the templates
+ are always authorized for records in this organisational structure.
If the user right is
+ activated: The user can remove the roles via the “x” icon:
+
+![Permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_2-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/scope_of_validity_for_predefined.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/scope_of_validity_for_predefined.md
new file mode 100644
index 0000000000..a9788ab0e2
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/scope_of_validity_for_predefined.md
@@ -0,0 +1,29 @@
+---
+title: "Scope of validity for predefined rights"
+description: "Scope of validity for predefined rights"
+sidebar_position: 30
+---
+
+# Scope of validity for predefined rights
+
+In general, all of the predefined rights for an organisational structure are applied to all
+underlying objects. These objects could be passwords, forms, form fields documents, users,
+applications or also other nested organisational structures in the hierarchy. In the following
+example, the rights template **IT general** has been defined for the organisational unit **IT**.
+
+![rights template](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_1-en.webp)
+
+If this type of “preset” has been defined, the corresponding icon is displayed at the corresponding
+level (= green arrow). As no other icons exist below this level, this means that the preset is valid
+for all underlying objects.
+
+The following example shows how a preset can be defined for when the “password” form is used that
+not only grants the existing permissions to the roles but also provides the sales manager with read
+rights.
+
+![working with rights template](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_2-en.webp)
+
+As can be seen, the preset “IT general” is valid for all objects. An exception here is the
+“password” form because a unique preset has been defined for this form (blue arrow). As a result,
+all records created using the “password” form receive permissions as defined in this preset (incl.
+the sales manager).
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/working_with_predefined_rights.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/working_with_predefined_rights.md
new file mode 100644
index 0000000000..0fc0f1becd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/working_with_predefined_rights.md
@@ -0,0 +1,68 @@
+---
+title: "Working with predefined rights"
+description: "Working with predefined rights"
+sidebar_position: 10
+---
+
+# Working with predefined rights
+
+## Using predefined rights when creating passwords
+
+After you have configured [Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md), you can then use them to
+create new records. Proceed here as follows:
+
+- Select the password module
+- “New password” via the ribbon
+- Select a form
+
+In the next window to appear, the organisational unit “IT” and the template group “Exchange” are
+selected.
+
+![predefined rights](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_1-en.webp)
+
+Here is the underlying rights template as a comparison:
+
+![example for predefined rights](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_2-en.webp)
+
+The relationship between them is obvious. It can be immediately seen that by selecting the
+organisational unit “IT” based on the rights configured in the rights template, permissions are
+granted for the roles “IT management” and also “Administrators”. **The underlying tags “IT” and
+“Exchange” are also set.**
+
+## Preview of the permissions to be set
+
+When using rights templates, the permissions to be granted can be very quickly classified via a
+**color table**. The actual permissions can also be viewed as usual via the
+[Ribbon](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/ribbon.md).
The following color key is used with the
+associated permissions:
+
+| **Color** | **Permission** |
+| --------- | -------------- |
+| Green | Read |
+| Yellow | Write |
+| Orange | Delete |
+| Red | Authorize |
+
+Other rights also exist that are, however, not separately indicated by a color. The overview in the
+ribbon can be used to see whether the “move”, “export” and “print” rights are set or not. The
+permissions for the selected role/user are always displayed – in this case for the role “IT
+management”.
+
+![predefined rights permiissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_3-en.webp)
+
+## Conclusion
+
+The [Manual setting of permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md) enables
+the configuration of rights for both existing and also new records. The option of
+[Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md) represents a very efficient alternative. Instead of
+having to separately grant permissions for every record, a “preset” is defined once for each
+organisational structure. Once this has been done, it is sufficient in future to merely select the
+organisational structure when creating a record. The permissions are then set automatically. This
+process is particularly advantageous for those users who should not set their permissions
+themselves.
+
+![predefined rights diagram](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_4-en.webp)
+
+**CAUTION:** The configuration of permissions can be carried out manually or automatically as
+described. If you want to change previously set permissions later, this has to be done manually.
+Retrospectively defining rights is not possible.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/_category_.json
new file mode 100644
index 0000000000..2b4a3080aa
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Protective mechanisms",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "protective_mechanisms"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md
new file mode 100644
index 0000000000..31cb339a38
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md
@@ -0,0 +1,67 @@
+---
+title: "Password masking"
+description: "Password masking"
+sidebar_position: 30
+---
+
+# Password masking
+
+## What is password masking?
+
+The safest passwords are those that you do not know. Password masking follows this approach. It
+prevents the password from being shown, while allowing the use of the automatic sign-on. You can
+apply it via the button of the same name in the ribbon.
+
+![button password masking](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_1-en.webp)
+
+## Relevant rights
+
+The following option is required to apply password masking.
+
+### User right
+
+- Can apply password masking
+
+### Required permissions
+
+In the same way as for the [Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md) configuration, the **authorize permission**
+for the record is required to apply or remove the masking. Users who have the **authorize
+permission** for a record can continue to use the record without limitations after applying password
+masking. Password masking only applies to users without the "can apply password masking" right.
+
+NOTE: Password masking can only be applied to records with an existing password!
+
+## Applying password masking
+
+The icon in the ribbon allows users with the required permissions to apply password masking
+following a confirmation prompt. By default, the privacy is for all those who have at least reading
+permission, but not the permission **authorize**.
+
+### Password masking via form field permissions
+
+As an alternative, you can also apply password masking via the
+[Form field permissions](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/form_field_permissions.md).
In the
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) of a record, there is a separate
+button in the ribbon for that purpose. Ensure that the password field is highlighted.
+
+![form field permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_2-en.webp)
+
+The special feature when setting or editing masking via the form field permissions is that you can
+individually select users to whom masking will be applied. In the following example, masking has
+been specified only for the role of “trainees”, although the “IT” role does not have the **authorize
+permission** either. In addition to the name of the role or the user, the icon symbolizes the fact
+that visa protection applies to trainees.
+
+![example password masking](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_3-en.webp)
+
+NOTE: Use the icon in the ribbon to apply password masking to all users who have read permission on
+the record, but not the **authorize permission**. If you wish to specify more precisely for which
+users the password masking should be applied, this is also possible via the form field permissions.
+
+NOTE: It is important to note that the login mask for records with password masking will be "sent
+automatically", even if the setting **Browser Extensions: Automatically send login masks** has been
+deactivated.
+
+**CAUTION:** The password masking only applies to those users who are authorized at the time of
+attachment to the record. If a record has the password masking and a user get´s authorized the
+record is **not protected** for this user. The password masking should then be removed and reset.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/protective_mechanisms.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/protective_mechanisms.md
new file mode 100644
index 0000000000..b3faa425c3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/protective_mechanisms.md
@@ -0,0 +1,62 @@
+---
+title: "Protective mechanisms"
+description: "Protective mechanisms"
+sidebar_position: 40
+---
+
+# Protective mechanisms
+
+## What are protective mechanisms?
+
+The primary goal of Netwrix Password Secure is to ensure data security at all times. The
+authorization concept is naturally the most important component when it comes to granting users the
+intended level of permissions for accessing data. Specifically, this makes it possible to make
+certain information only available to selected employees. Nevertheless, it is still necessary to
+have protective mechanisms above and beyond the authorization concept in order to handle complex
+requirements.
+
+- [Visibility](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md) is not separately configured but is instead directly
+ controlled via the authorization concept (read permission). Nevertheless, it represents an
+ important component within the existing protective mechanisms and is why a separate section has
+ been dedicated to this subject.
+- By configuring [Temporary permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/temporary_permissions.md), it is
+ possible to grant users or roles temporary access to data.
+- [Password masking](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md) enables access to the system without
+ having to reveal the passwords of users. The value of the password remains constantly hidden.
+- To link the release of highly sensitive access data to a double-check principle, it is possible to
+ use [Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md).
The configuration of users or roles with the permissions to issue a
+ release is possible down to a granular level and is always adaptable to individual requirements.
+
+The following diagram shows a summary of how the existing protective mechanisms are integrated into
+the authorization concept.
+
+![protective mechanism diagram](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms-en.webp)
+
+In the interplay of the
+[Authorization and protection mechanisms](/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md),
+almost all conceivable scenarios can be depicted. It is worth mentioning again that the
+authorization concept is already a very effective tool, with limited visibility of passwords and
+data records. This concept is present everywhere in Netwrix Password Secure, and will be explained
+in more detail below.
+
+## Visibility as a basic requirement
+
+It should always be noted that **visibility** is always a basic requirement for applying further
+protective mechanisms. A record that is completely hidden from a user (= no read permission) can
+naturally not be given any further protective mechanisms.
+
+NOTE: The visibility of a record is always the basic requirement for applying further protective
+mechanisms
+
+## Combining multiple protective mechanisms
+
+In principle, there are a diverse range of possibilities for combining the above-mentioned
+protective mechanisms. Temporary access to a “masked” record is possible just as having a “masked”
+record which is additionally secured by a double-check principle is also possible.
**Nevertheless,
+it should be noted that temporary permissions in combination with seals always pose a risk.** If
+releasing a seal requires approval from a person who only possesses or possessed temporary
+permissions or will only possess them in future, this could naturally conflict with the configured
+release criteria.
+
+**CAUTION:** The combination of seals and temporary permissions is not recommended if the user with
+permissions to issue a release has only been given temporary permissions.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/_category_.json b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/_category_.json
new file mode 100644
index 0000000000..bb90850646
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Seals",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "seals"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/release_mechanism.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/release_mechanism.md
new file mode 100644
index 0000000000..674cdd9552
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/release_mechanism.md
@@ -0,0 +1,67 @@
+---
+title: "Release mechanism"
+description: "Release mechanism"
+sidebar_position: 20
+---
+
+# Release mechanism
+
+## What is the release mechanism?
+
+A sealed password will not be released until the number of approvals required in the seal has been
+granted. Releases can be granted by anyone who has been defined as having the required permissions
+to issue the release in the seal. The mechanism describes the complete process from the first
+release request to the final grant of the release and the breaking of the seal.
+
+## Users and roles in the release mechanism
+
+As noted in the previous sections, seals always restrict the right of a user to view a specific
+password. Even if the configuration is usually done at the level of the role, each user is naturally
+responsible for his own request when carrying out the release. Even if a seal is defined for a role,
+technically separate seals are created for each individual member of the role.
+
+NOTE: Requests or releases are only valid for the respective user!
+
+**CAUTION:** If a user is a member of several roles of a seal, the "stronger" right is always
+applied. Release rights have a priority over read rights
+
+## 1. Requesting a release
+
+In order to release a seal for sealed passwords, this must be requested from the user with the
+required permissions to issue the release. Within the Netwrix Password Secure client, this can be
+done via the buttons **Reveal** and **Seal** in the ribbon, as well as via the **Icon in the
+password field** of the data record in the reading pane.
+
+![seal protection](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_1-en.webp)
+
+A modal window opens, which can be used to request the seal. The reason for the entry will be
+displayed to the users with the required permissions to issue the release.
+
+![start seal process](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_2-en.webp)
+
+All user with the required permissions to issue the release will be notified that the user has
+requested the seal. This can be viewed via the module
+[Notifications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/notifications.md), as well as in the Seal
+overview.
+
+## 2. Granting a release
+
+The [Seal overview](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md) can be opened via the seal symbol in the
+ribbon directly from the mentioned notification. It is indicated by the corresponding icon that
+there is a need for action. All relevant data for a release are illustrated within the seal
+overview. The reason given in the release is also evident.
+
+![seal overview](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_3-en.webp)
+
+If the release is granted, the Inquirer Im **Module Notifications** will be informed. You can also
+open the seal directly from the ribbon and see the now released state.
+
+![notification seal status](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_4-en.webp)
+
+## 3. Breaking the seal
+
+As soon as the requesting user has received the number of the required releases, he will be informed
+via the notifications as usual. The seal can now be broken. From this point on, the user will be
+able to see the password.
+
+![broken seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_5-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md
new file mode 100644
index 0000000000..88f6a6cf3d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md
@@ -0,0 +1,57 @@
+---
+title: "Seal overview"
+description: "Seal overview"
+sidebar_position: 10
+---
+
+# Seal overview
+
+## What is the seal overview?
+
+Users with the required permissions to issue the releases receive access to the current state of the
+existing seals at any time via the seal overview. The overview is accessible via the ribbon as well
+as the icon in the password field of the reading pane.
+
+![button seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_1-en.webp)
+
+## The four states of a seal
+
+The seal overview provides an overview of all users who have access to the sealed data set. This is
+also the case when they receive the seal on the membership of a role. Functions for editing and
+removing existing seals are also available. In addition, the current state of the seal is displayed
+in the form of a release matrix. There are a total of **four states**, in which a seal can be:
+
+![states of seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_2-en.webp)
+
+#### 1. Sealed
+
+If a data record for a user **is sealed**, the user is prevented from seeing the password by the
+seal. This corresponds to the condition when a seal has been newly installed. By resetting a request
+via the icon at the right edge of the screen, current requests from individual users are also
+returned to the "sealed" state.
+
+#### 2. Release process
+
+If a user has requested a release, it is in the **release process**. This status is highlighted by
+an icon next to the user name, since a possible release can be actively granted by the authorized
+user. These so-called **important entries** can also be filtered in the headline of the seal
+overview in via the column. The maximum duration of an release request can be configured in the
+advanced seal settings.
If the deadline has elapsed without sufficient releases being made, the
+request is deleted and the state “sealed” is restored.
+
+#### 3. Released
+
+If a release is granted, a seal is approved as **released**. The maximum duration of a granted
+release can be limited in the advanced seal settings. The user then has, for example, 24 hours to
+accept the release and break the seal.
+
+#### 4. Broken
+
+The actual **seal breach** is obtained by acquiring knowledge of the release and by actively
+breaking the seal after a security query. Viewing the password is irrelevant. Once broken seals can
+be manually reset by the icon to the right of the broken seal column. The state “Sealed” is
+restored.
+
+**CAUTION:** It makes no sense to re-seal already visible passwords. The user was able to view the
+password. Therefore, it is not monitorable whether the password has been saved, for example, by
+screenshot. In such cases, a new password is the only way to guarantee 100% password security!
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md
new file mode 100644
index 0000000000..e39c9c212c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md
@@ -0,0 +1,149 @@
+---
+title: "Seals"
+description: "Seals"
+sidebar_position: 40
+---
+
+# Seals
+
+## What are seals?
+
+Passwords are selectively made available to the different user groups by means of the
+[Authorization and protection mechanisms](/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md).
+Nevertheless, there are many scenarios in which the ability to view and use a record should be
+linked to a release issued in advance. In this context, the seal is an effective protective
+mechanism. This multi-eye principle protects passwords by securing them with granular release
+mechanisms. If you want to see a password, this must be requested and released. The release can also
+be temporary.
+
+## Relevant rights
+
+The following option is required to add a seal.
+
+## User right
+
+- Can add seal
+
+## Required permissions
+
+Firstly, the user must have the **authorize permission** for the record in order to create seals.
+The read permission to all users and roles that are contained in the seal is also required. The
+exact configuration of password masking and permissions for records is described in detail in the
+Authorization concept section.
+
+## What exactly is sealed?
+
+Technically speaking, the password itself is not sealed. It is the permission to see a password
+field that is protected by a seal. This allows for the most sensitive configurations, in which one
+group can use the password without restrictions, but the same password is sealed for other users.
+The wizard assists users in applying seals, as well as in future maintenance.
+
+**CAUTION:** The complete data set is never sealed! Only the permission to view a password is
+protected by a seal.
+
+**CAUTION:** Be Aware" Only records that are protected with a password can be sealed!
+
+## Seal wizard
+
+All seal configurations are performed in the wizard. Both the application of new seals as well as
+the processing and removing are possible.
The current state of a seal can also be viewed in an
+overview, which is accessible via the button in the ribbon. When the seal wizard is opened via the
+ribbon, the wizard appears in the case of unsealed data sets, which runs in **four steps** through
+the configuration of the seal.
+
+![seal button](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_1-en.webp)
+
+#### 1. Apply seal
+
+![multi-eye principe](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_2-en.webp)
+
+All objects that are sealed are displayed at the beginning. Depending on the data record, this can
+be one object, or several. It is also possible to use existing
+[Seal templates](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md). Optionally, you can
+enter a reason for each seal.
+
+#### 2. Multi-eye principle
+
+The seal logic is the most basic element of this protective mechanism. Here, you define for which
+users or roles the record should be sealed or released in the future. All those for whom the record
+is to be sealed are displayed in red, while all users with the required permissions to issue a
+release are displayed in blue.
+
+![example permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_3-en.webp)
+
+NOTE: All users and roles for which the data set is not sealed and which are not authorized for
+release are displayed in green. These can use the data record independently of the seal.
+
+To avoid having to perform any configuration manually, roles and users are copied directly from the
+authorizations of the data record. Compare with the "permissions" for the record (can be viewed via
+the ribbon).
+
+![example permissions](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_4-en.webp)
+
+Supervisors should issue the releases for their employees. Therefore, the checkbox also follows the
+existing authorizations. The following **scheme** is used:
+
+NOTE: All users and roles that have the **authorize permission** to the record are "authorized to
+issue a release" for the seal by default. All users and roles that do not have the **authorize
+permissions** to the record are copied directly into the "Sealed for" column.
+
+Here is a closer look at the permissions of the role **Administrators** on the record:
+
+![example multi-eye principe](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_5-en.webp)
+
+## Adjusting the seal logic
+
+Although standard authorizations are used as a basis for the sealing concept, these can be adapted.
+The number of releases generally required is as configurable as the required number of releases from
+a role. In the following example, the seal has been extended so that a total of three release
+authorizations are required in order to release the seal **(Multi-eye principle)**. The role of the
+administrators has been marked in the mandatory column. This means that it must grant at least one
+release. In summary: A total of three releases must be made, whereby the group of administrators
+must grant at least one release.
+
+![edit seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_6-en.webp)
+
+In order to be not only dependent on existing authorizations on the data set, other users can also
+be added to the seal. The role accounting under "sealed for" has been added below.
+
+![define permission for the seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_7-en.webp)
+
+NOTE: When a role or a user is added to a seal, these users also receive permissions on the record
+according to the authorization granted in the seal. A role that is added under "Sealed for" receives
+the **Read permission** on the record. When you add authorization permissions, these will include
+the **Read**, **Write**, **Delete**, and **Authorize** permission.
+
+**CAUTION:** All the roles that were once added to the seal can no longer be removed via the seal
+logic. This is only possible directly via the authorizations of the data record!
+
+NOTE: It is possible to seal records for a user who is also authorized to issue a release. In this
+constellation, it is important to ensure that at least one other user is authorized to issue a
+release. In principle, you should never be able to issue a release for yourself.
+
+#### 3. Advanced settings
+
+Advanced seal settings allow you to adjust the multi-eye principle. Both the time validity of a
+release request as well as a granted release can be configured. Multiple break defines whether after
+the breaking of a seal by a user, other users may still break it.
+
+![advanced settings](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_8-en.webp)
+
+#### 4. Saving the seal
+
+Before closing the wizard, it is possible to save the configuration for later use in the form of a
+template. [Seal templates](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/seal_templates.md) can be
+optionally provided with a description for the purpose of overview.
+
+![save seal](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_9-en.webp)
+
+## Summary
+
+The permissions already present on the data set form the basis for any complex seal configurations.
+It is freely definable which users have to go through a release mechanism before accessing the
+password. The roles, which may be granted, are freely definable. An always accessible
+[Seal overview](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md) allows all authorized persons to view the current
+state of the seals. The section on the[Release mechanism](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/release_mechanism.md)
+describes in detail the individual steps, from the initial release request to the final release.
+
+- [Seal overview](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seal_overview.md)
+- [Release mechanism](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/release_mechanism.md)
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/temporary_permissions.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/temporary_permissions.md
new file mode 100644
index 0000000000..8c1ab52484
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/temporary_permissions.md
@@ -0,0 +1,47 @@ +--- +title: "Temporary permissions" +description: "Temporary permissions" +sidebar_position: 20 +--- + +# Temporary permissions + +## What are temporary permissions? + +So far, we have covered permissions that were valid for an unlimited period. However, a permission +can also be granted in advance with a time restriction. Examples are users who stay in the company +for a limited time, such as interns or trainees. + +## Configuration + +When configuring the +[Manual setting of permissions](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/manualsettingofpermissions/manual_setting_of_permissions.md), you can +specify a temporary release for each role. The start date as well as the end date is selected here. +You can start the configuration using the **Extras** area in the ribbon. + +![temporary permission](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions-en.webp) + +In this example, the role "trainees" was granted the read permission to a data set for two weeks. + +## Color scheme + +The colors in the "time period" column provide information on the current status of the granted +permissions: + +- **Brown:** The temporary permission is configured but is still inactive. The selected time period + is still in the future. +- **Green:** The temporary permission is active. +- **Red:** The time period for the temporary permissions has already expired. + +NOTE: Temporary permissions can also be assigned to multiple roles and users at the same time. You +can select multiple users and roles as usual with Ctrl/Shift + left mouse button! + +## Special features of the authorization system + +Due to their very nature, temporary permissions leave lots of potential for incorrect +configurations. Conceivable constellations include a situation when the only user with all rights +only has temporary permissions. 
When these permissions expire, there is no longer any user with full
+permissions. To prevent this happening, users with temporary permissions are handled differently.
+
+**CAUTION:** There must always be one user who has the “authorize” right to a record, who does not
+only have temporary permissions.
diff --git a/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md
new file mode 100644
index 0000000000..b224f8dbc1
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/visibility.md
@@ -0,0 +1,40 @@
+---
+title: "Visibility"
+description: "Visibility"
+sidebar_position: 10
+---
+
+# Visibility
+
+## Visibility of data
+
+The use of a [Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md) is generally the gateway to
+displaying existing records. Nevertheless, this aspect of the visibility of the records is closely
+interwoven with the existing permissions structure. Naturally, a user can always only see those
+records for which they have at least a read Permission. This doctrine should always be taken into
+consideration when handling records. [Tags](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/tags.md) are not
+subject to any permissions and can thus always be used as filter criteria. Nevertheless, the
+delivered results will only contain those records for which the user themselves actually has
+permissions. A good example here is the tag “personal record”. Every user can mark their own record
+as personal – yet each user will naturally only be able to find their own personal records.
+
+## Creating independently working environments
+
+The possibility of separately defining the visibility of individual objects is one of the special
+features within the Netwrix Password Secure authorization concept. Irrespective of whether handling
+records, documents, organisational structures, roles or forms: it is always possible to define
+whether a user or a role possesses a read permission to the object or not. The permissions for each
+of these objects can be defined separately via the ribbon in the permissions dialogue. This approach
+enables the creation of independently existing departments within a database. The permissions
+structure for the SAP form can be seen below. It shows that only the sales manager and the
+administrators are currently permitted to create new records of type SAP.
+
+![example permissions on a form](/images/passwordsecure/9.2/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility-en.webp)
+
+In general, each department can independently use forms, create passwords and manage hierarchies in
+this way. Especially in very sensitive areas of a company, this type of compartmentalization is
+often required and also desired.
+
+NOTE: An alternative also supported by Netwrix Password Secure is for each department to set up
+their own MSSQL database. However, this physical separation requires considerably more
+administration work than the above-mentioned separation of data based on permissions and visibility.
diff --git a/docs/passwordsecure/9.3/configuration/autofilladdon/_category_.json b/docs/passwordsecure/9.3/configuration/autofilladdon/_category_.json
new file mode 100644
index 0000000000..52e6e25746
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/autofilladdon/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Autofill Add-on",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "autofill_add-on"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/autofilladdon/autofill_add-on.md b/docs/passwordsecure/9.3/configuration/autofilladdon/autofill_add-on.md
new file mode 100644
index 0000000000..4fa7aecf05
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/autofilladdon/autofill_add-on.md
@@ -0,0 +1,65 @@
+---
+title: "Autofill Add-on"
+description: "Autofill Add-on"
+sidebar_position: 60
+---
+
+# Autofill Add-on
+
+## What is the Autofill Add-on?
+
+The Autofill Add-on is responsible for the automatic entry of login data in applications. This
+enables logins without knowledge of the password, which can be a particularly valuable tool in
+combination with
+[Password masking](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md).
+The
+[Authorization and protection mechanisms](/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md)
+is used to define which users should receive access.
+
+However, the password remains hidden because it is entered by Netwrix Password Secure.
+
+#### Requirements
+
+The Autofill Add-on is installed together with the Netwrix Password Secure client and can then be
+used by users (assuming they have sufficient permissions). A separate installation is thus not
+necessary. A desktop link is created for both the client and also for the Autofill Add-on.
+
+User rights
+
+The right **Can create web applications** is required for creating new web applications\*
+
+NOTE: The agent can control multiple databases at the same time
+
+#### Functionality
+
+The functionality of the Autofill Add-on is illustrated in the following diagram.
+
+![Automatic entries diagram](/images/passwordsecure/9.2/configuration/autofill_add-on/installation_with_parameters_125-en.webp)
+
+RDP and SSH
+sessions(![1](/images/passwordsecure/9.2/configuration/autofill_add-on/1.webp)
+) are not automatically started via the Autofill Add-on. Applications are created for this purpose
+in the Netwrix Password Secure client. The creation and use of these connections is explained in
+detail in the corresponding section.
+
+Automatically starting all other types of connection is the task of the **Autofill Add-on**.
The
+following types of connections exist:
+
+- Entering login data in Windows applications: Alongside the above-mentioned RDP and SSH sessions,
+ other Windows applications can also be automated
+ (![2](/images/passwordsecure/9.2/configuration/autofill_add-on/2.webp)).
+ A major difference is that the two above-mentioned connections are set up and “embedded” in a
+ separate tab. Other applications, such as e.g. VMware, are directly started as usual. In these
+ cases, the Autofill Add-on takes over the communication between the application server and the
+ Windows applications.
+
+NOTE: For entering data on websites, the record must contain at least the following fields: User
+name, password, URL.
+
+#### Conclusion
+
+As the Autofill Add-on is directly connected to the application server, login data can also be
+entered without the main client. Exceptions are the RDP and SSH connections. These are forced to
+remain part of the client. The Autofill Add-on thus acts as a lean alternative for the use of the
+client with the two limitations mentioned. Naturally, all of the steps completed are still entered
+in the logbook and are always traceable.
diff --git a/docs/passwordsecure/9.3/configuration/autofilladdon/configuration_autofill_add-on.md b/docs/passwordsecure/9.3/configuration/autofilladdon/configuration_autofill_add-on.md
new file mode 100644
index 0000000000..f41c588795
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/autofilladdon/configuration_autofill_add-on.md
@@ -0,0 +1,43 @@
+---
+title: "Configuration"
+description: "Configuration"
+sidebar_position: 10
+---
+
+# Configuration
+
+## Starting the Autofill Add-on
+
+The Autofill Add-on can be directly started via the desktop link that is automatically created when
+it is installed. The login data correspond to the normal user data for the client.
+
+![Login SSO](/images/passwordsecure/9.2/configuration/autofill_add-on/configuration/installation_with_parameters_129-en.webp)
+
+To log in, the desired database and the associated login data are firstly selected. The Autofill
+makes all of the databases configured on the client available. It is also possible to create
+profiles as usual so that the connection data for certain databases can be used efficiently in the
+future.
+
+NOTE: The agent accesses the same configuration file as the client. All changes to profiles will
+thus also affect the client. New profiles can thus also be created via the Autofill.
+
+#### Context menu functionality
+
+After successfully logging in, the Autofill Add-on firstly runs in the background. Right click on
+the icon in the system tray to open the context menu.
+
+![icon options](/images/passwordsecure/9.2/configuration/autofill_add-on/configuration/installation_with_parameters_130-en.webp)
+
+- **Disconnect**: Connect to database/disconnect from database. (All connections are shown for
+ multiple databases)
+- **Login** enables you to log into another database
+- **Disable/Enable agent** allows you the option of temporarily disabling automatic login
+- A diverse range of variables can be defined via the **Settings**
+- **Reload all Data**
+
+Settings
+
+![settings sso agent](/images/passwordsecure/9.2/configuration/autofill_add-on/configuration/installation_with_parameters_131-en.webp)
+
+- The desktop notifications display various information, such as when data is entered
+- Start with Windows includes the Autofill Add-on in the autostart menu
diff --git a/docs/passwordsecure/9.3/configuration/basicview/_category_.json b/docs/passwordsecure/9.3/configuration/basicview/_category_.json
new file mode 100644
index 0000000000..15a94b2924
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "The Basic view",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "basic_view"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/basicview/basic_view.md b/docs/passwordsecure/9.3/configuration/basicview/basic_view.md
new file mode 100644
index 0000000000..bca147482d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/basic_view.md
@@ -0,0 +1,31 @@
+---
+title: "The Basic view"
+description: "The Basic view"
+sidebar_position: 30
+---
+
+# The Basic view
+
+![light-client-en](/images/passwordsecure/9.2/configuration/basic_view/light-client-en.webp)
+
+## What is the Basic view about?
+
+The Basic view is a lean tool for every end user. It guarantees quick and easy access to the daily
+needed passwords. Although the Basic view has a limited range of functions, it can be operated
+intuitively and without previous knowledge or training by any user. The Basic view is designed for
+up to 50 passwords. The Basic view introduces to professional password management. It is also the
+ideal tool for the daily handling of passwords.
+
+![image1](/images/passwordsecure/9.2/configuration/basic_view/image1.webp)
+
+## Requirements & required rights
+
+You don’t need any special permission to use the Basic view. However, the handling of the Basic
+views can be set via rights and settings. Read more in chapter
+[To do for Administration](/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/to_do_for_administration.md).
+
+#### Installation
+
+The Basic view is installed directly with the Web Application, so you don’t need any special
+installation. For further information, visit the
+chapter[Installation Client](/docs/passwordsecure/9.3/installation/installationclient/installation_client.md)
diff --git a/docs/passwordsecure/9.3/configuration/basicview/checklist_of_the_basic_view.md b/docs/passwordsecure/9.3/configuration/basicview/checklist_of_the_basic_view.md
new file mode 100644
index 0000000000..0f58657d3a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/checklist_of_the_basic_view.md
@@ -0,0 +1,40 @@
+---
+title: "Checklist of the Basic view"
+description: "Checklist of the Basic view"
+sidebar_position: 20
+---
+
+# Checklist of the Basic view
+
+## Checklist for setting the Basic view
+
+This checklist helps the administrator in setting the Basic view. To work smoothly with the Basic
+view, the following points must be observed:
+
+1. Select form
+
+The stored form must cover all required field types. At least required: **Text, username, password,
+URL**
+
+2. Set display of the Basic view or Advanced view
+
+The setting **Display passwords in Basic view & display passwords in Advanced view** allows you to
+configure the display of both clients. The passwords can be displayed with an icon, logo or in text
+form.
+
+3. Are users in the right organisational unit?
+
+Check if the user is in the correct organisational unit. The **add** right to the organisational
+unit is also required so that users can create passwords in the Basic view.
+
+4. Define user as Basic view user
+
+You can either define the user directly as Basic view user. This works by changing the user type
+accordingly. Alternatively, you can activate the setting **Start Basic view at next login.** This
+will prompt the user to log in to the Basic view.
+
+![image2](/images/passwordsecure/9.2/configuration/basic_view/checklist/image2.webp)
+
+5. Add default applications (optional)
+
+It is advised to create the applications, which shall be stored as passwords, beforehand.
diff --git a/docs/passwordsecure/9.3/configuration/basicview/password_management.md b/docs/passwordsecure/9.3/configuration/basicview/password_management.md
new file mode 100644
index 0000000000..fc468a0f2c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/password_management.md
@@ -0,0 +1,68 @@
+---
+title: "Password management"
+description: "Password management"
+sidebar_position: 60
+---
+
+# Password management
+
+## Creating passwords
+
+This chapter deals with the main functionality of Basic view, namely the secure storage and
+management of passwords. It should be noted that a password can be stored in different ways.
+
+NOTE: The required settings and rights are given by the in-house administration. Further information
+can be found here: To do for the administration
+
+#### Create with application
+
+**Prerequisite:** An existing application is available. It does not matter whether this is an SSO,
+web, RDP, or SSH application.
+
+![create password](/images/passwordsecure/9.2/configuration/basic_view/password_management/create-password-en.webp)
+
+NOTE: Managing and creating the corresponding applications is the responsibility of the in-house
+administration. How to create an application can be read here and in the following chapters.
+
+Clicking on the existing application opens a window that asks for the user name and password.
+
+![create-password-light](/images/passwordsecure/9.2/configuration/basic_view/password_management/create-password-light.webp)
+
+Once these fields are filled in, the record is created.
+
+![created record](/images/passwordsecure/9.2/configuration/basic_view/password_management/apple-icon-en.webp)
+
+Now the record can be opened by clicking on the corresponding tile.
+
+#### Create without application
+
+Alternatively, it is also possible to create a data set without an application.
+
+By clicking on the + symbol or right click ->New or CTRL+N a new window opens. In this window, the
+information relevant for the stored form is entered in the Password tab. It is also possible to
+assign the data record to each organizational unit to which the creating user is authorized. It does
+not matter in which tab the user is located. If a rights template is defined for the selected
+organizational unit, then this template will take effect at this point. It is also possible to
+define one or more corresponding tags for the data set.
+
+![create new password](/images/passwordsecure/9.2/configuration/basic_view/password_management/create-new-password-en.webp)
+
+![create-light-client](/images/passwordsecure/9.2/configuration/basic_view/password_management/create-light-client.webp)
+
+In the next step, an application can be added to the newly created data record, if one already
+exists. To do this, go to the Linked Applications tab.
+
+![linked applications](/images/passwordsecure/9.2/configuration/basic_view/password_management/linked-applications-en.webp)
+
+Then the whole process is completed by clicking the "Finish" button.
+
+![netwrix logo](/images/passwordsecure/9.2/configuration/basic_view/password_management/netwrix-logo-en.webp)
+
+## Changing and deleting passwords
+
+In order to change or delete passwords you should stay on the corresponding tile with the mouse
+cursor. The control button will appear.
+
+When you click the button, you will be offered the "Edit" and "Delete" options, among others.
+
+![options record light client](/images/passwordsecure/9.2/configuration/basic_view/password_management/options-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/basicview/start_and_login_basic_view.md b/docs/passwordsecure/9.3/configuration/basicview/start_and_login_basic_view.md
new file mode 100644
index 0000000000..6a94328cd6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/start_and_login_basic_view.md
@@ -0,0 +1,52 @@
+---
+title: "Start and Login"
+description: "Start and Login"
+sidebar_position: 30
+---
+
+# Start and Login
+
+## Starting the Web application
+
+To start the Basic view, the Web application must be started first.
+
+As soon as the login mask appears, the login data of the corresponding user are entered there. It is
+essential to ensure that the variant set up by the administrator is used. There are several options
+for this:
+
+local user:
+
+e.g. administrator (user name administrator)
+
+![image3](/images/passwordsecure/9.2/configuration/basic_view/start_and_login/image3.webp)
+
+AD User:
+
+There are 2 possibilities here:
+
+1. username like the local user (e.g. administrator)
+
+2. domain and username (e.g. nps\administrator)
+
+![image4](/images/passwordsecure/9.2/configuration/basic_view/start_and_login/image4.webp)
+
+**CAUTION:** Please ask your administrator if you are not sure which login details apply to you!
+
+#### Change to the web view of the Basic view
+
+As soon as the login was successful, you are now either:
+
+- directly in the web view of the Basic view, because the user is a Basic view user.
+
+or
+
+- in the Web Application. To switch from the Web Application to the Basic view web view, you have to
+ click on your profile name. There you will be offered the option **"Switch to the Basic view"**.
+
+![switch to lightclient](/images/passwordsecure/9.2/configuration/basic_view/start_and_login/switch-to-lc-wc-en.webp)
+
+The Basic view web view is in no way inferior to the Basic view. The same functions are given except
+for the download of the favicons (icon, symbol or logo used by web browsers to mark a website in a
+recognizable way).
+
+![LightClient in WebClient](/images/passwordsecure/9.2/configuration/basic_view/start_and_login/wc-lc-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/basicview/tab_system.md b/docs/passwordsecure/9.3/configuration/basicview/tab_system.md
new file mode 100644
index 0000000000..142059e7fd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/tab_system.md
@@ -0,0 +1,42 @@
+---
+title: "Tab system"
+description: "Tab system"
+sidebar_position: 50
+---
+
+# Tab system
+
+## What is the tab system?
+
+The tab system helps to structure the passwords in order to manage and find them more easily. For
+this purpose, several tabs can be created and switched between them with a click.
+
+![tabs LightClient](/images/passwordsecure/9.2/configuration/basic_view/tab_system/tabs-lc-en.webp)
+
+## Personal and public tabs
+
+Basic view distinguishes between personal and public tabs. The personal tab contains the passwords
+that are exclusively in the organizational unit of the logged-in user. In Advanced view, these are
+the passwords assigned to the personal organizational unit
+
+![tabs](/images/passwordsecure/9.2/configuration/basic_view/tab_system/tab-lc-1-en.webp)
+
+Furthermore, public tabs are also available. These correspond to the public
+
+organizational units on the Advanced view. It is also possible to store all public organizational
+units as public tabs. No upper limit is set here.
+
+![public tab](/images/passwordsecure/9.2/configuration/basic_view/tab_system/public-tab-en.webp)
+
+## Showing and hiding tabs
+
+The public tabs can be shown and hidden as needed. The X closes the current tab.
+
+![close tab](/images/passwordsecure/9.2/configuration/basic_view/tab_system/close-tab-en.webp)
+
+A public tab can be displayed again with a simple click on the +.
+
+![select organisational unit](/images/passwordsecure/9.2/configuration/basic_view/tab_system/select-ou-en.webp)
+
+In the subsequent dialog, only the desired organizational unit must be selected and confirmed with
+OK. All organizational units to which the user is authorized are available here.
diff --git a/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/_category_.json b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/_category_.json
new file mode 100644
index 0000000000..2477c2f261
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "To do for Administration",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "to_do_for_administration"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/errorcodes_of_the_lightclient.md b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/errorcodes_of_the_lightclient.md
new file mode 100644
index 0000000000..ddbeb82e9d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/errorcodes_of_the_lightclient.md
@@ -0,0 +1,51 @@
+---
+title: "Errorcodes of the Basic view"
+description: "Errorcodes of the Basic view"
+sidebar_position: 10
+---
+
+# Errorcodes of the Basic view
+
+## Error codes for administration
+
+If problems with the Basic view should appear, they are classified by error codes. These codes help
+the administration to stop problems even more quickly and solve them. There are 7 different types of
+error codes:
+
+SavePasswordUnknown
+
+An unexpected error has occurred. Further information can be found in the event display of the
+application server.
+
+SavePasswordPlausibilityField
+
+The plausibility has not been fulfilled when saving a password. The mandatory fields of the
+deposited form should be checked.
+
+![installation_with_parameters_156_795x595](/images/passwordsecure/9.2/configuration/basic_view/administration/errorcodes/installation_with_parameters_156_795x595.webp)
+
+NoDefaultForm
+
+No standard form was selected. The form can be stored in the settings under **Standard form (for the
+Basic view).**
+
+![installation_with_parameters_157](/images/passwordsecure/9.2/configuration/basic_view/administration/errorcodes/installation_with_parameters_157.webp)
+
+DefaultFormNotFound
+
+The rights of the form must be checked. The user must have at least the permission to read the form.
+
+DefaultFormMissingFields
+
+The form has been set correctly. However, the field types in the form must be checked. At least
+required: Text, user name, password, URL.
+
+DefaultFormImpossiblePlausibility
+
+When creating a password for an application, there is a field which is not displayed. Therefore, the
+plausibility in fields should be checked.
+
+NoValidOrganisation
+
+Is only relevant for the web view of the Basic view. It is activated if you want to create a
+password using the add-on and the user does not have an OU in which to create it.
diff --git a/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/to_do_for_administration.md b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/to_do_for_administration.md
new file mode 100644
index 0000000000..b5253b7db6
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/todoforadministration/to_do_for_administration.md
@@ -0,0 +1,73 @@
+---
+title: "To do for Administration"
+description: "To do for Administration"
+sidebar_position: 10
+---
+
+# To do for Administration
+
+## Conditions for using the Basic view
+
+The Basic view allows end users to easily manage their passwords in Netwrix Password Secure without
+any training or prior knowledge. In order to ensure proper operation, the administration has to make
+a few preparations first. This will be further discussed in the following.
+
+NOTE: To make the Basic view transition as easy and smooth as possible for the user, the
+administration can orient towards this checklist.
+
+#### Relevant rights and settings
+
+This section lists the rights and settings the user needs to work with the Basic view. The
+administration can adjust these rights and settings at its own discretion.
+
+#### Rights
+
+| User right | Chapter |
+| ---------------------------------------------------------- | ------- |
+| Can add individual passwords in the basic view | |
+| Can close tab of own organisational unit in the basic view | |
+
+#### Settings
+
+| Settings | Chapter |
+| ----------------------------------------------------------- | ------- |
+| Include subordinated organisational units in the basic view | |
+| Start web application in basic view on next login | |
+| Display kind of passwords in the basic view | |
+| Switch logo view on mouse over in the basic view | |
+
+## Password Management in the Basic view
+
+There are several ways to provide/create passwords in the Basic view.
+
+#### Predefined passwords
+
+Predefined passwords have already been created on the FullClient. Basic view users must at least
+obtain the right to read a record in order to use the password.
+
+![installation_with_parameters_154](/images/passwordsecure/9.2/configuration/basic_view/administration/installation_with_parameters_154.webp)
+
+#### Creating passwords via applications
+
+In order to use applications on the Basic view, the administration must first create them on the
+FullClient. By clicking on the application, the end user can easily generate secure passwords. To be
+able to use the application, the user needs at least the authorization to **read**.
+
+Further information on this topic can be found in the chapter
+[Applications](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/applications.md).
+
+![installation_with_parameters_155](/images/passwordsecure/9.2/configuration/basic_view/administration/installation_with_parameters_155.webp)
+
+#### Creating passwords via applications without applications
+
+Please consider the following rights and settings so that Basic view users can create new passwords.
+
+User rights:
+
+- Can create individual passwords in the Basic view
+
+Setting:
+
+**Default form** Otherwise, no form can be assigned to the new password.
+
+- Add right to the organisational unit of the user
diff --git a/docs/passwordsecure/9.3/configuration/basicview/view.md b/docs/passwordsecure/9.3/configuration/basicview/view.md
new file mode 100644
index 0000000000..8c8b27209d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/basicview/view.md
@@ -0,0 +1,64 @@
+---
+title: "View"
+description: "View"
+sidebar_position: 40
+---
+
+# View
+
+## The view of the Basic view
+
+The Basic view interface is arranged in tiles. If a logo/icon has been stored for a password in the
+image management, this can optionally be displayed with the associated data record. If the logo of
+the password is not available, a reduced Outlook view is displayed.
+
+1. view of a Basic view button with stored logo
+
+![apple-logo](/images/passwordsecure/9.2/configuration/basic_view/view/apple-logo.webp)
+
+2. view of a Basic view button without logo, but with deposited web address
+
+![mindfactory-logo](/images/passwordsecure/9.2/configuration/basic_view/view/mindfactory-logo.webp)
+
+3. view of a Basic view button without stored web address/logo
+
+![sql-server-log](/images/passwordsecure/9.2/configuration/basic_view/view/sql-server-log.webp)
+
+Click on the tile to open the application.
+
+![SSO LightClient](/images/passwordsecure/9.2/configuration/basic_view/view/sso-lc-en.webp)
+
+The tiles can be dragged and dropped to the desired position
+
+![move tiles](/images/passwordsecure/9.2/configuration/basic_view/view/move-tiles-en.webp)
+
+## Mouseover
+
+As with add-ons, the control button is displayed as soon as you hover the mouse over the
+corresponding elements. This process is known as "mouseover".
+
+![View LightClient](/images/passwordsecure/9.2/configuration/basic_view/view/view-lc-en.webp)
+
+When you click the button, the following options become visible:
+
+- -New (A new record can be created.)
+- -Edit (The selected record can be edited.)
+- Move (The selected record can be moved to another organisational unit)
+- Move to bin (the selected record can be deleted.)
+- -Copy username (the username of the selected record will be copied to the clipboard).
+- -Copy password (the password of the selected record will be copied to the clipboard).
+- Typing assistance (Use this view to easily type out passwords)
+- -Refresh (The record will be updated.)
+
+You can only perform the above operations if you are sufficiently authorized. Please point this out
+to your in-house administrator if this is not the case for you.
+
+**CAUTION:** You can only execute the mentioned operations if you are sufficiently authorized.
+Please point this out to your in-house administrator if this is not the case for you.
+
+## Image management
+
+Usually, the setup of logos/icons in the i**mage management** is done by the in-house
+administration. You can learn more about this in the FullClient
+[Image management](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/extras/image_manager.md)
+documentation.
diff --git a/docs/passwordsecure/9.3/configuration/browseraddons/_category_.json b/docs/passwordsecure/9.3/configuration/browseraddons/_category_.json
new file mode 100644
index 0000000000..8b9ec7085c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/browseraddons/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Browser Add-ons",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "browser_add-ons"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/browseraddons/applications_add-on.md b/docs/passwordsecure/9.3/configuration/browseraddons/applications_add-on.md
new file mode 100644
index 0000000000..0bc1f16d00
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/browseraddons/applications_add-on.md
@@ -0,0 +1,89 @@
+---
+title: "Applications"
+description: "Applications"
+sidebar_position: 10
+---
+
+# Applications
+
+## What are applications?
+
+Data can be entered on many websites without further configuration. The website is scanned in order
+to find data entry fields in which the user name and password can then be entered. No further steps
+are thus necessary. For websites where data cannot be entered directly, it is necessary to create an
+application manually. These applications correspond to working guidelines that precisely define
+which information should be entered into which target field. The full script that describes the
+assignment is called an “**application**”.
+
+![registration with and without application](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_142-en.webp)
+
+The diagram starts with the user navigating to a website. The application server is then checked to
+see whether a record has been saved for this website for which the currently registered user also
+has the required permissions. If this is the case, the information required for the login is sent to
+the Browser Extension in encrypted form. The password is only decrypted in the add- on shortly
+before it is entered. There are two ways in which the information is entered: **Data entry without
+application** and **Data entry with application**.
+
+Data entry without application
+
+The data entry without application process is sufficient for most websites because the fields can be
+directly assigned (mapping). The system checks in the background whether a login mask has been found
+for any websites visited. The URL is now used to check if there are any records in the linked
+websites that would fit the page. It is only necessary for the hostname including the domain suffix,
+such as .de or .com, to match. The data are then entered. In this case, the user name is transmitted
+to the first user name field that can be found on the page. The password is also entered into the
+first password field found on the page. If automatic login has been activated in the settings, this
+is also carried out by clicking the login button.
+
+#### Data entry with application
+
+It is not possible to automatically recognise the fields that must be filled on some websites. An
+application needs to be created in these cases. If more than two fields need to be transferred, it
+is also necessary to create an application. In this context, “application” means instructions that
+are used to enter information into the fields. It thus assigns fields in the record to the
+associated fields on the website. This mapping process only needs to be configured once. The
+applications is responsible for entering data in the fields on the website from then on. In the
+following example, the data entry process is carried out from the client. Naturally, this is also
+possible via [Browser Add-ons](/docs/passwordsecure/9.3/configuration/browseraddons/browser_add-ons.md). The procedure remains the same.
+
+![installation_with_parameters_143](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_143.webp)
+
+The URL is checked to see whether the record matches the web page. It is only necessary for the
+hostname including the domain suffix (“.de” or “.com”) to match.
+
+## Creating applications
+
+**CAUTION:** The user right Can add new web applications is required in order to create applications
+
+If the login mask on a website cannot be automatically completed, it is necessary to manually create
+an application. To create an application, the desired website is first called up. The add-on is then
+started via the relevant icon. The menu item “Create application\* can be found here
+
+![create application](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_144-en.webp)
+
+A modal window now opens. The actual application is now created here.
+
+![modal application window](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_145-en.webp)
+
+The following options are available:
+
+- **Advanced options** allows you to define a delay separately for each field when entering the
+ data. This is sensible when the process of entering the data would otherwise not run smoothly on
+ sluggish websites.
+- The **Move** setting can be used to change the position of the modal window if it covers the login
+ window
+
+To capture, click on the first field to be filled on the website. It will be directly added to the
+list in the modal window. For better identification, fields that belong together are marked in
+colour.
+
+![choosed application field](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_146-en.webp)
+
+The field type (e.g. INPUT) and the field label are displayed in the field itself. In addition, an
+action is proposed which fits the field type, such as e.g. entering the user name. The action can
+naturally be adjusted if required. Once all fields have been captured, the system checks whether the
+actions are correct. Finally, the application can be saved.
+
+![example for a application](/images/passwordsecure/9.2/configuration/browseradd-ons/applications/installation_with_parameters_147-en.webp)
+
+The saved application is now available for the user and can be used via the add-on.
diff --git a/docs/passwordsecure/9.3/configuration/browseraddons/browser_add-ons.md b/docs/passwordsecure/9.3/configuration/browseraddons/browser_add-ons.md
new file mode 100644
index 0000000000..933e5b0da3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/browseraddons/browser_add-ons.md 
@@ -0,0 +1,128 @@
+---
+title: "Browser Add-ons"
+description: "Browser Add-ons"
+sidebar_position: 50
+---
+
+# Browser Add-ons
+
+Passwords can also be used in the browser using the browser add-on. You can search for passwords in
+the add-on, transfer them to the clipboard or enter them in the input mask of the website
+automatically. The automatic login may require applications.
+
+In order to provide the data, the add-on needs a connection to the database. This can be set up
+directly in server mode.
+
+Currently, add-ons are available for the following browsers:
+
+- Microsoft Edge
+- Google Chrome
+- Mozilla Firefox
+- Safari
+
+![Add-on Browser](/images/passwordsecure/9.2/configuration/browseradd-ons/addon-connections-en.webp)
+
+## Installation
+
+Please find more information about the installation on: Installation Browser Add-ons
+
+## Connection via server mode
+
+If the installation of the browser extension has been carried out, the user can now open the desired
+browser. A window appears in which the security of the connection is confirmed. Pairing is performed
+with a simple click. A new icon will also be displayed in the desired browser from this point
+onwards:
+
+![Icon Add-on](/images/passwordsecure/9.2/configuration/browseradd-ons/addon-icon-en.webp)
+
+If the icon is displayed as shown, it means that although the add-on has been installed.
+
+## Database profiles
+
+The server mode must know which database profile it is connected to. There are two ways of setting
+up a database profile:
+
+First, the database profile can be created manually. Therefore, he following information is
+required: IP address, Web Application URL and database name. Please note that /api is appended to
+the end of the IP address.
+
+![database profil](/images/passwordsecure/9.2/configuration/browseradd-ons/manual-database-profile-en.webp)
+
+It is also possible that the database profile is filled out automatically. For this, you need to log
+on to a database via Web Application. By clicking on the add-on in the Web Application, its profile
+can be taken over. Now all necessary information such as profile name, IP address, Web Application
+and database name are transferred.
+
+![Adopt WebClient profile](/images/passwordsecure/9.2/configuration/browseradd-ons/adopt-database-profile-en.webp)
+
+## The server mode benefits
+
+The server mode offers the following advantages:
+
+- No terminal service is required in terminal server operation
+
+**CAUTION:** Please note that SSO applications only work via Autofill Add-on. If you are in server
+mode and the Autofill Add-on has not been started, SSO applications do not work!
+
+After successful connection, the number of data records available for the current Internet page is
+displayed on the icon.
+
+![record found](/images/passwordsecure/9.2/configuration/browseradd-ons/record-found-en.webp)
+
+## Settings
+
+All settings that relate to the add-on are made centrally on the client. The user settings system
+can be used to enter them globally per organisational unit or per user. The following options have a
+direct impact on the add-ons and can be found in the SSO category:
+
+- Browser add-ons: Automatically send login masks ensures that the login is automatically completed
+ after the access data has been entered. It is thus not necessary to click the relevant button
+ manually
+- About browser add-ons: Automatically fill login masks ensures that access data is entered without
+ the need for any confirmation when a website is recognised.
+
+The default browser option also has an impact on the add-ons. This setting defines the browser in
+which the websites are opened from the client.
+
+NOTE: It is important to note that the login mask for records with password masking will be ”sent
+automatically\*, even if the setting Browser add-ons: Automatically send login masks has been
+deactivated.
+
+## Working with add-ons
+
+NOTE: A record can only be used for entering data if it has a form field of type "URL".
+
+The subscript number mentioned in the previous section is only available with active logins and
+therefore already says a lot about the “Number of possible entries”. For example, if the number “2”
+is shown, you can directly select the account you want to log in with.
+
+![Addon list](/images/passwordsecure/9.2/configuration/browseradd-ons/addon-records-list.webp)
+
+Previously, the prerequisite was that you had to navigate manually to the precise website via the
+browser that you actually wanted to use. This navigation can now also be handled by Netwrix Password
+Secure – as described in the following section.
+
+## Search and navigation
+
+It is currently assumed that the user has to navigate manually to the website on which they want to
+automatically enter login data. This way of working is possible but is not convenient enough. The
+add-on can be used in a similar way to bookmarks. The search field can be used to search for the
+record in the database. The prerequisite is again that the record contains a URL.
+
+![Record usage](/images/passwordsecure/9.2/configuration/browseradd-ons/addon-records-usage-en.webp)
+
+The screenshot shows that the URL and the name of the record (Wikipedia) are searched. The results
+for the search are displayed and can be selected using the arrow buttons or the mouse. The selected
+website will be opened in a separate tab.
+
+## Several passwords for one website
+
+If a user opens a page and multiple passwords with the autofill function are possible for this
+website, no entries will be made unlike in older versions. Instead, the following message appears in
+a pop-up:
+
+![Multiple entries](/images/passwordsecure/9.2/configuration/browseradd-ons/addon-multiple-passwords-en.webp)
+
+However, if the autofill function is only activated for one password but multiple passwords are
+possible, the password with the autofill function is entered. If the user clicks on a record in the
+pop-up, this record is entered as normal (as was the case previously).
diff --git a/docs/passwordsecure/9.3/configuration/browseraddons/how_to_save_passwords.md b/docs/passwordsecure/9.3/configuration/browseraddons/how_to_save_passwords.md
new file mode 100644
index 0000000000..076a3fcd74
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/browseraddons/how_to_save_passwords.md
@@ -0,0 +1,46 @@
+---
+title: "How to save passwords"
+description: "How to save passwords"
+sidebar_position: 20
+---
+
+# How to save passwords
+
+This chapter describes how to store passwords via add-on.
+
+**CAUTION:** You can only save passwords in server mode!
+
+## New access data
+
+With the setup and login via server mode, the access data can now be added automatically. When
+visiting a website whose credentials have not yet been stored in Netwrix Password Secure, you get
+automatically asked whether they should be created.
+
+![new password detected](/images/passwordsecure/9.2/configuration/browseradd-ons/how_to_save_passwords/addon-create-password-en.webp)
+
+By confirming, you will be directly forwarded to the Web Application and registered there. If there
+are less fields in the deposited or selected form than in the login mask, the missing fields are
+automatically created as web form fields by default.
+
+![WebClient prefilled](/images/passwordsecure/9.2/configuration/browseradd-ons/how_to_save_passwords/webclient-prefilled-form-en.webp)
+
+Known access data
+
+If you log in to a login screen with changed access data, you can update this automatically. To do
+this, log on to the login screen of the changed page as usual. Thereupon a message appears that new
+access data has been recognized. Now you can optionally decide to create a new dataset or update an
+already known dataset.
+
+![data was recognized](/images/passwordsecure/9.2/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_151-en.webp)
+
+- **Save password**: The password will be exchanged without opening the Web Application.
+- **check changes**: The Web Application is opened and you are logged in. The previous password has
+ been replaced by the new one. However, the storage must be carried out manually.
+
+![data was recognized](/images/passwordsecure/9.2/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_152-en.webp)
+
+The following prerequisites apply so that a data record is considered to already exist:
+
+- The URL must be identical.
+- The user name must be identical.
+- The entry must be made by the add-on and the change must only affect the password.
diff --git a/docs/passwordsecure/9.3/configuration/configuration.md b/docs/passwordsecure/9.3/configuration/configuration.md
new file mode 100644
index 0000000000..8125627f38
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/configuration.md
@@ -0,0 +1,10 @@
+---
+title: "Configuration"
+description: "Configuration"
+sidebar_position: 40
+---
+
+# Configuration
+
+The following pages will provide you with in-depth information how to configure the different
+Netwrix Password Secure components and features.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/_category_.json b/docs/passwordsecure/9.3/configuration/mobiledevices/_category_.json
new file mode 100644
index 0000000000..69696042ea
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Mobile devices",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "mobile_devices"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/_category_.json b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/_category_.json
new file mode 100644
index 0000000000..f4d1f53a0e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "Autofill",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_android.md b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_android.md
new file mode 100644
index 0000000000..1bc304c41e
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_android.md
@@ -0,0 +1,47 @@
+---
+title: "Autofill in Android"
+description: "Autofill in Android"
+sidebar_position: 20
+---
+
+# Autofill in Android
+
+With autofill, the credentials are transferred from the Netwrix Password Secure app directly to the
+login screens. This works for websites in the browser as well as for other apps.
+
+#### Requirements
+
+For automatic registration, the service must be enabled in the User Help¹ and Show via other apps¹
+Netwrix Password Secure App must be enabled.
+
+#### Autofill
+
+The login data is entered as soon as the app finds a corresponding mask on a web page or in an app.
+In some masks the process starts automatically, in others it is necessary to type in the first
+field.
+
+There are two possible scenarios.
+
+- The **Netwrix Password Secure app** displays all matching passwords. The user selects the desired
+ password and the app enters it.
+- Selection of a password in the Netwrix Password Secure App. This dialog opens automatically if no
+ password is found.
+
+No password found
+
+If no password is found that matches the app or the website called up, the desired password must
+first be selected.
+
+Exactly one password found
+
+If there is a data set that contains exactly the URL that is called up, the corresponding password
+can be suggested. A simple click on the password is then sufficient to pass the data to the website
+or app.
+
+Multiple passwords found
+
+If several matching passwords are found in the database, the desired one must be selected.
+
+NOTE: Depending on the current state, it may be necessary to authenticate on the app before
+selecting or confirming the password to be entered. The database then has to be unlocked via the
+password or Touch ID first.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_ios.md b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_ios.md
new file mode 100644
index 0000000000..bf098c6a41
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/autofill/autofill_in_ios.md 
@@ -0,0 +1,56 @@
+---
+title: "Autofill in iOS"
+description: "Autofill in iOS"
+sidebar_position: 10
+---
+
+# Autofill in iOS
+
+The most important comfort feature of the Netwrix Password Secure app is probably the autofill. With
+autofill, the credentials from the Netwrix Password Secure app are transferred directly to the login
+screens. This works both with websites in the browser and with other apps.
+
+#### Requirements
+
+In order to ensure automatic registration, a few prerequisites must be met. First of all, the
+automatic registration must be set up in the settings. If the **iOS keychain** is not needed, it
+should be deactivated. This makes handling a bit easier. Finally, a database connection must exist
+and access to passwords must be possible.
+
+#### Autofill
+
+**Autofill** always occurs when a login mask is found. No matter whether this is in an app or on a
+website. For some login masks, the auto-enrollment process starts automatically. For other masks,
+you have to type once into the first field. The autofill itself can be divided into three different
+scenarios.
+
+Dialog
+
+Depending on the configuration and scenario, the dialog for entry can have different
+characteristics:
+
+- First, one or more passwords are displayed that match the current page or app. These can be
+ selected and entered with a click.
+- It is also possible to open the dialog for selecting a password. If no password is found, this
+ dialog is displayed directly.
+- Finally, the iOS keychain can also be opened. If this function is not needed, it can be
+ deactivated. The corresponding option will then no longer be offered.
+
+No password found
+
+If no password is found that matches the app or the website, the desired password must first be
+selected.
+
+Exact password found
+
+If there is a data record that contains exactly the URL that is called up, the corresponding
+password can be suggested.
A simple click on the password is then sufficient to pass the data to the
+website or app.
+
+Several passwords found
+
+If several matching passwords are found in the database, the desired one must be selected.
+
+NOTE: Depending on the current state, it may be necessary to authenticate to the app before
+selecting or confirming of the password to be entered. The database then has to be unlocked via the
+password, Touch ID or Face ID.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/mobile_devices.md b/docs/passwordsecure/9.3/configuration/mobiledevices/mobile_devices.md
new file mode 100644
index 0000000000..3f7642b534
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/mobile_devices.md
@@ -0,0 +1,55 @@
+---
+title: "Mobile devices"
+description: "Mobile devices"
+sidebar_position: 70
+---
+
+# Mobile devices
+
+## The new Netwrix Password Secure Mobile App – mobile and simple!
+
+With version 8.10 we have created the perfect complement to the client: **The Netwrix Password
+Secure Mobile App!**
+
+With its **convenient** interface, the Netwrix Password Secure Mobile App offers the perfect
+prerequisite for every user to find their way around **quickly** and **easily**.
+
+For detailed documentation of the **Netwrix Password Secure Mobile App**
+
+NOTE: Please note that as of version 8.10.0, the previous version 7 App is no longer compatible.
+
+#### Security is our ambition
+
+No matter whether you work with a smartphone or a tablet, you benefit from the highest possible
+security on all iOS and Android devices. All passwords are not only available on the mobile device,
+but can also be automatically transferred to websites. So you can use highly complex and therefore
+secure passwords and don’t have to remember them anymore. The Netwrix Password Secure Mobile App
+thus combines security and convenience. In addition, the use of a local database ensures that
+passwords can be accessed even when no
+
+#### Functions
+
+The functionalities of **password management, SSO, synchronization** and **tab system** are even
+more extensive and detailed in the specially created **documentation**.
+
+### Password management
+
+The new **Netwrix Password Secure mobile app** keeps all **passwords** safe. They can not only be
+stored securely but also structured conveniently.
+
+### SSO
+
+The most important convenience feature of the Netwrix Password Secure Mobile app is the possibility
+of entering passwords directly into log-in masks of other apps or browser pages. The configuration
+and correct use can be found out in the corresponding chapters for **iOS** and **Android**.
+
+### Synchronization
+
+Since the data exchange between mobile database and server database is done automatically in the
+background, there is no need to worry about the actuality of the data.
+
+### Tab system
+
+With the new and simplified tab system, the handling for the individual user has been made
+uncomplicated and clear. The affiliation of the passwords is visible at a glance. The exact handling
+of the tab system can be read in the chapter **Tabs**.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/passwords_mobileapp.md b/docs/passwordsecure/9.3/configuration/mobiledevices/passwords_mobileapp.md
new file mode 100644
index 0000000000..05bafbdea5
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/passwords_mobileapp.md
@@ -0,0 +1,85 @@
+---
+title: "Password Management"
+description: "Password Management"
+sidebar_position: 50
+---
+
+# Password Management
+
+In principle, there are two types of passwords. **Global** and **personal** passwords.
+
+#### Global passwords
+
+Global passwords are passwords that are assigned to an organizational unit. These passwords are
+usually used by more than one user.
+
+![Mobile App - global passwords](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/global-passwords-ma-en.webp)
+
+Prerequisites
+
+The following prerequisites must be met in order to create new global passwords:
+
+- User right **Can create new passwords**
+- **Add right** to the corresponding organizational unit
+
+#### Personal passwords
+
+Personal passwords are passwords to which only the creating user is authorized.
+
+![MobileApp - personal passwords](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/personal-passwords-ma-en.webp)
+
+Requirement
+
+The following user rights are required to create personal passwords:
+
+- Can create new passwords
+- Can create personal records
+
+#### Create passwords
+
+When creating a new record, it is necessary to know whether it is a personal or a global password.
+Because according to this criterion you should select the appropriate tab and click on the + located
+in the upper right corner.
+
+![create new password](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/create-new-password-ma-en.webp)
+
+After that, select the required **form**.
+
+![select form](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/select-form-ma-en.webp)
+
+Then, once you have filled in all the relevant information of the selected form, one click on
+**Save** is enough to create the password.
+
+![new entry MobileApp](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/new-entry-ma-en.webp)
+
+#### Editing passwords
+
+To edit a password, click on the corresponding password and select the pencil icon.
+
+![editing password](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/new-entry-ma-2-en.webp)
+
+As soon as you click on the pencil icon again in the new window, in the so-called read-only view,
+you can edit all existing fields.
+
+![edit passwordfield MobileApp](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/edit-passwordfield-ma-en.webp)
+
+![edit passwordfield](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/edit-entry-ma-2-en.webp)
+
+#### Delete
+
+Passwords can currently only be deleted via the Full- or Web Application.
+
+#### Tags
+
+Tags can be added or removed both when creating and editing a password.
+
+![MobileApp - Tags](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/edit-tag-ma-en.webp)
+
+It is also possible to create a completely new tag.
+
+This is possible by searching in the tag selection in the search field for a tag that does not
+already exist.
+
+You will then be offered the option of creating this previously non-existent tag.
+
+![Mobileapp - select/create tag](/images/passwordsecure/9.2/configuration/mobiledevices/passwords/select-tag-ma-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/securitymd.md b/docs/passwordsecure/9.3/configuration/mobiledevices/securitymd.md
new file mode 100644
index 0000000000..2267b13359
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/securitymd.md
@@ -0,0 +1,38 @@
+---
+title: "Security"
+description: "Security"
+sidebar_position: 10
+---
+
+# Security
+
+#### Your security is our ambition
+
+Security is a top priority for Netwrix Password Secure - right from the conception stage, it sets
+the course for all further developments. Of course, security was also taken into account during the
+development of the Netwrix Password Secure app and the latest technologies were used. The following
+encryption techniques and algorithms are currently used:
+
+Global
+
+- AES 256 / RSA 4096 encrypted
+- PBKDF2 with up to 100,000 iterations
+- End to end encrypted (like all Netwrix Password Secure App Clients)
+- No direct connection to Netwrix Password Secure Server required. Connection is via web server.
+- MDM (Mobile Device Management) support
+- Passwords can be used offline when server access is not available
+- Fast incremental data synchronization
+- Easy connection between Netwrix Password Secure Mobile Apps and the server via QR code
+- Easy navigation between private and shared passwords
+- Automatic reconciliation of data using real-time updates
+- Two-factor authentication
+- Synchronization with multiple databases possible
+- Expiration date of databases to ensure automatic deletion
+- Server and app side security settings. Who is allowed to use the app and to what extent?
+
+iOS
+
+- Full support of FaceID and TouchID for passwordless login to the Netwrix Password Secure Mobile
+ app.
+- Password AutoFill support. Passwords are automatically entered in other apps and Safari. (No
+ copy/paste or typing)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/settings_mobileapp.md b/docs/passwordsecure/9.3/configuration/mobiledevices/settings_mobileapp.md
new file mode 100644
index 0000000000..5bcbe95af7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/settings_mobileapp.md
@@ -0,0 +1,75 @@
+---
+title: "Settings"
+description: "Settings"
+sidebar_position: 70
+---
+
+# Settings
+
+As soon as you are logged in to the **Netwrix Password Secure App**, you can access the **settings**
+via the three dots at the very top left of the screen. These will be briefly explained here.
+
+![MobileApp - settings](/images/passwordsecure/9.2/configuration/mobiledevices/settings/settings-ma-en.webp)
+![MobileApp - settings](/images/passwordsecure/9.2/configuration/mobiledevices/settings/settings-2-ma-en.webp)
+
+#### General
+
+Hide personal tab
+
+In some use cases personal passwords are not needed on the mobile device. If this is the case you
+can hide the tab with the personal passwords.
+
+Show all passwords in search tab
+
+If this option is deactivated, a search will always refer to the opened tab only. This can be useful
+if there are several records in the database which have the same name and can only be distinguished
+by the affiliation to an organizational unit.
+
+#### Security
+
+Touch ID / Face ID
+
+Here the login via Face ID or Touch ID can be activated and deactivated.
+
+Automatic logout
+
+Automatic logout from the app can be enabled and configured here.
+
+#### Synchronization
+
+Automatic synchronization
+
+How to synchronize with the main database is configured here. The following options are available:
+
+- **Any type of connection:** as long as there is a connection, synchronization will take place. No
+ matter if it is a WLAN connection or a connection via the mobile network.
+- **Only for WLAN connection:** Synchronization only takes place if there is a connection via WLAN.
+- **Disabled:** It is not synchronized
+
+NOTE: Costs may be incurred for synchronization via the mobile network!
+
+Synchronize now
+
+Starts the synchronization. This can also be started outside the settings at any time by simply
+swiping down.
More information can also be found in the chapter
+[Synchronization](/docs/passwordsecure/9.3/configuration/mobiledevices/synchronization.md).
+
+Fix sync errors
+
+This menu item first checks for errors caused by the synchronization. If there are such errors you
+get the possibility to repair them or to overwrite them with the current state of the server
+database.
+
+#### Logging
+
+Logging
+
+Here you can activate or deactivate the logging.
+
+Show log file
+
+If logging is active, the log file can be displayed here.
+
+Delete log file
+
+Logs that are no longer needed can be deleted here.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/_category_.json b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/_category_.json
new file mode 100644
index 0000000000..237f0e7607
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Setup",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "setup_mobile_device"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/biometric_login.md b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/biometric_login.md
new file mode 100644
index 0000000000..21f0e5c984
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/biometric_login.md
@@ -0,0 +1,15 @@
+---
+title: "Biometric login"
+description: "Biometric login"
+sidebar_position: 30
+---
+
+# Biometric login
+
+Depending on the operating system used (iOS or Android), logging in to the app can also be done
+using biometric factors such as fingerprint or facial recognition. Directly during the first login,
+the app suggests (depending on the type of smartphone) the use of Touch ID or fingerprint or Face ID
+or facial recognition. Clicking **Yes** here is sufficient to log in to the database in the future
+using the respective biometric feature.
+
+![setup face ID](/images/passwordsecure/9.2/configuration/mobiledevices/setup/biometric_login/setup-face-id-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/installation_of_the_app.md b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/installation_of_the_app.md
new file mode 100644
index 0000000000..802549b9a1
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/installation_of_the_app.md
@@ -0,0 +1,34 @@
+---
+title: "Installation of the App / Requirements"
+description: "Installation of the App / Requirements"
+sidebar_position: 10
+---
+
+# Installation of the App / Requirements
+
+The Netwrix Password Secure app is installed as usual via the Apple Store or Google Playstore. The
+apps can be found under the following links:
+
+![App store](/images/passwordsecure/9.2/configuration/mobiledevices/setup/installation_app/appstore-icon.webp)
+
+![Google Play](/images/passwordsecure/9.2/configuration/mobiledevices/setup/installation_app/android-icon.webp)
+
+#### Requirements
+
+The **Netwrix Password Secure Apps** can be installed on the following systems:
+
+**iOS:** at least version 10.14
+
+**Android:** at least version 8.0
+
+**Web Application**: Since the app connects via the Web Application, it is mandatory to have it
+installed. The documentation of the Web Application installation can be seen in the chapter
+[Installation Web Application](/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md)
+
+**Port**: The connection is made via https port 443, which must be enabled on the server side.
+
+[User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md)**:** The users need the
+right **Can synchronize with mobile devices.**
+
+[Database properties](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_properties.md): It must
+be ensured that the Enable mobile synchronization option is set.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/linking_the_database.md b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/linking_the_database.md
new file mode 100644
index 0000000000..ec2263d832
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/linking_the_database.md
@@ -0,0 +1,57 @@
+---
+title: "Linking the database"
+description: "Linking the database"
+sidebar_position: 20
+---
+
+# Linking the database
+
+First, an existing database must be linked to the Netwrix Password Secure app in order to finally
+synchronize the data. During linking, an encrypted database is created on the mobile device, which
+provides the data even without a network connection.
+
+There are two ways to create a link.
+
+#### Manual linking
+
+If the database is to be linked manually, the dialog for creating the link is first called up via
+the + in the top right-hand corner. Here the address of the Web Application is entered and confirmed
+with a click on Connect.
+
+![Create link](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/create-link-ma-en.webp)
+
+In the next step, all available databases are displayed. The desired one can be selected by clicking
+on it.
+
+![choose link](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/choose-created-link-en.webp)
+
+Finally, the login with user name and password takes place. In addition, a meaningful name can be
+assigned.
+
+![log in with your data](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp)
+
+#### Link via QR code
+
+Fulluser
+
+The quickest way to create a link is via a QR code. To do this, first log in to the client. You will
+find the corresponding QR code in the Backstage under Account:
+
+![QR-code](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/link-via-qr-code-en.webp)
+
+Then click on the button for the QR code in the app. In the following dialog, the QR code is simply
+photographed from the monitor. The mobile database is now created directly in the background and
+linked to the database on the server.
In the next step, you can give the database profile a
+meaningful name and log in directly:
+
+![log in with your data](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp)
+
+LightUser
+
+Using the Light view, the user must click on their user account and click on the **Account** option
+
+![Account LightClient](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/account-lc-2-en.webp)
+
+This will open a window where you can use the QR code to scan the database.
+
+![QR code lightclient](/images/passwordsecure/9.2/configuration/mobiledevices/setup/linking_database/account-lc-3-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setting_up_autofill.md b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setting_up_autofill.md
new file mode 100644
index 0000000000..58f2a534f1
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setting_up_autofill.md
@@ -0,0 +1,33 @@
+---
+title: "Setting up autofill"
+description: "Setting up autofill"
+sidebar_position: 40
+---
+
+# Setting up autofill
+
+The most important comfort feature of the Netwrix Password Secure App is probably the autofill, i.e.
+the possibility to enter access data directly into the input mask. The autofill must first be set up
+or configured.
+
+#### Setting up the autofill under iOS
+
+In the settings, first select the item Passwords & Accounts and then Automatically fill in. As soon
+as Auto-fill is activated, all options for filling in login windows are offered. Here one then
+selects Netwrix Password Secure.
+
+RECOMMENDED: We recommend deactivating the **keychain (iOS)** as well as any other apps offered to
+prevent misunderstandings in usage.
+
+![password options](/images/passwordsecure/9.2/configuration/mobiledevices/setup/setting_up_autofill/password-options-en.webp)
+
+#### Setting up automatic registration on Android
+
+In the settings under Operating aids ¹, among the downloaded services, the Netwrix Password Secure
+app is activated.
+
+In addition, you must define in the settings under Show via other apps that Netwrix Password Secure
+may be shown via other apps.
+
+RECOMMENDED: We recommend to use only Netwrix Password Secure for automatic registration and to
+deactivate all other apps here. This prevents possible misunderstandings in the operation.
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setup_mobile_device.md b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setup_mobile_device.md
new file mode 100644
index 0000000000..ee79e122dc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setup_mobile_device.md
@@ -0,0 +1,24 @@
+---
+title: "Setup"
+description: "Setup"
+sidebar_position: 20
+---
+
+# Setup
+
+## Requirements
+
+Netwrix Password Secure Mobile Apps automatically synchronize with an existing Netwrix Password
+Secure database. The [Web Application](/docs/passwordsecure/9.3/configuration/webapplication/web_application.md) is used as the
+interface for this. This must therefore be installed. In addition, the database must be enabled for
+use with mobile devices on the [Server Manager](/docs/passwordsecure/9.3/configuration/servermanger/server_manger.md).
+
+#### Setup and configuration
+
+The setup and initial configuration of the **Netwrix Password Secure App** is explained in the
+following chapters:
+
+- [Installation of the App / Requirements](/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/installation_of_the_app.md)
+- [Linking the database](/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/linking_the_database.md)
+- [Biometric login](/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/biometric_login.md)
+- [Setting up autofill](/docs/passwordsecure/9.3/configuration/mobiledevices/setupmobiledevice/setting_up_autofill.md)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/synchronization.md b/docs/passwordsecure/9.3/configuration/mobiledevices/synchronization.md
new file mode 100644
index 0000000000..9fde565ded
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/synchronization.md
@@ -0,0 +1,40 @@
+---
+title: "Synchronization"
+description: "Synchronization"
+sidebar_position: 40
+---
+
+# Synchronization
+
+The synchronization of data between the mobile database and the server database is extremely
+important. On the whole, you don't have to worry about synchronization, because the data is
+automatically synchronized in the background.
+
+Synchronization logic
+
+First of all, it is important to note how the synchronization has been configured in the
+[Settings](/docs/passwordsecure/9.3/configuration/mobiledevices/settings_mobileapp.md). A prerequisite for successful synchronization is that
+the configured connection is available. This is done via https port 443, which must be enabled on
+the server side. Once the prerequisites have been met, there are the following triggers for
+synchronization:
+
+- A login to the app takes place
+- Swipe down in the app
+- The synchronization is started in the settings of the app.
+- A data record is changed in one of the two databases
+
+Which dataset is being synchronized?
+
+In Netwrix Password Secure, each field in a record has a timestamp. During a synchronization
+synchronization, these timestamps are checked and the newer field is written to the other database.
+
+Example:
+
+Assuming in a record the field "Username" is changed in the Advanced view and the field "Password"
+is changed in the App. "password" is changed in the app, you will have different data statuses on
+both devices. After a synchronization, you will receive the changed user name and the new password
+on both devices.
+
+Settings for synchronization
+
+The configuration is described in the chapter [Settings](/docs/passwordsecure/9.3/configuration/mobiledevices/settings_mobileapp.md)
diff --git a/docs/passwordsecure/9.3/configuration/mobiledevices/tabs.md b/docs/passwordsecure/9.3/configuration/mobiledevices/tabs.md
new file mode 100644
index 0000000000..c805f54acd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/mobiledevices/tabs.md
@@ -0,0 +1,43 @@
+---
+title: "Tabs"
+description: "Tabs"
+sidebar_position: 30
+---
+
+# Tabs
+
+Once you have successfully logged in, you will find yourself in the view where all the user's
+passwords are located.
+
+![all passwords in mobile app](/images/passwordsecure/9.2/configuration/mobiledevices/tabs/all-passwords-ma-en.webp)
+
+Here you have the following options:
+
+Action menu
+
+With a click on
+![three-points-en](/images/passwordsecure/9.2/configuration/mobiledevices/tabs/three-points-en.webp)
+the action menu is opened.
+
+![actions mobile app](/images/passwordsecure/9.2/configuration/mobiledevices/tabs/actions-ma-en.webp)
+
+The following actions are offered:
+
+- **Open settings** (more information can be found in the Settings chapter).
+- **Close tab** (the option is offered only if you are in one of the organizational units tabs. The
+ default ones are excluded)
+- **Logout** (you will be logged out from the database)
+- **Cancel** (closes the action menu and returns to the tab view)
+
+Tabs
+
+Below the passwords there is a bar for managing tabs.
+
+![manage tabs](/images/passwordsecure/9.2/configuration/mobiledevices/tabs/all-passwords-ma-2-en.webp)
+
+By clicking on the plus sign there is a possibility to add more tabs.
+
+![add tabs](/images/passwordsecure/9.2/configuration/mobiledevices/tabs/add-tabs-ma.webp)
+
+These tabs are organizational units that the user can see. By default, the tabs **"All passwords"**
+and **"Personal"** are stored.
diff --git a/docs/passwordsecure/9.3/configuration/offlineclient/_category_.json b/docs/passwordsecure/9.3/configuration/offlineclient/_category_.json
new file mode 100644
index 0000000000..2cd56829c8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/offlineclient/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Offline Add-on",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "offline_client"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/offlineclient/offline_client.md b/docs/passwordsecure/9.3/configuration/offlineclient/offline_client.md
new file mode 100644
index 0000000000..2506a5bbb2
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/offlineclient/offline_client.md
@@ -0,0 +1,58 @@
+---
+title: "Offline Add-on"
+description: "Offline Add-on"
+sidebar_position: 90
+---
+
+# Offline Add-on
+
+## What is the Offline Add-on?
+
+The Offline Add-on enables you to work without an active connection to the Netwrix Password Secure
+server. If the corresponding setting has been configured
+([Setup and sync](/docs/passwordsecure/9.3/configuration/offlineclient/setup_and_sync.md)), the local copy of the server database will be
+automatically synchronized according to freely definable cycles. This ensures that you can always
+use a (relatively) up-to-date version of the database offline.
+
+Facts
+
+- “Microsoft SqlServer Compact 4.0.8876.1” is used for creating offline databases
+- The database is encrypted using AES-128 or SHA-256. A so-called “platform default” is used for
+ this purpose
+- In addition, RSA encryption processes are used
+- More on this subject…::https://technet.microsoft.com/en-us/library/gg592949(v=sql.110).aspx
+
+#### Installation
+
+The Offline Add-on is automatically installed together with the main client. No database profiles
+need to be created – this task is performed by the client during the initial synchronization,
+together with the creation of the offline database.
+
+#### Operation
+
+Operation of the Offline Add-on is generally based on the
+[Operation and setup](/docs/passwordsecure/9.3/configuration/servermanger/operation_and_setup_admin_client.md).
+Since the Offline Add-on only has a limited range of functions, the following must be taken into
+account with regards to its operation:
+
+- There is no dashboard
+- Only the password module is available
+- The filter is not available.
Records are found using the
+ [Search](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/search.md)
+- The automatic login data entry can be performed via the
+ [Autofill Add-on](/docs/passwordsecure/9.3/configuration/autofilladdon/autofill_add-on.md), independently of the Offline Add-on
+
+![Offline Client](/images/passwordsecure/9.2/configuration/offlineclient/installation_with_parameters_264-en.webp)
+
+#### What data is synchronised?
+
+[Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md)
+enhance the security concept in Netwrix Password Secure to include a double-check principle that can
+be defined in fine detail. This means that releases for protected information are linked to the
+positive authentication of one or more users. Naturally, it is not possible to issue these releases
+when the server is not connected. For this reason, sealed records are not synchronized and thus do
+not form part of offline databases.
+
+Otherwise, all records for which the user has the **export right** are synchronised.
+
+Records with **password masking** are adopted into the offline database and can be used as normal.
diff --git a/docs/passwordsecure/9.3/configuration/offlineclient/setup_and_sync.md b/docs/passwordsecure/9.3/configuration/offlineclient/setup_and_sync.md
new file mode 100644
index 0000000000..49b488296d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/offlineclient/setup_and_sync.md
@@ -0,0 +1,86 @@
+---
+title: "Setup and sync"
+description: "Setup and sync"
+sidebar_position: 10
+---
+
+# Setup and sync
+
+## Setting up the offline database
+
+It is important to ensure that the right requirements have been met before setting up the Offline
+Add-on. The following configurations need to be defined in both the Server Manager and also the user
+rights/user settings.
+
+Requirements
+
+To set up offline databases, this option must be activated in the Server Manager first. This process
+is carried out separately for each database in the database view in the Server Manager in the
+“General settings” (right click on the database). This is also possible to do when the database is
+initially created.
+
+![Properties](/images/passwordsecure/9.2/configuration/offlineclient/setup/installation_with_parameters_265-en.webp)
+
+You will find further information on this subject in the
+sections:[ Creating databases](/docs/passwordsecure/9.3/configuration/servermanger/creating_databases.md) and
+[Managing databases](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md)
+
+User rights
+
+The user requires the “offline mode” right. In addition, how long offline mode can be used without a
+server connection can be defined in the user rights.
+
+![User rights](/images/passwordsecure/9.2/configuration/offlineclient/setup/installation_with_parameters_266-en.webp)
+
+Creating an offline database
+
+The synchronization with the offline database can generally be carried out automatically. However,
+**the first synchronization must be carried out manually**. The synchronization is started via the
+Main menu/Account.
+
+![account-en](/images/passwordsecure/9.2/configuration/offlineclient/setup/account-en.webp)
+
+NOTE: The offline databases are stored locally under the following path: %appdata%\MATESO\Password
+Safe and Repository Client\OfflineDB
+
+An offline database must be created per user and client for each online database. This makes it
+possible to use several offline databases with an Offline Add-on.
+
+#### Synchronization
+
+In order to keep the data always consistent, the offline database must be synchronized regularly.
+Synchronization is automatically performed by the client in the background. The interval can be
+freely configured in the
+[User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md). The synchronization is
+completed every 30 minutes by default. When creating and editing records, it is also possible to
+synchronize outside of the synchronization cycle so that the changes are directly available offline.
+In addition, the synchronization can also be started manually in Backstage via “Account”.
+
+A running synchronization is displayed in the icon in the task bar as well as by a status bar in the
+client:
+
+![progress icon](/images/passwordsecure/9.2/configuration/offlineclient/setup/progress-icon-en_64x53.webp)
+
+![installation_with_parameters_269](/images/passwordsecure/9.2/configuration/offlineclient/setup/installation_with_parameters_269.webp)
+
+As soon as the synchronization is completed, this is indicated by a hint.
+
+![notification "offline sync completed"](/images/passwordsecure/9.2/configuration/offlineclient/setup/offline-sync-completed-en_383x75.webp)
+
+#### Relevant settings
+
+![installation_with_parameters_271](/images/passwordsecure/9.2/configuration/offlineclient/setup/installation_with_parameters_271.webp)
+
+Offline mode can be configured and personalized using the four settings mentioned:
+
+- **Offline synchronization after saving a record**: The synchronization of the offline database is
+ completed directly after saving a record. It is important to note that this only applies to those
+ records that are saved by the user who is logged in. Changes made by another user do not trigger
+ any synchronization!
+- **Offline synchronization after login:** If this option is active, the offline database is
+ synchronized after each restart of the client.
+- **Automatic synchronization after an interval**: This setting is used to define the interval at
+ which a synchronization of the offline database will be periodically carried out. The default
+ value is 30 minutes.
+- **Path where the offline database should be saved**: If this field is left empty, the system
+ default is used. Otherwise, the storage location for the offline database can be entered directly.
diff --git a/docs/passwordsecure/9.3/configuration/sdkapi/_category_.json b/docs/passwordsecure/9.3/configuration/sdkapi/_category_.json
new file mode 100644
index 0000000000..ed7af24b66
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/sdkapi/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SDK / API",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "sdk__api"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/sdkapi/migration_guide.md b/docs/passwordsecure/9.3/configuration/sdkapi/migration_guide.md
new file mode 100644
index 0000000000..a194cc8bf7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/sdkapi/migration_guide.md
@@ -0,0 +1,156 @@
+---
+title: "migration_guide"
+description: "migration_guide"
+sidebar_position: 10
+---
+
+## Migration Guide: Breaking Changes - API Login
+
+Overview: We've enhanced the login authentication process to offer a more dynamic and secure
+experience. This update introduces a new method of authentication, effective for servers from
+version 8.12 onward.
+
+**CAUTION:** Important Update: Starting from server version 9.0, the previous login method will no
+longer be functional. Users must adopt the new authentication approach provided in our API to
+continue accessing the services.
+
+#### Why was this change done?
+
+Since version 8.12, our server and clients are supporting authentication methods other than
+passwords. Therefore, we have introduced a two-step authentication in our server and our clients.
+After entering the username, the server is asked for the main factor for the authentication.With the
+release of version 8.12, our server and client applications have expanded their support for
+authentication methods beyond traditional passwords. Consequently, to enhance security, a two-step
+authentication process has been introduced within both our server and client environments. This
+process entails the user inputting their username, followed by a request to the server for the
+primary authentication factor. Notably, this change was not initially implemented in our APIs.
+
+To align our systems with enhanced security standards, we have undertaken the implementation of the
+new PBKDF2 hashing iteration count. As part of this transition, we have made the strategic decision
+to discontinue the use of the old authentication endpoint. Subsequently, we have diligently
+integrated the new authentication mechanism into our APIs to ensure a consistent and secure user
+experience.
+
+Transition details:
+
+- **Old Method Deprecation**: The previous login method is deprecated and no longer operational with
+ servers of version 9.0.
+- **New Authentication Requirement:** To access our services, users must switch to the updated
+ authentication method in our APIs, compatible with servers from version 8.12 onward. Versions
+ older than 8.12 are no longer operational with the API. If you're using such an old version,
+ please use the old API.
+
+**CAUTION:** Action Required: Ensure that your server version is 8.12 or later to implement the new
+authentication method and seamlessly access our services. Update your integration with the API to
+incorporate the revised login interface and maintain uninterrupted service access.
+
+Below are code examples for the previous and updated authentication methods.
+
+#### C#
+
+Previous authentication method (deprecated)
+
+```
+var database = "your-database";
+var username = "your-username";
+var password = "your-password";
+var psrApi = new PsrApi("your-endpoint");
+var mfaRequest = await psrApi.AuthenticationManager.Login(database, username, password);
+while (mfaRequest != null) {
+    // Gathering user input for authentication fields
+    Console.Write(mfaRequest.DisplayName); 
+    foreach (var field in mfaRequest.RequiredFields)
+    {
+        Console.Write(field.Type.ToString()); 
+        var mfa = Console.ReadLine();
+        field.Value = mfa;
+    } 
+    mfaRequest = await psrApi.AuthenticationManager.Login(database, username, password, mfaRequest.RequiredFields);
+}
+```
+
+New authentication method (required for version 9.0 onwards)
+
+```
+var database = "your-database";
+var username = "your-username";
+var psrApi = new PsrApi("your-endpoint");
+var authenticationFlow = psrApi.AuthenticationManagerV2.StartNewAuthentication(database, username);
+await authenticationFlow.StartLogin();
+while (!authenticationFlow.IsAuthenticated) {
+    var requirement = authenticationFlow.GetNextRequirement();
+    var selectedRequirement = requirement.PossibleRequirements.FirstOrDefault() as DynamicFillableAuthentication;
+    foreach (var field in selectedRequirement.Fields) {
+        // Gather user input for authentication fields from the console
+        Console.Write(field.Key);
+        field.Value = Console.ReadLine();
+}
+    await authenticationFlow.Authenticate(selectedRequirement);
+}
+```
+
+#### JavaScript
+
+Previous authentication method (deprecated)
+
+```
+const database = 'your-database'
+const username = 'your-username'
+const password = 'your-password'
+let api = new PsrApi('your-endpoint')
+let mfaRequest = await psrApi.authenticationManager.login(database, username, password)
+while (mfaRequest) {
+    for (const field of mfaRequest.requiredFields) {
+        field.value = prompt(field.type)
+    }
+    mfaRequest = await psrApi.authenticationManager.login(database, username, password, mfaRequest.requiredFields);
+}
+```
+
+New authentication method (required for version 9.0 onwards)
+
+```
+const database = 'your-database'
+const username = 'your-username'
+let api = new PsrApi('your-endpoint')
+await psrApi.authenticationManagerV2.startLogin(database, username)
+while (!psrApi.authenticationManagerV2.isAuthenticated) {
+    let requirement = await psrApi.authenticationManagerV2.getNextRequirement()
+    let selectedRequirement = requirement.PossibleRequirements[0]
+    for (const field of selectedRequirement.Fields) {
+        // Simulating console interaction to gather user input
+        field.Value = prompt(field.Key)
+    } 
+    await psrApi.authenticationManagerV2.authenticate(selectedRequirement)
+}
+```
+
+#### Implementation explanation
+
+The API object is created as always: by passing the server address to the constructor.
+
+After that, the implementation differs slightly between C# and JavaScript. For C#, we’re getting the
+authentication flow via **psrApi.AuthenticationManagerV2.StartNewAuthentication("your-database",
+"your-username");**. On the resulting instance, the asynchronous method **StartLogin()** needs to be
+called and awaited. Using the JavaScript API, we can directly call and await the
+**psrApi.authenticationManagerV2.startLogin('your-database', 'your-username)** method.
+
+After this, you must call the **GetNextRequirement()** method. The result contains the requirements
+the user has to fill in. It usually contains a “Fields“ list, where the “Value” needs to be set. The
+filled requirements need to be sent to the server via
+**psrApi.authenticationManagerV2.authenticate** method. Don’t forget to wait for the result (using
+the **await** keyword).
+
+Now, the authentication via API also provides the possibility to configure a second factor and
+change the user password during login. In this case, the result of the **GetNextRequirement** call
+has the property “IsConfiguration” set to true. If the user can choose between multiple second
+factors, they are all part of the “PossibleRequirements” array. Select the one you want to use, fill
+in the fields, and send the requirement via **authenticate** method.
+
+As soon as the authentication is completed, the **psrApi.authenticationManagerV2.isAuthenticated**
+property is set to true.
+
+For any queries or assistance in transitioning to the new authentication method, please refer to our
+updated documentation or reach out to our support team.
+
+Thank you for your cooperation as we continue to improve security and usability within our API.
diff --git a/docs/passwordsecure/9.3/configuration/sdkapi/sdk__api.md b/docs/passwordsecure/9.3/configuration/sdkapi/sdk__api.md
new file mode 100644
index 0000000000..a95dcf50cc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/sdkapi/sdk__api.md
@@ -0,0 +1,38 @@
+---
+title: "SDK / API"
+description: "SDK / API"
+sidebar_position: 80
+---
+
+# SDK / API
+
+API: This interface can be used to "address Netwrix Password Secure externally" in order to, for
+example, read data for other programs. The API can only be accessed via our wrappers (SDK) using C#
+and JavaScript.
+
+In the JavaScript version of the API, all enums can be found under the global object "PsrApiEnums".
+
+## Requirements and download
+
+The SDK can be downloaded from the Customer Information System.
+
+## Using the API
+
+The central object is "PsrApi". It contains various "managers" that contain the entire business
+logic. First a "PsrApi" object must be created. The only transfer parameter of this class is the
+endpoint of the Netwrix Password Secure WebServices. If the Web Application is in use,
+`https://Web Application-url/api` can be used as the endpoint. Otherwise the Netwrix Password Secure
+Server, i.e. `app-server01:11016`, must be used directly.
+
+## Login
+
+If you do not log in to the system in advance, it is not possible to use the API. The first
+parameter for the login method is the desired database, followed by the user name and password. It
+is important to note that all methods for running the API that initiate a server call are
+implemented asynchronously. “Task” objects are returned in C# and “Promise” objects are returned in
+JavaScript.
+
+## Technical documentation
+
+You can find the complete technical documentation for the SDK
+[here](https://help.passwordsafe.de/api/v9/).
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/_category_.json
new file mode 100644
index 0000000000..a78a651997
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Server Manager",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "server_manger"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md b/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md
new file mode 100644
index 0000000000..7b9ed245bc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md
@@ -0,0 +1,88 @@
+---
+title: "Basic configuration"
+description: "Basic configuration"
+sidebar_position: 10
+---
+
+# Basic configuration
+
+## What is basic configuration?
+
+Within the basic configuration, the connection to the SQL server or to the databases is defined. The
+basic configuration appears the first time the Server Manager is started and can be called up at any
+time in the basic configuration.
+
+![base configuration](/images/passwordsecure/9.2/configuration/server_manager/baseconfiguration/installation_with_parameters_188-en.webp)
+
+## The basic configuration
+
+A special wizard is available to carry out the configuration:
+
+![Baseconfig](/images/passwordsecure/9.2/configuration/server_manager/baseconfiguration/installation_with_parameters_189-en.webp)
+
+#### Service address
+
+The service address of the SQL server can be selected via the drop-down menu. It is mandatory to
+select the adapter via which the Server Manager can also access the SQL server.
+
+The loopback address 127.0.0.1 should not be used here.
+
+#### Service user
+
+Service user This setting is used to define the service user, which is needed to start the server
+service as well as the backup service. The “Use local system” setting starts the services with the
+local system account.
+
+**CAUTION:** The defined service user **needs local administrator** rights to properly configure the
+server and create databases.
+
+#### SQL configuration instance
+
+Under “SQL Server instance” the database server must be specified, including the SQL instance. For
+simplicity, you can copy the server name from the login window of the SQL server.
+
+![installation_with_parameters_190](/images/passwordsecure/9.2/configuration/server_manager/baseconfiguration/installation_with_parameters_190.webp)
+
+If the option “Service user” is selected, enter the user that logs on to the SQL Server. Please note
+that “dbCreator” rights are necessary to create a configuration database. “dbOwner” rights are
+sufficient if the database is created manually on the SQL server and is only accessed here. Enter
+the name of the configuration database under “Database”.
+
+NOTE: Refer to the system requirements for server section for more information about the users.
+
+#### Expert mode
+
+Expert mode displays additional menu options for advanced configurations:
+
+Backup service user
+
+You can use a dedicated user to run the backup here. The service user is selected by default.
+
+SQL configuration instance
+
+This menu item can be configured in expert mode via a so-called connection string.
+
+Certificate
+
+The SSL connection certificate can also be configured under this item to protect the client server
+connection. By default, a certificate is generated by the Server Manager. However, you can also
+choose your own. Further information can be found directly in the section provided for this purpose.
+
+**CAUTION:** Exchanging or overwriting an existing certificate may cause warnings to the clients if
+the certificate is not trusted by each client.
+
+Allow host mode
+
+Host mode is no longer supported since version 8.13.
+
+Activating caching
+
+Caching is activated by default to improve performance. The so-called SqlBroker is registered for
+the database on the SQL server here. The following is cached:
+
+- The roles of the individual users
+- The structure of the organisational units
+- All settings
+
+NOTE: If this option is changed, the server needs to be restarted so that the change can take
+effect.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/certificates/_category_.json
new file mode 100644
index 0000000000..1d195a83f7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Certificates",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "certificates"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md
new file mode 100644
index 0000000000..13df4862f7
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md
@@ -0,0 +1,84 @@
+---
+title: "Certificates"
+description: "Certificates"
+sidebar_position: 20
+---
+
+# Certificates
+
+Various different certificates are used to guarantee the security of Netwrix Password Secure. The
+certificates are essential for the smooth operation of Netwrix Password Secure. It is thus important
+that they are carefully backed up.
+
+## What certificates are used?
+
+The individual certificates are described in the following sections:
+
+- [SSL connection certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/ssl_connection_certificates.md)
+- [Database certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/database_certificates.md)
+- [Master Key certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/master_key_certificates.md)
+- [Discovery service certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/discovery_service_certificates.md)s
+- [Password Reset certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/password_reset_certificates.md)
+
+## Calling up the certificate manager
+
+There are two ways to open the certificate manager. The certificates for each specific database can
+be managed via the ribbon:
+
+![installation_with_parameters_196_647x73](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_196_647x73.webp)
+
+In the **Main menu**, it is also possible to start the certificate manager for all databases via the
+**basic configuration:**
+
+![base configuration](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_197-en.webp)
+
+NOTE: Operation of the certificate manager is always the same. The only difference is whether the
+certificates are displayed for each database or for all databases.
+
+#### Checking existing certificates
+
+After opening the certificate manager, all certificates specific to Netwrix Password Secure will be
+displayed. Clicking on the certificate will display further information.
+
+![installation_with_parameters_198](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_198.webp)
+
+Double clicking on a certificate will open the Windows Certificate Manger to provide more detailed
+information.
+
+![installation_with_parameters_199_423x396](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_199_423x396.webp)
+
+#### Required certificates / deleting no longer required certificates
+
+The overview will initially only display those certificates that are being used and are thus
+required. Clicking on **All** will also display the no longer required certificates. For example, it
+is possible that outdated certificates exist on the machine due to a test installation. These
+certificates can be easily deleted via the corresponding button in the ribbon.
+
+![certificates-ac-4-en](/images/passwordsecure/9.2/configuration/server_manager/certificates/certificates-ac-4-en.webp)
+
+#### Importing certificates
+
+Previously backed up certificates can be integrated into the installation via the Import button.
+This merely requires you to enter the desired .pfx file and its password.
+
+#### Exporting certificates
+
+The relevant certificates will be backed up by clicking on export. A password firstly needs to be
+issued here. If a storage location has not yet been entered via the settings, you are firstly asked
+to enter it.
+
+NOTE: SSL connection certificates are not included in this process and are also not backed up. These
+certificates can be recreated if necessary.
+
+#### Settings
+
+You can define whether every certificate should be saved to its own file in the **settings**. If
+this option has not been activated, all relevant certificates will be backed up in one file. In
+addition, the storage location is defined in the settings.
+
+![installation_with_parameters_201_826x310](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_201_826x310.webp)
+
+#### Backing up certificates
+
+If you want to automatically back up the certificates on a cyclical basis, this can be done via the
+backup system. Further information can be found in the section Backup management.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/database_certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/database_certificates.md
new file mode 100644
index 0000000000..88941c3314
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/database_certificates.md
@@ -0,0 +1,33 @@
+---
+title: "Database certificates"
+description: "Database certificates"
+sidebar_position: 20
+---
+
+# Database certificates
+
+## What is a database certificate?
+
+A unique certificate is created for each database. This has the name **psrDatabaseKey**:
+
+![installation_with_parameters_207](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_207.webp)
+
+The database certificate **does not encrypt the database.** Rather, it is used for the encrypted
+transfer of passwords from the client to the server in the following cases:
+
+- Creation of a WebViewer via a task
+- Creation of an AD profile protected by a master key
+- Login of users imported from AD in Master Key mode
+
+NOTE: The database certificate cannot be replaced by your own certificate.
+
+NOTE: The expiry date for the database certificate is not checked. The certificate thus does not
+need to be renewed.
+
+**CAUTION:** If the database is being moved to another server, it is essential that the certificate
+is also transferred!
+
+#### Exporting and importing the certificate
+
+The section [Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md) explains how to back up the certificate and link it
+again.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/discovery_service_certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/discovery_service_certificates.md
new file mode 100644
index 0000000000..8e6f9c197a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/discovery_service_certificates.md
@@ -0,0 +1,26 @@
+---
+title: "Discovery service certificates"
+description: "Discovery service certificates"
+sidebar_position: 40
+---
+
+# Discovery service certificates
+
+## What is a discovery service certificate?
+
+If a discovery service is created, a corresponding certificate is also created:
+
+![installation_with_parameters_202](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_202.webp)
+
+NOTE: The discovery service certificate cannot be replaced by your own certificate.
+
+NOTE: The certificates for the discovery service have an expiry date. However, this is not checked.
+The certificate thus does not need to be renewed.
+
+**CAUTION:** If the database is being moved to another server, it is **essential that the discovery
+service certificate is also transferred!**
+
+#### Exporting and importing the certificate
+
+The section [Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md)explains how to back up the certificate and link it
+again.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/master_key_certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/master_key_certificates.md
new file mode 100644
index 0000000000..6022c03417
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/master_key_certificates.md
@@ -0,0 +1,29 @@
+---
+title: "Master Key certificates"
+description: "Master Key certificates"
+sidebar_position: 30
+---
+
+# Master Key certificates
+
+#### What is a Master Key certificate?
+
+If Active Directory is accessed via
+[Masterkey mode](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/masterkey_mode.md),
+a certificate will be created. This has the name
+
+Active Directory: Domain:
+
+![installation_with_parameters_208](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_208.webp)
+
+NOTE: The Master Key certificate cannot be replaced by your own certificate.
+
+NOTE: The certificates for Master Key mode have an expiry date. However, this is not checked. The
+certificate thus does not need to be renewed.
+
+**CAUTION:** If the database is being moved to another server, it is essential that the Master Key
+certificate is also transferred!
+
+#### Exporting and importing the certificate
+
+The section certificates explains how to back up the certificate and link it again.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/nps_server_encryption_certificate.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/nps_server_encryption_certificate.md
new file mode 100644
index 0000000000..60020ef87a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/nps_server_encryption_certificate.md
@@ -0,0 +1,17 @@
+---
+title: "Netwrix Password Secure Server Encryption Certificate"
+description: "Netwrix Password Secure Server Encryption Certificate"
+sidebar_position: 60
+---
+
+# Netwrix Password Secure Server Encryption Certificate
+
+With the update to the version 8.16.0 the Netwrix Password Secure Server Encryption Certificate will
+be added automatically.
+
+![NPS Server Encryption](/images/passwordsecure/9.2/configuration/server_manager/certificates/nps-server-encryption_1014x771.webp)
+
+This certificate is important if you will activate an offline license. In future there will be more
+features for which this certificate is relevant.
+
+RECOMMENDED: **Please export this certificate separately!!!**
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/password_reset_certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/password_reset_certificates.md
new file mode 100644
index 0000000000..2634f3be7a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/password_reset_certificates.md
@@ -0,0 +1,28 @@
+---
+title: "Password Reset certificates"
+description: "Password Reset certificates"
+sidebar_position: 50
+---
+
+# Password Reset certificates
+
+## What is a Netwrix Password Secure certificate?
+
+If a [Password Reset](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md) is created,
+a corresponding certificate is created. This ensures that the passwords are transferred in encrypted
+form.
+
+![password-reset](/images/passwordsecure/9.2/configuration/server_manager/certificates/password-reset.webp)
+
+NOTE: The Password Reset certificate cannot be replaced by your own certificate.
+
+NOTE: The certificates for the Password Reset have an expiry date. However, this is not checked. The
+certificate thus does not need to be renewed.
+
+**CAUTION:** If the database is being moved to another server, it is essential that all Password
+Reset certificate is also transferred!
+
+#### Exporting and importing the certificate
+
+The section [Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md)explains how to back up the certificate and link it
+again.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/certificates/ssl_connection_certificates.md b/docs/passwordsecure/9.3/configuration/servermanger/certificates/ssl_connection_certificates.md
new file mode 100644
index 0000000000..82669ab9b8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/certificates/ssl_connection_certificates.md
@@ -0,0 +1,99 @@
+---
+title: "SSL connection certificates"
+description: "SSL connection certificates"
+sidebar_position: 10
+---
+
+# SSL connection certificates
+
+## What is an SSL connection certificate?
+
+The connection between clients and the server is secured via an SSL certificate. The **latest
+encryption standard TLS 1.2** is used here. It is also possible to create a certificate via the
+server, as well as to use an existing certificate with a CA. All computers on which a client is
+installed must trust the certificate.
+
+Otherwise, the following message will appear when the client is started:
+
+**This connection is not trusted!**
+
+The connection to the server is not considered secure.
+
+![not_trusted_certificates](/images/passwordsecure/9.2/configuration/server_manager/certificates/not_trusted_certificates.webp)
+
+NOTE: Windows Server 2012 R2 requires the latest patch level, since it has been delivered with SSL3,
+and has been extended to include TLS 1.2
+
+**CAUTION:** The service user creates the databases. A separate certificate is also generated for
+each database. Therefore, the service user must be a local administrator or a domain administrator,
+as otherwise they would have no rights to save data in the certificate store.
+
+#### Structure of certificates
+
+The following information applies to both the **Netwrix Password Secure certificate** and also to
+your **own certificates:**
+
+Alternative applicant
+
+Communication between the client and server can only take place using the path that is stored in the
+certificate with the alternative applicant. Therefore, the Netwrix Password Secure certificate
+stores all IP addresses for the server, as well as the hostname. When creating your own certificate,
+this information should also be saved under the alternative applicant.
+
+NOTE: All information (including the IP address) are stored as DNS name.
+
+#### Using the Netwrix Password Secure certificate
+
+The name of the PSR certificate is **PSR8Server**. This can be done via the
+[Basic configuration](/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md) in the AdminConsole. The
+certificate is saved locally under:
+
+Local computer -> own certificates -> certificates
+
+NOTE: The certificate is valid from its creation up to the year 9999 – and is thus valid almost
+indefinitely. For this reason, it is not necessary to note any expiry date.
+
+Distributing the Netwrix Password Secure certificate
+
+In order for the certificate to be trusted, it can be exported to the server and then imported to
+the clients. The following storage location needs to be selected here:
+
+local computer -> trusted root certificate location -> certificates
+
+The certificate can be both rolled out and distributed using group guidelines.
+
+Manually importing the Netwrix Password Secure certificate
+
+If the Netwrix Password Secure certificate is not rolled out, it is also possible to manually import
+the certificate. To do this, firstly open the certificate information. In the warning notification,
+the Show server certificate button is available for this purpose. In the following dialogue, select
+the option Install certificate…
+
+![installation_with_parameters_204_415x395](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_204_415x395.webp)
+
+A **Certificate import wizard** will open in which **Local computer** should be selected.
+
+![installation_with_parameters_205_555x405](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_205_555x405.webp)
+
+In the next step, the storage location “trusted root certificate location” needs to be manually
+selected.
+
+![installation_with_parameters_206_556x406](/images/passwordsecure/9.2/configuration/server_manager/certificates/installation_with_parameters_206_556x406.webp)
+
+Finally, the installation needs to be confirmed once again.
+
+NOTE: The user logged in to the operating system requires rights to create certificates
+
+#### Using your own certificate
+
+If a CA already exists, you can also use your own certificate. You can specify this within the
+[Basic configuration](/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md). Please note that a server
+certificate for SSL encryption is used here. The CA must be configured so that all clients trust the
+certificate. It is necessary to adhere to the certification path.
+
+**CAUTION:** When configuring, you must ensure that the clients can access the CA lock lists
+
+Wildcard certificates
+
+Wildcard certificates are not supported. In theory, it should be possible to use them but we cannot
+help with the configuration. You can use wildcard certificates at your own responsibility.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/creating_databases.md b/docs/passwordsecure/9.3/configuration/servermanger/creating_databases.md
new file mode 100644
index 0000000000..6ba623e945
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/creating_databases.md
@@ -0,0 +1,58 @@
+---
+title: "Creating databases"
+description: "Creating databases"
+sidebar_position: 40
+---
+
+# Creating databases
+
+![installation_with_parameters_216](/images/passwordsecure/9.2/configuration/server_manager/creatingdatabase/installation_with_parameters_216.webp)
+
+[https://www.youtube.com/embed/md7_VEdVuWM?rel=0](https://www.youtube.com/embed/md7_VEdVuWM?rel=0)[https://www.youtube.com/embed/md7_VEdVuWM?rel=0](https://www.youtube.com/embed/md7_VEdVuWM?rel=0)
+
+## What are databases?
+
+Databases contain all information on users, records, documents, etc. The changes to objects in
+Netwrix Password Secure will also become part of the MSSQL database. Naturally, the regular creation
+of backups to secure this data should always have the highest priority. The **MSSQL** relational
+database management system is used in Netwrix Password Secure version 9.
+
+## Creating databases
+
+The creation of databases is supported by the database wizard, which is started directly from the
+ribbon. The individual tabs of the wizard are explained below:
+
+![database wizard](/images/passwordsecure/9.2/configuration/server_manager/creatingdatabase/installation_with_parameters_217-en.webp)
+
+Database server
+
+The first tab can be used to manually select the database server. By default, the value defined in
+the Advanced settings is preset. A user can also be entered or the service user can be selected
+instead.
+
+Name
+
+Enter the name of the new database here. Alternatively, you may select an existing database. A
+meaningful name makes it easier to differentiate between databases, especially when using multiple
+databases.
+
+Data
+
+This setting can be used to define whether a template should be used. The template will provide the
+database with ready-made forms and dashboard settings that make it easier to get started. The user
+can select from English and German templates. However, it is also possible to proceed without a
+template – you will then start with a completely empty database. If you have a backup from Password
+Safe version 7, this can be migrated.
+
+User
+
+This setting is used to define the first user to be created – normally this is the administrator. If
+a migration is active, the user can be deleted after migration.
+
+#### Finishing the database wizard
+
+Once a database has been created successfully, , provided it has been selected. If no data migration
+has been selected, the new database is created directly, and will be displayed in the database
+overview.
+
+![created new database](/images/passwordsecure/9.2/configuration/server_manager/creatingdatabase/installation_with_parameters_218-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/_category_.json
new file mode 100644
index 0000000000..99ee9711b4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Database properties",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "database_properties"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_firewall.md b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_firewall.md
new file mode 100644
index 0000000000..8aaed30693
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_firewall.md
@@ -0,0 +1,77 @@
+---
+title: "Database firewall"
+description: "Database firewall"
+sidebar_position: 30
+---
+
+# Database firewall
+
+## What is the database firewall?
+
+The database firewall enables you to regulate access to the database. A whitelist policy is used for
+this process. Firewall rules are used to allow access to the database in individual cases.
+
+#### Activating the firewall
+
+The firewall can be directly activated in the database settings.
+
+![database firewall](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_226-en.webp)
+
+Access to the firewall is blocked after it has been activated. Login attempts are directly blocked.
+
+![installation_with_parameters_227](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_227.webp)
+
+#### Firewall rules
+
+The rules already set are displayed in the section on the right. The icons
+![+](/images/passwordsecure/9.2/configuration/server_manager/database_properties/+.webp)
+and
+![-](/images/passwordsecure/9.2/configuration/server_manager/database_properties/-.webp)
+can be used to add or also delete rules. Rules can be edited by double clicking on them.
+
+![firewall rule](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_230-en.webp)
+
+The following possibilities exist:
+
+- Access from an individual computer is allowed via the IP address.
+- A Range of multiple IP addresses can also be optionally selected.
+- It is also possible to regulate access using the Computer name.
+- Finally, access can also be allowed for a certain Windows user. For example, the administrator can
+ be allowed access irrespective of the computer being used.
+- The setting Grant access defines whether access is allowed or blocked. This is symbolised by a
+ corresponding icon.
+
+Naturally, the rules can also be combined. It is thus possible e.g that only one defined user can
+access one database from a certain IP address.
+
+NOTE: The conditions are always combined using AND operators
+
+If two or more rules overlap, the rule with the least rights will always be applied. For example, if
+a rule allows access from a range of IP addresses but another rule blocks a specific computer within
+this range then the rule blocking the computer is applied.
+
+## Examples
+
+The functionality of the firewall will be explained in more detail using the following rules:
+
+![defined firewall rules](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_231-en.webp)
+
+Approving an IP range (Rule 1)
+
+The first rule in the example allows access from a range of IP addresses from 192.168.150.1 to
+192.168.150.254
+
+Locking a particular computer (Rule 2)
+
+The computer with the IP 192.168.150.64 is within the range defined in Rule 1. Access from this PC
+is blocked using this rule.
+
+Blocking an individual user (Rule 3)
+
+If you want to block a particular user (perhaps because they have left the company) then this is
+also possible.
+
+Computer-independent access for a user (Rule 4)
+
+This rule grants access to the administrator. It is irrelevant which computer the administrator uses
+to log in to the database.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_properties.md b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_properties.md
new file mode 100644
index 0000000000..5691a639db
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_properties.md
@@ -0,0 +1,34 @@
+---
+title: "Database properties"
+description: "Database properties"
+sidebar_position: 60
+---
+
+# Database properties
+
+The properties of a database can be opened by double-clicking on the database. No login to the
+database is required.
+
+![installation_with_parameters_225](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_225.webp)
+
+#### Properties
+
+The following options can be edited:
+
+- [General settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md)
+- [Syslog](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/syslog.md)
+- [Database firewall](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_firewall.md)
+
+General Settings
+
+The following can be defined in the General Settings:
+
+- **Database server** – here the SQL instance can be specified again.
+- **SystemTask check interval** – specifies the time interval in which the check interval for
+ SystemTasks should run (**default set to 60 minutes**)
+- **Enable offline access** – Activate/deactivate the Offline Add-on
+- **Activate access via web client** – Activate/deactivate the web client (**active by default**)
+- **Allow mobile synchronization** – Activate/deactivate synchronization with mobile devices
+- **Lock clients if login is incorrect (IP address)** – Lock IP if login is incorrect
+- **Enable real-time update** – Enables/disables real-time update between clients **(default is
+ active)**
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/general_settings_admin_client.md b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/general_settings_admin_client.md
new file mode 100644
index 0000000000..cf18266eb4
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/general_settings_admin_client.md
@@ -0,0 +1,19 @@
+---
+title: "General settings"
+description: "General settings"
+sidebar_position: 10
+---
+
+# General settings
+
+## What are general settings?
+
+Within the general settings, surface settings regarding the colour scheme as well as the language
+used are configured. The password for logging in to the Server Manager can also be changed here.
+
+![General settings](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_254-en.webp)
+
+## Determining the system hash
+
+This function determines the system hash, and copies it to the clipboard. This hash is used for the
+offline license.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/syslog.md b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/syslog.md
new file mode 100644
index 0000000000..cdef69d3b5
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/syslog.md
@@ -0,0 +1,17 @@
+---
+title: "Syslog"
+description: "Syslog"
+sidebar_position: 20
+---
+
+# Syslog
+
+If desired, the server logs and also the
+**[Logbook](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/logbook.md)** can be transferred to a Syslog
+server. Double clicking on a database allows you to access its settings. The corresponding menu
+items can be found there.
+
+![installation_with_parameters_232](/images/passwordsecure/9.2/configuration/server_manager/database_properties/installation_with_parameters_232.webp)
+
+After activating the Syslog interface via the corresponding option, it is possible to configure the
+Syslog server. If desired, the entire logbook can also be transferred via another option.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/_category_.json
new file mode 100644
index 0000000000..45caf65f25
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Main menu",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "main_menu"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md
new file mode 100644
index 0000000000..418044d227
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md
@@ -0,0 +1,38 @@
+---
+title: "Advanced settings"
+description: "Advanced settings"
+sidebar_position: 40
+---
+
+# Advanced settings
+
+## What are advanced settings?
+
+Global standard default values are specified in the advanced settings.
+
+![advanced settings](/images/passwordsecure/9.2/configuration/server_manager/main_menu/installation_with_parameters_263-en.webp)
+
+#### Database server
+
+The database server stored here is used as a default value when rebuilding databases. There are 2
+modes:
+
+Simple mode
+
+In simple mode, the path to the database server including the user and the associated password can
+be specified. You may use the service user for this purpose.
+
+Extended mode
+
+In extended mode, the connection string can be specified, which contains both the server, the user
+and the password
+
+SMTP server
+
+By configuring the SMTP server you define all settings for emails, which the server should send, eg
+via the notification system. At the final save, the connection is directly tested for functionality.
+The “Save SMTP settings” button becomes active only after a change has been made.
+
+Log forwarding configuration
+
+Here you can define the settings which logs will be forwarded via mail
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/_category_.json
new file mode 100644
index 0000000000..494288a0c3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Backup settings",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "backup_settings"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/automated_deletion_of_backups.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/automated_deletion_of_backups.md
new file mode 100644
index 0000000000..0defce7bf3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/automated_deletion_of_backups.md
@@ -0,0 +1,29 @@
+---
+title: "Automatic backup cleanup"
+description: "Automatic backup cleanup"
+sidebar_position: 20
+---
+
+# Automatic backup cleanup
+
+It is possible to delete backups automatically after a certain period of time. This can be useful if
+you append date and time to the backups and thus generate new files daily.
+
+![automatic cleanup](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-en.webp)
+
+###### Requirement
+
+**CAUTION:** It must be ensured that the user who sets up the automated deletion has sysadmin
+privileges on the SQL server.
+
+###### Furnishing
+
+To be able to use the automatic cleanup, it must be activated first.
+
+For a proper function of the automatic deletion, the following must be defined:
+
+- the age of the backups which have to be deleted
+- the SQL instance
+- all paths where the automatic cleanup of the backup files is to be performed.
+
+![setup automatic backup cleanup](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-2-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md
new file mode 100644
index 0000000000..38781c1b96
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md
@@ -0,0 +1,85 @@
+---
+title: "Backup management"
+description: "Backup management"
+sidebar_position: 10
+---
+
+# Backup management
+
+#### Introduction
+
+Regular backups of the data should always be part of every security concept. If you wish to create
+backups directly on the SQL server, you should also include the Netwrix Password Secure databases.
+If no central backups are carried out at the SQL level, you can create backup profiles using the
+Server Manager. The backups themselves will then be generated on the SQL Server.
+
+#### Difference between an incremental and full backup
+
+A complete backup always saves all data in a database. An incremental backup also creates a complete
+image of the database as the first step. In future, only the changes since the backup created at the
+beginning will be saved. This saves both time and memory capacity.
+
+#### Backup concept
+
+It is recommended that an incremental backup is run every hour. In addition, a full backup should be
+created once a week.
+
+#### Managing the backup schedule
+
+Creating a backup schedule
+
+You can create a new schedule via the ribbon. This is facilitated by a wizard. All the information
+entered under [Backup settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_settings.md) will be used by default.
+
+A profile name is entered first. The desired databases are also selected. You also need to specify
+the directory for the backups.
+
+![new backup profile - base settings](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_257-en.webp)
+
+NOTE: It must be a directory on the SQL server.
+
+Now set the time interval for creating the backups. A preview on the right will show when the
+backups will be created in future. An end date can be optionally entered.
+
+![new backup profile - interval](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_258-en.webp)
+
+In the advanced settings, you can configure whether the backup should be activated directly. It is
+also possible to specify whether to create incremental backups. If the date and time are added to
+the file name, a new backup is created with each run. If this is not done, the last backup is always
+overwritten. The service user can be used to create the backup or a service user can be specified
+with a corresponding name and password.
+
+In addition, you can enter here whether the required certificates should be saved using a backup
+task. Further information can be found in the section
+[Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md).
+
+![installation_with_parameters_259](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_259.webp)
+
+Backup run
+
+The backups are executed by the SQL server in the background. If an error occurs, this is indicated
+in “orange” in the backup list. Information about any errors issued by the SQL server is displayed
+under all backups. A backup will be automatically deactivated if it does not run 5x in a row. This
+will be marked in the list in red. The schedule cannot be reactivated directly. You will need to
+open it and amend it.
+
+Other backup actions
+
+A selected schedule can be deleted via the ribbon. The wizard for a schedule can be called up by
+double-clicking on it to make any changes. In addition, a backup can be started directly via the
+ribbon at any time. The backup service must be running for this purpose. You can also display this
+in the history.
+
+#### Restoring data from a backup
+
+Restoring data from backups is performed using the database module. Data can only be restored to
+existing databases. Firstly, select the required database. You can now select Insert in the ribbon.
+
+![restore backup](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_260-en.webp)
+
+If necessary, firstly enter login data for the user that logs in to the SQL server – although the
+service user is generally used here. Now select the backup file. All the backups contained in the
+file will then be displayed. Now simply click on Restore to restore the backup to the existing
+database.
+
+![Database restore](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_261-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_settings.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_settings.md
new file mode 100644
index 0000000000..6bc2bd279f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_settings.md
@@ -0,0 +1,20 @@
+---
+title: "Backup settings"
+description: "Backup settings"
+sidebar_position: 20
+---
+
+# Backup settings
+
+## What are backup settings?
+
+Within the backup settings the default values for the execution of backups can be defined.
+
+![Backup settings](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_255-en.webp)
+
+#### Interval settings
+
+The interval for backups can be customized as needed. A separate assistant is available for this
+purpose.
+
+![define interval in backup settings](/images/passwordsecure/9.2/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_256-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/disaster_recovery_scenarios.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/disaster_recovery_scenarios.md
new file mode 100644
index 0000000000..3205a682fe
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/disaster_recovery_scenarios.md
@@ -0,0 +1,123 @@
+---
+title: "Disaster recovery scenarios"
+description: "Disaster recovery scenarios"
+sidebar_position: 30
+---
+
+# Disaster recovery scenarios
+
+#### Finding a quick solution in the event of a disaster
+
+In our experience, Netwrix Password Secure is usually installed in IT in a central location. If the
+system fails, it must be possible to gain access to the passwords again as quickly as possible. This
+section is designed to help you quickly find a solution in the event of a problem.
+
+#### Prevention
+
+It is extremely important to create a sensible recovery plan and to make corresponding preparations.
+Unfortunately, it is not possible to supply a finished recovery plan because it always needs to be
+created individually. The following points should be taken into account in this process:
+
+Creating backups
+
+It is of course essential in the event of a disaster that you can access a backup that is as
+up-to-date as possible. Therefore, it is necessary to regularly create
+[Backup management](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md).
+
+Who is responsible in the event of a disaster?
+
+The first thing to decide is who should take action in the event of a disaster. Corresponding
+deputies should also be defined. The responsible employee should have the corresponding rights
+within Netwrix Password Secure.
+
+Providing the required passwords
+
+What passwords do those people responsible need in order to restore Netwrix Password Secure?
+
+- Domain password to log into the specific computer
+- Password for the Server Manager
+- Access data for the service user
+- Access data for the SQL user
+- Password for logging into Netwrix Password Secure
+
+Furthermore, it must be ensured that the responsible user has access to these passwords at all
+times. The following options are possible:
+
+- Store the passwords in the company safe
+- Create corresponding [Offline Add-on](/docs/passwordsecure/9.3/configuration/offlineclient/offline_client.md)
+- Periodically create a HTML WebViewer file with automatic delivery via a system task including
+ e-mail forwarding which can be configured in
+ [Account](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md)
+
+#### Disaster scenarios
+
+The following section will describe various disaster scenarios including the possible recovery
+steps.
+
+Scenario 1
+
+Problem:
+
+Database is corrupt
+
+Solution:
+
+Restore the database from a backup.
+
+Scenario 2
+
+Problem:
+
+Database server is faulty
+
+Solution:
+
+Install the database server on new hardware. If the server name changes as a result, the licence
+needs to be reactivated. If the licence has already been activated multiple times, it may be that it
+can only be released again by Netwrix. If the SQL instance name changes, the connection to the
+database server needs to be reconfigured on the application server. This is carried out via the
+basic configuration.
+
+Any existing offline databases will continue to function properly.
+
+Scenario 3
+
+Problem:
+
+Application server faulty
+
+Solution:
+
+New installation on new hardware. The licence must be reactivated. If the server name has changed,
+it may be that the licence can only be released again by Netwrix. The basic configuration must be
+completed to restore the connection to the database server. If the server name changes, the database
+profile on the client needs to be amended.
+
+Any existing offline databases need to be recreated!
+
+Scenario 4
+
+Problem:
+
+Both servers are faulty but passwords from Netwrix Password Secure are required urgently.
+
+Solution:
+
+Install the database server and application server on new hardware. The licence must be reactivated.
+Restore the database from the backup. The basic configuration must be completed to restore the
+connection to the database server. If the licence has already been activated multiple times, it may
+be that it can only be released again by Netwrix.
+
+Any existing offline databases need to be recreated!
+
+Scenario 5
+
+Problem:
+
+As for Scenario 4 but the Active Directory is also not available.
+
+Solution:
+
+As described for scenario 4. If the user was imported in end-to-end mode, you can also log in
+without an AD connection. Users imported in Masterkey mode cannot log in. Therefore, it is
+recommended that you create special, local emergency users for such cases.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md
new file mode 100644
index 0000000000..da50be8937
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md
@@ -0,0 +1,54 @@
+---
+title: "License settings"
+description: "License settings"
+sidebar_position: 30
+---
+
+# License settings
+
+## What are license settings?
+
+Licenses for the Netwrix Password Secure are managed within the license settings. In addition, all
+current license details are displayed in the window provided for this purpose.
+
+![License settings](/images/passwordsecure/9.2/configuration/server_manager/main_menu/installation_with_parameters_262-en.webp)
+
+## Licenses
+
+**CAUTION:** Version 7 licenses cannot be used for Netwrix Password Secure version 9. “Please
+contact us”: http: //www.passwordsafe.de to obtain a version 9 license.
+
+Licenses are linked via the Netwrix license server. Here are the details:
+
+- license.passwordsafe.de
+- IP: 13.74.32.103
+- Port 443 TCP (standard HTTPS port)
+
+Ensure that this server is accessible. You may also use Proxy servers. The license is retrieved from
+the server and stored in the server configuration. The license will be checked every hour, and
+updated as required. The retention time is 30 days. If there is no internet connection, you can
+continue to work for 30 days. If this period should cause problems, please contact us.
+
+#### Integrating and managing licenses
+
+After purchase, you will receive the required license information in the form of “customer name” and
+“password”. Enter this information directly into the License Server Access area. Use the Select and
+Activate button to establish a connection to the license server. You can select the acquired
+licenses from a list. The license can be now used.
+
+NOTE: Optionally, you may specify a proxy. By default, the proxy stored in the operating system is
+used.
+
+**CAUTION:** The licence is called up in the context of the service user. If you experience
+connection problems, the firewall and, if relevant, the proxy should be checked.
+
+#### How to activate the license via license file
+
+1.
Transition the file attached to this email to the Netwrix Password Secure Server(s).
+2. Open the Netwrix Password Secure Server Manager.
+3. Open the main menu and select the License settings area.
+4. Open the License file tab.
+5. Click Upload license file.
+ ![license_file_tab](/images/passwordsecure/9.2/configuration/server_manager/main_menu/license_file_tab.webp)
+6. Select the file from this email and then click Open.
+ ![activated_license](/images/passwordsecure/9.2/configuration/server_manager/main_menu/activated_license.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/main_menu.md b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/main_menu.md
new file mode 100644
index 0000000000..7612421e77
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/main_menu.md
@@ -0,0 +1,18 @@
+---
+title: "Main menu"
+description: "Main menu"
+sidebar_position: 90
+---
+
+# Main menu
+
+## What is the main menu?
+
+The operation and structure of the Main menu/Backstage menu is the same for the
+[Main menu](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/main_menu_fc.md) on the client. This area can be used
+independently of the currently selected module.
+
+- [General settings](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/general_settings_admin_client.md)
+- [Backup settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_settings.md)
+- [License settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md)
+- [Advanced settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/_category_.json
new file mode 100644
index 0000000000..fa9a46e09d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Managing databases",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "managing_databases"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/_category_.json
new file mode 100644
index 0000000000..4d4f954e47
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Database settings",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "database_settings"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/database_settings.md b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/database_settings.md
new file mode 100644
index 0000000000..a70d518117
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/database_settings.md
@@ -0,0 +1,25 @@ +--- +title: "Database settings" +description: "Database settings" +sidebar_position: 10 +--- + +# Database settings + +To open the settings of a database, select it and click on "Settings" in the ribbon. Alternatively +you can open the context menu with the right mouse button and click on "Properties". In the next +step you will be asked to enter your admin password. After that a window with the settings will +open. + +#### Settings + +You can now make the following settings: + +- Authentication +- [Multifactor Authentication](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md) +- [Session timeout     ](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/session_timeout.md) +- [HSM connection via PKCS # 11](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/hsm_connection.md) +- Automatic cleanup +- SAML configuration +- Deletion of users +- More options diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/hsm_connection.md b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/hsm_connection.md new file mode 100644 index 0000000000..ffe601dbd5 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/hsm_connection.md 
@@ -0,0 +1,49 @@
+---
+title: "HSM connection via PKCS # 11"
+description: "HSM connection via PKCS # 11"
+sidebar_position: 30
+---
+
+# HSM connection via PKCS # 11
+
+## What is the HSM connection?
+
+The HSM connection ensures that the certificates can be outsourced to the HSM. This ultimately leads
+to an increased protection because the certificates are not directly in the server’s access. The
+connection is effected via PKCS # 11.
+
+#### Requirements
+
+In order to be able to connect an HSM, the following conditions have to be met:
+
+- An executable HSM has to be available.
+- The PKCS # 11 drivers have to be installed on the application server.
+- The device is set up via the Administrator database on the Server Manager.
+
+**CAUTION:** Please note, if an HSM is to be used, the database also has to be set up thoroughly. It
+is currently not possible to transfer an existing database to an HSM.
+
+#### Hardware compatibility
+
+In principle, any HSM should work with the PKCS#11 interface. However, it is recommended to try this
+out in a test position or a PoC beforehand.
+
+#### Installation
+
+The installation is set up on the Server Manager via the database settings.
+
+![installation_with_parameters_235](/images/passwordsecure/9.2/configuration/server_manager/managing_databases/database_settings/installation_with_parameters_235.webp)
+
+- **Library path**: Here you can find the installed PKCS # 11 driver of the HSM.
+- **Token-Serial**: The serial number of the token is given here.
+- **Token Label**: The name of the token.
+- **PIN**: Finally, the PIN is specified for authentication at the token.
+
+## Use by Netwrix Password Secure
+
+As soon as the HSM is connected, all server keys are transferred to the HSM. This is the database
+certificate. If the AD has been connected in Masterkey mode, the masterkey will also be transferred
+to the HSM.
Then the certificates are no longer stored in the certificate store of the application
+server, but centrally managed by the HSM. All other keys are not stored on the HSM, but derived from
+the masterkeys. Therefore, Netwrix Password Secure rarely accesses the HSM, for example, at server
+startup or at the AD Sync. As a result, the load on the HSM can be kept low.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md
new file mode 100644
index 0000000000..311f022a43
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md
@@ -0,0 +1,23 @@
+---
+title: "Multifactor Authentication"
+description: "Multifactor Authentication"
+sidebar_position: 10
+---
+
+# Multifactor Authentication
+
+## What is multifactor authentication?
+
+Multifactor authentication is used to secure the logon to the by an additional factor. The actual
+setup takes place in the client. The configured en can then be used by any user
+
+Activation of different factors
+
+In the Databases module, select a database and open its settings via the ribbon...
+
+![Database settings](/images/passwordsecure/9.2/configuration/server_manager/managing_databases/database_settings/mfa-de.webp)
+
+In the settings you define which second factors can be used.
+
+NOTE: If you want to use "Encipherment" for PKI certificates without KeyUsageFlag, uncheck the
+corresponding checkbox.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/session_timeout.md b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/session_timeout.md
new file mode 100644
index 0000000000..8d92779b48
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/session_timeout.md
@@ -0,0 +1,13 @@
+---
+title: "Session timeout"
+description: "Session timeout"
+sidebar_position: 20
+---
+
+# Session timeout
+
+Here you can set individually for each client when an inactive connection to the application server
+is automatically terminated. Select the desired time period in the drop-down menu and save the
+setting by clicking on **"Save"**.
+
+![session timeout](/images/passwordsecure/9.2/configuration/server_manager/managing_databases/database_settings/session-timeout-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md
new file mode 100644
index 0000000000..59344efe61
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/managing_databases.md
@@ -0,0 +1,97 @@
+---
+title: "Managing databases"
+description: "Managing databases"
+sidebar_position: 70
+---
+
+# Managing databases
+
+## Managing a database
+
+The available actions can be selected via the context menu that is accessed using the right mouse
+button or also via the ribbon.
+
+![Managing databases](/images/passwordsecure/9.2/configuration/server_manager/managing_databases/installation_with_parameters_234-en.webp)
+
+## Database settings
+
+All database settings are saved in the database. It is necessary to log in to the database before
+editing the settings. Any user that exists in the database can be used for this purpose. You can
+always restore Global settings via the ribbon.
+
+Multifactor authentication
+
+This area can be used to configure which services will be used for multi-factor authentication. The
+available services are: RSA Secure ID, SafeNet, YubiKey NEO, and YubiKey Nano. After selecting the
+required service, specify the respective access data. You must also configure various services. In
+this case, you can specify on the client which methods will be used by the individual users.
+
+Further information on this subject can be found in the
+section[Multifactor Authentication](/docs/passwordsecure/9.3/configuration/servermanger/managingdatabases/databasesettings/multifactor_authentication_ac.md).
+
+PKCS#11
+
+Via the PKCS # 11 interface, the server keys can be protected via a hardware security module (HSM).
+The interface can be configured here.
+
+Automatic clean up
+
+If desired, the logbook, **notifications, session recordings** and also the **historical documents**
+can be automatically cleaned up here. You merely have to enter how old the data needs to be before
+it is deleted. Logbook entries can be exported before the deletion process.
+
+**CAUTION:** It is important to note that the logbook is also used for the filter functions.
If the
+logbook is regularly cleaned up, it is possible that the full functions of the filter will no longer
+be available.
+
+#### Database actions
+
+Show connection locks
+
+In the ribbon, all connection locks can be displayed. To do this, you must first log in to the
+database. All locked users will be displayed in a list. The following is displayed:
+
+- User name (if known)
+- Reason for lock
+- Number of login attempts
+- Expiry of the lock. The user can be unlocked by right-clicking on an entry.
+
+A user can be locked manually using the corresponding button. It is necessary to select the user,
+configure the expiration of the lock and specify a reason.
+
+Show / disconnect sessions
+
+You can use the corresponding button to display all currently connected clients. After selecting a
+session, the connection can be disconnected.
+
+Migration
+
+Once a database has been selected, the can be started via the ribbon. This also allows multiple
+version 7 databases to be merged into one.
+
+**CAUTION:** When the migration is started, the database is set to migration mode. For the duration
+of the migration, it is not possible to log in to the database – users who are already logged in
+will be sent a corresponding message. The sessions will, however, remain open so that users can
+continue working as soon as the migration is complete.
+
+Certificates
+
+Management of the certificates is very important. This is described in the section certificates.
+
+Display database users
+
+This button can be used to call up statistics about the users in the respective databases. It shows
+you which users are active in which database. Naturally, this list can also be exported.
+
+#### Data backup
+
+Here you can view the history of all backups or also a single backup.
+
+Show history
+
+All backups of the database are displayed hierarchically in a sortable list.
+
+Importing
+
+A backup can be restored here. This can be done via a file or from the history.
The procedure is
+described under Backup management
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/msp/_category_.json
new file mode 100644
index 0000000000..048747ed4d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "MSP",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "msp"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/_category_.json b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/_category_.json
new file mode 100644
index 0000000000..e5ccaed2bd
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Changes in the Server Manager",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "changes_in_the_adminclient"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/changes_in_the_adminclient.md b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/changes_in_the_adminclient.md
new file mode 100644
index 0000000000..50ab4adf26
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/changes_in_the_adminclient.md
@@ -0,0 +1,25 @@
+---
+title: "Changes in the Server Manager"
+description: "Changes in the Server Manager"
+sidebar_position: 10
+---
+
+# Changes in the Server Manager
+
+#### Navigation
+
+In the previous on-prem version, there are the modules Databases (1) and Backups (2).
+
+![Modules in AdminClient](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/module-ac-en_606x403.webp)
+
+In the new MSP version these have been replaced by the modules Customers (1) and Cost Overview (2).
+
+![AdminClient - MSP module](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/module-msp-ac-en.webp)
+
+In the MSP version, you will find the individual customer databases under the Customers module.
+
+NOTE: The Backup module has been removed, because Netwrix Password Secure's own backup is not
+suitable for environments with multiple customer databases. As a Managed Service Provider, you must
+back up your customer databases yourself using appropriate measures.
+
+The Status and Web Application modules are identical in both versions.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/cost_overview_module.md b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/cost_overview_module.md
new file mode 100644
index 0000000000..5f9917c138
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/cost_overview_module.md
@@ -0,0 +1,14 @@
+---
+title: "Cost overview module"
+description: "Cost overview module"
+sidebar_position: 20
+---
+
+# Cost overview module
+
+In the Cost overview module, all billed customers are displayed. Here you can see all changes in the
+number of users and options (1) for the current month (forecast) and the past months at a glance.
+This view can be filtered by month (2). If you use your own billing system, you can export the
+displayed or filtered values as a CSV file (3).
+
+![Cost overview](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/cost_overview/cost-overview-en_998x722.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/customers_module.md b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/customers_module.md
new file mode 100644
index 0000000000..064b96752d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/changesintheadminclient/customers_module.md
@@ -0,0 +1,105 @@
+---
+title: "Customers module"
+description: "Customers module"
+sidebar_position: 10
+---
+
+# Customers module
+
+#### Creating a new customer
+
+Creating a new customer is done via the Customers module (1). Here, click on New (2) in the upper
+left corner. This applies both to customers in a test phase and to customers who are to be billed
+immediately.
+
+![create-new-customer-msp-en_1035x753](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/create-new-customer-msp-en_1035x753.webp)
+
+When creating a new customer, the customer name is specified under **General** (1).
+
+If (2) is not checked, a test customer is created without billing. This is then a customer in the
+test phase. If (2) is checked, a customer will be created who will be charged by Netwrix from the
+current month.
+
+At (3) a date is automatically entered that is four weeks in the future. This date can be changed by
+the managed service provider for test customers as well as billed customers, for example to limit
+the test period or if the date of a possible termination of a billed customer should be known in
+advance.
+
+![General settings new customer](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/general-new-customer-msp-en_1029x682.webp)
+
+Under License (4) the maximum number of users can be specified. Here you have the possibility
+
+(5) to limit the number up to which new users can be created or not. The options booked by the
+customer (6) can be activated or deactivated by ticking them off. All other settings are identical
+to the on-prem version.
+
+![License settings new customer](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/licence-new-customer-msp-en_1013x675.webp)
+
+After saving, the test customers are displayed under Test (1) and the customers to be billed under
+Billed (2).
When you click on a (test) customer, you will see the associated
+
+information and activated options. By clicking the button Edit (3 + 4) you can make
+
+adjustments can be made. The contract data can be adjusted by Edit (3).
+
+The options can be activated or deactivated by Edit (4).
+
+![overview-1-msp-en](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/overview-1-msp-en.webp)
+
+#### Test customer view
+
+In the view of a test customer, the general contract data can be edited under the general contract
+information under Edit (1) and the test customer can be converted to a billed customer. Billing
+customers can no longer be converted back to test customers.
+
+Under Active options, options can be selected and deselected with Edit (2). For test customers, no
+billing data is available in the Forecast, Last Months and Cost History fields.
+
+Since no costs are incurred for test customers, no information is displayed here under User history
+(3), Forecast, Last months and Cost history.
+
+![test-customer-view-msp-en_1024x742](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/test-customer-view-msp-en_1024x742.webp)
+
+#### Billed customer view
+
+Here you can also edit the contract details and activate or deactivate options. Additionally you can
+see the user history (4) of the last months, the forecast for the current month (5) including the
+expected costs for the users and options, as well as the total amount. Furthermore, you will find
+the statements of the last months (6) and a graphical representation of the cost history (7).
+
+![billed-customer-msp-en_1032x752](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/billed-customer-msp-en_1032x752.webp)
+
+#### Deactivating and reactivating a customer
+
+Both test customers and customers to be billed can be deactivated, e.g.
if a test customer cannot
+continue testing until later or if a customer to be billed does not pay his invoice. When
+deactivating, all data is retained and the customer can be completely restored.
+
+To deactivate a customer, select the database (1) and then Deactivate (2).
+
+![deactivate-customer-msp](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-msp.webp)
+
+A reason (3) can be specified for the deactivation and then the database can be deactivated (4).
+
+![deactivate-customer-2-msp](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-2-msp.webp)
+
+To reactivate a deactivated customer, select the deactivated database (1) and then Activate (2).
+
+![reactivate-customer-msp-en](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/reactivate-customer-msp-en.webp)
+
+#### Deleting a customer
+
+To delete a customer, select the database (1) and then Remove (2). Removal is possible with both
+active and deactivated customer databases.
+
+![remove-customer-msp-en_947x686](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/remove-customer-msp-en_947x686.webp)
+
+Deletion must be confirmed (3).
+
+![confirm-delete-customer-msp-en](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/confirm-delete-customer-msp-en.webp)
+
+The following dialog box (4) indicates that the database has been deleted in Netwrix Password
+Secure, but you as an MSP are responsible for deleting the database in the SQL server as well as any
+existing backups.
+
+![successfull-deletion-msp-en](/images/passwordsecure/9.2/configuration/server_manager/msp/changes_in_ac/customers_module/successfull-deletion-msp-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/msp/msp.md b/docs/passwordsecure/9.3/configuration/servermanger/msp/msp.md
new file mode 100644
index 0000000000..62296b76f3
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/msp/msp.md
@@ -0,0 +1,15 @@
+---
+title: "MSP"
+description: "MSP"
+sidebar_position: 100
+---
+
+# MSP
+
+Whether you are a partner or an end user of Netwrix Password Secure - this help will support you in
+getting started with MSP and guide you safely through the configuration and operation of the
+software.
+
+We are pleased that you have chosen Netwrix Password Secure for your password protection needs.
+
+We hope you enjoy discovering your new password manager!
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/operation_and_setup_admin_client.md b/docs/passwordsecure/9.3/configuration/servermanger/operation_and_setup_admin_client.md
new file mode 100644
index 0000000000..4fc2f23079
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/operation_and_setup_admin_client.md
@@ -0,0 +1,115 @@
+---
+title: "Operation and setup"
+description: "Operation and setup"
+sidebar_position: 80
+---
+
+# Operation and setup
+
+## Structure of the Server Manager
+
+The structure of the Server Manager is based to a high degree on the structure of the actual client.
+The control elements such as the ribbon and the info and detail areas can be derived from the
+section dealing with the
+client([Operation and Setup](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/operation_and_setup.md)).
+
+NOTE: An initial password is required for the first login on Server Manager. The password is
+“admin”. This password should be changed directly after login and carefully documented.
+
+#### Status module
+
+![Status Admin Client](/images/passwordsecure/9.2/configuration/server_manager/operation_and_setup/installation_with_parameters_248-en.webp)
+
+1. Ribbon
+
+As usual the ribbon can be found above. Because the module is purely informative, there is no
+functionality in the ribbon, except for updating the view
+
+2. Notification area
+
+- The info area shows the status of the specific services. Click the icon to configure services. By
+ default, the base configuration is used. If necessary, individual parameters can be replaced or
+ adapted to personal requirements.
+- You can start and stop a specific service via
+- On the right side of the info area, the utilization of the processor and main memory is displayed
+ over two curves.
+- In the “Backup service” area, the last backups are displayed using a diagram. There is a green bar
+ for a successful backup, a red symbolizes a failed backup. Additional information is displayed via
+ a mouseover.
+
+3. Server log
+
+The server logbook shown on the right of the screen monitors and controls the server. It shows all
+relevant actions on the server in a comprehensible way, always displaying the last 100 entries.
The
+
+| Action | Color |
+| ----------------------------- | ------ |
+| Expected actions | black |
+| Events that require attention | orange |
+| Problems and crashes | red |
+
+- Expected actions – such as starting and stopping services – are displayed in black
+- All events (e.g. failed login attempts) that require attention are displayed in orange
+- All problems (e.g. crashes) are marked in red
+
+The server logbook can be sorted in ascending and descending order by date and description via the
+column headings. The period shown can be limited using .
+
+# Databases module
+
+Databases are managed in a dedicated module. All relevant information on the existing databases can
+also be called up – completely without accessing the SQL server.
+
+![Databases Admin Client](/images/passwordsecure/9.2/configuration/server_manager/operation_and_setup/installation_with_parameters_252-en.webp)
+
+1. Ribbon
+
+2. Database overview
+
+In the database overview, all databases listed alphabetically. This section can be minimised using
+the arrow symbol on the top, left edge. Right-click on one of the databases to display a context
+menu with all available functions.
+
+3. Notification area
+
+The Info area displays all the information about the database currently selected in the database
+overview. This information is ivided into the three subsections “Database summary, Data sets and
+Database tables”.
+
+4. Recent backups
+
+List of recent backups. Can be sorted by date
+
+5. Database log
+
+The database log is used to monitor and control the specific databases. All relevant actions for the
+selected database are displayed in a comprehensible manner in one list. The categorisation is
+carried out in the same way as the server log according to the colours applied.
+
+#### Backups module
+
+There is also a separate module for configuring the backups. This means that all backups can be
+configured and managed directly from the Server Manager.
+
+![backup-ac](/images/passwordsecure/9.2/configuration/server_manager/operation_and_setup/backup-ac.webp)
+
+1. Ribbon
+
+2. Backup overview
+
+All configured backups are listed here. The overview can be minimized to the left. Other functions
+are available via right-click
+
+3. Notification area
+
+The notification area is divided into three sections. The “Basic settings, Advanced settings and
+Info” sections for the selected database can be used
+
+4. Recent backups
+
+The last backups are displayed in a list on the right.
+
+5. All backups
+
+A tabular overview shows all previous backups. The view can be sorted as usual. Here you can see at
+a glance, when which database was saved and whether the backup was successful.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/server_manger.md b/docs/passwordsecure/9.3/configuration/servermanger/server_manger.md
new file mode 100644
index 0000000000..b2c1407f2c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/server_manger.md
@@ -0,0 +1,22 @@
+---
+title: "Server Manager"
+description: "Server Manager"
+sidebar_position: 10
+---
+
+# Server Manager
+
+## What is the Server Manager?
+
+The Server Manager takes care of the central administration of the databases as well as the
+configuration of the backup profiles. In addition, it provides the very important interface to the
+Netwrix Password Secure license server. Furthermore, it is used for the administration of globally
+defined settings, as well as the configuration of profiles for sending emails.
+[Installation Server Manager](/docs/passwordsecure/9.3/installation/installation_server_manager.md)
+
+![Admin Client](/images/passwordsecure/9.2/configuration/server_manager/installation_with_parameters_187-en.webp)
+
+In this sense, the server service represents the interface between the client and the SQL server.
+The Server Manager is responsible for configuring the server service. It allows the central
+administration of the databases without having access to the SQL server. This is a huge advantage
+with regards to organization and authorizations.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/settlement_right_key.md b/docs/passwordsecure/9.3/configuration/servermanger/settlement_right_key.md
new file mode 100644
index 0000000000..3f7d391a2a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/settlement_right_key.md
@@ -0,0 +1,90 @@
+---
+title: "Settlement right key"
+description: "Settlement right key"
+sidebar_position: 50
+---
+
+# Settlement right key
+
+#### Problem Description
+
+In the version 8.3.0.13378 passwords which cannot be decrypted for other users could be created. In
+this case, individual users or even all users do not have the necessary legal key. If a user wants
+to reveal an affected password, the following message is displayed:
+
+![installation_with_parameters_219_706x98](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_219_706x98.webp)
+
+#### Bugfix
+
+The bug was fixed with the version 8.3.0.14422 Hotfix 1. If an older version is in use, it is
+important to update to the latest version 8.4.0.14576.
+
+#### Review and settlement of records
+
+When updating to version 8.4.0.14576, the Server Manager is checked for affected data records.
+
+###### Review via the Server Manager
+
+The results of the query show which passwords can be fixed by which user. (In this example, the
+entries are highlighted in color).
+
+- Blue = password name
+- Yellow = Repairable / Irreparable
+- Orange = users / roles who can fix the password
+
+Reparable records
+
+Passwords in which users / roles with entitlement right and right key exist:
+
+![installation_with_parameters_220_584x65](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_220_584x65.webp)
+
+Irreparable records
+
+Passwords in which users / roles without a legal key or with a legal key but without an
+authorization right exist:
+
+![installation_with_parameters_221_697x40](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_221_697x40.webp)
+
+###### Settlement of reparable records
+
+Damaged passwords are corrected automatically with the users / roles specified under ‘repairable
+with’ when logging on to the client or Web Application.
+
+The right key can be checked using the form field permissions of password fields. If at least one
+user has the right key, the password can be fixed. In the following example, only the user ‘white’
+has the right key and thus only this user can discover and correct the password.
+
+![installation_with_parameters_222_754x91](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_222_754x91.webp)
+
+When logging on to the database via the client, a cleanup task is started automatically. This task
+always runs with the logged in user. In this case – as far as it is possible with the user – all
+affected passwords are corrected. Thus, when all users have logged in once, all affected passwords
+should be adjusted.
+
+###### Irreparable records (not repairable)
+
+Irreparable passwords cannot be corrected automatically. Nevertheless, it may happen that passwords
+marked as irreparably can be corrected manually.
+
+First case
+
+In the first case, no user / role has the right key on the password. Thus, no user can decrypt or
+correct the password.
+
+![installation_with_parameters_223_757x69](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_223_757x69.webp)
+
+The affected passwords have to be recreated. For the security, a new database with an older backup
+can be included. From this database, the affected passwords / data can be taken over into the
+current database again.
+
+Second case
+
+In the second case, there are users / roles who have the right key but not the right to claim. As
+far as the number of irreparable passwords is limited, these can be used to check the form field
+permissions manually.
+
+![installation_with_parameters_224_762x90](/images/passwordsecure/9.2/configuration/server_manager/settlement_right_key/installation_with_parameters_224_762x90.webp)
+
+For the passwords concerned, the user with the legal key must be given the right of authorization
+temporarily to correct. If the corresponding user has the entitlement right, he can reset the legal
+key, either automatically when logging in or manually when saving the authorizations.
diff --git a/docs/passwordsecure/9.3/configuration/servermanger/setup_wizard.md b/docs/passwordsecure/9.3/configuration/servermanger/setup_wizard.md
new file mode 100644
index 0000000000..b405fb24cc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/servermanger/setup_wizard.md
@@ -0,0 +1,74 @@
+---
+title: "Setup wizard"
+description: "Setup wizard"
+sidebar_position: 30
+---
+
+# Setup wizard
+
+## What is the setup wizard?
+
+The setup wizard contains all relevant settings for setting up Netwrix Password Secure. The
+individual points can also be changed later on. Separate sections are available for each.
+
+#### Defining the administrator password
+
+The first step is to define the authentication password for the Server Manager. The initial password
+is “admin”. A new password needs to be entered during startup – this new password should be securely
+and properly documented. It can be subsequently changed in the
+[General settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/general_settings.md).
+
+![setup-wizard-ac-en](/images/passwordsecure/9.2/configuration/server_manager/setupwizard/setup-wizard-ac-en.webp)
+
+NOTE: The initial password is “admin”.
+
+#### License settings
+
+The second step is to complete the configuration for successively connecting to the licence server.
+This step can also be carried out later “in the [License settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md)
+
+![setup-wizard-ac-2-en](/images/passwordsecure/9.2/configuration/server_manager/setupwizard/setup-wizard-ac-2-en.webp)
+
+“license.passwordsafe.de” should be entered in the field “Licence server”. The other access data
+(user name and password for the licence server will be sent to you by email).
+
+If necessary, access data for a possible proxy can also be issued – otherwise the proxy in the
+operating system will be used. You can then select and activate the required license by clicking on
+the corresponding button.
+
+#### Database server
+
+The configuration of the database server is also part of the
+[Advanced settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md) and can also be edited there later on.
+
+![setup-wizard-ac-3-en](/images/passwordsecure/9.2/configuration/server_manager/setupwizard/setup-wizard-ac-3-en.webp)
+
+The database server must be specified along with the associated SQL instance. For simplicity, you
+can copy the server name from the login window of the SQL server.
+
+The user that will be used to create the database on the SQL Server is also specified. The user
+therefore needs **dbCreator** rights. Alternatively, you can use the service user for this purpose.
+The “Advanced” button allows you to specify a **Connection String.**
+
+#### SMTP server
+
+The last step is to configure the SMTP server via which all emails are sent. This is also part of
+the [Advanced settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/advanced_settings.md) should it be necessary to make changes
+later on.
+
+![setup-wizard-ac-4-en](/images/passwordsecure/9.2/configuration/server_manager/setupwizard/setup-wizard-ac-4-en.webp)
+
+Once the data has been entered and successfully tested, the wizard can be completed by clicking on
+“Finish”.
+
+Security notes
+
+As soon as the setup wizard has been completed, two security notes will be displayed in the
+**Status**
+
+module that need to be confirmed.
+
+**CAUTION:** It is recommended that you only confirm the security notes when the corresponding point
+has actually been carried out. It is absolutely essential to ensure that regular
+[Backup management](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md) are created
+and the [Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md) are backed up.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/_category_.json b/docs/passwordsecure/9.3/configuration/webapplication/_category_.json
new file mode 100644
index 0000000000..c09eaf5cec
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Web Application",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "web_application"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md b/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md
new file mode 100644
index 0000000000..9c1d8d169a
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/authorization_and_protection_mechanisms.md
@@ -0,0 +1,51 @@ +--- +title: "Authorization and protection mechanisms" +description: "Authorization and protection mechanisms" +sidebar_position: 30 +--- + +# Authorization and protection mechanisms + +## Security and protection on the Web Application + +As with the client, the records can be protected on the Web Application with different mechanisms. +The authorizations on records can also be managed in the Web Application. During the development of +the Web Application, there was always taken care that the operation is identical to the operation of +the client. Since the Web Application is based on HTML, it is unfortunately not possible to render +the client 100% identical. Therefore, the operation may differ in details. These deviations should +be clarified in this chapter. + +#### Permissions and rights concept + +###### Protections + +Password masking + +The password masking follows the familiar logic of the client. Due to this function, reference +should be made to the chapter of +[Password masking](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/password_masking.md). + +There are marginal differences in the operation. The privacy protection is fixed or edited via a +button in the extended menu.. + +![installation_with_parameters_183](/images/passwordsecure/9.2/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_183.webp) + +The corresponding button is only displayed if the logged in user has the sufficient rights. + +If a record is provided with a privacy protection, this is shown in the header of the password. + +![installation_with_parameters_184](/images/passwordsecure/9.2/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_184.webp) + +Seal + +The seals also correspond in function to the known logic of the client. In the chapter seal further +explanations can be found. 
The +[Seals](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/protectivemechanisms/seals/seals.md) +are configured in the extended menu via a button. + +![installation_with_parameters_185](/images/passwordsecure/9.2/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_185.webp) + +The button is only displayed for the users who have the rights to edit seals. If a record is sealed, +this will be shown in the password field. + +![seal_wc](/images/passwordsecure/9.2/configuration/web_applicaiton/authorization_and_protection/seal_wc.webp) diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/_category_.json b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/_category_.json new file mode 100644 index 0000000000..10f748e3bd --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Functional scope", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "functional_scope" + } +} \ No newline at end of file diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/application.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/application.md new file mode 100644 index 0000000000..a2f807a1b2 --- /dev/null +++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/application.md 
@@ -0,0 +1,30 @@
+---
+title: "Application"
+description: "Application"
+sidebar_position: 80
+---
+
+# Application
+
+The following functions are currently available in the **Application module**:
+
+Web & SAML applications:
+
+- Create
+- Manage
+- Delete
+
+NOTE: A detailed explanation of how to configure SAML can be found in the chapter “Configuration of
+SAML”
+
+General functions:
+
+- Notifications
+- Duplicate
+- Move
+- Favorite
+- Quick view
+- Connect password
+
+NOTE: The Web Application module Applications is based on the client module of the same name
+“Applications”. Both modules differ in scope and design, but the operation is almost identical.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/documents_web_application.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/documents_web_application.md
new file mode 100644
index 0000000000..8a87958f40
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/documents_web_application.md
@@ -0,0 +1,30 @@
+---
+title: "Documents"
+description: "Documents"
+sidebar_position: 90
+---
+
+# Documents
+
+The following functions are currently available in the **Document module:**
+
+- New
+ New document can be added in the following ways:
+ ◦ Right click -> search
+ ◦ Search via the navigation bar
+ ◦ By Drag & Drop (by dragging the document into the window)
+
+- Open properties
+- Update document
+- Notifications
+- Move
+- Favourite
+- Quick view
+- Export
+- Authorizations
+- Create external link
+- Print
+- History
+
+NOTE: The Web Application module **Documents** is based on the client module of the same name
+“Documents”. Both modules differ in scope and design, but the operation is almost identical.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/forms_module.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/forms_module.md
new file mode 100644
index 0000000000..bbcc9fad6f
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/forms_module.md
@@ -0,0 +1,23 @@
+---
+title: "Forms module"
+description: "Forms module"
+sidebar_position: 50
+---
+
+# Forms module
+
+The following functions are currently available in the **forms module**:
+
+- Add
+- Open
+- Delete
+- Notifications
+- Duplicate
+- Favourite
+- Quick view
+- Permissions
+- Print
+- Export
+
+NOTE: The Web Application module **forms** is based on the client module of the same name. Both
+modules have a different scope and design but are almost identical to use.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/functional_scope.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/functional_scope.md
new file mode 100644
index 0000000000..9e3b2794bb
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/functional_scope.md
@@ -0,0 +1,28 @@
+---
+title: "Functional scope"
+description: "Functional scope"
+sidebar_position: 10
+---
+
+# Functional scope
+
+The **Web Application** will act as the basis for a constant enhancement. The current functional
+scope will be explained at this point. For the purposes of clarity, the relevant modules will be
+described in their own subsections.
+
+#### General functions
+
+- Global settings and User settings
+- Global User rights
+
+#### Functions in the individual modules
+
+- [Password module](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/password_module.md)
+- [Tag system](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/tag_system.md)
+- [Organisational structure module](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/organisational_structure.md)
+- [Roles module](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/roles_module.md)
+- [Forms module](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/forms_module.md)
+- [Notifications](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/notifications.md)
+- [Logbook](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/logbook_web_application.md)
+- [Application](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/application.md)
+- [Documents](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/documents_web_application.md)
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/logbook_web_application.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/logbook_web_application.md
new file mode 100644
index 0000000000..3308e1b963
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/logbook_web_application.md
@@ -0,0 +1,28 @@
+---
+title: "Logbook"
+description: "Logbook"
+sidebar_position: 70
+---
+
+# Logbook
+
+The **logbook module** exists of the following features:
+
+- Filter function
+- Quick view
+
+NOTE: The Web Application module logbook is based on the same called client module logbook. Both
+modules differ in range and design. However, the handling is almost the same.
+
+Differences to the logbook on the Client:
+
+The following options are not available yet in the **Web Application**. If needed, you can use them
+on the Client.
+
+- Documents
+- Multifactor authentication
+- Report configuration
+- Applications
+- Password Reset
+- Password rules
+- Sytem Task
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/notifications.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/notifications.md
new file mode 100644
index 0000000000..f598d3e458
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/notifications.md
@@ -0,0 +1,16 @@
+---
+title: "Notifications"
+description: "Notifications"
+sidebar_position: 60
+---
+
+# Notifications
+
+- The **permission module** exists of the following features:
+- Filter function
+- Seal function
+- Mark message as read/unread
+- Quick view (use button and space bar)
+
+The Web Application module permissions is based on the same called client module notifications. Both
+modules differ in range and design. However, the handling is almost the same.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/_category_.json b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/_category_.json
new file mode 100644
index 0000000000..2f4190cfcb
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Organisational structure module",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "organisational_structure"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/organisational_structure.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/organisational_structure.md
new file mode 100644
index 0000000000..ab685e1169
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/organisational_structure.md
@@ -0,0 +1,73 @@
+---
+title: "Organisational structure module"
+description: "Organisational structure module"
+sidebar_position: 30
+---
+
+# Organisational structure module
+
+The following functions are currently available in the **organisational structure module**:
+
+- Adding/editing/deleting/authorizing users / organisational structures
+- Notifications
+- Drag & Drop
+- Filter
+- Quick view
+- User settings
+- User rights
+- Changing passwords
+- Print
+
+NOTE: The Web Application module organisational structure is based on the client module of the same
+name. Both modules have a different scope and design but are almost identical to use.
+
+## AD connection in the Web Application
+
+The Active Directory connection in the Web Application works similiar to the Client. In the chapter
+[Active Directory link](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/active_directory_link.md)
+you can find further information.
+
+![Organisational structure WebClient](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_160-en.webp)
+
+The Web Application offers the following functions:
+
+- Import
+- Manual synchronisation
+- Manage profiles
+
+###### Radius
+
+You can reach the Radius server, if the import is in the Masterkey mode. The Radius server will be
+provided in the Active Directory profile and will therefore deliver the possible authentication
+methods in future. You will find further informations in the
+[RADIUS authentication](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/organisationalstructure/directoryservices/activedirectorylink/radius_authentication.md)
+chapter.
+
+![installation_with_parameters_161](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_161.webp)
+
+###### Predefining rights
+
+To **predefine rights** in the Web Application, the procedure is the same as in the Client.
+[Predefining rights](/docs/passwordsecure/9.3/configuration/advancedview/permissionconceptandprotective/predefiningrights/predefining_rights.md))
+
+Go to the module organisational structure to choose the organisation unit for which the rights shall
+be predefined. Then choose **Predefine rights** in the menu bar.
+
+![installation_with_parameters_162](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_162.webp)
+
+**Creating the first template group:** A modal window will appear after clicking on the icon for
+adding a new template group (green arrow) in which a meaningful name for the template group should
+be entered.
+
+![installation_with_parameters_163](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_163.webp)
+
+Now you can add the appropriate roles and users.
+
+![installation_with_parameters_164](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_164.webp)
+
+You can add users and roles in different ways:
+
+- Add the appropriate roles and users at the toolbar under **Search and add**.
+- Click on the loupe to see all the users and roles.
+
+![installation_with_parameters_165](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_165.webp)
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/user_management.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/user_management.md
new file mode 100644
index 0000000000..36bb5b7a87
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/organisationalstructure/user_management.md
@@ -0,0 +1,20 @@
+---
+title: "User management"
+description: "User management"
+sidebar_position: 10
+---
+
+# User management
+
+## How are the users managed in the Web Application?
+
+The user management strongly depends on whether the Active Directory has been connected or not. In
+Master Key mode, the Active Directory remains the leading system. In all other modes, the user
+administration is carried out via the organisational structure module.
+
+#### Creating local users
+
+When creating new users, you must pay attention to whether it is a **User (Basic View)** or a
+**Advanced User (View)**.
+
+![installation_with_parameters_166](/images/passwordsecure/9.2/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/installation_with_parameters_166.webp)
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/password_module.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/password_module.md
new file mode 100644
index 0000000000..f2b835195d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/password_module.md
@@ -0,0 +1,55 @@
+---
+title: "Password module"
+description: "Password module"
+sidebar_position: 10
+---
+
+# Password module
+
+The **Password Module** currently provides the following functions:
+
+- Create
+- Delete
+- Edit
+- Uncover password
+- Quick search
+- Add/edit form fields
+- Tagged
+- Duplicate
+- Move
+- Quick view (passwords automatically reveal)
+- Favorites
+- Filter
+- Structural filter
+- Authorization/edit rights
+- Form field authorizations
+- Change password undercover
+- Password generator with guidelines
+- Copy to clipboard
+- Open Internet page
+- View logbook
+- Display seal/visibility protection
+- German/English
+- Change user password, if “Change password at next login” is active
+- Show notifications
+- Keyboard navigation
+ ◦ ALT+Q: Quick search
+ ◦ ALT+N: New record
+ ◦ ALT+S: Save in Edit/New View
+ ◦ ALT+DEL: Delete selected record
+ ◦ Arrow up/down in list: Change selection
+ ◦ Right/left arrow in list: Page forward/backward
+ ◦ Enter: Open selected record
+
+- Privacy screen
+- Seal
+- Print
+- Create external link
+- History
+- Change form
+- Export
+- WebViewer Export
+
+NOTE: The Web Application module Password module is based on the module of the same name that is
+located in the client. Both modules differ in scope and design, but are nevertheless almost
+identical in terms of operation.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/roles_module.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/roles_module.md
new file mode 100644
index 0000000000..55a5e66583
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/roles_module.md
@@ -0,0 +1,21 @@
+---
+title: "Roles module"
+description: "Roles module"
+sidebar_position: 40
+---
+
+# Roles module
+
+The following functions are currently available in the **roles module:**
+
+- Add
+- Delete
+- Notifications
+- Favourites
+- Quick view
+- Permissions
+- User rights
+- Print
+
+The Web Application module **roles** is based on the client module of the same name. Both modules
+have a different scope and design but are almost identical to use.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/tag_system.md b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/tag_system.md
new file mode 100644
index 0000000000..8facda3781
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/tag_system.md
@@ -0,0 +1,13 @@
+---
+title: "Tag system"
+description: "Tag system"
+sidebar_position: 20
+---
+
+# Tag system
+
+The tag system currently offers the following functions:
+
+- Add
+- Delete
+- Edit
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/_category_.json b/docs/passwordsecure/9.3/configuration/webapplication/operation/_category_.json
new file mode 100644
index 0000000000..69b8feec7d
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Operation",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "operation"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/filter_or_structure_area.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/filter_or_structure_area.md
new file mode 100644
index 0000000000..0a91f33e27
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/filter_or_structure_area.md
@@ -0,0 +1,38 @@
+---
+title: "Filter or structure area"
+description: "Filter or structure area"
+sidebar_position: 30
+---
+
+# Filter or structure area
+
+As is also the case on the client, it is possible to select between filter and structure. For this
+purpose, the following buttons are available on the navigation bar
+
+![installation_with_parameters_169](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_169.webp)
+
+1. Filter
+
+The filter on the Web Application is based on the
+[Filter](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/filter/filter.md). Therefore, only those
+characteristics specific to the Web Application will be described here.
+
+Using the filter
+
+Operation of the “Web Application filter” barely differs from the operation of the client filter. It
+is only necessary to note that the Clear filter and Apply filter buttons can be found above the
+filter. The configuration settings can also be found directly above the Web Application filter.
+
+Configuring the filter
+
+The configuration for the filter can be displayed via the following buttons:
+
+![installation_with_parameters_170](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_170.webp)
+
+New filter groups can be added using **Add filter groups** and the current filter can be reset using
+**Reset filter. Advanced mode** provides you with the possibility of deleting or moving individual
+filter groups. The **Allow negation of filters** option can also be selected.
+
+2. Structure
+
+The structure can be operated in precisely the same way as on the client.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/footer.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/footer.md
new file mode 100644
index 0000000000..2b82e0ff90
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/footer.md
@@ -0,0 +1,38 @@
+---
+title: "Footer"
+description: "Footer"
+sidebar_position: 70
+---
+
+# Footer
+
+The footer displays various different information about the currently selected record in multiple
+tabs. It can be activated or deactivated using the small arrow on the far right. The footer is
+hidden by default.
+
+![installation_with_parameters_178](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/footer/installation_with_parameters_178.webp)
+
+1. Notification area
+
+The notification area shows who last had access to the record. The users are displayed using
+corresponding icons or their avatars. Clicking on the user will display their rights.
+
+2. Logbook
+
+You can view the last log entries about the record in the logbook tab.
+
+3. History
+
+The history can also be displayed via a corresponding tab.
+
+4. Documents
+
+The documents tab can be used to access all linked documents.
+
+5. Notifications
+
+This tab shows who has subscribed to receive notifications about the record.
+
+6. Password Resets
+
+The Password Resets that have been performed can also be listed.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/header.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/header.md
new file mode 100644
index 0000000000..38e8066e14
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/header.md
@@ -0,0 +1,44 @@
+---
+title: "Header"
+description: "Header"
+sidebar_position: 10
+---
+
+# Header
+
+The header provides the following functions:
+
+![Header](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/header/installation_with_parameters_171-en_679x38.webp)
+
+1. Logo
+
+The logo acts as a home button. It always takes you back to the standard view.
+
+2. Display and hide filter
+
+As is also the case on the client, the filter or structure area can be displayed and hidden.
+
+3. Modules
+
+As is also the case on the client, modules like passwords, organisational structures, roles and
+forms can be managed here.
+
+4. Quick search
+
+The quick search offers you the same functions as the quick search on the client. It searches in all
+fields of the complete database except the password field. The tags are still searched.
+
+5. Quick search
+
+Upcoming tasks like export, import, print and so on are displayed here.
+
+6. Notifications
+
+here you will be informed about incoming notifications. The notification can also be called up by
+clicking on it.
+
+7. Account
+
+The user who is currently logged in can be seen under account. You can log out by clicking on the
+account. It is also possible to call up the settings in
+[Account](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/account.md).
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/list_view.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/list_view.md
new file mode 100644
index 0000000000..1420236c23
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/list_view.md
@@ -0,0 +1,23 @@
+---
+title: "List view"
+description: "List view"
+sidebar_position: 50
+---
+
+# List view
+
+## What is list view?
+
+The central element of the navigation in the Web Application is list view, which clearly presents
+the filtered elements. As list view in the Web Application provides the same functions as list view
+in the client, we refer you at this point to the
+[List view](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/list_view.md) section.
+
+![installation_with_parameters_176](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/list_view/installation_with_parameters_176.webp)
+
+#### Special features
+
+The list view differs from that on the client in the following areas:
+
+- List view cannot be individually configured
+- There are – as is usual in a browser – no context menus
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/menu.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/menu.md
new file mode 100644
index 0000000000..b01fd05742
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/menu.md
@@ -0,0 +1,93 @@
+---
+title: "Menu"
+description: "Menu"
+sidebar_position: 40
+---
+
+# Menu
+
+## What is the menu?
+
+The ribbon on the client has been replaced by a menu on the Web Application. The menu thus
+represents the central operating element on the Web Application. The functions available within the
+menu are dynamic and are based on the currently available actions. Different actions are possible
+depending on which view is currently being used.
+
+#### Menu bar
+
+The menu can take on two forms. In general, the **menu bar** containing the **most important
+functions** is displayed. It will be described here using the example of the password module.
+
+![menu bar](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_174-en.webp)
+
+1. Expand menu
+
+The size of the menu can be maximised using this button.
+
+2. New
+
+This option can be selected to call up the wizard for adding a new record.
+
+3. Open
+
+Displays the selected password and all of its details in the reading pane.
+
+4. Reveal
+
+Reveals the password.
+
+5. Permissions
+
+This button is used to configure the rights for the record.
+
+6. Password
+
+Copies the password to the clipboard.
+
+###### Advanced menu
+
+If the menu – as described above – is maximised, **all functions** are then available. The functions
+on the menu bar are repeated here. The menu is divided into a number of sections. These correspond 1
+to 1 to the sections of the ribbon on the client.
+
+![Menu](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_175-en.webp)
+
+In our example, the menu looks like this:
+
+1. New Item
+
+This section offers you more options for editing passwords. These include, for example, **Open** or
+also **Delete**.
+
+2. Actions
+
+The actions can be used, for example, to mark the password as a Favourite or also to Duplicate it.
+
+3. Permissions
+
+This section does not offer any additional functions than simply opening the permissions.
+
+4. Clipboard
+
+This section can be used to copy all available fields to the clipboard.
+
+5. Start
+
+A website can be called up here.
+
+NOTE: As already described, the menu is dynamic and thus appears in a variety of different forms.
+However, the basic function is always the same: The menu bar contains the basis functions, while the
+advanced menu contains all functions.
+
+6. Extras
+
+All of the additional functions can be found here. These functions correspond to the main client and
+will be described in the next section:
+
+[Passwords](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwords/passwords.md)
+
+7. Password Reset
+
+The functions of the
+[Password Reset](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/passwordreset/password_reset.md) can be found
+here.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/_category_.json b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/_category_.json
new file mode 100644
index 0000000000..a2da549604
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Navigation bar",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "navigation_bar"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/navigation_bar.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/navigation_bar.md
new file mode 100644
index 0000000000..14cb42bf61
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/navigation_bar.md
@@ -0,0 +1,25 @@
+---
+title: "Navigation bar"
+description: "Navigation bar"
+sidebar_position: 20
+---
+
+# Navigation bar
+
+The navigation bar provides the following functions.
+
+![navigation bar](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_172-en_643x142.webp)
+
+1. Filter
+
+This function can be used to switch the view to the filter in the left section. You also have the
+possibility to switch from filter to structure.
+
+2. Tabs
+
+The Tabs represent a secondary navigation function within the Web Application. For each action you
+will do a new tab will be opend.
+
+Example
+
+![tab system](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_173-en.webp)
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/settings_wc.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/settings_wc.md
new file mode 100644
index 0000000000..c12b4acbc8
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/settings_wc.md
@@ -0,0 +1,70 @@
+---
+title: "Settings"
+description: "Settings"
+sidebar_position: 20
+---
+
+# Settings
+
+The settings are called up via the [Navigation bar](/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/navigation_bar.md). The following options are
+available:
+
+#### Language
+
+You can select German or English here by simply clicking on them. The change is made immediately and
+does not require you to restart the browser.
+
+#### Extras
+
+Seal management
+
+Here you have the possibility to manage templates for seals.
+
+Tag management
+
+The tag management allows you to manage the tags.
+
+Image management
+
+With the image management, you can manage your icons and logos easily and quickly.
+
+![image management](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_179-en.webp)
+
+#### Adding icons and logos
+
+By clicking on the **New** button, the input mask will open.
+
+![new image](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_180-en.webp)
+
+After filling in and uploading the icon/logo, the process only needs to be saved.
+
+![save new image](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_181-en.webp)
+
+Edit / Delete icons and logos
+
+If an icon and/or logo is outdated, you can edit or even delete the stored icons/logos.
+
+![manage image](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_182-en.webp)
+
+#### Settings
+
+The following options can be managed via this menu item:
+
+- Global user rights
+- Global settings
+- User settings
+
+The management of these settings is based on the client. Further information can be found under
+global [User rights](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/userrights/user_rights.md) and
+[User settings](/docs/passwordsecure/9.3/configuration/advancedview/mainmenufc/usersettings/user_settings.md)
+
+The following settings are not available on the Web Application:
+
+- Customizable window caption
+- Permitted document extensions
+- Clipboard gallery
+- Category: Proxy
+
+Account
+
+Here it is possible to change the password of the logged in user.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/user_menu_wc.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/user_menu_wc.md
new file mode 100644
index 0000000000..c9bc19ba0c
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/user_menu_wc.md
@@ -0,0 +1,39 @@
+---
+title: "User menu"
+description: "User menu"
+sidebar_position: 10
+---
+
+# User menu
+
+The user menu can be found in the upper right corner of the Web Application. A right click on the
+logged in user opens it.
+
+#### Options in the user menu
+
+![bin_1](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/navigation_bar/user_menu/bin_1.webp)
+
+Settings
+
+All possible settings can be viewed in the following chapter settings.
+
+Bin
+
+In the bin you can manage your deleted passwords.
+
+Help
+
+A click on help takes you directly to the Netwrix Password Secure documentation page.
+
+Switch to Basic view
+
+What the Basic view is able to do in the web view can be inspected here.
+
+Lock
+
+This locks the user who is currently logged in and only needs to enter his password to use the web
+client again.
+
+Log out
+
+The logged in user is logged out. All relevant information is now required to log on again.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/operation.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/operation.md
new file mode 100644
index 0000000000..ced8d40187
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/operation.md
@@ -0,0 +1,85 @@
+---
+title: "Operation"
+description: "Operation"
+sidebar_position: 20
+---
+
+# Operation
+
+Operation of the Web Application has been based as far as possible on the operation of the Netwrix
+Password Secure client. Nevertheless, there are some differences that need to be noted and they are
+described here.
+
+NOTE: There is also a Basic view in the Web Application. Everything worth knowing can be found at
+the following link: web view Basic view
+
+#### Login
+
+There is no database profile on the Web Application. All databases approved for the Web Application
+will be made available. The following information needs to be entered to log in:
+
+Database name
+
+User name
+
+Password
+
+![Login WebClient](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/installation_with_parameters_167-en.webp)
+
+After successfully logging in, the last database name used and the last registered user will be
+saved. You thus only need to enter the password for the next login.
+
+#### Transferring login data via the URL
+
+The **database name** and **user name** can be transferred directly via the URL. The following
+parameters are used here:
+
+- **database** for transferring the database nam
+- **username** for transferring the user name
+
+The parameters are simply attached to the URL for the Web Application and separated from one another
+with a **&**.
+
+Example
+
+You want to call up the Web Application under **https://psr_Web Application.firma.com.** In the
+process, you want the login mask to be directly filled with the database **Passwords** and the user
+name **Anderson**. The following URL is then used: **https://psr_Web
+Application.firma.com/authentication/ login?database=Passwords&username=Anderson**
+
+NOTE: It is possible to only transfer the database. The user name is not absolutely necessary.
+
+#### Structure
+
+The Web Application is split into a number of sections that are described below.
+
+![Operation](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/installation_with_parameters_168-en.webp)
+
+1. [Header](/docs/passwordsecure/9.3/configuration/webapplication/operation/header.md)
+
+The header provides access to some essential functions.
+
+2. [Navigation bar](/docs/passwordsecure/9.3/configuration/webapplication/operation/navigationbar/navigation_bar.md)
+
+It is possible to switch between module and filter view on the navigation bar.
+
+3. [Filter or structure area](/docs/passwordsecure/9.3/configuration/webapplication/operation/filter_or_structure_area.md)
+
+As is also the case on the client, it is possible to select between filter and structure.
+
+4. [Menu](/docs/passwordsecure/9.3/configuration/webapplication/operation/menu.md)
+
+The ribbon on the client has been replaced by a menu bar on the Web Application.
+
+5. [List view](/docs/passwordsecure/9.3/configuration/webapplication/operation/list_view.md)
+
+The records currently selected using the filter can be viewed in list view.
+
+6. [Reading pane](/docs/passwordsecure/9.3/configuration/webapplication/operation/reading_pane_webclient.md)
+
+The reading pane shows you details about the relevantly selected element.
+
+7. [Footer](/docs/passwordsecure/9.3/configuration/webapplication/operation/footer.md)
+
+Various information about the record is displayed in the footer. For example, logbook entries or the
+history.
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/operation/reading_pane_webclient.md b/docs/passwordsecure/9.3/configuration/webapplication/operation/reading_pane_webclient.md
new file mode 100644
index 0000000000..2afabe6ccc
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/operation/reading_pane_webclient.md
@@ -0,0 +1,21 @@
+---
+title: "Reading pane"
+description: "Reading pane"
+sidebar_position: 60
+---
+
+# Reading pane
+
+## What is the reading pane?
+
+As with the list view, the reading pane on the Web Application is almost identical to that on the
+client. Therefore, we also refer you here to the corresponding
+[Reading pane](/docs/passwordsecure/9.3/configuration/advancedview/operationandsetup/reading_pane.md) section.
+
+![reading_pane](/images/passwordsecure/9.2/configuration/web_applicaiton/operation/reading_pane/reading_pane.webp)
+
+Various information is displayed on the header – as is the case with the client. For example, the
+tags for the records or information on whether the record is public or private. Password masking is
+also symbolised here.
+
+NOTE: There are – as is usual in a browser – no context menus
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/problems_with_the_server_connection.md b/docs/passwordsecure/9.3/configuration/webapplication/problems_with_the_server_connection.md
new file mode 100644
index 0000000000..1e865a1aa2
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/problems_with_the_server_connection.md
@@ -0,0 +1,27 @@
+---
+title: "Problems with the server connection"
+description: "Problems with the server connection"
+sidebar_position: 40
+---
+
+# Problems with the server connection
+
+If no connection can be established from the Web Application, there are several possible causes:
+
+Server not started
+
+First, you should check whether the application server is running.
+
+Service not started
+
+The Windows service administration should be used to check whether the **Netwrix Password Secure
+Service** has been started.
+
+Port not released
+
+Port 11016 TCP must be released on the application server.
+
+CORS not configured
+
+Make sure that the CORS configuration has been implemented. Further information can be found in
+chapter Installation Web Application
diff --git a/docs/passwordsecure/9.3/configuration/webapplication/web_application.md b/docs/passwordsecure/9.3/configuration/webapplication/web_application.md
new file mode 100644
index 0000000000..388c0fcc04
--- /dev/null
+++ b/docs/passwordsecure/9.3/configuration/webapplication/web_application.md
@@ -0,0 +1,28 @@
+---
+title: "Web Application"
+description: "Web Application"
+sidebar_position: 40
+---
+
+# Web Application
+
+## What is the Web Application
+
+The previous WebAccess function has been replaced by the **Web Application” in Netwrix Password
+Secure version** **8.3.0. The completely newly developed \*Web Application** will act as the basis
+for the constant enhancement of the functional scope. The desired objective is to also provide the
+full functional scope of the client in the Web Application. The **Web Application** will thus be
+constantly enhanced. All of the currently available functions can be viewed in the
+[Functional scope](/docs/passwordsecure/9.3/configuration/webapplication/functionalscope/functional_scope.md) section.
+
+![WebClient](/images/passwordsecure/9.2/configuration/web_applicaiton/installation_with_parameters_159.webp)
+
+**Netwrix Password Secure Web Application** enables platform-independent access to the database via
+a browser. It is irrelevant whether you are using Microsoft Windows, macOS or Linux, it is only
+necessary for javascript to be supported. As the **Netwrix Password Secure Web Application** has a
+responsive design, it can also be used on all mobile devices such as tablets and smartphones.
+
+The **Web Application** is based both optically and also in its operation on the Netwrix Password
+Secure client. As usual, users can only access the data for which they also have permissions. The
+installation is described in the section
+[Installation Web Application](/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md)
diff --git a/docs/passwordsecure/9.3/enduser/_category_.json b/docs/passwordsecure/9.3/enduser/_category_.json
new file mode 100644
index 0000000000..47348ad344
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Getting Started for End Users",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/enduser/advancedview.md b/docs/passwordsecure/9.3/enduser/advancedview.md
new file mode 100644
index 0000000000..4a2f16458c
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/advancedview.md
@@ -0,0 +1,20 @@
+---
+title: "Outlook: Advanced View"
+description: "Outlook: Advanced View"
+sidebar_position: 50
+---
+
+# Outlook: Advanced View
+
+Curious about how you can manage your team in Netwrix Password Secure?
+
+Learn more about how to …
+
+- Share passwords masked / only for a limited time (i.e. with working students or interns)
+- Separately authorize the disclosure of passwords
+- View the password quality and monitor all actions in your team
+- View the reasons given by your team members for revealing passwords in plain text
+- And much more!
+
+Simply contact your IT department for further information on the advanced view of Netwrix Password
+Secure.
diff --git a/docs/passwordsecure/9.3/enduser/browserextension.md b/docs/passwordsecure/9.3/enduser/browserextension.md
new file mode 100644
index 0000000000..69c596e1b5
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/browserextension.md
@@ -0,0 +1,49 @@
+---
+title: "Get the Browser Extension"
+description: "Get the Browser Extension"
+sidebar_position: 10
+---
+
+# Get the Browser Extension
+
+First, Netwrix Password Secure is designed to make and keep your passwords more secure. But this
+also means that managing - and logging in with them - is easier and saves time! That's why you need
+the browser extension to save yourself the hassle of typing in passwords in future and to be logged
+in to all your website accesses with just one click!
+
+Step 1 – Is your browser extension already installed? You can find out by:
+
+- Looking for this icon next to the URL input field in your browser. See the icon in the top bar of
+ the screenshot below.
+- Opening the Password Secure Web App, logging in and scrolling down: If not installed yet, you can
+ find the download link in the footer. See the Download Edge Extension link in the bottom center of
+ the screenshot below.
+
+![downloadextension](/images/passwordsecure/9.2/enduser/downloadextension.webp)
+
+NOTE: If you need more information about installing the browser extension, please visit the
+following topic in our documentation:
+[Installation Browser Extension](https://helpcenter.netwrix.com/bundle/PasswordSecure_9.0/page/Content/PasswordSecure/Installation/Browser/Installation_Browser_Add-on.htm)
+
+Step 2 – After downloading, the browser extension is simply dragged and dropped into the browser.
+See the Get button in the upper-right section of the screenshot below.
+
+![getextension](/images/passwordsecure/9.2/enduser/getextension.webp)
+
+Step 3 – After confirming a security question, it is installed, and an icon appears in the menu bar
+to "add the extension".
+
+![addextension](/images/passwordsecure/9.2/enduser/addextension.webp)
+
+Step 4 – Please open or reload the web application of Netwrix Password Secure (see link in email
+from your administrator) to connect your user profile with the extension. See the lock icon in the
+screenshot below.
+
+![extensionadded](/images/passwordsecure/9.2/enduser/extensionadded.webp)
+
+Step 5 – Now click on this icon in your browser to open the browser extension. See the Adopt Select
+**Adopt Web Application profile**. Done!
+
+![nodatabaseprofile](/images/passwordsecure/9.2/enduser/nodatabaseprofile.webp)
+
+RECOMMENDED: If not done yet, bookmark this page to have it quickly at hand!
diff --git a/docs/passwordsecure/9.3/enduser/cleanuppasswords.md b/docs/passwordsecure/9.3/enduser/cleanuppasswords.md
new file mode 100644
index 0000000000..f97813b05b
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/cleanuppasswords.md
@@ -0,0 +1,84 @@
+---
+title: "Clean up Your Passwords"
+description: "Clean up Your Passwords"
+sidebar_position: 20
+---
+
+# Clean up Your Passwords
+
+For a clean relocation of passwords, it is important to clean up all your passwords beforehand. This
+means to check which secrets are still up-to-date or if there are any duplicates you can remove
+first!
+
+## Transer Data from Your Browser
+
+With Netwrix Password Secure, you now have the right tool to save and manage all your secrets handy
+at one place and above all a safe alternative to browser-saved passwords! But how can you now
+securely import them to your new solution?
+
+Simply do this:
+
+Step 1 – Every time you login to a website now and your browser wants to autofill, this Password
+Secure Pop-up will appear, asking you if you would like to save your secret in Netwrix Password
+Secure. Just click **Create new**. See the screenshot below.
+
+![createnew](/images/passwordsecure/9.2/enduser/createnew.webp)
+
+Step 2 – Now the Web Application will open and automatically transfer the recognized login data,
+including URL to a new data set.
+
+![createpassword](/images/passwordsecure/9.2/enduser/createpassword.webp)
+
+Step 3 – Choose an organizational unit in which you want to save it and give your new data set a
+meaningful name to find it again quickly. (You now also have the option to add further information
+and tags.) Now click **Save**. See the box to the right of Organizational unit in the screenshot
+above.
+
+## Check for Weak Passwords
+
+Your passwords do not automatically become secure after they have been transferred to Netwrix
+Password Secure. No matter how well protected a password is - if it is easy for a hacker to guess,
+they don't need access to the password manager to use it. This is why our solution automatically
+checks the strength of your password and much more.
+
+Step 1 – Paste your password in the password field. See the box to the right of the Password field
+in the screenshot below.
+
+![passwordfield](/images/passwordsecure/9.2/enduser/passwordfield.webp)
+
+Step 2 – If it is not classified as "strong" (green), we strongly recommend using the integrated
+password generator to assign a new, secure password: Therefore, just click on the white password
+generator icon to the right of the password field. See the Strong button in the screenshot above.
+
+Step 3 – The password generator will open. A secure password is created automatically just click
+“Apply”. (Learn more about the possibilities of our password manager in the next chapter.)
+
+![passwordgenerator](/images/passwordsecure/9.2/enduser/passwordgenerator.webp)
+
+Step 4 – Now don't forget to replace your password in the target application as well.
+
+**Great side effect!** The access data stored in your browser is no longer up to date and therefore
+no longer a danger! You should also think about deleting these passwords from your browser
+permanently.
+
+## Create Strong Passwords
+
+The password generator offers three possibilities to create a secure password. To open it, click on
+“Create password” and then on the password generator icon right to the password field.
+
+Step 1 – Create a user defined password which gives you the most options such as including and
+excluding special characters or defining the length of the password.
+
+![userdefined](/images/passwordsecure/9.2/enduser/userdefined.webp)
+
+Step 2 – Create a phonetic password that is easier to pronounce, but still complex.
+
+![phonetic](/images/passwordsecure/9.2/enduser/phonetic.webp)
+
+NOTE: This option is best suited for passwords that must be read and typed in, such as operating
+machines without an internet connection.
+
+Step 3 – Create a password according to a set password rule in your company: If your IT has already
+stored password guidelines for you, you can select them here and simply click on apply.
+
+![rule](/images/passwordsecure/9.2/enduser/rule.webp)
diff --git a/docs/passwordsecure/9.3/enduser/createnewentry.md b/docs/passwordsecure/9.3/enduser/createnewentry.md
new file mode 100644
index 0000000000..0773246a8e
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/createnewentry.md
@@ -0,0 +1,57 @@
+---
+title: "Create a New Entry from Scratch"
+description: "Create a New Entry from Scratch"
+sidebar_position: 30
+---
+
+# Create a New Entry from Scratch
+
+Follow the steps to create a new entry from scratch.
+
+Step 1 – First, click _Create new password_ on the upper left in Netwrix Password Secure.
+
+![createnewpassword](/images/passwordsecure/9.2/enduser/createnewpassword.webp)
+
+Step 2 – A form will open. Now choose the form you need, such as "Website," on the upper right. See
+the form drop-down list in the screenshot below.
+
+![selectform](/images/passwordsecure/9.2/enduser/selectform.webp)
+
+Step 3 – Let`s fill out the website form in this example.
+
+- Choose the organization unit you want to save the password in like the department.
+
+![selectou](/images/passwordsecure/9.2/enduser/selectou.webp)
+
+- Choose a permission template to define who else can see your password.
+
+![permissionstemplate](/images/passwordsecure/9.2/enduser/permissionstemplate.webp)
+
+- Set a description for your stored password.
+
+![description](/images/passwordsecure/9.2/enduser/description.webp)
+
+- Enter the username or email address needed for login.
+
+![username](/images/passwordsecure/9.2/enduser/username.webp)
+
+- Enter the password manually or use the password generator by clicking on the button in the middle
+ (high number). The password generator will open.
+
+NOTE: To learn more about the generating of passwords, see the
+[Clean up Your Passwords](/docs/passwordsecure/9.3/enduser/cleanuppasswords.md) topic for additional information.
+
+![password](/images/passwordsecure/9.2/enduser/password.webp)
+
+NOTE: By clicking on the **lock icon** right to the password generator, you can mask and unmask your
+password.
+
+- Enter the website URL that leads to the login.
+
+![websiteurl](/images/passwordsecure/9.2/enduser/websiteurl.webp)
+
+- Add one or more tags to categorize your password and find it easier (i.e., "HR" or "Internet").
+
+![tags](/images/passwordsecure/9.2/enduser/tags.webp)
+
+Step 4 – Click **Save**, and you are done!
diff --git a/docs/passwordsecure/9.3/enduser/organizepasswords.md b/docs/passwordsecure/9.3/enduser/organizepasswords.md
new file mode 100644
index 0000000000..e8efc70ae4
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/organizepasswords.md
@@ -0,0 +1,71 @@
+---
+title: "Organize Your Passwords"
+description: "Organize Your Passwords"
+sidebar_position: 40
+---
+
+# Organize Your Passwords
+
+## Add a Team Tab
+
+The tab system is used to structure all your passwords: Tabs help you to make them easier to manage
+and find. You can create several tabs and switch between them within one click.
+
+Follow the steps to add a team tab.
+
+Step 1 – Click on the **Plus** sign and a form will open.
+
+![newform](/images/passwordsecure/9.2/enduser/newform.webp)
+
+Step 2 – You can now search for a specific organizational unit by clicking on the tree on the left
+or use the search field to find the unit you need.
+
+![search](/images/passwordsecure/9.2/enduser/search.webp)
+
+Step 3 – Click **OK** to close the form and your new team tab will open automatically.
+
+## Search with Tags
+
+With a growing number of managed passwords, it becomes even more important to maintain a structure
+and overview. Therefore, Netwrix Password Secure works with tags instead of a folder system: You can
+assign any number of tags to your passwords to categorize and find them again quickly.
+
+![assigntags](/images/passwordsecure/9.2/enduser/assigntags.webp)
+
+To find a password, just use the search field and enter a tag like the department or position you
+are in (i.e., "Marketing"). Netwrix Password Secure now not only is searching for tags, but also for
+“Marketing” in all Netwrix Password Secure fields (i.e., Content Marketing).
+
+![searchresults](/images/passwordsecure/9.2/enduser/searchresults.webp)
+
+NOTE: Optimize your search results by using the **minus sign (-)** to exclude terms: Only results in
+which this word does not appear will be displayed (i.e., all social media accounts that are used
+outside of marketing = "-social media marketing").
+
+## Choose Your View
+
+Netwrix Password Secure offers two different views - the list and tile view. Just **switch the
+button** on the upper right to change views!
+
+List View
+
+The screenshot below shows the list view.
+
+![listview](/images/passwordsecure/9.2/enduser/listview.webp)
+
+Tile View
+
+The screenshot below shows the title view.
+
+![switchbutton](/images/passwordsecure/9.2/enduser/switchbutton.webp)
+
+When in **tile view**, you can also drag and drop the buttons on another position. By hovering over
+them with the mouse, you will see more information like the username, and you can login with one
+click.
+
+![titleview](/images/passwordsecure/9.2/enduser/titleview.webp)
+
+NOTE: The **list view** is suitable for many data sets while the tile view is particularly favorable
+for the most frequently used secrets.
+
+RECOMMENDED: Use the list view for all shared secrets and the tile view for personal accounts.
diff --git a/docs/passwordsecure/9.3/enduser/overview.md b/docs/passwordsecure/9.3/enduser/overview.md
new file mode 100644
index 0000000000..0c153f6537
--- /dev/null
+++ b/docs/passwordsecure/9.3/enduser/overview.md
@@ -0,0 +1,24 @@
+---
+title: "Getting Started for End Users"
+description: "Getting Started for End Users"
+sidebar_position: 70
+---
+
+# Getting Started for End Users
+
+It is time to set up your new password management solution Netwrix Password Secure! The process
+won't take too long, but you should allow yourself a little time to get to know the product. As when
+it comes to your IT security, it's important to make sure you get it right. Below is a step-by-step
+guide to setting up a password manager and leading you through the first few steps.
+
+## How to Log In
+
+Where can I find my username and password?
+
+You can find your login data in the email provided by your administrator. This email also contains
+the following information:
+
+- Link to the Netwrix Password Secure Web Application
+- How to login
+- Information about your browser extension
+- Bookmark of Netwrix Password Secure
diff --git a/docs/passwordsecure/9.3/faq/_category_.json b/docs/passwordsecure/9.3/faq/_category_.json
new file mode 100644
index 0000000000..0c7ff6cade
--- /dev/null
+++ b/docs/passwordsecure/9.3/faq/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "FAQ",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/faq/security/_category_.json b/docs/passwordsecure/9.3/faq/security/_category_.json
new file mode 100644
index 0000000000..1a38cad5e6
--- /dev/null
+++ b/docs/passwordsecure/9.3/faq/security/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "Security",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/faq/security/encryption.md b/docs/passwordsecure/9.3/faq/security/encryption.md
new file mode 100644
index 0000000000..06ec693fb1
--- /dev/null
+++ b/docs/passwordsecure/9.3/faq/security/encryption.md
@@ -0,0 +1,43 @@
+---
+title: "Encryption"
+description: "Encryption"
+sidebar_position: 10
+---
+
+# Encryption
+
+## Used Algorithms
+
+Safety has always been one of the most basic considerations when designing software. All other
+requirements were assessed according to how safe they were. Parallel to the development phase, the
+theoretical concepts of external security companies were examined in terms of feasibility, as well
+as compliance with IT security standards. Prototypes have been ultimately developed on the basis of
+these findings, which form the blueprint for the current Netwrix Password Secure version 9. The
+following encryption techniques and algorithms are currently in use:
+
+- AES-GCM 256
+- PBKDF2 with 623,420 SHA256 iterations (client- and server-side) for the creation of user hashes
+- PBKDF2 with 610,005 SHA256 iterations for the encryption of the user keys
+- ECC (with the "NIST P-521" curve) for the private-public key procedure
+
+NOTE: All encryption algorithms used by Netwrix Password Secure are FIPS compliant.
+
+## Applied cryptographic procedures
+
+Applied cryptographic procedures The container encryption of the passwords is based on the
+aforementioned algorithms. Each container has its own randomly generated salt. Each password, user,
+and role has its own key pair. When releases are granted for users and roles, the passwords within
+the database are hierarchically encrypted. Netwrix Password Secure also uses the following
+cryptographic methods to achieve maximum security:
+
+To integrate an AD, you can choose between an end-to-end encryption (E2EE – the safest mode) and the
+Master Key The server key is protected using the hardware security module (HSM) via PKCS#11 Brute
+force protection for logging in by means of automatic blocking of the requesting client Certificate
+protection when using applications Certificate request for client/server connection You may use your
+own certificate authority (CA) as an option. Latest version of the Secure Sockets Layer (SSL)
+Passwords are only encrypted and transported to the client when they have been explicitly requested
+in advance. More…
+
+**CAUTION:** Only secrets are encrypted. Metadata is not encrypted to ensure search speed. Secrets
+are usually passwords. However, the customer can decide what kind of data they are. Note that
+Secrets cannot be searched for.
diff --git a/docs/passwordsecure/9.3/faq/security/high_availability.md b/docs/passwordsecure/9.3/faq/security/high_availability.md
new file mode 100644
index 0000000000..1b3ad7ffad
--- /dev/null
+++ b/docs/passwordsecure/9.3/faq/security/high_availability.md
@@ -0,0 +1,43 @@
+---
+title: "High availability"
+description: "High availability"
+sidebar_position: 30
+---
+
+# High availability
+
+## What is high availability?
+
+High availability is designed to guarantee the further operation of Netwrix Password Secure in the
+event of damage. A series of requirements need to be met in advance in order to use this feature
+
+**CAUTION:** As the configuration of high availability is complex, it is (generally) implemented
+during a consultation. If you are interested in this feature, please contact us directly or contact
+your responsible partner.
+
+#### Requirements
+
+The following points should be observed during the configuration.
+
+- It is essential that MSSQL Enterprise Version is used for replicating the database (even in the
+ case of a replication across multiple locations)
+- To achieve a better level of protection, we recommend operating the Netwrix Password Secure
+ database on its own cluster
+- A Netwrix Password Secure application server needs to be licensed for each location. Every
+ application server has its own configuration database.
+
+Load balancer
+
+- To reduce the load on the server, a load balancer can be installed upstream of the application
+ server
+- If no load balancer is used, the distribution of the database profiles for the users is generally
+ carried out via the registry
+
+If a database is set up at ”location A” including an AD profile, the certificate needs to exported
+there and then imported onto the server at “location B”. The database is replicated using MSSQL
+technology and can be integrated as an existing database into Netwrix Password Secure at “location
+B”. If the application server at “location A” fails, the server in the registry needs to be replaced
+(location B) and rolled out again to users using group rules (GPO).
+
+NOTE: Only peer-to-peer transaction replication is tested. If a different type of replication is
+used, it should be tested in advance.
diff --git a/docs/passwordsecure/9.3/faq/security/penetration_tests.md b/docs/passwordsecure/9.3/faq/security/penetration_tests.md
new file mode 100644
index 0000000000..bc05ed4133
--- /dev/null
+++ b/docs/passwordsecure/9.3/faq/security/penetration_tests.md
@@ -0,0 +1,23 @@
+---
+title: "Penetration tests"
+description: "Penetration tests"
+sidebar_position: 20
+---
+
+# Penetration tests
+
+## External Penetration tests
+
+The high security standards of Netwrix Password Secure are regularly attested by external pentests
+of different providers. New functions in particular are always subjected to penetration tests in
+order to have them thoroughly checked before release. The resulting findings enable us to detect and
+eliminate potential vulnerabilities in advance.
+
+## Why we test regularly?
+
+In pentesting, external and certified security auditors look specifically for security gaps and
+weaknesses in the software that an attacker could exploit. Attack scenarios are simulated on the
+client side, the source code is checked and the quality of the cryptographic process is assessed. In
+this way, the security of Netwrix Password Secure and the data stored in it is tested in advance in
+order to be able to offer our customers effective protection and minimize the risk of success of an
+attack.
diff --git a/docs/passwordsecure/9.3/index.md b/docs/passwordsecure/9.3/index.md
new file mode 100644
index 0000000000..f25fed5e95
--- /dev/null
+++ b/docs/passwordsecure/9.3/index.md
@@ -0,0 +1,25 @@
+---
+title: "Why Netwrix Password Secure?"
+description: "Why Netwrix Password Secure?"
+sidebar_position: 1
+---
+
+# Why Netwrix Password Secure?
+
+## Users depend on passwords
+
+Now more than ever in their day-to-day business worldwide. They are used constantly and everywhere,
+and they need to be professionally managed. Passwords should be safe, have at least 12 characters,
+including uppercase and lowercase as well as special characters. In the best case, a separate access
+password should be used for each account. It should be changed regularly. It is hard enough to meet
+this challenge in private settings. In a large corporate environment, you wouldn’t be able to
+adequately manage this task without the use of a professional password management tool.
+
+## Scalability
+
+The scalability of Netwrix Netwrix Password Secure (NPS) makes it suitable for use in SMEs, large
+companies, and global corporations. The flexibility required for this task is the driving factor
+behind our development to meet the ever-changing requirements of modern and safety-conscious
+companies. NPS is the perfect software solution for companies that wish to effectively manage
+security-relevant data such as passwords, documents, or certificates at a very high encryption
+level.
diff --git a/docs/passwordsecure/9.3/installation/_category_.json b/docs/passwordsecure/9.3/installation/_category_.json
new file mode 100644
index 0000000000..64ab617b78
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Installation",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "installation"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/installation.md b/docs/passwordsecure/9.3/installation/installation.md
new file mode 100644
index 0000000000..7250488faa
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installation.md
@@ -0,0 +1,79 @@
+---
+title: "Installation"
+description: "Installation"
+sidebar_position: 20
+---
+
+# Installation
+
+The following pages will provide you with all the information how to install the different Netwrix
+Password Secure components.
+
+## System landscape
+
+The following overview presents a basic production Netwrix Password Secure system landscape. Version
+9 allows the use of several database servers across all sites. These are then synchronized using
+Microsoft SQL server tools. Any number of application servers can be made available for the client
+connection. This ensures load distribution, and allows work without significant latency. This
+technology offers enormous performance advantages, particularly in the case of installations that
+are spread across worldwide locations.
+
+## Client (presentation layer)
+
+The client layer handles the representation of all data and functions, which are provided by the
+application server.
+
+## Application server (business logic)
+
+The application server is entirely responsible for the control of the business logic. This server
+only ever delivers the data for which the corresponding permissions are available. The multi-tier
+architecture described at the beginning allows the use of several application servers and ensures
+efficient load distribution.
+
+## Database server (data storage)
+
+Netwrix Password Secure uses Microsoft SQL Server to store data due to its widespread use, and its
+ability to ensure high-performance access even in large and geographically scattered environments.
+Smaller installations may also use the free SQL Express version.
+
+## Conclusion
+
+At least three servers are thus recommended:
+
+- Database server (MSSQL)
+- Application server (Netwrix Password Secure services)
+- Web server (IIS, NginX, Apache 2)
+
+**CAUTION:** For databases in a production system, we recommend using a fail-safe cluster. Microsoft
+SQL Server can replicate the data to a different data centre, e.g via WAN. We also recommend
+providing a Windows server for each function. Separating the systems makes it easier to expand and
+scale the system landscape at a later point. However, it is not absolutely necessary to separate the
+systems. Accordingly, all of the components can also be installed on one server in the case of
+smaller installations or test environments.
+
+### Firewall rules / Ports
+
+## MSSQL Server
+
+- Port 1433 TCP for communication with application server (incoming)
+
+### Application server
+
+- Port 443 HTTPS for connection to the Netwrix Password Secure license server (outgoing)
+- Port 11011 TCP for communication with clients or web server IIS (incoming)
+- Port 11014 TCP for the backup service (usually does not need to be unlocked)
+- Port 11016 TCP for the Web services (incoming; only when using the Web Application)
+- Port 11018 TCP for real-time update (incoming)
+- Port 1433 TCP for communication with SQL Server (outgoing)
+
+### Webserver (Web Application)
+
+- Port 443 HTTPS to access the webserver from the client (incoming)
+- Port 11016 for communication to the application server (outgoing)
+- Port 11018 for the real-time update (outgoing)
+
+### Client
+
+- Port 11011 TCP for communication with the application server (outgoing)
+- Port 11018 TCP (outgoing)
+- Port 52120 TCP with the add-on (outgoing)
diff --git a/docs/passwordsecure/9.3/installation/installation_server_manager.md b/docs/passwordsecure/9.3/installation/installation_server_manager.md
new file mode 100644
index 0000000000..0a90111f77
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installation_server_manager.md
@@ -0,0 +1,44 @@
+---
+title: "Installation Server Manager"
+description: "Installation Server Manager"
+sidebar_position: 20
+---
+
+# Installation Server Manager
+
+## Guide
+
+The MSI installation files and the associated
+[Application server](/docs/passwordsecure/9.3/installation/requirements/application_server.md) can be found in the corresponding
+sections. The following step-by-step guide will accompany you through the wizards.
+
+![Password Secure Server Setup](/images/passwordsecure/9.2/installation/installation_server_manager/installation-admin-client-1-en.webp)
+
+First you are required to read and accept the license terms. These can also be printed.
+
+![Password Secure Server Setup](/images/passwordsecure/9.2/installation/installation_server_manager/installation-admin-client-2-en.webp)
+
+The next step is to define the location. The suggested location can be retained.
+
+If you want to use Netwrix Password Secure as an identity provider
+[Configuration of SAML](/docs/passwordsecure/9.3/configuration/advancedview/clientmodule/applications/configuration_of_saml.md)
+must be selected. Otherwise, it will not be installed.
+
+![Password Secure Server Setup](/images/passwordsecure/9.2/installation/installation_server_manager/installation-admin-client-3-en.webp)
+
+Start the installation.
+
+![Password Secure Server Setup](/images/passwordsecure/9.2/installation/installation_server_manager/installation-admin-client-4-en.webp)
+
+The last step closes the setup and opens (if desired) the Server Manager.
+
+![Password Secure Server Setup](/images/passwordsecure/9.2/installation/installation_server_manager/installation-admin-client-5-en.webp)
+
+## Authentication
+
+After the installation, you can login directly to the Server Manager.
+
+![Server Authentication](/images/passwordsecure/9.2/installation/installation_server_manager/server-auth-en.webp)
+
+NOTE: The initial password for the first login is “admin”. It should be changed directly after the
+logon.
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/_category_.json b/docs/passwordsecure/9.3/installation/installationbrowseraddon/_category_.json
new file mode 100644
index 0000000000..e654bf472d
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Installation Browser Extension",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "installation_browser_add-on"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/google_chrome.md b/docs/passwordsecure/9.3/installation/installationbrowseraddon/google_chrome.md
new file mode 100644
index 0000000000..277b83e401
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/google_chrome.md
@@ -0,0 +1,24 @@
+---
+title: "Google Chrome"
+description: "Google Chrome"
+sidebar_position: 10
+---
+
+# Google Chrome
+
+## Installing the add-on
+
+The installation of the Google Chrome Add-on is done directly from the Google Store. You can access
+it via the following link:
+[Add-on for Google Chrome](https://chrome.google.com/webstore/detail/netwrix-password-secure/bpjfchmapbmjeklgmlkabfepflgfckip).
+
+Alternatively, you can also access the Google Store via the Autofill Add-on. To do this, right-click
+the icon to open the context menu. After a further click on Install Browser Extensions the Google
+Chrome Add-on can be selected, whereupon you will be redirected directly to the Google Store.
+
+The installation is started via Add.
+
+The add-on is now installed and the icon is added to the browser.
+
+NOTE: It is also possible to find the Add-on link in the Web Application page footer, if it is not
+installed yet.
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/installation_browser_add-on.md b/docs/passwordsecure/9.3/installation/installationbrowseraddon/installation_browser_add-on.md
new file mode 100644
index 0000000000..7cdf1f2a39
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/installation_browser_add-on.md
@@ -0,0 +1,14 @@
+---
+title: "Installation Browser Extension"
+description: "Installation Browser Extension"
+sidebar_position: 50
+---
+
+# Installation Browser Extension
+
+Following browser extensions can be installed: 
+
+- [Google Chrome](/docs/passwordsecure/9.3/installation/installationbrowseraddon/google_chrome.md)
+- [Microsoft Edge](/docs/passwordsecure/9.3/installation/installationbrowseraddon/microsoft_edge.md)
+- [Mozilla Firefox](/docs/passwordsecure/9.3/installation/installationbrowseraddon/mozilla_firefox.md)
+- [Safari](/docs/passwordsecure/9.3/installation/installationbrowseraddon/safari.md)
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/microsoft_edge.md b/docs/passwordsecure/9.3/installation/installationbrowseraddon/microsoft_edge.md
new file mode 100644
index 0000000000..8b6534686f
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/microsoft_edge.md
@@ -0,0 +1,18 @@
+---
+title: "Microsoft Edge"
+description: "Microsoft Edge"
+sidebar_position: 20
+---
+
+# Microsoft Edge
+
+## Installing the add-on
+
+The installation of the Edge Add-on is done directly from the official Store. The Edge Add-on can be
+downloaded from the following link:
+[Add-on for Edge](https://microsoftedge.microsoft.com/addons/detail/netwrix-password-secure/ahdfobpkkckhdhbmnpjehdkepaddfhek).
+
+![Add-on Edge](/images/passwordsecure/9.2/installation/browser/addon-edge-en.webp)
+
+NOTE: It is also possible to find the Add-on link in the Web Application page footer, if it is not
+installed yet
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/mozilla_firefox.md b/docs/passwordsecure/9.3/installation/installationbrowseraddon/mozilla_firefox.md
new file mode 100644
index 0000000000..f42bc00077
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/mozilla_firefox.md
@@ -0,0 +1,20 @@
+---
+title: "Mozilla Firefox"
+description: "Mozilla Firefox"
+sidebar_position: 30
+---
+
+# Mozilla Firefox
+
+## Installing the add-on
+
+The installation of the Firefox Add-on is done directly from the official Store. The Firefox Add-on
+can be downloaded from the following link:
+[Add-on firefox](https://addons.mozilla.org/en-US/firefox/addon/password-safe-browser-add-on/).
+
+After the download, the add-on is simply dragged and dropped into the browser.
+
+After confirming a security question, it is installed and an icon is created in the menu bar.
+
+NOTE: It is also possible to find the Add-on link in the Web Application page footer, if it is not
+installed yet
diff --git a/docs/passwordsecure/9.3/installation/installationbrowseraddon/safari.md b/docs/passwordsecure/9.3/installation/installationbrowseraddon/safari.md
new file mode 100644
index 0000000000..1c91616943
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationbrowseraddon/safari.md
@@ -0,0 +1,15 @@
+---
+title: "Safari"
+description: "Safari"
+sidebar_position: 40
+---
+
+# Safari
+
+## Installing the add-on
+
+The Safari Add-on can be downloaded from the following link:
+[Add-on Safari](https://download.passwordsafe.de/v9/Netwrix_Password_Secure-9.0.3.dmg).
+
+To install it, simply double-click on the downloaded file. A window will open where you then only
+need to drag and drop the Netwrix Password Secure logo onto the applications.
diff --git a/docs/passwordsecure/9.3/installation/installationclient/_category_.json b/docs/passwordsecure/9.3/installation/installationclient/_category_.json
new file mode 100644
index 0000000000..81712fa0bb
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationclient/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Installation Client",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "installation_client"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/installationclient/installation_client.md b/docs/passwordsecure/9.3/installation/installationclient/installation_client.md
new file mode 100644
index 0000000000..f732f49d5b
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationclient/installation_client.md
@@ -0,0 +1,100 @@
+---
+title: "Installation Client"
+description: "Installation Client"
+sidebar_position: 30
+---
+
+# Installation Client
+
+## Guide
+
+The MSI installation files and the associated
+[Client configuration](/docs/passwordsecure/9.3/installation/requirements/client_configuration.md) can be found in the corresponding
+sections. The following step-by-step guide will accompany you through the wizards.
+
+![installation wizard page 1](/images/passwordsecure/9.2/installation/installation_client/installation-client-1-en.webp)
+
+You are required to read and accept the terms of service. These can also be printed.
+
+The next step is to define the location of the client. The suggested location can be retained.You
+can also define whether additional components should be installed.
+
+**CAUTION:** Please only install the Terminal Server Service (for Autofill Add-on) if terminal
+server operation is intended!
+
+![installation wizard page 2](/images/passwordsecure/9.2/installation/installation_client/installation-client-3-en.webp)
+
+The actual installation starts in the next step.
+
+![installation wizard page 3](/images/passwordsecure/9.2/installation/installation_client/installation-client-4-en_339x265.webp)
+
+The last step closes the setup and opens (if desired) the Client.
+
+![installation wizard page 4](/images/passwordsecure/9.2/installation/installation_client/installation-client-5-en.webp)
+
+## Installed applications
+
+There are always several applications installed.
+
+![client icon](/images/passwordsecure/9.2/installation/installation_client/cllient-en.webp)
+
+This is the regular Client.
+
+![offline client icon](/images/passwordsecure/9.2/installation/installation_client/psrofflineclient-en.webp)
+
+The Offline Add-on allows access to the data without connection to Server Manager.
+
+![icon_autofill_agent](/images/passwordsecure/9.2/installation/installation_client/icon_autofill_agent.webp)
+
+The Autofill Add-on is used for SSO applications.
+
+## Integrating a database
+
+For connection to the database, the creation of a database profile is obligatory. The following
+information is required:
+
+- Profile name: The name of the profile. This will be displayed on the client in the future
+- IP address: The IP address of the Netwrix Password Secure V8 server is stored here
+- Database name: Specifies the name of the database
+
+## Distributing database profiles via the registry
+
+There is also an option to distribute database profiles. The profiles are specified via a
+corresponding registry entry. The next time Netwrix Password Secure is started, the profiles will be
+saved in the local configuration file. The database connection can be made with the following keys:
+
+
+```
+HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles
+HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles
+
+```
+
+These keys are structured like this:
+
+- HostIP: Server IP address
+- DatabaseName: Name of the database
+- LastUserName: The field for the user name can be specified here
+
+![profil-registry](/images/passwordsecure/9.2/installation/installation_client/profil-registry-en.webp)
+
+Is the profile set with the following entries?
+
+
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles
+
+```
+
+Then the last used date base as well as the last registered user are created with the following ID,
+when you log in for the first time:
+
+
+```
+HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles
+
+```
+
+NOTE: When the corresponding registry entry is set and no related database profile exists, the
+profile will be created at the next start-up. Please note that profiles created like this cannot be
+edited or deleted in the client.
diff --git a/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md b/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md
new file mode 100644
index 0000000000..e933ad2949
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md
@@ -0,0 +1,28 @@
+---
+title: "Installation with parameters"
+description: "Installation with parameters"
+sidebar_position: 10
+---
+
+# Installation with parameters
+
+## What is installation with parameters?
+
+The installation of the Netwrix Password Secure client can also be optionally run on the command
+line. This method also requires the transfer of parameters. These can be combined with one another.
+In this case, the individual parameters are separated from one another by a blank space. The
+parameters listed in the following section enable you to adapt the type of client installation.
+
+## Running on the command line with parameters
+
+Run the installation via the command line: **MSI-FILE.msi [PARAMETER]**
+
+**Parameter**
+
+- **AUTOFILL_ADDON_AUTOSTART=“0”**: Deactivates launching the Autofill Add-on in Windows autostart
+- **INSTALL_AUTOFILL_ADDON=“0**”: Deactivates the installation of the Autofill Add-on. In the list
+ of the components to be installed in the setup, a check mark has not been set but this can be set
+ again by the user
+- **INSTALL_OFFLINE_ADDON=“0”**: Deactivates the installation of the Offline Add-on. In the list of
+ the components to be installed in the setup, a check mark has not been set but this can be set
+ again by the user
diff --git a/docs/passwordsecure/9.3/installation/installationwebapplication/_category_.json b/docs/passwordsecure/9.3/installation/installationwebapplication/_category_.json
new file mode 100644
index 0000000000..c328f38534
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationwebapplication/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Installation Web Application",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "installation_web_application"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/installationwebapplication/apache.md b/docs/passwordsecure/9.3/installation/installationwebapplication/apache.md
new file mode 100644
index 0000000000..762531e32a
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationwebapplication/apache.md
@@ -0,0 +1,49 @@
+---
+title: "Apache"
+description: "Apache"
+sidebar_position: 10
+---
+
+# Apache
+
+In order to integrate the Web Application onto an Apache server, it is first necessary to enter all
+of the relevant settings:
+
+## Document directory
+
+The folder from which the Web Application should be operated is entered here. The default folder is
+/var/www/html
+
+## SSL certificate path
+
+It is necessary to enter the directory in which the certificate will be saved here.
+
+## SSL certificate key path
+
+Finally, it is necessary to enter where the certificate key is located here.
+
+![apache-en](/images/passwordsecure/9.2/installation/installation_web_application/apache-en.webp)
+
+Once all of the settings have been entered, the Web Application can be created via the button in the
+ribbon. The folder in which the ZIP file is located will then open automatically. The archive is now
+unzipped and the contents copied to the document directory on the web server.
+
+The configuration for the Apache server has now also been created and can be viewed on the Server
+Manager.
+
+![apache-en-2](/images/passwordsecure/9.2/installation/installation_web_application/apache-en-2.webp)
+
+The configuration can be selected using CTRL+A and copied. It is then directly integrated onto the
+Apache server.
+
+NOTE: The configuration of the Apache server is always individual. Therefore, it is only possible to
+roughly describe the process for a standard installation.
+
+## Standard configuration
+
+The file /etc/apache2/sites-available/default-ssl.conf is (for example "nano") opened. Everything
+between``and``is now deleted and replaced by the
+configuration from the server. Apache is subsequently restarted via systemctl reload apache.
+
+The Web Application is now ready to use and can be directly started. Further information can be
+found at the end of this section under "SCalling up the Web Application".
diff --git a/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md b/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md
new file mode 100644
index 0000000000..2d9627ce52
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md
@@ -0,0 +1,93 @@
+---
+title: "Installation Web Application"
+description: "Installation Web Application"
+sidebar_position: 40
+---
+
+# Installation Web Application
+
+**CAUTION:** This guide focuses on the initial installation of the Web Application and is not
+relevant for further updates.
+
+## Preparations for installation
+
+### System requirements
+
+Please ensured that all [Webserver](/docs/passwordsecure/9.3/installation/requirements/webserver/webserver.md) requirements have been met.
+
+### SSL certificate
+
+When the web service is started, the certificate created in the basic configuration is configured
+and connected to port 11016. This is the connection certificate for communication between the web
+server and the Netwrix Password Secure server.
+
+### Databases
+
+All databases that are to be used on the Web Application must be enabled for this purpose. With a
+double click on the corresponding database the option "Access via Web Application" can be activated.
+
+## Installation
+
+The Web Application is generated by the Server Manager and made available in a ZIP archive.
+Depending on the web server, the ZIP archive is created accordingly. The installation also differs
+depending on the web server used. Irrespective of the web server used, the following information
+firstly needs to be entered:
+
+### Destination
+
+Name the folder where the ZIP archive with the Web Application should be placed.
+
+**CAUTION:** Do not use the Server Manager installation directory
+
+NOTE: If the web server is created on IIS, execute config.bat to handle integration of the web
+server.
+
+### Server IP
+
+Please check if the IP address is correct otherwise no connection to the Web Application can be
+established. If the IP address is wrong, you have to change it in the basic configuration of the
+Server Manager.
+
+### Web server host address
+
+Enter the IP address or the host name of the web server.
+
+### Port
+
+Enter the port that is used to communicate with the Web Application.
+
+All of the subsequent steps or the required tasks will be explained in the associated chapters for
+each specific web server.
+
+## Custom Branding
+
+You can personalize the Web App with your company’s branding by navigating to `Custom branding`. There, upload your logo files and specify the custom text you want to display; the updated branding will appear across the application once saved.
+
+![Custom branding configuration](/images/passwordsecure/9.3/installation/installation_web_application/configure_custom_branding.webp)
+
+## CORS configuration
+
+A button for the so-called CORS configuration can be found on the ribbon. It is essential that this
+configuration is carried out before the Web Application can be used. A list of the permitted CORS
+domains will be saved as a result. Requests received via the Web Application can then be checked
+against this list. The request will only be successfully carried out if the origin header for a
+request is available in the permitted domains.
+
+In order to add a domain, simply enter it at the bottom of the dialogue. Clicking on
+:material-plus-circle-outline: will add the entry to the list at the top.
+
+![cors-en-new](/images/passwordsecure/9.2/installation/installation_web_application/cors-en-new.webp)
+
+NOTE: In general, it is sufficient to add the IP address which was also saved as the Web server host
+address.
+
+## Calling up the Web Application
+
+The process for calling up the Web Application is dependent on the configuration of the web server:
+
+- Web Application in root directory -> `https://hostname`
+- Web Application in a subdirectory -> `https://hostname/path-to-subdirectory`
+- Port is not set to 443 -> `https://hostname:port/path-to-subdirectory`
+
+NOTE: In order for the redirect to be used, it is important to ensure on apache and nginx web
+servers that no other host listens to port 80.
diff --git a/docs/passwordsecure/9.3/installation/installationwebapplication/microsoft_iis.md b/docs/passwordsecure/9.3/installation/installationwebapplication/microsoft_iis.md
new file mode 100644
index 0000000000..53771713f1
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationwebapplication/microsoft_iis.md
@@ -0,0 +1,64 @@
+---
+title: "Microsoft IIS"
+description: "Microsoft IIS"
+sidebar_position: 20
+---
+
+# Microsoft IIS
+
+If the Web Application is being operated on a Microsoft IIS web server, there are two methods for
+integrating it into the system:
+
+## Create as its own website
+
+For this option, a website with the name "Web Application" will be directly created on the IIS by
+config.bat. The Web Application will be operated here from the standard directory
+C:\inetpub\wwwroot.
+
+## Integrate in existing website
+
+requires there to be an existing website. Therefore, a website needs to be firstly created on the
+IIS web sever. The name of the website then needs to be entered in the Server Manager. It is also
+necessary to enter the folder from which the Web Application should be operated under "website
+directory". The format here is "/Web Application"
+
+![IIS installation](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-3-en.webp)
+
+Once all of the settings have been entered, the Web Application can be created via the corresponding
+button in the ribbon. When the ZIP archive containing the Web Application has been created, it is
+copied to the previously defined directory (C:\inetpub\wwwroot as standard) and unzipped there to
+create a new directory.
+
+## Config.bat
+
+The file config.bat can be found in the newly created Web Application directory and now needs to be
+executed when logged on as the administrator. This will integrate the Web Application into the IIS
+web server.
+
+NOTE: If the system requirements have not been met, you will be informed that the URL Rewrite and/or
+Application Request Routing modules need to be installed. In this case, follow the instructions on
+the wizard that will then immediately open. In addition, it is necessary to install the WebSocket
+Protokoll. Afterwards, config.bat needs to be executed again.
+
+If the website has been correctly created, this will be correspondingly indicated by the
+notification IIS page created.
+
+![IIS-creating page](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-4-en.webp)
+
+**CAUTION:** Following a successful installation, it is imperative that config.bat is deleted! The
+config.bat file should also not be used for an "update"
+
+## Certificate
+
+The certificate then needs to be saved. Select the newly created website on the IIS web server. The
+bindings can now be opened on the far right.
+
+![IIS](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-5-en.webp)
+
+Select the https entry and open it for editing. The SSL certificate is then selected here.
+
+![IIS](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-6-en.webp)
+
+In addition, the Netwrix Password Secure certificate needs to be exported from the Netwrix Password
+Secure Server and imported onto the ISS under local computer > trusted root certificate location ->
+certificates. Further information can be found in the section "Certificates"
diff --git a/docs/passwordsecure/9.3/installation/installationwebapplication/nginx.md b/docs/passwordsecure/9.3/installation/installationwebapplication/nginx.md
new file mode 100644
index 0000000000..ab7ec622fb
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/installationwebapplication/nginx.md
@@ -0,0 +1,50 @@
+---
+title: "nginx"
+description: "nginx"
+sidebar_position: 30
+---
+
+# nginx
+
+In order to integrate the Web Application onto an nginx server, it is first necessary to enter all
+of the relevant settings:
+
+## Document directory
+
+The folder from which the Web Application should be operated is entered here. The default folder is
+/var/www/html.
+
+## SSL certificate path
+
+It is necessary to enter the directory in which the certificate will be saved here. The standard
+path here is /etc/nginx/certs/Web Application.crt.
+
+## SSL certificate key path
+
+Finally, it is necessary to enter where the certificate key is located here. The default setting is
+/etc/nginx/certs/Web Application.key.
+
+![ngnix installation](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-9-en.webp)
+
+Once all of the settings have been entered, the Web Application can be created via the button in the
+ribbon. The folder in which the ZIP file is located will then immediately open. The archive is
+unzipped and its contents are copied to the document directory on the web server.
+
+The configuration for the nginx server was also created together with the ZIP file. This can be
+directly viewed on the Server Manager.
+
+![ngnix installation](/images/passwordsecure/9.2/installation/installation_web_application/installation-webclient-10-en.webp)
+
+The configuration then still needs to be integrated onto the nginx server. It can be directly copied
+on the Server Manager for this purpose.
+
+NOTE: Every web server configuration is individual. Therefore, it is only possible to outline the
+normal process for a standard installation.
+
+## Standard configuration
+
+The file /etc/nginx/sites-available/default is firstly opened. For example via "nano". Now search
+for the entry `server { }`. The configuration for the Server Manager is then added. Finally, the web
+server is restarted using the command systemctl restart nginx.
+
+The Web Application is now ready to use and can be directly started.
diff --git a/docs/passwordsecure/9.3/installation/requirements/_category_.json b/docs/passwordsecure/9.3/installation/requirements/_category_.json
new file mode 100644
index 0000000000..af267b40ba
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "Requirements",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/requirements/application_server.md b/docs/passwordsecure/9.3/installation/requirements/application_server.md
new file mode 100644
index 0000000000..bb16428681
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/application_server.md
@@ -0,0 +1,42 @@
+---
+title: "Application server"
+description: "Application server"
+sidebar_position: 10
+---
+
+# Application server
+
+#### System Components
+
+| | | |
+| ----------------- | ------------------ | ------------------ |
+| Attribute | Minimum | Recommended |
+| OS | MS Win Server 2019 | MS Win Server 2025 |
+| Architecture | x64 | x64 |
+| CPU [# Cores] | 4 | 8 |
+| RAM [GB] | 16 | 32 |
+| Disk Space [GB] | 70 | 100 |
+| MS .Net Framework | 4.8 | 4.8.1 |
+| MS WMF | 5.1 | 5.1 |
+
+####
+
+#### Required configuration
+
+- Service User: local admin rights, 'logon as a service' allowed
+- PowerShell Execution Policy: RemoteSigned
+- Mandatory Ports/firewall rules
+
+ - Port 443 HTTPS for connection to the Netwrix Password Secure license server (outgoing)
+ - Port 1433 TCP for communication with SQL Server (outgoing)
+ - Port 11011 TCP for communication with windows applications or web server IIS (incoming)
+ - Port 11016 TCP for the Web services (incoming; only when using the Web Application)
+ - Port 11018 TCP for real-time update (incoming)
+ - Port 11014 TCP for the backup service (usually does not need to be unlocked)
+ - Port 11015 TCP for Entra ID communication (incoming; only when using the Entra ID
+ provisioning)
+ - Port 11019 TCP for using Password Secure as Identity Provider (SAML) (incoming)
+
+- (Optional) Server needs to be domain-joined (only when using AD provisioning (not Entra ID))
+- (Optional) Provide SMTP-Server details: hostname, port, auth method, protocol (mandatory for a
+ variety of features)
diff --git a/docs/passwordsecure/9.3/installation/requirements/client_configuration.md b/docs/passwordsecure/9.3/installation/requirements/client_configuration.md
new file mode 100644
index 0000000000..a04c4f5141
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/client_configuration.md
@@ -0,0 +1,31 @@
+---
+title: "Client configuration"
+description: "Client configuration"
+sidebar_position: 30
+---
+
+# Client configuration
+
+#### System Components
+
+NOTE: Our Windows Application (Win App) is not available for MSP-customers!
+
+| | | |
+| --------------------------- | ----------------------------------- | ---------------------- |
+| Attribute | Minimum | Recommended |
+| OS | Win 10 21H2 19044 Win 11 21H2 22000 | Win 11 23H2 22631.3235 |
+| Architecture | x64 | x64 |
+| CPU [Cores] | 4 | 8 |
+| RAM [GB] | 8 | 16 |
+| Disk Space [GB] | 50 | 100 |
+| MS .NET Framework | 4.8 | 4.8.1 |
+| RDP-Version (if applicable) | 10 | 12 |
+
+#### Required Configuration
+
+- Mandatory ports/firewall rules
+ **a**. Port 11011 TCP for communication with the application server (outgoing)
+ **b**. Port 11016 TCP for WebSocket communication with the server (outgoing)
+
+- WAN/VPN connection to application server: MTU-size = 1500 bytes (1472 bytes + 28 bytes for the
+header)
diff --git a/docs/passwordsecure/9.3/installation/requirements/mobile_apps.md b/docs/passwordsecure/9.3/installation/requirements/mobile_apps.md
new file mode 100644
index 0000000000..89a0dc7ea5
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/mobile_apps.md
@@ -0,0 +1,19 @@
+---
+title: "Mobile Apps"
+description: "Mobile Apps"
+sidebar_position: 50
+---
+
+# Mobile Apps
+
+#### Required Version
+
+**CAUTION:** Our mobile apps are only supported on devices with the official OS (no jailbreak, not
+rooted).
+
+| | | |
+| ---------------- | ------- | ----------- |
+| OS | Minimum | Recommended |
+| iOS (Apple) | 17.7.1 | 18.1 |
+| iPadOS (Apple) | 17.7.1 | 18.1 |
+| Android (Google) | 13 | 15 |
diff --git a/docs/passwordsecure/9.3/installation/requirements/mssql_server.md b/docs/passwordsecure/9.3/installation/requirements/mssql_server.md
new file mode 100644
index 0000000000..2bbab17206
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/mssql_server.md
@@ -0,0 +1,32 @@
+---
+title: "MSSQL Server"
+description: "MSSQL Server"
+sidebar_position: 20
+---
+
+# MSSQL Server
+
+#### Required Version
+
+RECOMMENDED: Using MS SQL Server Express can lead to significant performance issues because of the
+various limitations. Our recommendation is to use MS SQL Server Standard as a minimum.
+
+Please follow Microsoft recommendations for system requirements for SQL Server.
+
+| | | |
+| --------------------- | ------- | ----------- |
+| Attribute | Minimum | Recommended |
+| MS SQL Server Version | 2019 | 2022 |
+
+**CAUTION:** If you plan to install the MS SQL Server on the machine with the Netwrix Password
+Secure application server, please ensure to meet the combined minimum requirements for both systems.
+
+#### Required Configuration
+
+1. Service User: dbCreator (only required if the Netwrix Password Secure is used to create databases
+ (recommended)), dbOwner
+ **a**. (Optional) Sysadmin (only when using the Netwrix Password Secure Backup Service)
+2. Collation: Latin1_General_CI_AS (if the MS SQL Server is using a different collasion, the
+ database needs to be created manually with the right collation and then be linked to/in Netwrix
+ Password Secure)
+3. Port/firewall rule: Port 1433 TCP for communication with application server (incoming)
diff --git a/docs/passwordsecure/9.3/installation/requirements/webserver/_category_.json b/docs/passwordsecure/9.3/installation/requirements/webserver/_category_.json
new file mode 100644
index 0000000000..9b0df2001b
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/webserver/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Webserver",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "webserver"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/installation/requirements/webserver/browser.md b/docs/passwordsecure/9.3/installation/requirements/webserver/browser.md
new file mode 100644
index 0000000000..0a3d03a546
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/webserver/browser.md
@@ -0,0 +1,20 @@
+---
+title: "Browser"
+description: "Browser"
+sidebar_position: 10
+---
+
+# Browser
+
+#### Required Version
+
+Only the browser extension provided in the store of the supported browser is supported (NOT Chrome
+browser extension used in Edge, for example).
+
+| | | |
+| ----------------- | -------------------------- | ----------- |
+| Supported Browser | Minimum | Recommended |
+| Chrome | Last two Stable releases | Stable |
+| Edge | Last three Stable releases | Stable |
+| Firefox | ESR | Stable |
+| Safari | Latest | Latest |
diff --git a/docs/passwordsecure/9.3/installation/requirements/webserver/webserver.md b/docs/passwordsecure/9.3/installation/requirements/webserver/webserver.md
new file mode 100644
index 0000000000..9da45043de
--- /dev/null
+++ b/docs/passwordsecure/9.3/installation/requirements/webserver/webserver.md
@@ -0,0 +1,39 @@
+---
+title: "Webserver"
+description: "Webserver"
+sidebar_position: 40
+---
+
+# Webserver
+
+#### System Components
+
+| | | |
+| --------- | --------------- | ----------------- |
+| Webserver | Minimum | Recommended |
+| IIS | 10 | 10 |
+| Apache | 2.4.58 | 2.4.58 |
+| NGINX | 1.24.0 (stable) | 1.25.4 (mainline) |
+
+#### Required Modules/Extensions
+
+| | | | |
+| --------------------- | ------- | ----------- | ---------- |
+| Attribute | Minimum | Recommended | Applies to |
+| URL Rewrite mod | 2.1 | 2.1 | IIS |
+| ARR | 3.0 | 3.1 | IIS |
+| Websocket Protocol | - | - | IIS |
+| mod_rewrite module | - | - | Apache |
+| mod_proxy module | - | - | Apache |
+| mod_ssl module | - | - | Apache |
+| mod_proxy_http module | - | - | Apache |
+
+#### Required Configuration
+
+Mandatory Ports/firewall rules
+
+- Port 443 HTTPS to address the web server from the client (inbound)
+- Port 11016 for communication with the application server (outgoing)
+- Port 11018 for real-time updating (outgoing)
+- (Optional) Port 11019 for using Password Secure as Identity Provider (SAML) (outgoing)
+- (Optional) Port 11015 for Entra ID SCIM provisioning (outgoing)
diff --git a/docs/passwordsecure/9.3/introduction/_category_.json b/docs/passwordsecure/9.3/introduction/_category_.json
new file mode 100644
index 0000000000..7a06add9de
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Introduction",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "introduction"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/introduction/introduction.md b/docs/passwordsecure/9.3/introduction/introduction.md
new file mode 100644
index 0000000000..9d5cd3dd79
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/introduction.md
@@ -0,0 +1,14 @@
+---
+title: "Introduction"
+description: "Introduction"
+sidebar_position: 10
+---
+
+# Introduction
+
+## Welcome to the official Netwrix Password Secure documentation!
+
+All Netwrix product announcements have moved to the Netwrix Community. See announcements for
+Netwrix Password Secure in the
+[Password Secure](https://community.netwrix.com/c/password-secure/announcements/122) area of the
+community.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/_category_.json b/docs/passwordsecure/9.3/introduction/versionhistory/_category_.json
new file mode 100644
index 0000000000..ffb42b5dc3
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Version History",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "version_history"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.0.30423.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.0.30423.md
new file mode 100644
index 0000000000..52340922cc
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.0.30423.md
@@ -0,0 +1,54 @@
+---
+title: "Version 9.0.0.30423"
+description: "Version 9.0.0.30423"
+sidebar_position: 100
+---
+
+# Version 9.0.0.30423
+
+## New
+
+#### Cross-client change\*
+
+- The encryption system has undergone significant enhancements to bolster its resistance against
+ brute force attacks. Moreover, it now aligns with the latest OWASP recommendations.
+
+#### Extended view (formerly FullClient)
+
+- Windows clients have transitioned to exclusive compatibility with 64-bit systems, optimizing
+ available RAM resources and enabling concurrent operation of more RDP sessions (also affects the
+ SSO and OfflineClient). RDP libraries have also been upgraded to 64-bit.
+- In the recycle bin of organizational units, it is now possible to permanently delete objects via
+ multiple selections.
+- The clarity of the user interface has been enhanced by defaulting to icons instead of logos,
+ offering a more streamlined experience. This adjustment also applies to the Web Application.
+
+\* This improvement affects all views (normal and advanced view) and Clients (Admin-, Web-, SSO- and
+OfflineClient), the browser extension, API, and the server as well as MSP.
+
+#### MSP
+
+- Price details can now be customized on a per-customer basis, allowing for greater flexibility and
+ tailored pricing options.
+
+## Fixed
+
+#### Extended view (formerly FullClient)
+
+- The export now also works when using special separators.
+- The export now also works, when text qualifier is empty.
+- The "Add" permission for imported organizational units has been corrected.
+- The report on "Inactive user accounts" now shows correct data.
+
+#### Web Application
+
+- The OTP field can now be reset.
+
+#### Server
+
+- The "User deleted" event is now correctly recorded in the logbook.
+
+#### Browser extensions
+
+- Even if no URL is stored, the username and password can now be copied from the browser extension
+ again.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.1.30479.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.1.30479.md
new file mode 100644
index 0000000000..9b52d3b21f
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.1.30479.md
@@ -0,0 +1,29 @@
+---
+title: "Version 9.0.1.30479"
+description: "Version 9.0.1.30479"
+sidebar_position: 90
+---
+
+# Version 9.0.1.30479
+
+## Fixed
+
+#### Extended view
+
+- After duplicating a password, the quality of the password is recalculated correctly.
+- RDP connections now work again on Windows Server 2019.
+
+#### Web Application
+
+- The quick view can now be scrolled correctly even if another modal popup is open.
+
+#### Browser Extension
+
+- The search in the browser extension now works as expected again.
+
+#### Server
+
+- System tasks are no longer deactivated after each run if they were configured with the interval
+ 'Once' in the past.
+- HSM accesses are limited to a minimum now.
+- A self-defined password can be used for the WebViewer export again
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.2.30602.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.2.30602.md
new file mode 100644
index 0000000000..1d1c737d0a
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.2.30602.md
@@ -0,0 +1,40 @@
+---
+title: "Version 9.0.2.30602"
+description: "Version 9.0.2.30602"
+sidebar_position: 80
+---
+
+# Version 9.0.2.30602
+
+## New
+
+#### Advanced view (formerly FullClient)
+
+- The fields "user colour" and "initials" have been removed.
+- For better readability, the option "Change Active Directory synchronization status" has been
+ shortened to "Change AD sync state".
+- The "Settings" tab doesn`t close anymore when another option is clicked on (This only affects the
+ Web Application.).
+
+#### Basic view (formerly LightClient)
+
+- The "View details" option has been renamed to the more appropriate term "Quick view", which is
+ already used in the extended view (This only affects the Web Application.).
+
+## Fixed
+
+#### Advanced view (formerly FullClient)
+
+- Uploading a file now also works if no file name (e.g. '.env') is specified.
+
+#### Web Application:
+
+- Buttons to multiselect documents and applications have been added in the mobile view.
+- The "New organisational unit" dropdown menu closes now when another tab has been opened.
+- When multiple objects are selected, the button "Form field permissions" is greyed out now.
+- Predefined rights templates for more than one organizational unit can now be edited
+ simultaneously.
+
+#### Browser Extension
+
+- Passwords can now also be copied to the clipboard if no URL is stored.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.3.30606.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.3.30606.md
new file mode 100644
index 0000000000..dbcbacc840
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.3.30606.md
@@ -0,0 +1,13 @@
+---
+title: "Version 9.0.3.30606"
+description: "Version 9.0.3.30606"
+sidebar_position: 70
+---
+
+# Version 9.0.3.30606
+
+## Fixed
+
+#### DesktopClient
+
+- The PuTTY Client has been updated to version 0.81.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.0.30996.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.0.30996.md
new file mode 100644
index 0000000000..6cf5f533f7
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.0.30996.md
@@ -0,0 +1,106 @@
+---
+title: "Version 9.1.0.30996"
+description: "Version 9.1.0.30996"
+sidebar_position: 60
+---
+
+# Version 9.1.0.30996
+
+## New
+
+#### Browser Extension
+
+- UserVoice Winner: Stored OTPs can now be retrieved directly via the browser extension.
+- New improved autofill logic: The autofill function has been completely revised to enable a more
+ convenient automatic login in the browser.
+- Cross-platform authentication is now possible: The Windows app, browser extension and autofill
+ add-on can now authenticate each other.
+- UserVoice Winner: You can now also use htaccess forms for automatic login.
+- The SSO agent connection for the browser extension has been deprecated. Here you can find
+ instructions on how to switch to server mode as well as an FAQ to this topic (This also affects
+ the autofill add-on.).
+- Browser extension profiles can now be configured via policy.
+- Opening Netwrix Password Secure from the browser extension now works correctly.
+
+#### Basic view (formerly Light Client)\*
+
+- SSO applications can now be connected with passwords.
+- The button “Ignore application” has been renamed to “Hide application”.
+
+\*As the basic view on Windows has been deprecated with version 9.1.0, the basic view from now on
+always refers to the web app.
+
+#### Server
+
+- Missing data is now migrated to ECC.
+- The web server configuration routine for IIS has been improved.
+- If you change the deployment mode to "Members of groups only" during AD synchronization, the
+ checkboxes for synchronization are now ignored.
+
+## Improvements
+
+#### Platform-client change\*
+
+The following names have been changed:
+
+| Obsolete | New (English) | New (German) |
+| ------------------------------------ | ------------------- | ------------------- |
+| WebClient | Web application | Web Application |
+| LightUser / Basic view User | (Basic) user\* | (Standard) User\* |
+| Basic view (Ansicht) | Basic view | Standardansicht |
+| FullUser / FullClient User | Advanced user | Advanced User |
+| FullClient (Ansicht) | Advanced view | Erweiterte Ansicht |
+| Browser Add-on | Browser extension | Browser-Erweiterung |
+| App | Mobile application | Mobile Application |
+| Desktop Client | Windows application | Windows Application |
+| Web Endpoint | Web server | Web Server |
+| SSO Agent / SSO Add-on / SSO Service | Autofill add-on | Autofill Add-on |
+| OfflineClient | Offline add-on | Offline Add-on |
+| AdminClient | Server Manager | Server Manager |
+| SAML Service | IdP service | IdP Service |
+
+\* This improvement affects all views (basic and advanced view), apps and add-ons (Server Manager,
+web and Windows app, autofill and offline add-on) the browser extension, API, and the server as well
+as MSP.
+
+#### Basic view (formerly LightClient)\*
+
+- The basic view on Windows has been deprecated. Basic users can still login via web app.
+
+#### Browser extension
+
+- Login errors are now displayed correctly.
+
+#### Server
+
+- The quality of secrets stored in the database is now encrypted.
+
+## Fixed
+
+#### Advanced view (formerly FullClient)
+
+- The footer is now displaying the latest four involved users again.
+- Resetting to the default settings for actions in the clipboard is no longer saved when canceling.
+- Drag & Drop while updating a document is now possible in the web app.
+
+This only affects the Windows app:
+
+- Rights from organizational units to passwords can now also be inherited recursively.
+- Login security has improved: Credentials for one application can no longer be reused for a
+ different one.
+- Report details are now displayed correctly again.
+
+#### Server
+
+- Changing the form of passwords with multiline passwords now works.
+- Sorting in the (emergency) web viewer now works correctly.
+
+#### Server Manager
+
+- The migration summary no longer shows an error message when all ECC migrations were started
+ successfully.
+
+#### API
+
+- It is no longer possible to attach data to more than one organizational unit.
+- Passwords that are changed via the JavaScript API/SDKbuD are encrypted correctly.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.1.31138.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.1.31138.md
new file mode 100644
index 0000000000..87e4f7f741
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.1.31138.md
@@ -0,0 +1,72 @@
+---
+title: "Version 9.1.1.31138"
+description: "Version 9.1.1.31138"
+sidebar_position: 50
+---
+
+# Version 9.1.1.31138
+
+## New
+
+#### Advanced view (formerly FullClient)
+
+- To facilitate the management of multiple directory service connections such as Active Directory or
+ Entra ID, this is now done from a central location and requires only one user right (Can manage
+ directory service connections).
+- The tag filter can now contain more than 10 tags.
+- The protection of sensitive data in the process memory has been improved.
+- If a browser tab is already open with the web app, this is now used first when creating new access
+ data via the browser extension (This also applies to the standard view.).
+
+## Improvements
+
+#### Server
+
+- The logging of errors in the realtime connection is now deactivated by default.
+- The migration from RSA to ECC has been improved by better performance and by eliminating the
+ migration of organisational units.
+- A new security setting has been added that fully logs access to encrypted passwords.
+
+#### Server Manager
+
+- To avoid typing errors when exporting certificates, the password must now be entered twice.
+- A new security setting has been added that fully logs access to encrypted passwords.
+
+## Fixed
+
+#### Advanced view (formerly FullClient)
+
+- Offline synchronization now also works for cross-platform login (This also applies to the offline
+ add-on.).
+- The setting “Restore last opened tabs” works again.
+- Closing the Windows app works again without unexpected crashes.
+
+#### Web app
+
+- The setting “Permitted document extensions” can now be reset in the user settings.
+- The “Clipboard gallery” option can now be changed in the user settings and global user settings.
+- When uploading many documents, the list can now be scrolled.
+- The list of documents to be uploaded can now be searched.
+
+#### Server
+
+- Documents with forbidden file extensions can no longer be uploaded.
+- The speed of loading filters has been improved.
+- An error when loading passwords after replacing the database certificate has been fixed.
+- The “Add” right can now only be transferred to organisational units.
+
+#### Browser extension
+
+- The automatic entry in iframes now takes the correct address into account again.
+- A bug has been fixed that prevented some websites from recognizing the data entered during
+ automatic entry.
+- The fields with the type integer, decimal number and checkbox can be used again for automatic
+ entry.
+- Profiles with long names are now displayed correctly again in the browser extension menu.
+- New passwords are now recognized again if the user is logged in to more than one database.
+- The cross-platform login in the browser extension now also works if the URL of the web app has
+ changed.
+
+#### API
+
+- After logging out in the JavaScript API, the “isAuthenticated” information is now correct.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.2.31276.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.2.31276.md
new file mode 100644
index 0000000000..c6b4e456fc
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.2.31276.md
@@ -0,0 +1,56 @@
+---
+title: "Version 9.1.2.31276"
+description: "Version 9.1.2.31276"
+sidebar_position: 40
+---
+
+# Version 9.1.2.31276
+
+## New
+
+#### Server & Server Manager
+
+- You can now assign an alias for each database for login purposes, eliminating the need to disclose
+ the real database name.
+- Individual databases can now be set to read-only mode.
+
+#### Web App
+
+- External links created via the web app now contain the database alias if one has been defined.
+
+#### Browser extension
+
+- The browser extension is now able to fill out OTP fields.
+
+## Improvements
+
+#### Web App
+
+- It is now possible to define the URL in applications of type Web as a regular expression.
+
+#### Browser extension
+
+- The performance of the browser extension has been improved.
+
+## Fixed
+
+#### Advanced view
+
+- The import of CSV files now handles organizational units correctly.
+- The quick view and history of passwords can be opened again.
+- Spontaneous errors when changing selected passwords have been fixed.
+- Web applications with URLs defined as regex are recognized correctly.
+- Logging in to the Windows app is possible again if you were last logged in in the standard view.
+
+#### Web App
+
+- Entra ID tokens can be regenerated in the profile list.
+
+#### Server Manager
+
+- The version of the nginx web server is no longer returned in the header in the standard
+ configuration.
+
+#### Browser extension
+
+- Web applications with URLs defined as regex are now recognized correctly.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.3.31365.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.3.31365.md
new file mode 100644
index 0000000000..262cc7f39e
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.3.31365.md
@@ -0,0 +1,44 @@
+---
+title: "Version 9.1.3.31365"
+description: "Version 9.1.3.31365"
+sidebar_position: 30
+---
+
+# Version 9.1.3.31365
+
+## New
+
+#### Browser extension
+
+- Based on Manifest V3, a new browser extension for Chrome has been released.
+
+#### Extended view (on Windows & web)
+
+- A new filter group “Directory Service Type” has been added, which allows explicit filtering by
+ users and roles from directory services.
+
+#### Server
+
+- The alias of a database is now displayed in the Authenticator app if one is configured, and a new
+ token is generated.
+- The session timeout for new databases is now set to 1 hour instead of the previous 6 hours.
+
+## Fixed
+
+#### Extended view
+
+- An external package with a vulnerability classified as weak has been updated. The vulnerability
+ could not be exploited via Netwrix Password Secure (This also affects the server & Server Manager
+ as well as the autofill & offline add-on.).
+- The obsolete property “Spaces” has been removed from the password policies (This also affects the
+ offline add-on.).
+- A possible XSS vulnerability in the WebViewer has been closed (This also affects the web app.).
+- A problem has been fixed where the password was not saved on the server after a change when it was
+ copied to the clipboard.
+- The cross-client login for the browser extension is now also operational for synchronized Windows
+ profiles.
+
+#### Server Manager
+
+- The configuration script for the web app under IIS now also works if there are spaces in the
+ target path.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.0.32454.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.0.32454.md
new file mode 100644
index 0000000000..379e22192a
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.0.32454.md
@@ -0,0 +1,74 @@
+---
+title: "Version 9.2.0.32454"
+description: "Version 9.2.0.32454"
+sidebar_position: 20
+---
+
+# Version 9.2.0.32454
+
+## New
+
+#### Web App (Advanced & Basic view)
+
+- The web app is now available with a new design and can be deployed via Server Manager. For a
+ limited time, the old web app remains available as an alternative.
+
+#### Advanced view (on Windows)
+
+- Additional time periods are now available for the "When revealing password" trigger: 6 hours, 12
+ hours, and 1 day.
+- API login is now possible with an API key that can be generated directly in the Windows and web
+ app (This applies to the API and web app in new design.). This simplifies the login process and
+ increases flexibility for integration.
+- For more targeted synchronization, it is now optionally possible to limit the attributes of Active
+ Directory and Entra ID users to be synchronized (This also applies to the web app and server.).
+
+## Improvements
+
+#### Web & Windows App
+
+- Multiline password fields can only be changed when they are revealed.
+
+#### Web App
+
+- To provide a better overview of all password changes, the "Show password" button in the password
+ history now also displays the encrypted fields of the historical versions.
+
+#### Server Manager
+
+- The alias of a database is now displayed in the database list, enabling quicker identification and
+ management of databases with different names.
+
+## Fixed
+
+#### Advanced view (on Windows)
+
+- Cross-client login now works for database profiles distributed via the registry (This also applies
+ to the autofill add-on.).
+- The values of list fields in passwords are now displayed as expected.
+- The Windows app now always starts within the visible area when multiple monitors are used.
+- After updating, translations are now loaded correctly on the first start of the Windows app.
+- Copying multiple fields to the clipboard while editing a password no longer removes the field
+ values.
+- A bug has been fixed that prevented users from switching the Detail tab in the footer.
+- An error in the tag management was resolved, which caused the buttons in the ribbon to disappear.
+
+#### Web App
+
+- An unloaded translation in the notifications has been fixed.
+- Reloading the web app now correctly shows the "Locked" view again.
+- Browser language detection for the web app is now reliable once more.
+- Deleted users and roles can now be removed from permissions (This also applies to the Windows
+ app.).
+
+#### Browser Extension
+
+- Excessive console output in the browser extension has been removed.
+
+#### Server Manager
+
+- Database login via the Server Manager is now also supported when using IPv6.
+
+#### API
+
+- The JavaScript API now again supports the creation of valid users.
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.1.32530.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.1.32530.md
new file mode 100644
index 0000000000..b66370d1fd
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.1.32530.md
@@ -0,0 +1,47 @@
+---
+title: "Version 9.2.1.32530"
+description: "Version 9.2.1.32530"
+sidebar_position: 10
+---
+
+# Version 9.2.1.32530
+
+## New
+
+#### Server & Server Manager
+
+The default name of the configuration database now contains the host name of the server.
+
+#### API
+
+The version of the API can now be called up within it.
+
+## Fixed
+
+#### Windows App
+
+Active Directory users in MasterKey mode can change their first factor required for login again.
+
+The distribution of translation files has been optimized.
+
+#### Web App
+
+Password fields of type ‘Heading’ are displayed correctly again (This only applies to the new
+design.).
+
+When creating a new user, the field for assigning roles is readable again (This only applies to the
+new design.).
+
+The distribution of translation files has been optimized.
+
+#### Browser extension
+
+A problem with a vulnerable package in the dependencies has been fixed.
+
+#### API
+
+The ‘SaveRights’ call is now functional again in the JavaScript API.
+
+#### Basic view in the web app
+
+Mouse hover effects in the basic view have been fixed (This only applys to the new design .).
diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md
new file mode 100644
index 0000000000..cc25f5b553
--- /dev/null
+++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md
@@ -0,0 +1,30 @@
+---
+title: "Version History"
+description: "Version History"
+sidebar_position: 30
+---
+
+# Version History
+
+The previously released versions and the corresponding changelogs can be found in the following
+sections.
+
+- [Version 9.2.1.32530](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.1.32530.md)
+
+- [Version 9.2.0.32454](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.0.32454.md)
+
+- [Version 9.1.3.31365](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.3.31365.md)
+
+- [Version 9.1.2.31276](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.2.31276.md)
+
+- [Version 9.1.1.31138](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.1.31138.md)
+
+- [Version 9.1.0.30996](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.1.0.30996.md)
+
+- [Version 9.0.3.30606](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.3.30606.md)
+
+- [Version 9.0.2.30602](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.2.30602.md)
+
+- [Version 9.0.1.30479](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.1.30479.md)
+
+- [Version 9.0.0.30423](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.0.0.30423.md)
diff --git a/docs/passwordsecure/9.3/maintenance/_category_.json b/docs/passwordsecure/9.3/maintenance/_category_.json
new file mode 100644
index 0000000000..01a1e6dd4d
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "Maintenance",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/maintenance/eccmigration/_category_.json b/docs/passwordsecure/9.3/maintenance/eccmigration/_category_.json
new file mode 100644
index 0000000000..615b99fa82
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/eccmigration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "ECC Migration",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "ecc_migration"
+ }
+}
\ No newline at end of file
diff --git a/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration.md b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration.md
new file mode 100644
index 0000000000..d4f65959ee
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration.md
@@ -0,0 +1,13 @@
+---
+title: "ECC Migration"
+description: "ECC Migration"
+sidebar_position: 30
+---
+
+# ECC Migration
+
+For a better overview the ECC migration is organized in two sections. One for the administrators and
+one for the end user:
+
+- [Admin Manual](/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_administrator_manual.md)
+- [User Manual](/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_user_manual.md)
diff --git a/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_administrator_manual.md b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_administrator_manual.md
new file mode 100644
index 0000000000..5776412424
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_administrator_manual.md
@@ -0,0 +1,78 @@
+---
+title: "Admin Manual"
+description: "Admin Manual"
+sidebar_position: 10
+---
+
+# Admin Manual
+
+## Preparation
+
+Before you execute the migration, you must ensure that the following preparations have been made:
+
+- Installation of the latest Netwrix Password Secure-Server, Native Client and Web Client
+- Check in the [Database properties](/docs/passwordsecure/9.3/configuration/servermanger/databaseproperties/database_properties.md) if the **offline
+ access** and the **mobile synchronization** are allowed
+ If that should be the case, **contact your users and make sure that they have to synchronize the
+ Offline Add-on and the mobile app**.
+
+**CAUTION:** If the OfflineClient or App does have not yet synchronized items, they are lost after
+the migration mode is enabled!
+
+- Backup all certificates using the Netwrix Password Secure Server Manager
+
+**CAUTION:** Only certificate backups made through the Server Manager are valid!
+
+![Certificates](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/certificates-ac-1-en.webp)
+
+![Export certificates](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/certificates-ac-2-en.webp)
+
+- Delete or restore all non “permanent deleted” users
+ If you have deactivated or non “permanent deleted“ users it would make sense to delete them
+ permanently, otherwise the migration would never finalize. Keep in mind, that every E2EE User must
+ log in, before you can complete the migration.
+- Only have **one active Netwrix Password Secure-Server**
+ In the case of multiple Netwrix Password Secure-Servers, you need to stop all Netwrix Password
+ Secure-Server services on all servers except on one, which actually is used for the migration.
+- For each Entra ID profile you have to create a new token. This token must be stored in the
+ corresponding Enterprise Application under the Provisioning tag.
+
+## Migration
+
+NOTE: During the migration, the database is in read-only mode. So it is possible to read all records
+from the database, but it is not possible to add new or edit existing records.
+
+#### Start migration
+
+Clicking on the icon **“Start migration”** in the databases' module to start the migration process
+
+![start migration](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/start-migration-en.webp)
+
+Select the database you want to migrate and enter the code-word.
+
+Remember, The code word is “Start”. Please make sure that you have read the whole documentation.
+Otherwise, data loss might occur!
+
+![select database](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/start-migration-2-en.webp)
+
+You should see the message, that the selected databases are now in migration mode:
+
+![start migration](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/start-migration-3-en.webp)
+
+As written in the message, export all required certificates via the Netwrix Password Secure Server
+Manager. If you have multiple servers in use import the certificates via the Server Manager at the
+end of the migration process.
+
+**CAUTION:** If certificates are missing the migration cannot be continued.
+
+#### Watch the migration process
+
+In the migration process you find all information about the current process, what is already
+migrated and what still needs to be migrated
+
+![migration progress](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/migration-progress-en.webp)
+
+After each user has logged into the database and has been successfully migrated, the migration is
+complete.
+
+![migration finished](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/migration-finished-en.webp)
diff --git a/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_user_manual.md b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_user_manual.md
new file mode 100644
index 0000000000..11eb4feb09
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/eccmigration/ecc_migration_user_manual.md
@@ -0,0 +1,25 @@
+---
+title: "User Manual"
+description: "User Manual"
+sidebar_position: 20
+---
+
+# User Manual
+
+## Preparation:
+
+If you use the Offline Add-on and the Mobile app it is necessary to synchronize them before your
+admin starts the migration.
+
+**CAUTION:** If you do not synchronize your data, it is lost and no more accessible after the
+migration!
+
+## Migration
+
+During the migration every E2EE-User of the database has to log in. Keep the client running until
+the message **„Userdata migration finished”** appears.
+
+![userdata_migration_finished_en](/images/passwordsecure/9.2/configuration/server_manager/ecc_migration/userdata_migration_finished_en.webp)
+
+NOTE: The migration can only be carried out with the Web Application and NativeClient. A migration
+just using the Extension, Autofill Add-on or the Mobile App is not possible.
diff --git a/docs/passwordsecure/9.3/maintenance/moving_the_server.md b/docs/passwordsecure/9.3/maintenance/moving_the_server.md
new file mode 100644
index 0000000000..afd82dfd11
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/moving_the_server.md
@@ -0,0 +1,103 @@
+---
+title: "Moving the server"
+description: "Moving the server"
+sidebar_position: 20
+---
+
+# Moving the server
+
+## Preparations
+
+It is necessary to make some preparations so that the move can be completed without any problems.
+
+#### 1. Installing the SQL server
+
+If the SQL server and the application server are on the same machine, the SQL server should be
+installed on the new machine first. It is necessary to observe the
+[MSSQL Server](/docs/passwordsecure/9.3/installation/requirements/mssql_server.md) for this process.
+
+#### 2. Installing the server
+
+The Netwrix Password Secure application server is installed next (see
+[Application server](/docs/passwordsecure/9.3/installation/requirements/application_server.md)). The installation itself
+is described under
+[Installation Server Manager](/docs/passwordsecure/9.3/installation/installation_server_manager.md).
+
+#### 3. Basic configuration
+
+After the server has been installed, the
+[Basic configuration](/docs/passwordsecure/9.3/configuration/servermanger/basic_configuration.md) is
+completed. A new configuration database will be created on the SQL server as a result. If you want
+to retain the old SQL server, it is necessary to give the configuration database a new name.
+
+#### 4. Deactivating the old server
+
+The license first needs to be deactivated before it can be activated on the new server (see options
+under [License settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md). Now stop
+the server so that nothing more can be changed in the database.
+
+## Backing up the data
+
+After making these preparations, the data from the old server can be backed up.
+
+#### 1. Backing up the system
+
+If using a virtual machine, a backup of it should be created. The old version of the server can then
+be restored in the event of problems.
+
+#### 2. Backing up the database
+
+In order to transfer the data to the new server, a backup of the database should be created.
+Although this is also possible via the Server Manager, we recommend carrying out the backup at the
+SQL level: right click on the database, then on Tasks and Backup. The desired target folder is
+selected in the following window.
+
+![insert backup](/images/passwordsecure/9.2/maintenance/sql-backup-en.webp)
+
+#### 3. Backing up the server certificate
+
+It is essential that the all available
+[Certificates](/docs/passwordsecure/9.3/configuration/servermanger/certificates/certificates.md) are backed up.
+Depending on the installation, a different number of certificates are required here.
+
+## Configuring the new server
+
+After the backed up data (database and certificate) has been transferred to the new server, it still
+needs to be integrated.
+
+#### 1. Integrating the database at the SQL level
+
+Firstly, a new database is created on the SQL server. This option can be found in the SQL Management
+Studio after right clicking on Databases. It is usually sufficient to simply enter the database
+names.
+
+![integrate the database](/images/passwordsecure/9.2/maintenance/sql-new-db-en.webp)
+
+As soon as the database has been created, the option Restore (under Tasks) can be selected by right
+clicking on the server. The Database is thus selected here. The backup now needs to be selected. It
+is also essential to check whether the correct database has been selected in the field "Target".
+
+![restore db](/images/passwordsecure/9.2/maintenance/sql-restore-en.webp)
+
+NOTE: This method can be also used to import backups that were directly created from the Server
+Manager.
+
+#### 2. Setting up the server
+
+After the backup has been installed on the new database, you can be start the Server Manager and run
+the setup wizard. The [Setup wizard](/docs/passwordsecure/9.3/configuration/servermanger/setup_wizard.md) is
+used for (amongst other things) reactivating the license. It is now possible to enter all of the
+desired configurations for the server.
+
+#### 3. Importing the certificates
+
+The backed up certificates are imported via the certificate manager.
+
+#### 4. Integrating the database
+
+Finally, the database is integrated onto the server via the database wizard.
+
+## Modifications on the client
+
+If the IP and/or host name for the server has changed, it is necessary to create/roll out new
+database profiles from the client.
diff --git a/docs/passwordsecure/9.3/maintenance/update.md b/docs/passwordsecure/9.3/maintenance/update.md
new file mode 100644
index 0000000000..efe6cf1c21
--- /dev/null
+++ b/docs/passwordsecure/9.3/maintenance/update.md
@@ -0,0 +1,111 @@
+---
+title: "Update"
+description: "Update"
+sidebar_position: 10
+---
+
+# Update
+
+## Reasons for regular updates
+
+Our development team is constantly working on the further development of the software. This does not
+only involve fixing any problems but also primarily the development of new features to adapt the
+software as best as possible to the requirements of our customers. Therefore, it is recommended that
+you regularly install updates.
+
+The documentation always refers to the latest version available. If Netwrix Password Secure deviates
+from the documentation (e.g. in appearance or also its functional scope), it makes sense to firstly
+update to the latest version.
+
+NOTE: The update check on the server or the client can be used to easily install the latest version.
+The update check on the client must be activated in the settings for users beforehand. We recommend
+leaving the update check deactivated for normal users! Otherwise these users could independently
+attempt to install updates. Since a new client cannot connect to an old server, this results in the
+user not being able to log in.
+
+## Requirements
+
+The requirements should be checked or established before an update.
+
+**CAUTION:** Please always check the Changelog for requirements or breaking changes before updating!
+
+### Check the software maintenance package
+
+The right to install updates is acquired with the software maintenance package. It is important to
+note that you are permitted to install all updates as long as the software maintenance package is
+still active. If the software maintenance package has expired, you are only permitted to use those
+versions that were released during the term of the software maintenance package. Therefore, you
+should check whether the software maintenance package is still active before an update. This can be
+easily checked on the Server Manager under
+[License settings](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/license_settings.md).
+
+### Creating a backup
+
+An update always involves making a profound change to the existing software. A corresponding
+[Backup management](/docs/passwordsecure/9.3/configuration/servermanger/mainmenu/backupsettings/backup_management.md)
+should thus be created directly before the update to ensure that no data is lost if a serious
+problem arises.
+
+### Checking compatibility
+
+An attempt is always made to design the Server Manager so that it is backwards compatible.
+Unfortunately this is not always possible. Therefore, you should always check which client version
+the Server Manager is compatible with before an update. The version history for the relevant version
+will provide this information.
+
+**CAUTION:** If the password for logging in to the Server Manager on the database has been saved, it
+is essential that it is noted down or temporarily saved elsewhere before an update!
+
+### Latest installation files
+
+The installation files can be downloaded from the
+[customer information system](https://license.passwordsafe.de/kis). Please simply use the access
+data that we sent to you by email to log in.
+
+## Perform update
+
+### Updating the Server Manager
+
+The Server Manager is simply installed on top of the existing installation. The password from the
+Server Manager should be made available at this point in any case. After the installation of the
+Server Manager, the database is only accessible when it is activated. If the password is only in the
+Netwrix Password Secure, it should be temporarily stored at this point.
+
+NOTE: If the service has not been ended in advance, the installation wizard will give you the
+opportunity to do so. If the service is still not ended at this stage, the computer will then need
+to be restarted. It is thus recommended that the Netwrix Password Secure services are ended before
+the update.
+
+Further information on the installation wizard can be found in the section
+[Installation Server Manager](/docs/passwordsecure/9.3/installation/installation_server_manager.md).
+
+### Patch level update for the databases
+
+The databases are usually deactivated after updating the Server Manager because they do not yet have
+the corresponding patch level. This should be immediately checked. After logging in to the Server
+Manager, the module “Databases” is immediately visible. If the databases have been deactivated, you
+can reactivate them directly in the ribbon via the corresponding button. The patch level will be
+updated during this process.
+
+### Updating the client
+
+The updates for the client are also simply installed over the existing installation. Further
+information can be found in the section Installation of the client. Naturally, the update can also
+be carried out using the installation parameters.
+
+### Updating the Web Application
+
+The application server must firstly be updated. A new Web Application
+([Installation Web Application](/docs/passwordsecure/9.3/installation/installationwebapplication/installation_web_application.md)
+is then created according to the instructions for the web server being used. The document directory
+on the web server should now be completely emptied. The Web Application is then unzipped and copied
+to the document directory on the corresponding web server.
+
+**CAUTION:** If the Web Application is being operated on an IIS web server, a new config.bat is
+generated for creating the new version. This must not be executed if the Web Application has already
+been installed and it must be deleted without fail after a successful update.
+
+NOTE: If the Web Application is used, the module: `proxy_wstunnel` must be installed when using
+Apache. With IIS the `WebSocket Protocol` becomes necessary. Further information can be found in the
+chapter [Webserver](/docs/passwordsecure/9.3/installation/requirements/webserver/webserver.md). This applies to version 8.5.0.14896
+or newer.
diff --git a/docs/passwordsecure/9.3/msp_system.md b/docs/passwordsecure/9.3/msp_system.md
new file mode 100644
index 0000000000..43371e0260
--- /dev/null
+++ b/docs/passwordsecure/9.3/msp_system.md
@@ -0,0 +1,58 @@
+---
+title: "MSP System"
+description: "MSP System"
+sidebar_position: 30
+---
+
+# MSP System
+
+To ensure optimal operation, we recommend that the following hardware resources are made available:
+
+## Microsoft SQL Server
+
+The following system requirements are the minimum system requirements and should manage around 10
+customers with less than 20 users each.
+
+- Windows Server 2016 (or newer)
+- MSSQL Server 2014 (or newer)
+- 4 CPU’s
+- 16 GB RAM
+- min. 100 GB HDD
+
+**CAUTION:** Please note, that using a SQL Server with Express edition is not recommended because of
+diverse limitations there.
+
+If your customer's count is growing over time, you should add every 200 users a minimum of at least:
+
+- 2 CPU’s
+- 8 GB RAM
+
+## Application Server
+
+The following system requirements are the minimum system requirements and should manage around 10
+customers with 20 users each.
+
+- Windows Server 2016 (or newer)
+- 4 CPU’s
+- 16 GB RAM
+- min. 50 GB HDD
+- .NET Framework 4.8
+
+If your customer's count is growing over time, you should add every 200 users a minimum of at least:
+
+- 1 CPU
+- 4 GB RAM
+
+RECOMMENDED: Currently, we suggest you use an application server to handle a max of about 100
+customers. So if you reach 100 customers, you should set up a second Application Server or use some
+sort of load balancing between the application servers.
+
+**CAUTION:** Every additional 1000 users an additional Web-Endpoint - incl. loadbalancing - is
+recommended
+
+**CAUTION:** Every additional 100 customers/1000 users an additional Application Server - incl.
+loadbalancing - is recommended.
+
+NOTE: Please note that individual variables - like the number of passwords per user - will affect
+performance. Especially for MSP-Systems it is required to monitor performance continuously, and add
+additional resources on demand.
diff --git a/sidebars/passwordsecure/9.3.js b/sidebars/passwordsecure/9.3.js
new file mode 100644
index 0000000000..5407b95644
--- /dev/null
+++ b/sidebars/passwordsecure/9.3.js
@@ -0,0 +1,24 @@
+module.exports = {
+ sidebar: [
+ {
+ type: 'autogenerated',
+ dirName: '.',
+ },
+ {
+ type: 'category',
+ items: [
+ {
+ type: 'link',
+ href: '../9_1',
+ label: '9.1'
+ },
+ {
+ type: 'link',
+ href: '../9_2',
+ label: '9.2'
+ }
+ ],
+ label: 'Older versions'
+ },
+ ],
+};
diff --git a/src/config/products.js b/src/config/products.js
index ba9a1c4239..dec863814b 100644
--- a/src/config/products.js
+++ b/src/config/products.js
@@ -373,10 +373,16 @@ export const PRODUCTS = [
 categories: ['Privileged Access Management (PAM)'],
 icon: '',
 versions: [
+ {
+ version: '9.3',
+ label: '9.3',
+ isLatest: true,
+ sidebarFile: './sidebars/passwordsecure/9.3.js',
+ },
 {
 version: '9.2',
 label: '9.2',
- isLatest: true,
+ isLatest: false,
 sidebarFile: './sidebars/passwordsecure/9.2.js',
 },
 {
@@ -386,7 +392,7 @@ export const PRODUCTS = [
 sidebarFile: './sidebars/passwordsecure/9.1.js',
 },
 ],
- defaultVersion: '9.2',
+ defaultVersion: '9.3',
 },
 {
 id: 'pingcastle',
diff --git a/static/images/passwordsecure/9.3/installation/installation_web_application/configure_custom_branding.webp b/static/images/passwordsecure/9.3/installation/installation_web_application/configure_custom_branding.webp
new file mode 100644
index 0000000000..fe5391def6
Binary files /dev/null and b/static/images/passwordsecure/9.3/installation/installation_web_application/configure_custom_branding.webp differ
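Review bot: In the new `sidebars/passwordsecure/9.3.js`, the two links under 'Older versions' use relative targets (`href: '../9_1'` and `href: '../9_2'`), which are resolved against the URL of whichever page is showing the sidebar. That presumably reaches the intended version root from only one directory depth, and the 9.3 docs added in this commit are nested several levels deep, so it should be checked from a nested page. I would make both targets absolute, e.g. `href: '<ABSOLUTE_ROUTE_OF_9.1_DOCS>'` (placeholder; the real route is not visible in this diff), and add a one-line comment saying why the route is spelled `9_1` while `products.js` uses `9.1`.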
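Review bot: In `src/config/products.js` the latest release is now recorded in two places that must be edited together: the `isLatest: true` flag on the new 9.3 entry (with 9.2 flipped to `false`) in the first hunk and `defaultVersion: '9.3'` in the second. Nothing visible in either hunk checks that exactly one entry carries `isLatest: true` or that it matches `defaultVersion`, so a later version bump that misses one of the edits would leave them disagreeing without any error. A short comment above `versions`, such as `// exactly one entry has isLatest: true, and it must equal defaultVersion`, would document the invariant; deriving one value from the other would remove it, if the consumers of this config allow that. The `PRODUCTS` array literal starts and ends outside both hunks, so the 9.1 entry's flag and any validation elsewhere cannot be seen from here.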