Release control – Manages password requests from authorized users, programs and scripts for the accounts they are entitled to access, via a secure Web browser connection with support for mobile devices. A password request can be automatically approved or require any level of manual approvals.
Change control – Supports configurable, granular change control of shared credentials, including time-based, last-use-based, and manual or forced change.
Auto discovery of:
- Accounts and systems – Instantly discovers new accounts and systems, and then either sends notifications about them to specified users or automatically enrolls them in management.
- Users – Automatically provisions users and maps permissions using your organization’s existing LDAP or Active Directory environment.
Application password support – Replaces hardcoded passwords in scripts, procedures and other programs. Application password management capabilities include:
- Programmatic access – Includes both a command-line interface (CLI) and an application programming interface (API) with access for C++, Java, .NET and Perl. Connectivity is via SSH with DSS key exchange.
- Role-based access – Supports role-based access for the CLI and API. You add a “programmatic” user with either “basic” access or “admin” access. Basic access enables the CLI or API to request account passwords and be granted access for authorized targets or accounts; this is appropriate, for example, for a “Requestor.” Admin access enables the CLI or API to perform administrative tasks.
- Optimal performance – Natively executes approximately 100 call requests per minute. For applications requiring higher performance, the appliance offers an optional cache that handles more than 1,000 password requests a second, satisfying the requirements of your most demanding applications.
- Extensive command set – Includes a comprehensive set of commands that can be executed via the CLI or API. Beyond simple “Get Password” commands, the solution supports extensive admin-level commands to provide tight integration with existing enterprise tools and workflows.
Enterprise-ready integration – Integrates with existing directories, ticketing systems and user authentication sources, including Active Directory and LDAP. It also fully supports two-factor authentication through Defender® or other third-party two-factor authentication products. A robust CLI/API supports end-to-end integration with existing workflows and tools, including reviewer notification and escalation workflows.
Secure appliance – Lacks a console port or console-level interface – the appliance can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities.
Scalable appliance – Provides secure, enterprise-ready access and management of shared credentials for more than 250,000 accounts at once.
Secure password storage – Encrypts all passwords stored in Privileged Password Management using AES 256 encryption. The appliance itself also includes full disk encryption using BitLocker™ Drive Encryption.
Robust target support – Manages shared credentials on the widest range of target servers, network devices and applications.
Handheld device support – Supports password request, approval and retrieval via handheld devices, which is configurable on a per-user basis.