
Quick start guide

This quick start admin guide is divided into two parts.
First, the BUILD, which explains the operations to be carried out before starting to use the Enterprise Vault.
Secondly, the RUN, which lists the product life operations that can be performed.

BUILD

Enterprise Vault user creation and management uses WALLIX ONE IDaaS (or Trustelem), so the BUILD phase will involve configuring both Enterprise Vault and WALLIX ONE IDaaS.

1/ Subscription creation

When you subscribe to WALLIX ONE Enterprise Vault, you'll need to provide several pieces of information: among others the name of your company, and the names of future administrators.

Your company name will be used to create a WALLIX ONE IDaaS subscription.

For instance, MyCompany could have the subscription named "mycompany.trustelem.com".

The list of admins provided will be automatically provisioned when the subscription is created.
They will receive an email with:

So, your first action as an administrator is to create your account using the link provided in the email, then go to the WALLIX ONE IDaaS administration page.

2/ Setup WALLIX ONE IDaaS

When you log on to the admin page, the subscription is empty, except for the first administrators. So you'll need to configure it.
There are 3 main things to do on WALLIX ONE IDaaS:

  • Add Enterprise Vault applications
  • Add users
  • Give users access to Enterprise Vault

2.1/ Add Enterprise Vault applications

There are two applications to add:

  • One for administrators, which includes auditing, logs and security policies.
  • The other for users, in which secrets are managed, as well as a few administrative tasks such as recovery.

Go to Apps, then Add an application, then select WALLIX Enterprise Vault and WALLIX Enterprise Vault administration.


2.2/ Add users

If you want to use directory or IDP users, you can set them up now.

But if you want to use local users, you don't want to create them right away: they'll receive enrollment emails, while the rest of the setup isn't ready yet. That said, you can still create user groups, as they will be used for the next steps.
For instance, you can create a "Users" group, and an "Admins" group.

Go to Groups, then Create.


2.3/ Give users access to Enterprise Vault

You need to define who can access Enterprise Vault and how. To do this, you'll add permissions.
Permissions can be 1-factor, usually login and password, or two-factor with an additional secret.

Full documentation is available here:

Here's a summary of the main steps:

  1. Create permissions for users and administrators, usually in 2-factor mode.
    Go to Access rules, select Create, then choose your apps and your groups.

    The Internal and External zones depend on the user's public IP, which is compared to the ranges provided in Security > General > Internal network.

  2. Enable the desired second factors in Security > Authentication factors (Login column).


  3. On the same page, create an enrollment campaign to automate the 2nd factor enrollment.


    You'll probably want to use "enrollment during login", which allows the form to be displayed directly after authentication if the user doesn't yet have a 2nd factor.
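The zone decision in step 1 is a plain "is the caller's public address inside one of the configured ranges" test. The script below is an added illustration, not part of this guide or of the WALLIX product; it reproduces that logic with Python's `ipaddress` module so an admin can sanity-check which zone a given address would fall into before writing an access rule. The range values are constructed, and the lint for RFC 1918 entries rests on one assumption: since the IDaaS compares the user's public IP, a private LAN range entered under Internal network can never match and is almost certainly a misconfiguration.

```python
import ipaddress

# Constructed sample of what an admin might enter under
# Security > General > Internal network (hypothetical values).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# RFC 1918 ranges: a client's public IP is never inside these, so an
# Internal network entry overlapping them can never match (assumption).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_zone(public_ip, internal_networks=INTERNAL_NETWORKS):
    """Return 'internal' if public_ip sits in any configured range, else 'external'.

    Raises ValueError for a malformed address rather than silently
    treating it as external.
    """
    addr = ipaddress.ip_address(public_ip)
    return "internal" if any(addr in net for net in internal_networks) else "external"


def lint_internal_ranges(entries):
    """Return the Internal network entries (as given) that overlap RFC 1918 space.

    Those entries would never match a public address, leaving the affected
    users in the External zone without the admin noticing.
    """
    flagged = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == 4 and any(net.overlaps(private) for private in RFC1918):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.200", "2001:db8::1"):
        print(ip, "->", classify_zone(ip))
    print("suspicious entries:", lint_internal_ranges(["10.0.0.0/8", "203.0.113.0/24"]))
```

If `lint_internal_ranges` flags an entry, the fix is to replace it with the organisation's public egress ranges (for example the NAT or proxy address users appear from), which is what the IDaaS actually sees.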

3/ Setup Enterprise Vault admin application

The next step is to define Enterprise Vault administration policies. 
Today there are 3 policies:

  • Log: which information do you want to log?
  • Recovery: do you allow master password reset? Do you allow data recovery?
  • Security: do you allow the user application to list existing users in the forms that offer it?

If you want to use the Recovery features, it is very important to enable them right now.
Indeed, if a user has not logged in AFTER you activated the option, it will not be possible to help them if they lose their master password.

  1. Go to your user dashboard (your_name.trustelem.com) with an account that has access to the admin app
  2. Click the Admin app
  3. Go to Settings
  4. Enable the desired settings, then Save each category


4/ Add the Enterprise Vault specific recovery rights for user

This step is only necessary if you want to use recovery.

There are 2 types of recovery: account recovery (master password reset) and data recovery.

Each requires specific rights, which are controlled by WALLIX ONE IDaaS.
To carry out a data recovery action, a validation is required, with a quorum to be reached.
Defining quorum members also requires a specific right.

  1. Go to WALLIX ONE IDaaS admin dashboard, then click Users
  2. Select a User, click Edit and Add attribute
  3. For recovery account:
    name: recovery_account
    kind: bool
    value: true
  4. For recovery data:
    name: recovery_data
    kind: bool
    value: true
  5. For recovery data quorum:
    name: recovery_data_workflow
    kind: bool
    value: true

Of course, recovery_data and recovery_data_workflow should never be assigned to the same person.

The first user granted data or account recovery rights automatically receives the encryption keys needed for these operations; subsequent administrators do not.
The first admin must share these keys with them via the recovery key sharing page in the user application (Settings > Recovery keys > Activate access).
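The three recovery attributes above encode a separation of duties that nothing in the UI enforces for you: `recovery_data` and `recovery_data_workflow` must never land on the same account, and data recovery only works if someone actually holds the right to define quorum members. The checker below is an added example, not part of this guide or of WALLIX ONE IDaaS; it runs over a constructed list of users in an assumed shape (login plus a dict of boolean attributes, which is not a real IDaaS export format) and reports the violations an admin would want to catch before relying on recovery.

```python
# Attribute names exactly as the guide tells you to create them.
RECOVERY_RIGHTS = ("recovery_account", "recovery_data", "recovery_data_workflow")

# Constructed sample users; the {"login": ..., "attributes": {...}} shape is an
# assumption for this example, not the IDaaS export format.
USERS = [
    {"login": "alice", "attributes": {"recovery_account": True, "recovery_data": True}},
    {"login": "bob",   "attributes": {"recovery_data_workflow": True}},
    {"login": "carol", "attributes": {"recovery_data": True, "recovery_data_workflow": True}},
    {"login": "dave",  "attributes": {"recovery_data": "true"}},   # wrong kind: string, not bool
    {"login": "erin",  "attributes": {}},
]


def recovery_rights(user):
    """Return the set of recovery rights a user holds.

    Only a real boolean True counts, matching the 'kind: bool' the guide
    requires; a string "true" is treated as not granted and surfaced by
    find_wrong_kind() instead.
    """
    attrs = user.get("attributes", {})
    return {name for name in RECOVERY_RIGHTS if attrs.get(name) is True}


def find_wrong_kind(users):
    """Logins whose recovery attribute exists but is not a bool (likely a typo of kind)."""
    return sorted(
        u["login"] for u in users
        if any(name in u.get("attributes", {})
               and not isinstance(u["attributes"][name], bool)
               for name in RECOVERY_RIGHTS)
    )


def find_separation_violations(users):
    """Logins holding both recovery_data and recovery_data_workflow (never allowed)."""
    return sorted(
        u["login"] for u in users
        if {"recovery_data", "recovery_data_workflow"} <= recovery_rights(u)
    )


def holders(users):
    """Map each recovery right to the sorted list of logins that hold it."""
    return {name: sorted(u["login"] for u in users if name in recovery_rights(u))
            for name in RECOVERY_RIGHTS}


def data_recovery_is_operable(users):
    """Data recovery needs a quorum, and defining quorum members needs
    recovery_data_workflow; if that right is held by nobody, granting
    recovery_data is pointless (assumption drawn from the guide's wording)."""
    h = holders(users)
    return not h["recovery_data"] or bool(h["recovery_data_workflow"])


if __name__ == "__main__":
    print("separation violations:", find_separation_violations(USERS))
    print("wrong attribute kind:", find_wrong_kind(USERS))
    print("holders:", holders(USERS))
    print("data recovery operable:", data_recovery_is_operable(USERS))
```

Run it against whatever user listing you can pull from the IDaaS admin dashboard after mapping it to the assumed shape; any login reported by `find_separation_violations` should have one of the two attributes removed before the first recovery request arrives.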

Notes

  • The WALLIX ONE IDaaS administration page should always be secured using multi-factor authentication. To do so, enroll a 2nd factor for the admin accounts, then enable multi-factor using the option Authentication level for Trustelem admin console in Security settings > General.

  • More information about WALLIX ONE IDaaS is available here: https://trustelem-doc.wallix.com/books/trustelem-administration

Now you're all set, you can create local users if you need to, and communicate about the availability of this new application.

RUN