Entreprise Vault - administration
- Administration Overview
- Validate Master Password Reset Request
- Grant Trustelem Account Recovery Permissions
- Administration application
- Manage Account Recovery
- Manage Data Recovery
Administration Overview
The Trustelem Administrator is required to perform certain actions:
Grant Master Password Recovery Permissions to certain users so that these users can unblock users who have forgotten their passwords.
Some Users are given the rights to Manage Account Recovery for other Users. If you have Account Recovery rights, you can Validate a Master Password Reset Request when a user requests to reset their Master Password.
After account recovery creation, all users can Reset their Master Password after they have unlocked their account for the first time.
Validate Master Password Reset Request
A Vault Administrator is required to validate all Master Password Reset Requests. At each creation of a Master Password Reset Request by a user, Vault Administrators are notified by email.
This procedure details the steps to be followed by a Vault Administrator to Validate a Master Password Reset Request.
Click Tools and then Recovery. The Master Password Confirmation prompt is displayed.
Enter your Master Password and click Ok. The Recovery Screen is displayed.
Alternatively, click Cancel to cancel the operation.
Click the Rescue users who have created a reset master password request link.
The Account Recovery Screen is displayed.
In the In progress tab, Master Password Reset Requests that are currently in progress are displayed.
Requests that have not yet been treated have Waiting for administrator validation status.
Click the Approve button to validate the Master Password Request. This should only be done where it is clear that this is a request from a valid user.
Alternatively, click the Dismiss button to deny the Master Password Request.
For validated requests, the following screen is displayed. A Reset confirmation message is displayed.
An email is sent to the user with a reset link which allows them to reset their master password.
Grant Trustelem Account Recovery Permissions
As an Vault Administrator, follow this procedure to Grant Password Recovery Permissions in the Trustelem application to an User.
Users with this permission can unblock users who have forgotten their passwords.
Grant Recovery Permissions
Connect to Trustelem.
Select the User to give Password Recovery permissions to and click the Modify button. The User Update screen is displayed.
In the Attributes section, click the Add an Attribute button. A blank line is added to the Trustelem Attributes table.
Complete the fields as follows:
- NAME : recovery_account
- TYPE : bool
- VALEUR : true
Click the Save button to save the new attribute to the User.
The Trustelem attribute recovery_account displays in the Attribute List.
This User can now unblock users who have forgotten their passwords.
Administration application
The vault administration application allow administrators to have a global view of the Vault uses in your enterprise. Some settings are available to fit your requirements.
To add an access to this application, the Trustelem administrator have to add access permission to this application to desired users.
The application has four sections :
- Indicators dashboard
- Users list
- Shared vault list
- Parameters
Indicators dashboard
The dashboard indicators allow you to have an overview of the use of WALLIX Enterprise Vault in your company.
Each user who creates their account has a personal vault.
You also have an overview of the number of created Shared vault.
For each of them, you can see the number of items and the number of attachments.
You can see which client are used by your users.
Users list
Only users who have created their vault account are list in this screen. To create his vault account, a user have to connect to the vault and create his master password.
If a Trustelem administrator delete users or remove authorizations to access the Vault application, corresponding users are highlighted.
Administrators can force users to reset their master password or change their encryption key at the next connection. If the administrator delete the vault account by clicking the trash, user data cannot be recovered.
In this list you can check the status of the users. In the lifecycle of Trustelem users, users with a Vault account can be unauthorized to access to the vault application or can be deactivated.
Shared vault list
The Shared vault list give you an overview of the Shared vault usage. You have a list of shared and for each the list of administrator and regular users.
When in the lifecycle of your users you have shared vault without active administrators or without any active user, a warning is displayed.
Settings
The settings page allows you to personalize of your enterprise vault according to your choices and security policies.
You have options to configure :
- Security and confidentiality
- Logs : choose logs to activate for your enterprise vault.
- Recovery : you can activate and configure recovery.
Manage Account Recovery
This is only available for users who have been granted the recovery option by a Trustelem Administrator.
Creation of Recovery Keys
The first user with Recovery Permissions who unlocks his vault creates the recovery keys. The Unlock screen displays a message indicating that the recovery keys have been created.
Recovery keys are created only once. The user who create the keys can share them with the procedure Activate Account Recovery Rights for a User.
Where a new account is created with this option, the message will also be displayed on the Account Creation Screen.
Activate Account Recovery Rights for a User
This procedure details the steps to be followed by a User with Recovery Permissions to Activate Account Recovery Rights for another User.
This is the the second step in the process. The first step is carried out by the Vault Administrator, who adds the recovery_account attribute to the user account.
Click Tools and then Recovery. The Master Password Confirmation prompt is displayed.
Enter your Master Password and click Ok. The Recovery Screen is displayed.
Alternatively, click Cancel to cancel the operation.
Click the Manage users with recovery account rights link.
The Account Recovery Screen is displayed.
A list of users who have been given Recovery Account Rights by the Vault Administrator is displayed.
Users waiting for their access to be validated have a Status of Waiting.
Click the Activate access link beside a User to activate their Account Recovery Rights within the Vault.
The user's Status is changed to Access Validated. They have a Remove Access link beside their name.
Deactivate Account Recovery Rights for a User
To deactivate Account Recovery Access for a User, click the Remove Access link beside their name.
Manage Data Recovery
This is only available for users who have recovery options. These options have to be granted by a Trustelem Administrator.
Quick start
Prerequisites:
- in the Vault administration application:
- recovery data policy activation
-
set the recovery_data attribute to the users who want to recover user data
- recovery data policy activation
-
set up the approbators group(s)
As a authenticated user, the standard workflow to access to user data is:
- Create a data recovery request (described here)
- Notification is sent to the approbators, waiting for their vote
- If the request is approved, an email is sent to the user who emit the request
- The user has to re-log in and can now access to the user data (see an example below)
Approbators group management
All the data recovery requests enforce a validation process that consists to be approved by all approbators group. In each group, a quorum is defined so, when the quorum is reached, the request is considered validated by the group.
A validation group is composed by one or several Trustelem Vault users.
You can edit each group by clicking on the desired property (name, quorum or users list), add a brand-new approbators group. or remove a whole group. Here is what you get when you want to modify the approbators of a specific group:
Note: only a valid Vault user is allowed to be added to a group.
When a data recovery request is submitted, an email is sent to each approbators.
Create Data Recovery Request
This section is only authorized to Vault users with specific rights (i.e. the recovery_data attribute and the cipher key shared). For more information about how the authorizations are granted, see the grant data recovery permissions page.
To perform a data recovery request, go to the "Create a data recovery request" section to perform the request:
The user can emit a new data recovery request for a specific Vault user included in the droplist component. The user can cancel the request for any reason if needed until the request is approved or refused.
An history of the already emitted requests is available at the bottom of the page.
Here you will find all the request statuses available:
- Waiting for administrator validation: the request has been emitted and no approbator already votes;
- Approved: so, rather self-explanatory;
- Cancelled: the user who creates the request has manually cancelled the request (cf "Cancel" button);
- Request expired: the request reaches the configured timeout. The timeout policy is defined in the vault administration application;
- Data recovery session ended: an approbation has manually revoked the data recovery session (see the manage requests page).
Manage Data Recovery Requests
This section is only authorized to approbators (i.e. the user must be included in at least approbation group). On the "In progress" tab, you can monitor the current open and non-resolved data recovery requests.
Until the approbator votes, all the vote options are displayed. After voting, either the "Approve" or the "Dismiss" button is hidden, depending how the approbator votes. Non-resolved status means that at least one approbator has submitted his vote but all the emitted votes are not sufficient to reach each of the group quorum.
On the "Ended" tab, you have the complete data recovery requests history, regardless of who requested it and regardless of which account was target by the recovery process.
Grant Trustelem Data Recovery Permissions
As an Vault Administrator, follow this procedure to Grant Data Recovery Permissions in the Trustelem application to an User.
Users with this permission can create data recovery requests.
Grant Recovery Permissions
Connect to Trustelem.
Select the User to give Password Recovery permissions to and click the Modify button. The User Update screen is displayed.
In the Attributes section, click the Add an Attribute button. A blank line is added to the Trustelem Attributes table.
Complete the fields as follows:
- NAME : recovery_data
- TYPE : bool
- VALEUR : true
Click the Save button to save the new attribute to the User.
The Trustelem attribute recovery_data displays in the Attribute List.
This User can now create data recovery requests.
To manage approbator groups for data recovery, the user must have an attribute recovery_data_workflow. After that he can manage approbators groups.
Share cipher key
In order to enable completely the data recovery permissions, you have to share the cipher key.
Important: This step must be done after granting the recovery_data attribute.
Go to the recovery home page (Tools > Recovery in default navigation bar) and click on the "Share cipher keys" link as below:
The cipher key management page is displayed. You can now share the cipher key with any user who has the recovery_data attribute:
Congratulations! The user can now create a data recovery request for any vault user.