The Password Checkout feature enhances security primarily by preventing more than one user from using any specific secret at any given time. It also includes options for rotating the secret's password automatically, for an Owner/Editor of a secret to force the password to be checked in so as to log the user out of the secret immediately, etc.
When a secret is in use by one user, no other user can use it, since its password is "checked out" exclusively by the current user. After a user finishes using a secret (i.e. logs out / is logged out, or the connection is closed), the secret's password is returned to the vault (i.e. it is "checked in" again), so that the secret once again becomes available for exclusive use by any user.
Furthermore, in the event of more than one person sharing the same user account credentials, the secret can still only be used by one person at any one time, and the person who used the secret can be identified.
To be able to configure the Password Checkout functionality, a user must have the Owner or Editor permission for the secret.
To configure the Password Checkout functionality for any secret, on the Password Management page (see below), while adding (or editing) a secret, do the following on the Security tab:
• Requires check out: Select this checkbox to enable the feature, so that only one user can exclusively check out the secret's password (i.e. log in to the secret) at any given time.
• Change password on check in: Select this checkbox for the password to be rotated every time the secret's password is checked back in (i.e. every time a user logs out / is logged out of the secret).
• Check in automatically after: Select this checkbox to specify a time period, after the expiry of which the secret's password will be automatically checked back in (i.e. after which the current user of the secret will be forcibly logged out).
• Force Check In: Click this button to manually check the secret's password back in (i.e. to forcibly log out the current user) immediately.
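The options above amount to an exclusive lease on the secret's password. The following Python model of a secret with Requires check out enabled is an added illustration, not Ekran System code; the class name, method names, audit tuple layout and the time-in-seconds `now` parameter are all assumptions.

```python
import secrets

class CheckedOutSecret:
    """Conceptual model of one secret with 'Requires check out' enabled."""

    def __init__(self, password, change_on_check_in=False, auto_check_in_after=None):
        self.password = password
        self.change_on_check_in = change_on_check_in    # "Change password on check in"
        self.auto_check_in_after = auto_check_in_after  # seconds, None = disabled
        self.holder = None          # user who currently has the password checked out
        self.checked_out_at = None
        self.audit = []             # (time, user, event): identifies who used the secret

    def _release(self, now, event):
        self.audit.append((now, self.holder, event))
        self.holder = self.checked_out_at = None
        if self.change_on_check_in:
            # Stand-in for rotation; in this model only the stored value changes.
            self.password = secrets.token_urlsafe(16)

    def _expire_if_due(self, now):
        due = (self.holder is not None and self.auto_check_in_after is not None
               and now - self.checked_out_at >= self.auto_check_in_after)
        if due:
            self._release(now, "auto_check_in")

    def check_out(self, user, now):
        """Return the password if the secret is free, otherwise None."""
        self._expire_if_due(now)
        if self.holder is not None:
            self.audit.append((now, user, "denied"))
            return None
        self.holder, self.checked_out_at = user, now
        self.audit.append((now, user, "check_out"))
        return self.password

    def check_in(self, user, now):
        """Normal check-in: the holder logs out or the connection is closed."""
        self._expire_if_due(now)
        if self.holder is None or self.holder != user:
            return False
        self._release(now, "check_in")
        return True

    def force_check_in(self, now):
        """'Force Check In': log the current holder out immediately."""
        if self.holder is None:
            return False
        self._release(now, "force_check_in")
        return True
```

The audit list is what makes a shared account attributable: every check-out, denial and check-in is recorded against a named user.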
To view information about the status of the Password Checkout functionality for all secrets, do either (or both) of the following:
• Open the Password Management page to view the list of secrets, where the Password Checkout status is displayed in the (padlock icon) column by an icon if the secret's password is currently checked out (with more details displayed in the corresponding hint). The Password Rotation Status filter can also be used.
• Open the Ekran System Connection Manager to use secrets, where the Password Checkout status (if enabled) is displayed in the Details column (with more details displayed in the corresponding hint).
NOTE: More detailed information is available on other pages, by clicking on the relevant links in the text above.
NOTE: The Password Checkout functionality is completely independent of the Access Approval functionality (on the Restriction Types tab), so both can function at the same time, in which case the user will need to request and receive approval before they can use the secret.