Manual Policy Configuration

This process normally runs automatically, so the manual configuration below is not required. It is optional. For information on the automated process, see Step 2: Secure Access.

For more details about these settings, see Identity Policies.

Follow the steps below to manually configure the platform for allow-list authentication, similar to existing Secret Server behavior. The steps configure an Allow List identity policy that mirrors the default policy but is scoped to a specific group membership so that only the specified users can meet the profile. You can then set the default policy to deny access to any users who do not meet the new profile that is configured.

  1. Navigate to the Groups page.

  2. Create a new group.

  3. Name the group to indicate that it defines all users who can authenticate to the platform, such as Acme Platform Users.

  4. Add the cloudadmin user to the group

  5. Add any other users that are currently using the platform to the group, either directly or by a group that they are a member of.

  6. Navigate to the Identity Policies page.

  7. Add a new policy.

  8. Name the policy to indicate that it will control how most users authenticate to the platform, such as Acme Default Authentication Policy.

  9. Leave the policy disabled.

  10. Add a description if desired.

  11. Target specific groups, and select the group that was configured above.

  12. In the new policy, click the Authentication tab.

  13. Edit the Services section.

    1. Enable authentication policy controls.

    2. Set the Default Authentication Profile to Default Other Login Profile.

    3. Save the section.

  14. Edit the Authentication Rules section.

    1. Add a rule named, Identity cookie is not present.

    2. Select the Default New Device Login Profile.

    3. Add a filter by selecting Identity Cookie and setting Is not present for the condition.

    4. Save the filter, rule and section.

      If saving any of these settings causes an error:

      • Ensure that all steps above have been completed correctly,

      • Ensure that the cloudadmin user can meet the requirements of the two authentication profiles configured above.

  15. Open the Overview tab and enable the policy.

  16. Navigate back to Identity Policies.

  17. Edit the default policy.

  18. Open the Authentication tab and edit the Authentication rules section.

  19. Select the row and delete any authentication rules.

  20. Save the section.

  21. Edit the Services section.

  22. Set the Default Authentication Profile to Deny platform authentication.

  23. Save the section.