Erasing Secrets
Task 1: Configuring Secret Erase
-
Ensure that you have a workflow license for Secret Server.
-
Go to Admin > Roles in Secret Server:
-
Create a new role named "Secret Erase Requester" or "Secret Erase Administrator" (see Creating Roles for details), assigning it the "Erase Secret" permission:
You can name the role anything you desire, but we recommend the above for clarity.
The "Erase Secret" role permission allows users with the role to create secret erase requests and view secret erase administration pages.
-
Go to Admin > Groups. The Groups tab of the User Management page appears:
-
Create a group named "Secret Erasers" and give it the "Secret Eraser" role:
-
Click the Members tab to add yourself to the Secret Erasers group.
-
Go to Admin > Workflows:
-
Create a "Secret Erase Requests" workflow template, assigning it the Secret Erase Request type. The Designer tab for the new workflow appears:
-
Assign one or more users or groups as approvers by typing each in the search text box in the Add Groups / Users section and then clicking your choice when it appears. It then appears in the Approvers list box.
We chose to have the approvers be the same group as those that can make the requests, but you can choose any groups or users you like or make a group just for approvals. The important thing is the same user cannot both make the request and approve it—that way, a single person cannot make an irreversible, potentially very harmful, mistake. -
Click the Save button. The result looks like this:
-
Go to Admin > Configuration:
-
Click the Security tab.
-
Click the Edit button at the bottom of the page. The page becomes editable.
-
Click to select the Enable Secret Erase check box in the Secret Erase section. The Secret erase Workflow dropdown list appears:
-
Click the Secret Erase Workflow dropdown list and select Secret Erase Request.
-
Click the Save button. Secret Erase is now set up.
Task 2: Erasing a Secret
-
Ensure the following requirements are met for the secret you intend to erase—ensure the secret:
- Is inactive
- Is owned by you
- Does not have a pending secret erase request
- Is not double-locked
- Is not checked out by another user
- Is not a discovery secret
- Is not a domain sync secret
-
For purposes of this instruction, create a secret for testing in your personal folder. For now, do not use an existing one to ensure all the requirements are met.
-
You can erase the secret via a dashboard bulk operation or from the Options button on the General tab of the secret itself. For a bulk operation, erase is accessed by the More Bulk Options button. Erase Secrets is in the Security section of the More Bulk Options popup. See Running Dashboard Bulk Operations.
If the "Erase Secrets" link does not appear in the Security section (when erasing from the dashboard) or "Erase" is not available on the Option button (when erasing from the General tab) you may have not properly configured secret erase (see Task 1) or the secret might not meet one of the requirements above. -
When you click the Erase Secrets link, the Erase Secrets popup appears:
Here, you are essentially setting up a erase secrets request. The access request is sent to the users or user group you designated earlier.
-
Use the calendar and time widgets to set the Erase After Date. It must be minimum of 24 hours away to give the erase secrets request time to process. If you set it to less than that, you cannot continue the process.
-
Type your reasoning for permanently erasing the secret or secrets in the Reason text box. This is not tedium—the granter will need this to decide whether to let you take this irreversible, destructive action. Specifically, explain why a deactivation is not sufficient.
-
Click the Erase button. A confirmation popup appears:
-
Pause a second, and make sure you are sure.
-
Click the Erase Secrets Forever button.
-
When the erase request is approved, the secret or secrets will be erased by an automated process after the "erase after" date and time arrives.