Securden Unified PAM

Privileged Access Management FAQs

This page outlines product troubleshooting tips and frequently asked questions on Securden Unified PAM. Should you need further technical assistance, feel free to write to support@securden.com

Frequently Asked Questions

plus icon minus icon
Does Securden provide release notes for each released version, and if so, are these release notes made available through your website?

Yes. Securden provides comprehensive release notes for each new version upgrade on product releases. We follow this practice diligently to keep customers well-informed at every stage, aligning with NERC CIP compliance. The release notes are labeled category-wise as product enhancement, new features, security fixes, and bug fixes for easy reference. Customers can access these release notes from the website. Also, the release notes are sent to customers via email.

plus icon minus icon
How to configure time delays during remote sessions over custom application launcher?

Securden facilitates launching connections with remote IT assets and applications. To handle such cases, you can navigate to Admin >> Remote Connections >> Custom Application Launcher and add a time delay (measured in milliseconds) for Securden to wait before filling the data.

plus icon minus icon
How to add SSL certificate to the Securden server?

You can upload your SSL certificate to the Securden server by following the instructions below.

  • Step 1: Download OpenSSL (if you don't already have it installed) from http://www.slproweb.com/products/Win32OpenSSL.html. Ensure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.
  • Step 2: Copy your certificate (e.g. certificate.pfx) and paste it in the system from where you can execute OpenSSL exe. The *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  • Step 3: Run the following commands to export the private key openssl pkcs12 -in certificate.pfx -nocerts -out securden-key.pem -nodes openssl rsa -in securden-key.pem -out securden-key.pem
  • Step 4: Run the following command to export the certificate openssl pkcs12 -in certificate.pfx -nokeys -out securden-cert.pem Once you execute the above steps, you will get an SSL certificate and a private key.
  • Step 5: Copy the certificate and private key created above and navigate to /conf directory and paste the keys.
  • Step 6: In services.msc, restart Securden Vault Service. This replaces the self-signed certificate with your certificate.
plus icon minus icon
How to configure access to the Securden Password Vault mobile application?

You can download the Securden Password Vault mobile application from the App Store or Google Play Store. For that, you'll need to enter the server URL on the mobile application to access the interface.

plus icon minus icon
Is it possible to configure the Securden server to run on port 443?

Yes, it is possible to customize the server port to 443. To do this,

  • Navigate to the Securden installation folder\Conf and open the server.properties file with WordPad or Notepad++.
  • Restart Securden PAM service (Not required to restart Securden Web service as it is dependent of the PAM service)
  • Try to access just the URL https://securden_server
plus icon minus icon
Can passwords be automatically rotated upon expiration?

Yes, password rotation can be achieved by enabling the 'Expired Password Rotation' Option available in the Admin >> Notifications >> Expired Password Rotation. Consequently, passwords will be rotated automatically for accounts that support remote password reset when they expire or are about to expire. The expiration days can be enforced by specifying the Password Age in the password policy. The new password gets updated in both the end machine and Securden database, so you don't have to manually change the passwords anywhere.

plus icon minus icon
Is there a way to convert a work account to a personal account?

Yes, there is a way to convert a personal account to a work account but vice versa is not possible. To store personal information, try recreating the accounts being added by selecting the category as 'Personal'.

plus icon minus icon
When two or more servers have been configured for high availability purposes, will updating the primary server alone update the software on the secondary (application) server as well?

No, the application server has to be updated separately. However, the upgrade process will be completed in a few minutes, and the operation will be seamless.

plus icon minus icon
Will this update cause any downtime in the application?

Yes, both servers will be stopped during the upgrade process. Hence, we recommend scheduling a maintenance window to upgrade the servers.

plus icon minus icon
Does the update need a server reboot or service post-updating the application?

Yes. The services should be stopped during the upgrade. Once the upgrade is completed, the services can be started.

plus icon minus icon
What are the precautions to be taken before updating?

You need to take a backup of the Securden installation folder after stopping the service.

Here’s a quick summary of the upgrade steps:

  • Before initiating the upgrade, while the server is running, navigate to Admin >> Maintenance & Upgrades >> Product Upgrades section and check the steps to upgrade.
  • Now, stop the Securden service on the secondary server first. We are doing this to avoid failover.
  • Then, you can stop the service on the primary server. Take a backup of the Securden installation folder.
  • Initiate the upgrade on the primary server. You can follow the upgrade steps in the section mentioned above.
  • Once the upgrade is completed, start the service and log in to the primary server to check its version.
  • Now, you can initiate the upgrade on the secondary server. Once it is completed, log in to check its server version.

Note: You should start or stop the Securden PAM Service alone. Web Service - Securden PAM is dependent on the main service. Hence, it will be started automatically once the main service is started.

plus icon minus icon
On finishing the installation of the new Securden system, the encryption key has been relocated to a different directory on the server. Is that good enough? What are the security implications if someone could copy that key and the database to another location?

As a security best practice, we recommend having the encryption key and database backup file in different locations.

Secure the encryption key in a safe drive or a remote location with strict access control that allows the key to be accessed only by the Securden application or the account used to run Securden services. And enforce MFA to secure user access to the Securden application.

However, if someone gets access to the database and the encryption key, they cannot decrypt the information as we have an application layer encryption in place. They need to install the exact version of the Securden application and restore the database. Even after restoring the database, they would have to log in as an admin/user to view passwords, which might not be possible if you enforce MFA for user authentication.

plus icon minus icon
What should be done if the login to the PAM solution works but results in a white page? The login screen reappears when the white page is refreshed.

Instances like this are rarely encountered after a product upgrade. To prevent such occurrences, it is advisable to clear the browser cache and attempt logging in again.

plus icon minus icon
What should be done on receiving the error message ‘Domain controller is not reachable’?
  • Navigate to Admin >> Configurations.
  • Under the General section, locate 'Do you want to check the Active Directory port before initializing the connection with the AD? If yes, specify the time duration in seconds after which the check times out.' Increase the default Value in seconds to 4, if that doesn't work change the value to 5.
plus icon minus icon
How will Securden software recognize the same password in two different accounts?

In Securden, when a password is added/modified by a user, it is compared with the passwords that are owned by that user. However, when an account with the same password is shared, we do not check if the password is reused.

If an account is created by "admin", that account's password is compared with the accounts that are owned by "admin". Hence, it is possible to have two accounts (1 owned and 1 shared) with the same password and still not shown as 'Password is reused' for that user.

plus icon minus icon
Will there be any data flow outside our environment for PAM? If so, what would be the confidentiality and security assurance?

Absolutely not. In the on-prem model, there is no cloud component involved. There is absolutely no data flow outside of your environment. Internet connectivity is not required for the functioning of the product. There is only one reporting feature that requires internet connectivity – dark web monitoring. Even in the case of this optional dark web monitoring feature, only partial hashes of the passwords are taken and are compared against the dark web. You may disable this reporting feature if you don’t need that.

plus icon minus icon
Would there be any updates for the on-prem installation of the PAM software?

Yes. We release major and minor upgrades periodically. The upgrades are released as upgrade packs. You may download the upgrade pack and apply through the upgrade manager tool that comes with the product. The upgrade process typically takes only a minute or two. The upgrade process is NOT sequential. That means, you may move to the latest version from ANY version you might be in in a single hop. So, you may plan upgrades at your convenience.

plus icon minus icon
How to expand the scope of usage for PAM in the future, and how will additional user access be unlocked if required? Could you please outline the process for this expansion?

Very simple. It just requires a revised license key. Whenever you need to increase the license count, you may write to sales@securden.com. You will receive the revised license key immediately. We will co-term the additional licenses with the existing subscription and pro-rate the pricing for the remaining subscription period alone.

plus icon minus icon
How to manage passwords of the local accounts present in non-domain systems? It is stated that the endpoint does not need an agent. If so, are native tools required to manage it?

Yes, you are correct. Agents are not required for managing local account passwords, as it is carried out using WMI. As a prerequisite, Securden needs device connectivity, admin credentials (for remote operations), and WMI for all local users. By default, WMI remains disabled for all local users except for the built-in administrator accounts. Below are the links that would help you enable WMI on specific computers and in bulk using GPO:

Enabling WMI access on a specific Windows machine:
https://www.securden.com/documents/WMI-Access-for-All-Users.pdf

Enabling WMI on multiple machines:
https://www.securden.com/documents/WMI-Access-For-All-Users-GPO.pdf

plus icon minus icon
How to manage local admin accounts on a Windows server that are not listed in Active Directory but exist locally on the target system? Additionally, what specific ports need to be opened from Securden to the target system?

You can manage the local admin accounts on non-domain joined computers by adding the accounts to Securden first. Then you need to open TCP port 135 AND Windows Management Instrumentation (WMI) service should be running. Once you ensure these, you will be able to manage local admin accounts.

Complete information about the ports used by Securden PAM is available in this document. Please refer to that:

PAM - Ports.pdf
plus icon minus icon
Should an agent be installed on the target system for RDP, or is Securden using the standard MS Windows RDP feature?

No, you need not install any agent on the target system. Securden simply uses the Windows RDP.

There are two ways in which you can launch connections – Web-based RDP and using native apps. While web-based RDP works out-of-the-box, for launching connections using native apps, a lightweight Securden launcher utility needs to be installed on client machines. Nothing needs to be installed on target systems.

plus icon minus icon
Any data written to the secondary server does not get synchronised back to the primary server when the primary server fails. Following the database crash, a new "data" folder is also being created. How to determine the cause of the data not syncing back?

Once the primary server is up and running again, the data stored on your secondary server gets automatically synced with the primary. However, you need to ensure there are no network disruptions between the servers.

Also, once the primary is back online, it remains in 'Standby' mode. You are requested to visit the HA page on your primary server to make it the 'Master' again. If the primary server goes down, by default, administrators or super administrators will receive the failover email.

plus icon minus icon
How do we ensure users can manage their personal accounts in Securden without manually assigning personal folders to each user?

Yes, users can manage personal accounts using Securden without a separate folder assigned by the administrator. When users add accounts to the PAM interface, they can choose if the accounts are Work or Personal accounts.

Note: The personal accounts added to Securden cannot be accessed by anyone other than the user who added them.

The users can filter and view their personal accounts by navigating to Accounts, clicking on the drop-down symbol against All Accounts and clicking Personal Accounts.

plus icon minus icon
Can a Remote Gateway Server (jump server) be used for SSH, like how it can be used for RDP?

Jump hosts (called remote gateway in the UI) can be configured for all types of remote connections. When a remote gateway is configured in Securden, all remote connections (SSH and RDP) will be routed through the designated gateway.

plus icon minus icon
Is there a way to manually trigger the expiration notification for testing purposes?

As of now, we don't have a specific option to manually trigger email notifications for testing purposes. However, you can simulate this by creating an account, setting its expiration for tomorrow, and configuring the account expiration notification to be sent one day in advance. This way, you'll receive an email notification for expiration.

plus icon minus icon
What are the steps to be followed to apply the license key?
  • Download the license file (Securden-PAM-License.txt)
  • Log in to Securden web interface and navigate to Admin tab
  • Find License under General section
  • Apply the downloaded license file
plus icon minus icon
What are the ways to add Active Directory accounts to Securden?

You can add an Active Directory account into Securden Unified PAM in one of the following two ways:

  1. By discovering the account from Active Directory
  2. By adding the account manually

(i) Discovering the account from the Active Directory:
This method leverages Active Directory to automatically discover and import accounts.

  • Launch AD Discovery: Access the account discovery feature in Securden, from Accounts >> Add >> Discover Accounts.
  • Configure AD Parameters: Provide the necessary details such as the AD domain, credentials, and specific organizational units (OUs) or groups to target for the discovery.
  • Import: Once the discovery process is complete, the accounts get imported into the Securden vault/PAM

For detailed steps, please refer to the Securden Unified PAM Administrator Guide.

(ii) Adding an AD account manually to the Securden server:
When you manually add an AD account to Securden, ensure that it is added as a Windows domain account type. Additionally, the account should have:

  • The domain controller’s IP address
  • The username should match the same account name
  • The password should be updated
  • The connectivity from the Securden server to the Active Directory

Once these fields are filled in correctly, the account will be added to Securden and synchronized with the Active Directory. Once synchronized, any changes made to the account in the AD will automatically be reflected in Unified PAM.

plus icon minus icon
Is it possible to restrict the visibility of user’s work passwords to the administrator role in a web interface?

Only super administrators have the implicit permission to view passwords of work accounts stored in the database. By default, administrators cannot view passwords of users unless they are explicitly shared by the owner to the administrator. Even when sharing these accounts, the owners can select the level of access to the account the administrator can have.

There are four permission levels with which you can share an account:

  • Open Connection allows launching RDP, SSH sessions with target machines, and auto-filling credentials for web applications without showing the underlying password in plain text in the GUI.
  • View lets the user view the details and password.
  • Modify allows editing of the password.
  • Manage grants all privileges and is considered concurrent ownership.
plus icon minus icon
When a user leaves, is there a method to transfer their accounts to someone else who can then access the passwords?

Yes, absolutely. When a user leaves the organization, it's possible to transfer their accounts to someone else who is allowed to access their credentials. This can be executed in three simple steps:

  • First, select the user about to leave the organization and click on the Transfer Ownership button transfer ownership present against each user in the left side pane of the Users section.
  • Select what items you want to share from the list.
  • Once the preferences are set, select the user to which the accounts are to be transferred from the drop-down and click Transfer.

plus icon minus icon
Where do I access the cloud storage backups?

You will have to just point the backup location in the product to the cloud storage (drive location) and the backup gets pushed to the destination drive in an encrypted state. In case the server crashes or goes down, you can download the latest DB backup from the cloud storage and get the product back online by performing disaster recovery.

plus icon minus icon
Will users be able to view and launch web applications through the 'Custom Application Launcher' when connecting from an Android device?

Securden only facilitates launching connections through custom application launchers on the Windows operating system (OS). Hence, when users log in from Android devices, they won't see the options for connecting via custom application launchers.

plus icon minus icon
When uploading documents containing Swedish characters, the letters appear distorted. Is there a way to change the encoding of the documents to UTF-8, or is there another solution available?

This patch accountmanagement_views.pye would help you overcome the issue faced with the uploaded documents. You can also try using the steps mentioned below:

  1. Navigate to \Privileged_Account_Manager\pam\accountmanagement
  2. Rename accountmanagement_views.pye to accountmanagement_views.pye.old
  3. Download accountmanagement_views.pye and paste it on the above-mentioned location
  4. Restart Securden PAM Service
  5. Now, you can check the issue by uploading the document.
plus icon minus icon
In Securden EPM, can the installed agents identify local accounts on endpoints located in offices or remote areas?

As of now, the local accounts cannot be discovered by deploying agents on the endpoints. The agent based (account) discovery feature is currently unavailable. For domain members, you can use the Windows Account Discovery for discovering the local accounts. However, for workgroup, we recommend you get the accounts added manually or imported via csv in bulk.

plus icon minus icon
When migrating Securden database to a new SQL server, where to find the configuration within the product to determine which product the database is tied to? How to go about the configuration update?

By default, Securden comes with PostgreSql, has a backend database. You can find the details of the database in the 'server.properties' file under the \PAM\conf folder. With regards to migrating the backend database, we have a detailed guide. You may refer to the guide and try migrating the database.

plus icon minus icon
What are the steps to refresh passwords for IIS/Scheduled tasks?

These are the steps to refresh passwords for IIS App Pools, Schedule Tasks, and other Windows dependencies in Securden.

  1. To refresh the passwords for dependencies, start by ensuring the particular machine is discovered in Securden. If not, navigate to Accounts >> Add >> Discover Accounts to import into Securden.
  2. Once the machine is imported into Securden, it will automatically retrieve all dependencies. Now, select the account from Securden and attempt to change the password. The changes made will automatically propagate to dependencies as well. This method allows you to refresh the accounts of IIS/Schedule tasks.
  3. If you wish to automate the process, go to the Folders tab and choose the specific folder containing the account you're looking for. On the right side of the Securden GUI, select 'Remote Password Reset.' Now, you can define the periodicity for rotating the passwords.
plus icon minus icon
Is it possible to migrate from an external MS-SQL DB to PostgreSQL on the Securden EPM server, and if yes, is there a documentation on that process?

No, it is not possible to migrate from MS-SQL server to PostgreSQL. The only option would be for us to perform a fresh installation using PostgreSQL.

plus icon minus icon
How to identify the accounts that are used in the task scheduler?

In order to identify the accounts used in the task scheduler, you should ensure that the account and the computer on which the service account runs are imported into the Securden server. Once they are imported, Securden can fetch its dependencies, including the task scheduler.

plus icon minus icon
What to do if local accounts (from the Administrators group) are deleted from a machine, but cannot be removed from the list of accounts?

Securden discovers the local accounts on the computers through Windows discovery. Once the local admin accounts are discovered, we do not have an option to synchronize those accounts based on the changes made. Hence, when a local account is deleted from a server, Securden Unified PAM will not remove it from the UI automatically.

plus icon minus icon
If users are removed from AD groups, will their logins still appear in the product's user list?

In Securden, when a user is deleted or disabled from the Active Directory, we disable the user, and he will be restricted to logging into the Securden UI. However, when a user is removed from an AD group and if the user is still present on the AD, then we pull the changes into Securden, and the user will not be part of the particular AD group anymore. Whereas the user will be active within Securden and will be able to login to the Securden UI with his AD credentials.

plus icon minus icon
Can Securden Unified PAM allow an approver to be within the same user group as the user placing the request?

Securden Unified PAM allows designated approvers to verify and approve privilege elevation requests within the same user group. For security reasons, self-approval is not allowed.

plus icon minus icon
Can the Securden Unified PAM software use Google SAML integration and allow users to login to the PAM portal?

Yes, Securden Unified PAM can integrate with Google SAML-based SSO and allow users to log in to the PAM portal.

plus icon minus icon
Is it possible to allow only one-time remote access to a target device?

Yes, you can configure Securden Unified PAM to allow one-time access to a target device. If a user logs off or disconnects, they will need to request access again for subsequent sessions.

plus icon minus icon
Can a user access multiple target devices at the same time?

Yes, Securden allows users to access multiple target devices simultaneously. However, you should ensure the server on which Securden Session Manager (SSM) is deployed has enough RDS CAL licenses to perform this operation.

plus icon minus icon
Can Securden Unified PAM tool timeout from web GUI if there is no keyboard or mouse activity?

Securden Unified PAM can be configured to time out a web session if there is no keyboard or mouse activity. You can set the timeout duration to suit your requirements. To do this, you need to log in as a super administrator and navigate to Admin >> Customization >> Configurations >> How long should the web session be active (in minutes) when things are idle? Enter the desired time period (in minutes) and click Save.

plus icon minus icon
Is it possible to fast-forward video recording of mouse and keyboard movement?

At present, other than native RDP recording, all other recording types have fast-forward options. Alternatively, ‘seek’ can be used to traverse Native RDP recordings.

plus icon minus icon
Is it possible to export passwords from Securden Password Vault to CSV format?

Currently, we support exporting accounts in XLS format alone. Hence, as a workaround, we recommend exporting the accounts in XLS format and then converting the data into a CSV file. You can navigate to Accounts >> More >> Export Work Accounts, based on your preference, you can either choose 'Yes' or 'No' to mask or display the passwords on the exported XLS file.

plus icon minus icon
While replacing an old Windows server with a new server, is it feasible to install a primary Securden instance on the new server and have both the old and new servers running concurrently until the old server is decommissioned and the new server goes live? Alternatively, is there another recommended approach to handle this migration?

It is not recommended to run both the old and new servers concurrently. As a security best practice, we always recommend decommissioning the old server once you have completely migrated to a new server to avoid any data overwriting issues between the servers.

To migrate the Securden Installation from one server to another, you may follow the instructions available in the help documentation.

plus icon minus icon
Is it possible to synchronize the active users alone when synchronizing the users in Securden with Active Directory?

Yes. When attempting to sync, only the active users from Azure AD will be synchronized with the Securden server.

plus icon minus icon
When synchronizing Azure AD with Securden, new users are automatically assigned the default 'user' role. How can we assign them a custom role?

This can occur if ‘Schedule Sync’ under the ‘Groups’ tab is enabled. In that case, you need to check the option configured under Groups >> Select the Azure AD Group >> More Actions >> Group Setting >> ‘When importing users, what should be the user role?’. For this setting, select the required custom role from the drop-down menu.

plus icon minus icon
Is it possible to enforce two-factor authentication for users based on their roles? For example, can two-factor authentication be enforced specifically for Admin or Super Admin roles?

We don't have the option to enforce two-factor authentication based on user roles. However, enforcing two-factor authentication specifically for Admin/Super Admin roles can be achieved by importing groups from Active Directory.

Please follow the steps below:

  • Create a group in Active Directory (AD) and add users with Admin/Super Admin roles.
  • Import the group from the Groups tab by selecting "Import Groups from AD" and assigning the desired role.
  • Configure two-factor authentication (2FA) and choose the desired method of authentication.

Whenever a new user is added to this AD group, use the ‘Sync’ button on the Securden server to add the respective user to the group. The sync can also be scheduled to run periodically.

plus icon minus icon
Is it possible to export accounts and all associated data in XML or CSV file format?

We do not have the option to export Work/Personal Accounts to XML/CSV format. However, we can export accounts in the XLS format.

Please follow the steps below:

  • Navigate to the Account tab, click the More drop-down menu, and select Export Work Accounts for work accounts or Export Personal Accounts for personal accounts.
  • You can also achieve this through Offline Access, which provides all passwords accessible to the user as an HTML file.
  • Navigate to the Account tab, click the More drop-down menu, and select Offline Access.

Note: The offline copy can be opened only using the passphrase. If you forget the passphrase, you will not be able to access the offline copy. You need to export an offline copy afresh.

plus icon minus icon
How do we associate privileged assets with users added to Securden Unified PAM?
  • Navigate to Admin >> Remote sessions and Recordings >> Domain Account-Assets Association.
  • On the page that opens, click ‘Add’
  • Provide a Name (Asset Identifier) and Description for this association.
  • Select the devices that will be part of this association.
  • Choose whether to associate the assets with Users/User Groups or Associate with Accounts/Folders or both.
  • Click ‘Save.’

The specified association is applied to the chosen users and accounts.

plus icon minus icon
How to create a password policy that generates passwords with no special characters?

You can create a password policy that denies any special characters by declaring the special characters you want to exclude under 'Denied characters'.

  • Navigate to Admin >> Account Management >> Password Policy
  • Click Add Policy or Edit Policy icon beside an existing policy to make amendments to an existing password policy.
  • In the Denied Characters field, input all the characters that you wish to exclude: @ % + /! # $ ^ : , () []} {~ - _ .

You can retain the check box unchecked for 'minimum special characters' under 'Enforce Complexity Rules'. This will make sure that no special characters are allowed for passwords created using this policy.

plus icon minus icon
Does Securden deny the creation of a new folder if a folder with the same name already exists?

Securden does not restrict the creation of duplicate folders. However, a folder path will be displayed, allowing users to differentiate multiple folders with the same name using the folder path.

plus icon minus icon
While importing accounts / passwords by file, is it possible to create those accounts with different account types?

No. During import, all the accounts from a single file will be imported using only one account type. If you want to have different account types, you need to upload multiple files with each file mapped to a specific account type.

plus icon minus icon
How do we retrieve passwords from the Securden Vault in case of an organization blackout? What are the recommended steps and best practices for handling such situations within the same data center?

Securden allows you to take a periodic backup (automated) of the entire database, and this helps you recover the data from the backup in the event of unlikely scenarios, like a disaster or installation failure. To access backup files, backup needs to be stored in ‘Device storage/Network drive or cloud storage’.

In addition to this, the Securden Super Administrator can take a periodic encrypted HTML backup, and the individual users can take offline access to have the credentials accessible offline.

As mentioned above, you can take a backup of the database and use it for recovery of data. As a best practice for handling such situations, it is recommended to have a standby server configured in the same subnet thus ensuring nil network disruption and uninterrupted access to passwords in the event of the primary server going down for any reason.

plus icon minus icon
Is it possible to set up a high availability configuration for Securden Password Vault at a disaster recovery site outside the organization?

Yes, you can set up the High-Availability architecture at a disaster recovery site outside the corporate premises. The only requirement is that you need to ensure there is network connectivity between the primary and secondary servers.

plus icon minus icon
What are the steps involved in ensuring synchronization between the organization and disaster recovery vaults?

To ensure proper synchronization between the organization (primary server) and the disaster recovery vault (secondary or high-availability server),

  • Ensure that both the servers are on the same product version
  • Ensure there is no network disruption between the primary and the secondary servers
plus icon minus icon
Can the offline codes be generated specifically for a user?

Yes, the offline codes can be generated specifically for a user, if the following configuration is enabled.

  • Navigate to Admin >> Customization >> Configurations
  • Under Offline Access, go to the question "Do you want to allow offline automatic approval for privilege elevation requests if the user who is raising the request has already generated offline access codes?"
  • After completing the above steps, a dialog box labeled ‘Configure Offline Automatic Approval’ will appear. Here, you can define the maximum number of codes a user can generate for specific purposes, such as application access and full admin access. Additionally, you can set the maximum duration for which the user can maintain elevated access.
  • Once configured, click ‘Save’.
plus icon minus icon
Why can’t a folder owner edit accounts they’ve imported into that folder?

There are two concepts here – folder owner and account owner. Adding an account to the folder will not make the folder owner the account owner. Folder owners will be allowed to edit the accounts they own AND those added to the folder by others.

If you are a folder owner, you should be able to edit the accounts that you have imported to the folder. You won't have permission to edit the account only if there's a permissions conflict, such as when another administrator has shared the account with you at the 'View' level.

You can find out what prevents you from editing an account from the "Reports" section. In Reports >> Account Access Report, click the specific account that you can't edit. You can trace the sharing mechanism to see what permissions are assigned to you.

plus icon minus icon
Can only ‘owned accounts’ be edited? If so, how can someone gain ownership of an account if they don't currently have it?

Yes, only owned accounts can be edited. You can use the “transfer ownership” feature to own an account. The current owner of the account will have to transfer the ownership to you.

Alternatively, the Super Administrator can transfer account ownership from one user to another. This can be done from the ‘Accounts’ tab. Select the required account from the ‘More’ drop-down and then select ‘Transfer Ownership’.

plus icon minus icon
Does Securden Password Vault support migration of passwords? How easy is it to transition from an existing password management system to Securden, and can passwords be migrated to other solutions from Securden?

Yes, Securden offers support for migrating from other password management solutions. While we offer out-of-the-box support to migrate passwords from LastPass and KeePass, migrating from other solutions is also simple.

Typically, if your existing solution allows exporting of data as a CSV or XLSX, the process would be very simple. If they offer export in other formats too, our team can help. There would be some manual effort involved in recreating certain settings and policies, for which you can contact https://www.securden.com/password-manager/technical-support.html

plus icon minus icon
What are the differences between the built-in Administrator and Super Administrator role?
  • A built-in Administrator handles key administrative tasks in PAM, including user onboarding, approving or rejecting privilege elevation requests, and other essential activities. The Super Administrator role can be disabled if it's not needed, as it holds the highest level of privilege and full control over all privileged accounts within PAM.
  • Super Administrators function as an emergency "break glass" account, where they have the ability to bypass standard access controls and access all passwords (for work accounts) stored in Securden. This feature is designed to ensure password access during critical emergencies.
  • A Super Administrator has all the capabilities of an Administrator but also can view all work accounts added to the product, a privilege that an Administrator does not have.
  • Ownership and sharing concepts do not apply to the Super Administrator. Instead, an Administrator is responsible for owning and managing the sharing of accounts.
  • Scheduled tasks for backing up all work accounts as an encrypted HTML file can only be created by Super Administrators. To activate this feature, navigate to Admin > High Availability > Passwords Backup (Encrypted HTML File).
  • Super Administrators can manage the settings for other Super Administrators. To configure this, log in as a Super Administrator and go to Admin > Configurations > ‘Only Super Administrator can control other Super Administrator(s)’.
plus icon minus icon
How do I customize the logo and branding in the product UI?

Securden allows you to customize the logo, theme, and login customization throughout the UI. To customize it,

  • Navigate to the Admin pane in the Securden user interface. In the Customization section, select Logo, Theme, and Login Customization.
  • In the GUI that opens, you can customize the logo, theme, login page text, color theme, and authentication options.
  • Click Save. The changes will be reflected in the Securden user interface.
plus icon minus icon
Where can we change the credentials Securden uses to connect to the Active Directory?
  • To change the Active Directory domain administrator credentials in Securden, log in to the Securden UI and navigate to Admin > Integrations > Active Directory Domains. You’ll see a list of domains. Click the edit icon next to the intended domain, and in the GUI that opens, you’ll find the option to modify the credentials at the bottom. Once you’ve furnished the new credentials, click Save. The updated credentials will be saved to Securden.
plus icon minus icon
Does Securden store or access any customer information?

Securden does not have access to any of its client data. The customer retains full control of their data, and nothing is ever transmitted to Securden. There is no built-in connection between the Securden software and any external sources that would allow for such transmission.

As a result, Securden does not receive, handle, or process any data from its customers, including personally identifiable information (PII). The only data Securden collects is through sales/marketing forms filled out on our website, such as for product evaluations, demos, or price quotes. This data collection is limited to what is submitted via these forms and is not obtained through any other means.

Note: Securden does not and cannot collect any data via the product interface. Our privacy notice describes how we handle the data collected through sales and marketing forms.

Read our privacy policy for more information on how we collect and process customer information. https://www.securden.com/privacy-policy.html

plus icon minus icon
How can I add a user manually instead of from an Active Directory?

To add a user manually from Active Directory,

  • Navigate to the Users pane in the Securden UI.
  • Click Add and select Add Users manually.
  • In the GUI that opens, enter the mandatory user details such as First Name, Last Name, Email, Username, and Password.
  • You can set the access level of each user by assigning them a specified user role. You can select from the five predefined user roles: Super Administrator, Administrator, Auditor, Account Manager, and User. You also have the provision to create any number of custom user roles.
  • Fields like Phone number, Department, and Location are not mandatory, but you can add them to ensure precise user information for efficient management.
  • You can choose to enable or disable two factor authentication for the added user.
  • Click Save to add the user.

Note: Once saved and when the new user logs in, the system will prompt the user to reset the password initially created by the administrator.

plus icon minus icon
Is it possible to create a subdomain for sending access data to customers or partners?

Currently, Securden doesn’t have an option to create a subdomain specifically for sending access data to customers or third parties. However, we do offer alternative methods to facilitate secure access sharing:

  • Share Accounts with Users or User Groups: You can share accounts with specific users or user groups added in Securden, granting them granular access permissions specific to their job roles.
  • Share with Third Parties: If you need to provide access to external vendors or business partners on a temporary basis, you can use the "Share with Third Parties" feature. You’ll have to simply provide the email address of the recipient, and our system will send them a secure link to access the account.

You can find the "Share with Third Parties" option under "Account" > (select the account) > "Actions" > "Share with Third Parties".

plus icon minus icon
How can I find the previous password for an automatically rotated account if the rotation failed and the Securden server is out of sync with the AD?

To rotate a password using Securden, it's essential that Securden is in sync with the Active Directory (AD). When you initiate a password rotation, Securden will first attempt to update the password on the Active Directory. If this is successful, Securden will then update the password in its records. However, if the AD is not in sync or for other reasons the password reset fails, Securden will not update the password in its system at all. The old password will be retained in the Securden UI. You can simply check the current password, which is actually the previous password. If you want to check older passwords, click on the particular account and switch to the History tab. You will be able to see the previous password records for that account.

plus icon minus icon
Is it possible to view the password history for an account in Securden?

Yes. It is possible to check the history of passwords by navigating to Accounts >> (select the account) >> History. Here you'll be able to see the list of passwords that's been used since the account was added or imported into Securden.

plus icon minus icon
Will the Securden Agents be automatically upgraded when the server gets updated?

Yes, this can be achieved through configuration settings. Navigate to Admin >> Configurations >> Do you want to enable/disable the Securden Agent to be upgraded automatically? Click Change and select Yes. Securden agents will then be automatically upgraded as and when you upgrade the primary server.

 
Securden Help Assistant
What's next?
Request a Demo Get a Price Quote

Thanks for sharing your details.
We will be in touch with you shortly

Thanks for sharing your details.
We will be in touch with you shortly