Setting access challenge policies

You can set access challenge policies for individual secrets or folders. For example, you might want to require multi-factor authentication for users who have permission to view, edit, retrieve, or replace secrets if certain conditions are met.

An authentication rule specifies the conditions to be evaluated and the authentication profile specifies the challenges presented when the conditions specified are true. You can configure new authentication rules and authentication profiles just for secrets and folders or select and use rules and profiles you have previously created.

Policy inheritance

Note the following behavior for multi-factor authentication inheritance:

  • Multi-factor authentication policies are inherited and apply to Retrieve, Move, and Delete actions for folders and secrets.
  • Folders and secrets take on the authentication policies of the closest parent. For instance, a secret in Production/DevSys will take on the policies of the folder DevSys, not Production, if no policies are applied to the secret.
  • Multi-factor authentication policies set for a folder or secret take precedence over any policy set for a parent folder.
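
The inheritance rules above can be modeled offline to audit which policy a secret actually ends up with. The following is an added example, not code from the product: the policy map, profile names, and secret paths are constructed, and it assumes that a secret with no policy anywhere in its folder chain has no challenge policy from this mechanism.

```python
from typing import Optional, Tuple

# Constructed sample data: path -> authentication profile set directly on that
# folder or secret. Profile names are hypothetical, not exported from the product.
DIRECT_POLICIES = {
    "Production": "MFA-Standard",
    "Production/DevSys": "MFA-Strict",
    "Production/DevSys/db-root": "MFA-Admin",
}

# Constructed inventory of secrets (full paths).
SECRETS = [
    "Production/DevSys/db-root",
    "Production/DevSys/api-key",
    "Production/Billing/smtp-pass",
    "Staging/test-token",
]


def effective_policy(path: str, direct: dict) -> Optional[Tuple[str, str]]:
    """Return (profile, source_path) for the policy that applies to `path`.

    A policy set on the item itself wins; otherwise walk up to the closest
    parent folder that has one. Returns None when nothing in the chain has
    a policy (assumption: no other default applies).
    """
    parts = path.strip("/").split("/")
    while parts:
        candidate = "/".join(parts)
        if candidate in direct:
            return direct[candidate], candidate
        parts.pop()  # move one level up toward the root
    return None


def unprotected(secrets, direct):
    """Secrets with no policy of their own and none inherited."""
    return [s for s in secrets if effective_policy(s, direct) is None]


if __name__ == "__main__":
    for s in SECRETS:
        print(s, "->", effective_policy(s, DIRECT_POLICIES))
    print("no challenge policy:", unprotected(SECRETS, DIRECT_POLICIES))
```

Reporting the source path alongside the profile shows where a secret's policy is inherited from, which makes it easier to spot secrets that silently depend on a parent folder's setting.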

To set access policies for secrets and folders:

  1. In the Admin Portal, click Resources, then click Secrets to display the list of secrets or folders.
  2. Select the secret or folder to display its details.
     • For Secrets, click the secret to display its details.
     • For Folders, click the check box next to the folder name and then click Edit from the Actions menu.
  3. Click Policy.
  4. Select a default access challenge profile, if an appropriate profile exists, or click Add Rule to configure one or more authentication challenge rules.
  5. Click Save.

For more information about how to configure authentication rules and profiles, see Creating authentication rules and Creating authentication profiles.