Password Access Workflow in IT Glue

For partners subscribed to Select and Enterprise plans.

Introduction

Follow this article to set up a Password Access workflow in IT Glue or GlueConnect so that you may receive instant notifications each time a sensitive password is accessed. Once this workflow is set, you can stay aware of all actions made to view or copy high-security level passwords in the platform.

This real-time knowledge allows you to audit day-to-day password-related actions efficiently, be immediately aware of any potential misuse or suspicious activity, and reduce the time gap between a potential compromise or exposure and the subsequent check performed by an administrator.

Prerequisites

  • You must be a Manager or Administrator within IT Glue to create workflows.
    • For partners using GlueConnect: If you have already delegated cross-account access using GlueConnect, you will be notified each time users from an external IT Glue account access your passwords once you set up the Password Access workflow in the primary account.
  • Review our Quick guide for workflows or Flags and Workflows KB articles for all details regarding how to create workflows in IT Glue.

Instructions

  1. Navigate to Account > Workflows. Then, click on the green + New button to be taken to the new workflow setup screen.
  2. Select the Password Access trigger. This is an instant trigger, meaning that whenever the trigger criteria are met, an instant notification is sent as defined in the workflow actions. Click Next.
  3. Configure the new trigger by giving it a brief but descriptive name. Enter a notification failure email address. If the trigger fails, this given email address will receive an alert. Click Next.
  4. Add action(s) as desired before clicking Next. Selections include:
    1. Email notification,
    2. Web hook, or
    3. Slack notification.
  5. Add filter(s) by clicking the green + Filter button before clicking Next. Selections include:
    1. Password
    2. Organization
    3. Organization status
    4. Updated by
    5. Password category
    6. Description
    7. Username
    8. URL
    9. Notes

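      NOTE  The Password, Organization, Organization status, Updated by, and Password category filters use the Any of and None of operators. The Description, Username, URL, and Notes filters use the Contains, Does Not Contain, Starts With, and Ends With operators.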

  6. Configure the action. Enter an Action Name, Subject, Body, and at least one recipient. To add more recipients, click the plus (+) icon. Click Next.
    1. Optional: Click the Need Help? button at the bottom of the screen to access available variables. You can insert these variables into the Subject and/or Body fields where they will be dynamically replaced with the respective content from the notification or asset. Click Next.
  7. Click the Test Action button. If your test fails or needs to be revised, you can fix it before you put the notification into production. You will see a green "Notification Sent" banner if the test was successful.
  8. Toggle the Status switch to ON and click Finish to save all your changes.

Various triggers across the platform

Review the following areas and actions in IT Glue that will trigger a notification for passwords accessed:

  • GlueConnect - A user has accessed a password in a GlueConnected account.
  • Password Show Page - A user has clicked the Show Password button, Copy to clipboard icon, or PDF button on the Password show page for the current password or one of its previous versions.
  • PDF exports - A user has generated an export from an asset that contains embedded passwords.
  • List view exports - A user has generated an export from the Password list view page or Flexible Asset containing embedded passwords.
  • Runbooks - A user has downloaded a runbook containing unmasked passwords. This trigger does not apply to runbooks containing masked (values hashed) passwords.
  • Account or Organization exports - A user has downloaded an export file from either Export Data.
  • Global password exports - A user has clicked the Export button from either the General or Embedded tabs in Global > Assets > Passwords > Export.
  • Password list view - A user has copied a password from the Password list view.
  • At-Risk Password Report - A user has clicked the Export button in either the At Risk or All Accessed tabs in Global > Reports > Passwords > Generate an At-Risk Password Report.
  • Core & Flexible Assets -
    • A user has viewed, copied, or exported a password to PDF inside a Core or Flexible Asset.
    • A Core or Flexible Asset containing a password is shown in Edit mode.
    • A user has exported Global Core or Flexible Assets that contain passwords.
    • A user has generated a Core or Flexible Asset list view export.
  • Search - A user has clicked the Show Password or the Copy to clipboard icon on a password’s search result.
  • IT Glue Chrome Extension - A user has clicked the Show Password button or copied the password.
  • IT Glue Mobile App - A user has tapped the Show Password button or copied the password.
  • API - The Password Access workflow will trigger a notification if a password is accessed via the IT Glue API:
    • Show Passwords endpoint is called
    • Update Passwords endpoint is called and show_password=true
    • Bulk Update endpoint is called and show_password=true
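
The following added example, which is not part of the original article and is not IT Glue code, shows one way to triage notifications delivered through the Web hook action: it flags the bulk-exposure triggers listed above and bursts of distinct passwords accessed by a single user. The event fields (user, password, source, timestamp) and the source labels are hypothetical and assume the receiving endpoint has already normalized each notification into this shape.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed source labels for the trigger areas that expose many passwords at once.
BULK_SOURCES = {"pdf_export", "list_view_export", "runbook",
                "account_export", "global_password_export"}

def triage(events, window=timedelta(minutes=5), threshold=5):
    """Return (timestamp, user, reason) alerts for password-access events.

    Each event is a dict with hypothetical keys: user, password, source and
    timestamp (ISO 8601). Events are evaluated in time order.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> (time, password) pairs inside the window
    in_burst = set()             # users already alerted for the current burst
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        ts, user = datetime.fromisoformat(ev["timestamp"]), ev["user"]
        if ev["source"] in BULK_SOURCES:
            alerts.append((ev["timestamp"], user, f"bulk access via {ev['source']}"))
        seen = recent[user]
        seen.append((ts, ev["password"]))
        while ts - seen[0][0] > window:  # drop accesses older than the window
            seen.popleft()
        distinct = len({name for _, name in seen})
        if distinct < threshold:
            in_burst.discard(user)
        elif user not in in_burst:       # alert once per burst, not per event
            in_burst.add(user)
            alerts.append((ev["timestamp"], user,
                           f"{distinct} distinct passwords within {window}"))
    return alerts

# Constructed sample events (not real IT Glue output).
SAMPLE_EVENTS = [
    {"user": "alice", "password": "Firewall admin", "source": "show_page",
     "timestamp": "2024-01-15T09:00:00"},
    *[{"user": "bob", "password": f"pw-{i}", "source": "api",
       "timestamp": f"2024-01-15T09:01:{i}0"} for i in range(6)],
    {"user": "carol", "password": "Client A runbook", "source": "runbook",
     "timestamp": "2024-01-15T09:10:00"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The window and threshold defaults are illustrative; tune them to the normal access pattern of your technicians.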