Creating a secret

To create a secret:

1. Go to Secrets > Secret List.

   Alternatively, go to Folders, and select a folder where you intend to add a secret.

   From the Create dropdown, select Secret, and skip to step 3.

2. In Secret List, select Create.

   The Create New Secret in: dialog appears.

3. Select the folder where you intend to add the secret.

   The folder is already selected if you are creating secret from inside a folder.

4. Select Create Secret.

   The General pane opens.

   

5. To switch to either Service Setting or Secret Permission tab, select the tab.

   

   

6. Enter the following information:

   Name	Name of the secret.
   Folder	The folder where the secret is added. See Folders. The folder is already selected in step 2. Use the dropdown, if you want to change the folder.
   Template	From the dropdown, select a template. Select Create to create a new template. See Creating secret templates. To change the template after selecting one: Select the pen icon. In the Convert Secret Template pane, select a template to transfer old field values to new fields where applicable. Click OK.
   Associated Secret	Enable and then from the dropdown, select an associated secret for the new secret being created. When enabled, changing password or verifying password requires credentials from the associated secret. Note: The option is disabled by default.
   Description	Optionally, enter a description.
   Fields	Select a field in the table and then select edit to add a value. The options in the fields depend on the selected template. For fields where a host is required when using the FortiPAM browser extension, enter the URL instead.
   Secret Settings Some settings may not be configurable as they are protected by the policy that applies to the folder where the secret is added. The owner of the secret must configure password verification and change settings before the secret utilizes the password changer and password verification. However, a user can manually trigger these actions if they have sufficient permissions.
   Automatic Password Changing	Enable/disable automatic password changing. When enabled, password changer for secrets is activated to periodically change the password.
   Recursive	Displays the password changing schedule based on your selections for the related settings.
   Start Time	The date and time when the recurring schedule begins. Enter date (MM/DD/YYYY) and time or select the Calendar icon and then select a date and time.
   Recurrence	From the dropdown, select from the following three frequencies of recurrence: Daily Weekly Monthly
   Repeat every	The number of days/weeks/months after which the password is changed (1- 400).
   Occurs on	Select from the following days of the month when the password is automatically changed: First Second Third Last Last Day Day When you select Day, select + to add days of the month when the password is automatically changed. Select days of the week when the password is automatically changed. Note: The option is only available when Recurrence is set as Weekly or Monthly.
   Automatic Password Verification	Enable/disable automatic password verification. When enabled, password changer for secrets is activated to periodically verify the password, and check if the target server is still available.
   Interval (min)	The time interval at which the secret passwords are tested for accuracy, in minutes (default = 60, 5 - 44640).
   Start Time	The date and time when the Interval(min) begins. Enter date (MM/DD/YYYY) and time or select the Calendar icon and then select a date and time.
   Session Recording	Enable/disable session recording. When enabled, user action performed on the secret is recorded. The video file is available in the log for users with appropriate permission.
   Proxy Mode	Enable/disable the proxy mode. When enabled, FortiPAM is responsible to proxy the connection from the user to the secret. In the proxy mode: Web launcher is available to users who have the permission to view the secret password. Web launcher is disabled for users who do not have the permission to view the secret password. When disabled, the non-proxy (direct) mode is used. See Modes of operation. In the non-proxy mode: Web launcher is available to users who have the permission to view the secret password. Web launcher is disabled for users who do not have the permission to view the secret password. When launchers are disabled, the Launch option is unavailable and a tooltip is displayed instead:
   Tunnel Encryption	Enable/disable tunnel encryption. When launching a native launcher, FortiClient creates a tunnel between the endpoint and FortiPAM. The protocol stack is HTTP/TLS/TCP. The HTTP request gives information on the target server then FortiPAM connects to the target server. After that, two protocol options exist for the tunnel between FortiClient and FortiPAM. One is to clear the TLS layer for better throughput and performance. The other is to keep the TLS layer. The launcher's protocol traffic is inside the TLS secure tunnel. If the launcher's protocol is not secure, like VNC, it is strongly recommended to enable this option so that the traffic is in a secure tunnel. When there is an HTTPS Man In The Middle device, e.g., FortiGate or FortiWeb between FortiClient and FortiPAM, you must enable the Tunnel Encryption option. Otherwise, the connection will be disconnected, and the launching will fail.
   Antivirus Scan	Enable/disable antivirus scan. When enabled, it enforces an antivirus profile on the secret. See AntiVirus.
   Antivirus Profile	From the dropdown, select an antivirus profile.
   Requires Checkout	Enable/disable requiring checkout. When enabled, a user has exclusive access to a secret for a limited time. At a given time, only one user can check out a secret. Other approved users must wait for the secret to be checked in or wait for the checkout duration to lapse before accessing the secret. See Check out and check in a secret.
   Checkout Duration	The checkout duration, in minutes (default = 30, 3 - 120).
   Checkin Password Change	Enable/disable automatically changing the password when the user checks in.
   Renew Checkout	Enable/disable renewing checkouts.
   Max Renew Count	When Renew Checkout is enabled, enter the maximum number of renewals allowed for the user with exclusive access to the secret (default = 1, 1 - 5).
   Requires Approval to Launch Secret	Enable/disable requiring approval to launch a secret. When enabled, users are forced to request permission from the approvers defined in the approval profile before gaining access. From the dropdown, select an approval profile. Use the search bar to look up an approval profile. Use the pen icon next to the approval profile to edit it. See Make a request and Approval flow.
   Requires Approval to Launch Job	When enabled, users are forced to request permission from the approvers defined in approval profile before being able to perform a job on a secret. From the dropdown, select an approval profile. Use the search bar to look up an approval profile. Use the pen icon next to the approval profile to edit it. See Make a request and Approval flow.
   Service Settings Turn on/off the service settings. You can individually toggle on or off each service, controlling whether or not FortiPAM is allowed to use the specific service to connect to the secret. The port used by each service specified in the template can also be overridden to use a custom port specific to the secret.
   SSH Service	Enable/disable SSH service. Note: SSH Filter, RSA Sign Algorithm, and Connect over SSH with, and SSH Auto-Password options are only available when Template is already selected.
   Port	Use the template default port or disable and enter a port number.
   SSH Filter	Enable/disable using an SSH filter profile. See SSH filter profiles.
   SSH Filter Profile	From the dropdown, select an SSH filter profile. Note: The option is only available when SSH Filter is enabled. Use the search bar to look up an SSH filter profile.
   RSA Sign Algorithm	To improve compatibility with different SSH servers, select a sign in algorithm for RSA-based public key authentication: RSA SHA-256 signing algorithm RSA SHA-512 signing algorithm RSA SHA-1 signing algorithm (default)
   Connect over SSH with	If the setting is set to Self (default), the secret launches SSH with its own username and password. If the setting is set to Associated Secret, the secret launches SSH with the associated secret's username and password.
   SSH Auto-Password	Enable or disable automatically delivering passwords to the server when the user enters privileged commands (e.g., sudo in Unix system and enable in Cisco devices) in the SSH shell terminal. For secrets using Cisco server info template, an associated secret must be set to enable this feature. Note: The option only works when Proxy Mode is enabled.
   RDP Service	Enable/disable RDP service. Note: Block RDP Clipboard, RDP Security Level, RDP Restricted Admin Mode, and Keyboard Layout options are available only when Template is already selected.
   Port	Use the template default port or disable and enter a port number.
   Block RDP Clipboard	Enable/disable allowing users to copy/paste from the secret launcher.
   RDP Security Level	Select a security level when establishing a RDP connection to the secret: Best Effort (default): If the server supports NLA, FortiPAM uses NLA to authenticate. Otherwise, FortiPAM conducts standard RDP authentication with the server through RDP over TLS. NLA: Network Level Authentication (CredSSP). When an RDP launcher is launched, FortiPAM is forced to use CredSSP (NLA) to authenticate with the target server. RDP: FortiPAM uses the standard RDP encryption provided by the RDP protocol without using TLS (Web-RDP only). TLS: RDP over TLS. FortiPAM uses secured connection with encryption protocol TLS to connect with the target server.
   RDP Restricted Admin Mode	Enable/disable RDP restricted admin mode. Restricted admin mode prevents the transmission of reusable credentials to the remote system to which you connect using remote desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised. Note: The option is only available when RDP Security Level is set as Best Effort or NLA.
   Keyboard Layout	From the dropdown, select a keyboard layout (default = English, United States)
   VNC Service	Enable/disable VNC service.
   Port	Use the template default port or disable and enter a port number.
   LDAPS Service	Enable/disable LDAPS service.
   Port	Use the template default port or disable and enter a port number.
   SAMBA Service	Enable/disable SAMBA service.
   Port	Use the template default port or disable and enter a port number.
   Secret Permission By default, secret permission is the same as the folder where they are located. When customizing secret permission, ensure that you log in with an account with Owner or Edit permission to the secret or the folder where the secret is located.
   Launch Device Control	Enable to limit the permission of launching by ztna-ems-tag. You can choose whether to match all the tags or only one of them.
   Device Tags	Select + to add ZTNA tags or groups. Use the search bar to look up a ZTNA tag or ZTNA tag group. Only permitted devices with the selected tags are allowed to launch.
   Device Match Logic	Define the match logic for the device tags: OR: Devices with any of the selected tags are allowed to launch. AND: Devices must acquire all the selected tags to launch.
   Inherit Permission	Enable to inherit permissions that apply to the folder where the secret is located. The option is enabled by default.
   User Permission	The level of user access to the secret. See User Permission. This option is only available when Inherit Permission is disabled. For column settings, see Tables.
   Group Permission	The level of user group access to the secrets. See Group Permission. This option is only available when Inherit Permission is disabled. For column settings, see Tables.

7. Click Submit.

   See Launching a secret and Example secret configurations example.

User Permission

1. In step 5 when Creating a secret, select Create in User Permission.

   The New User Permission window opens.

   

2. Enter the following information:

   Users	Select + and from the list, select users in the Select Entries window. To add a new user: From the Select Entries window, select Create and then select +User Definition. The New User Definition wizard opens. Follow the steps in Creating a user, starting step 2 to create a new user. Use the search bar to look up a user. Use the pen icon next to a user to edit it.
   Permission	From the dropdown, select an option: None: No access. List: Ability to list secrets. You cannot see detailed information on secrets. View: Ability to view secret details and launch a secret. Edit: Ability to create/edit secrets and launch the secrets. Owner: The highest possible permission level with the ability to create, edit, delete, and launch secrets.

3. Click OK.

From the list, select a user and then select Edit to edit the user. From the list, select users and then select Delete to delete the users.

Group Permission

1. In step 5 when Creating a secret, select Create in Group Permission.

   The New Group Permission window opens.

   

2. Enter the following information:

   Groups	Select + and from the list, select user groups in the Select Entries window. To add a new user group: From the Select Entries window, select Create. The Create New User Group window opens. Follow the steps in Creating user groups, starting step 3. Use the search bar to look up a user group. Use the pen icon next to a user group to edit it.
   Permission	From the dropdown, select an option: None: No access. List: Ability to list secrets. You cannot see detailed information on secrets. View: Ability to view secret details and launch a secret. Edit: Ability to create/edit secrets and launch the secrets. Owner: The highest possible permission level with the ability to create, edit, delete, and launch secrets.

3. Click OK.

From the list, select a user group and then select Edit to edit the user group. From the list, select user groups and then select Delete to delete the user groups.