The Checkout policies section found in Administration – Modules – Privileged access – Checkout policies allows administrators to create and edit separate policies for Privileged Access Management (PAM) checkout. Checkout policies can then be applied to specific entries and folders (right-click, then Properties – Common – Checkout policies), or configured to be applied by default to everything.
| Option | Description |
|---|---|
| Name | Set a name for the checkout policy. |
| Is default | Apply the checkout policy to every PAM entry/folder by default. |
| Checkout mode | Enable or disable checkouts altogether. |
| Approval mode | Define which requests require approval, if any. |
| Users can approve their own checkout requests | Choose whether users can approve their own requests, and under which condition. |
| MFA on checkout | Require multifactor authentication when checking out an entry. The options are: Default, None, Mandatory, or Mandatory on JIT elevation only. |
| Checkout reason | Choose under which conditions users need to provide a reason for checking out an entry. |
| Check out time (minutes) | Set a default checkout duration in minutes. |
| Max check out time (minutes) | Set a maximum checkout duration, after which no time extensions are allowed. |
| Terminate sessions on check in | Force session termination when the account is checked in. |
Share your feedback