Passwords and Accounts

The Passwords & Accounts page enables you to configure settings for user accounts, passwords, physical devices, Remote Desktop Protocol (RDP), authentication requirements, authorized networks, and API Keys.

User Account Settings

User Account Settings allows you to:

  • Disable Inactive and Not Registered accounts after a custom number of days.

  • Notify users about their account disablement.

  • Set the number of failed login attempts allowed in a given time before an account is locked out.

  • Set the unlocking of an account to a time limit or a manual override.

  • Set the minimum length for a User ID.

Password Settings

Password Settings allows you to set password rules for all user types.

NOTE:

Changes to the system password policy apply to new User accounts, or to Users who reset their password.
To review the Password Policies for VPAM, navigate to the Password Policy documentation.

Physical Device Authentication

Physical Device Authentication enables administrators to offer a physical device as an authentication method for the server's users. When the Physical Device Authentication feature is enabled, users may choose whether or not to configure a device. Physical devices that users can use to authenticate are:

  • An Android device.

  • Biometric factors built into a computer (such as a fingerprint sensor on a Mac or a facial recognition webcam on Windows devices).

  • Hardware authentication devices, like a YubiKey.

NOTE:
If email authentication is required for users to log in, they will still need to retrieve an email token while logging in.

System Administrators use the Settings > Passwords and Accounts page to configure the authentication options.

Users configure their device with the following process:

  1. Log in and navigate to Admin > My Account.

  2. Click Add Physical Device Authentication in the top right corner of the screen.
    If the feature is not enabled, the system does not display this option.

  3. Select the authentication method you want to use.

  4. Follow the prompts to complete the setup.

    You can repeat the process to add multiple authentication methods.

RDP Settings

RDP Settings enables you to set the access you have to your customer's assets (specifically drives and printers) during a session. You can also enable your users to override your policy.

Nexus Users Settings

Nexus User Settings enables you to require Imprivata VPAM to validate that Multi-Factor Authentication (MFA) was met by Nexus Vendor Reps in their home CPAM server.

CAUTION:
When you select and save Require Multi-Factor Authentication from users, the change immediately requires all Nexus Vendor Reps to have met their home CPAM server's MFA Requirements. If your Vendor Reps have not already configured MFA in a way that Imprivata can validate that MFA is happening, the system will block their connection through the Nexus.
It is recommended that you communicate and schedule the MFA enforcement prior to making this change. Ensure that you share the Multi-Factor Authentication (MFA) Validation for Nexus Connections document with your Vendors before enforcing MFA.

Authorized Networks

Authorized Networks define approved IP addresses or ranges from which Internal User authentication is permitted to access the VPAM server. This means that your internal users must be connected to an authorized network to access the server. This setting does not impact external users, such as customers or vendor reps. A similar setting is available to configure networks for Vendors. Read the Vendor Networks section of Vendor Management.

When you configure Authorized Networks, your server does the following when a login attempt occurs:

  • If the source IP address matches a defined network, authentication proceeds.

  • If the source IP address does not match, the system blocks the login or enforces additional policy controls, depending on your configuration.

This control applies at the server authentication layer and governs access to the VPAM server and API access when network restrictions are enforced for API keys.

You can use the feature to add single IP addresses or a range of IP addresses.

TIP:
Use a slash (/) to avoid typing every single IP address when using a range. For example: XX.XX.XXX.12/24
This example automatically inputs 13 IP addresses, from XX.XX.XXX.12 to XX.XX.XXX.24.
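The login-time check described above, with slash entries expanded the way the TIP states, as an added example that is not Imprivata's code. It also reports how many addresses the same string would cover if read as a CIDR prefix, so you can confirm which addresses an entry actually admits before relying on it. The function names are hypothetical, the slash semantics are assumed from the TIP, and the addresses are constructed from ranges reserved for documentation.

```python
import ipaddress

def expand_tip_range(entry):
    """Expand 'A.B.C.12/24' into .12 through .24, as the TIP describes (assumed semantics)."""
    start_text, slash, end_text = entry.partition("/")
    start = ipaddress.IPv4Address(start_text)
    if not slash:
        return [start]                      # single address, no range
    first, last = int(start) & 0xFF, int(end_text)
    if not first <= last <= 255:
        raise ValueError(f"range end {last} is not in {first}..255: {entry}")
    base = int(start) - first               # address with the last octet zeroed
    return [ipaddress.IPv4Address(base + octet) for octet in range(first, last + 1)]

def cidr_size(entry):
    """Number of addresses the same string covers when read as a CIDR prefix."""
    return ipaddress.ip_network(entry, strict=False).num_addresses

def is_authorized(source_ip, entries):
    """Login-time check: does the source IP match any configured entry?"""
    source = ipaddress.IPv4Address(source_ip)
    return any(source in expand_tip_range(entry) for entry in entries)

# Constructed entries (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
ENTRIES = ["203.0.113.12/24", "198.51.100.7"]

if __name__ == "__main__":
    for entry in ENTRIES:
        if "/" in entry:
            print(entry, "TIP range:", len(expand_tip_range(entry)),
                  "addresses; CIDR reading:", cidr_size(entry))
    for ip in ("203.0.113.20", "203.0.113.30", "198.51.100.7"):
        print(ip, "authorized" if is_authorized(ip, ENTRIES) else "blocked")
```

After saving an entry, review the list of addresses the server shows for it and compare the count against the range you intended.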

API Keys Settings

The API Keys Settings enable you to set rules for API Keys in your VPAM server. From this page, you can disable API Keys and set expiration dates for API keys and tokens.

Vendor Representative Settings

The Vendor Representative Settings enable you to Allow Self Registration for vendor reps, as long as they have an email address with an Authorized Domain. Read the Authorized Domain section in the Vendor Management documentation.

You can also configure two optional messages:

Configure the Vendor Representative Settings considering the following:

  • Require approval for Vendor Reps at Login: Vendor Representatives must request access to the system.

  • Require approval for Vendor Reps per Application based on the Application's Department: Vendor Representatives can log in. They must request access for each individual application.

  • Require approval for Vendor Reps per Application based on the Vendor's Department: Self registration requires approval before connecting.

  • No Vendor Rep Approval: Your server is open for any member with the Authorized Domain to access.