If you've never set up Elevated Access before, please use the link below to learn more about it and how to set it up correctly.
Setup Elevated Access – Evo Support (evosecurity.com)
This article assumes you're running into an issue that stops you from using Elevated Access. Follow the steps below to troubleshoot.
Account
The account that you add as a shared account needs to be an administrator. Typically a new administrator account is added to prevent any conflict with existing accounts.
The first part is adding a new Domain Administrator account and adding it to the appropriate group that is being synced over. Once the sync completes and the account is copied over, you can start to add permissions for the account.
Permissions
After you add a shared account to your tenant for use with Elevated Access, you need to make sure users have permissions to use the shared account.
You can view this in My Company -> Vault. You can follow this KB article for how to add a Shared/Domain Account.
Once the account is added, you need to make sure that the appropriate users/groups have the permissions to use the shared account.
You can view information on setting up Elevated Access permissions here
You'll want to ensure that users/groups are added to assignments that allow them to use the shared account. Once you confirm that the appropriate users are set with permissions, you can attempt to test access to the shared account.
Testing
After the agent is installed, test access by logging out of the system and logging in with the user's Evo credentials (either LDAP-based credentials, Azure-based credentials or Evo Cloud credentials).
Verify Agent Settings
Check your Secure Login token and secret key. The token and secret key are used for Elevated Access; if they're mismatched, the Elevated Access feature will not work. A typo, a stray space, or unexpected formatting in those keys will also stop Elevated Access from working. Please double-check those keys and make sure you copy them over as plain text.
- You can use "Connection Test" on Secure Login to test the elevated access. For elevated access you'll need to use your full Evo Login email address and password.
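The key check described above can be scripted. This is an added example, not Evo tooling: it flags stray whitespace, invisible characters and rich-text characters in a pasted token or secret key, and reports positions only so the output can go into a ticket. It assumes keys are plain ASCII with no spaces; the function names and sample values are constructed for illustration.

```python
import unicodedata

def audit_pasted_key(value):
    """List formatting problems in a pasted key without echoing the key."""
    findings = []
    if value != value.strip():
        findings.append("leading or trailing whitespace")
    core = value.strip()
    if len(core) >= 2 and core[0] == core[-1] and core[0] in "\"'":
        findings.append("value is wrapped in quotes")
    for pos, ch in enumerate(core):
        # Control characters have no Unicode name, so fall back to the code point.
        name = unicodedata.name(ch, f"U+{ord(ch):04X}")
        if ch.isspace():
            findings.append(f"whitespace inside value at position {pos}: {name}")
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            # Zero-width spaces, BOMs and similar characters from rich-text copies.
            findings.append(f"invisible character at position {pos}: {name}")
        elif ord(ch) > 127:
            # Assumption: keys are ASCII, so smart quotes or dashes are paste damage.
            findings.append(f"non-ASCII character at position {pos}: {name}")
    return findings

def first_mismatch(portal_value, agent_value):
    """Index of the first differing character, or None if the values match."""
    for i, (a, b) in enumerate(zip(portal_value, agent_value)):
        if a != b:
            return i
    if len(portal_value) == len(agent_value):
        return None
    return min(len(portal_value), len(agent_value))

# Constructed sample values (not real Evo keys).
CLEAN = "EXAMPLE-TOKEN-0001"
PASTED = " EXAMPLE\u200b-TOKEN-0001\n"

if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("pasted", PASTED)):
        print(label, audit_pasted_key(value) or "no formatting problems")
    print("first mismatch at", first_mismatch(CLEAN, PASTED.strip()))
```

When checking a real key, read it with `getpass.getpass()` rather than placing it on the command line, so it does not end up in shell history.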
Role-Based Permissions
Check the user's Role-Based Permissions. In order to use Elevated Access, the user must be given at least the "Can be an Elevated Admin" permission. Log in to the Evo portal -> Access -> Role-Based Permissions Tab -> Select one of your permission groups. Make sure the permission is checked.
These are the most common errors you will see if the user does not have the right permission.
Desktop error (Unexpected Login Failure):
Evo portal error activity log: Access Denied:
Verify Elevated Access permissions
Even if the user has the right role-based permissions, you still need to give them access to the domain account(s). Log in to the Evo portal -> Access -> Elevated Access and edit (pencil icon on the right); make sure the correct domain account(s) are checked and the user(s) or user group(s) are checked as well.
The most common error you will see for this access is like the photo below (User not configured for shared account).
If Elevated Access still does not work for you after the steps above, please feel free to submit a ticket with a log archive ("Build Log Archive") from both the Secure Login app and the LDAP Agent app. We will try our best to assist you.