Configure dual accounts

This topic describes how to configure dual account password management.

To support rotation of the two accounts before a Central Policy Manager (CPM) password change, the two accounts are grouped into a rotational group.


This feature supports rotation of precisely two accounts only.

Account rotation flow

When a rotational group platform is configured, rotation proceeds as follows:

  1. The CPM detects that the rotational group requires a password change, based on its platform settings.

  2. The DualAccountStatus of both accounts is switched: the active account becomes Inactive and the inactive account becomes Active.

  3. The CurrInd of the group is updated to the index of the active account.

  4. The inactive account is marked for a password change.

  5. Based on the GracePeriod property of the Rotational group platform, the password change is delayed, allowing the Credential Provider to refresh its cache and start working with the current active account.

  6. When the grace period has ended, the CPM initiates a password change task for the inactive account.

Configure support for dual account password management

This section describes how to configure dual account password management.

If your account platforms have the address, username, password, and account properties, and no other mandatory properties, you can configure dual account password management using the automatic configuration. This is the recommended approach for such account platforms.

For account platforms that do not include these properties or that have other mandatory properties, use the manual configuration.

Configure the password change interval for dual accounts

The following section describes how to set the interval for an automatic password change in the PVWA/Privilege Cloud portal.

In Dual Account configuration, a password is changed only after the Account Rotation process is completed and the GracePeriod has ended.

Therefore, to comply with your organizational password change policy, the following formula can be used to calculate the password's expiration period (Require password change every X days) in the Rotational Group platform settings:

For example:

  • There is an organizational audit requirement that passwords be changed every 30 days.

  • The Rotational Group has 2 members.

  • Set the expiration period of the Rotational Group to 15 days.

To set the interval for automatic password change in the PVWA/Privilege Cloud:

  1. Go to Administration > Platform Management > Rotational Policy > Edit > Automatic Password Management > Password Change, and change PerformPeriodicChange to Yes.

  2. Go to Policies > Master Policy > Password Management > Require password change every X days. Select Add Exception. Select <platform you created earlier> > Next. Edit the value to the required number of days.
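To make the account rotation flow above and the expiration interval calculation concrete, the following Python simulation (an added example, not CyberArk code) models a two-member rotational group in hourly ticks: it swaps DualAccountStatus, updates CurrInd, waits out the GracePeriod and only then changes the inactive account's password. The account names, the hourly time unit, GracePeriod expressed in hours and counting the change interval from the last rotation are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    name: str
    dual_account_status: str          # DualAccountStatus: "Active" or "Inactive"
    password_age: int = 0             # hours since the CPM last changed the password
    grace_left: Optional[int] = None  # hours of GracePeriod left; None = not marked for change

class RotationalGroup:
    """Two-member rotational group; time advances in hourly ticks (assumed model)."""

    def __init__(self, change_every_days: int, grace_hours: int):
        self.accounts = [Account("svc-a", "Active"), Account("svc-b", "Inactive")]  # constructed names
        self.curr_ind = 0                          # CurrInd: index of the active account
        self.change_every = change_every_days * 24 # "Require password change every X days"
        self.grace = grace_hours                   # GracePeriod of the rotational group platform
        self.since_rotation = 0

    def tick(self) -> int:
        """Advance one hour; return the oldest password age seen before any change."""
        self.since_rotation += 1
        for acc in self.accounts:
            acc.password_age += 1
        oldest = max(acc.password_age for acc in self.accounts)
        # Steps 1-5: the group is due, so swap Active/Inactive, update CurrInd and
        # mark the now-inactive account for a change delayed by the GracePeriod.
        if self.since_rotation >= self.change_every:
            for acc in self.accounts:
                acc.dual_account_status = "Inactive" if acc.dual_account_status == "Active" else "Active"
            self.curr_ind = next(i for i, a in enumerate(self.accounts) if a.dual_account_status == "Active")
            self.accounts[1 - self.curr_ind].grace_left = self.grace
            self.since_rotation = 0
        # Step 6: once the grace period has ended, the CPM changes the inactive password.
        for acc in self.accounts:
            if acc.grace_left is None:
                continue
            if acc.grace_left == 0:
                acc.password_age, acc.grace_left = 0, None
            else:
                acc.grace_left -= 1
        return oldest

def max_password_age_hours(change_every_days: int, grace_hours: int, horizon_days: int) -> int:
    """Longest any member's password lives (in hours) over the simulated horizon."""
    group = RotationalGroup(change_every_days, grace_hours)
    return max(group.tick() for _ in range(horizon_days * 24))
```

With a 30-day audit requirement, max_password_age_hours(30, 1, 180) shows a password living about 60 days because each member is changed only every other rotation, while max_password_age_hours(15, 1, 180) keeps every password within 30 days plus the grace period.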

Limitations

Account usages are not supported in automatic Dual Account configuration.

When initiating a manual password change on an account that is a member of a Rotational Group, the Synchronize the current account's password with the group's password option is not supported.

Selecting this option causes the specific account's password to fall out of sync with the Credential Provider cache.