Manage dual accounts

The Dual Accounts deployment method eliminates any edge case delays that may be encountered when using the Single Account deployment method.

This feature is supported for all Credential Provider products.

Dual accounts vs Single account

Using the Single Account deployment method, delays may be incurred in edge cases such as when a password is requested exactly when CPM is changing that password.

Dual Accounts ensures no such delays are incurred when the application needs credentials because a password that is currently used by an application will never be changed. This is especially recommended in high load and critical applications.

The Dual Accounts method ensures seamless, safe access to a system, database, or application. With this type of account rotation, there are no blackout periods when passwords expire.


How it works

Two accounts with identical privileges are assigned: one active ( A), one inactive (B). There is always an active account, which remains untouched during password rotation. This ensures business continuity, with no delays.

Rotation 1

At the set date for password rotation, account A, the first account in use, is deactivated, and B is activated.

While the second account B is active, there is a grace period. At the end of the grace period the password of the deactivated first account A is reset. This allows all applications to register the change and switch to using the newly active account.

Rotation 2

At the next set date for password rotation, account B is deactivated. Account A is now active.

Deactivated account B has its password reset at the end of this grace period.

Dual Account properties

The Dual Account solution uses two account properties to determine which accounts are valid for use at any given time.




This property flags accounts as Active or Inactive. Dual accounts pairs will always have one active account and one inactive account.


This property identifies two identically provisioned accounts in a dual accounts pair under one virtual username.

On each target system, there must be two accounts with identical permissions, the dual accounts pair, used by the application to connect to the system. In the Vault/Privilege Cloud, one account is tagged as active and the other account is tagged as inactive (using the DualAccountStatus property), while on the target system (e.g. database), they are both enabled. Secrets Manager does not enable or disable accounts on target systems.

A typical example is when an application connects to a remote database.


The BillingApp application regularly requests an account password from the Credential Provider in order to connect to a DB2 database, located on

When using the Dual Account solution, two accounts must reside on the DB2 database. Both accounts have the same value for their VirtualUsername property, which links them and creates the dual accounts pair. These accounts will be used by the BillingApp application to connect to the database when required. One account is always Active and one account is always Inactive.