Account check-out and check-in
Auditing and control requirements demand full identification and monitoring of users who access privileged accounts during any given period. In addition, to guarantee accountability, each user must be the only user who accesses a privileged account.
How it works
The Master Policy enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password.
If the organizational policy determines that a password can only be used once, the Master Policy can also be configured to change the password’s value before unlocking it and making it available to other users. If a CPM is installed, this can be done automatically.
PSM can automatically unlock these exclusive accounts after a PSM session ends. For detail, see Automatically unlock accounts.
View checked-out accounts
If an account is checked out, and therefore locked, the Locked account icon appears in the Accounts list on the line of the locked account.
You can check for accounts that have been checked out by other users in the Safes where you are an owner.
- In the Accounts list, display any list of accounts; all the locked accounts are marked with the Locked account icon.
Users who have the ‘View Safe Members’ authorization can see the name of the user who has locked the account when they place the mouse over the locked icon.
Release exclusive accounts
After retrieving an exclusive account, you can release it through the Password Vault Web Access. If you do not release the account manually, one of the following processes happens, depending on the way the account is managed:
Account is managed... | How it is released...
---|---
Automatically by the CPM | The CPM releases it automatically after the period of time specified in the platform.
Manually | The account must be released manually. A notification is sent to a user who is authorized to release the password and change it.
Authorized users can release accounts in the following pages:
In the Locked Accounts list:
- In the Locked Accounts list, select the account to release.
- From the Manage drop-down menu, select Release.
  - If the account is managed automatically by the CPM, it is released and the password is changed, so that it can be used by other users.
  - If the account is managed manually, a notification is sent to a user who is authorized to change the password. The account is released automatically after it has been changed.
In the Edit Account page (administrators with the Unlock accounts permission only):
This procedure is only for administrators who have the Unlock accounts permission; it enables users to access an account urgently when it is locked by another user.
Only give Safe members the ‘Unlock accounts’ authorization if it is essential. This action could result in more than one user retrieving the same password, with no accountability over who performed operations using this account during this period of time.
- In the Accounts list, select the account to release, then click Edit; the Edit Account window appears.
- Click Show advanced section; the advanced options appear. These details show that the account is locked, the name of the user who locked it, and the date and time when it was locked. The locked account cannot be changed until it has been released, so while it is locked the Save buttons are disabled. As soon as the account is released, the Save button is enabled, and the password and account properties can be changed.
- Click Release, or, if the account is a member of an account group, click Release Group. To release other accounts in the account group, release them in the same way.
The account is now unlocked. This bypasses the standard release workflow and should only be used in emergencies. This release does not trigger a password change.
In addition, administrators can release locked accounts in the Account Details page:
- Display the Account Details page of the account to release, then click Release to return the account to the Safe.
  - If the account is managed automatically by the CPM, it is released and the password is changed immediately.
  - If the account is managed manually, a notification is sent to a user who is authorized to change the password. The account is released automatically after it has been changed.