Account check-out and check-in

Auditing and control requirements demand full identification and monitoring of users who access privileged accounts during any given period. In addition, to guarantee accountability, each user must be the only user who accesses a privileged account.

How it works

The Master Policy enables organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, the user checks the password back into the Vault. This ensures exclusive usage of the privileged account, enabling full control and tracking for the password.

If the organizational policy determines that a password can only be used once, the Master Policy can also be configured to change the password’s value before unlocking it and making it available to other users. If a CPM is installed, this can be done automatically.

PSM can automatically unlock these exclusive accounts after a PSM session ends. For detail, see Automatically unlock accounts.

See how account check-out and check-in works in the following video:

View checked-out accounts

If an account is checked out, and therefore locked, a icon appears in the Account list on the line of the locked account.

Release exclusive accounts

After retrieving an exclusive account, you can release it through the Password Vault Web Access. If you do not release the account manually, one of the following processes happens, depending on the way the account is managed:

Account is managed...

How it is released...

Automatically by the CPM

The CPM will release it automatically after the period of time specified in the platform.


The account must be released manually. A notification is sent to a user who is authorized to release the password and change it.

Authorized users can release accounts in the following pages:

In addition, administrators can release locked accounts in the following page: