Manage account groups
This topic describes how to manage account groups.
What are account groups
Account groups are accounts that share a secret (password or key) and for which secrets are managed together, whether the secret change is scheduled or initiated by a user.
To associate accounts to an account group, all target accounts must be in the same Safe.
Accounts that belong to a group have two platforms assigned to them:
- Target platform. This is the typical platform associated with an account, which includes the CPM plugin that performs the password change on the target machine.
- Group platform. This platform determines when the password is changed and password policy.
|
Account groups can contain an unlimited number of accounts. However, the number of accounts defined in a group affects the time it takes to perform tasks done on account groups. For example, changing the password for a group of 10 accounts equals to 10 X (the time it takes to change one account). Make sure to consider this when deciding on the group size. |
Before you Create an account group you must first Create a group platform.
In account groups that contain one-time or exclusive passwords, all the members of the group are changed automatically after the one-time password has been used or after an exclusive password has been checked in. For details, see Manage exclusive accounts groups and Manage one-time accounts in groups.
Create a group platform
This platform determines when the password policy and scheduled password change for all the accounts that belong to the same account group.
When you create an account group, first create the group platform, then create the group members (accounts), and finally link them to the group.
Users who are members of the Vault Admins group can manage account group platforms.
To create a group platform:
-
In the Privilege Cloud Portal, click the Administration
button, and then click Platform Management. - On the Platform Management page, click the Groups tab.
-
Select the Sample Password Group Platform, and then, in the Platform Preview pane, click Duplicate.
-
Enter a name and a description for the new group platform, then click Save & Close.
-
Select the new group platform that you created, and then click Edit.
-
Specify the group manager account management properties.
These properties determine how the CPM manages members of the account group. Most of these properties cannot be defined for individual group members and must be defined in the group manager.
For details, see Group manager platform properties.
-
Click Apply to save the new configurations and apply them immediately or click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter.
Create an account group
Before you create an account group, you must first Create a group platform.
To create a new account group:
- On the Accounts View page, in the Details tab, click on the edit icon next to Account Groups.
- Next to the Group Name, click New.
- Enter a name for the group, select the platform for managing the account group's password, and then click Save.
To add an account to an existing group:
- On the Accounts View page, in the Details tab, click on the edit icon next to Account Groups.
- From the Group Name list, select the group to which you want to add the account, and then click Save.
Manage exclusive accounts groups
All the accounts in exclusive accounts groups are locked when any account in the group is retrieved. Each account can only be retrieved after it has been changed and released.
After this type of group is released, all members of the group will be changed before they are released. From the time when the password change process begins until the last password in the account group has been changed, the group is not fully available. This means that group members that have not yet been changed, cannot be retrieved.
Follow the instructions in Edit a platform and edit the following platform settings to ensure that these accounts are maintained as exclusive accounts in groups:
Property | Description |
|---|---|
UnlockIfFail | In both the group platform and the target platform, set UnlockIfFail to No, to ensure that all the accounts in the group are released only after their passwords have been changed. When set to Yes, if the password change process fails, the account will be unlocked and can be accessed, but it will not be changed. |
ResetOveridesMinValidity ResetOverridesTimeFrame | In the target platform, set ResetOveridesMinValidity and ResetOverridesTimeFrame to Yes, to ensure that accounts are released immediately after they are changed. |
ImmediateInterval | In the group platform, make sure that the value of ImmediateInterval is higher than the value of this property in the target platform. |
MinValidityPeriod | In the target platform, specify the number of minutes between the last time that an account was retrieved and when the entire group is replaced. |
Manage one-time accounts in groups
When a one-time account in a group is retrieved, the group isn’t locked and all other members are still available for other users. However, after the time specified in the MinValidityPeriod elapses, all the passwords in the entire group of accounts are changed.
In the target platform, follow the instructions in Edit a platform and edit MinValidityPeriod to specify the number of minutes between the last time that an account was retrieved and when the entire group is replaced.
