This topic describes how to create and manage predefined rules that automatically onboard newly discovered accounts. This minimizes the time it takes to onboard and securely manage accounts, reduces the time spent on reviewing pending accounts, and prevents human errors that may occur during manual onboarding.


After accounts are discovered, as described in Scan for accounts using Accounts Discovery, they are automatically filtered by the onboarding rules and provisioned in the Vault.

Accounts that cannot be filtered by any of the rules are added to the Pending Accounts list and can be reviewed and onboarded manually, as described in Onboard accounts manually.

Filter rules based on rule properties. For details, see Rule properties.

Create onboarding rules

Create rules to onboard newly discovered accounts automatically, and provision them in the Vault without any human intervention.

Onboarding rules apply only to accounts that are discovered as part of Discovery that runs on Windows and Unix machines using CPM Scanner.

Create an onboarding rule:

  1. In the Privilege Cloud Portal, click Accounts > Onboarding Rules.

  2. Click Create rule.

    The New onboarding rule wizard appears.

  3. Select system type. Select the system type of the account that will be uploaded by this rule, then click Next.

  4. Select Scope. Select the scope of the onboarding rule. For details on the rule scope, see Rule properties.

    Before proceeding to the next step, the system checks that this scope is not already defined in another rule, which would cause a conflict. If another rule with the identical scope exists, the wizard does not proceed to the next step.

  5. Assign to platform. Select the platform that accounts onboarded by this rule will be associated with.

  6. Store in Safe. Select the Safe where accounts onboarded by this rule will be stored.

  7. Define rule properties. Specify the unique name of the rule and, optionally, add a description of the rule.

    Basic password settings are displayed beneath the rule description. The reconcile account specified for the selected platform is used after onboarding to reconcile the onboarded account and set new credentials. If no reconcile account is set for the platform, the account is onboarded but the reconcile will not succeed and the account credentials will not be managed automatically.

  8. Summary. A summary of the onboarding rule is displayed.

  9. Review the rule summary, make sure that all the details are correct, and then click Create rule.

    The rule is created and added to the top of the list in the Onboarding Rules page.

Edit or delete a rule

  • To edit or delete a rule, select the rule in the list, click the Ellipsis button next to that rule, and then click Edit Rule or Delete Rule.

When editing a rule, the precedence of the rule does not change.

Rule scope

System type

The type of system on which accounts were discovered.


Machine type

The type of machine on which accounts were discovered.

Any/Workstation/Server

Account type

The type of account that was discovered.


Account category

The category of account that was discovered.

Any/Privileged/Non-privileged

Refine by keyword

A keyword used to identify the rule.

The platform that the onboarded account will be associated with.

Any active platform


The name of the Safe where the onboarded account will be stored.

Safe name

The order in which the rules are run. This is based on creation time. The most recently created rule will have a precedence of 1, the next most recently created rule will have a precedence of 2, and so on.

When a new account is discovered, it is first compared to the rule with precedence 1 to check if the account matches the rule's filters. If so, the account is onboarded according to the rule. If not, the account is compared to the next rule by precedence, and so on.
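The first-match evaluation described above, modelled as an added example (not part of the product documentation and not CyberArk code) to show how a newer, broader rule can capture accounts meant for an older, narrower one. Assumptions: a filter set to "Any" accepts every value, non-identical overlapping scopes can coexist, and all rule names, Safe names, the "Local" account type and the `created` counter are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"
SCOPE = ("system_type", "machine_type", "account_type", "account_category")

@dataclass(frozen=True)
class Rule:
    name: str
    created: int  # constructed creation counter; larger = created later
    safe: str
    system_type: str = ANY
    machine_type: str = ANY
    account_type: str = ANY
    account_category: str = ANY

def by_precedence(rules):
    # Most recently created rule gets precedence 1, the next gets 2, and so on.
    return sorted(rules, key=lambda r: r.created, reverse=True)

def matches(rule, account):
    # Assumption: a filter set to "Any" accepts every value of that property.
    return all(getattr(rule, f) in (ANY, account[f]) for f in SCOPE)

def route(rules, account):
    # First matching rule wins; no match means the Pending Accounts list.
    for rule in by_precedence(rules):
        if matches(rule, account):
            return rule.name, rule.safe
    return None

def shadowed(rules):
    # A rule can never fire if a higher-precedence rule accepts its whole scope.
    ordered, found = by_precedence(rules), []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            if all(getattr(high, f) in (ANY, getattr(low, f)) for f in SCOPE):
                found.append((low.name, high.name))
                break
    return found

# Constructed sample rules and accounts (names and Safes are hypothetical).
RULES = [
    Rule("win-server-privileged", 1, "Win-Srv-Admins", "Windows", "Server", ANY, "Privileged"),
    Rule("win-all", 2, "Win-General", "Windows"),
    Rule("unix-privileged", 3, "Unix-Root", "Unix", ANY, ANY, "Privileged"),
]
WIN_ADMIN = dict(zip(SCOPE, ("Windows", "Server", "Local", "Privileged")))
UNIX_USER = dict(zip(SCOPE, ("Unix", "Server", "Local", "Non-privileged")))
```

Here `route(RULES, WIN_ADMIN)` returns the broad rule's Safe rather than the privileged one, and `shadowed(RULES)` reports the pair; because editing a rule does not change its precedence, the narrower rule has to be recreated to move it ahead of the broad one.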


A description of the rule.


System type

The system filter applied to discovered accounts by this rule.


Machine type

The machine filter applied to discovered accounts by this rule.

Any/Workstation/Server

Account type

The account type filter applied to discovered accounts by this rule.


Last onboard

The last time an account was onboarded by this rule.


