Onboarding rules
This topic describes how to create and manage predefined rules that automatically onboard newly discovered accounts. This minimizes the time it takes to onboard and securely manage accounts, reduces the time spent on reviewing pending accounts, and prevents human errors that may occur during manual onboarding.
Overview
After accounts are discovered, as described in
Accounts that cannot be filtered by any of the rules are added to the Pending Accounts list and can be reviewed and onboarded manually, as described in
Filter rules based on rule properties. For details, see Rule properties.
Create onboarding rules
Create rules to onboard newly discovered accounts automatically, and provision them in the Vault without any human intervention.
Onboarding rules apply only to accounts that are discovered as part of Discovery that runs on Windows and Unix machines using CPM Scanner.
Create an onboarding rule:
-
In the Privilege Cloud Portal, click Accounts > Onboarding Rules.
-
Click Create rule.
The New onboarding rule wizard appears.
-
Select system type. Select the system type of the account that will be uploaded by this rule, then click Next.
-
Select Scope. Select the scope of the onboarding rule. For details on the rule scope, see Rule properties.
Before proceeding to the next step, the system checks that this scope is not defined in another rule, which will cause a conflict. If another rule with the identical scope exists, the add onboarding rule wizard will not proceed to the next step.
-
Assign to platform. Select the platform that accounts onboarded by this rule will be associated with.
-
Store in Safe. Select the Safe where accounts onboarded by this rule will be stored.
-
Define rule properties. specify the unique name of the rule and, optionally, add a description of the rule.
Basic password settings are displayed beneath the rule description. The reconcile account specified for the selected platform is used after onboarding to reconcile the onboarded account and set new credentials. If no reconcile account is set for the platform, the account is onboarded but the reconcile will not succeed and the account credentials will not be managed automatically.
-
Summary. A summary of the onboarding rule is displayed.
-
Review the rule summary, make sure that all the details are correct, and then click Create rule.
The rule is created and added to the top of the list in the Onboarding Rules page.
Edit or delete a rule
-
To edit or delete a rule, select the rule in the list, click the Ellipsis button next to that rule, and then click Edit Rule or Delete Rule.
When editing a rule, the precedence of the rule does not change.
Rule properties
|
Details |
Description |
Valid values |
|---|---|---|
|
Rule scope |
||
|
System type |
The type of system on which accounts were discovered. |
Windows/Unix |
|
Machine type |
The type of machine on which accounts were discovered. |
Any/Workstation/ Server |
|
Account type |
The type of account that was discovered. |
Local |
|
Account category |
The category of account that was discovered. |
Any/Privileged/ Non-privileged |
|
Refine by keyword |
A keyword used to identify the rule. |
Rule name/description/ username/machine name |
|
Destination |
||
|
Platform |
The platform that the onboarded account will be associated with. |
Any active platform |
|
Safe |
The name of the Safe where the onboarded account will be stored. |
Safe name |
|
Rules grid |
||
|
Priority |
The order in which the rules are run. This is based on creation time. The most recently created rule will have a precedence of 1, the next most recently created rule will have a precedence of 2, and so on. When a new account is discovered, it is first compared to the rule with precedence 1 to check if the account matches the rule's filters. If so, the account is onboarded according to the rule. If not, the account is compared to the next rule by precedence, and so on. |
Number |
|
Rule name |
The name of the rule. |
|
|
Description |
A description of the rule. |
|
|
System type |
The system filter applied to discovered accounts by this rule. |
Windows/Unix |
|
Machine type |
The machine filter applied to discovered accounts by this rule. |
Any/Workstation/ Server |
|
Account type |
The account type filter applied to discovered accounts by this rule. |
Local |
|
Last onboard |
The last time an account was onboarded by this rule. |
|
Watch how to create and manage Onboarding rules in the following video:
