Create linked accounts

This topic describes how to create and manage linked accounts.

Overview

Linked accounts enable you to use more than one account for the password management process.

There are various situations in which an additional account is required to help manage a privileged account.

The following table describes the possible linked accounts:

Linked account type	Description
Logon account	An account that contains the password required to log on to a remote machine in order to perform a task using the regular account. A common use case for using a logon account is managing root accounts on a Unix system. The best practice for Unix systems is to disallow the root user from logging in using SSH. However, SSH is what the CPM uses to sign in to a system to manage the password. To manage the root password without violating this practice, the CPM establishes the session with a non-root account and then SUs to root (the target account). This is done using a linked account called a logon account. The logon account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform. Note: Logon accounts can also be defined for PSM and PSM for SSH connections. In this case, they can be retrieved from the account level only.
Reconcile account	An account that contains the password used in reconciliation processes. For details, see Reconcile passwords. The reconcile account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform.
Other additional accounts	Additional accounts can be used in various cases. For example: Enable password - when managing network devices. Jump account - when using a custom plugin in a complex work flow requiring to first log on to a jump server. These accounts can be defined only on the account level.

Linked account type

Description

Logon account

An account that contains the password required to log on to a remote machine in order to perform a task using the regular account.

A common use case for using a logon account is managing root accounts on a Unix system.

The best practice for Unix systems is to disallow the root user from logging in using SSH. However, SSH is what the CPM uses to sign in to a system to manage the password. To manage the root password without violating this practice, the CPM establishes the session with a non-root account and then SUs to root (the target account). This is done using a linked account called a logon account.

The logon account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform.

Note: Logon accounts can also be defined for PSM and PSM for SSH connections. In this case, they can be retrieved from the account level only.

Reconcile account

An account that contains the password used in reconciliation processes. For details, see Reconcile passwords.

The reconcile account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform.

Other additional accounts

Additional accounts can be used in various cases. For example:

Enable password - when managing network devices.
Jump account - when using a custom plugin in a complex work flow requiring to first log on to a jump server.

These accounts can be defined only on the account level.

The type of linked accounts allowed are determined in the platform settings. Not every platform supports every type of linked account.

Link an additional account to a target account

Associate a linked account that already exists on the account level.

You need the following permissions to perform this task:

Retrieve accounts
Update password properties

To link an additional account to a target account:

In the Privilege Cloud Portal, in the Accounts View, click Additional details & actions in classic interface, and then select the target account from the accounts list.
In the Account Details window, in the CPM pane, in the accounts section, you can associate either a logon account or a reconciliation account.
If a default logon account has been configured for the platform that manages this account, that account is listed. You can associate another logon account or leave the default account as it is.
If a default logon account has not been configured, select the required account, then click Associate.

Create a new account and link it immediately

You need the following permissions to perform this task:

Retrieve accounts
Add accounts

To create a new account and link it immediately:

In the Privilege Cloud Portal, in the Accounts View, click Additional details & actions in classic interface, and then select the target account from the accounts list.
In the Account Details window, in the CPM pane, in the additional accounts section, click Create New.
In the Add Account Credentials window, specify the account properties for the new linked account, then click Link.

The new account is created and linked immediately to the original account. The details of the linked account are listed in the additional accounts section.

Watch the following video to learn how to add and link a reconcile account:

qfrmltbnmz