Create linked accounts
This topic describes how to create and manage linked accounts.
Overview
Linked accounts enable you to use more than one account for the password management process.
There are various situations in which an additional account is required to help manage a privileged account.
The following table describes the possible linked accounts:
| Linked account type | Description |
|---|---|
| Logon account | An account that contains the password required to log on to a remote machine in order to perform a task using the regular account. A common use case for using a logon account is managing root accounts on a Unix system. The best practice for Unix systems is to disallow the root user from logging in using SSH. However, SSH is what the CPM uses to sign in to a system to manage the password. To manage the root password without violating this practice, the CPM establishes the session with a non-root account and then SUs to root (the target account). This is done using a linked account called a logon account. The logon account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform. Note: Logon accounts can also be defined for PSM and PSM for SSH connections. In this case, they can be retrieved from the account level only. |
| Reconcile account | An account that contains the password used in reconciliation processes. The reconcile account can be defined on the target account level or on the platform level, making it available to all accounts associated with the platform. |
| Other additional accounts | Additional accounts can be used in various cases. For example: These accounts can be defined only on the account level. |
The types of linked accounts allowed are determined in the platform settings. Not every platform supports every type of linked account.
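As an added example (not CyberArk code), the following Python check reads sshd_config text and reports whether the host enforces the "no root login over SSH" practice described for logon accounts, which is the condition under which the CPM needs a logon account to reach root. The function names and the sample configurations are constructed for illustration.

```python
import re

OPENSSH_DEFAULT = "prohibit-password"  # OpenSSH value when the keyword is unset
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")  # "Keyword value" or "Keyword=value"

def permit_root_login(config_text):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd uses the first value it obtains for a keyword, so later global
    duplicates are ignored. Values inside Match blocks apply only to
    matching connections and are returned separately. Include files are
    not followed here.
    """
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        parsed = LINE.match(line)
        if not parsed or line.startswith("#"):
            continue
        keyword, arg = parsed.group(1).lower(), parsed.group(2).strip()
        if keyword == "match":
            match = arg                      # everything below is conditional
        elif keyword == "permitrootlogin":
            if match is not None:
                overrides.append((match, arg))
            elif global_value is None:       # first occurrence wins
                global_value = arg
    return global_value or OPENSSH_DEFAULT, overrides

def root_ssh_blocked(config_text):
    """True only if no rule in this file lets root open an SSH session."""
    value, overrides = permit_root_login(config_text)
    return value == "no" and all(v == "no" for _, v in overrides)

# Constructed sample configurations (not taken from any real host).
HARDENED = "PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n"
MATCH_HOLE = "PermitRootLogin no\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n"
UNSET = "# PermitRootLogin no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("match hole", MATCH_HOLE), ("unset", UNSET)]:
        print(name, permit_root_login(text), "blocked:", root_ssh_blocked(text))
```

A host where `root_ssh_blocked` returns False still permits some form of direct root SSH login, either globally or through a Match block, and should be reviewed before relying on the logon account as the only path to root.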
Link an additional account to a target account
Associate a linked account that already exists on the account level.
You need the following permissions to perform this task:
- Retrieve accounts
- Update password properties
To link an additional account to a target account:
- In the Privilege Cloud Portal, in the Accounts View, click Additional details & actions in classic interface, and then select the target account from the accounts list.
- In the Account Details window, in the CPM pane, in the accounts section, you can associate either a logon account or a reconciliation account.
  - If a default logon account has been configured for the platform that manages this account, that account is listed. You can associate another logon account or leave the default account as it is.
  - If a default logon account has not been configured, select the required account, then click Associate.
Create a new account and link it immediately
You need the following permissions to perform this task:
- Retrieve accounts
- Add accounts
To create a new account and link it immediately:
- In the Privilege Cloud Portal, in the Accounts View, click Additional details & actions in classic interface, and then select the target account from the accounts list.
- In the Account Details window, in the CPM pane, in the additional accounts section, click Create New.
- In the Add Account Credentials window, specify the account properties for the new linked account, then click Link.
The new account is created and linked immediately to the original account. The details of the linked account are listed in the additional accounts section.