Move accounts between safes

This topic describes how to move an account from one safe to another.

Overview

When you move accounts between safes, the original account is deleted from the source safe and is fully created in the target safe. When you move an account, all of its dependencies are moved as well.

You can move an individual account or an account group (including all group members).

What is not moved?

The following information is not moved from the source safe to the target safe:

  • Audit records: All records of activity on the accounts that are moved are left in the source safes.

  • Password versions: All previous versions of accounts that are saved in the safe according to the safe history configurations are left in the source safe.

  • Requests: All requests for access and confirmations that have been received from authorized users.

  • Object Level Access Control configurations: Specific access control at account level.

  • Linked accounts: Accounts that are associated with the accounts that are moved are not updated with the new safe details. In addition, accounts that are referenced in platforms, such as reconcile accounts, should be updated with the new safe name.

  • One-time passwords: Accounts that are configured for one-time use and have been used but not changed before they are moved to the new safe, are not changed before they are used again.

  • PSM recordings: When accounts that are connected to PSM recordings are moved to a different safe, the connection between the account and the recording is lost. Relevant recordings can be found by performing a search through the Monitoring page.

Moving exclusive account groups

When members of exclusive account groups are moved to a different safe, we recommend moving all the members in the group and not just some of them. If only some of the members of the group are moved, the rest of the members in the group are locked and they must be released manually before they become available to other users.

For more information about exclusive accounts, see Lock and release an account.

Before you move accounts

Make sure that:

In the source safe, you have the following permissions:

  • List passwords

  • Retrieve passwords

  • Update password properties

  • Delete passwords

  • Access Safe without confirmation

    (if you do not have this permission, you must have a confirmed request so that you can access the password)

In the target safe, you have the following permissions:

  • List passwords

  • Create passwords

  • Update passwords

  • Update password properties

Check the current CPM status for the account:

  • Is the CPM currently performing an account management task? Passwords that are in the process of being managed cannot be moved. Wait until the CPM has completed its tasks, then move the password.

  • Has the account been marked for a CPM management task? Because the account is disabled before it is moved, the CPM will not be able to complete its management tasks on this account. You can either wait until the CPM has finished its management tasks on this account and then move it, or move it and it will be managed in the target safe.

The name of the password being moved is unique. If the target safe contains an account with the same name that is not deleted, the account will not be moved.

If passwords are in exclusive mode, make sure that the password is not locked. Locked passwords cannot be moved. Wait until the password has been released then move the password.

In the platform that the password is linked to, check that the target safe is listed in the AllowedSafes parameter. This ensures that the same platform can be applied to passwords after they have been moved.
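
One way to encode the checklist above as a pre-move check, given as an added example that is not CyberArk code. The dictionaries, the CPM status strings and the treatment of AllowedSafes as a regular expression are assumptions, and the sample data is constructed.

```python
import re

# Permission names are taken from this page; the data model is hypothetical.
SOURCE_PERMS = {"List passwords", "Retrieve passwords",
                "Update password properties", "Delete passwords"}
TARGET_PERMS = {"List passwords", "Create passwords", "Update passwords",
                "Update password properties"}
NO_CONFIRM = "Access Safe without confirmation"


def premove_check(account, source_perms, target_perms, target_safe,
                  target_accounts, allowed_safes, confirmed_request=False):
    """Return (blockers, warnings) for moving one account to target_safe."""
    blockers, warnings = [], []
    missing = SOURCE_PERMS - set(source_perms)
    if missing:
        blockers.append("source safe: missing " + ", ".join(sorted(missing)))
    # A confirmed request substitutes for the no-confirmation permission.
    if NO_CONFIRM not in source_perms and not confirmed_request:
        blockers.append("source safe: need '%s' or a confirmed request" % NO_CONFIRM)
    missing = TARGET_PERMS - set(target_perms)
    if missing:
        blockers.append("target safe: missing " + ", ".join(sorted(missing)))
    if account["cpm_status"] == "in_progress":
        blockers.append("CPM is managing this password; wait until it finishes")
    elif account["cpm_status"] == "marked":
        warnings.append("marked for a CPM task; it will be managed in the target safe")
    # Only a same-named account that is not deleted blocks the move.
    if any(a["name"] == account["name"] and not a["deleted"] for a in target_accounts):
        blockers.append("target safe already holds an account with this name")
    if account.get("exclusive") and account.get("locked"):
        blockers.append("exclusive password is locked; release it first")
    # Assumption: AllowedSafes is evaluated as a regular expression on the safe name.
    if not re.fullmatch(allowed_safes, target_safe):
        blockers.append("platform AllowedSafes does not cover the target safe")
    return blockers, warnings


# Constructed sample data, not taken from a real vault.
ACCOUNT = {"name": "root-db01", "cpm_status": "marked", "exclusive": True, "locked": False}
TARGET_ACCOUNTS = [{"name": "root-db01", "deleted": True},
                   {"name": "root-db02", "deleted": False}]

if __name__ == "__main__":
    b, w = premove_check(ACCOUNT, SOURCE_PERMS, TARGET_PERMS, "Unix-Prod",
                         TARGET_ACCOUNTS, r"Unix-.*", confirmed_request=True)
    print("blockers:", b)
    print("warnings:", w)
```
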

Move accounts

Perform this procedure after you review Before you move accounts.

To move accounts:

  1. In the Privilege Cloud Portal, in the Accounts View, click Additional details and actions in classic interface.

  2. Select the accounts that you want to move, and then click Modify > Move.

    A message appears, describing the implications of moving an account. Review them carefully.

  3. In the Move Accounts dialog box, select the target safe from the list, and then click OK.
  4. Accounts that were not moved successfully are disabled for automatic CPM management in the source safe. Enable them manually so that they are managed automatically according to your enterprise policies.

  5. Check that all the accounts that were moved to a target safe are associated with the correct platforms.

  6. If required, recreate links to linked accounts. (For more information about linked accounts, see Create linked accounts.)

    1. For each account that was moved, display the Account Details, and in the CPM tab, check if the original password is used as a logon or reconcile account.

    2. If so, in the additional passwords section, click Associate to re-link either the logon account or the reconcile account.

    3. From the list of accounts, select the account that was moved, and then click Associate.

      The selected account is associated with the original account and is listed in the CPM pane of the Account Details page.

  7. Check in the UI & Workflows parameters of the platform settings if any of the moved accounts are used in platforms as a reconcile account, and update the safe name to indicate its new location.
  8. For accounts that were configured for account level permissions, recreate these access permissions, based on the safe members in the new safe.

     

    If all the members of a group have been moved to another safe, the group manager object in the source safe will be deleted and cannot be undeleted. If necessary, the group in the source safe must be recreated manually.

  9. If you moved only some of the members of a group that is configured for exclusive mode, the rest of the members in the group in the source safe are locked and they must be released manually before they become available to other users. This can be done by releasing any of the group members in the source safe.

    For more information about exclusive accounts, see Lock and release an account.