Manage dual accounts

The Dual Accounts deployment method eliminates any edge case delays that may be encountered when using the Single Account deployment method.

This feature is supported for all Credential Provider products.

Dual accounts vs Single account

Using the Single Account deployment method, delays may be incurred in edge cases such as when a password is requested exactly when CPM is changing that password.

Dual Accounts ensures no such delays are incurred when the application needs credentials because a password that is currently used by an application will never be changed. This is especially recommended in high load and critical applications.

The Dual Accounts method ensures seamless, safe access to a system, database, or application. With this type of account rotation, there are no blackout periods when passwords expire.

For optimal performance guidelines, see Recommendations for best performance.
Dual accounts support account password reconciliation on the active account, as well as performing periodic password reset operations (using associated reconciliation accounts). For more information, see the following sections in the Privileged Access Security docs:
- Account password reconcilliation
- Resetting passwords using the reconciliation account (ChangePasswordInResetMode)

How it works

Two accounts with identical privileges are assigned: one active ( A), one inactive (B). There is always an active account, which remains untouched during password rotation. This ensures business continuity, with no delays.

Rotation 1

At the set date for password rotation, account A, the first account in use, is deactivated, and B is activated.

While the second account B is active, there is a grace period. At the end of the grace period the password of the deactivated first account A is reset. This allows all applications to register the change and switch to using the newly active account.

Rotation 2

At the next set date for password rotation, account B is deactivated. Account A is now active.

Deactivated account B has its password reset at the end of this grace period.

Dual Account properties

The Dual Account solution uses two account properties to determine which accounts are valid for use at any given time.

Property	Description
DualAccountStatus	This property flags accounts as Active or Inactive. Dual accounts pairs will always have one active account and one inactive account.
VirtualUsername	This property identifies two identically provisioned accounts in a dual accounts pair under one virtual username.

On each target system, there must be two accounts with identical permissions, the dual accounts pair, used by the application to connect to the system. In the Vault/Privilege Cloud, one account is tagged as active and the other account is tagged as inactive (using the DualAccountStatus property), while on the target system (e.g. database), they are both enabled. Secrets Manager does not enable or disable accounts on target systems.

A typical example is when an application connects to a remote database.

The BillingApp application regularly requests an account password from the Credential Provider in order to connect to a DB2 database, located on 10.0.0.1.

When using the Dual Account solution, two accounts must reside on the DB2 database. Both accounts have the same value for their VirtualUsername property, which links them and creates the dual accounts pair. These accounts will be used by the BillingApp application to connect to the database when required. One account is always Active and one account is always Inactive.