Automatic Account Management
You can configure accounts for automatic management by specifying parameters either in the platform or as an account property. These parameters can be specified by authorized users in the ADMINISTRATION page of the PVWA. For more information about configuring platforms, see Manage platforms v10 interface.
Change passwords
The password change processes determine how frequently passwords are changed and how the changes are initiated. These processes are configured in the
The CPM can initiate a password change process before the scheduled time that is specified in a platform. The HeadStartInterval parameter determines the number of days before the account’s expiration that the CPM will initiate a password change process. If, for any reason, a password cannot be changed, the policy is not violated, and there is time to resolve any potential problems.
When the Master Policy enforces check-in/check-out exclusive access, passwords are changed when the user clicks the Release button and releases the account. This is based on the ImmediateInterval parameter in the applied platform. If the user forgets to release the account, it is automatically released and changed by the CPM after a predetermined number of minutes, defined in the MinValidityPeriod parameter specified in the platform.
When the Master Policy enforces one-time password access, passwords are used once, and then changed by the CPM after a predetermined number of minutes, defined in the MinValidityPeriod parameter specified in the platform.
When the Master Policy enforces check-in/check-out exclusive access or one-time password access, and a password can only be accessed after a dual control request that specifies a timeframe has been confirmed, the CPM can change that password automatically once the timeframe has expired, according to the PasswordLevelRequestTimeframe parameter. This parameter overrides the MinValidityPeriod parameter and is not relevant if the platform is for a group. It is only relevant when the Master Policy enforces dual control password access approval.
When using timeframe restrictions, it is recommended to decrease the value of the Interval parameter to meet the time window.
You can change one or more passwords immediately in the PVWA, regardless of whether they have been used or reached their expiration period. This is based on the ImmediateInterval parameter in the applied platform. For more information about changing password values in the Password Vault Web Access, refer to Change Passwords.
Password change processes can be restricted to specific days. This means that the CPM will only change passwords on the days of the week specified in the ExecutionDays parameter. The days of the week are represented by the first 3 letters of the name of the day. Sunday is represented by Sun, Monday by Mon, etc.
You can enforce a predefined platform and ensure that only characters that meet the password complexity requirements are specified. The EnforcePasswordPolicyOnManualChange parameter determines whether or not platform rules will be enforced for manual password changes so that end-users will not be able to set non-compliant passwords. Specify either Yes or No. The default value is Yes.
You can control the number of previous password values that users cannot specify when they change a password value manually. The EnforcePasswordVersionsHistory parameter determines the number of previous password values that are stored in the Vault and cannot be specified. Valid values are between 1 and 50, and the default value is 7. Specify -1 to disable this feature.
Verify passwords
The password verification processes determine how frequently passwords are verified and how the verification is initiated. These processes are configured in the
Password verification processes can be initiated manually by users in the PVWA on passwords marked with the VFAllowManualVerification parameter.
The CPM will automatically start a password verification process on passwords marked with the VFPerformPeriodicVerification parameter, according to the number of days specified in the VFVerificationPeriod parameter.
When the Master Policy enforces password changes at predefined intervals, you can specify the timeframe during which passwords will be verified using the VFFromHour and VFToHour parameters. Before or after this time period, the CPM can either verify passwords automatically or in response to a user’s action after the specified number of days have passed.
Password verification can be restricted to specific days. This means that the CPM will only verify passwords on the days of the week specified in the VFExecutionDays parameter. The days of the week are represented by the first 3 letters of the name of the day. Sunday is represented by Sun, Monday by Mon, etc.
Reconcile passwords
The CPM reconciles passwords according to the following Password Reconciliation parameters:
The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated. These processes are configured in the
Password reconciliation processes can be initiated manually by users in the PVWA on passwords marked with the RCAllowManualReconciliation parameter.
The CPM will automatically reconcile passwords marked with the RCAutomaticReconcileWhenUnsynched parameter after it detects a password on a remote machine that is not synchronized with its corresponding password in the Vault.
A reconciliation process will be launched automatically in response to the CPM plugin error codes that are represented in the RCReconcileReasons parameter.
You can specify a timeframe during which passwords will be reconciled. Passwords marked with the RCFromHour and RCToHour parameters will be reconciled during the specified period. After this hour, the CPM can either reconcile passwords automatically or in response to a user’s action after the specified number of days have passed.
Password reconciliation can be restricted to specific days. This means that the CPM will only reconcile passwords on the days of the week specified in the RCExecutionDays parameter. The days of the week are represented by the first 3 letters of the name of the day. Sunday is represented by Sun, Monday by Mon, etc.
The CPM can skip the reconciliation process and disable accounts if they are not linked to a reconciliation account at either platform level or account level, in platforms marked with the IgnoreReconcileOnMissingAccount parameter. This avoids the errors that failed retry operations would otherwise generate until the account is disabled by the CPM. An informative message is written to both the PM.LOG and PM_ERROR.LOG to record the reason why the reconciliation was not performed. This is relevant for reconciliation processes that are initiated manually in the PVWA, as well as processes that occur automatically.
A specific reconciliation account password is used to reset passwords that are reconciled. The reconciliation account password can either be defined specifically or dynamically.
Account | Description
---|---
Specific account | You can specify an account that contains the password that will be used to reset passwords when they are reconciled, with the following parameters: Typically, reconcile account passwords are defined this way for Windows accounts to specify a domain account that has the appropriate privileges to reconcile local or domain passwords on multiple machines.
Dynamic rule | Instead of specifying a particular reconciliation account password, you can define a dynamic rule that uses password property values to identify a relevant reconciliation account password. A dynamic rule can be specified either at platform level or at account level. Typically, passwords in Unix environments are defined dynamically. The rule defines a naming convention that the CPM identifies and uses to match the relevant reconcile account for each system. This eliminates the need to link each Unix password to a relevant reconcile account on the same machine. The following table lists the parameters that can be used to define a dynamic rule:

The following example shows a password that will be reconciled and the dynamic rule that would define a reconciliation account password for it:
Password to reconcile: Network Device-CiscoSSH-1.1.1.250-CiscoUser
Dynamic rule:
In this example, the platform would use a reconciliation account password in the same Safe and folder as the main password with the following name: Network Device-CiscoSSH-1.1.1.250-CiscoUserReconcile
Alternatively, if you have configured a password name pattern in the Web Access Options settings page, you can specify ‘%Name%’ instead of specifying all the properties individually, as follows:
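The resolution step the dynamic rule performs, as an added illustration that is not CyberArk's code: `%Property%` placeholders in a rule are expanded from the account's properties and the result is looked up in the same Safe and folder. The rule strings (`%Name%Reconcile` and the property-by-property form), the Safe and folder names, and the property set of the example account are assumptions; the account names come from the example above.

```python
import re

# Constructed: the page's example account, with the properties assumed to make up
# its name (Safe and Folder are assumed values).
ACCOUNT = {
    "Safe": "NetworkDevices",
    "Folder": "Root",
    "Name": "Network Device-CiscoSSH-1.1.1.250-CiscoUser",
    "PolicyID": "CiscoSSH",
    "Address": "1.1.1.250",
    "UserName": "CiscoUser",
}

# Constructed inventory of what exists in the Vault, keyed by (Safe, Folder, Name).
VAULT = {
    ("NetworkDevices", "Root", "Network Device-CiscoSSH-1.1.1.250-CiscoUser"),
    ("NetworkDevices", "Root", "Network Device-CiscoSSH-1.1.1.250-CiscoUserReconcile"),
}

_PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")


def expand_rule(rule, properties):
    """Expand %Property% placeholders in a dynamic rule from account properties.

    A placeholder the account does not carry raises KeyError, so a typo in the
    rule fails loudly instead of silently producing a name that never matches.
    """
    def sub(match):
        key = match.group(1)
        if key not in properties:
            raise KeyError(f"dynamic rule references unknown property %{key}%")
        return properties[key]
    return _PLACEHOLDER.sub(sub, rule)


def resolve_reconcile_account(account, vault, name_rule,
                              safe_rule="%Safe%", folder_rule="%Folder%"):
    """Return the (Safe, Folder, Name) the rule selects, or None if the Vault
    holds no such account (the case IgnoreReconcileOnMissingAccount covers)."""
    key = (expand_rule(safe_rule, account),
           expand_rule(folder_rule, account),
           expand_rule(name_rule, account))
    return key if key in vault else None
```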
In addition, the UnlockUserOnReconcile parameter in the Additional Policy Settings determines whether or not the CPM will unlock a locked target account during the reconcile operation, preventing reconciliation processes from failing due to invalid logon attempts and ensuring continuous account management. The default value is No.
The ChangePasswordInResetMode parameter in the Additional Policy Settings defines whether or not password changes will be performed via reset mode using associated reconciliation accounts, instead of a password change operation. This is configured at platform level. This feature is useful when a one-time password is used with a Directory Services minimum password-age restriction, or when the password policy prevents the user from changing their own password. The default value is No.
Limit Platforms to Specific Safes
Platforms can be restricted to specific Safes, according to the AllowedSafes parameter in the General section of the platform.
This feature is especially relevant if you implement the new reconciliation functionality to prevent automatic reconciliation being performed on every Safe and giving unauthorized users access to passwords.
In large-scale environments, it is very important to enable the CPM to focus its search operations on specific Safes, instead of scanning all Safes it is allowed to see in the Vault.
To limit a platform to Safes called ‘LinuxPasswords’ and ‘AIXPasswords’, specify the following: AllowedSafes=(LinuxPasswords)|(AIXPasswords)
To apply a platform on all Safes, specify AllowedSafes=.*. This is the default value.
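An audit of AllowedSafes values, added here as an example and not part of CyberArk's software: it lists which Safes each platform's pattern admits and flags platforms left at the `.*` default. The platform names, the `WindowsDomain` pattern and the Safe names are constructed; whether the CPM anchors the regex to the whole Safe name is an assumption, so the report also shows the extra Safes an unanchored match would pull in.

```python
import re

# Constructed platform settings: the two patterns from the text, an assumed plain
# name, and one platform left at the default.
PLATFORMS = {
    "UnixSSH": r"(LinuxPasswords)|(AIXPasswords)",
    "WinDomain": r"WindowsDomain",
    "Legacy": r".*",
}

# Constructed Safe names, as the CPM might enumerate them from the Vault.
SAFES = ["LinuxPasswords", "AIXPasswords", "LinuxPasswords-Archive",
         "WindowsDomain", "WindowsDomainAdmins", "HRDocuments"]


def safes_for_platform(pattern, safes, anchored=True):
    """Safes admitted by an AllowedSafes regex.

    anchored=True assumes the pattern must match the whole Safe name;
    anchored=False models a search anywhere in the name, which is how a
    plain 'WindowsDomain' would also admit 'WindowsDomainAdmins'.
    """
    rx = re.compile(pattern)
    match = rx.fullmatch if anchored else rx.search
    return [s for s in safes if match(s)]


def audit_allowed_safes(platforms, safes):
    """Per platform: Safes in scope, whether it is unrestricted, and which extra
    Safes would come into scope if the pattern were not anchored."""
    report = {}
    for platform, pattern in platforms.items():
        strict = safes_for_platform(pattern, safes, anchored=True)
        loose = safes_for_platform(pattern, safes, anchored=False)
        report[platform] = {
            "pattern": pattern,
            "safes": strict,
            "unrestricted": pattern == ".*",
            "extra_if_unanchored": [s for s in loose if s not in strict],
        }
    return report
```

Platforms reported as unrestricted, or with a non-empty `extra_if_unanchored` list, are the ones to tighten before enabling automatic reconciliation.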
Associate logon accounts
The CPM associates logon accounts to enable users to log onto remote machines where they can perform identity management tasks. Logon accounts can be configured in either of the following ways:
Level | Description
---|---
Platform | All accounts attached to a specific platform will use the logon account specified in the platform.
Account | A logon account can be initiated manually in the Account Details page. For more information, refer to Create linked accounts.
The following parameters in the Privileged Account Management parameters specify the default logon account that will be associated with each new account.
Parameter | Details
---|---
LogonAccountSafe | The name of the Safe, or a dynamic rule that specifies it, where the default logon account that will be used for accounts associated with this platform is stored.
LogonAccountFolder | The name of the folder, or a dynamic rule that specifies it, where the default logon account that will be used for accounts associated with this platform is stored.
LogonAccountName | The name of the default logon account that will be used for accounts associated with this platform.