Manage dependent accounts

This topic describes dependent accounts and how to create a dependent account.

What are dependent accounts?

Dependent accounts are accounts that represent resources, such as Windows Services or Windows Scheduled Tasks. These resources or dependent accounts are accessed from a target machine and require the same credentials as the target machine. Dependent accounts may also be referred to as usages or service accounts.

When changing a password, the CPM synchronizes the target account password with all other occurrences of that password in any related dependent accounts.

The following diagram shows the procedure for how the CPM changes and synchronizes passwords in accounts on Windows services.

Account usages.png

For a list of out-of-the-box service or dependent accounts, see Service account plugins.

For more information about customized support for additional platforms, contact CyberArk support.

Add a dependent account

Before you add dependent accounts, make sure that the dependent platform is linked to the target platform and that the Search for Usages option is selected at the target platform level. For more information about the Usages option, see Usages - Service accounts (usages) that are required for the selected platform. and SearchForUsages.

After you create a target account, you can add dependent accounts to the target account.

To add a dependent account:

  1. In the PVWA, on the Accounts page, select the target account to which you want to add the dependent account.

  2. On the Account Details page, in the right pane, select the relevant dependency type, and then click Add.

  3. On the Add Dependent Account page, enter the required information, and then click Save.

For more information about adding accounts, see  Add an account in V10 Interface.

Guidelines for calculating the number of dependent accounts you can link to a target account

The number of dependent accounts that you can link to a single target account depends on the following factors:

  • The amount of time it takes the CPM to perform account rotation tasks

  • The time frame that is allocated to complete them

During the rotation of the target account, some services may not be available until all of the services are updated.

Using the CPM account rotation parameter settings, you can calculate approximately how many dependent accounts should be linked to a single target account so that account rotation is completed successfully.

CPM account rotation tasks overview

The CPM performs the following account rotation tasks:

  • Changing or reconciling the target account

  • Changing each dependent account

If the target is part of a group, all members of the group will need to be successfully rotated. It is important to consider the following factors about account rotation for both target and dependent accounts:

  • The first rotation attempt may fail

  • There can be multiple rotation attempts

  • The time to complete a single rotation may vary between platforms

CPM account rotation parameter settings

The following parameters affect how long it takes the CPM to perform account rotations, and the time frame allocated to complete the rotations. These parameters are set on both the target and dependent platforms:

Parameter

Description

MaximumRetries

Set on the target platform. Determines the number of minutes allocated for rotation attempts or retries.

ImmediateInterval

Set on both the target and dependent platforms. Determines the number of minutes it takes before the first rotation attempt.

MinDelayBetweenRetries

Set on both the target and dependent platforms. Determines the number of minutes between retries.

FromHour

ToHour

Execution days

Set on the target platforms. Determines the time frame in minutes that is allocated to the CPM to perform account rotation(s):

How to calculate the number of dependent accounts you can link to a target account

Use the following formula to determine the number of dependent accounts you can link to a target account:

  1. Calculate the maximum target account rotation time in minutes:

    Target platform ImmediateInterval + (Target platform MinDelayBetweenRetries * Target platform MaximumRetries)

    If the plugin runtime includes the service restart time and this is longer than the ImmediateInterval value, use the plugin runtime value instead of the ImmediateInterval value.

  2. Calculate the maximum dependent account rotation time in minutes:

    Dependent platform ImmediateInterval + (Dependent platform MinDelayBetweenRetries * Dependent platform MaximumRetries)

    If the plugin runtime includes the service restart time and this is longer than the ImmediateInterval value, use the plugin runtime value instead of the ImmediateInterval value.

  3. Determine the allocated time frame in minutes for the CPM to run tasks:

    ToHour to FromHour

  4. Take the results from the above steps and put them in the following formula to calculate the number of dependent accounts you can link:

    (Allocated time frame - Maximum target account rotation time) / Max dependent account rotation time

Dependent account calculation example

Using the following settings and scenarios, let's determine the number of dependent accounts that can be linked to a target account.

  • Allocated time frame is 120 minutes (FromHour is set to Sunday 1am and ToHour is set to Sunday 3am)

  • Target and Dependent ImmediateInterval parameter is set to 5 minutes

  • Target and Dependent MinDelayBetweenRetries parameter is set to 5 minutes

  • Target MaximumRetries parameter is set to 5 minutes

  • Dependent MaximumRetries parameter is set to 4 minutes

  • Platform run time is approximately 2 seconds

Using the above information, and assuming the maximum number of retries is used, let's use the parameter settings above to determine the number of dependent accounts that can be linked. We need to first calculate the following:

  • Maximum target account rotation time = Target platform ImmediateInterval + (Target platform MinDelayBetweenRetries * Target platform MaximumRetries)

    5 + (5*5) = 30 minutes

  • Maximum dependent account rotation time = Dependent platform ImmediateInterval + (Dependent platform MinDelayBetweenRetries * Dependent platform MaximumRetries)

    5 + (5*4) = 25 minutes

  • Allocated time frame = 120 minutes

With these results, we can calculate the number of dependent accounts:

(Allocated time frame - Maximum target account rotation time) / Max dependent account rotation time

(120 - 30) / 25 = 3.6 dependent accounts

In the above scenario, our result is that 3 dependent accounts should be linked to a single target account. This is because there is a short allocated time frame for rotation, and the rotation only occurs once a week.

If we make the following changes, we can increase the number of dependent accounts that should be linked to a single target account:

  • Increase the allocated time frame for rotation to 480 minutes, for example, between 1am to 9am, and increase the number of days to 5 days a week

  • Assume that statistically only 1 retry is needed as most likely it will succeed

We will have the following calculation that increases the number of dependent accounts to 47:

  • Maximum target account rotation time = Target platform ImmediateInterval + (Target platform MinDelayBetweenRetries * Target platform MaximumRetries)

    5 + (5*1) = 10 minutes

  • Maximum dependent account rotation time = Dependent platform ImmediateInterval + (Dependent platform MinDelayBetweenRetries * Dependent platform MaximumRetries)

    5 + (5*1) = 10 minutes

  • Allocated time frame = 480 minutes

(Allocated time frame - Maximum target account rotation time) / Max dependent account rotation time

(480 - 10) / 10 = 47 dependent accounts