Manage your accounts
This section describes how to manage your accounts.
When you log on to the Privilege Cloud Portal, the Accounts View page is displayed. From this page, you can access information on all of your accounts. You can see:
- Account properties
- Compliance status
- When it was last verified
- Activity history
- Password versions
- Account groups
Managing your accounts includes editing your account details, deleting an account, and verifying, reconciling, or changing your password, as described in this section.
From this page you can also add individual accounts manually, connect to a target device, and retrieve account passwords.
Navigate the account page
To access a specific account, in the Accounts View page, double-click the account.
The account page displays a high-level summary of account activities and history at a glance.
To display more information about accounts, click Additional details & actions in classic interface.
The account page displays the following panes:
A high-level summary of account compliance and activities.
Display | Description |
---|---|
Compliance status | A visual representation that indicates whether the selected account is compliant with the Master Policy and the password policy. |
Last verified | A visual representation that shows when the account was last verified. |
Activities | The last 5 account activities. Click any activity to display more details in the Activities tab. |
Dependencies | The total number of dependent accounts and their status of compliance. |
Last access | Details about when this account was last accessed. |
Status | A set of messages that indicate the CPM status of the account. |
A high-level summary of account details.
Display | Description |
---|---|
Account properties | All the specified account properties. |
 | A list of the accounts that are linked to this account, such as logon account, verification account, and reconcile account. You can link and unlink accounts in the Account Details tab. |
Account group | The name and platform of the account group to which this account belongs. Click the account group name to display all the accounts that belong to the group. You can navigate to a different account in the group by clicking the link. |
To link an account:
- Select the main account that you want to link to, and click the Details tab.
- Under Linked Accounts, click the Ellipsis button for the type of account that you want to link to the main account - Reconcile, Logon, or other accounts defined in the Platform configuration - and then select Link.
- Select the relevant account from the list, and click OK.
To unlink an account:
- Select the relevant account, and click the Details tab.
- Under Linked Accounts, click the Ellipsis button for the account that you want to unlink, and select Unlink.
- Click OK to confirm that you want to unlink the account.
A timeline of all account activities.
Display | Description |
---|---|
Timeline | Scroll down the timeline to view all account activities. |
Specific activities | Click an activity to view more details. |
Filters | Select a user or action to display specific activities. |
A list of all the account versions.
Display | Description |
---|---|
Account versions | A list of the account versions, the date and time when each version was changed, and the CPM that changed it. |
Hide CPM temporary password versions | A toggle button that hides or displays the temporary password versions that are created during password changes. |
Search for an account
By default, the Accounts View page displays all of the accounts you are authorized to see.
To search, you need the following permissions:
- Retrieve accounts (to view credentials)
- Retrieve accounts and Use accounts (to connect to a remote device)
You can use the built-in filters to narrow down the list or search for a specific account. For details, see Filtering options.
Save a view
After you perform a search, you can save the view. To save the view, on the Accounts View page, click Recent. Click the ellipsis next to the search name and select Save as. Enter a name for the view and save it. Access the view from the Saved tab.
Filtering options
Filter | Description |
---|---|
All accounts | A list of all the accounts that you are authorized to access, their properties, and status. |
Recently used | A list of the accounts you recently used. |
 | You can add accounts to the Favorites list. This is a personalized list. |
Disabled by CPM | A list of accounts that have been disabled by the CPM, and are not currently managed automatically. |
Locked | A list of accounts that are locked by your user and other users. |
Failed | A list of accounts that could not be managed successfully, resulting in an error. |
Newly added | A list of new accounts that were added to Privilege Cloud. |
Deleted | A list of accounts that were deleted. Only authorized users can see this view and revert this action. |
Disabled by user | A list of accounts that have been disabled manually by users, and are not currently managed automatically. |
Edit an account
To edit an account, you need the following permissions:
- Update password properties
- Rename accounts
To edit an account:
- On the Accounts View, locate the account, click the ellipsis button, and then click Edit.
- On the Edit Account page, edit the required properties. For details, see Account properties.
Delete an account
To delete an account, you need the following permissions:
- Delete accounts
On the Accounts View, locate the account, click the ellipsis button, and then click Delete.
Verify password
Generally, passwords are handled through Privilege Cloud to make sure that the password on the remote device is synchronized with the corresponding password in Privilege Cloud. However, if a password on the remote device is changed manually and not through Privilege Cloud, it is no longer synchronized with its corresponding password, and it becomes unavailable when connecting through the Privilege Cloud Portal. It is important to verify that the passwords are synchronized and, if they are not, to perform a reconciliation. For details, see Reconcile a password manually.
Password verification can be done:
- Automatically, depending on the platform.
- Manually. You must have the Initiate CPM password management operations permission.
Verify a password manually:
- On the Accounts View page, locate and click the account in the grid.
- On the account's Overview tab, in the Last Verified section, click Verify.
- Click Verify; a message is displayed indicating that the account is marked for verification. The CPM will verify it during the next password management cycle. When the account is reconciled, the compliance status is updated.
Reconcile passwords
Reconciling a password for an account means synchronizing the password on the target machine with the password in the Vault, making them identical.
Privilege Cloud runs automatic verification processes to make sure that the password in the Vault is identical to the password on the target machine. You can also verify a password manually. For details, see Verify password.
Reconciliation can be done automatically, manually, or both. Platform rules determine whether automatic reconciliation will take place when a password is detected as unsynchronized, or whether it can only be launched manually. For details on reconciling a password manually, see Reconcile a password manually.
Reconcile accounts are a type of linked account (see Create linked accounts). You can define a reconciliation account password that will be used to reset the unsynchronized password at account level. You can store this account in a separate Safe, where it is only accessible to Privilege Cloud for reconciliation purposes. For details, see Define a reconciliation account password.
When a password is reconciled, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. You can see details of the last reconciliation process in the Operational Views in the Accounts List.
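The verify and reconcile behaviour described in this section and under Verify password, as a small Python model. This is an added example, not CyberArk code and not a Privilege Cloud API; the names Account, mark, cpm_cycle and auto_reconcile are hypothetical, the sample passwords are constructed, and running an automatic reconciliation in the same cycle as the failed verification is an assumption.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    vault_password: str            # value stored in the Vault
    target_password: str           # value actually set on the remote device
    auto_reconcile: bool = False   # stands in for the platform rule (assumed name)
    pending: set = field(default_factory=set)   # operations marked in the portal
    status: str = "unknown"        # simplified compliance status

def mark(account, operation):
    """Clicking Verify or Reconcile only marks the account for the next cycle."""
    if operation not in ("verify", "reconcile"):
        raise ValueError(f"unsupported operation: {operation}")
    account.pending.add(operation)

def cpm_cycle(account):
    """Process the marked operations, as one password management cycle would."""
    if "verify" in account.pending:
        account.pending.discard("verify")
        in_sync = secrets.compare_digest(account.vault_password,
                                         account.target_password)
        account.status = "compliant" if in_sync else "unsynchronized"
        if not in_sync and account.auto_reconcile:
            account.pending.add("reconcile")   # assumption: handled in the same cycle
    if "reconcile" in account.pending:
        account.pending.discard("reconcile")
        # Neither old value is kept: a newly generated password replaces both sides.
        new_password = secrets.token_urlsafe(24)
        account.vault_password = account.target_password = new_password
        account.status = "compliant"
    return account.status

def out_of_band_change_demo():
    """Constructed scenario: the device password is changed outside Privilege Cloud."""
    acct = Account(vault_password="Vault-Initial-1", target_password="Vault-Initial-1")
    trace = []
    mark(acct, "verify")
    trace.append(cpm_cycle(acct))                 # compliant
    acct.target_password = "Set-By-Hand-On-Device"
    mark(acct, "verify")
    trace.append(acct.status)                     # still compliant: only marked so far
    trace.append(cpm_cycle(acct))                 # unsynchronized
    mark(acct, "reconcile")
    trace.append(cpm_cycle(acct))                 # compliant again
    return trace, acct
```

The second trace entry is the point to watch operationally: between the out-of-band change and the next cycle, the displayed status is stale and the stored password no longer works on the device.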
Define a reconciliation account password
This account will override the account specified in the platform.
To define a reconciliation account password:
- In the Privilege Cloud Portal, go to the Account Details page of the account that you want to link to a reconciliation account.
- In the CPM pane, either link the current account to an existing account or create a new one.
To link to an existing reconciliation account password:
- Click Associate; the Accounts list appears.
- Select an account to use as the reconciliation account password, then click Associate.
- The selected account is linked to the current account and its name appears in the CPM pane of the account's Account Details page.
To create a new reconciliation account password:
- Click Create New; the Add Reconcile Account page appears.
- Define the new reconcile account password, then click Link; the new password is created and its name appears in the CPM pane of the password’s Password Details page.
Reconcile a password manually
You must have the following permissions to perform this task:
- Initiate CPM password management operations
To reconcile a password manually:
- On the Accounts View page, locate and click the account in the grid.
- On the account's Overview tab, in the Compliance Status section, click Reconcile.
A message is displayed indicating that the account is marked for reconciliation. CPM will reconcile it in the next password management cycle.
When the account is reconciled, the compliance status is updated.
Change password
Passwords can be changed automatically by the CPM or manually by an authorized user.
Change password automatically by CPM
The CPM can change passwords for managed accounts. When you create an account, you can define whether the account's password will be automatically managed by the CPM, using the Allow automatic password management property.
The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. So, generally, passwords that are managed by the CPM do not require manual intervention.
Passwords are changed by the CPM in the following scenarios:
Scenario | Description |
---|---|
Password expired | The expiration period is configured in the Master Policy using the Require password change every X days rule. |
Request timeframe | A user requests to connect to an account or display a password (dual-control) for a certain timeframe, and that request is approved. Once the timeframe expires, the password is changed (if the user already released the account, it is changed upon release). |
Manual initiation | If the account is managed by the CPM, when the user clicks Change, an immediate change CPM operation is initiated. |
One-time and exclusive passwords | Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with the |
Account groups | When the password of an account that is a member of a group is changed, the password values for the entire group are also changed. |
Change password manually by user
You have the following options for changing the password:
Action | Description |
---|---|
Trigger the CPM to change the password | The account is managed by the CPM. CPM changes the password in both the target machine and in Privilege Cloud. You must have the following Safe member authorizations to initiate a password change: |
Change the password manually only in Privilege Cloud. | You must have the following Safe member authorizations in the safe where the account is stored: |
To change a password:
- On the Accounts View page, locate and click the account in the grid.
- On the account's Overview tab, in the Compliance Status section, click Change.
- On the pop-up, do the following:
Account managed by the CPM
- Trigger CPM to change password.
  Click Change. The CPM will change the password during the next account management cycle.
- Change the password only in Privilege Cloud.
  Click Change password only in the vault, enter the password and confirm it.
Account not managed by the CPM
Change the password only in Privilege Cloud.
Enter the password and confirm it.