Manage your accounts

This section describes how to manage your accounts.

When you log on to the Privilege Cloud Portal, the Accounts View page is displayed. From this page, you can access information on all of your accounts. You can see:

  • Account properties
  • Compliance status
  • When it was last verified
  • Activity history
  • Password versions
  • Account groups

Managing your accounts includes editing your account details, deleting an account, and verifying, reconciling, or changing your password, as described in this section.

In addition, from this page you can add individual accounts manually, connect to a target device, and retrieve account passwords.

To access a specific account, in the Accounts View page, double-click the account.

The account page displays a high-level summary of account activities and history at a glance.

To display more information about accounts, click Additional details & actions in classic interface.

The account page displays the following panes:

Search for an account

By default, the Accounts View page displays all of the accounts you are authorized to see.

To search, you need the following permissions:

  • Retrieve accounts (to view credentials)
  • Retrieve accounts and Use accounts (to connect to a remote device)

You can use the built-in filters to narrow down the list or search for a specific account. For details, see Filtering options.

Save a view

After you perform a search, you can save the view. To save the view, on the Accounts View page, click Recent. Click the ellipsis next to the search name and select Save as. Enter a name for the view and save it. Access the view from the Saved tab.

Filtering options

  • All accounts: A list of all the accounts that you are authorized to access, their properties, and status.
  • Recently used: A list of the accounts you recently used.
  • Favorites: You can add accounts to the Favorites list. This is a personalized list.
  • Disabled by CPM: A list of accounts that have been disabled by the CPM, and are not currently managed automatically.
  • Locked: A list of accounts that are locked by your user and other users.
  • Failed: A list of accounts that could not be managed successfully, resulting in an error.
  • Newly added: A list of new accounts that were added to Privilege Cloud.
  • Deleted: A list of accounts that were deleted. Only authorized users can see this view and revert this action.
  • Disabled by user: A list of accounts that have been disabled manually by users, and are not currently managed automatically.

Edit an account

To edit an account, you need the following permissions:

  • Update password properties
  • Rename accounts

To edit an account:

  1. On the Accounts View, locate the account, click the ellipsis button, and then click Edit.

  2. On the Edit Account page, edit the required properties. For details, see Account properties.

Delete an account

To delete an account, you need the following permissions:

  • Delete accounts

On the Accounts View, locate the account, click the ellipsis button, and then click Delete.

Verify password

Generally, passwords are handled through Privilege Cloud to make sure that the password on the remote device is synchronized with the corresponding password in Privilege Cloud. However, if a password on the remote device is changed manually and not through Privilege Cloud, it is no longer synchronized with its corresponding password, and it becomes unavailable when connecting through the Privilege Cloud Portal. It is important to verify that the passwords are synchronized, and if they are not, perform a reconciliation. For details, see Reconcile a password manually.

Password verification can be done:

  • Automatically, depending on the platform.
  • Manually. You must have the Initiate CPM password management operations permission.

To verify a password manually:

  1. On the Accounts View page, locate and click the account in the grid.

  2. On the account's Overview tab, in the Last Verified section, click Verify.

  3. Click Verify; a message is displayed indicating that the account is marked for verification. The CPM will verify it during the next password management cycle. When the account is reconciled, the compliance status is updated.

Reconcile passwords

Reconciling a password for an account is synchronizing the password on the target machine with the password in the Vault, making them identical.

Privilege Cloud runs automatic verification processes to make sure that the password in the Vault is identical to the password in the target machine. You can also verify a password manually. For details, see Verify password.

Reconciliation can be done automatically, manually, or both. Platform rules determine whether automatic reconciliation will take place when a password is detected as unsynchronized, or whether it can only be launched manually. For details on reconciling a password manually, see Reconcile a password manually.

Reconcile accounts are a type of linked account (see Create linked accounts). You can define a reconciliation account password that will be used to reset the unsynchronized password at account level. You can store this account in a separate Safe, where it is only accessible to Privilege Cloud for reconciliation purposes. For details, see Define a reconciliation account password.

When a password is reconciled, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. You can see details of the last reconciliation process in the Operational Views in the Accounts List.
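
A simplified model of the verify and reconcile flow described above, added here as an illustration (it is not CyberArk code). The class, function and event names are hypothetical, as is the assumption that automatic reconciliation runs in the same cycle as the failed verification.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    vault_password: str            # value stored in the Vault
    target_password: str           # value actually set on the remote device
    auto_reconcile: bool           # platform rule (field name is an assumption)
    marked_verify: bool = False
    marked_reconcile: bool = False

def click_verify(acct):
    acct.marked_verify = True      # the UI action only marks the account

def click_reconcile(acct):
    acct.marked_reconcile = True   # likewise: the work happens in the next cycle

def cpm_cycle(acct):
    """Run one simplified password management cycle; return what happened."""
    events = []
    if acct.marked_verify:
        acct.marked_verify = False
        # Model of verification: does the Vault copy still match the device?
        in_sync = acct.vault_password == acct.target_password
        events.append("verify:synced" if in_sync else "verify:unsynced")
        if not in_sync and acct.auto_reconcile:
            acct.marked_reconcile = True   # assumption: handled in the same cycle
    if acct.marked_reconcile:
        acct.marked_reconcile = False
        # A new generated value replaces both copies; token_urlsafe stands in
        # for the platform's password policy.
        acct.vault_password = acct.target_password = secrets.token_urlsafe(24)
        events.append("reconcile:done")
    return events

def simulate_drift(auto_reconcile):
    """Out-of-band change on the device, then verify (and reconcile if needed)."""
    acct = Account("Vault-Pw-1", "Vault-Pw-1", auto_reconcile)  # constructed values
    acct.target_password = "changed-on-device"   # changed outside Privilege Cloud
    click_verify(acct)
    cycles = [cpm_cycle(acct)]
    if "reconcile:done" not in cycles[0]:        # platform allows manual only
        click_reconcile(acct)
        cycles.append(cpm_cycle(acct))
    return acct, cycles

if __name__ == "__main__":
    for rule in (True, False):
        acct, cycles = simulate_drift(rule)
        print(rule, cycles, acct.vault_password == acct.target_password)
```

With automatic reconciliation allowed, drift is detected and repaired in one cycle; with manual-only reconciliation, the account stays unsynchronized until a user with the Initiate CPM password management operations permission marks it and the next cycle runs.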

Define a reconciliation account password

This account will override the account specified in the platform.

To define a reconciliation account password:

  1. In the Privilege Cloud Portal, open the Account Details page of the account to link to a reconciliation account.

  2. In the CPM pane, either link the current account to an existing account or create a new one.

    To link to an existing reconciliation account password:

    1. Click Associate; the Accounts list appears.

    2. Select an account to use as the reconciliation account password, then click Associate.

    3. The selected account is linked to the current account and its name appears in the CPM pane of the account's Account Details page.

    To create a new reconciliation account password:

    1. Click Create New; the Add Reconcile Account page appears.

    2. Define the new reconcile account password, then click Link; the new password is created and its name appears in the CPM pane of the password’s Password Details page.

Reconcile a password manually

You must have the following permissions to perform this task:

  • Initiate CPM password management operations

To reconcile a password manually:

  1. On the Accounts View page, locate and click the account in the grid.

  2. On the account's Overview tab, in the Compliance Status section, click Reconcile.

    A message is displayed indicating that the account is marked for reconciliation. CPM will reconcile it in the next password management cycle.

    When the account is reconciled, the compliance status is updated.

Change password

Passwords can be changed automatically by the CPM or manually by an authorized user.

Change password automatically by CPM

The CPM can change passwords for managed accounts. When you create an account, you can define whether the account's password will be automatically managed by the CPM, using the Allow automatic password management property.

The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. So, generally, passwords that are managed by the CPM do not require manual intervention.

Passwords are changed by the CPM in the following scenarios:

  • Password expired: The expiration period is configured in the Master Policy using the Require password change every X days rule. For details, see Require password change every X days.
  • Request timeframe: A user requests to connect to an account or display a password (dual-control) for a certain timeframe, and that request is approved. Once the timeframe expires, the password is changed (if the user already released the account, it is changed upon release).
  • Manual initiation: If the account is managed by the CPM, when the user clicks Change, an immediate change CPM operation is initiated.
  • One-time and exclusive passwords: Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with Enforce one-time password access and Enforce check-in/check-out exclusive access. These passwords are changed after accounts are checked-in manually or automatically after a minimum validity period defined in the Master Policy or based on the request timeframe.
  • Account groups: When the password of an account that is a member of a group is changed, the password values for the entire group are also changed.

Change password manually by user

You have the following options for changing the password:

  • Trigger the CPM to change the password: The account is managed by the CPM. CPM changes the password in both the target machine and in Privilege Cloud. You must have the following Safe member authorizations to initiate a password change:

    • Initiate CPM password management operations

  • Change the password manually in Privilege Cloud: You must have the following Safe member authorizations in the safe where the account is stored:

    • Update password value

To change a password:

  1. On the Accounts View page, locate and click the account in the grid.

  2. On the account's Overview tab, in the Compliance Status section, click Change.

  3. In the pop-up, do the following:

    Account managed by the CPM

    • Trigger CPM to change password.

      Click Change. The CPM will change the password during the next account management cycle.

    • Change the password only in Privilege Cloud.

      Click Change password only in the vault, enter the password and confirm it.

    Account not managed by the CPM

    Change the password only in Privilege Cloud.

    Enter the password and confirm it.