04/26/2023 11:01 AM
Hi Team,
We have a use case from the client where they want to manage the service account via CPAM, and the password rotation should be done via the 'Manage Service Account' feature.
Please let us know how we can configure it.
04/27/2023 07:56 AM
@riyazullah1 Thanks for posting your question. What is the target application involved here? Are you trying to onboard a service account whose creds should not get rotated after every checkout/checkin? If yes, and if the target does not have a connection from Saviynt, you can onboard the service account to one of the generic credential endpoints. If the target has a connection from Saviynt, then you have to make sure that in the Endpoint's PAM Attributes tab, the "configuration" property has the entry "rotateKey":"false" in it.
Also, manual password rotation is done through the Home -> Change Password -> Reset Password for service account option.
Thanks
Nagesh K
04/27/2023 08:03 AM
The target applications are Windows and UNIX endpoints, and the service accounts we are referring to are related to Backup, VA, and any other generic account (not application accounts). The password should not be rotated unless the client requests the password rotation via Manage Service Account, and please be informed that the client is not looking for the standard credentials vault use case.
04/27/2023 01:37 PM
@riyazullah1 Thanks for the info. Are these accounts supposed to be made available to end users for credential checkout?
Thanks
Nagesh K
05/15/2023 07:51 AM
Hi @NageshK
Windows and UNIX will have a local account which is consumed by security solutions like Tenable, Tripwire, Forescout, etc. The customer wants these local accounts to be managed by Saviynt as service accounts, and the password rotation will be done by Saviynt based on the customer's request.
These endpoints should not be visible to any other users for Credential check-in/check-out.
05/17/2023 07:47 AM
@riyazullah1 Thanks for the clarification. For such accounts, you can add a customproperty value (ex: customproperty10 = 'Not_for_checkout') and use this to customize the out-of-the-box account visibility control "PAMDefaultUserAccountAccessControl" to add the condition to filter out these kinds of accounts. Then these accounts will not show up for end-user requests, and at the same time this gives you the ability to provide a new pwd through "Home -> left nav -> Change Password -> Reset Service Account Password".
Thanks,
Nagesh K