
Manage Service account via CPAM with manual password rotation

riyazullah1
New Contributor

Hi Team,

We have a use case from the client where they want to manage the service account via CPAM, and the password rotation should be done via the 'Manage Service Account' feature.

Please let us know how we can configure it.

5 REPLIES

NageshK
Saviynt Employee

@riyazullah1 Thanks for posting your question. What is the target application involved here? Are you trying to onboard a service account whose creds should not get rotated after every checkout/checkin? If yes, and if the target does not have a connection from Saviynt, you can onboard the service account to one of the generic credential endpoints. If the target has a connection from Saviynt, then you have to make sure that in the Endpoint's PAM Attributes tab, the "configuration" property has the entry "rotateKey":"false" in it.

Also, manual password rotation is done through the Home -> Change Password -> Reset Password for service account option.

Thanks

Nagesh K

The target applications are Windows and UNIX endpoints, and the service account we are referring to is related to Backup, VA, or any other generic account (not an application account). The password should not be rotated unless the client requests the password rotation via Manage Service Account, and please be informed that the client is not looking for the standard credentials vault use case.

NageshK
Saviynt Employee

@riyazullah1 Thanks for the info. Are these accounts supposed to be made available to end users for credential checkout?

Thanks

Nagesh K

Hi @NageshK

The Windows and UNIX endpoints will have a local account which is consumed by security solutions like Tenable, Tripwire, Forescout, etc. The customer wants these local accounts to be managed by Saviynt as service accounts, and the password rotation will be done by Saviynt based on the customer's request.

These endpoints should not be visible to any other users for credential check-in/check-out.

NageshK
Saviynt Employee

@riyazullah1 Thanks for the clarification. For such accounts, you can add a customproperty value (e.g. customproperty10 = 'Not_for_checkout') and use this to customize the out-of-the-box account visibility control "PAMDefaultUserAccountAccessControl" to add the condition to filter out these kinds of accounts. Then these accounts will not show up for end user requests, and at the same time this gives you the ability to provide a new pwd through "Home -> left nav -> Change Password -> Reset Service Account Password".

Thanks,

Nagesh K