
PAM Bootstrapping Non-Shared Accounts

New Contributor III


We have an implementation that requires that no shared accounts be used. Is there a way to bootstrap endpoints that doesn't use shared local/domain accounts and only uses unique domain accounts as the privileged access method?

So instead of users using a CPAM shared domain account, the requirement is that the users have unique CPAM-managed domain accounts used to access endpoints.

We need to bring these endpoints under PAM protection and have them accessed through the designated admin accounts.


Saviynt Employee

Hi jdfranco, can you please let us know for which endpoints you are trying to achieve this use case? Do you want this domain account for AD endpoints or Windows endpoints?

New Contributor III

These would be Windows server endpoints.

Saviynt Employee

@jdfranco Yes, this is possible. One common example is the use of a- (a dash) accounts in Active Directory. These are personal accounts unique to each user and are usually assigned to the server admins.

Before looking at how to implement this use case, here is an important aspect to verify:

  1. How are the designated admin accounts that each user has identified? They should follow a proper naming convention like a-<user's login id> or a-<user's firstname+lastname>.

Having such a naming convention makes it easier to implement this use case.

Here is how it has to be implemented:

  1. Onboard your Active Directory to Saviynt CPAM and PAM-enable the admin accounts in scope.
  2. Bootstrap your domain-joined Windows servers by mentioning the admin accounts alone in PAM_CONFIG (no local shared accounts should be mentioned in the config).
  3. Create a copy of the out-of-the-box analytical control "PAMDefaultUserAccountAccessControl" and customize it to show only the a- accounts applicable to the logged-in user.
  4. Mention this custom analytical control in PAM_CONFIG for Windows servers before onboarding your Windows servers.
  5. Make sure these unique admin accounts have access to the Windows servers.

The modified query would look like this (modified part: the CONCAT('a-', ${username}) = acc1.NAME filter in the second SELECT):

select acc.accountkey as 'id', acc.NAME as 'name'
from accounts acc
where acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%\"pamState\"%ENABLED%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
UNION
select acc1.accountkey as 'id', acc1.NAME as 'name'
from accounts acc1
inner join account_attributes accattrb on acc1.ACCOUNTKEY = accattrb.ACCOUNTKEY
where accattrb.ATTRIBUTE_NAME = 'MEMBER_ENDPOINTKEY'
  and accattrb.ATTRIBUTE_VALUE = ${endpointkey}
  and acc1.accountconfig like '%\"pamState\"%ENABLED%'
  and CONCAT('a-', ${username}) = acc1.NAME
  and acc1.accountkey = IF('null'=${accountkey}, acc1.accountkey, ${accountkey});



Nagesh K
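To make the two branches of the customized control concrete, here is an added Python model of its logic (example code, not Saviynt's; the account rows, endpoint keys and MEMBER_ENDPOINTKEY links are constructed). It shows that only the MEMBER_ENDPOINTKEY branch is narrowed to a-<username>: a PAM-enabled account placed directly on the Windows server endpoint still appears for every user, which is why step 2 (no local shared accounts in PAM_CONFIG) matters.

```python
import json

# Constructed sample rows shaped like the accounts table the control queries.
# Endpoint 7 stands for the Active Directory endpoint, 42 for a Windows server.
ACCOUNTS = [
    {"accountkey": 101, "name": "a-jdoe", "endpointkey": 7,
     "accountconfig": json.dumps({"pamState": "ENABLED"})},
    {"accountkey": 102, "name": "a-asmith", "endpointkey": 7,
     "accountconfig": json.dumps({"pamState": "ENABLED"})},
    {"accountkey": 103, "name": "a-jdoe", "endpointkey": 7,   # not PAM-enabled yet
     "accountconfig": json.dumps({"pamState": "DISABLED"})},
    {"accountkey": 201, "name": "Administrator", "endpointkey": 42,  # local account
     "accountconfig": json.dumps({"pamState": "ENABLED"})},
]

# Constructed account_attributes rows: MEMBER_ENDPOINTKEY links a domain account
# (on endpoint 7) to the Windows server endpoints it may be used on.
MEMBER_ENDPOINTKEY = {101: [42], 102: [42], 103: [42]}


def pam_enabled(acc):
    """Equivalent of: accountconfig like '%\"pamState\"%ENABLED%'."""
    return json.loads(acc["accountconfig"]).get("pamState") == "ENABLED"


def eligible_accounts(accounts, members, endpointkey, username, accountkey=None):
    """Model of the customized PAMDefaultUserAccountAccessControl.

    Branch 1 (first SELECT): every PAM-enabled account placed directly on the
    endpoint, regardless of user.
    Branch 2 (second SELECT, the modified one): PAM-enabled accounts linked via
    MEMBER_ENDPOINTKEY whose name equals 'a-' + username.
    The optional accountkey mirrors IF('null'=${accountkey}, ..., ${accountkey}).
    Returns {accountkey: name}.
    """
    expected_name = f"a-{username}"
    result = {}
    for acc in accounts:
        if not pam_enabled(acc):
            continue
        if accountkey is not None and acc["accountkey"] != accountkey:
            continue
        direct = acc["endpointkey"] == endpointkey
        via_member = (endpointkey in members.get(acc["accountkey"], [])
                      and acc["name"] == expected_name)
        if direct or via_member:
            result[acc["accountkey"]] = acc["name"]
    return result


if __name__ == "__main__":
    print(eligible_accounts(ACCOUNTS, MEMBER_ENDPOINTKEY, 42, "jdoe"))
```

Running it for user jdoe on endpoint 42 lists a-jdoe plus the local Administrator account, so the local account only disappears from the user's view when it is left out of PAM_CONFIG as step 2 requires.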