Managing Accounts and Passwords

This document discusses the different ways in which users can manage accounts in PAM360 such as viewing, editing, copying, moving accounts and also to change password, view password history and check integrity of passwords stored in PAM360.

  1. Viewing Accounts
  2. Copying Passwords
  3. Changing Passwords
  4. Verifying Passwords Stored in PAM360
  5. Viewing Password History
  6. Copying Passcard Link
  7. Editing Accounts
  8. Copying Accounts
  9. Moving Accounts

1. Viewing Accounts

Follow the below steps to view an account that is part of a resource.

  1. Navigate to Resources tab.
  2. Click on the particular resource name whose account details you want to view.
  3. The accounts of the respective resource would be displayed in a new dialog box.
  4. By default, passwords are shown in hidden form behind asterisks; to view the passwords in plain text, just click on the respective asterisks. The passwords will be shown for 10 seconds only. After that, they will be automatically hidden. You can also view the passwords by clicking the asterisks again.

You can modify the default 10 seconds from the General Settings page.

1.1 Enforcing Users to Provide a Reason for Viewing Passwords

By default, when a user tries to retrieve the password of a resource, on clicking the asterisks, the passwords appear in plain text. If you want to force your users to provide a reason why access to the password was needed, you can enable the option Enforce users to provide reason when retrieving the passwords in General Settings. Follow the below steps:

  1. Navigate to Admin >> Settings >> General Settings.
  2. In the UI that opens with a list of options, select Password Retrieval.
  3. Click the checkbox Enforce users to provide reason when retrieving the passwords.
  4. Click Save.
  5. After enabling this option, when you click on the asterisks, a pop-up window will open. In that pop-up window, provide a reason for retrieval and click Proceed.

1.2 Allowing password users and auditors to retrieve passwords for which auto logon is configured

Through the auto logon feature, PAM360 provides the option to establish direct connection to the resource eliminating the need for copy-paste of passwords. By default, password users and auditors will be able to retrieve the passwords that are shared with them. However, if auto logon is configured, they might not need access to the passwords. In such cases, you can take a decision to either allow or restrict access to passwords and implement the same through the option "Allow password users and auditors to retrieve passwords for which auto logon is configured" in General Settings.

To enable this option,
  1. Navigate to Admin >> Settings >> General Settings.
  2. In the UI that opens with a list of options, select Password Retrieval.
  3. Click the checkbox Enforce users to provide reason when retrieving the passwords.
  4. Click Save.

2. Copying Passwords

PAM360 leverages clipboard utility of browsers to copy passwords when you intend to copy and paste passwords.

Follow the below steps to copy passwords:
  1. Navigate to the Resources tab.
  2. Switch to Passwords link and click the copy icon present against the desired passwords to copy.
  3. The copied passwords will be available to paste for 30 seconds.

3. Changing Passwords

To change the passwords of user accounts,

  1. Navigate to Resources tab, switch to the Passwords tab or from the Resources tab, click a required resource name to open the Account Details dialog box.
  2. Click the Account Actions icon against the resource whose password you want to change and select Change Password from the drop down list.
  3. In the pop-up form that appears, enter the new password and confirm the same.
  4. Click Save.

Notes:

  • While entering the new password, the password policy set by the administrator for this resource will get enforced, if any.
  • If your account belongs to any of the types - Windows, Windows Domain, Linux, IBM AIX, HP UNIX, Solaris, Mac OS, MS SQL server and Cisco Devices (IOS, CatOS, PIX), you have the option to synchronize the new password in the remote resource too. In such cases of remote synchronization, if there is a failure in updating the password in the resource, password changes will not be saved locally as well.

4. Verifying Passwords Stored in PAM360

Passwords of resources such as servers, databases, network devices and other applications are stored in PAM360. It is possible that someone who has administrative access to these resources could access the resource directly and change the password of the administrative account. In such cases, the password stored in PAM360 will be outdated and not be of any use to the users who access PAM360 for the password. To deal with such possibilities, PAM360 provides an option for checking the validity of passwords at any point of time, both on demand and also at periodic intervals. On demand verification for password validity can be performed for a single account or for all the resources/accounts stored in the PAM360 application.

4.1 Verifying Individual Passwords

Follow the below steps to verify the integrity of the password of a single account:

  1. Navigate to Resources tab, switch to the Passwords tab or from the Resources tab, click a required resource name to open the Account Details dialog box.
  2. Click the Account Actions against the resource whose password you want to verify for synchronization and select Verify Password from the drop down list.
  3. PAM360 will try to establish connection with the target system. Once the connection is established, it tries to log in with the credentials stored in PAM360. If login does not succeed, PAM360 concludes that the password is out of sync.

Notes:

1. Password verification will work only for the accounts for which Remote password reset has been enabled.

2. If PAM360 cannot establish a connection with the system due to some network problem, it will not be considered that the password is out of sync.

4.2 Verifying Passwords in Bulk

Check if the passwords stored in PAM360 are in synchronization with the actual passwords of the resources by running this check.

Follow the below steps to verify the integrity of the passwords in bulk:

  1. Navigate to Groups >> Group Actions >> Find Out of Sync Passwords. A window shows up.
  2. Click Start Now. A success message 'Integrity check scheduled successfully' will be displayed. Now, all the passwords of the selected group will be checked and email notification will be sent to the administrator.

4.3 Scheduled Verification of Passwords in Bulk

You can schedule to check the integrity of the passwords stored in PAM360. Follow the steps below:

  1. Navigate to Groups >> Group Actions >> Periodic Integrity Check. A window shows up with the current and upcoming status of the schedule of the selected group.
  1. Schedule the integrity check or modify the existing schedule by choosing any of the below options:
    1. Once, on a specific day and time
    2. On an interval based on the specified days, from a specific day and time
    3. Monthy, on a specific day and time
    4. Never
  2. Click Schedule.

Now, the integrity check will be run based on the schedule configured, and PAM360 will try to establish connection with the target systems for all the accounts in the selected group for which remote password reset has been enabled. Once the connection is established, it tries to login with the credentials stores in PAM360. If login does not succeed, PAM360 concludes that the passwords are out of sync. A consolidated notification will be emailed to all the administrators and auditors.

Note: If PAM360 cannot establish a connection with the system due to some network problem, it will not be considered that the password is out of sync.

 

4.4 Verifying All Passwords Stored in PAM360

This option is to perform the integrity check for all the passwords stored in PAM360. Once done, an email will be sent to the administrators. Follow the below steps:

  1. Navigate to Reports >> Password Out of Sync
  2. Under that report, click the link Find Out of Sync passwords. In the dialog box that opens, click Start Now.
  3. Once you schedule the check, PAM360 will try to establish connection with the target systems for all the accounts for which remote password reset has been enabled. Once the connection is established, it tries to log in to each resource with the credentials stored in PAM360 respectively. If login does not succeed, PAM360 concludes that the password is out of sync. In case, PAM360 is not even able to establish connection with the system due to some network problem, it will not be taken as password out of sync. A consolidated notification would be emailed to all the administrators and auditors.

5. Viewing Password History

The history of changes done to the passwords are captured in the form of password history. Information such as the old password, modified by whom, from which machine and the time at which it was modified are all captured in history.

To view password history of an account,

  1. Navigate to Resources tab, switch to the Passwords tab or from the Resources tab, click a required resource name to open the Account Details dialog box.
  2. Click the Account Actions icon against the resource whose password history you want to view and select Password History from the drop down list.
  3. In the pop-up for that appears, password history will be displayed.

A passcard typically contains details such as Resource Name, Account Name, Password of the account, Owner of the resource and the DNS name, along with any additional resource or account attributes that might be added to it. To view the passcard of an account, you must be logged into PAM360 and the corresponding resource must be owned by you or shared to you.  The Passcard link provides consolidated details of an individual account in PAM360 as a shareable link.  The link can be accessed by only those to whom the passcard is shared with the relevant privilege (read-only, read-write, or manage).

Follow the below steps to copy the Passcard of an account:

  1. Navigate to Resources tab, switch to the Passwords tab or from the Resources tab, click a required resource name to open the Account Details dialog box.
  2. Click the Account Actions icon beside the required account name and choose Copy Passcard Link from the drop-down.
  3. The Passcard link will be copied to the clipboard and will remain there until you click the Click Here to Clear Clipboard option to erase it. The Click Here to Clear Clipboard option will appear in the top right corner of the page as soon as you copy the Passcard link.
  4. Paste the copied Passcard URL in a new browser window to view its contents. The Passcard will also contain a QR code from which the URL can be scanned and extracted.

7. Editing Accounts

At any point of time, you can edit the details of any of the accounts.

To edit an account,

  1. Navigate to the Resources tab, switch to the Passwords tab or from the Resources tab, click a required resource name to open the Account Details dialog box.
  2. Click the Account Actions icon beside the resource whose password you want to edit and choose Edit Account from the dropdown.
  3. In the pop-up form that appears, edit the required property of the account.
  4. Select the checkbox Use Private Key for Login to authorize remote connections using SSH keys instead of account credentials. Click here to know more about remote connection using SSH keys.
  5. Once you're done, click Save. The required change will get reflected in the view.

8. Copying Accounts

Copy and add accounts under one or more resources. You can then edit the replicated accounts to suit your requirements. The Copy Account feature will come handy when you handle identical accounts of different resources. Remember, the copy action will not create any changes to the account(s) copied.

Follow the below steps to copy one or more accounts:
  1. Navigate to Resources tab and switch to Passwords tab. Select the account(s) to be copied.
  2. To copy a single account, go to Resources tab, click a required resource name to open the Account Details dialog box.  
  3. Then, click the Account Actions icon beside the required account and select Copy Account from the drop down list.
  4. In the Copy Account dialog box, select the resources under which you want the accounts to be copied. Move the required resources to the Destination Resources pane using the arrows.
  5. Select the Inherit Share Permissions option for the new copies inherit the selected account's share permissions i.e., the new account will also be shared with all those who had permission to view the parent account.
  6. Select the Access Control Settings option to retain the access control configuration done for the selected account, during the copy operation. Please note that this copy operation will retain only the Account-level access control configuration. If this option is unchecked during the copy operation (OR) if the selected account does not have any individual access control settings configured, then the resource level access control settings of the destination resource will be applied to this account as well.
  7. Select the Copy Password History option to retain the selected account's password history. Click here for more information on password history.
  8. You can also specify the number of copies required. Click Save. The account(s) will appear under the selected resource(s).

9. Moving Accounts

Move one or more accounts that are part of one resource to another resource. When you do so, the selected account(s) will be removed from the present resource.

Follow the below steps to move one or more accounts:

  1. Navigate to the Resources tab and switch to the Passwords tab. Select the account(s) to be moved.
  2. To move a single account, go to Resources tab, click a required resource name to open the Account Details dialog box.  
  3. Then, click the Account Actions icon and choose  Move Account from the drop-down list.
  4. In the Move Account dialog box, choose a resource from the Move the Selected Account(s) to dropdown.
  5. Select the Inherit Share Permissions option to move the selected account's share permissions i.e., the new account will also be shared with all those who had permission to view the parent account.
  6. Select the Access Control Settings option to retain the access control configuration done for the selected account, during the move operation. Please note that this move operation will retain only the Account-level access control configuration. If this option is unchecked during the move operation (OR) if the selected account does not have any individual access control settings configured, then the resource level access control settings of the destination resource will be applied to this account as well.
  7. Select the Move Password History option to retain the selected account's password history. Click here for more information on password history.
  8. Click Save. The account(s) will be removed from the present resource and it will appear under the selected resource(s).
Top