Tectia Advanced Login also allows user to view account password


Article ID: 102852


Updated On:

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

I want to provide a Tectia Advanced Login session to a certain group of users via SAM, however I don't want them to be able to see the privileged account's password. I did not allow users to view or check-out the password through the role I created, however when we test their access they still have an option to check out the password. This is bad - I don't want them to be able to use the password and log in from some other device. I want all of their access to come through the ENTM. Is there a way to prevent exposing the privileged account password when I set up Tectia Advanced Login?

Environment

Release:
Component: SEOSWG

Resolution

Unfortunately, this is not possible unless you are using either ActiveX (which is in your 12.8 ENTM environment, if I recall correctly) or the Guacamole feature, which is in our later releases (12.9+). These features automatically RDP or SSH into the targeted endpoint without the user seeing the privileged account password within the web browser.

Even the Password History roles and tasks you can add to a user account will not suffice for what you are looking for. In fact, within the Password History feature, you will also be able to see the privileged account's current password, along with the older revised passwords that were once used.