Password view policy with Change Password On Connection End and Change Password On View or Auto-Connect not working as expected

Article ID: 196826

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We find that the change password interval is not working as expected for the option "Change Password On Connection End". It changes the password immediately on connection end instead of doing it at the specified change interval. In our case it's 1440 minutes (24 hrs).

Cause

The product is working as designed, just not the way the customer expected.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The "Change Password On Connection End" option has no change interval associated with it. The change interval belongs to the "Change Password On View" option (selected by default when the "Check-Out / Check-In" option is chosen) and to the "Change Password On Auto Connect" option. Because the interval field appears at the bottom of the page rather than next to a specific option, it may look as if it also applies to "Change Password On Connection End". It does not, and the field is not shown in the Password View Policy (PVP) editor at all when only "Change Password On Connection End" is set.

The "Change Password On Connection End" option works independently of "Change Password On View" and "Change Password On Auto Connect" and does exactly what its name says: it changes the password at the moment a connection ends, with no interval. Because it is decoupled from the other options, combining it with "Change Password On Auto Connect", or with "Check-Out / Check-In" when that is paired with "Change Password On View" (the default), typically makes no sense: the same session then triggers two password changes.

Note that the scope of "Change Password On View" depends on whether "Check-Out / Check-In" is set as well. If both are checked, checking out the password schedules a job that runs once the configured "Force check-in after" interval has elapsed, unless the password is checked in manually before then. This applies whether the password was checked out for a direct view or for an auto-connect session. If only "Change Password On View" is checked and NOT "Check-Out / Check-In", the option affects direct password views only, not auto-connect.

In Summary:

"Change Password On Connection End" AND "Change Password On View" AND "Check-Out / Check-In" checked - Not recommended; one auto-connect session results in two password changes (one scheduled by the check-out, one at connection end).

"Change Password On Connection End" AND "Change Password On View" checked, but NOT "Check-Out / Check-In" - This is OK; no overlap, because "Change Password On View" then applies to direct views only.

"Change Password On Connection End" AND "Change Password On Auto Connect" checked - Not recommended; one auto-connect session results in two password changes (one after the change interval, one at connection end).
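The following Python model is an added illustration for this article, not CA PAM code and not a product API: it encodes the rules from the Resolution section above (which option fires for a direct view versus an auto-connect session, and which ones carry an interval) and applies them to all sixteen combinations of the four options, so combinations beyond the three listed in the summary are flagged by the same rules rather than by the article. The attribute names, the "view"/"auto_connect" access labels, the interval values and the reading that the check-out job runs at manual check-in or at forced check-in are assumptions made for the model.

```python
"""Added illustration: a model of the CA PAM Password View Policy (PVP) change
triggers described in this article. Not product code; it encodes the rules
from the Resolution section so every option combination can be checked for
overlapping password changes."""
from dataclasses import dataclass
from itertools import product

DIRECT_VIEW = "view"           # the user displays the password (assumed label)
AUTO_CONNECT = "auto_connect"  # PAM opens a session with it (assumed label)


@dataclass(frozen=True)
class PVP:
    """Subset of PVP options relevant to this article; names are assumed."""
    change_on_connection_end: bool = False
    change_on_view: bool = False
    check_out_check_in: bool = False
    change_on_auto_connect: bool = False
    change_interval_minutes: int = 1440      # interval field in the PVP editor
    force_check_in_after_minutes: int = 60   # "Force check-in after" (assumed value)


def password_changes(policy: PVP, access: str) -> list:
    """Return one (option, when) tuple per password change that a single
    access of the credential triggers under the given policy."""
    changes = []
    if policy.change_on_view and policy.check_out_check_in:
        # Check-out schedules a job that runs after "Force check-in after"
        # unless the password is checked in manually first. Per the article
        # this applies to auto-connect as well as to direct views.
        changes.append(("Change Password On View + Check-Out/Check-In",
                        "at manual check-in or after the "
                        f"{policy.force_check_in_after_minutes} min force check-in"
                        " (modeled reading of the article)"))
    elif policy.change_on_view and access == DIRECT_VIEW:
        # Without Check-Out/Check-In the option covers direct views only.
        changes.append(("Change Password On View",
                        f"after the {policy.change_interval_minutes} min change interval"))
    if access == AUTO_CONNECT:
        if policy.change_on_auto_connect:
            changes.append(("Change Password On Auto Connect",
                            f"after the {policy.change_interval_minutes} min change interval"))
        if policy.change_on_connection_end:
            # This option has no interval: the change is immediate.
            changes.append(("Change Password On Connection End",
                            "immediately when the connection ends"))
    return changes


def overlapping_accesses(policy: PVP) -> dict:
    """Map access kind -> number of changes, for kinds where one access
    schedules more than one password change (the 'not recommended' cases)."""
    result = {}
    for access in (DIRECT_VIEW, AUTO_CONNECT):
        n = len(password_changes(policy, access))
        if n > 1:
            result[access] = n
    return result


def redundant_combinations() -> list:
    """Every flag combination (16 in total) that yields an overlap."""
    flagged = []
    for flags in product((False, True), repeat=4):
        policy = PVP(*flags)
        if overlapping_accesses(policy):
            flagged.append(policy)
    return flagged


if __name__ == "__main__":
    for policy in redundant_combinations():
        print(policy, overlapping_accesses(policy))
```

Running the module lists the six combinations that double up on an auto-connect session; a direct view never overlaps, because only one rule can fire for it. The three rows of the summary above come out exactly as stated there.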