Custom connector master account usage
search cancel

Custom connector master account usage


Article ID: 220467


Updated On:


CA Privileged Access Manager (PAM)


Almost all built-in target applications/connectors allow target accounts to be updated by another account, typically a master account that has the privileges to change the passwords of all other accounts from a given credential source that are stored in PAM. Can we use this concept with custom connectors?


Release : 3.4

Component :


The custom connector framework allows specifications of other accounts in the target application specific tab for accounts associated with the custom connector.

The Custom Connector Framework JDK comes with sample connectors that demonstrate this functionality. E.g. the "exampletargetconnector" code includes usage of a master account.

- In file exampletargetconnector\src\main\resources\uiDefinitions.json we find the following tab definition:

        "type": "TARGETACCOUNT",
        "label": "Master Account",
        "required": false

This will add a field where you can define another account to manage a new account's password. The UI will show this field with label "Master Account", and it is optional. Since we specify that this field is of type "TARGETACCOUNT", the PAM target account editor automatically will provide a search button next to the field to look for an existing account.

- In file exampletargetconnector\src\main\java\com\ca\pam\exampleconnector\api\ we can see how this account is retrieved from PAM by passing the "field" value above, "anotherAccount", into the targetAccount.getMasterAccount() method:

        MasterAccount masterAccount = targetAccount.getMasterAccount("anotherAccount");
        String maUserName = "";
        String maPassword = "";
        if (masterAccount != null) {
            TargetAccount masterTargetAccount = masterAccount.getAsTargetAccount();
            maUserName = masterTargetAccount.getUserName();
            maPassword = masterTargetAccount.getPassword();

  Strings maUserName and maPassword are then passed into the credentialsUpdateFromWindows() or credentialsUpdateFromUnix() methods. Those methods will use the master account to connect to the credential source if set. Otherwise the account being updated will be used to connect to the credential source.