ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Question About Scheduled Job Password Updates and Password View Policies

book

Article ID: 238508

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In PAM, target accounts are currently configured with a Password View Policy that will rotate the password after a certain amount of time. These same accounts also have a scheduled job that rotates the password once every 7 days. 

If a target account's password is viewed and is set to have its password changed shortly after the scheduled job rotates its password, will the scheduled job negate password rotation by the password view policy?

Environment

Privileged Access Manager, all versions

Resolution

The scheduled job would not negate the password view policy's password rotation, the account's password would be updated twice.

When the password is viewed, the PVP causes a one-time scheduled job to be created as seen in the screenshot below. Another scheduled job running would not be able to delete the one created by the password view policy.

If it is desired that a scheduled job cannot rotate the password while in use by a PVP, configure the PVP for check-out/check-in. If an account is checked out while a scheduled job is running, the scheduled job will produce an error such as the one below.

Attachments