I'm trying to understand when and how Control Compliance Suite (CCS) fetches passwords from a CyberArk vault during a data collection/CER job.

The example scenario is the following:

- there is one common scan credential for all Windows servers in a domain

- there is a data collection job for all Windows Server 2019 in that domain, this job runs for 2 hours

In this scenario, when does CCS fetch the password for the scan user? Only once at the beginning of the job? Or does it get the password for every asset separately when it starts scanning the given asset? Or does it get the password periodically, e.g. every 5 minutes?

What would happen if CyberArk changes the scan user's password while the job is still running? Would CCS notice logins are failing and re-fetch the password, or would data collection fail due to invalid credentials?

Release : CCS Infra Release 12.6.1

CCS fetches the password from CyberArk at the beginning of the data collection job.

If CyberArk changes the password even 5 minutes after the data collection starts, then any assets that have not already been completed will fail with an error about the username/password being invalid.

It is recommended to not change the password during a data collection job.