You have a set of generic accounts in PAM. These are for credentials that may be defined in a credential source that PAM could be integrated with, such as Active Directory accounts, but that also have passwords stored in some legacy applications that require additional manual work when updating the account password. Long term, the goal is to move away from having passwords stored in multiple places, but for now you are stuck with a procedure that does not allow automatic password synchronization by a PAM workflow.

What you would like to do is have PAM either send notifications when the age of the password reaches X days, or have PAM change the password of the generic account after X days. The latter would not break the applications, because the old password would still be valid in the credential source, but it would force the administrator to set the new password so that PAM users can use the credentials again.

Is it possible to have PAM send notifications when a certain password age is reached, or define jobs that automatically update generic account passwords on a defined schedule?
PAM currently does not support this use case. The recommendation is to use PAM's A2A feature to integrate applications with PAM and have them retrieve passwords instead of storing them in files. Scheduled account password update jobs only act on synchronized accounts that allow PAM to update the password in the remote credential source. Running such jobs against generic accounts would not be right. Aside from the fact that this would get the account out of sync with the credential source, the time of the account update in PAM would not be the time the password was changed in the credential source and therefore should not be the basis for calculating the next change.
As of August 2025, PAM does not have a feature for notifications based on password age. There is an open enhancement request in the PAM community, "Password expiry Notification". If you would like to see this idea implemented, please vote it up, add your comments as applicable, and work with your Broadcom account team to engage PAM Product Management.
It is possible to use remote CLI or REST API calls to retrieve the password age for each target account; see, for example, the script attached to the KB article "Target Accounts report with last password update time and user".
This could be the starting point for a utility that retrieves this information and then uses it to send notifications for accounts exceeding a certain age. Which email address to send a notification to could be stored in one of the two descriptor fields that each account has.
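A sketch of such a utility, added here as an example and not taken from the KB article or from Broadcom's script. It assumes the account data has already been exported to CSV via the remote CLI or REST API; the column names (`account_name`, `last_password_update`, `descriptor1`), the sender address and all sample rows are constructed for illustration and are not PAM's own field names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed sample report; the column names are assumptions, not PAM field names.
# Timestamps are assumed to be ISO 8601 with a UTC offset.
SAMPLE_REPORT = """account_name,last_password_update,descriptor1
svc_legacy_erp,2025-03-01T08:00:00+00:00,erp-admins@example.com
svc_batch,2025-07-20T12:30:00+00:00,batch-team@example.com
svc_report,2025-01-15T09:15:00+00:00,erp-admins@example.com
svc_orphan,2025-02-01T00:00:00+00:00,
svc_unknown,,batch-team@example.com
"""

def find_overdue(report_text, max_age_days, now):
    """Return ({recipient: [(account, age_days)]}, [accounts needing manual review])."""
    overdue, review = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(report_text)):
        name = row["account_name"]
        stamp = row["last_password_update"].strip()
        recipient = row["descriptor1"].strip()
        if not stamp:
            review.append(name)  # no update time recorded, so the age is unknown
            continue
        age = (now - datetime.fromisoformat(stamp)).days
        if age < max_age_days:
            continue
        if "@" not in recipient:
            review.append(name)  # overdue, but the descriptor holds no usable address
            continue
        overdue[recipient].append((name, age))
    return dict(overdue), review

def build_messages(overdue, max_age_days, sender="pam-reports@example.com"):
    """Build one digest per recipient; handing them to an SMTP relay is left to the caller."""
    messages = []
    for recipient, accounts in sorted(overdue.items()):
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = f"{len(accounts)} generic account password(s) older than {max_age_days} days"
        lines = [f"{name}: {age} days" for name, age in sorted(accounts, key=lambda a: -a[1])]
        msg.set_content("\n".join(lines))
        messages.append(msg)
    return messages

if __name__ == "__main__":
    overdue, review = find_overdue(SAMPLE_REPORT, 90, datetime(2025, 8, 1, tzinfo=timezone.utc))
    print([str(m) for m in build_messages(overdue, 90)], "needs review:", review)
```

Accounts that are overdue but have no address in the descriptor, or that have no recorded update time, are returned separately so they can be followed up manually instead of being silently skipped.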