Manage PUPM Disconnected Privileged Accounts

ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Manage PUPM Disconnected Privileged Accounts

book

Article ID: 49708

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)

Issue/Introduction

Description:

A disconnected privileged account is an account that PUPM does not manage. To manage the passwords for these accounts you can create a privileged access role "Target System Manager". Users that are assigned with this role must manually reset the passwords for the appropriate privileged accounts. Each time a privileged account is checked out or checked in, a notification can automatically be triggered to notify the role members that the account was used and the password must be changed.

Solution:

Follow these steps:

Log into CA Access Control Enterprise Management as a user with administrative privileges.
Go to Users and Roles, Roles, Privileged Access Roles and select Create Role.
Select the Create a Copy of a role option.
Search for the PUPM Target System Manager role.
Leave the following tasks:
- Manual Password Reset
- Show Previous Account Passwords
- View Endpoint
- View Privileged Account
- Force Check-In
- Endpoint Password Restore Point
Specify the appropriate members rule, as follows:

Member Rule: "Users where MemberOf = "AD GROUP"
Scope Rules: "Endpoint where CUSTOM1_INFO contains STRATUS ACCOUNTS"
"Privileged Account where Disconnected System = True" AND "CUSTOM1_INFO contains STRATUS ACCOUNTS"
Save the role.

Email Notifications

By default PUPM does not trigger an email notification when a privileged account is checked in. That option must be enabled in the Access Control Management Console.

Create a new email templatefor the CheckInAccountPasswordEvent. Place The template in the following directory:

JBOss_HOME\server\default\deploy\IdentityMinder.ear\custom\emailTemplates\default\completed\CheckInAccountPasswordEvent.tmpl

Following is an example of the email template:

<!-- Define the E-mail Properties --->
<%
   _to = _util.getNotifiers("ADMIN"); 
   _cc = "" ;
   _bcc = "" ;   
   if(_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "") == "true" ){         
      _to = "_eventContextInformation.getPrimaryObjectAttribute("CUSTOM2_FIELD", "") + [email protected]?;
     }
 
   _subject = "Password for privileged account " + _eventContextInformation.getPrimaryObjectName() + " was checked back in";
%>
<!--- Start of Body --->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</head>

<body text="Navy">
<br>Endpoint Type: <b><%=_eventContextInformation.getPrimaryObjectAttribute("NAMESPACE", "")%></b>
<br>Endpoint Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ENDPOINT_NAME", "")%></b>
<br>Container: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CONTAINER", "")%></b>
<br>Account Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ACCOUNT_NAME", "")%></b>
<br>Disconnected System: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "")%></b>
<br>Account Group: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DEPARTMENT_INFO", "")%></b>
<br>Password Resetter Team: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CUSTOM3_INFO", "")%></b>
<br>Account Owner: <b><%=_eventContextInformation.getPrimaryObjectAttribute("OWNER_INFO", "")%></b>

<p class=MsoNormal>
   <font size=2 face=Arial>
         <span style='font-size:10.0pt;font-family:Arial'>
    <a href="https://acentm.com/iam/ac">Login here to manual reset the password<o:p></o:p></span>
   </font>
</p>

</body>
</html>

Note: The attributes specified for =_eventContextInformation.getPrimaryObjectAttribute match the field names used in the feeder.

Environment

Release:
Component: SEOSWG

Feedback

thumb_up Yes

thumb_down No