Description:
A disconnected privileged account is a privileged account whose password PUPM does not manage. To manage the passwords of these accounts you can create a privileged access role, for example "Target System Manager". Users assigned this role must reset the passwords of the corresponding privileged accounts manually. Each time such an account is checked out or checked in, a notification can be triggered automatically to tell the role members that the account was used and that its password must be changed.
Solution:
Follow these steps:
Email Notifications
By default, PUPM does not trigger an email notification when a privileged account is checked in. That option must be enabled in the Access Control Management Console before the template below has any effect.
The following is an example of the email template. It reports which account was checked in and where it lives, together with a link to the console; it carries no password. When the account is flagged as a disconnected system, the recipient is built from the account's CUSTOM2_FIELD attribute with the mail domain appended, instead of the ADMIN notifier list. Two consequences follow: CUSTOM2_FIELD must be populated for every disconnected account, otherwise the recipient address is just "@domain" and the "password must be changed" notice is silently lost; and whoever can edit that attribute (in the feeder or in the console) controls where these notifications are delivered, so treat it as a privileged field.
<!-- Define the e-mail properties -->
<%
    // Default recipients: the members of the ADMIN notifier group
    _to  = _util.getNotifiers("ADMIN");
    _cc  = "";
    _bcc = "";

    // Disconnected system: send to the password resetter address held in the
    // account's CUSTOM2_FIELD attribute. The mail domain was redacted in the
    // source of this article; replace "@<mail-domain>" with your own domain.
    if (_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "") == "true") {
        _to = _eventContextInformation.getPrimaryObjectAttribute("CUSTOM2_FIELD", "") + "@<mail-domain>";
    }

    _subject = "Password for privileged account "
             + _eventContextInformation.getPrimaryObjectName()
             + " was checked back in";
%>
<!-- Start of body -->
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</head>
<body text="Navy">
    <br>Endpoint Type: <b><%=_eventContextInformation.getPrimaryObjectAttribute("NAMESPACE", "")%></b>
    <br>Endpoint Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ENDPOINT_NAME", "")%></b>
    <br>Container: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CONTAINER", "")%></b>
    <br>Account Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ACCOUNT_NAME", "")%></b>
    <br>Disconnected System: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "")%></b>
    <br>Account Group: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DEPARTMENT_INFO", "")%></b>
    <br>Password Resetter Team: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CUSTOM3_INFO", "")%></b>
    <br>Account Owner: <b><%=_eventContextInformation.getPrimaryObjectAttribute("OWNER_INFO", "")%></b>
    <p>
        <a href="https://acentm.com/iam/ac">Log in here to manually reset the password</a>
    </p>
</body>
</html>
Note: The attribute names passed to _eventContextInformation.getPrimaryObjectAttribute match the field names used in the feeder.
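Because the template only chooses the recipient at the moment the check-in event fires, a blank or mis-typed routing field is not noticed until a notification has already gone nowhere. The script below is an added example, not CA's code and not part of the PUPM template engine: it re-implements the template's recipient rule in Python and runs it over the feeder in advance, flagging disconnected accounts that would produce an unusable address. It assumes the feeder is a CSV whose column names match the attribute names read by the template, uses example.com as the (redacted) mail domain, and embeds a constructed sample feeder and a constructed ADMIN notifier list.

```python
"""Offline check of the check-in notification routing used by the template.

Added example; not CA PUPM code. Assumptions: the feeder is a CSV with the
same column names as the template's attributes, the mail domain is
example.com, and ADMIN_NOTIFIERS stands in for _util.getNotifiers("ADMIN").
"""
import csv
import io

MAIL_DOMAIN = "example.com"                      # assumed; redacted in the article
ADMIN_NOTIFIERS = ["pupm-admins@example.com"]    # constructed sample notifier list

# Constructed sample feeder rows (not real accounts). Column names follow the
# attributes the template reads via getPrimaryObjectAttribute.
SAMPLE_FEEDER = """\
NAMESPACE,ENDPOINT_NAME,CONTAINER,ACCOUNT_NAME,DISCONNECTED_SYSTEM,DEPARTMENT_INFO,CUSTOM2_FIELD,CUSTOM3_INFO,OWNER_INFO
Windows Agentless,fileserver01,,Administrator,false,Infra,,,alice
Generic,mainframe-legacy,,SYSADM,true,Mainframe,mf-resetters,MF Ops,bob
Generic,plc-line3,,maint,true,OT,,OT Ops,carol
"""


def resolve_recipients(account, admin_notifiers=ADMIN_NOTIFIERS, domain=MAIL_DOMAIN):
    """Mirror the template's _to selection for one check-in event.

    Returns (recipients, problem). problem is None when the template would
    behave as intended, otherwise a short reason the notification is at risk.
    """
    flag = account.get("DISCONNECTED_SYSTEM", "").strip()
    if flag != "true":
        # The template compares against the exact string "true"; a value such
        # as "True" or "yes" silently routes the account to ADMIN instead.
        problem = None
        if flag.lower() in ("true", "yes"):
            problem = f'DISCONNECTED_SYSTEM is {flag!r}; template only matches "true"'
        return list(admin_notifiers), problem

    local_part = account.get("CUSTOM2_FIELD", "").strip()
    if not local_part:
        # The template would build "@domain": undeliverable, and the
        # "password must be changed" notice is lost.
        return [], "disconnected account with empty CUSTOM2_FIELD"
    return [f"{local_part}@{domain}"], None


def audit_feeder(feeder_text):
    """Return (ACCOUNT_NAME@ENDPOINT_NAME, problem) for every row whose
    check-in notification would not reach the intended resetters."""
    problems = []
    for row in csv.DictReader(io.StringIO(feeder_text)):
        _, problem = resolve_recipients(row)
        if problem:
            problems.append((f"{row['ACCOUNT_NAME']}@{row['ENDPOINT_NAME']}", problem))
    return problems


if __name__ == "__main__":
    for ident, why in audit_feeder(SAMPLE_FEEDER):
        print(f"{ident}: {why}")
```

Run it against the feeder you actually load (pass the file contents to audit_feeder) and fix every reported row before enabling check-in notifications; the same function doubles as a quick way to see who will be mailed for a given account without triggering a real check-in.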