Manage PUPM Disconnected Privileged Accounts


Article ID: 49708




Products: CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)



A disconnected privileged account is an account whose password PUPM does not manage. To manage the passwords of these accounts you can create a privileged access role based on "Target System Manager". Users assigned this role must manually reset the passwords of the privileged accounts in their scope. Each time such a privileged account is checked out or checked in, a notification can be triggered automatically to tell the role members that the account was used and its password must be changed.


Follow these steps:

  1. Log into CA Access Control Enterprise Management as a user with administrative privileges.

  2. Go to Users and Roles, Roles, Privileged Access Roles and select Create Role.

  3. Select the Create a Copy of a role option.

  4. Search for the PUPM Target System Manager role.

  5. Keep the following tasks:

    • Manual Password Reset

    • Show Previous Account Passwords

    • View Endpoint

    • View Privileged Account

    • Force Check-In

    • Endpoint Password Restore Point

  6. Specify the appropriate member and scope rules, as follows:

    Member Rule: "Users where MemberOf = AD GROUP"
    Scope Rules: "Endpoint where CUSTOM1_INFO contains STRATUS ACCOUNTS"
                 "Privileged Account where Disconnected System = True AND CUSTOM1_INFO contains STRATUS ACCOUNTS"

  7. Save the role.
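The scope rules from step 6 decide which privileged accounts a member of the copied role can reset. The following added example (not CA's code) evaluates those rules against constructed endpoint and account records, so you can confirm that only disconnected accounts on STRATUS-tagged endpoints fall inside the role's reach; the field names mirror the rule text and the sample data is made up.

```python
# Added example, not part of the CA article: evaluates the role's scope rules
# (endpoint rule AND both account conditions) over constructed records.

ENDPOINT_SCOPE = ("CUSTOM1_INFO", "contains", "STRATUS ACCOUNTS")
ACCOUNT_SCOPE = [("Disconnected System", "=", True),
                 ("CUSTOM1_INFO", "contains", "STRATUS ACCOUNTS")]


def matches(record, cond):
    """Evaluate one 'field op value' condition against a record dict."""
    field, op, value = cond
    actual = record.get(field)
    if op == "=":
        return actual == value
    if op == "contains":
        return isinstance(actual, str) and value in actual
    raise ValueError(f"unsupported operator: {op}")


def in_scope(endpoint, account):
    """True only when the endpoint rule and every account rule hold (AND)."""
    return matches(endpoint, ENDPOINT_SCOPE) and all(
        matches(account, c) for c in ACCOUNT_SCOPE)


# Constructed sample data: endpoints keyed by name, accounts referencing them.
ENDPOINTS = {
    "stratus-db01": {"CUSTOM1_INFO": "STRATUS ACCOUNTS - finance"},
    "linux-web01": {"CUSTOM1_INFO": "LINUX ACCOUNTS"},
}
ACCOUNTS = [
    {"ACCOUNT_NAME": "dba_admin", "endpoint": "stratus-db01",
     "Disconnected System": True, "CUSTOM1_INFO": "STRATUS ACCOUNTS"},
    {"ACCOUNT_NAME": "svc_backup", "endpoint": "stratus-db01",
     "Disconnected System": False, "CUSTOM1_INFO": "STRATUS ACCOUNTS"},
    {"ACCOUNT_NAME": "root", "endpoint": "linux-web01",
     "Disconnected System": True, "CUSTOM1_INFO": "STRATUS ACCOUNTS"},
]


def accounts_in_scope():
    """Names of the accounts the role can manage; all others stay out of reach."""
    return [a["ACCOUNT_NAME"] for a in ACCOUNTS
            if in_scope(ENDPOINTS[a["endpoint"]], a)]


if __name__ == "__main__":
    print(accounts_in_scope())  # ['dba_admin']
```

The connected account on the STRATUS endpoint and the disconnected account on the Linux endpoint are both excluded, which is the least-privilege effect the two rules are meant to produce.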

Email Notifications

By default, PUPM does not trigger an email notification when a privileged account is checked in. That option must be enabled in the Access Control Management Console.

  1. Create a new email template for the CheckInAccountPasswordEvent. Place the template in the following directory:


Following is an example of the email template:

<!--- Define the E-mail Properties --->
<%
   _to = _util.getNotifiers("ADMIN");
   _cc = "";
   _bcc = "";
   // For a disconnected account, send the notice to the resetter team mailbox named in CUSTOM2_FIELD
   if (_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "") == "true") {
      _to = _eventContextInformation.getPrimaryObjectAttribute("CUSTOM2_FIELD", "") + "@<mail domain elided on the source page>";
   }
   _subject = "Password for privileged account " + _eventContextInformation.getPrimaryObjectName() + " was checked back in";
%>
<!--- Start of Body --->
<html>
<head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"></head>
<body text="Navy">
<br>Endpoint Type: <b><%=_eventContextInformation.getPrimaryObjectAttribute("NAMESPACE", "")%></b>
<br>Endpoint Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ENDPOINT_NAME", "")%></b>
<br>Container: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CONTAINER", "")%></b>
<br>Account Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ACCOUNT_NAME", "")%></b>
<br>Disconnected System: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "")%></b>
<br>Account Group: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DEPARTMENT_INFO", "")%></b>
<br>Password Resetter Team: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CUSTOM3_INFO", "")%></b>
<br>Account Owner: <b><%=_eventContextInformation.getPrimaryObjectAttribute("OWNER_INFO", "")%></b>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><a href="">Login here to manually reset the password</a></span></font></p>

</body>
</html>

Note: The attribute names passed to _eventContextInformation.getPrimaryObjectAttribute must match the field names used in the feeder.


Component: SEOSWG