Manage PUPM Disconnected Privileged Accounts

Document ID : KB000049708
Last Modified Date : 14/02/2018

Description:

A disconnected privileged account is an account whose password PUPM does not manage. To manage the passwords for these accounts, you can create a privileged access role "Target System Manager". Users assigned this role must manually reset the passwords for the appropriate privileged accounts. Each time a privileged account is checked out or checked in, a notification can automatically be triggered to inform the role members that the account was used and the password must be changed.

Solution:

Follow these steps:

  1. Log in to CA Access Control Enterprise Management as a user with administrative privileges.

  2. Go to Users and Roles, Roles, Privileged Access Roles and select Create Role.

  3. Select the Create a Copy of a role option.

  4. Search for the PUPM Target System Manager role.

  5. Retain only the following tasks in the copied role:

    • Manual Password Reset

    • Show Previous Account Passwords

    • View Endpoint

    • View Privileged Account

    • Force Check-In

    • Endpoint Password Restore Point

  6. Specify the appropriate member and scope rules, as follows (AD GROUP is a placeholder for the Active Directory group whose members may reset the passwords):

    Member Rule:  Users where MemberOf = "AD GROUP"
    Scope Rules:  Endpoint where CUSTOM1_INFO contains "STRATUS ACCOUNTS"
                  Privileged Account where Disconnected System = True AND CUSTOM1_INFO contains "STRATUS ACCOUNTS"

  7. Save the role.

Email Notifications

By default, PUPM does not trigger an email notification when a privileged account is checked in. That option must be enabled in the Access Control Management Console.

  1. Create a new email template for the CheckInAccountPasswordEvent. Place the template at the following path:

    JBOSS_HOME\server\default\deploy\IdentityMinder.ear\custom\emailTemplates\default\completed\CheckInAccountPasswordEvent.tmpl

Following is an example of the email template:

<!-- Define the e-mail properties -->
<%
   // Default recipients: the administrators registered as "ADMIN" notifiers.
   _to = _util.getNotifiers("ADMIN");
   _cc = "";
   _bcc = "";
   // For a disconnected account, route the notification to the resetter mailbox
   // held in CUSTOM2_FIELD instead. Compare the attribute by value (equalsIgnoreCase),
   // not with ==, which compares object references and silently never matches.
   if ("true".equalsIgnoreCase(_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", ""))) {
      _to = _eventContextInformation.getPrimaryObjectAttribute("CUSTOM2_FIELD", "") + "@mydomain.com";
   }

   _subject = "Password for privileged account " + _eventContextInformation.getPrimaryObjectName() + " was checked back in";
%>
<!-- Start of body -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</head>

<body text="Navy">
<br>Endpoint Type: <b><%=_eventContextInformation.getPrimaryObjectAttribute("NAMESPACE", "")%></b>
<br>Endpoint Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ENDPOINT_NAME", "")%></b>
<br>Container: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CONTAINER", "")%></b>
<br>Account Name: <b><%=_eventContextInformation.getPrimaryObjectAttribute("ACCOUNT_NAME", "")%></b>
<br>Disconnected System: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DISCONNECTED_SYSTEM", "")%></b>
<br>Account Group: <b><%=_eventContextInformation.getPrimaryObjectAttribute("DEPARTMENT_INFO", "")%></b>
<br>Password Resetter Team: <b><%=_eventContextInformation.getPrimaryObjectAttribute("CUSTOM3_INFO", "")%></b>
<br>Account Owner: <b><%=_eventContextInformation.getPrimaryObjectAttribute("OWNER_INFO", "")%></b>

<p><font size=2 face=Arial><a href="https://acentm.com/iam/ac">Login here to manually reset the password</a></font></p>

</body>
</html>

Note: The attribute names passed to _eventContextInformation.getPrimaryObjectAttribute must match the field names used in the feeder file that loaded the privileged accounts; an attribute that is not populated by the feeder renders as the empty default.
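The recipient-routing rule in the template above, reimplemented in Python as an added example (this is not CA/Broadcom code and does not run inside PUPM) so the logic can be checked before the template is deployed. The CheckInEvent class, DEFAULT_NOTIFIERS and the sample attribute values are constructed stand-ins for _eventContextInformation and _util.getNotifiers("ADMIN"); the attribute names are the feeder field names the template uses. It adds one piece of hardening the template does not have: an empty CUSTOM2_FIELD falls back to the ADMIN notifiers instead of building the undeliverable address "@mydomain.com".

```python
from dataclasses import dataclass, field


@dataclass
class CheckInEvent:
    """Constructed stand-in for _eventContextInformation: the checked-in account's
    name plus its primary-object attributes, keyed by the feeder field names."""
    name: str
    attributes: dict = field(default_factory=dict)

    def get_primary_object_attribute(self, key: str, default: str = "") -> str:
        return self.attributes.get(key, default)


# Assumed stand-in for what _util.getNotifiers("ADMIN") returns in PUPM.
DEFAULT_NOTIFIERS = ["pupm-admins@example.com"]
MAIL_DOMAIN = "mydomain.com"  # domain the template appends to CUSTOM2_FIELD

# Body fields of the template, in order: (label, feeder attribute name).
BODY_FIELDS = [
    ("Endpoint Type", "NAMESPACE"),
    ("Endpoint Name", "ENDPOINT_NAME"),
    ("Container", "CONTAINER"),
    ("Account Name", "ACCOUNT_NAME"),
    ("Disconnected System", "DISCONNECTED_SYSTEM"),
    ("Account Group", "DEPARTMENT_INFO"),
    ("Password Resetter Team", "CUSTOM3_INFO"),
    ("Account Owner", "OWNER_INFO"),
]


def is_disconnected(event: CheckInEvent) -> bool:
    """Value comparison, tolerant of 'true'/'True'/'TRUE' as written by the feeder."""
    value = event.get_primary_object_attribute("DISCONNECTED_SYSTEM", "")
    return str(value).strip().lower() == "true"


def route_checkin_notification(event, default_notifiers=DEFAULT_NOTIFIERS, domain=MAIL_DOMAIN):
    """Return (recipients, subject) for a check-in event.

    Disconnected accounts are routed to the resetter mailbox named in CUSTOM2_FIELD;
    all other accounts go to the ADMIN notifiers. Added hardening: a blank
    CUSTOM2_FIELD also falls back to the notifiers, so nobody is left unnotified."""
    recipients = list(default_notifiers)
    if is_disconnected(event):
        resetter = event.get_primary_object_attribute("CUSTOM2_FIELD", "").strip()
        if resetter:
            recipients = [f"{resetter}@{domain}"]
    subject = f"Password for privileged account {event.name} was checked back in"
    return recipients, subject


def render_body(event: CheckInEvent) -> str:
    """Plain-text rendering of the template body: one 'Label: value' line per field."""
    lines = [f"{label}: {event.get_primary_object_attribute(attr, '')}" for label, attr in BODY_FIELDS]
    lines.append("Login here to manually reset the password: https://acentm.com/iam/ac")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a disconnected account loaded by the STRATUS feeder.
    sample = CheckInEvent("svc_stratus_backup", {
        "NAMESPACE": "Generic",
        "ENDPOINT_NAME": "stratus-01",
        "ACCOUNT_NAME": "svc_stratus_backup",
        "DISCONNECTED_SYSTEM": "true",
        "CUSTOM1_INFO": "STRATUS ACCOUNTS",
        "CUSTOM2_FIELD": "stratus-resetters",
        "CUSTOM3_INFO": "Stratus Ops",
        "OWNER_INFO": "J. Doe",
    })
    to, subject = route_checkin_notification(sample)
    print("To:", ", ".join(to))
    print("Subject:", subject)
    print(render_body(sample))
```

Run the file directly to see the notification a disconnected STRATUS account would produce; the routing function is the part to carry over into the template, where the same comparison is written with equalsIgnoreCase.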