Layer7 Privileged Access Management


CA PAM: How are break glass/reconciliation accounts configured in CA PAM?

  • 1.  CA PAM: How are break glass/reconciliation accounts configured in CA PAM?

    Posted 04-18-2016 02:16 AM

    In a scenario where all the privileged accounts are managed by CA PAM and, for some reason, the PAM appliance is down during business hours while administrators need to access the target systems for various issues, how can we achieve that?



  • 2.  Re: CA PAM: How are break glass/reconciliation accounts configured in CA PAM?
    Best Answer

    Posted 04-26-2016 10:42 AM

    saush02,

         That is a very common question that I have experienced when deploying CA PAM. The answer really depends on the enterprise's security requirements. Some of the sites that I have worked with have created master accounts for each of their primary systems (LDAP, TACACS, Linux, SQL...) and set these accounts up in PAM with Password View Policies that do not rotate the account. Then they have had a designated 'Trusted Agent' print or copy these accounts and passwords and store them in a security envelope in a safe or sufficiently secured area that meets enterprise security requirements.

         Others have used the Credentials Management command line tools (Reference the CA-PAM_CM_Implementation_Guide-v2.pdf) to export specific accounts on a regular basis and save them, while keeping the password expiration implemented and updating their break glass accounts according to the credential rotation schedule.  This is really something that needs to be discussed internally within the organization.

         Proper deployment and management of PAM can help reduce outages with cluster replication and true redundant systems for management (i.e. power, infrastructure, alternate site, etc.).

     

    v/r

    David



  • 3.  Re: CA PAM: How are break glass/reconciliation accounts configured in CA PAM?

    Posted 04-22-2019 08:11 AM

    Can you please explain this to me:

    "Password View Policies that do not rotate the account, then they have had a designated 'Trusted Agent' print or copy these accounts and passwords, store them in a security envelope in a safe or sufficiently secured area that meets enterprise security requirements."

    Is it possible to view the list of passwords of the device?
    Is it possible to print the passwords of all the target group of devices?

    Please help me.

    Thank you in advance



  • 4.  Re: CA PAM: How are break glass/reconciliation accounts configured in CA PAM?

    Posted 05-05-2016 04:49 AM

    Hi Shubham,

    Is your question answered? If yes, can you please mark it as answered?

    Thank you,

    Lluis Domenech

    CA Support Delivery Manager