It is possible to provision a target account of a disconnected endpoint? something like how in CA PIM.
the reason is, what we have a customer that wish store only credentials with out to provisioning endpoints.The cause of this, is can to apply view policies and to execute check in/ check out.
Please let me to know.
Hi Adolfo, Every target account in PAM has to be associated with a target application, and the target application with a device. You can define one fake device, a target application of type Generic for this device, and then create the target accounts for this target application.
Yes, i had did that test, but it don´t work. CA PAM Show a error when apply some view policy, please refer to attached image.
How you can synchronize in this case the target account, if the device is fake?
Adolfo, I have to ask back: How would you synchronize an account if you don't want any reference to where it comes from/is stored? Obviously in that case you cannot synchronize it. If you want to synchronize it you must configure a device and a target application of the correct type so that PAM knows where to go and what method to use to update the account password in whatever credential source it belongs to. Can you define your use case more clearly? Credentials that are stored in PAM only and don't exist anywhere else cannot be of use to anyone.
Yes i know, but the case is, we need store a credential of a disconnected target in CA PAM like a Vault,but, if you review the last message, i try to assign a View Policy (is necessary) to the target account, but CA PAM shows Error. I wan't to synchronize neither account, it was a example that mean that is necessary that exist a real device for can synchronize any credentials. In the last example we try with a fake device but it don`t work. In conclusion, it is possible store a credencial in CA PAM like a Vault? like a CA PIM?
Hi Adolfo, Yes, you can store unsynchronized passwords, but then you cannot associate it with a password view policy that has any "Change Password on …” option set, because you don't know how to change the password. You say you don't want it synchronized. So why would you want to associate it with such a PVP? It still doesn't make sense to me.
The reason is that customer wish change the credential on view and when some user do check in or check out.
Adolfo, But if PAM changes the password without changing credentials anywhere else, how would anybody use the account? What would they check it out for?
Of the same way than ca pim in Disconnected Endpoint.
El mié., 8 de ago. de 2018 8:40 PM, prira01 <
CA Communities <https://communities.ca.com/?et=watches.email.thread>Re: Target Account disconnected reply from Ralf Prigl<https://communities.ca.com/people/prira01?et=watches.email.thread> in *CAPrivileged Access Management* - View the full discussion<https://communities.ca.com/message/242133887-re-target-account-disconnected?commentID=242133887&et=watches.email.thread#comment-242133887>
CA Communities <https://communities.ca.com/?et=watches.email.thread>
Re: Target Account disconnected
reply from Ralf Prigl
<https://communities.ca.com/people/prira01?et=watches.email.thread> in *CA
Privileged Access Management* - View the full discussion
Hello Ralf,Sorry, i haven't explain me very well, the intention is Every time that change the password for a privileged account on a disconnected endpoint in CA PAM , the custumer must also manually change the account password on the unmanaged endpoint. For that reason is necessary to apply a PVP to credential in CA PAM.
Hi Adolfo, a target application of type "Xsuite API Key” lets you turn on the synchronize option and associate it with a "Change Password in View” policy. This can be tied to a fake device. For API keys PAM is the credential source and store. But your use case still doesn't make sense to me. A "Change Password on View” policy will change the password AFTER the user views it. So the user cannot set the new password, only the old one. If he views the new password later on, PAM will kick off another job to change it again. PAM and manually updated accounts on disconnected devices will never be in sync, except for the short time between when the password is viewed (and used to change the password on the disconnected device) and when the scheduled job updates it. What am I missing?
Yes you are right, no make a sense to apply PVP if the customer have to change manually the credentials.
Thanks for your help.