Symantec Privileged Access Management

Expand all | Collapse all

Password Policy at PMDB level

  • 1.  Password Policy at PMDB level

    Posted 11-21-2016 08:38 AM



    Setting up password policy at PMDB level is good idea ?

    Many PROD servers are connected with PMDB.


    When i set password policy on a particular server, every time due to gracelogin the users is unable to login.

     I tried to ignore gracelogin by doing grace- in pass policy but still , the user is only able to login once.

    How could i ignore gracelogin when i apply pass policy in seos.


    Thanks in advance.



  • 2.  Re: Password Policy at PMDB level

    Posted 11-21-2016 08:40 AM

    gracelogin becomes 0.

    I can set gracelogin as higher number but i dont want any limit for gracelogins...

  • 3.  Re: Password Policy at PMDB level

    Broadcom Employee
    Posted 11-22-2016 09:59 AM

    Hi TeamV,


    Using PMDB to manage your password policy is neither 'good' nor 'bad'. Most customers seem to prefer to use the newer Advanced Policy Management (APM) instead, but both options should work and it is really a matter of which way you prefer to manage the policy.


    According to the documentation the grace value must be between 0 and 255. When you think about what a grace login actually is, it makes more sense (to me at least) that you wouldn't want to have this unlimited for a few reasons.

    1- It may directly go against a corporate password policy.

    2- It would allow users the unlimited ability to use an expired password without having to change it. Why bother having a password expiration if you are going to negate it by allowing someone to keep using it forever?


    You should consider using interval- to remove the password expiration instead.


    • grace(nLogins)
      Sets the maximum number of grace logins that are permitted before the user is suspended. The number of grace logins must be from 0 through 255 inclusive.

    setoptions Command Set Options - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documentation 


    Hope this helps,


  • 4.  Re: Password Policy at PMDB level

    Posted 11-23-2016 02:45 AM

    Thanks for the reply Chris.


    The challenge here is,

    We already have subscribers on PMDB and if we deploy password policy at PMDB, it will set the grace login as the number we will set and the users must change the password before the grace login becomes 0.

    This case is okay for all the users who can change the password but what about the batch users or any applications users which may use new session for every login, for these users, password must be changed with sepass command and if not then application or batch or cron may be down.

    Please correct if i am wrong.

    If there any way, that we can set the password policy but users does not have dependency to change their password immateriality ?





  • 5.  Re: Password Policy at PMDB level

    Posted 11-23-2016 02:46 AM

    Read the last word as Immediately.