Hi Fumiko, Credential Manager roles, target groups and user groups are discussed in detail in our online documentation. Here is a brief summary to allow users access to a configured set of accounts:
- Create a CM role (Credentials > Manage Credential Groups > Credential Roles) that allows listing and updates of target accounts. An example for a set of privileges in a role that lets you view, verify and update target accounts would be "getMostRecentPasswordHistory,getPasswordHistory,getPasswordViewPolicy,getTargetAccount,listTargetAccounts,searchTargetAccount,searchTargetApplication,searchTargetServer,updatePasswordHistory,updateTargetAccount,updateTargetAccountPassword,verifyAccountPassword,viewAccountPassword". Depending on your use cases, you may want to use a different set of privileges.
- Create a target group (Credentials > Manage Targets > Target Groups) and configure it to include all accounts that you want a specific user or user group to be able to manage. When you create a new target group, you will see what possibilities you have; I won't go into detail here.
- Create a CM group (Credentials > Manage Credential Groups > Credential Groups) and assign it the new role and target group.
- Edit the user(s) of interest, add the Password Manager role under Roles, and specify the new CM group under "Credential Manager Groups". Now log in as that user and verify that you can manage the target accounts included in the new target group, and only those. These accounts will also be available to the user for device access.
Original Message:
Sent: 09-12-2019 08:18 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password
Hi Ralf,
Thank you for your helpful response.
Your guess is totally correct.
>Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?
Yes.
>We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
Maybe that is what you want.
Yes, I think so.
Please let me know how I should configure Credential Manager roles.
I will try to check the operation on my machine before providing a solution to my customer.
Thank you in advance.
Fumiko
Original Message:
Sent: 09-11-2019 10:29 AM
From: Ralf Prigl
Subject: Dual authorization without setting a password
Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password
Hi All,
Please let me know if I can provide a solution.
My customer wants to do the below.
- definitely use "dual Authorization" when using an AD account.
- the password of the AD account is changed by the user (not PAM).
*PAM can hold the password, but there will be mismatch someday.
The user knows the password, so it is OK to enter a password when connecting.
*I understand it is abnormal (Normally, the user does not know the password).
Do you have any good ideas for solving my customer's wish?
Thank you in advance.
Fumiko Nishimura
------------------------------------------------
Sep 11, 2019
Is there anyone who knows about that?
Could you please tell me what I should do?