Symantec Privileged Access Management

PAM (Ver.4.0.2)'s Password History window.

MARUBUN SUPPORT posted Dec 05, 2022 03:07 AM
Hi Supports,

I have a question about CA Privileged Access Manager (Ver.4.0.2)'s Password History.
(cf. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-2/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/Configure-a-PAM-User-to-View-the-Password-History-of-Target-Accounts.html)

"ScheduledJob" is displayed in place of "Changed By" in the Password History window.
Please tell me the reason why "ScheduledJob" is displayed and the timing (condition) when it changes to the changed user name.

Best Regards,
Marubun Support
Broadcom Employee Joseph Fry
If I am understanding your question correctly, the reason you see scheduledjob as the "changed by" is because the password was changed by a scheduled job.

Scheduled jobs are used any time PAM changes the password in response to a Password View Policy. The only time you would see a user name in the "changed by" field is if a PAM administrator explicitly changed the password.

Keep in mind that non-admin users cannot change passwords, so only admin users or scheduled job will ever appear here.

NOTE: the above is accurate to the best of my understanding; I haven't verified it.
MARUBUN SUPPORT
Hi Joseph-San,

Thank you for your response.

I have one question about "Scheduledjobs".

When a non-admin changes the password, "Scheduledjobs" appears in the "Changed By" field of Password History.
I think that even if "Scheduledjobs" is displayed in the "Changed By" field, the PIM administrator actually changed the password (only the notation is "Scheduledjobs").
Is it correct?

Best Regards,
MARUBUN SUPPORT
Broadcom Employee Ralf Prigl
Hello,

Can you clarify what you mean by "non-admin"? Only a PAM user with administrative rights can initiate a password update. I suspect you are confusing the user that initiates a workflow with the target account that is used to update the password of another target account, or maybe updates its own password.

The "Changed By" column refers to who initiated the workflow in PAM, not which account logged on to the credential source to perform the update. If you are logged on to PAM as user "super" and update a target account password, then "Changed By" will be "super". If you have a scheduled job defined that updates all accounts in a target group, then the scheduled job initiates the workflow, rather than a PAM user, and "Changed By" will be "ScheduledJob" for all account updates performed by the scheduled job.