
Onboard accounts in vault

Accounts can authenticate using passwords, SSH keys or secrets-based authentication. Keys and secrets are collectively referred to as secrets in this documentation. Sectona can securely store key-based credentials and rotate secrets automatically according to password rotation policies.

Normally, an SSH key consists of a pair: a public key and a private key. SSH keys are used to authenticate to a remote machine without entering a password. SSH keys are more secure than traditional passwords because the generated private key is never shared. The private key itself is also encrypted with a password to hide its contents. The system can save the private key along with its passphrase and can also rotate the private key along with the passphrase. SSH key management is supported on the following platforms that support OpenSSH: Red Hat, Solaris, HP-UX and IBM AIX.

This section describes in detail the following:

Add an account via application interface

To add a local account from the account management interface, follow the below steps:

  • Login to the system and select EPM from the product navigator.

  • Click on Manage → Manage Accounts from the sidebar → All Accounts to open the accounts inventory page.

  • Click on the +Add Account button → New Account from the drop-down menu.

  • On the opened New Account form, enter the details.
  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

To add a local account from the asset management interface, follow the steps below:

  • Login to the system and select EPM from the product navigator.

  • Navigate to Manage → Select Manage Assets → All Assets to open the assets inventory page.

  • Click on the (3 dot) more options icon of the asset to which you want to add the account and select Associate Accounts.
  • You will be redirected to the accounts page of the selected asset host-name.

  • Click on the + Add New Account button to add a new account and fill in the credentials, or edit existing accounts linked to the selected asset.

  • Click on the Save button and select the Save option → The account is now on-boarded in the system.

General Parameters for on-boarding an account

Attribute: Description

  • Account Name: Enter the privileged account name.

  • Account Owner (optional): Enter the account owner name.

  • Host Name: Select the host name from the drop-down list.

  • Account Category: Select an account category, such as “Interactive account” or “Service account”.

  • Tags (optional): You can associate an account with one or more tags, such as Infosec, Banking Core Server, ATM Switches, etc. Refer to the section Tags for more information about adding context with tags.

  • Status: By default, an account’s status is active. You can deactivate an account if it is not going to be used anymore. For example, if an application team user is leaving the organization, you can disable his/her account in the system to ensure that it is not used by any other user, while the previous trails and logs associated with that account remain available in the system.

  • Password: Enter the password for the account.

  • Enforce Password Change (optional): Enabling this option includes the account by default in the scheduled password rotation job. You can disable this option by unchecking the Active checkbox to exclude the account from the scheduled password rotation job.

Adding accounts in bulk

Sectona PAM platform provides an option to on-board multiple accounts in the system manually using the bulk import option. Follow the below steps to bulk on-board accounts in the system:

  • Login to the system and select EPM from the product navigator.

  • Click on Manage → Manage Accounts from the sidebar → All Accounts to open the accounts inventory page.

  • Click on the +Add Account button → select Import Bulk Accounts.

  • On the new page → Select the desired Account Category (Interactive Account or Service Account).

  • Tags (optional): Add relevant tags to this user. Refer to the section Tags for more information about adding context with tags.

  • Enable Enforce Password Change to include the accounts in the schedule-based password change job.

  • Toggle this option to keep the accounts active in the system.

  • Download the Import format by clicking on the Download format button.

Follow the steps below to fill in the Import format sheet and upload the data to the system:

  • Open the downloaded Import format.

  • Enter the Asset Type, such as Windows server or Unix Based.

  • Enter the Host-name/IP (specify any one of them).

  • Enter the DB Instance (optional). This is required only if the account is being on-boarded for a Database asset.

  • Enter the Account Name followed by the Password.

  • Enter the Access Key and Secret Access Key (only applicable if the account authentication type is selected as Key Based + Secret Key).

  • Select all the columns and copy them from the sheet.

  • Click on the Next button → Paste the copied text → Click on the Next button → Review the list of accounts and click Finish to on-board the list of accounts in the system.

Using the bulk method, you can upload up to 1000 accounts at a time.

For Key Based authenticated accounts, only the asset details and account names need to be filled in the Import format sheet; the Key can be uploaded from the web portal directly.
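A pre-flight check for the rows copied out of the Import format sheet, as an added example (not Sectona's code). The tab-separated layout and the column order are assumptions taken from the order in which the steps above list the fields; the sample rows are constructed.

```python
"""Pre-flight check for rows copied from the bulk import sheet (added example)."""

# Assumed column order (the order the steps on this page list the fields in);
# confirm it against the downloaded Import format before relying on this.
COLUMNS = ["asset_type", "host", "db_instance", "account_name",
           "password", "access_key", "secret_access_key"]
MAX_ROWS = 1000  # per-import limit stated on this page


def check_rows(pasted: str, key_based: bool = False) -> list:
    """Return a list of problems; an empty list means the paste looks importable.

    Messages carry row numbers and field names only, never secret values.
    Set key_based=True when the key is uploaded from the web portal instead.
    """
    problems, seen = [], set()
    rows = [line for line in pasted.splitlines() if line.strip()]
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceeds the {MAX_ROWS}-account limit")
    for n, line in enumerate(rows, start=1):
        cells = [c.strip() for c in line.split("\t")]
        cells += [""] * (len(COLUMNS) - len(cells))  # pad short rows
        row = dict(zip(COLUMNS, cells))
        for field in ("asset_type", "host", "account_name"):
            if not row[field]:
                problems.append(f"row {n}: {field} is empty")
        if not key_based and not row["password"]:
            problems.append(f"row {n}: password is empty")
        # Sanity check assumed here: the two key fields come as a pair.
        if bool(row["access_key"]) != bool(row["secret_access_key"]):
            problems.append(f"row {n}: access key and secret access key must both be set")
        ident = (row["host"].lower(), row["db_instance"].lower(), row["account_name"].lower())
        if ident in seen:
            problems.append(f"row {n}: duplicate account for this host")
        seen.add(ident)
    return problems


# Constructed sample rows (tab-separated, as a spreadsheet copy produces).
SAMPLE = (
    "Unix Based\t10.0.0.5\t\troot\tExample-Pass-1\n"
    "Windows server\tfs01.example.internal\t\tsvc_backup\t\n"
    "Unix Based\t10.0.0.5\t\troot\tExample-Pass-2\n"
)

if __name__ == "__main__":
    for problem in check_rows(SAMPLE):
        print(problem)
```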

Account on-boarding via account discovery

There are two scenarios of on-boarding accounts via account discovery:

  • Configuring a new discovery job and on-boarding newly discovered accounts

  • On-boarding existing discovered accounts from discovery view

Configuring a new account discovery job and on-boarding discovered accounts

  • Login to the system and select EPM from the product navigator.

  • Navigate to Manage → Select Manage Accounts → Account Discovery to open assets inventory page.

  • Click on Account and then click on +Add Account Discovery.

  • Job Title: enter a desired job title.

  • Asset Type: select an asset type associated with the selected asset category.

  • Discovery Job Onboard Account is set when an account’s status is active; you can deactivate an account if it's not going to be in use anymore.
  • Schedule Type: select Once to run the job one time. Select Recurring followed by a Recur Every value to run the job on a schedule.

  • Task Start: select the date from which the discovery job process should be enabled (only applicable for a scheduled discovery job).

  • Schedule Time: select the time at which the discovery job should trigger (only applicable for a scheduled discovery job).

  • Account Onboarding: toggle to the Yes (Reset Password) option to automatically onboard the discovered accounts in the system directly. Select No to only discover the accounts.

  • Exclude Account(s): enter one or more account names that you want to exclude from the discovery job, in comma-separated format, like admin, administrator, etc.

  • Tags (optional): Add relevant tags to this user. Refer to the section Tags for more information about adding context with tags.
  • Account Category: Select an account category, such as “Interactive account” or “Service account”.

  • Enforce Password Change: enable to include the accounts in the schedule-based password change job.
  • Owner: enter the name of the account owner (only applicable if Onboard Accounts is selected as Yes).
  • Toggle this option to keep the accounts active in the system.
  • Click on the Save button and select Save + Run Now option to trigger the discovery job immediately.

  • To onboard the discovered accounts, follow the below steps:

If you have chosen Yes in the onboard accounts field, the system will reset the current password for the discovered accounts.

On-boarding manually existing discovered accounts from discovery view

  • Login to the system and select EPM from the product navigator.
  • Navigate to Manage → Select Manage Accounts → Account Discovery to open assets inventory page.
  • A list of discovered Assets and Accounts will be displayed.

  • Click on the Accounts tab to open the list of discovered accounts.

  • Select the Onboard option.

  • A pop-up will open. Enter the account password → Click on Save and select the Save option to onboard the account in the system.

Account on-boarding via management APIs

Refer to the section Develop to work with management APIs to allow onboarding of accounts via management APIs.
