Configuring password rotation policy

Changing and resetting privilege account passwords frequently reduces the risk of password misuse and to meet the compliance. Sectona PAM platform password rotation policy is designed to achieve the same. By configuring flexible password rotation policies you can enable privileged account password change or reset scheduled jobs.

This section demonstrates the following:

Before you begin

Ensure you have configured a password policy to link with the rotation policy. Refer to Configuring password policy
Ensure you have the PasswordManagementService app service started to push schedule.

Configuring a new password rotation policy

Login as an admin user.
Navigate to Policies → Click on Rotation Policy from the Password Management section.
Click on +Add Rotation Policy.
Policy name: Enter a desired name for the policy.
Rotate password: Enable this option and select a rotation time interval for setting up the rotation policy trigger interval.
You can schedule the rotation policy to trigger in one of the following ways:
Once: Triggers the password rotation policy on very immediate PasswordManagementService App Service trigger.
Daily: Triggers the policy on every 24 hours from start date and time.
Weekly triggers the policy on every 7 days from start date and time.
Monthly triggers the policy on every 30 days from start date and time.
Recur every default value=1. You can define your desired Recur Every value for recurrences like every 1 month or every 2 weeks.
Schedule time uncheck any checkbox to select the desired time in which the policy should get triggered. You can keep this value as any to trigger the policy as per the PasswordManagementService trigger time.
Start on select start day for policy to be activated. Default is next day.
Valid till (optional) only enable if you want the rotation policy to stop rotating passwords after a certain number of days.
Password policy select a configured password policy from the drop-down list.
Reset Password for Out of Sync accounts Use this option when you do want the password to be reset by a password rotation policy . You will need an admin-level management account preconfigured to perform this operation.
Tick the Enforce Rotation After Every Session checkbox in you want to change the password of your account after every session. Mention the accounts that you want to exclude from this configuration in Exclude Account(s) text filed.
Click on the Save button to save the policy configuration.

Modifying existing password rotation policy

Login as an admin user.
Navigate to Policies → Click on Rotation Policy from Password Management section.
Click on a rotation policy name which you want to modify.
After modifying the rotation policy click on the Update button to save the changes.

Viewing linked assets of the rotation policy

You can check the list of assets that have been assigned a particular rotation policy. This highlight will help you to get a consolidated view of assets with the same rotation policy. In addition to this, you will get information such as the Asset Type, Asset Category, Hostname, and IP Address of the asset.

To view the list of linked assets, follow the steps below:

Navigate to the policy option and select the rotation policy from the sidebar.
Select the policy on which you want permissions and click on the 'action' icon.
Click on the Linked Assets option from the drop-down list.
A new page will appear in front of you with a list of assets linked with the rotation policy.

Description	Representation
Action

While password rotation is configured through PAM, it is recommended to disable the "change password on next login" policy on target servers and devices. We recommend naming the rotation policies based on the associated Asset Types for which the policy is configured. To enable rotation policy as per the defined parameters, you need to start PasswordManagementService in App Services.