
Onboarding accounts in vault

Sectona Privileged Access Management platform provides the option to onboard accounts manually, via discovery, using bulk import methods, or using management APIs.

Accounts can authenticate using passwords, SSH keys or secrets-based authentication. Keys and secrets are collectively referred to as secrets in this documentation. Sectona provides the capability to work with secure storage of key-based authentication and rotation of secrets automatically as per password rotation policies.

An SSH key pair consists of a public key and a private key. SSH keys authenticate a user to a remote machine without entering a password. They are more secure than traditional passwords because the generated private key is never shared; in addition, the private key itself is encrypted with a passphrase to protect its contents. The system can store the private key together with its passphrase and rotate both the private key and the passphrase. SSH key management is supported on the following platforms running OpenSSH: Red Hat, Solaris, HP-UX and IBM AIX.

This section describes the following in detail:

Add an account via application interface

To add a local account from the account management interface, follow the steps below:

  • Log in as an admin user.

  • Navigate to Manage → Accounts to open the accounts inventory page.

  • Click on the + Add New Account(s) button and select the New Account option.

  • Select an Asset Category and Asset Type → Click on the host-name of the asset on which you want to add a new account.

  • You will be redirected to the Accounts page of the selected asset host-name.

  • Click on the + Add New Account button and fill in the credentials.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

To add an Active Directory-based account from the account management interface, follow the steps below:

  • Log in as an admin user.

  • Navigate to Manage → Accounts to open the accounts inventory page.

  • Click on the + Add New Account(s) button and select the New Account option.

  • Select Asset Category = Directory Server and Asset Type = Windows Active Directory.

  • Click on the Host-name/Domain name.

  • You will be redirected to the Accounts page.

  • Click on the + Add New Account button and fill in the details.

  • Click on the Save button and select the Save option → the account will be on-boarded on the Active Directory server.

  • To link this account to target servers, click on the Action arrow of the account and select the Manage Linked Assets option.

  • A list of all the assets in the system will be populated on the right side.

  • Select the assets on which you want to add this account and click on Save.

To add a local account from the asset management interface, follow the steps below:

  • Log in as a PAM admin user.

  • Navigate to Manage → select Asset Management to open the assets inventory page.

  • Click on the Action arrow of the asset on which you want to add the account and select the Manage Linked Account option.

  • You will be redirected to the accounts page of the selected asset host-name.

  • Click on the + Add New Account button and fill in the credentials.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

To add an Active Directory-based account from the asset management interface, follow the steps below:

  • Follow the first two steps as above.

  • Search for the Directory Server in the asset list.

  • Click on the Action arrow and select the Manage Linked Account option.

  • You will be redirected to the accounts page.

  • Click on the + Add New Account button and fill in the credentials.

  • Click on the Save button and select the Save option → the account is now on-boarded in the system.

  • To link this account to target servers, click on the Action arrow of the account and select the Manage Linked Assets option.

  • A list of all the assets in the system will be populated on the right side.

  • Select the assets on which you want to add this account and click on the Save button.

General Parameters for on-boarding an account

Attribute / Description

Account Type

Select an account type, such as "AD Account" or "Local" account.

Authentication Type

Select the method of authentication used for the account: "Key Based", "Password" or "Key Based + Secret Key".

  • Password: provide the password of the account.

  • SSH Key: upload the SSH key.

  • Key Based + Secret Key: provide the keys as issued by the other application.

Account Name

Enter the privileged account name.

Password

Enter the password for the account.

Owner (optional)

Enter the account owner's name.

Account Category

Select an account category: "Interactive account" or "Service account".

Only Console Access (optional)

Applicable to console-based access such as SQL*Plus over SSH. The user will need to select a Console Account from the drop-down list for Console Access.

Enforce Password Change (optional)

Enabling this option includes this account by default in the scheduled password rotation job.
You can disable this option by unchecking the Active checkbox to exclude the account from the scheduled password rotation job.

Tags (optional)

You can associate an account with one or more tags, such as Infosec, Banking Core Server, ATM Switches, etc.
Refer to the section Tags for more information about adding context with tags.

Status

By default, an account's status is active; you can deactivate an account if it is no longer going to be used.

For example, if an application team user is leaving the organization, you can disable their account in the system to ensure it is not used by anyone else, while the previous trails and logs associated with that account remain in the system.

Adding accounts in bulk

The Sectona PAM platform provides an option to on-board multiple accounts in the system manually using the bulk import option. Follow the steps below to bulk on-board accounts in the system:

  • Log in as an admin user.

  • Navigate to Manage → from the Account Management section select Accounts.

  • Click on + Add New Account(s) and select the Import Bulk Accounts option.

  • A pop-up will open → select the desired Account Category: Interactive Account or Service Account.

  • Select an Authentication type for your accounts: Password, Key Based or Key Based + Secret Key.

  • Tags (optional): add relevant tags to these accounts. Refer to the section Tags for more information about adding context with tags.

  • Enforce Password Change: enable this to include the accounts in the schedule-based password change job.

  • Select the static account group to which you want to add the on-boarded accounts from the Linked Account Group drop-down list.

  • Active: check this option to keep the accounts active in the system.

  • Download the Import format by clicking on the Download format button.

Follow the steps below to fill in the Import format sheet and upload the data into the system:

  • Open the downloaded Import format.

  • Enter the Asset Type, such as Windows server or Unix Based.

  • Enter the Host-name/IP (specify either one).

  • Enter the DB Instance (optional); this is required only if the account is being on-boarded for a Database asset.

  • Enter the Account Name followed by the Password.

  • Enter the Access Key and Secret Access Key (only applicable if the account authentication type is selected as Key Based + Secret Key).

  • Select all the columns and copy them from the sheet.

  • On the PAM web console click on the Next button → paste the copied text → click on the Next button. Review the list of accounts and click Finish to on-board the list of accounts into the system.

Using the bulk method, you can upload up to 1000 accounts at a time.

For Key Based authenticated accounts, only the asset details and account names need to be filled in the Import format sheet; the key can be uploaded from the web portal directly.
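Pasting a sheet that is missing a password, a DB Instance or the 1000-row limit is only discovered at the Review step, so it is worth checking the copied text first. The following is an added example (not part of the Sectona documentation or product) that pre-flights the copied Import format text before it is pasted into the web console. It assumes the columns are copied tab-separated, in the order listed above and including the header row; the column names, the "database" asset-type heuristic and the sample rows are constructed for the example.

```python
"""Pre-flight check for a copied bulk account Import format sheet.

Added example, not Sectona's own code. Assumptions: the sheet is copied
tab-separated with its header row, in the column order documented above,
and the Authentication type chosen in the pop-up is passed in as a string.
"""
import csv
import io

MAX_ROWS = 1000  # the documented limit for one bulk upload

# Assumed column order of the downloaded Import format
COLUMNS = ["Asset Type", "Host-name/IP", "DB Instance", "Account Name",
           "Password", "Access Key", "Secret Access Key"]


def parse_sheet(text):
    """Parse the tab-separated text copied from the sheet into row dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    if reader.fieldnames is None or [c.strip() for c in reader.fieldnames] != COLUMNS:
        raise ValueError("unexpected header row; download a fresh Import format")
    # Missing trailing cells come back as None; normalise everything to str
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def validate_sheet(text, auth_type):
    """Return a list of problems a reviewer would otherwise hit at the Review step."""
    rows = parse_sheet(text)
    errors = []
    if len(rows) > MAX_ROWS:
        errors.append(f"{len(rows)} rows exceed the {MAX_ROWS}-account limit per upload")
    seen = set()
    for n, row in enumerate(rows, start=2):  # line 1 of the sheet is the header
        for col in ("Asset Type", "Host-name/IP", "Account Name"):
            if not row[col]:
                errors.append(f"line {n}: {col} is empty")
        # Assumed heuristic: DB Instance is only required for database assets
        if "database" in row["Asset Type"].lower() and not row["DB Instance"]:
            errors.append(f"line {n}: DB Instance is required for a database asset")
        if auth_type == "Password" and not row["Password"]:
            errors.append(f"line {n}: Password is empty")
        # Key Based needs only asset details and account name; the key is
        # uploaded from the portal, so nothing more is checked for it here
        if auth_type == "Key Based + Secret Key" and not (
                row["Access Key"] and row["Secret Access Key"]):
            errors.append(f"line {n}: Access Key and Secret Access Key are required")
        key = (row["Host-name/IP"].lower(), row["Account Name"].lower())
        if key in seen:
            errors.append(f"line {n}: duplicate account {row['Account Name']} "
                          f"on {row['Host-name/IP']}")
        seen.add(key)
    return errors


# Constructed sample: one valid row, one missing its password, one database
# asset without a DB Instance. Host names and passwords are placeholders.
SAMPLE_SHEET = "\n".join([
    "\t".join(COLUMNS),
    "Windows Server\t10.0.0.5\t\tsvc_backup\tP@ss-constructed-1\t\t",
    "Unix Based\tapp01.example.test\t\troot\t\t\t",
    "Database\tdb01.example.test\t\tsys\tP@ss-constructed-2\t\t",
])

if __name__ == "__main__":
    for problem in validate_sheet(SAMPLE_SHEET, "Password"):
        print(problem)
```

Run it against the text in the clipboard (saved to a file) with the same Authentication type you selected in the pop-up; an empty result means the paste should pass the Review step without surprises. The duplicate check is a useful extra: the same account on the same host listed twice is the most common copy-and-paste slip in a large sheet.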

Account on-boarding via account discovery

There are two scenarios of on-boarding accounts via account discovery:

  • Configuring a new discovery job and on-boarding newly discovered accounts

  • On-boarding existing discovered accounts from discovery view

Configuring a new account discovery job and on-boarding discovered accounts

  • Log in as an admin user.

  • Navigate to Manage → select Account Discovery from the Discovery section.

  • Click on + Add Account Discovery.

  • Job Title: enter the desired job title.

  • Asset Category: select the desired asset category from the drop-down.

  • Asset Type: select an asset type associated with the selected asset category.

  • Schedule Type: select Once to run the job one time. Select Recurring, followed by a Recur Every value, to run the job on a schedule.

  • Task Start: select the date from which the discovery job should be enabled (only applicable to a scheduled discovery job).

  • Schedule Time: select the time at which the discovery job should trigger (only applicable to a scheduled discovery job).

  • Action: select Onboard Accounts Yes (Reset Password) to auto-onboard the discovered accounts in the system directly. Select No to only discover the accounts.

  • Owner: enter the name of the account owner (only applicable if Onboard Accounts is selected as Yes).

  • Exclude Account(s): enter one or more account names in comma-separated format, such as admin, administrator, etc., which you want to exclude from the discovery job.

  • Click on the Save button and select the Save + Run Now option to trigger the discovery job immediately.

  • To onboard the discovered accounts, follow the steps below:

If you have chosen Yes in the Onboard Accounts field, the system will reset the current password of the discovered accounts.

Manually on-boarding existing discovered accounts from the discovery view

  • Log in as an admin user.

  • Navigate to Manage → click on Discovery View in the Discovery section.

  • A list of discovered Assets and Accounts will be displayed.

  • Click on the Accounts tab to open the list of discovered accounts.

  • Click on the Actions button and select the Onboard option.

  • A pop-up will open; enter the account password → click on Save and select the Save option to onboard the account in the system.

Account on-boarding via management APIs

Refer to the section Develop for working with the management APIs to onboard accounts programmatically.
