Depending on your security policies and routines, you may schedule certain scans to run on a daily or periodic basis. It is good practice to run discovery scan checks more often, perhaps every week or even several times a week, depending on the importance or risk level of the assets.
As a best practice, you may also want to discover privileged accounts manually and check whether any account has been left out of password management. Generally, it is a good idea to scan during off-hours, when more bandwidth is free and work disruption is less likely.
The account discovery engine uses the concept of management accounts to discover accounts on integrated assets. It helps reconcile whether the vault contains all privileged accounts, which is useful in environments with a large number of assets and privileged accounts. Furthermore, filtering out dead assets and discovering new accounts through the discovery job reduces manual effort and the risk from unknown accounts.
If you schedule a scan to run on a repeating basis, note that a future scheduled scan job will not start until the preceding scheduled scan job is completed. If the preceding job is not completed by the time the next job is scheduled to start, an error message appears in the scan log.
The system uses management accounts to discover other privileged accounts. Management accounts with the required privileges can be part of the vault or can be configured separately in the system. Refer to the section on Configuring credentials for more details. You can configure and provide as many management accounts as are available in your platform environments.
Privilege requirement for executing Account Discovery Jobs
Category
Type
Min privilege required for onboarding
Minimum privilege required for onboarding and resetting password
Select the desired asset type from the drop-down menu.
Asset category
Select the asset category from the drop-down menu.
Schedule type
Select a schedule type: run this job once, or schedule it as a recurring job.
If you select a recurring job, you can choose the days on which this job must be executed.
For example, you want to schedule a job every second day at 5 pm to scan your network:
Recur every: 2 days
Task Start: 01 Jan 2018
Schedule Start Time: 4.30 pm to 5.15 pm
Group Name
Select the groups on the Active Directory to be scanned.
Task Start
Select the date when the task begins.
Schedule Time
You can either choose "Any" or set a specific time window, with the time at which to start the task and the time at which to end it.
Action
Onboard accounts
If you do not wish to onboard accounts discovered in a scan, set the Onboard Accounts option to 'No'. Refer to the section on Handling assets & accounts Manually for more details.
If you wish to onboard discovered accounts automatically to the Sectona PAM system, set the Onboard Accounts option to 'Yes'. Please note that the passwords of the accounts will be reset when the accounts are onboarded in the PAM by discovery. Refer to the section on Auto Onboarding discovered accounts for more details.
Exclude Account(s)
If you want to exclude accounts from the account discovery, enter the account names separated by commas.
Tags (optional)
You can associate an account with your desired single or multiple tags like Infosec, Banking Core Server, ATM Switches, etc.
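
The reconciliation described earlier (vault contents versus discovered accounts, with dead assets filtered out) and the comma-separated Exclude Account(s) field can be illustrated with a short script. This is an added example, not Sectona's code or API: the `Account` type, the function names and the sample inventory are all constructed, and case-insensitive matching of names is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    asset: str
    name: str

    def key(self):
        # Assumption: asset and account names compare case-insensitively.
        return (self.asset.lower(), self.name.lower())


def parse_excludes(raw):
    """Parse a comma-separated exclusion list, ignoring spaces and empty items."""
    return {item.strip().lower() for item in raw.split(",") if item.strip()}


def reconcile(discovered, vaulted, live_assets, excludes_raw=""):
    """Sort accounts into review buckets before anything is onboarded."""
    excludes = parse_excludes(excludes_raw)
    live = {a.lower() for a in live_assets}
    found = {a.key() for a in discovered if a.asset.lower() in live}
    vault = {a.key() for a in vaulted}
    new = found - vault
    return {
        # Discovered but not vaulted: candidates for onboarding (password reset).
        "unmanaged": sorted(k for k in new if k[1] not in excludes),
        # Discovered but deliberately kept out of discovery results.
        "excluded": sorted(k for k in new if k[1] in excludes),
        # Vaulted on an asset that is no longer reachable.
        "dead_asset": sorted(k for k in vault if k[0] not in live),
        # Vaulted on a live asset but not seen by the scan (removed or renamed).
        "missing": sorted(k for k in vault - found if k[0] in live),
    }


# Constructed sample data for illustration only.
DISCOVERED = [Account("srv-db01", "Administrator"), Account("srv-db01", "svc_backup"),
              Account("srv-web02", "root"), Account("srv-web02", "deploy")]
VAULTED = [Account("SRV-DB01", "administrator"), Account("srv-web02", "root"),
           Account("srv-web02", "oracle"), Account("srv-old09", "admin")]
LIVE_ASSETS = ["srv-db01", "srv-web02"]
EXCLUDES = "deploy, guest ,"

if __name__ == "__main__":
    for bucket, keys in reconcile(DISCOVERED, VAULTED, LIVE_ASSETS, EXCLUDES).items():
        print(f"{bucket}: {keys}")
```

Reviewing the `unmanaged` bucket before setting Onboard Accounts to 'Yes' shows which accounts would have their passwords reset by the next discovery job.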