Managing account operations
This section provides guidance for managing daily or ongoing operations related to privileged accounts.
Viewing account inventory
To view the account inventory from the account management interface:
Log in as an admin user.
Navigate to Manage → Click on Accounts from the Account Management section.
A list of all the accounts will be displayed.
Viewing account group membership
This section explains and demonstrates the procedure of viewing membership of accounts associated with different types of account groups:
Static group: This type of account group allows you to manage account grouping manually, such as adding or removing an account from the account group.
Rule-based group: This type of account group works dynamically as per the defined attributes.
To view which accounts are linked to an account group, follow the steps below (applicable to both Static and Rule-based account groups).
Log in as an admin user.
Navigate to Manage → Click on Account Groups from the Account Management section.
Click on the Actions button of the desired account group → Select the Linked Accounts option.
A pop-up will open displaying the list of accounts in the account group.
Update account attributes
Log in as an admin user.
Navigate to Manage → Click on Accounts from the Account Management section.
Click on the Actions button of the account whose attributes you want to change and select the Manage Account option.
A pop-up will open displaying the account details.
Change the details and click on the Update button to save the changes in the system.
Update account attributes in bulk
The Sectona PAM platform provides an option to update multiple accounts in the system manually using the bulk update option. Follow the steps below to bulk update accounts in the system:
Log in as an admin user.
Navigate to Manage → Select Accounts from the Account Management section.
Click on + Add New Account(s) and select the Update Bulk Accounts option.
A pop-up will open → Select the desired Account Category → Interactive Account / Service Account.
Select an Authentication type for your account, such as Password, Key Based, or Key Based + Secret Key.
Tags (optional): Add relevant tags to this user. Refer to the section on Tags for more information about adding context with tags.
Enforce Password Change: enable this option to include the accounts in the schedule-based password change job.
Active: check this option to keep the accounts active in the system.
Download the Import format by clicking on the Download format button.
Follow the steps below to fill in the Import format sheet and upload the data to the system:
Open the downloaded Import format.
Enter the Asset Type, such as Windows server or Unix Based.
Enter the Host-name/IP (specify any one of them).
Enter the DB Instance (optional); this is required only if the account is being on-boarded for a Database asset.
Enter Account Name followed by Password.
Enter Access Key and Secret Access Key (only applicable if the account authentication type is selected as Key Based + Secret Key).
Select all the columns and copy from the sheet.
On the PAM web console, click on the Next button → Paste the copied text → Click on the Next button → Review the list of accounts and click the Finish button to onboard the list of accounts in the system.
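The sheet carries plaintext credentials, so it is worth checking the copied rows locally before pasting them into the console. The following PowerShell is an added example, not part of the Sectona product or its documentation; the function name, the column order and the sample rows are assumptions made for illustration.

```powershell
# Added example. The column order is an ASSUMPTION based on the fields listed
# above; align it with the format file downloaded from your own console.
$Columns = 'AssetType','Host','DbInstance','AccountName','Password','AccessKey','SecretAccessKey'
function Test-BulkAccountRows {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('Password','KeyBased','KeyBasedSecretKey')][string]$AuthType = 'Password'
    )
    # Findings carry only line number and field name, never a secret value.
    $report = { param($field, $msg)
        [pscustomobject]@{ Line = $lineNo; Field = $field; Problem = $msg } }
    $seen = @{}; $lineNo = 0
    foreach ($line in ($Text -split "`r?`n")) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $cells = @($line -split "`t")
        $row = @{}
        for ($i = 0; $i -lt $Columns.Count; $i++) {
            $row[$Columns[$i]] = if ($i -lt $cells.Count) { $cells[$i].Trim() } else { '' }
        }
        foreach ($f in 'AssetType','Host','AccountName') {
            if (-not $row[$f]) { & $report $f 'required value is empty' }
        }
        if ($AuthType -eq 'Password' -and -not $row['Password']) {
            & $report 'Password' 'empty for a Password-type account'
        }
        if ($AuthType -eq 'KeyBasedSecretKey') {
            foreach ($f in 'AccessKey','SecretAccessKey') {
                if (-not $row[$f]) { & $report $f 'required for Key Based + Secret Key' }
            }
        } elseif ($row['AccessKey'] -or $row['SecretAccessKey']) {
            & $report 'AccessKey' 'filled in, but applies only to Key Based + Secret Key'
        }
        if ($cells.Count -gt $Columns.Count) {
            & $report '(row)' 'more cells than columns; look for a stray tab'
        }
        $key = ('{0}|{1}|{2}' -f $row['Host'], $row['DbInstance'], $row['AccountName']).ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            & $report 'AccountName' "duplicate of line $($seen[$key])"
        } else { $seen[$key] = $lineNo }
    }
}
# Constructed sample rows (tab-separated); the credentials are placeholders.
$sample = @"
Windows server`tsrv-app01.example.test`t`tsvc_backup`tPLACEHOLDER-1
Unix Based`t`t`troot`tPLACEHOLDER-2
Windows server`tSRV-APP01.example.test`t`tsvc_backup`tPLACEHOLDER-3
"@
Test-BulkAccountRows -Text $sample -AuthType Password | Format-Table -AutoSize
```

Delete the filled-in sheet and clear the clipboard once the import has finished, since both still hold the passwords and keys.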
Assigning account to account-group
Accounts can be a part of multiple account groups in the system. Newly added accounts are treated as accounts without an account group. The system supports both static account groups and dynamic, attribute-based account groups. To add an account to an account group:
Click on the Asset Management tab in the sidebar.
Click on the 'action' icon and click on Manage Linked Accounts.
Click on the 'action' icon located in front of the account you want to assign to a group and select the Manage Linked Groups option.
Select the groups you want to assign to this account.
Click Save.
Assigning Account to Account Group Using Account Interface
Click on the Accounts tab in the sidebar.
Click on the 'action' icon and click on Manage Linked Groups.
Select the groups you want to assign to this account.
Click Save.
Linking account to asset in AD security-groups
Microsoft Active Directory allows granular control over which privileged users or accounts can access specific assets or servers. This can normally be performed by enabling settings for Remote Desktop Configuration. If you would like to automatically link privileged accounts with assets as per Active Directory settings, you can use the AD Asset Linking technique. You will no longer need to link individual accounts to assets.
To map Active Directory accounts to assets, follow the steps below:
Navigate to the Manage section and select the Asset Management option from the sidebar.
Select + New Asset(s) and fill in the form details, or select an existing directory server under Asset Category type as Directory Server.
Browse the account group and server group from the list fetched.
Click Active to activate this mapping.
Click on the Save button.
If the AssetADSyncService service is stopped, you need to start it from System Status in the System section.
Sectona automatically onboards any new accounts found in the respective security group. However, assets must be added manually or through a specific asset discovery scan job. To exclude an account from the AD sync process, tick the Exclude From AD Sync checkbox in the Manage Account window.
Configuring account dependencies
Some services in a Windows environment might depend on the account configured to handle them. When the password of such an account needs to be changed, you may also need to replace the old password in a file, or execute a command or a script. Some actions need to be, or can be, performed before changing the password of the account, on successful password change, and on password change failure.
Procedure to configure account dependency:
Navigate to Manage → Go to Asset Management.
Click on the 'action' icon of the account for which you wish to configure the account dependency.
Click on Manage Accounts to access the Accounts window.
Click on the 'action' icon of the account and then click on Configure Dependencies.
The account dependencies window will be displayed.
Parameter | Description |
---|---|
Type | The type of action you need to perform. The specific action can be Update password in account, Execute command, Replace old password in file, Execute Script, Windows services, Schedule task, IIS pool |
Asset | You can select the asset on which you wish to perform the type of action |
Account | You can select the account on which the type of action can be performed |
File Path | The path of the file required to replace an old password or execute a script |
Parameter | The parameter that will be affected |
Command | The command that needs to be executed |
Options | This displays options such as Start, Stop, Restart and Update password which can be used for services, scheduled task, and IIS pool |
Active | Represents the current status of account dependency |
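Before filling in this form, it helps to know where the account is actually used on the asset, because a rotated password that is not propagated stops the dependent service, task or pool. The following PowerShell is an added example, not Sectona's own tooling; the function names and the `EXAMPLE\svc_app` account are hypothetical, and it covers only the Windows services, scheduled task and IIS pool dependency types from the table above.

```powershell
# Added example: run on the Windows asset itself, in an elevated session.
function Get-BareUserName([string]$Id) {
    # 'DOMAIN\user', '.\user' and 'user@domain' all reduce to 'user'.
    (($Id -split '\\')[-1] -split '@')[0]
}

function Get-AccountDependencyCandidate {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'EXAMPLE\svc_app' (placeholder)
    $name = Get-BareUserName $Account

    # Services whose logon account is the managed account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { (Get-BareUserName $_.StartName) -ieq $name } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Windows services'; Name = $_.Name; RunsAs = $_.StartName }
        }

    # Scheduled tasks registered to run as the account.
    Get-ScheduledTask |
        Where-Object { (Get-BareUserName $_.Principal.UserId) -ieq $name } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Schedule task'; Name = $_.TaskPath + $_.TaskName
                               RunsAs = $_.Principal.UserId }
        }

    # IIS application pools with a custom identity (only if IIS tooling is installed).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { (Get-BareUserName $_.processModel.userName) -ieq $name } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'IIS pool'; Name = $_.Name
                                   RunsAs = $_.processModel.userName }
            }
    }
}

# Matching is on the bare user name, so a local and a domain account that share
# a name both appear; confirm the RunsAs column before configuring a dependency.
Get-AccountDependencyCandidate -Account 'EXAMPLE\svc_app' | Format-Table -AutoSize
```

Passwords embedded in files or scripts are not found this way and still have to be located by hand for the Replace old password in file and Execute Script types.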
View session initiated by account
To audit any configuration changes made by administrators of the system, click on the action icon corresponding to the account and then choose Session Activity.
Parameter | Description |
---|---|
ID | The unique session ID |
Username | The entity who accessed the session |
Asset Type | The type of asset |
Hostname | The hostname of the asset |
IP address | The IP address of the asset |
Account | The account that was accessed |
Login Time | The login time of the account |
Duration | The total duration the account was accessed |
Activity | Displays the activity graph of the corresponding session |
View password change history
To audit any configuration changes made by administrators of the system, click on the action icon corresponding to the account and then choose Password Change History.
Processed On | Initiated By | Status |
---|---|---|
22 Nov 2018 17:14 | John | Success |
In the above table, the user 'John' initiated a password change process, which was successful at timestamp '22 Nov 2018 17:14'. Clicking on the timestamp in the 'Processed On' field displays the following table:
Log | Timestamp |
---|---|
Password/Key updated by user | 22 Nov 2018 17:14:14.363 |
In the above table, the user named 'John' updated a password/key at timestamp '22 Nov 2018 17:14:14.363'.
Viewing account activity
To view the account activity performed by users and administrators, click on the action icon corresponding to the account and choose the View Account Activity option from the drop-down list. It will display a roadmap of account activities on the screen.
The Account activity option shows the following details in a timeline chart:
- Account created
- Account Modified
- Password Checkout
- Password Changed/Reset
- Session Taken