Schedule account discovery jobs
Depending on your security policies and routines, you may schedule certain scans to run on a daily or periodic basis. It is good practice to run discovery scans more often, perhaps every week or even several times a week, depending on the importance or risk level of the assets involved.
As a best practice, you may want to discover privileged accounts manually and check if you have missed including any account for password management. Generally, it is a good idea to scan during off-hours, when more bandwidth is free and work disruption is less likely.
The account discovery engine uses the concept of management accounts to discover accounts on integrated assets. It helps reconcile whether the vault contains all privileged accounts, which is useful in environments with a large number of assets and privileged accounts. Furthermore, filtering out dead assets and discovering new accounts from the discovery job reduces manual effort and the risk posed by unknown accounts.
If you schedule a scan to run on a repeating basis, note that a future scheduled scan job will not start until the preceding scheduled scan job is completed. If the preceding job is not completed by the time the next job is scheduled to start, an error message appears in the scan log.
This chapter consists of the following:
Supported platforms for account discovery
Windows Operating System (Server/Desktop)
Linux/Unix Operating Systems
Oracle Database
MySQL Database
Microsoft SQL Database
Prerequisites for discovering privileged accounts
The system uses management accounts for discovering other privileged accounts. Management accounts with the required privileges can be part of the vault or can be configured separately in the system. Refer to the section on Configuring credentials for more details. You can configure and provide as many management accounts as are available in your platform environments.
Privilege requirement for executing Account Discovery Jobs
Category | Type | Min privilege required for onboarding | Minimum privilege required for onboarding and resetting password |
---|---|---|---|
Operating system | | 'Read only' administrator account | 'Delegated Password Reset' privileges, 'Read only' administrator account |
Operating system | | 'Administrator' privilege | 'Administrator' privilege |
Operating system | | 'root' or 'root equivalent' privilege | 'root' or 'root equivalent' privilege |
Database | | 'sys admin' privilege | 'sys admin' privilege |
Database | | 'sys admin' privilege | 'Alter user' privilege |
Database | | 'sys admin' privilege | 'sys admin' privilege |
The platform list above helps you map these requirements to your own systems and, in the following sections, configure credentials and schedule the jobs.
Steps for adding a discovery job
Attributes | Description |
---|---|
Job details | |
Job Title | Enter a unique title for your scan job. |
Asset type | Select the desired asset type from the drop-down menu. |
Asset category | Select the asset category from the drop-down menu. |
Schedule type | Select whether to run this job once or as a recurring job. If you select a recurring job, you can choose the days on which it must be executed. For example, to scan your network every second day at 5 pm, set Recur every: 2 days. |
Group Name | Select the groups on the Active Directory to be scanned. |
Task Start | Select the date when the task begins |
Schedule Time | You can either choose "Any" or set a specific window, with a time at which the task may start and a time by which it must end. |
Action | |
Onboard accounts | If you do not wish to onboard accounts discovered in a scan, you may set the Onboard Accounts option as 'No'. Refer to the section on Handling assets & accounts Manually for more details. If you wish to onboard discovered accounts automatically to the Sectona PAM system, set Onboard Accounts option as 'Yes'. Please note that the password of the accounts will be reset when the accounts are on-boarded in the PAM by discovery. Refer to the section on Auto Onboarding discovered accounts for more details. |
Exclude Account(s) | If you want to exclude accounts from the account discovery, you can mention the names of the accounts separated by a comma. |
Tags (optional) | You can associate an account with your desired single or multiple tags like Infosec, Banking Core Server, ATM Switches, etc. Refer to section Applying conditions with tags for more information about adding context with tags. |
Account Category | Select an account category like "Interactive account" or "Service account." |
Enforce Password Change (optional) | You can disable this option by unchecking the Active checkbox to exclude the account from the scheduled password rotation job. |
Owner (optional) | If you have listed owner information for all assets, please include it here. |
Tick the Active checkbox and click on the Save button to add the account discovery job in the system.
Click on the Save + Run Now button to start the account discovery immediately.
The 'Schedule based discovery of account' service must be started on the system for scheduled discovery jobs to run and discover accounts.
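The reconciliation described above (comparing discovered accounts with the vault, flagging dead assets, and honouring the comma-separated Exclude Account(s) field), modelled as an added Python example. This is not Sectona's code; the asset names, account names and vault contents are constructed sample data.

```python
"""Reconcile account-discovery results against a vault inventory (illustrative)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Discovered:
    asset: str
    reachable: bool                      # False: asset did not answer the scan
    accounts: set[str] = field(default_factory=set)


@dataclass
class Reconciliation:
    to_onboard: dict[str, set[str]]      # asset -> accounts not yet vaulted
    dead_assets: set[str]                # integrated assets that did not respond
    stale_vaulted: dict[str, set[str]]   # vaulted accounts no longer on the asset


def parse_exclusions(text: str) -> set[str]:
    """Parse the 'Exclude Account(s)' field: comma-separated, case-insensitive."""
    return {name.strip().lower() for name in text.split(",") if name.strip()}


def reconcile(scan: list[Discovered], vault: dict[str, set[str]],
              exclusions: str) -> Reconciliation:
    excluded = parse_exclusions(exclusions)
    to_onboard: dict[str, set[str]] = {}
    stale: dict[str, set[str]] = {}
    dead: set[str] = set()
    for d in scan:
        if not d.reachable:              # unreachable assets are reported, not reconciled
            dead.add(d.asset)
            continue
        found = {a for a in d.accounts if a.lower() not in excluded}
        vaulted = vault.get(d.asset, set())
        if found - vaulted:
            to_onboard[d.asset] = found - vaulted
        if vaulted - found:
            stale[d.asset] = vaulted - found
    return Reconciliation(to_onboard, dead, stale)


# Constructed sample data: one Windows host, one Linux DB host, one retired host.
SAMPLE_SCAN = [
    Discovered("WIN-APP01", True, {"Administrator", "svc_backup", "Guest"}),
    Discovered("LNX-DB02", True, {"root", "oracle"}),
    Discovered("WIN-OLD07", False),
]
SAMPLE_VAULT = {"WIN-APP01": {"Administrator", "svc_deploy"},
                "LNX-DB02": {"root", "oracle"}, "WIN-OLD07": {"Administrator"}}


def run_sample() -> Reconciliation:
    return reconcile(SAMPLE_SCAN, SAMPLE_VAULT, "Guest, krbtgt")
```

Accounts in `to_onboard` are the ones a job with Onboard Accounts set to 'Yes' would vault (and reset); `stale_vaulted` and `dead_assets` are the review queue for manual handling.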
Viewing job status and history information
To monitor discovery job status at any time, take the following steps:
Go to Manage and click on Account Discovery.
Click on the 'action' button of the discovery job and then click on View Discovery History.
You can view detailed history status along with actions performed by clicking on any of the jobs in the Start On column.
Description | Representation |
---|---|
Action | |
Disabling a scheduled job
To disable a job at any time, take the following steps:
Go to Manage and click on Account Discovery.
Click on the job title of the discovery job you wish to disable.
Uncheck the Active checkbox to prevent the job from executing the next time it is scheduled.