Configuring reconciliation policy
Password reconciliation compares the passwords stored in the vault with the passwords actually set on the target systems and brings the two back into sync. It can run as a periodic process. A reconciliation policy defines the reconciliation settings for a group of accounts.
The Sectona PAM platform lets you configure a reconciliation policy either to only verify whether the vaulted passwords of privileged accounts are still correct on the target system, or to additionally reset the passwords of the accounts that are found to be out of sync.
Reconciliation needs a management account for each asset type, defined under Configuration → Account defaults. The password of such an account can be held in the account inventory or configured separately in Account defaults.
This section demonstrates the following:
Configuring a new reconciliation policy
- Login to the system and select PAM from the product navigator.
- Navigate to Policies → Click on Reconciliation Policy from the Password Policies section.
- Click on +Add Policy.
Policy name: Enter a desired name for the policy.
Verify password: Enable this option and set the reconcile time, i.e. the interval at which the policy is triggered.
You can schedule the reconciliation policy to trigger in one of the following ways:
Once: Triggers the policy at the very next PasswordStatusMonitoringService app service trigger, and never again.
Daily: Triggers the policy every 24 hours from the start date and time.
Weekly: Triggers the policy every 7 days from the start date and time.
Monthly: Triggers the policy every 30 days from the start date and time (a fixed 30-day interval, not a calendar month).
Recur every: Default value = 1. Set this to repeat the schedule at a multiple of the interval, for example every 1 month or every 2 weeks.
Schedule time: Use the checkboxes to select the time(s) at which the policy should be triggered. Leave the value as Any to trigger the policy at the PasswordStatusMonitoringService app service trigger time.
Start on: Select the day on which the policy becomes active. The default is the next day.
Valid till (optional): Only enable if you want the policy to stop reconciling passwords after a certain number of days.
Reconcile accounts: Enable this option only when you want the system to reset the passwords of the accounts found out of sync; the reset is performed with the management account defined in Account defaults, so that account's own password must be valid.
Exclude Account(s) (optional): Enter the account names which you want to exclude from the reconciliation policy.
Click on the Save button to save the policy configuration.
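The following Python model shows what the policy settings above amount to at run time: every vaulted account not listed under Exclude Account(s) is verified against the target host, and, only when Reconcile accounts is enabled, a drifted account is reset through the host's management account, which fails if the management account's own password has drifted. The schedule helper applies the interval semantics stated on this page (daily = 24 h, weekly = 7 days, monthly = 30 days, times Recur every, bounded by Valid till). This is an added example, not Sectona code; the hosts, accounts, passwords and the `ReconciliationPolicy` field names are constructed for illustration and do not reflect the product's internal data model.

```python
"""Added example: what one run of a verify / reconcile policy does (not Sectona code)."""
import copy
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed target hosts: hostname -> {account: password currently set on the host}
TARGETS = {
    "db01": {"root": "Correct#1", "app": "Drifted#9"},
    "web01": {"admin": "Drifted#3", "svc_pam": "Mgmt#7"},
    # On app01 the management account itself has drifted, so no reset is possible.
    "app01": {"deploy": "Drifted#5", "svc_pam": "Rotated#0"},
}
# Constructed vault contents: (host, account) -> password the vault believes is current
VAULT = {
    ("db01", "root"): "Correct#1",
    ("db01", "app"): "Old#1",
    ("web01", "admin"): "Old#2",
    ("app01", "deploy"): "Old#3",
}
# Constructed management accounts per host (Configuration -> Account defaults)
MGMT = {
    "db01": ("root", "Correct#1"),
    "web01": ("svc_pam", "Mgmt#7"),
    "app01": ("svc_pam", "Mgmt#8"),
}
# Interval semantics as described on this page (monthly is a fixed 30 days)
INTERVALS = {"daily": timedelta(days=1), "weekly": timedelta(days=7), "monthly": timedelta(days=30)}


@dataclass
class ReconciliationPolicy:            # hypothetical field names, modelled on the form above
    name: str
    verify_password: bool = True
    reconcile_accounts: bool = False
    exclude_accounts: frozenset = frozenset()
    schedule: str = "daily"            # once | daily | weekly | monthly
    recur_every: int = 1
    start_on: datetime = datetime(2024, 1, 2, 2, 0)
    valid_till_days: Optional[int] = None   # None = the policy never expires


def next_trigger(policy, previous=None):
    """Next run time after `previous`; None once the policy is finished or expired."""
    if previous is None:
        return policy.start_on
    if policy.schedule == "once":
        return None
    nxt = previous + INTERVALS[policy.schedule] * policy.recur_every
    if policy.valid_till_days is not None and nxt > policy.start_on + timedelta(days=policy.valid_till_days):
        return None
    return nxt


def schedule_preview(policy, max_runs=10):
    """List the first `max_runs` trigger times of a policy."""
    runs, prev = [], None
    while len(runs) < max_runs:
        prev = next_trigger(policy, prev)
        if prev is None:
            break
        runs.append(prev)
    return runs


def verify(host, account, vault, targets):
    """Simulated login with the vaulted password: True when vault and host agree."""
    return targets[host].get(account) == vault[(host, account)]


def reset_with_management_account(host, account, vault, targets, mgmt):
    """Set a fresh random password on the host via the management account, then update the vault."""
    mgmt_user, mgmt_pw = mgmt[host]
    if targets[host].get(mgmt_user) != mgmt_pw:
        return "reconcile_failed_mgmt_login"    # the management account must itself be valid
    new_pw = secrets.token_urlsafe(18)
    targets[host][account] = new_pw
    vault[(host, account)] = new_pw
    return "reconciled"


def run_policy(policy, vault, targets, mgmt):
    """One run: verify every vaulted account, reconcile the drifted ones only if enabled."""
    report = {}
    if not policy.verify_password:
        return report
    for host, account in vault:
        if account in policy.exclude_accounts:
            report[(host, account)] = "excluded"
        elif verify(host, account, vault, targets):
            report[(host, account)] = "in_sync"
        elif policy.reconcile_accounts:
            report[(host, account)] = reset_with_management_account(host, account, vault, targets, mgmt)
        else:
            report[(host, account)] = "out_of_sync"
    return report


def demo():
    """Run a verify-only policy and a verify+reconcile policy on copies of the sample data."""
    verify_only = ReconciliationPolicy("verify-only", exclude_accounts=frozenset({"root"}))
    reconcile = ReconciliationPolicy("reconcile", reconcile_accounts=True, exclude_accounts=frozenset({"root"}))
    v_report = run_policy(verify_only, copy.deepcopy(VAULT), copy.deepcopy(TARGETS), MGMT)
    r_report = run_policy(reconcile, copy.deepcopy(VAULT), copy.deepcopy(TARGETS), MGMT)
    return v_report, r_report


if __name__ == "__main__":
    for label, report in zip(("verify only", "reconcile"), demo()):
        print(label, report)
    fortnightly = ReconciliationPolicy("fortnightly", schedule="weekly", recur_every=2, valid_till_days=30)
    print([t.isoformat() for t in schedule_preview(fortnightly)])
```

The verify-only run reports the three drifted accounts as out of sync and changes nothing; the reconcile run resets the two whose host has a working management account and reports a failure for app01, which is the case to watch for in practice: if the management account's password drifts, the policy can detect but not repair drift on that host.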
Modifying an existing reconciliation policy
- Login to the system and select PAM from the product navigator.
- Navigate to Policies → Click on Reconciliation Policy from the Password Policies section.
- Click on the edit button next to the reconciliation policy you want to modify.
- After modifying the policy, click on the Update button to save the changes.
Viewing linked assets of the reconciliation policy
You can view the list of assets that have been assigned a particular reconciliation policy. This gives you a consolidated view of all assets that share the same reconciliation policy, together with the Asset Type, Asset Category, Hostname and IP Address of each asset.
To view the list of linked assets, follow the steps below:
- Login to the system and select PAM from the product navigator.
- Navigate to Policy → Password Policies and select Reconciliation policy from the sidebar.
- Select the policy whose linked assets you want to view and click on the Account icon.
- Click on the Linked Assets tab.
- A new page appears with the list of assets linked to the reconciliation policy.
Icon | Title
---|---
(icon image not available) | Account
A reconciliation policy does not run until the PasswordStatusMonitoringService is started: it is listed under Platform Configuration → System section → System Status. Start it there to have the policy trigger according to the parameters defined above.