Account Provisioning
Account provisioning is a two-step process: role configuration and provisioning. ALM already has various default roles available in the system, with the flexibility to customize roles. Users with the account lifecycle privilege in PAM Roles can access this feature. This section covers how you can add new roles and provision new accounts.
Defining custom roles in ALM
To enable user provisioning to a new non-default role, you need to configure role settings. The steps to add custom roles are as follows:
The PAM administrator authenticates to Sectona.
Go to Manage → Account Lifecycle. It will show the Configure option. Click on Configuration → choose the Asset Category as per the requirement.
Choose Asset Type as per the requirement.
Define a name for the role based on the role you will be creating.
Choose the Method based on the asset you have selected and the role you will be creating.
Add the Role Command as per the organization's needs and save the configuration. Once this role is configured, the admin can assign it to a provision account when required.
Consider the creation of a provision account on Microsoft SQL Server using the role command:
CALL master..sp_addsrvrolemember @loginame = N'%Username%', @rolename = N'sysadmin'
Sectona enables the user to log in to the server and add the account to the specified account group, say sysadmin.
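A check to run on the SQL Server instance after a role command like the one above has been used, to see which logins hold server roles and whether a provisioned account still has sysadmin. This is an added example, not part of the Sectona documentation; the prefix value pam_ is a constructed placeholder for the account prefix entered when provisioning.

```sql
-- Added example (not Sectona's own code): review server role membership
-- after ALM provisioning or deprovisioning has run on this instance.
-- Assumption: provisioned logins share an account prefix. N'pam_' is a
-- constructed placeholder; replace it with the prefix you actually use.
DECLARE @prefix sysname = N'pam_';

SELECT
    m.name        AS login_name,
    m.type_desc   AS login_type,
    r.name        AS server_role,
    m.is_disabled AS is_disabled,
    m.create_date AS created,
    m.modify_date AS last_modified,
    -- LEFT() is used instead of LIKE so that '_' in the prefix is not
    -- treated as a single-character wildcard.
    CASE WHEN LEFT(m.name, LEN(@prefix)) = @prefix
         THEN 'matches provisioning prefix'
         ELSE 'other login'
    END           AS origin,
    -- sysadmin is the highest fixed server role: every row flagged here
    -- should map to a provisioned account that has not yet expired or to
    -- a login you can otherwise account for.
    CASE WHEN r.name = N'sysadmin' THEN 1 ELSE 0 END AS is_sysadmin
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
   OR LEFT(m.name, LEN(@prefix)) = @prefix
ORDER BY is_sysadmin DESC, m.create_date DESC;
```

Run it again after a provisioned account's expiry date has passed: a prefixed login that still appears was not deprovisioned.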
Provisioning a new account
Accounts can be provisioned to roles defined in the system. The typical flow for provisioning a user is as follows:
The PAM administrator authenticates to Sectona.
Go to Manage → Account Lifecycle → Click on +Provision Account → Add account details and choose a role for the account.
Give a description of the account you will be provisioning.
Select the user of the provision account under User Identity.
Add the account prefix and account name details. The user can create a provision account by adding a prefix to the account name.
Choose the Account password as per requirement. The password can be set as static or can be generated based on the policy assigned to the asset.
Enabling password change will allow Sectona to change the password of the provision account and vice versa.
Enter the name of the owner. This is optional.
The user can set a date for creating the provision account. You can create the provision account immediately or specify a date for it.
The user can set an expiry date for deprovisioning a provisioned account.
Tags can be given to the provision account while creating it.
Provide asset details as needed and save the configuration.
Based on the inputs given by the administrator, PAM will create a provision account for the user in no time.
Once accounts are provisioned, they can be accessed through the policies configured in the system for Password Checkout or Access.
Provisioning uses the default password policy applied at the asset level. For configuring password policies, refer to Configuring password policy.
Ensure management accounts with sufficient rights are configured in Management Accounts for respective assets.