Configuring password rotation policy
Changing and resetting privileged account passwords frequently reduces the risk of password misuse and helps meet compliance requirements. The Sectona PAM platform password rotation policy is designed to achieve this. By configuring flexible password rotation policies, you can enable scheduled jobs that change or reset privileged account passwords.
This section demonstrates the following:
Before you begin
- Ensure you have configured a password policy to link with the rotation policy. Refer to Configuring password policy.
- Ensure you have the PasswordManagementService app service started to push the schedule.
Configuring a new password rotation policy
- Log in to the system and select PAM from the product navigator.
- Navigate to Policies, select Password Policies from the sidebar → click on Rotation.
- Click on +Add Policy.
- Policy name: Enter a desired name for the policy.
- Rotate password: Enable this option and select the time interval at which the rotation policy should trigger.
You can schedule the rotation policy to trigger in one of the following ways:
- Once: Triggers the password rotation policy on the immediate PasswordManagementService app service trigger.
- Daily: Triggers the policy every 24 hours from the start date and time.
- Weekly: Triggers the policy every 7 days from the start date and time.
- Monthly: Triggers the policy every 30 days from the start date and time.
- Recur every: The default value is 1. You can define your desired Recur Every value for recurrences such as every 1 month or every 2 weeks.
- Schedule time: Uncheck the Any checkbox to select the desired time at which the policy should get triggered. You can keep this value as Any to trigger the policy as per the PasswordManagementService trigger time.
- Start on: Select the start day for the policy to be activated. The default is the next day.
- Valid till (optional): Only enable this if you want the rotation policy to stop rotating passwords after a certain number of days.
- Password policy: Select a configured password policy from the drop-down list.
- Reset Password for Out of Sync accounts: Use this option when you want the password to be reset by a password rotation policy. You will need an admin-level management account preconfigured to perform this operation.
- Tick the Enforce Rotation After Every Session checkbox if you want to change the password of your account after every session. Mention the accounts that you want to exclude from this configuration in the Exclude Account(s) text field.
- Click on the Save button to save the policy configuration.
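The schedule options above can be sanity-checked against a maximum password age before a policy is saved. The following is an added example, not Sectona code: it models only the intervals stated on this page, and it assumes the first trigger happens at the Start on time and that Valid till is counted in days from that start. The function names and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta

# Interval lengths as stated on this page (Monthly is 30 days, not a calendar month).
INTERVAL_DAYS = {"Daily": 1, "Weekly": 7, "Monthly": 30}

def trigger_times(mode, start, recur_every=1, valid_till_days=None, horizon_days=365):
    """Trigger datetimes a policy with these settings would produce within the horizon.

    Assumptions (not confirmed by the product): the first trigger is at `start`
    and "Valid till" is a number of days counted from `start`.
    """
    if mode == "Once":
        return [start]
    step = timedelta(days=INTERVAL_DAYS[mode] * recur_every)
    end = start + timedelta(days=horizon_days)
    if valid_till_days is not None:
        end = min(end, start + timedelta(days=valid_till_days))
    times, t = [], start
    while t <= end:
        times.append(t)
        t += step
    return times

def first_breach(times, max_age_days, horizon_end):
    """First moment a password is older than max_age_days, or None if never.

    Checks the gaps between rotations and the open-ended gap after the last
    rotation, which is what remains once "Valid till" stops the policy.
    """
    limit = timedelta(days=max_age_days)
    for prev, nxt in zip(times, times[1:] + [horizon_end]):
        if nxt - prev > limit:
            return prev + limit
    return None

if __name__ == "__main__":
    start = datetime(2024, 1, 1, 2, 0)            # constructed sample start time
    year_end = start + timedelta(days=365)
    monthly = trigger_times("Monthly", start)
    print(len(monthly), "monthly triggers in 365 days; last on", monthly[-1].date())
    quarterly = trigger_times("Monthly", start, recur_every=3)
    print("90-day limit breached:", first_breach(quarterly, 90, year_end))
    capped = trigger_times("Monthly", start, recur_every=3, valid_till_days=100)
    print("with Valid till = 100 days, breached on:", first_breach(capped, 90, year_end))
```

Under these assumptions, a Monthly policy fires 13 times in a year rather than 12, and a policy with Valid till set leaves passwords aging without limit after its last rotation.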
Modifying existing password rotation policy
- Log in to Sectona and select PAM from the product navigator.
- Navigate to Policies, select Password Policies from the sidebar → click on Rotation.
- Click on the edit button of the rotation policy that you want to modify.
- After modifying the rotation policy, click on the Update button to save the changes.
Viewing linked assets of the rotation policy
You can check the list of assets that have been assigned a particular rotation policy. This gives you a consolidated view of assets with the same rotation policy, along with information such as the Asset Type, Asset Category, Hostname, and IP Address of each asset.
To view the list of linked assets, follow the steps below:
- Log in to the system and select PAM from the product navigator.
- Navigate to Policies, select Password Policies from the sidebar → click on Rotation.
- Click on the Account button of the rotation policy that you want to modify.
- Click on the Linked Assets tab.
- A new page will appear in front of you with a list of assets linked with the rotation policy.
While password rotation is configured through PAM, it is recommended to disable the "change password on next login" policy on target servers and devices. We recommend naming the rotation policies based on the associated Asset Types for which the policy is configured. You will have to start PasswordManagementService by going to Platform configuration → System Status → App Services.