

How to Set Up Shared Accounts

Shared Accounts Management (SAM) is the process through which an organization secures, manages, and tracks all activities associated with the most powerful accounts within the organization. Before users can begin using shared account passwords, you must complete several steps that set up CA ControlMinder Enterprise Management for SAM. Users can then start working with the shared accounts that you define.

The following process explains the tasks that users in your enterprise must complete to set up shared accounts. Users must have the specified role to complete each process step. A user with the System Manager admin role can perform every CA ControlMinder Enterprise Management task in this process.

Note: Before you begin this process, verify that email notification is enabled in CA ControlMinder Enterprise Management. If CA ControlMinder Enterprise Management cannot display a password to a user, it emails the password to the user instead.

To set up shared accounts, users do the following:

  1. The SAM Target System Manager creates password policies. Password policies set password rules and limitations for shared accounts.
  2. The SAM Target System Manager creates endpoints in CA ControlMinder Enterprise Management. Endpoints are devices that are managed by shared accounts. You can create endpoints in CA ControlMinder Enterprise Management or use the SAM feeder to import endpoints.
  3. The SAM Target System Manager creates shared accounts for each endpoint. Creating shared accounts lets SAM manage the accounts. You can create shared accounts in CA ControlMinder Enterprise Management or use the SAM feeder to import shared accounts.
  4. (Optional) The System Manager creates login applications, and the SAM Target System Manager modifies SAM endpoints to use the login applications. Login applications let users log in to a shared account from CA ControlMinder Enterprise Management.
  5. The SAM Policy Manager modifies the member policies of privileged access roles. Member policies define the users that can carry out the tasks in a role.

    Note: If you use Active Directory as your user store, we recommend that you modify each member policy to point to a corresponding Active Directory group. You can then add or remove users from a role by adding or removing them from the corresponding Active Directory group. This greatly reduces administrative overhead.

  6. (Embedded user store) The SAM User Manager specifies the manager of each user.

    Note: Only a manager can approve shared account requests that the user makes. If you use Active Directory as your user store, verify that each user's manager is specified in Active Directory.

  7. (Optional) The System Manager configures the connection to CA Service Desk Manager.

    Integrating with CA Service Desk Manager lets you create multiple approval processes for privileged account requests.

The following diagram illustrates the privileged access role that performs each process step:

[Diagram: flowchart showing the privileged access role that performs each step of the process to set up shared accounts.]