

How to Set Up Password Consumers

Password consumers are applications, Windows services, and Windows scheduled tasks that use privileged accounts and service accounts to execute a script, connect to a database, or manage a Windows service, scheduled task, or RunAs command. Password consumers let you remove hard-coded passwords from application scripts and enforce a password policy on service accounts.

There are two groups of password consumers:

Software development kit password consumers get, check out, and check in privileged account passwords. All other types of password consumer get privileged account passwords, but do not check out or check in passwords.

The following process explains the tasks that users in your enterprise must complete to set up password consumers. Users must have the specified role to complete each process step. A user with the System Manager admin role can perform every CA ControlMinder Enterprise Management task in this process.

To set up password consumers, users do the following:

  1. A system administrator configures the endpoints, as follows:
    1. Installs CA ControlMinder on endpoints that use database, Windows Run As, and software development kit password consumers.

      The system administrator enables the SAM Integration feature during the installation process.

      Note: You do not need to install CA ControlMinder on the endpoint to use Windows Scheduled Task or Windows Service password consumers.

    2. Performs additional configuration steps on endpoints that use the following password consumers:

    The endpoints are configured to use password consumers.

  2. The SAM Target System Manager creates password policies in CA ControlMinder Enterprise Management. Password policies set password rules and password expiration intervals for privileged and service accounts.
  3. The SAM Target System Manager creates endpoints in CA ControlMinder Enterprise Management. Endpoints are devices that are managed by privileged and service accounts. You can create endpoints in CA ControlMinder Enterprise Management or use the SAM feeder to import endpoints.

    Note: If you have already created your endpoints when you set up privileged accounts, do not complete this step.

  4. To create database, Windows Run As, or software development kit password consumers, users do the following:
    1. The SAM Target System Manager discovers or creates privileged accounts in CA ControlMinder Enterprise Management.

      This user can discover and create privileged accounts in CA ControlMinder Enterprise Management or use the SAM feeder to import privileged accounts.

    2. The System Manager creates database, Windows Run As, and software development kit password consumers in CA ControlMinder Enterprise Management.

      The System Manager associates database, Windows Run As, and software development kit password consumers with privileged accounts as part of the password consumer creation task.

  5. To create Windows Scheduled Task or Windows Service password consumers, the SAM Target System Manager discovers service accounts.

    CA ControlMinder Enterprise Management creates password consumers for each service and scheduled task that it discovers.

    Note: CA ControlMinder Enterprise Management discovers only services that are run by accounts for which you can change the password. For example, CA ControlMinder Enterprise Management discovers services that are run by your computer's Administrator account or domain accounts, but does not discover services that are run by the NT AUTHORITY\Local Service account.

    Password consumers are now set up for your enterprise.

The following diagram illustrates the privileged access role that performs each process step:

[Figure: flowchart showing the privileged access role that performs each step of the process to set up password consumers.]
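The note in step 5 says that discovery finds only services run by accounts whose password can be changed. The following PowerShell sketch is an added example, not CA ControlMinder code and not the product's discovery logic: it inventories the run-as accounts of local Windows services and scheduled tasks so you can see which accounts are likely candidates before you run discovery. Treating LocalSystem, Network Service, and NT SERVICE\ virtual accounts the same way as Local Service is an assumption; the function and variable names are hypothetical.

```powershell
# Added example: list run-as accounts behind services and scheduled tasks and
# mark the ones that have a changeable password.
# Assumption: besides NT AUTHORITY\Local Service (named in the note), the
# built-in identities below and NT SERVICE\* virtual accounts are excluded
# because they have no password that can be set.
$builtIn = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\Local Service', 'LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\Network Service', 'NETWORK SERVICE'
)

function Test-ManagedAccountCandidate {
    param([string]$Account)
    # Empty account names (drivers, group-based tasks) are not candidates.
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    $name = $Account.Trim()
    if ($name -like 'NT SERVICE\*') { return $false }
    return ($builtIn -notcontains $name)   # comparison is case-insensitive
}

# Services: StartName holds the logon account.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object @{n='Type';e={'Service'}}, Name,
                  @{n='Account';e={$_.StartName}}

# Scheduled tasks: the principal's UserId holds the run-as account.
$tasks = Get-ScheduledTask |
    Select-Object @{n='Type';e={'ScheduledTask'}},
                  @{n='Name';e={$_.TaskPath + $_.TaskName}},
                  @{n='Account';e={$_.Principal.UserId}}

$inventory = (@($services) + @($tasks)) | ForEach-Object {
    $_ | Add-Member -NotePropertyName Candidate `
         -NotePropertyValue (Test-ManagedAccountCandidate $_.Account) -PassThru
}

# One row per candidate account, with the services and tasks that depend on it.
$inventory | Where-Object Candidate |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='Consumers';e={($_.Group |
                      ForEach-Object { "$($_.Type):$($_.Name)" }) -join '; '}} |
    Format-Table -AutoSize -Wrap
```

Each row is an account whose password change would affect every listed service or task, which is the dependency a password policy on service accounts has to account for.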