

Create a Privileged or Service Account

You create privileged and service accounts to manage account passwords on managed and disconnected systems. You use privileged and service accounts for different purposes:

To create multiple accounts, use the discover privileged accounts wizard and the discover service accounts wizard to search for privileged and service accounts on the endpoints. To create a single account, provide the privileged or service account details in this window.

Follow these steps:

  1. In CA ControlMinder Enterprise Management, click Privileged Accounts, Accounts, Create Privileged Account.

    The Create Privileged Account: Select Privileged Account page appears.

  2. (Optional) Select an existing privileged account to create the privileged account as a copy of it, as follows:
    1. Select Create a copy of an object of type Privileged Account.
    2. Select an attribute for the search, type in the filter value, and click Search.

      A list of Privileged Accounts that match the filter criteria appears.

    3. Select the object you want to use as a basis for the new privileged account.
  3. Click OK.

    The General tab of the Create Privileged Account task page appears. If you created the privileged account from an existing object, the dialog fields are pre-populated with the values from the existing object.

  4. Complete the following fields in the General tab:
    Account Name

    Defines the name you want to refer to this privileged account by.

    Note: Mainframe systems such as RACF, ACF, and Top Secret use case-sensitive user names. Enter the account name in capital letters.

    Disconnected Account

    Specifies whether the account originates from a disconnected system.

    If you select this option, SAM does not manage the account. Instead, it acts only as a password vault for privileged accounts of the disconnected system. Every time you change the password, you also need to manually change the account password on the managed endpoint.

    Account Type

    Specifies whether the account is a shared (privileged) account or a service account.

    Note: When you create a service account, SAM does not attempt to change the account password.

    Endpoint Name

    Specifies the name of a defined endpoint where your privileged or service accounts reside. CA ControlMinder Enterprise Management lists only those endpoints that are of the type you specified.

    Endpoint Type

    Specifies the type of endpoint where your privileged or service accounts reside.

    Container

    Specifies the name of the container for the privileged or service account. A container is a class whose instances are collections of other objects. Containers are used to store objects in an organized way following specific access rules.

    Password Policy

    Specifies the password policy you want to apply to the privileged or service account.

    Password

    Defines the password you want to use with the new privileged account.

    Note: The new password must comply with the password policy you specify.

    Check out Expiration

    Defines the duration, in minutes, before the checked out account expires.

    Exclusive Account

    Specifies whether only a single user can use the account at any one time. An exclusive account is a restriction imposed on a privileged account that limits use of the account to a single user at a time.

    Exclusive Session specifies that only a single user can use the account, if no open sessions are currently running on the endpoint.

    Change Password on Check Out

    Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked out.

    Note: This option does not apply to service accounts.

    Change Password on Check In

    Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked in by a user or a program, or when the checkout period expires.

    Note: If the account is not exclusive, CA ControlMinder Enterprise Management generates a new privileged account password only when all users have checked in the account.

    Note: This option does not apply to service accounts.

    Login Application Check Out Only

    Specifies whether to allow password check-out only if a login application is defined for the endpoint.

    Note: When this option is enabled, the user cannot display or copy the password to a clipboard.

  5. (Optional) Move to the Password Consumers tab.

    If configured, CA ControlMinder Enterprise Management displays the password consumers that use the privileged account.

  6. (Optional) Click the Information tab and complete the fields in the tab.

    This tab lets you specify endpoint-specific attributes and use the attributes when you define or modify privileged access roles.

    When a member of the privileged access role logs in to CA ControlMinder Enterprise Management, the user gains access to the privileged accounts according to the attributes defined in the privileged access role.

    Owner

    Specify the name of the endpoint owner.

    Department

    Specify a name of a department.

    Example: Development

    Custom 1...5

    Specify up to five custom endpoint-specific attributes.

    Note: Specify the custom attributes in the privileged access role Members tab, Member Policy section, Member Rule window.

  7. Click Submit.

    CA ControlMinder Enterprise Management creates the new privileged or service account.
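The following model, added here as an illustration and not code from CA ControlMinder, shows how the General tab options interact at check-out and check-in time: exclusive accounts admit one holder, a non-exclusive account with Change Password on Check In rotates only when the last user has checked in, check-out expiration counts as a check-in, and service accounts are never rotated. The class and method names are invented for the example, and it assumes a shared account with Change Password on Check Out rotates on the first concurrent check-out only.

```python
"""Constructed model of SAM-style check-out/check-in semantics (not product code)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class AccountPolicy:
    service_account: bool = False       # Account Type: service accounts are never rotated
    exclusive: bool = False             # Exclusive Account: one user at a time
    checkout_expiration_min: int = 60   # Check out Expiration, in minutes
    change_on_checkout: bool = False    # Change Password on Check Out
    change_on_checkin: bool = False     # Change Password on Check In


@dataclass
class PrivilegedAccount:
    name: str
    policy: AccountPolicy
    password: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    checkouts: dict = field(default_factory=dict)   # user -> expiry time (minutes)
    rotations: int = 0

    def _rotate(self):
        # Service accounts are vaulted but the tool never changes their password
        if self.policy.service_account:
            return
        self.password = secrets.token_urlsafe(16)
        self.rotations += 1

    def check_out(self, user, now_min):
        self.expire(now_min)
        if self.policy.exclusive and self.checkouts and user not in self.checkouts:
            raise PermissionError(f"{self.name} is exclusive and already checked out")
        # Assumption: rotate on the first concurrent check-out so that later
        # holders of a shared account receive the same password
        if self.policy.change_on_checkout and not self.checkouts:
            self._rotate()
        self.checkouts[user] = now_min + self.policy.checkout_expiration_min
        return self.password

    def check_in(self, user, now_min):
        self.checkouts.pop(user, None)
        # A non-exclusive account rotates only once every user has checked in
        if self.policy.change_on_checkin and not self.checkouts:
            self._rotate()

    def expire(self, now_min):
        """Expiry of the check-out window counts as a check-in for that user."""
        for user, until in list(self.checkouts.items()):
            if now_min >= until:
                self.check_in(user, now_min)
```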