Implementation Guide › Installing and Customizing a UNAB Host › How to Register a UNIX Host in a One-Way Trust Domain Environment › Create a Password Consumer

Create a Password Consumer

Password consumers are applications, Windows services, and Windows scheduled tasks that use privileged accounts and service accounts to execute a script, connect to a database, or manage a Windows service, scheduled task, or RunAs command.

There are two groups of password consumers:

• Password consumers that get passwords on demand—Software development kit, database, Windows Run As

  Note: You must install CA ControlMinder on the SAM endpoint with the SAM Integration feature enabled to use password consumers that get passwords on demand.

• Password consumers that get passwords on password change—Windows Scheduled Task, Windows Service

You provide different information to create password consumers from each group. By default, you must have the System Manager role to create a password consumer.

Note: Complete this task if you create a password consumer of types software development kit, database, and Windows Run As. We recommend that you use the Discover Service Accounts Wizard to create Windows Scheduled Task or Windows Service password consumers.

Follow these steps:

1. In CA ControlMinder Enterprise Management, click Privileged Accounts, Password Consumers, Create Password Consumer.

   The Create Password Consumer: Password Consumer Search screen page appears.

2. (Optional) Select an existing password consumer to create the password consumer as a copy of it, as follows:
   1. Select Create a copy of an object of type Password Consumer.
   2. Select an attribute for the search, type in the filter value, and click Search.

      A list of password consumers that match the filter criteria appears.

   3. Select the object you want to use as a basis for the new password consumer.
3. Click OK.

   The Create Password Consumer task page appears. If you created the password consumer from an existing object, the dialog fields are pre-populated with the values from the existing object.

4. Complete the following fields in the General tab:

   Name

   Defines the name you want to refer to this password consumer by.

   Description

   (Optional) Defines the information you want to record for this password consumer (free text).

   Consumer Type

   Specifies the type of the password consumer.

   Application Path

   (Software development kit, database, Windows Run As, Windows Scheduled Task) Defines the full pathname of the password consumer on the endpoint.

   • For software development kit password consumers, specify the pathname of the application that performs the password request.
   • For database password consumers, specify the pathname of the application that connects to the database.
   • For Windows Run As password consumers, specify the pathname of the application that the user executes.
   • For Windows Scheduled Task password consumers, specify the pathname of the scheduled task.

   Note: You can use wildcards (*) and CA ControlMinder variables in the pathname, for example, <!AC_ROOT_PATH>\bin\acpwd.exe.

   Service Name

   (Windows Service) Defines the pathname of the Windows service. Specify the pathname exactly as it appears in the Windows service properties page.

   Enabled

   Specifies that the password consumer is enabled, that is, that SAM accepts requests from this consumer or enforces password change on this consumer.

   Status

   (Windows Scheduled Task or Windows Service) Indicates whether the last password change succeeded or failed.

   Last Synchronized Date

   (Windows Scheduled Task or Windows Service) Displays the last successful password synchronization.

   Restart

   (Windows Service) Specifies whether to restart the Windows service after a password change.

5. Click the Privileged Accounts tab and specify the privileged accounts that are associated with the password consumer.

   If you create a software development kit, database, or Windows Run As password consumer, the password consumer can get the passwords for the privileged accounts that you specify.

   If you create a Windows Scheduled Task or Windows Service password consumer, SAM forces a password change for the password consumer when the passwords for these privileged accounts are changed.

6. Specify the entities that can use the password consumer. Do one of the following:
   • To create a software development kit, database, or Windows Run As password consumer, do the following:
     1. Click the Hosts tab and select All Hosts to grant all hosts or host groups access to the privileged account password.

        Note: You can type the name of the host or host group in the Name field, or click "..." to search for a CA ControlMinder host or host group (HNODE or GHNODE object).

     2. Click the Users tab and specify the users or groups who can request the privileged account password, or select All Users to let every user request the privileged account password.

        Specify the name of the user or group as it appears on the endpoint, for example, DOMAIN\user1. Do not specify a CA ControlMinder Enterprise Management user or group.

   • To create a Windows Scheduled Task or Windows Service password consumer, click the Endpoints tab and specify the endpoints on which you want to create the password consumer.
7. Click Submit.

   CA ControlMinder Enterprise Management creates the password consumer.

More information:

Types of Password Consumers