Previous Topic: Discover Service AccountsNext Topic: Password Consumer Example: Windows Run As


Create a Password Consumer

The password consumers are applications, Windows services, and Windows scheduled tasks that use privileged accounts and service accounts to execute a script, connect to a database, or manage a Windows service, scheduled task, or RunAs command.

There are two groups of password consumers:

You provide different information to create password consumers from each group. By default, you must have the System Manager role to create a password consumer.

Note: Complete this task if you create a password consumer of types software development kit, database, and Windows Run As. We recommend that you use the Discover Service Accounts Wizard to create Windows Scheduled Task or Windows Service password consumers.

Follow these steps:

  1. In CA ControlMinder Enterprise Management, click Privileged Accounts, Password Consumers, Create Password Consumer.

    The Create Password Consumer: Password Consumer Search screen page appears.

  2. (Optional) Select an existing password consumer to create the password consumer as a copy of it, as follows:
    1. Select Create a copy of an object of type Password Consumer.
    2. Select an attribute for the search, type in the filter value, and click Search.

      A list of password consumers that match the filter criteria appears.

    3. Select the object that you want to use as a basis for the new password consumer.
  3. Click OK.

    The Create Password Consumer task page appears. If you created the password consumer from an existing object, the dialog fields are prepopulated with the values from the existing object.

  4. Complete the following fields in the General tab:
    Name

    Defines the name that you want to refer to this password consumer by.

    Description

    (Optional) Defines the information that you want to record for this password consumer (free text).

    Consumer Type

    Specifies the type of the password consumer.

    Application Path

    (Software development kit, database, Windows Run As, Windows Scheduled Task) Defines the full pathname of the password consumer on the endpoint.

    • For software development kit password consumers, specify the pathname of the application that performs the password request.
    • For database password consumers, specify the pathname of the application that connects to the database.
    • For Windows Run As password consumers, specify the pathname of the application that the user executes.
    • For Windows Scheduled Task password consumers, specify the pathname of the scheduled task.

    Note: You can use wildcards (*) and CA ControlMinder variables in the pathname, for example, <!AC_ROOT_PATH>\bin\acpwd.exe.

    Enabled

    Specifies that the password consumer is enabled, that is, that SAM accepts requests from this consumer or enforces password change on this consumer.

  5. Click the Privileged Accounts tab and specify the privileged accounts that are associated with the password consumer.

    If you create a software development kit, database, or Windows Run As password consumer, the password consumer can get the passwords for the privileged accounts that you specify.

    If you create a Windows Scheduled Task or Windows Service password consumer, SAM forces a password change for the password consumer when the passwords for these privileged accounts are changed.

  6. Specify the entities that can use the password consumer. Do one of the following:
  7. Click Submit.

    CA ControlMinder Enterprise Management creates the password consumer.

More information:

Types of Password Consumers