Previous Topic: Import the EndpointsNext Topic: Password Composition Rules

Enterprise Administration GuideImplementing Shared AccountsCreate a Password Policy

Create a Password Policy

A password policy for privileged accounts is a set of rules and restrictions that determine permissible privileged account passwords. For example, you can configure the policy to mandate passwords that are at least eight characters long and contain a number and a letter. The password policies also determine an interval at which SAM automatically creates a password for the account.

Note: SAM comes with a predefined password policy that you can use. We recommend that you define password policies that are appropriate for each of your endpoints and adhere to your security requirements.

Follow these steps:

  1. In CA ControlMinder Enterprise Management, click Privileged Accounts, Password Policy, Create Password Policy.

    The Create Password Policy: Configure Standard Search Screen page appears.

  2. (Optional) Select an existing password policy to create the password policy as a copy of it, as follows:
    1. Select Create a copy of an object of type Privileged Account Password Policy, and click Search.

      The list of password policies appears.

    2. Select the object that you want to use as a basis for the new password policy.
  3. Click OK.

    The Create Password Policy task page appears. If you created the password policy from an existing object, the dialog fields are prepopulated with the values from the existing object.

  4. Type a name and an optional description for the password policy.
  5. (Optional) Clear Enabled.

    By default, new password policies are enabled. If the policy you are creating is not approved yet, you can choose to clear this checkbox and leave the policy disabled.

  6. Define the password composition rules.
  7. (Optional) Define a password expiration interval.

    This is a regular interval at which CA ControlMinder Enterprise Management changes passwords automatically. By default, the expiration interval is disabled (set to zero).

  8. (Optional) Define the times, in 24-hour time format, at which CA ControlMinder Enterprise Management can change the password.

    For example, if you create a password policy for a service account, you can specify that CA ControlMinder Enterprise Management can change the password of the account only between 10:00 p.m. and 11:59 p.m. (22:00–23:59) on Sundays.

  9. (Optional) Define the grace period, in days, for an account password change attempt. Once elapsed, SAM traces the password change failure. By default the grace period is set to 0.

    Note: You can export the password change failure in a CSV file for review from the Password Change Failures screen.

  10. Click Submit.

    CA ControlMinder Enterprise Management creates the password policy.

More Information:

Password Composition Rules