5.12 Privileged Account

Privileged account credentials, and the domain information needed to use them, are stored as account domains and credentials. A single account domain can hold multiple credentials. Credentials are stored in encrypted form.

5.12.1 Creating an Account Domain for Windows Systems

Adding an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. In the task pane, click Add Account Domain.

  4. Specify the following information:

    Name: Specify a name for the domain.

    Type: Select LDAP as the account type for the user.

    Profile: Select the profile for the user.

    LDAP URL: Specify the DNS name of the domain. For example: netiq.com

    Base DN: Click Lookup to populate the base DN for the domain specified in LDAP URL. For example: DC=netiq,DC=com

    Scope: Select the scope for the user.

    Account: Specify the account name of the domain user. For example: administrator

    User DN: Specify the complete name for the domain user. For example: CN=administrator,CN=Users,DC=netiq,DC=com

    Password: Specify the password for the domain user account.

  5. Click Finish to save the account domain details.

An account domain and a credential are created for the specified domain. To add further credentials, continue with Adding Credentials.
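The fields above have to agree with one another: the Base DN that Lookup returns for netiq.com is DC=netiq,DC=com, and the User DN must lie under it, or the bind fails after Finish and the failure shows up only as a rejected credential. The following added example (a stand-alone script written for this page, not code from Privileged User Manager) checks the values before they are typed into the console. The keys of EXAMPLE_FIELDS mirror the console labels, the values are the page's own examples, and the password is a placeholder.

```python
"""Consistency checks for the LDAP account-domain fields. Added example for this page;
not part of Privileged User Manager. Field names mirror the console labels."""
import re

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def base_dn_from_dns(dns_name: str) -> str:
    """netiq.com -> DC=netiq,DC=com, the Base DN Active Directory uses for that domain."""
    labels = dns_name.strip().strip(".").split(".")
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS name: {dns_name!r}")
    return ",".join(f"DC={label}" for label in labels)


def split_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs. A backslash escapes the next character
    (RFC 4514), so 'CN=Smith\\, John' stays one RDN instead of two."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def _norm(pairs: list) -> list:
    # Active Directory matches DN components case-insensitively.
    return [(attr.upper(), value.lower()) for attr, value in pairs]


def dn_under_base(user_dn: str, base_dn: str) -> bool:
    """True when user_dn lies inside base_dn, i.e. its trailing RDNs are exactly base_dn."""
    user, base = _norm(split_dn(user_dn)), _norm(split_dn(base_dn))
    return len(user) > len(base) and user[-len(base):] == base


def check_account_domain(fields: dict) -> list:
    """Return the problems found in the values about to be entered; [] means consistent."""
    problems = []
    try:
        expected_base = base_dn_from_dns(fields.get("LDAP URL", ""))
        base, user_dn = fields.get("Base DN", ""), fields.get("User DN", "")
        if _norm(split_dn(base)) != _norm(split_dn(expected_base)):
            problems.append(f"Base DN {base!r} does not match the LDAP URL domain ({expected_base})")
        if not dn_under_base(user_dn, base):
            problems.append(f"User DN {user_dn!r} is not under Base DN {base!r}")
    except ValueError as err:
        problems.append(str(err))
    account = fields.get("Account", "")
    if not account or "\\" in account or "@" in account:
        problems.append("Account must be the bare account name (administrator), not DOMAIN\\user or a UPN")
    if not fields.get("Password"):
        problems.append("Password is empty")
    return problems


# Constructed sample built from the page's own example values; the password is a placeholder.
EXAMPLE_FIELDS = {
    "Name": "netiq",
    "Type": "LDAP",
    "LDAP URL": "netiq.com",
    "Base DN": "DC=netiq,DC=com",
    "Account": "administrator",
    "User DN": "CN=administrator,CN=Users,DC=netiq,DC=com",
    "Password": "placeholder-not-a-real-password",
}

if __name__ == "__main__":
    for line in check_account_domain(EXAMPLE_FIELDS) or ["fields are consistent"]:
        print(line)
```

The DN splitter honours backslash escapes because a service account created as "Smith, John" produces a User DN with an escaped comma, and a naive split on commas would report it as not under the base DN.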

Modifying an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. Select the account domain you want to modify.

  4. In the task pane, click Modify Account Domain.

  5. Specify the following information:

    Name: Specify a name for the domain.

    Type: Select LDAP as the account type for the user.

    Profile: Select the profile for the user.

    Base DN: Click Lookup to populate the base DN for the domain. For example: DC=netiq,DC=com

    Scope: Select the scope for the user.

    Account: Specify the account name of the domain user. For example: administrator

    Credential: Select a credential for the domain.

  6. Click Finish to save the account domain details.

Deleting an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. Select the account domain you want to delete.

    To select multiple account domains, display the domains in the right pane, press the Ctrl key and select the required account domains one at a time, or press the Shift key to select a consecutive list of account domains.

  4. Click Delete Account Domain in the task pane. The selected account domains are listed.

  5. Click Finish.

    The account domains are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

Adding Credentials

To add further credentials to an existing account domain, do the following:

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. Select an Account Domain.

  4. In the task pane, click Add Credential.

  5. Specify the following details:

    Account: Specify the account name of the domain user. For example: administrator.

    User DN: Specify the complete name for the domain user. For example: CN=administrator,CN=Users,DC=netiq,DC=com

    Password: Specify the password for the domain user account.

  6. Click Finish to save the account domain and credential details.

5.12.2 Creating an Account Domain for Linux or Unix Systems

Adding an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. In the task pane, click Add Account Domain.

  4. Specify the following information:

    Name: Specify the IP address or full name of the host.

    Type: Select SSH as the type for the user.

    SSH Host: Specify the IP address or the full name of the host.

    SSH Host Key: Click Lookup to populate the host key, or specify the SSH host key manually. Lookup retrieves the key over the network, so verify it out of band (for example, against the fingerprint of the host's own /etc/ssh/ssh_host_*_key.pub) before saving; the stored key is what later sessions trust.

    Credential Type: In the drop-down list select either Password or SSH Private Key.

    Account: Specify the account name of the domain user. Example: root.

    Password: Specify the password for the domain user account, if you selected Password as the credential type.

    Private Key: If you selected SSH Private Key as the credential type, generate a key pair and paste the content of the private key here.

    To generate the key pair do the following:

    1. Open a terminal to the remote host and browse to the /root/.ssh folder.

    2. Type ssh-keygen -t rsa and enter a passphrase when prompted.

      Public and private keys are generated.

    3. Copy the content of the public key from the remote host to the authorized_keys file on the SSH Relay Agent Host.

    4. Copy the content of the private key from the remote host into the Privileged User Manager SSH Private Key field.

      The private key is the secret that grants access as this account. Once it is stored in Privileged User Manager, remove any copy left on the remote host or in intermediate files.

    Passphrase: Specify the passphrase that was entered while generating the key pair.

  5. Click Finish to save the account domain details.
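Two of the fields above deserve a check before Finish is clicked: the SSH Host Key that Lookup populates should be the same key that an independent ssh-keyscan of the host returns, and the private key should actually be passphrase-protected, otherwise the Passphrase field protects nothing. The following added example (written for this page, not code from Privileged User Manager) does both using only OpenSSH's documented wire formats: it parses a host key line, computes the SHA256 fingerprint that OpenSSH prints, and reads the cipher and KDF names from the header of an OpenSSH-format private key. The host key blob, the host 10.0.0.7 and the private-key headers are constructed inline for the demo and are not real keys.

```python
"""Checks for the SSH account-domain fields. Added example for this page; not part of
Privileged User Manager. Only OpenSSH's documented wire formats are used."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_host_key_line(line: str):
    """Parse a known_hosts / ssh-keyscan line 'host[,host] keytype base64 [comment]'
    into (hosts, keytype, blob). The key type inside the blob must agree with the outer one."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64'")
    hosts, keytype, blob = parts[0].split(","), parts[1], base64.b64decode(parts[2], validate=True)
    inner, _ = read_ssh_string(blob, 0)
    if inner != keytype.encode():
        raise ValueError(f"key type in blob ({inner!r}) does not match {keytype!r}")
    return hosts, keytype, blob


def fingerprint(blob: bytes) -> str:
    """The fingerprint OpenSSH prints: SHA256:<base64(sha256(blob)) without '=' padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_matches(lookup_line: str, keyscan_line: str) -> bool:
    """True when the key Lookup populated and the key an independent
    'ssh-keyscan -t rsa <host>' returned are the same key."""
    _, type_a, blob_a = parse_host_key_line(lookup_line)
    _, type_b, blob_b = parse_host_key_line(keyscan_line)
    return type_a == type_b and fingerprint(blob_a) == fingerprint(blob_b)


def private_key_is_encrypted(key_text: str) -> bool:
    """True when the private key about to be pasted is passphrase-protected.
    OpenSSH format: cipher and KDF names in the header are 'none' for an unprotected key.
    Legacy PEM format: an unprotected key has no 'Proc-Type: 4,ENCRYPTED' header."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = read_ssh_string(blob, len(magic))
        kdf, _ = read_ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)


# ---- constructed samples: toy numbers, NOT real keys; only the wire format matters ----
def _mpint(x: int) -> bytes:
    # SSH mpint for a positive integer: an extra leading 0x00 when the high bit is set.
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


_TOY_BLOB = _rsa_blob(65537, 0xC0FFEE_DEADBEEF_0123456789ABCDEF)
LOOKUP_LINE = "10.0.0.7 ssh-rsa " + base64.b64encode(_TOY_BLOB).decode()
KEYSCAN_LINE = "10.0.0.7 ssh-rsa " + base64.b64encode(_TOY_BLOB).decode() + " constructed"
TAMPERED_LINE = "10.0.0.7 ssh-rsa " + base64.b64encode(
    _rsa_blob(65537, 0xC0FFEE_DEADBEEF_0123456789ABCDE0)).decode()


def _openssh_key_text(cipher: bytes, kdf: bytes) -> str:
    # Header only (magic, cipher, kdf, empty kdf options, nkeys=1); no key material follows.
    blob = b"openssh-key-v1\x00" + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"") + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()


ENCRYPTED_KEY = _openssh_key_text(b"aes256-ctr", b"bcrypt")
UNENCRYPTED_KEY = _openssh_key_text(b"none", b"none")
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                        "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("host key fingerprint:", fingerprint(_TOY_BLOB))
    print("Lookup key matches ssh-keyscan:", host_key_matches(LOOKUP_LINE, KEYSCAN_LINE))
    print("tampered key matches:", host_key_matches(LOOKUP_LINE, TAMPERED_LINE))
    print("pasted key is passphrase-protected:", private_key_is_encrypted(ENCRYPTED_KEY))
```

In practice the first argument to host_key_matches is the line the console shows after Lookup and the second is the output of ssh-keyscan run from a machine you trust; comparing fingerprints rather than raw base64 tolerates hostname, hashing and comment differences between the two sources. The private-key check only reads the header, so it never needs the passphrase and never parses key material.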

Modifying an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. Select the account domain you want to modify.

  4. In the task pane, click Modify Account Domain.

  5. Specify the following information:

    Name: Specify the IP address or full name of the host.

    Type: Select SSH as the account type for the user.

    SSH Host: Select the host for the user.

    SSH Host Key: Click Lookup to populate the host key, or specify the SSH host key manually. Verify a key obtained by Lookup out of band before saving, as the stored key is what later sessions trust.

    Credential: Select a credential for the user.

  6. Click Finish to save the account domain details.

Deleting an Account Domain

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. Select the account domain you want to delete.

    To select multiple account domains, display the domains in the right pane, press the Ctrl key and select the required account domains one at a time, or press the Shift key to select a consecutive list of account domains.

  4. Click Delete Account Domain in the task pane. The selected account domains are listed.

  5. Click Finish.

    The account domains are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.