Hello ​@SFA ,

1. Since your application supports API to change the password, you can develop a custom plugin using Resource Kit SDK and directly directly call the APIs using System.Net.Http library or other supported libraries of your choice. Most reliable method to change the password using APIs.

2. You can also use the Resource Kit SDK Plugin for PowerShell Scripts, but it is not a straight forward approach because plugin is executing the third party script. Make sure your PowerShell script should return proper exit codes to the Custom Plugin.

3. Propagation Actions will only trigger when there is a successful password change. To have a successful password change, you can create a dummy account on your Windows system and use this account for password change and to trigger propagation action.

If you have expertise in C# for Custom Plugin development, I would suggest to go with option 1, else option 2.

I would avoid option 3 (propagation actions), because it is dependent on a dummy account on Windows systems and from my experience, I observed sometimes propagation action fails to properly execute the PowerShell scripts.

Based on your use case, you want to onboard certain accounts (probably local or DB) to Password Safe and then perform a password rotation on these accounts on Password Safe alone without updating it to a managed system. What application or host will then retrieve the credentials and is that through API? 

If this is the use case then Secret Safe might be more suitable where it will only be updated on the Password Safe solution without updating the managed system. You might be able to trigger password generation through Secret Safe API based on Password Policy. Take a look at the secret safe API if this fits your use case.

Secrets Safe APIs

Actually we need to provide access to the application via Pam and manage passwords for the application account,We have APIs from the application to update with new password. We don’t want to just store in secret safe. So how would we go about this if we go with secret safe, the account will need to be added as managed account as we need to provide access to the account via application to the user as well.So was thinking wrt the above link for custom plugin which is what we need. but getting an error currently.

oh just read through your comment once again, so I can use the PUT Secrets-Safe/Secrets/{secretId:guid}/ with PasswordRuleId  which will generate a password and then pass that password to the API of application...ok but if I am using custom platform via application host. I need a Linux machine right? because I have the script on a windows machine currently...hmm...and tried to get application host option but its not seen on windows managed system...hmm or can i build a dummy platform pointing to the PS1 script in change step on UVM appliance, and then trigger these API's?

​@SFA 

Since your application supports APIs, I would suggest to directly call the APIs in the Custom Plugin using System.Net.Http library or any supported library of your preference. This is the most reliable approach.

As mentioned in your question, you can call the PowerShell scripts in the Custom Plugin, but it is not a straight forward approach due to multiple layers.