
Hello! 
How do you manage your functional accounts, domain as well as local?

Domain:

I think it will be easier to manage and enable auto-rotation at more frequent intervals. I think we have to be careful about the managed account rotation while scheduling this. Are there any other risks to availability?


Local functional account:
This is tricky. E.g. for Linux systems we will have a localfa added to Password Safe. Its initial password remains constant in Password Safe so that it can onboard new systems. What would happen if we enable rotation on it? The initial password of the functional account will remain the same so that it can onboard other machines, but on existing machines each system will have its own password for localfa, and that same password will be used to rotate its password on schedule? What are the possible risks to availability in this case? Is

That's my question too. Is there a clear document on how to onboard around 500 Linux servers with a local FA and local scan account?


Hi @Higor. There are a couple of KB articles on onboarding steps and managed account creation without scanning for this type of use case. Also, I saw a few questions with a lot of good responses on this forum around onboarding



It is one of those dilemma things; creating one account to manage another seems moot.

Things to consider:

  1. Use AD Bridge or similar tool, to allow AD integration for identities.
  2. Consider the use of SSH Keys for your Functional Account, https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0018143
  3. Best Practice for Functional account https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0016828
  4. Are scans needed? It depends on what you want to accomplish: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017149

Just to name a few for these KBs

Jens
