Credential management
From the Privileged Identity Manager Service Center, a privileged administrator can create, modify, and delete credentials, specify the credential type, and connect it to an identity provider so that you can rotate passwords or SSH Keys automatically on the resource.
- Password-authenticated credential
- Credentials that require passwords to authenticate into privileged accounts.
- SSH Key-authenticated credential
- Credentials that require SSH keys to authenticate into privileged accounts.
Connected and disconnected credentials
- Connected
- Connected credentials are associated with an identity provider for which an identity adapter is available for the target system. You can manage the passwords or SSH Keys of these credentials, for example by configuring automatic password or SSH Key rotation, which is often a compliance requirement.
- Disconnected
- Disconnected credentials exist as standalone objects (user ID and password or SSH Key) in the credential vault. These credentials simply use the credential vault as secure, controlled storage. You cannot configure automatic password or SSH Key rotation for disconnected credentials.
You typically want to configure connected credentials. For example, in deployments where users can view passwords or download SSH Keys in the self-service console, the password or SSH Key is known to an IBM® Security Privileged Identity Manager user after each use, so you want to rotate it automatically to minimize the exposure window. You can do this by enabling Change password or key upon check in.
When automatic rotation is not possible, for example for disconnected credentials, reduce the exposure window in one of these ways:
- Configure the credentials for automatic logon with Privileged Access Agent or Privileged Session Gateway, and disable the Allow view password or key download to user option for the self-service console, so that users never see the secret. Note: Privileged Access Agent does not support SSH Key credentials.
- Perform periodic manual password rotation on the target systems, and manually update the passwords that are stored in IBM Security Privileged Identity Manager. Note: SSH Keys that are stored in IBM Security Privileged Identity Manager cannot be updated.
| Connected | Disconnected |
|---|---|
| Adding credentials in the Privileged Identity Manager Service Center | Adding credentials in the Privileged Identity Manager Service Center |
| Connecting a credential to an identity provider | |
| Resetting credential passwords and SSH Keys | |
| Configuring a reset interval for credentials | |
| Disconnecting a credential from an identity provider | |
Exclusive and non-exclusive credentials
Exclusive credentials are privileged credentials that require check-out and can only be used by one user at a time. Non-exclusive credentials can be used concurrently by multiple users and are configured to not require check-outs.
It is recommended to configure exclusive credentials, which are credentials that require check-out, for the following reasons:
- Accountability and forensics. Only a single user can hold the credential at a time, so activity on the target system can be attributed to that user.
- Auditability. The user can enter a justification for using the credential when checking it out.
- Security. Passwords or SSH Keys of connected credentials can be rotated after each use by enabling Change password or key upon check in in the Administrative console.
Configure non-exclusive credentials only where the use case requires concurrent access, for example:
- App ID scenarios. In application identity management scenarios, where credentials are consumed by applications rather than people, credentials must be configured to not require check-out.
- Only a single privileged credential is available on the target system. For example, some network devices offer a single fixed 'admin' privileged credential, but different users require concurrent access to it.
| Exclusive credentials | Non-exclusive credentials |
|---|---|
| Configuring the credential default settings | Configuring the credential default settings |
| | Specifying non-exclusive shared access credentials |
| Checking in credentials in a credential pool | Application identity management |
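The following is an added example, not IBM code or a Privileged Identity Manager API: a small Python model of the four credential properties discussed above (connected or disconnected, exclusive or non-exclusive) and how they interact at check-out and check-in. The class names, the `change_on_checkin` and `view_allowed` flags, the user names and the sample secrets are assumptions made for illustration. It shows why rotation on check-in is only possible for connected credentials, why non-exclusive credentials cannot be rotated on check-in while other users may still hold them, and which credentials are left exposed and need manual rotation.

```python
"""Toy model of privileged credential check-out/check-in (added example).

All names and rules here are illustrative assumptions, not Privileged
Identity Manager behaviour or APIs.
"""
import secrets
from dataclasses import dataclass, field


class CheckoutError(Exception):
    """Raised when a check-out or check-in violates the credential's policy."""


@dataclass
class Credential:
    name: str
    secret: str
    connected: bool            # identity provider attached: rotation is possible
    exclusive: bool            # requires check-out; one holder at a time
    view_allowed: bool = True  # models "Allow view password or key download to user"
    holders: set = field(default_factory=set)
    audit: list = field(default_factory=list)


class Vault:
    """Minimal check-out/check-in engine for the model above."""

    def __init__(self, change_on_checkin: bool = True):
        # Models the "Change password or key upon check in" setting.
        self.change_on_checkin = change_on_checkin

    def check_out(self, cred: Credential, user: str, justification: str = "") -> str:
        if cred.exclusive and cred.holders:
            holder = next(iter(cred.holders))
            raise CheckoutError(f"{cred.name}: already checked out by {holder}")
        cred.holders.add(user)
        cred.audit.append(("checkout", user, justification))
        # If viewing is disabled the secret is only ever injected by an agent
        # or gateway; the user never learns it.
        return cred.secret if cred.view_allowed else "<injected by agent/gateway>"

    def check_in(self, cred: Credential, user: str) -> bool:
        """Return True if the secret was rotated on this check-in."""
        if user not in cred.holders:
            raise CheckoutError(f"{cred.name}: {user} does not hold this credential")
        cred.holders.discard(user)
        # Rotation needs an identity provider (connected) and a single holder
        # (exclusive); a disconnected credential is storage only.
        rotated = cred.exclusive and cred.connected and self.change_on_checkin
        if rotated:
            cred.secret = secrets.token_urlsafe(24)
        cred.audit.append(("checkin", user, rotated))
        return rotated


def exposed_after_checkin(creds) -> list:
    """Disconnected, viewable credentials remain known to users after
    check-in; these are the ones to rotate manually on the target system."""
    return [c.name for c in creds if c.view_allowed and not c.connected]


def demo() -> dict:
    vault = Vault(change_on_checkin=True)
    linux_root = Credential("linux-root", "p0", connected=True, exclusive=True)
    legacy_app = Credential("legacy-app", "p1", connected=False, exclusive=True)
    router_admin = Credential("router-admin", "p2", connected=True, exclusive=False)
    results = {}

    # 1. Exclusive, connected: one holder at a time, rotated on check-in.
    vault.check_out(linux_root, "alice", "change ticket 4711")
    try:
        vault.check_out(linux_root, "bob", "also needs it")
        results["concurrent_exclusive"] = True
    except CheckoutError:
        results["concurrent_exclusive"] = False
    results["linux_rotated"] = vault.check_in(linux_root, "alice")
    results["linux_secret_changed"] = linux_root.secret != "p0"
    results["linux_audit"] = [entry[1] for entry in linux_root.audit]

    # 2. Exclusive, disconnected: the vault is storage only; no rotation.
    vault.check_out(legacy_app, "alice", "incident 42")
    results["legacy_rotated"] = vault.check_in(legacy_app, "alice")

    # 3. Non-exclusive, connected: concurrent use, so no check-in rotation
    #    (another user may still be using the same secret).
    vault.check_out(router_admin, "alice")
    vault.check_out(router_admin, "bob")
    results["router_holders"] = len(router_admin.holders)
    results["router_rotated"] = vault.check_in(router_admin, "alice")

    results["needs_manual_rotation"] = exposed_after_checkin(
        [linux_root, legacy_app, router_admin])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the second check-out of the exclusive credential rejected, the connected exclusive credential rotated on check-in with both audit entries attributed to the single holder, the disconnected credential unchanged, the non-exclusive credential held by two users at once, and only the disconnected, viewable credential reported as needing manual rotation.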