Oracle® Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager
11g Release 2 (11.1.2)

Part Number E27152-05

5 Configuring and Managing Oracle Privileged Account Manager

This chapter explains how to configure and manage Oracle Privileged Account Manager. This information is organized into the following topics:

Note:

You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.

If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, see Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.

5.1 Administering Oracle Privileged Account Manager

This section provides instructions for administrators who must configure and maintain Oracle Privileged Account Manager.

The topics include:

You must be an Oracle Privileged Account Manager administrator with a particular Admin Role to perform the different configuration tasks described in this section.

The following list describes the basic workflow that is performed by Oracle Privileged Account Manager administrator users based on their different Admin Roles:

Note:

An administrator with the Application Configurator Admin Role should have already configured a connection to the Oracle Privileged Account Manager server. See Section 4.3.1, "Configuring a Connection to the Oracle Privileged Account Manager Server" for more information.

Table 5-1 Administrator Workflows Based on Admin Roles

Administrator | Responsibility

Security Administrator

  1. Evaluates Oracle Privileged Account Manager's Default Usage Policy and Default Password Policy and, if necessary, modifies these policies or creates new ones.

  2. Adds targets to Oracle Privileged Account Manager.

  3. Adds privileged accounts on that target.

    Note: This role cannot assign grantees to privileged accounts.

  4. Assigns a Password Policy to privileged accounts.

  5. Manages existing targets, accounts, and policies.

User Manager

  1. Assigns grants to accounts.

  2. Creates and manages Usage Policies as needed.

  3. Assigns a Usage Policy to grants.

  4. Manages existing grants and Usage Policy assignments.

Security Auditor

Reviews Oracle Privileged Account Manager reports.


Note:

For more information about these Admin Roles, see Section 2.3.1, "Administration Role Types."

5.1.1 Working with Policies

This section provides information about working with Oracle Privileged Account Manager Usage Policies and Password Policies.

The topics include:

5.1.1.1 Policies Overview

In Oracle Privileged Account Manager, there are two types of policies:

  • Password Policy. This policy type captures the password construction rules enforced by a specific target on an associated privileged account, for example, the minimum and maximum number of numeric characters. A Password Policy governs the password value that Oracle Privileged Account Manager generates when it resets the password of a privileged account.

  • Usage Policy. This policy type defines when and how a grantee can use a privileged account. (Default access is 24x7.)

Every privileged account that is managed by Oracle Privileged Account Manager must have an associated Password Policy. A Usage Policy only applies at the level of a grant. You can associate a single Password Policy with multiple privileged accounts and a single Usage Policy with multiple grants.

Note:

For Usage Policies,

  • User grants are given first precedence. If Oracle Privileged Account Manager does not find a user grant, it looks for a group grant.

  • If Oracle Privileged Account Manager looks for a group grant and the user is a member of multiple granted groups, then whichever of those groups is picked at runtime is given precedence.

Oracle Privileged Account Manager provides a Default Password Policy and a Default Usage Policy. You can choose to use the default policies, to modify these policies, or to create your own, specialized policies.

Note:

Oracle recommends that you make a back-up copy of the default policies if you intend to modify them. You can use the export command as described in Section A.2.13, "export Command."

To review the parameter settings for these policies, see Section 5.1.1.3, "Viewing Policies."

Note:

Only administrators with the Security Administrator Admin Role or the User Manager Admin Role can work with policies.

  • An administrator with the Security Administrator Admin Role can modify the Default Password Policy and Default Usage Policy, create new policies, or delete policies.

    Administrators with the Security Administrator Admin Role can assign Password Policies, but they cannot assign Usage Policies.

  • An administrator with the User Manager Admin Role can only assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

    Administrators with the User Manager Admin Role cannot assign Password Policies.

5.1.1.2 Searching for Policies

Use the following steps to search for a policy:

  1. Select Password Policies or Usage Policies from the Administration accordion, based on which policy type you want to search for.

  2. When the Search Policies portlet displays, enter your search criteria into one or more of the following fields.

    • Policy Name: Enter all or any part of a policy name.

    • Policy Status: Select All (default) from the menu to search for all policies (active and inactive). Select Active or Disabled to limit the search to just active or inactive policies.

  3. Click Search.

Review your search results in the Search Results table.

5.1.1.3 Viewing Policies

To review the parameter settings for a Password Policy or a Usage Policy:

  1. Select Password Policies or Usage Policies from the Administration accordion.

  2. When the Policies page displays, click Search.

    The existing policies will display in the Search Results table. For example, if you searched for Password Policies, then the existing Password Policies are listed.

  3. Use one of the following methods to open a policy:

    • Click the Row number next to the policy name and then click the Open icon located above the Search Results table.

    • Click the policy name (an active link) in the Search Results table.

      For example, clicking the Default Password Policy link opens the Password Policy: Default Password Policy page.

    A Password Policy page contains three tabs:

    • General. Contains parameters used to specify general information about the policy and Password Lifecycle Rules for the policy. Password Lifecycle Rules govern when Oracle Privileged Account Manager must automatically reset an account password.

    • Password Complexity Rules. Contains parameters that govern the complexity requirements for account passwords.

    • Privileged Accounts. Provides information about the privileged accounts currently using that Password Policy.

    A Usage Policy page also contains three tabs:

    • General Fields. Contains parameters used to specify general information about the policy.

    • Usage Rules. Contains parameters that govern the time zone to be associated with checking out a privileged account, when the account can be checked out, and when the check out expires.

    • Grantees. Provides information about the grantees who are authorized to use that account.

5.1.1.4 Modifying the Default Password Policy

After evaluating the Default Password Policy, you may decide you want to modify the settings to better suit your environment.

Note:

Oracle recommends that you make a back-up copy of the default policies if you intend to modify them. You can use the export command as described in Section A.2.13, "export Command."

To modify the Default Password Policy, use the following steps:

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page displays, click Search to populate the Search Results table.

  3. Click the Default Password Policy link in the Search Results table to open the Password Policy: Default Password Policy page.

  4. Select the General tab to modify the Policy Description in the General Fields area or to modify any of the following Password Lifecycle Rules:

    Note:

    You cannot edit the Policy Name or Policy Status values for this policy.

    Parameter | Description

    Save password history for

    Use the counter and drop menus to specify how many days to save the password history for an account. The password history includes when accounts are checked out, checked in, and when their passwords were reset.

    Expire password after

    Use the counter and drop menus to specify a duration (a number of days, hours, or minutes) after which Oracle Privileged Account Manager must automatically reset the account password. For example, if your enterprise has a security policy that requires account passwords to be changed every month, you would set this value to 30 days.

    Every time the account is checked out and its password gets changed (if the policy is configured so that passwords must be changed on checkout/check-in) Oracle Privileged Account Manager tracks the password change time.

    If Oracle Privileged Account Manager detects the account is idle and no password changes have occurred over the specified number of days, then Oracle Privileged Account Manager automatically resets the password to a new, randomized value, which helps the enterprise to automatically enforce the security policy without human intervention. To disable this automatic reset option, set the numeric value to 0.

    Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts where the password maximum age has expired and resets them as described in this section.

    By default, the scheduler makes this check every 60 minutes (based on the passwordcyclerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getglobalconfig and modifyglobalconfig command line options. For more information, refer to Section A.2.15, "getglobalconfig Command" and to Section A.2.21, "modifyglobalconfig Command."

    Reset password on check-in

    Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-in operation.

    Uncheck this box if you do not want the password to be reset during the check-in operation.

    Reset password on check-out

    Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-out operation.

    Uncheck this box if you do not want the password to be reset during the check-out operation.


    Note:

    • An administrator with the Security Administrator Admin Role can also manually reset a password by using the Reset Password option (described in Section 5.1.3.7.2, "Resetting an Account Password") and Oracle Privileged Account Manager tracks this password change time as well.

    • For higher security, the Reset password on check-in and Reset password on check-out options are both enabled by default, but they can be disabled if required. For example, some enterprises may only require that passwords be reset every 30 days.

    • If your enterprise prefers that passwords not be automatically managed at all, and that they are changed only through human intervention, disable all three Password Lifecycle Rules options.

      However, after disabling these three options, the only way to manually change passwords is by using the Reset Password option (described in Section 5.1.3.7.2, "Resetting an Account Password"). Oracle Privileged Account Manager is still useful in this case, as you can reset and centrally manage passwords for multiple systems from one place by using Oracle Privileged Account Manager.

  5. Select the Password Complexity Rules tab to change one or more of the parameters that define the default password requirements.

    Parameter | Description

    Characters for Password

    Specify the minimum and maximum number of characters required.

    Alphabetic Characters

    Specify the minimum number of alphabetic characters required.

    Numeric Characters

    Specify the minimum number of numeric characters required.

    Alphanumeric Characters

    Specify the minimum number of alphanumeric characters required.

    Special Characters

    Specify the minimum and maximum number of special characters (such as * or @) required.

    Repeated Characters

    Specify the minimum and maximum number of repeated characters allowed.

    Unique Characters

    Specify the minimum number of unique characters required.

    Uppercase Characters

    Specify the minimum number of uppercase characters required.

    Lowercase Characters

    Specify the minimum number of lowercase characters required.

    Start with Character (not digit)

    Specify the first character required to start a password.

    Required Characters

    Specify characters that are required in a password.

    Allowed Characters

    Specify which characters are permitted in a password.

    Disallowed Characters

    Specify which characters are not permitted in a password.

    Disallowed as Password

    Enable (check) the Account Name box to prohibit the use of an account name in the password.


  6. Select the Privileged Accounts tab to review which accounts are currently using the Default Password Policy.

    Note:

    To specify a different Password Policy for any account listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Password Policy menu.

  7. When you are finished editing the policy, click Apply to save your changes.
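As an added example (not code from Oracle Privileged Account Manager or its documentation), the following Python checks a candidate password against the Password Complexity Rules listed in step 5 and generates a randomized value that satisfies them, which is the kind of value Oracle Privileged Account Manager sets when it resets a password. The policy fields, the violation codes, the rejection-sampling generator, and the rule that counts repeated characters as occurrences beyond the first appearance of each character are assumptions for illustration, not the product's data model or algorithm.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Hypothetical policy object mirroring the Password Complexity Rules tab.
    None means the rule is not enforced."""
    min_length: int = 8                    # Characters for Password (minimum)
    max_length: Optional[int] = 16         # Characters for Password (maximum)
    min_alpha: int = 0                     # Alphabetic Characters
    min_numeric: int = 0                   # Numeric Characters
    min_alphanumeric: int = 0              # Alphanumeric Characters
    min_special: int = 0                   # Special Characters (minimum)
    max_special: Optional[int] = None      # Special Characters (maximum)
    max_repeated: Optional[int] = None     # Repeated Characters (assumed: occurrences beyond the first)
    min_unique: int = 0                    # Unique Characters
    min_upper: int = 0                     # Uppercase Characters
    min_lower: int = 0                     # Lowercase Characters
    start_with_character: bool = False     # Start with Character (not digit)
    required_chars: str = ""               # Required Characters
    allowed_chars: Optional[str] = None    # Allowed Characters (None = any character)
    disallowed_chars: str = ""             # Disallowed Characters
    disallow_account_name: bool = True     # Disallowed as Password: Account Name


ALPHA = set(string.ascii_letters)
DIGITS = set(string.digits)


def check_password(pw: str, policy: PasswordPolicy, account_name: Optional[str] = None) -> List[str]:
    """Return the names of the violated rules; an empty list means the password is acceptable."""
    alpha = sum(c in ALPHA for c in pw)
    digits = sum(c in DIGITS for c in pw)
    special = len(pw) - alpha - digits          # anything that is not a letter or digit
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    unique = len(set(pw))
    v = []
    if len(pw) < policy.min_length: v.append("min_length")
    if policy.max_length is not None and len(pw) > policy.max_length: v.append("max_length")
    if alpha < policy.min_alpha: v.append("min_alpha")
    if digits < policy.min_numeric: v.append("min_numeric")
    if alpha + digits < policy.min_alphanumeric: v.append("min_alphanumeric")
    if special < policy.min_special: v.append("min_special")
    if policy.max_special is not None and special > policy.max_special: v.append("max_special")
    if policy.max_repeated is not None and len(pw) - unique > policy.max_repeated: v.append("max_repeated")
    if unique < policy.min_unique: v.append("min_unique")
    if upper < policy.min_upper: v.append("min_upper")
    if lower < policy.min_lower: v.append("min_lower")
    if policy.start_with_character and (not pw or pw[0] in DIGITS): v.append("start_with_character")
    if any(c not in pw for c in policy.required_chars): v.append("required_chars")
    if policy.allowed_chars is not None and any(c not in policy.allowed_chars for c in pw): v.append("allowed_chars")
    if any(c in policy.disallowed_chars for c in pw): v.append("disallowed_chars")
    if policy.disallow_account_name and account_name and account_name.lower() in pw.lower(): v.append("account_name")
    return v


def generate_password(policy: PasswordPolicy, account_name: Optional[str] = None, attempts: int = 1000) -> str:
    """Draw random passwords from the allowed alphabet until one satisfies the policy
    (rejection sampling, an assumed approach; the product's generator is not documented here)."""
    alphabet = policy.allowed_chars if policy.allowed_chars is not None else (
        string.ascii_letters + string.digits + string.punctuation)
    alphabet = [c for c in alphabet if c not in policy.disallowed_chars]
    length = policy.max_length if policy.max_length is not None else policy.min_length
    for _ in range(attempts):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, policy, account_name):
            return pw
    raise ValueError("no password satisfied the policy in %d attempts" % attempts)


# Constructed example policy (not the product's Default Password Policy values).
EXAMPLE_POLICY = PasswordPolicy(min_length=8, max_length=16, min_numeric=1, min_special=1,
                                min_upper=1, min_lower=1, start_with_character=True,
                                disallowed_chars=" ")

if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3", EXAMPLE_POLICY, "oracle"))   # []
    print(check_password("1oracle", EXAMPLE_POLICY, "oracle"))       # several violations
    pw = generate_password(EXAMPLE_POLICY, "oracle")
    print(pw, check_password(pw, EXAMPLE_POLICY, "oracle"))
```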

5.1.1.5 Modifying the Default Usage Policy

Use the following steps if you want to modify the Default Usage Policy, to better suit your environment.

Note:

Oracle recommends that you make a back-up copy of the default policies if you intend to modify them. You can use the export command as described in Section A.2.13, "export Command."

  1. Select Usage Policies from the Administration accordion.

  2. When the Usage Policies page displays, click Search to populate the Search Results table.

  3. Select the Default Usage Policy link in the Search Results table to open the Usage Policy: Default Usage Policy page.

  4. Select the General Fields tab to modify the Description.

    Note:

    You cannot edit the Policy Name or Policy Status values for this policy.

  5. Select the Usage Rules tab to change one or more of the following parameter settings:

    Parameter | Description

    Timezone

    Select a time zone from the menu to indicate when the policy will be applied.

    For example, if you set the time zone to GMT and the policy allows check-outs between 9am and 5pm, you can only check out between 9am and 5pm GMT, not 9am and 5pm PST.

    Permitted Usage Dates

    Use the Monday through Sunday checkboxes and the From and To drop menus to specify when grantees are allowed to use the account. Select one or more days of the week and the periods of time when grantees can access this account. (Default access is 24x7.)

    Expiration Dates

    Enable one of the following options to change when grantees' access to the account expires:

    • Automatically check in account. Use the counter to specify the number of minutes after the last check-out.

    • Automatically check in account on this date. Click the Calendar icon to open a Select Date and Time dialog.

      Use the month and year menus or click a day in the calendar to specify an expiration date.

      Use the hours, minutes, and seconds menus and enable the AM or PM buttons to specify an expiration time.

    Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts that have passed their specified expiration date and resets them as described in this section.

    The scheduler makes this check every 60 minutes by default (based on the policyenforcerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getglobalconfig and modifyglobalconfig command line options. For more information, refer to Section A.2.15, "getglobalconfig Command" and to Section A.2.21, "modifyglobalconfig Command."


    Note:

    If you are configuring a Usage Policy for a shared privileged account, it is prudent to configure an Automatic check-in option to ensure that the account gets checked in and the password gets cycled in a timely manner.

    In addition, consider limiting how many users can access the shared account and further segregate these users by specifying when they can access the account. By specifying which days of the week and what times of the day each user can access the account, you minimize overlapping checkouts and improve Oracle Privileged Account Manager's auditing ability.

    For more information about shared accounts, see Section 2.4.2, "Securing Shared Accounts."

  6. Select the Grantees tab to view the grantees to which this policy is assigned.

    Note:

    To specify a different Usage Policy for any grantee listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Usage Policy menu.

    Tip:

    Clicking the active links in the Grantee Name or Account Name columns enables you to navigate to other screens for additional information.

  7. When you are finished editing the policy, click Apply to save your changes.
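As an added example (not code from Oracle Privileged Account Manager or its documentation), the following Python models two behaviours this chapter describes: the grant precedence rule from Section 5.1.1.1 (a user grant wins over a group grant) and the Usage Rules parameters above (Timezone, Permitted Usage Dates, and the automatic check-in options), including the GMT versus PST case from the Timezone description and the lag introduced by the 60-minute policyenforcerinterval. The data classes, the fixed-offset zones, the account and grant names, and the scheduler helper are assumptions for illustration, not the product's data model.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Fixed-offset zones so the example runs without a tz database (assumption; the product
# offers a time zone menu). GMT/UTC and Pacific Standard Time (UTC-8).
GMT = timezone.utc
PST = timezone(timedelta(hours=-8), "PST")


@dataclass(frozen=True)
class UsagePolicy:
    name: str
    tz: timezone                                 # Timezone parameter
    days: FrozenSet[int]                         # Permitted Usage Dates: 0=Monday .. 6=Sunday
    start: time                                  # From
    end: time                                    # To
    auto_checkin_minutes: Optional[int] = None   # Automatically check in account (minutes after check-out)
    auto_checkin_at: Optional[datetime] = None   # Automatically check in account on this date


# Default access is 24x7, as the page states for the Default Usage Policy.
DEFAULT_USAGE_POLICY = UsagePolicy("Default Usage Policy", GMT, frozenset(range(7)),
                                   time(0, 0), time(23, 59, 59))


@dataclass
class Account:
    name: str
    user_grants: Dict[str, UsagePolicy]    # grantee user  -> Usage Policy assigned to that grant
    group_grants: Dict[str, UsagePolicy]   # grantee group -> Usage Policy assigned to that grant


def resolve_usage_policy(account: Account, user: str, groups: Iterable[str]) -> Optional[Tuple[str, UsagePolicy]]:
    """Precedence rule: a user grant is used first; otherwise the first granted group found."""
    if user in account.user_grants:
        return ("user:" + user, account.user_grants[user])
    for g in groups:   # with several granted groups, whichever is picked first wins
        if g in account.group_grants:
            return ("group:" + g, account.group_grants[g])
    return None        # no grant: the user cannot check out this account


def checkout_permitted(policy: UsagePolicy, when: datetime) -> bool:
    """Permitted Usage Dates are evaluated in the policy's time zone, not the requester's."""
    local = when.astimezone(policy.tz)
    return local.weekday() in policy.days and policy.start <= local.time() <= policy.end


def auto_checkin_deadline(policy: UsagePolicy, checkout_at: datetime) -> Optional[datetime]:
    """Instant at which the check-out expires; if both options are set, the earlier wins (assumption)."""
    candidates = []
    if policy.auto_checkin_minutes is not None:
        candidates.append(checkout_at + timedelta(minutes=policy.auto_checkin_minutes))
    if policy.auto_checkin_at is not None:
        candidates.append(policy.auto_checkin_at)
    return min(candidates) if candidates else None


def next_enforcement(deadline: datetime, scheduler_epoch: datetime, interval_minutes: int = 60) -> datetime:
    """First scheduler run at or after the deadline: the check-in actually happens up to one
    interval (policyenforcerinterval, default 60 minutes) after the deadline."""
    step = timedelta(minutes=interval_minutes)
    if deadline <= scheduler_epoch:
        return scheduler_epoch
    runs = -(-(deadline - scheduler_epoch) // step)   # ceiling division on timedeltas
    return scheduler_epoch + runs * step


# Constructed sample data: a business-hours policy in GMT and one account with two grants.
BUSINESS_HOURS = UsagePolicy("Business hours GMT", GMT, frozenset(range(5)),
                             time(9, 0), time(17, 0), auto_checkin_minutes=120)
ROOT_ON_DB1 = Account("root@db1", user_grants={"alice": BUSINESS_HOURS},
                      group_grants={"dba": DEFAULT_USAGE_POLICY})

if __name__ == "__main__":
    monday_10_gmt = datetime(2013, 3, 4, 10, 0, tzinfo=GMT)
    print(resolve_usage_policy(ROOT_ON_DB1, "alice", ["dba"])[0])          # user:alice
    print(checkout_permitted(BUSINESS_HOURS, monday_10_gmt))                # True
    print(checkout_permitted(BUSINESS_HOURS, datetime(2013, 3, 4, 10, 0, tzinfo=PST)))  # False: 18:00 GMT
    print(auto_checkin_deadline(BUSINESS_HOURS, monday_10_gmt))             # 12:00 GMT
```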

5.1.1.6 Creating a Password Policy

To create a Password Policy, use the following steps:

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page displays, click Create Password Policy at the top of the Search Results table.

    A new, Password Policy: Untitled page displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy is Active or Disabled.

      Making the policy Active puts that policy into effect for all of the associated accounts and grants.

      Disabling a policy applies the Default Password Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Policy Description (optional): Enter a descriptive statement about the new Password Policy.

    4. Password Lifecycle Rules: Configure these parameters to enable Oracle Privileged Account Manager to auto-generate and set a randomized account password under certain conditions, as described in step 4.

  4. Select the Password Complexity Rules tab to specify password complexity rules for this policy. Refer to the table provided in step 5 for a description of these parameter settings.

  5. Select the Privileged Accounts tab to assign the new policy to accounts or grantees. Refer to Section 5.1.1.8, "Assigning Policies" for detailed instructions.

    After assigning this Password Policy to privileged accounts, you can select the Privileged Accounts tab to review which accounts are currently using this policy.

  6. Click Save.

5.1.1.7 Creating a Usage Policy

To create a Usage Policy, use the following steps:

  1. Select Usage Policies from the Administration accordion.

  2. When the Policies page displays, click Create Usage Policy at the top of the Search Results table.

    A new, Usage Policy: Untitled page displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy status is Active or Disabled.

      Making the policy Active puts that policy into effect for the associated accounts and grants.

      Disabling a policy applies the Default Usage Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Description (optional): Enter a descriptive statement about the new Usage Policy.

  4. Select the Usage Rules tab to define rules for using a privileged account. Refer to the table provided in step 5 for a description of these parameter settings.

  5. Select the Grantees tab to assign the new policy to accounts or grantees. Refer to Section 5.1.1.8, "Assigning Policies" for detailed instructions.

    After assigning this policy, you can select the Grantees tab to review which users or groups are using this policy.

  6. Click Save.

5.1.1.8 Assigning Policies

As previously stated, when you add a new privileged account, the Default Password Policy and Default Usage Policy are automatically assigned to that account.

To assign a different Password Policy or Usage Policy, you must first create the policy as described in Section 5.1.1.6, "Creating a Password Policy" or in Section 5.1.1.7, "Creating a Usage Policy."

Note:

  • Administrators with the Security Administrator Admin Role can assign a Password Policy or a Usage Policy to an account. However, this role can only apply a Usage Policy at the account level.

  • Administrators with the User Manager Admin Role can assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

    The User Manager Admin Role cannot assign Password Policies.

5.1.1.8.1 Assigning Password Policies to Accounts

You can assign Password Policies to an account from the Accounts page, from the Targets page, or from the Policies page.

From the Accounts Page

To assign a Password Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search. For example, if you know the account is assigned to a UNIX target, select unix from the Target Type menu.

  2. When the Search Results display, click the account's Account Name link in the table to open the Account: AccountName page.

  3. On the General tab, select a different policy name from the Password Policy menu.

  4. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  5. Click Apply to finish assigning the policy to the selected account.

From the Targets Page

To assign a Password Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the account's Target Name link in the Search Results table to open the Target: TargetName page.

  3. Click the Privileged Accounts tab to view a list of the accounts currently managed on the target.

    Notice that the table lists the Password Policy that is currently assigned to each account.

  4. Locate the account in the Privileged Accounts table, and then click the Account Name link.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  7. Click Apply to finish assigning the policy to the selected account.

From the Policies Page

To assign a Password Policy from the Policies page,

  1. Locate the Password Policy that you want to assign to the account.

    1. Select Password Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Password Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. Locate the policy in the Search Results table, and then click the Policy Name link to open the Password Policy: PolicyName page.

  3. Select the Privileged Accounts tab.

  4. Locate the account and click the Account Name link to open the Account: AccountName page.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  7. Click Apply to finish assigning the policy to the selected account.

5.1.1.8.2 Assigning a Usage Policy to Users and Groups

When you add grantees to an account, as described in Section 5.1.4.2, "Granting Accounts to Users" or Section 5.1.4.3, "Granting Accounts to Groups," Oracle Privileged Account Manager adds the user or group name to the Users or Groups table on the Grants tab and automatically assigns the Default Usage Policy.

You can assign a different Usage Policy from the Accounts page or from the Usage Policies page.

Note:

When you create a new Usage Policy for an account, the new policy will not automatically be assigned to the existing grantees on that account. Oracle Privileged Account Manager allows you to assign customized policies to individual grantees, so you do not want the new policy to override those other policy assignments.

However, if you create a new policy for an account and then add new grantees, those (and future) grantees will automatically be associated with that policy because it has become the new default Usage Policy for the account.

From the Accounts Page

To assign a Usage Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. Click the account's Account Name link in the Search Results table to open the Account: AccountName page.

  3. Select the Grants tab.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to add your changes.

From the Targets Page

To assign a Usage Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the account's Target Name in the Search Results table to open that target.

  3. When the Target: TargetName page displays, click the Grants tab to view a list of the grantees currently granted access to that account.

    Notice that the table lists the Usage Policy that is currently assigned to each grantee.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to finish assigning the policy to the selected account.

From the Policies Page

To assign a Usage Policy from the Policies page,

  1. Locate the Usage Policy that you want to assign to the account.

    1. Select Usage Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Usage Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. When the search results display, locate the policy you want to assign in the Search Results table. Click the Policy Name link to open the Usage Policy: PolicyName page.

  3. Select the Grantees tab.

  4. Locate the user or group name in the Grantees table and then click that grantee's Account Name link to open the account.

  5. When the Account: AccountName page displays, click the Grants tab.

  6. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  7. Click Apply to add your changes.

5.1.1.9 Deleting Policies

To delete a policy, use the following steps:

  1. Locate and select the policy to be deleted.

  2. Click the Delete icon.

  3. When the Confirm Remove dialog displays, click the Remove button.

    The policy will be deleted. If any accounts were assigned to that policy, they will all revert to using the applicable Default Policy.

5.1.2 Working with Targets

This section describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.

Note:

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add, edit, or remove targets.

The topics in this section include:

5.1.2.1 What Are Targets?

A target is a software system that contains, uses, and relies on user, system, or application accounts.

You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.

When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.

Oracle Privileged Account Manager supports LDAP, UNIX, database, and lockbox target types.

A lockbox target provides password vault-like functionality in Oracle Privileged Account Manager. That is, it provides a secure mechanism for storing the passwords (or any kind of sensitive information) associated with privileged accounts in your deployment. This target type is different from the other, conventional Oracle Privileged Account Manager target types in the following ways:

  • Oracle Privileged Account Manager does not interact with lockbox target systems. There is no connectivity to, or operations performed against, these systems.

  • Oracle Privileged Account Manager does not manage the password lifecycle or reset passwords associated with accounts on lockbox targets.

  • Password modifications are handled out-of-band and updated in Oracle Privileged Account Manager as an administrative action. Therefore, Oracle Privileged Account Manager does not randomize the passwords; they are stored as given by the administrator.

A lockbox target may be preferable when you want to centrally store and securely grant privileged account passwords without having Oracle Privileged Account Manager automatically manage those accounts on the target systems. For example, you might want to control how and when the passwords on those target systems are modified, as opposed to allowing Oracle Privileged Account Manager to do so.

Additionally, a lockbox target may be useful when an appropriate ICF connector is unavailable for a specific target type, but you still want to manage access to that system through Oracle Privileged Account Manager.

5.1.2.2 Adding Targets to Oracle Privileged Account Manager

Note:

When adding a target of any Target Type, you must configure a service account (also called an unattended account) with privileges that enable that account to

  • Search for accounts on the target system

  • Modify the passwords of accounts on the target system

You must never use the same account as a service account and as a privileged account to be managed by Oracle Privileged Account Manager.

For additional information about service accounts, see the description for attended and unattended accounts in Section 1.2.1, "Features."

Use the following steps to add a target for Oracle Privileged Account Manager to manage:

  1. Log in to Oracle Privileged Account Manager.

  2. Select Targets from the Administration accordion to open the Targets page.

  3. Click Add, located in the Search Results table toolbar. A new Target: Untitled page displays with two tabs:

    • General. Contains two areas with parameters used to specify Basic Configuration and Advanced Configuration information for the target.

    • Privileged Accounts. Lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.

  4. On the General tab, use the Target Type menu to select a target type (ldap, unix, database, or lockbox), and then set the remaining configuration parameters.

    Note:

    When you set the target type, the Target: Untitled page refreshes and the configuration parameters change, based on your selection.

    The following sections describe the parameters for each target type:

    You must specify all of the required attributes (indicated by an asterisk * symbol).

  5. After setting the target configuration parameters, click Test to check the target's configuration.

    If the configuration is valid, a Test Succeeded message displays.

  6. Click Save to add your new target on the Oracle Privileged Account Manager server.

    Oracle Privileged Account Manager automatically assigns a Target GUID and you can view this read-only value at the bottom of the Basic Configuration parameters section.

You can now associate this target with a privileged account. For instructions, proceed to Section 5.1.3.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."

5.1.2.2.1 ldap Target Type Parameters

When you select the ldap target type, the following basic and advanced configuration parameters display:

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Host

Enter the host name of the target server.

TCP Port

Enter the TCP/IP port to use when communicating with the LDAP server.

You can use the up/down arrow icons to increment this value.

SSL

Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server.

Note: For SSL connectivity, you must import an SSL certificate to the J2EE container hosting Oracle Privileged Account Manager. For more information, see Section 7.1, "Configuring Oracle Privileged Account Manager to Communicate With Target Systems Over SSL."

Principal

Enter the distinguished name (DN) to use when authenticating to the LDAP server.

For example, cn=admin

Password

Enter the user's password.

Base Contexts

Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (|) to separate values.

Account User Name Attribute

Enter the attribute to be used as the account's user name. (Default is uid.)


These Advanced Configuration parameters are optional:

Parameter Name Description

Uid Attribute

Enter the name of the LDAP attribute that is mapped to the Uid attribute.

LDAP Filter for Retrieving Accounts

Enter an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes.

Password Attribute

Enter the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute.

Account Object Classes

Enter one or more object classes to use when creating new user objects in the LDAP tree.

Type each object class on its own line. Do not use commas or semicolons to separate entries.

Some object classes require that you specify them in their class hierarchy, using a pipe (|) to separate the values.
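
The value formats described for the ldap target (pipe-separated Base Contexts, one Account Object Class per line with pipe-separated hierarchies, and the rule that an empty LDAP Filter returns only accounts carrying all of the listed object classes) are easy to get subtly wrong in the Console. The following Python is an added illustration, not code from Oracle Privileged Account Manager or its ICF connector: it parses those formats, derives the effective account filter (my reading of the description, as an AND of the object classes, with RFC 4515 escaping of the values), and checks the required attributes before you click Test. The target values, DNs and host names are constructed.

```python
import re

# Constructed sample of an ldap target's Basic and Advanced Configuration
# values, as an administrator would type them into the Console.
# All names, DNs and the password placeholder are hypothetical.
SAMPLE_LDAP_TARGET = {
    "Target Name": "corp-ldap",
    "Host": "ldap.example.com",
    "TCP Port": "636",
    "SSL": True,
    "Principal": "cn=opam-svc,ou=service,dc=example,dc=com",
    "Password": "placeholder-not-a-real-secret",
    "Base Contexts": "ou=people,dc=example,dc=com|ou=admins,dc=example,dc=com",
    "Account User Name Attribute": "uid",
    # Advanced: one object class per line; a class hierarchy uses '|'.
    "Account Object Classes": "top|person|inetOrgPerson\nposixAccount",
    "LDAP Filter for Retrieving Accounts": "",
}

# Attributes marked with an asterisk in the Console (assumed set).
REQUIRED = ("Target Name", "Host", "TCP Port", "Principal", "Password",
            "Base Contexts", "Account User Name Attribute")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so an
    operator-entered object class cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def split_base_contexts(raw):
    """Base Contexts are pipe-separated starting points in the tree."""
    return [ctx.strip() for ctx in raw.split("|") if ctx.strip()]


def parse_object_classes(raw):
    """Account Object Classes: one class per line, a hierarchy given as a|b|c.
    Commas and semicolons are rejected, as the parameter description requires."""
    classes = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if "," in line or ";" in line:
            raise ValueError(
                "object classes go one per line, not comma/semicolon separated: %r" % line)
        classes.extend(part.strip() for part in line.split("|") if part.strip())
    return classes


def effective_account_filter(config):
    """Return the filter used to retrieve accounts: the explicit one if given,
    otherwise (my reading of the description) an AND of all object classes."""
    explicit = config.get("LDAP Filter for Retrieving Accounts", "").strip()
    if explicit:
        return explicit
    classes = parse_object_classes(config.get("Account Object Classes", ""))
    if not classes:
        return "(objectClass=*)"
    terms = "".join("(objectClass=%s)" % escape_filter_value(c) for c in classes)
    return terms if len(classes) == 1 else "(&%s)" % terms


def validate_ldap_target(config):
    """Checks an administrator would want before clicking Test or Save.
    Returns {'errors': [...], 'warnings': [...]}: errors mirror the
    required-attribute rule, warnings flag weaker-than-ideal choices."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not str(config.get(name, "")).strip():
            errors.append("required attribute missing: %s" % name)
    port = str(config.get("TCP Port", ""))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append("TCP Port must be an integer between 1 and 65535")
    if str(config.get("Base Contexts", "")).strip() and \
            not split_base_contexts(str(config["Base Contexts"])):
        errors.append("Base Contexts must contain at least one DN")
    if not config.get("SSL"):
        warnings.append("SSL disabled: the service account DN and password "
                        "would be sent to the LDAP server in clear text")
    try:
        parse_object_classes(config.get("Account Object Classes", ""))
    except ValueError as exc:
        errors.append(str(exc))
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(split_base_contexts(SAMPLE_LDAP_TARGET["Base Contexts"]))
    print(effective_account_filter(SAMPLE_LDAP_TARGET))
    print(validate_ldap_target(SAMPLE_LDAP_TARGET))
```

The escaping step is the part worth keeping in mind: anything typed into the Account Object Classes or filter fields ends up inside a search filter sent to the directory, so an unescaped `*` or `)` changes which entries the service account can see.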


5.1.2.2.2 unix Target Type Parameters

When you select the unix target type, the following basic and advanced configuration parameters display:

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Host

Enter the host name of the target server.

Port

Enter the port used to connect with the UNIX server. You can use the up/down arrow icons to increment this value.

Note: Only the SSH protocol is supported. The default port is 22.

Login User

Enter the user name to use when connecting to this target.

Login User Password

Enter the user's password.

Login Shell Prompt

Enter the shell prompt to display when you log in to the target.

For example, $ or #.

Sudo authorization

Enable this box if the user requires sudo authorization.

Do not enable this box for the root user.

Note: When using sudo authorization, the UNIX connector requires that certain conditions be met on the target system, such as a specific configuration in the sudoers file. For information about these conditions, refer to "Creating a Target System SUDO User Account for Connector Operations" in the Oracle Identity Manager Connector Guide for UNIX.


The following Advanced Configuration parameters are optional:

Parameter Name Description

Command timeout

Specify how long (in milliseconds) to wait for the command to complete before terminating that command.

Password Expect Expressions

Specify the expressions displayed on the target when setting the user's password. For example, if the Enter password and Re-enter password expressions are displayed when you run the passwd command, then the value for this field can be enter password,re-enter password.

Note: You can provide a regular expression here. Use a comma to separate the two expressions.

Pre-password expectExpression

When you run the passwd command on some targets, prompts can be displayed before the password prompts appear. Specify the prompt expression and the expected input value, using a comma to separate these values.

sudo password expectExpression

Specify the password prompt to be displayed when running a command in sudo mode. The default value is password.
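
The three expect parameters above describe a scripted dialogue with the target's passwd command, and the order in which the prompts are matched matters: the default sudo expression, password, also matches an "Enter password:" prompt. The following Python is an added model of that dialogue, not the UNIX connector's code: it parses the three parameter values as described, builds an ordered plan (sudo prompt, optional pre-password prompt, password prompt, confirmation prompt) and walks a transcript, answering each line that satisfies the next expected expression. The configurations and passwd transcripts are constructed; the reading of "expected input value" as the reply sent to the pre-password prompt is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class UnixTargetConfig:
    """Subset of the unix target parameters that drive the password change
    dialogue (field names follow the Console labels)."""
    login_user: str
    login_password: str
    sudo_authorization: bool
    password_expect: str = "enter password,re-enter password"
    pre_password_expect: str = ""          # "prompt expression,expected input"
    sudo_password_expect: str = "password"  # default given in the description


def parse_password_expect(value):
    """Two comma-separated (optionally regular) expressions: the first password
    prompt and the confirmation prompt."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(parts):
        raise ValueError("Password Expect Expressions needs exactly two comma-separated expressions")
    return [re.compile(p, re.IGNORECASE) for p in parts]


def parse_pre_password_expect(value):
    """'prompt expression,expected input value' or empty. Split only once so a
    comma inside the input value survives."""
    if not value.strip():
        return None
    parts = [p.strip() for p in value.split(",", 1)]
    if len(parts) != 2 or not parts[0]:
        raise ValueError("Pre-password expectExpression needs 'prompt,value'")
    return re.compile(parts[0], re.IGNORECASE), parts[1]


def build_expect_plan(cfg, new_password):
    """Ordered (pattern, reply, stage) list. The plan is consumed strictly in
    sequence because the default sudo expression 'password' would otherwise
    also match 'Enter password'."""
    plan = []
    if cfg.sudo_authorization:
        plan.append((re.compile(cfg.sudo_password_expect, re.IGNORECASE),
                     cfg.login_password, "sudo"))
    pre = parse_pre_password_expect(cfg.pre_password_expect)
    if pre:
        plan.append((pre[0], pre[1], "pre-password"))
    first, second = parse_password_expect(cfg.password_expect)
    plan.append((first, new_password, "new password"))
    plan.append((second, new_password, "confirm"))
    return plan


def drive_password_change(cfg, target_lines, new_password):
    """Walk the target's output one line at a time, replying to each line that
    satisfies the next expected expression. Lines that match nothing (banners,
    'Changing password for ...') are skipped. completed is True only when every
    stage was answered, so a missing prompt fails closed."""
    plan = build_expect_plan(cfg, new_password)
    stage, sent = 0, []
    for line in target_lines:
        if stage == len(plan):
            break
        pattern, reply, label = plan[stage]
        if pattern.search(line):
            sent.append((label, reply))
            stage += 1
    return {"sent": sent, "completed": stage == len(plan)}


# Constructed configurations and transcripts (not captured from a real system).
SUDO_CFG = UnixTargetConfig(login_user="opam_svc", login_password="svc-login-pw",
                            sudo_authorization=True)
SAMPLE_SUDO_SESSION = [
    "[sudo] password for opam_svc:",
    "Changing password for user oracle.",
    "Enter password:",
    "Re-enter password:",
    "passwd: all authentication tokens updated successfully.",
]
PRE_CFG = UnixTargetConfig(login_user="root", login_password="root-pw",
                           sudo_authorization=False,
                           password_expect="new password,retype new password",
                           pre_password_expect="continue.*\\[y/n\\],y")
SAMPLE_SESSION_WITH_PRE = [
    "Changing password for oracle.",
    "Password change requested. Do you want to continue? [y/n]",
    "New password:",
    "Retype new password:",
    "passwd: password updated successfully",
]

if __name__ == "__main__":
    for cfg, lines in ((SUDO_CFG, SAMPLE_SUDO_SESSION), (PRE_CFG, SAMPLE_SESSION_WITH_PRE)):
        result = drive_password_change(cfg, lines, "N3w-Secret!")
        # Never log the replies themselves; only which stages were answered.
        print([label for label, _ in result["sent"]], result["completed"])
```

When a prompt never appears (for example the transcript ends before the confirmation prompt), the driver reports the change as incomplete rather than assuming it succeeded; a connector that did otherwise would leave Oracle Privileged Account Manager holding a password the target never accepted.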


5.1.2.2.3 database Target Type Parameters

When you select the database target type, the following basic and advanced configuration parameters display:

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Host

Enter the host name of the target server.

Database Connection URL

Enter the JDBC URL used to identify the target system location.
For example, for an Oracle database: jdbc:oracle:thin:@<host>:<port>:<sid>

Note: Oracle Privileged Account Manager supports the Oracle, MSSQL, Sybase, and MySQL database types.

Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about which special options are supported.

Admin User Name

Enter the administrator's name to use when connecting to this target.

Note: If you are using the sys user name, you must enter internal_logon=sysdba in the Connection Properties field, which is located in the Advanced Configuration area. This entry is not required for "system."

Admin User Password

Enter the user's password.

Database Type

Select the type of database (Oracle, MSSQL, Sybase, or MySQL) for which the connector will be used.

If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy one of the following third-party jars:

  • For MSSQL: Copy the sqljdbc4.jar.

  • For MySQL: Copy the mysql-connector-java-5.1.20-bin.jar.

  • For Sybase: Copy the jconn4.jar.

You can use one of the following options to copy the jars:

Option 1: Copy these third-party jars to the WebLogic domain /lib directory, as described in "Adding JARs to the Domain /lib Directory" in Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.

Option 2: Modify the connector jars to include the third-party jars as follows:

  1. Make a back-up copy of the DBUM connector bundle, which is available in

    ORACLE_HOME/connectors/dbum/bundle/org.identityconnectors.dbum-1.0.1116.jar
    
    
  2. Create a temporary lib folder and put the third-party jars in that folder.

  3. Update the bundle with the third-party jar:

    jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
    
  4. Remove the temporary lib folder.

  5. Restart all Oracle Privileged Account Manager processes for the change to take effect.

For more information, refer to "Installing the Connector on the Connector Server" in the Oracle Identity Manager Connector Guide for Database User Management.


The following Advanced Configuration parameter is optional:

Parameter Name Description

Connection Properties

Enter connection properties to use while configuring a secured connection.

These properties must be name-value pairs given in the following format: prop1=val1#prop2=val2
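
The two free-text fields of a database target, the JDBC URL and the #-separated Connection Properties, are where the sys/internal_logon=sysdba rule from the Admin User Name description is enforced. The following Python is an added example, not Oracle Privileged Account Manager or DBUM connector code: it parses a jdbc:oracle:thin URL into host, port and SID, parses and re-serializes the name=value#name=value property string (rejecting malformed pairs and duplicates so a typo cannot silently drop a property), and applies the sys rule. The URL, host and property values are constructed samples.

```python
import re

# Constructed sample values, not from a real deployment.
SAMPLE_ORACLE_URL = "jdbc:oracle:thin:@db01.example.com:1521:ORCL"
SAMPLE_PROPERTIES = "internal_logon=sysdba#oracle.net.ssl_server_dn_match=true"

ORACLE_THIN_URL = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/@]+):(?P<port>\d{1,5}):(?P<sid>[^:/]+)$")


def parse_oracle_thin_url(url):
    """Split jdbc:oracle:thin:@<host>:<port>:<sid> into its parts, or raise."""
    m = ORACLE_THIN_URL.match(url.strip())
    if not m:
        raise ValueError("not a jdbc:oracle:thin:@<host>:<port>:<sid> URL: %r" % url)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {"host": m.group("host"), "port": port, "sid": m.group("sid")}


def parse_connection_properties(raw):
    """prop1=val1#prop2=val2 -> dict. Malformed pairs and duplicates raise so a
    typo does not silently drop a security-relevant property."""
    props = {}
    for pair in (raw or "").split("#"):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError("not a name=value pair: %r" % pair)
        name, value = (s.strip() for s in pair.split("=", 1))
        if not name:
            raise ValueError("empty property name in %r" % pair)
        if name in props:
            raise ValueError("duplicate property: %s" % name)
        props[name] = value
    return props


def format_connection_properties(props):
    """Inverse of parse_connection_properties, in the Console's format."""
    return "#".join("%s=%s" % (k, v) for k, v in props.items())


def check_admin_user(admin_user, raw_props):
    """Rule from the Admin User Name description: connecting as sys requires
    internal_logon=sysdba; system does not. Returns a list of problems."""
    props = parse_connection_properties(raw_props)
    problems = []
    if admin_user.strip().lower() == "sys" and \
            props.get("internal_logon", "").lower() != "sysdba":
        problems.append("Admin User Name 'sys' requires internal_logon=sysdba "
                        "in Connection Properties")
    return problems


if __name__ == "__main__":
    print(parse_oracle_thin_url(SAMPLE_ORACLE_URL))
    print(parse_connection_properties(SAMPLE_PROPERTIES))
    print(check_admin_user("sys", ""))
    print(check_admin_user("sys", SAMPLE_PROPERTIES))
```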


5.1.2.2.4 lockbox Target Type Parameters

When you select the lockbox target type, only the following basic configuration parameters display:

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Host

Enter the host name of the target server.


Note:

You can add configuration parameters to this list by editing the opam-config.xml file as described in Section 3.2.3, "Consuming ICF Connectors."

5.1.2.3 Searching for Targets

If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:

  • Target Name

  • Target Type (All, ldap, unix, database, or lockbox)

  • Host Name

  • Domain

  • Description

To search for a target,

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet parameters to configure your search.

    • For example, to search for a list of all LDAP targets, select ldap from the Target Type menu.

    • To search for all available targets, do not specify any search parameters.

  3. Click Search.

    Review your search results in the Search Results table.

5.1.2.4 Opening a Target

You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.

Use one of the following methods to open a target:

  • Click the Target Name (an active link) in the Search Results table.

  • Select the target's Row number and then click the Open icon.

The Target: TargetName page opens where you can access the target and privileged account information.

5.1.2.5 Managing a Target's Service Account Password

Oracle Privileged Account Manager provides two options for managing a target's service account passwords:

5.1.2.5.1 Showing the Service Account Password

If necessary, you can review the stored password for a target's service account by using the Show Password option, located above the Search Results table.

Note:

  • This command is not applicable for the lockbox target type and will return an "Operation not supported" error message.

  • If someone changes a target's service account password from a location other than the current Oracle Privileged Account Manager instance, such as from another Oracle Privileged Account Manager instance in a different domain, the Show Password feature cannot display the new password and connections to the target will fail.

    To resolve this situation, you must update the password in Oracle Privileged Account Manager by editing the target from the Console or from the command line.

  • For additional information about service accounts, see the description on page 1-4.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet to locate the target.

  3. Select the target row number and then click Show Password.

    The Show Current Password dialog displays and provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    • Current Password

    • Password Change Time

  4. When you are finished, click Close.

5.1.2.5.2 Resetting the Service Account Password

If necessary, you can manually reset the stored password for a target's service account by using the Reset Password option, located above the Search Results table.

Note:

  • This command is not applicable for the lockbox target type and will return an "Operation not supported" error message.

  • For additional information about service accounts, see the description on page 1-4.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet to locate the target.

  3. Select the target row number and then click Show Password.

    The Show Current Password dialog displays and provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    This dialog also contains two options for resetting the password:

    • New Password: Type a new password into the space provided.

    • Generate password automatically: Enable the checkbox to automatically generate a password, according to the account's Password Policy.

  4. Type a new password or enable the checkbox, and then click Reset.

5.1.2.6 Removing Targets from Oracle Privileged Account Manager

To remove a target, select the target from the Search Results table and then click the Remove icon.

WARNING:

When you remove a target, you also remove all information about the target that is stored in Oracle Privileged Account Manager (including privileged accounts).

Before removing a target, it is critical that you first capture all relevant information from that target. For example, save the Oracle Privileged Account Manager service account password and any current passwords that are associated with the privileged accounts on the target.

5.1.3 Working with Privileged Accounts

This section describes the different tasks you can perform when working with privileged accounts in Oracle Privileged Account Manager.

Note:

Administrators determine which accounts are privileged within a particular deployment, and they must configure Oracle Privileged Account Manager to manage those accounts.

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add and manage accounts.

The topics in this section include:

5.1.3.1 What is a Privileged Account?

An account on a target is considered privileged in a deployment when that account

  • Is associated with elevated privileges

  • Is used by multiple end-users on a task-by-task basis

  • Requires its usage to be controlled and audited

You cannot create accounts in, or delete accounts from, your environment by using Oracle Privileged Account Manager. Oracle Privileged Account Manager only manages existing accounts that were provisioned using other mechanisms.

When you "add" an account in Oracle Privileged Account Manager, you are creating a reference to that account. In effect, you are registering the account and asking Oracle Privileged Account Manager to manage it. When you "remove" the account from Oracle Privileged Account Manager, you are only removing the reference to that account.

Oracle Privileged Account Manager enables you to manage both system and application accounts, as described in the following Managing System Accounts and Managing Application Accounts sections.

5.1.3.1.1 Managing System Accounts

Oracle Privileged Account Manager's primary purpose is to manage privileged system accounts on a supported target system. Oracle Privileged Account Manager does not mandate what constitutes a privileged system account — it can manage any account on a target system. Administrators are responsible for identifying which accounts are privileged. A privileged account is typically a system account that allows a user to perform administration tasks.

Privileged accounts are suitable for management through Oracle Privileged Account Manager if they are used and shared by multiple individuals in the organization and administrators are required to track the use of these accounts.

Administrators perform the following steps to register an account as a privileged account to be managed by Oracle Privileged Account Manager:

  1. Add the target to Oracle Privileged Account Manager (if this has not already been done). See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for instructions.

  2. Add the identified privileged account to the target and assign a Password Policy. See Section 5.1.3.2, "Adding Privileged Accounts into Oracle Privileged Account Manager" and Section 5.1.1, "Working with Policies" for instructions.

  3. Grant access to end users directly or by using LDAP roles/groups and assign a Usage Policy. See Section 5.1.4.2, "Granting Accounts to Users" and Section 5.1.1, "Working with Policies" for instructions.

5.1.3.1.2 Managing Application Accounts

Applications use application accounts to connect to target systems at run time. Traditionally, administrators set up these accounts once during installation and then they are forgotten. Consequently, application accounts can potentially cause hidden vulnerabilities in your deployment. For example, passwords might become less secure over time because they were created using outdated policies or commonly used deployment passwords might be compromised.

Oracle Privileged Account Manager enables you to better manage application accounts. In particular, for applications that store their application accounts in the Credential Store. These applications consume the account credentials at run time from the Credential Store through the Credential Store Framework.

For example, because an application account is essentially a special version of a system account, you can register an application account in Oracle Privileged Account Manager as described in Section 5.1.3.1.1, "Managing System Accounts." You can then add the corresponding CSF mappings for every application that depends on that account, which is how CSF uniquely identifies a credential stored within CSF, and how an application finds its credential in CSF. For more information about CSF mapping, see "Guidelines for the Map Name" in the Oracle Fusion Middleware Application Security Guide.

If you register an account's CSF mappings with Oracle Privileged Account Manager, then every time the account's password changes, Oracle Privileged Account Manager can update the CSF entries that correspond to the registered mappings to reflect the new password and the applications continue to work without service interruption.

Note:

Oracle Privileged Account Manager updates, or synchronizes, CSF only when a password change occurs.

For more information about integrating Oracle Privileged Account Manager with CSF, refer to Section 8.3, "Integrating with the Credential Store Framework."

Additionally, you can apply a Password Policy to these applications that periodically cycles the account password. Cycling the password ensures that the application accounts are always compliant with the latest corporate policies and they remain secure. Oracle Privileged Account Manager performs this task with no service interruption.

Finally, it's useful to note that Oracle Privileged Account Manager can support an account as both a system account (shared and used by multiple end-users) and as an application account (only used by an application at run time) at the same time. In this configuration, a human end-user who's been granted access can "check-out" the application account to perform manual administrative operations as that application without disrupting application functionality.

5.1.3.1.3 Sharing Accounts

Oracle Privileged Account Manager enables you to specify whether an account is shared or not shared.

  • Shared accounts enable multiple users to check out the account at the same time.

  • Unshared accounts (Default) enable only one user to check out an account at a time.

Because unshared accounts are more secure, Oracle recommends that you designate an account as shared only if there are compelling business reasons to do so. If sharing is necessary, be sure to read Section 2.4.2, "Securing Shared Accounts."

Note:

If you configure a shared account, be aware that a user can still use the password after checking in the account. Oracle Privileged Account Manager does not reset the account password until the last user checks in the account.

This is a security limitation for shared accounts.
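
The limitation in the note above is easiest to see as a check-out/check-in state machine. The following Python is an added model, not Oracle Privileged Account Manager code: an account is either unshared (one reservation at a time) or shared (any number of grantees), and the password is rotated only when the last reservation is released. The scenario functions show that a grantee of a shared account who has already checked in still holds a working password until the last grantee checks in, and that an unshared account refuses the second check-out. Account and user names are constructed; the random password stands in for the Password Policy generator.

```python
import secrets
from dataclasses import dataclass, field


def new_random_password():
    """Stand-in for the Password Policy generator (constructed, not OPAM's)."""
    return secrets.token_urlsafe(16)


@dataclass
class PrivilegedAccount:
    name: str
    shared: bool = False                      # Unshared is the default
    password: str = field(default_factory=new_random_password)
    checked_out_by: set = field(default_factory=set)
    resets: int = 0

    def check_out(self, user):
        """Unshared: only one user at a time. Shared: any number of grantees,
        all of whom receive the same password."""
        if self.checked_out_by and not self.shared:
            raise RuntimeError("%s is already checked out by %s"
                               % (self.name, sorted(self.checked_out_by)))
        self.checked_out_by.add(user)
        return self.password

    def check_in(self, user):
        """The password is reset only when the LAST user checks in; until then
        every earlier user's copy keeps working. Returns True if a reset occurred."""
        if user not in self.checked_out_by:
            raise ValueError("%s does not have %s checked out" % (user, self.name))
        self.checked_out_by.remove(user)
        if self.checked_out_by:
            return False
        self.password = new_random_password()
        self.resets += 1
        return True

    def credential_valid(self, candidate):
        """Would this password still authenticate on the target?"""
        return secrets.compare_digest(candidate, self.password)


def shared_window_scenario():
    """Two grantees share an account; alice checks in first."""
    acct = PrivilegedAccount("app-db-admin", shared=True)
    pw_alice = acct.check_out("alice")
    pw_bob = acct.check_out("bob")
    reset_on_alice = acct.check_in("alice")
    alice_still_valid = acct.credential_valid(pw_alice)   # the limitation
    reset_on_bob = acct.check_in("bob")
    alice_valid_after_last = acct.credential_valid(pw_alice)
    return {
        "same_password": pw_alice == pw_bob,
        "reset_on_first_checkin": reset_on_alice,
        "valid_after_own_checkin": alice_still_valid,
        "reset_on_last_checkin": reset_on_bob,
        "valid_after_last_checkin": alice_valid_after_last,
    }


def unshared_scenario():
    """Unshared account: the second check-out is refused, and check-in resets."""
    acct = PrivilegedAccount("root-on-db01")
    pw = acct.check_out("alice")
    try:
        acct.check_out("bob")
        second_checkout_refused = False
    except RuntimeError:
        second_checkout_refused = True
    acct.check_in("alice")
    return {"second_checkout_refused": second_checkout_refused,
            "valid_after_checkin": acct.credential_valid(pw)}


if __name__ == "__main__":
    print(shared_window_scenario())
    print(unshared_scenario())
```

The window between a grantee's own check-in and the last check-in is the interval to keep short and audited when a shared account is unavoidable; the reservation list (the Current Reservations table in the Console) is what tells you how long that window is open.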

5.1.3.2 Adding Privileged Accounts into Oracle Privileged Account Manager

Note:

Accounts are always added to a target, so you must add a target object before you can add an account. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

Never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager.

To add a new privileged account

  1. Locate the target where you want to add the account.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Open the target by clicking the Target Name link in the Search Results table.

  3. When the Target: TargetName page displays, select the Privileged Accounts tab.

  4. Click Add in the table toolbar.

    The Account: Untitled page displays with three subtabs:

    • General: Use to specify information needed to add the account.

    • Grants: Use to associate users and groups (grantees) with the account.

    • Credential Store Framework: Use to add or remove Credential Store Framework (CSF) mappings for the account.

    Use these tabs and the instructions provided in the following sections to add an account:

  5. When you are finished, click Save.

5.1.3.2.1 Adding the Account

To add a new account you must complete the Step 1: Set Target and Step 2: Add Account sections on the General tab as follows:

  1. If the Target Name is undefined, click the search icon.

  2. When the Set Target dialog displays, enter a value in the Target Name field and click the Search button to locate the target where you want to add the account.

    For example, if you know the target name begins with "r," you can type an r into the Target Name field and click the Search button.

  3. When the search results display in the Search Results table, select (check) the Row box next to a target name and then click Set.

    The selected Target Name and its Target Type are displayed on the General tab.

  4. In the Step 2: Add Account section, if the Account Name is undefined, click the search icon.

  5. When the Set Account dialog displays, enter a value in the Account Name field and click the Search button to locate the account you want to add.

    For example, if you know the account name begins with "s," you can type an s into the Account Name field and click the Search button.

    Note:

    When you add privileged accounts to a lockbox target, a Password field is also displayed in the Console.

    Oracle Privileged Account Manager does not manage accounts on lockbox targets; therefore it cannot reset the passwords on those accounts. You must provide the password to be used when users check out those privileged accounts.

    For more information about lockbox targets, refer to Section 5.1.2.1, "What Are Targets?"

  6. When the search results display in the Search Results table, select (check) the Row box next to an account name and then click Set.

    Note:

    You must not add the target's service account as a privileged account to be managed by Oracle Privileged Account Manager.

    Note that the selected account is displayed as the Account Name on the General tab.

  7. Enable the Shared Account box to allow multiple users to check out this account at the same time.

  8. Specify a Password Policy.

    Note:

    Oracle Privileged Account Manager automatically assigns the Default Password Policy to new accounts. However, Oracle Privileged Account Manager administrators with the Security Administrator or the User Manager Admin Role can create new policies.

    You can leave the default policy set or choose a different policy from the Password Policy drop-down menu.

    For more information about policies, refer to Section 5.1.1, "Working with Policies."

  9. Click Test to confirm that the account can be managed by Oracle Privileged Account Manager with these settings.

    If the account configuration settings are valid, a Test Succeeded message displays.

You can now add grantees and CSF mappings to the account. Continue to the following sections for more information.

5.1.3.2.2 Adding Grantees

This section provides instructions for adding grantees to a privileged account.

Note:

  • You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to add, edit, or delete grantees.

  • Adding a new account does not automatically grant you access to that account. You must complete the process for adding yourself as a grantee.

  • Before adding grantees to an account, be sure to read Section 2.4.4, "Avoiding Assignments through Multiple Paths."

To associate users and groups with a new account, select the Grants tab and then complete the following steps:

  • To associate users, click Add from the Users table toolbar.

    1. In the Add Users dialog, enter a name into the User Name field and click the arrow icon to search for that user.

    2. When the search results display, select (check) each user you want to associate with this account.

    3. When you are finished adding users, click Add and then click Close.

      Oracle Privileged Account Manager adds those user names to the Users table on the Grants tab and automatically assigns the Default Usage Policy. You can assign a different policy by selecting it from the Usage Policy menu.

  • To associate groups, click Add from the Groups table toolbar.

    1. In the Add Group dialog, enter a name into the Group Name field and click the arrow icon to search for that group.

    2. When the search results display, select (check) each group you want to associate with this account.

    3. When you are finished adding groups, click Add and then click Close.

      Oracle Privileged Account Manager adds those group names to the Groups table on the Grants tab and automatically assigns the Default Usage Policy. You can assign a different policy by selecting it from the Usage Policy menu.

5.1.3.2.3 Adding CSF Mappings

Oracle Privileged Account Manager enables you to securely store and synchronize account credentials with the Oracle Credential Store Framework (CSF). This capability is useful for managing the lifecycle of application passwords stored in CSF.

When you configure CSF synchronization for an account, Oracle Privileged Account Manager changes the account password based on the assigned Usage Policy.

Note:

Oracle Privileged Account Manager updates, or synchronizes, CSF only when a password change occurs.

For more information about CSF and how Oracle Privileged Account Manager manages CSF credentials, refer to Section 8.3, "Integrating with the Credential Store Framework."

To add CSF mappings to an account, complete the following steps:

  1. Select the Account Name link in the Search Results table.

  2. When the Account: AccountName page displays, select the Credential Store Framework tab.

  3. Click Add.

    A new row displays in the table with empty fields in each column.

  4. Enter the following information into the empty fields:

    • Administration Server URL. Enter the server URL in this format, protocol://listen-address:listen-port

      For example, if you are using the https protocol and the SSL port is 7002, you would enter

      https://localhost:7002

    • Username and Password. Enter the login credentials of the Oracle WebLogic Server administrator.

      For example, weblogic/welcome1.

    • Mapping. Enter the Map name you created in CSF.

    • Key. Enter the unique Key you created in CSF.

  5. Click Add again to create another mapping. You can create as many CSF mappings as needed.

  6. When you are finished adding information, click Test to validate the mapping.

    A dialog displays with either a success message or an error message.

5.1.3.3 Searching for Privileged Accounts

You can search for accounts by using one or more of the following parameters:

  • Account Name

  • Target Type (All, ldap, unix, database, or lockbox)

  • Target Name

  • Domain

  • Description

To search for an account,

  1. Select Accounts in the Administration accordion.

  2. When the Accounts tab displays, use the Search portlet parameters to configure your search.

    • For example, to search for a list of all accounts on a particular target, enter the target name into the Target Name field.

    • To search for all available accounts, do not specify any search parameters.

  3. Click Search.

    Review your search results in the Search Results table.

    Note:

    You can use the Status menu, located above the Search Results table, to control the search results based on the account status. See the table in Section 3.4.6, "Working with a Search Results Table" for more information.

  4. To perform another search, click Reset.

5.1.3.4 Opening Privileged Accounts

You can open a privileged account to view or edit the configuration parameters for that account.

Use one of the following methods to open an account:

  • Click the Account Name (an active link) in the Search Results table.

  • Select the account Row number and then click Open Account.

The Account: AccountName page opens where you can access information about the associated target, general account parameters, users who have the account checked out, the grantees, and the CSF mapping.

5.1.3.5 Checking Out Privileged Accounts

Any administrator or end user can check out a privileged account if they have been granted access to that account. (See Section 5.1.4, "Working with Grantees" for more information.)

Note:

You must be an administrator with the Security Administration Admin Role to modify or remove an account.

Privileged accounts are not shared by default, which means when one user checks out the account, it becomes unavailable to other users and prevents conflicting actions. However, administrators can configure shared accounts, which enables multiple users to check out the account at the same time. (Refer to Section 5.1.3.1.3, "Sharing Accounts" for more information.)

The steps for checking out an account are as follows:

  1. Select My Accounts in the Administration accordion.

  2. On the My Accounts page, locate the account you want to check out in the Search Results table.

    • If the account is available for check out, the Account Status is Checked In and the Check Out button is displayed.

    • If the account is not available for check out, the Account Status is Checked Out and a More Info button is displayed.

      Click the More Info button for additional information.

    Figure 5-1 Account Available for Checkout (image not reproduced here)

    Note:

    To see who currently has the account checked out, select the account name. When the Account: AccountName page opens, check the Current Reservations table for a list of those users, the Checkout Date, and the Expiration Date.

  3. Click the Check Out button.

  4. The Check-Out Account dialog displays with the Account Name, Target Name, and a blank Comments field. Enter a comment if you choose to, and then click Checkout.

    A Check-Out Account - Success dialog displays. This dialog contains the account password, masked. To display the password in clear text, select the Show Password check box.

  5. Click Close to close the dialog and return to the Search Results table.

    • For an unshared account, the Account Status changes to Checked-Out, the Check Out button changes to a Check In button, and Oracle Privileged Account Manager lists the account on the My Checked-out Accounts page.

    • For a shared account, the Account Status remains Available, the Check Out button remains, and Oracle Privileged Account Manager lists the account on the My Checked-out Accounts page.

Note:

You can also use the Oracle Privileged Account Manager command line tool or the RESTful interface to check-out accounts.

5.1.3.6 Checking In Privileged Accounts

Any administrator or end user can check in their checked-out accounts. In addition, administrators with the User Manager Admin Role can force an account check-in when necessary.

Regular Check-In

The steps for checking in an account are as follows:

  1. Select My Checked-out Accounts on the Home accordion.

    The My Checked-out Accounts page displays with all of your checked-out accounts listed in the Search Results table.

  2. Select (check) the account(s) you want to check in.

  3. When the Check-in option located above the table becomes active, click the icon.

  4. When the Check-in Accounts dialog displays, click the Check In button.

    If the check-in is successful, Oracle Privileged Account Manager removes the account name(s) from the My Checked-out Accounts table and the account becomes Available for check-out again.

Forcing a Check-In

The steps for forcing an account check in are as follows:

  1. Select Accounts in the Administration accordion, and then search for the account as described in Section 5.1.3.3, "Searching for Privileged Accounts."

  2. Select (check) the account you want to check in.

  3. When the Force Check In option located above the table becomes active, click the icon.

    The Confirm Forced Check In dialog displays, asking you to confirm that you want to check in the account. Be aware that forcing the check-in ends every current reservation: all users who currently have the account checked out are logged out.

  4. To proceed, click the Check In button.

    If the check-in is successful, the account becomes Available for check-out again.

Note:

You can also use the Oracle Privileged Account Manager command line tool or the RESTful interface to check-in accounts.

5.1.3.7 Managing Account Passwords

Oracle Privileged Account Manager provides two options for managing account passwords:

Note:

You can also perform both password management actions by using the Oracle Privileged Account Manager command line tool. Refer to Section A.2.44, "showpassword Command" and Section A.2.31, "resetpassword Command" for instructions.

Oracle Privileged Account Manager audits both types of password management actions to keep track of password access.

5.1.3.7.1 Showing an Account Password

If necessary, you can view the password for an account that you have checked out by using the Show Password option, located above the Search Results table. For example, if you forget a password, you can use this feature to view the password again.

Any user can use Show Password to review the current password for an account they have checked out. However, users cannot access passwords after the account is checked back in, or view passwords for accounts checked out by other users. In these cases, clicking Show Password causes an error.

Note:

  • Administrators with the Security Administrator or User Manager Admin Role, who can access all system and target service accounts, can use this feature to view the current password for both checked-out and checked-in privileged accounts.

  • If someone changes a target's service account password from a location other than the current Oracle Privileged Account Manager instance, such as from another Oracle Privileged Account Manager instance in a different domain, the Show Password feature cannot display the new password and connections to the target will fail.

    To resolve this situation, you must update the password in Oracle Privileged Account Manager by editing the target through the Console or by using the command line.

To show an account password, use the following steps:

  1. Ensure that you have the privileged account checked out.

    Note:

    For most users, if they try to view the password for an account that has already been checked back in, an error will result.

    However, if you are an administrator with the Security Administrator or User Manager Admin Role, you can use this option to view the password for both checked-out and checked-in accounts.

  2. Select Accounts in the Administration accordion.

  3. When the Accounts tab displays, use the Search portlet to locate the account.

  4. Select the account row number and then click Show Password.

    The Current Password dialog displays and provides the following information:

    • Account Name

    • Password

  5. When you are finished click Close.

5.1.3.7.2 Resetting an Account Password

If necessary, you can manually reset the existing password for an account that you have checked out by using the Reset Password option.

If Security Administrators do not want to use randomized password generation, they can manually set a password of their choosing. For example, administrators might prefer to set a simple, easy-to-type password for one time use, such as during a system upgrade.

To reset an account password, use the following steps:

  1. Ensure that you have the privileged account checked out.

    Note:

    For most users, if they try resetting the password for an account that has already been checked back in, an error will result.

    However, if you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to reset a password for both checked out and checked-in accounts.

  2. Select Accounts in the Administration accordion.

  3. When the Accounts tab displays, use the Search portlet to locate the account.

  4. Select the account row number and then click Reset Password.

    The Reset Password dialog displays and provides the following information about the account password:

    • Account Name

    • Target Name

    This dialog also contains a New Password field.

  5. Type a password into the space provided and click Save.

    You can use a password string of your choosing. The string does not have to comply with the Oracle Privileged Account Manager Password Policy, because that policy governs randomized password generation only. Because no policy check is applied, a manually set password is only as strong as what you type, so it is best suited to the one-time use described above.

    A message displays with the name of the selected account and the new password.

5.1.3.8 Removing Privileged Accounts from Oracle Privileged Account Manager

You can remove a privileged account from Oracle Privileged Account Manager by using the Search Accounts page or the Targets page.

WARNING:

When you remove a privileged account, you remove all information about the account that is stored in Oracle Privileged Account Manager.

Before removing a privileged account, it is critical that you first capture all relevant information from that account. For example, save the current password associated with that privileged account.

From the Search Accounts Page

To remove an account from the Search Accounts page,

  1. Locate the account to remove.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. In the Search Results table, select the account to be removed, and then click Remove.

  3. When you are finished, click the Apply button located at the top of the page.

From the Target Page

To remove an account from a target,

  1. Locate the target from which you want to remove the account.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the target name in the Search Results table to open the target.

  3. Select the Privileged Accounts tab.

  4. In the Search Results table, select the account to be removed and then click Remove.

  5. When you are finished, click the Apply button located at the top of the page.

5.1.4 Working with Grantees

This section describes the different tasks you can perform when working with grantees in Oracle Privileged Account Manager.

Note:

You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to add, edit, or delete grantees.

The topics in this section are:

5.1.4.1 What Are Grantees?

Grantees are users or groups in the ID Store that have been granted access to a privileged account managed by an Oracle Privileged Account Manager administrator. Users cannot check out a privileged account unless they have been granted access to that account.

Oracle Privileged Account Manager evaluates grants in the following sequence:

  1. When a user tries to access and check out an account, Oracle Privileged Account Manager looks for a user grant for that user. If Oracle Privileged Account Manager finds a user grant, then the user is permitted to checkout the account based on that grant and its associated Usage Policy.

  2. If Oracle Privileged Account Manager does not find a user grant, it looks for group grants. A user can be a member of many groups. If Oracle Privileged Account Manager finds a group grant for any one of the user's groups, then the user is permitted to checkout the account based on that group grant and its associated Usage Policy.

  3. If the user is a member of multiple groups, and more than one of those groups has a group grant, Oracle Privileged Account Manager can pick any one of the matching group grants at runtime. Which of the matching group grants is used is not deterministic, so when those grants carry different Usage Policies the policy that applies to the checkout is not predictable.

  4. If Oracle Privileged Account Manager cannot find a user grant or a group grant, then the user is denied access.
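The following Python model is an added example, not code from the Oracle documentation or from the product: it implements the grant evaluation order listed above, the check-out and check-in behaviour for shared and unshared accounts from Sections 5.1.3.5 and 5.1.3.6 (including forced check-in), and the Show Password rule from Section 5.1.3.7.1. The role names, policy names, account names and users are constructed for the example; the non-deterministic choice among several matching group grants is modelled as a random pick, and candidate_policies() is an audit check that flags users whose effective Usage Policy would be decided that way.

```python
# Added example, not from the Oracle documentation: a model of the grant
# evaluation order above, of check-out/check-in for shared and unshared
# accounts (Sections 5.1.3.5 and 5.1.3.6) and of the Show Password rule
# (Section 5.1.3.7.1). Role and policy names and all data are constructed.
from dataclasses import dataclass, field
import random

SECURITY_ADMINISTRATOR = "Security Administrator"   # Admin Role names as used in the text
USER_MANAGER = "User Manager"
DEFAULT_USAGE_POLICY = "Default Usage Policy"

@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    admin_roles: frozenset = frozenset()

@dataclass
class Account:
    name: str
    shared: bool = False
    user_grants: dict = field(default_factory=dict)   # user name -> Usage Policy
    group_grants: dict = field(default_factory=dict)  # group name -> Usage Policy
    reservations: set = field(default_factory=set)    # users who have it checked out

def resolve_grant(account, user, rng=random):
    """(source, Usage Policy) or None: a user grant wins; otherwise any one
    matching group grant, chosen non-deterministically when several match."""
    if user.name in account.user_grants:
        return "user", account.user_grants[user.name]
    matches = sorted(g for g in user.groups if g in account.group_grants)
    if not matches:
        return None
    chosen = rng.choice(matches)   # the product does not define which one is used
    return "group:" + chosen, account.group_grants[chosen]

def candidate_policies(account, user):
    """Audit check for multiple-path assignments: every Usage Policy the user
    could end up with. More than one means the runtime decides, not the admin."""
    if user.name in account.user_grants:
        return {account.user_grants[user.name]}
    return {account.group_grants[g] for g in user.groups if g in account.group_grants}

def check_out(account, user):
    """'Checked Out', 'No Grant', or 'Unavailable' (unshared, held by another user)."""
    if resolve_grant(account, user) is None:
        return "No Grant"
    if not account.shared and account.reservations - {user.name}:
        return "Unavailable"
    account.reservations.add(user.name)
    return "Checked Out"

def check_in(account, user):
    """Regular check-in releases only the caller's own reservation."""
    if user.name not in account.reservations:
        return False
    account.reservations.discard(user.name)
    return True

def force_check_in(account, admin):
    """User Manager Admin Role required; ends every reservation and returns the
    users who were logged out, or None if the caller lacks the role."""
    if USER_MANAGER not in admin.admin_roles:
        return None
    evicted = sorted(account.reservations)
    account.reservations.clear()
    return evicted

def can_show_password(account, user):
    """Own checked-out accounts only, unless the caller holds the Security
    Administrator or User Manager Admin Role."""
    if user.admin_roles & {SECURITY_ADMINISTRATOR, USER_MANAGER}:
        return True
    return user.name in account.reservations

def account_status(account):
    """Console Account Status column; a shared account always reads Available."""
    if account.shared:
        return "Available"
    return "Checked Out" if account.reservations else "Checked In"

def sample():
    """Constructed data: an unshared root account with one user grant and two
    overlapping group grants, plus a shared service account."""
    return {
        "root": Account("root@db01", user_grants={"alice": "Strict Policy"},
                        group_grants={"dba": DEFAULT_USAGE_POLICY, "oncall": "Strict Policy"}),
        "svc": Account("svc_backup", shared=True, group_grants={"backup_ops": DEFAULT_USAGE_POLICY}),
        "alice": User("alice", frozenset({"dba", "oncall"})),
        "bob": User("bob", frozenset({"dba", "oncall"})),   # two matching group grants
        "carol": User("carol", frozenset({"backup_ops"})),
        "dave": User("dave", frozenset({"backup_ops"})),
        "eve": User("eve"),                                 # no grant at all
        "um_admin": User("um_admin", admin_roles=frozenset({USER_MANAGER})),
    }

if __name__ == "__main__":
    d = sample()
    print("bob could get any of:", candidate_policies(d["root"], d["bob"]))
    print(check_out(d["root"], d["alice"]), check_out(d["root"], d["bob"]), account_status(d["root"]))
    print("forced:", force_check_in(d["root"], d["um_admin"]), account_status(d["root"]))
```

Run the module directly to see bob flagged by the audit check: bob has no user grant and belongs to two groups whose grants carry different Usage Policies, which is exactly the multiple-path situation the Note below warns about. Adding a user grant for bob pins his policy, because step 1 of the evaluation order short-circuits the group lookup.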

Note:

Before granting privileged accounts to users or groups, be sure to read, Section 2.4.4, "Avoiding Assignments through Multiple Paths."

5.1.4.2 Granting Accounts to Users

Use the following steps to grant a user access to a privileged account:

  1. Locate the account where you want to grant access.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. Select that account name in the Search Results table.

    The General, Grants, and Credential Store Framework tabs display.

  3. Select the Grants tab.

    If any users are already associated with this account, their names are listed in the table in the Users area.

  4. Click Add to open the Add Users dialog.

  5. In the Add Users dialog, enter all or part of a user name and then click the arrow icon to browse for the user name to add.

    For example, to grant access to the sec_admin user, you can type sec into this field and the search results will include any existing user name containing those letters.

  6. Select (check) one or more user names, and then click Add to make them grantees.

  7. Click Close to close the dialog.

    The new user's name displays in the Users table.

Note:

At this point, the Default Usage Policy is automatically assigned to the user. However, you can use the Usage Policy menu to select a different policy for that user.

5.1.4.3 Granting Accounts to Groups

Use the following steps to grant a group access to a privileged account:

  1. Locate the account where you want to grant access.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. Select the account name in the Search Results table.

    The General, Grants, and Credential Store Framework tabs display.

  3. Select the Grants tab.

    If any groups are already associated with this account, their names are listed in the table in the Groups area.

  4. Click Add to open the Add Groups dialog.

  5. In the Add Groups dialog, enter all or part of a group name and then click the arrow icon to browse for the group name to add.

    For example, to grant access to the OPAM_USER_MANAGER group, you can type opam into this field and the search results will include any existing group names containing those letters.

  6. Select (check) one or more group names, and then click Add to make them grantees.

  7. Click Close to close the dialog.

    The new group name displays in the Groups table.

Note:

At this point, the Default Usage Policy is automatically assigned to the group. However, you can use the Usage Policy menu to select a different policy for that group.

5.1.4.4 Searching for Grantees

If you have administrator privileges, you can search for grantees by using the following steps:

  1. Select User Grantees or Group Grantees in the Administration accordion.

  2. When the User Grantees or the Group Grantees tab displays, use the Search portlet to configure your search.

    • To search for a particular grantee, enter the name into the User Name or Group Name field. For example, to search for the OPAM_USER_MANAGER group, enter opam into the Group Name field.

    • To search for all available grantees, do not specify any search parameters.

  3. Click Search.

    Review your search results in the Search Results table.

  4. To perform another search, click Reset.

5.1.4.5 Opening a Grantee

You can open a grantee to view information about that user or group grantee.

Use one of the following methods to open a grantee from the Grants tab:

  • Click the User Name or the Group Name (an active link) in the Search Results table.

  • Select the user or group Row number and then click the Open icon.

The User: UserName or the Group: GroupName page opens where you can review the information about that grantee and the privileged accounts for which they are granted access.

5.1.4.6 Removing Grantees from an Account

To remove one or more grantees from an account

  1. Open the account and select the Grants tab.

  2. Select the user or group Row number in the Search Results table.

  3. Click the Remove icon.

  4. When you are prompted to confirm the removal, click the Remove button to continue, (or Cancel to terminate the operation).

    The prompt closes and the user or group is removed from the table.

5.1.5 Working with Reports

Oracle Privileged Account Manager reports are real-time reports that provide information about the current status of accounts and targets being managed by Oracle Privileged Account Manager.

Note:

You must be an Oracle Privileged Account Manager administrator with the Security Auditor Admin Role to open and review Oracle Privileged Account Manager reports.

The topics in this section include:

To view a report, expand the Reports accordion and click a Report link. The report information is displayed in the Reports page on the right.

5.1.5.1 Working with Deployment Reports

Select the Deployment Reports link to view information about how targets and privileged accounts are currently deployed.

Information about the deployment is organized into the following portlets:

  • Target and Accounts Deployment table. Provides a list of targets, including their target type and host names. Expand the arrow icon next to a target name to view the accounts associated with that target.

    Tip:

    You can click a link in the Target/Account column to open the configuration page for that target or account.

  • Target Distribution. This portlet illustrates how targets are distributed within your deployment.

  • Account Distribution. This portlet illustrates how accounts are distributed within your deployment, by Organization.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, use the Show menu to view all targets or filter the results to view a particular target. You can use the Filter menu to view the target and account distribution in bar chart, pie chart or tabular format.

5.1.5.2 Working with Usage Reports

Select the Usage Report link to view information about how privileged accounts are currently being used in your deployment.

This usage information is organized into the following portlets:

  • Account Usage. This portlet provides a list of targets, the target types, host names, and the last checked out date. Expand the arrow icon next to a target name to view the accounts associated with that target.

  • Checked Out Accounts. This portlet illustrates which targets are checked out within your deployment.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, select Show to view just currently checked out accounts or accounts that were checked out in the last hour, day, or week. You can use the Filter menu to view the report information as a bar chart, pie chart, or in tabular format.

5.1.5.3 Working with Failure Reports

The Failure Report provides information about the current state of target and account failures.

Information about target or account failures is organized into the following portlets:

  • Targets and Accounts Failures. This portlet provides a list of targets, the target status, last error message, and the last failure date. Expand the arrow icon next to a target to view the accounts associated with that target.

  • Target Failures. This portlet illustrates the target failures within your deployment.

  • Account Failures. This portlet illustrates the account failures within your deployment.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, select Show to view the errors that occurred during the last 24 or 48 hours, the last week, or the last 30 days. You can use the Filter menu to view the report information as a bar chart, pie chart, or in tabular format.

5.1.6 Rebranding Oracle Privileged Account Manager

If necessary, you can rebrand the Login and Oracle Privileged Account Manager pages. The following topics contain instructions for changing the page title, branding text, and logo image on these pages:

Tip:

Create a back-up copy before you modify any files.

5.1.6.1 Customizing the Login Page

You configure branding changes for the Login page in the oinav.ear/oiNavApp-war.war/SignIn.jspx file.

Login Page Title

To change the Login page title, modify the title in af:document "#{signinBean.signInTitle}".

Refer to the following code sample:

<af:document id="d1" title="#{signinBean.signInTitle}" theme="dark"
             initialFocusId="pt1:_pt_it1">

Login Page Branding Text

To change the branding text on the Login page, modify the value of af:outputText "#{signinBean.title}", which is defined in the branding facet.

Refer to the following code sample:

<f:facet name="branding">
  <af:outputText value="#{signinBean.title}" id="ot1"/>
</f:facet>

Login Page Logo Image

To change the logo image on the Login page, perform these steps:

  1. Copy the new image, for example newlogo.png, into the following directory:

    oinav.ear/oiNavApp-war.war/images
    
  2. To skip the default logo, add the following line to the oinav.ear/oiNavApp-war.war/SignIn.jspx file:

    <f:attribute name="brandingLogoCls" value=""/>
    
  3. If the new logo's image size is larger than the default size 30, add the following line to adjust the header size:

    <f:attribute name="globalBrandingSize" value="60"/>
    
  4. Modify the branding facet by replacing newlogo.png, newlogo mouse over text, and new branding text.

    Refer to the following code sample:

    <f:facet name="branding">
      <af:panelGroupLayout layout="horizontal">
        <af:image source="/images/newlogo.png" shortDesc="newlogo mouse over text" id="im1"/>
        <af:spacer width="5"/>
        <af:outputText value="new branding text" id="ot1"/>
      </af:panelGroupLayout>
    </f:facet>
    

5.1.6.2 Customizing the Oracle Privileged Account Manager Page

You configure branding changes for the Oracle Privileged Account Manager page in the oinav.ear/oiNavApp-war.war/opam.jspx file.

Oracle Privileged Account Manager Page Title

To change the page title on the Oracle Privileged Account Manager page, modify the title in af:document "#{resBundle.PRODUCT_OPAM}"

Refer to the following code sample:

<af:document title="#{resBundle.PRODUCT_OPAM}" id="d1" theme="contentBody">

Oracle Privileged Account Manager Branding Text

To change the branding text on the Oracle Privileged Account Manager page, modify the value of af:outputText "#{resBundle.OPAM_PRODUCT_TITLE}", which is defined in the branding facet.

Refer to the following code sample:

<f:facet name="branding">
  <af:outputText value="#{resBundle.OPAM_PRODUCT_TITLE}" id="ot1"/>
</f:facet>

Oracle Privileged Account Manager Page Logo Image

To change the logo image on the Oracle Privileged Account Manager page, perform these steps:

  1. Copy the new image, for example newlogo.png, into the following directory:

    oinav.ear/oiNavApp-war.war/images
    
  2. To skip the default logo, add the following line to the oinav.ear/oiNavApp-war.war/opam.jspx file:

    <f:attribute name="brandingLogoCls" value=""/>
    
  3. If the new logo's image size is larger than the default size 30, add the following line to adjust the header size:

    <f:attribute name="globalHeaderSize" value="30"/>
    
  4. Modify the branding facet by replacing newlogo.png, newlogo mouse over text, and new branding text.

    Refer to the following code sample:

    <f:facet name="branding">
      <af:panelGroupLayout layout="horizontal">
        <af:image source="/images/newlogo.png" shortDesc="newlogo mouse over text" id="im1"/>
        <af:spacer width="5"/>
        <af:outputText value="new branding text" id="ot1"/>
      </af:panelGroupLayout>
    </f:facet>
    

5.2 Working with Self-Service

This section provides instructions for self-service users working with Oracle Privileged Account Manager.

The topics include:

5.2.1 Self-Service Workflow

This section describes the basic workflow for self-service users:

  1. Viewing your accounts

  2. Searching for an account

  3. Checking out the account

  4. Viewing checked-out accounts

  5. Checking in accounts

5.2.2 Viewing Your Accounts

To view a list of all the accounts for which you are currently a grantee, select My Accounts on the Home accordion and then click Search.

The My Accounts page is refreshed and lists all of your accounts in the Search Results table. From this page you can

  • View the account status, the associated target name, target type, and domain.

  • Open an account to review the associated target, account, and Password Policy information. You can also view a list of users who currently have the account checked out.

  • Check out and check in accounts.

  • Filter the list of accounts displayed in the table to view all of your accounts (default), just your Checked-in accounts, or just your Checked-out accounts.

  • Search your accounts.

5.2.3 Searching for Accounts

You can search for an account by following the instructions provided in Section 5.1.3.3, "Searching for Privileged Accounts."

5.2.4 Checking Accounts Out and In

To check out a privileged account granted to you, see Section 5.1.3.5, "Checking Out Privileged Accounts."

To check an account back in again, follow the instructions provided in Section 5.1.3.6, "Checking In Privileged Accounts."

5.2.5 Viewing Your Checked-Out Accounts

To view a listing of all accounts you currently have checked-out, select My Checked-out Accounts on the Home accordion.

The My Checked-out Accounts page displays with all of your checked-out accounts listed in the Search Results table.

5.2.6 Viewing a Password

You can use the Show Password option, located above the Search Results table on both the My Accounts page and the My Checked-out Accounts page, to view the password for a selected account that you have checked out.

Select the account name, and then click Show Password. The Current Password dialog displays with the Account Name and Password. When you are finished, click Close.

5.3 Moving from a Test Environment to a Production Environment

For information about moving Oracle Fusion Middleware components from one environment to another, see "Moving from a Test to a Production Environment" in Oracle Fusion Middleware Administrator's Guide.

For information about moving Identity Management components, including Oracle Privileged Account Manager, from a test environment to a production environment, see "Moving Identity Management Components to a Target Environment" in Oracle Fusion Middleware Administrator's Guide.