Adding privileged accounts and passwords

If you have existing scripts that access protected systems or privileged accounts, you might have existing local account profiles defined in the /etc/passwd file for which you want to manage passwords. If you have an existing local account, you can use the csetaccount command interactively or in a script to add the local account and corresponding password to the Privileged Access Service.

For example, you can type the following command to set the password interactively for the local root account and add the password for the account to the Privileged Access Service:

csetaccount root

This command prompts you for the account password, then stores the account name and password as an unmanaged password in the Privileged Access Service.

To protect the passwords for accounts with privileged access, you can have the passwords managed by the Privileged Access Service. For example, you might have a local administrative account named myoracle that requires access to the root account on a remote computer.

If you want the Privileged Access Service to manage the password for the myoracle account, you can add the account by running the following command interactively or in a script:

csetaccount --managed true myoracle

If you type the correct password for the account, the account is added to the Privileged Access Service and a new randomly-generated password is set. You can verify the new account is listed for the system in the Admin Portal.

If you view details for the account, you can confirm the account password is managed by the Privileged Access Service.

Integrating with other Privileged Access Services

If you don't already have local accounts for running services and scripts, you can create them using a program such as useradd, or by using Access Manager, adedit, or the Access Module for PowerShell if your organization uses additional Privileged Access Services. If you use Privileged Access Services for privilege elevation, you can also define command rights and roles for users who have access to privileged account passwords.

For an example that illustrates how to use client commands in a notification script to set randomly-generated passwords for local accounts, then store those passwords in the Privileged Access Service, see the sample script in the /usr/share/centrifycc/samples/localacctmgmt directory.
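The following script is an added illustration of the pattern described above (set a random password on an existing local account, then hand the account to the Privileged Access Service with csetaccount --managed true); it is not the vendor's sample script from the samples directory. It assumes csetaccount is on PATH and, because the page only documents the interactive prompt, it assumes the command accepts the password on stdin when run from a script; set DRY_RUN=1 to see what would run without changing anything.

```shell
#!/bin/sh
# Added example, not the product's own sample script.
# Assumptions: csetaccount is on PATH and reads the account password from
# stdin when it is not attached to a terminal (the page documents only the
# interactive prompt). DRY_RUN=1 prints the steps instead of executing them.
export LC_ALL=C

# Return 0 if the named account is defined in the local /etc/passwd.
local_account_exists() {
    grep -q "^$1:" /etc/passwd
}

# Generate a random password of the requested length (default 24) from
# /dev/urandom, limited to [A-Za-z0-9], and retry until it contains at least
# one upper-case letter, one lower-case letter and one digit.
gen_password() {
    len="${1:-24}"
    while :; do
        pw=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len")
        echo "$pw" | grep -q '[A-Z]' && echo "$pw" | grep -q '[a-z]' &&
            echo "$pw" | grep -q '[0-9]' && { printf '%s\n' "$pw"; return 0; }
    done
}

# Set a fresh random password on an existing local account, then register the
# account as managed so the Privileged Access Service rotates it from now on.
# The password only ever travels through pipes, never as a command-line
# argument, so it is not visible to other users via the process list.
register_managed_account() {
    user="$1"
    local_account_exists "$user" || { echo "no local account: $user" >&2; return 1; }
    pw=$(gen_password 24)
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: chpasswd for $user; csetaccount --managed true $user"
        return 0
    fi
    printf '%s:%s\n' "$user" "$pw" | chpasswd || return 1
    printf '%s\n' "$pw" | csetaccount --managed true "$user"
}
```

After csetaccount succeeds the local password is replaced again by the service's own randomly generated one, so the value produced here is only a bootstrap credential.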

Selecting the password storage location

Passwords can be stored securely in the Privileged Access Service or in a key management appliance such as SafeNet KeySecure. However, configuring the password storage location is done separately from adding passwords to the Privileged Access Service. For information about configuring the password storage location, see Managing password storage.