Checking out managed account passwords

If you are authorized to check out passwords, you can retrieve the password for an account to enable you to log on to a target system. After you retrieve the password, it can remain checked out for a configurable period of time. What happens at the end of the allowed checkout period depends on whether the account password is managed by the Privileged Access Service or unmanaged.

If the password is a managed account password:

  • The password you retrieved expires at the end of the checkout period and Privileged Access Service automatically generates a new password for the account.
  • If you check in the password before the end of the checkout period, the check-in process also automatically generates a new password for the account.
  • After each password rotation, users can check out the new password.

    Note:   Password rotation ends existing password checkouts. This means any outstanding checkouts of the password are checked back in.

  • You can use policies to configure the maximum number of minutes a password can be checked out and whether multiple administrators can have a password checked out at the same time.

    Note:   If Workflow is enabled on the user's account, and the user requests permission using Request Checkout, the password can be checked out only during the time period specified by the admin, for example between 1pm and 2pm. The checkout duration is adjusted to ensure the password is checked back in by the end of that time period (2pm in this example).

  • You can also extend the password checkout time for a currently checked out password if you need more time to complete your work. With a managed account password, however, the only valid password is the one known and updated by the Privileged Access Service.