Checking out account passwords
When you add accounts to the Privileged Access Service, you store the passwords for those accounts securely in a local repository, in the Privileged Access Service, or in an external key management appliance.
If you have the Checkout permission, you can check out the password for a stored account to use it for access to a system, domain, or database. When you check out a password, you choose whether to display or copy it to the clipboard for use. The password remains checked out until either you check it back in or the Privileged Access Service checks it automatically.
The maximum length of time you are allowed to keep a password checked out is configured using a system, domain, database, or account policy. However, you can extend the checkout time for a password that is currently checked out, if needed. For more information about extending the checkout time, see Extending the password checkout time.
To check out an account password:
- In the Admin Portal, click Resources, then click Accounts to display the list of accounts.
You can check out an account password from any list of accounts. For example, the action is available if you are viewing the list of accounts for any specific system, domain, or database. Selecting Accounts is simply the most direct path to performing this task.
Type a search string or select a filter to display local accounts, domain accounts, or database accounts.
Select an account to display the account details.
Click Permissions to verify you have the Checkout permission.
You must have the Grant permission to verify permission settings. If you are a member of the System Administrator role, your user account has this permission by default.
Click the Actions menu, then click Checkout or Request Checkout.
If the account is configured to require the approval of a designated user or role, click Request Checkout to request access from the designated user or role. If your request is approved, you have limited period of time to check out the account password. For more information about the “request and approval” work flow, see Managing access requests.
For more information about the “request and approval” work flow, see Enabling request and approval workflow and Managing access requests.
Click Show Password to view the password for the selected account as plain text or click Copy Password to copy the password without viewing it.
Depending on how authentication rules and authentication profiles are configured, you might be required to respond to one or more authentication challenges before viewing or copying the stored password. If you are able to authenticate successfully, the checkout proceeds.
Password checkouts are recorded as recent activity in the dashboard, in your workspace, and in the list of system, domain, or database activity.
After you take the appropriate action on the remote computer, close the session to log off and check in the password. You can check in the password from any location where the account you have checked out is visible. For more information about checking in a password, see Logging on without a password.