Account types

Accounts are associated with targets, and therefore account policies:

  • Also appear grouped by target type.
  • Can, for some policies, be overridden per target.

The account policy types are:

  • Checkout lifetime
  • Password checkout challenge rules
  • Secret access key checkout challenge rules
  • Enable periodic password rotation
  • Password complexity profile
  • Domain administrative account

Checkout lifetime

The maximum number of minutes administrators are allowed to have a password checked out. After the specified number of minutes, Centrify PAS automatically checks the password back in. The minimum checkout lifetime is 15 minutes. If the policy is not defined, the default checkout lifetime is 60 minutes.

You can extend the checkout time for a password as long as you do so before the initial checkout period expires. For example, if the maximum checkout lifetime is 60 minutes and you extend the checkout time before the 60 minute period is over, the password expiration is reset to the 60 minute checkout lifetime.
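The checkout-lifetime semantics above, modelled as an added example (not Centrify code): the policy resolves to 60 minutes when undefined and rejects values under 15, an extension before expiry resets the full lifetime, and an extension attempted after expiry fails because the password has already been checked back in. Times are minutes on a constructed integer clock.

```python
from dataclasses import dataclass
from typing import Optional

MIN_CHECKOUT_LIFETIME = 15      # minutes; the documented minimum
DEFAULT_CHECKOUT_LIFETIME = 60  # minutes; applies when the policy is not defined


def effective_lifetime(policy_minutes: Optional[int]) -> int:
    """Resolve a checkout lifetime policy value to the lifetime that is enforced.

    None means the policy is not defined, so the 60-minute default applies.
    Values below the 15-minute minimum are rejected rather than silently clamped.
    """
    if policy_minutes is None:
        return DEFAULT_CHECKOUT_LIFETIME
    if policy_minutes < MIN_CHECKOUT_LIFETIME:
        raise ValueError(f"checkout lifetime must be at least {MIN_CHECKOUT_LIFETIME} minutes")
    return policy_minutes


@dataclass
class Checkout:
    """One password checkout. Clock values are minutes (constructed for this example)."""
    account: str
    lifetime: int
    checked_out_at: int
    expires_at: int = 0
    checked_in: bool = False

    def __post_init__(self) -> None:
        self.expires_at = self.checked_out_at + self.lifetime

    def is_active(self, now: int) -> bool:
        """Active until the lifetime elapses; at that point the vault checks the password back in."""
        if not self.checked_in and now >= self.expires_at:
            self.checked_in = True
        return not self.checked_in

    def extend(self, now: int) -> bool:
        """Extension is only possible before the current period expires; it resets the full lifetime."""
        if not self.is_active(now):
            return False  # already checked back in; a new checkout is required
        self.expires_at = now + self.lifetime
        return True
```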

For more information about configuring the Checkout lifetime policy, see Extend the password checkout time.

Password checkout challenge rules

You can configure authentication rules and authentication profiles to protect access to the account password for specific accounts. Based on the rules you define, users attempting to check out the password for an account with access to a specific system might be required to provide a password, enter the passcode from a text message, or answer a phone call to authenticate their identity. The authentication rule defines the conditions under which a specific authentication profile should be used. The authentication profile defines the types of challenges presented and whether one-factor or two-factor authentication is required. You can also define a default authentication profile to use if the conditions you specify for the checkout rules are not met.

If you don’t create any authentication rules or authentication profiles for password checkouts, users with the appropriate permission can check out stored account passwords without being challenged to re-authenticate their identity or provide multi-factor authentication.

Secret access key checkout challenge rules

If you have the Checkout permission, you can check out the password for a stored account to use it for access to a system. When you check out a password, you choose whether to display or copy it to the clipboard for use.

Note: Show Password is only active for 15 seconds. Centrify PAS will hide the password after 15 seconds as a security measure.

Enable periodic password rotation

Select Yes if you want to rotate managed passwords automatically at the interval you specify. Select No if you want to prevent password rotation for the selected system.

If you select Yes, you should also specify the password rotation interval in days. Type the maximum number of days to allow between automated password changes for managed accounts. You can set this policy to comply with your organization's password expiration policies. For example, if your organization requires passwords to be changed every 90 days, you can use this policy to automatically update managed passwords at least every 90 days. If the policy is not defined, passwords are not rotated according to the setting on the Settings > Resources > Security Settings tab.

Password complexity profile

Select an existing password generation profile or add a new profile for the selected system. If you don’t select or add a profile, the default password generation profile for the system type is used. For more information about adding and editing password complexity profiles, see Configure password profiles.

Domain administrative account

A domain administrative account enables Centrify PAS to:

  • Unlock a domain account if needed.
  • Reset the domain account password, in case the password does not match what is stored.

The domain administrative account is also used in the zone workflow feature to update account domain objects.

Without a policy, a customer can only have one domain administrative account per domain. This means the account must have permissions for all the domain accounts.

With a policy, multiple domain administrative accounts are enabled. Therefore, a customer can have a different administrator for each set of accounts, reducing the permissions granted to each domain administrative account.

See Set domain administrative accounts for more information.