Specifying a local administrative account

You can identify any account you add to the Zero Trust Privileged Access Service as the local administrative account for a specific system. However, some system types require you to specify a local administrative account if you want to manage any local account passwords. The account you designate as the local administrative account must have sufficient privileges to set and rotate passwords for other accounts. In addition, the local administrative account you specify for any system should be a dedicated account that is used exclusively by the Privileged Access Service.

You can have the password for the local administrative account managed by the Privileged Access Service so that other users with administrative privileges cannot change it. When the Privileged Access Service manages the password for the local administrative account, the actions available for that account are restricted. For example, you cannot select the Login action, because that action could be used to compromise the login shell for the local administrative account. Similarly, because the local administrative account is used internally to manage passwords for other accounts, you cannot select the Checkout, Rotate Password, or Delete actions for an account that is currently designated as the local administrative account.

If you need to set or change the local administrative account after adding a system, you must have the Edit permission on the system and the Grant permission on the account. You have these permissions by default if you are the owner who adds the system and account to the Privileged Access Service.

Only the systems that require a local administrative account support this option.

| System type | Administrative account |
| --- | --- |
| UNIX | You must specify a valid local administrative account to manage password operations for other accounts. Domain administrative accounts for UNIX are also supported; see Setting domain administrative accounts. |
| Windows | You cannot add a local administrative account for Windows systems. Domain administrative accounts for Windows are supported; see Setting domain administrative accounts. |
| Cisco AsyncOS | You must specify a valid local administrative account to manage password operations for other accounts. |
| Cisco IOS | You cannot add a local administrative account for Cisco IOS systems. |
| Cisco NX-OS | You cannot add a local administrative account for Cisco NX-OS systems. |
| Juniper Junos OS | You cannot add a local administrative account for Juniper Junos OS systems. |
| HP NonStop OS | You cannot add a local administrative account for HP NonStop OS systems. |
| IBM i | You cannot add a local administrative account for IBM i systems. |
| Generic SSH | You cannot add a local administrative account for Generic SSH systems. |
| Check Point Gaia | You must specify a local administrative account to manage the password for expert mode operations. The administrative account is not required to manage the passwords for other accounts. |
| Palo Alto Networks PAN-OS | You must specify a valid local administrative account to manage password operations for other accounts. |
| F5 Networks BIG-IP | You must specify a valid local administrative account that is a member of the Administrator role to manage password operations for other accounts. |
| VMware VMkernel | You must specify a valid local administrative account to manage password operations for other accounts. |

For more information about system settings, see the system-specific settings.