When you add accounts for a domain to the Privileged Access Service, you store the passwords for those accounts securely in a local repository, in the Centrify, or in a key management appliance such as SafeNet KeySecure. If you have the appropriate global- or domain-specific permissions, you can check out the password for a stored account to access a domain computer. When you check out a password, you choose whether to display or copy it to the clipboard for use. The password remains checked out until either you check it back in or the Privileged Access Service checks it automatically.
The maximum length of time you are allowed to keep a password checked out is configured using a domain policy. For more information about configuring the Checkout lifetime policy for a domain, see Setting domain-specific policies.
To check out a password:
- In the Admin Portal, click Resources > Domains to display the list of domains.
- Select a domain to display the domain details.
- Click Accounts.
- Select the appropriate domain account to display the Actions menu.
- Select Checkout or Request Checkout.
If you don’t have the Checkout permission and click Request Checkout, your request is sent to a designated user or to the members of a designated role for approval. If your request is approved, you have limited period of time to check out the account password. For more information about the “request and approval” work flow, see Managing access requests.
Click Show Password if you want to view the password for the selected account as plain text or click Copy Password to copy the password without viewing it.
The checkout is recorded as recent activity in the dashboard and in the list of domain activity.
Log on to the domain computer using the selected account name and password.
After taking the appropriate action, close the session to log off and check in the password. For more information about checking in a password, see Checking in a password.