In most cases, you configure automatic credential rotation for managed accounts by setting policies globally or for individual Systems, domains, or databases. In order to successfully rotate an account password, you must have the rotate permission for the accounts you want to rotate.
There are scenarios, however, where you might want to generate a new credential for an account or multiple accounts on demand. For example, if there’s suspicious activity involving a particular account(s) or a risk that an account or set of accounts has been compromised, you might want to invalidate the existing credential and have the Privileged Access Service generate a new credential without waiting for the end of the automated credential rotation period.
You can select to rotate credentials for one or multiple individual managed accounts or you can select all accounts associated with a set. If you select multiple accounts or a set that includes managed and unmanaged accounts, only managed accounts are rotated.
If you rotate a credential while an account is currently checked out, the credential that has been checked out will no longer be valid and cannot be used to log on or start any new sessions. If there are any existing open sessions that used the checked out credential, those sessions can continue.
SSH key-based accounts
When an SSH key-based account is shared and rotated, it changes permission on that SSH key. For example: once the SSH key is rotated, a user who previously had permission to the shared SSH key will no longer have permission once the key is rotated. Once rotated, the shared key is replaced with a new key for the account.
The following steps detail how you can rotate passwords or SSH keys on demand.
To rotate credentials on demand
- In the Admin Portal, click Resources, then click Accounts to display the list of accounts.
- In the Sets section, click Managed Accounts to filter the list of accounts displayed.
- Select the managed account or multiple managed accounts requiring password rotation. You can also select all accounts associated with the set.
- Click the Actions menu or right-click the Set. For accounts with passwords, select Rotate Password. For accounts using SSH keys, select Rotate SSH Key.
- Select Yes to confirm that you want to rotate the selected passwords. Any passwords already checked out are also rotated. You will receive an email notification of the password rotation activity when multiple account passwords are rotated. You can either open the CSV file to view activity or click the link in the email to view the Job History page.
Note: When an SSH key is rotated, the permissions on the key change. After rotation, permissions default to minimum required settings. Permissions are not duplicated.