
Modify the password policy for a managed system policy

By default, Bravura Privilege uses a semi-complex password policy to generate random passwords for push mode and local service mode managed system policies. The password policy is set for a managed system policy when the policy is created.

The managed system policy must include password or SSH key authentication types to modify the password policy. You can modify the password policy for each managed system policy. To do this:

  1. Navigate to the Managed system policy information page.

  2. Select the Password policy tab.

  3. Configure the rules defined in Table 1, “Password strength rules”.

  4. Click Update.

Note that:

  • If a managed system is a member of multiple managed system policies, it uses the password policy of the managed system’s primary Managed system policy option, which by default is the first policy it joined.

  • It is recommended that you limit the number of managed system policies (with different password policies) a system belongs to. In the event that a managed system policy is removed, all managed systems that were using its password policy will adopt the password policy of the next managed system policy to which they belong. This could result in unexpected behavior if you are not careful in how you construct your managed system policies, password policies, and managed system policy memberships.

  • It is highly recommended that you configure your password policies before Bravura Privilege starts managing system passwords.

You can also write a plugin to decide which password policy to apply to a managed account. The plugin must be identified in the RES PWDPOL GET setting (Manage the system > Privileged access > Options > Password randomization).

Requirements

See Writing plugins for general requirements.

Execution points

The plugin is run when a managed account’s password strength is displayed and when the password is randomized or overwritten.

Input

The plugin has access to the following KVGroup for member attributes:

"" "" = {
      "accountID" = "<account Id>"
      "managedsystem" = "<Managed system ID>"
      "resourcegroupid" = "<Managed system policy id>"
      "sessionid" = "<session id>"
}

Output

The plugin is expected to return the following value:

"" "" = {
      "retval" = "0"
      "passwordpolicy" = "<global password policy ID>"
      "errmsg" = "<error message>"
}
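The following sketch shows the decision logic such a plugin could implement for the input and output layouts above. It is an added example, not Bravura Privilege code: the policy IDs, the mapping table, the sample input and the function names are hypothetical, and using a non-zero retval to report failure is an assumption (the page shows only "0"). How the KVGroup reaches the plugin is covered by Writing plugins and is not modeled here.

```python
import re

# Hypothetical mapping: managed system policy ID -> global password policy ID.
POLICY_BY_MSP = {
    "MSP_LINUX_ROOT": "PWPOL_STRICT",
    "MSP_WIN_SERVICE": "PWPOL_SERVICE",
}
PAIR = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')

# Constructed sample input in the layout shown under "Input".
SAMPLE = '''"" "" = {
  "accountID" = "root"
  "managedsystem" = "LNX01"
  "resourcegroupid" = "MSP_LINUX_ROOT"
  "sessionid" = "S123"
}'''

def parse_kvgroup(text):
    """Collect the "key" = "value" pairs of a flat KVGroup into a dict."""
    return dict(PAIR.findall(text))

def format_kvgroup(pairs):
    """Render a dict in the layout shown under "Output"."""
    # Assumption: values must not contain double quotes, so replace them.
    body = ['  "%s" = "%s"' % (k, v.replace('"', "'")) for k, v in pairs.items()]
    return "\n".join(['"" "" = {'] + body + ["}"])

def choose_policy(request_text):
    """Pick a password policy; refuse instead of guessing on bad input."""
    req = parse_kvgroup(request_text)
    missing = [k for k in ("accountID", "managedsystem", "resourcegroupid")
               if not req.get(k)]
    if missing:
        # Assumption: a non-zero retval reports failure (the page shows only "0").
        return {"retval": "1", "passwordpolicy": "",
                "errmsg": "missing input: " + ", ".join(missing)}
    policy = POLICY_BY_MSP.get(req["resourcegroupid"])
    if policy is None:
        return {"retval": "1", "passwordpolicy": "",
                "errmsg": "no password policy mapped for " + req["resourcegroupid"]}
    return {"retval": "0", "passwordpolicy": policy, "errmsg": ""}

if __name__ == "__main__":
    print(format_kvgroup(choose_policy(SAMPLE)))
```

Returning an explicit error for an unmapped managed system policy keeps an account from silently receiving a policy nobody chose for it, which is the same kind of unexpected behavior the membership notes above warn about.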