Skip to main content

Accessing administrative passwords

Product administrators, by default, are members of the ALLSUPERUSERS group which have the following hard coded restrictions:

  • Access to the "current password" is blocked on all managed system policies, regardless of whether the UI indicates that the permission boxes are checked.

  • Candidate passwords within the details view of a password conflict are blocked.

These hard-coded restrictions are in place so that all password requests are made via the Requests or OTPAPI to ensure an accurate audit trail. Product administrators can be granted access to passwords for a managed system policy in the rare case this is required. Product administrators must have the "Create managed systems" administrative privilege and belong to a separate, non-ALLSUPERUSERS user group, with the following permissions on a given managed system policy :

  • View properties for this policy or Modify properties for this policy

  • Pre-approved check-out of managed accounts

Warning

It is recommended that you limit product administrator access to passwords because it bypasses authorization workflow and does not leave an audit trail.

Do not use superuser accounts to access privileged accounts once regular user access has been configured, as it can cause conflicts with normal user access.

To access managed system passwords as a product administrator :

  1. Navigate to the Managed accounts page.

  2. Select the account whose passwords you want to access.

  3. Click View to reveal the password.

    This option requires a browser with ActiveX or JavaScript enabled. You have a limited time to access the password.

    The Display disclosure must be configured to view the password on this page. This disclosure will be unavailable if it was only configured to access SSH keys.

    The Current password status field indicates whether the password has been updated on the managed system (password confirmed) or is awaiting a successful reset (password pending confirm).

  4. If your permissions allow it, you can click the Show button to display a list of historical passwords for the account. Click Hide to close the list.

    The passwords are hidden behind View buttons. Click on a button to access the password.

    Warning

    Any time you reveal a password, ensure that you are the only one who can see the screen.

3094.png
In this section: