Using a plugin to define access to passwords
You can define a plugin that determines user access controls when viewing passwords using pamutil. This plugin is configured from Manage the system > Privileged access > Options > General > Account access request > RES PWD ACL PLUGIN.
This plugin only applies to KMKeyGetByAccount and RecoverKeyByAccount API functions and is intended to simplify management of large numbers of OTP API callers with limited permissions. It determines whether users will be able to retrieve the passwords of accounts directly.
The plugin point will receive a KVGroup in the following format:
"" "" = { "userid" = "<ID of user calling the API function>"; "managedaccount" = "<ID of managed account of the password being viewed>"; "managedsystem" = "<ID of managed system of the managed account>"; }
It must return a KVGroup in the following format:
"output" "plugin_passwordacl" = { "acl" "" = { "view" = "<permission>" } "retval" = "0" }
Where "<permission>" can be either "allow" or "deny".
If "view"="allow", the user will be granted access to view the password for this API call only, bypassing all other access control checks. Likewise, if "view"="deny", the user will be denied access, bypassing all other access control checks.
It is acceptable to return a KVGroup with no view pair. In this case processing will continue as though the plugin had not been called at all, and the user’s permissions will be determined based on their user group memberships as usual.
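As an added illustration (not part of the product documentation or its plugin code), the following Python sketch parses a request KVGroup in the format shown above, decides the view permission from a constructed allow-list of limited OTP API callers, and serialises the response KVGroup in the required shape, covering all three outcomes (allow, deny, no view pair). The allow-list contents, and the assumption that the plugin receives the serialised request as text and returns the serialised response as text (the handle() function), are assumptions, not something the page specifies.

```python
import re
# Constructed allow-list: limited OTP API callers and the managed systems whose passwords
# they may retrieve directly. Unlisted callers get no "view" pair, so normal checks apply.
DIRECT_VIEW_ALLOWLIST = {
    "svc-otp-backup": {"sys-linux-01", "sys-linux-02"},
    "svc-otp-monitor": {"sys-win-07"},
}
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={};])|\s+')  # quoted string | symbol | space

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.lastindex:  # group 1 = quoted string, group 2 = symbol; whitespace sets neither
            tokens.append(("str" if m.lastindex == 1 else "sym", m.group(m.lastindex)))
    return tokens

def _parse_entries(tokens, i):
    # Entries are '"key" = "value"' pairs or '"name" "type" = { ... }' groups, up to '}'.
    # Semicolons between entries are optional, as in the page's two samples.
    out = {}
    while tokens[i] != ("sym", "}"):
        (kind, key), nxt = tokens[i], tokens[i + 1]
        if kind == "str" and nxt == ("sym", "=") and tokens[i + 2][0] == "str":
            out[key], i = tokens[i + 2][1], i + 3
        elif kind == "str" and nxt[0] == "str" and tokens[i + 2:i + 4] == [("sym", "="), ("sym", "{")]:
            out[(key, nxt[1])], i = _parse_entries(tokens, i + 4)
        else:
            raise ValueError(f"malformed entry at token {i}: {tokens[i]!r}")
        if tokens[i] == ("sym", ";"):
            i += 1
    return out, i + 1

def parse_kvgroup(text):
    try:  # a sentinel '}' closes the top-level entry list; running past it means truncation
        return _parse_entries(tokenize(text) + [("sym", "}")], 0)[0]
    except IndexError:
        raise ValueError("truncated KVGroup") from None

def decide_view(request, allowlist=DIRECT_VIEW_ALLOWLIST):
    # "allow" / "deny" bypass all other checks; None means omit the view pair entirely.
    fields = request[("", "")]
    systems = allowlist.get(fields["userid"])
    return None if systems is None else ("allow" if fields["managedsystem"] in systems else "deny")

def format_response(view):
    acl = f'"acl" "" = {{ "view" = "{view}" }} ' if view else ""  # no acl group when undecided
    return f'"output" "plugin_passwordacl" = {{ {acl}"retval" = "0" }}'

def handle(text):  # assumed plugin contract: serialised request in, serialised response out
    return format_response(decide_view(parse_kvgroup(text)))
```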