Skip to main content

Example: Create an OTP API user

This example demonstrates how to create an OTP API user that can be used to retrieve managed account passwords using pamutil .

Requirements

This example requires managed accounts to be onboarded. See Example: Onboard users from an Active Directory target for an example.

Create an OTP API group

  1. Log into Front-end (PSF) as a team trustee for the corporate AD accounts team.

  2. Use the Team: Update PDR.

  3. Select the Corporate AD Accounts Team.

  4. Add a new group called OTP API Trustee.

  5. Provide this group with OTP trustee privileges.

  6. Submit the request.

  7. Use the Team: Management Group Membership PDR.

  8. Add a user to the OTP API Trustee group.

    OTP trustees are users who can make OTP API account management requests.

Create an OTP_User

  1. Log into Front-end (PSF) as a user from the OTP API Trustee group created in Create an OTP API group .

    Only an otp_api trustee can see the PAMUtil: Create OTP API User PDR.

  2. Click the PAMUtil: Create OTP API User PDR.

  3. Choose the Corporate AD Accounts Team as the System Team.

  4. Click Next .

  5. Add a PAM OTP Account Description

  6. Select the managed accounts onboarded earlier.

    3510.png

  7. Click Submit.

The PAMUtil: Create OTP API User PDR creates a managed account that appears in the PAM_OTP_ACCOUNTS managed system policy in the format of PAM_UTIL_ <guid> , and a product administrator profile to manage the account.

3511.png

Check out the account

  1. Log into Front-end (PSF) as a user from the OTP API Trustee group created earlier.

  2. Click Privileged access from the Privileged access to managed systems section.

  3. Click Accounts from the Filter panel .

  4. Select the PAM OTP account from the Results panel.

    3513.png

  5. Click Request check-out.

  6. Click Submit.

  7. Authorize the request.

  8. Click Check out from the Actions panel.

    The PAM OTP account can now be used by the product administrator profile created earlier, to retrieve credentials of managed accounts it has access to using pamutil.

    Warning

    Do not check out the vault account again because it will be randomized on check-out and then the one used with pamutil will be wrong as it does not get updated with the new, randomized password.

In this section: