Use Account Discovery to Add Target Accounts

A subset of out-of-the-box target applications offers the Account Discovery feature. Account Discovery is a mechanism to add target accounts easily. You can use it as an alternative to manually adding target accounts.
The following application types offer Account Discovery:
If you discover accounts using Amazon AWS integration, the Address field of the device must include the fully qualified domain name or IP address. If a device using AWS integration has already been discovered, recreate the device.
Account Discovery Prerequisites
Before you can use Account Discovery, you must configure the targets that the appliance searches for discovery. For any managed target, configure the following items:
  1. Target servers. See Device Discovery.
  2. Target Applications. Configure one of the target applications that support Account Discovery.
  3. Target Accounts for each target application that supports Account Discovery.
    When you add a target account, the Discovery Allowed option is available. Selecting this option indicates that the account is available for discovery. Select this option only for accounts that you want to scan for discovery.
    You can use an account to scan only for other accounts that support the same target application. For example, use a Windows domain account that is configured with an Active Directory target application to scan for other accounts that use the Active Directory application type. You cannot use the Windows domain account to scan for local accounts that are configured with a Windows Proxy target application.
    For UNIX accounts, selecting Discovery Allowed also adds the checkbox Allow multiple server discovery for this type of application. This checkbox indicates that the account is a discovery account for any server and application of this type. For example, if you have 20 servers with a common account and password, use one account and select this box. Then for any discovery job with this application type selected, this account is used as a credential for discovery.
Discover Accounts Using a Scan
To discover accounts, follow these steps:
  1. Go to Credentials, Discovery.
  2. Select Discovery from the Targets Menu.
  3. Create a Scan Profile:
    1. From the Scan Profiles tab, select Add.
    2. On the Profile tab, complete the fields.
    3. On the Servers tab, move Available Servers to Selected Servers with the arrow button. The listed available servers are managed devices.
    4. The Purge Interval field sets the number of days after which discovered devices are deleted, unless the devices are discovered by another profile. The Purge Interval default is set on the Global Settings page, under Basic Settings, as Scan Purge Interval.
  4. Run the scan.
    1. Create a schedule to run the scan or run it on demand.
      • Use the Schedule tab to create an optional schedule. Once you select a frequency, other fields appear. Select the appropriate time intervals. Select OK to save the Scan Profile.
      • To run the scan on demand rather than on a schedule, select OK to save it. Select the Scan Profile from the Scan Profiles list, and select the Run button above the list.
    2. Once a scan is running, monitor its progress on the Scan Profile Jobs tab. You can also cancel the job on this panel by selecting Cancel Job. Once it is complete, view a summary of its results on the Scan Profile History tab. The Scan Profile Jobs and other tables are refreshed according to the default setting on the Global Settings page. Table Refresh Interval is in the Basic Settings section, and defaults to 60 seconds.
      Selecting Delete for a highlighted profile deletes its Scan Profile History. Delete also deletes any Accounts that are associated with that Profile unless they are associated with another Profile.
After a scan is complete, you can:
View the Scan Results
Select the Scan Profile History tab to view the results of the account discovery scans. Each row shows a Scan Profile, its latest Discovery time, and a summary of the scan results. The summary shows a count of discovered accounts, how many are new, and how many are not found. "Not found" Accounts were discovered by a previous run of the same Scan Profile, but are now missing. The Summary shows the same information about SSH Keys. See SSH Key Discovery for more information. The Summary also shows a count of any errors that were encountered. These numbers refer only to the latest run of this scan profile.
Use the Filter button to filter the display on the page. You can use asterisks and percent signs as multiple-character wildcards.
View Summary Details
The View Summary Details button opens the Scan Results window. The Scan Information tab displays the Scan Profile name and the Job Time. The Discovered Accounts, New Accounts, and Not Found Accounts tabs list the Account Names in each respective category. For information about the Discovered Keys, New Keys, and Not Found Keys, see SSH Key Discovery. The Logs tab displays a table including each action that is taken regarding this scan.
To see all scans that have run for a given Profile, select the View Scans button above the Summary. Clicking the Summary numbers lists the accounts or keys that are discovered in the same panel as View Summary Details. You can also select the View Summary Details button to get to this panel.
View Account Scan Results
To see information about the discovered accounts, go to the Scan Profile History panel and select Scan Profile, View Account Scan Results. The account name, the device where it was found, the application, and a timestamp are displayed. A checkbox indicates whether Credential Manager manages the account.
The history panel has the following controls:
  • Filter: Filter the display on the page by column values. You can use asterisks and percent signs as multiple-character wildcards.
  • Export: Create a CSV file with a row for each Discovered Account listed.
  • View: Show the data for one row whose Account Name box is checked. In the Logs tab, it displays log information that is not shown in the Account Scan results panel.
  • Manage: Bring an account under management. To manage accounts, select one or more account names. Then select Manage. The Manage Discovered Accounts window opens.
View All Scans
To see all discovered accounts rather than only the accounts for a given scan, select the Discovered Accounts tab. The displayed table lists each Account Name, Device Name, Application Name, Latest Discovery Time, and whether it Is Managed.
On this tab are the following controls:
  • Filter: Filter the display on the page by column values. You can use asterisks and percent signs as multiple-character wildcards.
  • Export: Create a CSV file with a row for each Discovered Account listed.
  • View: Show the data for one row whose Account Name box is checked. In the Logs tab, it displays log information that is not shown in the Account Scan results panel.
  • Manage: Bring an account under management. To manage accounts, select one or more account names then select Manage. The Manage Discovered Accounts window opens.
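The following Python script is an added example and is not part of the product documentation. It triages a Discovered Accounts CSV export by listing the accounts that are not yet managed, grouped by device, with an optional account-name filter that follows the same asterisk and percent-sign wildcard convention. The CSV header names, the true/false values in the Is Managed column, the case-insensitive matching, and the sample rows are assumptions; adjust them to match a real export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Header names are assumed to match the columns of
# the Discovered Accounts table; verify them against a real export file.
SAMPLE_EXPORT = """Account Name,Device Name,Application Name,Latest Discovery Time,Is Managed
root,unix01.example.test,UNIX,2024-01-10 02:00:00,true
svc_backup,unix01.example.test,UNIX,2024-01-10 02:00:00,false
Administrator,win01.example.test,Windows Proxy,2024-01-10 02:05:00,false
svc_sql,win01.example.test,Windows Proxy,2024-01-10 02:05:00,false
oracle,unix02.example.test,UNIX,2024-01-10 02:10:00,true
"""

def wildcard_to_regex(pattern):
    """Compile a filter where '*' and '%' each match any run of characters."""
    parts = re.split(r"[*%]", pattern)
    # Case-insensitive matching is a choice made for this script.
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)

def unmanaged_by_device(csv_text, account_filter="*"):
    """Return {device: [(account, application), ...]} for unmanaged rows."""
    matcher = wildcard_to_regex(account_filter)
    result = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumed encodings of the Is Managed checkbox in the export.
        managed = row["Is Managed"].strip().lower() in ("true", "yes", "1")
        if not managed and matcher.match(row["Account Name"]):
            result[row["Device Name"]].append(
                (row["Account Name"], row["Application Name"]))
    return dict(result)

if __name__ == "__main__":
    # Print one line per discovered account that still needs to be managed.
    for device, accounts in sorted(unmanaged_by_device(SAMPLE_EXPORT).items()):
        for name, app in accounts:
            print(f"{device}\t{app}\t{name}")
```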
Bring Discovered Accounts Under Management
To manage an account from the Discovered Accounts window, follow these steps:
  1. From the Discovered Accounts tab, select Manage. The Manage Discovered Accounts window opens.
  2. Select a synchronization option. This option is not available if the application type is Generic.
    • Update only the Password Authority Server. Passwords are only updated in Credential Manager. Credential Manager and target system passwords can differ.
    • Update both the Password Authority Server and the target system. Password updates are performed in both Credential Manager and the target system to maintain consistency.
      For the Windows Proxy and Windows Remote application types, the discovered accounts have the Force password change option enabled automatically.
  3. For most target account types, a Password Change Process option is available. This option lets you select whether the managed account can change its own password or whether another, higher-privilege account must do that. If you select Use the following account to change the password, a field appears below the legend so that you can select the password-changing account.
    Some application types allow an account password to be updated from another account (for example, root). If this situation applies, select that account. The account that is used to change the password must already be registered in Credential Manager.
  4. To generate a random password for each account, select the Generate credential for each account checkbox.
  5. Select whether the account type is Privileged Account or an A2A account (A2A is available only with a license). If you select A2A, more fields appear. You can set the Cache Behavior to use the Cache or the Server first, or not use a cache. You can also set the Cache Expiry in days.
  6. Password View Policy allows you to select a policy, including a Default policy. Access Password View Policies from the Workflow menu.
  7. Enter a Password. The Account Details page (Accounts option on the Targets menu) has more options that are not presented here. Once an Account is managed, you can access it from the Accounts page.
  8. (Optional) For customer convenience, enter a value for the Access Type to define dynamic target groups. This field is only for reference and is not used by Credential Manager.
  9. (Optional) If you are using target groupings, enter Descriptors.
  10. Select OK to save.
Update Discovered Accounts (Windows Proxy or Windows Remote Accounts Only)
To add new tasks and services to Windows Proxy or Windows Remote Accounts, follow these steps:
  1. Select Credentials, Discovery.
  2. On the Scan Profiles tab, select Run for the Profile with the account you want to update. If a Profile does not exist, select Add. Give it a Name. On the Servers tab, select the Server that is associated with the Proxy or Remote Account. Select Run.
  3. Select the Discovered Accounts tab.
    Windows Proxy or Windows Remote accounts that have updates available display a green checkbox under the Updates Available column.
  4. Select the Update button for the Windows Proxy or Windows Remote account with updates available.
    The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
  5. Select OK.
  6. Select Yes when you are prompted to Update Selected Accounts.
    The managed Services and Scheduled Tasks appear on their tabs on the Account, under Credentials, Manage Targets, Accounts.
To remove tasks and services from Windows Proxy or Windows Remote Target Accounts, follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the account that you want to modify.
  3. Select Update.
  4. Select the Services or Tasks tab.
  5. Select the service or task you want to delete. Select the Delete icon.