Create a Password View Policy with the CLI
To create a password view policy from the CLI, use the addPasswordViewPolicy command.
Follow these steps:
- Specify the Password View policy. For example:

      capam_command adminUserID=admin capam=mycompany.com cmdName=addPasswordViewPolicy PasswordViewPolicy.name=PasswordViewPolicy PasswordViewPolicy.description=Test PasswordViewPolicy.changePasswordOnView=true PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.authenticationRequired=true PasswordViewPolicy.checkinCheckoutInterval=60 PasswordViewPolicy.dualAuthorization=true PasswordViewPolicy.passwordViewRequestMaxDays=7 PasswordViewPolicy.passwordViewRequestMaxInterval=60 PasswordViewPolicy.dualAuthorizationInterval=60 PasswordViewPolicy.changePasswordOnConnectionEnd=true PasswordViewPolicy.changePasswordOnSessionEnd=false PasswordViewPolicy.enableOneClickApproval=true PasswordViewPolicy.approvers=approver1,approver2 PasswordViewPolicy.emailNotificationRequired=true PasswordViewPolicy.emailNotificationToDualAuthApprovers=false PasswordViewPolicy.emailNotificationToActiveUsers=true PasswordViewPolicy.emailNotificationUsers=user1,user2
- Enter your password at the prompt. Credential Manager returns an XML command string. For example:

      <CommandResult>
        <cr.itemNumber>0</cr.itemNumber>
        <cr.statusCode>400</cr.statusCode>
        <cr.statusDescription>Success.</cr.statusDescription>
        <cr.result>
          <PasswordViewPolicy>
            <name>PasswordViewPolicy</name>
            <readOnly>false</readOnly>
            <description>Test</description>
            <enableOneClickApproval>true</enableOneClickApproval>
            <changePasswordOnView>true</changePasswordOnView>
            <emailNotificationRequired>true</emailNotificationRequired>
            <dualAuthorizationRequired>true</dualAuthorizationRequired>
            <passwordViewRequestMaxDays>14</passwordViewRequestMaxDays>
            <passwordViewRequestMaxInterval>60</passwordViewRequestMaxInterval>
            <dualAuthorizationInterval>60</dualAuthorizationInterval>
            <changePasswordOnConnectionEnd>true</changePasswordOnConnectionEnd>
            <changePasswordOnSessionEnd>false</changePasswordOnSessionEnd>
            <approvers>approver1,approver2</approvers>
            <approverIDs>[]</approverIDs>
            <emailNotificationUserIDs>[]</emailNotificationUserIDs>
            <checkinCheckoutRequired>true</checkinCheckoutRequired>
            <checkinCheckoutInterval>60</checkinCheckoutInterval>
            <passwordChangeInterval>60</passwordChangeInterval>
            <emailNotificationForDualAuthApprovers>false</emailNotificationForDualAuthApprovers>
            <authenticationRequired>true</authenticationRequired>
            <emailNotificationForActiveUsers>true</emailNotificationForActiveUsers>
            <emailNotificationUsers>user1,user2</emailNotificationUsers>
            <ID>1016</ID>
            <createDate>Wed Nov 17 07:46:45 UTC 2010</createDate>
            <createUser>admin</createUser>
            <extensionType />
            <hash>uO9WFJd7m5RNv2N/3ZgIqVGU00M=</hash>
            <updateDate>Wed Nov 17 07:46:45 UTC 2010</updateDate>
            <updateUser>admin</updateUser>
          </PasswordViewPolicy>
        </cr.result>
      </CommandResult>
The previous example creates a policy that is named PasswordViewPolicy. This new policy specifies:
- An account password must be changed once it is viewed.
- Only one person at a time can view an account password.
- The person must authenticate before viewing an account password.
- After a password is checked out, a password is automatically checked in after 60 minutes.
- After a connection is established, that password is automatically changed after that session is closed or times out.
- When the password is viewed, an email must be sent to the list of identified approvers.
- The email sent to the list of approvers must contain two URLs (one to approve and another to deny the password view request).
- When the password is viewed, an email is sent to the list of identified users.
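A policy that silently differs from what was requested weakens the controls listed above, so it is worth comparing the returned XML with the command-line values. The following Python check is an added example, not part of the product or its documentation; `audit_policy` and the `RENAMED` mapping are hypothetical names, and the mapping is inferred only from the command and response shown on this page.

```python
import xml.etree.ElementTree as ET

# CLI parameter -> XML element where the names differ in this page's sample
# (inferred from that sample only; confirm against your product version).
RENAMED = {
    "dualAuthorization": "dualAuthorizationRequired",
    "emailNotificationToDualAuthApprovers": "emailNotificationForDualAuthApprovers",
    "emailNotificationToActiveUsers": "emailNotificationForActiveUsers",
}

def audit_policy(response_xml, requested):
    """Return {parameter: (requested, returned)} for each setting that differs."""
    root = ET.fromstring(response_xml)
    policy = next(root.iter("PasswordViewPolicy"), None)
    if policy is None:
        raise ValueError("response contains no <PasswordViewPolicy> element")
    diffs = {}
    for param, want in requested.items():
        got = policy.findtext(RENAMED.get(param, param))
        if got is None or got.strip() != want:
            diffs[param] = (want, got)
    return diffs

# Constructed sample: a trimmed copy of the response shown on this page.
SAMPLE_RESPONSE = """<CommandResult><cr.result><PasswordViewPolicy>
<changePasswordOnView>true</changePasswordOnView>
<dualAuthorizationRequired>true</dualAuthorizationRequired>
<passwordViewRequestMaxDays>14</passwordViewRequestMaxDays>
<checkinCheckoutRequired>true</checkinCheckoutRequired>
<authenticationRequired>true</authenticationRequired>
<emailNotificationForActiveUsers>true</emailNotificationForActiveUsers>
</PasswordViewPolicy></cr.result></CommandResult>"""

# Values passed on the command line in the example on this page.
REQUESTED = {
    "changePasswordOnView": "true",
    "dualAuthorization": "true",
    "passwordViewRequestMaxDays": "7",
    "checkinCheckoutRequired": "true",
    "authenticationRequired": "true",
    "emailNotificationToActiveUsers": "true",
}

if __name__ == "__main__":
    for param, (want, got) in audit_policy(SAMPLE_RESPONSE, REQUESTED).items():
        print(f"MISMATCH {param}: requested {want!r}, returned {got!r}")
```

With the values from this page, the check reports `passwordViewRequestMaxDays`, which the command sets to 7 and the sample response shows as 14.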
Customize Reasons for Viewing Password
Use the setPasswordViewReasons CLI command to customize the list of reasons for viewing a password that is displayed to GUI users. See setPasswordViewReasons for details.