View Dual Authorization Requests in the CLI

If the password view policy specifies dual authorization, requests to view a password are sent to the approver.

Make a Request to View a Password Using the CLI

If the password view policy specifies dual authorization, requests to view a password are sent to the approver.
In such cases, the XML command string that is returned from the operation:
  • Contains a status code of 400, indicating successful operation
  • Excludes all account details except a warning message indicating that the request has been forwarded for processing
Follow these steps:
  1. Search target accounts to retrieve the target account ID:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount ^
        TargetAccount.userName=dualaccount
    Linux:
      capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount \
        TargetAccount.userName=dualaccount
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 1005.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <TargetAccount>
          <privileged>true</privileged>
          <aliases />
          <password>{1}3d2876d75f730fcf7b00f974816aa97b</password>
          <lastUsed />
          <passwordViewPolicyID>1013</passwordViewPolicyID>
          <accessType />
          <cacheBehavior>useCacheFirst</cacheBehavior>
          <cacheDuration>30</cacheDuration>
          <compoundServerList>[]</compoundServerList>
          <lastVerified />
          <lastViewed />
          <targetApplicationID>1001</targetApplicationID>
          <userName>dualaccountnew</userName>
          <compoundAccount>false</compoundAccount>
          <passwordVerified>false</passwordVerified>
          <synchronize>false</synchronize>
          <targetApplication />
          <cacheAllow>true</cacheAllow>
          <targetServerAlias />
          <ID>1005</ID>
          <Attribute.extensionType>mssql</Attribute.extensionType>
          <Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
          <Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
          <Attribute.descriptor1 />
          <Attribute.descriptor2 />
          <createDate>Tue Nov 16 12:44:50 UTC 2010</createDate>
          <createUser>admin</createUser>
          <extensionType>mssql</extensionType>
          <hash>FIRqOhKpXV1sg1rsroJzlYHmzH4=</hash>
          <updateDate>Tue Nov 16 12:44:50 UTC 2010</updateDate>
          <updateUser>admin</updateUser>
        </TargetAccount>
      </cr.result>
    </CommandResult>
  3. View the password. Use the ID provided by the output of the previous command:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword ^
        TargetAccount.ID=1005 reason=Poweroutagereason reasonDetails="Recover Tuesday pm" ^
        PasswordViewRequest.requestPeriodStart="2010-11-16 16:58" ^
        PasswordViewRequest.requestPeriodEnd="2010-11-16 17:05"
    Linux:
      capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword \
        TargetAccount.ID=1005 reason=Poweroutagereason reasonDetails="Recover Tuesday pm" \
        PasswordViewRequest.requestPeriodStart="2010-11-16 16:58" \
        PasswordViewRequest.requestPeriodEnd="2010-11-16 17:05"
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.warningCode>4625</cr.warningCode>
      <cr.warningMessage>This account has dual authorization enabled. A request to view the password has been e-mailed to the approvers of this account on your behalf.</cr.warningMessage>
    </CommandResult>
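A script that drives capam_command has to tell these responses apart, because a request forwarded for dual authorization also reports status code 400. The following Python code is an added example, not part of the product or its documentation; the function name, the state labels, and the choice of fields to withhold from logs are assumptions, and the sample strings are constructed from the responses shown above.

```python
import xml.etree.ElementTree as ET

SUCCESS = "400"              # status code the page documents as success
DUAL_AUTH_WARNING = "4625"   # warning code in the page's sample response
SENSITIVE = {"password", "hash"}  # assumption: fields to keep out of logs

def parse_result(xml_text):
    """Classify a CommandResult string without returning SENSITIVE fields."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Truncated output must never be read as a success.
        return {"state": "malformed", "detail": str(exc)}
    top = {child.tag: (child.text or "").strip() for child in root}
    if top.get("cr.statusCode") != SUCCESS:
        return {"state": "error", "detail": top.get("cr.statusDescription", "")}
    if top.get("cr.warningCode") == DUAL_AUTH_WARNING:
        # Status is still 400: the request was forwarded, nothing was disclosed.
        return {"state": "pending_approval", "detail": top.get("cr.warningMessage", "")}
    records = [
        {f.tag: (f.text or "").strip() for f in item if f.tag not in SENSITIVE}
        for result in root.iter("cr.result") for item in result
    ]
    return {"state": "ok", "records": records}

# Constructed samples, abridged from the responses shown on this page.
SEARCH = """<CommandResult><cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription>
<cr.result><TargetAccount><password>{1}placeholder</password>
<userName>dualaccountnew</userName><ID>1005</ID></TargetAccount></cr.result>
</CommandResult>"""
FORWARDED = """<CommandResult><cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.warningCode>4625</cr.warningCode>
<cr.warningMessage>This account has dual authorization enabled.</cr.warningMessage>
</CommandResult>"""
TRUNCATED = "<CommandResult><cr.statusCode>400</cr.statusCode><cr.result>"

if __name__ == "__main__":
    for name, text in (("search", SEARCH), ("view", FORWARDED), ("cut", TRUNCATED)):
        print(name, parse_result(text))
```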

Grant, Deny, or Expire a Request Using the CLI

Use the following procedure to approve or deny a password view request from the CLI using the updatePasswordViewRequestStatus command.
Follow these steps:
  1. Search the password view requests by approver to retrieve the request ID:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchPasswordViewRequestByApprover
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 4.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <PasswordViewRequest>
          <status>1</status>
          <targetAccountID>1</targetAccountID>
          <startDate/>
          <endDate/>
          <requestorID>3</requestorID>
          <approverID>-1</approverID>
          <ID>4</ID>
          <createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
          <createUser>req1</createUser>
          <hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
          <updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
          <updateUser>req1</updateUser>
          <extensionType/>
        </PasswordViewRequest>
      </cr.result>
    </CommandResult>
  3. Change the status of the password view request to approved or denied. Use the ID provided by the output of the previous command:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com ^
        cmdName=updatePasswordViewRequestStatus PasswordViewRequest.ID=4 ^
        PasswordViewRequest.status=approved
    Linux:
      capam_command adminUserID=admin capam=mycompany.com \
        cmdName=updatePasswordViewRequestStatus PasswordViewRequest.ID=4 \
        PasswordViewRequest.status=approved
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <PasswordViewRequest>
          <status>1</status>
          <targetAccountID>1</targetAccountID>
          <startDate>Wed Sep 10 15:47:00 UTC 2008</startDate>
          <endDate>Wed Sep 10 16:02:00 UTC 2008</endDate>
          <requestorID>3</requestorID>
          <approverID>1</approverID>
          <ID>1</ID>
          <createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
          <createUser>req1</createUser>
          <hash>Yc5gR/IpPVh8evYKGipQYa9AGXU=</hash>
          <updateDate>Wed Sep 10 15:47:09 UTC 2008</updateDate>
          <updateUser>admin</updateUser>
          <extensionType/>
        </PasswordViewRequest>
      </cr.result>
    </CommandResult>
Use the following procedure to expire a password view request from the CLI using the expirePasswordViewRequestCmd command.
Follow these steps:
  1. Search the password view requests by approver to retrieve the request ID:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchPasswordViewRequestByApprover
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 4.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <PasswordViewRequest>
          <status>1</status>
          <targetAccountID>1</targetAccountID>
          <startDate/>
          <endDate/>
          <requestorID>3</requestorID>
          <approverID>-1</approverID>
          <ID>4</ID>
          <createDate>Wed Sep 10 14:42:20 UTC 2008</createDate>
          <createUser>req1</createUser>
          <hash>RLMwHaMdENv9mlFnoSsoSOJezJw=</hash>
          <updateDate>Wed Sep 10 15:42:20 UTC 2008</updateDate>
          <updateUser>req1</updateUser>
          <extensionType/>
        </PasswordViewRequest>
      </cr.result>
    </CommandResult>
  3. Expire the password view request. Use the ID provided by the output of the previous command:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com cmdName=expirePasswordViewRequestCmd ^
        PasswordViewRequest.ID=4
    Linux:
      capam_command adminUserID=admin capam=mycompany.com cmdName=expirePasswordViewRequestCmd \
        PasswordViewRequest.ID=4
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
      </cr.result>
    </CommandResult>

Update the Approval or Denial Reasons for a Request Using the CLI

The reasons that populate the Reason drop-down list when you approve or deny a password view request in the GUI can be updated using the setSystemProperty command.
To update the list of approval reasons, use:
Windows:
  cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordApprovalReasons ^
    propertyValues="reason1|reason2"
Linux:
  cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordApprovalReasons \
    propertyValues="reason1|reason2"
To update the list of denial reasons, use:
Windows:
  cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordDenialReasons ^
    propertyValues="reason1|reason2"
Linux:
  cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordDenialReasons \
    propertyValues="reason1|reason2"
The | character delimits multiple reasons. Enclose the value in double quotes so that the command shell does not interpret | as a pipe.