View Retrospective Approval Requests in the CLI

If the password view policy specifies retrospective approval, requests to view a password are sent to the approver.

Make a Request to View a Password Using the CLI

If the password view policy specifies retrospective approval, requests to view a password are sent to the approver.
In such cases, the XML command string that is returned from the operation:
  • Contains a status code of 400, indicating successful operation
  • Excludes all account details except a warning message indicating that the request has been forwarded for processing
Follow these steps:
  1. Search target accounts to retrieve the target account ID:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount ^
        TargetAccount.userName=breakglassaccount
    Linux:
      capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount \
        TargetAccount.userName=breakglassaccount
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 1005.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <TargetAccount>
          <privileged>true</privileged>
          <aliases />
          <password>{1}3d2876d75f730fcf7b00f974816aa97b</password>
          <lastUsed />
          <passwordViewPolicyID>1013</passwordViewPolicyID>
          <accessType />
          <cacheBehavior>useCacheFirst</cacheBehavior>
          <cacheDuration>30</cacheDuration>
          <compoundServerList>[]</compoundServerList>
          <lastVerified />
          <lastViewed />
          <targetApplicationID>1001</targetApplicationID>
          <userName>dualaccountnew</userName>
          <compoundAccount>false</compoundAccount>
          <passwordVerified>false</passwordVerified>
          <synchronize>false</synchronize>
          <targetApplication />
          <cacheAllow>true</cacheAllow>
          <targetServerAlias />
          <ID>1005</ID>
          <Attribute.extensionType>mssql</Attribute.extensionType>
          <Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
          <Attribute.cspm_serverkeyid>1</Attribute.cspm_serverkeyid>
          <Attribute.descriptor1 />
          <Attribute.descriptor2 />
          <createDate>Tue Nov 16 12:44:50 UTC 2010</createDate>
          <createUser>admin</createUser>
          <extensionType>mssql</extensionType>
          <hash>FIRqOhKpXV1sg1rsroJzlYHmzH4=</hash>
          <updateDate>Tue Nov 16 12:44:50 UTC 2010</updateDate>
          <updateUser>admin</updateUser>
        </TargetAccount>
      </cr.result>
    </CommandResult>
  3. View the password. Use the ID provided by the output of the previous command:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword ^
        TargetAccount.ID=1005 reason=Poweroutagereason reasonDetails="Recover Tuesday pm" ^
        PasswordViewRequest.requestPeriodStart="2010-11-16 16:58" ^
        PasswordViewRequest.requestPeriodEnd="2010-11-16 17:05"
    Linux:
      capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword \
        TargetAccount.ID=1005 reason=Poweroutagereason reasonDetails="Recover Tuesday pm" \
        PasswordViewRequest.requestPeriodStart="2010-11-16 16:58" \
        PasswordViewRequest.requestPeriodEnd="2010-11-16 17:05"
  4. Enter your password at the prompt.
    Credential Manager immediately returns the requested password in the following XML command string. Internally, a retrospective approval request is generated and sent to the account owner for retrospective approval.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <TargetAccount>
          <userName>qa</userName>
          <targetApplicationID>1007</targetApplicationID>
          <accessType></accessType>
          <targetApplication></targetApplication>
          <passwordVerified>true</passwordVerified>
          <compoundServerList>[]</compoundServerList>
          <synchronize>true</synchronize>
          <ownerUserID>-1</ownerUserID>
          <compoundAccount>false</compoundAccount>
          <cacheBehavior>useCacheFirst</cacheBehavior>
          <cacheDuration>30</cacheDuration>
          <compoundServerIDs>null</compoundServerIDs>
          <passwordViewPolicyID>1001</passwordViewPolicyID>
          <cacheAllow>true</cacheAllow>
          <lastUsed>Tue Nov 27 17:34:00 UTC 2018</lastUsed>
          <serverKeyId>-1</serverKeyId>
          <cacheBehaviorInt>1</cacheBehaviorInt>
          <targetServerAlias></targetServerAlias>
          <lastVerified>Fri Nov 09 16:34:10 UTC 2018</lastVerified>
          <lastViewed>Tue Nov 27 17:34:00 UTC 2018</lastViewed>
          <aliases></aliases>
          <password>n3wp@ss</password>
          <privileged>true</privileged>
          <Attribute.keyOptions></Attribute.keyOptions>
          <Attribute.verifyThroughOtherAccount>false</Attribute.verifyThroughOtherAccount>
          <Attribute.discoveryAllowed>false</Attribute.discoveryAllowed>
          <Attribute.publicKey></Attribute.publicKey>
          <Attribute.privateKey></Attribute.privateKey>
          <Attribute.protocol>SSH2_PASSWORD_AUTH</Attribute.protocol>
          <Attribute.otherAccount></Attribute.otherAccount>
          <Attribute.descriptor2></Attribute.descriptor2>
          <Attribute.discoveryGlobal>false</Attribute.discoveryGlobal>
          <Attribute.descriptor1></Attribute.descriptor1>
          <Attribute.extensionType>unixII</Attribute.extensionType>
          <Attribute.useOtherAccountToChangePassword>false</Attribute.useOtherAccountToChangePassword>
          <Attribute.passphrase></Attribute.passphrase>
          <Attribute.passwordChangeMethod>DO_NOT_USE_SUDO</Attribute.passwordChangeMethod>
          <createTime>1541781247000</createTime>
          <createDate>Fri Nov 09 16:34:07 UTC 2018</createDate>
          <extensionType>unixII</extensionType>
          <updateDate>Fri Nov 09 16:43:30 UTC 2018</updateDate>
          <createUser>super</createUser>
          <updateTime>1541781810000</updateTime>
          <updateUser>super</updateUser>
          <hash>gSRczWKdl0hlGnCf0szsI5kSKbY=</hash>
          <ID>1005</ID>
        </TargetAccount>
      </cr.result>
    </CommandResult>

Acknowledge or Decline a Request Using the CLI

Use the following procedure to acknowledge or decline a password view request from the CLI using the updatePasswordViewRequestStatus command.
Follow these steps:
  1. Search the password view requests assigned to you as approver to retrieve the request ID:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchPasswordViewRequestByApprover
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 4.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <PasswordViewRequest>
          <endDate>Fri Nov 30 22:21:00 UTC 2018</endDate>
          <startDate>Fri Nov 30 22:21:00 UTC 2018</startDate>
          <ssoType></ssoType>
          <requestorID>1000</requestorID>
          <targetAccountID>1005</targetAccountID>
          <approverID>-1</approverID>
          <referenceCode></referenceCode>
          <reasonDescription>view</reasonDescription>
          <approvalReason></approvalReason>
          <approvalReasonDescription></approvalReasonDescription>
          <approverIPAddress></approverIPAddress>
          <viewStatus>1</viewStatus>
          <reason>view</reason>
          <status>11</status>
          <createTime>1543616479000</createTime>
          <createDate>Fri Nov 30 22:21:19 UTC 2018</createDate>
          <extensionType></extensionType>
          <updateDate>Fri Nov 30 22:21:19 UTC 2018</updateDate>
          <createUser>super</createUser>
          <updateTime>1543616479000</updateTime>
          <updateUser>super</updateUser>
          <hash>XtwwNcuGn48O7UrSSekcq5g3Mlo=</hash>
          <ID>1059</ID>
        </PasswordViewRequest>
      </cr.result>
    </CommandResult>
  3. Change the status of the password view request to acknowledged or declined. Use the ID provided by the output of the previous command:
    Windows:
      capam_command adminUserID=admin capam=mycompany.com ^
        cmdName=updatePasswordViewRequestStatus PasswordViewRequest.ID=4 ^
        PasswordViewRequest.status=acknowledged
    Linux:
      capam_command adminUserID=admin capam=mycompany.com \
        cmdName=updatePasswordViewRequestStatus PasswordViewRequest.ID=4 \
        PasswordViewRequest.status=acknowledged
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <PasswordViewRequest>
          <endDate>Fri Nov 30 22:21:00 UTC 2018</endDate>
          <startDate>Fri Nov 30 22:21:00 UTC 2018</startDate>
          <ssoType></ssoType>
          <requestorID>1000</requestorID>
          <targetAccountID>1005</targetAccountID>
          <approverID>1000</approverID>
          <referenceCode></referenceCode>
          <reasonDescription>view</reasonDescription>
          <approvalReason></approvalReason>
          <approvalReasonDescription></approvalReasonDescription>
          <approverIPAddress></approverIPAddress>
          <viewStatus>1</viewStatus>
          <reason>view</reason>
          <status>9</status>
          <createTime>1543616479000</createTime>
          <createDate>Fri Nov 30 22:21:19 UTC 2018</createDate>
          <extensionType></extensionType>
          <updateDate>Fri Nov 30 22:36:23 UTC 2018</updateDate>
          <createUser>super</createUser>
          <updateTime>1543617383416</updateTime>
          <updateUser>super</updateUser>
          <hash>ouVRldocSDru0WMQlQ/cXDmyRfg=</hash>
          <ID>1059</ID>
        </PasswordViewRequest>
      </cr.result>
    </CommandResult>
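
Both procedures above return a CommandResult XML string, and the viewAccountPassword result carries the password in clear text. The following added example (not part of the product or its documentation) shows one way a wrapper script could check the status code, pull out the ID values, and keep secret fields out of anything it logs. The function names, the mask string, and the list of secret fields are assumptions, and the sample inputs are constructed by trimming the outputs shown above.

```python
import xml.etree.ElementTree as ET

# Assumed list of secret-bearing fields, taken from the outputs shown on this page.
SECRET_TAGS = {"password", "Attribute.privateKey", "Attribute.passphrase"}
MASK = "***REDACTED***"

# Constructed samples, trimmed from the viewAccountPassword and
# searchPasswordViewRequestByApprover outputs above.
VIEW_XML = """<CommandResult><cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription>
<cr.result><TargetAccount><userName>qa</userName><password>n3wp@ss</password>
<Attribute.passphrase></Attribute.passphrase><ID>1005</ID></TargetAccount></cr.result>
</CommandResult>"""
REQUEST_XML = """<CommandResult><cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription><cr.result><PasswordViewRequest>
<requestorID>1000</requestorID><targetAccountID>1005</targetAccountID>
<reason>view</reason><status>11</status><ID>1059</ID></PasswordViewRequest>
</cr.result></CommandResult>"""


def parse_result(xml_text):
    """Return (records, secrets); records are safe to log, secrets are not."""
    top = {child.tag: child for child in ET.fromstring(xml_text)}
    code = (top["cr.statusCode"].text or "").strip() if "cr.statusCode" in top else ""
    if code != "400":  # 400 is the success code in this CLI's output
        desc = top["cr.statusDescription"].text if "cr.statusDescription" in top else ""
        raise RuntimeError(f"command failed: status {code!r} {desc}")
    records, secrets = [], []
    for item in top.get("cr.result", []):
        fields, held = {"type": item.tag}, {}
        for child in item:
            text = (child.text or "").strip()
            if child.tag in SECRET_TAGS and text:
                held[child.tag] = text      # keep in memory only
                text = MASK                 # what goes to logs or tickets
            fields[child.tag] = text
        records.append(fields)
        secrets.append(held)
    return records, secrets


def ids_of(records, kind):
    """IDs of all records of one type, e.g. 'PasswordViewRequest'."""
    return [r["ID"] for r in records if r["type"] == kind and r.get("ID")]


if __name__ == "__main__":
    for sample in (VIEW_XML, REQUEST_XML):
        print(parse_result(sample)[0])
```

The searchTargetAccount output also contains a password element (an encoded value in the sample above), so the same masking applies when that output is captured.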

Update the Acknowledge or Decline Reasons for a Request Using the CLI

The reasons that populate the Reason drop-down list when acknowledging or denying a password view request in the GUI can be updated using the setSystemProperty command.
To update the list of acknowledgement reasons, use:
    Windows:
      cspmserver_admin cmdName=setSystemProperty propertyName=ViewPasswordAcknowledgeReasons ^
        propertyValues=reason1
    Linux:
      cspmserver_admin cmdName=setSystemProperty propertyName=ViewPasswordAcknowledgeReasons \
        propertyValues=reason1
To update the list of denial reasons, use:
    Windows:
      cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordDeclineReasons ^
        propertyValues="reason1|reason2"
    Linux:
      cspmserver_admin cmdName=setSystemProperty propertyName=viewPasswordDeclineReasons \
        propertyValues="reason1|reason2"
The | character delimits multiple reasons.