Check Out An Account Using the CLI

You can use the CLI to require that an account is checked out to view the password.
capam32
You can use the CLI to require that an account is checked out to view the password.

Check Out an Account to View the Password

Using the CLI, you can require an account check-out using the 
addPasswordViewPolicy
 command and the parameter 
PasswordViewPolicy.checkinCheckoutRequired=true
Example:
capam_command capam=capamServer adminUserID=admin cmdName=addPasswordViewPolicy
PasswordViewPolicy.name=restrictedAccounts PasswordViewPolicy.changePasswordOnView=true
PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=240
When a user views the password, message displays indicating that the account is checked out.
Use the following procedure to view an account password from the CLI.
 
Follow these steps:
 
  1. Search target accounts to retrieve the target account ID:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 
    1
    .
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success</cr.statusDescription> <cr.result> <TargetAccount> <Attribute.descriptor2>Lab</Attribute.descriptor2> <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing> <Attribute.descriptor1>Vienna</Attribute.descriptor1> <ID>1</ID> <createDate>Mon Nov 12 15:42:43 UTC 2007</createDate> <updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate> <createUser>admin</createUser> <updateUser>admin</updateUser> <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash> <targetApplicationID>1</targetApplicationID> <userName>account1</userName> <password>14adc6a1a720e58ee52032364b98f95b</password> <accessType>A</accessType> <cacheAllow>true</cacheAllow> <cacheDuration>20</cacheDuration> <privileged>false</privileged> <synchronize>false</synchronize> <passwordVerified>false</passwordVerified> <lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified> </TargetAccount> </cr.result> </CommandResult>
  3. View the password. Use the ID provided by the output of the previous command.
    capam_command adminUserID=admin capam=mycompany.com cmdName=viewAccountPassword TargetAccount.ID=1 reason=Power Outage reasonDetail=Recovery
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success.</cr.statusDescription> <cr.warningMessage>You have this account checked out.</cr.warningMessage> <cr.result> <TargetAccount> <Attribute.descriptor2>Lab</Attribute.descriptor2> <ID>1</ID> <privileged>false</privileged> <aliases/> <password>cspmpw</password> <targetApplicationID>1</targetApplicationID> <passwordViewPolicyID>6</passwordViewPolicyID> <cacheBehavior>useCacheFirst</cacheBehavior> <cacheAllow>true</cacheAllow> <targetServerAlias/> <accessType/> <userName>cspmuser</userName> <cacheDuration>30</cacheDuration> <synchronize>false</synchronize> <lastVerified>Wed Sep 10 14:31:08 UTC 2008</lastVerified> <passwordVerified>false</passwordVerified> <Attribute.descriptor1>Vienna</Attribute.descriptor1> <createDate>Wed Sep 10 15:31:08 UTC 2008</createDate> <createUser>admin</createUser> <hash>GiymUJ8e6bKzDrQgkbp/tPRZPXQ=</hash> <updateDate>Wed Sep 10 15:31:08 UTC 2008</updateDate> <updateUser>admin</updateUser> <extensionType>windows</extensionType> </TargetAccount> </cr.result> </CommandResult>

Check In an Account Password Using the CLI

Use the following procedure to check in an account password using the 
checkInAccountPassword
 command.
 
Follow these steps:
 
  1. Search target accounts to retrieve the target account ID of the account that was previously checked out:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 
    1
    .
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success</cr.statusDescription> <cr.result> <TargetAccount> <Attribute.descriptor2>Lab</Attribute.descriptor2> <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing> <Attribute.descriptor1>Vienna</Attribute.descriptor1> <ID>1</ID> <createDate>Mon Nov 12 15:42:43 UTC 2007</createDate> <updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate> <createUser>admin</createUser> <updateUser>admin</updateUser> <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash> <targetApplicationID>1</targetApplicationID> <userName>account1</userName> <password>14adc6a1a720e58ee52032364b98f95b</password> <accessType>A</accessType> <cacheAllow>true</cacheAllow> <cacheDuration>20</cacheDuration> <privileged>false</privileged> <synchronize>false</synchronize> <passwordVerified>false</passwordVerified> <lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified> </TargetAccount> </cr.result> </CommandResult>
  3. Check in the password. Use the ID provided by the output of the previous command.
    capam_command adminUserID=admin capam=mycompany.com cmdName=checkInAccountPassword TargetAccount.ID=1
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success.</cr.statusDescription> <cr.result> <PasswordViewRequest> <status>1</status> <targetAccountID>1</targetAccountID> <startDate>Wed Sep 10 15:34:00 UTC 2008</startDate> <endDate>Wed Sep 10 19:34:00 UTC 2008</endDate> <requestorID>1</requestorID> <approverID>-1</approverID> <ID>3</ID> <createDate>Wed Sep 10 14:34:51 UTC 2008</createDate> <createUser>admin</createUser> <hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash> <updateDate>Wed Sep 10 15:34:51 UTC 2008</updateDate> <updateUser>admin</updateUser> <extensionType/> </PasswordViewRequest> </cr.result> </CommandResult>

Force an Account Check-In Using the CLI

When you check out an account, this action restricts others from viewing the password and from changing the account. However, sometimes the administrator must override this restriction. If an administrator wants to access a checked-out account, the administrator can force a check-in of the account on behalf of another user. When the administrator forces a check-in, any required activities for that operation also occur, for example, an update of the account password.
 
Follow these steps:
 
  1. Search target accounts to retrieve the target account ID of the account that was previously checked out:
    capam_command adminUserID=admin capam=mycompany.com cmdName=searchTargetAccount TargetAccount.userName=account1
  2. Enter your password at the prompt.
    Credential Manager returns the following XML command string. Note the ID value. In this example, it is 
    1
    .
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success</cr.statusDescription> <cr.result> <TargetAccount> <Attribute.descriptor2>Lab</Attribute.descriptor2> <Attribute.changePasswordAfterViewing>true</Attribute.changePasswordAfterViewing> <Attribute.descriptor1>Vienna</Attribute.descriptor1> <ID>1</ID> <createDate>Mon Nov 12 15:42:43 UTC 2007</createDate> <updateDate>Mon Nov 12 15:42:43 UTC 2007</updateDate> <createUser>admin</createUser> <updateUser>admin</updateUser> <hash>q3/BaUy9uPvtbUkKgIrXvgseGt8=</hash> <targetApplicationID>1</targetApplicationID> <userName>account1</userName> <password>14adc6a1a720e58ee52032364b98f95b</password> <accessType>A</accessType> <cacheAllow>true</cacheAllow> <cacheDuration>20</cacheDuration> <privileged>false</privileged> <synchronize>false</synchronize> <passwordVerified>false</passwordVerified> <lastVerified>Mon Nov 12 15:42:43 EST 2007</lastVerified> </TargetAccount> </cr.result> </CommandResult>
  3. Check in the password. Use the ID provided by the output of the previous command.
    capam_command adminUserID=admin capam=mycompany.com cmdName=forceCheckInAccountPassword TargetAccount.ID=1
  4. Enter your password at the prompt.
    Credential Manager returns the following XML command string.
    <CommandResult> <cr.itemNumber>0</cr.itemNumber> <cr.statusCode>400</cr.statusCode> <cr.statusDescription>Success.</cr.statusDescription> <cr.result> <PasswordViewRequest> <status>1</status> <targetAccountID>1</targetAccountID> <startDate>Wed Sep 10 15:34:00 UTC 2008</startDate> <endDate>Wed Sep 10 19:34:00 UTC 2008</endDate> <requestorID>1</requestorID> <approverID>-1</approverID> <ID>3</ID> <createDate>Wed Sep 10 14:34:51 UTC 2008</createDate> <createUser>admin</createUser> <hash>fcWQRQVNDoGOFxpvM/DLZGlu6l4=</hash> <updateDate>Wed Sep 10 15:34:51 UTC 2008</updateDate> <updateUser>admin</updateUser> <extensionType/> </PasswordViewRequest> </cr.result> </CommandResult>