Add Databases to Password Safe

There are two ways to discover and manage database instances:

  • Auto-discover using a scan template, and then auto-manage using a Smart Group. Use this method for SQL Server and Oracle.
  • Manually add and manage databases. Use this method for MongoDB, MySQL, Sybase ASE, and Teradata.

Auto Discover and Manage Database Instances

The following scan types include database instance data in the scan results:

  • Detailed Discovery Scan: This scan requires credentials and deploys a scan agent to the scan targets. Besides systems, this scan provides associated information on services, scheduled tasks, users, and databases.
  • Advanced Discovery Scan: This scan performs the same operations as the Detailed Discovery Scan, but provides information on all associated attributes.

After you run a scan, the assets are displayed on the Assets page. At this point, you can create a Smart Rule to manage the database instances.

  1. From the left menu, click Smart Rules.
  2. Click + Create Smart Rule.

Smart Rule for adding databases to Password Safe management showing filters.

  3. Select or create a new category and provide a name and description for the Smart Group.
  4. For selection criteria, select Address Group, and then select the group that includes the database instances.
  5. Add another condition, select Host Database Instance, and then select the database types.
  6. For the actions, select Show asset as Smart Group.
  7. Add more Manage Assets using Password Safe actions, and then select the platforms, account name formats, functional accounts, and other desired settings. Make sure to use the default port numbers for the databases:
    • Oracle: 1521
    • SQL Server: 1433
  8. Click Create Smart Rule.

An Oracle database can be part of a database cluster. If several nodes are found through discovery, only a single database managed system is created. Cluster failover is supported.

The Smart Rule auto-excludes the functional account assigned for that system, as well as the sa account for MS SQL Server systems, from Password Safe onboarding. The sa account is excluded as a precaution against it being onboarded by mistake. If you want Password Safe to manage the sa account, you can either manually create the managed account or use the Create Managed Account on each system Smart Rule action in a Managed System Based Smart Rule.

To view the contents of a new or edited Smart Rule, once it has been saved, click View Results. You are taken to the associated grid, where the contents of the Smart Rule are listed. If the Smart Rule is actively processing when View Results is clicked, a banner displays letting you know it is still processing.

The View Results button displays only if you have permissions to the grid corresponding to the Smart Rule, that is, Assets, Managed Accounts, or Managed Systems. Also, the Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

The Smart Rule must process to display the contents in the grid; therefore, we recommend viewing the results of a Smart Rule before adding additional actions that may make changes to accounts and assets in your network. Once you have viewed the results of the Smart Rule using only the Show <entity> as Smart Group action and you have confirmed it contains your desired items, you can add additional actions to the Smart Rule.

Manually Add Database Instances

You can manually add the following database instance types. When selecting the database platform, ensure the correct port number is displayed.

  • Mongo: 27017
  • MS SQL Server: 1433
  • MySQL: 3306
  • Oracle: 1521
  • PostgreSQL: 5432
  • SAP HANA: 30015
  • Sybase ASE: 5000
  • Teradata: 1025

Manually Add Databases to Assets Managed by Password Safe

  1. From the left menu, click Assets.
  2. Click the vertical ellipsis button for the asset, and then select Go to Advanced Details.
  3. Under General Data, click Databases.
  4. Click + Add Database above the grid.
  5. Provide a name, select the platform, add a version, leave the default port, and then click Save Database.

Manually Add Databases to Password Safe Management

  1. From the left menu, click Assets. Assets that host database instances are indicated by a Database Host icon in the Solution column.

Screenshot of the Database Host Icon in the Assets Grid

  2. Click the vertical ellipsis button for the desired asset, and then select Go to Advanced Details.

Add Database Instance to Password Safe Management

  3. Under General Data, click Databases.
  4. Click the vertical ellipsis button for the desired instance, and then select Add to Password Safe.
  5. On the Create New Managed System form, expand Credentials and select the functional account.
  6. Select other settings as desired, and then click Create Managed System.

Manage Database Instance Accounts

Once the database instances are managed, create a managed account Smart Rule to manage the database instance accounts. The steps are the same for both auto-discovered and manually added database instances.

  1. From the left menu, click Smart Rules.
  2. Select Managed Account from the Smart Rule type filter dropdown.
  3. Click + Create Smart Rule.
  4. Select Managed Accounts from the Category dropdown.
  5. Provide a meaningful Name and Description for the Smart Rule.

Managed accounts Smart Rule to manage the database instance accounts, showing selection criteria and actions.

  6. Select the criteria to match on the database instance account name, filtering out any named functional accounts.
  7. Select Yes from the Discover accounts for Password Safe Management list.
  8. From the Discover accounts from list, select the Smart Group where the database instance resides.
  9. In the Actions section, select Show managed account as a Smart Group from the list.
  10. Select Manage Account Settings from the list.
  11. Select a password rule, and choose whether to auto-manage the accounts.
  12. Click Create Smart Rule.

To view the contents of a new or edited Smart Rule, once it has been saved, click View Results. You are taken to the associated grid, where the contents of the Smart Rule are listed. If the Smart Rule is actively processing when View Results is clicked, a banner displays letting you know it is still processing.

The View Results button displays only if you have permissions to the grid corresponding to the Smart Rule, that is, Assets, Managed Accounts, or Managed Systems. Also, the Smart Rule must be saved with Show <entity> as Smart Group selected under Actions to view the results.

The Smart Rule must process to display the contents in the grid; therefore, we recommend viewing the results of a Smart Rule before adding additional actions that may make changes to accounts and assets in your network. Once you have viewed the results of the Smart Rule using only the Show <entity> as Smart Group action and you have confirmed it contains your desired items, you can add additional actions to the Smart Rule.

When MySQL has multiple accounts with the same name, Password Safe can only rotate the password on all instances of that username, using a functional account.

Discover Accounts for SAP HANA Databases

Most database platforms leverage the Discovery Scanner to discover the asset and then find the accounts in the database. SAP HANA, however, does not use the Discovery Scanner. With the SAP HANA database platform, you must manually create the asset and then leverage a managed account Smart Rule for account discovery.

For more information, please see Add Assets to Password Safe.

When creating the managed account Smart Rule, select the following under Selection Criteria:

  • User Account Attribute from the first dropdown list.
  • Account Name from the second list.
  • The appropriate operator from the third list, for example contains, equals (=), or starts with.
  • The appropriate value, entered in the next field.
  • Yes from the Discover Accounts for Password Safe Management dropdown list.
  • An existing asset Smart Group that contains the SAP HANA asset(s) in your environment, from the Discover Accounts From dropdown list.

Managed accounts Smart Rule to manage the database instance accounts, showing selection criteria and actions.

For more information, please see Work with Smart Rules.
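
The following pre-onboarding check is an added example, not BeyondTrust code, and it calls no Password Safe API. It applies the rules stated on this page (default ports, onboarding path per platform, the sa and functional account exclusions, and the MySQL duplicate-username behavior) to an inventory export. The CSV layout, host names, and account names are constructed, and PostgreSQL is treated as a manual add because it appears only in the manual list above.

```python
import csv
import io
from collections import Counter

# Default ports as listed on this page.
DEFAULT_PORTS = {
    "Mongo": 27017, "MS SQL Server": 1433, "MySQL": 3306, "Oracle": 1521,
    "PostgreSQL": 5432, "SAP HANA": 30015, "Sybase ASE": 5000, "Teradata": 1025,
}
AUTO_DISCOVERED = {"MS SQL Server", "Oracle"}  # scan template + Smart Group

# Constructed sample inventory (hypothetical hosts, accounts and column names).
SAMPLE = """host,platform,port,account,functional_account
db01.example.test,MS SQL Server,1433,sa,svc_pws
db01.example.test,MS SQL Server,1433,app_rw,svc_pws
db02.example.test,Oracle,1526,hr_owner,svc_pws
db03.example.test,MySQL,3306,report,svc_pws
db03.example.test,MySQL,3306,report,svc_pws
db04.example.test,SAP HANA,30015,svc_pws,svc_pws
"""

def preflight(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    # MySQL can hold several accounts with the same username on one host.
    dupes = Counter((r["host"], r["account"]) for r in rows if r["platform"] == "MySQL")
    findings = []
    for r in rows:
        plat, notes = r["platform"], []
        if plat not in DEFAULT_PORTS:
            notes.append("platform not listed on the page")
        elif int(r["port"]) != DEFAULT_PORTS[plat]:
            notes.append(f"port {r['port']} differs from default {DEFAULT_PORTS[plat]}")
        if plat in AUTO_DISCOVERED:
            path = "scan + Smart Rule"
        elif plat == "SAP HANA":
            path = "manual asset + managed account Smart Rule"
        else:
            path = "manual add"
        if r["account"] == r["functional_account"]:
            notes.append("functional account: not onboarded as a managed account")
        elif plat == "MS SQL Server" and r["account"].lower() == "sa":
            notes.append("sa: auto-excluded, onboard manually if wanted")
        if dupes[(r["host"], r["account"])] > 1:
            notes.append("duplicate MySQL username: all instances rotate together")
        findings.append((r["host"], r["account"], path, notes))
    return findings

if __name__ == "__main__":
    print(*preflight(SAMPLE), sep="\n")
```

Rows with an empty notes list match the page's defaults; anything else is worth resolving before adding the Manage Assets or Manage Account Settings actions.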