Variables for App Launching

Privileged Identity provides variables to pass the username, password, target server, etc., when launching an application from the command line or web automation scripts.


  1. DEMO\Broberts logs into the web application.
  2. DEMO\Broberts clicks on launch app, causing a secondary account, DEMO\AppLaunchLogin, to connect to the jump server. This action initiates and launches the liebsoftlauncher.exe program.
  3. Liebsoftlauncher connects back to the web service and retrieves program settings, including target system, target user name, and target password. With these settings, DEMO\Broberts is connected to a server called DB2012 as SA, using the SA password.

The elements in this example map to the following variables:

  • DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
  • DEMO\AppLaunchLogin = NOT EXPOSED
  • DB2012 = $(RemoteAccessTarget_TargetName)
  • SA = $(Username) or $(AccountName_FullyQualified)
  • SA Password = $(Password) or $(Password_Raw)

Following is a list of all possible variables:

  • $(UserEnteredLoginUsername): Same as $(SourceAppLogin), the account used to log in to the web application.
  • $(UserEnteredLoginUsername:RemoveNTStyleNamespace): This element prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
  • $(UserEnteredLoginUsername:ReplaceBackslashWithDot): This element retains the domain name with the username but replaces the slash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path for creating directories.
  • $(SourceAppLogin): Same as $(UserEnteredLoginUsername), the account used to log in to the app triggering the launcher.
  • $(Username): This is the name of the target account. From the example above, SA.
  • $(AccountName_FullyQualified): Building on the $(Username) variable, this prepends the domain prefix to the account name, if applicable.
  • $(Password): The regex-escaped password (for example, pass\"word).
  • $(Password_Raw): The raw, un-escaped password.
  • $(RemoteAccessTarget_TargetName): The target host which the application connects to.
  • $(LauncherPath): The path to the application launcher.
  • $(SessionID): The GUID for the launcher link.
  • $(PrivateKey): The file path for the DER encoded private key (if available).
  • $(PrivateKeyPassphrase): The passphrase for $(PrivateKey), if present.
  • $(PuttyKey): The file path for the PuTTY-encoded private key (if available).

These variables are used inline and are replaced by Privileged Identity when the application is launched. For example, if the user goes to the SQL Server database instance on a server called DB2012 and connects with the built-in (and managed) SA account from the website, the command line syntax would be:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash

The switches (-S, -U, and -P) are part of the SSMS.EXE executable. The values of $(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of the server (DB2012), the name of the account (SA), and the password for SA, respectively.
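
A launch template can be reviewed before it is saved: the added example below (not Privileged Identity code) checks a template against the variable list on this page, reports which secret-bearing variables it places on the command line, and previews the expansion. The function names `lint` and `preview` are hypothetical, and the sample values are constructed from the scenario above with a placeholder password.

```python
import re

# Variable names listed on this page.
DOCUMENTED = {
    "UserEnteredLoginUsername", "SourceAppLogin", "Username",
    "AccountName_FullyQualified", "Password", "Password_Raw",
    "RemoteAccessTarget_TargetName", "LauncherPath", "SessionID",
    "PrivateKey", "PrivateKeyPassphrase", "PuttyKey",
}
# Modifiers the page documents, and only for $(UserEnteredLoginUsername).
MODIFIERS = {
    "RemoveNTStyleNamespace": lambda v: v.split("\\", 1)[-1],
    "ReplaceBackslashWithDot": lambda v: v.replace("\\", "."),
}
# Variables whose value is a secret rather than a name or file path.
SECRETS = {"Password", "Password_Raw", "PrivateKeyPassphrase"}
TOKEN = re.compile(r"\$\(([^():]+)(?::([^()]+))?\)")

def lint(template):
    """Return (errors, secrets_used) for a launch-argument template."""
    errors, secrets = [], []
    for name, mod in TOKEN.findall(template):
        if name not in DOCUMENTED:
            errors.append(f"undocumented variable $({name})")
        elif mod and (name != "UserEnteredLoginUsername" or mod not in MODIFIERS):
            errors.append(f"undocumented modifier $({name}:{mod})")
        if name in SECRETS:
            secrets.append(name)
    return errors, secrets

def preview(template, values):
    """Expand tokens with sample values; unresolved tokens stay literal."""
    def sub(m):
        name, mod = m.group(1), m.group(2)
        if name not in values or (mod and mod not in MODIFIERS):
            return m.group(0)
        return MODIFIERS[mod](values[name]) if mod else values[name]
    return TOKEN.sub(sub, template)

# Constructed sample values from the page's scenario; the password is a placeholder.
SAMPLE = {
    "UserEnteredLoginUsername": "DEMO\\Broberts", "SourceAppLogin": "DEMO\\Broberts",
    "RemoteAccessTarget_TargetName": "DB2012", "Username": "SA",
    "Password": "<placeholder>",
}

if __name__ == "__main__":
    tpl = "-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash"
    print(lint(tpl))
    print(preview(tpl, SAMPLE))
```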