Set Up Shadow Accounts

Shadow accounts allow users to connect to a system with a specific application and choose which account to connect with. The normal paradigm requires users to go to the Managed Passwords section and find the target system and local account for the application. While this works for many scenarios, it is not very flexible, and it does not address the need to connect domain or directory accounts to other systems or applications.

With a shadow account, users can go to the system or application in the Systems View of the web application and choose to launch an application. A list of applications is presented, and users can determine which account, local or central (domain or directory), to connect with.

To use shadow accounts, the View Systems and Allow Remote Sessions global delegation permissions must be assigned. Once permissions are granted, additional configuration to map shadow accounts must be performed.

Even for users with All Access privileges, shadow accounts must first be mapped and then associated with application permissions. To use shadow accounts, a per-application rule must be established for the target user. Follow the steps below to add a new shadow account mapping.

  1. Open the management console.
  2. Go to Delegation > Web Application Identity to Shadow Account Mappings.

Select Enrolled Identities

  1. Click Add Mapping.

Select Stored Password

  1. Select the target identity from the list of available identities. Click OK.

Delegation Identity to Shadow Account Mappings

  1. Select from the available managed/stored identities and click OK. The new mappings will now be in the list of available mappings.
  2. Click OK.
  3. Go to Delegation > Web Application Remote Application Permissions.

Select Enrolled Identities

  1. Click Add in the lower left corner of the Remote Application Permissions dialog to add a new application permission. Select the identity and click OK.

Remote Applications

  1. A list of remote applications will be presented. Select the target application to make available. Click OK.

Shadow Account Restriction

  1. A Shadow Account Restriction prompt appears. Click Yes to assign one or more shadow accounts the user may use when launching the specified application.

Delegation Identity to Shadow Account Mappings

  1. Based on the selected user, a list of available corresponding mappings is presented. Select the mapping configured for the target user and selected applications. Click OK.

System Target Restriction

  1. A System Target Restriction prompt appears. If you want to restrict the application and its shadow account mappings to a specific list of systems, click Yes. Otherwise, click No.

Choose Management Set

  1. If Yes is selected, a list of management sets is presented.

Web Application Remote Application Permissions

  1. Select the desired management set and click OK.
  2. The new mapping is presented in the Web Application Remote Application Permissions dialog. Any undesired mappings may be deleted. Reports may be generated from this page.

Systems View

  1. To use the mappings, the user must go to the Systems View in the web application.

Launch App

  1. Click Launch App next to the desired target system. If Launch App is not visible, the user either lacks the Allow Remote Sessions permission or has no Shadow Account Mapping.
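As an added illustration, not code from the product or from this page, the following Python models the evaluation that the procedure above configures: the two global delegation permissions, the identity-to-shadow-account mappings, the per-application rule with its optional Shadow Account Restriction and System Target Restriction, and the resulting Launch App visibility. The identity names, accounts and system names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Global delegation permissions the page says are required to use shadow accounts.
VIEW_SYSTEMS = "View Systems"
ALLOW_REMOTE_SESSIONS = "Allow Remote Sessions"

@dataclass
class RemoteAppPermission:
    application: str
    # Shadow Account Restriction: None = any of the user's mapped shadow accounts
    allowed_shadow_accounts: Optional[FrozenSet[str]] = None
    # System Target Restriction: None = any system, else systems in the chosen management set
    management_set_systems: Optional[FrozenSet[str]] = None

@dataclass
class WebIdentity:
    name: str
    global_permissions: FrozenSet[str]
    shadow_accounts: FrozenSet[str]  # Identity to Shadow Account Mappings
    app_permissions: List[RemoteAppPermission] = field(default_factory=list)

def launch_options(identity: WebIdentity, system: str) -> Dict[str, Set[str]]:
    """{application: usable shadow accounts} for `system`; empty means no Launch App link."""
    if not {VIEW_SYSTEMS, ALLOW_REMOTE_SESSIONS} <= identity.global_permissions:
        return {}
    if not identity.shadow_accounts:  # no mapping at all: nothing to connect with
        return {}
    options: Dict[str, Set[str]] = {}
    for perm in identity.app_permissions:
        if perm.management_set_systems is not None and system not in perm.management_set_systems:
            continue  # rule restricted to a management set that excludes this system
        accounts = identity.shadow_accounts
        if perm.allowed_shadow_accounts is not None:
            accounts = accounts & perm.allowed_shadow_accounts  # a restriction never adds accounts
        if accounts:
            options.setdefault(perm.application, set()).update(accounts)
    return options

def launch_app_visible(identity: WebIdentity, system: str) -> bool:
    return bool(launch_options(identity, system))

# Constructed sample identities (names, accounts and systems are made up).
ALICE = WebIdentity("alice", frozenset({VIEW_SYSTEMS, ALLOW_REMOTE_SESSIONS}),
                    frozenset({"CORP\\alice-admin", "CORP\\dba-svc"}),
                    [RemoteAppPermission("Remote Desktop", frozenset({"CORP\\alice-admin"})),
                     RemoteAppPermission("SQL Client", None, frozenset({"db01", "db02"}))])
BOB = WebIdentity("bob", frozenset({VIEW_SYSTEMS}), frozenset({"CORP\\bob-admin"}),
                  [RemoteAppPermission("Remote Desktop")])  # lacks Allow Remote Sessions
```

Running `launch_options(ALICE, "web01")` shows only Remote Desktop because the SQL Client rule is restricted to a management set that does not contain that system, while BOB gets no Launch App link at all.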