Add and Manage Vault Account Policies

Vault account policies provide a method to define account settings related to password rotation and credential checkout and apply those settings to multiple accounts at once.

Vault account policies give admins the ability to specify the following account settings:

  • Enable scheduled password rotation and set the maximum password age or deny scheduled password rotation.
  • Allow or deny the automatic rotation of credentials after the credential is checked in.
  • Allow or deny credentials to be checked out simultaneously.

If a setting in an account policy is not defined, it inherits the settings from the global default account policy, configured from the Vault > Options page in /login.

The global default account policy must define an option for each setting. If an account does not have a setting defined using a specific policy, it inherits the policy from the account group. If the account group does not have a setting defined using a specific policy, it inherits the policy from the global default account policy.

Multiple account policies that apply to a single Vault account are applied in the following order, from top to bottom:

  • The account policy associated with the Vault account
  • The account policy associated with the Vault's account group
  • The global default account policy settings

If multiple account policies define a setting, then the value from the first applied policy is used.

Add an Account Policy

  1. From the /login interface, go to Vault > Account Policies.
  2. Click Add.

Screenshot of the Add Account Policy page in Privileged Remote Access /login.

  1. Provide a Display Name, Code Name, and Description for the policy.

Code Name and Description are optional. Code Name is for integration purposes. If you do not set a code name, Privileged Remote Access creates one automatically.

  1. Under Permissions:
    • Allow or deny the ability to automatically rotate account passwords when the specified maximum password age is reached.
      • If automatic password rotation is allowed, set the Maximum Password Age.
    • Allow or deny the ability to automatically rotate credentials after check in.
    • Allow or deny simultaneous checkouts for accounts.
  1. In the Allowed Users section, add a user and select their Vault role from the New Member Role dropdown, and then click Add.
  2. Click Save at the top of the page.

 

After an account policy is created, it is listed in the grid on the Account Policies page. You can copy or edit any of the listed polices by clicking the Copy or Edit button for the policy in the grid and modifying the settings as required.