15.0 Managing Shared Accounts

In an enterprise, when users rely on shared account credentials for privileged access to an application or database, a security vulnerability can result because the users can use the shared account credentials without any time limit. If privileged access to shared accounts is not managed, auditing becomes difficult, which leads to security risk.

Privileged Account Manager (PAM) manages the access and the security of the privileged account credentials through the Enterprise Credential Vault. For more information about Enterprise Credential Vault, refer to Section 8.0, Enterprise Credential Vault. Privileged Account Manager securely stores the shared account credentials of the application or database in Enterprise Credential Vault. The password checkout feature retrieves the credentials from Enterprise Credential Vault, helps in managing the account credentials, and provides the following capabilities:

  • Provide available shared account credentials and deny access if all the credentials are in use.

  • Provide users access to an application or database for a fixed time period.

  • After every session, reset the password of the account in the target application to maintain password security.

A Privileged Account Manager administrator can create a privileged account for an application or database and save the application or database administrator credential. These credentials are used only when resetting or checking in the password. So, when a user requests credentials to connect to an Oracle database or any application, Privileged Account Manager checks for the login credentials that are available for that application, then provides the credentials to the user. An administrator can monitor the commands that a user runs on any application and audit the report based on the defined risk score.
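The following sketch models the checkout lifecycle described above (hand out a free credential, deny when all are in use, enforce a fixed period, reset on check-in). It is an added illustration, not Privileged Account Manager code or its API; the class names, account names, lease length and the in-memory password reset are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class SharedAccount:
    name: str
    password: str
    holder: Optional[str] = None   # user who currently has the credential
    expires_at: float = 0.0        # end of the fixed access period

class CheckoutPool:
    """Hypothetical model of a checkout pool for one application or database."""
    def __init__(self, accounts, lease_seconds, clock=time.monotonic):
        self.accounts = {a.name: a for a in accounts}
        self.lease_seconds, self.clock = lease_seconds, clock
        self.audit = []  # (timestamp, event, user, account) for later review

    def _log(self, event, user, account):
        self.audit.append((self.clock(), event, user, account))

    def _reset(self, acct):
        # Stand-in for resetting the password in the target application
        # with the stored administrator credential (assumption: in-memory only).
        acct.password = secrets.token_urlsafe(24)
        acct.holder, acct.expires_at = None, 0.0

    def checkout(self, user):
        now = self.clock()
        for acct in self.accounts.values():  # reclaim credentials past their period
            if acct.holder and now >= acct.expires_at:
                self._log("expired", acct.holder, acct.name)
                self._reset(acct)
        for acct in self.accounts.values():
            if acct.holder is None:
                acct.holder, acct.expires_at = user, now + self.lease_seconds
                self._log("checkout", user, acct.name)
                return acct.name, acct.password
        self._log("denied", user, None)  # every credential is in use
        return None

    def checkin(self, user, account_name):
        acct = self.accounts[account_name]
        if acct.holder != user:
            raise PermissionError("account is not checked out by this user")
        self._log("checkin", user, acct.name)
        self._reset(acct)  # the password the user saw is no longer valid
```

The audit list records denials and expiries as well as normal checkouts, which is what makes use of a shared account attributable to one user per period.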

The following sections provide details on configuring, accessing and managing shared account credentials by using the password checkout feature.