5.7 Application to Application Password Management

Organizations depend on a large number of business applications, web services, and custom software to fulfill business communications and other transactions. These applications require access to other applications and database servers to get business-related information. This communication process is usually automated by including the application credentials in clear text in configuration files and scripts. It is difficult for the administrators to identify, change, and manage these credentials. As a result, the credentials are left unchanged, which might lead to unauthorized access to sensitive systems.

The Application to Application Password Management (AAPM) feature eliminates the need to store credentials in clear text in the application. Instead, the application queries Privileged Account Manager for the credentials using the REST API. In this way, the application credentials are secured, and you can rotate passwords automatically by assigning strong and unique passwords without any manual intervention.

The following illustration shows how the AAPM feature works:

5.7.1 Configuring AAPM

By using API tokens in the REST API request, users can check out credentials of applications such as databases, LDAP, cloud services, and shared keys.

To enable a user to generate an API token:

  1. Add Privileged Account Manager users to the appropriate user group. For more information, see Enabling Users to Generate API Tokens.

  2. Create a resource for the required application, add credentials for check out, and add appropriate rules for application credential checkout.

    For more information about credential checkout configurations, see the following:

    • Database

    • Cloud services

    • Applications

    • Shared Keys

    For more information about how to add a credential, see Contextual Help.

    Using this feature, a user can check out multiple credentials for the same application either by directly checking out the application credentials from the user console or checking out credentials using API tokens. As Privileged Account Manager allows multiple credentials checkout for an application, you must have an adequate number of credentials in Privileged Account Manager for simultaneous access to the application.
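The check-out and check-in flow described above, as an added example that is not part of the product's documentation or code: an application obtains a credential through a vault request authenticated with an API token instead of reading a password from a configuration file, and returns it when done. The `/checkout` and `/checkin/<id>` paths, the JSON fields, the `PAM_API_TOKEN` variable and the `FakeVault` class are assumptions constructed for this example, not Privileged Account Manager's real REST API; the fake vault also shows why simultaneous check-outs need an adequate number of credentials.

```python
import os
from contextlib import contextmanager

class FakeVault:
    """Constructed offline stand-in for the vault; paths and fields are placeholders,
    not Privileged Account Manager's real REST API. It holds a small credential
    pool and enforces that simultaneous check-outs need enough credentials."""

    def __init__(self, pool, api_token="example-api-token"):
        self._free = list(pool)   # credentials available for check-out
        self._out = {}            # checkout_id -> credential currently checked out
        self._token = api_token   # constructed token value accepted by this vault
        self.audit = []           # (operation, checkout_id), like the token report

    def request(self, method, path, token):
        if token != self._token:
            return 401, {"error": "invalid API token"}
        if method == "POST" and path == "/checkout":
            if not self._free:
                return 409, {"error": "no credential available for check-out"}
            cred = self._free.pop()
            cid = f"co-{len(self.audit) + 1}"
            self._out[cid] = cred
            self.audit.append(("checkout", cid))
            return 200, {"checkout_id": cid, **cred}
        if method == "POST" and path.startswith("/checkin/"):
            cid = path.rsplit("/", 1)[1]
            if cid not in self._out:
                return 404, {"error": "unknown checkout_id"}
            self._free.append(self._out.pop(cid))
            self.audit.append(("checkin", cid))
            return 200, {}
        return 404, {"error": "unknown path"}

@contextmanager
def checked_out_credential(vault, token=None):
    """Check out a credential for the duration of a block, then check it back in.
    The API token comes from the environment (or an explicit argument), so no
    clear-text password sits in a configuration file or script."""
    token = token or os.environ.get("PAM_API_TOKEN")
    status, body = vault.request("POST", "/checkout", token)
    if status != 200:
        raise RuntimeError(f"check-out failed ({status}): {body.get('error')}")
    try:
        yield body["username"], body["password"]
    finally:
        # Check-in runs even if the block raises, so a crashing application
        # does not drain the pool needed for simultaneous access.
        vault.request("POST", f"/checkin/{body['checkout_id']}", token)
```

Running two nested check-outs against a two-credential pool succeeds, a third is refused until one is checked in, and the vault's audit list mirrors what the token-details report columns would show.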

Enabling Users to Generate API Tokens

You can allow Privileged Account Manager users to generate API tokens from the user console by adding them to the API Users group, which is created by default.

To allow LDAP users to generate API tokens, you must first add these users to the Framework User Manager and then continue with the following procedure.

To add a user to API Users group:

  1. Click Framework User Manager > API Users.

  2. Click Edit in the Group Information task pane.

  3. In the Members section, select the user whom you want to allow to generate API tokens from the user console.

    You can also add a user to the group by dragging and dropping the user onto the API Users group.

  4. To allow API tokens to skip secondary authentication, select Bypass Secondary Authentication in the Secondary Authentication section.

    For more information about the Framework User Group configuration, see Modifying a User Group.

5.7.2 Viewing Activities Performed Using API Tokens

You can run a report that lists the activities performed using API tokens, such as credential check-in and check-out. You can identify the operation performed using an API token from the values in the columns Password Check Out Token Details and Password Check In Token Details.

  1. Click Reports > Password Management.

  2. Select Settings > Filter.

  3. Select the optional columns Password Check Out Token Details and Password Check In Token Details.

  4. Select Apply.

For more information about Privileged Account Manager reports, see Managing Reports.