Skip to content

Automatically Discovering Targets and Creating Credentials

Workload Privilege Management provides an auto discovery option to create policies that can automatically discover targets and create credentials. This feature requires integration with SailPoint Cloud Access Management. Contact your CSM for more information about this service.

If you do not have Cloud Access Management, see Configuring Targets and Connections and Managing System Credentials to complete each process manually.

Using Guardrails in Auto Discovery Policies

The auto discovery feature relies on a Cloud Access Management guardrail. This guardrail is used to query the cloud instances in your cloud environment for those that meet the criteria specified in the guardrail. When instances are found, they are automatically provisioned as targets within Workload Privilege Management. You designate which guardrail to use when you create an auto discovery policy.

See the Cloud Access Management online help for more information on how to set up guardrails that you can use in Workload Privilege Management.

Creating an Auto Discovery Policy

Workload Privilege Management uses an auto discover policy to determine the method by which -- and how frequently -- it will automatically reach out to cloud targets and create credentials on those targets.

To create an auto discovery policy, select AUTOMATION from the top toolbar and select Auto Discovery Policies in the left menu. There you can see any existing policies that you can use to automatically provision targets discovered by Cloud Access Management and connect to those targets within Workload Privilege Management. 

Each auto discovery policy specifies the following:

  • The Cloud Access Management guardrail to use

  • Agent settings

  • Methods for connecting to the targets that the guardrail discovers

  • Accounts for users who will access those targets

  • Credentials you want to make available on the discovered targets

From the Auto Discovery Policies page, select Add New to create a new policy.

The policy wizard guides you through the process required to create the policy required to automatically create connections and credentials to the instances that a guardrail discovers.

Use the General Settings page to specify your policy name, agent settings, and guardrail.

Under Agent Settings, accept the default option to Inherit an agent type from the settings that are defined at the account level. To select a specific agent, choose Gateway Agent. The Agent Groups option allows you to choose groups defined by admins that can be an aggregation of many gateway agents.

Select the guardrail you want to assign to the policy and select Next to select an operator.

Selecting an Operator

You can select one operator user per OS type. Operators are credentials that can create credentials on the discovered targets.

To add a new operator credential:

  1. Select Add New in the top right.

  2. Enter the name and description.

  3. Select the OS type (Windows or Linux)

    a. Windows -- Choose to validate this account using a username/password or an existing vaulted credential.

    b. Linux -- Choose to validate this account using a username/password, username/SSH key, or an existing vaulted credential.


    Operators cannot be edited at this time.

  4. Select Next.

Using a Credential Template

Select an existing credential or select Add New to launch the credential template. Fill out the fields and select the OS type.



From this template you can determine the credential policy, access groups, and access level. Toggle the Requires Approval option to determine if the credential initiates a prompt to use ITSM. This defaults to on for privileged credentials. From this view you can save the credential template or add more templates by selecting Add Another.

Select a credential template and select Next.

Scheduling Your Policy

You can schedule how often you want a policy to run the guardrail query using the specified agent, user, and credential template. Enter names or email addresses to find users to send notifications to. You can schedule a start date or select the checkbox to run now.

When your job runs, you can go to the Queued Jobs List to see the status of the job.