Skip to content

Managing System Credentials

Credentials broker connectivity to critical systems in Infrastructure as a Service (IaaS) environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. They are the secrets that are used to access these and other targets. Credentials could be user name/password combinations or public keys. Either way, they are stored within a secure vault. Managed credentials are rotated in accordance to the credential policy associated with that credential.

Credentials used to access targets are obfuscated, removing the ability for users to access targets outside of Workload Privilege Management. All of the credentials are configured for one-time use that is only valid for the particular session/connection.

Follow the guidelines below to configure credential policies, automate credential orchestration, add and edit credentials manually, and review credential statuses. If you have SailPoint Cloud Access Manager, you can use auto discovery to find targets and set credentials. Once credentials are set up, you can begin using credentials.

Configuring Credential Policies

Credential policies are how you can enforce password standards for expiration, length, and composition. Your license comes with a default tenant policy configured for industry best practices. You can create multiple policies and assign them to different connections. These policies can set standard, privileged, or administrative access.

Adding a Credential Policy

  1. Select ADMIN from the top toolbar.
  2. Select Credential Policies from the left menu.
  3. Select Add Policy. The Add Credential Policy page will appear.
  4. Create a Credential Policy Name.
  5. Enter the number of days between password changes.

    1. Workload Privilege Management calculates five days prior to expiration when managed credentials will be automatically changed. For unmanaged credentials, an email notification will be sent to the credential owner and all watchers.
  6. Select options to require passwords to include a number, special character, uppercase letter, or to meet a minimum length.

  7. Select Save.

Editing a Credential Policy

In the Credential Policies page, select the Edit icon to change the credential policy.

Viewing Credential Policy History

Click on the History icon to view a credential policy's event history.

See Monitoring System Activity and Access for more information about viewing event history logs and reports.

Automating Credential Orchestration

Workload Privilege Management uses an automation engine to rapidly create managed connections and credentials, dozens or hundreds at a time. This engine automates the agents that are connected to the target to reach out and create local users on that target.  

You can quickly create credentials on multiple targets using the Credential Orchestration wizard. In the wizard, you will be guided through selecting targets, setting up credentials, scheduling orchestration jobs, and finishing the process.  

To get started: 

  1. Select AUTOMATION from the top toolbar. 
  2. Select Credential Orchestration from the left menu. 
  3. Select BEGIN CREDENTIAL ORCHESTRATION from the middle screen. 


You can save your orchestration template at any time by selecting SAVE TEMPLATE in the upper right. This will save your current settings in the Saved Jobs section of the left menu.

Selecting Targets

  1. Select the Target operating system drop-down menu to choose your operating system. When you select the target operating system, Cloud, for example, a list is returned with all of the cloud targets available. You can also search and refine searches to find your desired target(s).  

  2. Select the checkbox next to each target you want and select Next.


Setting Up Credentials

Automated credential orchestration uses a privileged account that the target device recognizes as having sufficient permissions to create or modify credentials on that same target. To set up credentials, you must choose if these credentials will be managed or unmanaged.   

Managed credentials are credentials that the system will rotate based on the credential policy or any time the password is exposed to human eyes. Managed credential orchestration will attempt to reach out to the selected targets and create/update the credential(s) defined in the orchestration process.

Unmanaged credentials are credentials that a user knows exist on the target systems. These credentials are not managed by Workload Privilege Management and must be rotated manually by a user or administrator. Unmanaged credential orchestration can be used to generate credentials within Workload Privilege Management only.

Best Practice

Choose Managed credentials so they will adhere to an established credential policy managed by Workload Privilege Management. 

Setting Up Managed Credentials

  1. After you've selected your target, choose Managed.

  2. Under System Credentials to use for New Credential Creation, you can optionally use pre-set vault credentials to quickly set up the credential information. Read more about managing vault credentials. Alternatively, you can establish a system credential using a user name and password.

  3. Fill out the the Credentials to Create form where you must:

    1. Create a user name.
    2. Set credential policies.
    3. Set access level. There are two access levels you can assign to a credential: standard or privileged. Standard access levels allow you to interrogate information within Workload Privilege Management without being able to alter the system. If you have privileged credentials, you will be able to make changes to the system. When an administrator selects a privileged access level, the Requires approval option will automatically be toggled on. This means that you will be prompted for a reference number to integrate with ticketing systems (such as ServiceNow, which we offer) before access is granted.  
    4. Set access groups. Access groups allow administrators to isolate which users can see which credentials, connections, and targets in a simplified manner. Select the access group(s) you want from the drop-down menu. Once you finish creating your credential, select ADD. You can continue to add credentials in this way.  
    5. Set authentication type.
    6. Set if the credential requires approval.
    7. Select ADD.
    8. You can continue to add credentials by selecting the green +.
  4. When you are done adding credentials, select NEXT.

Setting Up Unmanaged Credentials

  1. After you've selected your target, choose Unmanaged.

  2. Fill out the the Credentials to Create form (See step 3 in Setting Up Managed Credentials for example).

  3. When you are done adding credentials, select NEXT.

Scheduling Orchestration Job

Once you've established your targets and credentials, you can determine when the credential orchestration job is run: immediately or later. You will be notified via email when the job is complete. Select SUBMIT JOB to complete the process.

When you finish scheduling your orchestration job, Workload Privilege Management reaches out to each of the selected targets. Secure connections are created to each target using the credentials provided. Those credentials are added to the connection group that was selected. You and other users with access to those connections will then be able to access web applications and other targets.  

Viewing Jobs and Events

Select Queued Jobs List in the left menu to see jobs that are scheduled and have passed. You can select any job in the list to see more information about it.

Select Saved Jobs to see any automated credential orchestration templates you saved.

You can also see credential orchestration activity with event descriptions to support advanced analytics. See Monitoring System Activity and Access for more information on reports.

When your job is complete, select Connections and navigate to the target to which you just orchestrated connections. You will see that the created credentials are available to be used.  

Now that credentials are configured for a target, you can establish connections.  

Adding and Editing a Credential Manually

Instead of using automated credential orchestration, administrators can add credentials manually.

  1. Select ADMIN from the top toolbar.
  2. Expand Privileged Access Management in the left menu and select Credentials.
  3. Select Add Credential or the Edit icon to change the credential information.


    You can create a target and credential policy from this menu.

  4. You can select what kind of credential it is: local, domain, or user.

    1. A local credential indicates that the credential is local to the defined target and cannot be associated to any other target. For example, a credential assigned to the AWS Management Console target can only be used to connect to AWS Management Console.
    2. A domain credential indicates that the credential is associated to a domain and can be associated to any target that is also associated to the same domain.
    3. A user credential indicates that the credential is associated to a user within Workload Privilege Management and can only be used by that user in most scenarios.

      User Credential Exception

      User credentials can be used by users with the USER_CREDENTIAL_OTHER permission. This permission allows you to use user-specific credentials that are assigned to another user as long as the credential was created by someone other than the user it is currently assigned to within Workload Privilege Management.

  5. Set the access level, credential policy, and, optionally, any access groups with which you want to associate this credential.

  6. Expand Authentication and set the authentication information for the credential. Check the box if you want Workload Privilege Management to manage the credential.
  7. Expand Notifications to add watchers. They will be notified when the credential reaches the expiration grace period, expires, changes, fails, or succeeds.
  8. Expand Check In/Out to set the expiration period and holddown override. The expiration period is the amount of time until the credential is automatically checked back in. The holddown override is the period of time that will elapse before the checked out credential is automatically checked back in. This is to disallow users from checking out credentials for extended periods of time. An override of a checked-out credential can only be executed if you have OOB_CREDENTIAL_OVERRIDE permission.
  9. Select Save.

Viewing Credential Status

You can view the status of all of your credentials to determine which ones are checked out or expired, when the password was last rotated, when the next password rotation for managed credentials is scheduled to occur, and what alerts have been identified. Hover over the alert icon to see more details.

Select ADMIN from the top toolbar. Expand Privileged Access Management in the left menu and select Credentials. From this page you can add, edit, view the history of, and delete credentials, as well as export the status to a CSV.

Status Definitions

Status Description
Active The credential is in a state that meets the credential policy. This means it has not gone past its expiration without being rotated and has been verified by making a connection to the target.
Expired The credential policy expiration date has passed and the password needs to be rotated.
Stale The credential has been made visible to human eyes and has not yet been rotated.
Unverified The system does not know if the credential can be used to make connections or not.