Password-less accounts and use cases
Cyberwatch offers a way to create password-less accounts also commonly qualified as “robot accounts” or “service accounts”. This documentation explains how to use these accounts and which use cases can be covered using this feature.
Note that it is not possible to directly login with these accounts as it is with a standard user account. These accounts can only be used through the Impersonation feature in Cyberwatch.
The main benefits offered by these accounts are the possibility to generate configurations globally used in the information system, generally using a service account, and that should not be linked to a standard user account that could be modified/deactivated or removed. Possible use cases are presented below.
This also ensures none of these configurations are linked to a specific user account, and that the deactivation/removal of this account leads to a nullification of its API keys or any other potential configurations.
Possible use cases identified
API keys
Instead of being linked to a real user account, API keys can be generated on a password-less account.
Some API keys can be used in configurations or automation that can have an impact on the whole information system, for example:
- API keys allowing the agent register in Cyberwatch, configured in a GPO or any other deployment automation software
- scripts making calls to the Cyberwatch API developed for automatic tasks
Automatic email reports
Password-less accounts also have an email address configurable.
This offers, for example, the possibility to configure automatic periodic reports to be sent to a mailing list or external e-mail addresses not associated with a Cyberwatch user.
The creation of a scheduled export requires the Administrator role to have permission to access email addresses in addition to the current user’s one.
Creating a password-less account
Creating a password-less account can be done using the steps below.
- Go to the Administration > Users > + Add form
- Fill in the
Full name
,Login
andEmail
fields. These properties can be modified later if necessary - Select the desired
Role
and keepLocal account
as theAuthentication provider
- DO NOT provide a password, and confirm the account creation
- The account should be created successfully and be available from the users list
Using a password-less account
Using a password-less account is only possible through the use of the Impersonation feature.
To do so, open the password-less account edition page.
On the right, a modal Impersonation
will let you open a new session using the impersonated account.
Once the impersonation is effective, this account behaves exactly as a standard user account.
A red icon in the top right corner of the software, next to the “My Profile” button, indicates that an impersonation is currently running, and allows to terminate it.