Specifying Local Admin Accounts
You can identify any account you add to the Privileged Access Service as the local administrative account for a specific system. However, some system types require you to specify a local administrative account if you want to manage any local account passwords. The account you designate as the local administrative account must have sufficient privileges to set and rotate passwords for other accounts. In addition, the local administrative account you specify for any system should be a dedicated account that is used exclusively by the Privileged Access Service.
You can have the Privileged Access Service manage the password for the local administrative account so that other users with administrative privileges cannot change it. If the password for the local administrative account is managed, some actions are unavailable for that account. For example, you cannot select the Login action, because that action could be used to compromise the login shell of the local administrative account. Similarly, because the local administrative account is used internally to manage passwords for other accounts, you cannot select the Checkout, Rotate Password, or Delete actions for an account that is currently designated as the local administrative account.
If you need to set or change the local administrative account after adding a system, you must have the Edit permission on the system and the Grant permission on the account. You have these permissions by default if you are the owner who adds the system and account to the Privileged Access Service.
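Before designating a UNIX account as the local administrative account, it is worth confirming that it meets the requirements described above: the account exists, it can set and rotate passwords for other accounts, and it is a dedicated account rather than one shared with human administrators. The script below is an added example and is not part of the Privileged Access Service documentation or product. It assumes the account elevates through sudo (a rule granting passwd or chpasswd as root), which is an assumption about the deployment rather than something the documentation states, and it checks constructed /etc/passwd and sudoers samples instead of live files.

```python
import re

# Constructed sample files for the demo (not captured from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pas-admin:x:1001:1001:PAS local admin:/home/pas-admin:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
Defaults env_reset
root ALL=(ALL:ALL) ALL
pas-admin ALL=(root) NOPASSWD: /usr/bin/passwd, /usr/sbin/chpasswd
alice ALL=(ALL) ALL
"""

# Commands that can set another user's password (assumed paths)
PASSWORD_CMDS = {"/usr/bin/passwd", "/usr/sbin/chpasswd"}

# user host=(runas) [NOPASSWD:] cmd, cmd   (simplified sudoers grammar)
SUDO_RULE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_passwd(text):
    """Map user name -> uid/shell from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        users[fields[0]] = {"uid": int(fields[2]), "shell": fields[6]}
    return users


def sudo_password_rights(text, user):
    """Return (can_set_passwords, nopasswd) for `user` from sudoers text.

    Only direct user rules are examined; aliases and %group rules are
    ignored, which keeps the check conservative (it may report a missing
    right that a group rule actually grants).
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or m.group("user") != user:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # cannot change other users' passwords as non-root
        cmds = m.group("cmds").strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        allowed = {c.strip() for c in cmds.split(",")}
        if "ALL" in allowed or allowed & PASSWORD_CMDS:
            return True, nopasswd
    return False, False


def check_local_admin(user, passwd_text, sudoers_text):
    """Return a list of findings; an empty list means the account passes."""
    users = parse_passwd(passwd_text)
    if user not in users:
        return [f"{user}: account does not exist on the system"]
    info = users[user]
    findings = []
    if info["uid"] == 0:
        # Heuristic for "dedicated account": root is shared with human
        # administrators, so it is not an account used exclusively by PAS.
        findings.append(f"{user}: uid 0 is a shared account, use a dedicated one")
    if info["shell"].endswith(("nologin", "false")):
        findings.append(f"{user}: login shell {info['shell']} blocks the remote session")
    can_set, nopasswd = sudo_password_rights(sudoers_text, user)
    if not can_set:
        findings.append(f"{user}: no sudo rule allows passwd/chpasswd as root")
    elif not nopasswd:
        # Assumption: password rotation runs unattended, so a sudo prompt blocks it
        findings.append(f"{user}: sudo rule prompts for a password, so rotation cannot run unattended")
    return findings


if __name__ == "__main__":
    for name in ("pas-admin", "alice", "root", "nobody", "ghost"):
        result = check_local_admin(name, SAMPLE_PASSWD, SAMPLE_SUDOERS)
        print(name, "OK" if not result else result)
```

Run against the constructed samples, only `pas-admin` passes: `alice` and `root` can change passwords but would be prompted by sudo, `root` is additionally flagged as a shared account, and `nobody` has neither a usable shell nor a sudo rule. On a real host, read the live passwd and sudoers files (including /etc/sudoers.d) in place of the samples.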
Only the system types that require a local administrative account support this option.
| System type | Administrative account |
|---|---|
| UNIX | You must specify a valid local administrative account to manage password operations for other accounts. Domain administrative accounts for UNIX are also supported; see "Set domain administrative accounts." |
| Windows | You cannot add a local administrative account for Windows systems. Domain administrative accounts for Windows are supported; see "Set domain administrative accounts." |
| Cisco AsyncOS | You must specify a valid local administrative account to manage password operations for other accounts. |
| Cisco IOS | You cannot add a local administrative account for Cisco IOS systems. |
| Cisco NX-OS | You cannot add a local administrative account for Cisco NX-OS systems. |
| Juniper Junos OS | You cannot add a local administrative account for Juniper Junos OS systems. |
| HP NonStop OS | You cannot add a local administrative account for HP NonStop OS systems. |
| IBM i | You cannot add a local administrative account for IBM i systems. |
| Generic SSH | You cannot add a local administrative account for Generic SSH systems. |
| Check Point Gaia | You must specify a local administrative account to manage the password for expert mode operations. The administrative account is not required to manage the passwords for other accounts. |
| Palo Alto Networks PAN-OS | You must specify a valid local administrative account to manage password operations for other accounts. |
| F5 Networks BIG-IP | You must specify a valid local administrative account that is a member of the Administrator role to manage password operations for other accounts. |
| VMware VMkernel | You must specify a valid local administrative account to manage password operations for other accounts. |
For more information about system settings, see the system-specific settings.