Modifying Account Sets

After you have added an account set, you can modify the details about the set or perform actions on the accounts that are associated with the set. For example, you can:

  • Add and remove members
  • Change the set name or description
  • View recent activity
  • Update the permissions on the set
  • Rotate passwords for the accounts associated with the set
  • Convert unmanaged accounts to managed accounts
  • Delete sets

However, you can’t modify the membership type setting for existing sets. To change a set from manual membership definition to dynamic or from a dynamic query‑based membership definition to manual definition, you must delete the existing set and create a new set.

To modify settings for a account set:

  1. In the Admin Portal, click Resources, then Accounts to display the list of accounts.
  2. In the Sets section, right-click a set name, then click Modify.
  3. Change the set name, set description, or both, as needed.
  4. If the membership definition is dynamic, you can modify the set membership by editing the Query field.
  5. Click Save.

For more information about modifying other account set information, see the following topics:

Modifying Set Membership

For manual sets, you can modify the group membership directly from the account list by selecting the account, right-clicking, then selecting the Add to Set or Delete action. To change the set membership if members are defined using a SQL select statement, modify the query in the Settings for the account set.

Viewing Set Activity

You can click Activity to review recent activity for a set. For example, if a user has created, then modified a set, you might see information similar to the following:

img

To view set-specific activity:

  1. In the Admin Portal, click Resources, then click the section for the type of object you want to view.
  2. In the Sets section, right-click a set name, then click Modify.
  3. Click Activity.

Modifying Set Permissions

You can modify the permissions for a set to enable other users to view, edit, or delete the set or to grant permissions on the set to other users. You can assign permissions for the entire set on both manual and dynamic account sets.

The permissions assigned at the set level do not apply to the members of the set. For the members of dynamic account sets, you can only assign member-level permissions through account-specific or global permissions. For manual accounts sets, however, you can assign member-level permissions for all members of the set.

To assign set-level permissions:

  1. In the Admin Portal, click Resources, then Accounts to display the list of accounts.
  2. In the Sets section, right-click a set name, then click Modify.
  3. Click Permissions.
  4. Click Add to search for and select the users, groups, roles, or computers to which you want to grant set‑specific permissions, then click Add.
  5. Select the appropriate permissions for each user, group, role, or computer you have added.
  6. Click Save.

Modifying Set Member Permissions

You can modify the permissions for the members of a set to control what other users can do on the accounts in the set. For example, you can assign member permissions to enable other users to view, edit, or delete the members of a set or to manage sessions on any member of the set. Member permissions are the same as the permissions you can assign to individual accounts or globally for all accounts. You can only assign member-level permissions on manual account sets, however.

For more information about the permissions you can assign to accounts, see Setting Account Permissions

To assign member-level permissions:

  1. In the Admin Portal, click Resources, then Accounts to display the list of accounts.
  2. In the Sets section, right-click a set name, then click Modify.
  3. Click Member Permissions.
  4. Click Add to search for and select the users, groups, roles, or computers to which you want to grant set‑specific permissions, then click Add.
  5. Select the appropriate permissions for each user, group, role, or computer you have added.
  6. Click Save.

Managing Set Accounts

You can convert all unmanaged accounts in a set into managed accounts using the Manage accounts action from the Accounts page Sets area.

To manage account passwords in a set:

  1. In the Admin Portal, click Resources, then Accounts to display the list of accounts.
  2. In the Sets area, right-click a set name, then click Manage accounts.
  3. Select Yes to confirm that you want to manage passwords for the selected set.
  4. You will receive an email notification of the password rotation activity when multiple account passwords are rotated. You can either open the CSV file to view activity or click the link in the email to view the Job History page.

Rotating Set Passwords on Demand

You can rotate all account passwords associated with a set on‑demand. For example, if there’s suspicious activity involving a particular set of accounts or a risk that a set of accounts has been compromised, you might want to invalidate the existing passwords and have the Privileged Access Service generate a new passwords without waiting for the end of the automated password rotation period.

If you select a set that includes managed and unmanaged accounts, only managed accounts are rotated.

If you rotate a password while an account is currently checked out, the password that has been checked out will no longer be valid and cannot be used to log on or start any new sessions. If there are any existing open sessions that used the checked out password, those sessions can continue.

To rotate passwords in a set on demand:

  1. In the Admin Portal, click Resources, then Accounts to display the list of accounts.
  2. In the Sets section, right-click a set name, then click Rotate passwords.
  3. Select Yes to confirm that you want to rotate the selected passwords.
  4. Any passwords already checked out are also rotated.
  5. You will receive an email notification of the password rotation activity when multiple account passwords are rotated. You can either open the CSV file to view activity or click the link in the email to view the Job History page.