Checking out passwords

[BrianWagner]

We have RPM and I have it changing 2 builtin administrator accounts on our desktops and laptops. I only want 1 of the 2 accounts to be able to be checked out. I cant seem to find anything that will allow me to restrict checking out passwords except for actually turning on or off the feature entirely.

[Chris]

With RPM version 482, the only option to restrict access to a particular account is to use Account Masks, available from the SETTINGS | DELEGATION menu of the management console. Here you will filter the the accounts that a particular entity can see. For example, to show all accounts that begin with the word admin, the account mask would be admin*. Your second option is to use the Self Recovery Rules where you can expressly map out a particular account on a particular system that a particular entity can check out. Self recovery also has to be turned on as a website option to enable the feature to work.

In the forthcoming RPM - post version 482 - there will be a "Per Account Delegation" where you will be able to delegate that a particular account can be recovered or requested, etc.

[BrianWagner]

So basically if I wanted to mask out for instance the account named userhelp for any user that can login to RPM and check out passwords would be to go to Manage Web Application, Manage Delegation, Delegation Rules, Account Masks. Then highlight all users and add the mask of *userhelp**

[Chris]

Setting the account mask as described would ensure that they only see the account names that include the phrase "userhelp".