Sandeep Pawar

Logon Accounts vs Reconcile Accounts

In Privileged Access Management (PAM) systems like CyberArk or Delinea Secret Server, the terms Logon Accounts and Reconcile Accounts have distinct roles related to credential management:


1. Logon Accounts:


• Purpose: Used to access target systems or applications on behalf of users or processes.

• Functionality: These accounts contain the necessary credentials (username and password) to log into the target system or application. The PAM system can retrieve and inject these credentials when a user requests access, ensuring secure authentication without exposing the actual password to the user.

• Example: If you want to log in to a database server, the Logon Account would be the account stored in the PAM system to facilitate this access.


2. Reconcile Accounts:


• Purpose: Used to reset, update, or synchronize passwords for managed accounts.

• Functionality: A Reconcile Account has elevated privileges and is specifically responsible for resetting passwords when there’s a mismatch or after they have been rotated. It ensures the credentials stored in the PAM system remain in sync with the credentials on the target system.

• Example: If the PAM system detects that the stored password for a particular account is incorrect, the Reconcile Account can reset that password without manual intervention, ensuring proper access control.


Key Differences:


• Logon Accounts are used for accessing systems, while Reconcile Accounts are used for managing and maintaining the consistency of account passwords.

• Logon Accounts usually don’t have the privilege to change passwords, whereas Reconcile Accounts require higher privileges to perform password resets.


Both accounts are crucial for the seamless operation of a PAM solution, ensuring secure and automated credential management.
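The verify-then-reconcile flow described above, as an added Python example that is not taken from CyberArk, Delinea, or the original post. The `Target` and `Vault` classes, the account names, and the passwords are all hypothetical and constructed for illustration. It shows the stored password failing verification, the Reconcile Account resetting it, and a Logon Account being refused when it is misconfigured as the reconcile identity.

```python
import secrets

class Target:
    """Constructed stand-in for a managed host (not a real PAM or OS API)."""
    def __init__(self, passwords, can_reset):
        self.passwords = dict(passwords)   # account -> password on the target
        self.can_reset = set(can_reset)    # accounts allowed to reset others

    def login(self, account, password):
        return secrets.compare_digest(self.passwords.get(account, ""), password)

    def reset_password(self, actor, actor_pw, account, new_pw):
        if not self.login(actor, actor_pw):
            raise PermissionError("actor failed to authenticate")
        if actor not in self.can_reset:
            raise PermissionError(f"{actor} lacks password-reset privilege")
        self.passwords[account] = new_pw

class Vault:
    """Hypothetical vault: stores credentials and keeps them in sync."""
    def __init__(self, target, stored, reconcile_account):
        self.target, self.stored = target, dict(stored)
        self.reconcile_account = reconcile_account
        self.audit = []                    # (account, outcome) for review

    def verify(self, account):
        # Does the vault's copy still open the account on the target?
        return self.target.login(account, self.stored[account])

    def reconcile(self, account):
        if self.verify(account):
            outcome = "in_sync"
        else:
            rec, new_pw = self.reconcile_account, secrets.token_urlsafe(24)
            # Reset on the target first; update the vault only on success.
            self.target.reset_password(rec, self.stored[rec], account, new_pw)
            self.stored[account] = new_pw
            outcome = "reconciled"
        self.audit.append((account, outcome))
        return outcome

def build_demo(reconcile_account="pam_reconcile"):
    # Constructed sample data: svc_db was changed on the target out of band.
    on_target = {"svc_db": "changed-out-of-band", "svc_logon": "logon-pw",
                 "pam_reconcile": "reconcile-pw"}
    in_vault = dict(on_target, svc_db="stale-vault-copy")
    target = Target(on_target, can_reset={"pam_reconcile"})
    return target, Vault(target, in_vault, reconcile_account)
```

Calling `build_demo("svc_logon")` and then `reconcile("svc_db")` raises `PermissionError` and leaves the vault entry unchanged, because the reset privilege belongs only to the Reconcile Account.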


Thanks

