We want to avoid our ARIS administrators having permanent high privileges on their Personal Accounts (PA); they currently hold those high privileges in order to perform user management tasks.
The suggestion is to have a Non-Personal Account (NPA) instead, which the administrators can use for a limited time to do user management tasks. Currently, the downside of that is that the administrators use the NPA so often that they remember its password. So, in fact, they are permanently able to do everything.
Within ING, we have, with some other applications, the capability to change passwords automatically through a connected password vault, CyberArk. The use case is, at a high level:
1. User asks for access to the ARIS NPA in CyberArk for a limited time period
2. User gets authorised (4-eyes principle) in CyberArk
3. CyberArk provides the NPA and its password to the user
4. User uses the NPA to perform administration work in ARIS (UMC)
5. User finishes work and notifies CyberArk, or the time is up
6. CyberArk submits an NPA password change to ARIS
7. ARIS changes the password of the NPA and reports it back to CyberArk
8. CyberArk stores this new password for future use.
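The eight steps above as a runnable model (an added example, not ARIS or CyberArk code): a stand-in vault enforces 4-eyes approval and a timed lease, and rotates the NPA password in a stand-in UMC on check-in or expiry, so a password an administrator remembers stops working once the lease ends. The class names, the `change_password` call, the account name and the scenario in `run_flow` (alice, approved by bob, lets her lease run out) are all constructed assumptions.

```python
import secrets

class ArisUmc:                                     # stand-in for ARIS UMC (assumed API)
    def __init__(self):
        self.passwords = {}                        # account -> current password

    def login(self, user, password):
        return self.passwords.get(user) == password

    def change_password(self, user, old, new):    # step 7: caller must prove the current secret
        if self.passwords.get(user) != old:
            return False
        self.passwords[user] = new
        return True

class Vault:                                       # stand-in for CyberArk (assumed behaviour)
    def __init__(self, aris, npa):
        self.aris, self.npa, self.approvals, self.leases = aris, npa, {}, {}
        self.secret = secrets.token_urlsafe(24)
        aris.passwords[npa] = self.secret          # onboarding: only the vault knows the secret

    def approve(self, request_id, approver):       # step 2: an approver signs off
        self.approvals.setdefault(request_id, set()).add(approver)

    def checkout(self, request_id, requester, now, ttl):
        if not self.approvals.get(request_id, set()) - {requester}:   # 4-eyes, no self-approval
            raise PermissionError("4-eyes approval missing for " + request_id)
        self.leases[request_id] = now + ttl        # limited time period
        return self.npa, self.secret               # step 3: NPA and password handed out

    def checkin(self, request_id):                 # steps 6-8: rotate in ARIS, keep new value
        new = secrets.token_urlsafe(24)
        if not self.aris.change_password(self.npa, self.secret, new):
            return False
        self.secret = new
        self.leases.pop(request_id, None)
        return True

    def expire(self, now):                         # step 5, "time is up": rotate ended leases
        due = [rid for rid, end in self.leases.items() if end <= now]
        return [rid for rid in due if self.checkin(rid)]

def run_flow(ttl=3600):
    aris = ArisUmc()
    vault = Vault(aris, "ARIS_ADMIN_NPA")          # constructed account name
    vault.approve("REQ-1", "bob")
    user, password = vault.checkout("REQ-1", "alice", now=0, ttl=ttl)
    during = aris.login(user, password)            # step 4: admin work in UMC
    rotated = vault.expire(now=ttl)                # lease over: CyberArk rotates the NPA
    return during, rotated, aris.login(user, password)   # remembered password no longer works
```

`run_flow()` returns `(True, ["REQ-1"], False)`: the checked-out password works during the lease and fails after the rotation.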
Brainstorm ID: 7714
Created on Brainstorm: 03/03/2020 04:03 AM