Non-interactive reconcile CyberArk accounts: suitable?

sunhux asked:
For the reconcile accounts in CyberArk PAM, is it best practice to
use non-interactive privileged accounts, or do they have to be interactive?

I thought of using non-interactive accounts, as such accounts are not subject
to 90-day password expiry and are better secured. Windows has a
built-in non-interactive SYSTEM account, while UNIX has sys:
are these suitable for use for resetting/recovery?
Exec Consultant (Distinguished Expert 2018) answered:
It can be both, and in fact it is the accounting of the ID, as both still need to be accountable for the activity. You should check your organisation's policy, as the change of password would still apply for a non-interactive one, which may be longer, like one year, compared to an interactive user, which is 90 days, as an example. You need to identify the single source of truth instead, like where your identity & access server or AD is, as the SSOT. I suggest you have a user that is not tied to a non-interactive built-in account, so that you will not be dependent on device or OS changes. As long as the account comes from the SSOT and you tag its ID specifically for PAMS and review its usage regularly, you should be alright. Ultimately, you need to make sure that in the non-existence of PAMS, or if the account is not working, you can bypass PAMS and administer directly as a fail-safe.