
Account Commands

Account commands provide access to managed privileged accounts in your environment. These commands help you discover available accounts, view their details, and check out credentials for temporary use.

grantflow accounts list

Display all managed privileged accounts you're eligible to access. This includes service accounts, database credentials, and other shared administrative credentials managed by GrantFlow.

Usage

List Accounts
grantflow accounts list [--output table|json|yaml]

Parameters

  • --output - Output format (default: table)

Example

List Accounts Example
$ grantflow accounts list
ID             NAME             SYSTEM  DESCRIPTION          PASSWORD_LAST_ROTATED  ENABLED  POLICY_ID
acct-prod-db   prod_admin       Oracle  Production database  2024-10-20T10:30:00Z   true     policy-123
acct-ad-svc    service_account  AD      Service account      2024-10-15T14:20:00Z   true     policy-456
acct-azure-sp  sp-deployment    Azure   Service principal    2024-10-18T09:00:00Z   true     policy-789

Understanding Account Information

Each row represents a managed account you can check out. The columns provide important context about the account and its current state.

The system column indicates which platform or application the account belongs to. Common values include Oracle, SQL Server, Active Directory, Azure, AWS, and various on-premises applications.

The password last rotated timestamp shows when GrantFlow last changed the account's credentials. Most accounts rotate automatically on a schedule to maintain security. If you see an old date, it might indicate the account has rotation disabled or uses certificate-based authentication instead of passwords.

The enabled column indicates whether the account is currently available for checkout. Disabled accounts may be undergoing maintenance, locked due to security events, or temporarily removed from the rotation schedule.

While the CLI doesn't currently support built-in filtering for the accounts list command, you can combine it with standard Unix tools:

Filter Accounts
# Find all Oracle database accounts
grantflow accounts list | grep Oracle

# Use jq to filter JSON output for specific systems
grantflow accounts list --output json | jq '.[] | select(.system == "Azure")'

For more advanced filtering and search capabilities, use the Account Checkout interface in the web portal.
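The rotation timestamp and enabled flag described above can also be checked in bulk from the JSON output. The following is an added example, not part of the GrantFlow documentation; it assumes the JSON keys are the lower-case table headers (only `system` is confirmed by the jq example on this page), and the sample data and the 30-day threshold are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `grantflow accounts list --output json`.
# Key names are assumed to mirror the table headers in lower case.
SAMPLE = """[
 {"id": "acct-prod-db", "name": "prod_admin", "system": "Oracle",
  "password_last_rotated": "2024-10-20T10:30:00Z", "enabled": true},
 {"id": "acct-ad-svc", "name": "service_account", "system": "AD",
  "password_last_rotated": "2024-07-01T14:20:00Z", "enabled": true},
 {"id": "acct-azure-sp", "name": "sp-deployment", "system": "Azure",
  "password_last_rotated": null, "enabled": false}
]"""


def review_accounts(raw_json, now, max_age_days=30):
    """Return {account_id: [findings]} for accounts worth a closer look."""
    findings = {}
    for acct in json.loads(raw_json):
        notes = []
        if not acct.get("enabled", False):
            notes.append("disabled: not available for checkout")
        stamp = acct.get("password_last_rotated")
        if not stamp:
            notes.append("no rotation timestamp")
        else:
            # Timestamps in the CLI output are UTC with a trailing "Z".
            rotated = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            age = now - rotated
            if age > timedelta(days=max_age_days):
                notes.append(f"password last rotated {age.days} days ago")
        if notes:
            findings[acct["id"]] = notes
    return findings


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no pipe to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = review_accounts(raw, datetime.now(timezone.utc))
    for acct_id, notes in report.items():
        print(acct_id, "; ".join(notes), sep="\t")
```

An old rotation date is a prompt to check the account's configuration, not proof of a problem, since the account may use certificate-based authentication.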

grantflow accounts get

Retrieve detailed information about a specific managed account, including its configuration, policy settings, and current status.

Usage

Get Account Details
grantflow accounts get <account-id> [--output table|json|yaml]

Parameters

  • <account-id> (required) - The ID of the account to retrieve
  • --output - Output format (default: table)

Example

Get Account Example
$ grantflow accounts get acct-prod-db
ID: acct-prod-db
NAME: prod_admin
SYSTEM: Oracle
DESCRIPTION: Production database
PASSWORDLASTROTATED: 2024-10-20T10:30:00Z
ENABLED: true
POLICYID: policy-123
MAXREQUESTMINUTES: 120
MAXCHECKOUTMINUTES: 60

Request and Checkout Limits

The max request minutes value controls how long you can request a checkout for. When you run the checkout command, you can specify any duration up to this limit.

The max checkout minutes value represents the default checkout duration if you don't specify one explicitly. These values help enforce least-privilege principles by limiting how long credentials remain active.

Policy Association

The policy ID references the account policy that governs access to this account. Policies define who can check out the account, approval requirements, permitted checkout windows, and other access controls.

Administrators configure these policies through the web interface. As an end user, you don't need to worry about policy details; GrantFlow enforces them automatically when you request checkout.

grantflow accounts checkout

Check out a managed account to receive temporary access to its credentials. This creates a time-limited checkout that grants you the account's username and password (or other authentication material).

Usage

Checkout Account
grantflow accounts checkout <account-id> --reason <justification> [--duration <minutes>]

Parameters

  • <account-id> (required) - The ID of the account to check out
  • --reason (required) - Business justification for the checkout
  • --duration - Requested checkout duration in minutes (default: 60)

Example

Checkout Account Example
$ grantflow accounts checkout acct-prod-db \
--duration 30 \
--reason "Database schema migration for release v2.5 - CHANGE-1234"

✓ Account checked out successfully
Checkout ID: checkout-abc123def456
Expires: 2024-10-24T12:30:00Z

Accessing Credentials

After successfully checking out an account, you'll need to retrieve the actual credentials. The CLI currently creates the checkout but doesn't display the password directly. Navigate to the Account Checkout page in the web interface to view the credentials securely.

Note: This design ensures credentials are displayed securely through the web interface with proper session management and audit logging. Future CLI versions may support credential retrieval through secure terminal output.

Checkout Duration

Choose the shortest duration that covers your planned work. If you need more time, you can extend an active checkout through the web interface. Shorter checkouts reduce risk and align with security best practices.

If you request a duration longer than the account's maximum, the CLI returns an error showing the permitted limit. Check the account's configuration with grantflow accounts get to see the maximum allowed duration.

Justification Requirements

Like activation requests, account checkouts require business justification that becomes part of the audit trail. Reference specific work items, change tickets, or operational needs:

  • "Emergency password reset for locked user - TICKET-5678"
  • "Scheduled database backup verification - OPS-TASK-910"
  • "Application deployment following CHANGE-4321"

Clear justification helps auditors understand why credentials were accessed and supports compliance reporting.
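The duration limit and justification guidance above can be checked locally before a checkout request is submitted. The following is an added example, not GrantFlow's own code; the JSON key names (`enabled`, `max_request_minutes`), the sample account, and the ticket-reference pattern (modelled on the justifications listed on this page) are assumptions.

```python
import re
import shlex

# Matches references shaped like this page's examples:
# CHANGE-1234, TICKET-5678, OPS-TASK-910.
TICKET_RE = re.compile(r"\b[A-Z]+(?:-[A-Z]+)*-\d+\b")

# Constructed stand-in for `grantflow accounts get acct-prod-db --output json`.
SAMPLE_ACCOUNT = {"id": "acct-prod-db", "enabled": True,
                  "max_request_minutes": 120, "max_checkout_minutes": 60}


def preflight(account, minutes, reason):
    """Return a list of problems; an empty list means the request looks sane."""
    problems = []
    if not account.get("enabled", False):
        problems.append("account is disabled")
    limit = account.get("max_request_minutes")
    if minutes <= 0:
        problems.append("duration must be a positive number of minutes")
    elif limit is not None and minutes > limit:
        problems.append(f"duration {minutes} exceeds limit of {limit} minutes")
    if not TICKET_RE.search(reason):
        problems.append("reason has no ticket or change reference")
    return problems


def checkout_command(account_id, minutes, reason):
    """Build the checkout command line with the free-text reason quoted."""
    argv = ["grantflow", "accounts", "checkout", account_id,
            "--duration", str(minutes), "--reason", reason]
    return shlex.join(argv)


if __name__ == "__main__":
    reason = "Database schema migration for release v2.5 - CHANGE-1234"
    issues = preflight(SAMPLE_ACCOUNT, 30, reason)
    if issues:
        print("\n".join(issues))
    else:
        print(checkout_command(SAMPLE_ACCOUNT["id"], 30, reason))
```

The server-side policy remains the authority; this check only catches requests that would be rejected or that would leave a weak audit record.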

Approval Workflows

Depending on the account policy, your checkout request may require approval before granting access. High-risk accounts typically require manager approval, while routine operational accounts may allow immediate checkout.

If approval is required, you'll receive a notification once an approver reviews your request. You can monitor the status through the web interface's Account Checkout page.

Credential Security

When you check out an account, GrantFlow logs the event, who requested access, when they received credentials, and how long the checkout lasted. The system may also record when the credentials are actually used against target systems, depending on integration capabilities.

Always treat checked-out credentials with the same care as your personal credentials. Never share them, store them in unsecured locations, or use them beyond the approved justification.

Caution: Misuse of checked-out credentials violates security policy and may result in access revocation. All usage is logged and subject to audit.

Ending a Checkout Early

If you finish your work before the checkout expires, you can end the session early through the web interface. This is good security hygiene and demonstrates responsible privilege management.

Account Rotation

GrantFlow automatically rotates account passwords on a schedule defined by administrators. When rotation occurs, any active checkouts receive the new credentials automatically if they're still within the checkout window.

You don't need to take any action when passwords rotate. The system handles the transition seamlessly, updating both the credential vault and any integrated systems.