Credentials
Credentials store the authentication details OrbisID uses to connect to target systems. All passwords are encrypted at rest using AES-256-GCM.
Viewing Credentials
Navigate to Systems > Credentials to see all stored credentials. The table shows:
- Name - descriptive label
- Username - the account used to authenticate
- Password Source - either Static (stored password) or Vault Script (retrieved dynamically from a PAM vault)
- Systems - number of systems using this credential
Creating a Credential
- Click Add Credential
- Fill in the fields:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive label (e.g., "AD Service Account - PROD") |
| Username | Yes | The username to authenticate with |
| Password Source | Yes | Static Password or PAM Vault Script |
Static Password
Enter the password directly. It is encrypted with AES-256-GCM before being stored in the database.
PAM Vault Script
Instead of storing a password, OrbisID can retrieve it dynamically from your PAM vault (CyberArk, BeyondTrust, Delinea, etc.) at scan time using a script that runs on the Scan Agent.
Configure:
| Field | Description |
|---|---|
| Script Mode | Path (script already on the agent host) or Upload (upload to OrbisID) |
| Script Path | For Path mode: absolute path to the script on the agent |
| Vault Parameters | Key-value pairs passed to the script (e.g., safe, object, folder) |
The script receives a JSON payload on stdin containing the vault parameters and must output the password on stdout. See Scan Agent - PAM Vault Scripts for the full specification.
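A sketch of a script that meets this contract, added here as an example and not taken from OrbisID or the Scan Agent specification. It assumes the stdin payload is a flat JSON object of string parameters; `vault-cli` and its flags are placeholders for your vault's client, and the value allow-list and exit codes are assumptions.

```python
"""Vault script sketch: JSON vault parameters on stdin, password on stdout."""
import json
import re
import subprocess
import sys

REQUIRED = ("safe", "object")  # keys taken from the page's example parameters
SAFE_VALUE = re.compile(r"[A-Za-z0-9 _.\-]{1,128}")  # assumed allow-list; adjust to your vault

def parse_params(raw):
    """Validate the stdin payload (assumed: flat JSON object of strings)."""
    params = json.loads(raw)
    if not isinstance(params, dict):
        raise ValueError("payload must be a JSON object")
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing vault parameter: {', '.join(missing)}")
    for key, value in params.items():
        if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"invalid value for vault parameter {key!r}")
    return params

def fetch_from_vault(params):
    """Hypothetical lookup: 'vault-cli' is a placeholder, not a real product CLI."""
    argv = ["vault-cli", "get", "--safe", params["safe"], "--object", params["object"]]
    # Argument list with no shell, so parameter values are never parsed as commands.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=30, check=True)
    return done.stdout

def run(raw, fetch=fetch_from_vault):
    """Return (exit_code, stdout_text, stderr_text) for one invocation."""
    try:
        password = fetch(parse_params(raw)).rstrip("\r\n")
        if not password:
            raise ValueError("vault returned an empty password")
    except ValueError as exc:
        return 2, "", f"vault script: {exc}\n"  # messages name keys, never values
    except Exception as exc:
        # Report only the error class: client error text may echo secrets.
        return 1, "", f"vault script: lookup failed ({type(exc).__name__})\n"
    return 0, password, ""

if __name__ == "__main__":
    code, out, err = run(sys.stdin.read())
    sys.stdout.write(out)  # stdout carries the password and nothing else
    sys.stderr.write(err)
    sys.exit(code)
```

Diagnostics go to stderr only, so a failed lookup never leaves partial or debug text on stdout where it could be taken for the password.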
Script Versioning
When using Upload mode, each uploaded script is stored as a version. You can:
- Upload new versions at any time
- View the version history
- Activate a specific version (the active version is used during scans)
Editing a Credential
- Select a credential from the list
- Click Edit
- Modify the fields as needed
- Click Save
When editing, the password field is blank. Leave it empty to keep the existing password, or enter a new value to replace it.
Deleting a Credential
Credentials can only be deleted if no systems are currently using them. Unassign the credential from all systems first, then delete it.
Security
- Passwords are encrypted using AES-256-GCM with the ENCRYPTION_KEY configured in your environment
- Passwords are never returned in API responses
- All credential operations are recorded in the Audit Log
- Vault scripts avoid storing passwords in the database entirely