Database Account Management
Database account management in the 12Port PAM platform allows for secure handling of database credentials, execution of SQL scripts on database servers, and automated or on‑demand password rotation and verification tasks.
Database account management in PAM centralizes storage, lifecycle management and automated operations for database credentials used by applications, services and administrators. The PAM system can:
- Store database administrator and database user credentials as managed assets.
- Execute SQL scripts against database servers (for verification, account changes, or other maintenance tasks).
- Rotate and verify credentials for supported database engines automatically on schedule or manually on demand.
Why this is Important
Managing database accounts centrally and automating rotation reduces risk and operational overhead:
- Security: Regularly changing credentials limits the window of exposure from credential compromise.
- Least privilege & auditability: Centralized control makes it possible to grant, rotate and revoke credentials with full audit trails.
- Operational consistency: One DB administrator asset can manage multiple database user accounts so connections and scripts are reused and standardized.
- Reliability: Verification scripts ensure rotations succeed and credentials remain valid after change.
Use Cases
Database account management in PAM enables secure, automated handling of credentials across a variety of operational scenarios. Below are common use cases that highlight how password rotation and verification can be applied in practice.
- Automated scheduled rotation: Periodically rotate DB user passwords (e.g., daily/weekly/monthly) and automatically verify connectivity and privileges post‑rotation.
- On‑demand rotation: Rotate a specific DB user password immediately after an incident, suspected compromise, or administrative request.
- Credential verification: Run verification scripts after rotation to confirm the new credentials work and that roles/privileges remain intact.
- Maintenance and bulk operations: Use managed DB Administrator connections to execute custom SQL scripts for bulk account updates, schema changes dependent on credential operations, or emergency fixes in a controlled, auditable way.
Supported Databases
Database account management (credential set and verification) and script execution are supported for most versions of:
- Oracle RDBMS
- MS SQL Server
- IBM Informix DB
- MySQL
- MariaDB
- PostgreSQL
Each supported database includes both a Set Password and a Verify Password script, for example MS SQL Set Password and MS SQL Verify Password.
Database Connection Strings
Define connection strings once per database in the DB Administrator asset. Many fields are optional (for example, port is optional when the standard port is used). In some environments additional options (security keys, HSM references, etc.) may be required and can be passed in the connection string.
Example connection strings:
IBM Informix Direct:
jdbc:informix-direct://host:9088/myDatabase:informixServer=myInformixServer
IBM Informix SQLi:
jdbc:informix-sqli://host:9088/mydb:INFORMIXSERVER=myserver;
MariaDB:
jdbc:mariadb://localhost:3306/mydatabase
MS SQL Server:
jdbc:sqlserver://host:1433;databaseName=mydatabase
MS SQL Server with selected instance:
jdbc:sqlserver://host\SQLEXPRESS;databaseName=mydatabase
MySQL:
jdbc:mysql://host:3306/mydatabase
Oracle with SID:
jdbc:oracle:thin:@host:1521:ORCL
Oracle with Service:
jdbc:oracle:thin:@//host:1521/myservice
PostgreSQL:
jdbc:postgresql://host:5432/mydatabase
SQL Script Placeholders
12Port can run SQL scripts on target databases that include placeholders replaced at execution time (for example, $${User} and $${new_password}). Example:
ALTER USER '$${User}' IDENTIFIED BY '$${new_password}';
Placeholders use clear, descriptive names so scripts are easily maintained.
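The following is an added example, not 12Port code, that models the placeholder substitution described above: it holds one Set Password / Verify Password pair for each engine listed under Supported Databases (Informix is not modelled), substitutes the $${User} and $${new_password} placeholders, and refuses any value that would break out of the quoted literal or bracketed identifier the placeholder sits in, so a generated password can never be parsed as SQL. The per-engine statements, the verify queries, the password policy in generate_password() and the checks in render() are this example's own assumptions; 12Port's built-in scripts and substitution rules may differ.

```python
"""Added example (not 12Port code): render Set / Verify Password scripts by
substituting $${User} and $${new_password}, rejecting unsafe values first.
Engine templates, verify queries and the password policy are assumptions."""
import re
import secrets
import string

# Assumed per-engine scripts. The Verify query is assumed to run as the
# rotated user, so it only succeeds if the new credentials can log in.
# Oracle statements carry no trailing semicolon because Oracle JDBC rejects it.
SCRIPTS = {
    "mysql": {
        "set": "ALTER USER '$${User}'@'%' IDENTIFIED BY '$${new_password}';",
        "verify": "SELECT CURRENT_USER();",
    },
    "mariadb": {
        "set": "ALTER USER '$${User}'@'%' IDENTIFIED BY '$${new_password}';",
        "verify": "SELECT CURRENT_USER();",
    },
    "postgresql": {
        "set": "ALTER ROLE \"$${User}\" WITH PASSWORD '$${new_password}';",
        "verify": "SELECT current_user;",
    },
    "mssql": {
        "set": "ALTER LOGIN [$${User}] WITH PASSWORD = '$${new_password}';",
        "verify": "SELECT SUSER_SNAME();",
    },
    "oracle": {
        "set": "ALTER USER $${User} IDENTIFIED BY \"$${new_password}\"",
        "verify": "SELECT USER FROM DUAL",
    },
}

PLACEHOLDER = re.compile(r"\$\$\{(\w+)\}")
# Characters that would terminate or escape a quoted literal or bracketed
# identifier in any template above; whitespace is excluded as well.
FORBIDDEN = set("'\"\\;`[] \t\r\n")
SYMBOLS = "!#%+-=_@^"  # punctuation that is safe inside every template


def generate_password(length: int = 24) -> str:
    """Random password drawn only from characters that need no SQL escaping,
    with at least one lower, upper, digit and symbol so common complexity
    policies accept it."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def render(template: str, values: dict) -> str:
    """Substitute $${name} placeholders. Every value is checked first so a
    password such as  x'; DROP TABLE t; --  can never become SQL."""
    for name, value in values.items():
        bad = FORBIDDEN & set(value)
        if bad:
            raise ValueError(f"{name} contains unsafe characters: {sorted(bad)}")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {name}")
        return values[name]

    return PLACEHOLDER.sub(substitute, template)


def rotation_scripts(engine: str, user: str, new_password: str) -> dict:
    """Return the rendered Set and Verify scripts for one engine."""
    values = {"User": user, "new_password": new_password}
    return {kind: render(sql, values) for kind, sql in SCRIPTS[engine].items()}


if __name__ == "__main__":
    pw = generate_password()
    for engine in SCRIPTS:
        out = rotation_scripts(engine, "app_user", pw)  # constructed user name
        print(f"[{engine}] set:    {out['set']}")
        print(f"[{engine}] verify: {out['verify']}")
```

The check in render() is the point a practitioner should carry over to any custom script: because placeholders are replaced textually inside a quoted literal, the password generator's alphabet and the script's quoting style must agree, and a value containing the quote character (or a statement separator) must be rejected rather than substituted.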
Asset Configuration
To support database password rotation, the 12Port PAM platform includes two asset types, DB Administrator and DB User, that work together to manage and rotate credentials securely. This model mirrors the existing LDAP account management, where a privileged account (DB Administrator) performs operations on behalf of standard user accounts (DB User).
- DB Administrator and DB User asset types are introduced to represent database administrator accounts and regular database user accounts respectively.
- DB Administrator behaves like LDAP Administrator accounts in the software: it is used as a privileged shadow account to perform operations on DB User accounts (for example, to rotate a DB User password).
- Configure the database connection once in the DB Administrator asset. A single DB Administrator can manage multiple DB Users for the same database connection.
Configuration steps:
- Log in with a Site Administrator account and navigate to Management > Asset Types.
- Locate the DB Administrator and DB User types and use Actions > Unhide on both.
- Optionally, use the Edit > Tasks action and remove the scripts that are not relevant to your use case. For example, if you are only managing MS SQL database accounts, you can remove all scripts other than MS SQL Set Password and MS SQL Verify Password. This can be done on both asset types.
- Navigate to Database > Assets and, from the container where these assets will be managed, use the Add > DB Administrator option.
- Enter the required DB Administrator connection information, including the Account and Connection URL, as described in the Database Connection Strings section above.
- In this same container, use the Add > DB User option to create a new asset for the database user credentials. Assign the DB Administrator asset as the Shadow Member to each DB User asset. A single DB Administrator asset can be used to manage multiple DB User assets by assigning it as a Shadow Member to each.
- From the DB User asset, use the Execute option to perform an on-demand Set Password or Verify Password task.
- Finally, use the Asset's Reports > Jobs option to monitor the status of the task and confirm its completion.
Tip
By default, each Task is only configured to be executed on-demand (interactive). This can be changed so that the task execution is automated (for example, every Sunday) by modifying the task list on the Asset Type directly, or by making the task list on the asset unique. From the task list, use the Actions > Edit option to set a custom Trigger like Schedule to configure automation.