ISA - Quest Software
Quest One Privileged Account Management
Information Security Administrator (ISA)
Version 2.4
Quest One Privileged Account Management ISA Manual
Table of Contents
1.0 Introduction ..... 5
2.0 Conventions Used in this Guide ..... 5
3.0 Getting Help ..... 5
3.1 Online User Manuals ..... 5
3.2 Help Bubbles ..... 6
3.3 Customer Portal ..... 6
3.4 Contacting Customer Support ..... 6
4.0 TPAM Definitions ..... 6
4.1 Terms ..... 6
4.2 User Types ..... 7
4.3 Permission Types ..... 8
5.0 Permission Hierarchy ..... 9
6.0 Accessing TPAM ..... 11
7.0 Permission Based Home Page ..... 13
7.1 Recent Activity Tab ..... 13
7.2 Approvals Tab ..... 14
7.3 Pending Reviews Tab ..... 15
8.0 Managing Your Own Account ..... 15
8.1 User Time Zone Information ..... 16
9.0 Application Navigation ..... 17
9.1 Tab Format ..... 17
9.2 Filter Tab ..... 19
9.3 Listing Tab ..... 20
9.4 Feedback Area ..... 20
10.0 Configuring Managed Systems ..... 21
10.1 System Details Tab ..... 22
10.2 Systems Connection Tab (PPM ISAs only) ..... 25
10.3 System Management Details Tab (PPM ISAs only) ..... 30
10.4 Affinity Tab ..... 33
10.5 Ticket Systems Tab ..... 34
10.6 Collections Tab ..... 35
10.7 Setting Permissions for PSM and PPM Functionality for Systems ..... 36
10.8 Adding A System ..... 39
10.9 Managing A System ..... 41
10.10 Clearing a Stored System Host Entry (PPM ISAs only) ..... 41
10.11 Testing a System (PPM ISAs only) ..... 42
10.12 Duplicating a System ..... 42
10.13 List Systems ..... 42
11.0 Managing Accounts ..... 43
11.1 Account Details Tab ..... 45
11.2 Account Reviews Tab (PPM ISAs only) ..... 48
11.3 Account Custom Information Tab ..... 48
11.4 Account Management Tab ..... 49
11.5 Account Ticket System Tab ..... 51
11.6 Managing Services in a Windows Domain Environment (PPM ISAs only) ..... 52
11.7 Accounts Management Logs Tab ..... 54
11.8 Account Management Passwords Tab (PPM ISAs only) ..... 54
11.9 Account Collections Tab ..... 56
11.10 Setting Permissions for PSM and PPM Functionality for Accounts ..... 57
11.11 PSM Details General Tab (PSM ISAs only) ..... 57
11.12 PSM Session Authentication Tab (PSM Customers Only) ..... 61
11.13 PSM File Transfer Tab (PSM Customers Only) ..... 61
11.14 PSM Review Requirements Tab (PSM Customers Only) ..... 62
11.15 Adding an Account ..... 63
11.16 Managing an Account ..... 63
11.17 Duplicating an Account ..... 64
11.18 Quest One Privileged Command Manager (PSM Customers licensed for PCM only) ..... 64
11.19 Account Current Status ..... 64
11.20 Manual Password Management (PPM ISAs only) ..... 65
11.21 Password Management (PPM ISAs only) ..... 66
11.22 Managing Services in a Windows Domain Environment (PPM ISAs only) ..... 67
11.23 List Accounts ..... 69
11.24 List PSM Accounts (PSM ISAs only) ..... 70
12.0 Managing Secure File Storage (PPM ISAs only) ..... 71
12.1 Adding a File for Storage ..... 71
12.2 File Ticket System Tab ..... 73
12.3 File Collections Tab ..... 74
12.4 Setting Permissions for Files ..... 74
12.5 Updating a Stored File ..... 74
12.6 Reviewing File History and Activity ..... 75
13.0 Retrieving a Password (PPM ISAs only) ..... 76
13.1 Viewing Past Passwords ..... 78
14.0 Retrieving Files (PPM ISAs only) ..... 79
15.0 Session Management (PSM ISAs only) ..... 80
15.1 Replaying a Session Log ..... 80
15.2 Monitoring a Live Session ..... 82
16.0 Reports ..... 83
16.1 Report Time Zone Options ..... 83
16.2 Report Layout Options ..... 84
16.3 Adjustable Column Widths ..... 85
16.4 Report Export Options ..... 85
16.5 Activity Report ..... 85
16.6 ISA User Activity ..... 86
16.7 PSM Accounts Inventory (PSM ISAs only) ..... 86
16.8 Password Aging Inventory (PPM ISAs only) ..... 86
16.9 File Aging Inventory (PPM ISAs only) ..... 87
16.10 Release-Reset Reconcile (PPM ISAs only) ..... 87
16.11 User Entitlement ..... 87
16.12 Password Update Activity (PPM ISAs only) ..... 89
16.13 Password Update Schedule (PPM ISAs only) ..... 89
16.14 Password Testing Activity (PPM ISAs only) ..... 90
16.15 Password Test Queue (PPM ISAs only) ..... 90
16.16 Expired Passwords (PPM ISAs only) ..... 91
16.17 Passwords Currently In Use (PPM ISAs only) ..... 91
16.18 Password Requests (PPM ISAs only) ..... 91
16.19 Auto-Approved Releases (PPM ISAs only) ..... 92
16.20 Password Release Activity (PPM ISAs only) ..... 92
16.21 File Release Activity (PPM ISAs only) ..... 93
16.22 Windows Domain Account Dependencies (PPM ISAs only) ..... 93
16.23 Auto Approved Sessions (PSM ISAs only) ..... 93
16.24 PSM Session Activity (PSM ISAs only) ..... 93
16.25 PSM Session Requests (PSM ISAs only) ..... 94
© 2012 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described
in this guide is furnished under a software license or nondisclosure agreement. This
software may be used or copied only in accordance with the terms of the applicable
agreement. No part of this guide may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser’s personal use without the written permission of Quest Software,
Inc.
The information in this document is provided in connection with Quest products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by
this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN
QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS
PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS,
IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY
DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES
(INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO
USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. Quest makes no representations or warranties with respect to the accuracy or
completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. Quest does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: [email protected]
Refer to our Web site (www.quest.com) for regional and international office information.
Trademarks
Quest, Quest Software, and the Quest Software logo are trademarks and registered
trademarks of Quest Software, Inc in the United States of America and other countries.
For a complete list of Quest Software’s trademarks, please see
http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered
trademarks are property of their respective owners.
Third Party Contributions
Quest One Appliance-Based Privileged Account Management Solutions
contain some third party components. Copies of their licenses may be found at
http://www.quest.com/legal/third-party-licenses.aspx.
1.0 Introduction
Total Privileged Access Management (TPAM) is a robust collection of integrated modular
technologies designed specifically to meet the complex and growing compliance and security
requirements associated with privileged identity management and privileged access control.
The Privileged Password Manager (PPM) module provides secure control of administrative
accounts. TPAM is a repository where these account passwords are stored until needed, and
released only to authorized persons. Based on configurable parameters, the PPM module will
automatically update these passwords.
The Privileged Session Manager (PSM) module provides a secure method of connecting to
remote systems, while recording all activity that occurs to a session log file that can be
replayed at a later time. All connections to remote systems are proxied through the Privileged
Account Management (PAM) appliance, ensuring a secure single access point.
2.0 Conventions Used in this Guide
Element              Convention
(new-feature icon)   Wherever this symbol is displayed it means there is new functionality or
                     an entirely new feature being discussed.
Bold Italics Text    Elements that appear in the TPAM interface, such as menu options and field
                     names.
Note!                Used to highlight additional information pertinent to the process being
                     described.
Tip!                 Used to provide best practice information. A best practice details the
                     recommended course of action for the best result.
Alert!               Important information about features that can affect performance or
                     security, or cause potential problems with your appliance.
3.0 Getting Help
3.1 Online User Manuals
To access online user manuals click the Documents list located in the upper right
hand corner of the application. The manuals that are available to you are based on
your user type and the permissions assigned to your userid.
3.2 Help Bubbles
Throughout the application you will also notice help bubbles next to many of the
fields in the application. If you hover the mouse over the bubble a pop-up window
provides a brief explanation about what the field is used for.
3.3 Customer Portal
The Quest Software Customer Portal is where you can find product updates, user
manuals, WebEx demos and FAQs. To access the Portal you will need a username
and password from the Quest Software Technical Support group. To log in, go to
https://hq01.e-dmzsecurity.com/edmzcust.
3.4 Contacting Customer Support
Quest Software's world-class support team is dedicated to ensuring successful
product installation and use for all Quest Software solutions.
SupportLink: www.quest.com/support
Email: [email protected]
You can use SupportLink to create, update, or view support requests.
4.0 TPAM Definitions
4.1 Terms
4.1.1 System
A system is a host computer, network device, or work station for which one or
more account passwords will be maintained. It is also referred to as the
managed system.
4.1.2 Collection
A collection is a logical association of systems. In v2.4 collections can
also include Accounts and Files. Permissions can be granted to a collection.
All systems contained in the collection, or added to it, will inherit those
permissions. A system can belong to multiple collections. A System cannot
be in the same collection as any of its Accounts or Files.
4.1.3 UserID
A UserID is defined as a user of the TPAM appliance. At the time the UserID is
created the interface (Web or CLI/API) must be determined and cannot
change. There are different types of UserIDs (Basic, UserAdmin, Auditor,
Administrator and Cache User). See section 4.2.
4.1.4 Group
A Group is a logical association of UserIDs. Groups are a mechanism for
easing the burden of assigning Access Policies on systems or collections to
users. Access Policies that are assigned to a group are inherited by all
members in the group. When a user is added to a group, they will
immediately receive all permissions assigned to the group, and all
permissions received through the group are revoked when a user is removed
from the group. Users can be members of multiple groups.
4.1.5 Managed Account
This is the account on the remote system to which a proxied connection can
be made and/or whose password is being stored and maintained through the
PPM portion of TPAM. For example, “root” is likely to be a managed account
on many of the managed UNIX systems.
4.2 User Types
4.2.1 Basic
A Basic user type can be assigned permissions for various functions
throughout the application, such as requestor, reviewer, etc.
4.2.2 Administrator
The Administrator is the most powerful user type for the TPAM User Interface.
This user type can create and delete systems, users, groups, and collections.
The administrator user type may also assign access policies to any user –
including themselves. An administrator may view all reports. It is
recommended that this user type be assigned carefully. The Administrator
may not delete or disable their user ID.
4.2.3 Auditor
The auditor user type permits the individual to view reports, session logs and
system information, but not to make any changes to data or view passwords.
The Auditor may not delete or disable his own account. Auditors may also
review completed password and session requests.
4.2.4 User Administrator
This user type has the authority to manage Basic user types. User
Administrators can disable and enable users, unlock user accounts, and
update account information. The User Administrator does not have the ability
to add users to groups or manage permissions. CLI/API user accounts cannot
be managed by a User Administrator.
4.2.5 Cache User
If your company opted to purchase cache servers along with TPAM you will be
setting up cache user types. A cache user can only retrieve passwords
through the cache server that they are assigned to. A cache user will not have
access to the TPAM interface.
4.3 Permission Types
4.3.1 Denied
This user role was created so that collection permissions could be assigned to
a user and then, if there are specific entities within that collection that the user
should not have access to, the Denied permission can be set for those entities.
If you are Denied for a System but have access to a specific Account/File on
that System you will still be able to access the Account/File, because an Account
or File assignment takes precedence over a System assignment.
4.3.2 Information Security Administrator (ISA)
The role of ISA is intended to provide the functionality needed for security
help desk personnel, and as a way to delegate limited authority to those
responsible for resource management.
An ISA permission with a Type of Session allows the user to add and update
all aspects of PSM Only systems and PSM Only accounts on PSM supported
platforms.
An ISA permission with a Type of Password allows the user to add and update
systems and accounts for all platforms except those that are PSM only.
A user must be assigned an Access Policy with a Type of both Password and
Session and permission of ISA to be able to assign access policies to other
entities. The ISA permission does not allow the user to delete a system.
4.3.3 Approver
An Approver can be set up to approve password, session and/or file requests.
An approver can also be set up to only approve sessions that are requesting
specific commands.
4.3.4 Requestor
A Requestor can be set up to request password, session, and/or file requests.
A requestor can also be set up to only request sessions that run specific
commands.
Note! A user requesting a session that has an interactive proxy type
must also have an access policy assigned to them that includes
Password/Requestor for that account.
4.3.5 Privileged Access (PAC)
An individual that must go through the request process for passwords, files,
and sessions but once they submit the request it is automatically approved,
regardless of the number of approvers required.
Note! If you have Session/PAC permissions but do NOT have
Password/PAC permissions on an account, you will only be able to start a
session that is configured for one of the automatic proxy connection types,
since you do not have permission to access the password.
4.3.6 Reviewer
The reviewer role permits the individual to view reports on specific systems to
which they have been granted reviewer rights. A Session/Command Reviewer
can also replay sessions and review/comment on these sessions. If the user
has Password Reviewer permissions they can review a password release that
has expired and comment on that password release.
5.0 Permission Hierarchy
Because TPAM allows groupings of Users (Groups) and remote systems (Collections), it is
possible, even likely, that a user could appear to have multiple conflicting permissions for a
particular system, account, and/or file. To prevent this, TPAM implements a precedence of
permissions.
The precedence, in order of decreasing priority, is:
1. An Access Policy assigned to a User for an Account/File (most specific)
2. An Access Policy assigned to a User for a System
3. An Access Policy assigned to a User for a Collection containing Accounts or Files
4. An Access Policy assigned to a User for a Collection of Systems
5. An Access Policy assigned to a Group for an Account/File
6. An Access Policy assigned to a Group for a System
7. An Access Policy assigned to a Group for a Collection containing Accounts or Files
8. An Access Policy assigned to a Group for a Collection of Systems (least specific)(*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The
Groups grant their respective permissions to an internally-maintained “All Systems”
collection.
Note! A single “Denied” Access Policy assignment at any level overrides all other
permissions at that level.
When any of the permissions are changed, for instance by adding or removing a user from a
group, the precedence is recalculated, and if necessary, the permissions for the user are
changed to reflect the new level that results.
In the scenario shown above, the groups and users have been assigned
Access Policies which grant the permissions specified. In this situation, the
precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to
  System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and
  File C1 via the Group A to Collection B assignment. These Review rights on
  File C1 take precedence over the Approve rights on System C because
  assignment to a Collection containing an Account or File is more specific
  than a collection containing just the System. User A may still Approve
  requests to all accounts on System C and all of C’s files with the exception
  of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File
  C1 through Group B. Note that, as above, the Group B to Collection B
  assignment of Request rights for User A on File C1 overrides the Approver
  rights from Group A.
• Since User A is in both Groups A and B he has both Review and Request
  rights on all the items in Collection B. Assignments at the same hierarchy
  level are combined.
• User B has been Denied access to System B, which includes all Accounts
  and Files thereon. Even though the Group A to Collection B assignment
  grants User B Review on Account B1 on System B, User B is still denied
  access because the User to System assignment trumps the Group to
  Account in a Collection assignment. If User B had instead been assigned
  the Review permission directly (as opposed to through Group A) to
  Account B1, that would have replaced the Denied assignment on System B,
  but only for that one account.
• User B also has Review rights on all Accounts and Files on System A and
  File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to
  Account assignment supersedes both policies User C received via the
  Group to Collection assignments, but only for Account B1. User C still has
  Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment
  takes precedence over D’s Request permission on System A, which comes
  through the Group B to Collection B assignment. D still retains the Request
  permissions on Account B1 and File C1 from the Group assignment;
  however, that removes D’s ISA permissions on Account B1 (although D still
  has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the
permission hierarchy those permissions are combined, as long as none of those
permissions is “Denied”. If a User is in 3 different groups (A, B, and C)
with policies to the same System (A grants Approver, B grants Reviewer, and
C grants Requestor) the user has all three permissions in effect on that
system. However, if Group B has Denied permissions instead of Reviewer,
that takes precedence over all other "Group to System" assignments for that
User on that System.
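The precedence walk described in this section, written out as code so the effective permissions can be checked mechanically. This is an added example, not part of the manual or of TPAM itself; the Directory class and the SCENARIO object are a constructed subset of the scenario above (the Group A and Group B assignments to Collection B, User B's Denied on System B, User C's ISA on Account B1, plus an assumed Account B2 on System B), not the full diagram.

```python
"""Effective-permission resolution following the TPAM precedence rules (added example)."""
from dataclasses import dataclass, field

DENIED = "Denied"

# The eight precedence levels from section 5.0, most specific first.
LEVELS = [
    ("user",  "entity"),             # 1. User for an Account/File
    ("user",  "system"),             # 2. User for a System
    ("user",  "entity_collection"),  # 3. User for a Collection containing Accounts/Files
    ("user",  "system_collection"),  # 4. User for a Collection of Systems
    ("group", "entity"),             # 5. Group for an Account/File
    ("group", "system"),             # 6. Group for a System
    ("group", "entity_collection"),  # 7. Group for a Collection containing Accounts/Files
    ("group", "system_collection"),  # 8. Group for a Collection of Systems
]


@dataclass
class Directory:
    """Constructed stand-in for the TPAM objects the manual describes (hypothetical)."""
    entity_system: dict   # Account or File name -> the System it lives on
    collections: dict     # Collection name -> set of member Systems/Accounts/Files
    group_members: dict   # Group name -> set of UserIDs
    assignments: list = field(default_factory=list)  # (principal, target, permission)

    def groups_of(self, user):
        return {g for g, members in self.group_members.items() if user in members}


def _level_matches(d, level_target, assign_target, target, system):
    """Does an assignment on assign_target apply to `target` at this level?"""
    is_entity = target != system  # target is an Account/File rather than a System
    if level_target == "entity":
        return is_entity and assign_target == target
    if level_target == "system":
        return assign_target == system
    members = d.collections.get(assign_target)
    if members is None:
        return False  # assignment is not on a Collection
    if level_target == "entity_collection":
        return is_entity and target in members
    return system in members  # system_collection


def effective_permissions(d, user, target):
    """Walk the levels from most to least specific; the first level holding any
    assignment decides. A Denied at that level wins outright; otherwise every
    grant at that level is combined (the 'same level' rule from section 5.0)."""
    system = d.entity_system.get(target, target)  # a System is its own system
    groups = d.groups_of(user)
    for principal_kind, level_target in LEVELS:
        principals = {user} if principal_kind == "user" else groups
        perms = {
            perm for principal, assign_target, perm in d.assignments
            if principal in principals
            and _level_matches(d, level_target, assign_target, target, system)
        }
        if perms:
            return frozenset() if DENIED in perms else frozenset(perms)
    return frozenset()  # no assignment at any level: no access


# Constructed subset of the manual's scenario (assumed, not the original diagram).
SCENARIO = Directory(
    entity_system={"Account B1": "System B", "Account B2": "System B",
                   "File C1": "System C"},
    collections={"Collection B": {"System A", "Account B1", "File C1"}},
    group_members={"Group A": {"User A", "User B", "User C"},
                   "Group B": {"User A", "User C", "User D"}},
    assignments=[
        ("Group A", "Collection B", "Reviewer"),
        ("Group B", "Collection B", "Requestor"),
        ("User B", "System B", DENIED),
        ("User C", "Account B1", "ISA"),
    ],
)

if __name__ == "__main__":
    for user, target in [("User A", "Account B1"), ("User B", "Account B1"),
                         ("User B", "System A"), ("User C", "Account B1"),
                         ("User C", "File C1"), ("User D", "File C1")]:
        print(f"{user} on {target}: {sorted(effective_permissions(SCENARIO, user, target))}")
```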
6.0 Accessing TPAM
To access TPAM, point your browser to TPAM’s IP address or FQDN followed by /egp or
/par. For example, if the IP address for TPAM has been configured as 192.168.1.100 (1), the
URL would be https://192.168.1.100/egp/.
Connectivity
To communicate with the TPAM appliance and successfully initiate a session your computer
will need to be able to pass traffic on ports 443 (HTTPS) and 22 (SSH).
(1) For additional information and instruction on the initial configuration of the appliance, see the “Quest One Privileged Account
Management Configuration and Administration Manual”.
If TPAM will be accessed via Microsoft Internet Explorer® (IE), there are two important
settings to verify or change in the IE configuration:
Pop-Up Blocker
When the /par website is accessed, the initial instance of the browser will be closed and a
new window will open without menu or title bars. Browsers that are configured to block
pop-ups often interpret this as a pop-up and the page will not be displayed. Be sure to add
the URL for TPAM to the list of allowed pop-ups. Tip: Holding the Ctrl key will temporarily
allow pop-ups.
User Authentication Settings
It may also be necessary to modify the User Authentication option of the IE Security
Settings. The recommended setting is “Prompt for user name and password”. A setting of
“Automatic logon…” may attempt to pass the username and password from the workstation
or domain to TPAM. This will cause logon failures and may lockout the user’s TPAM account.
7.0 Permission Based Home Page
Your home page is based on the user type and permissions assigned to your user id in the
TPAM application. You can return to the home page from anywhere in the TPAM application
by clicking the home icon located on the far left side of the menu ribbon.
Note! The screen shots in this manual represent a UserID that has been assigned a
Global ISA Access Policy. The screens that you see when you log into the par interface may
or may not have all of these options depending on your permissions.
The first tab that displays is the default message of the day, which is configured through
the paradmin interface. To immediately approve a session, password or file request, click the
blue links.
7.1 Recent Activity Tab
The Recent Activity tab shows all your activity in TPAM for the last 7 days.
7.2 Approvals Tab
The Approvals tab will show any requests (Password, File or Session) that require
your approval. Once they are approved or denied you will still see the request in this
list until the release duration expires. By clicking on the request id you will be taken
directly to the appropriate Requests Approval Detail tab so that you can approve or
deny the request. To use the auto-refresh option check the box and enter the number
of minutes you would like the screen refreshed.
7.3 Pending Reviews Tab
If you are an eligible reviewer for any post password releases or sessions you will see
the Pending Reviews tab on your home page. Any password releases or sessions
that are pending review will be seen on this tab. By clicking on the request id you will
be taken directly to the Password Release Review Details or Session Review Details
tab. To use the auto-refresh option check the box and enter the number of minutes
you would like the screen refreshed.
8.0 Managing Your Own Account
Any user may change their password and update individual account details using the My
Info menu option.
To reset your own password, select My Info → Change Password from the menu. Enter
the existing password, the new password desired, and confirm the new password. User
passwords are subject to the requirements of the Default Password Rule.
Other individual account information, such as contact information and full name, can also
be self-managed. Select My Info → User Details from the menu to make modifications to
your own account information.
A user may not modify the UserID, Last Name, or First Name fields.
8.1 User Time Zone Information
You can edit your time zone information through the My Info → User Details menu
option. The TPAM administrator will also be able to edit your time zone.
If you are in the same time zone as the server and follow the same Daylight Saving
Time (DST) rules the first radio button should be selected.
If you are in a different time zone and/or follow different DST rules and do not want
to follow server time, the second radio button should be selected, and the appropriate
time zone chosen from the list. With this option most dates and times that the user
sees in the application or on reports will be converted to your local time. If a date or
time still reflects server time it will be noted on the screen.
Note! If the Sys-Admin has disabled User Time zone changes in the paradmin
interface the User Time Zone Information block shown above will be visible only
for Administrator users.
Example: TPAM appliance is located in New York, NY on Eastern Time. The user is
located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their
time zone to Pacific Time, any requests, approvals, etc. that they make will be
reflected in Pacific Time to them, and they will have the option to view some reports
in their local time zone. If the TPAM Administrator is in the Eastern Time zone the
admin will see this user’s transactions stamped with the Eastern Time.
Alert! If you are in Daylight Saving Time (DST) you must remember to check
the DST box and uncheck it when it is over. This box does NOT automatically get
changed for you.
You will be automatically redirected to the User Details page when attempting a new
transaction if:
• The server has undergone a DST transition since your last activity.
• The time zone on the server has been changed since your last activity.
• The server has had a patch applied that has rendered your current time zone
obsolete according to Microsoft’s time zone updates.
You will be able to see the server time on the bottom left of your screen and your
local GMT offset (if different from the server) in the middle bottom of the screen. The
time is listed in reference to GMT (Greenwich Mean Time), using notation that
indicates the number of hours ahead of or behind GMT. For example, US Eastern
Standard Time is 5 hours behind GMT, or GMT -05:00, and New Delhi, India is 5 ½ hours
ahead, or GMT +05:30.
9.0 Application Navigation
This section provides an overview of how to navigate through the user interface.
9.1 Tab Format
One of the first things the user will notice is that upon selecting an action from the
main menu bar the data will be displayed through multiple tabs.
Once a specific System, Account, Collection, etc. is selected all of the details about
this entity can be viewed by clicking on the different tabs along the top of the page.
Tabs which do not apply to a given system are disabled. For example, the
Connection and Management Details tabs do not apply to a system unless the
Enable Automatic Password Management option is checked.
9.2 Filter Tab
This tab was developed for companies that are managing a large number of systems,
accounts, collections and groups. By entering specific criteria on the Filter tab, the
user will be able to quickly get to the piece of data that they need to review or edit
without searching through thousands of records.
The Max Rows to Display list allows you to limit the number of records returned
even if more records meet the criteria.
The Default Filter Settings has choices of Clear, Save and No Action. If Save is
selected then every time the user selects the menu item they will land on the Listing
tab and the same filter will be applied until a new filter is saved or if the filter is
cleared. The saved filters are on a user by user basis, that is if user dlynch saves a
filter it has no effect on a filter saved by glucas.
Once your filter criteria have been entered click the Listing tab to get the results of
your filter.
9.3 Listing Tab
The results from your Filter will be listed in the Listing tab. Notice that in the
example above 2 records actually met the Filter criteria that were entered and the user
chose to only display 50 rows. If 120 records had met the filter criteria only 50
would have been displayed but it would have said Displaying 50 out of 120 rows
meeting filter criteria, warning the user that was all that was returned in the
Listing tab. Once you find the record that you want to work with click the row once
to highlight the row on the screen and then click the tab where you want to go next.
Note! If you are already displaying the Listing tab, clicking the tab label (circled
area below) a second time will refresh the listing from the database based on the
current criteria.
9.4 Feedback Area
The feedback area is located in the bottom center of each window. This area was
created to notify the user what transaction was last completed. As soon as the user
selects a new “entity” i.e. system, account, collection, from the listing then the
Feedback area will be cleared and remain empty until a new transaction occurs.
10.0 Configuring Managed Systems
If your System Administrator has set the “Restrict ISA System Creation” global setting to
“Yes”, you will not be allowed to add systems.
Selecting Systems & Accounts → Systems → Add System or Systems & Accounts →
Systems → Manage Systems will lead to the configuration pages for managed systems. If
modifying an existing system, first select the desired system by entering criteria on the
Systems Management Filter tab, clicking on the Listing tab, clicking on the System Name
you are looking for and then clicking on any of the additional tabs to edit the system
configuration. Below is a description of all the configuration fields on the various tabs.
As a PSM ISA you will NOT be able to access the Connection or Management Details
tabs (except for e-DMZ SPCW systems).
10.1 System Details Tab
10.1.1 System Name
This is the descriptive name of the system. Typically, the hostname will be
used. Within the TPAM, the system name must be unique. The name can be
1-30 characters long, but cannot include white space (i.e. spaces, carriage returns, etc.).
10.1.2 Network Address
The IP Address (e.g. 192.168.0.15) or DNS Name (e.g. server1.domain.bigco.com)
of the system. It is imperative that this information is entered correctly, as
the back-end automation procedures will use this address to connect to the
remote system to proxy and record the session activity and setting or
checking of the password for the managed account(s).
10.1.3 ISA Policy
You will see this list option when adding a System if your userid is assigned
an Access Policy that contains an ISA permission. From this list you can select
which ISA policy should be applied for your access to this new system once it
has been saved. If you have ISA access granted via a single Access Policy it
will be pre-selected.
Alert! If you select Do not Assign an ISA Policy and do not
assign the System to a Collection that you have access to, you will
NOT have any access to the system after it is saved.
10.1.4 Platform
Choose the appropriate platform for the operating system running on the
remote host. For PSM this field is primarily descriptive, since it is the proxy
connection type that actually determines how the session will be established.
However, if the passwords for this system will be managed by PPM, then it is
very important that this be entered correctly, as the PPM uses it to determine
the most secure and reliable way to manage the passwords on the remote
system.
Note! If you are only a PSM ISA the platform list will only contain PSM
enabled platforms.
Note! A system added to TPAM with a platform type not supported by
PSM will appear in the list of systems on TPAM, and the accounts defined for
that system will appear in the TPAM accounts list for the system – however,
the option to allow sessions will be disabled.
10.1.5 Password Rule
Select the desired password rule to serve as the default for all accounts
defined for the system. If the selection is not changed (or if no other rules
have been defined in TPAM) the Default Password Rule will be selected. The
password rule will govern the construction requirements for new passwords
generated by PPM. Password rules are managed by Sys-Admin users in the
parconfig interface.
10.1.6 Maximum Duration
This is the maximum duration for a password release on the account. If this is
overridden by an Access Policy assignment, the lower of the two durations will
be used. The default duration that the requestor will see for any new
password request is 2 hours, or the maximum duration, whichever is less.
10.1.7 Contact E-mail
Allows support personnel to receive email notifications from TPAM. Alerts or
warnings are sent when the condition of the remote system is not as
expected. This field can be left blank, in which case errors will be logged but
notifications will not be sent. The email address in this field will be the one
notified when Manually managed account passwords are scheduled to be
changed.
10.1.8 Description
The description field may be used to provide additional information about the
system, special notes, business owner, etc.
10.1.9 Enable Automatic Password Management? (PPM ISA’s only)
Tells TPAM whether to automatically manage remote system account
passwords, based upon configuration parameters for each system. Auto-management
includes automatic testing and changing of the passwords.
Checked = Yes, Unchecked = No. This option is available at both the system
and account levels, therefore it is possible to allow TPAM to auto-manage one
account on a specific system, while another account on the same system is
not auto-managed. However, if the option is unchecked at the system
configuration level, no accounts on the system can be auto-managed. If the
appliance has exceeded the number of PPM managed systems that were
licensed this option will not be able to be checked for any new systems until
you check the Disable PPM Functionality checkbox on another managed
system.
10.1.10 Disable PPM Functionality (Only ISA’s with both PPM and PSM
Permission)
This checkbox sets the system to “PSM only” which means you cannot use
any of the PPM features on this system such as password change history,
release logs, password checking and changing, and releasing passwords. The
reason for this is product licensing. You are not limited to the number of “PSM
only” systems you can add, but we will limit the number of managed (PPM)
systems you can add based on the number of licenses you purchased.
10.1.11 Approver Escalation
You have the ability to send an escalation to a specific e-mail address if no
approvers have responded to a Password/File request within X minutes. You
can enter multiple e-mail addresses by separating them with a comma up to
the field maximum of 255 characters.
10.1.12 Delegation Prefix (specific platforms only)
This field can be used to preface the commands that PPM uses to manage
passwords for this system. The delegation prefix can also be used to specify
an absolute path to the command that PPM uses to manage password for the
system.
10.1.13 Computer Name (specific platforms only)
This field is designated for the system’s computer name and is required for
proper password management. If it is not populated, TPAM will attempt to
determine the system’s computer name when the system is tested and
update the field.
The Computer Name field is also used with TPAM’s Autologon feature. You
have the option to have TPAM log the user into the remote system using the
WORKSTATION\USERID format. This will prevent any incorrect logon if the
Default domain is saved as the DOMAIN name versus the Local Workstation.
If a Domain user is selected from the Session Authentication screen in PSM
details, the user credentials will be passed as DOMAIN\USERID. You will
notice with both options that the DOMAIN field is grayed out at login.
10.1.14 System Location Information
There are six customizable fields that you can use to track location
information about each system. These custom fields are enabled and
configured by the System Administrator in the paradmin interface. If these
fields have not been enabled the system location section of this page will not
appear at all on the Details tab.
10.2 Systems Connection Tab (PPM ISAs only)
Note! PSM ISAs will only see this tab for SPCW systems.
Fields available for connection settings will differ according to the platform type of the
managed system.
10.2.1 Alternate Port
Most non-Windows platforms allow alternate ports to be configured for
communication of standard protocols, such as SSH, Telnet, or database ports.
TPAM now supports the ability to specify these system specific ports via the
Connection tab.
10.2.2 Domain Name (specific platforms only)
When the system platform being created represents a central authority such
as Active Directory, BokS, or PowerPassword, the domain name must be
specified. This name cannot be an alias, simple name, or NetBIOS name, but
must be the fully qualified DNS name of the domain.
10.2.3 NetBIOS Domain Name (Windows domains only)
Windows domain systems (Active Directory, NT Domain, or eDMZ SPCW) also
include the NetBIOS Domain Name field. Specify the name of the domain in
NetBIOS format.
10.2.4 Alternate Address (specific platforms only)
When the system platform being created represents a central authority such
as Active Directory, BokS, or PowerPassword, the alternate address field can
contain the network address of an alternate authority (i.e. another domain
controller) for redundancy.
10.2.5 Functional Account
The Functional Account defines the account that will be used to manage the
accounts on the managed system. This account must be defined and
configured on the managed system as defined in the appropriate Client Setup
Instructions. The credential defines whether SSH will use a predefined key
(DSS) to authenticate or a standard password. DSS is the preferred and more
secure way of managing accounts on systems that support SSH. You have the
option to let PPM manage the functional account.
The auto-change parameters for this password may then be configured via
the Account Details tab, as with any other account. This helps to secure the
managed system, by not maintaining a “static” password on a functional
account.
Alert! After a system is “saved” for the first time, any changes
in the system parameters will not automatically be applied to the
functional account, unless the “Propagate to All Accounts” switch on
the Management Details tab has been checked. The auto manage
function will never be propagated to the functional account. It must
be manually set.
10.2.6 PSM Functional Account (eDMZ SPCW platform only)
The PSM functional account is used to provide secure communication during
the session and file transfer during a session. If the PSM enabled account on
the system is configured to use a proxy type of RDP through SSH, the PSM
Functional account will be used during this connection.
10.2.7 Account Credentials
When using DSS key authentication, a function is available to permit specific
configuration of the public/private keys used.
Avail. System Std. Key – will use the single standard SSH keys (either Open
SSH or the commercial key) stored centrally in TPAM. You have the ability to
have up to three active keys simultaneously. These keys are configured in the
paradmin interface. Use the list to select the key you want to retrieve.
Note! When using the System Std. Keys you cannot specify which key
will be used. You may download one or all available keys to put on the
remote system, but TPAM will attempt to use all currently active keys when
communicating with the remote system.
Use System Specific Key – will allow the generation and download of a
specific SSH key to be used with this system only. The key must first be
generated using the button provided, and then downloaded in
either Open SSH or Sec SSH (commercial) format.
10.2.8 Enable Password (Cisco and ProxySG only)
Some systems may require the use of very specific accounts for access (e.g.
Cisco PIX requires the use of “pix” as the ID, Cisco routers use “cisco” as the
ID, etc.). If the managed device is a Cisco device, the Enable password
must also be specified in the configuration.
10.2.9 SID / Service_Name (Oracle DB only)
Specifies either the Security ID (SID) or the service name for Oracle
databases, and should match the setting in SQLNET.ORA at the database
server.
10.2.10 Connection Timeout
The connection timeout value determines the amount of time in seconds that
a connection attempt to the managed system will remain active before being
aborted. In most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with the system, this
value can be increased (for example, connections to Windows systems are
often slower than SSH connections and may require a significantly higher
timeout value).
10.2.11 Server O/S (BoKs platform only)
Select the O/S running on the server from the list.
10.2.12 Expert Password (CheckPoint SB only)
Setting up an Expert Password will allow configuration access to the
system.
10.2.13 Non-Privileged Functional Account (Windows Active Directory only)
If this box is checked any password changes for accounts on this system will
use the account’s current password to log in and make the password change
instead of using the functional account password.
10.2.14 Authentication Method (Cisco Router TEL only)
Username/Password is used when a username is needed when connecting to
the system. Line Definition is used when there is no username to be
specified, it is simply a password on the terminal connection.
10.2.15 Allow Functional Account to be Requested for Password Release
If this box is checked then Requestors on this system can make a request to
release the password for the functional account. If this box is not checked the
functional account passwords are not available for release to a requestor and
will only be accessible to an ISA.
10.2.16 Custom Command (Mainframe platforms only)
If there is a special command that needs to be entered prior to being
prompted for authentication credentials, it is specified by placing the
command in the custom command field.
10.2.17 Use SSL? (specific platforms only)
Check this box if communications between TPAM and the device requires the
SSL option.
10.2.18 Tunnel DB Connection Through SSH (database platforms only)
Database tunneling through SSH provides the ability to securely connect to a
remote database.
Enter the Account Name that you will use to connect to the remote system.
If SSH is not listening on port 22 please provide the correct port you want the
connection forwarded to.
For DBMS accounts, SSH tunneling only uses public key and not manual
passwording for establishing the SSH connections.
Alert! Make sure that the default of “AllowTcpForwarding” is
set to yes in the SSH configuration file (sshd_config) of the managed system.
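The following Python check is added here for illustration and is not part of TPAM or this manual. It reads a managed system's sshd_config for the AllowTcpForwarding keyword that the SSH tunnel depends on, applying OpenSSH's rule that the first value given for a keyword wins (a later line cannot override it) and treating the keyword as allowed when it is absent, since yes is the default; the sample configuration is constructed.

```python
import re

# Constructed sample of a managed system's sshd_config, not taken from any real host.
# Note the two conflicting AllowTcpForwarding lines: sshd uses the FIRST one.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
AllowTcpForwarding no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
"""


def effective_value(config_text: str, keyword: str, default: str) -> str:
    """Return the global value sshd would use for ``keyword``.

    sshd_config semantics applied here: keywords are case-insensitive, '#'
    starts a comment, a keyword and its argument may be separated by spaces or
    '=', and for each keyword the first value encountered wins. Lines after a
    ``Match`` header are conditional (they apply only to matching connections),
    so the scan stops there and reports only the global setting.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def tcp_forwarding_allowed(config_text: str) -> bool:
    """True when sshd on the managed system will accept the local port forward
    that the database tunnel (section 10.2.18) relies on. OpenSSH's default for
    AllowTcpForwarding is yes; 'all' and 'local' also permit local forwarding."""
    return effective_value(config_text, "AllowTcpForwarding", "yes") in ("yes", "all", "local")


if __name__ == "__main__":
    print("constructed sample allows tunnel:", tcp_forwarding_allowed(SAMPLE_SSHD_CONFIG))
```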
10.3 System Management Details Tab (PPM ISAs only)
The System Management Details tab lists options that once set will be inherited by
all accounts set up on this system. These options can be overridden at the account
level.
10.3.1 Password Check and Reset Options
The automatic password testing function may be enabled or disabled for
managed systems by using the Check Password and Don’t Check
Password radio buttons. If enabled, the option to have the password
automatically reset when a mismatch is found is also available. By default
Reset Password on Mismatch will be selected. When auto reset is disabled
only a notification email will be sent when a password mismatch is
encountered (assuming the system contact email field is populated). Change
Password after any release indicates whether the password for the account
should be automatically reset by PPM following a release to any user
(including ISA users). The option is enabled by default. If disabled, the
password will not be changed after releases, but will still be changed based
upon the Change Frequency settings.
10.3.2 Change Frequency
This specifies the interval at which the password will be automatically
changed, regardless of whether or not the password has been released.
Typically, this will be set to the value specified in your company’s security
policy, which defines password expiration age. Available choices are:
• First Day of the Month – the password will be changed every month, on
the first day of the month
• Last Day of the Month – the password will be changed every month, on
the last day of the month
• Every n Days – this allows you to specify the frequency with which the
password will be changed. The n value can be between 1 (changed every
day) and 999.
• None – no scheduled changes.
10.3.3 Change Time
Allows you to specify the time of day when automatic password changes will
take place. This should be set to a time when the system is not scheduled to
be down for regular maintenance and when system activity is not at its peak.
The change time will take place when the TPAM server reaches this time and
not the time in your local time zone.
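The following Python example is added here for illustration and is not part of TPAM or this manual. It computes the next scheduled change for each of the four Change Frequency choices above, evaluated against the server clock as section 10.3.3 requires; the last_change anchor for Every n Days and the sample timestamps are assumptions, since the manual does not say where that interval is counted from.

```python
import calendar
from datetime import date, datetime, time, timedelta
from typing import Optional

# The four Change Frequency choices listed in section 10.3.2 (labels as constructed here).
FIRST_DAY = "First Day of the Month"
LAST_DAY = "Last Day of the Month"
EVERY_N_DAYS = "Every n Days"
NONE = "None"


def _next_month(year: int, month: int) -> tuple:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def next_change(frequency: str, now: datetime, change_time: time, n: int = 0,
                last_change: Optional[date] = None) -> Optional[datetime]:
    """Return the next scheduled automatic change as a TPAM server-clock timestamp.

    Section 10.3.3: the change fires when the *server* reaches Change Time, so
    ``now`` must be server time, not the user's local time. ``last_change`` is an
    assumption used to anchor the Every n Days interval.
    """
    if frequency == NONE:
        return None
    if frequency == FIRST_DAY:
        candidate = datetime.combine(now.date().replace(day=1), change_time)
        if candidate <= now:                      # this month's slot has already passed
            y, m = _next_month(now.year, now.month)
            candidate = datetime.combine(date(y, m, 1), change_time)
        return candidate
    if frequency == LAST_DAY:
        last = calendar.monthrange(now.year, now.month)[1]   # 28/29/30/31 handled
        candidate = datetime.combine(now.date().replace(day=last), change_time)
        if candidate <= now:
            y, m = _next_month(now.year, now.month)
            candidate = datetime.combine(date(y, m, calendar.monthrange(y, m)[1]), change_time)
        return candidate
    if frequency == EVERY_N_DAYS:
        if not 1 <= n <= 999:                     # range stated in section 10.3.2
            raise ValueError("n must be between 1 and 999")
        anchor = last_change or now.date()
        candidate = datetime.combine(anchor + timedelta(days=n), change_time)
        while candidate <= now:                   # roll forward past any missed slots
            candidate += timedelta(days=n)
        return candidate
    raise ValueError(f"unknown change frequency: {frequency!r}")


def next_change_iso(frequency: str, now_iso: str, change_hhmm: str, n: int = 0,
                    last_change_iso: Optional[str] = None) -> Optional[str]:
    """String convenience wrapper: ISO-8601 in, ISO-8601 out (None for frequency None)."""
    result = next_change(
        frequency,
        datetime.fromisoformat(now_iso),
        time.fromisoformat(change_hhmm),
        n,
        date.fromisoformat(last_change_iso) if last_change_iso else None,
    )
    return result.isoformat() if result else None


if __name__ == "__main__":
    # Constructed scenario: server clock 2012-02-15 12:00, Change Time 02:00.
    for freq, extra in ((FIRST_DAY, {}), (LAST_DAY, {}),
                        (EVERY_N_DAYS, {"n": 30, "last_change_iso": "2012-02-01"}), (NONE, {})):
        print(f"{freq:<25} -> {next_change_iso(freq, '2012-02-15T12:00', '02:00', **extra)}")
```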
10.3.4 Default duration for ISA releases of password (can only be entered by Admin)
The duration for ISA release may be specified up to a maximum of 7 days.
This is the amount of time that will transpire between the initial ISA retrieval
and the automatic reset of the password (if enabled).
10.3.5 Allow ISA to enter Duration on Release (can only be checked by Admin)
If this checkbox is checked, an ISA may enter a release duration other than
the default when retrieving a password. The duration must be >0 and <= the
max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details
tab). This column was added to the System and Account Imports and Batch
Updates. This flag is also a value that can be pushed to Accounts and pulled
from the System.
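The following Python example is added here for illustration and is not part of TPAM or this manual. It models the release-duration rules from sections 10.1.6, 10.3.4 and 10.3.5 together: the lower of the system and Access Policy maximums for requestors, the 2-hour pre-filled default, the 7-day ceiling on the ISA default, and the >0 and <= max(ISA Duration, Max Release Duration) check on an ISA-entered value. Expressing every duration in hours, and the sample settings, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Figures stated in the manual; all durations are in hours here (an assumption,
# since the page does not say what unit TPAM stores).
REQUESTOR_DEFAULT_HOURS = 2.0        # section 10.1.6
ISA_CEILING_HOURS = 7 * 24.0         # section 10.3.4: ISA default may be at most 7 days


@dataclass(frozen=True)
class ReleaseSettings:
    max_release_duration: float                  # Details tab (10.1.6)
    isa_default_duration: float                  # Mgt Details tab (10.3.4)
    allow_isa_to_enter_duration: bool = False    # Mgt Details tab (10.3.5)
    policy_max_duration: Optional[float] = None  # Access Policy override, if assigned

    def __post_init__(self) -> None:
        if self.max_release_duration <= 0:
            raise ValueError("Maximum Duration must be positive")
        if not 0 < self.isa_default_duration <= ISA_CEILING_HOURS:
            raise ValueError("ISA default duration must be >0 and at most 7 days")


def effective_requestor_max(s: ReleaseSettings) -> float:
    """10.1.6: when an Access Policy also carries a maximum, the lower of the two applies."""
    if s.policy_max_duration is None:
        return s.max_release_duration
    return min(s.max_release_duration, s.policy_max_duration)


def requestor_default(s: ReleaseSettings) -> float:
    """10.1.6: a new request is pre-filled with 2 hours or the maximum, whichever is less."""
    return min(REQUESTOR_DEFAULT_HOURS, effective_requestor_max(s))


def isa_release_duration(s: ReleaseSettings, requested: Optional[float] = None) -> float:
    """Duration applied to an ISA password retrieval.

    Without the 10.3.5 flag the ISA default is always used, whatever was typed.
    With the flag, a supplied value must be > 0 and <= the larger of the ISA
    default (Mgt Details tab) and Max Release Duration (Details tab).
    """
    if requested is None or not s.allow_isa_to_enter_duration:
        return s.isa_default_duration
    ceiling = max(s.isa_default_duration, s.max_release_duration)
    if not 0 < requested <= ceiling:
        raise ValueError(f"ISA duration must be >0 and <= {ceiling} hours")
    return requested


if __name__ == "__main__":
    # Constructed system: 8-hour maximum, 24-hour ISA default, 1-hour policy cap.
    s = ReleaseSettings(8.0, 24.0, allow_isa_to_enter_duration=True, policy_max_duration=1.0)
    print("requestor sees", requestor_default(s), "h; ISA may take up to",
          isa_release_duration(s, 24.0), "h")
```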
10.3.6 Propagating Auto Password Management and Management Detail Settings
Default change settings can be configured differently between systems and
the defined accounts for those systems. If the desire is to ensure consistency
throughout this parent-child relationship, it is possible to push the
configuration of the default change settings from the system object to all child
objects defined for the system.
Using the check boxes, select the desired level of propagation of the current
system settings: Push Defaults to All Accounts and Enable auto
management on All Accounts. To push auto management to all accounts
you must first check Push Defaults to All Accounts; then you will be
able to check the Enable auto management on All Accounts flag if you so
choose. The currently configured default change settings and auto-manage
properties will be changed accordingly on the child objects when the
button is clicked. This is a one-time synchronization, and the settings may
still be changed at the account level.
The functional account defined for the system will not receive the Enable
Auto Management on All Accounts setting during a push. The auto-manage property must be manually enabled for the functional account.
10.4 Affinity Tab
The Affinity option will allow you to optimize performance of session recording and
playback and password checking and changing if you have opted to purchase one or
more DPA servers along with your TPAM appliance. This tab will not be enabled until
you save the system.
10.4.1 PSM DPA Affinity Settings (PSM ISAs Only)
Use the PSM DPA Affinity Settings to optimize session recording and playback.
The default setting will be Allow PSM sessions to be run on any defined
DPA. The default DPA Server name will be LocalServer which is the local
TPAM appliance. If your company purchased and configured additional DPA’s
to optimize performance you will see these listed in the DPA Server Name
column. Enter the Priority number next to each DPA and click the button.
The priority numbers used in the Affinity settings only have meaning in
relation to each other. For example, 1,2,3 has the same meaning to the
system as 98,99,100. When the appliance goes to figure out which DPA to
use it looks at them in order of priority from lowest to highest and picks the
1st one that has an open slot. A value of 0 (zero) is simply "more important"
than any higher value. If you want to make it so that a particular DPA is
never used for session recording for a given system, then the priority should
be empty (NULL), not zero.
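The following Python example is added here for illustration and is not part of TPAM or this manual. It implements the DPA selection rule just described: only DPAs with a priority are candidates, an empty (NULL) priority excludes a DPA outright, 0 outranks any higher value, the numbers only matter relative to each other, and the first DPA in priority order with an open slot wins. The open_slots capacity figures and the DPA names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Dpa:
    name: str
    priority: Optional[int]   # None = priority left empty (NULL): never use for this system
    open_slots: int           # constructed capacity figure; TPAM's real accounting is not on the page


def affinity_order(dpas: Sequence[Dpa]) -> List[str]:
    """DPA names in the order the appliance would try them (section 10.4.1).

    Priorities only mean something relative to each other, so 1,2,3 and
    98,99,100 give the same order; 0 simply outranks every higher value; and a
    DPA with no priority at all is dropped rather than merely deprioritised.
    """
    ranked = [d for d in dpas if d.priority is not None]
    return [d.name for d in sorted(ranked, key=lambda d: d.priority)]


def choose_dpa(dpas: Sequence[Dpa]) -> Optional[str]:
    """Pick the DPA for a new session, or None when no eligible DPA has a slot.

    The scan runs from lowest to highest priority and the first DPA with an
    open slot wins, so a full LocalServer at priority 1 is skipped in favour of
    a DPA further down the list.
    """
    by_name = {d.name: d for d in dpas}
    for name in affinity_order(dpas):
        if by_name[name].open_slots > 0:
            return name
    return None


if __name__ == "__main__":
    # Constructed fleet: the local appliance is full, two extra DPAs have capacity.
    fleet = [Dpa("LocalServer", 98, 0), Dpa("dpa-east", 99, 4), Dpa("dpa-west", 100, 2)]
    print(affinity_order(fleet), "->", choose_dpa(fleet))
```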
10.4.2 PPM DPA Affinity Settings (PPM ISA’s only)
Use the PPM DPA Affinity Settings to optimize password checking and
changing. The default setting will be Use local PPM appliance for
password checks and changes. If you want to use one of your DPAs for
password checking and changing on this system select the Selected DPA
affinity radio button, enter the Priority number next to each DPA, and click
the button.
Note! The password checking and changing functionality requires DPA v3.0+.
10.5 Ticket Systems Tab
The options available on this tab will be predetermined by how Ticket Systems were
configured in the paradmin Interface. If no Ticket Systems have been configured and
enabled in the paradmin interface the Ticket System tab will be inaccessible. Any
changes to the settings on this page are recorded in the System Activity Log. These
options will be the defaults for any Accounts or Files added to the system.
10.5.1 Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
password or file request is submitted for this system. If multiple Ticket
Systems are enabled they will be listed in the list for selection. You can
specify the ticket system or allow entry of a ticket number from any system
that is enabled. If this box is not checked users will still be able to enter a
Ticket Number on a request, but will also be able to create a request without
a Ticket Number entered.
10.5.2 Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a
ticket number. You also have the option to require users making requests
through the CLI or API to supply a ticket number prior to retrieving a
password or file. As an ISA you cannot determine if a ticket is required for
ISAs, so this checkbox is disabled.
10.5.3 Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a password or file without supplying a ticket.
10.5.4 Propagation
You have the option of pushing the Ticket System settings out to all Accounts
and Files. When a new account or file is created it will take on the
Ticket System settings of the parent system.
Note! These checkbox values are a one-time update each time they are
checked and the Save Changes button is selected. After that there is no
forcing of the settings to remain in sync. The settings on the Accounts can
be overridden.
10.6 Collections Tab
Systems may be assigned membership to one or more collections. The collections list
shows all collections for which the user holds the ISA role. By assigning the system to
collections, the system automatically inherits user and group permissions that have
been assigned at the collection level. To modify collection membership, simply click
the Not Assigned or Assigned radio buttons next to each collection name and click
the button.
Note! An ISA can only assign systems to a collection if they have both PPM and
PSM ISA permissions on the system and the collection.
Note! If a collection is tied to either AD or Generic Integration the system’s
membership status in that collection cannot be changed.
10.7 Setting Permissions for PSM and PPM Functionality for Systems
Select Systems & Accounts  Systems  Manage Systems from the menu.
Once you select the system you want to modify click on the Permissions tab. With
the addition of Access Policies in v2.4 the Permissions tab has changed.
Note! You must be both a PPM and PSM ISA over a system to be allowed
to assign an Access Policy to it. Without PPM and PSM both, you will only be able to
view the permission assignments.
Select the Filter criteria you want and click the Results tab.
On this tab you can assign users and or groups an Access Policy for this System.
First, select an Access Policy from the Access Policy list on the right upper side of
the window. You will see that default Access Policies have been created to reflect the
old PAR and EGP Roles that existed prior to v2.4. Also, if you are an existing customer
prior to v2.4, Access Policies will be created for any unique permissions that you had
set up for account aliases. When you select an Access Policy from the list the detailed
permissions describing this Access Policy will be displayed in the rows below. The
buttons in the Access Policy Details area perform the following actions:
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a
policy of “Not Assigned” removes the current assignment.
• Applies the currently selected policy to all selected rows in the list. You
will be asked to confirm the assignment if more than 10 rows will be
affected.
• Removes the currently selected policy from all selected rows in the list.
If a row is not currently set to the selected policy it will not be changed.
You will be asked to confirm the assignment if more than 10 rows will be
affected.
• Removes unsaved edits from the current row.
• Removes unsaved edits from all currently selected rows.
An icon shown next to a row in the list simply means that row has been edited
since the last Save Changes occurred.
You can Shift+Click to select a range of rows. The first row you click on will be
surrounded by purple dashed lines; the next row that you Shift+Click will cause
all the rows between the original row and the current row to be highlighted.
If you are already on the Results tab, clicking the Results tab label refreshes the
list from the database based on your filter criteria and re-applies any unsaved
changes you may currently have.
When you are finished assigning/unassigning Access Policies click the Save Changes
button.
Note! You may re-filter and re-retrieve the results list without losing existing
edits. As the Results tab is reloaded, any Groups or Users that you have already
edited will reflect their edited policy assignment. When you click the Save Changes
button, all of the Access Policy assignment changes you have made for the system
will be saved. The appliance saves these in batches, reporting the number of
assignments added, removed, or changed for each batch.
10.8 Adding A System
If your System Administrator has set the “Restrict ISA System Creation” global
setting to “Yes”, you will not be allowed to add systems.
Select Systems & Accounts → Systems → Add System from the menu. After
completing all required fields for the new system (see section 10.0), click the
save button to accept. To start adding accounts to the system, or to view/edit
the functional account, click the accounts button and you will be taken to
the Account listing for that system.
10.8.1 Adding a System Using a Template
Templates may be used to quickly create new systems with a given set of
default values via the web interface, CLI or API. Select Systems & Accounts
→ Systems → Add System from the menu. Click the templates button.
Select a Template from the Listing tab and click the Details tab to enter the
System Name.
Note! A PSM ISA will only be able to select from templates that have all
PPM functions disabled. A PPM ISA will not be able to see templates that are
PSM only.
If the fields are not locked, make any other changes to the individual fields
as needed before saving.
Alert! The System IP address is copied from the template and must be
changed.
10.8.2 ISA Policy
You will see this list option when adding a System if your user ID is assigned
an Access Policy that contains an ISA permission. From this list you can select
which ISA policy should be applied for your access to this new system once it
has been saved.
Alert! If you select Do not Assign an ISA Policy and do not
assign the System to a Collection that you have access to, you will
NOT have any access to the system after it is saved.
10.8.3 Adding a System When there is a Default Template
If the administrator has set a template as a “default” template, every time
you add a system it will automatically use this template.
10.9 Managing A System
Select Systems & Accounts → Systems → Manage Systems from the menu. After
selecting the system you want to modify using the Filter and Listing tabs, make the
necessary changes to the system information and click the Save Changes button to
accept.
10.10 Clearing a Stored System Host Entry (PPM ISAs only)
The clear host entry button removes the host entry from TPAM’s known_hosts
file. This is needed, for example, when the SSH package on a managed system has
been reinstalled, or the OS itself has been reinstalled, so that the system now
presents a different host key. A test of the system would then report that the
stored host key entry does not match, and TPAM will refuse password authentication
because the mismatch is indistinguishable from a “man in the middle” attack.
Before clearing the entry, confirm through a channel other than SSH (for example
the system console) that the new key really belongs to the rebuilt system, so that
a genuine interception is not silently accepted.
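The decision behind this button is the same one an operator should make by hand before clearing the entry: obtain the rebuilt system’s new key fingerprint out of band, compare it with what is stored, and remove only the stale line. The Python below is an added example, not TPAM code; the known_hosts content, host names and key material are constructed inline, and the only real-world detail it relies on is the OpenSSH fingerprint format (SHA256 of the public key blob, base64 without padding).

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length followed by the bytes)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob from 32 raw key bytes."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample keys: the key a system had before it was rebuilt, and the key after.
OLD_KEY = ed25519_blob(bytes(range(32)))
NEW_KEY = ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts content. "jupiter" was reinstalled, so its stored key is stale.
KNOWN_HOSTS = "\n".join([
    "# sample known_hosts content (constructed for this example)",
    "saturn.example.test,10.0.0.5 ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
    "jupiter.example.test,10.0.0.6 ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
    "|1|hashedsalt|hashedhost ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
])


def parse_known_hosts(text: str):
    """Yield (line_no, hostnames, keytype, blob) for every plain (unhashed) entry."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):            # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith("|1|"):
            continue                            # hashed host names cannot be matched by name
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        yield line_no, hosts.split(","), keytype, base64.b64decode(b64)


def check_host(text: str, host: str, expected_fp: str):
    """Compare the stored key(s) for `host` with a fingerprint obtained out of band.

    Returns (status, stale_line_numbers) with status in {"absent", "match", "mismatch"}.
    """
    stale, matched = [], False
    for line_no, hosts, _keytype, blob in parse_known_hosts(text):
        if host not in hosts:
            continue
        if fingerprint(blob) == expected_fp:
            matched = True
        else:
            stale.append(line_no)
    if not stale and not matched:
        return "absent", []
    return ("match" if matched else "mismatch"), stale


def clear_host_entries(text: str, line_numbers) -> str:
    """Drop the given lines and keep everything else, the equivalent of clearing the entry."""
    drop = set(line_numbers)
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept)


if __name__ == "__main__":
    verified_fp = fingerprint(NEW_KEY)      # what the console on jupiter shows today
    status, stale = check_host(KNOWN_HOSTS, "jupiter.example.test", verified_fp)
    print(status, stale)
    if status == "mismatch":
        cleaned = clear_host_entries(KNOWN_HOSTS, stale)
        print(check_host(cleaned, "jupiter.example.test", verified_fp))
```

For jupiter the check reports a mismatch with the stale line number; after that line is removed the host is simply absent, which is the state this section’s button leaves behind so the next connection can record the new key. Hashed entries (starting with |1|) are skipped because they cannot be matched by name without the salt, and a fingerprint that matches nothing you can verify out of band is the case where you should stop rather than clear.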
10.11 Testing a System (PPM ISAs only)
To test connectivity to the system you have configured in TPAM, click the test
button.
10.12 Duplicating a System
To ease the burden of administration and help maintain consistency, systems can be
duplicated. This allows the administrator to create new systems that are very similar
to those that exist, while only having to modify a few details. To duplicate a system,
select Systems & Accounts → Systems → Manage Systems from the menu.
Select the system to duplicate from the Listing tab and click the duplicate
button. A new system object will be created and the system settings page will be
displayed. Make the necessary changes to the system settings, and click the
Save Changes button. The new system will inherit collection membership,
permissions, affinity and ticket system settings from the existing system.
10.13 List Systems
Certain data may be exported from TPAM to Microsoft® Excel® or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may
be imported into another TPAM – for example, to populate a lab appliance with data
for testing, without making the lower level changes that restoring a backup would
cause.
Systems are exported using the Systems & Accounts → Systems → List Systems
menu selection. Choose the criteria for the list of systems, which can be filtered to
produce a specific subset of data, or the full list of systems. System Templates will
not be included in the Listing.
With the introduction of Access Policies in v2.4 the PAR and EGP Permissions
tabs on the System Listing have been replaced with a single Permissions tab that
displays the Access Policy assigned to each user for the system.
Note! PPM ISAs will not see any “PSM Only Systems”, or systems with a
platform of PSM Web Access, or e-DMZ SPCW in the listing.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data
set you want exported in your file. Click the Excel or CSV button to download your
file.
11.0 Managing Accounts
Accounts on remote systems can be managed manually from TPAM. Selecting Systems &
Accounts → Add Account or Systems & Accounts → Accounts → Manage Accounts
will lead to the configuration pages for accounts. If modifying an existing account, first
select the desired account by entering criteria on the Filter tab, clicking on the Listing tab,
clicking on the Account Name you are looking for and then clicking on any of the additional
tabs to edit the account. Below is a description of all the fields on the various tabs.
Using the Filter and Listing tabs, select the account to manage.
11.1 Account Details Tab
11.1.1 Account Name
This is the descriptive name of the account. Within TPAM, all the account
names on one system must be unique. The name can be 2-30 characters
long and cannot contain spaces.
11.1.2 Account is Locked (PPM ISAs only)
This checkbox gives Administrators and PPM ISAs the ability to “lock” and
“unlock” an account. When an account is locked passwords for that account
cannot be retrieved, released or changed. Password requests or session
requests can be submitted but the password or session will not be available
until the account is unlocked.
11.1.3 Password
Enter the active current password for the account. If no password is specified
(left blank), PPM will store the value “default initial password” as the
password for the account.
11.1.4 Password Rule (PPM ISAs only)
Select the desired password rule to serve as the default for the account. If the
selection is not changed (or if no other rules have been defined in TPAM) the
Default Password Rule will be selected. The password rule will govern the
construction requirements for new passwords generated by PPM.
If the account resides on a Windows system, two additional options
are provided:
11.1.5 Change password for Windows Services started by this account?
If this is the Administrator account, or another functional account that runs
system services, this option will ensure that the password change is also
applied to each service the account runs.
11.1.6 Use this account’s current password to change the password?
This may be necessary on Windows XP and Windows Server 2003 where
Encrypting File System or other third-party security products are used, and
rely on authentication certificates stored in that account’s personal store. If
the system is configured with a “non-privileged functional account” then this
setting will default for all accounts added to this system.
11.1.7 Description
This is a free text field where additional descriptive information may be
entered.
Alert! For accounts on LDAP/LDAPS and Novell managed systems you
must enter the actual account name in this field.
11.1.8 Password Management (PPM ISAs only)
By default, the property of the parent system is inherited at the account level
as either None or Automatic. If Manual is selected, the primary contact e-mail
address at the system and account level will receive an e-mail when it is time to
manually reset the password. The contact will keep receiving this e-mail at regular
intervals, based on how the Sys-Admin has configured the Auto Management Agent
settings, until the password has been confirmed to be reset in PPM. If Automatic or
Manual is selected, the change frequency and post-release reset details should be
specifically configured for the account on the Management Details tab.
Alert! The Reset Password option relies on the PPM change
agent. If the change agent is not running, the password will not be
reset. The Manual Password e-mail notification relies on the Man Pwd
Change Agent, if it is not running no email notifications will go out to
reset the password.
11.1.9 Ignore System Access Policies? (PPM ISAs only)
If this box is checked and saved any Access Policies assigned to the System
will not apply to this account. For users of TPAM prior to v2.4 this takes the
place of the Alias Access Only setting.
Alert! If this box is checked the account will not be able to be
requested unless it is in a collection (with appropriate access assigned) or
user/group permissions are assigned directly to the account.
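To see what this flag does to who can request an account, the following is an added Python model, not TPAM code, of the permission sources this manual describes: assignments made directly on the account, the account’s own collections, and, unless the flag is set, the system’s assignments and the system’s collections. The policy names, users, groups and collections are constructed for the example, and the assumption that any single reachable policy with a request permission is enough is a simplification of the real permission hierarchy.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    collections: set = field(default_factory=set)     # collections the system belongs to
    assignments: dict = field(default_factory=dict)   # principal -> Access Policy name


@dataclass
class Account:
    name: str
    system: System
    ignore_system_policies: bool = False              # "Ignore System Access Policies?"
    collections: set = field(default_factory=set)
    assignments: dict = field(default_factory=dict)


# Assumed policy names that carry a request permission (not TPAM's default policy names).
REQUEST_POLICIES = {"Requestor", "Requestor+Approver"}

# Constructed directory: user -> groups, and collection -> {principal: policy}.
GROUPS = {"alice": {"dba-team"}, "bob": set(), "carol": {"noc"}}
COLLECTIONS = {
    "prod-db": {"dba-team": "Requestor"},
    "noc-view": {"noc": "Auditor"},
}

SATURN = System("saturn", collections={"prod-db"}, assignments={"bob": "Requestor"})
ORACLE = Account("oracle", SATURN)                                   # inherits from the system
SYSADM = Account("sysadm", SATURN, ignore_system_policies=True)      # flag set, nothing else
ROOT = Account("root", SATURN, ignore_system_policies=True,
               assignments={"bob": "Requestor"})                     # flag set, direct grant
BACKUP = Account("backup", SATURN, ignore_system_policies=True,
                 collections={"noc-view"})                           # flag set, Auditor-only collection


def principals(user):
    """The user plus every group the user belongs to; assignments can target either."""
    return {user} | GROUPS.get(user, set())


def effective_sources(account, user):
    """(source, policy) pairs that reach `user` for this account, in evaluation order."""
    who = principals(user)
    found = []

    def scan(label, assignments):
        found.extend((label, pol) for prin, pol in assignments.items() if prin in who)

    scan("account", account.assignments)
    for c in sorted(account.collections):
        scan(f"account-collection:{c}", COLLECTIONS.get(c, {}))
    if not account.ignore_system_policies:        # the flag cuts off everything below this line
        scan("system", account.system.assignments)
        for c in sorted(account.system.collections):
            scan(f"system-collection:{c}", COLLECTIONS.get(c, {}))
    return found


def can_request(account, user):
    """True if at least one reachable policy carries a request permission."""
    return any(pol in REQUEST_POLICIES for _, pol in effective_sources(account, user))


def unreachable_accounts(accounts, users):
    """Accounts that none of `users` can request: the situation the Alert above warns about."""
    return [a.name for a in accounts if not any(can_request(a, u) for u in users)]


if __name__ == "__main__":
    for acct in (ORACLE, SYSADM, ROOT, BACKUP):
        for user in ("alice", "bob", "carol"):
            print(acct.name, user, can_request(acct, user), effective_sources(acct, user))
    print("unreachable:", unreachable_accounts([ORACLE, SYSADM, ROOT, BACKUP], ["alice", "bob", "carol"]))
```

Running it shows that alice reaches oracle only through the system’s collection, that setting the flag on sysadm removes that path with nothing to replace it, and that backup stays unreachable even though it is in a collection, because the policy assigned there carries no request permission. A sweep like unreachable_accounts is a cheap check to run after bulk edits of this flag.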
11.1.10 Approvals Required (PPM ISAs only)
The default value is 1, indicating that one single approval will allow the
password release to the requestor (dual control release). This value can be
changed to force multiple approvers to approve each release request. Setting
a value of zero will disable dual control for the account and PPM will auto-approve any request for release and make the appropriate log entry.
11.1.11 Maximum Duration (PPM ISAs only)
This is the maximum duration for a password release on the account. If this is
overridden by an Access Policy assignment, the lower of the two durations will
be used. The default duration that the requestor will see for any new
password request is 2 hours, or the maximum duration, whichever is less.
11.1.12 Notification E-mail (PPM ISAs only)
The e-mail address specified in this field will receive notification of certain
password releases. This would apply to releases by ISA users and CLI/API
users under all circumstances, and authorized requestors when dual control is
not required (number of approvals set to zero). This e-mail address also
receives notification if a manually managed password needs to be changed.
Multiple email addresses can be specified by entering each email address
separated by a comma, up to a maximum of 255 characters.
Any time there is a change made to the notification email address field, an
email will automatically be sent to the old email address with a notification
that this change has occurred.
11.1.13 Simultaneous Privileged Release (PPM ISAs only)
This field allows an Admin or a PPM ISA to permit more than one Privileged
Access User (PAC) to request and retrieve a password/session during the
same or an overlapping time period.
Note! If another Requestor already has the password checked out the
PAC users will have to wait for that release window to expire before they can
gain access.
11.1.14 Override Individual Accountability (PPM ISAs only)
The System Administrator must have this global setting turned on in order for
you to check this flag on an account. When the Override Individual
Accountability box is checked more than one requestor will be able to request
this password at the same time or during an overlapping duration. Any
changes made to the Override Individual Accountability checkbox at the
account level will be logged in the Activity Log.
On the Account Management tab, if the account has the Change Password
after any Release box checked and the password is retrieved, the
password will be changed at the end of each requestor’s request duration.
If the Do not automatically change the password while a release is
active box is checked, the password will not be changed until the last
requestor’s release duration has expired.
If the System Administrator decides to change the Global Setting from
allowing account override to no longer allowing it, any Accounts that had been
checked to override individual accountability will have their checkboxes
cleared.
A button on this tab allows you to quickly navigate to the System on which a
specific account resides.
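The interaction between Override Individual Accountability, Change Password after any Release and Do not automatically change the password while a release is active is easiest to see on a timeline. The Python below is an added example, not TPAM’s scheduler: the release windows are constructed in minutes, the two flags are modelled exactly as the text above states them, and the ISA exception described in section 11.4.5 (an ISA pull with Change Password after any Release set always triggers the change) is included so that its effect on other open releases is visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    requestor: str
    start: int              # minutes from an arbitrary origin
    end: int                # the release duration expires here (exclusive)
    isa: bool = False       # True when an ISA pulled the password rather than a requestor
    accessed: bool = True   # the password was actually viewed during the release


# Constructed timeline. alice and bob overlap, which is only possible when
# Override Individual Accountability (or Simultaneous Privileged Release) is on.
RELEASES = [
    Release("alice", 0, 60),
    Release("bob", 30, 90),
    Release("carol", 120, 180),
]
ISA_PULL = Release("isa-ops", 40, 50, isa=True)


def active_at(releases, t):
    """Releases whose window is still open at minute t."""
    return [r for r in releases if r.start <= t < r.end]


def post_release_changes(releases, change_after_release, hold_while_active):
    """Minutes at which PPM changes the password because a release ended.

    change_after_release : Change Password after any Release
    hold_while_active    : Do Not Automatically Change the Password while a Release is Active
    """
    if not change_after_release:
        return []
    times = set()
    for r in releases:
        still_open = active_at(releases, r.end)       # r itself is already closed at r.end
        if hold_while_active and still_open and not r.isa:
            continue   # wait until the last overlapping requestor's release has expired
        times.add(r.end)   # an ISA pull is the documented exception and always triggers the change
    return sorted(times)


def scheduled_change_runs(scheduled_at, releases, hold_while_active):
    """Whether a Change Frequency run at `scheduled_at` proceeds or is skipped."""
    blocking = [r for r in active_at(releases, scheduled_at) if r.accessed]
    return not (hold_while_active and blocking)


def mid_session_changes(releases, change_after_release, hold_while_active):
    """Requestors whose still-open release sees the password change under these flags."""
    hits = set()
    for t in post_release_changes(releases, change_after_release, hold_while_active):
        for r in active_at(releases, t):
            hits.add(r.requestor)
    return sorted(hits)


if __name__ == "__main__":
    for hold in (False, True):
        print("hold_while_active =", hold,
              "changes at", post_release_changes(RELEASES, True, hold),
              "mid-session for", mid_session_changes(RELEASES, True, hold))
    print("with ISA pull, hold on:",
          post_release_changes(RELEASES + [ISA_PULL], True, True),
          mid_session_changes(RELEASES + [ISA_PULL], True, True))
```

With the hold flag off, alice’s release ending at minute 60 rotates the password while bob is still working with it; with the flag on, the change waits until minute 90. The ISA pull at minute 50 changes it regardless, under both alice and bob, which is why an ISA retrieving a password on an account with overlapping releases should expect to interrupt the other requestors.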
11.2 Account Reviews Tab (PPM ISAs only)
The account review settings that were on the Account Details tab in prior releases
are now located on a sub-tab titled Reviews.
11.2.1 Post Release Review Requirements
These settings give you the ability to set review requirements for password
releases. Enter the number of reviews required. Select the radio button to
choose eligible reviewers. If you select Any Authorized Reviewer
(excluding Requestor), any user assigned an Access Policy with Review
Password permission, or who is a member of a Group with a Review Password
permission, is eligible to complete the review, as are all Auditors. If you
want someone to receive an e-mail notification if the review is not completed
within X hours, fill out the hour threshold and e-mail address. The password
release is not eligible for review until the release duration has expired. Once
the password release has expired all eligible reviewers will receive an e-mail
notification that there is a password release to review.
11.3 Account Custom Information Tab
There are six customizable fields that you can use to track information about each
account. These custom fields are enabled and configured by the System Administrator
in the paradmin interface. If these fields have not been enabled then this sub-tab will
not be visible.
11.4 Account Management Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Details tab.
11.4.1 Check Password
If the Check Password box is selected the password for this account will be
checked by PPM. The check schedule is configured through the paradmin
interface and it can be run as often as daily.
11.4.2 Reset Password on Mismatch
This option is only available if the Check Password box is checked. If this
option is checked the password will be changed when a mismatch condition is
found.
11.4.3 Don’t Check Password
If the Don’t Check Password box is selected the password for this account
will not be checked daily by PPM. Care should be used selecting this option
because a mismatch between the stored password and the actual password
will go undetected.
11.4.4 Change Password after any release
This option indicates whether the password for the account should be
automatically reset by PPM following a release to any user (including ISA
users). The option is enabled by default. If disabled, the password will not be
changed after releases, but will still be changed based upon the Change
Frequency settings.
11.4.5 Do Not Automatically Change the Password while a Release is Active
This is a flag that the admin or PPM ISA can check so that a password will not
be automatically changed by PPM while it still has an active release request
open. For example, if a release request for a session or password is open (has
not been canceled, expired or closed) and the password has already been
accessed by the requestor then any scheduled changes will be skipped. The
exception to this rule is if an ISA pulls the password and the Change
Password After Any Release box is checked then the password will be
changed.
11.4.6 Change Frequency
This option instructs PPM to generate a new password and change it on the
managed system for this account only based on the time criteria selected.
11.4.7 Change Time
This option specifies the time of day that the automated password changes
should occur for this account.
11.4.8 Next Change Date
This option indicates the date that the next scheduled password change is to
occur. This date may be changed to alter the current change schedule.
11.4.9 Default duration for ISA releases of password (view only)
This option specifies the amount of time after an ISA user has released the
password before it will be changed. This option will be disabled if the Change
password after any release option is disabled. Maximum value is 7 days.
Minimum value is 15 minutes. Configurable in 15 minute increments.
11.4.10 Allow ISA to enter Duration on Release (view only)
If this checkbox is checked, an ISA may enter a release duration other than
the default when retrieving a password. The duration must be >0 and <= the
max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details
tab). This column was added to the System and Account Imports and Batch
Updates.
11.4.11 Pull Defaults From System
When checked, the default values for password change frequency, change
time, ISA release change parameters, and whether or not the password will
be checked will be pulled from those settings at the system level and
populated at the account level. This is a one-time action and does not prevent
any of these settings from being modified again. This is a good way to ‘reset’
an account’s parameters at any time. This action can be performed as many
times as desired.
11.5 Account Ticket System Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Details tab. The options available on this tab will be predetermined by how Ticket
Systems were configured in the paradmin interface and at the System level. If no
Ticket Systems have been configured and enabled in the paradmin interface the
Ticket System tab will be inaccessible.
11.5.1 Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
password or file request is submitted for this system. If multiple Ticket
Systems are enabled they will be listed in the drop down list for selection. You
can specify the ticket system or allow entry of a ticket number from any
system that is enabled. If this box is not checked users will still be able to
enter a Ticket Number on a request.
11.5.2 Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a
ticket number. You also have the option to require users making requests
through the CLI or API to supply a ticket number prior to retrieving a
password or file. As an ISA you cannot determine if a ticket is required for
ISAs, so this checkbox is disabled.
11.5.3 Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a password or file without supplying a ticket.
11.5.4 Propagation
You have the option of pulling the Ticket System settings for the Account from
the System defaults. To set the account at the System defaults, check this box
and click the Save Changes button. To override the system settings, uncheck
this box, edit the settings and click the Save Changes button.
Note! If someone goes in at the System level and decides to push the
system settings out to all the accounts, the settings saved here will be
overridden with whatever is set at the system level at that time.
11.6 Managing Services in a Windows Domain Environment (PPM ISAs only)
If the account managed by PPM is a Windows domain account (the system is defined
as Active Directory or Windows NT Domain), services running on domain member
systems using this account can also be managed in terms of password changes.
For domain member systems to have these service account passwords changed,
each system must be configured in TPAM and the domain functional account must
be properly privileged on that system (i.e. a member of the local Administrators
group).
To specify these systems for automatic password changes at the services level, select
the Dependents tab. Enter your Filter criteria and click the Results tab.
The Results page will display all available Windows systems. Select those with
dependencies on the domain level account by clicking the Dependent radio button
next to each System Name.
When the password for the managed domain account (i.e. Administrator) is changed,
PPM will also enumerate the services on each selected dependent system and change
the password for all services being run by the domain account.
In the example used in the figures above, ‘Administrator’ is a domain account,
specified on a domain controller called Saturn. The system Jupiter is defined as a
dependent system to this account, indicating that there are services running on
Jupiter using the domain Administrator account. When the password for
‘Administrator’ is changed by PPM, each system defined as dependent, such as
Jupiter, will have the password changed for any service using the domain
Administrator password.
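The dependent change only applies to services whose logon identity really is the managed domain account, and Windows reports that identity in several spellings. The selection step below is an added Python example, not TPAM code: it normalises the forms found in Win32_Service.StartName (DOMAIN\user, user@dns.domain, .\user and the built-in identities) so that a local Administrator on a member server is not mistaken for the domain Administrator. The service inventory, domain names and host names are constructed for the example; the password change itself is done by the service control manager on each member, which is what PPM drives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    system: str
    name: str
    start_name: str   # Win32_Service.StartName as reported by the member server


# Constructed inventory, modelled on Win32_Service output from two member servers.
INVENTORY = [
    Service("jupiter", "BackupAgent", r"CORP\Administrator"),
    Service("jupiter", "ReportSvc", "administrator@corp.example"),   # UPN form
    Service("jupiter", "LegacyTool", r".\Administrator"),            # LOCAL admin, same name
    Service("jupiter", "Spooler", "LocalSystem"),
    Service("jupiter", "W32Time", r"NT AUTHORITY\LocalService"),
    Service("mars", "BackupAgent", r"corp\ADMINISTRATOR"),           # case differs
    Service("mars", "OtherSvc", r"OTHERDOM\Administrator"),          # different domain
]

BUILTIN_PREFIXES = ("nt authority\\", "nt service\\")


def normalize(start_name, domain_netbios, domain_dns):
    """Map a StartName to (realm, user) in lower case.

    realm is "domain" for the managed domain, "local" for .\\user or a bare name,
    the raw realm string for any other domain, and None for built-in identities.
    """
    s = start_name.strip().lower()
    if s in ("localsystem", "") or s.startswith(BUILTIN_PREFIXES):
        return None
    if "@" in s:                                  # UPN: user@dns.domain
        user, _, dns = s.partition("@")
        return ("domain" if dns == domain_dns.lower() else dns, user)
    if "\\" in s:
        realm, _, user = s.partition("\\")
        if realm == ".":
            return ("local", user)
        return ("domain" if realm == domain_netbios.lower() else realm, user)
    return ("local", s)                           # bare name = local account on that server


def dependent_services(inventory, dependent_systems, domain_netbios, domain_dns, account):
    """Services on the selected dependent systems that log on as the managed domain account."""
    wanted = ("domain", account.lower())
    return [(svc.system, svc.name) for svc in inventory
            if svc.system in dependent_systems
            and normalize(svc.start_name, domain_netbios, domain_dns) == wanted]


if __name__ == "__main__":
    targets = dependent_services(INVENTORY, {"jupiter", "mars"}, "CORP", "corp.example", "Administrator")
    for system, name in targets:
        print(f"{system}: service {name} needs the new CORP\\Administrator password")
```

The local LegacyTool service on jupiter is deliberately left out: its .\Administrator identity is a different principal with a different password, and updating it with the domain account’s new password would break it. Only systems selected as Dependent are considered, mirroring the radio buttons on the Dependents tab.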
11.7 Accounts Management Logs Tab
By clicking on the Logs tab you can view detailed history on the password for
the account. There is a Filter tab to specify the date range or exact date of the
activity you are looking for.
11.7.1 Change Log
This allows you to view the password change history.
11.7.2 Test Log
This allows you to view the log of password test activity.
11.7.3 Release Log
This allows you to view the log of password release activity.
11.7.4 Dependent Change Log
If the account exists on a Windows Domain Controller and could have other
system dependencies, there will be a DA (domain account) Change Log tab that
shows the change activity for the account on the dependent systems. This
tab becomes enabled when a change log record is selected that has
associated dependent changes.
11.7.5 Change Agent Log
This tab will show associated change agent log records for the selected entity
but only for changes that occur after a v2.3+ upgrade.
11.8 Account Management Passwords Tab (PPM ISAs only)
11.8.1 Current Password tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Passwords tab.
The Current Password tab retrieves the password for the account. Enter the
Release Reason in the text box provided. If required enter the Ticket System and
Ticket Number. Click the Password tab to see the current password.
If your System Administrator has decided to configure Reason Codes for your
environment, you will see them available in the list here. Reason codes give you a
quick way to submit a request without having to type in a detailed reason. You may
be required to enter a reason code, they may be optional or they may be disabled.
If the ISA needs to access the current password on behalf of another person, they
should enter the original requestor’s name in the Proxy Release For field. Proxy
releases can be reported on in the Password Release Activity Report. The ISA will be
able to enter a longer/shorter duration for the release if the Allow ISA to enter
Duration on Release flag is checked on the Account Management tab.
The password will be displayed for a maximum of 20 seconds. For convenience, the
password may also be copied into the user’s clipboard. This can be done using the
mouse and dragging the password, then right-clicking and selecting “Copy”.
Tip! An easy and quick way to copy the password into the clipboard is to click in
the displayed password text box then use Ctrl+A followed by Ctrl+C.
11.8.2 Account Management Past Password Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Passwords tab.
To view past passwords for an account click the Past Passwords tab. Use the Filter
tab to narrow the date range of the passwords you are looking for and then click the
Past Passwords tab next to the Filter tab. This allows you to select a password that
was valid for a specific period of time. This is especially important if the managed
system has been restored from a backup and the password that was effective at the
time of the backup is required.
To view the password for each logged activity, click a row in the results and then click
the Password tab.
11.9 Account Collections Tab
With the addition of account level permissions in v2.4, accounts can now be members
of a collection. See section 10.6 for details on assigning Collection membership.
Note! An account cannot belong to the same collection as its parent system, or
vice versa.
11.10 Setting Permissions for PSM and PPM Functionality for Accounts
In v2.4 you can now assign permissions at the Account level. Select Systems,
Accounts, & Collections → Accounts → Manage Accounts from the menu. Once
you select the account you want to modify, click the Permissions tab.
Refer to section 10.7 for details on how the Permissions tab works.
11.11 PSM Details General Tab (PSM ISAs only)
The options for configuring sessions are as follows:
Enable PSM Sessions?
Turn on/off the ability of users to access this account as a recorded session
through PSM. All subsequent options are contingent upon this being checked.
Proxy Connection Type (platform dependent)
Select the type of remote connection compatible with the configuration of the
remote system.
Note! When choosing any of the proxy methods listed below that use
Automatic Login, the password is not automatically reset after the session is
completed because the password is never displayed to the user.
• RDP-Automatic Login Using Password – Connect to the system using an RDP (Terminal Services protocol) client and automatically log in using the password retrieved from the local or remote TPAM. This ensures that the password is never displayed or known to the user.
• RDP-Interactive Login – Connect to the system using an RDP client to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC-Interactive Login – Establish a connection to the remote system using the VNC client. The user must know the VNC password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC Enterprise-Interactive Login – Establish a connection to the remote system using the VNC Enterprise client. The user must know the VNC password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet-Interactive Login – Connect to the system using the Telnet protocol, to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet-Automatic Login Using Password – Connect to the system using the Telnet protocol and automatically log in using the password retrieved from the local or a remote TPAM. This ensures that the password is never displayed or known to the user.
• SSH-Automatic Login Using DSS Key – Connect to the system using SSH and authenticate via a DSS private key. The private key must be previously uploaded to TPAM for this purpose.
• SSH-Interactive Login – Establish an SSH session to the remote system and allow the user to manually enter the password. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
• SSH-Automatic Login Using Password (for UNIX systems only) – Connect to the system using SSH and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH – Automatic Login Using Password (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH – Interactive Login (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and allow the user to manually enter the password. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
• SQLPlus – Automatic Login Using Password – Connect to the system using the SQLPlus client and automatically log in using the password retrieved from the local or remote TPAM.
• SQLPlus – Interactive Login – Establish a connection to the remote system using the SQLPlus client. The user must know the SQLPlus password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• SQL Window – Automatic Login Using Password – Connect to the system using the SQL Window client and automatically log in using the password retrieved from the local or remote TPAM.
• SQL Window – Interactive Login – Establish a connection to the remote system using the SQL Window client. The user must know the SQL Window password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
Custom Connection Profile
You have the ability to create and assign Custom Connection Profiles to an
account. The connection profile can be used to override the default connection
parameters.
Post Session Profile
You have the ability to create and assign Post Session Profiles to an account.
The post session file is used to add additional steps at the end of a session
request.
Color Depth (proxy type dependent)
This setting controls the number of colors recorded in your sessions. You can
select a color depth of 8 (256 colors) or 16 (65,536 colors) for recording your
sessions. For a VNC connection the color options are 0 (Very Low) through 3
(Auto Select/Full Color).
Required # of Approvals
This indicates the number of approvers required for each session request. If
the system/account is managed by PPM it is possible to have a different value
configured in PSM for this system/account. In the event of such a conflict, the
value set on PPM for dual control requirement may override the value set
here. This will occur only for connection types that use interactive login
(where the password will be displayed).
Maximum Simultaneous Sessions (proxy type dependent)
Specifies the maximum number of simultaneous sessions that may be
established for the system/account. This option only exists for accounts
configured to auto-authenticate the user. If the password is provided by TPAM
for interactive logon then only one concurrent session will be allowed to
preserve individual accountability.
Default Session Duration
This is the Session Duration that is displayed by default when requesting a
session. It can be changed within the limits set by the Max Password Duration
and the Access Policy session duration. TPAM will not automatically disconnect
the session unless indicated by the global setting.
Session Exceeding Duration Notification
Allows email notifications to be sent to the primary contact specified for the
system if a session exceeds the maximum session time for the request.
Configurable parameters are: frequency (in minutes) of notifications; and
threshold time (in minutes) before initial notification is sent for a session.
Both values must be non-zero for notifications to be sent.
Session Start Notification
When the user starts the session this contact will receive an e-mail
notification.
Enable Clipboard?
If this box is checked the user will be able to use the clipboard function for
copy/paste of text during a session.
Enable Console Connection?
If this box is checked the user will be able to connect to the console of the
system they are connecting to. This is an RDP only feature.
Record All Sessions
This box will be checked by default. If you do NOT want any sessions
recorded for this account, UNCHECK the box. Unchecking the box will also
mean that this will be an option at the account alias level.
Enable File Uploads?
If this flag is checked file uploads will be allowed during sessions through this
account. This box will be checked by default.
Enable File Downloads?
You have the ability to download a file from a managed system to the local
pc/network drive during a session. Check the box to enable this option.
11.12 PSM Session Authentication Tab (PSM Customers Only)
Authentication Credential Storage Method
• Password Managed by Local TPAM – select this option if the local
TPAM appliance is managing this account.
• Use Remote TPAM CLI – select this option if the account is managed by
another TPAM appliance, and specify the CLI UserID to be used to retrieve
the password. The remote TPAM CLI ID now has the capability of using
domain accounts for authentication during a session. Access to the public
key for the CLI ID will be required, and must be supplied to TPAM. When
this method of password retrieval is used, the number of approvals
specified on the remote TPAM is ignored and access to the password is not
limited to a single release.
• Use DSS Key – select this option if an authentication key is used for the
account instead of a password. You have the additional options of using a
system standard DSS Key (TPAM 2.1 allows you to configure up to 3
active keys) or having TPAM generate a pair of keys for you.
• Not Stored-Specify password during session – select this option if the
account’s password is not stored or managed by any TPAM. When this
option is used the password must be specified when the session is
initiated.
• Use Windows Domain Account - select this option if the account’s
password is not stored or managed by any TPAM. The named account is a
placeholder for the domain account TPAM will be using to authenticate to
the system. Through this method you can connect to a system using a
domain account instead of a local account. On the Session
Authentication tab the user name used to log in to the remote session
must be added as an account associated with a Windows Active Directory
System.
11.13 PSM File Transfer Tab (PSM Customers Only)
You have the ability to transfer files during a session from the client to the host. The
File Transfer tab is where you can configure this.
File Transfer Method (platform dependent)
Based on the system platform select Windows File Copy, Secure Copy (SCP)
or SCP using the TPAM Functional Account.
File Transfer Share
Enter the share where the files will be located.
If you select Same as Session Authentication then it will use the same
credentials as the session (account name and password or key). If you select
Specify at file transfer time you will be prompted to provide the account
name and password at the time of file transfer.
To test the file transfer, click the button. The test Account
Name is required when the Specify at file transfer time radio button is
selected. The test Password is required when either the Specify at file
transfer time radio button is selected or the authentication method indicates
the password is not stored.
Alert! There is a 100 MB size limit on any files that you transfer.
11.14 PSM Review Requirements Tab (PSM Customers Only)
You have the ability to configure review requirements for recorded sessions. This is to
facilitate the need to make sure all recorded sessions are audited by someone within
your company. See descriptions of the fields below to configure the reviews.
Reviews Required
This number indicates the number of reviewers required to review the
recorded session. The default is set to 0. Until the specified number of reviews are
attached to a session, the review requirements have not been met.
Selecting the Reviewer
Select whether you want a specific Group, User, Auditor or Any
Authorized Reviewer to be eligible to review the session. Any Authorized
Reviewer is any user that is assigned an access policy which contains a
Review Session permission or is a member of a Group with Review Session
permission and all Auditors.
Review Escalation
The e-mail will be sent if the required review/reviews have not been
completed within the specified time after the requested session duration. You
can enter multiple e-mail addresses by separating them with a comma. If the
review requirements are met prior to the expiration of the escalation time
after the session then the escalation notification will not be sent.
11.15 Adding an Account
Select Systems & Accounts → Accounts → Add Account from the menu. Enter
your filter criteria to select the system you want to add the account on and click the
System tab. Select the system or system template and click the Detail tab. After
completing all required fields for the new account (see 9.1 for a description of all
fields), click the button to accept.
11.16 Managing an Account
Select Systems & Accounts → Accounts → Manage Accounts from the menu.
After completing all required fields for the new account (see 9.1 for a description of
all fields), click the button to accept.
The button allows you to quickly navigate to the System on which a
specific account resides.
11.17 Duplicating an Account
To ease the burden of administration and help maintain consistency, accounts can be
duplicated. This allows the ISA to create new accounts that are very similar to those
that exist, while only having to modify a few details. To duplicate an account, select
Systems, Accounts, & Collections → Accounts → Manage Accounts from the
menu. Select the account to duplicate from the Listing tab and click the
button. A new account will be created and the account details tab will be displayed.
Make the necessary changes to the account parameters, and click the button.
The duplicated account will NOT inherit permissions and collection assignment
from the master account.
Note! The duplicated account will only inherit PSM settings, if the user selects the
PSM Details tab before saving the duplicated account.
11.18 Quest One Privileged Command Manager (PSM Customers licensed for PCM only)
Using PCM you have the capability to specify by account what commands a user can
execute during a session. If your Administrator has configured Access Policies that
are command specific you can assign these access policies to a system/account if you
have both PPM and PSM ISA permissions over the entity.
When the user requests a session for a specific account the Access policy will control
what commands can be executed during that session.
11.19 Account Current Status
The button on the bottom of the Account Management and the
Retrieve Password pages gives Administrators and ISAs the most up to date
information on an account in a central location. After clicking the
button you will see the following page.
Here you see information on the account such as open password requests, open
session requests, scheduled password resets and past reset results. You'll also see if
the current password has been released by the system or if it was manually entered
by a user. Passwords manually entered prior to TPAM 2.1.711 are not reported but
any password set after TPAM 2.1.711 should be reported properly as to whether that
password is known by any user.
11.20 Manual Password Management (PPM ISAs only)
Accounts that are not auto-managed by PPM may still take advantage of the secure
storage and release mechanisms, as well as the logging and reporting functions of
TPAM. Password changes for such system accounts can be accomplished in two ways
– PPM generated passwords and User generated passwords.
If the system is auto-managed then PPM will generate the password and attempt to
set it on the managed system. If the system is not managed then PPM will generate
the password and display it for the user to set on the target system and then require
the user to indicate whether or not the password was set successfully on the target
system.
Also, for a non-managed account, if the correct password is known and the password
stored in TPAM is known to be incorrect, then the correct password can be keyed into
the New Password field of the account details.
PPM Generated Passwords – To take advantage of the password generating ability
of PPM, passwords can be generated for non auto-managed systems. From the
Account Listing tab select an account and click the button.
Because the system is not managed by PPM, it is not possible for TPAM to reset the
password on the system itself. A new password will be generated. The results of the
password reset will automatically appear on the screen. See below.
Change the password for the account on the remote system manually to the new
password assigned by PPM. When the password has been reset, click the
button. If there are problems encountered changing the password,
click the button – PPM will discard the new password and perform
a rollback to the previously stored password.
User Generated Passwords – If the password for the non-managed account is
maintained independently of PPM and you want to keep the password stored in
TPAM synchronized manually, select the account from the Listing tab and click the
Details tab. Enter the new password in the Current Password field and save the
changes. This method is useful if the system belongs to another party, is not
accessible to TPAM, or is otherwise not eligible for auto-management.
Password Release Notification – When a non-managed account’s password has
been released to a user, the defined system contact email address for the system will
receive a notice when the release duration has expired. This provides the opportunity
to have the password manually reset if desired. Early expiration of the release
duration will not change the time of notification.
11.21 Password Management (PPM ISAs only)
Password Management allows TPAM Administrators and PPM ISAs to do a “mass”
forced reset of account passwords that are auto-managed and not a collection
account. This screen also gives you a central location in which to view the current
password status for all passwords. Select Systems & Accounts → Password
Management on the main menu.
Use the Filter tab to enter your search criteria and then click the Listing tab.
In v2.4 we added a Change Schedule Filter on the Password Management
page that allows you to filter based on the reason for a scheduled password change.
Managed Password Reset
To force a reset of all passwords managed by PPM that are not a synchronized
password, click the All checkbox at the top of the page and then click the
button.
To individually select which PPM managed account passwords you want reset, check
the checkbox on each individual account and click the button for more than
one account, or the button to reset just one account password. This
will schedule the password reset in the Change queue. To view the change history
select the individual account and click the Logs tab.
Non Managed Password Reset
To reset a password for a system/account not managed by PPM (manual or not
managed) select the individual row and click the button. A new
password will be generated and presented to you on the screen. Indicate whether the
password update on the non managed system was successful or if it failed by clicking
the appropriate button.
11.22 Managing Services in a Windows Domain Environment (PPM ISAs only)
If the account managed by PPM is a Windows domain account (the system is defined
as Active Directory or Windows NT Domain), services running on domain member
systems using this account can also be managed in terms of password changes.
The prerequisite for domain member systems to have these service account
passwords changed is that each system must be configured in TPAM and the domain
functional account must be properly privileged on that system (i.e. member of the local
Administrators group).
To specify these systems for automatic password changes at the services level, select
the Dependents tab. Enter your Filter criteria and click the Results tab.
The Results page will display all available Windows systems. Select those with
dependencies on the domain level account by clicking the Dependent radio button
next to each System Name.
When the password for the managed domain account (i.e. Administrator) is changed,
PPM will also enumerate the services on each selected dependent system and change
the password for all services being run by the domain account.
In the example used in the figures above, ‘Administrator’ is a domain account,
specified on a domain controller called Saturn. The system Jupiter is defined as a
dependent system to this account, indicating that there are services running on
Jupiter using the domain Administrator account. When the password for
‘Administrator’ is changed by PPM, each system defined as dependent, such as
Jupiter, will have the password changed for any service using the domain
Administrator password.
11.23 List Accounts
Accounts are exported using the Systems & Accounts → Accounts → List
Accounts menu selection. Choose the criteria for the list of accounts.
In v2.4 we added password review requirement information to the listing.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data
set you want to view.
11.24 List PSM Accounts (PSM ISAs only)
PSM accounts can be listed and exported using the Systems & Accounts →
Accounts → List PSM Accounts menu selection. Choose the criteria for the list of
accounts, which can be filtered to produce a specific subset of data, or the full list of
accounts.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data
set you want to view.
12.0 Managing Secure File Storage (PPM ISAs only)
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the
same secure storage and retrieval controls for files. This functionality can be used for many
file types, but its intent is to securely store and control access to public/private key files and
certificates.
12.1 Adding a File for Storage
To add a new file for secure storage, select Systems & Accounts → Files → Add
File from the menu. Enter your filter criteria to find the system you want and click
the System tab. Select the desired system, then click the Details tab.
Define the File Display Name, which can be more descriptive than the actual
filename. This is the name users will see when requesting access to stored files.
Click the button. This will bring up another window where you can select
your local file.
The number of Approvals Required to release the file contents indicates the level of
approval control desired. This parameter will accomplish the exact same results as
the similar parameter for stored passwords.
The Maximum Duration parameters limit the amount of time an approved user may
release the contents of the stored file. A release Notification email address will
receive a notification whenever the file is retrieved without dual control. Enter any
desired text in Description field.
Click the button to store the file.
12.2 File Ticket System Tab
This tab is used to configure Ticket System Integration for the file. The options available on this
tab will be predetermined by how Ticket Systems were configured in the paradmin
interface and at the System level. If no Ticket Systems have been configured and
enabled in the paradmin interface the Ticket System tab will be inaccessible.
Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
file request is submitted for this system. If multiple Ticket Systems are
enabled they will be listed in the list for selection. You can specify the ticket
system or allow entry of a ticket number from any system that is enabled. If
this box is not checked users will still be able to enter a Ticket Number on a
request.
Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a
ticket number. You also have the option to require CLI and API users to
supply a ticket number prior to requesting a file.
Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a file without supplying a ticket.
Propagation
You have the option of pulling the Ticket System settings for the File from the
System defaults. To set the file at the System defaults check this box and
click the button. To override the system settings, uncheck this
box, edit the settings and click the button.
Note! If someone goes in at the System level and decides to push the
system settings out to all the files, the settings saved here will be overridden
with whatever is set at the system level at that time.
12.3 File Collections Tab
In v2.4 Files can now be members of a collection. Refer to section 11.9 for detail on
assigning collection membership.
Note! A file cannot belong to the same collection as its parent system, or vice
versa.
12.4 Setting Permissions for Files
Prior to v2.4 the permissions for files were based on the permissions set at the
System level. In v2.4 you can now assign permissions at the File level. Select
Systems, Accounts, & Collections → Accounts → Manage Files from the menu.
Once you select the file you want to modify click the Permissions tab. Refer to
section 15.8 for details on assigning permissions.
12.5 Updating a Stored File
To make changes to an existing stored file, select Systems, Accounts, &
Collections → Files → Manage Files from the menu. Enter your search criteria on
the Filter tab and click the Listing tab. Select the file from the Listing tab and click
the Details tab.
Changes may be made to the description, number of approvals required for release,
email notification, and maximum release duration. Additionally, a new file may be
uploaded to replace the existing stored file, such as when a new key file or certificate
file exists but the desire is to maintain the same display name. The display name for
the file cannot be modified.
12.6 Reviewing File History and Activity
To view file history select Systems, Accounts, & Collections → Files → Manage
Files from the menu. Enter your search criteria on the Filter tab. Click the Listing
tab to select the file you are looking for. Click the File History tab. This report will
show the history of all physical files that have been associated with the file display
name as well as the dates the file was originally stored and replaced. The older files,
though no longer associated with the display name, remain on the appliance and may
be accessed by an administrator using the filename link. Older files may also be
deleted from history.
The Logs tab for stored files will show the activity associated with accessing the file.
The Current File tab will allow you to retrieve the file if you have ISA permission for
the file. Type a release reason in the text box and then click the button.
13.0 Retrieving a Password (PPM ISAs only)
To quickly retrieve a password go to Retrieve → Retrieve Password. Once you enter your
filter criteria click the Listing tab.
Select the account from the Listing tab. The location of this tab has changed in
v2.4. This is now a sub-tab of the Passwords tab.
The Current Password tab retrieves the password for the account. Enter the
Release Reason in the text box provided. If required enter the Ticket System and
Ticket Number. Click the Password tab to see the current password.
If your System Administrator has decided to configure Reason Codes for your
environment, you will see them available in the list here. Reason codes give you a
quick way to submit a request without having to type in a detailed reason. You may
be required to enter a reason code, they may be optional or they may be disabled.
If the ISA needs to access the current password on behalf of another person they
should enter the original requestors name in the Proxy Release For field. Proxy
releases can be reported on in Password Release Activity Report. The ISA will be able
to enter a longer/shorter duration for the release if the Allow ISA to enter
Duration on Release flag is checked on the Account Management tab.
The password will be displayed for a maximum of 20 seconds. For convenience, the
password may also be copied into the user’s clipboard. This can be done using the
mouse and dragging the password, then right-clicking and selecting “Copy”.
13.1 Viewing Past Passwords
To view past passwords for an account click the Past Passwords tab. Use the Filter
tab to narrow the date range of the passwords you are looking for and then click the
Past Passwords tab next to the Filter tab. This allows you to select a password that
was valid for a specific period of time. This is especially important if the managed
system has been restored from a backup and the password that was effective at the
time of the backup is required.
To view the password for each logged activity, click a row in the results and then click
the Password tab.
14.0 Retrieving Files (PPM ISAs only)
To quickly retrieve a file go to Retrieve → Retrieve File.
Select the file from the Listing tab. Click the Current File tab. Enter the Release Reason
in the text box and click the button. You will be prompted to save the file
or open it immediately for viewing.
15.0 Session Management (PSM ISAs only)
The session management menu provides access to session logs and the ability to playback
previous sessions to systems. This answers the critical question “what did they do” with
respect to auditing access to privileged accounts. All user actions, whether performed via
keyboard or mouse are recorded.
15.1 Replaying a Session Log
Select Session Mgmt → Session Logs from the menu.
Note! If the session log is stored on an archive server there may be a delay
while TPAM retrieves the log from its remote storage location.
The remote access session will be displayed and played back in real time. The
playback session may be paused and resumed, moved ahead or back at increased
speed, or continuously played at various speeds.
Using the session playback controls
To manipulate the playback of a session, the controls at the bottom of the
session replay window allow the speed of the playback to be changed, ranging
from ½ normal speed to 16 times normal speed. Replay may be paused at
any point.
The session playback toolbar contains both session information and playback
controls:
• Session system – The name of the remote system to which the session
was established.
• Session UserID – The name of the remote account used to access the
system during the session.
• Slider control – Displays the current position of playback, and when the
session is paused allows a new position to be selected. To reposition
session replay, pause the session and position the slider control to the
desired spot. Resume playback using the pause control. The session
playback will move at maximum speed to the desired playback position.
Note! The session time position is based on network packet timestamps.
This means that the playback control slider may appear to move in an uneven
fashion depending on the ‘data density’ of each packet, especially for very
short recorded sessions. If for some period time there is a minimal amount of
activity followed by a flurry of dialog box openings and keystroke input, this
would cause the uneven control slider movement. Longer session files tend to
provide a smoother control slider movement.
• Session time position – Shows the time position being displayed in relation
to the session length: current position / total session time.
• Pause control – When green the session is playing. When red the session
is paused. To pause or resume playback simply click the control.
• Loop button – selecting this button will set the session to replay over and
over.
• .5x – The session will be played at ½ normal speed.
• 1x – The session will be played at normal speed (real time).
• 2x – The session will be played at 2 times normal speed.
• 4x – The session will be played at 4 times normal speed.
• 8x – The session will be played at 8 times normal speed.
• 16x – The session will be played at 16 times normal speed.
If a file was transferred during the session you are replaying you can view
information about that file on the File Transfers tab.
15.2 Monitoring a Live Session
You have the ability to monitor a session as it is being recorded. The user running the
session has no indication that their session is being watched. To monitor a live
session select Session Mgmt → Session Logs from the menu. Use the filter criteria
to limit the list of session logs to those desired.
Any live sessions will display Connected in the Status column. Select the session
you want to view and click the button. Any user that has
permission to playback a session log has permission to monitor a session for that
account.
16.0 Reports
TPAM includes a number of pre-defined reports to aid in system administration, track
changes to objects, and provide a thorough audit trail for managed systems. All reports are
accessed via the Reports menu. The reports can be filtered by criteria that are specific to
each report type.
Note! Access to different reports is based on the user’s permissions. Only TPAM
Administrators and Auditors have access to all reports.
16.1 Report Time Zone Options
There are time zone filter parameters on most of the reports so that the user can
choose to view the report data in their local time zone or the server time zone. These
filter parameters will only be visible if the user is configured with a local time zone.
This filter affects not only the data reported but also the filter dates used to pull the
data.
For example, the server is at GMT time and the user is in Athens, Greece (GMT +2).
When the user enters a date range of 9/16/2009-9/17/2009 with the local time zone
option, the report will pull transactions that happened on the server between
9/15/2009 22:00 through 9/17/2009 21:59.
All reports that use the local time zone filter now have an extra column indicating the
GMT offset that was used to generate the report. This value will either be the current
GMT offset of the server or the user. This column will also appear in reports that are
exported using Excel or CSV.
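The local time zone filter translation described above, as an added example (not TPAM code): a user at GMT +2 who enters 9/16/2009-9/17/2009 gets the transactions that happened on the server between 9/15/2009 22:00 and 9/17/2009 21:59, and the report carries the GMT offset it applied. The sample transaction rows and the fixed +2 offset (DST ignored, as in the manual's figures) are constructed assumptions.

```python
from datetime import date, datetime, time, timedelta, timezone

FMT = "%Y-%m-%d %H:%M"

# Constructed sample of server-side transaction records. Timestamps are in the
# server's zone, which the manual's example places at GMT. Not real TPAM data.
SAMPLE_ROWS = [
    ("2009-09-15 21:30", "release A"),  # before both windows
    ("2009-09-15 22:15", "release B"),  # inside the local-zone window only
    ("2009-09-16 09:00", "release C"),  # inside both windows
    ("2009-09-17 21:30", "release D"),  # inside both windows
    ("2009-09-17 22:30", "release E"),  # inside the server-zone window only
]


def local_range_to_server(start_day, end_day, offset_hours):
    """Translate an inclusive local-date filter (ISO date strings) into the
    server-time window the report actually queries.

    The local window runs from 00:00 on start_day to 23:59 on end_day in the
    user's zone (minute granularity, matching the manual's example). The user's
    zone is modelled as a fixed GMT offset, so DST is deliberately ignored.
    Returns (window_start, window_end) as "YYYY-MM-DD HH:MM" server-time strings.
    """
    tz = timezone(timedelta(hours=offset_hours))
    local_start = datetime.combine(date.fromisoformat(start_day), time(0, 0), tzinfo=tz)
    local_end = datetime.combine(date.fromisoformat(end_day), time(23, 59), tzinfo=tz)
    return (local_start.astimezone(timezone.utc).strftime(FMT),
            local_end.astimezone(timezone.utc).strftime(FMT))


def run_report(rows, start_day, end_day, user_offset_hours, use_local_tz):
    """Apply the date filter the way the report does and return the matching
    row descriptions together with the 'GMT offset' column value the report
    would carry (the user's offset, or 0 when the server time zone is chosen).
    """
    offset = user_offset_hours if use_local_tz else 0
    win_start, win_end = local_range_to_server(start_day, end_day, offset)
    # Fixed-width "YYYY-MM-DD HH:MM" strings compare correctly as text.
    hits = [desc for ts, desc in rows if win_start <= ts <= win_end]
    return hits, offset
```

Switching use_local_tz between True and False on the same date range shows why the filter dates move: release B is only reported under the local-zone filter, release E only under the server-zone filter.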
16.2 Report Layout Options
The user can select which columns they want to display on the report by clicking on
the Report Layout tab. Also the user can decide which column they want the report
sorted by clicking the radio button in the Sort Column.
Also note the Max Rows to Display list. This limits the number of rows that are
returned on the report even if there are more rows that meet this filter criteria.
16.3 Adjustable Column Widths
The user can adjust the column size of any column on a report by hovering their
mouse over the column edge and holding down the left mouse button and dragging
the mouse to adjust the column width.
16.4 Report Export Options
In addition to exporting the report to an Excel formatted file, the user can also export
the file in a CSV (comma separated value) file format.
Alert! If you expect your report results to be over 64,000 rows you
must use the CSV export option. The Export to Excel option will only export a
maximum of 64,000 rows!
16.5 Activity Report
The activity report contains a detailed history of all changes made by your user id in
TPAM.
16.6 ISA User Activity
The ISA user activity report shows an audit-trail report containing detailed records of
all activities performed by your userid with ISA permissions.
16.7 PSM Accounts Inventory (PSM ISAs only)
The PSM accounts inventory report will show a list of all accounts that are PSM
“enabled”.
16.8 Password Aging Inventory (PPM ISAs only)
The password inventory report will display a list of all managed systems, and all
accounts on those systems that are managed by PPM.
16.9 File Aging Inventory (PPM ISAs only)
Similar to the password inventory report, the file inventory report will display a list of
secure stored files and the systems for which they are managed.
16.10 Release-Reset Reconcile (PPM ISAs only)
The purpose of the Release-Reset Reconciliation report is to provide auditable
evidence that passwords have been reset appropriately after being released. The
report can be filtered by date or date range, and sorted by system name, RequestID,
or first release date.
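The same reconciliation can be reproduced offline from CSV exports (section 16.4) when an auditor needs evidence outside the appliance. The following is an added illustration, not Quest/TPAM code: it joins a release export against a password update export and flags every release that was not followed by a successful reset. The column names (RequestID, SystemName, AccountName, ReleaseDate, ChangeDate, Status) and the sample rows are constructed assumptions; map them to the actual export headers before use.

```python
"""Reconcile password releases against later resets (added example, not TPAM code).

Input: two CSV exports of the kind the report screens produce. Column names
below are assumptions for illustration, not TPAM's real export headers.
"""
import csv
import io
from datetime import datetime

# Constructed sample data standing in for a Password Release Activity export.
RELEASES_CSV = """RequestID,SystemName,AccountName,ReleaseDate
1001,db-prod-01,root,2013-03-04 09:15:00
1002,db-prod-01,root,2013-03-04 11:40:00
1003,web-01,admin,2013-03-05 08:00:00
1004,fw-edge,enable,2013-03-05 10:30:00
"""

# Constructed sample data standing in for a Password Update Activity export.
UPDATES_CSV = """SystemName,AccountName,ChangeDate,Status
db-prod-01,root,2013-03-04 12:05:00,Success
web-01,admin,2013-03-04 20:00:00,Success
fw-edge,enable,2013-03-05 11:00:00,Failed
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(releases_csv, updates_csv):
    """Return one record per release with the first successful reset at or after it.

    A reset that happened before the release does not count: the credential was
    exposed again by the later release and must be rotated again.
    """
    resets = {}
    for row in parse_csv(updates_csv):
        if row["Status"] != "Success":
            continue  # failed changes leave the released password live
        key = (row["SystemName"], row["AccountName"])
        resets.setdefault(key, []).append(datetime.strptime(row["ChangeDate"], TIME_FMT))
    for times in resets.values():
        times.sort()

    result = []
    for row in sorted(parse_csv(releases_csv), key=lambda r: r["ReleaseDate"]):
        released = datetime.strptime(row["ReleaseDate"], TIME_FMT)
        key = (row["SystemName"], row["AccountName"])
        later = [t for t in resets.get(key, []) if t >= released]
        result.append({
            "RequestID": row["RequestID"],
            "SystemName": key[0],
            "AccountName": key[1],
            "ReleaseDate": released,
            "ResetDate": later[0] if later else None,
        })
    return result


def unreconciled(releases_csv, updates_csv):
    """RequestIDs whose release was never followed by a successful reset."""
    return [r["RequestID"] for r in reconcile(releases_csv, updates_csv)
            if r["ResetDate"] is None]


if __name__ == "__main__":
    for rec in reconcile(RELEASES_CSV, UPDATES_CSV):
        state = rec["ResetDate"].strftime(TIME_FMT) if rec["ResetDate"] else "NOT RESET"
        print(f'{rec["RequestID"]} {rec["SystemName"]}/{rec["AccountName"]} -> {state}')
```

In the sample data, requests 1001 and 1002 are both covered by the single reset at 12:05, while 1003 (reset happened before the release) and 1004 (reset failed) are reported as outstanding.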
16.11 User Entitlement
In v2.4 we merged the Password, EGP and File User Entitlement reports all into one
User Entitlement report, with additional filters. This report provides a mechanism to
review and audit individual users’ permissions for systems, accounts, commands and
files on an enterprise scale. Based upon selected filter criteria, the report will show
each user and their permissions to each system, whether based upon Collection,
Group, or individual assignment.
To reduce the size of the report for large organizations where numerous systems
belong to collections, use the filters provided such as “Show Only Effective
Permissions”.
Note! The Permission Types filter will be grayed out according to your PPM or PSM ISA
permissions.
Turning on the checkboxes or radio buttons for the options will have the following
effects on the report:
• Expand Collections to show all Systems, Accounts, & Files? When checked
the report will expand any retrieved Collection-level permissions to show all the
Systems, Accounts, and Files in the collection. Permissions are indicated as
being at the Collection level by the presence of the Collection Name as well as
the Permission Source column. When not checked only the Collection itself is
shown.
• Expand Groups to show all Users? When checked the report will expand any
retrieved Group to show all users within this group. Permissions are indicated as
being at the Group level by the presence of a Group name as well as the
Permission Source column. When not checked only the Group itself is shown.
• Expand Access Policies to show policy permissions details? When checked
this will expand the Access Policy for each row to show the Permission Type
(Password, Session, etc.) and Permission Name (Requestor, Approver, etc.) for
all detail rows for each Access Policy. When not checked only the Access Policy
Name is displayed.
• Show All Permissions When this radio button is selected the report will show all
possible policies for each assignee (User or Group) to each entity (System,
Account, File, or Collection) with the effective permission indicated.
• Show Only Effective Permissions When this radio button is selected the report
will show only the effective permission for each assignee to each entity.
Alert! If you select any of the Expand … options you must fill in at least
one of the text filters with a non-wildcard value. For very large data sources
the expansion of Collections, Groups, and/or Access Policies can very easily
create a report beyond the retrieval and display capabilities of a web
browser. For large datasets (tens of thousands of accounts or thousands of
large collections to expand) it is recommended to rely on the Data Extracts
for unfiltered versions of the Entitlement Report.
16.12 Password Update Activity (PPM ISAs only)
The password update report shows an audit-trail report containing detailed records of
all password modifications to all systems managed by PPM.
16.13 Password Update Schedule (PPM ISAs only)
The password update schedule report will show all currently scheduled password
changes and the reason for the change – such as a change due to default change
settings or in response to a password release, etc.
16.14 Password Testing Activity (PPM ISAs only)
The password testing activity report shows the results of automated testing of each
managed account’s password.
16.15 Password Test Queue (PPM ISAs only)
The password test queue report lists all accounts currently queued for password
tests. This is a useful report to view when troubleshooting performance related
issues: a high number of queued password tests can impact system response time while
the check agent is running. This report does not provide a mechanism for exporting
data, but it does allow accounts to be deleted from the test queue. So if there is
some known reason why a large group of password tests will fail, such as a network
outage, that group can be filtered in the report and then deleted. An alternative
is to simply stop the check agent.
16.16 Expired Passwords (PPM ISAs only)
This report allows you to report on currently expired passwords, or passwords that
are going to expire within a certain date range. You can also filter based on whether
the system/account has password management enabled or set to manual.
In v2.4 we added a Reason Code column to the report.
16.17 Passwords Currently In Use (PPM ISAs only)
This report defines “In Use” as passwords that:
• Have been retrieved via the ISA/CLI/API and not yet been reset
• Have been requested and released, but not yet reset
• Have been manually reset from the Account Details or Password
Management pages but not yet reset by PPM
• Have been manually entered on the Account Details page but
not yet reset by PPM
• Were assigned by the user when the account was created, either from the TPAM
interface or as a result of Batch Import Accounts (as opposed to
allowing the system to generate a random password)
Note! Passwords manually changed prior to TPAM 2.1.711 will not show as IN USE.
16.18 Password Requests (PPM ISAs only)
This report allows you to view all password requests within a specified time period
and view details relating to the request. Selecting a row in the report, and clicking on
the Responses, Reviews and Releases tab will give you additional details on the
request.
In v2.4 we added a Reason Code column to the report.
16.19 Auto-Approved Releases (PPM ISAs only)
Password and stored file releases made by requestors that did not require dual-control
approval (auto-approved requests) may be reviewed in the Auto Approved
Releases and Auto Approved File Releases reports.
16.20 Password Release Activity (PPM ISAs only)
The password release activity report displays a history of password releases, based
upon filter criteria selected for the report. The reason text and ticket system
information is also provided in the report.
In v2.4 we added a Reason Code column to the report.
16.21 File Release Activity (PPM ISAs only)
The file release report is essentially identical to a password release report, but will
show the release activity associated with stored files.
In v2.4 we added a Reason Code column to the report.
16.22 Windows Domain Account Dependencies (PPM ISAs only)
This report shows which managed domain accounts have dependencies on other
systems.
16.23 Auto Approved Sessions (PSM ISAs only)
This report lists all sessions that were auto approved because the account had no
approvals required for session requests.
16.24 PSM Session Activity (PSM ISAs only)
This report shows the details on any sessions that occurred within a specified time
period or for a specific system/account.
In v2.4 we added a Reason Code column to the report.
16.25 PSM Session Requests (PSM ISAs only)
This report allows you to view all session requests within a specified time period and
view details relating to the request. Selecting a row in the report, and clicking on the
Responses, Reviews and Releases tab will give you additional details on the
request. In v2.3.765 we added a “Reviews Required” column to this report. In
v2.4 we added a Reason Code column to the report.