TPAM Administrator Manual

Quest One Privileged Account Management
Administrator Manual
Version 2.4
Quest One Privileged Account Management Administrator Manual
© 2011 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described
in this guide is furnished under a software license or nondisclosure agreement. This
software may be used or copied only in accordance with the terms of the applicable
agreement. No part of this guide may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser’s personal use without the written permission of Quest Software,
Inc.
The information in this document is provided in connection with Quest products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by
this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN
QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS
PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS,
IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY
DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES
(INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO
USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. Quest makes no representations or warranties with respect to the accuracy or
completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. Quest does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: [email protected]
Refer to our Web site (www.quest.com) for regional and international office information.
Trademarks
Quest, Quest Software, and the Quest Software logo are trademarks and registered
trademarks of Quest Software, Inc in the United States of America and other countries.
For a complete list of Quest Software’s trademarks, please see
http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered
trademarks are property of their respective owners.
Third Party Contributions
Quest One Appliance-Based Privileged Account Management Solutions
contain some third party components. Copies of their licenses may be found at
http://www.quest.com/legal/third-party-licenses.aspx.
2
QUEST
Table of Contents
1.0 Introduction to TPAM ..... 9
2.0 Conventions Used in this Guide ..... 9
3.0 Architectural Overview ..... 9
4.0 Product Licensing ..... 10
5.0 Resource Requirements ..... 10
6.0 Accessing TPAM ..... 10
7.0 Recommended Steps for Configuring your TPAM ..... 12
8.0 Getting Help ..... 13
8.1 Online User Manuals ..... 13
8.2 Help Bubbles ..... 13
8.3 Customer Portal ..... 14
8.4 Contacting Customer Support ..... 14
9.0 TPAM Definitions ..... 14
9.1 Terms ..... 14
9.2 User Types ..... 15
10.0 Access Policies ..... 15
10.1 Adding an Access Policy ..... 15
10.2 Making an Access Policy Inactive ..... 20
10.3 Reactivating an Access Policy ..... 20
10.4 Deleting an Access Policy ..... 20
10.5 Duplicating an Access Policy ..... 20
11.0 Permission Hierarchy ..... 21
12.0 Permission Based Home Page ..... 23
12.1 Recent Activity Tab ..... 24
12.2 Approvals Tab ..... 24
12.3 Pending Reviews Tab ..... 25
12.4 Current Requests Tab ..... 26
13.0 Managing Your Own Account ..... 26
13.1 User Time Zone Information ..... 27
14.0 Application Navigation ..... 28
14.1 Tab Format ..... 28
14.2 Filter Tab ..... 29
14.3 Listing Tab ..... 30
14.4 Feedback Area ..... 30
15.0 Configuring Managed Systems ..... 31
15.1 System Details Tab ..... 32
15.2 System Template Tab ..... 35
15.3 System Connection Tab ..... 36
15.4 System Management Details Tab ..... 41
15.5 Affinity Tab ..... 43
15.6 Ticket Systems Tab ..... 44
15.7 Collections Tab ..... 45
15.8 Setting Permissions for PSM and PPM Functionality for Systems ..... 46
15.9 Creating a System Template ..... 49
15.10 Adding A System ..... 49
15.11 Managing A System ..... 52
15.12 Clearing a Stored System Host Entry ..... 52
15.13 Testing a System ..... 52
15.14 Duplicating a System ..... 52
15.15 Deleting Systems ..... 52
15.16 List Systems ..... 54
15.17 Importing Systems ..... 55
15.18 Batch Updates to Systems ..... 58
15.19 Batch Update Permissions ..... 60
16.0 Managing Accounts ..... 62
16.1 Account Details Tab ..... 62
16.2 Account Reviews Tab ..... 66
16.3 Account Custom Information Tab ..... 66
16.4 Account Management Tab ..... 67
16.5 Account Ticket System Tab ..... 69
16.6 Accounts Management Logs Tab ..... 70
16.7 Account Management Past Password Tab ..... 71
16.8 Account Management Current Password Tab ..... 71
16.9 Account Collections Tab ..... 73
16.10 Setting Permissions for PSM and PPM Functionality for Accounts ..... 73
16.11 PSM Details General Tab (PSM Customers Only) ..... 73
16.12 PSM Session Authentication Tab (PSM Customers Only) ..... 77
16.13 PSM File Transfer Tab (PSM Customers Only) ..... 77
16.14 PSM Review Requirements Tab (PSM Customers Only) ..... 78
16.15 Adding an Account ..... 79
16.16 Managing an Account ..... 80
16.17 Deleting Accounts ..... 80
16.18 Account Current Status ..... 81
16.19 Manual Password Management ..... 82
16.20 Password Management ..... 83
16.21 Managing Services in a Windows Domain Environment ..... 84
16.22 List Accounts ..... 87
16.23 List PSM Accounts (PSM Customers Only) ..... 88
16.24 Importing System Accounts ..... 88
16.25 Batch Update Accounts ..... 90
16.26 Batch Update PSM Accounts (PSM Customers Only) ..... 91
17.0 Configuring Collections ..... 92
17.1 Who Can Manage Collections ..... 92
17.2 Adding A Collection ..... 92
17.3 Affinity Tab (PSM Customers Only) ..... 93
17.4 Set Collection Members: ..... 94
17.5 Set Collection Permissions: ..... 95
17.6 Managing A Collection ..... 95
17.7 Update Collection ..... 95
17.8 Delete A Collection ..... 95
17.9 Duplicating A Collection ..... 95
17.10 List Collections ..... 96
17.11 Batch Updates to Collections ..... 97
18.0 Managing Secure File Storage ..... 98
18.1 Adding a File for Storage ..... 98
18.2 File Ticket System Tab ..... 99
18.3 File Collections Tab ..... 101
18.4 Setting Permissions for Files ..... 101
18.5 Updating a Stored File ..... 101
18.6 Reviewing File History and Activity ..... 102
19.0 Synchronized Passwords ..... 103
19.1 Creating a Synchronized Password ..... 104
19.2 Adding Subscribers to a Synchronized Password ..... 106
19.3 Subscriber Status ..... 107
19.4 Logs tab ..... 108
19.5 Manual Reset ..... 108
19.6 Deleting a Synchronized Password ..... 108
20.0 Managing User ID’s ..... 108
20.1 Adding A UserID ..... 108
20.2 Template Tab ..... 112
20.3 Time Information Tab ..... 113
20.4 UserID Group Membership Tab ..... 114
20.5 UserID Permissions Tab ..... 115
20.6 Creating a User Template ..... 116
20.7 Managing a UserID ..... 118
20.8 Manage a UserID ..... 120
20.9 Delete UserID ..... 120
20.10 Manage Group Membership ..... 120
20.11 Set User Password ..... 120
20.12 Duplicate User ..... 120
20.13 Unlock a User ..... 120
20.14 List UserIDs ..... 120
20.15 Import UserIDs: ..... 122
20.16 Batch Update Users ..... 125
21.0 Managing Groups ..... 126
21.1 Default Groups ..... 126
21.2 Group Details Tab ..... 127
21.3 Group Members Tab ..... 128
21.4 Group Permissions Tab ..... 129
21.5 List Groups ..... 130
21.6 Duplicating A Group ..... 131
21.7 Batch Updates to Groups ..... 132
22.0 Active Directory Integration ..... 133
22.1 Adding an Active Directory System Mapping ..... 133
22.2 Active Directory System Tab ..... 135
22.3 Adding Active Directory User Mappings ..... 136
22.4 Active Directory User Tab ..... 138
22.5 Export User and System Mappings ..... 139
23.0 Generic Integration Tool ..... 139
23.1 Configuring a Data Source ..... 141
23.2 Adding User Mappings ..... 142
23.3 Completing the Mapping ..... 144
23.4 Export User Mappings ..... 145
23.5 Adding System Mappings ..... 145
23.6 Export System Mappings ..... 147
24.0 Cache Servers ..... 147
24.1 Cache Server Details Tab ..... 148
24.2 Cache Server WSDL Tab ..... 149
24.3 Cache Server Accounts Tab ..... 150
24.4 Cache Server Root Certificates Tab ..... 151
24.5 Cache Server Users Tab ..... 151
24.6 Cache Server Hosts Tab ..... 151
24.7 Cache Server Permissions Tab ..... 152
24.8 Cache Server Current Status ..... 152
24.9 Deleting a Cache Server ..... 153
24.10 Adding Cache Server Client Hosts ..... 153
24.11 Deleting Cache Server Client Hosts ..... 154
24.12 Cache Server Trusted Root Certificates ..... 154
25.0 Managing TPAM CLI IDs (PSM Customers Only) ..... 154
25.1 Adding a new CLI User ..... 155
25.2 Modifying CLI Users ..... 155
26.0 Quest One Privileged Command Manager (PSM Customers Licensed for PCM Only) ..... 156
26.1 Adding a Command ..... 157
26.2 Setting the Proxy Type ..... 158
26.3 Editing a Command ..... 159
26.4 Duplicating a Command ..... 159
26.5 Deleting a Command ..... 160
27.0 Connection Profiles (PSM Customers Only) ..... 160
27.1 Deleting a Connection Profile ..... 161
28.0 Post Session Processing Profiles (PSM Customers Only) ..... 161
28.1 Deleting a Post Session Processing Profile ..... 162
29.0 DPA’s ..... 162
29.1 Adding a DPA ..... 163
29.2 DPA Log Tab ..... 164
30.0 Releasing Passwords ..... 165
30.1 Request For Password Release ..... 165
30.2 Password Request Responses Tab ..... 170
30.3 Password Request Approvers Tab ..... 171
30.4 Password Request Password Tab ..... 171
30.5 Managing Password Requests ..... 171
30.6 Canceling a Password Request ..... 172
30.7 Expiring a Password Release Request ..... 173
31.0 Approving Password Requests ..... 174
31.1 Password Request Filter Tab ..... 174
31.2 Password Request Responses Tab ..... 177
31.3 Password Request Approvers Tab ..... 177
31.4 Password Request Conflicts Tab ..... 177
32.0 Retrieving Passwords ..... 178
33.0 Releasing Files ..... 180
33.1 Request a File ..... 180
33.2 File Request Response Tab ..... 183
33.3 File Request Approvers Tab ..... 183
33.4 Retrieving the Requested File ..... 184
33.5 Managing File Requests ..... 184
33.6 Canceling a File Request ..... 186
33.7 Duplicating a File Request ..... 186
33.8 Expiring a File Request ..... 187
34.0 Approving File Requests ..... 188
34.1 File Request Filter Tab ..... 188
34.2 Select Release Request ..... 189
34.3 File Request Responses Tab ..... 190
34.4 File Request Approvers Tab ..... 191
34.5 File Request Conflicts Tab ..... 191
35.0 Retrieving Files ..... 191
36.0 Reviewing Password Releases ..... 192
36.1 Password Release Review Details Tab ..... 194
36.2 Password Release Responses Tab ..... 195
36.3 Password Release Reviews Tab ..... 195
36.4 Password Release Reviewers Tab ..... 195
37.0 Quest One Privileged Session Manager (PSM Customers Only) ..... 195
37.1 Requesting a Session ..... 196
37.2 Session Request Responses Tab ..... 200
37.3 Session Request Approvers Tab ..... 201
37.4 Connect Options Tab ..... 201
37.5 Managing Session Requests ..... 202
37.6 Canceling a Session Request ..... 204
37.7 Expiring a Session Request ..... 204
38.0 Approving/Denying System Session Requests (PSM Customers Only) ..... 205
QUEST
38.1 Session Requests Filter Tab ............................................................................................... 205
38.2 Select Session Request ....................................................................................................... 206
38.3 Session Request Responses Tab ....................................................................................... 207
38.4 Session Request Approvers Tab ....................................................................................... 207
38.5 Session Request Conflicts Tab .......................................................................................... 208
38.6 Denying a Session Request after it has been Approved .............................................. 208
39.0 Starting a Remote Session (PSM Customers Only) ............................................................... 208
39.1 Beginning The System Session ......................................................................................... 209
39.2 File Transfer .......................................................................................................................... 212
40.0 Reviewing Sessions (PSM Customers Only) .......................................................................... 214
40.1 Session Review Details Tab ............................................................................................... 214
40.2 Session Review Responses Tab ........................................................................................ 216
40.3 Session Logs Tab .................................................................................................................. 217
40.4 Reviews Tab .......................................................................................................................... 217
40.5 Reviewers Tab ....................................................................................................................... 218
40.6 Comments Tab...................................................................................................................... 218
40.7 File Transfers Tab ................................................................................................................. 219
41.0 Session Management (PSM Customers Only) ........................................................................ 219
41.1 Replaying a Session Log ..................................................................................................... 219
41.2 Resetting Statistics for a Session ..................................................................................... 222
41.3 Monitoring a Live Session................................................................................................... 222
41.4 Viewing Active Sessions ..................................................................................................... 223
41.5 Terminating Active Sessions .............................................................................................. 224
41.6 Archiving Session Logs ....................................................................................................... 224
41.7 Configuring Archive Servers .............................................................................................. 225
41.8 Archive Logs .......................................................................................................................... 228
42.0 Reports ........................................................................................................................................ 228
42.1 Report Time Zone Options ................................................................................................. 228
42.2 Report Layout Options ........................................................................................................ 229
42.3 Adjustable Column Widths ................................................................................................. 230
42.4 Report Export Options......................................................................................................... 230
42.5 Activity Report ...................................................................................................................... 230
42.6 ISA User Activity .................................................................................................................. 231
42.7 Approver User Activity ........................................................................................................ 231
42.8 Requestor User Activity ...................................................................................................... 231
42.9 PSM Accounts Inventory (PSM Customers Only) .......................................................... 231
42.10 Password Aging Inventory ................................................................................................. 232
42.11 File Aging Inventory ............................................................................................................ 232
42.12 Release-Reset Reconcile ..................................................................................................... 232
42.13 User Entitlement ..................................................................................................... 233
42.14 Failed Logins ......................................................................................................................... 234
42.15 Password Update Activity ................................................................................................... 235
42.16 Password Update Schedule ................................................................................................ 235
42.17 Password Testing Activity ................................................................................................... 235
42.18 Password Test Queue .......................................................................................................... 236
42.19 Expired Passwords ............................................................................................................... 236
42.20 Passwords Currently In Use ............................................................................................... 236
42.21 Password Requests .............................................................................................................. 237
42.22 Auto-Approved Releases..................................................................................................... 237
42.23 Password Release Activity .................................................................................................. 238
42.24 File Release Activity ............................................................................................................. 238
42.25 Windows Domain Account Dependencies ....................................................................... 238
42.26 Auto Approved Sessions (PSM Customers Only) .......................................................... 238
42.27 PSM Session Activity (PSM Customers Only) ................................................................. 239
42.28 PSM Session Requests (PSM Customers Only) .............................................................. 239
43.0 Scheduled Reports .................................................................................................................... 239
43.1 Subscribing to Reports ........................................................................................................ 240
43.2 Browsing Stored Reports .................................................................................................... 241
44.0 Data Extracts .............................................................................................................................. 242
44.1 Data Extract Details Tab ..................................................................................................... 243
44.2 Data Extracts Data Set Tab ............................................................................................... 244
44.3 Data Extract Log Tab ........................................................................................................... 245
44.4 Data Extract Dataset Filenames ....................................................................................... 246
Appendix A: TPAM Hardware Specifications........................................................................... 248
Appendix B: Platform Support Matrix ....................................................................................... 250
Appendix C: Using the TPAM Command Line Interface ..................................................... 252
Appendix D: TPAM Application Programming Interface (API) Manual ...................................... 280
1.0 Introduction to TPAM
Total Privileged Access Management (TPAM) is a robust collection of integrated modular
technologies designed specifically to meet the complex and growing compliance and security
requirements associated with privileged identity management and privileged access control.
The Privileged Password Manager (PPM) module provides secure control of administrative
accounts. TPAM is a repository where these account passwords are stored until needed, and
released only to authorized persons. Based on configurable parameters, the PPM module will
automatically update these passwords.
The Privileged Session Manager (PSM) module provides a secure method of connecting to
remote systems, while recording all activity that occurs to a session log file that can be
replayed at a later time. All connections to remote systems are proxied through the
Privileged Account Management (PAM) appliance, ensuring a secure single access point.
The Privileged Account Appliance (PAA) has several methods of access:
• Configuration interface (HTTPS via direct connection, with network option)
• Administrative interface (HTTPS via network access)
• User interface (HTTPS via network access)
• Admin CLI (SSH via network access)
• User CLI (SSH via network access)
• User API (SSH client application via network access)
All data stored in the PAA is encrypted in storage and in transit. Careful attention has been
paid to the security and audit capabilities of the appliance, due to the high security
implications of the data it contains.
To support this high level of security, TPAM is designed to ensure segregation of duties and
dual control. The segregation of duties is accomplished through permission based
authorization. Dual control is accomplished by optionally requiring multiple pre-defined
individuals to be involved in the connection to a system.
2.0 Conventions Used in this Guide
Element              Convention
(new-feature symbol) Wherever this symbol is displayed it means there is new functionality or
                     an entirely new feature being discussed.
Bold Italics Text    Elements that appear in the TPAM interface such as menu options and field
                     names.
Note!                Used to highlight additional information pertinent to the process being
                     described.
Tip!                 Used to provide best practice information. A best practice details the
                     recommended course of action for the best result.
Alert!               Important information about features that can affect performance, security
                     or cause potential problems with your appliance.
3.0 Architectural Overview
TPAM is built on the Quest One Password Manager technology (PPM), and the TPAM
appliance includes PPM to perform the system and account management, as well as logging,
reporting, and configuration functions.
The appliance runs on a hardened Windows 2003 Web Server. An internal firewall is active
on the device, protecting against network threats and OS vulnerabilities. The front end
provides the administrative interface, the automation routines, and the gateway to the
encrypted passwords for the release mechanism. There is no direct access to the OS of the
appliance. All configurations occur via the configuration or administrative interfaces.
In addition to storing sensitive data (such as passwords) in encrypted form, the hard disk of
the appliance is fully encrypted using AES-256 encryption. This prevents exposure of data
should the disk be lost or stolen.
The connections to remote managed systems are accomplished utilizing the most secure
standard methods available. In most cases, this will be SSH. A setup guide is provided to
accomplish the necessary configuration on the remote system. In most cases, this will
include the definition of a functional UserID with password change capability.
If a system is managed by PPM then the appliance also makes connections to these
managed systems to ensure that the stored password is valid on the managed system. Any
‘out of sync’ conditions are reported, and based on the configuration settings, automatically
corrected.
4.0 Product Licensing
The TPAM appliance must be properly licensed. Quest One Privileged Session Manager
(PSM) licenses are based upon the number of concurrent sessions, whether they are proxied
connections to remote systems or the replaying of a log file from a previous session. The
number of TPAM accessible systems is not restricted, only the number of concurrent PSM
sessions.
The Privileged Password Manager (PPM) that comes with TPAM is licensed by number of PPM
managed systems, network devices, desktop devices, or users.
Note! This manual covers both the PPM and PSM modules of TPAM. If you are a
customer that has only bought licenses for PPM please disregard the sections marked “PSM
Customers Only”.
5.0 Resource Requirements
TPAM is an appliance device that requires two IP addresses. Two additional IP addresses are
required for the HA (high availability) option. The 1U hardware design provides a small
footprint for the device and requires minimal rack space.
6.0 Accessing TPAM
To access TPAM, point your browser to TPAM’s IP address or FQDN followed by /egp or
/par. For example, if the IP address for TPAM has been configured as 192.168.1.100 (1), the
URL would be https://192.168.1.100/egp/. The initial TPAM administrator account is called
paradmin and the initial password is provided with your licensing information.
(1) For additional information and instruction on the initial configuration of the appliance, see the “Quest One Privileged Account
Management Configuration and Administration Manual”.
Connectivity
To communicate with the TPAM appliance and successfully initiate a session your computer
will need to be able to pass traffic on ports 443 (HTTPS) and 22 (SSH).
If TPAM will be accessed via Microsoft Internet Explorer® (IE), there are two important
setting changes to verify or change in the IE configuration:
Pop-Up Blocker
When the /par website is accessed, the initial instance of the browser will be closed and a
new window will open without menu or title bars. Browsers that are configured to block
pop-ups often interpret this as a pop-up and the page will not be displayed. Be sure to add
the URL for TPAM to the list of allowed pop-ups. Tip: Holding the Ctrl key will temporarily
allow pop-ups.
User Authentication Settings
It may also be necessary to modify the User Authentication option of the IE Security
Settings. The recommended setting is “Prompt for user name and password”. A setting of
“Automatic logon…” may attempt to pass the username and password from the workstation
or domain to TPAM. This will cause logon failures and may lock out the user’s TPAM account.
7.0 Recommended Steps for Configuring your TPAM
Every customer’s environment is different but to make your configuration of TPAM as easy
as possible we have a recommended outline for how you should configure and load data into
your TPAM so you will be able to utilize the product as quickly as possible.
1. Have the TPAM System Administrator complete the configuration procedures
described in the TPAM Configuration and Administrator Manual for the parconfig and
paradmin interfaces, including creating a SysAdmin CLI Account. Download and store
the key outside of the appliance.
2. Create a CLI Account in the /par interface with TPAM Administrator privileges.
Download and store the key outside of the appliance.
3. If you are going to utilize Active Directory or Generic Integration, first set up System
Templates and User Templates. See sections 15.9 and 20.6.
4. If you are going to use the Active Directory Integration or Generic Integration
tools, configure them to provision UserID’s for the appliance. See sections 22.0 and
23.0. Do not forget to enable the Integration Agent in the /parconfig interface.
5. If Active Directory was not utilized, load your TPAM users through Import UserIDs.
See section 20.15.
6. Configure any Cache servers you have purchased. See section 24.0.
7. Configure any DPAs you have purchased. See section 29.0.
8. If Active Directory was not used, load the Systems you want to manage through
Import Systems. See section 15.17.
9. If so desired, add any Files to be managed. See section 18.0.
10. If you purchased Cache servers and/or DPAs, go in and make these assignments at
the System level. See sections 15.5 and 24.3.
11. Load the Accounts you want to manage in TPAM through Import Accounts. See
section 16.24.
12. If you want to utilize Collections (buckets of Systems, Accounts and/or Files), other
than the ones created using Active Directory Integration, add your Collections and
then load your Collection membership through Update Collection Membership.
See section 17.11.
13. If you want to utilize Groups (buckets of users), other than the ones created using
Active Directory Integration, add your Groups and then load your Group membership
through Load Group Membership. See section 21.7.
14. If you have purchased a PCM license, configure your PCM Commands by going to
Command Management. See section 26.0.
15. Create your Access Policies. See section 10.0.
16. Assign Access Policies to Systems, Groups, Accounts, Files, and Collections through
Batch Update Permissions. See section 15.19.
17. If you are a PSM customer you can go ahead and add any PSM Connection
Profiles and Post Session Processing Profiles by going to Profile Management.
See section 27.0.
18. If you are a PSM customer go to Batch Update PSM Accounts and complete this
step to update the PSM settings for accounts. See section 16.26.
19. If you are a PSM customer configure the Archive Servers and retention settings for
your session logs. See section 41.7.
20. Configure your Batch Report subscriptions and Recipients. See section 43.0.
21. Configure your Data Extract Schedule and Data Sets. See section 44.0.
8.0 Getting Help
8.1 Online User Manuals
To access online user manuals click the Documents list located in the upper right
hand corner of the application. The manuals that are available to you are based on
your user type and the permissions assigned to your userid.
8.2 Help Bubbles
Throughout the application you will also notice help bubbles next to many of the
fields in the application. If you hover the mouse over the bubble a pop-up window
provides a brief explanation about what the field is used for.
8.3 Customer Portal
The Quest Software Customer Portal is where you can find product updates, user
manuals, WebEx Demos and FAQ’s. To access the Portal you will need a username
and password from the Quest Software Technical Support group. To login go to
https://hq01.e-dmzsecurity.com/edmzcust.
8.4 Contacting Customer Support
Quest Software's world-class support team is dedicated to ensuring successful
product installation and use for all Quest Software solutions.
SupportLink: www.quest.com/support
Email: support[email protected]
You can use SupportLink to create, update, or view support requests.
9.0 TPAM Definitions
9.1 Terms
9.1.1 System
A system is a host computer, network device, or work station for which one or
more account passwords will be maintained. It is also referred to as the
managed system.
9.1.2 Collection
A collection is a logical association of systems. In v2.4 collections can also
include Accounts and Files. Permissions can be granted to a collection. All
systems contained in the collection, or added to it, will inherit those
permissions. A system can belong to multiple collections. A System cannot
be in the same collection as any of its Accounts or Files.
9.1.3 UserID
A UserID is defined as a user of the TPAM appliance. At the time the UserID is
created the interface (Web or CLI/API) must be determined and cannot
change. There are different types of UserID’s (Basic, UserAdmin, Auditor,
Administrator and Cache User). See section 9.2.
9.1.4 Group
A Group is a logical association of UserIDs. Groups are a mechanism for
easing the burden of assigning Access Policies on systems or collections to
users. Access Policies that are assigned to a group are inherited by all
members in the group. When a user is added to a group, they will
immediately receive all permissions assigned to the group, and all
permissions received through the group are revoked when a user is removed
from the group. Users can be members of multiple groups.
9.1.5 Managed Account
This is the account on the remote system to which a proxied connection can
be made and/or whose password is being stored and maintained through the
PPM portion of TPAM. For example, “root” is likely to be a managed account
on many of the managed UNIX systems.
9.2 User Types
9.2.1 Basic
A Basic user type can be assigned permissions for various functions
throughout the application, such as requestor, reviewer, etc.
9.2.2 Administrator
The Administrator is the most powerful user type for the TPAM User Interface.
This user type can create and delete systems, users, groups, and collections.
The administrator user type may also assign access policies to any user –
including themselves. An administrator may view all reports. It is
recommended that this user type be assigned carefully. The Administrator
may not delete or disable their user ID.
9.2.3 Auditor
The auditor user type permits the individual to view reports, session logs and
system information, but not to make any changes to data or view passwords.
The Auditor may not delete or disable his own account. Auditors may also
review completed password and session requests.
9.2.4 User Administrator
This user type has the authority to manage Basic user types. User
Administrators can disable and enable users, unlock user accounts, and
update account information. The User Administrator does not have the ability
to add users to groups or manage permissions. CLI/API user accounts cannot
be managed by a User Administrator.
9.2.5 Cache User
If your company opted to purchase cache servers along with TPAM you will be
setting up cache user types. A cache user can only retrieve passwords
through the cache server that they are assigned to. (See section 24.0 on
configuring Cache Servers) A cache user will not have access to the TPAM
interface.
10.0 Access Policies
In v2.4 we have added Access Policies, which allow permissions to be assigned at the
System and Account level. Access policies allow permissions to be broken down and
assigned at a more granular level. For example, you could create one Access Policy that
would allow someone to review password releases, request password releases and request a
session, while limiting them to two commands. In the past you could only have 1 PPM
permission and 1 PSM permission, but with Access Policies this has changed. There are
default Access Policies created by the v2.4 patch that mimic the old TPAM roles of
“EGP Requestor”, “PAR ISA”, etc., so that existing permission assignments are migrated to
the new Access Policy model and so that the default Global Groups can be supported.
10.1 Adding an Access Policy
To add an Access Policy select Management >Access Policies from the main menu.
Click the button to add a new policy.
Fill out the following fields to set up an Access Policy:
10.1.1 Policy Name
Enter a unique policy name. When assigning Access Policies you will be
selecting this name from a list so make it as descriptive as possible.
10.1.2 Description
The description field may be used to provide additional information about the
Access Policy. This information is only visible to Administrators when editing
the policy.
10.1.3 System Generated
This box will be checked if the Access Policy was automatically created by
TPAM upon applying the 2.4 patch. System generated access policies are
created for backwards compatibility in the migration from system level
permissions and aliases to account level permissions and access policies.
System generated access policies cannot be altered in any way, only made
inactive. System generated access policies can be duplicated but not deleted.
10.1.4 Active
When adding a new Access Policy the Active checkbox will be checked by
default. You can uncheck the Active box to save the Access Policy without
activating it.
10.1.5 Access Policy Details
A single Access Policy can have multiple detail rows which now allow you
much more granularity in how you assign permissions. In the example below
we created an Access Policy that allows a user to approve session requests,
and review password releases.
First select the Type of entity that you want to grant permissions on, by
checking box/es in the Type section of the page. Then check the applicable
checkboxes in the Permissions section of the page. To add additional Detail
rows for this policy, click the add button. To take a permission/type
combination out of the Access Policy, click the remove button.
Detail rows should not conflict with each other in the same policy. For
example, if you have one row granting Pwd/Request, you cannot have
another row with Pwd/Denied. Nor are you allowed to have two rows in the
policy which grant the same permission to the same type or command, e.g.,
you cannot have two rows both granting Pwd/Request, however you may
have two (or more) rows granting Command/Request as long as all the rows
reference different PCM Commands.
Note! Commands on Access Policies are not limited by proxy type, so it
IS possible to create an Access Policy that has commands that cannot be
executed on the assigned account due to proxy type limitations. These
differences will be resolved when the session request is created.
Note! With the separation of Session and Command as “Types” you can
now use an Access Policy to specify that a user has the ability to Request,
Approve, or Review a session, but not a session using a PCM Command, or
that the user can Approve a session using Command X, but not Command Y.
Note! There is no way to create a policy that allows a user to “Request,
Approve or Review any Session using any PCM Command”. A separate detail
row must be created for each PCM Command that will be allowed through this
policy.
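The detail-row rules above (no grant beside a Denied row for the same type, no duplicate permission/type combination, Command rows allowed to repeat only when they reference different PCM Commands) can be checked before a policy is saved. The following is an added example and not TPAM's own code: the DetailRow structure, the validate_policy function and the sample rows are assumptions, and treating a Command/Denied row as conflicting only with grants for the same PCM Command is an interpretation of the text rather than something the manual states.

```python
"""Check the detail rows of an Access Policy for the conflicts described in
section 10.1.5.  Added example, not TPAM code: the row model, the function
name and the sample rows are assumptions; the rule set comes from the manual."""
from dataclasses import dataclass
from typing import List, Optional

# Type checkboxes on the Access Policy page ("Pwd" is the manual's short form of Password).
TYPES = {"Pwd", "Session", "Command", "File"}
# Permission checkboxes, named as in section 10.1.7.
PERMISSIONS = {"Denied", "ISA", "Approver", "Requestor", "PAC", "Reviewer"}


@dataclass(frozen=True)
class DetailRow:
    type: str
    permission: str
    command: Optional[str] = None  # PCM Command name; required when type == "Command"


def validate_policy(rows: List[DetailRow]) -> List[str]:
    """Return the list of rule violations; an empty list means the rows are consistent."""
    problems: List[str] = []
    seen = set()
    # Denied rows, keyed the same way as grants, so a Command row only conflicts
    # with a Denied row for the same PCM Command (assumption, see lead-in).
    denied = {(r.type, r.command) for r in rows if r.permission == "Denied"}
    for r in rows:
        if r.type not in TYPES:
            problems.append(f"unknown type {r.type!r}")
            continue
        if r.permission not in PERMISSIONS:
            problems.append(f"unknown permission {r.permission!r}")
            continue
        if r.type == "Command" and not r.command:
            problems.append("Command rows must name a PCM Command")
            continue
        if r.type != "Command" and r.command:
            problems.append(f"{r.type} rows cannot reference a PCM Command")
            continue
        label = f"{r.type}/{r.permission}" + (f" ({r.command})" if r.command else "")
        # Rule 1: a grant may not sit beside a Denied row for the same type.
        if r.permission != "Denied" and (r.type, r.command) in denied:
            problems.append(f"{label} conflicts with {r.type}/Denied")
        # Rule 2: the same permission/type combination may appear only once,
        # except Command rows that reference different PCM Commands.
        key = (r.type, r.permission, r.command)
        if key in seen:
            problems.append(f"duplicate row {label}")
        seen.add(key)
    return problems


# The manual's own example policy: approve session requests, review password releases.
EXAMPLE_POLICY = [DetailRow("Session", "Approver"), DetailRow("Pwd", "Reviewer")]

if __name__ == "__main__":
    print("example policy:", validate_policy(EXAMPLE_POLICY) or "OK")
    bad = [DetailRow("Pwd", "Requestor"), DetailRow("Pwd", "Denied"),
           DetailRow("Command", "Requestor", "cmd-a"), DetailRow("Command", "Requestor", "cmd-a")]
    for problem in validate_policy(bad):
        print("problem:", problem)
```

A check like this belongs in whatever tooling builds policies in bulk (for instance a script feeding the CLI or API described in the appendices), because the web form enforces the same constraints interactively but a batch loader does not get that feedback until each save fails.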
10.1.6 Information
The data in this section of the page replaces the details that were formerly
configured on the Alias Account Details tab in releases prior to v2.4. This box
only applies when you are setting up Requestor permissions. To override the
settings at the System, Account or File, uncheck the Use defaults check box
and adjust the settings as desired.
Note! Not all settings apply to all types. The checkboxes referencing
Clipboard, File Uploads/Downloads, and Record Sessions only apply to Session
or Command types.
10.1.7 Permission Types
Denied
This user role was created so that collection permissions could be assigned to
a user and then if there are specific entities within this collection that the user
should not have access to the Denied permission can be set for these entities.
If you are Denied for a System but have access to a specific Account/File on
that System you will still be able to access the Account/File, because Account
or File holds precedence over System.
Information Security Administrator (ISA)
The role of ISA is intended to provide the functionality needed for security
help desk personnel, and as a way to delegate limited authority to those
responsible for resource management.
An ISA permission with a Type of Session allows the user to add and update
all aspects of PSM Only systems, PSM only accounts, and for PSM supported
platforms.
An ISA permission with a Type of Password allows the user to add and update
systems and accounts for all platforms except those that are PSM only.
A user must be assigned an Access Policy with a Type of both Password and
Session and permission of ISA to be able to assign access policies to other
entities. The ISA permission does not allow the user to delete a system.
Approver
An Approver can be set up to approve password, session and or file requests.
An approver can also be set up to only approve sessions that are requesting
specific commands.
Requestor
A Requestor can be set up to request password, session, and or file requests.
A requestor can also be set up to only request sessions that run specific
commands.
Note! A user requesting a session that has an interactive proxy type
must also have an access policy assigned to them that includes
Password/Requestor for that account.
Privileged Access (PAC)
An individual that must go through the request process for passwords, files,
and sessions but once they submit the request it is automatically approved,
regardless of the number of approvers required.
Note! If you have Session /PAC permissions but do NOT have
Password/PAC Permissions on an account, you will only be able to start a
session that is configured for one of the automatic proxy connection types,
since you do not have permissions to access the password.
Reviewer
The reviewer role permits the individual to view reports on specific systems to
which they have been granted reviewer rights. A Session/Command Reviewer
can also replay sessions and review/comment on these sessions. If the user
has Password Reviewer permissions they can review a password release that
has expired and comment on that password release.
Click the save button when you are finished creating/editing the policy.
10.2 Making an Access Policy Inactive
To make an access policy inactive uncheck the Active checkbox and click the save
button. This will remove the Access Policy from assignment and filter lists, but will
not delete it.
Marking an Access Policy inactive when it is assigned to an entity, will display an
extra confirmation section as shown below. You must check the “Yes[…]” checkbox in
order to save the policy as inactive. This will remove the policy from any entity it is
assigned to. If this is a system generated policy it will make the associated Global
XXX Group effectively useless, but it will not change membership in the group.
10.3 Reactivating an Access Policy
Reactivating an inactive system-generated policy will bring back assignments of the
associated global group to the “All Systems” collection. Reactivating a non-system
generated policy simply reactivates the policy; no assignments are restored. Check
the Active box and click the save button.
10.4 Deleting an Access Policy
To delete an Access Policy it must already be flagged as inactive and saved. Click the
delete button.
Note! If the Policy is referenced by any File, Password or Session Request, or
ISA Password or File retrieval it cannot be deleted until those items age out of the
system.
10.5 Duplicating an Access Policy
To duplicate an Access Policy, select the policy you want to duplicate and click the button. Enter a unique Access Policy name, edit the Access Policy details as desired and click the button. Duplicating an Access
Policy duplicates all information about the policy itself (with the exception of the
System Generated setting), but does not duplicate any policy assignments.
11.0
Permission Hierarchy
Because TPAM allows groupings of Users (Groups) and remote systems (Collections), it is
possible, even likely, that a user could appear to have multiple conflicting permissions for a
particular system, account, and/or file. To prevent this, TPAM implements a precedence of
permissions.
The precedence, in order of decreasing priority, is:
• An Access Policy assigned to a User for an Account/File (most specific)
• An Access Policy assigned to a User for a System
• An Access Policy assigned to a User for a Collection containing Accounts or Files
• An Access Policy assigned to a User for a Collection of Systems
• An Access Policy assigned to a Group for an Account/File
• An Access Policy assigned to a Group for a System
• An Access Policy assigned to a Group for a Collection containing Accounts or Files
• An Access Policy assigned to a Group for a Collection of Systems (least specific) (*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The
Groups grant their respective permissions to an internally-maintained “All Systems”
collection.
Note! A single “Denied” Access Policy assignment at any level overrides all other
permissions at that level.
When any of the permissions are changed, for instance by adding or removing a user from a
group, the precedence is recalculated, and if necessary, the permissions for the user are
changed to reflect the new level that results.
In the scenario shown above, the groups and users have been assigned
Access Policies which grant the permissions specified. In this situation, the
precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via the Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because an assignment to a Collection containing an Account or File is more specific than an assignment to a Collection containing just the System. User A may still Approve requests to all accounts on System C and all of C’s files with the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that, as above, the Group B to Collection B assignment of Request rights for User A on File C1 overrides the Approver rights from Group A.
• Since User A is in both Groups A and B he has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment grants User B Review on Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account-in-a-Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) on Account B1, that would have replaced the Denied assignment on System B, but only for that one account.
• User B also has Review rights on all Accounts and Files on System A and on File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions on System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request permission on System A, which comes through the Group B to Collection B assignment. D still retains the Request permissions on Account B1 and File C1 from the Group assignment; however, that removes D’s ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the
permission hierarchy those permissions are combined, as long as one of those
permissions is not “Denied”. If a User is in 3 different groups (A, B, and C)
with policies to the same System (A grants Approver, B grants Reviewer, and
C grants Requestor) the user has all three permissions in effect on that
system. However, if Group B has Denied permissions instead of Reviewer
that takes precedence over all other "Group to System" assignments for that
User on that System.
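The precedence rules above are easy to misread, so here is a small resolver that encodes them literally. This is an added illustration, not TPAM code: the level numbers, the class layout and the users, groups, systems and collections in the sample data are assumptions chosen to exercise the rules stated in this section (only the most specific applicable level is consulted; grants at that level are combined; a single Denied at that level overrides everything else there).

```python
"""Effective-permission resolution following the precedence list in section 11.0.

Added example, not TPAM code. Level numbers, class names and the sample
users, groups, systems and collections are assumptions.
"""
from dataclasses import dataclass

# Precedence levels: 1 is the most specific assignment and wins outright.
LEVELS = {
    ("user", "account"): 1,              # User for an Account/File
    ("user", "system"): 2,               # User for a System
    ("user", "account_collection"): 3,   # User for a Collection of Accounts/Files
    ("user", "system_collection"): 4,    # User for a Collection of Systems
    ("group", "account"): 5,             # Group for an Account/File
    ("group", "system"): 6,              # Group for a System
    ("group", "account_collection"): 7,  # Group for a Collection of Accounts/Files
    ("group", "system_collection"): 8,   # Group for a Collection of Systems (Global groups)
}


@dataclass(frozen=True)
class Assignment:
    principal_kind: str  # "user" or "group"
    principal: str       # user id or group name
    target_kind: str     # "account", "system", "account_collection", "system_collection"
    target: str          # the account, system or collection name
    permission: str      # e.g. "Approver", "Reviewer", "Requestor", "ISA", "Denied"


@dataclass
class Directory:
    """Membership data the resolver needs (assumed shape, not a TPAM schema)."""
    group_members: dict        # group -> set of user ids
    account_system: dict       # account -> system it lives on
    system_collections: dict   # collection -> set of systems
    account_collections: dict  # collection -> set of accounts/files

    def applies(self, a: Assignment, user: str, account: str) -> bool:
        if a.principal_kind == "user":
            if a.principal != user:
                return False
        elif user not in self.group_members.get(a.principal, set()):
            return False
        system = self.account_system[account]
        if a.target_kind == "account":
            return a.target == account
        if a.target_kind == "system":
            return a.target == system
        if a.target_kind == "account_collection":
            return account in self.account_collections.get(a.target, set())
        if a.target_kind == "system_collection":
            return system in self.system_collections.get(a.target, set())
        raise ValueError(f"unknown target kind {a.target_kind!r}")


def effective_permissions(directory: Directory, assignments, user: str, account: str) -> set:
    """Permissions `user` holds on `account`: only the most specific level that
    applies is consulted; grants at that level are combined, and a single
    Denied at that level overrides everything else there."""
    by_level: dict = {}
    for a in assignments:
        if directory.applies(a, user, account):
            level = LEVELS[(a.principal_kind, a.target_kind)]
            by_level.setdefault(level, set()).add(a.permission)
    if not by_level:
        return set()
    winning = by_level[min(by_level)]
    return {"Denied"} if "Denied" in winning else winning


# --- constructed sample data; the names are not taken from the manual's figure ---
def sample_directory() -> Directory:
    return Directory(
        group_members={"GroupA": {"usera", "userb"}, "GroupB": {"usera", "userc"}, "GroupC": {"usera"}},
        account_system={"root@SystemA": "SystemA", "AccountB1": "SystemB"},
        system_collections={"CollectionA": {"SystemA", "SystemB"}},
        account_collections={"CollectionB": {"AccountB1"}},
    )


def three_groups_same_system(group_b_denied: bool) -> set:
    """The closing example of section 11.0: three Group-to-System policies on one system."""
    assignments = [
        Assignment("group", "GroupA", "system", "SystemA", "Approver"),
        Assignment("group", "GroupB", "system", "SystemA", "Denied" if group_b_denied else "Reviewer"),
        Assignment("group", "GroupC", "system", "SystemA", "Requestor"),
    ]
    return effective_permissions(sample_directory(), assignments, "usera", "root@SystemA")


def denied_system_vs_group_collection(direct_grant: bool) -> set:
    """User B's case: Denied on System B as a user, Review on Account B1 via a group."""
    assignments = [
        Assignment("user", "userb", "system", "SystemB", "Denied"),
        Assignment("group", "GroupA", "account_collection", "CollectionB", "Reviewer"),
    ]
    if direct_grant:  # a User-to-Account grant is level 1 and wins for that account only
        assignments.append(Assignment("user", "userb", "account", "AccountB1", "Reviewer"))
    return effective_permissions(sample_directory(), assignments, "userb", "AccountB1")
```

Note that this model resolves strictly by the eight levels. The User D walkthrough above reads a Group-to-Collection grant on Account B1 as displacing a User-to-Collection ISA grant on the same account, which the list as written does not predict; before relying on either reading for a sensitive account, confirm the effective permission on your own appliance.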
12.0 Permission Based Home Page
Your home page is based on the user type and permissions assigned to your user id in the
TPAM application. You can return to the home page from anywhere in the TPAM application
by clicking the home icon located on the far left side of the menu ribbon.
The first tab that displays is the default message of the day, which is configured through the
paradmin interface. Use the links on this tab to immediately make a session, password or file
request, or to approve any pending requests.
12.1 Recent Activity Tab
The recent activity tab shows all activity in TPAM for the last 7 days.
12.2 Approvals Tab
The Approvals tab will show any requests (Password, File or Session) that require
your approval. Once they are approved or denied you will still see the request in this
list until the release duration expires. By clicking on the request id you will be taken
directly to the appropriate Requests Approval Detail tab so that you can approve or
deny the request. To use the auto-refresh option check the box and enter the number
of minutes you would like the screen refreshed. See sections 31.0, 34.0, and 38.0 for
details on approving requests.
12.3 Pending Reviews Tab
If you are an eligible reviewer for any post password releases or sessions you will see
the Pending Reviews tab on your home page. Any password releases or sessions
that are pending review will be seen on this tab. By clicking on the request id you will
be taken directly to the Password Release Review Details or Session Review Details
tab. To use the auto-refresh option check the box and enter the number of minutes
you would like the screen refreshed.
12.4 Current Requests Tab
The Current Requests tab will show any request (Password, File or Session) that
you have made. The requests will stay visible on this tab until the release duration
expires. By clicking on the Request ID link you will be taken directly to the Session,
Password or File Request Management tabs so you can see more details on this
request.
13.0 Managing Your Own Account
Any user may change their password and update individual account details using the My
Info menu option.
To reset your own password, select My Info > Change Password from the menu. Enter
the existing password, the new password desired, and confirm the new password. User
passwords are subject to the requirements of the Default Password Rule.
Other individual account information can also be self managed, such as contact information
and full name. Select My Info > User Details from the menu to make modifications to
your own account information.
A user may not modify the UserID, Last Name, or First Name fields.
13.1 User Time Zone Information
You can edit your time zone information through the My Info > User Details menu
option. The TPAM administrator will also be able to edit your time zone.
If you are in the same time zone as the server and follow the same Daylight Saving
Time (DST) rules the first radio button should be selected.
If you are in a different time zone and/or follow different DST rules and do not want
to follow server time, the second radio button should be selected, and the appropriate
time zone chosen from the list. With this option most dates and times that the user
sees in the application or on reports will be converted to your local time. If a date or
time still reflects server time it will be noted on the screen.
Note! If the Sys-Admin has disabled User Time zone changes in the paradmin
interface, the User Time Zone Information block shown above will be visible only
to Administrator users.
Example: TPAM appliance is located in New York, NY on Eastern Time. The user is
located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their
time zone to Pacific Time, any requests, approvals, etc that they make will be
reflected in Pacific Time to them, and they will have the option to view some reports
in their local time zone. If the TPAM Administrator is in the Eastern Time zone the
admin will see this user’s transactions stamped with the Eastern Time.
Alert! If you are in Daylight Saving Time (DST) you must remember to check
the DST box and uncheck it when it is over. This box does NOT automatically get
changed for you.
You will be automatically redirected to the User Details page when attempting a new
transaction if:
• The server has undergone a DST transition since your last activity.
• The time zone on the server has been changed since your last activity.
• The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft’s time zone updates.
You will be able to see the server time on the bottom left of your screen and your
local GMT offset (if different from the server) in the middle bottom of the screen. The
time is listed in reference to GMT (Greenwich Mean Time), using notation that
indicates the number of hours ahead of or behind GMT. For example, US Eastern
Standard Time is 5 hours behind GMT, or GMT -05:00; New Delhi, India is 5½ hours
ahead, or GMT +05:30.
14.0 Application Navigation
This section provides an overview how to navigate through the user interface.
14.1 Tab Format
One of the first things the user will notice is that upon selecting an action from the
main menu bar the data will be displayed through multiple tabs.
Once a specific System, Account, Collection, etc is selected all of the details about
this entity can be viewed by clicking on the different tabs along the top of the page.
Tabs which do not apply to a given system are disabled. For example, the
Connection and Management Details tabs do not apply to a system unless the
Enable Automatic Password Management option is checked.
14.2 Filter Tab
This tab was developed for companies that are managing a large number of systems,
accounts, collections and groups. By entering specific criteria on the Filter tab, the
user will be able to quickly get to the piece of data that they need to review or edit
without searching through thousands of records.
The Max Rows to Display list allows you to limit the number of records returned
even if more records meet the criteria.
The Default Filter Settings has choices of Clear, Save and No Action. If Save is
selected then every time the user selects the menu item they will land on the Listing
tab and the same filter will be applied until a new filter is saved or if the filter is
cleared. The saved filters are on a user by user basis, that is if user dlynch saves a
filter it has no effect on a filter saved by glucas.
Once your filter criteria have been entered click the Listing tab to get the results of
your filter.
14.3 Listing Tab
The results from your Filter will be listed in the Listing tab. Notice that in the
example above 2 records actually met the Filter criteria that was entered and the user
chose to display at most 50 rows. If 120 records had met the filter criteria, only 50
would have been displayed, and the tab would have said Displaying 50 out of 120 rows
meeting filter criteria, warning the user that not every match was returned in the
Listing tab. Once you find the record that you want to work with, click the row once
to highlight it on the screen and then click the tab where you want to go next.
Note! If you are already displaying the Listing tab, clicking the tab label (circled
area below) a second time will refresh the listing from the database based on the
current criteria.
14.4 Feedback Area
The feedback area is located in the bottom center of each window. This area was
created to notify the user what transaction was last completed. As soon as the user
selects a new “entity” i.e. system, account, collection, from the listing then the
Feedback area will be cleared and remain empty until a new transaction occurs.
15.0 Configuring Managed Systems
Selecting Systems, Accounts, & Collections > Systems > Add System or Systems,
Accounts, & Collections > Systems > Manage Systems will lead to the configuration
pages for managed systems. If modifying an existing system, first select the desired system
by entering criteria on the Systems Management Filter tab, clicking on the Listing tab,
clicking on the System Name you are looking for and then clicking on any of the additional
tabs to edit the system configuration. Below is a description of all the configuration fields on
the various tabs.
Keep in mind that non-managed systems or systems not supported for auto-management
will not allow access to the Connection tab or the Management Details tab (with the
exception of eDMZ SPCW systems).
15.1 System Details Tab
15.1.1 System Name
This is the descriptive name of the system. Typically, the hostname (for UNIX
systems) or the Machine name (for Windows systems) will be used. Within
TPAM, the system name must be unique. The name can be 1-30 characters
long, but cannot include empty space (i.e. spaces, carriage-returns, etc.).
15.1.2 Network Address
The IP Address (i.e. 192.168.0.15) or DNS Name (server1.domain.bigco.com)
of the system. It is imperative that this information is entered correctly, as
the back-end automation procedures will use this address to connect to the
remote system to proxy and record the session activity and setting or
checking of the password for the managed account(s).
15.1.3 ISA Policy
You will see this list option when adding a System if your userid is assigned
an Access Policy that contains an ISA permission. From this list you can select
which ISA policy should be applied for your access to this new system once it
has been saved. If you have ISA access granted via a single Access Policy it
will be pre-selected.
Alert! If you select Do not Assign an ISA Policy and do not
assign the System to a Collection that you have access to, you will
NOT have any access to the system after it is saved (unless you are
a paradmin).
15.1.4 Platform
This drop-down list shows the operating system platforms currently supported
for proxied connections by TPAM as well as Other, which includes all
platforms not currently supported for auto management. Choose the
appropriate platform for the operating system running on the remote host.
For PSM this field is primarily descriptive, since it is the proxy connection type
that actually determines how the session will be established. However, if the
passwords for this system will be managed by PPM, then it is very important
that this be entered correctly, as the PPM uses it to determine the most
secure and reliable way to manage the passwords on the remote system.
Note! A system entered in TPAM with a platform type not supported by
PSM will appear in the list of systems on TPAM, and the accounts defined for
that system will appear in the TPAM accounts list for the system – however,
the option to allow sessions will be disabled.
15.1.5 Password Rule
Select the desired password rule to serve as the default for all accounts
defined for the system. If the selection is not changed (or if no other rules
have been defined in TPAM) the Default Password Rule will be selected. The
password rule will govern the construction requirements for new passwords
generated by PPM. Password rules are managed by Sys-Admin users in the
parconfig interface.
15.1.6 Maximum Duration
This is the maximum duration for a password release on the account. If this is
overridden by an Access Policy assignment, the lower of the two durations will
be used. The default duration that the requestor will see for any new
password request is 2 hours, or the maximum duration, whichever is less.
15.1.7 Contact E-mail
Allows support personnel to receive email notifications from TPAM. Alerts or
warnings are sent when the condition of the remote system is not as
expected. This field can be left blank, in which case errors will be logged but
notifications will not be sent. The email address in this field will be the one
notified when Manually managed account passwords are scheduled to be
changed.
15.1.8 Description
The description field may be used to provide additional information about the
system, special notes, business owner, etc.
15.1.9 Enable Automatic Password Management?
Tells TPAM whether to automatically manage remote system account
passwords, based upon configuration parameters for each system. Auto-management
includes automatic testing and changing of the passwords.
Checked = Yes, Unchecked = No. This option is available at both the system
and account levels, therefore it is possible to allow TPAM to auto-manage one
account on a specific system, while another account on the same system is
not auto-managed. However, if the option is unchecked at the system
configuration level, no accounts on the system can be auto-managed. If the
appliance has exceeded the number of PPM managed systems that were
licensed this option will not be able to be checked for any new systems until
you check the Disable PPM Functionality checkbox on another managed
system.
15.1.10 Disable PPM Functionality (PSM Customers Only)
This checkbox sets the system to “PSM only” which means you cannot use
any of the PPM features on this system such as password change history,
release logs, password checking and changing, and releasing passwords. The
reason for this is product licensing. You are not limited to the number of “PSM
only” systems you can add, but we will limit the number of managed (PPM)
systems you can add based on the number of licenses you purchased.
15.1.11 Approver Escalation
You have the ability to send an escalation to a specific e-mail address if no
approvers have responded to a Password/File request within X minutes. You
can enter multiple e-mail addresses by separating them with a comma up to
the field maximum of 255 characters.
15.1.12 Delegation Prefix (specific platforms only)
This field can be used to preface the commands that PPM uses to manage
passwords for this system. The delegation prefix can also be used to specify
an absolute path to the command that PPM uses to manage password for the
system.
15.1.13 Computer Name (specific platforms only)
This field is designated for the system’s computer name and is required for
proper password management. If it is not populated, TPAM will attempt to
determine the system’s computer name when the system is tested and
update the field.
The Computer Name field is also used with TPAM’s Autologon feature. You
have the option to have TPAM log the user into the remote system using the
WORKSTATION\USERID format. This will prevent any incorrect logon if the
Default domain is saved as the DOMAIN name versus the Local Workstation.
If a Domain user is selected from the Session Authentication screen in PSM
details, the user credentials will be passed as DOMAIN\USERID. You will
notice with both options that the DOMAIN field is grayed out at login.
15.1.14 System Location Information
There are six customizable fields that you can use to track location
information about each system. These custom fields are enabled and
configured by the System Administrator in the paradmin interface. If these
fields have not been enabled the system location section of this page will not
appear at all on the Details tab.
15.2 System Template Tab
You have the ability to add a System and save all the settings for that System as a
template. Templates may be used to quickly create new systems with a given set of
default values via the web interface, CLI or API. Templates can only be created and
edited by TPAM Administrators. Only TPAM Administrators and ISAs may use
templates.
15.2.1 Create a Template from this System
Checking this flag will save this System as a System Template. Once a
template has been created you cannot uncheck this flag.
15.2.2 Use this as the default template
If this box is checked this template will be used when adding all Systems
unless another template is chosen with the Use Template button. Only one
template can be designated as the “Default” at a time. If a template is
designated as the “Default” it will be listed in purple font in the Manage Systems
listing.
15.2.3 Retain Collection Membership in the template
When checked this will create the template with all the Collection
memberships currently defined on this system. Systems created from the
template will have the same collection memberships.
Alert! If this system is a member of an AD Integration
Collection, that membership is NOT transferred to the template and
subsequent systems.
15.2.4 Retain User/Group Permissions in the template
When checked this will create the template with all the User and Group
permissions (Access Policy assignments) currently defined on the system.
Systems created from this template will have the same permissions.
15.2.5 Retain existing Accounts in the template
When creating a template based on an existing system, this allows you to
retain up to 10 accounts from the existing system (including the functional
account). Accounts saved to the template will NOT retain any passwords,
password history, or dependent system information. If you check this box,
then you must check the accounts you want in the list below. The functional
account cannot be unchecked.
15.3 System Connection Tab
Fields available for connection settings will differ according to the platform type of the
managed system.
15.3.1 Alternate Port
Most non-Windows platforms allow alternate ports to be configured for
communication of standard protocols, such as SSH, Telnet, or database ports.
TPAM now supports the ability to specify these system specific ports via the
Connection tab.
15.3.2 Domain Name (specific platforms only)
When the system platform being created represents a central authority such
as Active Directory, BokS, or PowerPassword, the domain name must be
specified. This name cannot be an alias, simple name, or NetBIOS name, but
must be the fully qualified DNS name of the domain.
15.3.3 NetBIOS Domain Name (Windows domains only)
Windows domain systems (Active Directory, NT Domain, or eDMZ SPCW) also
include the NetBIOS Domain Name field. Specify the name of the domain in
NetBIOS format.
15.3.4 Alternate Address (specific platforms only)
When the system platform being created represents a central authority such
as Active Directory, BokS, or PowerPassword, the alternate address field can
contain the network address of an alternate authority (i.e. another domain
controller) for redundancy.
15.3.5 Functional Account
The Functional Account defines the account that will be used to manage the
accounts on the managed system. This account must be defined and
configured on the managed system as defined in the appropriate Client Setup
Instructions. The credential defines whether SSH will use a predefined key
(DSS) to authenticate or a standard password. DSS is the preferred and more
secure way of managing accounts on systems that support SSH. You have the
option to let PPM manage the functional account.
The auto-change parameters for this password may then be configured via
the Account Details tab, as with any other account. This helps to secure the
managed system, by not maintaining a “static” password on a functional
account.
Alert! After a system is “saved” for the first time, any changes
in the system parameters will not automatically be applied to the
functional account, unless the “Propagate to All Accounts” switch on
the Management Details tab has been checked. The auto manage
function will never be propagated to the functional account. It must
be manually set.
15.3.6 PSM Functional Account (eDMZ SPCW platform only)
The PSM functional account is used to provide secure communication during
the session and file transfer during a session. If the PSM enabled account on
the system is configured to use a proxy type of RDP through SSH, the PSM
Functional account will be used during this connection.
15.3.7 Account Credentials
When using DSS key authentication, a function is available to permit specific
configuration of the public/private keys used.
Avail. System Std. Key – will use the single standard SSH keys (either Open
SSH or the commercial key) stored centrally in TPAM. You have the ability to
have up to three active keys simultaneously. These keys are configured in the
paradmin interface. Use the list to select the key you want to retrieve.
Note! When using the System Std. Keys you cannot specify which key
will be used. You may download one or all available keys to put on the
remote system, but TPAM will attempt to use all currently active keys when
communicating with the remote system.
Use System Specific Key – will allow the generation and download of a
specific SSH key to be used with this system only. The key must first be
generated using the button, and then downloaded in either Open SSH or
Sec SSH (commercial) format.
15.3.8 Enable Password (Cisco and ProxySG only)
Some systems may require the use of very specific accounts for access (e.g.
Cisco PIX requires the use of “pix” as the ID, Cisco routers use “cisco” as the
ID, etc.). If the managed device is a Cisco device, the enable password must
also be specified in the configuration.
15.3.9 SID / Service_Name (Oracle DB only)
Specifies either the System Identifier (SID) or the service name for Oracle
databases, and should match the setting in SQLNET.ORA at the database
server.
15.3.10 Connection Timeout
The connection timeout value determines the amount of time in seconds that
a connection attempt to the managed system will remain active before being
aborted. In most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with the system, this
value can be increased (for example, connections to Windows systems are
often slower than SSH connections and may require a significantly higher
timeout value).
15.3.11 Server O/S (BoKs platform only)
Select the O/S running on the server from the list.
15.3.12 Expert Password (CheckPoint SB only)
Setting up an Expert Password will allow configuration access to the
system.
15.3.13 Non-Privileged Functional Account (Windows Active Directory only)
If this box is checked any password changes for accounts on this system will
use the account’s current password to log in and make the password change
instead of using the functional account password.
15.3.14 Authentication Method (Cisco Router TEL only)
Username/Password is used when a username is needed when connecting to
the system. Line Definition is used when there is no username to be
specified, it is simply a password on the terminal connection.
15.3.15 Allow Functional Account to be Requested for Password Release
If this box is checked then Requestors on this system can make a request to
release the password for the functional account. If this box is not checked the
functional account passwords are not available for release to a requestor and
will only be accessible to an ISA.
15.3.16 Custom Command (Mainframe platforms only)
If there is a special command that needs to be entered prior to being
prompted for authentication credentials, it is specified by placing the
command in the custom command field.
15.3.17 Use SSL? (specific platforms only)
Check this box if communications between TPAM and the device requires the
SSL option.
15.3.18 Tunnel DB Connection Through SSH (database platforms only)
Database tunneling through SSH provides the ability to securely connect to a
remote database.
Enter the Account Name that you will use to connect to the remote system.
If SSH is not listening on port 22, provide the correct port for the SSH
connection.
For DBMS accounts, SSH tunneling uses public key authentication only, not
passwords, to establish the SSH connection.
Alert! Make sure that AllowTcpForwarding is left at its default of yes
in the SSH daemon configuration file (sshd_config) of the managed system.
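Because a disabled AllowTcpForwarding only shows up as a failed tunnel at request time, it is worth checking the managed system's sshd_config before enabling this option. The checker below is an added example, not TPAM code: it parses a copy of sshd_config offline, applies sshd's first-value-wins rule, honours Match User blocks (other Match criteria are treated as not matching, which is deliberately conservative), and reports whether a local forward is permitted for the account TPAM will authenticate as. The two sample configurations and the account name tpamfunc are constructed for the example.

```python
"""Check a managed system's sshd_config for what the SSH DB tunnel needs:
AllowTcpForwarding (sshd default: yes) and the listening Port (default 22).

Added example, not TPAM code. Only `Match User ...` and `Match All` blocks
are evaluated; any other Match criterion is treated as not matching.
"""
import fnmatch
import re


def parse_sshd_config(text: str):
    """Return (global_opts, match_blocks). Keywords are case-insensitive, and
    sshd uses the first value it obtains for a keyword, so a later repeat in
    the same section is ignored."""
    global_opts: dict = {}
    blocks: list = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
            continue
        current.setdefault(key, value)
    return global_opts, blocks


def match_applies(criteria, user: str) -> bool:
    """Evaluate a Match line's criteria for `user` (User patterns may be a
    comma-separated list with shell wildcards)."""
    if len(criteria) == 1 and criteria[0].lower() == "all":
        return True
    pairs = list(zip(criteria[0::2], criteria[1::2]))
    if not pairs:
        return False
    for crit, pattern in pairs:
        if crit.lower() != "user":
            return False  # Address, Group, Host, ...: not evaluated here
        if not any(fnmatch.fnmatchcase(user, p) for p in pattern.split(",")):
            return False
    return True


def effective_value(text: str, keyword: str, user: str, default: str) -> str:
    """Value sshd would apply for `user`: the first matching Match block that
    sets the keyword, else the global section, else the compiled-in default."""
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for criteria, opts in blocks:
        if key in opts and match_applies(criteria, user):
            return opts[key].lower()
    return global_opts.get(key, default).lower()


def local_forwarding_allowed(text: str, user: str) -> bool:
    """The tunnel is a local (-L style) forward to the database port, which
    AllowTcpForwarding yes, all or local permits; no or remote blocks it."""
    return effective_value(text, "AllowTcpForwarding", user, "yes") in ("yes", "all", "local")


def listen_port(text: str) -> int:
    """Port is only valid in the global section."""
    global_opts, _ = parse_sshd_config(text)
    return int(global_opts.get("port", "22"))


# Constructed sample: forwarding left at its default, but refused for one account.
SAMPLE_DEFAULT_OK = """\
# sshd_config on the managed database host (constructed)
Port 2222
PasswordAuthentication no
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample: forwarding disabled globally and re-enabled only for the
# functional account TPAM authenticates as (the name is an assumption).
# The second global AllowTcpForwarding line is ignored: first value wins.
SAMPLE_FUNC_ONLY = """\
AllowTcpForwarding no
AllowTcpForwarding yes
Match User tpamfunc
    AllowTcpForwarding local
"""
```

The second sample shows the hardened shape a practitioner usually wants: forwarding off for everyone except the single account the appliance uses, which keeps the manual's requirement satisfied without opening TCP forwarding to every SSH user on the database host.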
15.4 System Management Details Tab
The System Management Details tab lists options that once set will be inherited by
all accounts set up on this system. These options can be overridden at the account
level.
15.4.1 Password Check and Reset Options
The automatic password testing function may be enabled or disabled for
managed systems by using the Check Password and Don’t Check
Password radio buttons. If enabled, the option to have the password
automatically reset when a mismatch is found is also available. By default
Reset Password on Mismatch will be selected. When auto reset is disabled
only a notification email will be sent when a password mismatch is
encountered (assuming the system contact email field is populated). Change
Password after any release indicates whether the password for the account
should be automatically reset by PPM following a release to any user
(including ISA users). The option is enabled by default. If disabled, the
password will not be changed after releases, but will still be changed based
upon the Change Frequency settings.
15.4.2 Change Frequency
This specifies the interval at which the password will be automatically
changed, regardless of whether or not the password has been released.
Typically, this will be set to the value specified in your company’s security
policy, which defines password expiration age. Available choices are:
• First Day of the Month – the password will be changed every month, on
the first day of the month
• Last Day of the Month – the password will be changed every month, on
the last day of the month
• Every n Days – this allows you to specify the frequency with which the
password will be changed. The n value can be between 1 (changed every
day) and 999.
• None - no scheduled changes.
15.4.3 Change Time
Allows you to specify the time of day when automatic password changes will
take place. This should be set to a time when the system is not scheduled to
be down for regular maintenance and when system activity is not at its peak.
The change time will take place when the TPAM server reaches this time and
not the time in your local time zone.
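The interaction between the Change Frequency list, the server-time Change Time and the per-user time zone of section 13.1 is the usual source of confusion when a change fires "at the wrong hour". The following added example (not TPAM code) computes the next scheduled change for each frequency in the server's zone and renders it both as a server-time user and as a user who chose GMT +05:30. The server zone (GMT -05:00, following the manual's New York example), the 02:00 change time, the sample dates, and the rule that "every n days" counts from the last change are all assumptions.

```python
"""Next scheduled password change (Change Frequency / Change Time) and how
it appears to a user with their own time zone.

Added example, not TPAM code. The server zone, change time, sample dates and
the every-n-days anchoring rule are assumptions.
"""
import calendar
from datetime import date, datetime, time, timedelta, timezone

SERVER_TZ = timezone(timedelta(hours=-5), "GMT-05:00")            # appliance on US Eastern Standard Time
DELHI_TZ = timezone(timedelta(hours=5, minutes=30), "GMT+05:30")  # a user in New Delhi

SAMPLE_NOW = datetime(2011, 3, 15, 10, 0, tzinfo=SERVER_TZ)           # constructed "now"
SAMPLE_NOW_AFTER_CHANGE = datetime(2011, 4, 1, 3, 0, tzinfo=SERVER_TZ)  # 1st of month, change time already passed
SAMPLE_LAST_CHANGE = datetime(2011, 3, 1, 2, 0, tzinfo=SERVER_TZ)
SAMPLE_CHANGE_TIME = time(2, 0)                                        # Change Time, in server time


def _next_month(y: int, m: int):
    return (y + 1, 1) if m == 12 else (y, m + 1)


def next_change(now: datetime, frequency: str, change_time: time,
                n_days: int = 0, last_change: datetime = None):
    """Next change as an aware datetime in SERVER_TZ, or None for 'none'.
    Frequencies mirror the Change Frequency list: 'first_of_month',
    'last_of_month', 'every_n_days', 'none'. Change Time is always taken in
    the server's zone, never the requesting user's."""
    now_s = now.astimezone(SERVER_TZ)
    today = now_s.date()

    def at(d: date) -> datetime:
        return datetime.combine(d, change_time, tzinfo=SERVER_TZ)

    if frequency == "none":
        return None
    if frequency == "first_of_month":
        cand = at(today.replace(day=1))
        if cand <= now_s:
            y, m = _next_month(today.year, today.month)
            cand = at(date(y, m, 1))
        return cand
    if frequency == "last_of_month":
        cand = at(today.replace(day=calendar.monthrange(today.year, today.month)[1]))
        if cand <= now_s:
            y, m = _next_month(today.year, today.month)
            cand = at(date(y, m, calendar.monthrange(y, m)[1]))
        return cand
    if frequency == "every_n_days":
        if not 1 <= n_days <= 999:
            raise ValueError("n must be between 1 and 999")
        # Assumption: the interval counts from the last change, or from now if unknown.
        base = (last_change or now_s).astimezone(SERVER_TZ).date()
        cand = at(base + timedelta(days=n_days))
        while cand <= now_s:
            cand += timedelta(days=n_days)
        return cand
    raise ValueError(f"unknown frequency {frequency!r}")


def display_for_user(when: datetime, user_tz: timezone = None) -> str:
    """Users following server time see the server clock; users with their own
    zone see the same instant converted to that zone."""
    return when.astimezone(user_tz or SERVER_TZ).strftime("%Y-%m-%d %H:%M %Z")


def schedule_report(now: datetime = SAMPLE_NOW) -> dict:
    """For each frequency: (as shown to a server-time user, as shown to the Delhi user)."""
    cases = {
        "first_of_month": next_change(now, "first_of_month", SAMPLE_CHANGE_TIME),
        "last_of_month": next_change(now, "last_of_month", SAMPLE_CHANGE_TIME),
        "every_30_days": next_change(now, "every_n_days", SAMPLE_CHANGE_TIME, 30, SAMPLE_LAST_CHANGE),
    }
    return {name: (display_for_user(dt), display_for_user(dt, DELHI_TZ)) for name, dt in cases.items()}
```

The Delhi user sees the 02:00 server-time change as 12:30 local, which is the conversion the manual describes; the DST caveat above still applies, since these fixed offsets do not move when the user forgets to toggle the DST box.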
15.4.4 Default duration for ISA releases of password
The duration for ISA release may be specified up to a maximum of 7 days.
This is the amount of time that will transpire between the initial ISA retrieval
and the automatic reset of the password (if enabled).
15.4.5 Allow ISA to enter Duration on Release
If this checkbox is checked, an ISA may enter a release duration other than
the default when retrieving a password. The duration must be >0 and <= the
max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details
tab). This column was added to the System and Account Imports and Batch Updates. This flag is also a value that can be pushed to Accounts and pulled from the System.
15.4.6 Propagating Auto Password Management and Management Detail Settings
Default change settings can be configured differently between systems and
the defined accounts for those systems. If the desire is to ensure consistency
throughout this parent-child relationship, it is possible to push the
configuration of the default change settings from the system object to all child
objects defined for the system.
Using the check boxes, select the desired level of propagation of the current system settings: Push Defaults to All Accounts and Enable auto management on All Accounts. To push auto management to all accounts you must first check Push Defaults to All Accounts; only then can you check the Enable auto management on All Accounts flag if you so choose. The currently configured default change settings and auto-manage properties will be changed accordingly on the child objects when the button is clicked. This is a one-time synchronization; the settings may still be changed at the account level.
The functional account defined for the system will not receive the Enable Auto Management on All Accounts setting during a push. The auto-manage property must be enabled manually for the functional account.
15.5 Affinity Tab
The Affinity option will allow you to optimize performance of session recording and
playback and password checking and changing if you have opted to purchase one or
more DPA servers along with your TPAM appliance. This tab will not be enabled until
you save the system.
In v2.4 we added the ability to re-enroll a replacement DPA and preserve your
original Affinity settings.
Use the PSM DPA Affinity Settings to optimize session recording and playback. The
default setting will be Allow PSM sessions to be run on any defined DPA. The
default DPA Server name will be LocalServer, which is the local TPAM appliance. If your company purchased and configured additional DPAs to optimize performance you will see these listed in the DPA Server Name column. (See section 29.1 on configuring DPAs).
Enter the Priority number next to each DPA and click the button.
The priority numbers used in the Affinity settings only have meaning in relation to each other. For example, 1,2,3 has the same meaning to the system as 98,99,100. When the appliance decides which DPA to use, it looks at them in order of priority from lowest to highest and picks the first one that has an open slot. A value of 0 (zero) is simply "more important" than any higher value. If you want to make sure that a particular DPA is never used for session recording for a given system, then the priority should be empty (NULL), not zero.
Use the PPM DPA Affinity Settings to optimize password checking and changing. The default setting will be Use local PPM appliance for password checks and changes. If you want to use one of your DPAs for password checking and changing on this system select the Selected DPA affinity radio button, enter the Priority number next to each DPA, and click the button.
Note! The password checking and changing functionality requires DPA v3.0+.
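The selection rule described above, written out as an added example (this is illustrative code, not part of TPAM): priorities are compared only relative to each other, 0 outranks any higher number, and an empty (NULL) priority excludes the DPA entirely. The DPA names, slot counts and tie-breaking rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpaAffinity:
    """One row of a system's PSM DPA Affinity settings."""
    name: str
    priority: Optional[int]  # None models an empty (NULL) priority: never use this DPA
    open_slots: int          # constructed for the example: free recording slots right now


def choose_dpa(affinities: List[DpaAffinity]) -> Optional[str]:
    """Return the DPA that will record the next session for this system.

    DPAs are tried from lowest to highest priority number (0 beats any higher
    value) and the first one with an open slot wins; rows with an empty
    priority are never considered. Returns None if every eligible DPA is full.
    Tie-breaking between equal priorities is not described in the manual, so
    this example keeps the listing order (Python's sort is stable).
    """
    eligible = [a for a in affinities if a.priority is not None]
    for dpa in sorted(eligible, key=lambda a: a.priority):
        if dpa.open_slots > 0:
            return dpa.name
    return None


def rescaled(affinities: List[DpaAffinity], offset: int) -> List[DpaAffinity]:
    """Same ordering with every priority shifted: 1,2,3 means the same as 98,99,100."""
    return [
        DpaAffinity(a.name, None if a.priority is None else a.priority + offset, a.open_slots)
        for a in affinities
    ]


# Constructed sample: LocalServer is the appliance itself; dpa-b must never be
# used for this system, so its priority is left empty rather than set to 0.
SAMPLE = [
    DpaAffinity("LocalServer", 2, 4),
    DpaAffinity("dpa-a", 1, 0),      # preferred over LocalServer, but currently full
    DpaAffinity("dpa-b", None, 10),  # excluded despite having the most free slots
    DpaAffinity("dpa-c", 0, 1),      # 0 is "more important" than 1 or 2
]

# Constructed counter-example: the common mistake of using 0 to mean "never".
MISTAKE = [DpaAffinity("LocalServer", 1, 4), DpaAffinity("dpa-b", 0, 10)]


if __name__ == "__main__":
    print(choose_dpa(SAMPLE))                # dpa-c
    print(choose_dpa(rescaled(SAMPLE, 97)))  # dpa-c: 97,98,99 ranks the same as 0,1,2
    print(choose_dpa(MISTAKE))               # dpa-b: priority 0 makes it the first choice
```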
15.6 Ticket Systems Tab
The options available on this tab will be predetermined by how Ticket Systems were
configured in the paradmin Interface. If no Ticket Systems have been configured and
enabled in the paradmin interface the Ticket System tab will be inaccessible. Any
changes to the settings on this page are recorded in the System Activity Log. These
options will be the defaults for any Accounts or Files added to the system.
15.6.1 Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
password or file request is submitted for this system. If multiple Ticket
Systems are enabled they will be listed in the list for selection. You can
specify the ticket system or allow entry of a ticket number from any system
that is enabled. If this box is not checked users will still be able to enter a
Ticket Number on a request, but will also be able to create a request without
a Ticket Number entered.
15.6.2 Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a ticket number. You also have the option to require ISAs to supply a ticket number prior to retrieving a password or file, as well as for requests made through the CLI or API.
15.6.3 Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a password or file without supplying a ticket.
15.6.4 Propagation
You have the option of pushing the Ticket System settings out to all Accounts and Files. When a new account or file is created it will take on the Ticket System settings of the parent system.
Note! These checkbox values are a one-time update each time they are checked and the Save Changes button is selected. After that there is no forcing of the settings to remain in sync. The settings on the Accounts can be overridden.
15.7 Collections Tab
Systems may be assigned membership to one or more collections. The collections list
shows all collections that have been defined to the TPAM appliance if the user
modifying the system is an administrator. If the user modifying the system is an ISA,
only the collections for which the user holds the ISA role will be displayed. By
assigning the system to collections, the system automatically inherits user and group
permissions that have been assigned at the collection level. To modify collection
membership, simply click the Not Assigned or Assigned radio buttons next to each collection name and click the button.
Note! A System cannot belong to a collection which already contains any of its accounts or files. Conversely, an account or file cannot be added to a collection that already contains that entity's parent system.
Note! If a collection is tied to either AD or Generic Integration the system’s
membership status in that collection cannot be changed.
15.8 Setting Permissions for PSM and PPM Functionality for Systems
Select Systems, Accounts, & Collections > Systems > Manage Systems from the menu. Once you select the system you want to modify click the Permissions tab. With the addition of Access Policies in v2.4 the Permissions tab has changed. See section 10.0 for more information on Access Policies.
Select the Filter criteria you want and click the Results tab.
On this tab you can assign users and or groups an Access Policy for this System.
First, select an Access Policy from the Access Policy list on the right upper side of
the window. You will see that default Access Policies have been created to reflect the old PAR and EGP Roles that existed prior to v2.4. Also, if you are an existing customer prior to v2.4, Access Policies will be created for any unique permissions that you had
set up for account aliases. When you select an Access Policy from the list the detailed
permissions describing this Access Policy will be displayed in the rows below. The
buttons in the Access Policy Details area perform the following actions:
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of "Not Assigned" removes the current assignment.
• Applies the currently selected policy to all selected rows in the list. You will be asked to confirm the assignment if more than 10 rows will be affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You will be asked to confirm the assignment if more than 10 rows will be affected.
• Removes unsaved edits from the current row.
• Removes unsaved edits from all currently selected rows.
An icon next to any row in the list simply means that row has been edited since the last time changes were saved.
You can “Shift+Click” to select a range of rows. The first row you click on will be
surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause
all the rows in between the original row and current row to be highlighted.
If you are already on the Results tab clicking the Results tab label will refresh the list
from the database based on your filter criteria and apply any unsaved changes you
may currently have.
When you are finished assigning/unassigning Access Policies click the button.
Note! You may re-filter and re-retrieve the results list without losing existing
edits. As the Results tab is reloaded any Groups or Users that you have already
edited will reflect their edited policy assignment. When you click the Save Changes
button all of the Access Policy assignment changes you have done for the system will
be saved. The appliance will save these in batches, informing you of the number of
assignments added, removed, or changed for each batch.
Note! You must be both a PPM and PSM ISA over a system to be allowed
to assign an Access Policy to it.
15.9 Creating a System Template
To create a system template from scratch select Systems, Accounts, & Collections > Systems > Add System Template from the menu. Enter the Template Name in the Template Name field and continue to fill out all the parameters on all the system tabs as you so desire. Go to the Template tab and make sure the Create this System as a Template checkbox is checked. The other checkboxes are optional. Once this is complete click the button.
To create a system template from an existing system, pull up the system and check the Create this System as a Template box on the Template tab (see section 15.2.1 for details). Go to the Details tab and enter the template name in the Template Name field and click the button.
Changing a template assigned to an AD or Generic Integration entry does not change
any existing systems nor change the template associated with said systems.
15.9.1 Deleting a System Template
To delete a system template select the template from the System Listing tab. Click the button. You will get the following pop up window. Click the button. When a template is deleted any systems that were created from this template are no longer associated to it.
A template that's currently being used by AD or Generic Integration cannot be
deleted.
15.10 Adding A System
Select Systems, Accounts, & Collections > Systems > Add System from the menu. After completing all required fields for the new system (see section 15.0 for a description of all fields), click the button to accept. To start adding accounts for the system or view/edit the functional account you can click the button and you will be taken to the Account listing for that system.
15.10.1 Adding a System Using a Template
Select Systems, Accounts, & Collections > Systems > Add System from the menu. Click the button.
Select a Template from the Listing tab and click the Details tab to enter the
System Name. If the fields are not locked, make any other changes to the
individual fields as needed before saving.
Alert! The System IP address is copied from the template so do not
forget to change that.
15.10.2 ISA Policy
You will see this list option when adding a System if your userid is assigned
an Access Policy that contains an ISA permission. From this list you can select
which ISA policy should be applied for your access to this new system once it
has been saved.
Alert! If you select Do not Assign an ISA Policy and do not
assign the System to a Collection that you have access to, you will
NOT have any access to the system after it is saved. (unless you are
a paradmin)
15.10.3 Adding a System When there is a Default Template
If the administrator has set a template as a “default” template, every time
you add a system it will automatically use this template.
15.10.4 Disassociating a System from a Template
To disassociate a system from a template click the button on the System Details tab. You will get the following pop up window. Click the button and then click the button.
15.11 Managing A System
Select Systems, Accounts, & Collections > Systems > Manage Systems from the menu. After selecting the system you want to modify using the Filter (see section 14.2) and Listing tabs (see section 14.3), make the necessary changes to the system information (see section 15.0 for a description of all fields), and click the button to accept.
15.12 Clearing a Stored System Host Entry
The button removes the host entry from TPAM's knownhosts file. An example of the necessity for this would be a situation in which the SSH package on a managed system has been reinstalled, or the OS itself has been reinstalled. In that case a test of the system would report that the stored host key entry does not match the key the system now presents, and TPAM will refuse password authentication because the mismatch looks like a "man in the middle" attack. Clear the entry only when you know why the host key changed, for example after one of the reinstalls described above.
15.13 Testing a System
To test connectivity to the system you have configured in TPAM, click the button.
15.14 Duplicating a System
To ease the burden of administration and help maintain consistency, systems can be
duplicated. This allows the administrator to create new systems that are very similar
to those that exist, while only having to modify a few details. To duplicate a system,
select Systems, Accounts, & Collections > Systems > Manage Systems from the menu. Select the system to duplicate from the Listing tab and click the button. A new system object will be created and the system settings page will be displayed. Make the necessary changes to the system settings, and click the button. The new system will inherit collection membership, permissions, affinity and ticket system settings from the existing system.
15.15 Deleting Systems
To delete a system select the system from the Systems Management Listing tab and click the button. The following pop up window will appear. Click the button.
When you delete a system it is “soft” deleted. This means that the system
information is retained in TPAM for “X” days depending on how your System
Administrator has set the Days in Trash Global Setting in the paradmin interface. To
view "soft" deleted systems go to Systems, Accounts, & Collections > Systems > Deleted Systems on the main menu.
Using the Filter tab select the deleted system you want to view from the Listing tab.
If you want to "undelete" a system click the button. Systems will only be available to "undelete" prior to the Days in Trash Global Setting taking effect. If you want to "hard" delete a system from TPAM click the button.
Note! You will only be able to hard delete systems if the Allow Manual
Hard Deletes global setting has been set to Yes by the System Administrator in the
paradmin interface.
The undo delete process can fail for multiple reasons, such as conflicting names or the non-existence of a functional account dependency.
15.16 List Systems
Certain data may be exported from TPAM to Microsoft® Excel® or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may
be imported into another TPAM – for example, to populate a lab appliance with data
for testing, without making the lower level changes that restoring a backup would
cause.
Systems are exported using the Systems, Accounts, & Collections > Systems > List Systems menu selection. Choose the criteria for the list of systems, which can
be filtered to produce a specific subset of data, or the full list of systems. System
Templates will not be included in the Listing.
With the introduction of Access Policies in v2.4 the PAR and EGP Permissions
tabs on the System Listing have been replaced with a single Permissions tab that
displays the Access Policy assigned to each user for the system.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want exported in your file. Click the Excel or CSV button to download your file.
15.17 Importing Systems
Systems may be bulk imported into TPAM. This is another way to ease administrative
burden and expedite migration to TPAM.
15.17.1 File Format
Note! The File Format rules apply to all Batch Import and Update
processes in TPAM. Individual exceptions will be noted in each section.
Files may be either CSV or Tab delimited. File names may have spaces.
Optionally, the first line of the file may contain column headers describing
each column. If you choose not to have column headers then the columns
must be in the specific order listed on the Import Systems page. If you
choose to include column headers these rules apply:
• Column headers must be the first line in the file.
• The columns may appear in any order in the file.
• Duplicate column headers will be ignored. The first appearance of the
column will be the data used.
• Columns with empty headers will be skipped.
• Columns marked “Req” must be present for the import file to be
processed.
• Columns marked “Opt” may be omitted from the file.
• Column Names in the file may be chosen from either the “Column” or
“Alternate Names” in the table on each page.
• Column Names are case and spacing insensitive, but punctuation is significant. For example, if an entry lists the column name as "Auto-Password Mgmt" and the alternate names as "Auto Mgmt", "Auto", "Auto-Password", and "Auto Password", then any of the following are acceptable: AutoMgmt, automgmt, autopassword, Auto, auto. However, "Auto-password-Mgmt" would not be recognized due to the second hyphen between "password" and "Mgmt".
Data will be truncated to fit in the target column. For instance, if the target
column is a description that allows 100 characters, the import will be
truncated at a length of 100.
To import systems select Systems, Accounts, & Collections > Systems > Import Systems from the menu.
15.17.2 Show Template
Click the button to create a comma or tab delimited template to use when importing systems.
Select the radio button for the type of file format you want to work with and
then copy/paste the template provided into your file.
Tip! The most common problems with import files are an incorrect
number of commas or a missing carriage return character at the end of the
last line.
15.17.3 Import History Tab
By going to Systems, Accounts, & Collections > Systems > Import Systems and then clicking the History tab the user can see the import
history. If a file fails to import it will still be listed in the log so the user will
know they need to try again.
Now that the batch import and update processes have been modified to allow the user to upload the file and review the results later, we have been able to remove the limit on the number of records that can be included in a batch file.
You can click the button to cancel a file from processing as long as the Start Date is still null.
15.17.4 Import System Detail Tab
Each file that a user has attempted to import will show in the History log. To
see the details of the import select a File Name from the History list and then
click the Details tab.
15.18 Batch Updates to Systems
In cases where a large number of systems require similar updates or deletion, batch updates can be performed using .csv or .txt files as input. To perform a batch system update, select Systems, Accounts, & Collections > Systems > Batch Update Systems from the menu (only TPAM administrators may perform this function).
You have the ability to clear out existing data for specific fields through Batch Update.
Columns with a † after their Max Size will accept an update value of !NULL
(exclamation point followed by the word NULL) to clear the data.
15.18.1 File Format
See section 15.17.1 for general rules on the file format.
On the update page there is an area to set a default value that can be
assigned to the Update Action column.
The radio buttons below the File Name can be used to flag all rows in the file
as being Add, Delete, or Update as appropriate to each task. The Specified in
File button should be selected if the Update Action column is specified in the
file. If either of the other buttons is chosen it will override all Update Actions
in the file, even if they differ from the default action. If any button except
Specified in File is chosen then the Update Action column may be omitted
from the file.
It is recommended that a small test of one or two systems be used to perfect
the file format.
Tip! The most common problems with update files are an incorrect
number of commas or a missing carriage return character at the end of the
last line.
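The file format rules of section 15.17.1 (header matching, duplicate and empty headers, Req/Opt columns, truncation) together with the !NULL and Update Action rules of section 15.18, applied by an added pre-check you could run on a file before uploading it. This is example code, not TPAM's own import logic; the COLUMNS table is a constructed stand-in for the column table shown on the real Import and Batch Update pages, and the single-letter action codes are assumed.

```python
import csv
import io
import re


def normalize_header(name: str) -> str:
    """Column names are case and spacing insensitive, but punctuation is
    significant: drop whitespace and lower-case, keep hyphens and the like."""
    return re.sub(r"\s+", "", name).lower()


# Hypothetical column specification, constructed for this example. The real
# Column / Alternate Names / Req / Max Size table is on each Import and Batch
# Update page. Tuple: (column, alternate names, required, max size, accepts !NULL).
COLUMNS = [
    ("System Name", ("Name",), True, 30, False),
    ("Network Address", ("Address", "IP"), True, 255, False),
    ("Description", ("Desc",), False, 100, True),  # a dagger column: !NULL clears it
    ("Auto-Password Mgmt", ("Auto Mgmt", "Auto", "Auto-Password", "Auto Password"),
     False, 1, False),
    ("Update Action", ("Action",), False, 1, False),
]

# Every accepted spelling, normalized, mapped back to its canonical column name.
HEADER_LOOKUP = {
    normalize_header(alias): column
    for column, alternates, *_ in COLUMNS
    for alias in (column, *alternates)
}


def resolve_headers(header_row):
    """Map canonical column names to their position in the file's header line.
    Empty headers are skipped, a duplicate header keeps its first appearance,
    and headers that match nothing are returned separately."""
    positions, unknown = {}, []
    for index, raw in enumerate(header_row):
        if not raw.strip():
            continue
        column = HEADER_LOOKUP.get(normalize_header(raw))
        if column is None:
            unknown.append(raw)
        elif column not in positions:
            positions[column] = index
    return positions, unknown


def parse_batch_file(text, default_action=None):
    """Parse a CSV or tab-delimited file whose first line holds column headers.
    default_action=None corresponds to the 'Specified in File' radio button;
    any other value overrides the Update Action of every row, as the page says.
    Returns (records, issues)."""
    lines = text.splitlines()
    dialect = "excel-tab" if lines and "\t" in lines[0] else "excel"
    rows = list(csv.reader(io.StringIO(text), dialect=dialect))
    if not rows:
        return [], ["file is empty"]
    positions, unknown = resolve_headers(rows[0])
    # The manual does not say how unrecognised headers are treated; report them.
    issues = [f"unrecognised column header {h!r} ignored" for h in unknown]
    missing = [c for c, _, required, *_ in COLUMNS if required and c not in positions]
    if missing:
        return [], issues + ["required columns missing: " + ", ".join(missing)]
    if default_action is None and "Update Action" not in positions:
        return [], issues + ["Update Action column required when action is 'Specified in File'"]
    records = []
    for lineno, row in enumerate(rows[1:], start=2):
        record = {}
        for column, _, _, max_size, clearable in COLUMNS:
            index = positions.get(column)
            if index is None or index >= len(row):
                continue  # optional column omitted, or short row
            value = row[index]
            if value == "!NULL":
                if clearable:
                    record[column] = None
                else:
                    issues.append(f"line {lineno}: {column} cannot be cleared with !NULL")
                continue
            record[column] = value[:max_size]  # data is truncated to fit the target column
        if default_action is not None:
            record["Update Action"] = default_action
        records.append(record)
    return records, issues


# Constructed sample input: mixed-case headers, a duplicate header, an
# over-long description and a !NULL that clears the description of db01.
SAMPLE = (
    "system name,IP,Desc,Auto Password,auto password,Action\r\n"
    "web01,10.0.0.5," + "x" * 120 + ",Y,N,U\r\n"
    "db01,10.0.0.9,!NULL,N,Y,U\r\n"
)

if __name__ == "__main__":
    for record in parse_batch_file(SAMPLE)[0]:
        print(record)
```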
15.18.2 Show Template
Click the button to create a comma or tab delimited template to use when batch updating systems.
15.18.3 Update Systems History Tab
The user has the ability to see a history of files that have been imported. By going to Systems, Accounts, & Collections > Systems > Batch Update Systems and then clicking the History tab the user can see the batch system update history. If a file fails to process it will still be listed in the log so the user will know they need to try again.
15.18.4 Update System Detail Tab
Each file that a user has attempted to import will show in the History log. To
see the details of the import select a File Name from the History list and then
click the Details tab.
15.19 Batch Update Permissions
You have the ability to update System, Account, File, Collection, User or Group Permissions through Batch Update. To perform a batch permission update, select Systems, Accounts, & Collections > Systems > Batch Update Permissions from the menu.
Batch Update Permissions for Systems has been redesigned to accommodate
Access Policies and Account and File level permissions in v2.4.
15.19.1 File Format
See section 15.17.1 for general rules on the file format.
• Instead of separate columns for PAR Permissions and EGP Permissions in the file, now there is a single column for the Access Policy you want to assign.
• To remove any existing policy assignment use an Update Action of "A", with a Policy of "NA".
• When specifying permissions for an Account or File you must also include the System name in the upload file.
Note! You cannot specify both a File and Account on the same import line.
On the update page there is an area to set a default value that can be
assigned to the Update Action column.
15.19.2 Show Template
Click the button to create a comma or tab delimited template to use when batch updating permissions.
15.19.3 Update Permissions History Tab
The user has the ability to see a history of files that have been imported. By going to Systems, Accounts, & Collections > Systems > Batch Update Permissions and then clicking the History tab the user can see the batch permission update history. If a file fails to process it will still be listed in the log so the user will know they need to try again.
15.19.4 Update Permissions Detail Tab
Each file that a user has attempted to import will show in the History log. To
see the details of the import select a File Name from the History list and then
click the Details tab.
16.0 Managing Accounts
Accounts on remote systems can be managed manually from TPAM. Selecting Systems, Accounts, & Collections > Accounts > Add Account or Systems, Accounts, & Collections > Accounts > Manage Accounts will lead to the configuration pages for accounts. If modifying an existing account, first select the desired account by entering criteria on the Filter tab, clicking on the Listing tab, clicking on the Account Name you are looking for and then clicking on any of the additional tabs to edit the account. Below is a description of all the fields on the various tabs.
Using the Filter and Listing tabs, select the account to manage.
16.1 Account Details Tab
In V2.4 we have rearranged the tabs for Accounts.
16.1.1 Account Name
This is the descriptive name of the account. Within TPAM, all the account
names on one system must be unique. The name can be 2-30 characters
long, but cannot include empty spaces.
16.1.2 Account is Locked
This checkbox gives Administrators and ISAs the ability to "lock" and "unlock" an account. When an account is locked, passwords for that account cannot be retrieved, released or changed. Password requests or session requests can be submitted, but the password or session will not be available until the account is unlocked.
16.1.3 Password
Enter the active current password for the account. If no password is specified
(left blank), PPM will store the value “default initial password” as the
password for the account.
16.1.4 Password Rule
Select the desired password rule to serve as the default for the account. If the
selection is not changed (or if no other rules have been defined in TPAM) the
Default Password Rule will be selected. The password rule will govern the
construction requirements for new passwords generated by PPM.
If the account resides on a Windows system, two additional options
are provided:
16.1.5 Change password for Windows Services started by this account?
If this is the Administrator account, or another functional account that runs
system services, this option will ensure that the password change is also
applied to each service the account runs.
16.1.6 Use this account’s current password to change the password?
This may be necessary on Windows XP and Windows Server 2003 where
Encrypting File System or other third-party security products are used, and
rely on authentication certificates stored in that account’s personal store. If
the system is configured with a “non-privileged functional account” then this
setting will default for all accounts added to this system.
16.1.7 Description
This is a free text field where additional descriptive information may be
entered.
Alert! For accounts on LDAP/LDAPS and Novell managed
systems you must enter the actual account name in this field.
16.1.8 Password Management
By default, the property of the parent system is inherited at the account level as either None or Automatic. If Manual is selected then the primary contact e-mail at the system and account level will receive an email when it is time to manually reset the password. The contact will keep receiving this email at regular intervals, based on how this is configured by the Sys-Admin in the Auto Management Agent settings, until the password has been confirmed to be reset in PPM. If Automatic or Manual, the change frequency and post-release reset details should be specifically configured for the account on the Management Details tab.
Alert! The Reset Password option relies on the PPM change agent. If the change agent is not running, the password will not be reset. The Manual Password e-mail notification relies on the Man Pwd Change Agent; if it is not running, no email notifications will go out to reset the password.
16.1.9 Ignore System Access Policies?
If this box is checked and saved any Access Policies assigned to the System
will not apply to this account. For users of TPAM prior to v2.4 this takes the
place of the Alias Access Only setting.
Alert! If this box is checked the account will not be able to be
requested unless it is in a collection (with appropriate access assigned) or
user/group permissions are assigned directly to the account.
16.1.10 Approvals Required
The default value is 1, indicating that one single approval will allow the
password release to the requestor (dual control release). This value can be
changed to force multiple approvers to approve each release request. Setting a value of zero will disable dual control for the account and PPM will auto-approve any request for release and make the appropriate log entry.
16.1.11 Maximum Duration
This is the maximum duration for a password release on the account. If this is
overridden by an Access Policy assignment, the lower of the two durations will
be used. The default duration that the requestor will see for any new
password request is 2 hours, or the maximum duration, whichever is less.
16.1.12 Notification E-mail
The e-mail address specified in this field will receive notification of certain
password releases. This would apply to releases by ISA users and CLI/API
users under all circumstances, and authorized requestors when dual control is
not required (number of approvals set to zero). This e-mail address also
receives notification if a manually managed password needs to be changed.
Multiple email addresses can be specified by entering each email address
separated by a comma, up to a maximum of 255 characters.
Any time there is a change made to the notification email address field, an
email will automatically be sent to the old email address with a notification
that this change has occurred.
16.1.13 Simultaneous Privileged Release
This field allows an Admin or a PPM ISA to grant more than one Privileged
Access User (PAC) to request and retrieve a password/session during the
same or overlapping time period.
Note! If another Requestor already has the password checked out the
PAC users will have to wait for that release window to expire before they can
gain access.
16.1.14 Override Individual Accountability
The System Administrator must have this global setting turned on in order for
the TPAM Administrator to check this flag on an account. When the Override
Individual Accountability box is checked more than one requestor will be able
to request this password at the same time or during an overlapping duration.
Any changes made to the Override Individual Accountability checkbox at
the account level will be logged in the Activity Log.
On the Account Management tab, if the account has the Change Password after any Release box checked, and the password is retrieved, then the password will be changed at the end of each requestor's request duration. If the Do not automatically change the password while a release is active box is checked, the password will not be changed until the last requestor's release duration has expired.
If the System Administrator decides to change the Global Setting from
allowing account override to no longer allowing it, any Accounts that had been
checked to override individual accountability will have their checkboxes
cleared.
16.2 Account Reviews Tab
The account review settings that were on the Account Details tab in prior releases
are now located on a sub-tab titled Reviews.
16.2.1 Post Release Review Requirements
These settings give you the ability to set review requirements for password
releases. Enter the number of reviews required. Select the radio button to
choose eligible reviewers. If you select Any Authorized Reviewer
(excluding Requestor) any user assigned to an Access Policy with Review
Password permissions or is a member of a Group with a Review Password
permission is eligible to complete the review as well as all Auditors. If you
want someone to receive an e-mail notification if the review is not completed
within X hours, fill out the hour threshold and e-mail address. The password
release is not eligible for review until the release duration has expired. Once
the password release has expired all eligible reviewers will receive an e-mail
notification that there is a password release to review.
16.3 Account Custom Information Tab
There are six customizable fields that you can use to track information about each
account. These custom fields are enabled and configured by the System Administrator
in the paradmin interface. If these fields have not been enabled then this sub-tab will
not be visible.
16.4 Account Management Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Details tab.
16.4.1 Check Password
If the Check Password box is selected the password for this account will be
checked by PPM. The check schedule is configured through the paradmin
interface and it can be run as often as daily.
16.4.2 Reset Password on Mismatch
This option is only available if the Check Password box is checked. If this
option is checked the password will be changed when a mismatch condition is
found.
16.4.3 Don’t Check Password
If the Don’t Check Password box is selected the password for this account
will not be checked daily by PPM. Care should be used selecting this option
because a mismatch between the stored password and the actual password
will go undetected.
16.4.4 Change Password after any release
This option indicates whether the password for the account should be
automatically reset by PPM following a release to any user (including ISA
users). The option is enabled by default. If disabled, the password will not be
changed after releases, but will still be changed based upon the Change
Frequency settings.
16.4.5 Do Not Automatically Change the Password while a Release is Active
This is a flag that the admin or PPM ISA can check so that a password will not
be automatically changed by PPM while it still has an active release request
open. For example, if a release request for a session or password is open (has
not been canceled, expired or closed) and the password has already been
accessed by the requestor, then any scheduled changes will be skipped. The
exception to this rule is an ISA pull: if an ISA retrieves the password and the
Change Password After Any Release box is checked, the password will still be
changed at the end of the ISA release duration.
16.4.6 Change Frequency
This option instructs PPM to generate a new password and change it on the
managed system for this account only based on the time criteria selected.
16.4.7 Change Time
This option specifies the time of day that the automated password changes
should occur for this account.
16.4.8 Next Change Date
This option indicates the date that the next scheduled password change is to
occur. This date may be changed to alter the current change schedule.
16.4.9 Default duration for ISA releases of password
This option specifies the amount of time after an ISA user has released the
password before it will be changed. This option will be disabled if the Change
password after any release option is disabled. Maximum value is 7 days.
Minimum value is 15 minutes. Configurable in 15 minute increments.
16.4.10 Allow ISA to enter Duration on Release
If this checkbox is checked, an ISA may enter a release duration other than
the default when retrieving a password. The duration must be >0 and <= the
max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details
tab). This column was added to the System and Account Imports and Batch
Updates.
16.4.11 Pull Defaults From System
When checked, the default values for password change frequency, change
time, ISA release change parameters, and whether or not the password will
be checked will be pulled from those settings at the system level and
populated at the account level. This is a one-time action and does not prevent
any of these settings from being modified again. This is a good way to ‘reset’
an account’s parameters at any time. This action can be performed as many
times as desired.
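The flags in 16.4.4, 16.4.5, 16.4.9 and 16.4.10, together with the Override Individual Accountability flag from 16.1, interact in ways that are easier to check in code than in prose. The following Python model is an added illustrative example written for this page; it is not TPAM code and does not talk to the appliance. The class and field names, the sample release times and the names of the two limits used for ISA-entered durations (the ISA Duration limit and the Max Release Duration) are assumptions chosen to mirror the settings described above.

```python
"""Illustrative model of TPAM account change-policy flags (not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

STEP = timedelta(minutes=15)            # granularity of the default ISA duration (16.4.9)
MIN_ISA_DEFAULT = timedelta(minutes=15)
MAX_ISA_DEFAULT = timedelta(days=7)


@dataclass
class Account:
    change_after_any_release: bool = True         # 16.4.4
    hold_while_release_active: bool = False       # 16.4.5
    override_individual_accountability: bool = False  # 16.1
    default_isa_duration: timedelta = timedelta(hours=1)   # 16.4.9
    allow_isa_to_enter_duration: bool = False              # 16.4.10
    isa_duration_limit: timedelta = timedelta(hours=4)     # assumed "ISA Duration" value
    max_release_duration: timedelta = timedelta(hours=8)   # assumed "Max Release Duration" value


@dataclass
class Release:
    requestor: str
    start: datetime
    duration: timedelta
    accessed: bool = False   # True once the requestor actually retrieved the password
    is_isa: bool = False

    @property
    def end(self) -> datetime:
        return self.start + self.duration

    def is_open(self, now: datetime) -> bool:
        return self.start <= now < self.end


def validate_default_isa_duration(d: timedelta) -> timedelta:
    """16.4.9: 15 minutes to 7 days, in 15-minute increments."""
    if not MIN_ISA_DEFAULT <= d <= MAX_ISA_DEFAULT or d % STEP != timedelta(0):
        raise ValueError(f"invalid default ISA duration: {d}")
    return d


def isa_release_duration(acct: Account, requested: Optional[timedelta]) -> timedelta:
    """16.4.10: an ISA may override the default only when allowed, and only if
    0 < duration <= max(ISA Duration, Max Release Duration)."""
    if requested is None or not acct.allow_isa_to_enter_duration:
        return acct.default_isa_duration
    limit = max(acct.isa_duration_limit, acct.max_release_duration)
    if not timedelta(0) < requested <= limit:
        raise ValueError(f"ISA duration {requested} outside (0, {limit}]")
    return requested


def can_grant(acct: Account, existing: List[Release], new: Release) -> bool:
    """16.1: without the override flag, a second requestor cannot hold the
    password while another requestor's release overlaps in time."""
    if acct.override_individual_accountability:
        return True
    return not any(r.requestor != new.requestor and r.start < new.end and new.start < r.end
                   for r in existing)


def scheduled_change_allowed(acct: Account, releases: List[Release], now: datetime) -> bool:
    """16.4.5: with the hold flag set, a scheduled change is skipped while any
    open release has already had its password accessed."""
    if not acct.hold_while_release_active:
        return True
    return not any(r.accessed and r.is_open(now) for r in releases)


def post_release_change_times(acct: Account, releases: List[Release]) -> List[datetime]:
    """16.4.4 / 16.1: reset at the end of each requestor's duration; with the hold
    flag, requestor releases collapse into one reset after the last one expires.
    ISA pulls always reset at the end of their own duration (16.4.5 exception)."""
    if not acct.change_after_any_release:
        return []
    accessed = [r for r in releases if r.accessed]
    times = {r.end for r in accessed if r.is_isa}
    requestor_ends = [r.end for r in accessed if not r.is_isa]
    if requestor_ends:
        times.add(max(requestor_ends)) if acct.hold_while_release_active else times.update(requestor_ends)
    return sorted(times)


def demo() -> dict:
    """Worked example on constructed releases (sample data, not a real TPAM log)."""
    t0 = datetime(2011, 6, 1, 9, 0)
    alice = Release("alice", t0, timedelta(hours=2), accessed=True)                      # 09:00-11:00
    bob = Release("bob", t0 + timedelta(hours=1), timedelta(hours=2), accessed=True)     # 10:00-12:00
    carol = Release("carol", t0 + timedelta(minutes=30), timedelta(hours=1), accessed=True, is_isa=True)
    rels = [alice, bob, carol]
    plain = Account()
    held = Account(hold_while_release_active=True, override_individual_accountability=True)
    fmt = lambda ts: [t.strftime("%H:%M") for t in ts]
    try:
        isa_release_duration(Account(allow_isa_to_enter_duration=True), timedelta(hours=9))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "grant_bob_plain": can_grant(plain, [alice], bob),        # overlaps alice, no override
        "grant_bob_override": can_grant(held, [alice], bob),
        "changes_plain": fmt(post_release_change_times(plain, rels)),
        "changes_held": fmt(post_release_change_times(held, rels)),
        "changes_off": fmt(post_release_change_times(Account(change_after_any_release=False), rels)),
        "sched_10h_held": scheduled_change_allowed(held, rels, t0 + timedelta(hours=1)),
        "sched_12h_held": scheduled_change_allowed(held, rels, t0 + timedelta(hours=3)),
        "sched_10h_plain": scheduled_change_allowed(plain, rels, t0 + timedelta(hours=1)),
        "isa_default_minutes": int(isa_release_duration(plain, timedelta(hours=2)).total_seconds() // 60),
        "isa_entered_minutes": int(isa_release_duration(
            Account(allow_isa_to_enter_duration=True), timedelta(hours=6)).total_seconds() // 60),
        "isa_entered_rejected": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the sample, the hold flag plus overlapping releases (which the override flag must permit) defers the post-release reset to 12:00, when bob's release expires, while the ISA pull by carol still forces a reset at 10:30. A scheduled change at 10:00 is skipped because alice has already retrieved the password and her release is still open.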
16.5 Account Ticket System Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Details tab. The options available on this tab will be predetermined by how Ticket
Systems were configured in the paradmin interface and at the System level. If no
Ticket Systems have been configured and enabled in the paradmin interface the
Ticket System tab will be inaccessible.
16.5.1 Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
password request is submitted for this account. If multiple Ticket Systems are
enabled they will be listed for selection. You can specify the ticket
system or allow entry of a ticket number from any system that is enabled. If
this box is not checked users will still be able to enter a Ticket Number on a
request.
16.5.2 Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a
ticket number. You also have the option to require ISAs to supply a ticket
number prior to retrieving a password, as well as requests made through the
CLI or API.
16.5.3 Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a password or file without supplying a ticket.
16.5.4 Propagation
You have the option of pulling the Ticket System settings for the Account from
the System defaults. To set the account at the System defaults, check this box
and click the button. To override the system settings, uncheck
this box, edit the settings and click the button.
Note! If someone goes in at the System level and decides to push the
system settings out to all the accounts, the settings saved here will be
overridden with whatever is set at the system level at that time.
16.6 Accounts Management Logs Tab
By clicking on the Logs tab you can view detailed history on the password for
the account. There is a Filter tab that allows you to specify the date range or exact
date of the activity you are looking for.
16.6.1 Change Log
This allows you to view the password change history.
16.6.2 Test Log
This allows you to view the log of password test activity.
16.6.3 Release Log
This allows you to view the log of password release activity.
16.6.4 Dependent Change Log
If the account exists on a Windows Domain Controller and could have other
system dependencies, there will be a DA (domain account) Change Log tab that
shows the change activity for the account on the dependent systems. This
tab becomes enabled when a change log record is selected that has
associated dependent changes.
16.6.5 Change Agent Log
This tab will show associated change agent log records for the selected entity
but only for changes that occur after a v2.3+ upgrade.
16.7 Account Management Past Password Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Passwords tab.
To view past passwords for an account click the Past Passwords tab. Use the Filter
tab to narrow the date range of the passwords you are looking for and then click the
Past Passwords tab next to the Filter tab. This allows you to select a password that
was valid for a specific period of time. This is especially important if the managed
system has been restored from a backup and the password that was effective at the
time of the backup is required.
To view the password for each logged activity, click a row in the results and then click
the Password tab.
16.8 Account Management Current Password Tab
The location of this tab has changed in v2.4. This is now a sub-tab of the
Passwords tab.
This tab is only active for users with ISA password permissions on the system.
The Current Password tab retrieves the password for the account. Enter the
Release Reason in the text box provided. If required enter the Ticket System and
Ticket Number. Click the Password tab to see the current password.
If your System Administrator has decided to configure Reason Codes for your
environment, you will see them available in the list here. Reason codes give you a
quick way to submit a request without having to type in a detailed reason. You may
be required to enter a reason code, they may be optional or they may be disabled.
If the ISA needs to access the current password on behalf of another person they
should enter the original requestor's name in the Proxy Release For field. Proxy
releases can be reported on in the Password Release Activity Report. The ISA will be able
to enter a longer or shorter duration for the release if the Allow ISA to enter
Duration on Release flag is checked on the Account Management tab.
The password will be displayed for a maximum of 20 seconds. For convenience, the
password may also be copied into the user’s clipboard. This can be done using the
mouse and dragging the password, then right-clicking and selecting “Copy”.
Tip! An easy and quick way to copy the password into the clipboard is to click in
the displayed password text box then use Ctrl+A followed by Ctrl+C.
16.9 Account Collections Tab
With the addition of account level permissions in v2.4, accounts can now be members
of a collection. See section 15.7 for details on assigning Collection membership.
Note! An account cannot belong to the same collection as its parent system, or
vice versa.
16.10 Setting Permissions for PSM and PPM Functionality for Accounts
In v2.4 you can now assign permissions at the Account level. Select Systems,
Accounts, & Collections  Accounts  Manage Accounts from the menu. Once
you select the account you want to modify, click the Permissions tab.
Refer to section 15.8 for details on how the Permissions tab works.
16.11 PSM Details General Tab (PSM Customers Only)
The options for configuring sessions are as follows:
16.11.1 Enable PSM Sessions?
Turn on/off the ability of users to access this account as a recorded session
through PSM. All subsequent options are contingent upon this being checked.
16.11.2 Proxy Connection Type (platform dependent)
Select the type of remote connection compatible with the configuration of the
remote system.
Note! When choosing any of the proxy methods listed below that use
Automatic Login, the password is not automatically reset after the session is
completed because the password is never displayed to the user.
• RDP-Automatic Login Using Password – Connect to the system using an RDP (Terminal Services protocol) client and automatically log in using the password retrieved from the local or remote TPAM. This ensures that the password is never displayed or known to the user.
• RDP-Interactive Login – Connect to the system using an RDP client to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC-Interactive Login – Establish a connection to the remote system using the VNC client. The user must know the VNC password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC Enterprise-Interactive Login – Establish a connection to the remote system using the VNC Enterprise client. The user must know the VNC password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet-Interactive Login – Connect to the system using the Telnet protocol, to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet-Automatic Login Using Password – Connect to the system using the Telnet protocol and automatically log in using the password retrieved from the local or a remote TPAM. This ensures that the password is never displayed or known to the user.
• SSH-Automatic Login Using DSS Key – Connect to the system using SSH and authenticate via DSS private key. The private key must be previously uploaded to TPAM for this purpose.
• SSH-Interactive Login – Establish an SSH session to the remote system and allow the user to manually enter the password. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
• SSH-Automatic Login Using Password (for UNIX systems only) – Connect to the system using SSH and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH-Automatic Login Using Password (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH-Interactive Login (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and allow the user to manually enter the password. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
• SQLPlus-Automatic Login Using Password – Connect to the system using the SQLPlus client and automatically log in using the password retrieved from the local or remote TPAM.
• SQLPlus-Interactive Login – Establish a connection to the remote system using the SQLPlus client. The user must know the SQLPlus password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• SQL Window-Automatic Login Using Password – Connect to the system using the SQL Window client and automatically log in using the password retrieved from the local or remote TPAM.
• SQL Window-Interactive Login – Establish a connection to the remote system using the SQL Window client. The user must know the SQL Window password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
16.11.3 Custom Connection Profile
You have the ability to create and assign Custom Connection Profiles to an
account. The connection profile can be used to override the default connection
parameters. For more details on Custom Connection Profiles see section 27.0.
16.11.4 Post Session Profile
You have the ability to create and assign Post Session Profiles to an account.
The post session file is used to add additional steps at the end of a session
request. For more details on Post Session Profiles see section 28.0.
16.11.5 Color Depth (proxy type dependent)
This is a setting for the number of possible colors displayed in the sessions
you record. You can select a color depth setting of 8 (256 colors) or 16
(65,000 colors) for recording your sessions. For a VNC connection there are
color options of 0 (Very Low) through 3 (Auto Select/Full Color).
16.11.6 Required # of Approvals
This indicates the number of approvers required for each session request. If
the system/account is managed by PPM it is possible to have a different value
configured in PSM for this system/account. In the event of such a conflict, the
value set on PPM for dual control requirement may override the value set
here. This will occur only for connection types that use interactive login
(where the password will be displayed).
16.11.7 Maximum Simultaneous Sessions (proxy type dependent)
Specifies the maximum number of simultaneous sessions that may be
established for the system/account. This option only exists for accounts
configured to auto-authenticate the user. If the password is provided by TPAM
for interactive logon then only one concurrent session will be allowed to
preserve individual accountability.
16.11.8 Default Session Duration
This is the Session Duration that is displayed by default when requesting a
session. It can be changed within the limits set by the Max Password Duration
and the Access Policy session duration. TPAM will not automatically disconnect
the session unless indicated by the global setting.
16.11.9 Session Exceeding Duration Notification
Allows email notifications to be sent to the primary contact specified for the
system if a session exceeds the maximum session time for the request.
Configurable parameters are: frequency (in minutes) of notifications; and
threshold time (in minutes) before initial notification is sent for a session.
Both values must be non-zero for notifications to be sent.
16.11.10 Session Start Notification
When the user starts the session this contact will receive an e-mail
notification.
16.11.11 Enable Clipboard?
If this box is checked the user will be able to use the clipboard function for
copy/paste of text during a session.
16.11.12 Enable Console Connection?
If this box is checked the user will be able to connect to the console of the
system they are connecting to. This is an RDP-only feature.
16.11.13 Record All Sessions
This box will be checked by default. If you do NOT want any sessions
recorded for this account, UNCHECK the box. Unchecking the box will also
mean that this will be an option at the account alias level.
16.11.14 Enable File Uploads?
If this flag is checked file uploads will be allowed during sessions through this
account. This box will be checked by default.
16.11.15 Enable File Downloads?
You have the ability to download a file from a managed system to the local
pc/network drive during a session. Check the box to enable this option.
16.12 PSM Session Authentication Tab (PSM Customers Only)
16.12.1 Authentication Credential Storage Method
• Password Managed by Local TPAM – select this option if the local TPAM appliance is managing this account.
• Use Remote TPAM CLI – select this option if the account is managed by another TPAM appliance, and specify the CLI UserID to be used to retrieve the password. The remote TPAM CLI ID now has the capability of using domain accounts for authentication during a session. Access to the public key for the CLI ID will be required, and must be supplied to TPAM. When this method of password retrieval is used, the number of approvals specified on the remote TPAM is ignored and access to the password is not limited to a single release.
• Use DSS Key – select this option if an authentication key is used for the account instead of a password. You have the additional options of using a system standard DSS Key (TPAM 2.1 allows you to configure up to 3 active keys) or having TPAM generate a pair of keys for you.
• Not Stored-Specify password during session – select this option if the account’s password is not stored or managed by any TPAM. When this option is used the password must be specified when the session is initiated.
• Use Windows Domain Account – select this option if the account’s password is not stored or managed by any TPAM. The named account is a placeholder for the domain account TPAM will be using to authenticate to the system. Through this method you can connect to a system using a domain account instead of a local account. On the Session Authentication tab the user name used to log in to the remote session must be added as an account associated with a Windows Active Directory System.
16.13 PSM File Transfer Tab (PSM Customers Only)
You have the ability to transfer files during a session from the client to the host. The
File Transfer tab is where you can configure this.
16.13.1 File Transfer Method (platform dependent)
Based on the system platform select Windows File Copy, Secure Copy (SCP)
or SCP using the TPAM Functional Account.
16.13.2 File Transfer Share
Enter the share where the files will be located.
If you select Same as Session Authentication then it will use the same
credentials as the session (account name and password or key). If you select
Specify at file transfer time you will be prompted to provide the account
name and password at the time of file transfer.
To test the file transfer, click the button. The test Account
Name is required when the Specify at file transfer time radio button is
selected. The test Password is required when either the Specify at file
transfer time radio button is selected or the authentication method indicates
the password is not stored.
Alert! There is a 100 MB size limit on any file that you transfer.
16.14 PSM Review Requirements Tab (PSM Customers Only)
You have the ability to configure review requirements for recorded sessions. This is to
facilitate the need to make sure all recorded sessions are audited by someone within
your company. See descriptions of the fields below to configure the reviews.
16.14.1 Reviews Required
This number indicates the number of reviewers required to review the
recorded session. The default is set to 0. Until the specified number of reviews are
attached to a session, the review requirements have not been met.
16.14.2 Selecting the Reviewer
Select whether you want a specific Group, User, Auditor or Any
Authorized Reviewer to be eligible to review the session. Any Authorized
Reviewer is any user that is assigned an access policy which contains a
Review Session permission or is a member of a Group with Review Session
permission and all Auditors.
16.14.3 Review Escalation
The e-mail will be sent if the required review/reviews have not been
completed within the specified time after the requested session duration. You
can enter multiple e-mail addresses by separating them with a comma. If the
review requirements are met prior to the expiration of the escalation time
after the session then the escalation notification will not be sent.
16.15 Adding an Account
Select Systems, Accounts, & Collections  Accounts  Add Account from the
menu. Enter your filter criteria to select the system you want to add the account on
and click the System tab. Select the system or system template and click the Detail
tab. After completing all required fields for the new account (see 11.1 for a
description of all fields), click the button to accept.
Note! A paradmin user may add accounts to a Template System up to a total of
10 accounts (including the functional account). Any accounts added in this way will
be added to new systems created from the template. Existing systems based on the
template will not have any new accounts added or existing accounts removed. ISA
users cannot add, view, or edit accounts on template systems.
16.16 Managing an Account
Select Systems, Accounts, & Collections  Accounts  Manage Accounts from
the menu. After modifying the fields you want to change on the account (see 11.1 for a
description of all fields), click the button to accept.
The button allows you to quickly navigate to the System on which a
specific account resides.
16.17 Deleting Accounts
To delete an account, select the account from the Account Management Listing tab
and click the button. The following pop-up window will appear. Click the
button to confirm.
When you delete an account it is “soft” deleted. This means that the account
information is retained in TPAM for “X” days depending on how your System
Administrator has set the Days in Trash Global Setting in the paradmin interface. To
view “soft” deleted accounts go to Systems, Accounts, & Collections  Systems
 Deleted Accounts on the main menu.
Using the Filter tab select the deleted account you want to view from the Listing
tab.
If you want to “undelete” an account click the button. Accounts will
only be available to “undelete” until the Days in Trash Global Setting takes effect.
If you want to “hard” delete an account from TPAM click the button.
Note! You will only be able to hard delete accounts if the Allow Manual
Hard Deletes global setting has been set to Yes by the System Administrator in the
paradmin interface.
Alert! The only way to delete a functional account is to delete the system.
16.18 Account Current Status
The button on the bottom of the Account Management and the
Retrieve Password pages gives Administrators and ISAs the most up to date
information on an account in a central location. After clicking the
button you will see the following page.
Here you see information on the account such as open password requests, open
session requests, scheduled password resets and past reset results. You'll also see if
the current password has been released by the system or if it was manually entered
by a user. Passwords manually entered prior to TPAM 2.1.711 are not reported but
any password set after TPAM 2.1.711 should be reported properly as to whether that
password is known by any user.
16.19 Manual Password Management
Accounts that are not auto-managed by PPM may still take advantage of the secure
storage and release mechanisms, as well as the logging and reporting functions of
TPAM. Password changes for such system accounts can be accomplished in two ways
– PPM generated passwords and User generated passwords.
If the system is auto-managed then PPM will generate the password and attempt to
set it on the managed system. If the system is not managed then PPM will generate
the password and display it for the user to set on the target system and then require
the user to indicate whether or not the password was set successfully on the target
system.
Also, for a non-managed account, if the correct password is known and the password
stored in TPAM is known to be wrong, the correct password can be keyed into the New Password
field of the account details.
PPM Generated Passwords – To take advantage of the password generating ability
of PPM, passwords can be generated for non auto-managed systems. From the
Account Listing tab select an account and click the button.
Because the system is not managed by PPM, it is not possible for TPAM to reset the
password on the system itself. A new password will be generated. The results of the
password reset will automatically appear on the screen. See below.
Change the password for the account on the remote system manually to the new
password assigned by PPM. When the password has been reset, click the
button. If problems are encountered changing the password,
click the button – PPM will discard the new password and perform
a rollback to the previously stored password.
User Generated Passwords – If the password for the non-managed account is
maintained independently of PPM and you want to keep the password stored in
TPAM synchronized manually, from the Listing tab select the account and click the
Details tab. Enter the new password in the Current Password field and save the
changes. This method is useful if the system belongs to another party, is not
accessible to TPAM, or is otherwise not eligible for auto-management.
Password Release Notification – When a non-managed account’s password has
been released to a user, the defined system contact email address for the system will
receive a notice when the release duration has expired. This provides the opportunity
to have the password manually reset if desired. Early expiration of the release
duration will not change the time of notification.
16.20 Password Management
Password Management allows TPAM Administrators and PPM ISAs to do a “mass”
forced reset of account passwords that are auto-managed and are not collection
accounts. This screen also gives you a central location in which to view the current
password status for all passwords. Select Systems, Accounts, & Collections 
Passwords  Manage Passwords on the main menu.
Use the Filter tab to enter your search criteria and then click the Listing tab.
In v2.4 we added a Change Schedule Filter on the Password Management
page that allows you to filter based on the reason for a scheduled password change.
Managed Password Reset
To force a reset of all passwords managed by PPM that are not a synchronized
password, click the All checkbox at the top of the page and then click the
button.
To individually select which PPM managed account passwords you want reset, check
the checkbox on each individual account and click the button for more than
one account, or the button to reset just one account password. This
will schedule the password reset in the Change queue. To view the change history
select the individual account and click the Logs tab.
Non Managed Password Reset
To reset a password for a system/account not managed by PPM (manual or not
managed) select the individual row and click the button. A new
password will be generated and presented to you on the screen. Indicate whether the
password update on the non managed system was successful or if it failed by clicking
the appropriate button.
16.21 Managing Services in a Windows Domain Environment
If the account managed by PPM is a Windows domain account (the system is defined
as Active Directory or Windows NT Domain), services running on domain member
systems using this account can also be managed in terms of password changes.
The prerequisite for domain member systems to have these service account
passwords changed is that each system must be configured in TPAM and the domain
functional account must be properly privileged on that system (i.e. a member of the local
Administrators group).
To specify these systems for automatic password changes at the services level, select
the Dependents tab. Enter your Filter criteria and click the Results tab.
The Results page will display all available Windows systems. Select those with
dependencies on the domain level account by clicking the Dependent radio button
next to each System Name.
When the password for the managed domain account (i.e. Administrator) is changed,
PPM will also enumerate the services on each selected dependent system and change
the password for all services being run by the domain account.
In the example used in the figures above, ‘Administrator’ is a domain account,
specified on a domain controller called Saturn. The system Jupiter is defined as a
dependent system to this account, indicating that there are services running on
Jupiter using the domain Administrator account. When the password for
‘Administrator’ is changed by PPM, each system defined as dependent, such as
Jupiter, will have the password changed for any service using the domain
Administrator password.
16.22 List Accounts
Accounts are exported using the Systems, Accounts, & Collections  Accounts 
List Accounts menu selection. Choose the criteria for the list of accounts, which can
be filtered to produce a specific subset of data, or the full list of accounts.
In v2.4 we added password review requirement information to the listing.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data
set you want to view.
16.23 List PSM Accounts (PSM Customers Only)
PSM accounts can be listed and exported using the Systems, Accounts, &
Collections  Accounts  List PSM Accounts menu selection. Choose the criteria
for the list of accounts, which can be filtered to produce a specific subset of data, or
the full list of accounts.
Use the Filter tab to enter your listing criteria and the Layout tab to select the data
set you want to view.
16.24 Importing System Accounts
To further assist in the configuration of systems, the accounts can be imported.
To import system accounts from a pre-configured file, select Systems, Accounts, &
Collections → Accounts → Import Accounts from the menu.
The file format requirements for account imports will be displayed, along with the
filename field. A button is also available to allow the file to be selected.
Enter or select the import file and click the button. When the import is
complete, the results will be displayed.
Note! To import PSM enabled accounts they must first be imported through
Import Accounts, and then the PSM Details can be loaded through the Batch
Update PSM Accounts from the menu. See Section 16.26 for details.
In order for the import of accounts to be successful, the system must be pre-defined
in the TPAM database, and the format of the import file must be correct.
16.24.1 File Format
See section 15.17.1 for general rules on the file format.
16.24.2 Show Template
See section 15.17.2 for details on Show Template.
16.24.3 Import History
See section 15.17.3 for details on the Import History tab.
16.24.4 Import Detail Tab
See section 15.17.4 for information on the Import Detail tab.
16.25 Batch Update Accounts
Batch updates to system accounts are done by selecting Systems, Accounts, &
Collections → Accounts → Batch Update Accounts. The process for updates is
very similar to that for imports with the exception that it is presumed that the
accounts exist and certain fields are being modified or the account is being deleted.
You have the ability to clear out existing data for specific fields through Batch Update.
Columns with a † after their Max Size will accept an update value of !NULL
(exclamation point followed by the word NULL) to clear the data.
On the update page there is an area to set a default value that can be assigned to the
Update Action column.
The radio buttons below the File Name can be used to flag all rows in the file as being
Add, Delete, or Update as appropriate to each task. The Specified in File button
should be selected if the Update Action column is specified in the file. If either of the
other buttons is chosen it will override all Update Actions in the file, even if they differ
from the default action. If any button except Specified in File is chosen then the
Update Action column may be omitted from the file.
16.25.1 Show Template
Click the button to create a comma or tab delimited template to use when batch
updating accounts.
Note! The most common problems with import files are an incorrect
number of commas or a missing carriage return character at the end of the
last line.
16.26 Batch Update PSM Accounts (PSM Customers Only)
You have the ability to update the PSM details for an account through the Systems,
Accounts, & Collections → Accounts → Batch Update PSM Accounts menu
option. The process is the same as described in the prior section on Batch Update
Accounts.
You have the ability to clear out existing data for specific fields through Batch Update.
Columns with a † after their Max Size will accept an update value of !NULL
(exclamation point followed by the word NULL) to clear the data.
17.0 Configuring Collections
Collections are groups of systems, accounts and/or files. Collections can be
used to simplify the process of assigning permissions.
17.1 Who Can Manage Collections
Because collections offer a powerful method of TPAM management, only a TPAM
Administrator has the capability to perform the functions described in this section. To
add or remove members from a collection, a user must hold ISA Password privilege
over both the collection and the member. Administrators may manage any collection.
Selecting Systems, Accounts, & Collections → Collections → Add Collection or
Systems, Accounts, & Collections → Collections → Manage Collections will
lead to the configuration pages for Collections. If modifying an existing collection, first
select the desired collection by entering criteria on the Collections Management
Filter tab, clicking on the Listing tab, clicking on the Collection Name you are
looking for and then clicking on any of the additional tabs to edit the collection. Below
is a description of all the fields on the various tabs.
17.2 Adding A Collection
Select Systems, Accounts, & Collections → Collections → Add Collection from
the menu. The Collection Details tab is displayed:
Enter Collection Name, Description and click the button.
17.3 Affinity Tab (PSM Customers Only)
Here you can assign DPA server priority to the Collection.
The default setting will be Allow PSM sessions to be run on any defined DPA.
The default DPA Server name will be LocalServer, which is the local TPAM appliance. If
your company purchased and configured additional DPAs to optimize session
performance you will see these listed in the DPA Name column (see section 29.0 on
configuring DPAs). To optimize performance you can prioritize the DPA that the
member systems in this collection use when a session is being conducted against them.
Enter the Priority number next to each DPA and click the button. If the
system has a different affinity priority assignment, the priority at the system level will
take precedence over the collection affinity setting.
17.4 Set Collection Members:
Now in v2.4, in addition to systems, accounts and files can be members of a
Collection. A System cannot be in the same collection as any of its Accounts or Files &
vice versa.
Add the desired members for the collection by clicking on the Members tab, then
clicking the Results tab. Click the Assigned radio buttons and Not Assigned radio
buttons as desired and click the button.
Tip! You can set all the displayed members to either Assigned or Not
Assigned by holding down the Ctrl key when clicking on any radio button.
Note! A Collection used by either AD or Generic Integration cannot have its
membership changed here. The current member status is displayed, but all radio
buttons in the list are disabled.
17.5 Set Collection Permissions:
On the Permissions tab you can assign users and/or groups an Access Policy for a
Collection. Refer to section 15.8 for details on how to assign permissions.
17.6 Managing A Collection
Select Systems, Accounts, & Collections → Collections → Manage Collections
from the menu. Using the Filter tab search for the collection you want to manage by
entering your search criteria and click the Listing tab.
17.7 Update Collection
Select the collection from the list and click the Details tab. Make the desired changes
to the collection and click the button.
17.8 Delete A Collection
Select the collection from the list and click the button. You will be
asked if you are sure you want to delete the collection to help prevent the accidental
removal of collections.
The button at the bottom of the page will take you to a listing of the
Systems in the Collection.
17.9 Duplicating A Collection
Select the collection from the Listing Tab and click the button. A new
collection object will be created and the collection Details tab will be displayed. The
duplicate will inherit the permissions and members of the existing collection. Set the
membership for the new collection. Set the permissions for the new collection. Click
the button.
17.10 List Collections
Go to Systems, Accounts, & Collections → Collections → List Collections to
view a list of collections. Enter your listing criteria on the Filter tab. To select which
columns will be on your listing click the Layout tab. To view your listing on the
screen click the Listing tab.
To view the collection listing in Excel or CSV format click the Excel or CSV
button. To view all the collection members in Excel or CSV format click the
Excel or CSV button.
To view all members of the collection, click a Collection Name in the listing and then
click the Members tab (available to administrator and auditor users only). To view
permissions assigned to the collection, click a Collection Name in the listing and then
click the Permissions tab. Available to administrator and auditor users only.
17.11 Batch Updates to Collections
Changes to collection membership can be performed in bulk update processes using a
properly configured update file.
In v2.4 we added Account and File columns to the update template.
17.11.1 File Format
See section 15.17.1 for general rules on the file format.
From the menu, select Systems, Accounts, & Collections → Collections →
Load Collection Membership. The collection update page is displayed:
On the update page there is an area to set a default value that can be
assigned to the Update Action column.
The radio buttons below the File Name can be used to flag all rows in the file
as being Add, Delete, or Update as appropriate to each task. The Specified
in File button should be selected if the Update Action column is specified in
the file. If either of the other buttons is chosen it will override all Update
Actions in the file, even if they differ from the default action. If any button
except Specified in File is chosen then the Update Action column may be
omitted from the file.
17.11.2 Show Template
Click the button to create a comma or tab delimited template to use when
updating collection membership.
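A pre-flight check for the update file described in 16.25 and here in 17.11, as an added example that is not Quest code and not the appliance's own importer. It catches the two common problems named in 16.25.1 (a wrong number of delimiters on a row and a missing line terminator after the last line), honours the !NULL convention for the columns that accept it, and mirrors the Update Action radio buttons: with no default action the UpdateAction column must be present and valid, with a default action it may be omitted. The column names and sizes are hypothetical placeholders for whatever the Show Template button produces.

```python
"""Pre-flight check for a TPAM batch update file before it is uploaded.

Added example; not Quest code and not the appliance's own validator. The
column names, sizes and which columns accept !NULL are hypothetical
placeholders standing in for the real Show Template output.
"""
import csv
import io

NULL_SENTINEL = "!NULL"               # clears a column's stored value
ACTIONS = {"Add", "Delete", "Update"}

# Hypothetical column spec: name -> (max size, accepts !NULL).  The columns
# marked with a dagger after Max Size in the real template are the nullable ones.
COLUMNS = {
    "SystemName": (30, False),
    "AccountName": (30, False),
    "Description": (255, True),
    "UpdateAction": (6, False),
}


def detect_delimiter(text):
    """Comma or tab delimited: decide from the header line."""
    first = text.splitlines()[0] if text.strip() else ""
    return "\t" if "\t" in first else ","


def check_update_file(text, default_action=None):
    """Return a list of problems found; an empty list means the file passes.

    default_action mirrors the radio buttons below File Name: None stands for
    'Specified in File' (the UpdateAction column must then be present and valid);
    'Add', 'Delete' or 'Update' means the column may be omitted and any value
    in it is overridden, so it is not validated.
    """
    problems = []
    if not text.strip():
        return ["file is empty"]
    if default_action is not None and default_action not in ACTIONS:
        return [f"bad default action {default_action!r}"]
    # The most common import failure named in the manual: no line terminator
    # after the last row.
    if not text.endswith(("\n", "\r")):
        problems.append("last line is missing its carriage return / line terminator")

    rows = list(csv.reader(io.StringIO(text, newline=""), delimiter=detect_delimiter(text)))
    header = rows[0]
    unknown = [c for c in header if c not in COLUMNS]
    if unknown:
        problems.append(f"unknown columns: {unknown}")
    if default_action is None and "UpdateAction" not in header:
        problems.append("UpdateAction column is required when the action is 'Specified in File'")

    for lineno, row in enumerate(rows[1:], start=2):
        if not any(row):
            continue  # blank line, ignore
        if len(row) != len(header):
            # The other common failure: a wrong number of delimiters on a row.
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        for name, value in zip(header, row):
            if name not in COLUMNS:
                continue
            max_size, nullable = COLUMNS[name]
            if name == "UpdateAction":
                if default_action is None and value not in ACTIONS:
                    problems.append(f"line {lineno}: UpdateAction must be one of {sorted(ACTIONS)}")
                continue
            if value == NULL_SENTINEL:
                if not nullable:
                    problems.append(f"line {lineno}: {name} does not accept {NULL_SENTINEL}")
            elif len(value) > max_size:
                problems.append(f"line {lineno}: {name} exceeds max size {max_size}")
    return problems


# Constructed sample files (not real TPAM data).
GOOD_FILE = (
    "SystemName,AccountName,Description,UpdateAction\r\n"
    "Jupiter,svc_backup,!NULL,Update\r\n"
)
BAD_FILE = (
    "SystemName,AccountName,Description,UpdateAction\n"
    "Jupiter,svc_backup,Update\n"            # one delimiter short
    "Saturn,Administrator,!NULL,Delete"     # no terminator on the last line
)

if __name__ == "__main__":
    print("good:", check_update_file(GOOD_FILE) or "ok")
    print("bad:", check_update_file(BAD_FILE))
```

Running the check before uploading is cheaper than reading the import results page afterwards; a file that passes here can still be rejected by the appliance for reasons the file alone cannot show, such as a system that has not been pre-defined.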
18.0 Managing Secure File Storage
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the
same secure storage and retrieval controls for files. This functionality can be used for many
file types, but its intent is to securely store and control access to public/private key files and
certificates.
18.1 Adding a File for Storage
To add a new file for secure storage, select Systems, Accounts, & Collections →
Files → Add File from the menu. Enter your filter criteria to find the system you
want and click the System tab. Select the desired system, then click the Details tab.
Define the File Display Name, which can be more descriptive than the actual
filename. This is the name users will see when requesting access to stored files.
Enter a full path or click the button. This will bring up another window
where you can select your local file.
The number of Approvals Required to release the file contents indicates the level of
approval control desired. This parameter will accomplish the exact same results as
the similar parameter for stored passwords.
The Maximum Duration parameters limit the amount of time an approved user may
release the contents of the stored file. A release Notification email address will
receive a notification whenever the file is retrieved without dual control. Enter any
desired text in the Description field.
Click the button to store the file.
18.2 File Ticket System Tab
Use this tab to configure Ticket System Integration for the file. The options available on this
tab will be predetermined by how Ticket Systems were configured in the paradmin
interface and at the System level. If no Ticket Systems have been configured and
enabled in the paradmin interface the Ticket System tab will be inaccessible.
18.2.1 Require Ticket Number from:
Check this box if you want to require ticket number validation every time a
file request is submitted for this system. If multiple Ticket Systems are
enabled they will be listed in the list for selection. You can specify the ticket
system or allow entry of a ticket number from any system that is enabled. If
this box is not checked users will still be able to enter a Ticket Number on a
request.
18.2.2 Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a
ticket number. You also have the option to require ISAs to supply a ticket
number prior to retrieving a file, as well as for requests made through the CLI or
API.
18.2.3 Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have
the option of entering one or more e-mail addresses (up to 255 characters)
that will receive an e-mail when an ISA, CLI or API user releases or retrieves
a file without supplying a ticket.
18.2.4 Propagation
You have the option of pulling the Ticket System settings for the File from the
System defaults. To set the file at the System defaults check this box and
click the button. To override the system settings, uncheck this
box, edit the settings and click the button.
Note! If someone goes in at the System level and decides to push the
system settings out to all the files, the settings saved here will be overridden
with whatever is set at the system level at that time.
18.3 File Collections Tab
In v2.4 Files can now be members of a collection. Refer to section 15.7 for detail on
assigning collection membership.
Note! A file cannot belong to the same collection as its parent system, or vice
versa.
18.4 Setting Permissions for Files
Prior to v2.4 the permissions for files were based on the permissions set at the
System level. In v2.4 you can now assign permissions at the File level. Select
Systems, Accounts, & Collections → Accounts → Manage Files from the menu.
Once you select the file you want to modify click the Permissions tab. Refer to
section 15.8 for details on assigning permissions.
18.5 Updating a Stored File
To make changes to an existing stored file, select Systems, Accounts, &
Collections → Files → Manage Files from the menu. Enter your search criteria on
the Filter tab and click the Listing tab. Select the file from the Listing tab and click
the Details tab.
Changes may be made to the description, number of approvals required for release,
email notification, and maximum release duration. Additionally, a new file may be
uploaded to replace the existing stored file, such as when a new key file or certificate
file exists but the desire is to maintain the same display name. The display name for
the file cannot be modified.
18.6 Reviewing File History and Activity
To view file history select Systems, Accounts, & Collections → Files → Manage
Files from the menu. Enter your search criteria on the Filter tab. Click the Listing
tab to select the file you are looking for. Click the File History tab. This report will
show the history of all physical files that have been associated with the file display
name as well as the dates the file was originally stored and replaced. The older files,
though no longer associated with the display name, remain on the appliance and may
be accessed by an administrator using the filename link. Older files may also be
deleted from history.
The Logs tab for stored files will show the activity associated with accessing the file.
The Current File tab will allow you to retrieve the file if you have ISA permission for
the file. Type a release reason in the text box and then click the button.
19.0 Synchronized Passwords
Synchronized Passwords (formerly known as Collection Accounts prior to v2.3.761) provide
a way to allow multiple accounts, on different systems, to have the passwords
synchronized.
Alert! Any of your collection accounts that existed prior to applying the 2.3
patch will be converted to synchronized passwords. They will retain the same
name but have a random number appended to the end of the synchronized
password name.
The Synchronized Password functionality depends heavily on the new Synch Pass Change
Auto Agent that must be enabled by your System Administrator in the paradmin interface.
If the agent is not running, Synch member passwords will never be changed unless you
perform a manual forced reset.
19.1 Creating a Synchronized Password
To add a synchronized password go to Systems, Accounts, & Collections →
Passwords → Add Synchronized Password.
19.1.1 Synchronized Password Name
Enter a unique name for the Synchronized Password.
19.1.2 Password
You can choose to manually enter a password in this field. Any password
entered will be validated against the selected password rule. This will preempt
any post-release resets and will cause any subscriber with a different
password to be scheduled for a mismatch reset.
19.1.3 Disable Synchronization
Passwords will not be synchronized if this is enabled. This can be used when
changing subscriber priority and then forcing a reset; otherwise new
subscribers are not synchronized by priority. While synchronization is disabled
new subscribers will not be scheduled for a mismatch reset if their current
password does not match.
19.1.4 Password Rule
Select the desired password rule to serve as the default for the synchronized
password. If the selection is not changed (or if no other rules have been
defined in TPAM) the Default Password Rule will be selected. The password
rule will govern the construction requirements for new passwords generated
by PPM.
19.1.5 Description
This is a free text field where additional descriptive information may be
entered.
19.1.6 Notification Email
The e-mail address specified in this field will receive notification of certain
password releases. This would apply to releases by ISA users and CLI/API
users under all circumstances, and authorized requestors when dual control is
not required (number of approvals set to zero). Multiple email addresses can
be specified by entering each email address separated by a comma, up to a
maximum of 255 characters.
19.1.7 Check Password
If the Check Password box is selected the passwords of the subscribers for
this synchronized password will be checked by PPM. The check schedule is
configured through the paradmin interface and it can be run as often as daily.
19.1.8 Reset Password on Mismatch
This option is only available if the Check Password box is checked. If this
option is checked the passwords for the subscribers will be changed when a
mismatch condition is found.
19.1.9 Don’t Check Password
If the Don’t Check Password box is selected the passwords of the
subscribers for this synchronized password will not be checked daily by PPM.
Care should be used selecting this option because a mismatch between the
stored password and the actual passwords will go undetected.
19.1.10 Change Password after any release
This option indicates whether the passwords for the subscribers of the
synchronized password should be automatically reset by PPM following a
release to any user (including ISA users). The option is enabled by default. If
disabled, the passwords will not be changed after releases, but will still be
changed based upon the Change Frequency settings.
19.1.11 Change Frequency
This option instructs PPM to generate a new password and change it for the
subscriber accounts based on the time criteria selected.
19.1.12 Change Time
This option specifies the time of day that the automated password changes
should occur for the subscribers.
19.1.13 Next Change Date
This option indicates the date that the next scheduled password change is to
occur. This date may be changed to alter the current change schedule.
19.1.14 Default duration for ISA releases of password
This option specifies the amount of time after an ISA user has released the
password of any of the subscribers before it will be changed. This option will
be disabled if the Change password after any release option is disabled.
Maximum value is 7 days. Minimum value is 15 minutes. Configurable in 15
minute increments.
19.2 Adding Subscribers to a Synchronized Password
Once you save the synchronized password you can add which accounts (candidates)
you want to be synched by clicking on the button.
You can use the Filter to narrow your search for candidates and then click the
Candidates tab.
The list of Candidates will only include accounts that are either auto-managed or
manually managed.
19.2.1 Select
Check the box in the Select column for the candidates you want to add.
Alert! If you add one or more accounts to a System Template as
subscribers, any new systems added to TPAM using that template will
automatically have those accounts be subscribers to this
synchronized password.
19.2.2 Priority Level
You have the option to enter a number in the Priority Level column to
determine the order in which the Synch Pass Change Agent tries to synchronize
the subscribers. When you are done click the button.
Only auto managed accounts can be assigned a Priority Level. First the
change agent will attempt to synchronize the prioritized subscribers from
lowest to highest. If any of the prioritized subscribers fail to synchronize then
the process stops, and the change agent does not attempt to synchronize any
of the other subscribers. Once the prioritized subscribers are synchronized,
any auto managed, non-prioritized accounts are synchronized, and then
the manually managed accounts are put in the Manual Password Change
Notification queue. Any non-prioritized subscribers that fail to change will also
be scheduled through the regular password change agent. Once they are in
the regular change queue any admin or ISA can force a reset through the
accounts management page or password management page.
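The ordering rules above, worked through in code. This is an added example and not Quest code; it models the agent's behaviour as the manual describes it, with constructed subscriber records (the system/account names, the 'managed' and 'priority' fields, the queue names and the callback that decides whether a change attempt succeeds are all assumptions):

```python
"""Simulation of the order in which the Synch Pass Change Agent works through
subscribers, as described in 19.2.2.  Added example; not Quest code.  The
subscriber records, the callback that decides whether a change attempt
succeeds, and the queue names are constructed assumptions.
"""


def run_synch_change(subscribers, attempt):
    """Apply the ordering rules and return a summary dict.

    subscribers: list of dicts with keys name, managed ('auto' or 'manual')
                 and priority (int, or None for non-prioritized).
    attempt:     callback that performs one change and returns True on success.
    """
    result = {"synced": [], "regular_queue": [], "manual_queue": [], "aborted_on": None}
    auto = [s for s in subscribers if s["managed"] == "auto"]
    # Only auto-managed accounts can carry a priority; lowest number first.
    prioritized = sorted((s for s in auto if s["priority"] is not None),
                         key=lambda s: s["priority"])
    for sub in prioritized:
        if attempt(sub):
            result["synced"].append(sub["name"])
        else:
            # A prioritized failure stops the whole run; nothing else is touched.
            result["aborted_on"] = sub["name"]
            return result
    # Then the non-prioritized auto-managed accounts; failures are handed to
    # the regular password change agent instead of stopping the run.
    for sub in (s for s in auto if s["priority"] is None):
        if attempt(sub):
            result["synced"].append(sub["name"])
        else:
            result["regular_queue"].append(sub["name"])
    # Finally, manually managed subscribers go to the Manual Password Change
    # Notification queue for a person to act on.
    result["manual_queue"] = [s["name"] for s in subscribers if s["managed"] == "manual"]
    return result


# Constructed subscriber set (system/account names are placeholders).
SAMPLE_SUBSCRIBERS = [
    {"name": "jupiter/Administrator", "managed": "auto", "priority": 2},
    {"name": "saturn/Administrator", "managed": "auto", "priority": 1},
    {"name": "mars/svc_backup", "managed": "auto", "priority": None},
    {"name": "venus/svc_backup", "managed": "auto", "priority": None},
    {"name": "pluto/legacy", "managed": "manual", "priority": None},
]


def example_run(failing=()):
    """Run the sample with the named subscribers failing their change."""
    return run_synch_change(SAMPLE_SUBSCRIBERS, lambda s: s["name"] not in failing)


if __name__ == "__main__":
    print(example_run(failing=("mars/svc_backup",)))
    print(example_run(failing=("jupiter/Administrator",)))
```

The second run in the usage shows the consequence worth planning for: a single failing prioritized subscriber leaves every later subscriber untouched, so the accounts you prioritize should be the ones whose change you are most confident will succeed.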
19.3 Subscriber Status
To check on the status of the subscriber passwords click the Subscriber Status tab.
The Pending Change column is populated if the subscribers are in the regular
change queue. Clicking on the button will refresh the tab and show that
the accounts are no longer in the regular change queue. The Listing tab would then
show a force reset pending in the synchronized password change queue.
19.3.1 Unsubscribe
To remove an account from the synchronized password check the
Unsubscribe box and click the button. The account will
automatically be scheduled for a password reset.
19.3.2 Priority
To change the priority of subscribers use the Priority field. Once you have
finished reprioritizing click the button.
19.3.3 Password Status
Here you will see if the subscriber is in synch with the synchronized password.
To force an immediate synchronization click the button.
19.4 Logs tab
By clicking on the Logs tab the user can view detailed history on the synchronized
passwords for the subscriber accounts. There is a Filter tab to allow the user to
specify the date range or exact date of activity you are looking for.
19.5 Manual Reset
To schedule a forced reset of the synchronized password, click the button.
19.6 Deleting a Synchronized Password
To delete a synchronized password select the synchronized password name from the
Listing tab and click the button. Once the synchronized password is
deleted the subscribers will revert to the Password Management settings that
they had prior to becoming a subscriber.
20.0 Managing User IDs
20.1 Adding A UserID
Select Users & Groups → UserIDs → Add UserID from the menu.
20.1.1 UserName
Enter the user’s login ID here. This is generally done according to a naming
convention, such as first initial + last name, etc. Usernames may be a
maximum of 20 characters in length. The following special characters are
allowed in the UserName field:
`~#%&(){}.!'
20.1.2 User Disabled?
To temporarily disable a user’s access to TPAM this checkbox can be checked
and then unchecked to allow them back in.
20.1.3 Last Name
Enter the user’s last name.
20.1.4 First Name
Enter the user’s first name.
20.1.5 Phone Number/Pager Number
Contact number for the user.
20.1.6 Email Address
Enter the user’s e-mail address. If multiple email addresses are to be
associated with the user, this may be accomplished by using a semicolon and
no spaces to separate them. An alias name can also be designated for the
email (this name will appear in the To: field). Example:
Wile E Coyote<[email protected];[email protected]>,…
To create an alias, enter it as: alias<email-address-1;email-address-2>
Double quotes may be required to include spaces in email addresses.
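Checks for the UserName and Email Address rules above, as an added example rather than Quest code or the appliance's own validation. The 20-character limit and the list of permitted special characters come from 20.1.1; that letters and digits are also permitted, and that a double-quoted alias is how spaces are included, are assumptions, and the addresses used are constructed.

```python
"""Field checks for the Add UserID page: UserName and Email Address.

Added example; not Quest code.  The 20-character limit and the allowed
special characters `~#%&(){}.!' come from 20.1.1; that letters and digits
are also allowed, and that a quoted alias is how spaces are included, are
assumptions.  Addresses below are constructed (example.com / example.org).
"""
import re

# Letters and digits plus the special characters the manual lists; at most 20.
USERNAME_RE = re.compile(r"[A-Za-z0-9`~#%&(){}.!']{1,20}")

# alias<addr1;addr2>  or  "alias with spaces"<addr1;addr2>
ENTRY_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^<"]*?))\s*<(?P<addrs>[^>]*)>\s*$')
ADDR_RE = re.compile(r"[^\s@;<>]+@[^\s@;<>]+\.[^\s@;<>]+")


def valid_username(name):
    """True if the login ID fits the length and character rules."""
    return USERNAME_RE.fullmatch(name) is not None


def parse_email_field(value):
    """Return (alias, [addresses]); alias is None when no alias<...> wrapper is used.

    Addresses are separated by semicolons with no spaces; any address that
    does not look like user@host raises ValueError so a typo is caught before
    the user is saved.
    """
    m = ENTRY_RE.match(value)
    if m:
        alias = m.group("quoted") if m.group("quoted") is not None else m.group("bare").strip()
        raw = m.group("addrs")
    else:
        alias, raw = None, value
    addresses = [a.strip() for a in raw.split(";") if a.strip()]
    if not addresses:
        raise ValueError("no e-mail address given")
    bad = [a for a in addresses if ADDR_RE.fullmatch(a) is None]
    if bad:
        raise ValueError(f"malformed address(es): {bad}")
    return (alias or None), addresses


if __name__ == "__main__":
    print(valid_username("w.coyote!"), valid_username("w coyote"))
    print(parse_email_field("Wile E Coyote<wile@example.com;coyote@example.org>"))
```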
20.1.7 Description
Free text area that may be used to enter additional descriptive information
about the user account.
20.1.8 User Type
Select Basic, Administrator, Auditor, User Administrator, or Cache User
from the list.
Basic: If selected, the user can be a requestor, approver, reviewer, privileged
access, denied or ISA but will not have any administrator privileges.
Administrator: If selected, this user account will have Administrator
privileges to the TPAM interface.
Auditor: If selected, this user account will have Auditor privileges in TPAM.
Auditor is a special user type that may view reports, system, and users, but
may not request or approve passwords, files and sessions or modify any data.
User Administrator: If selected, this user account has the authority to
manage Basic user types. User Administrators may disable and enable users,
unlock user accounts, and update account information. The User
Administrator does not have the ability to add users to groups or modify
permissions. CLI/API user accounts cannot be managed by a User
Administrator.
Cache User: If selected, this user will only be able to retrieve passwords
through an assigned Cache server and will not be able to log in to TPAM. A
security certificate must be loaded for each Cache user. If using a user-supplied
certificate, the customer may also have to provide the certificate password,
depending on the format of the certificate being uploaded.
20.1.9 User Interface
Select Web, CLI, or API from the list to determine how the user will be
accessing the TPAM.
If CLI or API is selected then the user will see the Restricted IP Address
Field appear.
Restricted IP Address: The source IP address may be restricted for a CLI
/API UserID by entering an IP address in this field. If an address is specified,
the UserID may only access TPAM from this address. This adds the ability to
secure and control access to TPAM. More than one IP address may be
specified by separating each with a comma – up to a limit of 100 characters
for the entire string. The use of wildcards is also permitted to specify a
complete network segment, for example 10.14.10.*. Since the CLI/API user cannot be
disabled with a checkbox, this field can be used to temporarily disable the
user's access by setting the value to an invalid IP address such as “disabled”.
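A defender's check of the Restricted IP Address rules just described, as an added example (not Quest code and not the appliance's own implementation): it parses the comma-separated list with trailing-octet wildcards, enforces the 100-character limit, and treats an invalid entry such as “disabled” as matching nothing, which is the behaviour the manual relies on for temporarily disabling a CLI/API user. Treating an all-wildcard entry as invalid, and the sample addresses, are assumptions.

```python
"""Source-address check for a CLI/API UserID's Restricted IP Address field.

Added example; not Quest code and not how the appliance implements the check.
It follows the rules stated in 20.1.9: comma-separated entries, at most 100
characters in total, trailing-octet wildcards such as 10.14.10.* for a whole
segment, and an invalid value (the manual's "disabled" trick) that can never
match.  Treating an all-wildcard entry as invalid is an assumption.
"""
import ipaddress

MAX_RESTRICTION_LEN = 100


def parse_restriction(value):
    """Return the list of networks the string denotes; invalid entries are
    silently dropped, which is why a value like "disabled" matches nothing."""
    networks = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        octets = entry.split(".")
        if "*" in octets:
            if len(octets) != 4:
                continue
            fixed = octets[: octets.index("*")]
            # Wildcards must fill every trailing octet and leave at least one fixed octet.
            if not fixed or any(o != "*" for o in octets[len(fixed):]):
                continue
            try:
                if not all(0 <= int(o) <= 255 for o in fixed):
                    continue
            except ValueError:
                continue
            prefix = ".".join(fixed + ["0"] * (4 - len(fixed)))
            networks.append(ipaddress.ip_network(f"{prefix}/{8 * len(fixed)}", strict=False))
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))  # single host -> /32
        except ValueError:
            continue  # not an address: contributes nothing
    return networks


def is_source_allowed(restriction, source_ip):
    """True if source_ip may use the UserID under this restriction string.

    An empty field means unrestricted; a non-empty field that yields no valid
    networks (e.g. "disabled") rejects every source.
    """
    if len(restriction) > MAX_RESTRICTION_LEN:
        raise ValueError("Restricted IP Address string exceeds 100 characters")
    if not restriction.strip():
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_restriction(restriction))


if __name__ == "__main__":
    # Constructed values: a documentation address and the manual's wildcard segment.
    print(is_source_allowed("192.0.2.10, 10.14.10.*", "10.14.10.77"))
    print(is_source_allowed("disabled", "10.14.10.77"))
```

The point to keep in mind when reviewing a user's restriction string is the last case: "disabled" works only because nothing can match it, so an audit of CLI/API users should treat any entry that fails to parse as an intentional lock-out rather than a typo to be "fixed".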
CLI User ID
A Command Line UserID is a special user account used to access TPAM
remotely via the CLI (command line interface). TPAM CLI/API users
require separate accounts from interactive TPAM users. A CLI /API user
cannot log onto TPAM interactively using a web browser, and can only
execute specific commands supported by the TPAM CLI/API.
Before the new CLI/API ID can be used, the authentication key must be
downloaded from TPAM. This key must exist on any computer that will use
this ID to access TPAM’s command line functions. To download the key,
select Users & Groups → UserIDs → Manage UserIDs from the
menu, select the user ID from the Listing and click the button.
Save the key file to the desired location. The key file may be renamed.
In the CLI Key Passphrase field you can enter an optional passphrase
to encrypt the user’s private key. The phrase is case sensitive, up to 128
characters, and does not allow double quotes (“). The phrase is not stored
and cannot be retrieved once the key is generated. Remember to give the
passphrase to the CLI user along with their private key file. If the CLI User
ID and key are going to be used in any type of scripting or automation, be
aware that any time a CLI Key with a passphrase is used the passphrase
must be entered by the user via the keyboard. Passphrase entry via any
type of scripting is not allowed for DSS Keys.
If a key has been corrupted or compromised, a new key can be created
for the existing user ID by clicking the button. This will
also clear the passphrase for the key, and a new one can be entered.
Once this has been done, the new key must be downloaded for use.
Note: The UserID “PAR-CLI” is reserved and cannot be used for a CLI user
account.
For more information about the TPAM CLI and its functions, see Appendix
C. For more information about the TPAM API and its functions, see
Appendix D.
20.1.10 Mobile Device Access Flag
This flag controls the ability for a user to access TPAM through their personal
mobile device (Blackberry, iPhone) to make password or session requests,
deny or approve requests, and comment/review password releases or
sessions. See the Mobile Access Manual for details. This flag defaults to
unchecked for new and existing users. This flag is only an option for Basic,
Auditor, or Administrator users with a Web interface type.
20.1.11 Password
Enter a password for the user account. If left blank, a random password will
be generated by the TPAM system. Does not apply to CLI/API users.
Note! You will not be able to change passwords for users with external
primary authentication. If Primary Authentication has been minimized then
you will not be able to change the user’s local password.
20.1.12 Confirm Password
Re-type the password to ensure that there are no typing or spelling mistakes.
Does not apply to CLI/API users.
20.1.13 Primary Authentication
You can use primary authentication to authenticate using TPAM (Local) or
your Windows Active Directory. WinAD is configured in the paradmin interface
as an external source of authentication. When WinAD is chosen the user will
authenticate using the UPN (User Principal Name) format, allowing the use of
multiple domains. Ex. [email protected]
In v2.3.765 we also added LDAP and Radius as primary
authentication methods. (See also: Configuring External Authentication in the
TPAM Configuration and Administration Manual).
In v2.3.767+ when LDAP is the primary authentication method you
have the option of letting users enter a shortened version of their LDAP
UserID that will expand to the full LDAP UserID for authentication.
In the example above, when “John” logs in to PAR he only has to enter a userid
of “John.Q.Public” and PAR will use the Full Primary UserID version to
perform the authentication.
20.1.14 Secondary Authentication
Secondary authentication mechanisms supported by TPAM are Safeword, RSA
SecurID, LDAP (both UNIX and Windows), LDAPS, Radius and Windows
Active Directory. This option is available at the user level (allowing specific
user requirements), rather than as a global configuration. Does not apply to
CLI/API users.
UserID: If the user is using secondary authentication enter their ID here.
Does not apply to CLI/API users.
20.2 Template Tab
You have the ability to add a User and save all the settings for that User as a
template. Templates may be used to quickly create new users with a given set of
default values via the web interface, CLI or API. Templates can only be created by
TPAM Administrators.
Note! Cache users cannot be turned into a template. CLI User templates
cannot have a passphrase. User templates do not store a default password. If you
create a user template from a user that has SysAdmin privileges, these privileges will
NOT be saved onto the template.
20.2.1 Create a Template from this User
Checking this flag will save the values for this user as a User Template. Once
a template has been created you cannot uncheck this flag.
20.2.2 Use this as the default template
If this box is checked this template will be used when adding all Users unless
another template is chosen. Only one template can be designated as the
“Default” at one time. Only a template with a User Type of Basic and User
Interface of Web can be used as a default template. If a template is
designated as the “Default” it will be listed in purple font in the Manage Users
listing.
20.2.3 Retain Group Membership in the template
When checked this will create the template with all the Groups memberships
currently defined on this user. Users created from the template will have the
same group memberships.
Alert! If this user is a member of an AD Integration Group, that
membership is NOT transferred to the template and subsequent
users.
20.2.4 Retain System/Collection Permissions in the template
When checked this will create the template with all the System and Collection
permissions currently defined for the user. Users created from this template
will have the same permissions.
20.3 Time Information Tab
This tab is not enabled for Cache, CLI and API users.
20.3.1 User Local Time Zone Information
The admin has the ability to set a user’s local time zone. The user will also be
able to edit their time zone information through the My Info → User Details
menu option.
If the user is in the same time zone as the appliance and follows the same
Daylight Saving Time (DST) rules the first radio button should be selected.
If the user is in a different time zone and/or follows different DST rules and
does not want to follow server time, the second radio button should be
selected, and the appropriate time zone chosen from the list. With this option
most dates and times that the user sees in the application or on reports will
be converted to their local time. If a date or time still reflects server time it
will be noted on the screen.
Example: The TPAM appliance is located in New York, NY on Eastern Time.
The user is located in Los Angeles, CA, which is on Pacific Time. If the user
chooses to set their time zone to Pacific Time, any requests, approvals, etc.
that they make will be reflected in Pacific Time to them, and they will have
the option to view some reports in their local time zone. If the TPAM
administrator is in the Eastern Time zone the admin will see this user’s
transactions stamped with the Eastern Time.
Alert! When the user is in Daylight Saving Time (DST) they
must remember to check the DST box and uncheck it when it is over.
This box does NOT automatically get changed for them.
20.3.2 Day/Time Based System Access
You can limit or restrict the business hours that a user can access TPAM as
well as specify the days of the week that they are allowed access. For Time
of Day you may enter up to 4 time ranges. Multiple ranges must be
separated with a semi-colon. The ranges must be entered using 24-hour
times with a hyphen between start and end times. Times may be entered as
7, 700, 7:00, or 07:00 (all representing 7:00 am). For example,
“7-12;13:00-18:00;19-23:59” would allow/prohibit logon between 7:00 am – 12 pm,
1:00 pm – 6:00 pm, and 7:00 pm – 11:59 pm.
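The parser and access check below are an added example for the Time of Day format described above; they are not part of the manual or of TPAM. The weekday representation (three-letter names), the inclusive range ends and the allow/prohibit flag are assumptions, since the manual specifies only the time format.

```python
from datetime import datetime
from typing import List, Set, Tuple

MAX_RANGES = 4  # section 20.3.2: up to 4 time ranges per user


def parse_time(token: str) -> int:
    """Convert one TPAM time token to minutes after midnight.

    The manual accepts 7, 700, 7:00 and 07:00 (all 7:00 am). Without a colon
    the last two digits are minutes, so 1230 is 12:30.
    """
    token = token.strip()
    if ":" in token:
        h_str, m_str = token.split(":", 1)
        if not (h_str.isdigit() and m_str.isdigit() and len(m_str) == 2):
            raise ValueError(f"bad time token {token!r}")
        hours, minutes = int(h_str), int(m_str)
    elif token.isdigit() and 1 <= len(token) <= 4:
        if len(token) <= 2:
            hours, minutes = int(token), 0
        else:
            hours, minutes = int(token[:-2]), int(token[-2:])
    else:
        raise ValueError(f"bad time token {token!r}")
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"time out of range: {token!r}")
    return hours * 60 + minutes


def parse_time_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse a Time of Day value such as "7-12;13:00-18:00;19-23:59".

    Ranges are separated by semi-colons; each is start-end in 24-hour time.
    Returns (start, end) pairs in minutes after midnight.
    """
    ranges: List[Tuple[int, int]] = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        if part.count("-") != 1:
            raise ValueError(f"range {part!r} must be start-end")
        start_tok, end_tok = part.split("-")
        start, end = parse_time(start_tok), parse_time(end_tok)
        if end <= start:
            raise ValueError(f"range {part!r} ends before it starts")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("no time ranges given")
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} ranges allowed, got {len(ranges)}")
    return ranges


def in_time_ranges(ranges: List[Tuple[int, int]], when: datetime) -> bool:
    """True if the clock time of `when` lies inside any range.

    Both ends are treated as inclusive (an assumption; the manual says only
    "between 7:00 am - 12 pm").
    """
    minute_of_day = when.hour * 60 + when.minute
    return any(start <= minute_of_day <= end for start, end in ranges)


def access_allowed(spec: str, allowed_days: Set[str], when: datetime,
                   prohibit: bool = False) -> bool:
    """Combine the day-of-week and Time of Day restrictions for one logon attempt.

    allowed_days holds weekday abbreviations ("Mon", "Tue", ...); the manual
    does not give the day format, so this representation is an assumption.
    With prohibit=True the ranges are the hours during which logon is blocked.
    `when` must already be expressed in the time zone the restriction is
    evaluated in.
    """
    if when.strftime("%a") not in allowed_days:
        return False
    inside = in_time_ranges(parse_time_ranges(spec), when)
    return not inside if prohibit else inside
```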
20.4 UserID Group Membership Tab
Select group memberships for this user account by clicking on the Group
Membership tab. Enter the Filter criteria and then click the Results tab. Click the
Assigned radio button next to the Group you wish to add membership to and click
the button.
Permissions can be separated between PSM (PSM Customers Only) and PPM
functionality. There are several default groups that exist for assignment to users. For
example a user could be in the Global PSM Requestor Group but also in the Global
PPM Approver Group. Take care to notice the differences between these groups when
making your assignments.
20.5 UserID Permissions Tab
Select the UserID from the Listing tab and click the Permissions tab. Enter the
Filter criteria and click the Results tab. See section 15.8 for details on how to assign
permissions.
20.6 Creating a User Template
To create a user template from scratch select Users & Groups → UserIDs → Add
User Template from the menu. Enter the Template Name in the Template Name
field and continue to fill out all the parameters on all the user tabs as you so desire.
Go to the Template tab and make sure the Create a Template from this User
checkbox is checked. The other checkboxes are optional. Once this is complete click
the button.
To create a user template from an existing user, pull up the user and check the
appropriate boxes on the Template tab (see section 20.2.1 for details). Go to the
Details tab and enter the template name in the Template Name field and click the
button.
Alert! For any template that is used by Active Directory or Generic
Integration and has a WinAD primary Authentication type, the Primary User
ID must be empty or one of the following values (not case-sensitive): UPN,
UserPrimaryName, SAMAccountName.
If any external authentication is set the ExternalUserID must still be
populated to save the template, however when a user is created from the
template the UserName will be used as the default ExternalID.
Changing a template assigned to an AD or Generic Integration entry does not change
any existing users nor change the template associated with said users.
20.6.1 Adding a User Using a Template
Select Users & Groups → UserIDs → Add UserID from the menu. Click the
button.
Select a Template from the Listing tab and click the Details tab to enter the
User Name. If the fields are not locked, make any other changes to the
individual fields as needed before saving.
20.6.2 Adding a User When there is a Default Template
If the administrator has set a template as a “default” template, every time
you add a user it will automatically use this template.
20.6.3 Disassociating a User from a Template
To disassociate a user from a template click the button on the
User Details tab. You will get the following pop up window.
Click the button and then click the button.
20.6.4 Deleting a User Template
To delete a user template select the template from the User Listing tab. Click
the button. You will get the following pop up window.
Click the button. When a template is deleted any users that were
created from this template are no longer associated to it.
A template that's currently being used by AD or Generic Integration cannot be
deleted.
20.7 Managing a UserID
Select Users & Groups → UserIDs → Manage UserIDs from the menu.
Enter your Filter criteria and click the Listing tab. A list of UserIDs will be displayed.
You will notice on the Listing tab that you can see if a UserID is flagged as a
System Administrator. System Administrators also have access to the paradmin and
parconfig interfaces. System Administrators are configured in the paradmin interface.
Any user templates will appear in the Listing in green italics font.
20.8 Manage a UserID
Select the UserName from the Listing tab and click the Details or Permissions
tabs. Make any necessary changes to the User account and click the
button to accept the changes.
20.9 Delete UserID
Select the UserID and click the button. A confirmation dialog must be
acknowledged to complete the deletion of the UserID.
20.10 Manage Group Membership
Select the UserID and click the Group Membership tab. Enter the Filter criteria and
then click the Results tab. Click the Assigned radio button next to the Group you
wish to add membership to and click the button. To remove the userid
from a group click the Not Assigned radio button.
Tip! You can set all the displayed members to either Assigned or Not
Assigned by holding down the Ctrl key when clicking on any radio button.
Note! If a group is tied to either AD or Generic Integration the user’s
membership status in that group cannot be changed.
20.11 Set User Password
Select the UserID from the Listing tab and click the Details tab. Enter a password in
the Password and Confirm Password fields and click the button.
20.12 Duplicate User
To save administrative time and effort, and to ensure consistency when required,
user accounts can be duplicated. When a user account is duplicated, all group
memberships, user type, and permissions are inherited by the new UserID.
To duplicate a UserID, select the UserID from the Listing tab and click the
button. A new user account will be created with the prefix of
DuplicateOf and the duplicated UserID. The duplicate user will have the same
permissions and group memberships as the duplicated user, but all other user specific
information such as first and last name must be entered into the appropriate fields
and saved.
20.13 Unlock a User
If a user has locked themselves out of TPAM by entering the incorrect password
multiple times select the UserName from the Listing tab. Click the button.
20.14 List UserIDs
To see a list of a UserID’s effective permissions on all systems, display the User list
by selecting Users & Groups → UserIDs → List UserIDs from the menu. Enter
the Filter criteria for your listing. Click the Layout tab to select which columns to
display on your listing. Click the Listing tab. The UserIDs that meet your filter
criteria will be displayed. User Templates will not be included in the Listing.
To download the list in Excel, click the button. To download the
list in CSV file click the button.
To view the Groups that the user belongs to select the user name from the Listing
and click the Groups tab.
To view the Permissions the user has to select the user name from the Listing and
click the Permissions tab.
20.15 Import UserIDs
User accounts can be imported from pre-configured text files. This provides a
valuable time saving method, and also provides a consistency of data. Select Users
& Groups → UserIDs → Import UserIDs from the menu. Specify the import file by
manually entering the path or by using the button. Once the file has been
specified, click the button to load the import file.
In v2.3.767 we added a column of “PrimAuthExtra” to the import file for the
Full Primary Version of the UserID for LDAP primary authentication users.
As of the writing of this manual, the valid local time zone values for a user are
those in the list below. As needed Quest Software will post OS patches on the
Customer Portal to update time zone information. Any portion of the time zone name
may be used as long as it is unique. For example, using “Guam” will find only one
time zone but using “02:00” or “US” will find multiple entries. A value of “Server” will
set the user to follow the Server time zone and DST rules:
(GMT-12:00) International Date Line West
(GMT-11:00) Midway Island, Samoa
(GMT-01:00) Cape Verde Is.
(GMT+05:00) Islamabad, Karachi, Tashkent
(GMT+05:30) Sri Jayawardenepura
(GMT-09:00) Alaska
(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
(GMT) Casablanca, Monrovia, Reykjavik
(GMT+01:00) West Central Africa
(GMT-08:00) Pacific Time (US & Canada)
(GMT-08:00) Tijuana, Baja California
(GMT-07:00) Chihuahua, La Paz, Mazatlan - New
(GMT-07:00) Chihuahua, La Paz, Mazatlan - Old
(GMT-07:00) Mountain Time (US & Canada)
(GMT-07:00) Arizona
(GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
(GMT+01:00) Brussels, Copenhagen, Madrid, Paris
(GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
(GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb
(GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
(GMT+02:00) Cairo
(GMT-06:00) Saskatchewan
(GMT+02:00) Jerusalem
(GMT+07:00) Bangkok, Hanoi, Jakarta
(GMT+08:00) Kuala Lumpur, Singapore
(GMT+08:00) Taipei
(GMT-06:00) Central Time (US & Canada)
(GMT-06:00) Central America
(GMT+02:00) Harare, Pretoria
(GMT+08:00) Irkutsk, Ulaan Bataar
(GMT+02:00) Amman
(GMT+08:00) Perth
(GMT-06:00) Guadalajara, Mexico City, Monterrey - New
(GMT-06:00) Guadalajara, Mexico City, Monterrey - Old
(GMT-05:00) Bogota, Lima, Quito, Rio Branco
(GMT-05:00) Eastern Time (US & Canada)
(GMT-05:00) Indiana (East)
(GMT+02:00) Athens, Bucharest, Istanbul
(GMT+02:00) Beirut
(GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
(GMT+09:00) Seoul
(GMT+02:00) Minsk
(GMT+02:00) Windhoek
(GMT+09:00) Osaka, Sapporo, Tokyo
(GMT+09:00) Yakutsk
(GMT+03:00) Tbilisi
(GMT+09:30) Adelaide
(GMT-04:00) Caracas, La Paz
(GMT+09:30) Darwin
(GMT-04:00) Santiago
(GMT+03:00) Moscow, St. Petersburg, Volgograd
(GMT+03:00) Nairobi
(GMT-04:00) Atlantic Time (Canada)
(GMT+03:00) Kuwait, Riyadh
(GMT+10:00) Canberra, Melbourne, Sydney
(GMT+10:00) Brisbane
(GMT-04:00) Manaus
(GMT+03:00) Baghdad
(GMT+10:00) Hobart
(GMT-03:30) Newfoundland
(GMT+03:30) Tehran
(GMT+10:00) Vladivostok
(GMT-10:00) Hawaii
(GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi
(GMT+05:45) Kathmandu
(GMT+06:00) Almaty, Novosibirsk
(GMT+06:00) Astana, Dhaka
(GMT+06:30) Yangon (Rangoon)
(GMT+07:00) Krasnoyarsk
(GMT-03:00) Buenos Aires, Georgetown
(GMT-03:00) Brasilia
(GMT+04:00) Abu Dhabi, Muscat
(GMT+10:00) Guam, Port Moresby
(GMT+04:00) Baku
(GMT-03:00) Greenland
(GMT-03:00) Montevideo
(GMT+04:00) Caucasus Standard Time
(GMT+04:00) Yerevan
(GMT+11:00) Magadan, Solomon Is., New Caledonia
(GMT+12:00) Fiji, Kamchatka, Marshall Is.
(GMT+12:00) Auckland, Wellington
(GMT-02:00) Mid-Atlantic
(GMT+04:30) Kabul
(GMT+13:00) Nuku'alofa
(GMT-01:00) Azores
(GMT+05:00) Ekaterinburg
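The resolver below is an added example, not code from the manual or from TPAM, of the partial-name rule described above, used as a pre-flight check over the time zone column of an import file before it is uploaded. The zone list is a constructed subset of the list above (the full list can be dropped in unchanged), and case-insensitive matching is an assumption the manual does not state.

```python
from typing import Dict, List

SERVER_TIME_ZONE = "Server"  # follow the appliance's time zone and DST rules

# Constructed subset of the time zone names listed in section 20.15.
TPAM_TIME_ZONES: List[str] = [
    "(GMT-12:00) International Date Line West",
    "(GMT-08:00) Pacific Time (US & Canada)",
    "(GMT-07:00) Mountain Time (US & Canada)",
    "(GMT-06:00) Central Time (US & Canada)",
    "(GMT-05:00) Eastern Time (US & Canada)",
    "(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London",
    "(GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
    "(GMT+02:00) Cairo",
    "(GMT+02:00) Jerusalem",
    "(GMT+10:00) Guam, Port Moresby",
    "(GMT+10:00) Canberra, Melbourne, Sydney",
]


def resolve_time_zone(value: str, zones: List[str] = TPAM_TIME_ZONES) -> str:
    """Expand a partial time zone value the way the import rules describe.

    Any portion of the name is accepted as long as it matches exactly one
    entry; "Server" selects the appliance's own zone. Matching is
    case-insensitive here (an assumption), so note that "US" also matches
    names such as "Jerusalem" and is ambiguous for more than one reason.
    """
    needle = value.strip().lower()
    if not needle:
        raise ValueError("time zone value is empty")
    if needle == SERVER_TIME_ZONE.lower():
        return SERVER_TIME_ZONE
    matches = [z for z in zones if needle in z.lower()]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"no time zone contains {value!r}")
    raise ValueError(f"{value!r} is ambiguous, it matches {len(matches)} zones: "
                     + "; ".join(matches))


def preflight_time_zones(column: List[str]) -> Dict[int, str]:
    """Check the time zone column of an import file before uploading it.

    Returns {line_number: error} with 1-based line numbers (the Import
    History tab also reports failures by line), empty when every value
    resolves to exactly one zone.
    """
    errors: Dict[int, str] = {}
    for line_no, value in enumerate(column, start=1):
        try:
            resolve_time_zone(value)
        except ValueError as exc:
            errors[line_no] = str(exc)
    return errors
```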
20.15.1 Show Template
Click the button to create a comma or tab delimited
template to use when importing UserIDs.
In v2.4 we have changed the naming convention we use for “External
Authentication” to “Secondary Authentication”. This is reflected in the
template column names.
20.15.2 Import History Tab
By going to Users & Groups → UserIDs → Import UserIDs and then
clicking the History tab the user can see the import history. If the import
fails, troubleshooting details will be displayed showing the line and field
number that caused the failure.
20.15.3 Import User Detail Tab
Each file that a user has attempted to import will show in the History log. To
see the details of the import select a File Name from the History list and then
click the Details tab. The results of the import will be displayed, showing
both successful and unsuccessful items.
20.16 Batch Update Users
Selecting Users & Groups → UserIDs → Batch Update UserIDs from the menu
provides a mechanism to make changes to many users at one time, or to delete
users. As with other import and update procedures, the file used to perform the
update must be properly formatted.
You have the ability to clear out existing data for specific fields through Batch Update.
Columns with a † after their Max Size will accept an update value of !NULL
(exclamation point followed by the word NULL) to clear the data.
20.16.1 File Format
See section 15.17.1 for general rules on the file format.
On the update page there is an area to set a default value that can be
assigned to the Update Action column.
20.16.2 Show Template
Click the button to create a comma or tab delimited
template to use when batch updating UserIDs.
In v2.4 we have changed the naming convention we use for “External
Authentication” to “Secondary Authentication”. This is reflected in the
template column names.
In v2.3.767 we added a column of “PrimAuthExtra” to the update file
for the Full Primary Version of the UserID for LDAP primary authentication
users.
Tip! The most common problems with import files are an incorrect
number of commas or a missing carriage return character at the end of the
last line.
21.0 Managing Groups
Combining users into groups for ease of administration is a common practice on all
managed systems, and TPAM is also designed to utilize this concept. Because a group is an
object to which permissions can be applied, careful planning and consideration should be
used when creating them.
21.1 Default Groups
Included with TPAM are several default global groups that can be used for assigning
permissions. If your System Administrator has enabled these in the paradmin interface you
will see these by going to Users & Groups → Groups → Manage Groups and clicking on
the Listing tab.
To assign a user to one of these groups click the Members tab. You will not be able to
select the Permissions tab for any of the default Global Groups because you cannot change
the Access Policy for a system generated group.
21.2 Group Details Tab
To create a new group, select Users & Groups → Groups → Add Group from the
menu. The Group Details tab will be displayed:
Enter a unique name for the group in the Group Name field. This name should be
meaningful and self-descriptive. It is also recommended that a naming convention be
followed. A more informative description of the group can be entered in the
Description field.
21.3 Group Members Tab
Select the group membership by clicking on the Members tab and then click the
Results tab. To assign members to the group click the Assigned radio button next
to the user name. To remove the user from the group click the Not Assigned radio
button. User Templates are displayed in the Name column using green italics text.
When the group and its membership have been completed, click the
button to accept the new group.
Tip! You can set all the displayed members to either Assigned or Not
Assigned by holding down the Ctrl key when clicking on any radio button.
Note! If a group is tied to either AD or Generic Integration the users’
membership status in that group cannot be changed.
The button will allow you to quickly navigate to a listing of the Users
that are members of this group.
21.4 Group Permissions Tab
Now that the group has been created, and user members have been assigned, it is
time to give this new group some function. This is done by assigning permissions to
the group. Click the Permissions tab. Enter your criteria into the Filter tab and click
the Results tab. See section 15.8 for details on how to assign permissions.
21.5 List Groups
To view the current permissions for a group, select Users & Groups → Groups →
List Groups from the menu. Enter your search criteria on the Filter tab. Using the
Layout tab select the columns you want to appear on your listing. Click the Listing
tab to see the results.
Note! If the System Administrator has disabled Global Groups in the paradmin
interface you will not see them in this listing.
To get more details on a group, select the group name and then click the Members
or Permissions tabs.
To view the group listing in Excel or CSV format click the or
buttons. To view all of the group members in Excel or CSV format click the
or button.
21.6 Duplicating A Group
For the same reasons of administrative efficiency mentioned for duplicating
collections, groups can also be duplicated. This is particularly useful if the group will
apply to either all of the systems or all of the users contained in the original group. If
neither case exists, it may not be useful to duplicate. When duplicating objects such
as users and groups, it is important to re-check every detail to ensure that duplicated
properties have been modified where needed.
From the menu, select Users & Groups → Groups → Manage Groups. Enter your
search criteria on the Filter tab. Click the Listing tab. Select the group to manage
from the list and click the button. The Group Details tab will be
displayed. At this point, with the exception of the group’s name, it is still identical to
the group from which it was duplicated. The default name of the new group will be
the preface of “DuplicateOf” followed by the original group name. Make any desired
changes to the new group, including the name of the group, and click the
button.
21.7 Batch Updates to Groups
Changes to group membership can be performed in bulk update processes using a
properly configured update file.
From the menu, select Users & Groups → Groups → Load Group Membership.
The group update page is displayed:
Locate the formatted file to upload to TPAM using the button, and then
select the button.
21.7.1 File Format
See section 15.17.1 for general rules on the file format.
On the Update page there is an area to set a default value that can be
assigned to the Update Action column.
The radio buttons below the File Name can be used to flag all rows in the file
as being Add, Delete, or Update as appropriate to each task. The Specified
in File button should be selected if the Update Action column is specified in
the file. If either of the other buttons is chosen it will override all Update
Actions in the file, even if they differ from the default action. If any button
except Specified in File is chosen then the Update Action column may be
omitted from the file.
21.7.2 Show Template
Click the button to create a comma or tab delimited
template to use when updating group membership.
22.0 Active Directory Integration
TPAM can be configured to integrate with Active Directory to automatically detect, enroll,
and modify users and computers. To configure Active Directory integration select
Integration → Active Directory from the main menu.
22.1 Adding an Active Directory System Mapping
To create an Active Directory Integration Computer mapping click the
button.
22.1.1 Active Directory System
Select the Active Directory System from the list. This must be configured as a
managed Windows Active Directory system in TPAM to be available in the list.
22.1.2 Distinguished Name
Enter the Distinguished Name for the Active Directory System. To validate
that TPAM recognizes the Distinguished Name click the button.
Example: CN=Computers,dc=domain,dc=company,dc=com
Example: OU=Corporate,OU=Servers, dc=domain,dc=company,dc=com
22.1.3 Automatically Update
Select how often you want TPAM to pull updates from the AD System. The
update will pull changes in last name, first name, e-mail, phone number,
pager number, comments/notes and if the user has been disabled or added.
22.1.4 Send Messages
You have the option of sending an e-mail to a specific user every time an
update occurs, or only when there are failures trying to perform an update.
22.1.5 Collision Strategy
By answering the collision questions you are configuring how TPAM will handle
scenarios if it encounters systems that already exist in TPAM, with or without
distinguished name mappings. Also you determine how TPAM will handle the
scenario when an update finds a system no longer in the source.
In v2.4 we added a new Collision Strategy option of Soft Delete
System regardless of other mappings, remove mapping, when a system
is removed from a source container.
Example: If you already have a managed system set up in TPAM with no DN
mapping and want to map this to the system in Active Directory select:
System Name exists in TPAM, No Distinguished Name mapping: Map
to Existing.
Example: If you select System Name exists in TPAM and a Distinguished
Name mapping exists: Create Unique TPAM System it will add that
system to TPAM as “new system name_1”.
22.2 Active Directory System Tab
Once you have completed the fields on the Source tab, click the System tab.
22.2.1 TPAM Collection Name
Enter the name of the TPAM Collection for these systems. This will need to be
a collection name that does not already exist in TPAM and membership
changes will not be allowed outside this mapping. For more on Collections see
section 17.0, Configuring Collections.
22.2.2 Use Template System
We added System Templates as a way to create systems from the AD Source.
Any new systems added will be created in TPAM using the default settings
from the template chosen here. This includes all parameters on the Systems
Details tab, as well as all the other tabs. Template System values only affect
new systems added from the AD container. The template is not used when
updating existing systems. For more information on System Templates see
section 15.2.
To quickly create a new template prior to completing the system mapping
click the button. This will take you to the add system
template page. If you select an existing template from the list and click the
button you will be taken to the Systems Management page for
that template.
Alert! If you still need to apply the v2.3 patch to get to v2.4,
when you apply the v2.3 patch any existing Active Directory System
entries will be converted to templates. For each entry a new Template
will be created with the following naming convention:
AD_System_Template_XXX, where XXX is 001, 002, 003, etc. The
Comment for the new template is Auto-created template for AD
System mapping of YYY where YYY is the TPAM Collection Name used
on the AD Mapping.
Click the button to save your system mapping.
22.3 Adding Active Directory User Mappings
To create an Active Directory Integration User mapping click the
button.
22.3.1 Active Directory System
Select the Active Directory System from the list. This must be configured as a
managed Windows Active Directory system in TPAM to be available in the list.
22.3.2 Distinguished Name
Enter the Distinguished Name for the Active Directory System. To validate
that TPAM recognizes the Distinguished Name click the button.
Example: CN=Users,dc=domain,dc=company,dc=com
Example: OU=Sales,OU=Users,dc=domain,dc=company,dc=com
22.3.3 Automatically Update
Select how often you want TPAM to pull updates from the AD System. The
update will pull changes in last name, first name, e-mail, phone number,
pager number, comments/notes and if the user has been disabled or added.
22.3.4 Send Messages
You have the option of sending an e-mail to a specific user every time an
update occurs, or only when there are failures trying to perform an update.
22.3.5 Collision Strategy
By answering the collision questions you are configuring how TPAM will handle
scenarios if it encounters users that already exist in TPAM, with or without
distinguished name mappings. Also you determine how TPAM will handle the
scenario when an update finds a user no longer in the source.
Example: If you have a user name that conflicts with a TPAM restricted
username such as paradmin, if you select the Create Unique TPAM User
option the user will be added as paradmin_1.
22.4 Active Directory User Tab
Once you have completed the Source tab click the User tab.
22.4.1 TPAM Group Name
Enter the name of the TPAM Group for these users. This will need to be a
Group name that does not already exist in TPAM and membership changes
will not be allowed outside the integration mapping. For more on Groups see
section 21.0, Managing Groups.
22.4.2 Use Template User
We added User Templates as a way to create users from the AD Source. Any
new users added will be created in TPAM using the default settings from the
template chosen here. This includes all parameters on the User Details tab, as
well the Time Information tab. User templates may also include Group
Membership and System/Account/Collection permissions. Template user
values only affect new users added from the AD container. The template is
not used when updating existing users. For more information on User
Templates see section 20.2.
To quickly create a new template prior to completing the user mapping click
the button. This will take you to the add user template
page. If you select an existing template from the list and click the
button you will be taken to the User Management page for that
template.
Alert! If you still need to apply the v2.3 patch to get to v2.4,
when you apply the v2.3 patch any existing Active Directory User
entries will be converted to templates. For each entry a new Template
will be created with the following naming convention:
AD_User_Template_XXX, where XXX is 001, 002, 003, etc. The
Comment for the new template is Auto-created template for AD User
mapping of YYY where YYY is the TPAM Group Name used on the AD
Mapping.
22.5 Export User and System Mappings
The and buttons allow you to
export all of the details regarding your Active Directory Mappings in TPAM.
23.0 Generic Integration Tool
TPAM can be configured to integrate with various databases to automatically detect, enroll,
and modify users and systems. To configure the Generic Integration tool select
Integration → Generic from the main menu.
To create a Generic User mapping click the button.
23.1 Configuring a Data Source
23.1.1 System Name
Enter the Data Source System Name. This must be configured as a system
in TPAM (with a platform of Sybase, Oracle, MySQL or MS SQL Server).
23.1.2 Account Name
Enter the Account Name. This account must be set up on the system in TPAM.
This account must have permissions to execute the SQL command.
23.1.3 SQL Command
Enter the SQL command that will pull the user data from your data source.
23.1.4 Result Set Map
This table will be populated once you complete filling in the fields on the
Source and User tabs, save your mapping and test your SQL command. Once
the Source Columns are populated you must map the data to the TPAM
Target Columns.
Note! One of the TPAM Target Columns is called "UniqueUserID". This
value you assign to this column is used to identify one specific user regardless
of the user name or data source. The value is expected to be unique across
any and all potential data sources used by Generic Integration.

Example: You have two Generic Integration Data Sources using a MySQL
database, one for "Management" users and one for "Operations". The data
sources both point to the same database, but use different query strings to select
the different types of users based on a Department field. A user with UserName
of JGreene has just been promoted from Operations to Management. In the
MySQL database you change her department from Operations to Management.
When the Generic Integration mappings are processed, TPAM sees that JGreene no
longer appears in the "Operations" source and removes her UserName from the
associated group in TPAM. Later it sees a "new" user named JGreene in the
mapping for the "Management" source. The UniqueUserID value will be used to
tell TPAM if this is the same JGreene as before, in which case she is simply added
to the new TPAM Group, or a totally new JGreene user which will be handled by
the Collision Strategy.

Because the UniqueUserID is expected to be unique across all data sources, we
recommend against using any type of Identity or sequentially numbered value
which may be unique in one particular data source but could be easily repeated in
a different table or database.
23.1.5 Automatically Update
Select how often you want TPAM to check the Data Source for new updates.
23.1.6 Send Messages
You have the option of sending an e-mail to a specific user every time an
update occurs, or only when there are failures trying to perform an update.
23.1.7 Collision Strategy
By answering the collision questions you are configuring how TPAM will handle
scenarios if it encounters users that already exist in TPAM, with or without
mappings. Also you determine how TPAM will handle the scenario when an
update finds a user no longer in the source.
In v2.4 we added a new Collision Strategy option of Soft Delete
System regardless of other mappings, remove mapping, when a system
is removed from a source container.
Example: If you have a user name that conflicts with a TPAM restricted
username such as paradmin, if you select the Create Unique option the user
will be added as paradmin_1.
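The following is an added example, not TPAM's own code, that models the UniqueUserID behaviour from the note in 23.1.4 and the Create Unique collision option described above, including the JGreene promotion scenario and the manual's warning against sequential ids. The user store, the SourceRow shape, the strategy names create_unique and map_to_existing, and ids such as E1001 are all constructed for the illustration; only paradmin as a restricted username comes from the manual.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The manual names paradmin as a restricted TPAM username; the rest of this
# data model is constructed for the example and is not TPAM's own.
RESTRICTED_USERNAMES = {"paradmin"}


@dataclass
class TpamUser:
    user_name: str
    unique_user_id: str          # value mapped to the UniqueUserID target column
    groups: Set[str] = field(default_factory=set)


@dataclass
class SourceRow:
    user_name: str
    unique_user_id: str


def unique_name(base: str, taken: Set[str]) -> str:
    """'Create Unique TPAM User': append _1, _2, ... until the name is free."""
    n = 1
    while f"{base}_{n}" in taken:
        n += 1
    return f"{base}_{n}"


def process_mapping(users: Dict[str, TpamUser], group: str, rows: List[SourceRow],
                    collision: str = "create_unique") -> List[str]:
    """Reconcile one Generic Integration user mapping with the TPAM user store.

    `group` is the mapping's TPAM Group Name and `rows` the current result of
    its SQL command. collision is 'create_unique' or 'map_to_existing'.
    Returns a log of the actions taken.
    """
    log: List[str] = []
    by_uid = {u.unique_user_id: u for u in users.values()}
    seen: Set[str] = set()  # names that belong in `group` after this run
    for row in rows:
        existing = by_uid.get(row.unique_user_id)
        if existing is not None:
            # Same person as before, even if she now arrives from another data
            # source: UniqueUserID, not the user name or source, identifies her.
            target = existing
            if group not in target.groups:
                log.append(f"add {target.user_name} to {group}")
        elif row.user_name in users or row.user_name.lower() in RESTRICTED_USERNAMES:
            # The name is taken but the UniqueUserID differs: a different person,
            # so the Collision Strategy decides.
            if collision == "map_to_existing" and row.user_name in users:
                target = users[row.user_name]
                log.append(f"map {row.user_name} to existing user")
            else:
                new_name = unique_name(row.user_name, set(users) | RESTRICTED_USERNAMES)
                target = TpamUser(new_name, row.unique_user_id)
                users[new_name] = by_uid[row.unique_user_id] = target
                log.append(f"create {new_name} (collision with {row.user_name})")
        else:
            target = TpamUser(row.user_name, row.unique_user_id)
            users[row.user_name] = by_uid[row.unique_user_id] = target
            log.append(f"create {row.user_name}")
        target.groups.add(group)
        seen.add(target.user_name)
    # Anyone still in the mapping's group who no longer appears in the source.
    for u in users.values():
        if group in u.groups and u.user_name not in seen:
            u.groups.discard(group)
            log.append(f"remove {u.user_name} from {group}")
    return log


def promotion_scenario(management_uid: str) -> Tuple[Dict[str, TpamUser], List[str]]:
    """The manual's JGreene example: she moves from Operations to Management.

    `management_uid` is the UniqueUserID the Management query returns for her.
    """
    users = {"JGreene": TpamUser("JGreene", "E1001", {"Operations"})}
    # She no longer matches the Operations query, then appears in Management.
    log = process_mapping(users, "Operations", [])
    log += process_mapping(users, "Management", [SourceRow("JGreene", management_uid)])
    return users, log


def sequential_id_pitfall() -> List[str]:
    """Why Identity/sequence values make poor UniqueUserIDs: two different
    people whose row ids are both "1" in two tables are treated as one."""
    users = {"JGreene": TpamUser("JGreene", "1", {"Operations"})}
    return process_mapping(users, "Management", [SourceRow("ASmith", "1")])
```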
23.2 Adding User Mappings
You must complete the fields on the User tab before you can save your mapping.
23.2.1 TPAM Group Name
Enter the name of the TPAM Group for these users. This will need to be a
Group name that does not already exist in TPAM and membership changes
will not be allowed outside the integration mapping. For more on Groups see
section 21.0, Managing Groups.
23.2.2 Use Template User
We added User Templates as a way to create users from the Generic Source.
Any new users added will be created in TPAM using the default settings from
the template chosen here. This includes all parameters on the User Details
tab, as well the Time Information tab. User templates may also include Group
Membership and System/Collection permissions. Template user values only
affect new users added from the Generic container. The template is not used
when updating existing users. For more information on User Templates see
section 20.2.
To quickly create a new template prior to completing the user mapping, click
the button. This will take you to the add user template page. If you select an
existing template from the list and click the button you will be taken to the
User Management page for that template.
Alert! If you still need to apply the v2.3 patch to get to v2.4,
when you apply the v2.3 patch any existing Generic Integration User
entries will be converted to templates. For each entry a new Template
will be created with the following naming convention:
GN_User_Template_XXX, where XXX is 001, 002, 003, etc. The
Comment for the new template is Auto-created template for GN User
mapping of YYY where YYY is the TPAM Group Name used on the GN
Mapping.
23.3 Completing the Mapping
Once you have completed the fields mentioned above click the button. Next go
back to the Source tab and click the button. This should populate the Source
Columns of the Result Set Map. For each Column Name select the TPAM Column
name that it should map to from the lists. Once you have mapped all the required
columns, click the button.
23.4 Export User Mappings
The button allows you to export all of the details regarding your Generic User
Mappings in TPAM.
23.5 Adding System Mappings
You can configure integration with various databases to automatically detect, enroll,
and modify systems. After configuring your data source (see section 23.1) click the
System tab.
23.5.1 TPAM Collection Name
Enter the name of the TPAM Collection for these systems. This will need to be
a Collection name that does not already exist in TPAM, and membership
changes will not be allowed outside the integration mapping. For more on
Collections see section 17.0, Managing Collections.
23.5.2 Use Template System
In v2.3 we have added System Templates as a way to create systems from
the Generic Source. Any new systems added will be created in TPAM using the
default settings from the template chosen here. This includes all parameters
on the Systems Details tab, as well as all the other tabs. Template System
values only affect new systems added from the Generic container. The
template is not used when updating existing systems. For more information
on System Templates see section 15.2.
To quickly create a new template prior to completing the system mapping,
click the button. This will take you to the add system template page. If you
select an existing template from the list and click the button you will be
taken to the Systems Management page for that template.
Alert! If you still need to apply the v2.3 patch to get to v2.4,
when you apply the v2.3 patch any existing Generic Integration
System entries will be converted to templates. For each entry a new
Template will be created with the following naming convention:
GN_System_Template_XXX, where XXX is 001, 002, 003, etc. The
Comment for the new template is Auto-created template for GN
System mapping of YYY where YYY is the TPAM Collection Name used
on the GN Mapping.
23.6 Export System Mappings
The button allows you to export all of the details regarding your Generic
System Mappings in TPAM.
24.0 Cache Servers
If your company purchased cache servers to optimize password retrieval, configure them by
selecting Management > Cache Servers > Manage Cache Servers from the menu.
24.1 Cache Server Details Tab
To add a Cache server click the button.
24.1.1 Cache Server Name
Enter the name for the cache server.
24.1.2 Secure Bus
Enter the network address that TPAM and the Cache server will use to
communicate.
In v2.3.765 we added the ability to change this address
after initial configuration of the cache server.
24.1.3 Appl Interface
Enter the network address that Cache Users will use to access the Cache
server.
24.1.4 Description
Enter any description about this specific cache server.
24.1.5 Retention
If this box is checked and the cache server does not communicate with TPAM
within the X minutes entered in the Disable after field, then the cache server will
shut down. This is to safeguard users trying to retrieve passwords when the
TPAM appliance may be down.
24.1.6 Enroll String
Enter the enroll string that the cache server generated when it was being
configured.
24.1.7 Logging
You have the option of having logs sent to a Syslog address and/or a specific
e-mail address.
24.1.8 Alerting
You have the option to have alerts sent to an SNMP address and/or a specific
e-mail address.
In v2.3.765 we have added an alert notification if the
Cache server loses communication with TPAM and also another alert when the
connection is restored.
24.1.9 SMTP
If the cache server is going to use a different SMTP server than TPAM then
enter the address here.
24.2 Cache Server WSDL Tab
On the WSDL (Web Services Description Language) tab the developers can find the
XML they will need when programming the interface to the Cache server.
24.3 Cache Server Accounts Tab
To assign accounts to the cache server click the Accounts tab. The Filter tab can be
used to narrow down the accounts you want to assign. Check the Assigned? box to
assign the account to the cache server. To enable the account on the cache server so
that the password can be retrieved check the Enabled? box.
Tip! You can hold down the Control key and click your mouse in a column to
select or deselect all checkboxes in the columns on the page.
24.4 Cache Server Root Certificates Tab
By default TPAM will generate its own root certificate that can be assigned to the
cache server. You also have the option to upload your own root certificates that can
be assigned to the cache server. To add your own certificates go to Management >
Cache Servers > Manage Trusted Roots. See Section 24.12 for details. Check the
Assigned box to assign the certificate to the cache server and then click the
button.
24.5 Cache Server Users Tab
The cache server Users tab is where you configure the users that can access the
cache server. To configure Cache Users see section 20.1 Adding a UserID. Check the
Assigned? box next to the users for this cache server and click the button.
24.6 Cache Server Hosts Tab
Any hosts that you have set up in TPAM will be listed on the Hosts tab. See section
24.10 on how to configure cache client hosts. Check the Assigned? checkbox next to
each host you want to be able to access this cache server and click the button.
24.7 Cache Server Permissions Tab
The cache server Permissions tab is where you configure the combination of
accounts, users, and hosts to specify who and what will be able to be accessed on a
specific cache server.
Note! Any changes made on the Accounts, Users, and Hosts tab affect the
Permissions tab and must be saved before the Permissions tab can be accessed.
Using your mouse, highlight the combination of accounts, users, and hosts that you
want to set up for the cache server. Click the button to add your selections to the
Permissions list. To remove any combinations from the list check the Select?
checkbox and click the button. Once you are finished adding and removing entries
to the list click the button.
You can use Shift-Click and Ctrl-Click mouse gestures to select more than one item
from each list. For instance you can Ctrl-Click “Active_Directory” and “Solaris”, then
click “cacheuser” then click “123…” and Ctrl-click “23.45…”. Then when you click the
button it will add all combinations of the selected items to the list.
24.8 Cache Server Current Status
If you click the button you will see if the cache server is found/enabled and the
current values for the number of users, hosts, accounts and permissions.
24.9 Deleting a Cache Server
To delete a cache server go to Management > Cache Servers > Manage Cache
Servers. From the Listing tab select the cache server you want to delete. Click the
button.
24.10 Adding Cache Server Client Hosts
As an extra security precaution you have the option to specify the client host that the
cache users are using to access the cache server. To set up the client hosts go to
Management > Cache Servers > Manage Client Hosts. Click the button.
Enter the Network Address for the Client Host. If you want this host to be active
check the Enabled? button. Enter a Description. Click the button.
Once the Client Host is saved it will display in the Host listing on the Cache server
Hosts tab.
24.11 Deleting Cache Server Client Hosts
To delete a Cache Server Client Host go to Management > Cache Servers >
Manage Client Hosts. Select the Host/Hosts that you want to delete from the
Network Addresses list. Click the button. Click the button once you have
finished deleting hosts to save the changes. When you delete a
host that had previously active cache users assigned to it these permissions will also
automatically be deleted from the cache server.
24.12 Cache Server Trusted Root Certificates
To add a certificate for a cache server go to Management > Cache Servers >
Manage Trusted Roots.
Click the button. Enter a Name and Description. You have the option of
uploading a certificate file or entering the certificate. Once you add the
certificate click the button. The certificate will now be available for
assignment on the Cache Server Root Certificates tab.
A Trusted Root Certificate will need to be added to the cache server if a user-supplied
certificate (see section 20.1.8) is used for a cache user.
To delete a certificate highlight the certificate in the Certificate Name list and click the
button, then click the button.
25.0 Managing TPAM CLI IDs (PSM Customers Only)
25.1 Adding a new CLI User
A CLI UserID is a special account used to access TPAM remotely via the CLI
(command line interface). TPAM CLI IDs may be defined to TPAM and used to access
passwords that may be stored and managed on a remote TPAM appliance.
To specify a new CLI user select Management > TPAM CLI IDs > Add TPAM CLI
ID from the menu. The CLI user page will be displayed:
• CLI UserName – Specify the CLI UserID on TPAM.
• TPAM Name – Enter a name to identify the TPAM hosting the CLI ID.
• TPAM Primary Address – Specify the IP address or FQDN of the primary
TPAM.
• TPAM Replica Address – Specify the IP address or FQDN of the replica
TPAM, if applicable. If the CLIRetrieve call gets an error when calling the
primary it will call the replica (if one is defined).
• DSS Key – Paste the entire contents of the DSS key file into this field.
Note: this is the private key that is downloaded from TPAM when the CLI
user is defined.
25.2 Modifying CLI Users
To make changes to any CLI User ID, select Management > TPAM CLI IDs >
Manage TPAM CLI IDs from the menu. Enter your search criteria in the Filter tab
and click the Listing tab. Select the ID you want to manage.
Existing CLI UserIDs may be updated and deleted. Using the button, the CLI
account can be tested for troubleshooting purposes.
26.0 Quest One Privileged Command Manager (PSM Customers Licensed for PCM Only)
Using PCM you have the capability to specify by account what commands a user can
execute during a session.
Here is an overview of the steps required to fully deploy Privileged Command Management:
Step 1: Go to Management > Command Management and set up commands and proxy
types for each command and/or add your own custom commands. (Described in Section
26.0)
Step 2: With the introduction of Access Policies in v2.4 you need to create Access
Policies for the commands that you want executed. In a single Access Policy you can allow
multiple commands. See section 10.1 on configuring Access Policies.
Step 3: Once the Access Policies have been created you can assign them to Users
and Groups for Systems, Accounts, and Collections.
When the user requests a session for a specific account the Access policy will control what
commands can be executed during that session.
26.1 Adding a Command
In addition to adding your own, PCM comes with a default set of commands that
you can choose from. You have the option of editing the default commands. To add a
command select Management > Command Management from the main menu.
You will see a list of the default commands available with PCM. The proxy types for
these commands will be appropriately checked.
Note! Adding or editing a default command requires the purchase of a PCM
license. Contact your salesperson for more information.
To add a new command click the button.
• Enter the Command Name.
• Enter the Command Text.
• Enter the Working Directory.
• Enter a Description for the Command.
26.2 Setting the Proxy Type
For each new command you must select the Proxy types that are able to run the
command by selecting the Proxy Types tab. Check the Selected box next to each
Proxy Type that you want to be able to issue this command. Click the button to
save the command.
26.3 Editing a Command
To edit an existing command (custom or default) select the command from the Listing
and click the Details tab. Make your changes and click the button.
26.4 Duplicating a Command
We have given you the ability to duplicate a command for ease of creating commands
that are very similar to one another. From the Command Listing tab, select the
command you want to duplicate and click the button. The proxy types of the
command you duplicated will be inherited by this new command, so adjust them
accordingly.
You will be taken to the Details tab where you can edit anything about the command
you are duplicating before saving it.
26.5 Deleting a Command
To delete a command select the command from the Listing tab and click the button.
If you delete a command that has a pending or
active/approved session request the user will not be able to conduct the session when
they try and connect.
27.0 Connection Profiles (PSM Customers Only)
Connection profiles allow for overriding the default connection parameters when connecting
to a session. These new connection profiles can be modified by the Administrator to specify
other connection settings for mainframe connections. To add a connection profile select
Management > Profile Management from the main menu. Select PSM Connection
from the Profile Type: list. Click the button to add a profile.
Select a Proxy Type from the list. Enter a Profile Name. Enter a Description for your
custom connection profile.
Enter an Alternate Port for the connection. Depending on the proxy type chosen there
may also be other fields to complete such as Custom Command, Post-Auth Control
Character, and Post-Auth Command. Click the button.
27.1 Deleting a Connection Profile
To delete a connection profile select it from the Connection Profiles list and click the
button. You will not be able to delete a profile if it is currently
associated with an account. You must go to the PSM Details General tab for each
account associated to the profile and remove the association. See section 16.11.4 for
details.
28.0 Post Session Processing Profiles (PSM Customers Only)
You can add Post Session Processing profiles to trigger specific events after a session
request has expired. For Post Session Profiles to take effect your System Administrator must
have enabled the Post Session Processing Agent in the paradmin interface. To add a post
session profile select Management > Profile Management from the main menu. Select
Post Session Processing from the Profile Type: list. Click the button to add a profile.
Enter a Profile Name. Enter a Description.
To force a check on ALL managed passwords on the requested system, check the Check
passwords of all Managed Accounts on the requested System? checkbox. Passwords
will only be changed if a mismatch is found and the account has the “reset on mismatch”
flag set.
To force a change on the requested account, regardless of proxy type used, check the
Force password change on requested account? checkbox.
Checking the Send an email to the Primary Contact on the System? checkbox will send
an email to the primary contact at the end of the session request.
You can use the Other E-Mail Notification field to enter multiple email addresses to notify
at the end of the session request, if you have the Send email to Primary box checked.
Click the button.
28.1 Deleting a Post Session Processing Profile
To delete a post session profile select it from the Post Session Processing Profiles list
and click the button. You will not be able to delete a profile if it is
currently associated with an account. You must go to the PSM Details General tab
for each account associated to the profile and remove the association. See section
16.11.4 for details.
29.0 DPAs
You have the option to purchase additional Distributed Processing Appliances (DPAs) to
increase your ability to run concurrent sessions (PSM Customers Only). Each additional DPA
supports 150 additional concurrent sessions. PSM performs simplistic load balancing by
sending the next session record or replay request to the active DPA with the most available
sessions remaining.
With DPA v3.0+ you can now assign a DPA to a system to optimize password checking and
changing. At the System level (on the Affinity tab) you can assign which DPA should
perform password checking and changing for all the Accounts on that System.
To configure and manage the DPAs select Management > DPAs from the main menu.
You will see the base TPAM appliance listed on the servers list with a Network Address of
localhost.
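The two placement rules just described (sessions go to the active DPA with the
most sessions remaining; password checking follows the system's Affinity
assignment and reverts to the local appliance when that DPA is gone) are
modelled below. This is an added Python illustration, not TPAM or DPA code; the
`dpa-…` names and the affinity table are constructed, and the lower bound of 1
on Max Sessions is an assumption (the manual states only the 150 ceiling).

```python
"""Added illustration (not TPAM code) of the DPA placement rule stated above
and of the system-level Affinity setting for password checking."""
from dataclasses import dataclass

MAX_SESSIONS_PER_DPA = 150     # ceiling given in the manual
LOCAL_APPLIANCE = "localhost"  # how the base TPAM appliance is listed


@dataclass
class Dpa:
    name: str
    active: bool
    max_sessions: int
    in_use: int = 0

    @property
    def available(self):
        """Sessions this DPA can still accept."""
        return self.max_sessions - self.in_use


def valid_max_sessions(n):
    """Max Sessions field: at most 150 (the lower bound of 1 is an assumption)."""
    return 1 <= n <= MAX_SESSIONS_PER_DPA


def pick_session_dpa(dpas):
    """Send the next session or replay request to the active DPA with the most
    sessions remaining; None means every active DPA is full."""
    candidates = [d for d in dpas if d.active and d.available > 0]
    return max(candidates, key=lambda d: d.available) if candidates else None


def password_worker(affinity, dpas, system):
    """Affinity tab: the DPA assigned to a system does its password checking
    and changing; a system whose DPA has been deleted (or was never assigned)
    reverts to the local appliance."""
    assigned = affinity.get(system)
    if assigned is not None and any(d.name == assigned for d in dpas):
        return assigned
    return LOCAL_APPLIANCE


if __name__ == "__main__":
    # Constructed fleet: one nearly full, one mostly idle, one inactive.
    fleet = [Dpa("dpa-a", True, 150, in_use=140),
             Dpa("dpa-b", True, 150, in_use=20),
             Dpa("dpa-c", False, 150)]
    print("next session ->", pick_session_dpa(fleet).name)
    print("db01 password work ->", password_worker({"db01": "dpa-a"}, fleet, "db01"))
```

Note that an inactive DPA is skipped for sessions even when it has capacity,
and that a DPA with zero sessions remaining is never chosen, so a fleet that is
entirely full returns `None` rather than overcommitting.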
29.1 Adding a DPA
To configure a new DPA (distributed processing appliance) click the button.
• Specify the DPA Name.
• Specify the Network Address. You must enter the IP address.
• Specify the Port.
• Specify the DNS Name.
• Enter the number of concurrent sessions you want this server to manage in
the Max Sessions field. The maximum number is 150. The number of max
sessions can be modified, if necessary, to meet specific performance
objectives.
• Enter any descriptive text desired for the server in the Description field.
• To make the new server active, check the Make Active? option.
• To automatically have the session logs from this server archived check the
Auto-Archive Session Logs? option.
• Specify the Archive Server that you use for the session log from the
Preferred Archive Server list.
• You also have the option of being able to replay sessions off the archive
server.
• Enter the Enroll String that will function as the key exchange with the DPA.
The Enroll string is provided by the DPA when you execute the Prepare to
enroll/re-enroll with TPAM option of the setup menu.
• Click the button to accept the configuration and save the server to the list
of DPA servers. If the DPA is active it will appear in the listing of servers on
the Affinity tab under Systems management. See section 15.5 Affinity Tab.
When the configuration of the DPA is complete, test the functionality by clicking the
button.
The button provides a way to reboot the DPA from the TPAM interface. The DPA
will only be rebooted if there are no active sessions running.
You can use the button to remove the DPA. Any systems that are assigned to the
DPA you delete will revert back to using the local appliance for those functions.
When a new DPA is added to a customer with the PSM module a PSM only system and
2 aliases are created (one for web access and one for ICA access). These systems can
be added to collections and granted permissions on but no accounts can be added or
removed. The system, aliases and accounts are all deleted when the DPA is deleted.
To view active sessions on the DPA go to Management > Session Mgmt >
Manage Sessions.
29.2 DPA Log Tab
This tab provides visibility to PSM related processes on the DPA that could be helpful
when troubleshooting.
30.0 Releasing Passwords
The release of passwords for managed system accounts that require dual control is a three
step process, with each step being performed by a separate TPAM user. This ensures the
security of the system account password, provides accountability, and provides dual control
over the managed accounts. The basic process is as follows:
• A password release is requested by an authorized requestor.
• The request for release is approved by the specified number of authorized
approvers.
• The password is displayed by the authorized requestor.
30.1 Request For Password Release
The requestor logs on to TPAM and selects Request Password > Add Request
from the menu. The password requests filter will be presented:
You have the ability to request multiple password releases at one time. To submit a new
request, enter your Filter criteria and click the Accounts tab. The systems and
accounts that meet your filter criteria will be displayed. Click the checkbox next to
each account you would like to request a password for and click the Details tab.
Note! If, through some Group or Collection assignment, the user has
multiple Access Policies granting a REQ permission they will see the account listed
multiple times on the Accounts listing tab. Each row will show the Access Policy,
Minimum Approvers, and Maximum Release Duration associated with it.
A requestor can return to the filter page when adding a password request without
canceling the add process. Click the button to terminate the request process.
Note! When requesting multiple passwords together, the request time and
release duration will be the same for all accounts requested.
The form is completed as follows:
30.1.1 Request Immediate:
Check the Request Immediate box if you want the password/s released
immediately. If this box is selected then the Date/Time Required fields will
be unavailable.
Alert! Beginning with Account-level permissions in v2.4, the process
of determining lists of Approvers and Reviewers has become much more
involved. As such when a request is issued the system reacts differently
based on whether the Request Immediate box is checked or not. When the
box is not checked, the new request is added to a queue which is processed in
the background, thus allowing the requests to save much more quickly. The
background process will determine if sufficient Approvers are available and
generate e-mails accordingly. If there are not enough Approvers for a given
request the Requestor will receive an e-mail informing them of this and that
particular request will be canceled.
When the Request Immediate box is checked these checks are handled as
part of the save process and the Requestor will receive feedback on each
request processed. For appliances which track large numbers of Systems,
Accounts, and Users this could cause a noticeable delay when saving.
30.1.2 Date/Time Required:
Requests can be made in advance for future release periods (this allows
scheduling password releases to coincide with scheduled maintenance, for
example) by completing the date and time fields.
Alert! If the Requester’s User ID has a local time zone
assigned, the date and time are expected to be entered in his or her
local time. The appliance will convert these values to server time as
the request is being saved.
30.1.3 Requested Duration:
The requested duration is the period of time that the password(s) will be
available for release. Once the request has been made, this “countdown” will
begin. Valid parameters for release durations are from 15 minutes to 7 days,
in 15 minute increments – however, the effective valid parameter for the
maximum allowable release request duration will be the value configured for
maximum release duration at the account level. When requesting passwords
for multiple accounts together, the Requested Duration will default to the
shortest "Maximum Duration" for all accounts listed on the request.
30.1.4 Reason Code:
If your System Administrator has decided to configure Reason Codes for your
environment, you will see them available in the list here. Reason codes give
you a quick way to submit a request without having to type in a detailed
reason. You may be required to enter a reason code, they may be optional or
they may be disabled.
30.1.5 Request Reason:
This is a free text area. Since this text will be visible to the Approver, it is
recommended that it be used to convey a brief explanation for the request.
The maximum allowed length of the text is 1000 characters. Prior to
v2.4 this was always a required field. Now in v2.4 your System Administrator
has the option to make this field required, optional, or not required.
30.1.6 Ticket System:
Based on how the Administrator or ISA has configured the Account, the
choice of a ticket system may be required before the request is processed.
You can request multiple passwords that have different ticket system
validation rules. Any boxes highlighted in red require a ticket system to be
selected.
30.1.7 Ticket Number:
Based on how the Administrator or ISA has configured the Account, a ticket
number may be required before the request is processed. The System
Administrator has the option to enter validation rules to validate the ticket
number you enter here against the ticket system referenced. If the ticket
number entered fails validation, then the request is automatically canceled
and you have the option to enter a different ticket number and submit a new
request. Any boxes highlighted in red require a ticket number to be selected.
30.1.8 Select Accounts
If you would like to add to the accounts you have selected for the password
request, PRIOR to clicking the button, click the button. This will take you back
to the filter tab to select more accounts. If you want to remove accounts from the
request, PRIOR to clicking the button, uncheck the box next to each account.
30.1.9 Submitting the Request:
Use the button to complete the request and send the notification to the approvers
(if so configured). If you want to add additional accounts to the request after you
have saved it you can. To add more accounts pull up the original password request
using the Password Request Management filter. Click the button. This will take you
back to the filter tab so that you can select additional accounts to add to the
request. You will be able to add accounts to the request up until 15 minutes
from the original expiration date/time for the request. It is possible that some
of the accounts on the request will be denied. Those that are denied will not
be released and those that are approved will be released.
If the password request does not require the approval of another person (it
will be auto-approved), the Password tab will become enabled. To view
the password click the Password tab.
Once the request is successfully submitted but not yet approved, the user can
click the Details tab again to update the status of the request.
30.1.10 Potential Request Conflicts
If you submit a password request on an account that has a request that has
already been approved for the release duration you have requested you will
be able to submit your request, but it will automatically be canceled because
of the conflict. You will be able to click the Approvers tab to see who is
eligible to approve requests for this account so that you can contact them if
your request needs to take priority over the existing approved request on this
account.
To be able to submit your request you must change the Date/Time of your
request and the release duration to be outside the window of the existing
release.
If more than one password request is submitted for the same time period on
the same account it is up to the Approver/s to decide which request to
approve and which requests to deny.
Alert! The exceptions to this are if you are a Privileged Access
User requesting a password for an account that has more than 1 PAC
simultaneous password release allowed or if Override Individual
Accountability has been checked for this account.
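The request rules from 30.1.3, 30.1.9 and 30.1.10 (15-minute to 7-day durations
in 15-minute steps capped by the account's Maximum Duration, the shortest
maximum as the default on a multi-account request, the 15-minute cutoff for
adding accounts, and the automatic cancellation of a request that overlaps an
already-approved release unless the PAC-simultaneous or Override Individual
Accountability exception applies) are encoded below. This is an added Python
illustration, not TPAM code; the `Account` and `Release` models, the sample
account names and the timestamps are constructed for the example, and
`minimum_approvers == 0` standing for an auto-approved request is an assumption.

```python
"""Added illustration (not TPAM code) of the password-request rules in
sections 30.1.3, 30.1.9 and 30.1.10: duration limits, the per-account cap,
the add-accounts cutoff and the conflict check against approved releases."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_DURATION = timedelta(minutes=15)
MAX_DURATION = timedelta(days=7)
INCREMENT = timedelta(minutes=15)
ADD_ACCOUNTS_CUTOFF = timedelta(minutes=15)


@dataclass
class Account:
    name: str
    max_release: timedelta                 # account-level Maximum Duration
    pac_simultaneous_releases: int = 1     # PAC simultaneous releases allowed
    override_individual_accountability: bool = False
    minimum_approvers: int = 1             # 0 = auto-approved (assumption)


@dataclass
class Release:
    account: str
    start: datetime
    duration: timedelta

    @property
    def end(self):
        return self.start + self.duration


def default_duration(accounts):
    """Multi-account request: default to the shortest Maximum Duration."""
    return min(a.max_release for a in accounts)


def validate_duration(requested, accounts):
    """Return None when the duration is acceptable, else the reason it is not."""
    if requested < MIN_DURATION or requested > MAX_DURATION:
        return "duration must be between 15 minutes and 7 days"
    if requested % INCREMENT:            # non-zero remainder: not a 15 minute step
        return "duration must be a multiple of 15 minutes"
    cap = default_duration(accounts)
    if requested > cap:
        return f"duration exceeds the account maximum of {cap}"
    return None


def overlaps(a, b):
    """Half-open interval test: two releases conflict if their windows intersect."""
    return a.start < b.end and b.start < a.end


def conflict_check(new, approved, account, requestor_is_pac=False):
    """Auto-cancel a request that overlaps an approved release on the same
    account, unless one of the two exceptions in 30.1.10 applies."""
    live = [r for r in approved if r.account == new.account and overlaps(new, r)]
    if not live or account.override_individual_accountability:
        return "ok"
    if requestor_is_pac and len(live) < account.pac_simultaneous_releases:
        return "ok"
    return "canceled: conflicts with an approved release"


def can_add_accounts(now, request_end):
    """Accounts may be added until 15 minutes before the request's expiration."""
    return now <= request_end - ADD_ACCOUNTS_CUTOFF


def request_state(approvals, account):
    """Dual control: released only once the configured approvers have approved."""
    return "approved" if approvals >= account.minimum_approvers else "pending"


if __name__ == "__main__":
    t0 = datetime(2011, 6, 1, 9, 0)                     # constructed timestamp
    acct = Account("root@db01", timedelta(hours=2))     # constructed account
    approved = [Release(acct.name, t0, timedelta(hours=1))]
    new = Release(acct.name, t0 + timedelta(minutes=30), timedelta(hours=1))
    print(validate_duration(new.duration, [acct]))
    print(conflict_check(new, approved, acct))
```

The overlap test is half-open, so a request that starts exactly when the
existing release ends is not a conflict, which matches the instruction to move
the Date/Time and duration outside the existing window.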
30.2 Password Request Responses Tab
Once you have submitted the password request the Password Request Responses
tab will be enabled. On this tab you will be able to see the logged responses of
anyone who has approved or denied each of your password requests. To see the
responses for each request, select that request on the Details tab and then click the
Responses tab.
30.3 Password Request Approvers Tab
Once you have submitted the password request the Password Request Approvers
tab will be enabled. If you click this tab you will see the list of all the users that can
approve your password. When you submitted your request all of these users were emailed to let them know a request must be approved. The number of people that
must approve your request is based on how your system administrator configured the
account when it was set up.
30.4 Password Request Password Tab
Once your password request has been approved you will receive an email notification
and the Password tab will be enabled. On this tab you will be able to see the current
password for the account. The password will be displayed for a maximum of 20
seconds. The password can be displayed by the requestor as often as necessary
during the release duration period.
Password Changes During Release Window
While a requestor has an active release duration window, there are three possible
circumstances that could cause the password to be changed by PPM during that time.
• The configured Default Change Setting for the account occurs during the
release window. For example, if the password is to be changed every 30 days
– and this time occurs while a requestor has an open password release the
password will be changed.
• The ISA post-release reset interval has occurred. In this case, an ISA may
have recently retrieved the password and it is being reset because the
configured interval for that action has expired.
• The ISA or the Administrator has forced a reset of the password.
30.5 Managing Password Requests
Once you have submitted your password requests to check on the status of these
requests select Request > Password > Manage Requests from the main menu.
Enter the filter criteria for the request you want to check on. Note that you can filter
your results using the Request Status list as shown below.
Once you have entered your filter criteria click the Listing tab.
In v2.4 we added a Reason Code filter parameter.
Select the request you want to manage and then click the other tabs to see the latest
information on the request.
30.6 Canceling a Password Request
To cancel a password request before it is approved select Request > Password >
Manage Requests from the main menu.
172
QUEST
Enter the filter criteria for the request you want to cancel and click the Listing tab.
Select the request on the Listing tab and click the Details tab. On a request with
multiple accounts check the box in the Apply Reason column for the requests you
want to cancel. Enter the Cancel/Expire Reason and click the
button.
30.7 Expiring a Password Release Request
If a password has been used and it is certain that it will no longer be needed, the
requestor can expire the password release request to immediately end the release
duration period. Expiring the release accomplishes several key things:
• The password will no longer be able to be displayed by the requestor.
• The password for this system/account will be available to other requestors.
• The password will be immediately queued for an automatic change (if the password is auto-managed and set to change after any release).
To expire a password select Request → Password → Manage Requests from the main menu.
Enter the filter criteria for the request you want to expire. Select the request you want to expire from the Listing tab. On the Details tab enter the Cancel/Expire Reason and click the button to expire the release. For a request that has multiple passwords on it you can check the Apply Reason checkbox to apply the expiration reason to more than one password.
31.0 Approving Password Requests
31.1 Password Request Filter Tab
When a password request has been properly submitted, the associated approver(s)
will be notified via email of the pending request. The approver logs on to TPAM and
selects Review → Password Request from the menu.
You have the ability to approve multiple password requests at one time. To approve
requests, enter your Filter criteria and click the Listing tab. The requests that meet your filter criteria will be displayed.
From the list of release requests pending approval, the approver selects the desired
request by clicking the row, and then clicks the Details tab. If the request you
selected was part of a multiple request submission then you will also see all the other
pending requests that you are eligible to approve that were part of this multiple
request.
31.1.1 Approve/Deny Request
You must enter an approval reason or deny reason in the Request Response field. Check the box in the Apply All column for each RequestID that the Response reason should apply to. To approve the request(s), click the approve button at the bottom of the form; to deny the request(s), click the deny button. If approved, the password(s) will be available to the requestor during the release duration specified in the request.
Ticket Revalidation
If the required Ticket System for this account has “provisional validation enabled” in the paradmin interface, and the Ticket System is not available for validation at the time the requestor submits the request, you will see a note to that effect on the Request Details tab.
You have the option of:
• Approving/Denying the request without trying to revalidate the ticket
• Clicking the revalidate button before approving/denying the request.
If you try to revalidate the ticket and the Ticket System is now enabled, and the ticket fails validation, then the request will automatically be denied and a pop-up window will inform you of this.
31.2 Password Request Responses Tab
To see a log of all the comments regarding the approval or rejection by yourself or
other approvers highlight the specific Request ID row and click the Responses tab.
On this tab you will be able to see the logged responses of anyone who has approved
or denied the password request.
31.3 Password Request Approvers Tab
The Password Request Approvers tab will display a list of all the users eligible to
approve the highlighted password request.
31.4 Password Request Conflicts Tab
Before approving a request you should click the Conflicts tab to see if there are any requests that are in conflict with one another. An example of a conflict is two requestors requesting a password on the same account for the same release window. In this case the approver must decide which request to approve.
32.0 Retrieving Passwords
If you have Password ISA permissions on an account you will be able to retrieve the password without requiring any approvals.
To quickly retrieve a password go to Retrieve → Retrieve Password. Once you enter your filter criteria click the Listing tab.
Select the account from the Listing tab. Click the Passwords tab. Enter the Release
Reason and/or Reason Code. Enter a Ticket System and Ticket Number if they are
required. The ISA has the ability to retrieve a password on behalf of another individual
(Proxy Release For). Enter the person’s name when this scenario applies to the password
retrieval. This activity can be reported on in the Password Release Activity report.
Click the Password tab. The password will be displayed for 20 seconds.
To view past passwords, enter your criteria on the filter tab and click the Past Passwords tab to list the old passwords. Select the one you want to view and then click the Password tab.
33.0 Releasing Files
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the
same secure storage and retrieval controls for files. This functionality can be used for many
file types, but its intent is to securely store and control access to public/private key files and
certificates.
33.1 Request a File
Retrieving a stored file from TPAM is not procedurally different than retrieving a password. From the menu, select Request → File → Add Request to begin a new request. The file requests filter will be presented.
To submit a new request, enter your Filter criteria and click the Files tab. The
systems and files that meet your filter criteria will be displayed.
Note! If, through some Group or Collection assignment, the user has
multiple Access Policies granting a REQ permission they will see the account listed
multiple times on the Accounts listing tab. Each row will show the Access Policy,
Minimum Approvers, and Maximum Duration associated with it.
Select the file you were looking for and click the Details tab.
The tab is completed as follows:
33.1.1 Status:
The status field will let you know the current status of the request as it is
being processed. If it has not been approved yet, the status will be Approval
Required. Once the file request is approved the status will be Approved. If
the file does not require any approval the status will be Available.
33.1.2 Request Immediate:
Check the Request Immediate box if you want the file released immediately.
If this box is selected then the Date/Time Required and the Max Release
Duration fields will be unavailable.
Alert! Beginning with Account-level permissions in v2.4, the process of determining lists of Approvers and Reviewers has become much more involved. As such, when a request is issued the system reacts differently based on whether the Request Immediate box is checked or not. When the box is not checked, the new request is added to a queue which is processed in the background, thus allowing the requests to save much more quickly. The background process will determine if sufficient Approvers are available and generate e-mails accordingly. If there are not enough Approvers for a given request the Requestor will receive an e-mail informing them of this and that particular request will be canceled.
When the Request Immediate box is checked these checks are handled as part of the save process, and the Requestor will receive feedback on each request processed. For appliances that track large numbers of Systems, Accounts, and Users this could cause a noticeable delay when saving.
33.1.3 Date/Time Required:
Requests can be made in advance for future release periods (this allows scheduling file releases to coincide with scheduled maintenance, for example) by completing the date and time fields.
33.1.4 Max Release Duration:
The max release duration parameters limit the amount of time an approved
user may release the file.
33.1.5 Requested Duration:
The requested duration is the period of time that the file will be available for
release. Once the request has been made, this “countdown” will begin. Valid
parameters for release durations are from 15 minutes to 7 days, in 15 minute
increments – however, the effective valid parameter for the maximum
allowable release request duration will be the value configured for maximum
release duration at the file level.
33.1.6 Request Reason:
This is a free text area. Since this text will be available to the Approver, it is
recommended that it be used to convey a brief explanation for the request.
The maximum allowed length of the text is 1000 characters. This is a required
field.
33.1.7 Ticket System:
Based on how the System Administrator has configured ticket systems in the
paradmin interface the choice of ticket system may be required before the
request is processed.
33.1.8 Ticket Number:
Based on how the System Administrator has configured Ticket Systems in the
paradmin interface, a ticket number may be required before the request is
processed. The system administrator has the option to enter validation rules
to validate the ticket number you enter here against the ticket system
referenced. If the ticket number entered fails validation, then the request is
automatically canceled and you have the option to enter a different ticket
number and submit a new request.
33.1.9 Submitting the Request:
Use the submit button to complete the request and send the notification to the approvers (if so configured). Note: If an approved release request for the file is currently open (active), a new request for that time period will not be allowed. This is by design, to preserve the audit trail for file access and to ensure that only one individual may have the file at any given time.
If the file request does not require the approval of another person (it will be auto-approved), the Retrieve button will become enabled. To access the file click this button.
33.1.10 Potential Request Conflicts
If you submit a file request on a system that has a file request that has
already been approved for the release duration you have requested, you will
see a message in the feedback area of the screen alerting you of this.
To be able to submit your request you must change the Date/Time of your
request and the release duration to be outside the window of the existing
release.
If more than one file request is submitted for the same time period on the
same account it is up to the Approver/s to decide which request to approve
and which requests to deny.
33.2 File Request Response Tab
Once you have submitted the file request the File Request Responses tab will be
enabled. On this tab you will be able to see the logged responses of anyone who has
approved or denied your file request.
33.3 File Request Approvers Tab
Once you have submitted the file request the File Request Approvers tab will be
enabled. If you click this tab you will see the list of all the users who can approve
your request. When you submitted your request all of these users were e-mailed to
let them know there was a pending request to approve. The number of people that
must approve your request is based on how your system administrator configured the
file when it was set up.
33.4 Retrieving the Requested File
The only difference between a password release and a file release is the delivery.
Unlike a password that is displayed to the requestor, a file will be made available for
the requestor to Open or Save in the traditional download format.
Once the file request has been approved the Retrieve button will be enabled. Click the Retrieve button to access the file. This will open another window asking if you want to open or save the file.
33.5 Managing File Requests
Once you have submitted your file requests, you can check their status by selecting Request → File → Manage Requests from the main menu.
Enter the filter criteria for the request you want to manage. Note that you can filter
your results using the Request Status list as shown below.
Once you have entered your filter criteria click the Listing tab.
Select the request you want to manage and then click the other tabs to see the latest
information on this request.
33.6 Canceling a File Request
To cancel a file request before it is approved select Request → File → Manage Requests from the main menu.
Enter the filter criteria for the request you want to cancel and click the Listing tab.
Select the request on the Listing tab and click the Details tab. Enter the Cancellation Reason and click the button to cancel the request.
33.7 Duplicating a File Request
To save time you may duplicate an existing file request. To duplicate a file request select Request → File → Manage Requests from the main menu.
Enter the filter criteria for the request you want to duplicate. Select the request you want to duplicate from the Listing tab and click the duplicate button.
This will take you to the Details tab, where you will need to enter a Request Reason and click the submit button.
33.8 Expiring a File Request
If the requestor has accessed the file and no longer needs access to it, they can expire the file release request to immediately end the release duration period. Expiring the File Release accomplishes several key things:
• The file will no longer be accessible to the requestor.
• The file for this system will be available to other requestors.
Enter the filter criteria for the request you want to expire. Select the request you want to expire from the Listing tab. On the Details tab enter the Expiration Reason and click the button to expire the release.
34.0 Approving File Requests
34.1 File Request Filter Tab
When a file request has been properly submitted, the associated approver(s) will be notified via email of the pending request. The approver logs on to TPAM and selects Review → File Request from the menu.
Enter your filter criteria to find the pending file request you are looking for. Note that you can filter on the request status by using the Request Status list. Click the Listing tab once you have entered your filter criteria.
34.2 Select Release Request
From the list of file requests pending approval, the approver selects the desired
request by clicking the row, and then clicks the Details tab.
34.2.1 Approve/Deny Request
You must enter an approval reason or deny reason in the Request Response field. To approve the request, click the approve button at the bottom of the form; to reject the request, click the deny button. If approved, the file will be available to the requestor during the release duration specified in the request.
34.3 File Request Responses Tab
To see a log of all the comments regarding the approval or rejection by yourself or
other approvers click the Responses tab. On this tab you will be able to see the
logged responses of anyone who has approved or denied the file request.
34.4 File Request Approvers Tab
The File Request Approvers tab will display a list of all the users eligible to approve
the current file request.
34.5 File Request Conflicts Tab
Before approving a request you should click the Conflicts tab to see if there are any requests that are in conflict with one another. An example of a conflict is two requestors requesting the same file on a system for the same release window. In this case the approver must decide which request to approve.
35.0 Retrieving Files
If you have ISA permissions over a system you can retrieve a file without any other approvals. To quickly retrieve a file go to Retrieve → Retrieve File.
Select the file from the Listing tab. Click the Current File tab. Enter the Release Reason in the text box and click the button. You will be prompted to save the file or open it immediately for viewing.
36.0 Reviewing Password Releases
You have the ability to review Password Releases. The details on how to configure these
review requirements at the account level are covered in section 16.2. If there is a password
release pending your review you will receive an e-mail notification. To review password
releases select Review → Password Releases from the main menu.
Enter the filter criteria for the password release you want to review. Note that you have the option to filter by Review Status. A Password Release will only show up to be reviewed if it is set to require reviews at the account level, the requestor actually accessed the password, and the password request has expired.
Select the password release you want to review from the Listing tab and click the Details
tab.
36.1 Password Release Review Details Tab
If the password release you are reviewing was part of a multiple password request
you have the option of reviewing all of these password releases at one time. By
selecting each individual Request ID the Details tab will give you all the summary
information about each password release such as when the review needs to be
completed by, how many reviews are required, request expiration date, etc.
If provisional validation was enabled for the ticket system assigned to this account, you will see a note to that effect on the Details tab when reviewing the password release.
Enter your comments in the Review Comment text box. Check the Apply Review box for each review you want these comments applied to. You have the option to enter comments and save them before officially marking the password release as “Reviewed”. To do this click the corresponding button. This will add your comment to the Reviews tab, but the password review will not be flagged as complete. Every time you submit a comment for the release the Reviews Submitted field number will increase.
Once you are done entering comments and ready to mark the password release as reviewed, click the corresponding button. The password release will not be flagged as reviewed until this button has been clicked.
36.2 Password Release Responses Tab
The Responses tab gives visibility to the approval comments that were made by
anyone who approved this request and any comments the requestor made if they
expired the request early.
36.3 Password Release Reviews Tab
To see any comments entered by a reviewer click the Password Reviews tab.
36.4 Password Release Reviewers Tab
To see a list of other eligible “reviewers” for this password release click the
Reviewers tab.
37.0 Quest One Privileged Session Manager (PSM Customers Only)
Remote access to systems that require dual control is a three-step process, which provides accountability and dual control. The basic process is as follows:
• A system session is requested by an authorized requestor.
• The session request is approved by the specified number of authorized approvers (if dual control is enforced).
• The system session is accessed by the authorized requestor during the approved request time period.
37.1 Requesting a Session
Log onto TPAM and select Request → Session → Add Request from the menu.
You have the ability to request multiple session requests at one time. To submit a
new request, enter your Filter criteria and click the Accounts tab.
A requestor can return to the filter page when adding a session request without canceling the add process. Use the cancel button to terminate the request process.
A list of systems and user accounts for which the user is authorized to request sessions will be displayed. Click the checkbox next to each account you would like to request a session for and click the Details tab.
Note! If, through some Group or Collection assignment, the user has
multiple Access Policies granting a REQ permission they will see the account listed
multiple times on the Accounts listing tab. Each row will show the Access Policy,
Minimum Approvers, and Maximum Duration associated with it.
Accounts requiring approval (those configured for dual control) must be approved before you can start a session. Select the desired systems\accounts and click the Details tab to display the request page.
37.1.1 Request Immediate:
Check the Request Immediate box if you want the session to start
immediately. If this box is selected then the Date/Time Required field will
be unavailable.
Alert! Beginning with Account-level permissions in v2.4, the process of determining lists of Approvers and Reviewers has become much more involved. As such, when a request is issued the system reacts differently based on whether the Request Immediate box is checked or not. When the box is not checked, the new request is added to a queue which is processed in the background, thus allowing the requests to save much more quickly. The background process will determine if sufficient Approvers are available and generate e-mails accordingly. If there are not enough Approvers for a given request the Requestor will receive an e-mail informing them of this and that particular request will be canceled.
When the Request Immediate box is checked these checks are handled as part of the save process, and the Requestor will receive feedback on each request processed. For appliances that track large numbers of Systems, Accounts, and Users this could cause a noticeable delay when saving.
37.1.2 Date/Time Required:
Requests can be made in advance for future session periods (this allows
scheduling sessions to coincide with scheduled maintenance, for example) by
completing the date and time fields.
37.1.3 Requested Duration:
The requested duration is the period of time that the access to the remote system/s will be available. Once the session request has been submitted, this “countdown” will begin. This should be taken into consideration when selecting the request duration. If not approved quickly, the request duration available to the requestor could be considerably shorter than that specified. When expired, the session will no longer be available to the requestor. The session will not be terminated or interrupted, but once it has been closed the user will no longer be able to restart it. The default request duration is always 2 hours, but can be changed by the requestor. When making multiple session requests the Requested Duration cannot be more than the shortest "Maximum Duration" for all accounts listed on the session request. Also the “Maximum Duration” will never be longer than the “Max Session Duration” configured by the System Administrator in Global Settings.
Note! Once a session has started, if it exceeds the number of hours configured by the Sys Admin in the Global Settings it will be terminated.
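The duration rules from sections 33.1.5 and 37.1.3, modelled as an added example (this is not TPAM code): the 15-minute granularity and the 15-minute to 7-day bounds, the cap taken from the shortest account-level Maximum Duration and the global Max Session Duration, and the countdown that starts at submission rather than at approval. Function names, the application of the file-level bounds to session requests, and the sample times are assumptions.

```python
"""Release-duration rules from sections 33.1.5 and 37.1.3 (added example, not TPAM code).

Assumptions: the 15-minute step and the 15-minute to 7-day bounds stated for file
releases are applied to session requests as well; all names are illustrative.
"""
from datetime import datetime, timedelta

STEP = timedelta(minutes=15)            # durations are chosen in 15-minute increments
MIN_DURATION = timedelta(minutes=15)    # shortest allowed release duration
ABSOLUTE_MAX = timedelta(days=7)        # longest allowed before per-object caps apply
DEFAULT_SESSION = timedelta(hours=2)    # default session request duration (37.1.3)

# Constructed sample submission time used by the demo below.
SUBMITTED = datetime(2011, 5, 2, 9, 0)


def minutes(n):
    """Small helper so callers can write minutes(120) instead of timedelta(...)."""
    return timedelta(minutes=n)


def effective_max_duration(account_max_durations, global_max_session):
    """Longest duration a session request may ask for.

    For a multi-account request the cap is the shortest account-level
    "Maximum Duration", and no account cap can exceed the global
    "Max Session Duration" from Global Settings.
    """
    if not account_max_durations:
        raise ValueError("a request needs at least one account")
    capped = [min(d, global_max_session) for d in account_max_durations]
    return min(min(capped), ABSOLUTE_MAX)


def validate_requested_duration(requested, effective_max):
    """Return None when the duration is acceptable, otherwise a reason string."""
    if requested < MIN_DURATION:
        return "duration must be at least 15 minutes"
    if requested > ABSOLUTE_MAX:
        return "duration may not exceed 7 days"
    if requested % STEP:                  # timedelta % timedelta gives the remainder
        return "duration must be a multiple of 15 minutes"
    if requested > effective_max:
        return "duration exceeds the effective maximum of %s" % effective_max
    return None


def remaining_window(submitted_at, approved_at, requested):
    """Access time actually left once approval lands.

    The countdown starts at submission, so a slow approval eats into the
    requested duration; the result is zero when the window has already passed.
    """
    left = submitted_at + requested - approved_at
    return max(left, timedelta(0))


if __name__ == "__main__":
    # Two accounts capped at 4 h and 8 h, global Max Session Duration 6 h -> cap is 4 h.
    cap = effective_max_duration([minutes(240), minutes(480)], minutes(360))
    print("effective cap:", cap)
    print(validate_requested_duration(DEFAULT_SESSION, cap))
    print(validate_requested_duration(minutes(50), cap))
    # Approved 90 minutes after submission: only 30 minutes of a 2 h request remain.
    approved = SUBMITTED.replace(hour=10, minute=30)
    print("left after late approval:", remaining_window(SUBMITTED, approved, DEFAULT_SESSION))
```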
37.1.4 Reason Code:
If your System Administrator has decided to configure Reason Codes for your
environment, you will see them available in the list here. Reason codes give
you a quick way to submit a request without having to type in a detailed
reason. You may be required to enter a reason code, they may be optional or
they may be disabled.
37.1.5 Request Reason:
This is a free text area. Since this text will be visible to the Approver, it is
recommended that it be used to convey a brief explanation for the request.
Prior to v2.4 this was always a required field. Now in v2.4 your
System Administrator has the option to make this field required, optional, or
not required.
37.1.6 Ticket System:
Based on how the TPAM Administrator/ISA has configured ticket systems for
this account, the choice of ticket system may be required before the request
is processed. You can request multiple sessions for accounts that have
different ticket system validation rules. Any boxes highlighted in red require a
ticket system to be selected.
37.1.7 Ticket Number:
Based on how the TPAM Administrator/ISA has configured ticket systems for
this account, a ticket number may be required before the request is
processed. The system administrator has the option to enter validation rules
to validate the ticket number you enter here against the ticket system
referenced. If the ticket number entered fails validation, then the request is
automatically canceled and you have the option to enter a different ticket
number and submit a new request. Any boxes highlighted in red require a
ticket number to be entered.
37.1.8 Submitting the Request:
Use the submit button to complete the request and send the notification to the approvers (if so configured).
In the Request Details column there will be either Active/Approved or Pending Approval. Systems marked Active/Approved may be accessed immediately by selecting the system\account and clicking the corresponding button. Skip to section 39.1 Beginning the System Session.
If you want to add additional accounts to the request after you have saved it you can. To add more accounts pull up the original session request using the Session Request Management filter. Click the corresponding button. This will take you back to the filter tab so that you can select additional accounts to add to the request. You will be able to add accounts to the request up until 15 minutes from the original expiration date/time for the request.
Once the request is successfully submitted but not yet approved, the user can click the Details tab again to update the status of the request.
37.1.9 Potential Request Conflicts
If you submit a session request for an account that already has a request approved for the release duration you have requested, you will be able to submit your request, but it will automatically be canceled because of the conflict. You will be able to click the Approvers tab to see who is eligible to approve requests for this account so that you can contact them if your request needs to take priority over the existing approved request on this account. The exception to this is if you are a Privileged Access User requesting a session for an account that has more than 1 PAC simultaneous session release allowed.
To be able to submit your request you must change the Date/Time of your request and the release duration to be outside the window of the existing release.
If more than one password request is submitted for the same time period on the same account it is up to the Approver/s to decide which request to approve and which requests to deny.
Note! The exception to this rule is if the “Override Individual Accountability” flag has been set for this account.
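The conflict handling described in this section, in 33.1.10 and on the Conflicts tabs (31.4 and 34.5), modelled as an added example rather than TPAM code: a new request overlapping an approved window on the same account is auto-canceled unless the “Override Individual Accountability” flag or the Privileged Access User / PAC simultaneous-session exception applies, an overlap with only pending requests is left to the approvers, and a non-conflicting start is found by moving past the existing window. Class and field names, the outcome strings, the 15-minute rounding and the sample requests are assumptions.

```python
"""Request-conflict rules from sections 33.1.10, 37.1.9 and the Conflicts tabs
(added example, not TPAM code).

Assumptions: data classes, field names and outcome strings are illustrative;
rounding a suggested new start to 15 minutes is this example's choice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    name: str
    override_individual_accountability: bool = False   # flag noted in 37.1.9
    pac_simultaneous_sessions: int = 1                 # PAC simultaneous session releases allowed


@dataclass
class Request:
    request_id: int
    account: str
    start: datetime
    duration: timedelta
    status: str = "Pending Approval"                   # or "Active/Approved"

    @property
    def end(self):
        return self.start + self.duration

    def overlaps(self, other):
        """Same account and the two windows share at least an instant."""
        return (self.account == other.account
                and self.start < other.end and other.start < self.end)


def evaluate_new_request(new, existing, account, privileged_access_user=False):
    """Outcome for a freshly submitted session request.

    "accepted"                  no overlapping request on this account
    "accepted-shared"           overlap allowed by an account-level exception
    "pending-approver-decides"  overlaps only pending requests; approvers choose
    "auto-canceled"             overlaps an already approved request (37.1.9)
    """
    overlapping = [r for r in existing if r.overlaps(new)]
    if not overlapping:
        return "accepted"
    if account.override_individual_accountability:
        return "accepted-shared"
    if privileged_access_user and account.pac_simultaneous_sessions > 1:
        return "accepted-shared"
    if any(r.status == "Active/Approved" for r in overlapping):
        return "auto-canceled"
    return "pending-approver-decides"


def next_free_start(new, existing, step=timedelta(minutes=15)):
    """Earliest start at or after the requested one where the same duration fits.

    Mirrors the advice to move the Date/Time outside the existing release
    window. Each loop moves the candidate past the latest blocking window,
    so the search terminates.
    """
    candidate = Request(new.request_id, new.account, new.start, new.duration)
    while True:
        blockers = [r for r in existing if r.overlaps(candidate)]
        if not blockers:
            return candidate.start
        gap = max(r.end for r in blockers) - new.start
        steps = -(-gap // step)                        # ceiling division on timedeltas
        candidate.start = new.start + steps * step


# Constructed sample data: an approved 09:00-11:00 session and a pending
# 10:00-11:00 one on "svc-db"; the new request asks for 10:00-12:00.
T0 = datetime(2011, 5, 2, 9, 0)
APPROVED = Request(1, "svc-db", T0, timedelta(hours=2), status="Active/Approved")
PENDING = Request(2, "svc-db", T0.replace(hour=10), timedelta(hours=1))
NEW = Request(3, "svc-db", T0.replace(hour=10), timedelta(hours=2))

if __name__ == "__main__":
    acct = Account("svc-db")
    print(evaluate_new_request(NEW, [APPROVED], acct))   # auto-canceled
    print(evaluate_new_request(NEW, [PENDING], acct))    # pending-approver-decides
    print(next_free_start(NEW, [APPROVED]))              # 11:00 on the same day
```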
37.2 Session Request Responses Tab
Once you have submitted the session request/s the Session Request Responses tab
will be enabled. On this tab you will be able to see the logged responses of anyone
who has approved or denied your session request. To see the responses for each
request, select that request on the Details tab and then click the Responses tab.
37.3 Session Request Approvers Tab
Once you have submitted the session request the Session Request Approvers tab
will be enabled. If you click this tab you will see the list of all the users that can
approve your session. When you submitted your request all of these users were e-mailed to let them know a request must be approved. The number of people that
must approve your request is based on how your system administrator configured the
account when it was set up.
37.4 Connect Options Tab
The Connect Options tab will become enabled once you have saved your session
request. Connection options are dependent on your proxy type and if you have a DPA
configured.
You can uncheck the Use Default Connection Options to select different session
connection options from the lists below. In future releases of TPAM we will be adding
more Keyboard options and connect options for more proxy types.
• Select the Keyboard type you want to emulate during the session. Currently the only choices are US Keyboard, Swiss French, and French Keyboard.
• Experience changes default bandwidth performance behavior. For Experience you have a choice of default (only theming is enabled) or 56Kbps (modem).
• You can select Compression On or Off for the RDP data stream.
• You can turn Cache Bitmaps On (persistent bitmap caching), which generally improves performance and reduces network traffic at the cost of a slightly longer startup and some disk space.
• You can opt to send your Mouse Motion during the session or not. Not sending the mouse motion can save bandwidth, although some applications may rely on receiving mouse motion.
• Screen Updates can be sent as bitmaps or left at the default of higher level drawing operations.
• The Language you select sets the language (sometimes referred to as locale) on the target system for the PSM session being started. On most operating systems this will change things like the language used for system menus, alerts, & messages and default date, time, & numeric formats.
The connection options that you select will persist throughout the duration of your
session request, regardless of how many times you connect.
37.5 Managing Session Requests
Once you have submitted your session requests, you can check their status by selecting Request → Session → Manage Requests from the main menu.
Enter the filter criteria for the request you want to check on. Note that you can filter
your results using the Request Status list as shown below.
Once you have entered your filter criteria click the Listing tab.
Select the request you want to manage and then click the other tabs to see the latest
information on the request.
37.6 Canceling a Session Request
To cancel a session request before it is approved select Request → Session → Manage Requests from the main menu.
Enter the filter criteria for the request you want to cancel and click the Listing tab.
Select the request on the Listing tab and click the Details tab. Enter the Cancel/Expire Reason and click the button to cancel the request.
37.7 Expiring a Session Request
If a session has been used and it is certain that it will no longer be needed, the
requestor can expire the session request to immediately end the release duration
period. Expiring the session accomplishes several key things:
• The session will no longer be able to be accessed by the requestor.
• The session for this system/account will be available to other requestors.
To expire a session select Request → Session → Manage Requests from the main menu.
Enter the filter criteria for the request you want to expire. Select the request you want to expire from the Listing tab. On the Details tab enter the Cancel/Expire Reason and click the button to expire the request.
38.0 Approving/Denying System Session Requests (PSM Customers Only)
38.1 Session Requests Filter Tab
When a session request has been properly submitted, the associated approver(s) will be notified via email of the pending request. The approver logs in to TPAM and selects Review → Session Request from the menu. You have the ability to approve multiple session requests at one time.
Enter your filter criteria to find the pending request/s you are looking for. Note that you can filter on the request status by using the Request Status list. Click the Listing tab once you have entered your filter criteria.
38.2 Select Session Request
From the list of session requests pending approval, the approver selects the desired
request by clicking the row, and then clicks the Details tab. If the request you
selected was part of a multiple request submission then you will also see all the other
pending requests that you are eligible to approve that were part of this multiple
request.
38.2.1 Approve/Deny Request
Check the box in the Apply Reason column for the requests you want the
Response reason to apply to. You must enter an approval reason or deny
reason in the Request Response field. To approve the request use the
approve button at the bottom of the form. To reject the request click
the deny button. If approved, the ability to connect for a session
will be available to the requestor during the release duration specified in the
request.
Ticket Revalidation
If the required Ticket System for this account has “provisional validation
enabled” in the paradmin interface, and the Ticket System is not available for
validation at the time the requestor submits the request, you will see the
following note on the Request Details tab:
You have the option of:
• Approving/Denying the request without trying to revalidate the ticket
• Clicking the revalidation button before approving/denying the request.
If you revalidate the ticket and the Ticket System is now reachable but the
ticket fails validation, the request will automatically be denied and you will
see a pop-up window telling you so.
38.3 Session Request Responses Tab
To see a log of all the comments regarding the approval or rejection by yourself or
other approvers highlight the specific Request ID row and click the Responses tab.
On this tab you will be able to see the logged responses of anyone who has approved
or denied the session request.
38.4 Session Request Approvers Tab
The Session Request Approvers tab will display a list of all the users eligible to
approve the current session request.
38.5 Session Request Conflicts Tab
Before approving a request you should click the Conflicts tab to see if there are any
requests that are in conflict with one another. An example of a conflict is two
requestors requesting a session on the same account for the same release
window when that account only allows one active session at a time. In this case the
approver must decide which request to approve.
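As an added illustration (this code is not part of the TPAM manual or product), the following Python checks a set of pending requests for the kind of conflict described above: release windows that overlap on an account whose concurrency limit would be exceeded. The SessionRequest fields, the per-account limit map and the sample requests are assumptions made for the example, and it generalizes the manual's single-session case to any per-account limit.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionRequest:
    request_id: int
    system: str
    account: str
    start: datetime  # start of the requested release window (inclusive)
    end: datetime    # end of the release window (exclusive)


def windows_overlap(a, b):
    """Half-open overlap: a window that ends exactly when another begins does not conflict."""
    return a.start < b.end and b.start < a.end


def peak_concurrency(req, peers):
    """Largest number of sessions (req included) active at any instant inside req's window.
    Concurrency can only rise at a window start, so only those instants need checking."""
    instants = {req.start} | {p.start for p in peers if req.start < p.start < req.end}
    active = peers + [req]
    return max(sum(1 for s in active if s.start <= t < s.end) for t in instants)


def find_conflicts(requests, max_sessions=None):
    """Map request_id -> sorted ids of the requests it conflicts with.

    A request conflicts when its release window would push the account past its
    allowed number of concurrent sessions. max_sessions maps (system, account) to
    that limit; accounts not listed default to one active session, the case the
    manual describes."""
    max_sessions = max_sessions or {}
    by_account = {}
    for r in requests:
        by_account.setdefault((r.system, r.account), []).append(r)
    conflicts = {}
    for key, reqs in by_account.items():
        limit = max_sessions.get(key, 1)
        for r in reqs:
            peers = [o for o in reqs if o is not r and windows_overlap(r, o)]
            if peers and peak_concurrency(r, peers) > limit:
                conflicts[r.request_id] = sorted(o.request_id for o in peers)
    return conflicts


def sample_requests():
    """Constructed requests (not data from the manual): three for one account on db01,
    one for an unrelated account."""
    def at(hour):
        return datetime(2011, 3, 1, hour)
    return [
        SessionRequest(101, "db01", "root", at(10), at(12)),
        SessionRequest(102, "db01", "root", at(11), at(13)),   # overlaps 101 and 103
        SessionRequest(103, "db01", "root", at(12), at(14)),   # starts as 101 ends: no conflict with 101
        SessionRequest(104, "web01", "admin", at(10), at(12)),
    ]


if __name__ == "__main__":
    for rid, others in sorted(find_conflicts(sample_requests()).items()):
        print(f"request {rid} conflicts with {others}")
```

The half-open comparison matters: a window ending at 12:00 and one starting at 12:00 are not a conflict, which is what lets the approver grant back-to-back requests on a one-session account.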
38.6 Denying a Session Request after it has been Approved
Any eligible approver can deny a session request after it has already been approved
or auto-approved. If a live session is being conducted at the time you decide to deny
the request that session will automatically be terminated. The requestor will receive
an e-mail notifying them that you have denied their request.
To deny the request go to Review > Session Requests. Enter the filter criteria to
find the request you want to deny. Click the Details tab. Enter the reason you are
denying the request in the Request Response field. Click the button.
39.0 Starting a Remote Session (PSM Customers Only)
The requestor will select Request > Session > Manage Requests from the TPAM menu.
Enter the criteria for the session you want to start on the Filter tab and then click the
Listing tab.
Select the session you want to begin. In v2.3.765 we have added the ability to
select the window display size for your session (1024x768, 1280x1024, or
1280x768). Once you select your display size click the button.
Note! Your display size selection will not be saved, so each time you connect you will
have to reselect your window display size preference.
The remote session will be initiated in a new page. All activity performed by the remote user
will be logged and recorded. This button is only available for approved sessions which have
not expired.
Note! If your recording session reaches a size of 500 MB your session will be
automatically terminated.
39.1 Beginning The System Session
When a session begins, a new window will be opened and a few steps will occur,
some of which require user intervention:
• The Java environment will be initialized. This step can take up to a minute.
• A web certificate warning will appear. Click the button to continue. Before
doing so, confirm that the certificate presented is the one installed on your TPAM
appliance; accepting an unexpected certificate here would let an interposed host
read the session.
• TPAM will establish the connection to the remote system over a secure
channel.
A single left-click of the mouse will allow the session to the remote system to begin.
• The session presentation will begin. Depending upon the configuration for
session authentication for the system, one of several scenarios will occur:
  • The session will auto-logon using a predefined account and its password.
  • The logon will be presented by the system, but require the user to enter the
  password, which is supplied by TPAM (retrieved from PPM). See example below.
Note! Sessions to remote systems are also subject to the configuration of the
access method at the remote system. Example: if Windows RDP or Terminal Services
is the connection method then the configuration for disconnected session timeouts,
maximum connections, etc. will govern certain session behavior. In addition,
troubleshooting problems with connectivity to these systems should include
examining the configuration of the remote system.
Clipboard transfer between the RDP session and the desktop will be available if this
option was checked at the Account level on the PSM Details tab. You can use this
feature to Copy/Cut and Paste text between the Remote Session and the desktop.
When you are using SSH as the proxy type you can change the font size on the
window using Ctrl + right mouse click. On the VT Fonts window you can change the
Font Size.
39.2 File Transfer
You have the ability to upload files to the remote system and download a file from the
managed system during the session. To transfer a file click the File Transfer tab. In
order to be able to upload or download files during a session, the account must be
configured for this on the File Transfers sub tab under the PSM Details tab at the
account level. (See sections 16.11.14, 16.11.15 and 16.13.)
39.2.1 File Uploads
You have the ability to upload more than one file at the same time. The
Destination Directory will be based on how you configured it on the PSM
Details File Transfer tab for the account (see section 16.13). Click the
button to locate the file or directory you want to transfer.
Repeat this step for each file or directory you want to upload. As you select
these files and/or directories they will appear in the Selected Files list. To
remove a file that you may have selected by mistake use the remove buttons
as needed. Additionally, files and directories may be selected by simply
dragging and dropping them on the Selected Files list.
Alert! The upload process will overwrite any existing file(s) if
the user has the file system rights to do so. If the user does not have
sufficient rights to an existing file and they attempt to upload a file of
the same name the upload will fail.
If you selected the Same as Session Authentication option on the PSM Details File
Transfer tab the screen will look like the example below:
If you selected the Specify at File Transfer Time option on the PSM Details File
Transfer tab you will be required to enter the Account Name and Account
Password before you can transfer the file.
Click the button to start the transfer process. Once the transfer is
complete you will get a successful or unsuccessful message in the box at the bottom
of the page.
39.2.2 File Downloads
You have the ability to download files from the managed system to a local
directory. In the Download File Name field enter the fully qualified name of
the file you wish to download. Once you have entered the file name click the
button. Once the transfer is complete you will get a successful
or unsuccessful message in the box at the bottom of the page.
If you selected the Specify at File Transfer Time option on the PSM Details
File Transfer tab you will be required to enter the Account Name and
Account Password before you can download the file.
40.0 Reviewing Sessions (PSM Customers Only)
A user has the ability to configure Review Requirements for sessions on particular accounts.
The details on how to configure these review requirements are documented in Section 16.14
PSM Review Requirements tab. If you are designated as a “reviewer” for a session and there
is a session that is pending review you will receive an e-mail notification.
To review the session, select Review > PSM Session from the menu.
Enter the filter criteria for the session you want to review. Note that you have the option
to filter by Review Status.
Select the session you want to review from the Listing tab and click the Details tab.
40.1 Session Review Details Tab
If the session you are reviewing was part of a multiple session request you have the
option of reviewing all of these sessions at one time. By selecting each individual
Request ID the Details tab will give you all the summary information about each
session such as when the review needs to be completed by, how many reviews are
required, start and end date of the session, etc.
If provisional validation was enabled for the ticket system assigned to this account,
when reviewing the session request you will see the following note on the Details
tab:
Enter your comments in the Review Comment text box. Check the Apply Review
box for each review you want these comments applied to. You have the option to
enter comments and save them before officially marking the session as “Reviewed”.
To do this click the button. This will add your comment to
the Reviews tab, but the session review will not be flagged as complete. Every time
you submit a comment for the session the Reviews Submitted field number will
increase.
Once you are done entering comments and ready to mark the session as reviewed
click the button. The session will not be flagged as
reviewed until this button has been clicked.
Note! You will not be permitted to “Complete the Review” unless you have
replayed at least one of the session logs from each session request.
40.2 Session Review Responses Tab
The Responses tab gives visibility to the approval comments that were made by anyone
who approved this request and any comments the requestor made if they expired the
request early.
40.3 Session Logs Tab
To play back the session you need to review click the Session Logs tab.
Select the session from the list and click the button to play
back the session. If a File Transfer took place during the session you will see the
number of files transferred in the File Transfers column of the Session Log tab. For
more details on replaying a session see section 41.1 Replaying a Session Log.
To view details about the file transfer click the session and then click the File
Transfers tab.
40.4 Reviews Tab
To see any comments entered by a reviewer click the Session Reviews tab.
40.5 Reviewers Tab
To see a list of other users eligible to “review” the session click the Reviewers tab.
40.6 Comments Tab
Users that have “review” permissions on the system as well as the requestor for
a session have the ability to enter comments regarding the session. These comments
do not flag a session as being reviewed, but may be informative to the user assigned
to formally reviewing the session. To enter session comments, first click on the
Session Logs tab, select the session log you want to comment on and then click the
Comments tab.
Enter your comments into the New Comment box and click the button.
The comments will be placed in a list above the New Comment box.
40.7 File Transfers Tab
If a file was transferred during the session you are reviewing you can view
information about that file by selecting a session from the Session Logs tab and
then clicking on the File Transfers tab.
41.0 Session Management (PSM Customers Only)
The session management menu provides access to session logs and the ability to playback
previous sessions to systems. This answers the critical question “what did they do” with
respect to auditing access to privileged accounts. All user actions, whether performed via
keyboard or mouse are recorded.
41.1 Replaying a Session Log
Select Management > Session Mgmt > Session Logs from the menu.
Use the filter criteria to limit the list of session logs to those desired. From the
Listing tab select the desired session to replay and click the button.
Note! If the session log is stored on an archive server there may be a delay
while TPAM retrieves the log from its remote storage location.
The remote access session will be displayed and played back in real time. The
playback session may be paused and resumed, moved ahead or back at increased
speed, or continuously played at various speeds.
41.1.1 Using the session playback controls
To manipulate the playback of a session, the controls at the bottom of the
session replay window allow the speed of the playback to be changed, ranging
from ½ normal speed to 16 times normal speed. Replay may be paused at
any point.
The session playback toolbar contains both session information and playback
controls:
• Session system – The name of the remote system to which the session
was established.
• Session UserID – The name of the remote account used to access the
system during the session.
• Slider control – Displays the current position of playback, and when the
session is paused allows a new position to be selected. To reposition
session replay, pause the session and position the slider control to the
desired spot. Resume playback using the pause control. The session
playback will move at maximum speed to the desired playback position.
Note! The session time position is based on network packet timestamps.
This means that the playback control slider may appear to move in an uneven
fashion depending on the ‘data density’ of each packet, especially for very
short recorded sessions. If for some period time there is a minimal amount of
activity followed by a flurry of dialog box openings and keystroke input, this
would cause the uneven control slider movement. Longer session files tend to
provide a smoother control slider movement.
• Session time position – Shows the time position being displayed in relation
to the session length: current position / total session time.
• Pause control – When green the session is playing. When red the session
is paused. To pause or resume playback simply click the control.
• Loop button – Selecting this button will set the session to replay over and
over.
• .5x – The session will be played at ½ normal speed.
• 1x – The session will be played at normal speed (real time).
• 2x – The session will be played at 2 times normal speed.
• 4x – The session will be played at 4 times normal speed.
• 8x – The session will be played at 8 times normal speed.
• 16x – The session will be played at 16 times normal speed.
If a file was transferred during the session you are replaying you can view
information about that file on the File Transfers tab.
41.2 Resetting Statistics for a Session
To replay and archive sessions that previously did not have an end date calculated,
select the session from the Listing tab and click the button. See the example below:
41.3 Monitoring a Live Session
You have the ability to monitor a session as it is being recorded. The user running the
session has no indication that their session is being watched. To monitor a live
session select Management > Session Mgmt > Session Logs from the menu. Use
the filter criteria to limit the list of session logs to those desired.
Any live sessions will display Connected in the Status column. Select the session
you want to view and click the button. Any user that has
permission to playback a session log has permission to monitor a session for that
account.
You can also monitor a session by going to Management > Session Mgmt >
Manage Sessions to see a list of all active sessions.
41.4 Viewing Active Sessions
To view all active sessions select Management > Session Mgmt > Manage
Sessions from the main menu.
41.4.1 User Details Tab
To view details about the user running the active session, select the active
session and click the User Details tab.
41.4.2 Monitors tab
If anyone is monitoring the session you have selected the Monitors tab will
be enabled. By clicking on this tab you can see all the people monitoring this
live session.
41.5 Terminating Active Sessions
An administrator user has the ability to terminate (kill) active sessions. To do this,
select Management > Session Mgmt > Manage Sessions from the menu. A list
of current active sessions will be displayed. Enter your search criteria into the Filter
tab and click the Listing tab.
To use the auto-refresh option check the box and enter the number of minutes you
would like the screen refreshed.
To abruptly end an active session, select the session you want to end from the list
and click the button. Depending upon the connection type this
may either disconnect or terminate the user's session. Be aware that ending a session
in this manner could leave unfinished work on the remote system and even do
potential damage. This option should only be used in the proper circumstances. Note
also that unless the session request has expired or been cancelled, the user could
simply restart the session. To prevent that, expire or cancel the request, or have an
approver deny it (section 38.6), which also terminates any live session.
41.6 Archiving Session Logs
Session logs can be archived to external storage to ensure that physical resources on
the appliance are not exhausted. Select Management > Session Mgmt > Archive
Settings from the menu to access the archive configuration page.
Archival Settings can be configured to automatically move session logs from the TPAM
appliance to a specified archive server. The configuration options are:
41.6.1 Max Age in Days for session log archival (1-90)
This option specifies the maximum period of time that session logs will be
maintained on the appliance. Session logs older than the n value will be sent
to the archive server. Valid configuration is 1 to 90 days.
41.6.2 Max Age in days for session log deletion (1-999)
This value specifies that session logs will be permanently deleted when they
become older than y days. This setting is limited by the Session Request
Retention Period in global settings.
Alert! Session logs will be deleted regardless of their location –
whether stored on TPAM or on an archive server! If the value (y) to
delete session logs is less than the value (n) to archive session logs,
the logs will be deleted from the appliance without ever being sent to
an archive server.
41.6.3 Percentage full to trigger forced archival of oldest session logs (30-80)
This option allows an automated safety net to ensure that the hard disk
resources of the appliance are not filled to capacity. If the disk space reaches
x% of storage capacity a forced archive will occur to free disk space.
41.6.4 Send archival messages to
Messages regarding archival events can be sent from TPAM via email to a
specified address. Valid choices are: All, Failed, or None.
When the desired configuration of Archival Settings has been made, click the
button to accept it.
41.7 Configuring Archive Servers
Archive Servers must be pre-configured to receive the archived sessions from TPAM.
For a server to be eligible to receive the archives, it must present a Unix/Linux-style
file system over SSH. On a Windows server this can be accomplished by installing OpenSSH
or other UNIX emulation software that creates a directory structure containing /home;
there are readily available products that provide a Linux environment on Windows.
TPAM uses only DSS authentication to connect to archive servers and transfer
session logs. This requires a matched public/private key pair to exist between TPAM
and the archive server. The public key is located on the archive server, while TPAM
maintains the private key.
41.7.1 Adding an Archive Server
Select Management > Session Mgmt > Archive Servers from the menu
to access the archive configuration page. To configure a new archive server
for remote session log storage click the button.
• Specify the Server Name and Network Address (IP or FQDN).
• Specify the Port.
• You have the option to use one of the active System Std. Keys or to use a
System Specific Key. Download the DSS key from TPAM in either
OpenSSH or SECSH format by clicking the appropriate button. The public
key must be placed into the proper directory on the archive server. For
most systems this will be [user's home directory]/.ssh (create the
directory if it does not exist). The public key must also be specified as an
authorized authentication method for the functional account. A new DSS
key pair can be generated at any time (if for example it is felt that the
existing keys have been compromised). Clicking the
button will generate a new public/private key pair. The button
only regenerates the system specific key for the
selected archive server, so only that archive server will be affected.
• Specify the Account Name that will be used to authenticate to the
archive server, and within whose home directory the logs will be stored.
• Enter the Archive Server Path. Prior to TPAM 2.0 the path was hard
coded to ./egparch. It is assumed that old sessions that have already been
archived are stored in ./egparch. It is important to ensure that this
directory is owned by the functional ID, and that the functional ID has
proper permissions (700 on the directory and 600 on the log files within it;
a directory needs the execute bit to be entered, so 600 on the directory
itself would make it untraversable).
• Enter any descriptive text desired for the server in the Description field.
• To make the new server the default server, check the Make Default?
option. Only one archive server may be the default server at any given
time.
• Click the button to accept the configuration and save the
server to the list of archive servers.
For a more detailed instruction on creating the necessary directories,
authorizing the public key, etc., refer to the TPAM Client Setup Manual.
When the configuration of the archive server is complete, test the
functionality by clicking the
button for the selected server.
If the test is unsuccessful, use the information in the test output to review
these steps and troubleshoot the configuration.
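The steps above leave the archive-server side to the TPAM Client Setup Manual. The following added Python (not from either manual, and not product code) does that preparation for a Unix/Linux functional account: it converts a key downloaded in SECSH (RFC 4716) format to the single-line OpenSSH form that authorized_keys needs, installs it with the modes sshd's StrictModes insists on, creates the archive path with mode 0700, and reports anything that would block the transfer. The functional account's home directory, the dummy ssh-dss blob and the check messages are constructed for the example. One caveat the manual predates: OpenSSH 7.0 and later disable ssh-dss by default (and recent releases drop it entirely), so a current sshd on the archive server must re-enable it (PubkeyAcceptedAlgorithms +ssh-dss, or PubkeyAcceptedKeyTypes on releases before 8.5) before the Test button can succeed.

```python
import base64
import os
import stat
import struct
import tempfile

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"

def secsh_to_openssh(text):
    """Convert an RFC 4716 (SECSH) public key to the one-line OpenSSH form that
    authorized_keys expects. Both formats carry the same base64 key blob; OpenSSH
    prefixes it with the algorithm name, which is also the first string in the blob."""
    lines = text.strip().splitlines()
    if lines[0].strip() != SECSH_BEGIN:
        return text.strip()                       # already OpenSSH format
    body, comment, i = [], "", 1
    while i < len(lines) and lines[i].strip() != SECSH_END:
        line = lines[i]
        if ":" in line and not body:              # header line (base64 never contains ':')
            name, _, value = line.partition(":")
            while value.rstrip().endswith("\\"):  # header value continued on the next line
                i += 1
                value = value.rstrip()[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body))
    (name_len,) = struct.unpack(">I", blob[:4])
    algorithm = blob[4:4 + name_len].decode("ascii")
    line = f"{algorithm} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line

def install_key(home, key_text, archive_path="./egparch"):
    """Authorise the TPAM public key for the functional account and create its archive
    directory (relative to the home directory). Returns the archive directory path."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    auth = os.path.join(ssh_dir, "authorized_keys")
    key_line = secsh_to_openssh(key_text)
    existing = open(auth).read().splitlines() if os.path.exists(auth) else []
    if key_line not in existing:                  # safe to re-run
        with open(auth, "a") as f:
            f.write(key_line + "\n")
    os.chmod(auth, 0o600)
    target = os.path.normpath(os.path.join(home, archive_path))
    os.makedirs(target, exist_ok=True)
    os.chmod(target, 0o700)   # a directory needs the execute bit; 0o600 cannot be entered
    return target

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def check_archive_account(home, archive_path="./egparch"):
    """List what would stop sshd (StrictModes) or the log transfer; [] means ready."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    target = os.path.normpath(os.path.join(home, archive_path))
    if not os.path.isdir(ssh_dir) or _mode(ssh_dir) & 0o077:
        problems.append(".ssh must exist and be mode 0700")
    if not os.path.isfile(auth) or _mode(auth) & 0o077:
        problems.append("authorized_keys must exist and be mode 0600")
    else:
        with open(auth) as f:
            if not any(l.startswith("ssh-dss ") for l in f):
                problems.append("no ssh-dss key authorised (TPAM uses DSS only)")
    if not os.path.isdir(target):
        problems.append(f"archive directory {archive_path} is missing")
    elif _mode(target) & 0o700 != 0o700:
        problems.append(f"archive directory {archive_path} needs mode 0700, not 0600")
    return problems

def constructed_secsh_key():
    """SECSH-formatted text around a dummy ssh-dss blob. Constructed for this example;
    it is not a real key and authenticates nothing."""
    blob = struct.pack(">I", 7) + b"ssh-dss" + struct.pack(">I", 3) + b"\x01\x02\x03"
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join([SECSH_BEGIN, 'Comment: "tpam archive \\', 'key"', b64, SECSH_END])

def demo():
    """Run the procedure against a throw-away home directory and report the checks."""
    home = tempfile.mkdtemp(prefix="tpam-archive-")
    target = install_key(home, constructed_secsh_key())
    install_key(home, constructed_secsh_key())    # a second run must not duplicate the key
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        key_count = f.read().count("ssh-dss ")
    ready = check_archive_account(home)
    os.chmod(target, 0o600)                       # the mode the manual's text suggests
    return {"key_count": key_count, "ready": ready, "after_0600": check_archive_account(home)}

if __name__ == "__main__":
    print(demo())
```

Run check_archive_account() as the functional account after the manual's steps and before clicking the Test button; a non-empty list is the usual reason the test output shows an authentication or write failure.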
41.7.2 Archived Files Tab
Files stored on the archive server may be viewed by clicking the Archived
Files tab. Unlike the Session Logs menu option, which shows all logs
regardless of their storage location, only the logs stored on the specified
archive server will be displayed.
41.8 Archive Logs
To view the archive logs select Management > Session Mgmt > Archive Log
from the main menu. Enter your search criteria on the Report Filter tab and then
click the Report tab to see the log results.
42.0 Reports
TPAM includes a number of pre-defined reports to aid in system administration, track
changes to objects, and provide a thorough audit trail for managed systems. All reports are
accessed via the Reports menu. The reports can be filtered by criteria that are specific to
each report type.
Note! Access to different reports is based on the user’s permissions. Only TPAM
Administrators and Auditors have access to all reports.
42.1 Report Time Zone Options
There are time zone filter parameters on most of the reports so that the user can
choose to view the report data in their local time zone or the server time zone. These
filter parameters will only be visible if the user is configured with a local time zone.
This filter affects not only the data reported but also the filter dates used to pull the
data.
For example, the server is at GMT time and the user is in Athens, Greece (GMT +2).
When the user enters a date range of 9/16/2009-9/17/2009 with the local time zone
option, the report will pull transactions that happened on the server between
9/15/2009 22:00 through 9/17/2009 21:59.
All reports that use the local time zone filter now have an extra column indicating the
GMT offset that was used to generate the report. This value will be either the current
GMT offset of the server or that of the user. This column also appears in reports
exported to Excel or CSV.
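The conversion described above is easy to get wrong by a day at either end, so here is an added Python example (not code from the manual or product) that turns a date range entered in the user's zone into the server-clock window the report must query, and applies it to some constructed rows. It uses fixed offsets exactly as the manual's example does (server at GMT, user at GMT+2); a production implementation should resolve the user's named zone so that daylight-saving changes are honoured.

```python
from datetime import date, datetime, time, timedelta, timezone


def report_window(first_day, last_day, user_offset_hours, server_offset_hours=0, local=True):
    """Return (start_inclusive, end_exclusive, offset_used) with both instants expressed
    on the server's clock. The date range was entered in the user's zone (local=True)
    or the server's (local=False); offset_used is what the report's extra column shows."""
    offset = user_offset_hours if local else server_offset_hours
    entered_tz = timezone(timedelta(hours=offset))
    server_tz = timezone(timedelta(hours=server_offset_hours))
    start = datetime.combine(first_day, time.min, tzinfo=entered_tz)
    end = datetime.combine(last_day + timedelta(days=1), time.min, tzinfo=entered_tz)
    # Naive datetimes on the server clock, so they compare directly with stored timestamps.
    return (start.astimezone(server_tz).replace(tzinfo=None),
            end.astimezone(server_tz).replace(tzinfo=None), offset)


def filter_rows(rows, first_day, last_day, user_offset_hours, server_offset_hours=0, local=True):
    """rows: (row_id, server_timestamp) pairs. Returns (matching ids, offset column value)."""
    start, end, offset = report_window(first_day, last_day, user_offset_hours,
                                       server_offset_hours, local)
    return [rid for rid, ts in rows if start <= ts < end], offset


def sample_rows():
    """Constructed activity rows stamped on a GMT server clock (not data from the manual)."""
    return [
        ("r1", datetime(2009, 9, 15, 21, 59)),  # still 9/15 in Athens
        ("r2", datetime(2009, 9, 15, 22, 0)),   # 00:00 on 9/16 in Athens
        ("r3", datetime(2009, 9, 16, 12, 0)),
        ("r4", datetime(2009, 9, 17, 21, 59)),  # last minute of 9/17 in Athens
        ("r5", datetime(2009, 9, 17, 22, 0)),   # already 9/18 in Athens
    ]


def demo():
    """The manual's scenario: server on GMT, user at GMT+2, range 9/16/2009-9/17/2009."""
    first, last = date(2009, 9, 16), date(2009, 9, 17)
    start, end, _ = report_window(first, last, 2)
    fmt = "%m/%d/%Y %H:%M"
    return {
        "server_window": (start.strftime(fmt), (end - timedelta(minutes=1)).strftime(fmt)),
        "local": filter_rows(sample_rows(), first, last, 2),
        "server": filter_rows(sample_rows(), first, last, 2, local=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The window is kept half-open (start inclusive, end exclusive) internally and only rendered as 21:59 for display; filtering on an inclusive 21:59 boundary would silently drop events stamped in the final minute.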
42.2 Report Layout Options
The user can select which columns they want to display on the report by clicking on
the Report Layout tab. Also the user can decide which column they want the report
sorted by clicking the radio button in the Sort Column.
Also note the Max Rows to Display list. This limits the number of rows that are
returned on the report even if there are more rows that meet this filter criteria.
42.3 Adjustable Column Widths
The user can adjust the column size of any column on a report by hovering their
mouse over the column edge and holding down the left mouse button and dragging
the mouse to adjust the column width.
42.4 Report Export Options
In addition to exporting the report to an Excel formatted file, the user can also export
the file in a CSV (comma separated value) file format.
Alert! If you expect your report results to be over 64,000 rows you
must use the CSV export option. The Export to Excel option will only export a
maximum of 64,000 rows!
42.5 Activity Report
The activity report contains a detailed history of all changes made to TPAM.
42.6 ISA User Activity
The ISA user activity report shows an audit-trail report containing detailed records of
all activities performed by users with ISA permissions.
42.7 Approver User Activity
The approver activity report shows an audit-trail report containing detailed records of
all activities performed by users with Approver permissions. If a user has both
requestor and approver activity this report will only show the approver activity.
42.8 Requestor User Activity
The requestor activity report shows an audit-trail report containing detailed records of
all activities performed by users with Requestor permissions. If a user has both
requestor and approver activity, this report will only show the requestor activity.
42.9 PSM Accounts Inventory (PSM Customers Only)
The PSM accounts inventory report will show a list of all accounts that are PSM
“enabled”.
42.10 Password Aging Inventory
The password inventory report will display a list of all managed systems, and all
accounts on those systems that are managed by PPM.
42.11 File Aging Inventory
Similar to the password inventory report, the file inventory report will display a list of
secure stored files and the systems for which they are managed.
42.12 Release-Reset Reconcile
The purpose of the Release-Reset Reconciliation report is to provide auditable
evidence that passwords have been reset appropriately after being released. The
report can be filtered by date or date range, and sorted by system name, RequestID,
or first release date.
42.13 User Entitlement
In v2.4 we merged the Password, EGP and File User Entitlement reports all into one
User Entitlement report, with additional filters. This report provides a mechanism to
review and audit individual users’ permissions for systems, accounts, commands and
files on an enterprise scale. Based upon selected filter criteria, the report will show
each user and their permissions to each system, whether based upon Collection,
Group, or individual assignment.
To reduce the size of the report for large organizations where numerous systems
belong to collections, use the filters provided such as “Show Only Effective
Permissions”.
Turning on the checkboxes or radio buttons for the options will have the following
effects on the report:
• Expand Collections to show all Systems, Accounts, & Files? When checked
the report will expand any retrieved Collection-level permissions to show all the
Systems, Accounts, and Files in the collection. Permissions are indicated as
being at the Collection level by the presence of the Collection Name as well as
the Permission Source column. When not checked only the Collection itself is
shown.
• Expand Groups to show all Users? When checked the report will expand any
retrieved Group to show all users within this group. Permissions are indicated as
being at the Group level by the presence of a Group name as well as the
Permission Source column. When not checked only the Group itself is shown.
• Expand Access Policies to show policy permissions details? When checked
this will expand the Access Policy for each row to show the Permission Type
(Password, Session, etc.) and Permission Name (Requestor, Approver, etc.) for
all detail rows for each Access Policy. When not checked only the Access Policy
Name is displayed.
• Show All Permissions When this radio button is selected the report will show all
possible policies for each assignee (User or Group) to each entity (System,
Account, File, or Collection) with the effective permission indicated.
• Show Only Effective Permissions When this radio button is selected the report
will show only the effective permission for each assignee to each entity.
Alert! If you select any of the Expand … options you must fill in at
least one of the text filters with a non-wildcard value. For very large data
sources the expansion of Collections, Groups, and/or Access Policies can
very easily create a report beyond the retrieval and display capabilities of a
web browser. For large datasets (10’s of thousands of accounts or
thousands of large collections to expand) it is recommended to rely on the
Data Extracts for unfiltered versions of the Entitlement Report.
42.14 Failed Logins
Failed login attempts to TPAM are recorded and these events are available for review
using the Failed Logins report.
Note! Data shown for failed logins may be up to 15 minutes old. The data for
the report is refreshed every 15 minutes.
42.15 Password Update Activity
The password update report shows an audit-trail report containing detailed records of
all password modifications to all systems managed by PPM.
42.16 Password Update Schedule
The password update schedule report will show all currently scheduled password
changes and the reason for the change – such as a change due to default change
settings or in response to a password release, etc.
42.17 Password Testing Activity
The password testing activity report shows the results of automated testing of each
managed account’s password.
42.18 Password Test Queue
The password test queue report will list all accounts currently queued for password
tests. This is a useful report to view when troubleshooting performance related
issues. A high number of queued password tests can impact system response time if
the check agent is running. This report does not provide a mechanism for exporting
data but does provide for deleting passwords from the test queue. So if there is
some known reason why a large group of password tests will fail such as a network
outage, that group can be filtered out in the report and then deleted. An alternative
would be to just stop the check agent.
42.19 Expired Passwords
This report allows you to report on currently expired passwords, or passwords that
are going to expire within a certain date range. You can also filter based on whether
the system/account has password management enabled or set to manual.
In v2.4 we added a Reason Code column to the report.
42.20 Passwords Currently In Use
This report defines “In Use” as passwords that:
• have been retrieved by the ISA/CLI/API and have not yet been reset
• have been requested and retrieved, but not yet reset
• have been manually reset from the Account Details or Password Management pages but
not yet reset by PPM
• have been manually entered on the Account Details page but not reset by PPM
• belong to an account created either from the TPAM interface or as a result of Batch
Import Accounts and assigned a password by the user (as opposed to allowing the
system to generate a random password)
Passwords manually changed prior to TPAM 2.1.711 will not show as IN USE.
42.21 Password Requests
This report allows you to view all password requests within a specified time period
and view details relating to the request. Selecting a row in the report, and clicking on
the Responses, Reviews and Releases tab will give you additional details on the
request.
In v2.4 we added a Reason Code column to the report.
42.22 Auto-Approved Releases
Password and stored file releases made by requestors that did not require dual-control
approval (auto-approved requests) may be reviewed in the Auto Approved Releases and
Auto Approved File Releases reports.
42.23 Password Release Activity
The password release activity report displays a history of password releases, based
upon filter criteria selected for the report. The reason text and ticket system
information is also provided in the report.
In v2.4 we added a Reason Code column to the report.
42.24 File Release Activity
The file release report is essentially identical to a password release report, but will
show the release activity associated with stored files.
In v2.4 we added a Reason Code column to the report.
42.25 Windows Domain Account Dependencies
This report shows which managed domain accounts have dependencies on other
systems.
42.26 Auto Approved Sessions (PSM Customers Only)
This report lists all sessions that were auto approved because the account had no
approvals required for session requests.
42.27 PSM Session Activity (PSM Customers Only)
This report shows the details on any sessions that occurred within a specified time
period or for a specific system/account.
In v2.4 we added a Reason Code column to the report.
42.28 PSM Session Requests (PSM Customers Only)
This report allows you to view all session requests within a specified time period and
view details relating to the request. Selecting a row in the report, and clicking on the
Responses, Reviews and Releases tab will give you additional details on the
request.
In v2.3.765 we added a “Reviews Required” column to this report. In
v2.4 we added a Reason Code column to the report.
43.0 Scheduled Reports
To see the scheduled reports options from the menu go to Reports > Scheduled Reports.
Alert! The upgrade to v2.4 will DISABLE all of the PSM, PPM, and File User
Entitlement Reports in the Scheduled Reports page. These reports are all very
resource intensive and with the new Account-level permissions are capable of
causing severe performance degradation for on-line users during the daily report
cycle. If you plan on using the information on a daily basis we strongly
recommend that you enable the reports one at a time and only generate the
versions that are needed. HTML output may be usable on smaller installations.
However it is very common for the reports to be over 1 million rows, and most
customers find that CSV files are more manageable.
43.1 Subscribing to Reports
Because TPAM automatically produces and stores batch reports, these reports are
available for subscription to administrator and auditor users. To subscribe to any of
these reports, select Reports > Scheduled Reports > Report Subscriptions from
the menu.
In v2.4 we added the System DPA Affinity Batch Report, to display Affinity
assignments for all systems.
Note! The start time for these reports is controlled by the Daily Maintenance
start time that is configured by the System Administrator in the paradmin interface.
Check the option box for each report desired, selecting either HTML or CSV format (or
both, if desired) and click the button. When the batch reports are created (generally at
00:30 hrs), the selected reports will be sent to each subscriber via email attachment.
You have the ability to disable specific batch reports (HTML, CSV, or both). Use the
list in the Status column to set your preference and click the button.
The settings you have saved in the Subscribed column will not be affected by what
you select in the Status column. If a report is disabled, then the subscribers will not
receive it until it is enabled again.
Report subscriptions are dependent upon the TPAM Mail Agent and a valid email
address for the subscribing user.
You have the option to add additional recipients to the Batch Reports. Select the
report you want to add recipients to and then click the Additional Recipients tab.
To add a recipient, enter the recipient's e-mail address. You can separate multiple
e-mail addresses with a comma. Select how you want the report sent from the list.
Click the button. To remove recipients from the batch report click the button. To
modify a recipient's e-mail address, make the change and click the button.
43.2 Browsing Stored Reports
All Batch reports are generated daily by TPAM and stored internally. These reports are
available for viewing by any administrator or auditor user. Stored reports are retained
for a period of time specified in the Online Batch Reports retention period of the
administrative Global Settings of TPAM (see TPAM Configuration and System
Administrator Manual).
To view the stored reports, select Reports > Scheduled Reports > Browse Stored
Reports from the menu.
Note! The date and timestamp on the stored reports is server time.
Note! Even if no one has subscribed to a report it will still be generated and stored in the
PARReports folder. Setting a report to HTML Only or CSV Only will generate and store only
that version of the report.
Select the desired date by clicking the hyperlink, formatted yyyymmdd. The individual
reports available for that date will be displayed in the browser window.
Each report is available in either HTML format or comma separated value (CSV)
format. Simply click the desired hyperlink for the report to view it.
You have the ability to resubmit a run of batch reports for a prior date. To resubmit a
batch report to run for a prior date log into the paradmin interface. Select System
Status/Setting > Resubmit Batch Reports from the menu.
Enter the date you want to run the reports for. Log back into TPAM and go to
Reports > Scheduled Reports > Browse Stored Reports to find the report you
resubmitted.
Now that batch reports can be resubmitted from the PARADMIN interface, the user may
see a much longer folder name for batch reports. When the batch is resubmitted the
directory name starts with the resubmit date followed by “_rundate_time”. So if the
10/1/07 reports were rerun on 11/13/07 at 1pm there would be a directory named
20071001_20071113_130000.
44.0 Data Extracts
Certain data may be extracted from TPAM and automatically transferred to a pre-configured
Archive Server (see the TPAM Configuration and Administration Manual for more information
on archive servers).
Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text
editor. Information that may be extracted includes lists of systems, accounts, users, etc.
and many logs of user activity and entitlement. The extracted files are compressed (ZIP file
format) and named with a date and time stamp.
Data extracts are configured much in the same way as TPAM system backups. The extracts
can be set to occur based upon various interval criteria, and the time the process runs may
also be specified.
To configure data extracts, select Reports > Scheduled Reports > Data Extract
Schedules from the main menu bar.
To configure an extract click one of the Schedule Names and click the Details tab.
44.1 Data Extract Details Tab
44.1.1 Schedule Name:
The schedule name can be changed and saved to whatever the user wants.
44.1.2 Enabled:
The Enabled option is used to turn on or off the automatic data extracts.
44.1.3 Zip Files:
If the Zip option is checked then the files that are extracted will be saved in a
zip file format.
44.1.4 Delimiter:
If you want the file formatted differently than tab delimited, enter the other
format type in this field.
44.1.5 Schedule Time:
To have the extract run daily, select this radio button and set the start time.
To have the extract run weekly, select this radio button and select the day of
the week and start time. To have the extract run monthly select this radio
button and select one of the day of the month options and the start time.
44.1.6 Transfer the data extract to this Archive Server:
The archive server to which the extract will be transferred is selected from a
drop-down list of available servers configured by the TPAM System
Administrator. Select the desired archive server.
44.1.7 Send / Results To:
Optionally specify an email address to receive extract results. Choices are: All
or Failed.
44.2 Data Extracts Data Set Tab
This tab is used to indicate which specific data sets will be extracted.
In v2.4 we added two new data extracts, Password Release Activity and Password
Update Activity.
44.2.1 Enabled:
Check the Enabled? box to select this data set as part of the scheduled
extract.
44.2.2 Column Headings:
Check the Column Headings? box if you would like the data extract file to
have column headings.
Click the button to save any changes to a scheduled data extract.
44.3 Data Extract Log Tab
The data extract log tab will display the logged results of each scheduled extraction.
You can use the Filter tab to narrow the results of your search, and then click the
Data Extract Log tab.
If you click the button the data extract will immediately initiate.
If you click the button all the history in the data extract log will be cleared. If a
specific Extract Schedule is selected then only log data for that job will be deleted;
otherwise all data extract log data will be deleted.
44.4 Data Extract Dataset Filenames
You can customize the file name for each data extract. Click the Dataset Filenames
tab and adjust the file names. You cannot specify different file names for different
schedules.
Put your cursor in the Filename field and rename the file to your specification. Click
the button.
Appendix A: TPAM Hardware Specifications
Feature/Spec | TPAM Standard / DPA | TPAM Enterprise | TPAM Resilient
Processor | 1 Quad-core Intel® Xeon® processor 3400 series | 2 Quad-Core Intel® Xeon® processor 5500 series | 1 Quad-Core Intel® Xeon® processor 3400 series
# Processors | 1 | 2 | 1
# Cores Per Processor | Quad | Quad | Quad
L2/L3 Cache | 8 MB | 8 MB | 8 MB
Chipset | Intel® 3420 chipset | Intel® 5520 | Intel® 3420
DIMMs | 4 DDR3 Unbuffered w/ECC, 1333/1066 MHz | 4+4 DDR3 Unbuffered w/ECC or Registered w/ECC, 1333/1066/800 MHz | DDR3, 6 R-DIMMs or 4 U-DIMMs
RAM | 2 GB Min | 4 GB Min | 2 GB Min
HD Bays | 2 x 3.5” or 2 x 2.5” | 4 x 3.5” | 4 x 3.5”
HD Types | Default SATA | SAS add-in controller | SATA/SAS/SSD
Internal HD Controller | Chipset based SATA | Chipset-based SATA | Intel® 3420, PERC S100 (Embedded SW RAID)
Disk | 250 GB SATA | 4 x 300 GB SAS | 2 x 500 GB
Availability | ECC Memory, TPM | Hot-swap HDD; Redundant PSU, Memory mirroring, TPM | ECC Memory, Hot-swap HDD; Redundant PSU, TPM
I/O Slots | 1 x PCIe x8 | 1 x PCIe x16 (True x16, Gen) full height, half length | 1 x PCIe x8
RAID | None | RAID10 | RAID 1 Mirrored
NIC/LOM | 2x GbE LOM | 2x GbE LOM | 2x GbE LOM
DRAC | iDRAC6 | iDRAC6 | iDRAC6
USB | 2 front/2 rear/2 internal | 2 front/2 rear/2 internal | 2 rear/2 front/2 internal
Power Supplies / Power details | Non-redundant, energy efficient 250W, Auto Ranging (100V~240V), ACPI compatible | Redundant, 500W, Auto Ranging (100V~240V), ACPI compliant | Redundant, 400W, Auto Ranging (100V~240V), ACPI compatible
Fans | 3 Non-redundant, non-hot swappable | 4 Non-redundant, non-hot-swappable | 3 Non-redundant, non-hot-swappable
Chassis | 1U rack | 1U Rack | 1U Rack
Dimension (HxWxD) | 42.6 x 431 x 393.7 mm (w/o ear and bezel); 1.67” x 17.1” x 15.5” | 43.0 x 434.0 x 627.1 mm (ear, w/o bezel); 1.69 x 17.09 x 24.69 in | 42.4 x 434.0 x 610 mm (w/o bezel); 1.67 x 17.10 x 24.00 in
Weight | Max. 17.76 lbs (8.058 kg) | Max. 62.61 lbs (28.4 kg) | Max. 33.02 lbs (15 kg)
Misc. | | Intrusion switch detects when cover is opened, simultaneous multi-threading, status LCD module | Intrusion switch detects when cover is opened, Hyper-threading (8 threads), 128x20 status LCD panel
Operating Temp | 10° to 35°C | 10° to 35°C | 10° to 35°C
Regulatory Certifications | Class A: Australia / N.Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL | Class A: Australia / N.Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL | Class A: Australia / N.Z. – AMCA or C-Tick; Canada – SCC, ICES; European Union – CE; Germany – TUV; United States – FCC, NRTL
Additional country certification information available upon request.
Appendix B: Platform Support Matrix
Privileged Session Manager Platform Support Matrix
[Matrix not recoverable from this copy: the check-mark cells were lost in extraction. Column headings present on the page: Supported Platform; Proxy Type; Telnet; x3270; x5250; VNC; VNC Enterprise; ICA Access; Web Browser; SSH; RDP; SQL Plus; SQL Window; Local Par Interactive; Remote PAR CLI; Logon Options; Automatic Password; Automatic DSS; DSS Key; DPA Required; Password Storage Method; Not Stored; Windows Domain Acct; Multiple Simultaneous Sessions (Yes/No). Platforms listed: AIX; FreeBSD; HP-UX; HP-UX Shadow; HP-UX Untrusted; Linux; MAC OSX (No Telnet); Solaris; UnixWare; AS/400; PSM Web Access; PSM ICA Access; HP iLO; HP iLO2; JunOS; OpenVMS; Stratus; Cisco (no SSH for Cisco PIX); CyberGuard; NetScreen; Nokia IPSO; Dell Remote Access; eDMZ SPCW; IBM HMC; Mainframe; MS SQL Server; Sybase; Oracle; POS 4690; Windows; Windows Desktop; Windows NT Domain (No SSH); Windows AD (No SSH).]
Appendix C: Using the TPAM Command Line Interface
The TPAM CLI (command line interface) provides a method for properly authorized users or automated
processes to retrieve information from, or perform limited actions to the TPAM system. Commands must
be passed to TPAM via SSH (Secure Shell) using an identity file key created by TPAM. A specific CLI
UserID is also required. See “Managing CLI User Accounts” in this manual for instructions on creating the
ID and downloading the key file.
In the examples used below, TPAM is accessed via command line from a Windows 2000 computer with
SSH capabilities. SSH software (not provided) must be installed on any system before it can be used for
TPAM CLI access.
Command syntax: ssh -i <keyfile> <userid>@<PAR-address> command <required parameter>,[optional parameter]
Starting at TPAM v2.2.754 we introduced a new format for command syntax. Existing CLI commands still
use the comma-separated parameter syntax, but new or modified commands now accept parameters in
the style of --OptionName optionvalue (two dashes precede the option name). Existing commands that
get updated will still accept the comma-separated syntax, but only for parameters that were present prior
to TPAM v2.2.754. New parameter values for these updated commands will only be recognized when
using the “named option” style of the command. Your existing scripts do not require modification unless
you wish to take advantage of new parameters.
Additionally, all commands which recognize named options will recognize an option of --Help. This
expanded help syntax will show all valid options for each command, whether the option is required or
optional, and a description of the option & allowed values.
The following notes apply to all named option-type commands:
- Options may be specified in any order in the command
- Option names are not case sensitive, --SystemName and --systemname are equivalent
- When the --Help option is used, no other processing takes place. The help text is printed and
the command terminates.
- Options marked as “optional” are just that – optional. They do not need to be included in the
command line to “save space” for commands that come afterwards.
- Option names may be abbreviated “to uniqueness” for each command. For example, if a
command accepts options of --SystemName, --AccountName, and --Description the option
names can be abbreviated to --S, --A, and --D, respectively. However, if the options were
--AccountName and --AccountDescription they can only be abbreviated to --AccountN and
--AccountD.
Any option value which contains spaces, e.g., --Description or --RequestNotes, must be
surrounded with single or double quotes, depending on your command line shell. It’s also
recommended that you surround the entire command invocation with quotes to prevent the
shell from unintentionally stripping desired quotes from your command. The following is an
example using Windows cmd.exe:
ssh -i cliadmin_key [email protected] 'UpdateSystem
--SystemName "System1" --Description "Description for System 1"
--NetworkAddress 192.168.164.99'
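The following Python helper is an added example, not TPAM code and not from this manual: it applies the named-option rules above (case-insensitive names, abbreviation to uniqueness, --Help short-circuiting everything else, quoting of values that contain spaces) when assembling the command string handed to ssh. The option lists are subsets of the AddAccount and UpdateSystem options documented in this appendix; the key file name is taken from the example above, while the user id and address are constructed placeholders.

```python
"""Client-side helper for the TPAM CLI "named option" syntax.

Added example; it is not TPAM code and does not talk to a TPAM appliance.
It applies the manual's rules: option names are case-insensitive, may be
abbreviated "to uniqueness", --Help short-circuits all other processing,
and a value containing spaces must be quoted. The option lists are subsets
of the AddAccount and UpdateSystem options documented in this appendix; the
user id and address used for the ssh argv are constructed placeholders.
"""

# Subsets of the documented option names, used to resolve abbreviations.
COMMAND_OPTIONS = {
    "UpdateSystem": ["SystemName", "Description", "NetworkAddress", "Help"],
    "AddAccount": ["SystemName", "AccountName", "AliasAccessOnlyFlag",
                   "AllowISADurationFlag", "AutoFlag", "Description",
                   "Password", "PasswordRule", "Help"],
}


class OptionError(ValueError):
    """Raised for unknown, ambiguous or malformed options."""


def candidates(command, given):
    """Return the documented option names an abbreviation could mean.

    Matching is case-insensitive on a prefix, so --S resolves to
    --SystemName for UpdateSystem while --A is ambiguous for AddAccount.
    An exact (case-insensitive) name wins, so --Password is not treated
    as an ambiguous prefix of --PasswordRule; that tie-break is this
    example's assumption, the manual does not spell it out.
    """
    if not given.startswith("--") or len(given) < 3:
        raise OptionError(f"option names start with --: {given!r}")
    wanted = given[2:].lower()
    names = COMMAND_OPTIONS[command]
    exact = [n for n in names if n.lower() == wanted]
    if exact:
        return exact
    return [n for n in names if n.lower().startswith(wanted)]


def resolve_option(command, given):
    """Expand `given` to its full documented name or raise OptionError."""
    found = candidates(command, given)
    if len(found) == 1:
        return found[0]
    if not found:
        raise OptionError(f"{command} has no option matching {given}")
    raise OptionError(f"{given} is ambiguous for {command}: "
                      + ", ".join("--" + n for n in found))


def quote_value(value):
    """Double-quote a value that contains whitespace, as the manual requires."""
    text = str(value)
    if not any(ch.isspace() for ch in text):
        return text
    if '"' in text:
        raise OptionError("values containing a double quote are not handled here")
    return f'"{text}"'


def build_remote_command(command, options):
    """Build the command string TPAM receives over ssh.

    `options` maps possibly abbreviated names (with leading --) to values;
    a value of None marks a bare option such as --Help. When --Help is
    present nothing else is emitted, mirroring the manual's rule that no
    other processing takes place.
    """
    resolved = {}
    for given, value in options.items():
        name = resolve_option(command, given)
        if name in resolved:
            raise OptionError(f"--{name} was given more than once")
        resolved[name] = value
    if "Help" in resolved:
        return f"{command} --Help"
    parts = [command]
    for name, value in resolved.items():
        parts.append(f"--{name}")
        if value is not None:
            parts.append(quote_value(value))
    return " ".join(parts)


def build_ssh_argv(keyfile, userid, address, remote_command):
    """argv for the ssh client. The whole TPAM command travels as a single
    argument, which is what the outer quotes achieve on the shell line in
    the manual's example; passing argv directly involves no shell at all."""
    return ["ssh", "-i", keyfile, f"{userid}@{address}", remote_command]


if __name__ == "__main__":
    # Constructed values: the user id and address are placeholders.
    cmd = build_remote_command("UpdateSystem", {
        "--systemname": "System1",
        "--Desc": "Description for System 1",
        "--N": "192.168.164.99",
    })
    print(build_ssh_argv("cliadmin_key", "cliadmin", "tpam.example.invalid", cmd))
```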
CLI commands:
Alert! The following CLI Commands are NO longer valid in the v2.4 environment:
- AddAccountAlias
- AddAlias
- DropAccountAlias
- GrantPermission – Use SetAccessPolicy
- ListEGPPermissions – Use ListAssignedPolicies
- ListPermissions – Use ListAssignedPolicies
- RevokePermission – Use SetAccessPolicy
- SetEGPPermission – Use SetAccessPolicy
- SetPermission – Use SetAccessPolicy
- UpdateAccountAlias
- UpdateAlias
AddAccount --options
Adds a new system account. The CLI user must have ISA or Administrator privilege.
Option Name | Req/Opt | Description
--SystemName | Req | System Name. Maximum 30 characters.
--AccountName | Req | Account Name. Maximum 30 characters.
--AliasAccessOnlyFlag | Opt | This option is obsolete. Any value passed in using this option will be used for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag | Opt | Allow the ISA to specify a duration when retrieving a password. Y/N
--AutoFlag | Opt | Account Password Management type. N=None, Y=Automatic, M=Manual
--BlockAutoChangeFlag | Opt | Block/Allow the Change Agent from changing the password when in use. Y/N
--ChangeFrequency | Opt | A number between -2 and 360. The default is set on the managed system. -2=no scheduled change; -1=last day of the month; 0=first day of the month; 1-360=schedule every n days.
--ChangeTime | Opt | The time of day to schedule the password change (24-hour format).
--CheckFlag | Opt | Schedule the account for a regular password check. Y/N
--ChangeServiceFlag | Opt | Change the password for Windows Services started by this account. Y/N (Windows platforms only)
--Custom[1-6] | Opt | Custom Account Columns, if defined. Use !NULL to clear the value.
--Description | Opt | Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName | Opt |
--EscalationEmail | Opt | If a password post-release review is not completed within the number of hours in EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime | Opt | Number of hours after which to send an escalation email if a password post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag | Opt | Ignore System Policies Flag. Y/N. When set to Y any System-level Access Policies are ignored, and only Account-level policies are used for permissioning.
--LockFlag | Opt | Account Lock Flag. Y/N. Passwords for locked accounts cannot be retrieved, released, or changed.
--MaxReleaseDuration | Opt | The maximum duration for a password request, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days).
--MinimumApprovers | Opt | Minimum number of approvals required for a password release request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate | Opt | Set the next scheduled change date for this account.
--OverrideAccountability | Opt | When the Global Setting to Allow Account specific override is enabled this flag can be turned on at the account level to allow simultaneous, overlapping password requests to be approved. When the Global Setting is not enabled this flag is ignored. Y/N
--Password | Opt | Initial or New Password for the account. The password cannot be changed for auto-managed accounts. Maximum of 128 characters.
--PasswordRule | Opt | Name of the Password Rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify "Default Password Rule" or another rule to override this.
--ReleaseNotifyEmail | Opt | Use !NULL to clear the value.
--ReleaseChangeFlag | Opt | Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration | Opt | The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days). This is ignored if ReleaseChangeFlag is N.
--RequireTicketForAPI | Opt | Require a valid Ticket System & Number for any API password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI | Opt | Require a valid Ticket System & Number for any CLI password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA | Opt | Require a valid Ticket System & Number for any ISA password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest | Opt | Require a valid Ticket System & Number for any password or session request on this account. Y/N
--ResetFlag | Opt | Reset the password if a regular check finds it to be different than what's stored in PPM. Y/N. This value is ignored if CheckFlag is N.
--ReviewCount | Opt | Number of post-release reviews required after a password release. 0-n
--ReviewerName | Opt | User Name or Group Name of required reviewer. Only valid when ReviewerType is User or Group.
--ReviewerType | Opt | Type of reviewer. Valid values are: Any (default), Auditor, User, Group
--SimulPrivAccReleases | Opt | Number of simultaneous Privileged Access Users who may retrieve the password. 0-99
--TicketSystemName | Opt | When RequireTicketForRequest is Y this is the Ticket System that's required. Use a value of "!Any" to allow tickets from any valid ticket system.
--TicketEmailNotify | Opt | Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag | Opt | Use the account's current password to change the password. Y/N. If the functional account is flagged as "non-privileged" at the system level this value is forced to Y.
--Help | Opt | Print this help message and exit
Legacy support for AddAccount command:
AddAccount <System,Account>,[Password],[ChangeFreq],[ReleaseDuration],
[AccountAutoFl(Y|N|M)],[ChangeTime hh:mm],[NextChangeDt],[PasswordRule],
[ChgSvcFl(Y|N)],[UseSelfFl(Y|N)],[MinApprovers],[DomainAcctName],
[RelNotifyEmail],[CheckFl(Y|N)],[ResetFl(Y|N)],[ReleaseChgFl(Y|N)],
[MaxReleaseDuration(<=10080)],[Description]
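A pre-flight validator for an AddAccount option set, added here as an example (it is not TPAM's own code): it encodes the value ranges and the "ignored if" dependencies from the option table above so a script can report problems before the ssh round trip. Keys are the full option names without dashes; the half-up, never-below-15 reading of "rounded to the nearest 15-minute increment" and the message texts are this example's own choices.

```python
"""Pre-flight checks for TPAM AddAccount options (added example, not TPAM code).

Reproduces the documented ranges and the "ignored if" rules of the AddAccount
option table. Keys are full option names without the leading dashes; values
are the strings that would go on the command line. The 15-minute rounding
(half up, never below 15) is this example's reading of the manual's
"rounded to the nearest 15-minute increment".
"""

YN_FLAGS = (
    "AllowISADurationFlag", "BlockAutoChangeFlag", "CheckFlag",
    "ChangeServiceFlag", "IgnoreSystemPoliciesFlag", "LockFlag",
    "OverrideAccountability", "ReleaseChangeFlag", "RequireTicketForAPI",
    "RequireTicketForCLI", "RequireTicketForISA", "RequireTicketForRequest",
    "ResetFlag", "UseSelfFlag",
)
TICKET_SCOPES = ("RequireTicketForAPI", "RequireTicketForCLI", "RequireTicketForISA")


def flag(opts, name):
    """Normalised value of a Y/N option, or None when it was not supplied."""
    value = opts.get(name)
    return None if value is None else str(value).strip().upper()


def describe_change_frequency(value):
    """Translate a --ChangeFrequency value into the schedule it selects."""
    days = int(value)
    if not -2 <= days <= 360:
        raise ValueError(f"ChangeFrequency must be between -2 and 360, got {days}")
    special = {-2: "no scheduled change", -1: "last day of the month",
               0: "first day of the month"}
    return special.get(days, f"every {days} days")


def round_release_duration(minutes):
    """Apply the documented 1-10080 range and 15-minute rounding."""
    minutes = int(minutes)
    if not 1 <= minutes <= 10080:
        raise ValueError(f"ReleaseDuration must be 1-10080 minutes, got {minutes}")
    return max(15, ((minutes + 7) // 15) * 15)


def preflight(opts):
    """Return ERROR:/WARN: findings for an AddAccount option set (empty = clean)."""
    findings = []
    for name in ("SystemName", "AccountName"):
        if not opts.get(name):
            findings.append(f"ERROR: --{name} is required")
        elif len(str(opts[name])) > 30:
            findings.append(f"ERROR: --{name} exceeds 30 characters")
    for name in YN_FLAGS:
        if flag(opts, name) not in (None, "Y", "N"):
            findings.append(f"ERROR: --{name} must be Y or N")
    if flag(opts, "AutoFlag") not in (None, "N", "Y", "M"):
        findings.append("ERROR: --AutoFlag must be N, Y or M")
    if "AliasAccessOnlyFlag" in opts:
        findings.append("WARN: --AliasAccessOnlyFlag is obsolete; its value is "
                        "applied to --IgnoreSystemPoliciesFlag")
    # Range checks; durations also report the rounding TPAM will apply.
    for name, check in (("ChangeFrequency", describe_change_frequency),
                        ("ReleaseDuration", round_release_duration),
                        ("MaxReleaseDuration", round_release_duration)):
        if name in opts:
            try:
                result = check(opts[name])
                if name != "ChangeFrequency" and result != int(opts[name]):
                    findings.append(f"WARN: --{name} {opts[name]} will be rounded to {result}")
            except ValueError as exc:
                findings.append(f"ERROR: {exc}")
    # Options the table says are ignored when a controlling flag is N.
    if "ReleaseDuration" in opts and flag(opts, "ReleaseChangeFlag") == "N":
        findings.append("WARN: --ReleaseDuration is ignored because --ReleaseChangeFlag is N")
    if "ResetFlag" in opts and flag(opts, "CheckFlag") == "N":
        findings.append("WARN: --ResetFlag is ignored because --CheckFlag is N")
    if flag(opts, "RequireTicketForRequest") == "N":
        for name in TICKET_SCOPES + ("TicketEmailNotify",):
            if name in opts:
                findings.append(f"WARN: --{name} is ignored because "
                                "--RequireTicketForRequest is N")
    elif "TicketEmailNotify" in opts and all(flag(opts, n) == "Y" for n in TICKET_SCOPES):
        findings.append("WARN: --TicketEmailNotify is ignored because a ticket is "
                        "required for API, CLI and ISA")
    if "ReviewerName" in opts and \
            str(opts.get("ReviewerType", "Any")).lower() not in ("user", "group"):
        findings.append("ERROR: --ReviewerName is only valid when --ReviewerType is User or Group")
    if str(opts.get("MinimumApprovers", "")).strip() == "0":
        findings.append("WARN: --MinimumApprovers 0 auto-approves every password request")
    return findings
```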
AddCollection <CollectionName>,<CollectionDescription>
Creates a new Collection. The CLI user must have ISA or administrator privilege.
AddCollectionMember --options
Beginning with v2.4, Collections may contain Accounts and Files as well as Systems.
Creates a new collection member where the system, account and/or file and collection(s)
currently exist. The CLI user must have administrator privilege or the ISA permission over the
collection and system and/or file.
Option Name | Req/Opt | Description
--CollectionName | Req | Name of Collection
--SystemName | Req | Name of System to add to the Collection. If an Account or File is being added to the Collection this must be the system on which the Account or File exists. A System cannot be in the same collection as any of its Accounts or Files.
--AccountName | Opt | Name of the Account to add to the Collection. If a System or File is being added to the Collection this value must be empty. The Account must reside on --SystemName and cannot be a member of any of the same Collections as the System. Accounts and Files from a System *may* be members of the same collection.
--FileName | Opt | Name of the File to add to the Collection. If a System or Account is being added to the Collection this value must be empty. The File must reside on --SystemName and cannot be a member of any of the same Collections as the System. Accounts and Files from a System *may* be members of the same collection.
--Help | Opt | Print this help message and exit
Legacy support for AddCollectionMember command (which only supports adding a System to
the collection):
AddCollectionMember <MemberName>,<CollectionName>
AddGroup <GroupName>,<GroupDescription>
Creates a new Group. The CLI user must have ISA or administrator privilege.
AddGroupMember <UserName>,<GroupName>
Adds an existing user account to one or more existing groups. The CLI user must have
administrator privilege.
AddPwdRequest --options
Allows a CLI User to add a password request on behalf of another user. Both users (the calling
CLI and the user they're adding for) must have "Request" permissions on the target system. The
target user must be a web-based user, i.e., not a CLI or API user. The CLI User creating the
request may later cancel the request, but cannot approve the request they create.
Option Name | Req/Opt | Description
--SystemName | Req | System for which the Password request is being created.
--AccountName | Req | Account for which the Password request is being created.
--ForUserName | Req | The user you are creating the request for.
--AccessPolicyName | Opt* | An Access Policy to use for the request. This option is only required if the user has access via more than one Policy. Note! If a Policy Name is specified it must contain a Password REQ permission and the user for whom the request is being created must have access via this policy.
--ReasonCode | Opt* | A Reason Code for the Request. The list of permitted Reason Codes is maintained by the system administrator. Based on Global Settings a Reason Code may be required, optional, or not allowed.
--RequestImmediateFlag | Opt | Y to create a request with an immediate release date. If N is entered you must supply the RequestedReleaseDate option.
--RequestedReleaseDate | Opt* | Required if RequestImmediate is N. Must be a valid future date/time in the form of MM/DD/YYYY HH:MM (using 24-hour or AM/PM notation). Note! If the user in “ForUserName” is assigned to a Time zone other than the server, this value represents a time local to the User.
--ReleaseDuration | Opt | Duration of the request expressed in minutes. The default is 120 minutes for password requests. The maximum value is set on the account details.
--RequestNotes | Req | Description of the request. Up to 1000 characters.
--TicketNumber | Opt* | A Ticket Number from the TicketSystemName ticket system. This may be required based on account information.
--TicketSystemName | Opt* | The name of a Ticket System to validate the TicketNumber value. This may be required based on account information.
--Help | Opt | Print this help message and exit
AddSessionRequest --options
Allows a CLI User to add a session request on behalf of another user. Both users (the calling CLI
and the user they're adding for) must have "Request" permissions on the target system. The
target user must be a web-based user, i.e., not a CLI or API user. The CLI User creating the
request may later cancel the request, but cannot approve the request they create.
Option Name | Req/Opt | Description
--SystemName | Req | System for which the Session request is being created.
--AccountName | Req | Account for which the Session request is being created.
--ForUserName | Req | The user you are creating the request for.
--AccessPolicyName | Opt* | An Access Policy to use for the request. This option is only required if the user has access via more than one Policy. Note! If a Policy Name is specified it must contain a Session REQ permission and the user for whom the request is being created must have access via this policy.
--CommandName | Opt | The Command name to use to request a PCM Session. If a command is specified then the Access Policy Name must also be specified and must include REQ permissions for the user for whom the request is being created. If no command is specified a PSM Session will be requested.
--ReasonCode | Opt* | A Reason Code for the Request. The list of permitted Reason Codes is maintained by the system administrator. Based on Global Settings a Reason Code may be required, optional, or not allowed.
--RequestImmediateFlag | Opt | Y to create a request with an immediate release date. If N is entered you must supply the RequestedReleaseDate option.
--RequestedReleaseDate | Opt* | Required if RequestImmediate is N. Must be a valid future date/time in the form of MM/DD/YYYY HH:MM (using 24-hour or AM/PM notation). **NOTE**: If the user in ForUserName is assigned to a Time zone other than the server this value represents a time local to the User.
--ReleaseDuration | Opt | Duration of the request expressed in minutes. The default duration for session requests is set on the account details. The maximum value is set on the account details.
--RequestNotes | Req | Description of the request. Up to 1000 characters.
--TicketNumber | Opt* | A Ticket Number from the TicketSystemName ticket system. This may be required based on account information.
--TicketSystemName | Opt* | The name of a Ticket System to validate the TicketNumber value. This may be required based on account information.
--Help | Opt | Print this help message and exit
AddSyncPwdSub --options
Allows you to add subscribers to a Synchronized Password.
Option Name | Req/Opt | Description
--SyncPassName | Req | Synchronized Password Name. You must have Admin privileges.
--SystemName | Req | System name of account to subscribe.
--AccountName | Req | Account name to subscribe.
--Help | Opt | Print this help message and exit
AddSystem -- options
Creates a new system. The CLI user must have ISA or Administrator privilege.
Option Name    Req/Opt    Description
--SystemName    Req    System Name. Must be between 2 and 30 characters in length and consist of only upper or lower case letters, numbers, hyphen, underscore, period, or US dollar sign ($).
--AllowFuncReqFlag    Opt    Whether to allow the Functional Account password to be requested and released. Y/N. Default N.
--AllowISADurationFlag    Opt    Allow an ISA to enter a duration when releasing a password in the GUI. Y/N. Default N.
--AlternateIP    Opt    Alternate IP address in addition to the system NetworkAddress. This value is only valid on certain platform types.
--BoksServerOS    Opt    The OS Name (platform) for a Boks server.
--ChangeFrequency    Opt    A number between -2 and 360. The default is set on the managed system. -2=Don't schedule the account, -1=Schedule on the last day of the month, 0=Schedule on the first day of the month, 1-360=Schedule every n days.
--ChangeTime    Opt    Time of day at which the change agent will schedule password changes on this system. Expressed in 24-hour format. This is a default value for new accounts on the system.
--Custom[1-6]    Opt    Custom System Columns, if defined. Use !NULL to clear the value.
--CheckFlag    Opt    Schedule accounts on the system for a regular password check. Y/N. This is a default value for new accounts on the system.
--Description    Opt    Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount    Opt
--DomainName    Opt
--EGPOnlyFlag    Opt    Setting this value to Yes will disable *ALL* PPM functionality on this system and all its accounts and will delete any existing password history or secure stored files. Y/N.
--EnablePassword    Opt    Password to use for the "ENABLE" account (Cisco platforms only).
--EscalationEmail    Opt    If a password post-release review is not completed within the number of hours in EscalationTime send an email to this address. Use !NULL to clear the value.
--EscalationTime    Opt    Number of hours after which to send an escalation email if a password post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the notification.
--FuncAcctCred    Opt    Password for the account indicated in the FunctionalAccount option.
--FunctionalAccount    Opt    Account name of the functional account for the system. This is the account which will be used to change other passwords on the system.
--LineDef    Opt
--MaxReleaseDuration    Opt    The maximum duration for a password request, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-10080 (7 days).
--NetBiosName    Opt
--NetworkAddress
Req Network address of the system. May be an IP V4 address or a fully
qualified domain name.
--NonPrivFuncFlag
Opt Y/N.
--OracleSIDSN
Opt Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle system.
--OracleType
Opt May be either SID or SN. Only accepted for Oracle platform.
--PasswordRule
Opt The name of the Password Rule used to generate random passwords
for this system. Leave empty to use the default password rule for new
Systems. Must use the text "Default Password Rule" to change
existing systems.
--PlatformName
Req Any recognized platform name. Note that certain platforms, once set,
cannot be changed.
--PlatSpecificValue
Opt A platform specific value, e.g., Linux Delegation prefix or Windows
Computer Name. Not all platforms support this value.
--PortNumber
Opt Port number used for SSH communication with the system. Default
values are platform specific.
--PrimaryEmail
Opt Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ReleaseChangeFlag
Opt Change the password after any ISA, CLI, or API release. Y/N. This is a
default value for new accounts on the system.
--ReleaseDuration
Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15-minute increment. Valid values are 1-10080.
--RequireTicketForAPI
Opt Require a valid Ticket System & Number for any API password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is
N.
--RequireTicketForCLI
Opt Require a valid Ticket System & Number for any CLI password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is
N.
--RequireTicketForISA
Opt Require a valid Ticket System & Number for any ISA password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is
N.
--RequireTicketForRequest Opt Require a valid Ticket System & Number for any password or session
request on this account. Y/N
--ResetFlag    Opt    Reset the password if a regular check finds it to be different than what's stored in TPAM. Y/N. This value is ignored if CheckFlag is N. This is a default value for new accounts on the system.
--SSHAccount    Opt    The account name to use when communicating with this system via SSH. This is required when the UseSshFlag is set to Y.
--SSHKey    Opt    Either "Standard" to use the appliance's system standard keys or "Specific" to generate a specific key for this system. "Standard" is the default.
--SSHPort    Opt    The port number for SSH communication. If not specified a default of 22 is used.
--SystemAutoFlag    Opt    Whether or not to enable automatic password management for accounts on this system. Y/N. If set to N the account auto flags may only be N (none) or M (Manual).
--TemplateSystemName    Opt    The name of a template system. Data from the template system will be used as defaults for the new system. Template data will be overridden with data supplied here. System templates may also contain Collection Membership, Group & User Permissions, and up to 10 accounts, all of which will be automatically transferred to the new system.
--TicketEmailNotify    Opt    Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName    Opt    When RequireTicketForRequest is Y this is the Ticket System that's required. Use a value of "!Any" to allow tickets from any valid ticket system.
--Timeout    Opt    The number of seconds TPAM will attempt to communicate with the system for password checks and changes before issuing a "timed out" error. Default is 20 seconds.
--UseSslFlag    Opt    Whether or not to use SSL to communicate with the system. Y/N. Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags are mutually exclusive. You may only set one or the other, not both.
--UseSshFlag    Opt    Whether or not to use SSH to communicate with the system. Y/N. Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags are mutually exclusive. You may only set one or the other, not both.
--Help    Opt    Print this help message and exit
Legacy support for AddSystem command:
AddSystem <System>,<NetworkAddress>,[PrimaryEmail],PlatformName,[ChangeFreq],[ReleaseDuration(<=10080)],[SystemAutoFl(Y|N)],
[FunctionalAccount],[FunctionalAcctCredentials (DSS|password)],[ChangeTime hh:mm],[PasswordRule],[PortNumber],[EnablePassword],[AlternateIP],
[Description],[DomainFunctionalAccount],[BoksServerOS],[LineDef],[Timeout],[DomainName],[OracleType],[OracleSIDSN],[CheckFl(Y|N)],
[ResetFl(Y|N)],[ReleaseChgFl(Y|N)],[NetBiosName],[MaxReleaseDuration(<=10080)],[NonPrivFuncFl(Y|N)],[UseSslFl(Y|N)],[AllowFuncReqFl(Y|N)],[EscalationTime],[EscalationEmail],
[EgpOnlyFl(Y|N)],[PlatSpecificValue]
The values for change frequency options are:
0 = First Day of the month
-1 = Last Day of the month
N = Every n days (1 – 999)
-2 = None (no scheduled change)
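Most of the AddSystem constraints above (name character set and length, Y/N flags, the ChangeFrequency and duration ranges, the UseSsl/UseSsh exclusivity, the SSHAccount requirement) can be enforced before a command line ever reaches the appliance, which matters when system definitions are generated from an inventory file rather than typed by hand. The following is an added example in Python, not code from this manual or from TPAM. It builds an AddSystem command string from a dictionary of option values and lists every documented rule the values break. The ssh_argv helper and its host name, CLI user name and key path are assumptions about how a CLI command is submitted and are illustrative only; the sample system is constructed.

```python
"""Build a validated AddSystem command line for the TPAM CLI.

Added example; not code from the manual or the TPAM product. The checks are
the constraints stated in the AddSystem option table. The SSH invocation
shape (host, CLI user name, key path) is an assumption for illustration.
"""
import re
from typing import Dict, List, Optional

SYSTEM_NAME_RE = re.compile(r"^[A-Za-z0-9._$-]{2,30}$")
TIME_24H_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")
YN_FLAGS = ("AllowFuncReqFlag", "AllowISADurationFlag", "CheckFlag", "EGPOnlyFlag",
            "NonPrivFuncFlag", "ReleaseChangeFlag", "ResetFlag", "SystemAutoFlag",
            "UseSslFlag", "UseSshFlag", "RequireTicketForRequest", "RequireTicketForAPI",
            "RequireTicketForCLI", "RequireTicketForISA")
MAX_MINUTES = 10080  # 7 days: upper bound for ReleaseDuration and MaxReleaseDuration


def _int(value: str) -> Optional[int]:
    """Parse an integer option value; None when it is not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_add_system(opts: Dict[str, str]) -> List[str]:
    """Return every constraint violation found in `opts` (an empty list means acceptable)."""
    errors = []
    if not SYSTEM_NAME_RE.match(opts.get("SystemName", "")):
        errors.append("SystemName must be 2-30 characters of letters, digits, - _ . or $")
    for required in ("NetworkAddress", "PlatformName"):
        if not opts.get(required):
            errors.append(f"{required} is required")
    for flag in YN_FLAGS:
        if flag in opts and opts[flag] not in ("Y", "N"):
            errors.append(f"{flag} must be Y or N")
    if opts.get("UseSslFlag") == "Y" and opts.get("UseSshFlag") == "Y":
        errors.append("UseSslFlag and UseSshFlag are mutually exclusive")
    if opts.get("UseSshFlag") == "Y" and not opts.get("SSHAccount"):
        errors.append("SSHAccount is required when UseSshFlag is Y")
    if "ChangeFrequency" in opts:
        freq = _int(opts["ChangeFrequency"])
        if freq is None or not -2 <= freq <= 360:
            errors.append("ChangeFrequency must be between -2 and 360")
    for duration in ("ReleaseDuration", "MaxReleaseDuration"):
        if duration in opts:
            minutes = _int(opts[duration])
            if minutes is None or not 1 <= minutes <= MAX_MINUTES:
                errors.append(f"{duration} must be 1-{MAX_MINUTES} minutes")
    if "ChangeTime" in opts and not TIME_24H_RE.match(opts["ChangeTime"]):
        errors.append("ChangeTime must be HH:MM in 24-hour format")
    # Multi-word values are delimited with double quotes on the command line, so a
    # quote inside a value (for instance from an untrusted inventory file) could end
    # the value early and smuggle in extra options. Refuse rather than try to escape.
    for key, value in opts.items():
        if '"' in str(value):
            errors.append(f"{key} must not contain a double quote")
    return errors


def build_add_system(opts: Dict[str, str]) -> str:
    """Return 'AddSystem --Name value ...' or raise ValueError listing every problem."""
    errors = check_add_system(opts)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["AddSystem"]
    for key, value in opts.items():
        value = str(value)
        if " " in value:  # values of more than one word must be surrounded by double quotes
            value = f'"{value}"'
        parts.append(f"--{key} {value}")
    return " ".join(parts)


def ssh_argv(command: str, host: str = "tpam.example.com", cli_user: str = "cliuser",
             key_path: str = "~/.ssh/tpam_cli") -> List[str]:
    """argv for sending one CLI command over SSH (assumed invocation shape, not from the manual)."""
    return ["ssh", "-i", key_path, f"{cli_user}@{host}", command]


if __name__ == "__main__":
    # Constructed sample system.
    sample = {"SystemName": "web-01", "NetworkAddress": "web-01.example.com",
              "PlatformName": "Linux", "Description": "Front end web tier",
              "UseSshFlag": "Y", "SSHAccount": "tpamfunc",
              "ChangeFrequency": "30", "MaxReleaseDuration": "120"}
    print(ssh_argv(build_add_system(sample)))
```

The checker reports all violations at once rather than stopping at the first, which is what you want when validating a batch of systems, and it fails closed on any value containing a double quote instead of attempting to escape it.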
AddUser -- options
Creates a new user account. The CLI user must have user administrator or administrator privilege.
Option Name    Req/Opt    Description
--UserName    Req    User Name. Maximum 20 characters.
--LastName    Req    Maximum of 30 characters.
--FirstName    Req    Maximum of 30 characters.
--Password    Opt    Password for new User. Maximum of 30 characters. If not specified a random password will be generated and must be reset before the user may log in.
--Email
Opt Maximum of 255 characters. Use !NULL to clear.
--Phone
Opt Maximum of 30 characters. Use !NULL to clear.
--Pager
Opt Maximum of 30 characters. Use !NULL to clear.
--UserType
Opt Basic (default), Admin, Auditor, or UserAdmin
--Disable
Opt Whether the user's ID is currently disabled. Y/N. Disabled users cannot log
in to the appliance.
--ExternalAuth
Opt Obsolete, replaced with SecondaryAuth
--SecondaryAuth
Opt Secondary authentication system used for user login. Valid values are None
(default), SecureID, Safeword, Radius, WinAD, and LDAP.
--ExternalAuthSystem    Opt    Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem    Opt    Name of the secondary authentication system of the type indicated in ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID
Opt Obsolete, replaced with SecondaryUserID
--SecondaryUserID
Opt* User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra    Opt    The LDAP Primary Authentication Types support an "Extra" UserID. The User logs in using a shorthand value in the PrimaryAuthID, but the data in the PrimaryAuthExtra will be used to do the actual authentication against the external system. Use !NULL to clear.
--PrimaryAuthID
Opt* The User ID to use for primary authentication when a WinAD or LDAP
system is used.
--PrimaryAuthType
Opt The type of the primary authentication system for this user. Current values
are Local, LDAP, or WinAD. When Local is used the PrimaryAuthID,
PrimaryAuthExtra and PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem Opt* Name of the defined system to use when the PrimaryAuthType is WinAD or
LDAP. Systems are defined by the appliance SysAdmin.
--Description
Opt Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag
Opt Indicates whether the LogonHours value represents Allowed or Prohibited
hours. Valid values are A, P, or N (no restrictions).
--LogonHours
Opt A listing of up to 4 hour ranges. Times must be expressed in 24-hour format
in any of the following forms: 7, 07, 700, 0700, 07:00 (all indicating 07:00
AM). Separate multiple ranges with semi-colons, 07:00-12:00;18:00-23:59
(7AM-12AM and 6PM-11:59PM). If the LogonHoursFlag value is N this
value is ignored.
--LogonDays    Opt    When Logon Hours are specified you may also specify the days of the week those hours are effective. Specify days with a string of 7 X's (to indicate an "on" day) or periods (for an "off" day) to represent the week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun and Sat off. If LogonHours are specified and LogonDays is left empty the default is all days "on", e.g., XXXXXXX.
--MobileAllowedFlag    Opt    Whether to allow this user to log in to the system from a mobile device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone    Opt    The user's local time zone. See the Documentation for a list of valid time zone names. You may enter any part of the time zone name as long as it is unique in the list, e.g., entering Guam will only find one timezone while entering 02:00 or US will find multiple entries. A value of "Server" indicates that the user is in the same time zone as the server and follows the same DST rules.
--DstFlag    Opt    Whether this user is *currently* operating under Daylight Saving/Summer Time. Y/N. This value is ignored when LocalTimezone is set to "Server". NOTE: This is a manually maintained value. It does *not* automatically change based on the system calendar! Additionally, some timezones do not allow/recognize DST.
--TemplateUserName    Opt    The name of a template user. Data from the template user will be used as defaults for the new user. Template data will be overridden with data supplied here. User templates may also contain Group Membership and System & Collection Permissions, all of which will be automatically transferred to the new user. A CLI User may only utilize Web-Interface templates.
--Help    Opt    Print this help message and exit
Legacy support for AddUser command:
AddUser - <UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Pager],
[UserType (Basic default|Admin|Auditor|UserAdmin)],[InitialPassword],
[DisableFl(Y|N)],[ExtAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS,WINAD)],
[ExtAuthUserID],[Description]
Deprecated but still supported:
AddUser2 <UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Pager],
[UserType (Basic default|Admin|Auditor|UserAdmin)],[InitialPassword],
[DisableFl(Y|N)],[ExtAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS,WINAD)],
[ExtAuthUserID], [LogonHoursFL(N|A|P)],[LogonHours], [PrimAuthType(LOCAL |WINAD)],
[PrimAuthUserID], [PrimAuthSystem], [ExtAuthSystem], [Description]
Creates a new user account. The CLI user must have user administrator or administrator
privilege. LogonHoursFL may be N (no logon restrictions), A (LogonHours indicate allowed logon
hours), or P (LogonHours indicate prohibited logon hours). LogonHours describes up to 4 ranges
of hours during which the user is either allowed on or prohibited from logging in to the system.
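The LogonHoursFlag, LogonHours and LogonDays options together define a time-of-day access control, and the several accepted spellings of a time (7, 07, 700, 0700, 07:00) make a normaliser useful when reviewing or provisioning these restrictions in bulk. The following is an added example in Python, not code from this manual or from TPAM. It canonicalises a LogonHours string, validates a LogonDays string (applying the documented default of all days on when it is empty), and evaluates whether a logon at a given weekday and time would be allowed under A, P or N. The manual does not say whether the end of a range is inclusive; the code treats both ends as inclusive, which is an assumption. The sample restriction is the manual's own Mon-Fri business-hours example.

```python
"""Normalise and evaluate AddUser logon-hour restrictions.

Added example; not code from the manual or the TPAM product. It implements
the formats the AddUser option table describes: LogonHours as up to four
start-end ranges separated by semicolons, each time written as 7, 07, 700,
0700 or 07:00; LogonDays as seven X (on) or . (off) characters from Sunday
to Saturday, defaulting to all days on; LogonHoursFlag A, P or N. Range
ends are treated as inclusive (assumption; the manual does not say).
"""
import re
from typing import List, Tuple

DAY_NAMES = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
ALL_DAYS_ON = "XXXXXXX"


def normalize_hour(token: str) -> str:
    """Return zero-padded HH:MM for 7, 07, 700, 0700 or 07:00 style input."""
    text = token.strip()
    if ":" in text:
        hh, mm = text.split(":", 1)
    elif len(text) in (1, 2):
        hh, mm = text, "00"
    elif len(text) in (3, 4):
        hh, mm = text[:-2], text[-2:]
    else:
        raise ValueError(f"unrecognised time {token!r}")
    if not (hh.isdigit() and mm.isdigit()):
        raise ValueError(f"unrecognised time {token!r}")
    hour, minute = int(hh), int(mm)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time out of range: {token!r}")
    return f"{hour:02d}:{minute:02d}"


def parse_logon_hours(value: str) -> List[Tuple[str, str]]:
    """Split 'start-end;start-end' into normalised (start, end) pairs, at most four."""
    pieces = [p for p in value.split(";") if p.strip()]
    if not 1 <= len(pieces) <= 4:
        raise ValueError("LogonHours must contain between 1 and 4 ranges")
    ranges = []
    for piece in pieces:
        if piece.count("-") != 1:
            raise ValueError(f"range must be start-end: {piece!r}")
        start, end = (normalize_hour(p) for p in piece.split("-"))
        if start >= end:  # zero-padded HH:MM strings sort chronologically
            raise ValueError(f"range start must precede end: {piece!r}")
        ranges.append((start, end))
    return ranges


def normalize_logon_hours(value: str) -> str:
    """Canonical LogonHours string, e.g. '7-12;18-2359' -> '07:00-12:00;18:00-23:59'."""
    return ";".join(f"{s}-{e}" for s, e in parse_logon_hours(value))


def normalize_logon_days(value: str) -> str:
    """Validate the 7-character X/. string; empty means every day is on."""
    if value == "":
        return ALL_DAYS_ON
    if not re.fullmatch(r"[X.]{7}", value):
        raise ValueError("LogonDays must be exactly 7 characters, each X or .")
    return value


def logon_permitted(flag: str, hours: str, days: str, weekday: int, time: str) -> bool:
    """Whether a logon at `time` on `weekday` (0=Sunday .. 6=Saturday) is allowed."""
    if flag == "N":
        return True  # no restrictions; LogonHours and LogonDays are ignored
    if flag not in ("A", "P"):
        raise ValueError("LogonHoursFlag must be A, P or N")
    day_on = normalize_logon_days(days)[weekday] == "X"
    at = normalize_hour(time)
    in_window = day_on and any(start <= at <= end for start, end in parse_logon_hours(hours))
    return in_window if flag == "A" else not in_window


def describe_restriction(flag: str, hours: str, days: str) -> str:
    """Human-readable summary, handy when reviewing a user's restrictions."""
    if flag == "N":
        return "no logon restrictions"
    if flag not in ("A", "P"):
        raise ValueError("LogonHoursFlag must be A, P or N")
    kind = "allowed" if flag == "A" else "prohibited"
    on_days = [DAY_NAMES[i] for i, c in enumerate(normalize_logon_days(days)) if c == "X"]
    return f"{kind} {normalize_logon_hours(hours)} on {','.join(on_days)}"


if __name__ == "__main__":
    # The manual's example: business hours plus evenings, Monday to Friday.
    print(describe_restriction("A", "7-12;18-23:59", ".XXXXX."))
    print(logon_permitted("A", "7-12;18-23:59", ".XXXXX.", 1, "9"))  # Monday 09:00
    print(logon_permitted("A", "7-12;18-23:59", ".XXXXX.", 0, "9"))  # Sunday 09:00
```

Note the asymmetry between A and P for days marked off: with A an off day blocks every logon, while with P an off day means the prohibited window does not apply, so the logon is permitted.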
Approve --options
Allows password requests to be approved via TPAM CLI. The CLI UserID must be authorized to
approve requests for the system/account in the request. The CLI User cannot approve a
password request they have added on behalf of another user.
Successful execution of the approve command will produce no output. This is by design.
Option Name    Req/Opt    Description
--RequestID    Req    Password Request ID.
--Comment    Req    Up to 255 characters.
--Help    Opt    Print this help message and exit
Legacy support for Approve command:
Approve <request ID>, <comment>
ApproveSessionRequest --options
Allows session requests to be approved via TPAM CLI. The CLI UserID must be authorized to
approve session requests for the system/account in the request. The CLI User cannot approve a
session request they have added on behalf of another user.
Successful execution of the approve command will produce no output. This is by design.
Option Name    Req/Opt    Description
--RequestID    Req    Session Request ID.
--Comment    Req    Up to 255 characters.
--Help    Opt    Print this help message and exit
Cancel --options
Allows password requests to be cancelled via TPAM CLI. The CLI UserID must be an authorized approver for the system/account in the request.
Successful execution of the cancel command will produce no output. This is by design.
Option Name    Req/Opt    Description
--RequestID    Req    Password Request ID.
--Comment    Req    Up to 255 characters.
--Help    Opt    Print this help message and exit
Legacy support for Cancel command:
Cancel <request ID>, <comment>
CancelSessionRequest --options
Allows session requests to be cancelled via TPAM CLI. The CLI UserID must be an authorized
approver for the system/account in the request.
Successful execution of the cancel command will produce no output. This is by design.
Option Name    Req/Opt    Description
--RequestID    Req    Session Request ID.
--Comment    Req    Up to 255 characters.
--Help    Opt    Print this help message and exit
ChangeUserPassword <UserName>,<Password>
Performs a forced reset on a user’s password. The CLI user must have User Administrator (for
non-privileged accounts only) or Administrator privilege.
CheckPassword <SystemName>,<AccountName>
Initiates a password test for the specified system account. The CLI user must have administrator
privilege or the ISA permission over the system.
DeleteAccount <systemname>,<accountname>
Soft deletes the system account. The CLI user must have ISA or Administrator privilege.
DeleteSystem <systemname>
Soft deletes the named system. The CLI user must have Administrator privilege.
DeleteUser <username>
Permanently deletes the named user account. The CLI user must have administrator privilege to
delete any user, or user administrator privilege to delete any non-administrator user.
DropCollection <CollectionName>
Deletes an existing Collection. The CLI user must have ISA or administrator privilege.
DropCollectionMember --options
Beginning with v2.4 Collections may now contain Accounts and Files as well as Systems.
Removes a system, account or file from one or more collections. The CLI user must have
administrator privilege or the ISA permission over the collection and system.
Option Name    Req/Opt    Description
--CollectionName    Req    Name of Collection
--SystemName    Req    Name of System to drop from the Collection. If an Account or File is being dropped from the Collection this must be the system on which the Account or File exists.
--AccountName    Opt    Name of the Account to drop from the Collection. If a System or File is being dropped from the Collection this value must be empty. The Account must reside on --SystemName.
--FileName    Opt    Name of the File to drop from the Collection. If a System or Account is being dropped from the Collection this value must be empty. The File must reside on --SystemName.
--Help    Opt    Print this help message and exit
Legacy support for DropCollectionMember command: (which only supports dropping systems)
DropCollectionMember <MemberName>,<CollectionName>
DropGroup <GroupName>
Deletes an existing Group. The CLI user must have ISA or administrator privilege.
DropGroupMember <UserName>,<GroupName>
Removes an existing user account from one or more groups. The CLI user must have
administrator privilege.
DropSyncPwdSub --options
Allows you to remove a subscriber from a Synchronized Password.
Option Name    Req/Opt    Description
--SyncPassName    Req    Synchronized Password Name. You must have Admin privileges.
--SystemName    Req    System name of account to unsubscribe.
--AccountName    Req    Account name to unsubscribe.
--Help    Opt    Print this help message and exit
ForceReset <SystemName>,<AccountName>
Forces a password change for the specified system account. The CLI user must have
administrator privilege or the ISA permission over the system. The specified system must be auto
managed.
GetPwdRequest <RequestID>
Returns the details associated with the specified password request.
GetSessionRequest --options
Returns the details associated with the specified session request
Option Name    Req/Opt    Description
--RequestID    Req    Session RequestID
--Help    Opt    Print this help message and exit
ListAccounts --options
Lists all defined system accounts. Only systems for which the CLI user has ISA privilege will be listed. Administrators may list all accounts.
Option Name    Req/Opt    Description
--AccountName    Opt    Account Name to filter. Use * for wildcard.
--SystemName    Opt    System Name to filter. Use * for wildcard.
--NetworkAddress    Opt    Network Address to filter. Use * for wildcard.
--CollectionName    Opt    Collection Name to filter. Use * for wildcard.
--Platform    Opt    Platform Name (use "All" to filter all platforms). See the documentation for list of supported platform names. Default is All.
--SystemAutoFlag    Opt    Filter on the Auto Management flag on the System. Y=Auto managed, N=Not managed, or All (default).
--AccountAutoFlag    Opt    Filter on the Auto Management flag on the Account. Y=Auto managed, N=Not managed, M=Manually managed, or All (default).
--DualControlFlag    Opt    Y=Account requires more than 1 approver, N=account requires zero or one approver, or All (default).
--Sort    Opt    Sort results by SystemName (default), AccountName, or NextChangeDate.
--MaxRows    Opt    Maximum number of rows to return. Default=25.
--Help    Opt    Print this help message and exit
Legacy support for ListAccounts command:
ListAccounts<SystemName (* for wildcard),>[obsolete],
[AccountName (* for wildcard)],[NetworkAddress (* for wildcard)],
[CollectionName (* for wildcard)],[Platform (All| (see Supported platform list)) default=All],
[SysAutoFl (All|Y|N) default=All],[AcctAutoFl (All|Y|N|M) default=All],
[Dual Control Required Flag (All|Y|N) default=All],
[Sort (SystemName|AccountName|NextChangeDt) default=SystemName],[MaxRows Default=25]
ListAssignedPolicies --options
Lists Access Policies assigned to Accounts, Collections, Files, Groups, Systems or Users based
on specified filter criteria. ListAssignedPolicies takes the place of both ListPermissions and
ListEGPPermissions.
The output of this command is essentially the same data as the Entitlement Report. All users will
be listed, along with their effective permissions over any system. The output can potentially be
very large. The CLI user must be an Administrator to return the full list. ISA users will obtain a
limited list based upon the scope of their privilege.
Note! At least one of the following options must contain a non-wildcard value in order to run
this report: AccessPolicyName, AccountName, CollectionName, FileName, GroupName,
SystemName, UserName.
Option Name    Req/Opt    Description
--AccessPolicyName    Opt*    Access Policies to include in the listing. Use * for wildcard. If the Policy Name includes spaces the string must be quoted appropriately.
--AccountName    Opt*    Account Name to filter. Use * for wildcard.
--AllOrEffectiveFlag    Opt    A/E. Show either All policies affecting each entry or only the one effective policy. When all policies are shown the effective policy is indicated.
--CollectionName    Opt*    Collection Name to filter. Use * for wildcard.
--ExpandCollectionFlag    Opt    Y/N. Whether to expand the collections to show all member systems, accounts, & files. Default is N.
--ExpandGroupFlag    Opt    Y/N. Whether to expand the Groups to show all member Users. Default is N.
--ExpandPolicyFlag    Opt    Y/N. Whether to expand the Access Policies to show underlying permissions. When not expanded only the Access Policy Name is shown. Default is N.
--FileName    Opt*    File Name to filter. Use * for wildcard.
--GroupName    Opt*    Group Name to filter. Use * for wildcard.
--MaxRows    Opt    Maximum number of rows to return. Default=25
--PermissionName    Opt    Permissions to include in the listing. Multiple permission names may be included with a semi-colon between each. Valid types are: All (Default), DEN, ISA, APR, REQ, REV, and PAC.
--PermissionType    Opt    Permission Types to include in the listing. Multiple types may be included with a semi-colon between each. Valid types are: Pwd, Sess, File, Cmd, and All (default).
--SortOrder    Opt    One of UserName (default), SystemName, AccountName, FileName, PolicyName, GroupName or CollectionName.
--SystemName    Opt*    System Name to filter. Use * for wildcard.
--UserName    Opt*    User Name to filter. Use * for wildcard.
--Help    Opt    Print this help message and exit
ListCollectionMembership [CollectionName (* for wildcard)],[SystemName (* for wildcard)],[MaxRows Default=25 (0 for unlimited)]
Beginning with v2.4 Collections may now contain Accounts and Files as well as Systems.
Lists collection and system, account, and file name for all collections, specified collections, or
specified systems. The CLI user must have administrator privilege or the ISA permission over the
collection and system.
ListDependentSystems --options
Lists status of systems (dependent or not dependent) for a specific account.
Option Name    Req/Opt    Description
--SystemName    Req    System Name. You must have Admin or PPM ISA privileges on the system.
--AccountName    Req    Account Name.
--DependentStatus    Opt    Status of Dependents to list: Both (default), Dependent, Not Dependent.
--DependentName    Opt    Filter list of dependents by System Name. Use * for wildcard.
--MaxRows    Opt    Maximum number of rows to retrieve. Default=25.
--Help    Opt    Print this help message and exit
ListEGPAccounts --options
Lists all accounts that are PSM enabled.
Option Name    Req/Opt    Description
--AccountAutoFlag
Opt Filter on the Auto Management flag on the Account. Y=Auto managed, N=Not
managed, M=Manually managed, or All (default).
--AccountEgpFlag
Opt Filter on the PSM Enabled flag on the Account. Y=Enabled, N=Disabled, or
All (default).
--AccountName
Opt Account Name to filter. Use * for wildcard.
--AccountCustom[1-6] Opt Filter based on contents of Account-level Custom Columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--CollectionName
Opt Collection Name to filter. Use * for wildcard.
--DualControlFlag
Opt Y=Account requires more than 1 approver, N=account requires zero or one approver, or All (default).
--AccountLockFlag
Opt Filter on the Account Locked Flag on the Account. Y=Locked, N=Not locked,
or All (default).
--NetworkAddress
Opt Network Address to filter. Use * for wildcard.
--Platform
Opt Platform Name (use "All" to filter all platforms). See the documentation for list
of supported platform names. Default is All.
--SystemAutoFlag
Opt Filter on the Auto Management flag on the System. Y=Auto managed, N=Not
managed, or All (default).
--SystemCustom[1-6] Opt Filter based on contents of System-level Custom Columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemEgpFlag
Opt Filter on whether the System is enabled for PSM Access. Y=System PSM
Access enabled, N=Disabled, or All (default).
--SystemName
Opt System Name to filter. Use * for wildcard.
--Sort
Opt Sort results by SystemName (default) or AccountName.
--SortType
Opt Ascending or Descending. Can be abbreviated to Asc or Desc. Default is
Asc.
--MaxRows
Opt Maximum number of rows to return. Default=25.
--Help
Opt Print this help message and exit
ListGroupMembership [GroupName (* for wildcard)],[UserName (* for wildcard)],[MaxRows Default=25
(0 for unlimited)]
Lists group name and username for all groups, specified groups, or specified users. The CLI user
must have administrator privilege.
ListRequest --options
Lists basic details about password requests for which the CLI user is an approver.
Option Name    Req/Opt    Description
--Status    Opt    One of All, Pending, Active, Open (default), or Current.
--RequestorName    Opt    User Name of the requestor. Use * for wildcard.
--AccountName    Opt    Account Name to filter. Use * for wildcard.
--SystemName    Opt    System Name to filter. Use * for wildcard.
--StartDate    Opt    Start Date of requested release dates.
--EndDate    Opt    End Date of requested release dates. To select a single date enter a Start Date and empty End Date.
--MaxRows    Opt    Maximum number of rows to retrieve. Default=25.
--Help    Opt    Print this help message and exit
Legacy support for ListRequest command:
ListRequest [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName (* for wildcard)],
[AccountName (* for wildcard)], [SystemName (* for wildcard)], [StartDate (MM/DD/YY)], [EndDate
(MM/DD/YY)], [MaxRows Default=25]
ListRequestDetails --options
Lists more specific details about password requests for which the CLI user is an approver, such
as submission date, release duration, expiration date, etc.
Option Name    Req/Opt    Description
--Status    Opt    Status of request. One of All, Open (default), Pending, Active, or Current
--RequestorName    Opt    Requestor Name to filter. Use * for wildcard.
--AccountName    Opt    Account Name to filter. Use * for wildcard.
--SystemName    Opt    System Name to filter. Use * for wildcard.
--StartDate    Opt    Beginning Requested Release Date to filter.
--EndDate    Opt    Ending Requested Release Date to filter.
--MaxRows    Opt    Maximum number of rows to return. Default=25
--Help    Opt    Print this help message and exit
Legacy support for ListRequestDetails command:
ListRequestDetails [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName (* for
wildcard)], [AccountName (* for wildcard)], [SystemName (* for wildcard)], [StartDate (MM/DD/YY)],
[EndDate (MM/DD/YY)], [MaxRows Default=25]
ListSessionRequest --options
Lists basic details about session requests for which the CLI user is an approver.
Option Name    Req/Opt    Description
--Status    Opt    One of All, Pending, Active, Open (default), or Current.
--RequestorName    Opt    User Name of the requestor. Use * for wildcard.
--AccountName    Opt    Account Name to filter. Use * for wildcard.
--SystemName    Opt    System Name to filter. Use * for wildcard.
--StartDate    Opt    Start Date of requested release dates.
--EndDate    Opt    End Date of requested release dates. To select a single date enter a Start Date and empty End Date.
--MaxRows    Opt    Maximum number of rows to retrieve. Default=25.
--Help    Opt    Print this help message and exit
ListSessionRequestDetails --options
Lists more specific details about session requests for which the CLI user is an approver, such as
submission date, release duration, expiration date, etc.
Option Name    Req/Opt    Description
--Status    Opt    One of All, Pending, Active, Open (default), or Current.
--RequestorName    Opt    User Name of the requestor. Use * for wildcard.
--AccountName    Opt    Account Name to filter. Use * for wildcard.
--SystemName    Opt    System Name to filter. Use * for wildcard.
--StartDate    Opt    Start Date of requested release dates.
--EndDate    Opt    End Date of requested release dates. To select a single date enter a Start Date and empty End Date.
--MaxRows    Opt    Maximum number of rows to retrieve. Default=25.
--Help    Opt    Print this help message and exit
ListSyncPwdSubscribers -- options
Lists the subscribers of an Access Policy.
Option Name Req/ Opt
Description
--SyncPassName Req
Synchronized Password Name. You must have Admin privileges.
--Help
Opt
Print this help message and exit
ListSynchronizedPasswords -- options
Options may be specified in any order. Option values which accept more than one word, i.e., --Description, must surround the value with double quotes. Option Names are not case sensitive and may be abbreviated to uniqueness.
ListSystems -- options
Lists all defined systems. Only systems for which the CLI user has ISA privilege will be listed.
Administrators may list all systems.
Option Name    Req/Opt    Description
--SystemName    Opt    System Name to filter. Use * for wildcard.
--NetworkAddress    Opt    Network Address to filter. Use * for wildcard.
--CollectionName    Opt    Collection Name for membership to filter. Use * for wildcard.
--Platform    Opt    Name of specific platform to filter or All (default). See the documentation for a list of supported values.
--AutoFlag    Opt    Y/N or All for all systems regardless of automation.
--SortOrder    Opt    One of SystemName (default), NetworkAddress, PlatformName.
--MaxRows    Opt    Maximum number of rows to return. Default=25
--Help    Opt    Print this help message and exit
Legacy support for ListSystems command:
ListSystems <SystemName (* for wildcard),>[obsolete],[NetworkAddress (* for wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl (All|Y|N) default=All],
[Sort (SystemName|NetworkAddress|PlatformName) default=SystemName],[MaxRows Default=25]
ListUsers -- options
Lists all non-CLI users defined in TPAM. The CLI user must have administrator or user
administrator privilege.
Option Name    Req/Opt    Description
--UserName    Opt    User Name to filter. Use * for wildcard.
--EmailAddress    Opt    Email Address to filter. Use * for wildcard.
--GroupName    Opt    Group Name for membership to filter. Use * for wildcard.
--UserInterface    Opt    One of All (default), API, CLI, WEB.
--UserType    Opt    One of All (default), Basic, Admin, Auditor, or UserAdmin.
--Status    Opt    One of All (default), Enabled, Disabled, or Locked.
--ExternalAuthType    Opt    One of All (default), SafeWord, SecureID, LDAP, WinAD, RADIUS, or None.
--SortOrder    Opt    One of UserName (default), FirstName, or LastName.
--MaxRows    Opt    Maximum number of rows to return. Default=25
--Help    Opt    Print this help message and exit
Legacy support for ListUsers command:
ListUsers <UserName (* for wildcard),>[EmailAddress (* for wildcard)],
[GroupName (* for wildcard)],[UserInterface (All|CLI|WEB|API) default=All],
[UserType (All,Basic,Admin,Auditor,UAdmin) default=All],
[Status (All|Enabled|Disabled|Locked) default=All],
[ExternalAuthType (All|SafeWord|SecureID|LDAP|RADIUS|WINAD |None) default=All],
[Sort (UserName|FirstName|LastName) default=UserName],[MaxRows Default=25]
Retrieve -- options
Provides a mechanism to retrieve a password for a managed system/account. The CLI UserID must be authorized to retrieve the password, by holding either the requestor or the ISA permission for that account. The optional requirement for dual control does not apply to CLI releases. The comment is not required.
Option Name    Req/Opt    Description
--SystemName    Req    System Name. Maximum 30 characters.
--AccountName    Req    Account Name. Maximum 30 characters.
--ReasonCode    Opt*    A Reason Code for retrieving the password. The list of permitted Reason Codes is maintained by the system administrator. Based on Global Settings a Reason Code may be required, optional, or not allowed.
--ReasonText    Opt*    ISA Reason for retrieving the password. Maximum of 200 characters. Based on Global Settings the Reason Text may be required, optional, or not allowed.
--TicketNumber    Opt*    Ticket Number to validate. Both Ticket System Name and Ticket Number must be supplied to validate a ticket. Depending on Account settings this may be a required value.
--TicketSystemName    Opt*    Name of a Ticket System to validate the Ticket Number. Depending on Account settings this may be a required value.
--TimeRequired    Opt    Number of minutes to release the password. The default duration is set at the Account level.
--Help    Opt    Print this help message and exit
Legacy support for Retrieve command:
Retrieve <systemname>,<accountname>,<duration(in minutes)>,<comment>
Deprecated but still supported:
RetrieveWithTicket <systemname>,<accountname>,<duration(in minutes)>,<Ticket System Name>,
<Ticket Number>,<comment>
Provides a mechanism to retrieve a password for a managed system/account. The CLI UserID
must be authorized to retrieve the password, by holding either requestor or the ISA permissions
for that account. The optional requirement for dual control does not apply to CLI releases. The
comment is not required. If the password being retrieved requires a Ticket Number for CLI
release then both Ticket System Name and Ticket Number are required.
SetAccessPolicy -- options
Allows you to add or remove an Access Policy assignment to an Account, Collection, File, Group,
System, or User. Replaces the old CLI Commands of GrantPermission, SetPermission,
SetEGPPermission, and RevokePermissions.
Option Name (Req/Opt): Description
--AccessPolicyName (Req): Access Policy Name to assign.
--Action (Req): ADD or DROP. Adding a policy of Unassign or NA will drop any currently
assigned Policy.
--AccountName (Opt): Account affected by the assignment. If Account is specified the
--SystemName option must also be filled in. This value must be empty if the assignment is
at the Collection level.
--CollectionName (Opt): Collection affected by the assignment. If this value is present
System, Account, and File must be empty.
--FileName (Opt): File affected by the assignment. If File is specified the --SystemName
option must also be filled in and --AccountName must be empty. This value must be empty if
the assignment is at the Collection level.
--GroupName (Opt): Group Name affected by the assignment. Either User OR Group must be
specified, but not both. "Global" Groups cannot have their permissions altered.
--SystemName (Opt): System Name affected by the assignment or the System on which the
affected Account or File resides. If the assignment is at the Collection level this value
must be empty.
--UserName (Opt): User Name affected by the assignment. Either User OR Group must be
specified, but not both. Auditor, Cache, UserAdmin, and SysAdmin users cannot be assigned
permissions.
--Help (Opt): Print this help message and exit
TestSystem <SystemName>
Initiates a system test. The CLI user must have administrator privilege or the ISA permission over
the system.
UnlockUser <UserName>
Unlocks a currently locked user account. The CLI user must have ISA, User Administrator or
Administrator privilege.
UpdateAccount -- options
Modifies an existing account. The CLI user must have ISA or Administrator privilege. You can
only update the Password for an account that is NOT automanaged.
In v2.4 ISAs must have ISA permission on Passwords and Sessions to be able to update
permissions.
Option Name (Req/Opt): Description
--System (Req): System Name. Maximum 30 characters.
--AccountName (Req): Account Name. Maximum 30 characters.
--AliasAccessOnlyFlag (Opt): This option is obsolete. Any value passed in using this option
will be used for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag (Opt): Allow the ISA to specify a duration when retrieving a password.
Y/N
--AutoFlag (Opt): Account Password Management type. N=None, Y=Automatic, M=Manual
--BlockAutoChangeFlag (Opt): Block/Allow the Change Agent from changing the password when in
use. Y/N
--ChangeFrequency (Opt): A number between -2 and 360. The default is set on the managed
system. -2=no scheduled change, -1=last day of the month, 0=first day of the month,
1-360=schedule every n days.
--ChangeTime (Opt): The time of day to schedule the password change (24-hour format).
--CheckFlag (Opt): Schedule the account for a regular password check. Y/N
--ChangeServiceFlag (Opt): Change the password for Windows Services started by this account.
Y/N (Windows platforms only)
--Custom[1-6] (Opt): Custom Account Columns, if defined. Use !NULL to clear the value.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName (Opt)
--EscalationEmail (Opt): If a password post-release review is not completed within the number
of hours in EscalationTime send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password
post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the
notification.
--IgnoreSystemPoliciesFlag (Opt): Ignore System Policies Flag. Y/N. When set to Y any
System-level Access Policies are ignored, and only Account-level policies are used for
permissioning.
--LockFlag (Opt): Account Lock Flag. Y/N. Passwords for locked accounts cannot be retrieved,
released, or changed.
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in
minutes. The value will be rounded to the nearest 15-minute increment. Valid values are
1-10080 (7 days).
--MinimumApprovers (Opt): Minimum number of approvals required for a password release
request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate (Opt): Set the next scheduled change date for this account.
--OverrideAccountability (Opt): When the Global Setting to Allow Account specific override is
enabled this flag can be turned on at the account level to allow simultaneous, overlapping
password requests to be approved. When the Global Setting is not enabled this flag is
ignored. Y/N
--Password (Opt): Initial or New Password for the account. The password cannot be changed for
auto-managed accounts. Maximum of 128 characters.
--PasswordRule (Opt): Name of the Password Rule used to generate passwords for the account.
--ReleaseNotifyEmail (Opt): Use !NULL to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080 (7 days). This is ignored if ReleaseChangeFlag is N.
--RequireTicketForAPI (Opt): Require a valid Ticket System & Number for any API password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid Ticket System & Number for any CLI password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid Ticket System & Number for any ISA password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest (Opt): Require a valid Ticket System & Number for any password or
session request on this account. Y/N
--ResetFlag (Opt): Reset the password if a regular check finds it to be different than what's
stored in TPAM. Y/N. This value is ignored if CheckFlag is N.
--ReviewCount (Opt): Number of post-release reviews required after a password release. 0-n
--ReviewerName (Opt): User Name or Group Name of required reviewer. Only valid when
ReviewerType is User or Group.
--ReviewerType (Opt): Type of reviewer. Valid values are: Any (default), Auditor, User, Group
--SimulPrivAccReleases (Opt): Number of simultaneous Privileged Access Users who may retrieve
the password. 0-99
--TicketSystemName (Opt): When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of "!Any" to allow tickets from any valid ticket system.
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA
without a ticket number. Ignored when RequireTicketForRequest is N or ticket is required for
all three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag (Opt): Use the account's current password to change the password. Y/N. If the
functional account is flagged as "non-privileged" at the system level this value is forced
to Y.
--Help (Opt): Print this help message and exit
Legacy support for UpdateAccount command:
UpdateAccount <System>,<Account>,[Password],[ChangeFreq],[ReleaseDuration],
[AccountAutoFl(Y|N|M)],[ChangeTime hh:mm],[NextChangeDt],[PasswordRule],
[ChgSvcFl(Y|N)],[UseSelfFl(Y|N)],[MinApprovers],[DomainAcctName],
[RelNotifyEmail],[CheckFl(Y|N)],[ResetFl(Y|N)],[ReleaseChgFl(Y|N)],
[MaxReleaseDuration(<=10080)],[Description]
Deprecated but still supported:
UpdateAccountTicket <System>,<Account>,<TicketSystemName>,<RequireTicketForRequest(Y|N)>,
<RequireTicketForISA(Y|N)>,<RequireTicketForCLI(Y|N)>,<RequireTicketForAPI(Y|N)>,[TicketEmailNotify]
Modifies the Ticket System requirements on an existing system account. The CLI user must have
ISA or Administrator privilege.
UpdateDependentSystems -- options
Allows you to update the dependent systems assigned to an account. You must have Admin or
PPM ISA privileges on the system.
Option Name (Req/Opt): Description
--SystemName (Req): System Name. You must have Admin or PPM ISA privileges on the system.
--AccountName (Req): Account Name.
--Assign (Opt): Semi-colon separated list of Systems to assign as dependents. You must have
Admin or PPM ISA privileges on the dependent system, the dependent must be an automanaged
system with a Windows or eDMZ SPCW platform type, and cannot be the parent system specified
in the SystemName option. Invalid or unrecognized systems in this list will be ignored (no
errors generated). You may specify a list of systems to both Assign and Unassign in the same
command. Any systems which appear in both lists will be unassigned.
--Unassign (Opt): Semi-colon separated list of Systems to remove as dependents. You must have
Admin or PPM ISA privileges on the dependent system. Invalid or unrecognized systems in this
list will be ignored (no errors generated). You may specify a list of systems to both Assign
and Unassign in the same command. Any systems which appear in both lists will be unassigned.
--Help (Opt): Print this help message and exit
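Because the appliance silently ignores unrecognized entries and resolves a system that appears in both lists in favour of Unassign, it is worth computing the effective result before sending the command. The shell functions below are an added example (not part of the TPAM manual or product) that do this and build the UpdateDependentSystems command line; the system and account names are made up.

```shell
#!/bin/sh
# Added example, not TPAM code: resolve overlapping --Assign/--Unassign lists for
# UpdateDependentSystems the way the option table describes, then build the command.

# split_list LIST: print each semicolon-separated item on its own line, dropping blanks.
split_list() { printf '%s\n' "$1" | tr ';' '\n' | sed '/^[[:space:]]*$/d'; }

# build_update_dependents PARENT ACCOUNT ASSIGN_LIST UNASSIGN_LIST
# Drops the parent from the assign list (a system cannot be its own dependent)
# and leaves anything present in both lists on the unassign side only, which is
# the outcome the table above states. System names containing spaces are not
# handled by this helper.
build_update_dependents() {
    parent=$1; account=$2; assign=${3:-}; unassign=${4:-}
    keep=""
    for s in $(split_list "$assign"); do
        [ "$s" = "$parent" ] && continue
        case ";$unassign;" in *";$s;"*) continue;; esac
        keep="${keep:+$keep;}$s"
    done
    cmd="UpdateDependentSystems --SystemName $parent --AccountName $account"
    [ -n "$keep" ] && cmd="$cmd --Assign $keep"
    [ -n "$unassign" ] && cmd="$cmd --Unassign $unassign"
    printf '%s\n' "$cmd"
}

# Usage: Web02 is in both lists, so only NewTestSystem is assigned and Web02 is unassigned;
# the parent system is removed from the assign list.
build_update_dependents WindowsDomainSystem DomainAccount \
    "NewTestSystem;Web02;WindowsDomainSystem" "Web02;Old01"
```

The printed command can be appended to the ssh invocation shown in the Examples at the end of this appendix.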
UpdateEgpAccount -- options
Modifies the PSM Details of an existing account. The CLI user must have PPM ISA and PSM ISA
or Administrator privilege.
Option Name (Req/Opt): Description
--System (Req): System Name. Maximum 30 characters.
--Account (Req): Account Name. Maximum 30 characters.
--ClipboardFlag (Opt): Whether to enable clipboard support to/from the host to the session.
Y/N.
--CLIAccountName (Opt): The Account name on the remote TPAM to retrieve. See CLISystemName.
Use !NULL to clear the value.
--CLIDomainName (Opt): The AD or Netbios name to use when starting the session. See
CLISystemName. Use !NULL to clear the value.
--CLISystemName (Opt): When a TPAM CLIUserName is specified you may also include an optional
system and account name for retrieval on the remote TPAM. The CLISystem, Account, and Domain
values are ignored if the TPAM CLIUserName is not specified. Use !NULL to clear the value.
--ColorDepth (Opt): Color depth of the PSM session. For RDP sessions valid values are 8 or 16
(bit depth). For VNC sessions valid values are 0 (Very Low), 1, 2, 3 (Auto-Select/Full
Color). This setting does not apply to SSH or Telnet proxy types.
--ConnectionProfile (Opt): Name of the optional Custom Connection Profile to use for sessions
on this account. Connection Profiles are associated with specific proxy types. Use the word
"Standard" to revert to default connection information.
--ConsoleFlag (Opt): Y/N.
--DSSKey (Opt): The DSS Key to use for session authentication when DSSKeyType is Upload. The
key may be up to 4096 characters.
--DSSKeyName (Opt)
--DSSKeyType (Opt): The source of the DSS Key used for session authentication when
PasswordMethod is set to DSS Key. Valid values are: Standard: use any of the System Standard
keys; Specific: generate and use a specific DSS key for this account; Upload: DSS Key
supplied in the DSSKey option.
--DefaultSessionDuration (Opt): Default value used for duration of a Session request,
expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080 (7 days).
--DomainAccount (Opt): The Windows Domain Account used to authenticate the session when
PasswordMethod indicates.
--EnableFlag (Opt): Flag to indicate whether this account may be requested for PSM Sessions.
Y/N.
--EscalationEmail (Opt): If a password post-release review is not completed within the number
of hours in Escalation Time send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password
post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the
notification.
--FileTransAuthMethod (Opt): Either Same (to use the same credentials as the session) or
Prompt (to ask for credentials at the time of transfer).
--FileTransDownFlag (Opt): Whether to allow transfer of files from the Session to the host.
Y/N.
--FileTransPath (Opt): A directory path on the target machine where the transferred file will
be placed. Directory syntax is platform specific.
--FileTransType (Opt): The file transfer method. Allowable values are platform specific, but
may be any of the following. You may use either the short name or the full description:
  DIS = File Transfer Disabled (default)
  WFC = Windows File Copy
  SCP = Secure Copy (SCP)
  FTP = File Transfer (FTP)
  ECP = SCP using PSM Function Account
--FileTransUpFlag (Opt): Whether to allow transfer of files from the host to the Session. Y/N.
--MaxSessionCount (Opt): The maximum number of simultaneous sessions that may be running for
this account. For proxy types that display a password this value is set to 1 (one) and
cannot be changed.
--MinApprovers (Opt): Minimum number of approvals required for a session request. 0 (zero)
indicates that all session requests are auto-approved. If the proxy type requires the
display of a password this value is overridden by the TPAM Release Minimum Approver.
--NotifyFrequency (Opt): If NotifyThreshold is greater than zero this is the frequency at
which "PSM Expired Session" e-mails will be sent.
--NotifyThreshold (Opt): If greater than zero this indicates the number of minutes after the
expiration of the session request when the system should email notification of a
still-active session. The email notifications will continue until the session has been
terminated.
--PARCLIUserName (Opt): The CLI User on another TPAM appliance used to retrieve the password
when PasswordMethod is "Remote TPAM CLI". The CLI User must already be defined on this
appliance and is in the form of TPAMName/CLIUserName.
--PasswordMethod (Opt): Method PSM uses to authenticate sessions to the Account. The option
values must be surrounded by quotes because of spaces. Valid values are: "Local PAR"
(default): use the local TPAM appliance for the password. "Remote PAR": use another TPAM
appliance for the password; if this option is used the PARCLIUserName must be supplied.
"DSS Key": use a DSS key. See DSSKey, DSSKeyName, and DSSKeyType. "Not Stored": the user
will be prompted for the password when starting the session. "Windows Domain Account": use
the account in DomainAccount for the password.
--PostSessionProfile (Opt): Name of a Post Session Profile to control activities that take
place after the last session on a request has completed. Use the word "Standard" to revert
to default processing.
--ProxyType (Opt): The type of proxy connection used for this session. The values are
platform dependent. Use the entire text as seen in the "Proxy Connection Type" select list
of the PSM Details, e.g., "SSH Interactive Login".
--RecordingRequiredFlag (Opt): Whether to require all sessions to be recorded. Y/N.
--ReviewCount (Opt): Number of post-release reviews required after a session. 0-n
--ReviewerName (Opt): User Name or Group Name of required reviewer. Only accepted when
Reviewer Type is User or Group.
--ReviewerType (Opt): Type of reviewer. Valid values are: Any (default), Auditor, User, Group
--SessionStartNotifyEmail (Opt): If populated this email address will be notified any time a
session is started on this account. Use !NULL to clear the value.
--Help (Opt): Print this help message and exit
UpdateSystem -- options
Modifies an existing system. The CLI user must have ISA or Administrator privilege.
Option Name (Req/Opt): Description
--SystemName (Req): System Name. Must be between 2 and 30 characters in length and consist
of only upper or lower case letters, numbers, hyphen, underscore, period, or US dollar sign
($).
--NewSystemName (Opt): New name to apply to the system. Must be between 2 and 30 characters
in length.
--AllowFuncReqFlag (Opt): Whether to allow the Functional Account password to be requested
and released. Y/N. Default N.
--AllowISADurationFlag (Opt): Allow an ISA to enter a duration when releasing a password in
the GUI. Y/N. Default N.
--AlternateIP (Opt): Alternate IP address in addition to the system NetworkAddress. This
value is only valid on certain platform types.
--BoksServerOS (Opt): The OS Name (platform) for a Boks server.
--ChangeFrequency (Opt): A number between -2 and 360. The default is set on the managed
system. -2=no change scheduled, -1=last day of the month, 0=first day of the month,
1-360=schedule every n days.
--ChangeTime (Opt): Time of day at which the change agent will schedule password changes on
this system. Expressed in 24-hour format. This is a default value for new accounts on the
system.
--Custom[1-6] (Opt): Custom System Columns, if defined. Use !NULL to clear the value.
--CheckFlag (Opt): Schedule accounts on the system for a regular password check. Y/N. This is
a default value for new accounts on the system.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount (Opt)
--DomainName (Opt)
--EGPOnlyFlag (Opt): Setting this value to Yes will disable *ALL* PPM functionality on this
system and all its accounts and will delete any existing password history or secure stored
files. Y/N.
--EnablePassword (Opt): Password to use for the "ENABLE" account (Cisco platforms only).
--EscalationEmail (Opt): If a password post-release review is not completed within the number
of hours in EscalationTime send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password
post-release review has not been completed. Expressed in hours. Use 0 (zero) to disable the
notification.
--FuncAcctCred (Opt): Password for the account indicated in the FunctionalAccount option.
--FunctionalAccount (Opt): Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef (Opt)
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in
minutes. The value will be rounded to the nearest 15-minute increment. Valid values are
1-10080 (7 days).
--NetBiosName (Opt)
--NetworkAddress (Opt): Network address of the system. May be an IPv4 address or a fully
qualified domain name.
--NonPrivFuncFlag (Opt): Y/N.
--OracleSIDSN (Opt): Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle system.
--OracleType (Opt): May be either SID or SN. Only accepted for Oracle platform.
--PasswordRule (Opt): The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new Systems. Must use the text
"Default Password Rule" to change existing systems.
--PlatformName (Opt): Any recognized platform name. Note that certain platforms, once set,
cannot be changed.
--PlatSpecificValue (Opt): A platform specific value, e.g., Linux Delegation prefix or
Windows Computer Name. Not all platforms support this value.
--PortNumber (Opt): Port number used for SSH communication with the system. Default values
are platform specific.
--PrimaryEmail (Opt): Primary email contact for this system. Max of 255 characters. Use !NULL
to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI, or API release. Y/N. This
is a default value for new accounts on the system.
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080.
--RequireTicketForAPI (Opt): Require a valid Ticket System & Number for any API password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid Ticket System & Number for any CLI password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid Ticket System & Number for any ISA password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest (Opt): Require a valid Ticket System & Number for any password or
session request on this account. Y/N
--ResetFlag (Opt): Reset the password if a regular check finds it to be different than what's
stored in TPAM. Y/N. This value is ignored if CheckFlag is N. This is a default value for new
accounts on the system.
--SSHAccount (Opt): The account name to use when communicating with this system via SSH. This
is required when the UseSshFlag is set to Y.
--SSHKey (Opt): Either "Standard" to use the appliance's system standard keys or "Specific"
to generate a specific key for this system. "Standard" is the default.
--SSHPort (Opt): The port number for SSH communication. If not specified a default of 22 is
used.
--SystemAutoFlag (Opt): Whether or not to enable automatic password management for accounts
on this system. Y/N. If set to N the account auto flags may only be N (none) or M (Manual).
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA
without a ticket number. Ignored when RequireTicketForRequest is N or ticket is required for
all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName (Opt): When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of "!Any" to allow tickets from any valid ticket system.
--Timeout (Opt): The number of seconds TPAM will attempt to communicate with the system for
password checks and changes before issuing a "timed out" error. Default is 20 seconds.
--UseSslFlag (Opt): Whether or not to use SSL to communicate with the system. Y/N. Support
for this is platform specific. NOTE: The UseSsl and UseSsh Flags are mutually exclusive. You
may only set one or the other, not both.
--UseSshFlag (Opt): Whether or not to use SSH to communicate with the system. Y/N. Support
for this is platform specific. NOTE: The UseSsl and UseSsh Flags are mutually exclusive. You
may only set one or the other, not both.
--Help (Opt): Print this help message and exit
Legacy support for UpdateSystem command:
UpdateSystem <System>,[NewSystemName],[NetworkAddress],[PrimaryEmail],
[PlatformName],[ChangeFreq],[ReleaseDuration(<=10080)],[SystemAutoFl(Y|N)],
[FunctionalAccount],[FunctionalAcctCredentials (DSS|password)],
[ChangeTime hh:mm],[PasswordRule],[PortNumber],[EnablePassword],[AlternateIP],
[Description],[DomainFunctionalAccount],[BoksServerOS],[LineDef],[Timeout],
[DomainName],[OracleType],[OracleSIDSN],[CheckFl(Y|N)],
[ResetFl(Y|N)],[ReleaseChgFl(Y|N)],[NetBIOSName],[MaxReleaseDuration(<=10080)],
[NonPrivFuncFl(Y|N)],[UseSslFl(Y|N)],[AllowFuncReqFl(Y|N)],[EscalationTime],[EscalationEmail],
[EgpOnlyFl(Y|N)],[PlatSpecificValue]
Deprecated but still supported:
UpdateSystemTicket <System>,<TicketSystemName>,<RequireTicketForRequest(Y|N)>,
<RequireTicketForISA(Y|N)>,<RequireTicketForCLI(Y|N)>,<RequireTicketForAPI(Y|N)>,[TicketEmailNotify]
Modifies the Ticket System requirements on an existing system. The CLI user must have ISA or
Administrator privilege.
UpdateUser -- options
Modifies an existing user account. The CLI user must have user administrator or administrator
privilege.
Option Name (Req/Opt): Description
--UserName (Req): User Name. Maximum 20 characters.
--LastName (Opt): Maximum of 30 characters.
--FirstName (Opt): Maximum of 30 characters.
--Email (Opt): Maximum of 255 characters. Use !NULL to clear.
--Phone (Opt): Maximum of 30 characters. Use !NULL to clear.
--Pager (Opt): Maximum of 30 characters. Use !NULL to clear.
--UserType (Opt): Basic (default), Admin, Auditor, or UserAdmin
--Disable (Opt): Whether the user's ID is currently disabled. Y/N. Disabled users cannot log
in to the appliance.
--ExternalAuth (Opt): Obsolete, replaced with SecondaryAuth
--SecondaryAuth (Opt): Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, and LDAP.
--ExternalAuthSystem (Opt): Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem (Opt): Name of the secondary authentication system of the type
indicated in ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID (Opt): Obsolete, replaced with SecondaryUserID
--SecondaryUserID (Opt*): User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra (Opt): The LDAP Primary Authentication Types support an "Extra" UserID.
The User logs in using a shorthand value in the PrimaryAuthID, but the data in the
PrimaryAuthExtra will be used to do the actual authentication against the external system.
Use !NULL to clear.
--PrimaryAuthID (Opt*): The User ID to use for primary authentication when a WinAD or LDAP
system is used.
--PrimaryAuthType (Opt): The type of the primary authentication system for this user. Current
values are Local, LDAP, or WinAD. When Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem (Opt*): Name of the defined system to use when the PrimaryAuthType is
WinAD or LDAP. Systems are defined by the appliance SysAdmin.
--Description (Opt): Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag (Opt): Indicates whether the LogonHours value represents Allowed or
Prohibited hours. Valid values are A, P, or N (no restrictions).
--LogonHours (Opt): A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all indicating 07:00 AM).
Separate multiple ranges with semi-colons, 07:00-12:00;18:00-23:59 (7AM-12AM and
6PM-11:59PM). If the LogonHoursFlag value is N this value is ignored.
--LogonDays (Opt): When Logon Hours are specified you may also specify the days of the week
those hours are effective. Specify days with a string of 7 X's (to indicate an "on" day) or
periods (for an "off" day) to represent the week from Sunday-Saturday. For example, .XXXXX.
is Mon-Fri on, Sun and Sat off.
--MobileAllowedFlag (Opt): Whether to allow this user to log in to the system from a mobile
device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone (Opt): The user's local time zone. See the Documentation for a list of valid
time zone names. You may enter any part of the time zone name as long as it is unique in the
list, e.g., entering Guam will only find one timezone while entering 02:00 or US will find
multiple entries. A value of "Server" indicates that the user is in the same time zone as the
server and follows the same DST rules.
--DstFlag (Opt): Whether this user is *currently* operating under Daylight Saving/Summer
Time. Y/N. This value is ignored when LocalTimezone is set to "Server". NOTE: This is a
manually maintained value. It does *not* automatically change based on the system calendar!
Additionally, some timezones do not allow/recognize DST.
--Help (Opt): Print this help message and exit
Legacy support for UpdateUser command:
UpdateUser <UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Pager],
[UserType (Basic|Admin|Auditor|UserAdmin)],
[DisableFl(Y|N)],[ExtAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS, WINAD)],
[ExtAuthUserID],[Description]
Deprecated but still supported:
UpdateUser2 <UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Pager],
[UserType (Basic|Admin|Auditor|UserAdmin)],
[DisableFl(Y|N)],[ExtAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS, WINAD)],
[ExtAuthUserID], [LogonHoursFL(N|A|P)],[LogonHours], [PrimAuthType(LOCAL |WINAD)],
[PrimAuthUserID], [PrimAuthSystem], [ExtAuthSystem], [Description]
Modifies an existing user account. The CLI user must have user administrator or administrator
privilege. LogonHoursFL may be N (no logon restrictions), A (LogonHours indicate allowed logon
hours), or P (LogonHours indicate prohibited logon hours). LogonHours describes up to 4 ranges
of hours during which the user is either allowed on or prohibited from logging in to the system.
Note! The comment string can be included in quotes or not, but cannot contain single or
double quotation marks within the string.
Examples:
Command: ssh -i CliAdmin.181.txt [email protected] AddPwdRequest --SystemName NewTestSystem --AccountName NewTestAccount --ForUserName --RequestImmediateFlag Y --ReleaseDuration 30 --RequestNotes Add_Password_Request --TicketNumber AB-12345 --TicketSystemName testticket
Command: ssh -i CliAdmin.181.txt [email protected] UpdateDependentSystems --SystemName WindowsDomainSystem --AccountName DomainAccount --Assign NewTestSystem
Command: ssh -i CliAdmin.181.txt [email protected] ListDependentSystems --SystemName WindowsDomainSystem --AccountName DomainAccount --DependentStatus Dependent
Appendix D: TPAM
Application Programming Interface (API) Manual
1.0 TPAM API Overview
The TPAM Application Programming Interface (API) allows client applications, via an
SSH (Secure Shell) connection to the TPAM appliance, to perform many of the
operations provided in the TPAM User Interface.
The operations supported by the TPAM API are identical to the operations provided
by the TPAM Command Line Interface (CLI). See Appendix C of the TPAM
Administrator Manual for details of the TPAM CLI.
The TPAM API is available in several programming languages to allow customers to
use their choice of programming languages when working with the API. Details for
using the API in each programming language are provided in later sections of this
document.
As mentioned above, the operations are invoked on the TPAM appliance via an SSH
connection. An identity file key created by TPAM and a UserID with "API" user
interface are required for the API to be able to establish the SSH connection. The
necessary SSH client software is included with the TPAM API library, except for
non-Windows installations of the Perl version of the TPAM API. In this case, the
client machine must have SSH software installed and available in the directory path.
2.0 C++ Library
The TPAM API C++ library is provided as a static library. It is distributed with
several other libraries that are required by the TPAM API C++ library.
The main class of the library is ApiClient. This class provides the SSH connection to
TPAM and provides the method used to execute the various operations on TPAM.
Additionally, there are several categories of classes that will be used by application
code using the C++ library. Most classes fall into the category of business objects,
commands, results, or exceptions.
See 6.0 C++ Examples for examples of using the C++ library.
2.1 Class ApiClient
Class ApiClient is used to create the SSH connection to TPAM and execute the
various commands provided by the library. This main class contains only a few
functions.
C++ Library: Class ApiClient

constructor
  Description: Constructor for the class.
  Parameters:
    String host: IP address of TPAM appliance
    String keyFileName: local path to identity key file created by and downloaded from TPAM
    String userName: user name of “API” user defined in TPAM

connect
  Description: This method initiates the SSH connection to TPAM.
  Parameters: None

sendCommand
  Description: This method invokes the requested operation on TPAM and processes the response. The response attributes are available via the appropriate “result” class described below.
  Parameters: An object of a “command” class as discussed below

disconnect
  Description: This method disconnects the SSH session.
  Parameters: None
2.2 Business Object Classes
The business object classes describe the entities in TPAM that can be queried or
manipulated in some manner via the TPAM API.
C++ Library: Business Object Classes

Class                  Description
Account                This class contains the attributes of an account.
Alias                  This class contains the attributes of an alias.
CollectionMembership   This class contains the attributes of a collection membership.
EDMZSystem             This class contains the attributes of a system.
EgpAccount             This class contains the attributes of an EGP account.
GroupMembership        This class contains the attributes of a group membership.
Permission             This class contains the attributes of a permission.
Policy                 This class contains the attributes of an access policy.
PwdRequest             This class contains the attributes of a password request. It is based on the Request class.
Request                This class contains the attributes common to a password or session request.
SessionRequest         This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword   This class contains the attributes of a synchronized password.
SyncPwdSubscriber      This class contains the attributes of a synchronized password subscriber.
User                   This class contains the attributes of a user.
2.3 Command Classes
Each “command” class implements a single operation that can be performed on
TPAM. The constructor for each class accepts the mandatory data that is required by
TPAM to execute the operation.
Some operations have optional values that may be specified. Several of the add and
update operations allow optional attributes of the business object being added or
updated to be set. The list operations allow optional selection criteria to be specified
in order to narrow the results returned by TPAM. See section 2.3.1, Setting Optional
Values for Operations, for details.
An instance of one of these “command” classes is passed to method sendCommand
of class ApiClient to have the operation carried out on TPAM. After execution, a
“result” class can be queried for details of the outcome of the operation. This result
class is accessed via method getResult() of the “command” class. In the case of
commands that query data from TPAM, if the result indicates success, the retrieved
data will be available within the “command” class after execution of the operation on
TPAM.
C++ Library: Command Classes

Class                               “Result” Class Detailing   Method Used to Access Retrieved Data
                                    Execution Outcome
AddAccountAliasCommand              Result                     N/A
AddAccountCommand                   IDResult                   N/A
AddAliasCommand                     IDResult                   N/A
AddCollectionCommand                Result                     N/A
AddCollectionMemberCommand          Result                     N/A
AddGroupCommand                     Result                     N/A
AddGroupMemberCommand               Result                     N/A
AddPwdRequestCommand                IDResult                   N/A
AddSessionRequestCommand            IDResult                   N/A
AddSyncPwdSubCommand                Result                     N/A
AddSystemCommand                    IDResult                   N/A
AddUserCommand                      IDResult                   N/A
ApproveCommand                      Result                     N/A
ApproveSessionRequestCommand        Result                     N/A
CancelCommand                       Result                     N/A
CancelSessionRequestCommand         Result                     N/A
ChangeUserPasswordCommand           Result                     N/A
CheckPasswordCommand                Result                     N/A
DeleteAccountCommand                Result                     N/A
DeleteSystemCommand                 Result                     N/A
DeleteUserCommand                   Result                     N/A
DropAccountAliasCommand             Result                     N/A
DropCollectionCommand               Result                     N/A
DropCollectionMemberCommand         Result                     N/A
DropGroupCommand                    Result                     N/A
DropGroupMemberCommand              Result                     N/A
DropSyncPwdSubCommand               Result                     N/A
ForceResetCommand                   Result                     N/A
GetPwdRequestCommand                ListResult                 getPwdRequest() returns a single PwdRequest object
GetSessionRequestCommand            ListResult                 getSessionRequest() returns a single SessionRequest object
GrantPermissionCommand              Result                     N/A
ListAccountsCommand                 ListResult                 getAccountList() returns a vector of Account objects
ListAssignedPoliciesCommand         ListResult                 getAssignedPoliciesList() returns a vector of Policy objects
ListCollectionMembershipCommand     ListResult                 getCollectionMembershipList() returns a vector of CollectionMembership objects
ListDependentSystemsCommand         ListResult                 getDependentSystemsList() returns a vector of DependentSystem objects
ListEgpAccountsCommand              ListResult                 getEgpAccountList() returns a vector of EgpAccount objects
ListEgpPermissionsCommand           ListResult                 getPermissionList() returns a vector of Permission objects
ListGroupMembershipCommand          ListResult                 getGroupMembershipList() returns a vector of GroupMembership objects
ListPermissionsCommand              ListResult                 getPermissionList() returns a vector of Permission objects
ListRequestCommand                  ListResult                 getRequestList() returns a vector of Request objects
ListRequestDetailsCommand           ListResult                 getRequestDetailsList() returns a vector of Request objects
ListSessionRequestCommand           ListResult                 getSessionRequestList() returns a vector of SessionRequest objects
ListSessionRequestDetailsCommand    ListResult                 getSessionRequestDetailsList() returns a vector of SessionRequest objects
ListSynchronizedPasswordsCommand    ListResult                 getSynchronizedPasswordsList() returns a vector of SynchronizedPassword objects
ListSyncPwdSubscribersCommand       ListResult                 getSyncPwdSubscribers() returns a vector of SyncPwdSubscriber objects
ListSystemsCommand                  ListResult                 getSystemList() returns a vector of EDMZSystem objects
ListUsersCommand                    ListResult                 getUserList() returns a vector of User objects
RetrieveCommand                     Result                     getPassword() returns the password as a string
RetrieveWithTicketCommand           Result                     getPassword() returns the password as a string
RevokePermissionCommand             Result                     N/A
SetAccessPolicyCommand              Result                     N/A
SetEgpPermissionCommand             Result                     N/A
SetPermissionCommand                Result                     N/A
SyncPassForceResetCommand           Result                     N/A
TestSystemCommand                   Result                     N/A
UnlockUserCommand                   Result                     N/A
UpdateAccountAliasCommand           Result                     N/A
UpdateAccountCommand                IDResult                   N/A
UpdateAccountTicketCommand          IDResult                   N/A
UpdateAliasCommand                  IDResult                   N/A
UpdateDependentSystemsCommand       Result                     N/A
UpdateEgpAccountCommand             IDResult                   N/A
UpdateSystemCommand                 IDResult                   N/A
UpdateSystemTicketCommand           IDResult                   N/A
UpdateUserCommand                   IDResult                   N/A
2.3.1 Setting Optional Values for Operations
Add and update “command” classes that allow optional values to be set
contain an instance of the corresponding business object. Mandatory values
specified in the “command” class constructor are populated in the business
object. The optional values can be set by obtaining a reference to the
business object from the “command” class, and setting the desired attributes
of the business object.
For example, when adding a new system, the constructor for class
AddSystemCommand requires parameters specifying the system name,
network address, and platform name. These values are populated in the
EDMZSystem object contained within the AddSystemCommand object. To set
optional attributes, obtain a reference to this EDMZSystem object by calling
method getSystem() on the AddSystemCommand object, and then call the
desired setter methods of the EDMZSystem object. This is demonstrated in
the example code provided in 6.0 C++ Examples.
The add and update “command” classes that contain these business objects
that allow setting of optional values are shown in the following table.
C++ Library: Command Classes containing Business Objects

Class                                        Method Used to Get Business Object Reference
AddAccountCommand, UpdateAccountCommand      getAccount()
AddAliasCommand, UpdateAliasCommand          getAlias()
AddCollectionMemberCommand                   getCollectionMembership()
AddGroupMemberCommand                        getGroupMembership()
AddSystemCommand, UpdateSystemCommand        getSystem()
AddUserCommand, UpdateUserCommand            getUser()
Selection criteria for the list operations are specified by using the setter
methods of the “command” classes that perform the list operations. See the
example code provided in 6.0 C++ Examples.
2.4 Result Classes
The “result” classes detail the result of the execution of operations on TPAM.
C++ Library: Result Classes

Result
  Integer return code: zero indicates successful execution of the command, non-zero indicates failure.
  String message: a message returned by TPAM with brief information about execution of the command.

IDResult
  Integer return code: see Result class for description.
  String message: see Result class for description.
  Integer ID: on successful command execution, this field shows the row number of the modified database record.

ListResult
  Integer return code: see Result class for description.
  String message: see Result class for description.
  Integer row count: on successful list operations, this value tells how many entries have been returned by TPAM. Query the appropriate attribute of the “command” class to access the data returned by TPAM.
2.5 Exception Classes
The C++ TPAM API Library will throw exceptions under error conditions. Each
exception contains a message describing the failure.
C++ Library: Exception Classes

Class                 Description
ParseException        This exception will be thrown if there is a failure while parsing a response from TPAM.
SshException          This exception will be thrown if there is a problem with the SSH connection being used to communicate with TPAM.
ValidationException   This exception will be thrown if validation fails on any data prior to sending that data to TPAM for processing.
                      Note that most data validation is done by TPAM itself. Under this scenario, if invalid data is passed to TPAM, ValidationException is not raised. Instead, the result from execution of the command on TPAM will indicate a failure and the result message details the failure reason.
3.0 .NET Library
The TPAM API .NET library is provided as a Windows DLL file. It is distributed
alongside the TPAM API C++ Library.
The main class of the library is ApiClientWrapper. This class provides the SSH
connection to TPAM and methods to execute all available operations on TPAM.
Additionally, there are several categories of classes that will be used by application
code using the .NET library. These classes fall into the categories of business
objects, filters, and results.
See 7.0 .NET Examples (C#) for examples of using the .NET library.
3.1 Class ApiClientWrapper
Class ApiClientWrapper is used to create the SSH connection to TPAM, and it
provides methods to implement the various operations available in the library.
Methods in ApiClientWrapper will throw an ApplicationException on error. A message
describing the failure is included in the exception.
.NET Library: Class ApiClientWrapper

Method: constructor
  Parameters:
    System::String^ host: IP address of TPAM appliance
    System::String^ keyFileName: local path to identity key file created by and downloaded from TPAM
    System::String^ userName: user name of “API” user defined in TPAM
  Returns: N/A

Method: connect (initiate the SSH connection to TPAM)
  Parameters: None
  Returns: Void

Method: disconnect (disconnect the SSH session)
  Parameters: None
  Returns: Void

Method: addAccount
  Parameters: Account^ account
  Returns: IDResult

Method: addAccountAlias
  Parameters: System::String^ aliasSystem, System::String^ aliasAccountName, System::String^ accountName, System::String^ aliasTypeString, System::String^ pcmCommand
  Returns: Result

Method: addAccountAlias
  Parameters: System::String^ aliasSystemName, System::String^ accountAliasName, System::String^ accountName, System::String^ aliasTypeString, AddAccountAliasParms^ parms
  Returns: Result

Method: addAlias
  Parameters: Alias^ alias
  Returns: IDResult

Method: addCollection
  Parameters: System::String^ collectionName, System::String^ description
  Returns: Result

Method: addCollectionMember
  Parameters: System::String^ systemName, System::String^ collectionName
  Returns: Result

Method: addCollectionMember
  Parameters: System::String^ systemName, System::String^ collectionName, AddCollectionMemberParms^ parms
  Returns: Result

Method: addGroup
  Parameters: System::String^ groupName, System::String^ description
  Returns: Result

Method: addGroupMember
  Parameters: System::String^ userName, System::String^ groupName
  Returns: Result

Method: addPwdRequest
  Parameters: System::String^ systemName, System::String^ accountName, System::String^ forUserName, System::String^ requestNotes, AddPwdRequestParms^ parms
  Returns: IDResult

Method: addSessionRequest
  Parameters: System::String^ systemName, System::String^ accountName, System::String^ forUserName, System::String^ requestNotes, AddSessionRequestParms^ parms
  Returns: IDResult

Method: addSyncPwdSub
  Parameters: System::String^ syncPassName, System::String^ systemName, System::String^ accountName
  Returns: Result

Method: addSystem
  Parameters: EDMZSystem^ system
  Returns: IDResult

Method: addUser
  Parameters: User^ user
  Returns: IDResult

Method: approve
  Parameters: int requestID, System::String^ comment
  Returns: Result

Method: approveSessionRequest
  Parameters: int requestID, System::String^ comment
  Returns: Result

Method: cancel
  Parameters: int requestID, System::String^ comment
  Returns: Result

Method: cancelSessionRequest
  Parameters: int requestID, System::String^ comment
  Returns: Result

Method: changeUserPassword
  Parameters: System::String^ userName, System::String^ password
  Returns: Result

Method: checkPassword
  Parameters: System::String^ systemName, System::String^ accountName
  Returns: Result

Method: deleteAccount
  Parameters: System::String^ systemName, System::String^ accountName
  Returns: Result

Method: deleteSystem
  Parameters: System::String^ systemName
  Returns: Result

Method: deleteUser
  Parameters: System::String^ userName
  Returns: Result

Method: dropAccountAlias
  Parameters: System::String^ aliasSystem, System::String^ aliasAccountName, System::String^ accountName, System::String^ aliasTypeString, System::String^ pcmCommand
  Returns: Result

Method: dropAccountAlias
  Parameters: System::String^ aliasSystemName, System::String^ accountAliasName, System::String^ aliasTypeString
  Returns: Result

Method: dropCollection
  Parameters: System::String^ collectionName
  Returns: Result

Method: dropCollectionMember
  Parameters: System::String^ systemName, System::String^ collectionName
  Returns: Result

Method: dropCollectionMember
  Parameters: System::String^ systemName, System::String^ collectionName, DropCollectionMemberParms^ parms
  Returns: Result

Method: dropGroup
  Parameters: System::String^ groupName
  Returns: Result

Method: dropGroupMember
  Parameters: System::String^ userName, System::String^ groupName
  Returns: Result

Method: dropSyncPwdSub
  Parameters: System::String^ syncPassName, System::String^ systemName, System::String^ accountName
  Returns: Result

Method: forceReset
  Parameters: System::String^ systemName, System::String^ accountName
  Returns: Result

Method: getPwdRequest
  Parameters: int requestID, [System::Runtime::InteropServices::Out] PwdRequest^ %request
  Returns: ListResult

Method: getSessionRequest
  Parameters: int requestID, [System::Runtime::InteropServices::Out] SessionRequest^ %sessionRequest
  Returns: ListResult

Method: grantPermission
  Parameters:
    System::String^ permName
    UserOrGroup userOrGroupChoice (possible values are USER or GROUP)
    System::String^ userOrGroupName
    SystemOrCollection systemOrCollectionChoice (possible values are SYSTEM or COLLECTION)
    System::String^ systemOrCollectionName
  Returns: Result

Method: listAccounts
  Parameters: AccountFilter^ filter, [System::Runtime::InteropServices::Out] array<Account^>^% accounts
  Returns: ListResult

Method: listAssignedPolicies
  Parameters: PolicyFilter^ filter, [System::Runtime::InteropServices::Out] array<Policy^>^% policies
  Returns: ListResult

Method: listCollectionMembership
  Parameters: System::String^ collectionName, System::String^ systemName, int maxRows, [System::Runtime::InteropServices::Out] array<CollectionMembership^>^% membership
  Returns: ListResult

Method: listDependentSystems
  Parameters: System::String^ systemName, System::String^ accountName, DependentSystemFilter^ filter, [System::Runtime::InteropServices::Out] array<DependentSystem^>^% dependentSystems
  Returns: ListResult

Method: listEgpAccounts
  Parameters: EgpAccountFilter^ filter, [System::Runtime::InteropServices::Out] array<EgpAccount^>^% egpAccounts
  Returns: ListResult

Method: listPermissions, listEgpPermissions
  Parameters: PermissionFilter^ filter, [System::Runtime::InteropServices::Out] array<Permission^>^% permissions
  Returns: ListResult

Method: listGroupMembership
  Parameters: System::String^ groupName, System::String^ userName, int maxRows, [System::Runtime::InteropServices::Out] array<GroupMembership^>^% membership
  Returns: ListResult

Method: listRequest
  Parameters: RequestFilter^ filter, [System::Runtime::InteropServices::Out] array<Request^>^% requests
  Returns: ListResult

Method: listRequestDetails
  Parameters: RequestFilter^ filter, [System::Runtime::InteropServices::Out] array<Request^>^% requests
  Returns: ListResult

Method: listSessionRequest
  Parameters: SessionRequestFilter^ filter, [System::Runtime::InteropServices::Out] array<SessionRequest^>^% sessionRequests
  Returns: ListResult

Method: listSessionRequestDetails
  Parameters: SessionRequestFilter^ filter, [System::Runtime::InteropServices::Out] array<SessionRequest^>^% sessionRequests
  Returns: ListResult

Method: listSynchronizedPasswords
  Parameters: [System::Runtime::InteropServices::Out] array<SynchronizedPassword^>^% synchronizedPasswords
  Returns: ListResult

Method: listSyncPwdSubscribers
  Parameters: System::String^ syncPassName, [System::Runtime::InteropServices::Out] array<SyncPwdSubscriber^>^% syncPwdSubscribers
  Returns: ListResult

Method: listSystems
  Parameters: SystemFilter^ filter, [System::Runtime::InteropServices::Out] array<EDMZSystem^>^% systems
  Returns: ListResult

Method: listUsers
  Parameters: UserFilter^ filter, [System::Runtime::InteropServices::Out] array<User^>^% users
  Returns: ListResult

Method: retrieve
  Parameters: System::String^ systemName, System::String^ accountName, int timeRequired, System::String^ comment
  Returns: Result

Method: retrieve (v2.3+)
  Parameters: System::String^ systemName, System::String^ accountName, System::String^ comment, RetrieveParms^ parms
  Returns: Result

Method: retrieve (v2.3+)
  Parameters: System::String^ systemName, System::String^ accountName, RetrieveParms^ parms
  Returns: Result

Method: retrieveWithTicket
  Parameters: System::String^ systemName, System::String^ accountName, int timeRequired, System::String^ ticketSystemName, System::String^ ticketNumber, System::String^ comment
  Returns: Result

Method: revokePermission
  Parameters:
    System::String^ permName
    UserOrGroup userOrGroupChoice (possible values are USER or GROUP)
    System::String^ userOrGroupName
    SystemOrCollection systemOrCollectionChoice (possible values are SYSTEM or COLLECTION)
    System::String^ systemOrCollectionName
  Returns: Result

Method: setAccessPolicy
  Parameters: System::String^ accessPolicyName, System::String^ action, SetAccessPolicyParms^ parms
  Returns: Result

Method: setPermission, setEgpPermission
  Parameters:
    System::String^ permName
    UserOrGroup userOrGroupChoice (possible values are USER or GROUP)
    System::String^ userOrGroupName
    SystemOrCollection systemOrCollectionChoice (possible values are SYSTEM or COLLECTION)
    System::String^ systemOrCollectionName
  Returns: Result

Method: syncPassForceReset
  Parameters: System::String^ syncPassName
  Returns: Result

Method: syncPassForceReset
  Parameters: System::String^ syncPassName, System::String^ newPassword
  Returns: Result

Method: testSystem
  Parameters: System::String^ systemName
  Returns: Result

Method: unlockUser
  Parameters: System::String^ userName
  Returns: Result

Method: updateAccount
  Parameters: Account^ account
  Returns: IDResult

Method: updateAccountAlias
  Parameters: System::String^ aliasSystemName, System::String^ accountAliasName, System::String^ aliasTypeString, UpdateAccountAliasParms^ parms
  Returns: Result

Method: updateAccountTicket
  Parameters:
    System::String^ systemName
    System::String^ accountName
    System::String^ ticketSystemName
    eDMZ::ParApi::Flag requireTicketForRequest
    eDMZ::ParApi::Flag requireTicketForISA
    eDMZ::ParApi::Flag requireTicketForCLI
    eDMZ::ParApi::Flag requireTicketForAPI
    System::String^ ticketEmailNotify
  Returns: IDResult

Method: updateAlias
  Parameters: Alias^ alias
  Returns: IDResult

Method: updateDependentSystems
  Parameters: System::String^ systemName, System::String^ accountName, UpdateDependentSystemsParms^ parms
  Returns: Result

Method: updateEgpAccount
  Parameters: System::String^ systemName, System::String^ accountName, UpdateEgpAccountParms^ parms
  Returns: IDResult

Method: updateSystem
  Parameters: EDMZSystem^ system
  Returns: IDResult

Method: updateSystemTicket
  Parameters:
    System::String^ systemName
    System::String^ ticketSystemName
    eDMZ::ParApi::Flag requireTicketForRequest
    eDMZ::ParApi::Flag requireTicketForISA
    eDMZ::ParApi::Flag requireTicketForCLI
    eDMZ::ParApi::Flag requireTicketForAPI
    System::String^ ticketEmailNotify
  Returns: IDResult

Method: updateUser
  Parameters: User^ user
  Returns: IDResult
3.2 Business Object Classes
The business object classes describe the entities in TPAM that can be queried or
manipulated in some manner via the TPAM API.
.NET Library: Business Object Classes

Class                  Description
Account                This class contains the attributes of an account.
Alias                  This class contains the attributes of an alias.
CollectionMembership   This class contains the attributes of a collection membership.
DependentSystem        This class contains the attributes of a dependent system.
EDMZSystem             This class contains the attributes of a system.
EgpAccount             This class contains the attributes of an EGP account.
GroupMembership        This class contains the attributes of a group membership.
Permission             This class contains the attributes of a permission.
Policy                 This class contains the attributes of an access policy.
PwdRequest             This class contains the attributes of a password request. It is based on the Request class.
Request                This class contains the attributes common to a password or session request.
SessionRequest         This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword   This class contains the attributes of a synchronized password.
SyncPwdSubscriber      This class contains the attributes of a synchronized password subscriber.
User                   This class contains the attributes of a user.
3.3 Filter and Parms Classes
The “filter” classes are used to specify selection criteria for data being requested
from TPAM.
.NET Library: Filter Classes

Class                   Description
AccountFilter           Provides selection criteria for listAccounts
DependentSystemFilter   Provides selection criteria for listDependentSystems
EgpAccountFilter        Provides selection criteria for listEgpAccounts
PermissionFilter        Provides selection criteria for listPermissions and listEgpPermissions
PolicyFilter            Provides selection criteria for listAssignedPolicies
RequestFilter           Provides selection criteria for listRequest and listRequestDetails
SessionRequestFilter    Provides selection criteria for listSessionRequest and listSessionRequestDetails
SystemFilter            Provides selection criteria for listSystems
UserFilter              Provides selection criteria for listUsers
The “parms” classes are used to specify optional parameters for various methods
implemented in ApiClientWrapper.
.NET Library: Parms Classes

Class                         Description
AddAccountAliasParms          Allows setting of optional parameters for the addAccountAlias method
AddCollectionMemberParms      Allows setting of optional parameters for the addCollectionMember method
AddPwdRequestParms            Allows setting of optional parameters for the addPwdRequest method
AddSessionRequestParms        Allows setting of optional parameters for the addSessionRequest method
DropCollectionMemberParms     Allows setting of optional parameters for the dropCollectionMember method
RetrieveParms                 Allows setting of optional parameters for the retrieve method
SetAccessPolicyParms          Allows setting of optional parameters for the setAccessPolicy method
UpdateAccountAliasParms       Allows setting of optional parameters for the updateAccountAlias method
UpdateDependentSystemsParms   Allows setting of optional parameters for the updateDependentSystems method
UpdateEgpAccountParms         Allows setting of optional parameters for the updateEgpAccount method
3.4 Result Classes
The “result” classes detail the result of the execution of operations on TPAM.
.NET Library: Result Classes

Result
  Integer return code: zero indicates successful execution of the command, non-zero indicates failure.
  String message: a message returned by TPAM with brief information about execution of the command.

IDResult
  Integer return code: see Result class for description.
  String message: see Result class for description.
  Integer ID: on successful command execution, this field shows the row number of the modified database record.

ListResult
  Integer return code: see Result class for description.
  String message: see Result class for description.
  Integer row count: on successful list operations, this value tells how many entries have been returned by TPAM.
  Array of Objects: array containing “row count” elements, with each element being an object of the type described under business objects as requested by the operation. This array is used internally by the API. It simply refers to the data being returned as an OUT parameter of list operations. It is suggested that applications using the API use the OUT parameters instead of this array.
4.0 Perl Library
Documentation for the TPAM API Perl library is available in Perl POD format. Please
see the Customer Portal to download this document.
5.0 Java Library
Documentation for the TPAM API Java library is available in Javadoc format. Please
see the Customer Portal to download this document.
6.0 C++ Examples
The following examples have minimal error checking for simplicity.
#include <iostream>
// Also include the headers shipped with the TPAM API C++ library; they declare
// ApiClient and the command, result and exception classes used below.
using namespace std;

void addSystem(ApiClient& client)
{
    // Add a dummy system.
    AddSystemCommand asc("testsys", "147.148.149.150", "AS400");
    // Set some optional attributes of the system being added (see 2.3.1).
    asc.getSystem().setSystemAutoFl(Flag::FLAG_N);
    asc.getSystem().setDescription("Description for testsys");
    // Execute the operation on TPAM.
    client.sendCommand(asc);
    // Check the outcome of the operation.
    IDResult* idresult = asc.getResult();
    cout << "addSystem: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void addAccount(ApiClient& client)
{
    // Add a dummy account.
    AddAccountCommand aac("testsys", "testacct");
    // Set an optional attribute of the account being added.
    aac.getAccount().setDescription("Description for testacct");
    // Execute the operation on TPAM.
    client.sendCommand(aac);
    // Check the outcome of the operation.
    IDResult* idresult = aac.getResult();
    cout << "addAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void updateAccount(ApiClient& client)
{
    // Update the account password.
    UpdateAccountCommand uac("testsys", "testacct");
    uac.getAccount().setPassword("a1b2c3d4e5");
    // Execute the operation on TPAM.
    client.sendCommand(uac);
    // Check the outcome of the operation.
    IDResult* idresult = uac.getResult();
    cout << "updateAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void retrieve(ApiClient& client)
{
    // Get the password for testsys/testacct.
    RetrieveCommand rc("testsys", "testacct", 30, "This is my comment");
    // Execute the operation on TPAM.
    client.sendCommand(rc);
    Result* result = rc.getResult();
    if (result->getReturnCode() == 0)
    {
        // Demonstration only: a real application should not write the
        // retrieved password to the console or to a log.
        cout << "retrieve: The password is " << rc.getPassword() << endl;
    }
    else
    {
        cout << "Failed retrieving password: " << result->getMessage() << endl;
    }
}

void listAccounts(ApiClient& client)
{
    // List the accounts, but set filters to see only testsys/testacct.
    ListAccountsCommand lac;
    lac.setSystemName("testsys");
    lac.setAccountName("testacct");
    // Execute the operation on TPAM.
    client.sendCommand(lac);
    ListResult* listresult = lac.getResult();
    // Since we set filters for just testsys/testacct,
    // there should be just 1 entry returned. Check the row count
    // before indexing into the returned vector.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "listAccounts: The description for testsys/testacct is "
             << lac.getAccountList().at(0).getDescription() << endl;
    }
    else
    {
        cout << "Unexpected result for listAccounts: "
             << listresult->getMessage() << endl;
    }
}

void listSystems(ApiClient& client)
{
    // We'll list all defined systems.
    ListSystemsCommand lsc;
    // Execute the operation on TPAM.
    client.sendCommand(lsc);
    ListResult* listresult = lsc.getResult();
    if (listresult->getReturnCode() == 0)
    {
        for (int i = 0; i < listresult->getRowCount(); i++)
        {
            cout << "listSystems: System name: "
                 << lsc.getSystemList().at(i).getSystemName() << endl;
        }
    }
}

void deleteAccount(ApiClient& client)
{
    // Delete the account.
    DeleteAccountCommand dac("testsys", "testacct");
    // Execute the operation on TPAM.
    client.sendCommand(dac);
    // Check the outcome of the operation.
    Result* result = dac.getResult();
    cout << "deleteAccount: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void deleteSystem(ApiClient& client)
{
    // Delete the system.
    DeleteSystemCommand dsc("testsys");
    // Execute the operation on TPAM.
    client.sendCommand(dsc);
    // Check the outcome of the operation.
    Result* result = dsc.getResult();
    cout << "deleteSystem: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void getPwdRequest(ApiClient& client)
{
    // Look up password request number 9.
    GetPwdRequestCommand gprc(9);
    // Execute the operation on TPAM.
    client.sendCommand(gprc);
    ListResult* listresult = gprc.getResult();
    // This operation always returns just 1 entry.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "getPwdRequest: Status of request "
             << gprc.getPwdRequest().getRequestID()
             << " is "
             << gprc.getPwdRequest().getRequestStatus() << endl;
    }
    else
    {
        cout << "Unexpected result for getPwdRequest: "
             << listresult->getMessage() << endl;
    }
}

int main()
{
    // Appliance address, local path of the identity key downloaded from TPAM,
    // and the name of the "API" user defined in TPAM.
    ApiClient client("192.168.70.3", "C:/keys/parapiuser.txt", "parapiuser");
    try
    {
        client.connect();
        try
        {
            addSystem(client);
            addAccount(client);
            updateAccount(client);
            retrieve(client);
            listAccounts(client);
            listSystems(client);
            deleteAccount(client);
            deleteSystem(client);
            getPwdRequest(client);
        }
        catch (ValidationException& vex)
        {
            cout << "ValidationException: " << vex.toString() << endl;
        }
        catch (ParseException& pex)
        {
            cout << "ParseException: " << pex.toString() << endl;
        }
        // Call disconnect() on the ApiClient after commands have completed.
        client.disconnect();
    }
    catch (SshException& sshex)
    {
        cout << "SshException: " << sshex.toString() << endl;
    }
}
7.0 .NET Examples (C#)
The following examples have minimal error checking for simplicity.
using System;
// Reference the TPAM API .NET DLL; it provides ApiClientWrapper and the
// business object, filter and result classes used below.

static void addSystem(ApiClientWrapper client)
{
    // Add a dummy system.
    EDMZSystem edmzsys = new EDMZSystem();
    edmzsys.systemName = "testsys";
    edmzsys.networkAddress = "147.148.149.150";
    edmzsys.platformName = "AS400";
    edmzsys.systemAutoFl = Flag.N;
    edmzsys.description = "Description of testsys";
    // Execute the operation on TPAM.
    IDResult idresult = client.addSystem(edmzsys);
    // Check the outcome of the operation.
    Console.WriteLine("addSystem: rc = {0}, message = {1}",
        idresult.returnCode, idresult.message);
}

static void addAccount(ApiClientWrapper client)
{
    // Add a dummy account.
    Account account = new Account();
    account.systemName = "testsys";
    account.accountName = "testacct";
    account.description = "Description for testacct";
    // Execute the operation on TPAM.
    IDResult idresult = client.addAccount(account);
    // Check the outcome of the operation.
    Console.WriteLine("addAccount: rc = {0}, message = {1}",
        idresult.returnCode, idresult.message);
}

static void updateAccount(ApiClientWrapper client)
{
    // Update the account password.
    Account account = new Account();
    account.systemName = "testsys";
    account.accountName = "testacct";
    account.password = "a1b2c3d4e5";
    // Execute the operation on TPAM.
    IDResult idresult = client.updateAccount(account);
    // Check the outcome of the operation.
    Console.WriteLine("updateAccount: rc = {0}, message = {1}",
        idresult.returnCode, idresult.message);
}

static void retrieve(ApiClientWrapper client)
{
    Result result = client.retrieve(
        "testsys", "testacct", 30, "This is my comment");
    if (result.returnCode == 0)
    {
        // If returnCode indicates success, the message is the password.
        // Demonstration only: a real application should not write it to
        // the console or to a log.
        Console.WriteLine("retrieve: The password is {0}",
            result.message);
    }
    else
    {
        // If returnCode indicates failure,
        // the message is an actual message.
        Console.WriteLine("Failed retrieving password: {0}",
            result.message);
    }
}

static void listAccounts(ApiClientWrapper client)
{
    // List the accounts, but set filters to see only testsys/testacct.
    AccountFilter af = new AccountFilter();
    af.systemName = "testsys";
    af.accountName = "testacct";
    // Execute the operation on TPAM.
    Account[] accounts = null;
    ListResult lr = client.listAccounts(af, out accounts);
    // Since we set filters for just testsys/testacct,
    // there should be just 1 entry returned. Check the row count
    // before indexing into the OUT array.
    if ((lr.returnCode == 0) && (lr.rowCount == 1))
    {
        Console.WriteLine(
            "listAccounts: The description for testsys/testacct is {0}",
            accounts[0].description);
    }
    else
    {
        Console.WriteLine("Unexpected result for listAccounts: {0}",
            lr.message);
    }
}

static void listSystems(ApiClientWrapper client)
{
    // We'll list all defined systems (null filter = no selection criteria).
    EDMZSystem[] systems = null;
    ListResult lr = client.listSystems(null, out systems);
    if (lr.returnCode == 0)
    {
        for (int i = 0; i < lr.rowCount; i++)
        {
            Console.WriteLine("listSystems: System name: {0}",
                systems[i].systemName);
        }
    }
}

static void deleteAccount(ApiClientWrapper client)
{
    // Delete the account.
    Result result = client.deleteAccount("testsys", "testacct");
    // Check the outcome of the operation.
    Console.WriteLine("deleteAccount: rc = {0}, message = {1}",
        result.returnCode, result.message);
}

static void deleteSystem(ApiClientWrapper client)
{
    // Delete the system.
    Result result = client.deleteSystem("testsys");
    // Check the outcome of the operation.
    Console.WriteLine("deleteSystem: rc = {0}, message = {1}",
        result.returnCode, result.message);
}

static void getPwdRequest(ApiClientWrapper client)
{
    // Look up password request number 9.
    PwdRequest request;
    ListResult lr = client.getPwdRequest(9, out request);
    if (lr.returnCode == 0)
    {
        Console.WriteLine(
            "getPwdRequest: Status of request {0} is {1}",
            request.requestID,
            request.requestStatus);
    }
    else
    {
        Console.WriteLine("Unexpected result for getPwdRequest: {0}",
            lr.message);
    }
}

static void Main(string[] args)
{
    // Appliance address, local path of the identity key downloaded from TPAM,
    // and the name of the "API" user defined in TPAM.
    ApiClientWrapper client = new ApiClientWrapper(
        "192.168.70.3",
        "C:\\keys\\parapiuser.txt",
        "parapiuser");
    try
    {
        client.connect();
        addSystem(client);
addAccount(client);
updateAccount(client);
retrieve(client);
listAccounts(client);
listSystems(client);
deleteAccount(client);
deleteSystem(client);
getPwdRequest(client);
}
catch (ApplicationException aex)
{
Console.WriteLine("Exception: {0}", aex.Message);
}
finally
{
client.disconnect();
}
}
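The sample Main above calls every step in sequence and only prints each return code, so a failed addSystem is still followed by addAccount, updateAccount and a retrieve against a system that was never created, and the dummy objects are removed only if control reaches the delete calls. The following is an added example, not sample code from the manual or from Quest: it wraps the same ApiClientWrapper calls in a helper that turns a non-zero returnCode into the ApplicationException the sample already catches, stops at the first failure, and moves removal of the dummy system and account into a finally block. It assumes the types and members used in the sample (ApiClientWrapper, EDMZSystem, Account, Flag, IDResult, Result and their returnCode/message fields, with returnCode taken to be an int); SafeSample, Require, ProvisionAndVerify and Cleanup are hypothetical names introduced here.

```csharp
using System;

// Added example: fail fast on the first API error and always remove the
// dummy objects. Assumes the ApiClientWrapper, EDMZSystem, Account, Flag,
// IDResult and Result types used by the manual's sample; SafeSample,
// Require, ProvisionAndVerify and Cleanup are names introduced here.
static class SafeSample
{
    // Turn a non-zero returnCode into the ApplicationException the sample's
    // Main already catches, so later steps never run against a system or
    // account that was not created. (Assumes returnCode is an int.)
    static void Require(string operation, int returnCode, string message)
    {
        if (returnCode != 0)
        {
            throw new ApplicationException(string.Format(
                "{0} failed: rc = {1}, message = {2}",
                operation, returnCode, message));
        }
    }

    // Create the dummy system and account, then verify that the stored
    // password can be retrieved. Only the outcome is returned; the password
    // itself is neither logged nor passed back from this method.
    static bool ProvisionAndVerify(ApiClientWrapper client)
    {
        EDMZSystem edmzsys = new EDMZSystem();
        edmzsys.systemName = "testsys";
        edmzsys.networkAddress = "147.148.149.150"; // sample value from the manual
        edmzsys.platformName = "AS400";
        edmzsys.systemAutoFl = Flag.N;
        edmzsys.description = "Description of testsys";
        IDResult sysResult = client.addSystem(edmzsys);
        Require("addSystem", sysResult.returnCode, sysResult.message);

        Account account = new Account();
        account.systemName = "testsys";
        account.accountName = "testacct";
        account.description = "Description for testacct";
        IDResult acctResult = client.addAccount(account);
        Require("addAccount", acctResult.returnCode, acctResult.message);

        // A return code of 0 means retrieved.message holds the password.
        Result retrieved = client.retrieve(
            "testsys", "testacct", 30, "Integration check");
        return retrieved.returnCode == 0;
    }

    // Remove the dummy account and system. Called from a finally block, so
    // failures are reported rather than thrown, to avoid masking the error
    // that caused the clean-up (e.g. deleteAccount after addAccount failed).
    static void Cleanup(ApiClientWrapper client)
    {
        Result r = client.deleteAccount("testsys", "testacct");
        if (r.returnCode != 0)
            Console.WriteLine("deleteAccount: rc = {0}, message = {1}",
                r.returnCode, r.message);
        r = client.deleteSystem("testsys");
        if (r.returnCode != 0)
            Console.WriteLine("deleteSystem: rc = {0}, message = {1}",
                r.returnCode, r.message);
    }

    static void Main(string[] args)
    {
        ApiClientWrapper client = new ApiClientWrapper(
            "192.168.70.3",              // appliance address from the manual's sample
            "C:\\keys\\parapiuser.txt",
            "parapiuser");
        bool connected = false;
        try
        {
            client.connect();
            connected = true;
            bool ok = ProvisionAndVerify(client);
            Console.WriteLine("retrieve check: {0}",
                ok ? "password retrievable" : "retrieve failed");
        }
        catch (ApplicationException aex)
        {
            Console.WriteLine("Exception: {0}", aex.Message);
        }
        finally
        {
            // Only attempt clean-up and disconnect on a session that was opened.
            if (connected)
            {
                Cleanup(client);
                client.disconnect();
            }
        }
    }
}
```

Because Require throws the same exception type the sample's catch block handles, the structure of Main stays the same as in the manual; what changes is that a failure of any provisioning step is surfaced once, with the operation name, instead of being printed and ignored while the following steps run.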