The Privileged Appliance and Modules
(TPAM) 2.5
Administrator Guide
Copyright © 2017 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and AIX
are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Juniper,
JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Linux® is
a registered trademark of Linus Torvalds in the United States, other countries, or both. MariaDB is a registered trademark of
MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are registered trademarks
of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and other countries. Nokia
is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the United States and/or
other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS is a registered
trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc. PROXYSG is a
trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered trademark of
Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in the United
States or other countries. UNIX and UNIXWARE are registered trademarks of The Open Group in the United States and other
countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names
or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM Administrator Guide
Updated - February 2017
Software Version - 2.5
Contents
Privileged Password Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Access the privileged password appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Initial Set Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Recommended steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Permission Based Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Message of the day tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Recent activity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Approvals tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Pending reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Current requests tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
User ID’s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Web tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Key based tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Cache tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Time tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
PSM connection defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Group membership tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Linked accounts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Add a web user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add a user ID using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Add a CLI user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Add an API user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Regenerate keys for CLI/API users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Duplicate a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Disassociate a user from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Delete a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Delete a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Disable/enable a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Unlock a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
TPAM 2.5
Administrator Guide
3
Reset user ID password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Manage the paradmin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
List user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Manage your TPAM user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Add a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Duplicate a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Delete a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
List groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Default global groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Permission Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Permission precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Permissions example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Permission types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Add an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Make an access policy inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Reactivate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Duplicate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Delete an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Rebuild assigned policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Password Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add a password check profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add a password change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Delete a password check/change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Assign a password check/change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Export Password Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Connection tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Ticket system tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
LDAP schema tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Account discovery tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Add a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Add a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Add a system using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Test a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Duplicate a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Disassociate a system from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Delete a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Delete a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
List systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Local appliance systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Custom Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Custom platform Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Add a conversational custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Add a jump box custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Test a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Duplicate a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Delete a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Using custom platforms in TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Batch processing custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
CLI and API commands for custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . .79
Jump boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Add a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Duplicate a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Delete a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
List collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Custom Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Dependents tab (Windows® AD only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Past Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Current Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
PSM Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Session Authentication tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
File Transfer tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Review Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Add an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Duplicate an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Delete an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Retrieve a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
List accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
List PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Password current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Manual password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Managing services in a Windows® domain environment . . . . . . . . . . . . . . . . . . . . . . 108
Add generic account to TPAM for PSM sessions to a user specified Windows account . . . 109
Linked Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Add a linked account to a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Add linked account/s to a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Request a session using a linked account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Linked accounts report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Using Quest Authentication Services with TPAM . . . . . . . . . . . . . . . . . . . . . . . . . .114
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configure QAS integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
How it works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
TPAM Account Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configure account discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Account discovery profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Add an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Delete an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Assign an account discovery profile to a system/system template . . . . . . . . . . . . . . . 121
Combine account discovery with auto discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
File History tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Current File tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Add a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Duplicate a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Review file history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Delete a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Retrieve a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
List files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Auto Discovery - LDAP Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
LDAP directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Add a LDAP data source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Add user/system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Add LDAP user/system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Delete a LDAP system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Discover accounts on auto discovered systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Auto Discovery - Generic Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Generic directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
User tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Add a generic system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Add a generic user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Delete a generic system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Application Password Virtual Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Importing the virtual cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Boot the cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configure network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Enable remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Changing the setup password while logged in to the Cache . . . . . . . . . . . . . . . . . . . . 143
Using TPAM to manage the Cache accsetup account . . . . . . . . . . . . . . . . . . . . . . . . . 144
Define remote IP address restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Prepare the cache for enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Add the cache in the TPAM interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add cache users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add cache client hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Add cache trusted root certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Add the cache server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
WSDL tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Accounts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Root Certificates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Hosts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Cache current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Create a cache team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Remove a cache team member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Alerts for the cache appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Delete a cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
List cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Cache logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Usage examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Batch Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Advanced file settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Import user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Import systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Import accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Import or update collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Import or update groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Add or drop collection members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Add or drop group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Batch update user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Batch update systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Batch update accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Batch update PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Batch update permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Batch update cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Cancel a batch process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
View batch job history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
PSM Connection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Add a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Delete a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Assign a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
TPAM 2.5
Administrator Guide
8
Post Session Processing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Add a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Delete a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Assign a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Restricted Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
System requirements for restricted commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Add a restricted command profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Assign profile to access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Restricted command account settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Command detection during a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Archive Session Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configure session log archive settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configure session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Test the archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
View archive files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
View archive log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Delete a session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Privileged Command Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Add a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Commands to assist with authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Duplicate a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Delete a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Create access policy with the command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Assign access policy to user or group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Setup requirement for Windows® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Synchronized Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Candidates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Subscriber status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Add synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Add subscriber to a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Remove a subscriber from a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . 192
Delete a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Force reset of synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Enable/disable scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Send scheduled reports to archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Subscribe/unsubscribe to scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Add/remove additional recipients to scheduled reports . . . . . . . . . . . . . . . . . . . . . . 195
View scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Resubmit scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Password Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Request a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
View submitted password requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Access the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Access past passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Cancel/expire a password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Data Extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configure data extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Customize data extract dataset file names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
TPAM CLI IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Add a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Connect PSM account to TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Delete a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Approve/Deny Password Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Approve/deny password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Review a Password Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Review a password release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Provisional ticket validation on a password release . . . . . . . . . . . . . . . . . . . . . . . . . 210
Session Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Request a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
View submitted session requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Cancel/expire a session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Request a session using a linked account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Approve/Deny Session Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Approve/deny session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Start a Remote Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Client requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Start a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
File transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
End a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Session playback controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Meta data window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Replay a session log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Add a bookmark to a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
View bookmarks/captured events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Jump to a bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Jump to an event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Monitor a live session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Terminate a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Review a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Review a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Provisional ticket validation on a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
File Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Request a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
View submitted file requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Access the file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Cancel/expire a file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Approve/Deny File Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Approve/deny file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
On Demand Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Report time zone options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Run a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Report descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
The ping utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Nslookup utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
TraceRoute utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Telnet test utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Display routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Command standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Application Programming Interface (API) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
C++ library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
.NET library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
PERL library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Java® library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
C++ examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
.NET examples (C#) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuration for Capturing Events on Windows® Systems . . . . . . . . . . . . . . . . . . .308
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
General j-Interop requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Summary of common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Firewall related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Explicitly opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Dynamically opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Remote registry related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Local security policy related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
User account control (UAC) related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Registry key related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Windows® event requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Appliance Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
1 Privileged Password Management Overview
• Introduction
• Resource requirements
• Access the privileged password appliance
Introduction
TPAM is a robust collection of integrated modular technologies designed specifically to meet the complex and
growing compliance and security requirements associated with privileged identity management and privileged
access control.
NOTE: This guide explains the core functionality available in TPAM regardless of the product licenses that
have been applied.
Privileged Password Manager
The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM
is a repository where these account passwords are stored until needed, and released only to authorized
persons. Based on configurable parameters, the PPM module will automatically update these passwords.
Privileged Session Manager
The Privileged Session Manager (PSM) module provides a secure method of connecting to remote
systems, while recording all activity that occurs to a session log file that can be replayed at a later time.
All connections to remote systems are proxied through the Privileged Account Management (TPAM) appliance,
ensuring a secure single access point.
The TPAM appliance has several methods of access:
• Configuration interface (HTTPS via direct connection, with network option)
• Administrative interface (HTTPS via network access)
• User interface (HTTPS via network access)
• Admin CLI (SSH via network access)
• User CLI (SSH via network access)
• User API (SSH client application via network access)
All data stored in TPAM is encrypted in storage and transit. Careful attention has been paid to the security
and audit capabilities of the appliance, due to the high security implications of the data it contains.
To support this high level of security, TPAM is designed to ensure segregation of duties and dual control. The
segregation of duties is accomplished through permission based authorization. Dual control is accomplished by
optionally requiring multiple pre-defined individuals to be involved in the connection to a system.
Resource requirements
One IP address is required for each TPAM appliance in a cluster. The 1U hardware design provides a small
footprint for the device and requires minimal rack space.
Access the privileged password appliance
To access TPAM, point the browser to TPAM’s IP address or FQDN followed by /tpam. For example, if the IP
address for the appliance has been configured as 192.168.1.100, the URL would be
https://192.168.1.100/tpam/. The initial TPAM administrator account is paradmin and the initial password is
provided with your licensing information.
Connectivity
To communicate with TPAM and successfully initiate a session your computer needs to be able to pass traffic on
ports 443 (HTTPS), 8000, and 22 (SSH).
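The port requirements above, as an added example that is not part of this guide or of the product: a small Python script run from the client workstation that probes TCP 443, 8000 and 22 on the appliance and builds the /tpam URL. The appliance address is a parameter (the 192.168.1.100 default is the example address used in this chapter); the guide does not state what port 8000 carries, so the script only tests reachability.

```python
import socket
import sys

# Ports the guide lists as required between the client and the appliance.
# The guide names 443 (HTTPS) and 22 (SSH); it does not say what 8000 carries.
REQUIRED_PORTS = {
    443: "HTTPS",
    8000: "TCP 8000 (purpose not stated in the guide)",
    22: "SSH",
}


def tpam_url(host: str) -> str:
    """Build the web interface URL: the IP address or FQDN followed by /tpam."""
    return f"https://{host}/tpam/"


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP connection to host:port completes within timeout.

    Any failure (refused, timed out, unresolvable host, no network) is reported
    as closed. A completed handshake only proves the network path is open, not
    that the service behind it is healthy.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tpam_connectivity(host: str, timeout: float = 3.0) -> dict:
    """Probe every required port and return {port: reachable?}."""
    return {port: port_open(host, port, timeout) for port in REQUIRED_PORTS}


def missing_ports(results: dict) -> list:
    """Ports that failed, sorted, so the list can go straight into a firewall request."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Example address from the guide; pass your own appliance as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
    print(f"Web interface URL: {tpam_url(target)}")
    results = check_tpam_connectivity(target)
    for port, ok in results.items():
        status = "open" if ok else "BLOCKED"
        print(f"  {port:>5}  {REQUIRED_PORTS[port]:<42} {status}")
    sys.exit(1 if missing_ports(results) else 0)
```

A non-zero exit code means at least one of the three ports is unreachable from this client; the printed list is what to hand to the network team.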
If TPAM will be accessed via Microsoft® Internet Explorer® (IE), there is one important setting to verify or
change in the IE configuration:
Pop-Up blocker
When the /tpam website is accessed, the initial instance of the browser is closed and a new window opens
without menu or title bars. Browsers that are configured to block pop-ups often interpret this as a pop-up and
the page will not display. Be sure to add the URL for TPAM to the list of allowed pop-ups. If your desktop
environment does not allow pop-up blockers to be disabled, this new-window behavior may be disabled by the
system administrator with a global setting in the /admin interface.
2 Initial Set Up
• Introduction
• Recommended steps
Introduction
This chapter covers the recommended steps for the initial set up of the TPAM appliance in the /tpam interface.
Before proceeding, the configuration of the /config and /admin interface should be completed. See the System
Administrator Guide for details. The order of the information presented in this manual reflects the
recommended steps outlined below.
Recommended steps
To configure the /tpam interface:
1 Log in to the /tpam interface with the paradmin user ID.
2 Add a CLI user ID with a user type of administrator. Download and store the key outside of the appliance.
See Add a CLI user ID for details.
3 Create password check and change profiles. See Password Profiles.
4 Create password rules. See the TPAM System Administrator Guide.
5 If LDAP or Generic Integration will be utilized, add the necessary system and user templates. See Add a
system template and Add a user template.
6 Outline the desired groups within LDAP that will be used to create TPAM groups for assigning permissions.
With those groups, add LDAP mappings to create the groups and provision the users. See Add LDAP
user/system mapping.
7 If Auto Discovery is not utilized, load TPAM users through Import user IDs.
8 Configure any Cache servers. See Add the cache in the TPAM interface.
9 Outline the desired OUs within LDAP that will be used to create TPAM Collections and provision systems.
With those OUs, add LDAP mappings to create the collection and provision the system.
NOTE: The system template can be used to add accounts as well.
10 If Auto Discovery is not used, load the systems to be managed through Import systems or Add a system.
See the Client Set Up Guide for details on configuring specific platforms.
11 If desired, add any files to be managed. See Add a file.
12 If Cache servers and/or DPAs were purchased, make the affinity assignments at the system level. See
Affinity tab.
13 For any accounts that were not provisioned using the auto-discovery process for adding systems, load the
accounts in TPAM through Import accounts.
14 To utilize collections (buckets of systems, accounts and/or files) other than the ones created using
auto-discovery, add collections and then load collection membership. See Add a collection and Add or drop
collection members.
15 To utilize groups (buckets of users) other than the ones created using auto-discovery, add groups and
then load group membership. See Add a group and Add or drop group members.
16 See Permissions tab to add the permissions desired to allow the group access to the collections or to
individual systems.
17 If Privileged Session Manager (PSM) was purchased and Privileged Command Manager (PCM) will be used,
configure PCM Commands. See Add a command.
18 Create any custom Access Policies. See Add an access policy.
19 Update permissions with access policy assignment. See Batch update permissions.
20 If a PSM customer, add any PSM Connection Profiles and Post Session Processing Profiles. See Add a PSM
connection profile and Add a post session processing profile.
NOTE: In the admin interface the Post Processing Agent must be started for post session profiles to
take effect.
21 If a PSM customer see Batch update PSM accounts to update the PSM permissions for accounts.
22 If a PSM customer see Configure session log archive settings and Configure session log archive server to
configure retention settings for session logs.
23 Configure the Batch Report subscriptions and recipients. See Enable/disable scheduled reports.
24 Configure the Data Extract Schedule and data Sets. See Configure data extracts.
25 Configure Synchronized Passwords. (Optional) See Add synchronized password.
26 Configure TPAM CLI IDs. (Optional) See Add a TPAM CLI ID.
3 Permission Based Home Page
• Introduction
• Message of the day tab
• Recent activity tab
• Approvals tab
• Pending reviews tab
• Current requests tab
Introduction
Your home page is based on the user type and permissions assigned to your user ID in the TPAM application.
Return to the home page from anywhere in the TPAM application by clicking the home icon located on the far
left side of the menu ribbon.
Message of the day tab
The first tab that displays is the default message of the day, which is configured through the admin interface.
Click the links on this tab to immediately make a session, password or file request, or to approve any pending
requests.
Recent activity tab
The recent activity tab shows all your activity in TPAM for the last 7 days.
Approvals tab
The Approvals tab displays any requests (Password, File or Session) that require approval. After they are
approved or denied the request can be seen on this list until the release duration expires. Clicking on the
request ID opens the appropriate Requests Approval Detail tab to approve or deny the request. To use the
auto-refresh option select the box and type the number of minutes you would like the window refreshed.
Pending reviews tab
Eligible reviewers for any post password releases or sessions see the Pending Reviews tab on the home page. Any
password releases or sessions that are pending review are seen on this tab. Clicking on the request ID opens the
Password Release Review Details or Session Review Details tab. To use the auto-refresh option select the box
and type the number of minutes you would like the window refreshed.
Current requests tab
The Current Requests tab displays any request (Password, File or Session) that you have made. The requests stay
visible on this tab until the release duration expires. Clicking on the Request ID link opens the Session, Password
or File Request Management tabs to view details on a request.
4 User IDs
• Introduction
• Add a web user ID
• Add a user template
• Add a user ID using a template
• Add a CLI user ID
• Add an API user ID
• Regenerate keys for CLI/API users
• Duplicate a user ID
• Disassociate a user from a template
• Delete a user ID
• Delete a user template
• Disable/enable a user ID
• Unlock a user ID
• Reset user ID password
• Manage the paradmin user ID
• List user IDs
• Manage your TPAM user ID
Introduction
This chapter covers adding and managing TPAM user IDs.
To add and manage user IDs, information is entered on the following tabs in the TPAM interface:
Table 1. Management: TPAM interface tabs
Tab name                         Description
Details                          Define main information, such as name, contact information, and user type.
Details/Web                      Configure access and authentication methods.
Details/Key Based                Define key based authentication method.
Details/Cache                    For cache users only, generate or upload the user's certificate.
Details/Time                     Define time zone and access times.
Details/PSM Connection Defaults  Default PSM connection options when recording a session.
Details/Custom Information       Custom boxes available for use.
Template                         Used to save user ID settings as a template.
Group Membership                 Assign group membership.
Permissions                      Assign access policies for systems, accounts, and/or files for this user.
Details tab
The table below explains all of the box options available on the Details tab.
Table 2. User Management: Details tab options
Element
Description
Required?
User Name
The user’s login id. User names may be a maximum of 30
characters long. The following special characters are allowed
in the user name: `~#%&(){}.!'
Yes
User Disabled?
If selected, the user cannot access TPAM.
No
Last Name
Last name of the user.
Yes
First Name
First name of the user.
Yes
Phone Number
Phone number associated with the user ID in TPAM.
No
Mobile Number
Mobile number associated with the user ID in TPAM.
No
Email Address
The email address that TPAM will use for email notifications
from TPAM.
No
Default
Off
If multiple email addresses are to be associated with the user,
this may be accomplished by using a semicolon and no spaces
to separate them. An alias name can also be designated for
the email (this name is displayed in the To: box). Example:
John Doe<[email protected];[email protected]>,…
To create an alias, type it as: alias<email-address-1;emailaddress-2> Double quotes may be required to include spaces
in email addresses.
TPAM 2.5
Administrator Guide
20
Table 2. User Management: Details tab options
Element
Description
Description
The description box may be used to provide additional details No
about the user.
User Type
Select the user type. Available choices are:
• Basic: If selected, the user can be a requestor, approver, reviewer, privileged access, denied or ISA but does not have any administrator privileges.
• Administrator: If selected, this user account has Administrator privileges to the TPAM interface. The administrator is the most powerful user type for the TPAM user interface. This user type can create and delete systems, users, groups, and collections. The administrator user type may also assign access policies to any user, including themselves. An administrator may view all reports. It is recommended that this user type be assigned carefully. The administrator may not delete or disable their own user ID.
• Auditor: If selected, this user has Auditor privileges in TPAM. Auditor is a special user type that may view reports, systems, and users, but may not request or approve passwords, files and sessions or modify any data. Auditors may also review completed password and session requests. At this time Auditors cannot view the keystroke log for a session.
• User Administrator: If selected, this user has the authority to manage Basic user types. User Administrators may disable and enable users, unlock user accounts, and update account information. The User Administrator does not have the ability to add users to groups or modify permissions. CLI/API user accounts cannot be managed by a User Administrator.
• Cache User: If selected, this user can only retrieve passwords through an assigned Cache server and cannot log in to TPAM. A security certificate must be loaded for each Cache user. If using a user-supplied certificate, the customer may also have to provide the certificate password depending on the format of the certificate being uploaded.
Required? Yes. Default: Basic.
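The multi-address syntax of the Email Address box above (semicolon-separated addresses, an optional alias in front of an angle-bracketed list, double quotes around values that contain spaces) is easy to get wrong when user records are built by script rather than typed. The Python below is an added example written for this guide, not TPAM code: a parser and a matching formatter for that field. The grammar it implements is reconstructed from the table's description, and it is an assumption wherever the table is silent, in particular that entries are comma-separated and that quotes may wrap an alias as well as an address.

```python
import re

# Grammar assumed from the Email Address description (not TPAM's own code):
#   field    := entry ("," entry)*
#   entry    := alias "<" addrlist ">" | addrlist
#   addrlist := address (";" address)*
# Double quotes may wrap an alias or an address that contains spaces.

_ADDR_RE = re.compile(r'^[^@\s<>;,"]+@[^@\s<>;,"]+\.[^@\s<>;,"]+$')


def _split_top_level(text, sep):
    """Split on sep, ignoring separators inside double quotes or angle brackets."""
    parts, buf, in_quote, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "<":
                depth += 1
            elif ch == ">":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf))
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_recipients(field):
    """Return [(alias or None, [addresses]), ...]; raise ValueError on a malformed entry."""
    recipients = []
    for entry in _split_top_level(field, ","):
        alias = None
        if entry.endswith(">") and "<" in entry:
            raw_alias, _, inner = entry.partition("<")
            alias = _unquote(raw_alias) or None
            inner = inner[:-1]            # drop the closing '>'
        else:
            inner = entry
        addrs = [_unquote(a) for a in _split_top_level(inner, ";")]
        bad = [a for a in addrs if not _ADDR_RE.match(a)]
        if not addrs or bad:
            raise ValueError(f"malformed entry {entry!r}: {bad or 'no addresses'}")
        recipients.append((alias, addrs))
    return recipients


def format_recipients(recipients):
    """Inverse of parse_recipients: quote an alias only when it contains a separator."""
    entries = []
    for alias, addrs in recipients:
        for a in addrs:
            if not _ADDR_RE.match(a):
                raise ValueError(f"refusing to emit invalid address {a!r}")
        inner = ";".join(addrs)
        if alias:
            if '"' in alias:
                raise ValueError("alias may not contain a double quote")
            if any(c in alias for c in ',;<>'):
                alias = f'"{alias}"'
            entries.append(f"{alias}<{inner}>")
        else:
            entries.append(inner)
    return ",".join(entries)


if __name__ == "__main__":
    # Constructed sample in the shape of the table's example, not a real address book.
    sample = 'John Doe<jdoe@example.com;john.doe@example.org>,"SOC, Team"<soc@example.net>'
    parsed = parse_recipients(sample)
    print(parsed)
    assert format_recipients(parsed) == sample
```

Running the parser over a value before it is saved catches the usual mistakes (a space after a semicolon, a missing closing bracket, a bare display name with no address) that would otherwise only surface as a notification that never arrives.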
Web tab
The table below explains all of the box options available on the Web tab:
Table 3. User Management: Details Web tab options
Allow this user to access TPAM from a Mobile Device?
If selected, users can make requests, deny or approve requests, and review password releases and sessions by using their personal mobile device (Blackberry®, iPhone®). User administrators and cache user types may not access TPAM via a mobile device.
Required? No. Default: Off.
Allow WEB Access?
If selected, the user can access TPAM via the web.
Required? No. Default: On.
NOTE: Allowing web access is permanent once saved. The only way to remove web access for the user ID is to delete the user and add the user back.
Password / Confirm Password
Enter/confirm a password for the user account. If left blank, a random password is generated by the TPAM system. The TPAM default password rule configured by the System Administrator is used for these passwords.
Required? No.
Certificate Thumbprint
For users who authenticate using a client certificate, the certificate’s SHA1 or SHA2 thumbprint should be entered here. This option will not appear unless certificate is selected as the primary user authentication type.
Required? No.
Primary User Authentication
If selected, the user can use primary authentication to authenticate. The primary authentication user ID cannot be the same as any other user’s TPAM user name or primary authentication ID. Available choices are:
• Certificate - Users authenticate using a client certificate. Based on global settings the user will be linked to the certificate through the thumbprint or the value of the subjectAltName:PrincipalName attribute in the certificate.
• Local - TPAM
• Windows Active Directory® - WinAD is configured in the admin interface as an external source of authentication. The Windows® AD primary user ID must always be in UPN (user principal name) format, allowing the use of multiple domains. The primary authentication ID cannot be the same as any other user’s User Name or primary ID.
• LDAP - LDAP is configured in the admin interface as an external source of authentication. Users can type a shortened version of their LDAP user ID that expands to the full LDAP user ID for authentication.
• Radius - Radius is configured in the admin interface as an external source of authentication.
• Defender - Defender is configured in the admin interface as an external source of authentication.
Required? Yes. Default: Local.
Secondary User Authentication
If the user is using secondary authentication, select the type and source and enter their user ID here. Choices of secondary authentication are:
• None
• Safeword
• SecurID
• LDAP
• Radius
• WinAD
• Defender
Required? No. Default: None.
Key based tab
The table below explains all of the box options available on the Key Based tab:
Table 4. User Management: Details Key Based tab options
CLI
If selected, the user can access TPAM via the command line interface (CLI).
Required? No. Default: Off.
API
If selected, the user can access TPAM via the API.
Required? No. Default: Off.
CLI Key Passphrase
Only applies to CLI users. This is an optional passphrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated. Remember to give the passphrase to the CLI user along with their private key file.
Required? No.
NOTE: If the CLI user ID and key are going to be used in any type of scripting or automation, be aware that any time a CLI key with a passphrase is used the passphrase must be typed by the user via the keyboard. Passphrase entry via any type of scripting is not allowed for DSS keys. A key used unattended therefore has no passphrase, so protect the key file with file system permissions and pair the user ID with a Restricted IP Address.
Restricted IP Address
Only applies to CLI/API users. If an address is specified, the user may only access TPAM from this address. More than one IP address may be specified by separating each with a comma, up to a limit of 100 characters for the entire string. The use of wildcards is also permitted to specify a complete network segment, for example 10.14.10.*
Since a CLI/API user cannot be disabled with a check box, this box can be used to temporarily disable the user access by setting the value to an invalid IP address such as “disabled”.
Required? No.
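The Restricted IP Address box describes a small matching language: comma-separated entries, a `*` octet for a whole segment, a 100-character limit on the whole string, and a deliberately invalid value such as "disabled" as the only way to switch a CLI/API user off. The Python below is an added example for this guide, not TPAM code. It models those rules so that a proposed value can be tested against the addresses the automation will actually come from before it is saved, and so that an exported value can be classified as open, restricted or effectively disabled. The per-octet wildcard semantics and the IPv4-only scope are assumptions beyond what the table states.

```python
import ipaddress

MAX_FIELD_LEN = 100   # limit for the whole comma-separated string, per the table above


def parse_restriction(field):
    """Split the field into patterns, enforcing the 100-character limit on the whole string."""
    if len(field) > MAX_FIELD_LEN:
        raise ValueError(f"restriction string is {len(field)} characters; limit is {MAX_FIELD_LEN}")
    return [p.strip() for p in field.split(",") if p.strip()]


def is_address_pattern(pattern):
    """True for a dotted quad whose octets are 0-255 or '*' (assumed wildcard form: 10.14.10.*)."""
    octets = pattern.split(".")
    if len(octets) != 4:
        return False
    return all(o == "*" or (o.isdigit() and 0 <= int(o) <= 255) for o in octets)


def pattern_matches(pattern, ip):
    """Compare octet by octet; '*' matches anything in that position."""
    if not is_address_pattern(pattern):
        return False                      # "disabled" and other junk never match
    return all(p == "*" or int(p) == o
               for p, o in zip(pattern.split("."), ip.packed))


def is_allowed(field, client_ip):
    """Would a CLI/API connection from client_ip be accepted under this restriction value?"""
    patterns = parse_restriction(field)
    if not patterns:
        return True                       # empty box: no source restriction at all
    try:
        ip = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return False                      # only IPv4 dotted quads are modelled here
    return any(pattern_matches(p, ip) for p in patterns)


def effective_state(field):
    """Classify a stored value: 'unrestricted', 'restricted', or 'disabled' (no valid pattern)."""
    patterns = parse_restriction(field)
    if not patterns:
        return "unrestricted"
    if not any(is_address_pattern(p) for p in patterns):
        return "disabled"
    if any(p == "*.*.*.*" for p in patterns):
        return "unrestricted"             # a fully wildcarded entry restricts nothing
    return "restricted"


if __name__ == "__main__":
    # Constructed values, not taken from a real appliance.
    for field, src in [("10.14.10.*", "10.14.10.77"), ("10.14.10.*", "10.14.11.77"),
                       ("192.0.2.10,10.14.10.*", "192.0.2.10"), ("disabled", "192.0.2.10")]:
        print(f"{field!r:28} {src:14} -> {is_allowed(field, src)} ({effective_state(field)})")
```

A source-address restriction only narrows where a stolen key can be used from; hosts behind the same NAT address or a shared jump host all look alike to it, so keep the pattern as narrow as the automation allows. Because "disabled" is stored as an ordinary string, a periodic pass with `effective_state` over the exported user list is the quickest way to find CLI/API users that were meant to be temporarily disabled and never re-enabled, or never disabled at all.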
Cache tab
The Cache tab is only enabled when a user type of cache user is selected. For more details on cache users see
Add cache users.
The table below explains all of the box options available on the Cache tab:
Table 5. User Management: Details Cache tab options
Certificate Type
A security certificate must be loaded for the cache user. If User-Supplied is selected, the certificate is loaded by clicking the Select File button. If Created by TPAM is selected, the certificate is generated by clicking the Download the TPAM Root Certificate button.
Required? Yes. Default: User-Supplied.
Password / Confirm Password
If uploading a PKCS12 file or generating a certificate a password must be supplied.
Required? No.
Time tab
The Time tab allows administrators and user administrators to set a user’s local time zone. This tab is not
enabled for Cache, CLI and API users.
NOTE: The TPAM server is always at UTC time and never uses daylight savings time.
The table below explains all of the box options available on the User ID Time tab:
Table 6. User Management: Details Time tab options
User Timezone
Select a local time zone for the user.
Required? Yes. Default: the default user timezone global setting value.
NOTE: If the user is in a time zone that follows DST, TPAM will automatically adjust the time for them.
Time Based System Access
Choices are:
• No Restriction - if selected, the user can access TPAM at any time/day.
• Allow - To limit a user’s access to TPAM, select the Allow button, select days of the week and enter up to 4 time ranges. Multiple ranges must be separated by semi-colons. The ranges must be entered using 24-hour times with a hyphen between start and end times.
• Prohibit - To restrict a user’s access to TPAM, select the Prohibit button, select days of the week and enter up to 4 time ranges. The ranges must be entered using 24-hour times with a hyphen between start and end times.
Required? Yes. Default: No Restrictions.
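The Time Based System Access rules above (Allow or Prohibit, selected days, up to four hyphenated 24-hour ranges separated by semicolons) are evaluated against the user's local time, while the appliance itself runs at UTC. The Python below is an added example for this guide, not TPAM's implementation: it validates a range string the way the table describes and decides whether a given UTC server time falls inside the rule after converting it to the user's time zone. Assumptions beyond the table: ranges lie within one day (no overnight wrap), a range's start is inclusive and its end exclusive, and days are given as Python weekday numbers (Monday = 0).

```python
from datetime import datetime, timedelta, timezone

MAX_RANGES = 4          # the table allows up to 4 time ranges per rule
MODES = ("No Restriction", "Allow", "Prohibit")


def _to_minutes(hhmm):
    """'17:30' -> 1050 minutes since midnight; reject anything not a valid 24-hour time."""
    hours, sep, minutes = hhmm.strip().partition(":")
    if not sep or not hours.isdigit() or not minutes.isdigit():
        raise ValueError(f"bad 24-hour time {hhmm!r}")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad 24-hour time {hhmm!r}")
    return h * 60 + m


def parse_ranges(text):
    """'08:00-12:00;13:00-17:00' -> [(480, 720), (780, 1020)], validated per the table."""
    ranges = []
    for part in (p.strip() for p in text.split(";") if p.strip()):
        start, sep, end = part.partition("-")
        if not sep:
            raise ValueError(f"range {part!r} needs a hyphen between start and end")
        s, e = _to_minutes(start), _to_minutes(end)
        if s >= e:
            raise ValueError(f"range {part!r} must end after it starts (assumed: no overnight ranges)")
        ranges.append((s, e))
    if not 1 <= len(ranges) <= MAX_RANGES:
        raise ValueError(f"between 1 and {MAX_RANGES} ranges are allowed, got {len(ranges)}")
    return ranges


class TimeRule:
    """One user's Time Based System Access setting."""

    def __init__(self, mode, days=(), ranges=""):
        if mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        self.mode = mode
        if mode != "No Restriction":
            self.days = frozenset(days)         # weekday numbers, Monday = 0
            self.ranges = parse_ranges(ranges)
            if not self.days:
                raise ValueError("select at least one day")

    def _in_window(self, local):
        minute = local.hour * 60 + local.minute
        return local.weekday() in self.days and any(s <= minute < e for s, e in self.ranges)

    def permits(self, server_time_utc, user_tz):
        """Decide access for a tz-aware UTC timestamp, converted to the user's zone first."""
        if self.mode == "No Restriction":
            return True
        if server_time_utc.tzinfo is None:
            raise ValueError("server time must be timezone-aware (the appliance runs at UTC)")
        inside = self._in_window(server_time_utc.astimezone(user_tz))
        return inside if self.mode == "Allow" else not inside


def decide(rule, utc_iso, offset_hours):
    """Convenience: evaluate rule for a 'YYYY-MM-DDTHH:MM' UTC string and a fixed UTC offset."""
    server = datetime.strptime(utc_iso, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)
    return rule.permits(server, timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    # Constructed example: office hours Mon-Fri for a user at a fixed UTC-5 offset.
    # For a user whose zone observes DST, pass zoneinfo.ZoneInfo("America/New_York") to permits().
    rule = TimeRule("Allow", days=range(0, 5), ranges="08:00-18:00")
    for when in ("2017-03-01T12:30", "2017-03-01T14:00", "2017-03-04T14:00"):
        print(when, "UTC ->", decide(rule, when, -5))   # Wed 07:30, Wed 09:00, Sat 09:00 local
```

The fixed offset is used in the example only so that it runs without the system time zone database; with a real `zoneinfo` zone the conversion step is what gives the DST adjustment the note above describes, which is also why a rule should always be reasoned about in the user's zone and never in server (UTC) time.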
PSM connection defaults
Lists all possible PSM connection options and their values. Connection options and values are proxy specific. The
selected values will be used as defaults the first time a user starts a PSM session to any given account. Once the
user has started the session, the default values for that user are saved and will be the defaults the next time
the user connects to that account. These user connection defaults are cleared any time the proxy type for the
account is changed.
These defaults only apply to session recordings and not session playback or monitoring.
Custom information tab
There are six custom boxes that can be used to track information about each user. These custom boxes are
enabled and configured by the System Administrator in the /admin interface. If these boxes have not been
enabled the Custom Information tab will not be visible.
Template tab
The template tab is used to save all the settings for a user ID as a template. Templates may be used to quickly
create new users with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. User templates do not store a default password. Only TPAM
Administrators and ISAs may use templates.
The table below explains all of the box options available on the User ID Template tab:
Table 7. User Management: Details Template tab options
Create a Template from this User
Selecting this flag saves the values for this user ID as a User Template.
Required? No. Default: Off.
Use this as the default template
If selected, this template is used when adding new user IDs unless another template is chosen with the Use Template button. Only one template can be designated as the “Default” at a time. Only a template with a user type of Basic and user interface of Web can be used as a default template. If a template is designated as the “Default” it is listed in purple italics on the Manage UserIDs listing.
Required? No. Default: Off.
Retain Group Membership in the template
If selected, TPAM creates the template with all the group memberships currently defined on this user. User IDs created from this template will have the same group memberships.
Required? No. Default: Off.
NOTE: If this user ID is a member of an AD Integration Group, that membership is not transferred to the template and subsequent users.
Retain Permissions in the template
If selected, TPAM creates the template with all the system and collection permissions (Access Policy assignments) currently defined for the user. User IDs created from this template will have the same permissions.
Required? No. Default: Off.
Group membership tab
A group is a container of users, which can share common permissions. The group membership tab is used to
assign users to groups.
NOTE: If a group is tied to either AD or Generic Integration the user’s membership status in that group
cannot be changed.
The table below explains all of the box options available on the User ID Group Membership tab:
Table 8. User Management: Group Membership tab options
Name
The name of the group. Clicking on the name opens the group management listing tab.
Required? No.
Membership Status
To modify group membership, click the Not Assigned or Assigned button next to each group name and click the Save Changes button. Pressing the Ctrl key and clicking on any Assigned or Not Assigned option will set all the rows in that column to the same value.
Required? No. Default: Not Assigned.
NOTE: If the System Administrator has disabled Global Groups in the admin interface the groups will not be visible in this listing.
Linked accounts tab
The linked accounts tab is used to assign linked accounts to the user ID. For more details on linked accounts see
Linked Accounts.
Permissions tab
The permissions tab is used to assign systems, accounts, files and/or collections an access policy for this user.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the system/s, account/s, file/s and/or collection/s to which the selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right upper side of the results tab. Selecting an access policy on the list displays the detailed permissions describing this access policy on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the assignment.
Table 9. Access policy details pane icons
• Refreshes the list of Access Policies.
• Scrolls the currently selected row into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. Confirmation of the assignment is required if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
A marker icon next to any row on the list simply means that row has been edited since the last save changes occurred.
Pressing the SHIFT key and left clicking the mouse can be used to select a range of rows. The first row clicked will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted.
4 When finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: The results list can be re-filtered and re-retrieved without losing existing edits. As the Results tab is reloaded any systems, accounts, files, or collections that have already been edited reflect their edited policy assignment. When the Save Changes button is clicked all the Access Policy assignment changes for the user are saved. The appliance saves these in batches, reporting the number of assignments added, removed, or changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a new tab or window.
Add a web user ID
When adding a user ID in TPAM, information is entered on the following tabs to configure the user:
• Details
• Details/Web
• Details/Time
• Details/PSM Connection Defaults
• Details/Custom
• Template
• Group Membership
• Permissions
The following procedure describes the steps to add a user ID.
To add a new web user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 To set time zone and access rules, click the Time tab and make changes. For more details see Time tab. (Optional)
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
Add a user template
NOTE: For any template used by LDAP or generic integration that has a WinAD primary authentication type, the primary user ID must be empty or one of the following values: UPN, UserPrimaryName or SAMAccountName.
If any external authentication is set, the external user ID must still be populated to save the template; however, when a user is created from the template the UserName is used as the default external ID.
To add a User Template:
1 Select Users & Groups | UserIDs | Add User Template from the menu.
2 Enter the template name and placeholder first and last names.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.
Add a user ID using a template
Users added using a template will automatically inherit the time information, group membership and permissions from the template used.
To add a user using a template:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Click the Use Template button.
3 Select a template on the Listing tab.
4 Click the Details tab.
5 Enter the user name, first name, last name, and other contact information.
6 Make any other changes as desired.
7 Click the Save Changes button.
Add a CLI user ID
A CLI user ID is a special user account used to access TPAM remotely via the CLI (command line interface). It is now possible for one user ID to be both a web and CLI user. When accessing TPAM through the CLI they can only execute specific commands supported by the TPAM CLI.
NOTE: The paradmin user ID cannot be given CLI access.
To add a new CLI user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the CLI check box. Enter information on the Key Based tab. For more information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
TIP: If a user ID that has both Web access and CLI or API access is added, to generate keys they must first log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not apply.
10 Click the Details tab.
11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. This key file must be placed on any computer that uses this user ID to access TPAM’s command line functions.
NOTE: The key file can be renamed.
IMPORTANT: If a user ID has both web and API or CLI access to TPAM you will not be able to download or generate keys for that user ID. They must log on to TPAM to download and/or regenerate their own DSS key.
Add an API user ID
An API user ID is required to use TPAM’s Application Programming Interface (API). The TPAM API allows client applications, via an SSH (Secure Shell) connection to the TPAM appliance, to perform many of the operations provided in the TPAM User Interface. For more on the API see the Application Programming Interface chapter later in this guide.
To add an API user ID:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the API check box. Enter information on the Key Based tab. For more information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
9 Click the Save Changes button.
TIP: If you are adding a user ID that has both Web access and CLI or API access, to generate keys they must first log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not apply.
10 Click the Details tab.
11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. The key file created by TPAM and the user ID are required for the API to be able to establish the SSH connection.
Regenerate keys for CLI/API users
TIP: You cannot regenerate a key for a CLI/API user that also has web access. These users must log on to the TPAM web interface to retrieve or regenerate their own keys.
To generate a new key:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user.
5 Click the Details tab.
6 Click the Key Based tab.
7 If you require a CLI Key Passphrase, enter one. If not, proceed to step 8.
8 Click the Regenerate Key button.
Duplicate a user ID
To ease the burden of administration and help maintain consistency, user IDs can be duplicated. This allows the administrator to create new user IDs that are very similar to those that exist, while only having to modify a few details. The new user ID inherits time information, group membership, and permissions settings from the existing user ID.
To duplicate a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be duplicated.
5 Click the Duplicate button. A new user ID is created and the User ID Details page displays. The name of the new user ID is automatically DuplicateOfXXXXX.
6 Enter a first name and last name for the user.
7 Make any changes to the user configuration on the various tabs.
8 Click the Save Changes button.
Disassociate a user from a template
To disassociate a user from the template it was created from:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user to disassociate.
5 Click the Details tab.
6 Click the Disassociate button.
7 Click the OK button on the confirmation window.
8 Click the Save Changes button.
Delete a user ID
A user ID cannot be deleted if the user ID:
• has pending batch import or update processes running
• has an active PSM session
• is being used as a template for importing LDAP or Generic auto-discovery mappings
• is required to complete a review on a password release or PSM session.
Even if a user ID is deleted, any session logs, requests, reviews, etc. associated with that ID will remain in TPAM until the retention settings age the data out of TPAM.
To delete a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Delete a user template
To delete a user template:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.
Disable/enable a user ID
To disable/enable a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be changed.
5 Click the Details tab.
6 Select/Clear the User Disabled? box.
7 Click the Save Changes button.
Unlock a user ID
A user may need to be unlocked if they enter an incorrect password multiple times.
To unlock a user:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be unlocked.
5 Click the Unlock button.
Reset user ID password
To reset a user’s password:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be reset.
5 Click the Details tab.
6 Enter the new password in the Password and Confirm boxes.
7 Click the Save Changes button.
8 Notify the user of their new password.
This creates a one-time-use password that the user will be forced to change upon logging on.
NOTE: You cannot change passwords for users with external primary authentication. If Primary
Authentication has been minimilized then you cannot change the user’s local password.
Manage the paradmin user ID
There is the option to have TPAM manage the paradmin user ID, so that any user wanting to log on as paradmin must go through the TPAM request and approval process to obtain the account password. When the paradmin account is managed through TPAM you cannot enter a new password for this account on the User Management Details page. Additionally, when a user is logged on as paradmin they will not have access to the User menu Change Password option.
To manage the paradmin user ID:
1 Create an administrator account. See Add a web user ID.
2 Log on to the /tpam interface using the new administrator account.
3 Select Users & Groups | Manage Sys-Admin UserIDs from the menu.
4 Filter for the paradmin account. Click the Listing tab.
5 Select the paradmin account.
6 Click the Details tab.
7 Select the Administer account password with local PPM? check box.
8 Click the Save Changes button.
After this is saved the paradmin account on the managed system Local_Appliance_paradmin will be set with Automatic Password Management selected.
NOTE: The Local_Appliance systems cannot be deleted, duplicated or tested. Users cannot add or delete accounts on the Local_Appliance. The Local_Appliance systems do not count against licensed systems.
9 Select Accounts | Manage Accounts from the menu.
10 Filter for the paradmin account. Click the Details tab.
11 Click the Management tab. Verify that the password check and change profiles you want used to manage this account are assigned.
The password will be scheduled for an immediate reset. Depending on the number of password changes in the queue it may take some time to reset. Any users currently logged on as paradmin will be prompted to enter a new password once it has been reset.
To disable management of the paradmin user ID:
1 Log on to the /tpam interface using an admin account other than paradmin.
2 Select Users & Groups | Manage UserIDs from the menu.
3 Filter for the paradmin account. Click the Listing tab.
4 Select the paradmin account.
5 Click the Details tab.
6 Clear the Administer account password with local PPM? check box.
7 Enter a new password in the password and confirm boxes.
8 Click the Save Changes button.
List user IDs
The List UserIDs option allows you to export the user data from TPAM to Microsoft Excel® or CSV format. This is a convenient way to provide an offline work sheet and also to provide data that may be imported into another TPAM, for example to populate a lab appliance with data for testing, without making the lower level changes that restoring a backup would cause.
The last access date/time on the report is in server time (UTC).
To list the user IDs:
1 Select Users & Groups | UserIDs | List UserIDs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view group membership for a user, select the user ID and click the Groups tab.
7 To view the permissions assigned to the user, select the user and click the Permissions tab.
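The CSV export described above is the easiest way to review the user population offline. The Python below is an added example for this guide, not a TPAM tool: it reads an export and reports enabled users who have never logged on, users whose last access (server time, UTC) is older than a threshold, and every enabled Administrator, since the User Type table earlier in this chapter says that type should be assigned carefully. The column names, the date format and the sample rows are assumptions; choose the columns on the Layout tab and adjust the constants to match the header line of your own export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed column names; match them to the header line of your own export.
COL_USER, COL_TYPE, COL_DISABLED, COL_LAST_ACCESS = "UserName", "UserType", "Disabled", "LastAccess"
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"      # assumed; the export states times in server time (UTC)
STALE_AFTER = timedelta(days=90)

# Constructed sample export, not data from a real appliance.
SAMPLE_EXPORT = """UserName,UserType,Disabled,LastAccess
paradmin,Administrator,No,2017-05-30 08:12:00
jdoe,Basic,No,2017-05-29 17:45:10
svc_legacy,Basic,No,2016-12-01 03:00:00
audit1,Auditor,No,
old_admin,Administrator,Yes,2016-01-10 09:00:00
"""


def parse_last_access(value):
    """Return a tz-aware UTC datetime, or None when the user has never logged on."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def audit_users(csv_text, now, stale_after=STALE_AFTER):
    """Return (user name, finding) pairs for enabled users that deserve a second look."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware 'now' in UTC to compare with server time")
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row[COL_USER].strip()
        if row.get(COL_DISABLED, "").strip().lower() in ("yes", "true", "1"):
            continue                                   # disabled users cannot log on
        last = parse_last_access(row.get(COL_LAST_ACCESS))
        if last is None:
            findings.append((name, "never logged on"))
        elif now - last > stale_after:
            findings.append((name, f"stale: last access {(now - last).days} days ago"))
        if row.get(COL_TYPE, "").strip() == "Administrator":
            findings.append((name, "Administrator user type: confirm it is still required"))
    return findings


def audit_as_of(csv_text, now_iso):
    """Same as audit_users, taking 'now' as a UTC string in the export's date format."""
    return audit_users(csv_text, datetime.strptime(now_iso, DATE_FORMAT).replace(tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in audit_as_of(SAMPLE_EXPORT, "2017-06-01 00:00:00"):
        print(f"{user:12} {finding}")
```

Because the export is in UTC and the appliance never applies daylight saving, compare against a UTC "now" as the example does; mixing in local time silently shifts every account by the zone offset. CLI/API-only users never appear with a web last-access time, so judge them by their Restricted IP Address value and key age rather than by this report alone.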
Manage your TPAM user ID
Any user may change their password and update individual account details using the User menu option.
To reset your password:
1 From the User Menu select Change Password.
2 Enter the Old Password, the New Password, and Confirm New Password.
3 Click the Save Changes button.
NOTE: User passwords are subject to the requirements of the Default Password Rule.
To edit your user details:
1 From the User menu select User Details.
2 Make changes in the following boxes:
Table 10. Fields available on My User Details
Phone Number: Phone number that is associated with your user ID in TPAM.
Mobile Number: Mobile number that is associated with your user ID in TPAM.
E-mail: The email address that TPAM will use for email notifications from TPAM.
My Timezone: The appropriate time zone must be chosen from the list. With this option most dates and times that the user sees in the application or on reports are converted to their local time. If a date or time still reflects server time it is noted on the window.
Description: The description box may be used to provide additional details about the user.
PSM Connection Defaults: Default PSM connection options when recording a session.
CLI Key Passphrase: Only applies to CLI users. This is an optional passphrase to encrypt the user’s private key. The phrase is case sensitive, up to 128 characters, and does not allow double quotes (“). The phrase is not stored and cannot be retrieved after the key is generated.
Reset CLI Key: Click this button to create a new CLI key for the user ID.
Get CLI Key: Click the button to retrieve the new CLI key.
Reset API Key: Click this button to create a new API key for the user ID.
Get API Key: Click the button to retrieve the new API key.
NOTE: If the System Administrator disables User Time zone changes in the /admin interface the User Time Zone Information block shown above is visible only for Administrator users.
3 Click the Save Changes button.
5 Groups
• Introduction
• Add a group
• Duplicate a group
• Delete a group
• List groups
• Default global groups
Introduction
Groups are defined sets of users. Groups can be used to simplify the process of assigning permissions.
To add and manage groups, information is entered on the following tabs in the TPAM interface:
Table 11. Group Management: TPAM interface tabs
Details: Define group name.
Members: Assign members to the group.
Permissions: Assign systems, accounts, files and/or collections permissions for the group.
Details tab
The table below explains the fields on the Details tab.
Table 12. Group Management: Details tab options
Group Name
Unique name for the group.
Required? Yes.
Description
Used to provide additional information about the group.
Required? No.
Members tab
The table below explains the fields on the Members tab.
Table 13. Group Management: Members tab options
Name
Name of the user.
Membership Status
To modify group membership, simply click the Not Assigned or Assigned buttons next to each user. You can set all displayed users to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button.
Required? Yes.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this group.
To assign Access Policies:
1
Use the table on the left of the page to select the name/s of the user/s to which the selected access
policy is to be assigned.
2
Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3
Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.
Table 14. Access Policy Details pane icons
The icons in the pane perform the following actions:
• Refreshes the list of available Access Policies.
• Scrolls the currently selected User into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the
  current assignment. This affects only the current row (row with the dotted border) even if multiple rows
  are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the
  assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to
  the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows
  are affected.
• Removes unsaved edits on the current row. This only affects the current row (row with the dotted border)
  even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edited-row icon next to any row on the list simply means that row has been edited since changes were
last saved.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Users that you have already edited reflect their edited policy assignment. When you click
the Save Changes button all the Access Policy assignment changes for the account are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a group
When adding a group in TPAM, information is entered on the following tabs to configure the group:
• Details
• Members
• Permissions
The following procedure describes the required steps to add a group.
To add a new group:
1 Select Users & Groups | Groups | Add Group from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Click the Members tab.
4 Enter your search criteria on the Filter tab.
5 Click the Results tab to assign/remove members from the group. For more detail see the Members tab.
NOTE: A group used by either AD or Generic Integration cannot have its membership changed here. The
current member status is displayed, but all buttons in the list are disabled.
TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the Ctrl key
when clicking on any button.
6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
NOTE: The Permissions tab is disabled for any of the default Global Groups because you cannot change the
Access Policy for a system generated group.
7 Click the Save Changes button.
Duplicate a group
To ease the burden of administration and help maintain consistency, groups can be duplicated. This allows the
administrator to create new groups that are very similar to those that exist, while only having to modify a few
details. The new group inherits membership and permissions from the existing group.
To duplicate a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be duplicated.
5 Click the Duplicate button. A new group is created and the Group Details page displays. The name of the
  new group is automatically DuplicateofXXXXX.
6 Make any changes to the group on the various tabs.
7 Click the Save Changes button.
Delete a group
To delete a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List groups
The List Groups option allows you to export the group data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
To list the groups:
1 Select Users & Groups | Groups | List Groups from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the list of group names outside of the TPAM interface, click the Export to Excel
  button, or the Export to CSV button. To view and store the list of group members outside of the TPAM
  interface, click the Export Members to Excel button, or the Export Members to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view membership of a group, select the group and click the Members tab.
7 To view the permissions granted to the group, select the group and click the Permissions tab.
Default global groups
Included with TPAM are several default global groups that can be used for assigning permissions. These are only
visible in TPAM if the System Administrator has enabled these in the admin interface.
IMPORTANT: Any users assigned to a global group will gain the associated permissions on all systems unless
overridden by other assignments.
To view global groups:
1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Click the Listing tab.
3 Select a global group.
4 Click the Members tab to edit membership to the group.
5 Select the Not Assigned or Assigned button.
6 Click the Save Changes button.
NOTE: The Permissions tab is disabled for all global groups because you cannot change the Access Policy
for a global group.
6 Permission Hierarchy
• Introduction
• Permission precedence
• Permissions example
Introduction
Because TPAM allows groupings of users (Groups) and remote systems (Collections), it is possible, even likely,
that a user could appear to have multiple conflicting permissions for a particular system, account, and/or file.
To resolve such conflicts, TPAM implements a precedence of permissions.
Permission precedence
The precedence, in order of decreasing priority, is:
• An Access Policy assigned to a User for an Account/File (most specific)
• An Access Policy assigned to a User for a Collection containing Accounts or Files
• An Access Policy assigned to a User for a System
• An Access Policy assigned to a User for a Collection of Systems
• An Access Policy assigned to a Group for an Account/File
• An Access Policy assigned to a Group for a Collection containing Accounts or Files
• An Access Policy assigned to a Group for a System
• An Access Policy assigned to a Group for a Collection of Systems (least specific) (*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The groups grant their
respective permissions to an internally-maintained “All Systems” collection.
IMPORTANT: A Denied access policy assignment at any level overrides all other permissions at that level.
After any permissions are changed, for example, by adding or removing a user from a group, the precedence is
recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results.
Permissions example
In the scenario shown above, the groups and users have been assigned Access Policies that grant the permissions
specified. In this situation, the precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via the Group A to Collection
  B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because
  assignment to a Collection containing an Account or File is more specific than a collection containing
  just the System. User A may still Approve requests to all accounts on System C and all of C’s files with
  the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. As above, the
  Group B to Collection B assignment of Request rights for User A on File C1 overrides the Approver rights
  from Group A.
• Since User A is in both Groups A and B he has both Review and Request rights on all the items in
  Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the
  Group A to Collection B assignment grants User B Review on Account B1 on System B, User B is still denied
  access because the User to Collection assignment trumps the Group to Account in a Collection assignment.
  If User B had instead been assigned the Review permission directly (as opposed to through Group A) to
  Account B1, that would have replaced the Denied assignment on System B, but only for that one account.
• User B also has Review rights on all Accounts and Files on System A and File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes
  both policies User C received via the Group to Collection assignments, but only for Account B1. User C
  still has Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request
  permission on System A, which is through the Group B to Collection B. D still retains the Request
  permissions on Account B1 and File C1 from the Group assignment; however, that removes D’s ISA
  permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the permission hierarchy those
permissions are combined, as long as one of those permissions is not “Denied”. If a User is in 3 different groups
(A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor)
the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead
of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System.
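The precedence list and the Permissions example above, worked through in code. This is an added example and not TPAM's own code: it models the eight precedence levels, the Denied rule and the same-level combination rule for Users A, B and C, Groups A and B and Collection B, and for the three-group System scenario that closes the chapter. The item names A1, B2 and C2 and the exact contents of Collection B are constructed stand-ins for the figure the text refers to.

```python
"""Model of the TPAM permission precedence described in this chapter (example code,
not TPAM's own).  It applies the eight precedence levels, the "Denied overrides at
its level" rule and the "same level combines" rule to Users A, B and C, Groups A and
B, Collection B and Systems A, B and C from the Permissions example.  Item names A1,
B2 and C2 and the exact contents of Collection B are constructed stand-ins for the
figure the text refers to.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Levels in the order of the "Permission precedence" list; a lower number wins outright.
USER_ITEM, USER_ITEM_COLL, USER_SYSTEM, USER_SYS_COLL = 1, 2, 3, 4
GROUP_ITEM, GROUP_ITEM_COLL, GROUP_SYSTEM, GROUP_SYS_COLL = 5, 6, 7, 8


@dataclass
class Collection:
    systems: Set[str] = field(default_factory=set)  # whole Systems in the Collection
    items: Set[str] = field(default_factory=set)    # individual Accounts/Files


@dataclass
class Assignment:
    principal: Tuple[str, str]  # ("user", "A") or ("group", "B")
    target: Tuple[str, str]     # ("item", "B1"), ("system", "C") or ("collection", "B")
    policy: str                 # DEN, ISA, APR, REQ, REV or PAC


@dataclass
class Model:
    system_of: Dict[str, str]           # Account/File -> System it belongs to
    groups: Dict[str, Set[str]]         # Group -> member Users
    collections: Dict[str, Collection]
    assignments: List[Assignment]

    def level(self, a: Assignment, item: str) -> Optional[int]:
        """Precedence level at which `a` applies to `item`, or None if it does not."""
        system = self.system_of[item]
        is_group = a.principal[0] == "group"
        kind, name = a.target
        if kind == "item" and name == item:
            return GROUP_ITEM if is_group else USER_ITEM
        if kind == "system" and name == system:
            return GROUP_SYSTEM if is_group else USER_SYSTEM
        if kind == "collection":
            coll = self.collections[name]
            # Assumption: an Account/File named in the Collection is reached as a
            # "Collection containing Accounts or Files"; one reached only through
            # its System is reached as a "Collection of Systems".
            if item in coll.items:
                return GROUP_ITEM_COLL if is_group else USER_ITEM_COLL
            if system in coll.systems:
                return GROUP_SYS_COLL if is_group else USER_SYS_COLL
        return None

    def effective(self, user: str, item: str) -> FrozenSet[str]:
        """Effective policies for `user` on `item`; empty means nothing assigned."""
        by_level: Dict[int, Set[str]] = {}
        for a in self.assignments:
            kind, name = a.principal
            applies = name == user if kind == "user" else user in self.groups[name]
            if applies:
                lvl = self.level(a, item)
                if lvl is not None:
                    by_level.setdefault(lvl, set()).add(a.policy)
        if not by_level:
            return frozenset()
        winners = by_level[min(by_level)]  # only the most specific level counts
        if "DEN" in winners:                # Denied overrides everything at its level
            return frozenset({"DEN"})
        return frozenset(winners)           # grants at the same level are combined


def chapter_example() -> Model:
    """Assignments of the Permissions example that involve Users A, B and C."""
    return Model(
        system_of={"A1": "A", "B1": "B", "B2": "B", "C1": "C", "C2": "C"},
        groups={"A": {"A", "B", "C"}, "B": {"A", "C"}},
        collections={"B": Collection(systems={"A"}, items={"B1", "C1"})},
        assignments=[
            Assignment(("group", "A"), ("system", "C"), "APR"),
            Assignment(("group", "A"), ("collection", "B"), "REV"),
            Assignment(("group", "B"), ("collection", "B"), "REQ"),
            Assignment(("user", "B"), ("system", "B"), "DEN"),
            Assignment(("user", "C"), ("item", "B1"), "ISA"),
        ],
    )


def three_groups(group_b_policy: str) -> FrozenSet[str]:
    """Closing example: one User in Groups A, B and C, each assigned to System S."""
    m = Model(
        system_of={"S1": "S"},
        groups={"A": {"U"}, "B": {"U"}, "C": {"U"}},
        collections={},
        assignments=[Assignment(("group", g), ("system", "S"), p)
                     for g, p in (("A", "APR"), ("B", group_b_policy), ("C", "REQ"))],
    )
    return m.effective("U", "S1")
```

Calling chapter_example().effective("A", "C1") returns the Review and Request grants from Collection B, while effective("A", "C2") returns only the Approver grant from the Group A to System C assignment.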
7 Access Policies
• Introduction
• Details tab
• Permission types
• Add an access policy
• Make an access policy inactive
• Reactivate an access policy
• Duplicate an access policy
• Delete an access policy
• Rebuild assigned policies
Introduction
Access policies allow permissions to be assigned at the system, account and file level, so that permissions
can be broken down and assigned at a more granular level. For example, you could create one access policy
that allows someone to review password releases, request password releases and request a session that is
limited to two commands. Default access policies exist in TPAM that mimic the old TPAM roles of
“EGP Requestor”, “PAR ISA”, etc., so that existing permission assignments are migrated to the new access
policy model and so that the default Global Groups can be supported.
Details tab
The table below explains all of the box options available on the Details tab.
Table 15. Access Policies: Details tab options
Policy Name (Required: Yes)
    The unique policy name. When assigning access policies you select this name from a list, so make it as
    descriptive as possible. Limited to 30 characters.
Description (Required: No)
    The description box may be used to provide additional information about the access policy. This
    information is only visible to Administrators when editing the policy.
System Generated (Required: No)
    This box is selected if the access policy was automatically created by TPAM. System generated access
    policies are created for backwards compatibility in the migration from system level permissions and
    aliases to account level permissions and access policies. System generated access policies cannot be
    altered in any way, only made inactive. System generated access policies can be duplicated but not
    deleted.
Active (Required: Yes)
    If selected, this access policy can be assigned to users/groups.
Used By Summary (Required: NA)
    Displays the count of entities that are using this access policy.
Access Policy Type (Required: Yes)
    Choices are All, Password, File, Session or Command. When Command is selected a list of commands is
    available to select from. These are the entities that you are granting permissions on.
Access Policy Permission (Required: Yes)
    Permission choices are:
    • DEN - Denied
    • ISA - Information Security Administrator
    • APR - Approver
    • REQ - Requester
    • REV - Reviewer
    • PAC - Privileged Access
    See Permission types for a detailed explanation of each permission.
Use Defaults from System, Account, or File (Required: No)
    The data on this section of the page replaces the details that were formerly configured on the Alias
    Account Details tab in releases prior to v2.4. To override the settings at the system, account or file,
    clear the Use defaults check box and adjust the settings.
Allow Clipboard (Required: No)
    This option is only enabled for session and command types. If selected, the user can use the clipboard
    function for copy/paste of text during a session.
Allow File Uploads (Required: No)
    This option is only enabled for session and command types. If selected, file uploads are allowed during
    sessions with this account.
Allow File Downloads (Required: No)
    This option is only enabled for session and command types. If selected, files can be downloaded from the
    remote system to the local system/network drive during a session.
Prevent Password Release
    This option is only enabled for session and command types. If selected, prevents a user from requesting
    a session where the proxy type is interactive login.
Retrieve Past Passwords (Required: No)
    If selected, users with requestor or privileged access permissions can retrieve any past passwords for
    the account with an approved request.
    NOTE: Users will be able to retrieve any past password even if they did not have assigned permissions
    for the account in the past. Access is allowed based on current permissions.
Record Sessions (Required: No)
    This option is only enabled for session and command types. If selected, the session is recorded.
Record Keystrokes (Required: No)
    If selected, creates a keystroke log (KSL) of the user’s activity during the session.
    NOTE: A DPA is required for a keystroke log to be created.
Allow KSL View (Required: No)
    If selected, allows people replaying the session to see the keystroke log. This check box applies only
    when ISA, APR, or REV permissions are selected.
Record Events (Required: No)
    If selected, a log of events during the session is created. These events can be searched or bookmarked
    during playback.
Restr. Cmd Prof. (Required: No)
    Can select a profile which restricts the commands the user may run during a session. The Record Session
    option must be selected in order to select a profile.
Min Approvers (Required: No)
    The request will use the value here or the value set at the account, whichever is greater.
Max Duration (Required: No)
    The request will use the maximum value here or the value set at the account, whichever is less.
Dflt Duration
    The request will use this as the default value for the duration of the request.
Permission types
When creating access policies in TPAM there are several different permission types to choose from. The table
below explains the different types.
Table 16. Access Policies: Available permission types
Denied
    This permission type was created so that collection permissions could be assigned to a user and then the
    denied permission set for specific entities within this collection that the user should not have access
    to. If a user is Denied for a system but has access to a specific account/file on that system they can
    still access the account/file, because account or file permission assignment holds precedence over
    system.
ISA (Information Security Administrator)
    The role of ISA is intended to provide the functionality needed for security help desk personnel, and as
    a way to delegate limited authority to those responsible for resource management.
    An ISA permission with a type of session allows the user to add and update all aspects of PSM Only
    systems, PSM only accounts, and for PSM supported platforms.
    An ISA permission with a type of password allows the user to add and update systems and accounts for all
    platforms except those that are PSM only.
    A user must be assigned an access policy with a type of both password and session and permission of ISA
    to be able to assign access policies to other entities. The ISA permission does not allow the user to
    delete a system.
Approver
    An approver can be configured to approve password, session and/or file requests. An approver can also be
    configured to only approve sessions that are requesting specific commands.
Requestor
    A Requestor can be configured to request password, session, and/or file requests. A requestor can also
    be configured to only request sessions that run specific commands.
    NOTE: A user requesting a session that has an interactive proxy type must also have an access policy
    assigned to them that includes password/requestor for that account.
Reviewer
    The reviewer role permits the individual to view reports on the specific systems for which they have
    been granted reviewer rights. A session/command reviewer can also replay sessions and review/comment on
    these sessions. If the user has password reviewer permissions they can review a password release that
    has expired and comment on that password release.
PAC (Privileged Access)
    With a PAC permission type, the user must go through the request process for passwords, files, and
    sessions, but after they submit the request it is automatically approved, regardless of the number of
    approvers required.
    NOTE: If a user has session/PAC permissions but does NOT have password/PAC permissions on an account,
    they can only start a session that is configured for one of the automatic proxy connection types, since
    they do not have permissions to access the password.
Add an access policy
To add an access policy:
1 Select Management | Access Policies from the menu.
2 Click the Add Policy button.
3 Enter the policy name.
4 Enter the policy description. (Optional)
5 Select a type/s. If Command is selected, select a command from the list.
6 Select the permission/s.
7 If Session is selected as a type, along with a permission of REQ or PAC, you have the option to clear the
  Use defaults check box and select Allow Clipboard, Allow File Uploads, Allow File Downloads, Prevent
  Password Release, Record Sessions, Record Keystrokes, Allow KSL Monitor, Record Events, and/or a Command
  Restriction Profile. (Optional)
8 If REQ is selected as a permission, you have the option to clear the Use defaults check box and enter Min
  Approvers and Max Duration. (Optional)
9 To add another type/permission combination, click the Add button and repeat steps 5-8.
10 Click the Save Changes button.
IMPORTANT: Commands on access policies are not limited by proxy type, so it IS possible to create an
access policy with commands that cannot be executed on the assigned account due to proxy type
limitations.
NOTE: There is no way to create a policy that allows a user to “Request, Approve or Review any Session
using any PCM Command”. A separate detail row must be created for each PCM command that is allowed
through the policy.
TIP: Any detail rows on an access policy that include a command permission need to have their own line.
See the example screen shot below.
Detail rows should not conflict with each other in the same policy. For example, if you have one row granting
Password/REQ, you cannot have another row with Password/DEN. Nor are you allowed to have two rows in the
policy that grant the same permission to the same type or command, e.g., you cannot have two rows both
granting Password/REQ, however you may have two (or more) rows granting Command/REQ as long as all the
rows reference different PCM Commands.
Make an access policy inactive
Making an access policy inactive removes it from the list of possible access policies that can be assigned to
users or groups for a system, account, collection or file. Making the policy inactive also removes it from any
entity it is assigned to.
To make an access policy inactive:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make inactive.
5 Click the Details tab.
6 Clear the Active check box. If the access policy is currently assigned, you will see a warning message.
7 After reading the warnings, to proceed select the Yes, this is really what I want to do check box.
8 Click the Save Changes button.
NOTE: If this is a system generated policy it makes the associated Global XXX Group effectively useless,
but does not change membership in the group.
Reactivate an access policy
To reactivate an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make active.
5 Click the Details tab.
6 Select the Active check box.
7 Click the Save Changes button.
NOTE: Reactivating a system-generated access policy brings back assignments of the associated global
group to the “All Systems” collection.
Duplicate an access policy
To ease the burden of administration and help maintain consistency, access policies can be duplicated. This
allows the administrator to create new policies that are very similar to those that exist, while only having to
modify a few details.
Duplicating an access policy duplicates all information about the policy itself (with the exception of the System
Generated setting), but does not duplicate any policy assignments.
To duplicate an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be duplicated.
5 Click the Duplicate Policy button. A new policy is created and the Details tab displays.
6 Enter the Policy Name.
7 Make any changes to the access policy.
8 Click the Save Changes button.
Delete an access policy
NOTE: An access policy can only be deleted if it is currently marked inactive.
To delete an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be deleted.
5 Click the Delete Policy button.
6 Click the OK button on the confirmation window.
Rebuild assigned policies
If the "Always use cached permission data" global setting is set to Yes or Not for Password/File Retrieval and
Session Start, then it is recommended that Administrators and ISAs use the rebuild assigned policy page to
update the cached permissions to the latest changes they have made. These changes include:
• Editing any permission assignment
• Adding/deleting systems, accounts, files, users, groups, or collections
• Changing the Ignore System Policies check box on the account
• Changing the user type (Administrator, Basic, Auditor, User Admin)
• Changing collection membership
• Changing the Global Groups setting in Global Settings
The Rebuild Assigned Policies page shows how much data is in the cache, when it was last updated, and the
current state of the background job. An Administrator or a user with both PPM and PPM ISA permissions may use
the Run Now button to run the job immediately if there are pending changes. This job will automatically run in
the background every 60 seconds as needed to update changes.
To rebuild the assigned policies:
1 Select Management | Rebuild Assigned Policies from the menu.
2 Click the Run Now button to update TPAM with the latest changes.
The Refresh Data button can be clicked to see if there are any new changes in the queue that need to be
processed.
8 Password Profiles
• Introduction
• Add a password check profile
• Add a password change profile
• Delete a password check/change profile
• Assign a password check/change profile
• Export Password Profiles
Introduction
Password check and change profiles define the rules for the checking and changing of an account’s password. On
a brand new TPAM appliance there are 3 factory default check profiles and 5 factory default change profiles
that can be assigned to systems/accounts as desired, or new ones can be configured. The three check profiles
available are:
• Check and Reset - marked as default until another profile is marked as default.
• Check, No Reset
• Check Disabled
The change profiles available are:
• Change Disabled
• Change Daily
• Change Every 5 days
• Change on First of Month - marked as default until another profile is marked as default.
• Change on Last of Month
Add a password check profile
To add a password check profile:
1 Select Management | Profile Management from the menu.
2 Select Password Check from the Profile Type list.
3 Click the New Profile button.
4 Complete the boxes as the table below describes.
Table 17. Password check profile page options
Profile Name (Required: Yes)
    Enter a unique profile name.
Description (Required: No)
    Enter information about the password check profile.
Default Check Profile (Required: No; Default: Off)
    If selected, this password check profile will automatically be assigned to any new system added.
Schedule (Required: Yes; Default: Daily, 1 time per day)
    Specifies the interval that the password is checked. Choices are:
    • No scheduled password checks
    • Daily - password checked n time(s) per day.
    • Weekly - password is checked once on the day(s) selected.
    • Every n Days - password is checked every n days. The n value can be between 1 and 999.
    • Monthly - if selected then the password is checked every month depending on one of the options below:
        • First Day of the Month - the password is checked every month, on the first day of the month.
        • Last Day of the Month - the password is checked every month, on the last day of the month.
        • Days of the Month - specific days can be entered. Multiple days can be entered separated with
          semi-colons. -1 can be entered to represent the last day of the month.
Checks will be scheduled during the following window(s) (Required: Yes; Default: 00:00-23:59)
    The time windows entered indicate the time(s) the password is scheduled to be checked. Time windows are
    entered as StartTime-EndTime. Times must be entered using a 24 hour format. Multiple time windows may be
    entered separated by a semi-colon. Up to 4 windows may be entered. Each window must be a minimum of 60
    minutes long, and there must be at least 30 minutes in between each window. Windows that cross midnight
    will be listed as two separate windows once the profile is saved. Based on the time windows entered, the
    total number of minutes per day that the check can be scheduled is displayed on the right. A schedule
    must allow at least 4 hours per day when it can be run.
Allow system to notify TPAM it is available for check (Required: No; Default: Off)
    If selected, the system can notify TPAM that it is online and available for password checks. If this is
    selected and the system is online, a password check will be scheduled if the last successful check date
    indicates that a password check is overdue. The system must have a unique certificate thumbprint
    assigned in order to use this option. See How to call the notification service for details. Accounts
    that are overdue for a check will be scheduled regardless of the current schedule settings, unless the
    account has No scheduled password checks selected. Accounts subscribed to a Synchronized Password will
    be checked against the current synchronized password and reset if needed.
    NOTE: If the account is on a custom platform system, the custom platform must have the Automation Active
    check box selected.
Check password timeout (Required: Yes; Default: 20)
    Determines the amount of time in seconds that an attempt to check the password remains active before
    being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are
    problems with connection failures with the system, this value can be increased.
After n consecutive failures to check do ... (Required: Yes; Default: 0, Do nothing)
    n is a value between 0-99. Options available if failures occur are:
    • Do nothing
    • Disable check schedule - account is ignored for any future checks until an Administrator or ISA goes to
      the account details management tab and clears the Check schedule disable check box.
    • Lock - locks the account in TPAM; no password releases or password requests are permitted until it is
      unlocked.
    • Increase retry interval - if selected, enter a retry interval >0 and greater than the current check
      retry interval setting on the Auto management agent in the admin interface.
Also notify account owner of check failure (Required: No; Default: Off)
    Only available if the consecutive failures setting is greater than 0. Email addresses saved on the system
    detail information tab will receive notifications when the nth failure occurs and every nth time after.
    Ex. 3 failures, email sent, 3 more failures, email sent.
On password mismatch do ... (Required: Yes; Default: Do nothing)
    The option selected determines how TPAM handles the scenario. Options are:
    • Do nothing
    • Reset Password - schedule the account for immediate password change.
    • Disable check schedule - account is ignored for any future checks until an Administrator or ISA goes to
      the account details management tab and clears the Check schedule disable check box.
    • Lock - locks the account in TPAM; no password releases or password requests are permitted until it is
      unlocked.
Also notify account owner of mismatch (Required: No; Default: Off)
    Email addresses saved on the system detail information tab will receive notifications when there is a
    password mismatch.
5 Click the Save Changes button.
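The time window rules from the check profile table above (the same rules apply to the password change profile page that follows), as an added validator that is not TPAM's own code. It assumes the end time of a window is exclusive, so the default 00:00-23:59 counts as 1439 minutes; the remaining rules are applied as the table states them.

```python
"""Validator for the "Checks/Changes will be scheduled during the following window(s)"
field of the password check and change profile pages.  Example code, not TPAM's own:
it applies the rules the guide states (StartTime-EndTime in 24 hour format, windows
separated by semi-colons, up to 4 windows, each at least 60 minutes long, at least
30 minutes between windows, at least 4 hours per day, and a window that crosses
midnight stored as two windows).  Treating the end time as exclusive, so that the
default 00:00-23:59 counts as 1439 minutes, is an assumption.
"""
import re
from typing import List, Tuple

Window = Tuple[int, int]      # (start, end) in minutes after midnight, start < end
DAY = 24 * 60
MAX_WINDOWS = 4               # "Up to 4 windows may be entered"
MIN_WINDOW_MINUTES = 60       # "a minimum of 60 minutes long"
MIN_GAP_MINUTES = 30          # "at least 30 minutes in between each window"
MIN_DAILY_MINUTES = 4 * 60    # "must allow at least 4 hours per day"

_TIME = re.compile(r"^([01]\d|2[0-3]):([0-5]\d)$")


def to_minutes(hhmm: str) -> int:
    """Parse a 24 hour HH:MM string into minutes after midnight."""
    m = _TIME.match(hhmm.strip())
    if not m:
        raise ValueError(f"{hhmm!r} is not a 24 hour HH:MM time")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_windows(text: str) -> List[Window]:
    """Parse 'HH:MM-HH:MM;HH:MM-HH:MM', apply the per-window rules and split a
    window that crosses midnight into two, as the saved profile lists it."""
    parts = [p.strip() for p in text.split(";") if p.strip()]
    if not parts:
        raise ValueError("at least one time window is required")
    if len(parts) > MAX_WINDOWS:
        raise ValueError(f"at most {MAX_WINDOWS} windows may be entered")
    windows: List[Window] = []
    for part in parts:
        pieces = part.split("-")
        if len(pieces) != 2:
            raise ValueError(f"{part!r} must be entered as StartTime-EndTime")
        start, end = to_minutes(pieces[0]), to_minutes(pieces[1])
        crosses_midnight = end < start
        length = DAY - start + end if crosses_midnight else end - start
        if length < MIN_WINDOW_MINUTES:
            raise ValueError(f"{part!r} is shorter than {MIN_WINDOW_MINUTES} minutes")
        windows += [(start, DAY), (0, end)] if crosses_midnight else [(start, end)]
    return sorted(windows)


def validate_windows(text: str) -> Tuple[List[Window], int]:
    """Return (windows, minutes per day the check/change can be scheduled),
    or raise ValueError naming the first rule the entry breaks."""
    windows = parse_windows(text)
    # Gap rule between consecutive windows within the day.  Assumption: the two
    # halves of a split midnight window sit at opposite ends of the day and are
    # therefore never compared with each other.
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start - prev_end < MIN_GAP_MINUTES:
            raise ValueError(f"windows overlap or are less than {MIN_GAP_MINUTES} "
                             f"minutes apart around minute {prev_end}")
    total = sum(end - start for start, end in windows)
    if total < MIN_DAILY_MINUTES:
        raise ValueError(f"schedule allows only {total} minutes per day; "
                         f"at least {MIN_DAILY_MINUTES} are required")
    return windows, total


def check_windows(text: str) -> str:
    """Convenience wrapper: 'ok' or the message for the first rule that fails."""
    try:
        validate_windows(text)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for entry in ("00:00-23:59", "08:00-12:00;13:00-17:00", "22:00-02:00",
                  "08:00-08:30", "08:00-10:00;10:15-12:00", "08:00-11:00"):
        print(f"{entry:28} -> {check_windows(entry)}")
```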
Add a password change profile
To add a password change profile:
1 Select Management | Profile Management from the menu.
2 Select Password Change from the Profile Type list.
3 Click the New Profile button.
4 Complete the boxes as the table below describes.
Profile Name (Required: Yes)
    Enter a unique profile name.
Description (Required: No)
    Enter information about the password change profile.
Default Change Profile (Required: No; Default: Off)
    If selected, this password change profile will automatically be assigned to any new system added.
Schedule (Required: Yes; Default: Daily, 1 time per day)
    Specifies the interval that the password is changed. Choices are:
    • No scheduled password changes - accounts or synchronized passwords with this setting will never be
      scheduled for changes. Post-release resets may still occur based on the account level setting.
    • Daily - password changed n time(s) per day.
      NOTE: If a password is scheduled to be changed more than once a day the recommendation is to use the
      Test Port option as well.
    • Weekly - password is changed once on the day(s) selected.
    • Every n Days - password is changed every n days. The n value can be between 1 and 999.
    • Monthly - if selected then the password is changed every month depending on one of the options below:
        • First Day of the Month - the password is changed every month, on the first day of the month.
        • Last Day of the Month - the password is changed every month, on the last day of the month.
        • Days of the Month - specific days can be entered. Multiple days can be entered separated with
          semi-colons. -1 can be entered to represent the last day of the month.
Changes will be scheduled during the following window(s) (Required: Yes; Default: 00:00-23:59)
    The time windows entered indicate the time(s) the password is scheduled to be changed. Time windows are
    entered as StartTime-EndTime. Times must be entered using a 24 hour format. Multiple time windows may be
    entered separated by a semi-colon. Up to 4 windows may be entered. Each window must be a minimum of 60
    minutes long, and there must be at least 30 minutes in between each window. Windows that cross midnight
    will be listed as two separate windows once the profile is saved. Based on the time windows entered, the
    total number of minutes per day that the change can be scheduled is displayed on the right. A schedule
    must allow at least 4 hours per day when it can be run.
TPAM 2.5
Administrator Guide
53
Field
Description
Required?
Allow system
to notify TPAM
it is available
for change
If selected, the system can notify TPAM that is online and
No
available for password changes. If this selected and the system
is online, a password change will be scheduled if the last
successful change date indicates that a password change is
overdue. The system must have a unique certificate thumbprint
assigned in order to use this option. The certificate is assigned
to the system on the System Management tab. See Management
tab for details.
Default
Off
Account that are overdue for a change will be scheduled
regardless of the current schedule settings, unless this account
has No scheduled password changes selected. Accounts
subscribed to a Synchronized Password will be checked against
the current synchronized password and reset if needed.
Do not change If selected, the password will not be changed while the account No
password
has an active password request open or if a PSM session is
while release active and the proxy type is auto login.
is active
Off
Change
password
timeout
Determines the amount of time in seconds that an attempt to
change the password remains active before being aborted. In
most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with
the system, this value can be increased
20
Test
Port/Timeout
If selected, the port that is used for the password change is
No
tested before attempting to change the password. If selected a
timeout in seconds is required. Recommend a small value for
timeout. Using the test port helps reduce the number failed
passwords that TPAM has to store as well as reduces network
resources waiting on unsuccessful change password attempts. A
test port failure is logged, but does not count as a failed
password change.
Do not change If selected, the password WILL NOT be changed after a
password
password request duration has expired, which allows the
after Requests requestor to retain knowledge of the current password. The
password will only be reset by a regularly scheduled change or
a forced reset. This setting does not affect ISA password
retrievals or apply to synchronized passwords.
Yes
Off
No
Off
Yes
0, Do nothing
NOTE: It is recommended that this option only be used with
Enable account before release option selected on the account
details. These accounts will have the account disabled after
the request expires, even though the password still will not be
reset until a regularly scheduled change.
After n
consecutive
failures to
change do ...
n is a value between 0-99. Options available if failure occur
are:
•
Do nothing
•
Disable change schedule -account is ignored for any
future checks until Administrator or ISA goes to the
account details management tab and clears the Change
schedule disable check box.
•
Lock - locks account in TPAM, no password releases or
password requests permitted until it is unlocked.
NOTE: Test port failures do no count toward consecutive
failures.
TPAM 2.5
Administrator Guide
54
Field
Description
Required?
Default
Also notify
account
owner of
change failure
Only available if consecutive failures setting is greater than 0. No
Email addresses saved on the system detail information tab will
receive notifications when the nth failure occurs and every nth
time after. Ex. 3 failures, email sent, 3 more failures, email
sent.
Off
Send email n
days before
the scheduled
change to ....
These settings will send Password Pre-Change emails prior to a
scheduled password change. The email will be sent to the
specified recipient(s) at the desired intervals before the
change is attempted. No follow-up emails are sent if the
schedule is changed due to either a Post-Release Reset or
forced change.
No
blank
Enter one or more recipients to receive a Password Post-Change No
email after any scheduled, forced, or post-release change of a
password.The list of recipients may include any of the following
placeholder values:
blank
The schedule must be either Monthly or Every 3+ days. The days
may be a list of up to 4 numbers separated by semi-colons
indicating the number of days prior to change. E.g., 14;7;1 will
send emails at 14 days, 7 days and 1 day prior to the change.
The email address is a semi-colon separated list of recipients
and may include any of the following placeholder values:
Send Email
after
successful
change to:
•
:Group=Group1,Group2,…: - Comma-separated list of
one or more group names. Email addresses of all users in
these groups.
•
:User=User1,User2,…: - Comma-separated list of one or
more TPAM user names.
•
:RelNotify: - Release notification email on the account
•
:System: - Primary email contact on the system
•
:ISA: - All users with PPM ISA permissions on the account
•
:Functional: - The notification email for the functional
account of the assigned system.
•
:Group=Group1,Group2,…: - Comma-separated list of
one or more group names. Email addresses of all users in
these groups.
•
:User=User1,User2,…: - Comma-separated list of one or
more TPAM user names.
•
:RelNotify: - Release notification email on the account
•
:System: - Primary email contact on the system
•
:ISA: - All users with PPM ISA permissions on the account
•
:Functional: - The notification email for the functional
account of the assigned system.
NOTE: This could generate many emails for very active
accounts or accounts with frequent scheduled changes.
5
Click the Save Changes button.
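The window rules above (StartTime-EndTime in 24 hour format, up to 4 semi-colon separated windows, 60 minute minimum, 30 minute gaps, midnight-crossing windows split on save, 4 hours per day minimum) are easy to get wrong by hand. The validator below is an added example written for this guide, not TPAM code; it assumes that an end time at or before the start marks a window that crosses midnight and that the per-day total is counted as end minus start of each window as entered.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits stated for the "Changes will be scheduled during the following window(s)" field.
MAX_WINDOWS = 4
MIN_WINDOW_MINUTES = 60
MIN_GAP_MINUTES = 30
MIN_TOTAL_MINUTES = 4 * 60
DAY = 24 * 60

_TIME_RE = re.compile(r"^([01]\d|2[0-3]|\d):([0-5]\d)$")


def _to_minutes(hhmm: str) -> int:
    """Parse a 24 hour HH:MM time into minutes since midnight."""
    m = _TIME_RE.match(hhmm.strip())
    if not m:
        raise ValueError(f"time {hhmm!r} is not in 24 hour HH:MM format")
    return int(m.group(1)) * 60 + int(m.group(2))


def _fmt(minutes: int) -> str:
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


@dataclass
class ScheduleWindows:
    saved_windows: List[str]  # windows as TPAM lists them after saving (midnight-crossing ones split)
    total_minutes: int        # minutes per day during which a change may be scheduled


def parse_windows(text: str) -> ScheduleWindows:
    """Validate a semi-colon separated StartTime-EndTime list and return its saved form."""
    parts = [p.strip() for p in text.split(";") if p.strip()]
    if not parts:
        raise ValueError("at least one time window is required")
    if len(parts) > MAX_WINDOWS:
        raise ValueError(f"at most {MAX_WINDOWS} windows may be entered, got {len(parts)}")

    entered: List[Tuple[int, int]] = []
    for part in parts:
        pieces = part.split("-")
        if len(pieces) != 2:
            raise ValueError(f"window {part!r} must be entered as StartTime-EndTime")
        start, end = _to_minutes(pieces[0]), _to_minutes(pieces[1])
        # Assumption: an end time at or before the start time means the window crosses midnight.
        if end <= start:
            end += DAY
        if end - start < MIN_WINDOW_MINUTES:
            raise ValueError(f"window {part!r} is shorter than {MIN_WINDOW_MINUTES} minutes")
        entered.append((start, end))

    # Split windows that cross midnight into the two pieces TPAM lists once the profile is saved.
    segments: List[Tuple[int, int]] = []
    for start, end in entered:
        if end > DAY:
            segments += [(start, DAY - 1), (0, end - DAY)]
        else:
            segments.append((start, min(end, DAY - 1)))
    segments.sort()

    # Consecutive windows within the day must be at least 30 minutes apart; an overlap shows
    # up here as a negative gap. The page does not apply the gap across midnight (a split
    # window would violate it), so the wrap-around is deliberately not checked.
    for (s1, e1), (s2, e2) in zip(segments, segments[1:]):
        if s2 - e1 < MIN_GAP_MINUTES:
            raise ValueError(
                f"windows {_fmt(s1)}-{_fmt(e1)} and {_fmt(s2)}-{_fmt(e2)} "
                f"must be at least {MIN_GAP_MINUTES} minutes apart"
            )

    # Assumption: minutes are counted as end minus start of each window as entered,
    # so the default 00:00-23:59 yields 1439 minutes.
    total = sum(end - start for start, end in entered)
    if total < MIN_TOTAL_MINUTES:
        raise ValueError(
            f"schedule allows only {total} minutes per day; at least {MIN_TOTAL_MINUTES} are needed"
        )

    return ScheduleWindows([f"{_fmt(s)}-{_fmt(e)}" for s, e in segments], total)


def window_error(text: str) -> Optional[str]:
    """Return the validation message for a window list, or None when it is acceptable."""
    try:
        parse_windows(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: the default, a midnight-crossing window, a gap violation, a total violation.
    for sample in ["00:00-23:59", "22:00-02:00", "08:00-10:00;10:15-12:00", "01:00-02:00;03:00-04:00"]:
        err = window_error(sample)
        print(f"{sample!r}: {err if err else parse_windows(sample)}")
```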
Delete a password check/change profile

To delete a password check or change profile:

1. Select Management | Profile Management from the menu.
2. Select Password Change or Password Check as the profile type.
3. Select the profile to be deleted from the list.
4. Click the Delete Profile button.
5. Click the OK button on the confirmation window.

NOTE: A password check or change profile can only be deleted if it is not assigned to any systems, accounts or synchronized passwords.
Assign a password check/change profile

Password check and change profiles can be assigned using batch processing, the CLI/API, or by following the procedure below.

To assign a password check or change profile to a system:

1. Select Systems, Accounts, & Collections | Accounts | Manage Systems.
2. Select the system on the Listing tab.
3. Click the Management tab.
4. Select the profiles from the lists.
5. Click the Save Changes button.
Export Password Profiles

To view all configured password profiles, as well as any other type of profiles that have been configured:

1. Select Management | Profile Management.
2. Click the Export to Excel button.
3. Open or save the file.
9  Systems

• Introduction
• Add a system
• Add a system template
• Add a system using a template
• Test a system
• Clear a stored system host entry
• Duplicate a system
• Disassociate a system from a template
• Delete a system
• Delete a system template
• List systems
• Local appliance systems
Introduction

This chapter covers the steps to add and manage systems in TPAM. To add and manage systems, information is entered on the following tabs in the TPAM interface:

Table 18. Systems Management: TPAM interface tabs

Details/Information: Define main system information, such as name, IP address, contact.
Details/Custom Information: Enter data in custom fields, if they have been defined.
Details/Connection: Define functional account credentials.
Details/Management: Configure the settings for how TPAM will manage the passwords for the accounts on this system.
Details/Ticket System: Configure Ticket System Validation for requests on this system.
Details/LDAP Schema: For LDAP Directory systems, whose schema may require customizing.
Template: Used to save system settings as a template.
Account Discovery: Assign the account discovery profile to be used for this system.
Affinity: Define Distributed Processing Appliance (DPA) assignment for a system.
Collections: Assign a system to a collection/s.
Permissions: Assign users and groups permissions on this system.
Information tab
The table below explains all of the box options available on the details information tab.
Table 19. Systems Management: Details information tab options

Field: System Name (Required: Yes)
  Descriptive name of the system. Typically, the host name (for UNIX® systems) or the machine name (for Windows® systems) is used.
  Within TPAM, the system name must be unique. The name can be 1-30 characters long, but cannot include empty space (i.e. spaces, carriage-returns, etc.).

Field: Network Address (Required: Yes)
  The IP address (example: 192.168.0.15) or DNS name (example: server1.domain.bigco.com) of the system.
  It is imperative that this information is entered correctly, as the back-end automation procedures use this address to connect to the remote system.
  NOTE: MS SQL Server® systems with dynamic ports can be entered as networkaddress\namedinstance in this box. For more details see the Client Set Up Guide.

Field: ISA Policy
  This option is listed after adding a system if your user ID is assigned an Access Policy that contains an ISA permission. From this list, select the ISA policy to be applied, which allows you to access the system after it has been saved. If you have ISA access granted via a single Access Policy, it is pre-selected.
  NOTE: If you select Do not Assign an ISA Policy you must assign the system to a collection to which you have access; otherwise, once the system is saved you will no longer have access unless you are an administrator.

Field: Platform (Required: Yes; Default: AIX)
  This list shows the operating system platforms currently supported for proxied connections by TPAM. The platform of Other can be chosen for platforms not currently supported for TPAM auto management. Select the appropriate platform for the operating system running on the remote host.
  For PSM this box is primarily descriptive, since it is the proxy connection type that actually determines how the session is established. However, if the passwords for this system are managed by PPM, ensure the correct platform is selected, as PPM uses it to determine the most secure and reliable way to manage the passwords on the remote system.

Field: Password Rule (Required: Yes; Default: Default Password Rule)
  The password rule to serve as the default for all accounts defined for the system. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule is selected. The password rule governs the construction requirements for new passwords generated by PPM. Password rules are managed by Sys-Admin users in the admin interface.

Field: Maximum Duration (Required: Yes; Default: 7 Days)
  This is the maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations is used. The default duration that the requestor sees for any new password request is 2 hours, or the maximum duration, whichever is less.

Field: Contact E-mail (Required: No)
  Allows support personnel to receive email notifications from TPAM. Alerts are sent for:
  • A password check or change failure based on password profile settings.
  • A scheduled password change for a manually managed account.
  • An expired PSM session.
  • A non-managed account password release notification.
  This box can be left blank, in which case errors are logged but notifications are not sent.

Field: Description (Required: No)
  The description box may be used to provide additional information about the system, special notes, business owner, etc.

Field: Enable Automatic Password Management? (Required: No; Default: Enabled on appliances with Privileged Account Manager licenses)
  Tells TPAM whether to automatically manage remote system account passwords, based upon configuration parameters for each system. Auto-management includes automatic testing and changing of the passwords. Selected = enabled, cleared = disabled. This option is available at both the system and account levels, therefore it is possible to allow TPAM to auto-manage one account on a specific system, while another account on the same system is not auto-managed. However, if the option is not selected at the system configuration level, no accounts on the system can be auto-managed.
  NOTE: If the appliance has exceeded the number of PPM managed systems that were licensed, this option cannot be selected for any new systems until you select the Disable all PPM functions ... check box on another managed system or increase your system license quantity.

Field: Disable all PPM functions and delete any existing password history or secured files? (PSM Customers Only) (Required: No; Default: Off)
  This check box sets the system to “PSM only”, which means you cannot use any of the PPM features on this system such as password change history, release logs, password checking and changing, and releasing passwords.
  The reason for this is product licensing. You are not limited in the number of “PSM only” systems you can add, but the number of managed (PPM) systems you can add is limited to the number of system licenses you purchased.

Field: Approver Escalation (Required: No)
  You have the ability to send an escalation to a specific email address if no approvers have responded to a Password/File request within X minutes. You can enter multiple email addresses by separating them with a comma, up to the box maximum of 255 characters.

Field: Delegation Prefix (specific platforms only) (Required: No)
  This box can be used to preface the commands that PPM uses to manage passwords for this system. The delegation prefix can also be used to specify an absolute path to the command that PPM uses to manage passwords for the system.

Field: Computer Name (specific platforms only) (Required: Yes for specific platforms)
  This box is designated for the system’s computer name and is required for proper password management. If it is not populated, TPAM attempts to determine the system’s computer name when the system is tested and updates the box. The Computer Name box is also used with TPAM’s Autologon feature. You have the option to have TPAM log the user into the remote system using the WORKSTATION\USERID format. This prevents any incorrect logon if the Default domain is saved as the DOMAIN name versus the Local Workstation. If a Domain user is selected from the Session Authentication window on PSM details, the user credentials are passed as DOMAIN\USERID. With both options the DOMAIN box is disabled at login.

Field: Workstation ID (Specific platforms only) (Required: No)
  For AS400 systems a specific workstation ID can be entered here that will be used when TPAM tries to connect to the system.

Field: Restricted URL (PSM Web Access platform only) (Required: No)
  If a URL is entered, the user is restricted to this address during the PSM web access session. If ALLOWNAV; is typed in before the restricted URL, the user can navigate away from the restricted URL.

Field: Initial Command (HP Non-Stop platform only) (Required: No)
  Initial command sent to the system.

Field: Client ID (SAP® platform only) (Required: No)
  ALS Client ID. When the target is a cluster, enter r3Name:GroupName:MSPort in this box. The network address entered for the system should be the network address of the message server.

Field: Password Release on Change (SPCW Pwd platform only) (Required: No)
  This value specifies whether the old password, the new password, or both will be substituted for the %OLDPW% and %NEWPW% tags in the parameters for the command specified under Execute a command if the password change succeeds within SPCW.

Field: Extra DB Connection String (DB platforms only) (Required: No)
  This value will be used in the database connection string when testing the system, checking or changing passwords, and, on supported platforms, auto discovery of accounts. The string must be semi-colon separated name=value pairs, such as encrypt=yes;database=master;...
  The connection string is checked for syntax, but the content can only be validated when used. The allowable name=value pairs vary across database platforms. For a full description consult the Client Setup Guide.
  NOTE: For MS SQL Server this connection string is ignored when using a domain or local computer functional account.

Field: TACACS+ Shared Secret (Required: No)
  This value is the TACACS+ Shared Secret. This value must match the shared secret that is set when configuring TPAM as an AAA client.
Custom information tab
There are six fields that can be customized to track information about each system. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Connection tab
The connection tab is used to configure the functional account that TPAM will use to connect to the system. This
tab is not enabled unless the Enable Automatic Password Management? check box is selected on the details
information tab (except for the SPCW platforms). The boxes available on the connection tab are dependent on
the platform type of the system being configured.
The table below describes the different box options on the Connection tab.
Table 20. Systems Management: Details Connection tab options

Field: Functional Account Name (Required: Yes; Default: funcacct)
  The functional account defines the account that is used to manage the accounts on the managed system. This account must be defined and configured on the managed system as described in the appropriate Client Setup Instructions. The credential defines whether SSH uses a predefined key (DSS) to authenticate or a standard password. DSS is the preferred and more secure way of managing accounts on systems that support SSH. You have the option to let PPM manage the functional account.
  The auto-change parameters for this password may then be configured via the account information tab, as with any other account. This helps to secure the managed system, by not maintaining a “static” password on a functional account.
  NOTE: After a system is saved for the first time, any changes in the system parameters are not automatically applied to the functional account, unless the Push defaults out to All Accounts switch on the management tab has been selected. The auto manage function never propagates to the functional account. It must be manually set.

Field: Alternate Port (platform specific) (Required: No)
  Most non-Windows® platforms allow alternate ports to be configured for communication of standard protocols, such as SSH, Telnet, or database ports.

Field: Domain Name (platform specific) (Required: Yes)
  When the system platform being created represents a central authority such as Active Directory®, BoKS, or PowerPassword®, the fully qualified domain name must be specified. Do not enter an alias, simple name or NetBIOS name. Max of varchar(255).

Field: Distinguished Name (platform specific) (Required: Yes)
  LDAP/LDAPS and Novell® systems require this field. Max is varchar(2000).

Field: NetBIOS Domain Name (platform specific) (Required: Yes)
  Windows® domain systems (Active Directory® or SPCW) also include the NetBIOS Domain Name box. Specify the name of the domain in NetBIOS format.

Field: SID/Service_Name (Oracle® DB only) (Required: Yes)
  Specifies either the security ID (SID) or the service name for Oracle® databases, and should match the setting in SQLNET.ORA at the database server.

Field: Server O/S (BoKS only) (Required: Yes; Default: AIX)
  Select the O/S running on the server from the list.

Field: Use Domain Account (platform specific) (Required: No)
  If selected, uses the domain account to change account passwords on the central authority.

Field: Local Computer Account (MS SQL Server® only) (Required: No)
  If selected, uses a Windows® account on the host system, which also must be configured as a managed account in TPAM, to connect to the system. The format should be system\account. Named pipe connections must be enabled using SQL Server® Configuration Manager on the target system.

Field: Connection Timeout (Required: Yes; Default: 20)
  The connection timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased (for example, connections to Windows® systems are often slower than SSH connections and may require a significantly higher timeout value). Max value 9999.

Field: PSM Functional Account (SPCW only) (Required: Yes; Default: psmfuncacct)
  The PSM functional account is used to provide secure communication during the session and file transfer during a session. If the PSM enabled account on the system is configured to use a proxy type of RDP through SSH, the PSM functional account is used during this connection.

Field: Tunnel DB Connection Through SSH (platform specific) (Required: No; Default: Off)
  Database tunneling through SSH provides the ability to securely connect to a remote database. Enter the account name used to connect to the remote system. If SSH is not listening on port 22, enter the correct port number to be used. For DBMS accounts, SSH tunneling only uses the public key for establishing the SSH connections.
  NOTE: Make sure that the default of AllowTCP Forwarding is set to Yes in the SSH configuration file of the managed system.

Field: DSS Account Credentials (Required: No)
  When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.
  • Avail. System Std. Keys - uses the single standard SSH keys (either Open SSH or the commercial key) stored centrally on TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the admin interface. Use the list to select the key you want to retrieve.
    NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system.
  • Use System Specific Key - allows the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the Get/Regen Key button, and then downloaded in either Open SSH or Sec SSH (commercial) format.

Field: Password Account Credentials (Required: No)
  If a password is entered it must match the password for the account on the managed system, otherwise password changes for accounts on this system will fail.

Field: Enable Password (platform specific)
  Some systems may require the use of very specific accounts for access. Password to use for the “ENABLE” account (Cisco platforms only) or the “EXPERT” account (CheckPoint SP platforms only).

Field: Authentication Method (Cisco Router TEL only) (Required: Yes; Default: Username/Password)
  Username/password is used when a username is needed to connect to the system. Line definition is used when there is no username to be specified; it is simply a password on the terminal connection.

Field: Expert Password (CheckPoint SP only) (Required: Yes)
  Setting up an Expert Password allows configuration access to the system.

Field: Custom Command (Mainframe only) (Required: No)
  If there is a special command that needs to be entered prior to being prompted for authentication credentials, it is specified by placing the command in the custom command box.

Field: Use SSL? (platform specific) (Required: No; Default: Off)
  Select this box if communications between TPAM and the device require the SSL option.

Field: Non-Privileged Functional Account (Windows® AD only) (Required: No; Default: Off)
  If selected, any password changes for accounts on this system use the managed account’s current password to log in and make the password change instead of using the functional account password.

Field: Allow Functional Account to be Requested for Password Release (Required: No; Default: Off)
  If selected, requestors on this system can make a request to release the password for the functional account. If not selected, the functional account passwords are not available for release to a requestor and are only accessible to an ISA.
Management tab
The management details tab is used to configure how TPAM manages the passwords for accounts on this system.
This tab is not enabled unless the Enable Automatic Password Management? check box is selected on the
details information tab. Once set, these parameters are inherited by accounts added to this system. These
options can be overridden at the account level.
The table below explains the options on the Management Details tab.
Table 21. Systems Management: Details Management tab options

Field: Password Check Profile Name (Required: Yes, if automatic password management has been selected; Default: from system template, or the profile marked as default)
  Select a password check profile from the list to determine the rules for how the password is checked on the system against what is stored in TPAM. The password check profiles are configured by the TPAM Administrator. See Password Profiles for more details.

Field: Password Change Profile Name (Required: Yes, if automatic password management has been selected; Default: from system template, or the profile marked as default)
  Select a password change profile from the list to determine the rules for how the password is changed on the managed system. The password change profiles are configured by the TPAM Administrator. See Password Profiles for more details.

Field: Push Defaults out to All Accounts (Required: No; Default: Off)
  Default change settings and management properties can be configured differently between systems and the defined accounts for those systems. If the desire is to ensure consistency throughout this parent-child relationship, it is possible to push the configuration of the default check and change settings from the system object to all child objects defined for the system. If selected, these settings will be pushed to the accounts when the Save Changes button is clicked. This is a one-time synchronization and may still be changed at the account level.
  NOTE: Synchronized password subscribers will not receive these updates.

Field: Enable auto management on All Accounts (Required: No; Default: Off)
  To enable this check box, Push Defaults out to All Accounts must be selected first. If selected, auto management will be enabled on all accounts under this system when the Save Changes button is clicked. This is a one-time synchronization and may still be changed at the account level.
  NOTE: The functional account defined for the system does not receive the Enable Auto Management on All Accounts setting during a push. The auto-manage property must be manually enabled for the functional account.
  NOTE: Synchronized password subscribers will not receive these updates.

Field: Default duration for ISA releases of password (Required: No; Default: 2 Hours)
  The duration for an ISA release may be specified up to a maximum of 21 days. This is the amount of time that transpires between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered, the ISA retrieval of a password will not trigger a post release reset of the password.

Field: Allow ISA to enter Duration on Release (Required: No; Default: Off)
  If selected, an ISA may enter a release duration other than the default when retrieving a password. The duration must be greater than zero and less than or equal to the maximum specified for either the ISA Duration or Max Release Duration (details information tab). The setting does not propagate to existing accounts; it will only get pushed to accounts added after it is selected.
  This check box is disabled when the Default duration for ISA releases of passwords is set to 0.

Field: Profile Notification Certificate (Required: Yes, depending on password profile)
  This is required if this system is using a check or change profile that is using the Allow system to notify TPAM it is available for check/change option.
  • No certificate - no thumbprint or certificate options. (Default)
  • Thumbprint Only - the SHA1 thumbprint of the certificate used by the system to notify TPAM of availability for check/change operations.
  • User-Supplied - the user can upload their own certificate to TPAM.
  • Created by TPAM - TPAM will generate a certificate and record the thumbprint. This certificate must be installed on the system in order to call the TPAM notification service. There is an optional password on a TPAM generated certificate. This password will be required to install the certificate on the target system. The password is NOT stored and cannot be retrieved if forgotten.
How to call the notification service

For systems that are going to notify TPAM that they are online and available for checks and changes, a REST service endpoint is available on the TPAM appliance.

A system can make a call to the following address to notify TPAM that it is online and available for check/change: https://tpamAddress:9443/available

The call can be made using a language or scripting environment of the user's choice. It requires a certificate to be included with the HTTP request. The thumbprint of that certificate must be on file in TPAM for a managed system. When the call succeeds and TPAM finds the thumbprint, all accounts on that system which have profiles allowing notification will be scheduled for checks/changes as required. The service returns a JSON dataset with the following information:

• CertificateThumbprint - 40-byte hexadecimal value of the certificate attached to the request. This does not indicate whether the request was accepted or not; it is just an echo of what the cert is, primarily for debug purposes. This value may or may not stay.
• ErrorID - number. 0 = good, non-zero = error occurred. Note that "success" does not necessarily mean anything was flagged for processing.
• ResultMessage - text. Either "Success" or some error message. Right now it will return an error message informing you of an unrecognized thumbprint.
• If no certificate is attached the call will result in a 403 error (403 - Forbidden: Access is denied).
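A client for this call, written in Python as an added example (not code shipped with TPAM). It presents the system's certificate to https://tpamAddress:9443/available, keeps server verification on, compares the echoed CertificateThumbprint with the SHA1 thumbprint of the certificate it actually sent, and maps ErrorID, ResultMessage and the 403 case onto a result; the use of GET and the name NotifyResult are assumptions, since the page gives the address but not the method.

```python
import hashlib
import http.client
import json
import re
import ssl
from dataclasses import dataclass
from typing import Optional

NOTIFY_PORT = 9443
NOTIFY_PATH = "/available"


@dataclass
class NotifyResult:
    accepted: bool             # True only when TPAM answered ErrorID 0
    detail: str                # ResultMessage, or a local description of the failure
    thumbprint: Optional[str]  # CertificateThumbprint echoed by TPAM, if any


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA1 thumbprint (40 hex characters) of a DER-encoded certificate, as TPAM records it."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprint_from_pem_file(path: str) -> str:
    """Thumbprint of the first CERTIFICATE block in a PEM file (a private key in the file is skipped)."""
    with open(path, "r", encoding="ascii") as fh:
        pem = fh.read()
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError(f"{path} contains no PEM certificate")
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(m.group(0)))


def interpret_response(status: int, body: str, expected_thumbprint: Optional[str] = None) -> NotifyResult:
    """Map the service's HTTP status and JSON dataset onto accepted / not accepted."""
    if status == 403:
        # The guide states that a request without a client certificate is answered with 403.
        return NotifyResult(False, "403 Forbidden: no client certificate was presented", None)
    if status != 200:
        return NotifyResult(False, f"unexpected HTTP status {status}", None)
    try:
        data = json.loads(body)
    except ValueError:
        return NotifyResult(False, "response body is not the expected JSON dataset", None)
    thumb = data.get("CertificateThumbprint")
    # The echo says nothing about acceptance, but comparing it with the certificate we meant
    # to present catches the wrong certificate being picked up from the local store.
    if expected_thumbprint and thumb and thumb.upper() != expected_thumbprint.upper():
        return NotifyResult(False, f"TPAM saw thumbprint {thumb}, expected {expected_thumbprint}", thumb)
    error_id = data.get("ErrorID", -1)
    if error_id != 0:
        return NotifyResult(False, f"ErrorID {error_id}: {data.get('ResultMessage', '')}", thumb)
    return NotifyResult(True, data.get("ResultMessage", "Success"), thumb)


def notify_available(tpam_address: str, certfile: str, keyfile: Optional[str] = None,
                     cafile: Optional[str] = None, timeout: float = 10.0) -> NotifyResult:
    """Call https://tpamAddress:9443/available with the system's client certificate.

    Assumption: the call is a plain GET; the guide names the address but not the method.
    Server verification stays on; pass the appliance's CA certificate as cafile when it
    is not trusted by the platform store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    conn = http.client.HTTPSConnection(tpam_address, NOTIFY_PORT, context=ctx, timeout=timeout)
    try:
        conn.request("GET", NOTIFY_PATH)
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    return interpret_response(status, body, thumbprint_from_pem_file(certfile))


if __name__ == "__main__":
    # Constructed sample answers in the shape the guide describes, not captured from an appliance.
    ok = '{"CertificateThumbprint": "%s", "ErrorID": 0, "ResultMessage": "Success"}' % ("A" * 40)
    bad = '{"CertificateThumbprint": "%s", "ErrorID": 1, "ResultMessage": "Unrecognized thumbprint"}' % ("B" * 40)
    for status, body in [(200, ok), (200, bad), (403, "")]:
        print(interpret_response(status, body))
```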
Ticket system tab
The ticket system tab is used to configure third party ticket system requirements when submitting password
release, file release or session requests for this system. The ticket system tab is only enabled if the TPAM
System Administrator has configured ticket system/s in the admin interface. The settings on this tab become
the default settings for any accounts or files added to this system.
The following table explains the options on this tab.
Table 22. Systems Management: Details Ticket system tab options

Field: Ticket Required for (Required: No; Default: Off)
  By selecting the check boxes you can require that ticket validation is enforced for Password/Files requests and/or Session requests. You also have the option to require ISAs to supply a ticket number prior to retrieving a password or file, as well as for requests made through the CLI or API. If a check box is not selected, users can still enter a ticket number on a request, but it is not required.

Field: Require Ticket Number from (Required: No; Default: Off)
  If multiple ticket systems are enabled they are listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled.

Field: Send Email to (Required: No; Default: No)
  If any of the ISA, CLI or API required check boxes are left clear, you have the option of entering one or more email addresses (up to 255 characters) that will receive an email when an ISA, CLI or API user releases or retrieves a password or file without supplying a ticket.

Field: Push ticket defaults out to all accounts and files (Required: No; Default: Off)
  If selected, when the Save Changes button is clicked, these settings are pushed to all accounts and files under the system. New accounts and files will inherit these settings.
  NOTE: The propagation is a one time update each time this check box is selected and the Save Changes button is clicked. After that there is no forcing of the settings to remain in synch. The settings on the accounts and files can be overridden.
LDAP schema tab
This tab is only enabled for LDAP, LDAPS and Novell® NDS® systems. It is used to customize the schema. The
fields in this tab specify the value of core attributes as well as the name(s) of optional attributes. For example
‘objectClass’ is a core attribute with defined values that distinguish the specific directory object as group, user
or computer. Similarly with attribute naming, a group object’s member attribute may be called ‘member’
‘uniquemember’ or ‘memberUid’, first name attribute may be called ‘givenName’, etc.
Template tab
The template tab is used to save all the settings for a system as a template. Templates may be used to quickly
create new systems with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. Only TPAM Administrators and ISAs may use templates.
The table below explains all of the box options available on the Template tab.
Table 23. Systems Management: Template tab options
Create a Template from this System (Required: No. Default: Off)
Selecting this flag saves this system as a System Template.
NOTE: After a template has been created you cannot clear this flag.
Use this as the Default Template (Required: No. Default: Off)
If selected, this template is used when adding new systems unless another template is chosen with the Use
Template button. Only one template can be designated as the “Default” at a time. If a template is designated as
the “Default” it is listed in purple italics on the Manage Systems listing.
Retain Collection Membership in the template (Required: No. Default: Off)
If selected, TPAM creates the template with all the collection memberships currently defined on this system.
Systems created from this template will have the same collection memberships.
NOTE: If this system is a member of an AD Integration Collection, that membership is not transferred to the
template and subsequent systems.
Retain User/Group Permissions in the template (Required: No. Default: Off)
If selected, TPAM creates the template with all the User and Group permissions (Access Policy assignments)
currently defined on the system. Systems created from this template will have the same permissions.
Retain Existing Accounts in the template (Required: No. Default: Off)
When creating a template based on an existing system, this option allows you to retain up to 10 accounts from
the existing system (including the functional account). If this option is selected, use the table located below
this option to select the accounts to be included in the template. The functional account cannot be cleared.
NOTE: Accounts included in the template do not retain any passwords, password history, or dependent system
information.
Account discovery tab
Account discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account discovery profiles can only be assigned to Windows®, *nix and database
systems. If account discovery is going to be used for a system, the account discovery profile to be used is
assigned on this tab. The time displayed on the Log tab is the user’s time zone.
The table below describes the options available on the Account Discovery tab.
Table 24. Systems Management: Account Discovery tab options
Discovery Profile (Required: No)
Select the profile to be used for account discovery. Only available for Windows®, *nix, and database platforms.
Exclude List (Required: No)
Any accounts that you want to be excluded from the account discovery process can be listed here. Up to 1000
characters, case insensitive.
Timeout (seconds) (Required: No. Default: 300)
The number of seconds the auto discovery process will run before it times out. If the discovery process times
out it will continue to discover the remaining accounts during the next scheduled run. If the box is left null
the default value of 300 seconds is used.
Test Discovery Profile (Required: n/a)
Once the profile has been saved, click the Test Discovery Profile button to see what accounts and actions are
found. No changes are made; it is only a test.
Run Discovery Profile (Required: n/a)
Click this button to run account discovery for this system on demand, rather than waiting for the scheduled
run. The number of accounts that can be discovered by clicking this button is limited to 5,000. More than 5,000
can be discovered during the automated runs.
Affinity tab
The Affinity tab is used to assign the system to a distributed processing appliance (DPA) if DPAs are configured
to work with the TPAM appliance. Assigning the system to a DPA can help optimize performance for session
recording, session playback and password checking and changing. The affinity tab is not enabled until the
system has been saved.
The table below describes the options available on the Affinity tab.
Table 25. Systems Management: Affinity tab options
Allow PSM Sessions to be run on any defined DPA (Required: No. Default: Yes)
If selected, TPAM will select the DPA that has the least number of sessions running on it to conduct the
session.
Selected DPA affinity and priority (Required: No. Default: No)
Select this option to prioritize which DPA is used for sessions conducted on this system. The default DPA is
LocalServer, which is the local TPAM appliance. Use the Priority column in the table below this option to enter a
priority number next to each DPA. Leave the box blank (NULL) for any DPAs you do not want to use for session
recordings. When determining which DPA to use, the appliance looks at them in order from lowest to highest and
uses the first one that has an open slot.
Use local PPM appliance for password checks and changes (Required: No. Default: Yes)
If selected, all password checks and changes will be run on the TPAM appliance.
Selected DPA Affinity (Required: No. Default: No)
Select this option to prioritize which DPA is used for password checking and changing on this system. Use the
Priority column in the table below this option to enter a priority number next to each DPA. Leave the box blank
(NULL) for any DPAs you do not want to use for password management. When determining which DPA to use, the
appliance looks at them in order from lowest to highest and uses the first one that has an open slot. A value of 0
(zero) is simply “more important” than any other value.
NOTE: We do not support using named instances for SQL Server® when using a DPA for password checks and
changes. The workaround is to specify the port.
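The following is an added example, not part of the guide or of TPAM, that makes the two selection rules above concrete: the "least sessions" rule used when sessions may run on any defined DPA, and the priority walk (lowest number first, 0 ahead of everything, a blank priority never used) applied by the affinity options. The DPA list, its session counts and the per-DPA capacity used to decide whether a slot is open are all constructed assumptions.

```python
from typing import List, Optional

# Added example, not TPAM's code.  It implements the two selection rules
# the Affinity tab describes over a constructed list of DPAs.  The per-DPA
# capacity ("slots") is an assumption used to model "an open slot".

# Constructed sample.  priority None models a Priority box left blank.
DPAS: List[dict] = [
    {"name": "LocalServer", "priority": 2, "running": 3, "slots": 4},
    {"name": "dpa-east", "priority": 0, "running": 4, "slots": 4},    # most important, but full
    {"name": "dpa-west", "priority": 1, "running": 1, "slots": 4},
    {"name": "dpa-lab", "priority": None, "running": 0, "slots": 4},  # blank: never used for affinity
]


def has_open_slot(dpa: dict) -> bool:
    return dpa["running"] < dpa["slots"]


def least_loaded(dpas: List[dict]) -> Optional[str]:
    """'Allow PSM Sessions to be run on any defined DPA': every defined DPA
    is eligible (blank priorities do not matter here) and the one with the
    fewest running sessions wins.  Returns None if every DPA is full."""
    candidates = [d for d in dpas if has_open_slot(d)]
    if not candidates:
        return None
    return min(candidates, key=lambda d: d["running"])["name"]


def by_priority(dpas: List[dict]) -> Optional[str]:
    """'Selected DPA affinity and priority': consider only DPAs that were
    given a priority, walk them from the lowest number up (0 outranks
    everything) and use the first one with an open slot."""
    ranked = sorted((d for d in dpas if d["priority"] is not None),
                    key=lambda d: d["priority"])
    for d in ranked:
        if has_open_slot(d):
            return d["name"]
    return None
```

With the sample data the "any DPA" rule picks dpa-lab (idle), while the priority walk skips dpa-east because it is full and lands on dpa-west; dpa-lab is never considered by the priority walk because its Priority box is blank.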
Collections tab
A collection is a group of systems, accounts and/or files. The collections tab is used to assign the system to one
or more collections. Systems can belong to more than one collection. The collections list shows all collections
that have been defined to the TPAM appliance if the user modifying the system is an administrator. If the user
modifying the system is an ISA, only the collections for which the user holds the ISA role are displayed. By
assigning the system to collections, the system automatically inherits user and group permissions that have
been assigned at the collection level.
NOTE: A system cannot belong to a collection that already contains any of its accounts or files.
Conversely, an account or file cannot be added to a collection that already contains that entity’s parent
system.
NOTE: If a collection is tied to either AD or Generic Integration the system’s membership status in that
collection cannot be changed.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Table 26. Systems Management: Collections Results tab options
Type
On this tab type will always say Collection.
Name
The name of the collection. Clicking on the name will take you to the collection management listing tab.
Membership Status (Required: No. Default: Not Assigned)
To modify collection membership, simply click the Not Assigned or Assigned buttons next to each collection name
and click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the
Ctrl key when clicking on any button.
Permissions tab
The permissions tab is used to assign users and/or groups an access policy for this system.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right
upper side of the results tab. When you select an access policy on the list the detailed permissions
describing this access policy are displayed on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the
assignment.
Table 27. Access policy details pane icons (icon images not reproduced)
• Refreshes the list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the
current assignment. This affects only the current row (the row with the dotted border) even if multiple rows
are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the
assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to
the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are
affected.
• Removes unsaved edits on the current row. This only affects the current row (the row with the dotted border)
even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edited-row icon next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple dashed
lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and the
current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the system are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over a system to be allowed to assign an access policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a system
When adding a system in TPAM, information is entered on the following tabs to configure the system:
• Details
• Template
• Connection
• Management
• Affinity
• Ticket System
• Collections
• Permissions
• Account Discovery
• LDAP Schema
The following procedure describes the required steps to add a system.
To add a system:
1 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2 Enter information on the details information tab. For more information on this tab see Information tab.
3 Click the Custom Information tab to add custom information about this system. (Optional) For more details
see Custom information tab.
4 Click the Connection tab to configure the functional account that TPAM will use to connect to the system.
For more details see Connection tab.
5 Click the Management tab and select preferences for managing account passwords. For more details see
Management tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting password release
requests. For more details see Ticket system tab. (Optional)
7 Click the LDAP Schema tab to tweak LDAP mapping attributes. For more details see LDAP schema tab. (Optional)
8 To save this system as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
9 Click the Account Discovery tab to assign an account discovery profile. (Optional) For more details see
Account discovery tab.
10 Click the Affinity tab and make DPA assignments. For more details see Affinity tab. (Optional)
11 Click the Collections tab and assign/remove membership. For more details see Collections tab. (Optional)
12 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
13 Click the Save Changes button.
Add a system template
To add a system template:
1 Select Systems, Accounts, & Collections | Systems | Add System Template from the menu.
2 Enter the template name and a placeholder network address.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.
Add a system using a template
To add a system using a template:
1 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2 Click the Use Template button.
3 Select a template on the listing tab.
4 Click the Details tab.
5 Enter the system name.
6 Change the system IP address.
7 Make any other changes as desired.
8 Click the Save Changes button.
Test a system
Once a system has been saved, to test TPAM’s connectivity to the system, click the Test System button. The
results of the test will be displayed on the Results tab.
Clear a stored system host entry
The Clear Sys. Host Entry button removes the host entry from TPAM’s known hosts file. This is necessary, for
example, when the SSH package on a managed system has been reinstalled, or the OS itself has been reinstalled, so
that the system now presents a different host key. A test of the system would indicate that the host key entry
does not match and is preventing password authentication because of a perceived “man in the middle” attack.
Because the stored entry is what protects TPAM against a real man-in-the-middle host, confirm with the system
owner that the host key change is expected before clearing the entry; clearing it blindly accepts whatever key the
host presents next. This can also be performed through the CLI by running the ClearKnownHosts command.
To clear the System Host entry:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the system whose host entry is to be removed from TPAM’s known hosts file.
5 Click the Clear Sys. Host Entry button.
Duplicate a system
To ease the burden of administration and help maintain consistency, systems can be duplicated. This allows the
administrator to create new systems that are very similar to those that exist, while only having to modify a few
details. The new system inherits collection membership, permissions, affinity and ticket system settings from
the existing system.
To duplicate a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be duplicated.
5 Click the Duplicate button. A new system object is created and the System Details page displays. The
name of the new system is automatically DupofXXXXX.
6 Make any changes to the system configuration on the various tabs.
7 Click the Save Changes button.
Disassociate a system from a template
To disassociate a system from the template it was created from:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to disassociate.
5 Click the Details tab.
6 Click the Disassociate button.
7 Click the OK button on the confirmation window.
8 Click the Save Changes button.
Delete a system
When you delete a system from the Manage Systems listing it is “soft” deleted. This means that the system
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the admin interface.
NOTE: You cannot delete a system that has an active PSM session or any accounts with pending session or
password reviews.
To “soft” delete a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted systems go to Systems, Accounts, & Collections | Systems | Deleted Systems on the
main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.
NOTE: A soft deleted system using an inactive custom platform cannot be un-deleted until the custom
platform is made active again.
To undo a “soft” delete:
1 Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be restored.
5 Click the Undo Delete button.
To undo a soft delete for all the systems in the listing:
1 Click the Undo Delete All button.
2 Click the Yes, continue with undo delete button.
Hard deleting a system removes all records of the system from the TPAM interface. Hard deletion is only allowed
if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.
To “hard” delete a System:
1 Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be deleted.
5 Click the Hard-Delete button.
6 Click the OK button on the confirmation window.
To hard delete all the systems in the listing:
1 Click the Hard-Delete All button.
2 Click the Yes, continue with hard-delete button.
Delete a system template
To delete a system template:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.
List systems
The List Systems option allows you to export the system data from TPAM to Microsoft Excel or CSV format. This
is a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
To list the systems:
1 Select Systems, Accounts, & Collections | Systems | List Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for a system, select the system and click the Collections tab.
7 To view the permissions assigned for the system, select the system and click the Permissions tab.
Local appliance systems
When looking at the system listing in TPAM, you will see two systems that are there by default,
Local_Appliance_paradmin and Local_Appliance_parmaster. These systems do not count against the total
licensed systems in TPAM and are used for managing the paradmin and parmaster accounts if desired.
10 Custom Platforms
• Introduction
• Custom platform Details tab
• Add a conversational custom platform
• Add a jump box custom platform
• Test a custom platform
• Duplicate a custom platform
• Delete a custom platform
• Using custom platforms in TPAM
• Batch processing custom platform systems
• CLI and API commands for custom platform systems
• Jump boxes
Introduction
Custom Platforms allow you to create new platforms for managed systems which cannot be managed by existing
platforms. A custom platform allows you to customize the check system, check password, and change password
operations used to check and change passwords of managed accounts. PSM sessions are also available for custom
platforms. There are two types of custom platforms:
• Jump Box - This platform type uses an intermediary server on your network to do all communication to
the target system and returns the results to the TPAM appliance. TPAM will call a script of your choosing
on the jump box, passing all parameters relevant to the operation being performed. The script must
communicate with the target system, perform the indicated action, and return the result. A jump box
can be used when platforms require the use of an API or SDK that is not supported natively by TPAM. For
details on how to configure the jump box see Jump Boxes.
• Conversational - A conversational platform is created by importing an XML file to create or update a
platform file on the appliance. The XML file describes the entire conversation with a managed system
when performing the check system, check password, or change password operations. It includes
parameters describing how the communication is done, commands issued to test a system and check or
change a password, and how to interpret the results of those commands.
Custom platform Details tab
To add and manage custom platforms, information is entered on the Custom Platform Details tab.
Table 28. Custom Platforms: Details tab
Platform Name (Required: Yes)
Descriptive name that is used to select the platform when adding a system via the TPAM user interface, CLI, API
or batch processes. The platform name must be unique among custom platforms but can be the same name as an
existing standard TPAM platform.
Active (Required: No)
If selected, this custom platform can be selected when adding a system to TPAM. A platform may be made inactive
only if it is not being used by any managed systems, or is used only by a soft-deleted system.
NOTE: A conversational platform cannot be marked Active until at least one successful upload has been processed.
Automation Active (Required: No)
If selected, and at least one managed system is using this platform, only the name and description of the
platform can be edited. If clear, the platform can be edited, but the automated check and change password
engines will skip any accounts on systems using this platform. Manual check and change of the account passwords
may still be done from the Account Management page or via the CLI/API.
Description (Required: No)
The description box may be used to provide additional information about the custom platform. This information
is only visible to Administrators when editing the custom platform.
Platform Type (Required: Yes)
Platform type choices are:
• Conversational
• Jump Box
The platform type cannot be changed once the platform is being used by a system.
Jump Box (Required: Yes for jump box)
Select the name of the jump box the custom platform will use. Applies to jump box custom platforms only.
Script Name (Required: Yes for jump box)
The name of the script or executable which will be invoked on the jump box to perform the check system, check
password or change password operation. A path may be included with the script name.
Port (Required: Yes)
The port number which will be used to communicate with the managed system.
NOTE: For jump box platforms this is NOT the port used to communicate with the jump box.
Functional Account Access via (Required: Yes)
Functional account choices are:
• DSS Key - if selected and the platform type is jump box, the system must use a system specific key.
• Password
Platform Specific Label (Required: No)
If defined, this adds a box to the Managed System Details Information tab which allows input of system-specific
information which will be included with each command. This text will be the label of the exposed box.
Enable Account (Required: No)
If selected, an Enable Account box will be available for input on the Connection tab of a managed system using
this platform.
NetBIOS Domain Name (Required: No)
If selected, a NetBIOS Domain Name box will be available for input on the Connection tab of a managed system
using this platform.
Domain Name (Required: No)
If selected, a Domain Name box will be available for input on the Connection tab of a managed system using this
platform.
PSM Sessions (Required: No)
If selected, PSM sessions can be configured for accounts on this type of platform.
Port Test (Required: No)
Applies to jump box custom platforms only. If selected, and the assigned password change profile also has test
port selected, a call will be made to the jump box script for test port. The script must return “host
unreachable”, “check failure”, or “check success”. If the assigned password change profile has test port
selected and the jump box platform does not, the test port call will fail.
Allowable Proxy Types (Required: Yes, if PSM sessions selected)
Proxy types selected here will display on the PSM Details tab for accounts set up on this platform type.
Allowable File Transfer Types (Required: Yes, if PSM sessions selected)
File transfer types selected here will display on the File transfer tab for accounts set up on this platform
type.
Add a conversational custom platform
To add a conversational custom platform:
1 Select Management | Custom Platforms from the main menu.
2 Click the Add Platform button.
3 Enter information on the Details tab. Select Conversational as the platform type.
4 Click the Save Changes button.
5 Click the Select File button to upload an XML file describing the platform conversations.
IMPORTANT: For help building the XML file please contact Professional Services.
6 Click the Compile Platform from Upload button. If successful, a Y will appear in the Success? column
when complete and the custom platform can be marked active.
If an N appears in the Success? column, click on the hyperlink to view the compilation output on the
Results tab.
NOTE: The platform file on the appliance will reflect the most recent successful compilation, indicated by
Current in the Success? column.
Add a jump box custom platform
To add a jump box custom platform at least one jump box must be configured in TPAM. For instructions on how
to add a jump box see Jump Boxes.
NOTE: For help building the script please contact Professional Services.
To add a jump box custom platform:
1 Select Management | Jump Box from the main menu.
2 Click the Add Jump Box button.
3 Enter the information on the page and click the Save Changes button.
4 Select Management | Custom Platforms from the main menu.
5 Click the Add Platform button.
6 Enter information on the Details tab. Select Jump Box as the platform type.
7 Select the jump box from the list.
8 Enter the script name. This is the script name that will be called upon connection to begin the check and
change process. For the type of information that can be requested see Jump boxes.
9 Click the Save Changes button.
Test a custom platform
When implementing a custom platform for the first time, it is recommended that you leave the Automation Active
check box on the custom platform clear until you have confirmed that the platform file or jump box script is
handling the check system, check password, and change password operations correctly. With the check box clear
you can go back and forth and change the custom platform details without automation attempting to process any
accounts using this platform. Once all tests confirm that the custom platform works as expected, select the
Automation Active check box and save the custom platform.
Duplicate a custom platform
To ease the burden of administration custom platforms can be duplicated. This allows the administrator to
create new custom platforms that are very similar to those that exist, while only having to modify a few details.
To duplicate a custom platform:
1 Select Management | Custom Platforms from the main menu.
2 Click the Listing tab.
3 Select the custom platform to duplicate.
4 Click the Duplicate button. A new custom platform is created and the Custom Platform Details page
displays. The new custom platform is automatically named Copy_of_XXXXXXX.
5 Make any changes to the custom platform configuration.
6 Click the Save Changes button.
7 For a conversational custom platform, click the Select File button to upload an XML file describing the
platform conversations.
IMPORTANT: For help building the XML file please contact Professional Services.
8 For a conversational custom platform, click the Compile Platform from Upload button. If successful, a Y
will appear in the Success? column when complete and the custom platform can be marked active.
If an N appears in the Success? column, click on the hyperlink to view the compilation output on the
Results tab.
Delete a custom platform
NOTE: A custom platform can only be deleted if it is not in use by any system or “soft-deleted” system.
To delete a custom platform:
1 Select Management | Custom Platforms from the main menu.
2 Click the Listing tab.
3 Select the custom platform to be deleted.
4 Click the Delete button.
5 Click the OK button on the confirmation window.
Using custom platforms in TPAM
If an active custom platform exists, the custom platform will appear in the Platform list on the System Details
Information tab and on Filter tabs throughout TPAM.
When using a Filter tab in TPAM you have the option to select Custom Platform (Any) to pull all custom
platforms meeting the filter criteria, or you can select a specific custom platform name.
Batch processing custom platform systems
To batch import or batch update a custom platform system, the platform name is indicated by “Custom” or
“Custom Platform” followed by a forward slash (/) and the custom platform name. For example
custom/testjumpboxplatform.
CLI and API commands for custom platform
systems
For CLI and API commands, when passing the PlatformName parameter the platform name is indicated by “Custom” or
“Custom Platform” followed by a forward slash (/) and the custom platform name. Because “Custom Platform”
contains a space, the value must be properly quoted on the CLI command line based on the shell being used. For
example, in Windows cmd.exe the format would be as follows:
ssh -i keyFile [email protected] "AddSystem --SystemName newSystem --PlatformName \"Custom Platform/Router Jumpbox\" […other options…]"
When specifying functional account credentials using CLI, API or batch processing you can pass SPECIFIC as a
value to indicate that the account will be using a system specific key. A system specific key is required for jump
box custom platforms. Conversational custom platforms may also use the credential DSS to indicate the use of
any of the system standard keys defined on the appliance.
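The following is an added example, not TPAM's code, covering the batch-processing and CLI sections above: it parses the Custom/name and Custom Platform/name forms, and shows where the \" escaping in the cmd.exe line comes from by building the ssh invocation as an argv list (so no local shell re-parses the command) and rendering it with the Windows C-runtime quoting rules. The user@host and key file values are constructed; the option names are the ones in the guide's example, and case-insensitive matching of the Custom prefix is an assumption.

```python
import subprocess
from typing import List, Optional, Tuple

# Added example, not TPAM's code.  Parses the "Custom/<name>" and
# "Custom Platform/<name>" forms used by batch processing and the CLI/API,
# and builds the AddSystem call so the quoted platform name reaches TPAM
# intact.  Option names follow the guide's example; the user@host and key
# file used in the test are constructed placeholders.

CUSTOM_PREFIXES = ("custom platform/", "custom/")  # matched case-insensitively (assumption)


def parse_platform_name(value: str) -> Tuple[bool, str]:
    """Return (is_custom, name).  A standard platform name comes back unchanged."""
    value = value.strip()
    lowered = value.lower()
    for prefix in CUSTOM_PREFIXES:
        if lowered.startswith(prefix):
            return True, value[len(prefix):].strip()
    return False, value


def remote_command(system_name: str, platform_name: str,
                   extra: Optional[List[str]] = None) -> str:
    """The single command string handed to the TPAM CLI over ssh.  The
    platform name is double-quoted because "Custom Platform/..." contains
    a space and must stay one argument on the TPAM side."""
    if '"' in platform_name or '"' in system_name:
        raise ValueError("names cannot contain double quotes")
    parts = ["AddSystem", "--SystemName", system_name, "--PlatformName", f'"{platform_name}"']
    return " ".join(parts + (extra or []))


def ssh_argv(key_file: str, target: str, command: str) -> List[str]:
    """argv for subprocess.run(): the whole TPAM command is one element, so
    no local shell (cmd.exe or a POSIX shell) ever re-parses its contents."""
    return ["ssh", "-i", key_file, target, command]


def as_cmd_exe_line(argv: List[str]) -> str:
    """Render argv as the single cmd.exe line a user would type; this is
    where the backslash-quote escaping in the guide's example comes from.
    subprocess.list2cmdline (an undocumented helper present on every
    platform) applies the Windows C-runtime quoting rules."""
    return subprocess.list2cmdline(argv)
```

Passing the command as one argv element is the safer form for automation: the platform name, system name and any other option values are never exposed to local shell interpretation, and the rendered line shows exactly what a user must type by hand in cmd.exe.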
Jump boxes
One aspect of custom platforms is the use of a jump box. A jump box can be used when platforms require the
use of an application programming interface (API) or software development kit (SDK) that is not supported
natively by TPAM. Users can call a script on the jump box from TPAM to perform platform management on
target systems. The script (or program) is responsible for requesting the information, performing the password
management task, and reporting back the status during the connection to TPAM. The data that is available for
request is listed in each of the function sections.
Platform management can be divided into three functions: CheckSystem, CheckPassword, and ChangePassword.
Each function is described below.
Check system
The CheckSystem function is designed to determine platform connectivity using the functional account. The
table below describes the tags available for request.
Table 29. Jump Boxes: CheckSystem Tags
Tag                   Description
%netaddr%             Target system’s address
%funcacct%            Target system’s functional account
%funcacctpwd%         Target system’s functional account password
%port%                Target system’s port
%timeout%             Time to wait before ending the connection
%key%                 The DSS key used for the functional account.
                      NOTE: The key is sent as a single line with ; standing in for each line break. The
                      script must write the key to a file, replacing each ; with a newline, to obtain a
                      properly formatted private key. See the example script below.
%platspecificvalue%   The value entered for the Platform Specific Label on the System Details Information
                      tab. The label itself is defined by the user when the custom platform is set up in
                      TPAM.
%paracctdn%           Functional account distinguished name. Currently used for LDAP platforms.
%domainname%          Target system’s domain name
%netbiosname%         Target system’s NetBIOS name
%enablepwd%           Target system’s enable password
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Check password
The CheckPassword function is designed to determine whether an account’s password is correct on the target
system. The table below describes the tags available for request.
Table 30. Jump Boxes: CheckPassword Tags
Tag                   Description
%netaddr%             Target system’s address
%funcacct%            Target system’s functional account
%funcacctpwd%         Target system’s functional account password
%funcacctdn%          Target system’s functional account distinguished name
%port%                Target system’s port
%timeout%             Time to wait before ending the connection
%key%                 The DSS key used for the functional account.
                      NOTE: The key is sent as a single line with ; standing in for each line break. The
                      script must write the key to a file, replacing each ; with a newline, to obtain a
                      properly formatted private key. See the example script below.
%platspecificvalue%   The value entered for the Platform Specific Label on the System Details Information
                      tab. The label itself is defined by the user when the custom platform is set up in
                      TPAM.
%paracctdn%           Functional account distinguished name. Currently used for LDAP platforms.
%acctdn%              Managed account distinguished name
%domainname%          Target system’s domain name
%netbiosname%         Target system’s NetBIOS name
%enablepwd%           Target system’s enable password
%acctname%            Name of the account whose password is to be checked on the target system.
%acctpwd%             Password to check for that account on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% - Return this to TPAM when the target system passes the check
Change password
The ChangePassword function uses the functional account to connect to the target and change the target
account’s password. The table below describes the tags available for request.
Table 31. Jump Boxes: ChangePassword Tags
Tag                   Description
%netaddr%             Target system’s address
%funcacct%            Target system’s functional account
%funcacctpwd%         Target system’s functional account password
%port%                Target system’s port
%timeout%             Time to wait before ending the connection
%key%                 The DSS key used for the functional account.
                      NOTE: The key is sent as a single line with ; standing in for each line break. The
                      script must write the key to a file, replacing each ; with a newline, to obtain a
                      properly formatted private key. See the example script below.
%platspecificvalue%   The value entered for the Platform Specific Label on the System Details Information
                      tab. The label itself is defined by the user when the custom platform is set up in
                      TPAM.
%paraccountdn%        Functional account distinguished name. Currently used for LDAP platforms.
%acctdn%              Managed account distinguished name
%domainname%          Target system’s domain name
%netbiosname%         Target system’s NetBIOS name
%enablepassword%      Target system’s enable password
%acctname%            Name of the account whose password is to be changed on the target system.
%oldacctpwd%          Account’s current password on the target system.
%newacctpwd%          Password the account is to be changed to on the target system.
The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %change failure% - Return this to TPAM when the password change on the target system fails
• %change success% - Return this to TPAM when the password change on the target system succeeds
Example of a DSS key script
#!/bin/bash
# Request the values the script needs; TPAM answers each %tag% on stdin.
echo -n "%funcacct%"
read -r facct
echo -n "%funcacctpwd%"
read -r fcred
echo -n "%netaddr%"
read -r ipaddress
echo -n "%key%"
read -r keyin
# The key arrives on one line with ';' in place of each line break. Restore the
# line breaks before writing it out, and keep the file private (0600) because it
# is a private key. "keyfile" is a placeholder name.
umask 077
printf '%s\n' "${keyin//;/$'\n'}" > keyfile
# Perform the action based on the inputs; if it succeeds, return change success.
echo -n "%change success%"
# Log inputs for debugging only. The password and the key are written in clear
# text, so remove these lines before the script is used against real systems.
echo "FA:$facct" >> testlog
echo "FC:$fcred" >> testlog
echo "IP:$ipaddress" >> testlog
echo "KEY:$keyin" >> testlog
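A fuller CheckSystem script, added here as an example that is not from the guide or the product, covering the request/return tag exchange described in the Jump boxes and Check system sections and the %key% handling in the NOTE. It requests only the tags the check needs, rebuilds the DSS key from its ;-separated form into a 0600 temporary file that is removed on exit, and maps the outcome onto the return tags. The following are assumptions: TPAM answers each tag with one line, %timeout% is in seconds, TPAM invokes the script with the function name as its first argument, the connectivity probe is an ssh login with the functional account's key, and ssh exit status 255 means the host could not be reached.

```shell
#!/bin/sh
# Added example, not code from the TPAM guide or product: a CheckSystem jump
# box script following the request/return tag exchange described on this
# page.  TPAM runs the script; the script prints each %tag% it wants on
# stdout, reads TPAM's reply from stdin, and finally prints one return tag.
# Assumptions: one reply line per tag, %timeout% in seconds, ssh with the
# functional account's DSS key as the probe, ssh status 255 = no connection.

# Ask TPAM for one tag.  stdout is the channel TPAM listens on, so the value
# is left in the global REPLY_VALUE instead of being printed.
request_tag() {
    printf '%%%s%%' "$1"
    IFS= read -r REPLY_VALUE
}

# %key% arrives as a single line with ';' in place of each line break.
format_dss_key() {
    printf '%s\n' "$1" | tr ';' '\n'
}

# Write the reconstructed key to a private temp file and print its name.
# umask 077 makes the file 0600 from the moment it is created.
write_key_file() {
    keyfile=$(umask 077 && mktemp) || return 1
    if ! format_dss_key "$1" > "$keyfile"; then
        rm -f "$keyfile"
        return 1
    fi
    printf '%s\n' "$keyfile"
}

# Default probe: log in as the functional account with the key and run a
# harmless command.  The target's host key must already be in known_hosts;
# a jump box holding privileged keys should not learn host keys on the fly.
# Arguments: host port user keyfile timeout
ssh_probe() {
    ssh -i "$4" -p "$2" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ConnectTimeout="$5" "$3@$1" true
}

# CheckSystem: request only the tags the probe needs (%funcacctpwd% is not
# requested because the key is used to authenticate), probe the target, and
# map the outcome onto TPAM's return tags.  $1 names the probe function so
# the tag handling can be exercised without a real target.
check_system() {
    probe=${1:-ssh_probe}
    request_tag netaddr  && netaddr=$REPLY_VALUE  &&
    request_tag funcacct && funcacct=$REPLY_VALUE &&
    request_tag port     && port=$REPLY_VALUE     &&
    request_tag timeout  && timeout=$REPLY_VALUE  &&
    request_tag key      && key=$REPLY_VALUE      ||
        { printf '%%check failure%%'; return 1; }
    keyfile=$(write_key_file "$key") || { printf '%%check failure%%'; return 1; }
    trap 'rm -f "$keyfile"' EXIT      # the key must not outlive the check
    if "$probe" "$netaddr" "$port" "$funcacct" "$keyfile" "$timeout"; then
        status=0
    else
        status=$?
    fi
    case $status in
        0)   printf '%%check success%%' ;;
        255) printf '%%host unreachable%%' ;;
        *)   printf '%%check failure%%' ;;
    esac
}

# Entry point.  TPAM passing the function name as $1 is an assumed
# convention; with no argument the functions are only defined.
case ${1:-} in
    CheckSystem) check_system ;;
esac
```

Two choices are deliberate: nothing secret is ever logged (compare the debugging lines in the script above), and the probe failure mode is split so that TPAM gets %host unreachable% for a network problem but %check failure% when the host answered and the functional account or key was rejected, which is the case an operator needs to notice.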
11 Collections
• Introduction
• Add a collection
• Duplicate a collection
• Delete a collection
• List collections
Introduction
Collections are groups of systems, accounts and/or files. Collections can be used to simplify the process of
assigning permissions.
To add and manage collections, information is entered on the following tabs in the TPAM interface:
Table 32. Collection Management: TPAM interface tabs
Tab name      Description
Details       Define the collection name.
Members       Assign members to the collection.
Permissions   Assign users and groups permissions for the collection.
Affinity      Assign a DPA to be used for sessions on collection members.
Details tab
The table below explains the fields on the Details tab.
Table 33. Collection Management: Details tab options
Collection Name (Required: Yes)
    Unique name for the collection.
Description (Required: No)
    Used to provide additional information about the collection.
Members tab
The table below explains the fields on the Members tab.
Table 34. Collection Management: Members tab options
Type
    Indicates whether the member is a system, account or file.
Name
    Name of the system, account or file.
Membership Status (Required: Yes)
    To modify collection membership, click the Not Assigned or Assigned button next to each system, account
    or file. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when
    clicking on any button.
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this collection.
To assign Access Policies:
1. Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
   selected access policy is to be assigned.
2. Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the upper
   right of the Results tab. When you select an Access Policy in the list, the detailed permissions that make up
   the policy are displayed in the rows below.
3. Select one of the icons in the Access Policy Details pane (upper right of the page) to make the
   assignment.
Table 35. Access Policy Details pane icons
The icons in the pane (the icon images are not reproduced here) perform the following actions:
• Refreshes the list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the
  current assignment. This affects only the current row (the row with the dotted border) even if multiple rows
  are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the
  assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. A row that is not currently set to
  the selected policy is not changed. You are asked to confirm the change if more than 10 rows are affected.
• Removes unsaved edits on the current row. This affects only the current row (the row with the dotted
  border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edit-marker icon shown next to any row in the list means that row has been edited since changes were last
saved.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
TPAM 2.5
Administrator Guide
84
4. When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded, any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the collection are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Affinity tab
The Affinity tab is used to assign the collection to a distributed processing appliance (DPA) if DPAs are
configured to work with the TPAM appliance. Assigning the collection to a DPA can help optimize performance
for session recording and session playback. The Affinity tab is not enabled until the collection has been saved.
The table below describes the options available on the Affinity tab.
Table 36. Collection Management: Affinity tab options
Allow PSM Sessions to be run on any defined DPA (Required: No; Default: Yes)
    If selected, TPAM conducts each session on the DPA that currently has the fewest sessions running on it.
Selected DPA affinity and priority (Required: No; Default: No)
    Select this option to prioritize which DPA is used for sessions conducted on this collection. The default
    DPA is LocalServer, which is the local TPAM appliance.
    NOTE: If a system has its own affinity priority assignment, the priority at the system level takes
    precedence over the collection affinity setting.
    Use the Priority column in the table below this option to enter a priority number next to each DPA. Leave
    the box blank (NULL) for any DPA you do not want to use for session recordings. When determining which
    DPA to use, the appliance considers them in order from lowest to highest priority number and uses the first
    one that has an open slot; a value of 0 (zero) is simply “more important” than any other value.
    More than one DPA can have the same number. DPAs with the same number are automatically load balanced.
Add a collection
When adding a collection in TPAM, information is entered on the following tabs to configure the collection:
• Details
• Members
• Permissions
• Affinity
The following procedure describes the required steps to add a collection.
To add a new collection:
1. Select Systems, Accounts, & Collections | Collections | Add Collection from the menu.
2. Enter information on the Details tab. For more information on this tab see Details tab.
3. Click the Members tab.
4. Enter your search criteria on the Filter tab.
5. Click the Results tab to assign/remove members from the collection. For more details see Members tab.
   NOTE: A system cannot be in the same collection as any of its accounts or files, and vice versa.
   NOTE: A collection used by either AD or Generic Integration cannot have its membership changed
   here. The current member status is displayed, but all buttons in the list are disabled.
   TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the
   Ctrl key when clicking on any button.
6. Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
7. Click the Save Changes button.
8. (Optional) Click the Affinity tab and make DPA assignments. For more details see Affinity tab.
9. Click the Save Changes button.
Duplicate a collection
To ease the burden of administration and help maintain consistency, collections can be duplicated. This allows
the administrator to create new collections that are very similar to existing ones while only having to modify
a few details. The new collection inherits the membership, permissions and affinity settings of the existing
collection.
To duplicate a collection:
1. Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the collection to be duplicated.
5. Click the Duplicate button. A new collection is created and the Collection Details page displays. The
   name of the new collection is automatically DupofXXXXX.
6. Make any changes to the collection on the various tabs.
7. Click the Save Changes button.
Delete a collection
To delete a collection:
1. Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2. Enter your search criteria on the Filter tab.
3. Click the Listing tab.
4. Select the collection to be deleted.
5. Click the Delete button.
6. Click the OK button on the confirmation window.
List collections
The List Collections option allows you to export the collection data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
TIP: Enter ! in the System, Account and File name filters to find empty collections.
To list the collections:
1. Select Systems, Accounts, & Collections | Collections | List Collections from the main menu.
2. Enter your search criteria on the Filter tab.
3. Click the Layout tab to select the columns and sort order for the listing.
4. To view and store the list of collection names outside of the TPAM interface, click the Export to Excel
   button or the Export to CSV button. To view and store the list of collection members outside of the
   TPAM interface, click the Export Members to Excel button or the Export Members to CSV button.
5. To view the data in the TPAM interface, click the Listing tab.
6. To view the membership of a collection, select the collection and click the Members tab.
7. To view the users and groups with permissions on the collection, select the collection and click the
   Permissions tab.
12 Accounts
• Introduction
• Add an account
• Duplicate an account
• Delete an account
• Retrieve a password
• List accounts
• List PSM accounts
• Password current status
• Manual password management
• Password management
• Managing services in a Windows® domain environment
• Add generic account to TPAM for PSM sessions to a user specified Windows account
Introduction
This chapter covers the steps to add and manage accounts in TPAM. To add and manage accounts, information is
entered on the following tabs in the TPAM interface:
Table 37. Account Management: TPAM interface tabs
Tab name                            Description
Details/Information                 Define main account information, such as name, password rule, contact.
Details/Reviews                     Set review requirements for password releases on this account.
Details/Custom Information          Enter data in custom fields, if they have been defined.
Details/Management                  Configure the settings for how TPAM manages the password for the account.
Details/Ticket System               Configure Ticket System Validation for requests on this account.
Dependents                          Set systems that are dependent on the domain level account.
Logs                                View test, change and release history for the account.
Passwords                           View past passwords and, with ISA PPM permissions, retrieve the current password.
Collections                         Assign the account to a collection/s.
Permissions                         Assign users and groups permissions on this account.
PSM Details/General                 Enable PSM functionality for the account and set approval requirements.
PSM Details/Session Authentication  Set the authentication method for sessions using this account.
PSM Details/File Transfer           Enable/disable file transfer.
PSM Details/Review Requirements     Set review requirements for sessions.
Information tab
The table below explains all of the options available on the Details Information tab.
Table 38. Account Management: Details Information tab options
Account Name (Required: Yes)
    The descriptive name of the account. Within TPAM, all account names on one system must be unique. The
    name can be 1-30 characters long and cannot include spaces.
Name on Domain (Required: No)
    Name of the account on the domain in the form domain\account. Allows 286 characters (domain name of
    255 + \ + account name of 30). Used for *nix platforms when the system is managed by a domain account.
Account is Locked (Required: No; Default: Off)
    This check box gives Administrators and ISAs the ability to “lock” and “unlock” an account. When an
    account is locked, passwords for that account cannot be retrieved, released, changed or checked. Password
    requests or session requests can still be submitted, but the password or session is not available until
    the account is unlocked.
Password (Required: No)
    Enter the current active password for the account. If no password is specified (left blank), PPM stores
    the default initial password as the password for the account.
Confirm (Required: No)
    Re-enter the password in this box to confirm it.
Password Rule (Required: Yes; Default: Default Password Rule)
    Select the password rule to serve as the default for the account. If the selection is not changed (or if
    no other rules have been defined in TPAM) the Default Password Rule is selected. The password rule governs
    the construction requirements for new passwords generated by PPM.
Distinguished Name (Required: Yes, for LDAP, LDAPS and Novell® platforms only)
    Only required for LDAP, LDAPS, and Novell® platforms.
Issue ndmcom for this account? (Required: No; Default: Off)
    Only visible for the HP NonStop Tandem platform. If selected, the ndmcom command is issued after the
    password for the account is changed.
Change password for Windows® Services started by this Account? (Required: No; Default: Off)
    Only visible for Windows® platforms. If this is the Administrator account, or another functional account
    that runs system services, this option ensures that the password change is also applied to each service
    the account runs.
Automatically restart such services? (Required: No; Default: Off)
    Only visible for Windows® platforms. If selected, the services are automatically stopped and restarted
    after the password is changed.
Change the password for Scheduled Tasks started by this account? (Required: No; Default: Off)
    Only visible for Windows® platforms. If selected, after a task has been completed it will change the
    password.
Use this account’s current password to change the password? (Required: No; Default: See Note)
    Only visible for Windows® platforms. This may be necessary on Windows® XP and Windows® Server 2003 where
    Encrypting File System or other third-party security products are used and rely on authentication
    certificates stored in that account’s personal store.
    NOTE: If the system is configured with a “non-privileged functional account”, this setting is the default
    for all accounts added to the system.
    NOTE: If the password has expired, TPAM will not be able to change the password.
Description (Required: No)
    A free text box where additional descriptive information may be entered.
Password Management (Required: Yes; Default: whatever is set at the system level)
    By default, the setting of the parent system is inherited at the account level as either None or
    Automatic.
    • None - The Management tab is disabled, and TPAM does not automatically check, change or reset the
      password. Manually pressing the Check Password or Reset Password buttons WILL result in a check or
      reset for this account.
    • Automatic - TPAM manages the password for this account based on the settings configured on the
      Management tab.
    • Manual - TPAM sends an email to the primary contact at the system and account level when it is time to
      manually reset the password. The email is sent based on the change frequency settings on the
      Management tab. The contact/s keep receiving this email at regular intervals, as configured by the
      SysAdmin in the Auto Management Agent settings, until the password has been confirmed to be reset in
      PPM.
    NOTE: The manual password email notification relies on the Man Pwd Change Agent. If it is not running,
    no email notifications to reset the password are sent.
Ignore System Access Policies (Required: No; Default: Off)
    If selected, any access policies assigned to the system do not apply to this account.
Enable account before release (Required: No; Default: Off)
    Only visible for Windows® platforms. If selected, TPAM enables the account when:
    - releasing the password for a request
    - an ISA releases the password
    - starting a PSM session that uses password authentication
    If the account cannot be enabled, the password is not released and the session does not start. If the
    account cannot be disabled again when the password is changed, the change is marked as successful but an
    alert is raised. The alert must be subscribed to in the admin interface. See the help bubble text in the
    TPAM interface for more details.
    If this check box is selected, this account cannot be added as a Synchronized Password subscriber.
    NOTE: If this flag is selected and the account has the incorrect password, this is reported as a
    mismatch if the password is checked through the DPA, and as disabled if checked through the TPAM console.
Approvals Required (Required: Yes; Default: 1)
    The default value of 1 indicates that a single approval allows the requestor to view the password. A
    value greater than 1 requires multiple approvers to approve each release request. A value of 0 means
    every release request is auto-approved by TPAM. If this value is overridden by an access policy, the
    greater of the two values is used.
Require Multi-Group Approval (Required: No; Default: Off)
    Can only be selected if Approvals Required is greater than 1. If selected, you can require that approvals
    for requests come from two or more groups. At least 1 approval must come from each group.
    NOTE: Any user with approver permissions is able to approve the request, but unless the user is a member
    of one of the selected groups their approval does not count.
    NOTE: Any authorized approver can deny the request.
Maximum Duration (Required: Yes; Default: 7 days)
    Maximum duration for a password release on the account. If this is overridden by an Access Policy
    assignment, the lower of the two durations is used. The default duration that the requestor sees for any
    new password request is 2 hours, or the maximum duration, whichever is less.
Notification Email (Required: No; Default: Null)
    The email address specified in this box receives notification of certain password releases: releases to
    ISA users, releases to CLI/API users under all circumstances, and requests when no approvals are required.
    This email address also receives notification when a manually managed password needs to be changed.
    Multiple email addresses can be specified, separated by commas, up to a maximum of 255 characters.
    Any time the notification email address is changed, an email is automatically sent to the old address
    with a notification that this change has occurred.
Simultaneous Privileged Access Release (Required: Yes; Default: 1)
    Allows an Admin or a PPM ISA to let more than one Privileged Access User (PAC) request and retrieve a
    password/session during the same or overlapping time period.
    NOTE: If another Requestor already has the password checked out, the Privileged Access users must wait
    for that release window to expire before they can gain access.
Override Individual Accountability
    The System Administrator must have this global setting turned on for the TPAM Administrator or ISA to be
    able to select this flag. If selected, more than one requestor can request the password at the same time
    or during an overlapping duration. Any change made to the override individual accountability check box at
    the account level is logged in the Activity Log.
    If the System Administrator disables the Global Setting allowing account override, any accounts that had
    been selected to override individual accountability have their check boxes cleared.
Reviews tab
The table below explains all of the options available on the Reviews tab.
Table 39. Account Management: Reviews tab options
Reviews Required (Required: No; Default: 0)
    Number of reviews required after a password release has expired.
Any Authorized Reviewer (excluding Requestor) (Required: No; Default: Off)
    If selected, any auditor, and any user or group member with an access policy granting Review Password
    permission, is eligible to complete the review.
Specific User (Required: No; Default: Off)
    If selected, the specified user with review permission is the only user allowed to review password
    releases for this account.
Any Auditor (Required: No; Default: Off)
    If selected, any user with a user type of auditor is eligible to review password releases for this account.
Member of a Group (Default: Off)
    If selected, any user that is a member of the chosen group is eligible to review password releases for
    this account. Only groups that have review permissions are available in the list.
If the review isn’t complete ... (Required: No; Default: Null)
    To have a user receive an email notification if the review is not complete within X hours, enter the
    hours threshold and the email address. The password release is not eligible for review until the release
    duration expires.
Custom Information tab
There are six fields that can be customized to track information about each account. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.
Management tab
The Management tab is used to configure how TPAM manages the password for this account. This tab is not
enabled unless Automatic or Manual is selected on the Details Information tab. The settings here default from
the system settings but can be overridden.
The table below explains the options on the Details Management tab.
Table 40. Account Management: Details Management tab options
Password Check Profile Name (Required: Yes, if automatic password management has been selected; Default: the
profile assigned for the system)
    Select a password check profile from the list to determine the rules for how the password on the system
    is checked against what is stored in TPAM. Password check profiles are configured by the TPAM
    Administrator. See Password Profiles for more details.
Password Change Profile Name (Required: Yes, if automatic password management has been selected; Default: the
profile assigned for the system)
    Select a password change profile from the list to determine the rules for how the password is changed on
    the managed system. Password change profiles are configured by the TPAM Administrator. See Password
    Profiles for more details.
Pull Defaults from System (Required: No; Default: Off)
    If selected, upon saving, the Management settings of the system are populated at the account level. This
    is a one-time action and does not prevent any of these settings from being modified again at the account
    level.
Default duration for ISA releases of password (Required: No; Default: From System)
    The duration for an ISA release may be specified up to a maximum of 21 days. This is the amount of time
    between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered,
    ISA retrieval of a password does not trigger a post-release reset of the password.
Allow ISA to enter Duration on Release (Required: No; Default: From System)
    If selected, an ISA may enter a release duration other than the default when retrieving a password. The
    duration must be greater than zero and less than or equal to the maximum specified for either the ISA
    Duration (Mgt Details tab) or Max Release Duration (Details tab).
    This check box is disabled when Default duration for ISA releases of password is set to 0.
Next Change Date (Required: No)
    Schedule the account password to be changed at a specific date/time. Overrides the password change
    profile schedule. Password mismatch, post-release reset, and forced resets are still processed as they
    occur.
Ticket System tab
The Ticket System tab is used to configure third-party ticket system requirements for password release
requests on this account. The Ticket System tab is only enabled if the TPAM System Administrator has
configured ticket system/s in the /admin interface.
The following table explains the options on this tab.
Table 41. Account Management: Details Ticket System tab options
Ticket Required for (Required: No; Default: Off)
    By selecting the check boxes you can require that ticket validation is enforced for Password/File
    requests and/or Session requests. You also have the option to require ISAs to supply a ticket number
    before retrieving a password or file, and likewise for requests made through the CLI or API. If a check
    box is not selected, users can still enter a ticket number on a request, but it is not required.
Require Ticket Number from (Required: No; Default: Off)
    If multiple ticket systems are enabled they are listed for selection. You can specify the ticket system,
    or allow entry of a ticket number from any system that is enabled.
Send Email notification to (Required: No; Default: From System)
    If any of the ISA, CLI or API required check boxes are left clear, you have the option of entering one or
    more email addresses (up to 255 characters) that receive an email when an ISA, CLI or API user releases
    or retrieves a password without supplying a ticket.
Pull defaults from system (Required: No; Default: Off)
    If selected, when the Save Changes button is clicked these settings are pulled from the system. The
    propagation is a one-time update each time this check box is selected and the Save Changes button is
    clicked. After that the settings are not forced to remain in sync, and the settings on the account can be
    overridden.
Dependents tab (Windows® AD only)
If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory®), services on domain member systems that run under this account can also be managed: when the account password is changed, the dependent services are updated with the new password.
Logs tab
The Logs tab contains sub-tabs that provide detailed password history for the account. Log timestamps are displayed in the user's time zone. The following table explains the sub-tabs.
Table 42. Account Management: Logs tab sub-tabs

Filter
    This tab is used to specify the search criteria applied to the other log tabs.
Change Log
    Provides details on password change history.
Test Log
    Provides details on password test activity.
Release Log
    Provides details on password release history.
Dependent Change Log
    Only visible if the account resides on a Windows® Domain Controller with dependent systems assigned. Provides details on changes of the domain account.
Change Agent Log
    Provides details on change agent log records for the account that occurred after an upgrade to TPAM 2.3 or later.
Past Password tab
This tab allows an administrator to view past passwords for an account and to select the password that was valid during a specific period. This is especially important if the managed system has been restored from a backup and the password that was in effect at the time of the backup is required.
Current Password tab
This tab allows users with ISA password permissions to retrieve the current password. By default administrators do not have ISA permissions; they must be assigned.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the account to one or more collections. Accounts can belong to more than one collection. The collections list shows all collections that have been defined in the TPAM appliance if the user modifying the account is an administrator. If the user modifying the account is an ISA, only the collections for which the user holds the ISA role are displayed. By assigning the account to collections, the account automatically inherits the user and group permissions that have been assigned at the collection level.
NOTE: An account cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign or un-assign, then click the Results tab.
The table below explains the fields on the Results tab.
Table 43. Account Management: Collection Results tab options

Type
    Description: On this tab the type is always Collection.

Name
    Description: The name of the collection. Clicking the name takes you to the collection management listing tab.

Membership Status
    Description: To modify collection membership, click the Not Assigned or Assigned button next to each collection name and then click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking any button.
    Required: No
    Default: Not Assigned
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this account.
To assign Access Policies:
1 Use the table on the left of the page to select the names of the users and/or groups to which the selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the upper right of the Results tab. When you select an Access Policy from the list, the detailed permissions describing that Access Policy are displayed in the rows below.
3 Select one of the icons in the Access Policy Details pane (upper right of the page) to make the assignment.
Table 44. Access Policy Details pane icons
The icons perform the following actions:
• Refreshes the list of available Access Policies.
• Scrolls the currently selected User or Group into view.
• Applies the currently selected policy to the current row. Assigning a policy of "Not Assigned" removes the current assignment. This affects only the current row (the row with the dotted border) even if multiple rows are selected.
• Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it is not changed. You are asked to confirm the assignment if more than 10 rows are affected.
• Removes unsaved edits on the current row. This only affects the current row (the row with the dotted border) even if multiple rows are selected.
• Removes unsaved edits on all currently selected rows.
An edit marker icon next to any row on the list means that the row has been edited since changes were last saved.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
PSM Details tab
The PSM Details tab is composed of four sub-tabs, General, Session Authentication, File Transfer, and Review Requirements, that allow users to configure the account for Privileged Session Manager (PSM). PSM licenses are required for this functionality to be enabled.
NOTE: For PSM sessions to Windows® machines using an RDP proxy connection type, the Windows® machine can be configured to use SSL/TLS security for RDP connections. The computer name set in TPAM for the system may need to be uppercase for such connections to succeed.
General tab
The following table explains the options on the General tab.
Table 45. Account Management: PSM General tab options

Enable PSM Sessions?
    Description: If selected, allows users to request access to this account through a recorded session. All subsequent options on the PSM tabs are contingent on this being selected.
    Required: No
    Default: Off

Proxy Connection Type
    Description: Used to select the type of remote connection compatible with the configuration of the remote system. Options depend on the system platform.
    NOTE: When choosing any of the proxy methods listed below that use Automatic Login, the password is not automatically reset after the session is completed, because the password is never displayed to the user.
    Available choices are:
    • DPA - ICA Access - Using a DPA, establish a connection to the system using the Citrix ICA web client. (For PSM ICA Access only.)
    • DPA - Web Browser - Using a DPA, establish a connection to the system using a web browser. (For PSM Web Access only.)
    • RDP - Automatic Login Using Password - Connect to the system using an RDP (Terminal Services protocol) client and automatically log in using the password retrieved from the local or remote TPAM. This ensures that the password is never displayed to or known by the user.
    • RDP - Interactive Login - Connect to the system using an RDP client for which PSM does not provide automatic login. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • RDP Through SSH - Automatic Login Using Password (for SPCW systems only) - Connect to the system using an RDP client via the SSH protocol and automatically log in using the password retrieved from the local or remote TPAM.
    • RDP Through SSH - Interactive Login (for SPCW systems only) - Connect to the system using an RDP client via the SSH protocol and allow the user to type the password manually. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
    • SQLPlus - Automatic Login Using Password - Connect to the system using the SQLPlus client and automatically log in using the password retrieved from the local or remote TPAM.
    • SQLPlus - Interactive Login - Establish a connection to the remote system using the SQLPlus client. The user must know the SQLPlus password for the system. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • SQL Window - Automatic Login Using Password - Connect to the system using the SQL Window client and automatically log in using the password retrieved from the local or remote TPAM.
    • SQL Window - Interactive Login - Establish a connection to the remote system using the SQL Window client. The user must know the SQL Window password for the system. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • SSH - Automatic Login Using DSS Key - Connect to the system using SSH and authenticate with a DSS private key. The private key must previously have been uploaded to TPAM for this purpose.
    • SSH - Automatic Login Using Password (for UNIX® systems only) - Connect to the system using SSH and automatically log in using the password retrieved from the local or remote TPAM.
    • SSH - Interactive Login - Establish an SSH session to the remote system and allow the user to type the password manually. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
    • Telnet - Automatic Login Using Password - Connect to the system using the Telnet protocol and automatically log in using the password retrieved from the local or a remote TPAM. This ensures that the password is never displayed to or known by the user.
    • Telnet - Interactive Login - Connect to the system using the Telnet protocol, for which PSM does not provide automatic login. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • VNC Enterprise - Interactive Login - Establish a connection to the remote system using the VNC® Enterprise client. The user must know the VNC password for the system. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • VNC - Interactive Login - Establish a connection to the remote system using the VNC client. The user must know the VNC password for the system. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
    • x3270 - Automatic Login - Establish a connection to the remote system using a 3270 emulator and automatically log in using the password retrieved from the local or a remote TPAM.
    • x3270 - Interactive Login Using Password - Connect to the system using a 3270 emulator and allow the user to type the password manually. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
    • x5250 - Interactive Login - Connect to the system using a 5250 emulator and allow the user to type the password manually. If the password is managed by PPM, it is displayed in the window when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
    Required: Yes, if PSM is enabled

Custom Connection Profile
    Description: The connection profile can be used to override the default connection parameters. Any custom profiles that have been created are available in this list. See Add a PSM connection profile for more on creating custom connection profiles.
    Required: No
    Default: Use Standard Settings

Post Session Profile
    Description: The post session profile is used to add additional steps at the end of a session request. Any post session profiles that have been created are available in this list. For more details on Post Session Profiles see Add a post session processing profile.
    Required: No
    Default: Use Standard Settings

Color Depth
    Description: Only an option for some proxy types. Used to set the number of possible colors displayed in the recorded sessions for this account. The choices depend on the proxy type:
    • 8 - 256 colors
    • 16 - 65,000 colors
    • 0 - very low
    • 1 - low
    • 2 - medium
    • 3 - auto select/full color
    Required: No
    Default: 8 or 0, depending on proxy type

Required # of Approvals
    Description: The number of approvers required for each session request. A value greater than 1 requires multiple approvers to approve each session request. A value of 0 means session requests are auto-approved by TPAM. If this value is overridden by an access policy, the greater of the two values is used. If the system/account is managed by PPM it is possible to have a different value for session and password request approvals; in the event of such a conflict, the value set for password approvals may override the value set here. This occurs only for connection types that use interactive login (where the password is displayed).
    Required: Yes
    Default: 0

Require Multi-Group Approval from
    Description: Can only be selected if Required # of Approvals is greater than 1. If selected, you can require that approvals for requests come from two or more groups. At least one approval must come from each group.
    NOTE: Any user with approver permissions can approve the request, but unless the user is a member of one of the selected groups, the approval does not count.
    NOTE: Any authorized approver can deny the request.
    Required: No
    Default: Off

Maximum Simultaneous Sessions
    Description: Specifies the maximum number of simultaneous sessions that may be established for the account. This option only exists for accounts configured to auto-authenticate the user. If the password is provided by TPAM for interactive logon, only one concurrent session is allowed, to preserve individual accountability.
    Default: 1

Default Session Duration
    Description: Session duration displayed by default when requesting a session. It can be changed within the limits set by the maximum password duration and the access policy session duration.
    Required: Yes
    Default: 2 hours

Notify primary contact ....
    Description: Allows email notifications to be sent to the primary contact specified for the system if a session exceeds the maximum session time for the request. Configurable parameters are the frequency (in minutes) of notifications and the threshold time (in minutes) before the initial notification is sent for a session. Both values must be non-zero for notifications to be sent.
    Required: No
    Default: 0, 0, null

Send PSM Start Notification
    Description: Email address that receives a notification when a session on this account starts. The following special addresses may also be included:
    • :AllApprovers - all users who can approve the request
    • :Approvers - users that approved the request
    • :Group=Group1,Group2... - comma-separated list of one or more group names
    • :RelNotify - release notification email for the account
    • :System - primary email contact for the account
    Required: No
    Default: null

Enable Console Connection?
    Description: If selected, during a session the user can connect to the system console. This option is only available with RDP proxy types.
    Required: No
    Default: Off

Record All Sessions?
    Description: If selected, all sessions for this account are recorded.
    Required: No
    Default: On

Enable File Uploads?
    Description: If selected, files can be uploaded from the remote system during the session.
    Required: No
    Default: Off

Enable File Downloads?
    Description: If selected, files can be downloaded to the remote system during the session.
    NOTE: This option cannot be selected until file transfer is enabled on the File Transfer tab.
    Required: No
    Default: Off

Enable Clipboard?
    Description: If selected, during a session the user can use the clipboard for copy/paste.
    NOTE: This option cannot be selected until file transfer is enabled on the File Transfer tab.
    Required: No
    Default: Off

Capture Events?
    Description: If selected, events during the session are captured and listed in the session logs with hyperlinks to that point in the session. This option is only available for specific platforms. Clicking the Test Event Configuration button mimics event capture during a session for testing with the system. The scheduled report Daily Session Activity Detailed lists the events captured during a session.
    NOTE: For capturing events on Windows® systems see Configuration for Capturing Events on Windows® Systems.
    NOTE: A DPA is required to capture events.
    Required: No
    Default: Off
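Three of the rules in the table interact when a session request arrives: the approval count (account value versus access policy, with the password-request count also in play for interactive login types), the one-session limit when TPAM hands the password to the user, and the expansion of the special ":" addresses in the start notification. The following added example, written for this guide and not TPAM code, works one request through them. The test for an "Interactive Login" proxy type by name, the ";" separator between notification entries, the reading of "may override" as "take the larger value", and all request, group and address data are assumptions constructed for illustration.

```python
"""Work a PSM session request through the account's General tab settings.

Added example, not TPAM code. It applies rules the table states: the greater
of the account's and the access policy's approval counts wins; interactive
login proxy types (the password is shown) are held to one concurrent session
when TPAM supplies the password and can inherit the password-request approval
count; and the Send PSM Start Notification list may contain ":" tokens that
expand to approvers, groups, the release-notification address and the system
contact. The "Interactive Login" name test, the ';' separator between
notification entries, and all request, group and address data are assumptions
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PsmAccount:
    proxy_type: str                   # e.g. "SSH - Interactive Login"
    approvals_required: int = 0       # Required # of Approvals
    max_sessions: int = 1             # Maximum Simultaneous Sessions
    start_notification: str = ""      # Send PSM Start Notification
    ppm_managed: bool = False         # password supplied by PPM at session start
    password_approvals: int = 0       # approvals required for a password request


@dataclass
class RequestContext:
    """Constructed state of one session request."""
    policy_approvals: int = 0                  # from the assigned Access Policy
    active_sessions: int = 0                   # sessions already open on the account
    all_approvers: Tuple[str, ...] = ()
    approved_by: Tuple[str, ...] = ()
    groups: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    release_notify: Tuple[str, ...] = ()
    system_contact: str = ""


def is_interactive(proxy_type: str) -> bool:
    """Assumed convention: the password is displayed for 'Interactive Login' types."""
    return "interactive login" in proxy_type.lower()


def effective_approvals(acct: PsmAccount, ctx: RequestContext) -> int:
    """Account vs. access policy: the greater value applies. For interactive
    types on a PPM-managed account the password-request count is folded into
    the same maximum (the table says it 'may override'; taking the maximum is
    the conservative reading assumed here)."""
    n = max(acct.approvals_required, ctx.policy_approvals)
    if acct.ppm_managed and is_interactive(acct.proxy_type):
        n = max(n, acct.password_approvals)
    return n


def session_limit(acct: PsmAccount) -> int:
    """Only one concurrent session when TPAM hands the password to the user
    for interactive logon; otherwise the configured maximum."""
    if acct.ppm_managed and is_interactive(acct.proxy_type):
        return 1
    return acct.max_sessions


def expand_recipients(addresses: str, ctx: RequestContext) -> List[str]:
    """Expand the start-notification list; entries are ';'-separated (assumed)
    and the group names inside :Group= are comma-separated, as in the table."""
    out: List[str] = []

    def add(addrs) -> None:
        for a in addrs:
            if a and a not in out:      # de-duplicate, keep first-seen order
                out.append(a)

    for entry in (e.strip() for e in addresses.split(";")):
        if not entry:
            continue
        if not entry.startswith(":"):
            add([entry])
            continue
        name, _, arg = entry[1:].partition("=")
        key = name.lower()
        if key == "allapprovers":
            add(ctx.all_approvers)
        elif key == "approvers":
            add(ctx.approved_by)
        elif key == "group":
            for g in (x.strip() for x in arg.split(",")):
                add(ctx.groups.get(g, ()))   # an unknown group expands to nothing
        elif key == "relnotify":
            add(ctx.release_notify)
        elif key == "system":
            add([ctx.system_contact])
        else:
            raise ValueError(f"unknown special address {entry!r}")
    return out


def evaluate_session_request(acct: PsmAccount, ctx: RequestContext) -> dict:
    """Summarise what TPAM would do with the request under these settings."""
    approvals = effective_approvals(acct, ctx)
    return {
        "approvals_required": approvals,
        "auto_approved": approvals == 0,
        "session_allowed": ctx.active_sessions < session_limit(acct),
        "start_recipients": expand_recipients(acct.start_notification, ctx),
    }
```

The point of the concurrency rule is accountability: once a password has been shown to a person, a second simultaneous session on the same account cannot be attributed to one individual, so the configured maximum is ignored for that case. An unknown ":" token is rejected rather than silently dropped so that a typo in the notification field does not quietly lose the recipients.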
Session Authentication tab
The option selected on the Session Authentication tab determines where the credential used to start the session is stored and how it is retrieved. The following table explains the options on this tab.
Table 46. Account Management: PSM Details Session Authentication tab options

Password Managed by Local TPAM
    Description: If selected, the local TPAM manages this account and supplies its password at session start.
    Required: No
    Default: Yes

Use Remote TPAM CLI
    Description: Select this option if the account is managed by another TPAM appliance, and specify the CLI user ID used to retrieve the password. At login time this TPAM appliance makes a CLI call to the remote TPAM, pulls the password for the specified system/account, and formats the account name using the specified Domain. If the System and Account boxes are left blank, the system and account name of the account being configured are used. The key that authenticates that CLI user ID to the remote TPAM must be supplied to this appliance. When this retrieval method is used, the number of approvals configured on the remote TPAM is ignored and access to the password is not limited to a single release, so the approval and release controls that apply are the ones configured on this appliance.
    Required: No
    Default: No

Use DSS Key
    Description: Select this option if an authentication key is used for the account instead of a password. You can use a system standard DSS key (TPAM allows you to configure up to 3 active keys) or have TPAM generate a key pair for you.
    Required: No
    Default: No

Not Stored - Specify password during session
    Description: Select this option if the account's password is not stored or managed by any TPAM. When this option is used, the password must be supplied when the session is initiated.
    Required: No
    Default: No

Use Windows® Domain Account
    Description: Select this option if the account's password is not stored or managed by any TPAM. The named account is a placeholder for the domain account TPAM uses to authenticate to the system. Through this method you can connect to a system using a domain account instead of a local account. The user name used to log in to the remote session must be added as an account associated with a Windows Active Directory® system.
    Required: No
    Default: No
File Transfer tab
The following table explains the options on the File Transfer tab.
CAUTION: It is strongly recommended not to edit file transfer settings while a live file transfer is in process for the account.
Table 47. Account Management: PSM Details File Transfer tab options

File Transfer Method
    Description: Select the method used to transfer the files. The options available in this list are platform dependent.
    NOTE: If using Windows® File copy, make sure that port 139 or 445 is open on the target system.
    Required: No
    Default: File Transfer Disabled

File Transfer Share/Path
    Description: The share where the files are uploaded/downloaded.
    Required: Yes, if file transfer is enabled
    Default: Null

Same as Session Authentication
    Description: If selected, the same credentials that are used for the session are used to transfer the file.
    Required: No
    Default: Yes

Specify at file transfer time
    Description: If selected, the user is prompted to specify the account name and password at the time of file transfer.
    Required: No
    Default: No
Review Requirements
The following table explains the options on the Review Requirements tab.
Table 48. Account Management: PSM Details Review Requirements tab options

Reviews Required
    Description: Number of reviews required after a session has expired.
    Required: No
    Default: 0

Specific User
    Description: If selected, the specified user with review permission is the only user allowed to review sessions for this account.
    Required: No
    Default: Off

Any Auditor
    Description: If selected, any user with a user type of auditor is eligible to review sessions for this account.
    Required: No
    Default: Off

Member of a Group
    Description: If selected, any user who is a member of the chosen group is eligible to review sessions for this account. Only groups that have review permissions are available in the list.
    Required: No
    Default: Off

If the review isn't complete ...
    Description: To have a user receive an email notification if the review is not complete within X hours, enter the hours threshold and the email address. The session is not eligible for review until the release duration expires.
    Required: No
    Default: Null
Add an account
When adding an account in TPAM, information is entered on the following tabs to configure the account:
•
Details - Information, Reviews, Custom Information, Management, Ticket System
•
Dependents
•
Collections
•
Permissions
•
PSM Details - General, Session Authentication, File Transfer, Review Requirements
The following procedure describes the required steps to add an account.
To add a new account:
1 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the account to.
3 Click the System tab.
4 Select the system or system template.
NOTE: A total of 20 accounts can be added to a system template (including the functional account). Any accounts added in this way are added to new systems created from the template. Existing systems based on the template will not have any new accounts added or existing accounts removed. ISA users cannot add, view, or edit accounts on template systems.
5 Click the Details tab and enter information on the Details tab. For more information on this tab see Information tab.
6 Click the Reviews sub-tab to configure review requirements for password releases. For more information on this tab see Reviews tab. (Optional)
7 Click the Custom Information sub-tab to enter custom information for the account. For more information on this tab see Custom Information tab. (Optional)
8 Click the Management sub-tab and select preferences for managing account passwords. For more details see Management tab.
9 Click the Ticket System sub-tab and set external ticket system requirements for submitting password release requests. For more details see Ticket System tab. (Optional)
10 Click the PSM Details tab to enable/disable PSM sessions. For more information see PSM Details tab. (Optional)
11 Click the Session Authentication sub-tab to select the session authentication method. For more information see Session Authentication tab. (Optional)
12 Click the File Transfer sub-tab to enable file transfers during sessions. For more information see File Transfer tab. (Optional)
13 Click the Review Requirements sub-tab to set review requirements for sessions. For more information see Review Requirements. (Optional)
14 Click the Save Changes button.
15 Click the Dependents tab to assign/remove dependents on Windows Active Directory® systems. For more details see Dependents tab (Windows® AD only). (Optional)
16 Click the Collections tab and assign/remove membership. For more information on this tab see Collections tab. (Optional)
17 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
18 Click the Save Changes button.
Duplicate an account
To ease the burden of administration and help maintain consistency, accounts can be duplicated. This allows
the administrator to create new accounts that are very similar to those that exist, while only having to modify a
few details. The new account inherits password management, review, ticket system, and PSM details settings
from the existing account. Collections and permissions assignments are not inherited.
To duplicate an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be duplicated.
5 Click the Duplicate button. A new account object is created and the Details tab displays.
6 Enter the Account Name.
7 Make any changes to the account configuration on the various tabs. Click the Collections tab and assign membership. (Optional)
8 Click the Permissions tab and assign access policies. (Optional)
9 Click the Save Changes button.
Delete an account
When you delete an account from the Manage Accounts listing it is “soft” deleted. This means that the account
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the /admin interface.
IMPORTANT: The only way to delete a functional account is to delete the system.
NOTE: You cannot delete an account that has an active PSM session.
To “soft” delete an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted accounts go to Systems, Accounts, & Collections | Accounts | Deleted Accounts on the main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.
To undo a “soft” delete:
1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be restored.
5 Click the Undo Delete button.
To undo a soft delete for all the accounts in the listing:
1 Click the Undo Delete All button.
2 Click the Yes, continue with undo delete button.
Hard deleting an account removes all records of the account from the TPAM interface. Hard deletion is only allowed if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.
To “hard” delete an account:
1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be deleted.
5 Click the Hard-Delete button.
6 Click the OK button on the confirmation window.
To hard delete all the accounts in the listing:
1 Click the Hard-Delete All button.
2 Click the Yes, continue with hard-delete button.
Retrieve a password
A user with PPM ISA permission over an account can retrieve a password.
To retrieve a password:
1 Select Retrieve | Retrieve Password from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account.
5 Click the Passwords tab.
6 Complete the following fields:
Table 49. Password tab fields

Release Reason
    Used to provide a brief description of the reason for the password release. May be optional, required or not allowed, depending on configuration.
Reason Code
    Reason codes appear if they have been configured by the System Administrator. Reason codes streamline the request process and may be optional, required, or not allowed depending on how they are configured.
Ticket System
    May be required, based on configuration.
Ticket Number
    May be required, based on configuration. If the ticket number fails validation the ISA will not be able to retrieve the password.
Proxy Release For
    If the ISA is retrieving the password on behalf of another user, enter that user's name here. The name is displayed on the Password Release Activity report.

7 Click the Password tab. The password is displayed for a preconfigured time, after which the ISA must click the Password tab again to view the password.
List accounts
The List Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
To list the accounts:
1 Select Systems, Accounts, & Collections | Accounts | List Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for an account, select the account and click the Collections tab.
7 To view the permissions assigned to the account, select the account and click the Permissions tab.
List PSM accounts
The List PSM Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This lists all accounts that are PSM enabled or have the option of being PSM enabled. This is a convenient way to
provide an offline work sheet and also to provide data that may be imported into another TPAM – for example,
to populate a lab appliance with data for testing, without making the lower level changes that restoring a
backup would cause.
To list the PSM accounts:
1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
Password current status
The current status of a password for an account will report last password release, open password requests,
scheduled password resets, password checks and reset history.
To check the current status of a password:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to check.
5 Click the Current Status button.
Manual password management
Accounts that are not auto-managed by PPM may still take advantage of the secure storage and release
mechanisms, as well as the logging and reporting functions of TPAM. Password changes for such system accounts
can be accomplished in two ways – PPM generated passwords and User generated passwords.
When a non-managed account’s password has been released to a user, the defined system contact email address
for the system receives a notice when the release duration expires. This provides the opportunity to have the
password manually reset. If the request is expired early, the email notification is sent immediately.
To use passwords generated by PPM:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Click the Reset Password button.
9 Take the new password that PPM has generated, and set the account to this password on the remote system.
10 If the password update on the remote system was successful, click the Update Successful button. If the password was unable to be reset on the remote system, click the Update Failed button. PPM will discard the new password and roll back to the previously stored password.
To use passwords not generated by PPM:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Enter the new password in the Password and Confirm fields.
9 Click the Save Changes button.
Password management
Password Management allows TPAM Administrators and PPM ISAs to do a "mass" forced reset of account
passwords that are auto-managed. If manually managed passwords are scheduled for reset, the automatic email
notification will be generated to the system contact to manually reset the password.
NOTE: If the account is a synchronized password subscriber, it cannot be reset from this window.
This window also gives you a central location to view the current password status for all passwords.
To perform a mass password reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 To select all passwords returned on the Listing tab for reset, select the All check box in the column header. To select more than one, but not all, select the check box in the Select for Scheduling column for the passwords to be reset.
5 Click the Schedule Resets button.
To select one password for reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the individual row.
5 Click the Reset Individual button.
6 If the account is manually managed, after manually resetting the password on the system, click the Update Successful or Update Failed button, according to the results.
To view password history:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select an account.
5 Click the Logs tab.
6 Enter your search criteria on the Filter tab.
7 Click the Change Log, Test Log, Release Log, Dependent Change Log, or Change Agent Log to view the specific history.
Managing services in a Windows® domain environment
If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory® in
TPAM), services running on domain member systems using this account can also be managed in terms of
password changes.
The prerequisite for domain member systems to have these service account passwords changed is that each
system must be configured in TPAM and the domain functional account must be properly privileged on that
system (i.e., a member of the local Administrators group).
NOTE: Dependent systems will always have the passwords for Windows Services and Scheduled Tasks
changed, regardless of whether the check boxes are selected on the Account Details Information tab.
Add the domain controller as a managed system:
1 Select Systems, Accounts, & Collections | Systems | Add System.
2 When adding the system on the Information tab make sure that Enable Automatic Password Management is selected.
3 On the Connection tab, specify the functional account credentials.
4 Click the Save Changes button.
In Active Directory use the Delegation Control wizard to assign the following minimum permissions:
• Object type: User Objects
• Reset Password
• Read and write account restrictions
• Read lockout time
• Write lockout time
Add the managed account on the domain controller system for the Active Directory user specified on the Windows services and tasks:
1 Select Systems, Accounts, & Collections | Accounts | Add Account from the main menu.
2 Filter for the domain controller managed system added in the step above.
3 Click the Listing tab.
4 On the Information tab make sure that Enable Automatic Password Management is selected.
5 The following check boxes should NOT be selected UNLESS there are services and tasks that need to be managed locally on the domain controller itself:
   • Change password for Windows services started by the account?
   • Automatically restart such services?
   • Use this account's current password to change the password?
6 Click the Save Changes button.
7 The options only apply to the local system to which the managed account belongs. If you wish to manage services and tasks on other systems, click the Dependents tab.
8 Enter your search criteria on the Filter tab.
9 Click the Results tab.
10 Select the Dependent button for systems for which you would like the Windows services and tasks to be updated.
11 Click the Save Changes button.
A managed system must exist in TPAM for each system where you have Windows services and/or Scheduled
Tasks for which the credentials need to be updated. Ensure that Password Management is enabled on each of
these systems in TPAM, so that Functional Account credentials can be specified on the Connection tab. Each such
system must then be set as a Dependent on the AD account as specified in the step above.
The Functional Account must have the following local permissions on system(s) running the Services and Tasks.
• Member of the local Administrators group, OR
• Member of the local Backup Operators group and granted the "Log on as a batch job" local policy.
To verify the configuration:
1 Go to the managed account configured on the domain controller that was added above.
2 Perform a forced reset by clicking the Reset Password button.
If everything is configured properly and the correct permissions are assigned, the password will be reset and any
Dependent systems will also be updated. If you receive any errors about password reset failures or access
denied, you will need to verify the permissions assigned above.
Add generic account to TPAM for PSM sessions to a user specified Windows account
TPAM provides the ability to create a generic TPAM account that can be used to log in to any user-specified
Windows account during a PSM session. The user is prompted to input the desired Windows account name and
password when the PSM session is starting. This allows TPAM to provide the account name and password during
RDP session initiation, thereby allowing the RDP session to succeed even when the RDP session security layer is
set to SSL/TLS on the Windows machine.
To configure a generic TPAM account:
1 The target system must be added to TPAM. The platform for the system can be any of the Windows or SPCW platforms. For details on how to add a system see Add a system.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :prompt: for the account name.
8 Select None for the Password Management option.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select RDP- Interactive Login as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign Requestor permissions to the appropriate TPAM users.
How it works
A TPAM user requests a session using the :prompt: account on the target system. When the PSM session is
initiated, the user is prompted to enter the Windows account name and password.
After the account name and password are entered, the RDP session is connected as desired.
NOTE: It is not possible to monitor events in this scenario.
NOTE: If performing file transfer, credentials must be specified at file transfer time.
13 Linked Accounts
• Introduction
• Add a linked account to a system
• Add linked account/s to a user
• Request a session using a linked account
• Linked accounts report
Introduction
Many organizations are following best practices for creating multiple user IDs for users requiring
privileged access. For normal, everyday use, an unprivileged account should be used. Privileged
accounts should only be used when performing administrative functions that require the elevated
authorizations. TPAM can further enhance this by using managed accounts via PSM for access into
the target host, thereby never allowing the user to have knowledge of the password for their
elevated accounts. The linked account functionality allows one TPAM user ID to be linked to many
privileged accounts without requiring user specific accounts on each managed system.
Add a linked account to a system
A linked account must be added to a system in order for the linked account functionality to work. This account
is not a “real” account on the target system, it is a placeholder that the user will request when making the PSM
session request. The proxy connection type used by the PSM session can be any protocol (SSH, RDP, telnet, etc.)
but must be a connection type that uses Automatic Login Using Password. The Session Authentication type for
PSM is only allowed to be Password Managed by Local TPAM.
To add a linked account:
1 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the account to.
3 Click the System tab.
4 Select the system.
5 Click the Details tab.
6 Type :linkedaccount: in the Account Name box. (The :linkedaccount: text is not case sensitive, but must have the surrounding colons.)
7 Select None for the password management option.
8 Enter the other settings as desired on the Details Information, Reviews and Ticket System tabs.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions? check box.
11 Select a proxy type using Automatic Login Using Password.
12 Enter the other settings as desired on the General, File Transfer, Review Requirements, Collections
and Permissions tabs.
13 Click the Save Changes button.
Review and Approve permissions only apply to the linked account itself and not the associated requests.
Add linked account/s to a user
To add a linked account to a user ID the user ID must have a User Type of Basic or Administrator.
To add a linked account to a user:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select a user ID and click the Linked Accounts tab.
5 Click the Results tab.
6 Select Linked in the Linked Status column for accounts you want this user to have access to.
7 Click the Save Changes button.
8 Click the Permissions tab.
9 Filter for the :linkedaccount: on the system that you created.
10 Make sure that the user ID has Session Requestor permissions assigned to the :linkedaccount:. Only Session or Command Requestor permissions apply to a linked account. Users cannot use a linked account to request a password for any of the linked accounts assigned to them.
As with all other accounts, permissions to a :LinkedAccount: may be granted at the system or collection level
using either User or Group assignments.
Request a session using a linked account
All of the logging for the request on a linked account will display the actual account that was requested on the
details tab.
To request a session using a linked account:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the :linkedaccount:.
5 Click the Details tab.
6 Select the account desired for the session request from the Account Name list. The list of available accounts will include all linked accounts assigned to the user which are:
   • Domain accounts - accounts on a system with a domain name
   • Accounts local to the system the :linkedaccount: resides on.
7 Complete and save the request as normal. For more details on session requests see Request a session.
Linked accounts report
To see the linked accounts associated to a user ID:
1 Select Users & Groups | UserIDs | List UserIDs from the main menu.
2 Type in the filter criteria.
3 Click the Export to Excel or Export to CSV button.
14 Using Quest Authentication Services with TPAM
• Introduction
• Configure QAS integration
• How it works
Introduction
Quest Authentication Services (QAS) is patented technology that empowers non-Windows® systems to become
members of Active Directory® (AD) for centralized authentication. The ability for Linux®, UNIX® and Mac®
systems to join the Active Directory® domain provides the benefit of central control over which an AD user is
permitted to authenticate to which non-Windows® system.
TPAM is able to leverage QAS with UNIX®, Linux®, and Mac® systems to allow for Active Directory® functional
accounts on UNIX®, Linux®, and Mac systems. TPAM also allows a currently logged on user to request a session
using their currently logged on username through a special account, called :myaccount:, that is defined in TPAM
for each system. This is beneficial because many implementations use Active Directory® as the primary
authentication source and grant permissions through this integration. A user may request access to a
system using their own username and password by requesting a session with the account :myaccount:. The user
then proxies access to the system through TPAM using their own credentials, without having to store additional
information on each defined system in TPAM for that user.
Configure QAS integration
QAS must be installed on the target system before the integration is configured in TPAM. See the
documentation provided with QAS for these steps.
The target system must be added to TPAM. For details on how to add a system see Add a system template.
To create an account for QAS to use with TPAM:
1 Log on to the /tpam interface.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :myaccount: for the account name.
8 Select None for the Password Management option.
NOTE: The password for the domain account is not stored in this account.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select one of the "interactive" proxy types as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign
Requestor permissions to the appropriate TPAM users.
14 Click the Save Changes button.
How it works
A TPAM user requests a session using :myaccount: on the target system.
When the PSM session is initiated, the account of the user is sent to the target system as the TPAM user ID and
they must provide the domain password for authentication. The domain password is then sent to QAS for
authentication.
15 TPAM Account Discovery
• Introduction
• Configure account discovery
• Account discovery profiles
• Add an account discovery profile
• Delete an account discovery profile
• Assign an account discovery profile to a system/system template
• Combine account discovery with auto discovery
Introduction
For Windows®, *nix, and database systems, account discovery can be configured in TPAM. Account discovery is
the process of discovering accounts on a TPAM managed system. Configuration allows these accounts to be
added or removed from TPAM as they are discovered or removed from the remote system. Administrators can
also opt to just have email notifications sent when these accounts are discovered/removed. Account discovery
uses an account template to create new accounts, as they are discovered, on the parent system in TPAM.
Configure account discovery
A system template is a container for account templates used during the discovery process. The platform
selected and the Enable Auto Password Management check box are the only attributes that are used in the
discovery process.
To configure account discovery:
1 Create a system template. Select Systems, Accounts, & Collections | Systems | Add System Template from the menu. To discover any Windows accounts the system platform must be Windows, Windows Desktop, or Windows Active Directory. When discovering accounts on any *nix type system any discoverable *nix type platform may be used. When discovering accounts in a DBMS the platform of the template must match the database being discovered. The system name, network address, functional account, password profiles, collections, permissions, etc. are not relevant to account discovery. If the discovered accounts are going to be auto-managed the system template must have auto management enabled so that the template accounts created in the next step can be auto managed. Note - this is NOT where you assign the account discovery profile.
2 Add an account to the system template. Select Accounts | Add Account from the menu. Filter for the system template you just created. Select the template from the System tab and click the Details tab. The details on these account templates *ARE* significant. Any accounts discovered using these templates will be added to the parent system using all details (except the account name), review information, password profiles, custom columns, PSM details, collection membership, permissions, etc. of the account template.
For a system template with auto-management turned on (the default) there will already be an account
template created for the functional account. Because functional accounts default to being unmanaged
(Password Management set to "None") it is recommended that you create at least one additional account
template for discovery purposes. Additionally, if you do use the template's "functional account" to
discover accounts on new systems, realize that this does not make the discovered accounts the functional
account on the parent system.
If the discovered accounts need to be connected to a synchronized password the account template must
be a subscriber of the synchronized password before the accounts are discovered.
As when using system templates to create systems, this template is only used to create the account. Any
edits to a template after accounts are created are not "pushed out" to accounts created from the
template. Configure the account and click the Save Changes button.
NOTE: For a disabled account that is newly discovered, if the Enable Account Before Release check box
is selected on the template used in account discovery the account WILL be brought into TPAM. If the
Enable Account Before Release check box is clear on the template the disabled account will not be
brought into TPAM.
NOTE: For a disabled account that exists in TPAM, and the Enable Account Before Release check box is
selected on the template used in account discovery, the account WILL NOT be considered deleted. For a
disabled account that exists in TPAM, and the Enable Account Before Release check box is clear on the
template used in account discovery, the account WILL be considered deleted.
3 Create an account discovery profile. When adding the detail rows select the desired account template(s) created in Step 2 above. For more information on how to create an account discovery profile see Account discovery profiles.
4 Assign the account discovery profile created in Step 3 above to the parent system on which you want to discover accounts by selecting Systems, Accounts, & Collections | Systems | Manage Systems. Find the parent system in the Listing tab and click the Account Discovery tab. After the changes are saved click the Test Account Discovery button to see what accounts are found.
NOTE: The parent system being discovered must be auto managed and must be able to successfully execute a "Test System". If the functional account password is invalid or the system is unreachable for whatever reason then Account Discovery will not work.
5 (Optional) If desired, click the Run Discovery Profile button to immediately have the profile run instead of waiting for the next scheduled run. A maximum of 5,000 accounts can be discovered this way.
Accounts will display on the Discovered Accounts tab if the Delete Account Action or New Account Action setting is set to Notify via Email on the account discovery profile. If accounts are discovered, select from the following options:
• Add Account - If selected, the account will be added to the system using the indicated template account.
• Turn Off Auto - Accounts with this option have been deleted from the target system, but are still set up as a managed account in TPAM. If Turn Off Auto is selected, the password management setting for this account will be set to None.
• Add to Exclude - If selected, the account will be added to the system's exclude list. The account will be ignored during auto discovery processing.
After making selections click the Process Selected Actions button to execute the selections.
Clicking the Clear All Staged Accounts button clears out all staged account rows for this system without
processing them.
Clicking the Refresh Current List button refreshes the list with whatever filter applies.
6 Confirm with the System Administrator that the Account Discovery agent has been enabled in the admin interface.
Account discovery profiles
Account Discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account Discovery profiles can only be assigned to Windows®, *nix and database
systems.
The table below explains the options on the Account Discovery profile page.
Table 50. Account Discovery profile page options

Profile Type
  Description: Account Discovery should be selected from the list.
  Required: Yes
  Default: Account Discovery

Profile Name
  Description: Enter a unique profile name.
  Required: Yes

Description
  Description: Enter a brief description of this profile.
  Required: No

Time of Day
  Description: Enter the time of day that TPAM should check the assigned managed systems for account changes. Frequency options:
    • Disabled - Processing of the account discovery profile is suspended. The profile can still be assigned to systems, and clicking the Test and Run buttons on the Account Discovery tab on the systems page will still work, but future runs will not be scheduled.
    • Daily - If selected, the check will occur every day at the configured time.
    • Weekly - If selected, the check will occur on the days selected, at the configured time.
    • Monthly - If selected, the check will occur on the days of the month listed. Multiple days may be entered separated by a semi-colon. Use a value of -1 to run on the last day of the month, regardless of length.
  Required: Yes
  Default: 23:00/Daily

Delete Account Action
  Description: The action to take when an existing account has been removed from the system.
    • Do Nothing - no action taken
    • Turn off Auto-Management - If the managed account is currently set to be auto-managed or is a subscriber to a synchronized password, the password management setting for the account will be changed to None.
    • Notify via Email - the account is not changed, but an email is sent to the addresses specified that it has been removed from the remote system. Information will also be displayed on the Discovered Accounts tab when this option is selected.
    • Both - the account's auto-management is set to None, and an email notification is sent out.
  Required: Yes
  Default: Do Nothing

Delete Notification Email
  Description: A list of email addresses, separated by semi-colons, to be notified based on the New/Delete Account Action selections. Allows up to 255 characters. Two special addresses are recognized:
    • :System: - sends an email to the primary contact entered on the System Details tab.
    • :Functional: - sends an email to the notification email entered for the functional account.
  Required: No

New Account Action
  Description: The action to take when a new account is entered on an assigned system. Choices are:
    • Do Nothing - no action taken
    • Create an Account - a new managed account will be created on the system using the template account
    • Notify - the account is not created, but an email is sent to the addresses specified.
    • Both - the account is created, and an email notification is sent out.
  Required: Yes
  Default: Do Nothing

Template Account
  Description: Select a template from the list to be used for the accounts created. They will be listed as template name/account name. The discovered accounts will be assigned the attributes of the template account selected.
  Required: Yes
  Default: First template in the list

UID
  Description: Only applies to *nix systems. A comma separated list of numeric filter values. Only UID (User Id) values that match one of the following values will be discovered. Values may be entered as follows:
    • # - only this numeric UID will be recognized.
    • #-# - numeric UIDs between these two values.
    • <# - UIDs less than, but not equal to
    • ># - UIDs greater than, but not equal to
    • !# - UIDs not equal to
  Required: At least one filter criterion is required to save the profile.

SID
  Description: Only applies to Windows® systems. A string list of values. Only SID (Security Identifier) values that match one of the following values will be discovered. Values may be entered as follows:
    • # - only this numeric SID will be recognized.
    • #-# - numeric SIDs between these two values.
    • <# - SIDs less than, but not equal to
    • ># - SIDs greater than, but not equal to
    • !# - SIDs not equal to
  Required: At least one filter criterion is required to save the profile.

Name
  Description: A comma separated list of values. Only account names that match one of the following values will be discovered. Values may be entered as follows:
    • text - only this account will be recognized
    • *text - account names ending in text
    • text* - account names starting with text
    • !text - account names not equal to text
  Required: At least one filter criterion is required to save the profile.

Group
  Description: Only applies to Windows® and *nix platforms. A comma separated list of group names. Only accounts which are members of the indicated group(s) will be discovered. Values may be entered as follows:
    • text - only this group will be recognized
    • *text - group names ending in text
    • text* - group names starting with text
    • !text - group names not equal to text
  Required: At least one filter criterion is required to save the profile.

Role
  Description: Only applies to database systems. A comma separated list of role names. Only accounts which are members of the indicated role(s) will be discovered. Values may be entered as follows:
    • text - only this role will be recognized
    • *text - role names ending in text
    • text* - role names starting with text
    • !text - role names not equal to text
  Required: At least one filter criterion is required to save the profile.

Task
  Description: Only applies to Windows® systems. If selected, discovers an account if it is being used to run any Windows® scheduled task.
  Required: At least one filter criterion is required to save the profile.
  Default: Off

Service
  Description: Only applies to Windows® systems. If selected, discovers an account if it is being used to run any Windows® services.
  Required: At least one filter criterion is required to save the profile.
  Default: Off
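Worked example added here (not TPAM code): a Python matcher for the UID, Name and Group filter syntax in Table 50, the system's exclude list, and the new/removed split that the New Account and Delete Account actions act on. The Account class, SAMPLE_ACCOUNTS and the rule for combining several criteria are assumptions, since the guide only states that an account must "match one of the following values" within a criterion.

```python
"""Account discovery filter matching, as an added example (not TPAM code).

Implements the UID, Name and Group filter syntax from Table 50 and the
system-level exclude list, then reconciles the result against the accounts
already in TPAM to show where the New Account / Delete Account actions apply.
The Account class and SAMPLE_ACCOUNTS are constructed. How TPAM combines
several populated criteria and how it treats negated values is not stated in
the guide: here every populated criterion must pass, positive values are OR'd
and negated values are exclusions that must all hold (assumptions).
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class Account:
    """Constructed stand-in for an account enumerated on a *nix system."""
    name: str
    uid: int
    groups: List[str] = field(default_factory=list)


def split_values(raw: Optional[str]) -> List[str]:
    """Split a comma separated filter string into its non-empty values."""
    return [v.strip() for v in (raw or "").split(",") if v.strip()]


def uid_value_matches(value: str, uid: int) -> bool:
    """One UID value: # exact, #-# range, <# below, ># above (Table 50)."""
    if value.startswith("<"):
        return uid < int(value[1:])          # less than, but not equal to
    if value.startswith(">"):
        return uid > int(value[1:])          # greater than, but not equal to
    if "-" in value:
        lo, hi = (int(p) for p in value.split("-", 1))
        return lo <= uid <= hi               # between these two values (inclusive assumed)
    return uid == int(value)


def text_value_matches(value: str, text: str) -> bool:
    """One Name/Group/Role value: text exact, *text suffix, text* prefix."""
    if value.startswith("*"):
        return text.endswith(value[1:])
    if value.endswith("*"):
        return text.startswith(value[:-1])
    return text == value


def criterion_passes(raw: Optional[str], matcher: Callable, candidates: Sequence) -> bool:
    """Apply one criterion to an account's candidate values (its UID, name or groups).

    Values written as '!x' exclude the account when x matches; the remaining
    values are OR'd, as in "match one of the following values" in Table 50.
    """
    values = split_values(raw)
    if not values:
        return True                          # criterion not populated on the profile
    excludes = [v[1:] for v in values if v.startswith("!")]
    includes = [v for v in values if not v.startswith("!")]
    if any(matcher(x, c) for x in excludes for c in candidates):
        return False
    if not includes:
        return True                          # purely negative filter: keep the rest
    return any(matcher(v, c) for v in includes for c in candidates)


def discover(accounts: Sequence[Account], uid: Optional[str] = None,
             name: Optional[str] = None, group: Optional[str] = None,
             excluded: Sequence[str] = ()) -> List[str]:
    """Return the names the profile would report as discovered on one system."""
    if not (split_values(uid) or split_values(name) or split_values(group)):
        raise ValueError("at least one filter criterion is required to save the profile")
    found = []
    for acct in accounts:
        if acct.name in excluded:            # system's exclude list: ignored outright
            continue
        if (criterion_passes(uid, uid_value_matches, [acct.uid])
                and criterion_passes(name, text_value_matches, [acct.name])
                and criterion_passes(group, text_value_matches, acct.groups)):
            found.append(acct.name)
    return found


def reconcile(discovered: Sequence[str], in_tpam: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Split into (new on the system -> New Account Action,
    gone from the system -> Delete Account Action)."""
    d, t = set(discovered), set(in_tpam)
    return sorted(d - t), sorted(t - d)


SAMPLE_ACCOUNTS = [                          # constructed sample data
    Account("root", 0, ["wheel"]),
    Account("daemon", 1, ["daemon"]),
    Account("oracle", 1001, ["dba", "oinstall"]),
    Account("svc_backup", 1002, ["backup"]),
    Account("jsmith", 1500, ["users"]),
    Account("nobody", 65534, ["nogroup"]),
]


def demo() -> Tuple[List[str], List[str]]:
    """Profile: UID '>999, !65534', Name '!jsmith'; TPAM already holds oracle and olduser."""
    found = discover(SAMPLE_ACCOUNTS, uid=">999, !65534", name="!jsmith")
    return reconcile(found, ["oracle", "olduser"])


if __name__ == "__main__":
    new, gone = demo()
    print("create via template:", new)        # ['svc_backup']
    print("delete action applies to:", gone)  # ['olduser']
```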
Add an account discovery profile
IMPORTANT: An account discovery profile cannot be added unless at least one system template has been
added to TPAM.
To add an account discovery profile:
1 Select Management | Profile Management from the menu.
2 Select Account Discovery from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique name for the profile.
5 Enter a description for the profile. (optional)
6 Enter a time of day and frequency for the auto discovery check to run.
7 Click the Add Detail button.
8 Select the various detail options available. For more information on how these are configured see the table in the Account discovery profiles section.
9 To add another detail row repeat steps 7 and 8.
10 Click the Save Changes button.
Delete an account discovery profile
To delete an account discovery profile:
1 Select Management | Profile Management from the menu.
2 Select Account Discovery as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: An account discovery profile can only be deleted if it is not assigned to any systems.
Assign an account discovery profile to a system/system template
Account Discovery profiles can be assigned using the Import Systems or Update Systems batch
processing functions, or by following the procedure below.
To assign an account discovery profile to a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems.
2 Select the system/system template on the listing tab.
3 Click the Account Discovery tab.
4 Select the profile from the discovery profile list.
5 Enter any accounts to be excluded from the discovery profile actions in the excluded box.
6 Click the Save Changes button.
IMPORTANT: The profile being assigned to the template cannot have any accounts in common with the
template it is being assigned to.
Combine account discovery with auto discovery
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems through Auto Discovery integration. To take this
process one step further, once a system is “auto discovered” and added to TPAM, account discovery can also be
configured to find accounts on this newly added system. To combine auto discovery with account discovery see
Discover accounts on auto discovered systems.
16 Files
• Introduction
• Add a file
• Duplicate a file
• Review file history
• Delete a file
• Retrieve a file
• List files
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
To add and manage files, information is entered on the following tabs in the TPAM interface:
Table 51. Files Management: TPAM interface tabs

Details
  Define main file information, such as name, approvals required, contact.

Ticket System
  Configure Ticket System Validation for requests on this file.

Collections
  Assign a file to a collection/s.

Permissions
  Assign users and groups permissions on this file.
Details tab
The Details tab is where you upload the file to TPAM and set approval requirements.
The table below explains all of the options available on the File Details tab.
Table 52. Files Management: Details tab options

File Display Name
  Description: The name users see when requesting access to stored files.
  Required: Yes

Filesize (in bytes)
  Description: Display only. The size of the file that is uploaded.

Select Local Filename
  Description: Where the file is uploaded by clicking the browse button.
  Required: Yes

Approvals Required
  Description: The default value of 1 indicates that a single approval allows the requestor to access the file. A value greater than 1 requires multiple approvers to approve each request. A value of 0 means any requests will be auto-approved by TPAM. If overridden by an access policy the greater of the two values will be used.
  Required: No
  Default: 1

Maximum Duration
  Description: This is the maximum duration for a file release. If this is overridden by an Access Policy assignment, the lower of the two durations is used. The default duration that the requestor sees for any new file request is 2 hours, or the maximum duration, whichever is less.
  Required: Yes
  Default: 7 Days

Require Multi-Group Approval
  Description: Can only be selected if Approvals Required is greater than 1. If selected, you can require that approvals for requests come from one or more groups. If only one group is selected, all approvals must come from members of this group. If more than one group is selected, at least 1 approval must come from each group.
  NOTE: Any user with approver permissions will be able to approve the request, but unless the user is a member of one of the selected groups, their approval will not count. Any authorized approver can deny the request.
  Required: No
  Default: Off

Notification Email
  Description: The email address specified in this box receives notification of certain file releases. This would apply to releases by ISA users, CLI/API users under all circumstances, and requests when no approvals are required. Multiple email addresses can be specified by entering each email address separated by a comma, up to a maximum of 255 characters.
  Required: No
  Default: Null
Any time a change is made to the notification email address
box, an email is automatically sent to the old email address
with a notification that this change has occurred.
Description
The description box may be used to provide additional
information about the file, special notes, business owner, etc.
No
Ticket System tab
The Ticket System tab is used to configure third party ticket system requirements when submitting file release
requests for this file. The Ticket System tab is only enabled if the TPAM System Administrator has configured
ticket system/s in the /admin interface.
The following table explains the options on this tab.
Table 53. Files Management: Ticket System tab options
Field | Description | Required? | Default
Require Ticket Number from | Select this check box to require ticket number validation every time a file request is submitted. If multiple Ticket Systems are enabled they are listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this check box is not selected, users can still enter a Ticket Number on a request, but it is not required. | No | From System
Perform Ticket Validation for | If ticket validation is required, then all requestors are required to provide a ticket number. You also have the option to require ISAs to supply a ticket number prior to retrieving a file. | No | From System
Send Email notification to | If any of the ISA, CLI or API required check boxes are left clear you have the option of entering one or more email addresses (up to 255 characters) that will receive an email when an ISA, CLI or API user releases or retrieves a file without supplying a ticket. | No | From System
Pull defaults from system | If selected, when the Save Changes button is clicked, it will pull these settings from the system. The propagation is a one time update each time this check box is selected and the Save Changes button is clicked. After that there is no forcing of the settings to remain in synch. The settings on the file can be overridden. | No | Off
Logs tab
The Logs tab for stored files shows the activity associated with accessing the file.
The following table explains the fields on this tab.
Table 54. Files Management: Logs tab options
Field | Description
Request ID | Request ID for the file request.
User Name | User ID of the requestor.
User Full Name | Full name of the requestor.
Release Date | Date and time that the file was retrieved.
Release Type | Indicates whether the file was retrieved by a requestor or an ISA.
File History tab
This tab shows the history of all physical files that have been associated with the file display name as well as the dates the file was originally stored and replaced. The older files, though no longer associated with the display name, remain on the appliance and may be accessed by an administrator using the filename link. Older files may also be deleted from history.
The following table explains the fields on this tab.
Table 55. Files Management: File History tab options
Field | Description
Actual Filename | The name of the file that was stored on TPAM.
Stored Date | The date the file was uploaded to TPAM.
Replaced Date | The date the file was replaced with another file.
Filesize | Size of the file in bytes.
Current File tab
The Current File tab allows you to retrieve the file if you have ISA permission for the file.
The following table explains the options on this tab.
Table 56. Files Management: Current File tab options
Field | Description | Required?
Release Reason | The reason for the file release. | Depends on configuration by System Administrator
Reason Code | The reason for the file release. | Depends on configuration by System Administrator
Ticket System | Ticket system to validate the request against. | Depends on configuration by Administrator.
Ticket Number | Ticket number to validate the request against. | Depends on configuration by Administrator.
Collections tab
A collection is a group of systems, accounts and/or files. The Collections tab is used to assign the file to a collection/s. Files can belong to more than one collection. The collections list shows all collections that have been defined in the TPAM appliance if the user modifying the file is an administrator. If the user modifying the file is an ISA, only the collections that the user holds the ISA role for are displayed. By assigning the file to collections, the file automatically inherits user and group permissions that have been assigned at the collection level.
NOTE: A file cannot belong to the same collection as its parent system, or vice versa.
Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.
The table below explains the fields on the Results tab.
Table 57. Files Management: Collections Results tab options
Field | Description | Required? | Default
Type | On this tab type will always say Collection. | |
Name | The name of the collection. Clicking on the name will take you to the collection management listing tab. | |
Membership Status | To modify collection membership, simply click the Not Assigned or Assigned buttons next to each collection name and click the Save Changes button. You can set all members to either Assigned or Not Assigned by holding down the Ctrl key when clicking on any button. | No | Not Assigned
Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this file.
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right upper side of the Results tab. When you select an Access Policy on the list the detailed permissions describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the assignment.
Table 58. Access Policy Details pane icons
Icon | Action
| Refreshes list of available Access Policies.
| Scrolls the currently selected User or Group into view.
| Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. This affects only the current row (row with the dotted border) even if multiple rows are selected.
| Applies the currently selected policy to all selected rows in the list. You are asked to confirm the assignment if more than 10 rows are affected.
| Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You are asked to confirm the assignment if more than 10 rows are affected.
| Removes unsaved edits on the current row. This only affects the current row (row with the dotted border) even if multiple rows are selected.
| Removes unsaved edits on all currently selected rows.
This icon ( ) next to any row on the list simply means that row has been edited since the last save changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the file are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.
NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.
Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.
Add a file
When adding a file in TPAM, information is entered on the following tabs to configure the file:
• Details - File name, Approvals required
• Ticket System
• Collections
• Permissions
The following procedure describes the required steps to add a file.
To add a new file:
1 Select Systems, Accounts, & Collections | Files | Add File from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the file to.
3 Click the System tab.
4 Select the system.
5 Click the Details tab. Enter information on the Details tab. For more information on this tab see Details tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting file release requests. For more details see Ticket System tab. (Optional)
7 Click the Save Changes button.
8 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab see Collections tab.
9 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab. (Optional)
10 Click the Save Changes button.
Duplicate a file
To ease the burden of administration and help maintain consistency, files can be duplicated. This allows the
administrator to create new files that are very similar to those that exist, while only having to modify a few
details. The new file inherits approval requirements, ticket system settings, collection and permission
assignments from the existing file.
To duplicate a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be duplicated.
5 Click the Duplicate button. A new file object is created and the Details tab displays.
6 Enter the file name.
7 Upload the file.
8 Make any other additional changes on the Details and Ticket System tabs. (Optional)
9 Click the Save Changes button.
10 Click the Collections tab and assign membership. (Optional)
11 Click the Permissions tab and assign access policies. (Optional)
12 Click the Save Changes button.
Review file history
To view file history:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file.
5 Click the File History tab. For more information see File History tab.
Delete a file
To delete a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
Retrieve a file
A user with ISA permission over a file can retrieve it.
To retrieve a file:
1 Select Retrieve | Retrieve File from the menu.
2 Select the file to retrieve from the Listing tab.
3 Click the Current File tab.
4 Complete the following fields:
Table 59. Current File tab fields
Field name | Description
Release Reason | Used to provide a brief description of the reason for the password release. May be optional, required or not allowed, depending on configuration.
Reason Code | Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional, required, or not allowed depending on how they are configured.
Ticket System | May be required, based on configuration.
Ticket Number | May be required, based on configuration. If the ticket number fails validation the ISA will not be able to retrieve the file.
5 Click the Retrieve File button.
List files
The List Files option allows you to export the account data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet.
To list files:
1 Select Systems, Accounts, & Collections | Files | List Files from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for the file, select the file and click the Collections tab.
7 To view the permissions assigned to the file, select the file and click the Permissions tab.
17 Auto Discovery - LDAP Integration
• Introduction
• Source tab
• Add a LDAP data source
• Add user/system template
• Add LDAP user/system mapping
• Delete a LDAP system/user mapping
• Discover accounts on auto discovered systems
Introduction
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the LDAP data source as system in TPAM
• Add templates for the systems and/or users you want to import
• Set up the LDAP Directory Mapping
• Confirm that the Auto Discovery Agent is running
LDAP directory mapping
To configure the LDAP Directory Mapping, information is entered on the following tabs in the TPAM interface:
Table 60. LDAP Directory Mapping: TPAM interface tabs
Tab name | Description
Source | Define the source for the LDAP data and collision strategies for integrating users or systems. Also specify the group/collection and template to be used for mapping integrated users/systems.
Template | Displays selected template details when clicking the “eye” button below the template list.
Source tab
The table below explains all of the options available on the LDAP Source tab. The field names and collision
strategy questions and answers will differ based on whether you are mapping systems or users.
TIP: Hover your mouse over the buttons on this page for descriptions of how each button functions. Click
the help buttons for more details on the Filter and Template Name fields.
Table 61. LDAP Directory Mapping: Source tab options
Field | Description | Required? | Default
LDAP Directory | Select a system from the list. The system must be set up as a Windows® AD, LDAP, LDAPS or Novell® NDS system in TPAM. | Yes |
TPAM Collection Name | Enter name of the TPAM Collection for these systems. This needs to be a collection name that does not already exist in TPAM and membership changes are not allowed outside this mapping. | Yes |
TPAM Group Name | Enter name of the TPAM Group for these users. This needs to be a group name that does not already exist in TPAM and membership changes are not allowed outside this mapping. | Yes |
System Administrator? | If selected, any users created are created as system administrator users. | |
Distinguished Name/Directory Explorer | Click the Plus button to enter the full distinguished name of the source container. The other option is to click the magnifying glass button to browse the LDAP directory and select an entry. | Yes |
Filter | Using LDAP filter syntax, you can narrow the results of the Distinguished Name entry. The filter is wrapped with a standard filter used to return only computers or users based on the type of LDAP mapping. The standard filter syntax is included in the listing above once you enter any text into the filter, but you cannot edit any part of the standard filter. The filter you enter will be validated for basic syntax as you edit, but the content is not checked until the Distinguished Name is validated. Valid/invalid syntax will be indicated with a green check mark or red X to the left of the text. | No |
Template Name | Select or edit an existing system/user template. Each Distinguished Name/Filter row can be assigned a different template. System/User Templates are used to create systems/users from the LDAP directory source. Any new systems/users added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the Details tab, as well as all the other tabs. Template values only affect new systems/users added from the LDAP container. The template is not used when updating existing systems/users. If the template selected has an Account Discovery profile assigned to it, then the account discovery process will occur at the next scheduled run of the Account Discovery agent. | Yes |
Automatically Update every... | Select how often you want TPAM to pull updates from the LDAP directory. The update pulls changes in last name, first name, email, phone number, mobile number, network address, comments/notes and if the user has been disabled or a system/user added. NOTE: This can be set to 0 when the host is unavailable. | No | 0
Send Messages to... | You have the option of sending an email to a specific user every time an update occurs, or only when failures occur trying to perform an update. | No | None
What to do for usernames that conflict with TPAM restricted usernames | Option selected determines how TPAM handles the scenario. Options are: Report as Error; Create Unique. | Yes | Report as Error
System/User name exists in TPAM with no distinguished name mapping | Option selected determines how TPAM handles the scenario. Options are: No Action; Create Unique TPAM System/User; Map to existing; Report as Error. | No | No Action
System/User name exists in TPAM with a distinguished name mapping | Option selected determines how TPAM handles the scenario. Options are: No Action; Create Unique TPAM System/User (system/user will be added as "newsystemname_1" or "newusername_1"); Report as Error. | No | No Action
What to do when LDAP Directory system/user mapped to a system/user in TPAM is removed from the source container | Option selected determines how TPAM handles the scenario. Options for systems are: Leave System, remove mapping; Soft Delete System, regardless of other mappings, remove mapping; Report as Error. Options for users are: Leave User, remove mapping; Disable user in TPAM; Report as Error. NOTE: Any data associated with a deleted user (activity logs, requests, releases, reviews, etc.) remains in the TPAM database until such time as the associated Retention Period setting ages the data out of the system. | No | Leave System/User, Remove mapping
Ignore data from | Inserts or updates from the mapped data source will always overwrite existing TPAM data. To preserve data which may be inserted or updated in TPAM use Ctrl-Click to select or clear individual columns in the list. TPAM data in the selected columns will not be overwritten by inserts or updates from the data source. | No | Clear
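The Filter row above describes two steps: a basic syntax check on the administrator's filter (green check or red X) and wrapping it inside a fixed filter that limits results to computers or users. The Python below is an added example of both steps, not TPAM's own code; the two object-type filters it wraps with are assumed stand-ins, since the guide does not show TPAM's standard filter text.

```python
"""Basic LDAP filter syntax check and object-type wrapping, modelled on the
Filter field of the LDAP Source tab.  Added example, not TPAM code."""
import re

# Assumed stand-ins for the fixed filter TPAM wraps around the admin's entry;
# the guide says it limits results to computers or users but does not show it.
STANDARD_FILTER = {
    "systems": "(objectClass=computer)",
    "users": "(objectClass=user)",
}

# One assertion "attr<op>value"; value may be empty or contain '*'.
_ASSERTION = re.compile(r"^[A-Za-z][A-Za-z0-9.;:-]*(=|~=|>=|<=)[^()]*$")


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter component starting at s[i].
    Returns the index just past it; raises ValueError on a syntax error."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                       # and / or: one or more operands
        i += 1
        operands = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            operands += 1
        if operands == 0:
            raise ValueError("'&' and '|' need at least one operand")
    elif s[i] == "!":                      # not: exactly one operand
        i = _parse(s, i + 1)
    else:                                  # simple assertion
        j = s.find(")", i)
        if j == -1:
            raise ValueError("missing ')'")
        if not _ASSERTION.match(s[i:j]):
            raise ValueError(f"bad assertion {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_syntax_ok(user_filter: str) -> bool:
    """True when the whole string is exactly one well-formed filter."""
    try:
        return _parse(user_filter, 0) == len(user_filter)
    except ValueError:
        return False


def wrap_filter(user_filter: str, mapping_type: str) -> str:
    """Combine the admin's filter with the fixed object-type filter using '&',
    so the admin's entry can only narrow the result set, never widen it."""
    if not filter_syntax_ok(user_filter):
        raise ValueError("filter rejected: basic syntax check failed")
    return f"(&{STANDARD_FILTER[mapping_type]}{user_filter})"
```

Content checks (does the attribute exist, does the DN resolve) are not attempted here, matching the guide's note that content is only checked when the Distinguished Name is validated.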
Add a LDAP data source
To add a LDAP data source:
1 Add the LDAP Directory server as a managed system in TPAM. For more details on adding a system see Add a system.
2 Click the Connection tab to configure the details for the functional account, distinguished name and other communication options.
NOTE: When setting up a Windows Active Directory® domain controller for LDAP integration TPAM relies on the domain name to leverage Active Directory’s built in fail over capabilities. TPAM must be able to resolve the domain name, either via DNS or by adding a mapping in the hosts file. See the System Administrator manual.
3 Click the LDAP Schema tab. This tab is pre-populated with well known attributes and changes to the mappings can be made here. (Optional)
4 Click the Save Changes button.
Add user/system template
Templates must be added to TPAM for the systems and/or users that are found and added to TPAM during the
auto discovery process. The systems and users added to TPAM use the attributes as they have been set on the
template when they are added to TPAM. For instructions on how to add a system template see Add a system
template. For instructions on how to add a user template see Add a user template.
Templates can also be added or edited using the buttons below the Templates list on the Source tab of the LDAP
Directory Mapping.
NOTE: For any template used by LDAP or generic integration that has a WinAD primary authentication type, the primary user ID must be empty or one of the following values: UPN, UserPrimaryName or SAMAccountName.
If any external authentication is set, the external user ID must still be populated to save the template; however, when a user is created from the template the UserName is used as the default externalID.
Add LDAP user/system mapping
To add a LDAP User/System Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Click the Add Systems or Add Users button.
3 Complete the information on the Source tab.
    1 Select the LDAP Directory.
    2 Enter the TPAM Group/Collection name.
    3 Click the Plus button to add a Distinguished Name and Filter (optional). Click the check box button to validate the DN name and the filter. Repeat as needed to add more filters. The validate button will either return the number of discovered entities or an error.
    NOTE: During auto discovery the query will be executed in the order that the filters are listed. This order can be changed by using the arrow buttons on the left of the Filters listing.
    4 Select or create a template. Click the Save Changes button.
    NOTE: Each Distinguished Name/Filter row can have a different template assigned.
    5 Complete the automatically update section.
    6 Select the collision strategy choices.
4 Click the Save Changes button. All Distinguished Name/Filter rows must be validated and a template selected before the Save Changes button will enable.
5 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
For users discovered from the LDAP directory, the full primary user ID is set to their distinguished name if primary authentication is set to LDAP. Similarly, the secondary authentication user ID is set to the distinguished name if secondary authentication is set to LDAP. This allows LDAP directory synchronized users to log in to TPAM.
Delete a LDAP system/user mapping
To delete a LDAP System/User Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted, the association of the system/user with that mapping is removed.
Discover accounts on auto discovered systems
To discover accounts on auto discovered systems:
1 Create a System Template - this will be the Auto Discovery System Template. This must be a different system template than one created for Account Discovery. All attributes of this template will be used when creating a new system - Information, Custom Information, Connection and functional account, password profiles, affinity, collections, permissions, etc. Assign an Account Discovery Profile to the system template.
2 (Optional) Create up to ten accounts (including the functional account) on the system template from step 1. These are static account names that will be created whenever the system template is used from any source - through auto discovery or manually via the GUI, CLI/API, or batch processing. TPAM does not validate these accounts prior to creation, it simply clones whatever accounts are attached to the system template. These accounts have no relation to Account Discovery.
3 Assign the System Template created in step 1 to an LDAP/AD or Generic Auto Discovery Mapping. When the Auto Discovery agent processes the mapping it will create systems based on the assigned template. Once the new system is managed by TPAM the automation engine will process the system using the Account Discovery Profile to discover and create accounts on the new system. Any discovered accounts which have the same names as accounts cloned from the system template (added in step 2) are considered "existing" accounts; their account attributes will be left as those from the Auto Discovery template, not updated to match the Account Discovery template.
18 Auto Discovery - Generic Integration
• Introduction
• Source tab
• System tab
• User tab
• Add a generic system mapping
• Add a generic user mapping
• Delete a generic system/user mapping
Introduction
TPAM can be configured to integrate with MySQL®, Oracle®, SQL Server® and Sybase® to automatically detect,
enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the database server as system in TPAM
• Create templates for the systems and/or users you want to import
• Set up the Generic Directory Mapping
• Confirm that the Auto Discovery Agent is running
Generic directory mapping
To configure the Generic Directory Mapping, information is entered on the following tabs in the TPAM interface:
Table 62. Generic Auto Discovery Mappings: TPAM interface tabs
Tab name | Description
Source | Define the source for the data (database server and source SQL query) and define collision strategies.
User | Define the group and template to be used for mapping integrated users.
System | Define the collection and template to be used for mapping integrated systems.
Source tab
Special note regarding MySQL® data sources
If your MySQL® data source contains any columns with string data types which have a collation other than
Latin1, you must use the following syntax in your SQL command:
;CharSet=X;YourSQLCommand
The semicolon before CharSet and the semicolon after X are both required, and there are no spaces before or after either semicolon. Replace the X with the name of the character set for the collation being used. For example:
;CharSet=utf8;select * from userintegration.usersource
Note that all of the string type columns which are present in the data set must use the same collation. You cannot have one returned column as Latin1 and another as utf8. The CharSet indicator is not needed if your result set contains only numeric, date, or time column types.
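As an added example (not TPAM code), the following Python applies the prefix rules just stated: it splits a ;CharSet=X; prefix off a command, rejects a malformed one instead of passing it to the database, and decides from a constructed set of column character sets whether a prefix is needed at all.

```python
"""The ';CharSet=X;<sql>' prefix rule for MySQL Generic Integration sources.
Added example, not TPAM code.  The column character sets are constructed."""
import re
from typing import Dict, Optional, Tuple

# Exactly as the guide states: a semicolon immediately before CharSet and
# immediately after the charset name, with no spaces around either one.
_PREFIX = re.compile(r"^;CharSet=([A-Za-z0-9_]+);(.+)$", re.DOTALL)


def split_charset_prefix(command: str) -> Tuple[Optional[str], str]:
    """Return (charset, sql); charset is None when the command has no prefix.
    A prefix that is present but malformed is rejected rather than passed on."""
    if not command.startswith(";"):
        return None, command
    m = _PREFIX.match(command)
    if m is None:
        raise ValueError("malformed prefix: expected ';CharSet=X;' followed by "
                         "the SQL command, with no spaces around the semicolons")
    charset, sql = m.group(1), m.group(2)
    if not sql.strip():
        raise ValueError("no SQL command follows the CharSet prefix")
    return charset, sql


def build_command(sql: str, column_charsets: Dict[str, Optional[str]]) -> str:
    """Prepend ';CharSet=X;' only when the string columns use a character set
    other than Latin1.  column_charsets maps each result column to its
    character set, or None for numeric, date and time columns.  The guide
    requires one character set for all string columns, so a mix is an error."""
    in_use = {cs.lower() for cs in column_charsets.values() if cs is not None}
    if len(in_use) > 1:
        raise ValueError(f"string columns use more than one character set: {sorted(in_use)}")
    if not in_use or in_use == {"latin1"}:
        return sql
    return f";CharSet={in_use.pop()};{sql}"


# Constructed example: the guide's sample query with utf8 string columns.
SAMPLE_SQL = "select * from userintegration.usersource"
SAMPLE_COLUMNS = {"UserID": None, "UserName": "utf8", "Department": "utf8", "Hired": None}

if __name__ == "__main__":
    cmd = build_command(SAMPLE_SQL, SAMPLE_COLUMNS)
    print(cmd)
    print(split_charset_prefix(cmd))
```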
The table below explains all of the options available on the Generic Source tab. The collision strategy questions
and answers will differ based on whether you are mapping systems or users.
Table 63. Generic Auto Discovery Mappings: Source tab options
Field
Description
Required?
System Name
Enter the data source system name. This must be configured Yes
as a managed system in TPAM with a platform type of
Sybase® , Oracle®, MySQL®, or MS SQL Server®.
Account Name
Enter the account name. The account must be configured on Yes
the system in TPAM and have the permissions to execute the
SQL command.
SQL Command
Enter the SQL command that will pull the data from the data Yes
source.
Default
TPAM 2.5
Administrator Guide
136
Table 63. Generic Auto Discovery Mappings: Source tab options
Field
Description
Required?
Result Set Map
This table is populated after completing the Source, User or
System tabs, saving changes and clicking the Test SQL
button. After the Source Columns are populated you must
map the data to the TPAM Target columns.
Yes
Default
Auto-Map Result Set - Attempts to match Source
Columns to Target columns based on column names and
types. The code will look for names that match
alphanumerically (spaces, case, and punctuation are
ignored), have the same data type (char and varchar are
interchangeable), and where the width of the source column
is less than or equal to the width of the target column. Any
column that's not an exact match on type and length will be
highlighted will show in bold red text. Hovering the mouse
over the target column will explain any discrepancy in a hint
bubble.
Clear all target columns - Clears all TPAM Target
Column assignments.
Show only unmapped or multiple mapped - Filters the
result set to show only unmapped (no Target Column
assigned) or multiple mapped (same target column assigned
to 2 or more Source Columns) target columns.
Show all columns - Removes filter set by clicking Show
only unmapped[…] button
NOTE: The value assigned to the target column labeled
UniqueUserID is used to identify one specific user regardless
of the user name or data source. For example: You have two
Generic Integration Data Sources using a MySQL® database,
one for “Management” users and one for “Operations”. The
data sources both point to the same database, but use
different query strings to select the different types of users
based on a Department box. A user with UserName of
JGreene has just been promoted from Operations to
Management. In the MySQL® database you change her
department from Operations to Management. When the
Generic Integration mappings are processed they see that
JGreene no longer displays in the “Operations” source and
removes her UserName from the associated group in TPAM.
Later it sees a “new” user named JGreene in the mapping for
the “Management” source. The UniqueUserID value is used to
tell TPAM if this is the same JGreene as before, in which case
she is simply added to the new TPAM Group, or a totally new
JGreene user that is handled by the collision strategy.
Automatically
Update every...
Select how often you want TPAM to pull updates from the
No
data source. All of TPAM’s system parameters (those that can
be set by batch system import) can be pulled from the data
source. This can be set to 0 when the host is unavailable.
Send Messages
to...
You have the option of sending an email to a specific user
every time an update occurs, or only when failures occur
trying to perform an update.
No
0
None
TPAM 2.5
Administrator Guide
137
Table 63. Generic Auto Discovery Mappings: Source tab options

Field: What to do for usernames that conflict with TPAM restricted usernames
Description: Option selected determines how TPAM handles the scenario. Options are:
• Report as Error
• Create Unique
• No Action
Required?: Yes
Default: Report as Error

Field: System/User name exists in TPAM with no unique SystemID/UserID mapping
Description: Option selected determines how TPAM handles the scenario. Options are:
• Create Unique TPAM System/User
• Map to existing
• Report as Error
Required?: No
Default: No Action

Field: System/User name exists in TPAM and a unique SystemID/UserID mapping exists
Description: Option selected determines how TPAM handles the scenario. Options are:
• No Action
• Create Unique TPAM System/User (system will be added as “newsystemname_1” or “newusername_1”)
• Report as Error
Required?: No
Default: No Action

Field: What to do when a computer mapped to a TPAM system/user is removed from the source container
Description: Option selected determines how TPAM handles the scenario. Options are:
• Leave System/User, remove mapping
• Disable User in TPAM
• Soft Delete System, regardless of other mappings, remove mapping
• Report as Error
NOTE: If a user is a member of more than one group, it will only be disabled when it is removed from all groups.
Required?: No
Default: Leave System/User, Remove mapping

Field: Ignore data from
Description: Inserts or updates from the mapped data source will always overwrite existing TPAM data. To preserve data which may be inserted or updated in TPAM use Ctrl-Click to select or clear individual columns in the list. TPAM data in the selected columns will not be overwritten by inserts or updates from the data source.
Required?: No
Default: Clear
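As an added illustration (not TPAM's own code), the following Python models how one mapping run could apply the UniqueUserID check from the NOTE above and the collision strategies from Table 63, replaying the JGreene promotion scenario. The user names, sample rows and the behaviour in cases the guide does not specify (re-enabling a returning user, suffixes beyond "_1") are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Strategy names as they appear on the Source tab.
REPORT_AS_ERROR = "Report as Error"
CREATE_UNIQUE = "Create Unique TPAM System/User"
MAP_TO_EXISTING = "Map to existing"
NO_ACTION = "No Action"
LEAVE_USER = "Leave System/User, remove mapping"
DISABLE_USER = "Disable User in TPAM"


@dataclass
class TpamUser:
    name: str
    unique_id: Optional[str]            # value mapped to the UniqueUserID target column
    groups: Set[str] = field(default_factory=set)
    disabled: bool = False


@dataclass
class Tpam:
    """Toy model of the TPAM user store touched by a generic user mapping."""
    users: Dict[str, TpamUser] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    def _unique_name(self, name: str) -> str:
        # "newusername_1" as in Table 63; continuing the count is this example's assumption
        n = 1
        while f"{name}_{n}" in self.users:
            n += 1
        return f"{name}_{n}"

    def process_source(self, group: str, rows: List[Dict[str, str]],
                       on_no_mapping: str = NO_ACTION,
                       on_mapped_conflict: str = NO_ACTION,
                       on_removed: str = LEAVE_USER) -> None:
        """Apply one mapping run: rows are the query results of the source feeding `group`."""
        present: Set[str] = set()
        for row in rows:
            name, uid = row["UserName"], row["UniqueUserID"]
            existing = self.users.get(name)
            if existing is None:
                self.users[name] = TpamUser(name, uid, {group})
                present.add(name)
            elif existing.unique_id == uid:
                # Same person already known (e.g. moved between departments): add the group only.
                existing.groups.add(group)
                existing.disabled = False   # re-enable on return (assumption, not stated by the guide)
                present.add(name)
            else:
                # Same UserName, different UniqueUserID: a collision; pick the configured strategy.
                strategy = on_no_mapping if existing.unique_id is None else on_mapped_conflict
                if strategy == CREATE_UNIQUE:
                    new = self._unique_name(name)
                    self.users[new] = TpamUser(new, uid, {group})
                    present.add(new)
                elif strategy == MAP_TO_EXISTING:
                    existing.unique_id = uid
                    existing.groups.add(group)
                    present.add(name)
                else:
                    # Report as Error / No Action: the existing user is left untouched
                    if strategy == REPORT_AS_ERROR:
                        self.errors.append(f"{group}: {name} exists with a different UniqueUserID")
                    present.add(name)
        # Anyone the source no longer returns loses membership of this mapping's group.
        for user in self.users.values():
            if group in user.groups and user.name not in present:
                user.groups.discard(group)
                # Table 63 NOTE: a user is disabled only once removed from all groups
                if on_removed == DISABLE_USER and not user.groups:
                    user.disabled = True


def promotion_walkthrough() -> Tpam:
    """Constructed replay of the JGreene example from the NOTE (sample data, not real rows)."""
    tpam = Tpam()
    ops = [{"UserName": "JGreene", "UniqueUserID": "E1001"},
           {"UserName": "AKhan", "UniqueUserID": "E1002"}]
    mgmt = [{"UserName": "MLopez", "UniqueUserID": "E0007"}]
    tpam.process_source("Operations", ops)
    tpam.process_source("Management", mgmt)
    # JGreene's Department is changed to Management; the two queries now return:
    ops_after = [{"UserName": "AKhan", "UniqueUserID": "E1002"}]
    mgmt_after = mgmt + [{"UserName": "JGreene", "UniqueUserID": "E1001"}]
    tpam.process_source("Operations", ops_after)      # JGreene leaves the Operations group
    tpam.process_source("Management", mgmt_after)     # same UniqueUserID: just added to Management
    # A different J. Greene is hired into Operations; the collision strategy decides what happens.
    tpam.process_source("Operations",
                        ops_after + [{"UserName": "JGreene", "UniqueUserID": "E3005"}],
                        on_mapped_conflict=CREATE_UNIQUE)
    return tpam


if __name__ == "__main__":
    for u in promotion_walkthrough().users.values():
        print(u.name, u.unique_id, sorted(u.groups), "disabled" if u.disabled else "enabled")
```

The point of the walkthrough is the middle two runs: because the Management row carries the same UniqueUserID, the returning JGreene keeps her TPAM user and only gains a group; the later row with a different UniqueUserID is the case the collision strategy exists for.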
System tab
The table below explains all of the options available on the Generic Auto Discovery System tab. Clicking on the Edit Template button will take you to the system template page to make your changes.
Table 64. Generic Auto Discovery Mappings: System tab options

Field: TPAM Collection Name
Description: Enter the name of the TPAM Collection for these systems. This needs to be a collection name that does not already exist in TPAM, and membership changes are not allowed outside this mapping.
Required?: Yes

Field: Use Template System/Edit Template
Description: Select or edit an existing system template. System Templates are used to create systems from the Generic data source. Any new systems added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the Systems Details tab, as well as all the other tabs. Template System values only affect new systems added from the generic data source. The template is not used when updating existing systems.
Required?: Yes
User tab
The table below explains all of the options available on the Generic User tab. Clicking on the Edit Template button will take you to the user template page to make your changes.
Table 65. Generic Auto Discovery Mappings: User tab options

Field: TPAM Group Name
Description: Enter the name of the TPAM Group for these users. This needs to be a group name that does not already exist in TPAM, and membership changes are not allowed outside this mapping.
Required?: Yes

Field: System Administrator?
Description: If selected, any users created are created as system administrator users.

Field: Use Template User/Create Template
Description: Select or create a user template. User Templates are used to create users from the generic data source. Any new users added are created in TPAM using the default settings from the template chosen here. This includes all parameters on the User Details tab, as well as the Time Information tab. User templates may also include Group Membership and System/Account/Collection permissions. Template user values only affect new users added from the generic data source. The template is not used when updating existing users.
Required?: Yes
Add a generic system mapping
To add a Generic System Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a system template for systems that are imported through this mapping. For more details see Connection tab.
3 Select Auto Discovery | Generic from the menu.
4 Click the Add Systems button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the System tab.
7 Complete the information on the System tab. For more details see System tab.
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
Add a generic user mapping
To add a Generic User Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a user template for users that are imported through this mapping. For more details see Template tab.
3 Select Auto Discovery | Generic from the menu.
4 Click the Add Users button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the User tab.
7 Complete the information on the User tab. For more details see User tab.
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin interface.
Delete a generic system/user mapping
To delete a Generic System/User Mapping:
1 Select Auto Discovery | Generic from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted, the association of the system/user with that mapping is removed.
19
Application Password Virtual Cache
• Introduction
• Importing the virtual cache
• Boot the cache
• Configure network settings
• Enable remote access
• Changing the setup password while logged in to the Cache
• Using TPAM to manage the Cache accsetup account
• Prepare the cache for enrollment
• Add the cache in the TPAM interface
• Add cache users
• Add cache client hosts
• Add cache trusted root certificates
• Add the cache server
• Cache server permissions
• Cache current status
• Create a cache team
• Remove a cache team member
• Alerts for the cache appliance
• Delete a cache
• List cache server permissions
• Cache logs
• Usage examples
Introduction
The Password Virtual Cache is an add-on product designed to provide additional performance capability and support distributed architecture deployment for TPAM. It provides extremely fast, concurrent password retrieval to support high-demand application to application (A2A) requirements. To support this, the data stored on the cache(s) must be current. The following gives a very high level overview of how this is accomplished.
As cache provisioning data (such as users, accounts, hosts, and permissions) is set up within TPAM, the relevant data is pushed by TPAM to the virtual cache via a secure connection. Passwords that are cached on the virtual cache need to be updated whenever TPAM changes the account passwords. This is accomplished by pushing the new password to the cache as soon as the password is successfully changed on the device and stored within TPAM. The password is updated on the cache within a few seconds of being changed and stored within TPAM.
All updates are pushed from TPAM to the necessary cache(s). The cache does not pull any data from TPAM. If a cache is restarted for any reason, during the cache initialization a message will be sent to TPAM requesting that all data for that cache be sent to it again. TPAM will then push the required data to the cache.
Retrieval of passwords from the cache is via a secure web service using certificate authentication. Using this technology makes access possible from clients written in numerous programming languages. Client authentication is described and programming examples are provided later in this document.
To get the cache up and running you must perform the following steps:
• Import the cache file
• Boot the cache virtual
• Configure the network settings
• Enable remote access (Optional)
• Define remote access IP restrictions (Optional)
• Prepare the cache for enrollment
• Add the cache to the TPAM interface
• Test the connection between TPAM and the cache.
Importing the virtual cache
The virtual cache is distributed as an open virtual appliance (.OVA) file. There are numerous virtualization products available which can be used as the host for the virtual cache machine. Please consult your virtualization product's documentation for instructions on deploying the OVA file.
Minimum resources required for the cache are 1 gigabyte of memory and 1 processor. These numbers may need to be increased depending on the number of account passwords contained in the cache and the number of requests expected to be made to the cache. Performance improvements will be realized with the allocation of more memory and additional processor(s) to the cache.
Boot the cache
To boot the cache:
1 Power on the cache using your virtualization product.
2 The appliance will boot to a login prompt.
3 Type accsetup for the user ID and Setup4ACC as the password. Both the user ID and password are case-sensitive; type them exactly as shown. This is the only user ID that can be used to connect to the cache, and it can be logged on from the console only.
Configure network settings
1 From the home menu type 4 and press the ENTER key to configure the network settings.
2 Type 2 and press the ENTER key.
3 Type the IP Address for eth0 as prompted and press the ENTER key.
4 Type the Network Mask for eth0 as prompted and press the ENTER key.
5 Type the Gateway for eth0 as prompted and press the ENTER key.
6 Type Y and press the ENTER key to save your changes.
7 From the Manage Network Settings menu, type 1 and press the ENTER key to display the new running values.
8 If a different network address is required/desired for application access to the cache, type 3 and press the ENTER key.
NOTE: If a custom application interface certificate will be used, then both eth0 and eth1 must be configured.
9 Repeat steps 3-6 for eth1.
10 Press the ENTER key to return to the manage network settings menu.
11 Type 4 and press the ENTER key to modify the DNS settings.
12 Type the DNS IP and press the ENTER key.
13 Type the Secondary DNS IP and press the ENTER key. (Optional)
14 Type the DNS Domain and press the ENTER key. (Optional)
15 Type Y and press the ENTER key to save your changes.
16 Press the ENTER key to return to the manage network settings menu.
17 Type Q and press the ENTER key to return to the main menu.
Enable remote access
This step allows remote SSH access to the cache appliance setup menu. You may elect to skip this step, but be mindful that Step 4 involves a rather long “enrollment string” that must be provided in the TPAM application interface when pairing the cache Server to TPAM. Allowing remote SSH access gives you the ability to copy and paste the string rather than having to write it down and type it in manually. By default remote access to the cache is disabled.
To enable remote access:
1 From the main menu, type 5 and press the ENTER key.
2 Type 2 and press the ENTER key.
3 Type E and press the ENTER key to enable remote access to the cache.
4 Type and confirm a password for the raccsetup user.
5 Type Q and press the ENTER key to return to the main menu.
6 Type 8 and press the ENTER key to shut down the appliance.
7 Place the cache on your network.
8 Power the virtual appliance on.
9 Using an SSH client, connect to the cache with the user ID raccsetup using the password you just set.
Changing the setup password while logged in to the Cache
This step allows you to change the password associated with the accsetup account.
To change the password for the accsetup account:
1 From the main menu type 5 and press the ENTER key.
2 Type 1 and press the ENTER key.
3 Type Y and press the ENTER key.
4 Type the current password and press the ENTER key.
5 Type the new password and press the ENTER key.
Using TPAM to manage the Cache accsetup account
When a cache server is enrolled in TPAM, a system is automatically created for the cache server and accounts are created for the accsetup and raccsetup accounts. By default these accounts are not auto-managed. They can be set to auto-managed so that TPAM can manage the password for the cache server. The password for the accounts will be set to the default initial password. When a cache server is deleted, the cache system and accounts will be automatically deleted from TPAM.
Password management operations on the raccsetup account will not work unless remote access for this account has been enabled. PSM sessions are allowed to the raccsetup account. Remote access for this account must be enabled, and the password for this account must be known by TPAM in order for PSM sessions to successfully authenticate.
CAUTION: If password management is enabled and the cache server is going to be deleted from TPAM, then it is critical to retrieve and save the passwords for the accounts prior to deletion. There is no mechanism to reset the account password(s) for a cache server that is not enrolled, and to re-enroll the cache the password will be needed.
Define remote IP address restrictions
If remote IP address restrictions are configured, the IP address of the remote machine is checked against all restrictions that are entered. If it meets all specified criteria, the login is allowed to proceed.
All restrictions must be entered at one time, comma separated. Wildcards and negation are allowed. An asterisk (*) matches zero or more characters. A question mark (?) matches exactly one character. An exclamation point (!) negates the criterion. In the example below, “192.168.30.*” says all IP addresses starting with “192.168.30.” are allowed. Then, the “!192.168.30.???” excludes 192.168.30.100 through 192.168.30.255. Also, 192.168.30.1 is explicitly excluded.
To configure restrictions:
1 From the main cache menu, type 5 and press the ENTER key.
2 Type 3 and press the ENTER key.
3 Type the restriction rules and press the ENTER key.
4 Type Y and press the ENTER key.
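The matching rules just described, implemented as an added example (not the appliance's own code): each comma-separated criterion is compiled to a regular expression, and a login address is allowed only when every criterion holds. The restriction string below is constructed from the description in the text, since the guide's own example is not reproduced here; running the block shows which criterion rejects an address, which is useful when a remote login is unexpectedly refused.

```python
import re
from typing import List, Tuple

# (negated?, compiled pattern, criterion as typed)
Rule = Tuple[bool, "re.Pattern", str]


def _wildcard_to_regex(pattern: str) -> "re.Pattern":
    """'*' matches zero or more characters, '?' exactly one; everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def parse_restrictions(text: str) -> List[Rule]:
    """Parse the comma-separated restriction string entered in the setup menu."""
    rules: List[Rule] = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        rules.append((negated, _wildcard_to_regex(raw[1:] if negated else raw), raw))
    return rules


def failing_rules(ip: str, rules: List[Rule]) -> List[str]:
    """Every criterion must be satisfied: a positive rule must match, a negated one must not."""
    failed = []
    for negated, rx, raw in rules:
        matched = rx.match(ip) is not None
        if matched == negated:          # positive rule missed, or negated rule hit
            failed.append(raw)
    return failed


def login_allowed(ip: str, rules: List[Rule]) -> bool:
    """No restrictions configured means every address is allowed, as the guide implies."""
    return not failing_rules(ip, rules)


# Constructed from the worked description: allow 192.168.30.x, but refuse any
# three-character last octet (100-255) and the address 192.168.30.1 explicitly.
EXAMPLE_RESTRICTIONS = "192.168.30.*,!192.168.30.???,!192.168.30.1"

if __name__ == "__main__":
    rules = parse_restrictions(EXAMPLE_RESTRICTIONS)
    for ip in ("192.168.30.5", "192.168.30.100", "192.168.30.1", "10.0.0.1"):
        verdict = "allowed" if login_allowed(ip, rules) else f"denied by {failing_rules(ip, rules)}"
        print(ip, verdict)
```

Note that "?" counts characters, not address ranges: "!192.168.30.???" also refuses 192.168.30.001, and "192.168.30.*" on its own would accept anything that merely begins with that prefix, so keep the criteria as narrow as the expected client set allows.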
Prepare the cache for enrollment
The next step is to prepare the cache for enrollment to your TPAM appliance. This step prepares temporary keys that will be used to establish the secure connections between the cache and your TPAM appliance(s). This step is best done remotely, as the string necessary to enroll the cache is rather long and remotely accessing the cache allows you to copy the string more easily.
To prepare for enrollment:
1 From the main menu, type 3 and press the ENTER key.
2 When prompted, type the IP address of the TPAM primary or standalone device, and press the ENTER key.
3 Type the IP address(es) of the replica(s), if applicable, and press the ENTER key.
4 Type E and press the ENTER key to enroll the cache.
5 Type Y and press the ENTER key.
6 Copy the key that is presented. You will need to type this key in the procedure below.
Add the cache in the TPAM interface
Once the cache virtual has been booted and prepared for enrollment in TPAM it is ready to be configured in the TPAM interface. The Cache Details page is where the cache is configured.
To configure the cache in the TPAM interface you must perform the following steps:
• Add cache users.
• Add cache client hosts. (Optional)
• Add cache trusted root certificate. (Optional)
• Add and configure the cache server.
Add cache users
To add a cache user:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Select Cache User as the User Type.
4 Applications requesting passwords from the Password Virtual Cache must provide a client certificate in order to be authenticated by the Cache. The client, or user, certificate can be created by TPAM or supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM. Use one of the following methods to select the certificate type:
• Select User-Supplied. Click the Select File button. Click the Browse button and select the file. Click the Upload button. When uploading a user-supplied certificate, you can upload a PKCS12/PFX file (a password is typically associated with this type of file since it contains a private key) or a PEM-encoded text file (password not required). Additionally, when using a user-supplied certificate, a trusted root certificate that can establish trust in the user certificate must be uploaded to TPAM and assigned to the Cache(s) from which the user will request passwords. This is needed so that applications requesting passwords using this user-supplied certificate can be authenticated by the Cache. See Add cache trusted root certificates.
• Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the certificate. The generated user certificate must be downloaded and used by applications requesting passwords from the Cache.
5 Type and confirm the Password. The password is not required if uploading a PEM encoded text file.
6 Click the Save Changes button.
Add cache client hosts
As an extra security precaution you have the option to specify the client host that the cache users are using to access the cache server.
To configure the client host/s:
1 Select Management | Cache Servers | Manage Client Hosts from the menu.
2 Click the Add Host button.
3 Type the Network Address for the client host.
4 To enable the host, select the Enabled? check box.
5 Type a description for the client host. (Optional)
6 Click the Save Changes button.
Add cache trusted root certificates
A trusted root certificate needs to be added to the cache server if a user-supplied certificate is used for a cache user.
To add a root certificate:
1 Select Management | Cache Servers | Manage Trusted Roots from the menu.
2 Click the Add Certificate button.
3 Type a name for the certificate.
4 Type a description for the certificate. (Optional)
5 Use one of the following methods to select the certificate source:
• Select Upload certificate file. Click the Select File button. Click the Browse button and select the file. Click the Upload button.
• Select Enter Certificate. Paste the certificate in the text area.
6 Click the Save Changes button.
Add the cache server
To add a cache server, information is entered on the following tabs in the TPAM interface:
Table 66. Cache Server Management: TPAM interface tabs
Details: Define name, network addresses and contact information.
WSDL: XML provided to program interface to virtual cache.
Accounts: Where accounts are assigned to the cache.
Root Certificates: Where trusted root certificates are assigned to the cache.
Users: Where cache user IDs are assigned to the cache server.
Hosts: Where you can assign client hosts that are allowed to access this cache server.
To add a cache server in the TPAM interface:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Click the Add Server button.
3 Type the information on the Details tab. For more information on these fields see Details tab.
4 Click the Save Changes button.
5 Click the Accounts tab. Assign and enable the desired accounts. See Accounts tab for details.
6 Click the Root Certificates tab. Load root certificates. See Root Certificates tab. (Optional)
7 Click the Users tab. Assign users to the cache. See Users tab.
8 Click the Hosts tab. Assign hosts to the cache. See Hosts tab. (Optional)
9 Click the Save Changes button.
10 Click the Permissions button. Assign permissions to the cache. See Cache server permissions.
11 Click the Save Changes button.
Details tab
The table below explains the fields available when adding a cache server in the TPAM interface.
Table 67. Cache Server Management: TPAM interface fields

Field: Cache Server Name
Description: Descriptive name for the cache.
Required?: Yes

Field: Enabled?
Description: If selected, this cache server will be available to be assigned to systems.
Required?: No
Default: Off

Field: Secure Bus
Description: The network address that TPAM and the cache use to communicate.
Required?: Yes

Field: Appl Interface
Description: The network address that cache user IDs use to access the cache server.
NOTE: If a custom application interface certificate will be used, then both eth0 and eth1 must be configured on the cache server, and the Secure Bus and Appl Interface address must differ.
Required?: Yes

Field: Upload Custom Application Interface Certificate?
Description: A Custom Application Interface Certificate (or server certificate) for cache servers can be uploaded. This enables the use of third-party certificates as the server certificate for cache servers. If a custom certificate is not uploaded, a default server certificate will still be generated by TPAM. Note that for client applications to trust the cache server when requesting passwords, the client will need to have access to either the root certificate of the CA that generated the Custom Application Interface Certificate, if a custom server certificate is in use on the cache server, or the TPAM root certificate (downloadable from User Management), if the default server certificate generated by TPAM is in use on the cache server. If the Application Interface Certificate is changed by uploading a custom certificate or by reverting back to the default certificate by removing a Custom Application Interface Certificate, a restart of the application running on the cache server is triggered. This will result in unavailability of the cache server for a couple of minutes.
Required?: No
Default: Off

Field: Description
Description: The description box may be used to provide additional information about the cache, special notes, business owner, etc.
Required?: No

Field: Retention?
Description: If selected, and the cache server does not communicate with TPAM within X minutes entered in the Disable After box, the cache server will shut down. This is a safeguard to prevent users retrieving passwords when the TPAM appliance may be down.
Required?: No
Default: Off

Field: Enroll String
Description: The enroll string functions as the key exchange with the cache. The enroll string is provided by the cache when you execute the prepare to enroll/re-enroll with TPAM option of the Setup menu.
Required?: Yes

Field: Logging
Description: You have the option of having logs sent to a syslog address and/or a specific email address.
Required?: No

Field: Alerting
Description: You have the option of having alerts sent to an SNMP address and/or a specific email address.
Required?: No

Field: SMTP
Description: Required if you want the cache server to send email notifications.
Required?: No

Field: Use DNS?
Description: If selected, DNS is used to ask for the MX record, specifying the correct server to use for sending mail.
Required?: No
WSDL tab
On the WSDL (Web Services Description Language) tab the developers can find the XML they need when programming the interface to the cache server.
Accounts tab
The table below explains all of the options available on the Accounts tab:
Table 68. Cache Server Management: Accounts tab options
System Name: The system name.
Account Name: The account name.
Sys Auto?: Indicates whether the system is auto-managed by TPAM (Y) or not managed (N).
Acct Auto?: Indicates whether the account is auto-managed by TPAM (Y), manually managed (M), not managed (N), or a member of a synchronized password (S).
Assigned?: If selected, the account is assigned to this cache server. Pressing the Ctrl key and selecting one row will select or clear all check boxes in the column.
Enabled?: If selected, the password for this account can be retrieved from the cache server. Pressing the Ctrl key and selecting one row will select or clear all check boxes in the column.
Root Certificates tab
By default TPAM generates its own root certificate that can be assigned to the cache server. You also have the option to upload your root certificates that can be assigned to the cache server. To add your certificates see Add cache trusted root certificates. Select the Assigned box to assign the certificate to the cache server and then click the Save Changes button.
Users tab
The Users tab is where you configure the users that can access the cache server. Select the Assigned? box next
to the users for this cache server and click the Save Changes button.
Hosts tab
Any hosts that you have configured in TPAM are listed on the Hosts tab. See Add cache client hosts to configure
cache client hosts. Select the Assigned? check box next to each host you want to be able to access this cache
server and click the Save Changes button.
Cache server permissions
The cache server permissions page is where you configure the combination of accounts, users and hosts to specify who and what are able to be accessed on a specific cache server.
IMPORTANT: This page will accommodate a maximum of 512 possible permissions (#users * #accounts * #hosts) before forcing you to use Update Cache Server Permissions under the Batch Processing menu.
To add permissions:
1 Select Management | Cache Servers | Manage CS Permissions from the menu.
2 Select the cache server from the list.
3 Using the mouse, select the combination of accounts, users, and hosts that you want to configure for the cache server.
4 Click the Add Items button to add the selections to the list.
5 To remove any combinations on the list, select the Select? check box and click the Remove Selected button.
6 After you are finished adding and removing entries to the list, click the Save Changes button.
TIP: You can use Shift-Click and Ctrl-Click mouse gestures to select more than one item on each list. Then when you click Add Items it adds all combinations of the selected items to the list.
Cache current status
In TPAM, if you click the Current Status button you see if the cache server is found/enabled and the current values for the number of users, hosts, accounts and permissions.
Outside of TPAM you can go to https://cacheServerAddress/status/index.html to query the status. A valid cache user client certificate must be used to access this page. To access this page with a browser, make sure a cache user client certificate is in the certificate store used by the browser.
If you want to use curl to access the page, convert the cache user client certificate to PEM format, and use a command similar to:
curl -s -k --cert certfile.pem:certPassword https://cacheServerAddress/status/index.html
Possible values from the page are:
• Status: NotReady
• Status: InitRequested
• Status: Initializing
• Status: Ready
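An added example (not code from the guide) of polling the status page from Python with a cache user certificate, for use in a monitoring check. The curl command above passes -k, which skips server certificate validation; this version instead verifies the cache server against the TPAM root certificate or the custom CA, which is what the Details tab says client applications need in order to trust the server. The file names, the sample page body and the shape of the status page beyond its "Status:" line are assumptions.

```python
import re
import ssl
import urllib.request
from typing import Optional, Tuple

# States the status page can report, per the list above.
CACHE_STATES = ("NotReady", "InitRequested", "Initializing", "Ready")
_STATUS_RE = re.compile(r"Status:\s*(NotReady|InitRequested|Initializing|Ready)\b")


def build_client_context(client_cert_pem: str, ca_bundle_pem: str,
                         key_password: Optional[str] = None) -> ssl.SSLContext:
    """mTLS context: presents the cache user certificate (PEM, converted as the curl note
    says) and verifies the cache server against the CA in ca_bundle_pem (the TPAM root
    certificate, or the CA that issued a custom Application Interface Certificate)."""
    ctx = ssl.create_default_context(cafile=ca_bundle_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=client_cert_pem, password=key_password)
    return ctx


def parse_status(body: str) -> str:
    """Extract the Status value from the page; raise if no known state is present."""
    m = _STATUS_RE.search(body)
    if m is None:
        raise ValueError("no recognised Status value in response")
    return m.group(1)


def fetch_status(cache_address: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    url = f"https://{cache_address}/status/index.html"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_status(resp.read().decode("utf-8", errors="replace"))


def is_serving(status: str) -> bool:
    """Only Ready means the cache holds its data and will answer password requests."""
    return status == "Ready"


def check(cache_address: str, ctx: ssl.SSLContext) -> Tuple[bool, str]:
    """Monitoring-style check: (healthy?, detail). TLS failures, timeouts, HTTP errors and
    an unparseable page all count as unhealthy rather than raising."""
    try:
        status = fetch_status(cache_address, ctx)
    except (OSError, ValueError) as exc:      # URLError and ssl errors derive from OSError
        return False, f"unreachable: {exc}"
    return is_serving(status), status


# Constructed sample body used only to exercise the parser offline.
SAMPLE_BODY = "<html><body><pre>Status: Initializing\nUsers: 4\n</pre></body></html>"

if __name__ == "__main__":
    # Placeholders: replace with the real Appl Interface address and your PEM files.
    ctx = build_client_context("cacheuser.pem", "tpam-root.pem", key_password="certPassword")
    print(check("cacheServerAddress", ctx))
```

A cache that reports InitRequested or Initializing after a restart is still waiting for TPAM to push its data, so a check that only distinguishes reachable from unreachable would report it healthy too early; treating anything but Ready as not serving avoids that.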
Create a cache team
More than one cache appliance can be added to a "team". Any cache servers added to a team after the first team member has been added will inherit the accounts, users, and permissions configured for the first team member and lose any previously configured assignments. As instructed below, the cache server should be "disabled" when joining a team.
Team members will become mirror images of one another, so that if needed users can be redirected to use another cache server team member for password requests. Once a cache server is a team member, any changes in assignments on a team member will affect assignments on all team members.
To create a cache team:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Type the filter criteria and click the Listing tab.
3 From the list select the cache that will act as the initial cache team member.
4 Click the Details tab.
5 Type the team name in the HA Team Name box. This box will only appear for enrolled cache servers.
6 Click the Save Changes button.
7 Click the Listing tab.
8 Select the cache server you want to add to the team. This cache will act as a mirror image of the first team member.
9 Click the Details tab.
10 If selected, clear the Enabled check box.
11 Click the Save Changes button.
12 Type the same exact team name from Step 5 in the HA Team Name box. This box will only appear for enrolled cache servers.
13 Click the Save Changes button.
14 Select the Enabled check box.
15 Click the Save Changes button.
16 Repeat steps 8-15 to add additional team members.
Remove a cache team member
When a cache server is removed from a team, it will retain all its existing account, user and permission configurations but will no longer receive any updates or changes to these relationships. It will lose these configurations if it is assigned to a new team.
To remove a cache team member:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Type the filter criteria and click the Listing tab.
3 Select the cache server to be removed from the team.
4 Click the Details tab.
5 If selected, clear the Enabled check box.
6 Click the Save Changes button.
7 Delete the team name from the HA Team Name box.
8 Click the Save Changes button.
9 Select the Enabled check box.
10 Click the Save Changes button.
Alerts for the cache appliance
There are alerts that are issued from the Cache server when specific situations arise. These alerts can be subscribed to through the /admin interface. These alerts are listed under the Cache Server Component Name on the Alerts tab.
In addition to the alerts above, these alerts can also be generated by the cache server (% shows variable data):
"Alert from Password Cache Appliance: Communication with TPAM restored. AlertDate: %"
"Alert from Password Cache Appliance: Communication with TPAM has failed. AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache(%) at % is shutting down because there has been no communication to/from TPAM for over % minutes AlertDate: %"
"Alert from Password Cache Appliance: The Password Cache needs to be disabled and re-enabled to complete configuration changes. AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate with any SMTP servers returned in the MX lookup for %. No mail will be sent. AlertDate: %"
"Alert from Password Cache Appliance: Unable to locate MX records for %: % AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate to the SMTP server at %. No mail will be sent. AlertDate: %"
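An added example (not part of the guide) that turns the alert formats above into detection rules for a log pipeline fed by the cache's syslog output: each "%" becomes a capture group, forwarded lines are classified, and the variable data is extracted so a communication failure or retention shutdown can be routed differently from a mail problem. The sample log lines, the syslog prefix and the severity assignment are constructed for the example; only the message formats come from the list above.

```python
import re
from typing import Dict, List, Optional

# Alert message formats as listed above; "%" marks variable data.
ALERT_TEMPLATES: Dict[str, str] = {
    "comm_restored": "Alert from Password Cache Appliance: Communication with TPAM restored. AlertDate: %",
    "comm_failed": "Alert from Password Cache Appliance: Communication with TPAM has failed. AlertDate: %",
    "retention_shutdown": ("Alert from Password Cache Appliance: The Password Cache(%) at % is shutting down "
                           "because there has been no communication to/from TPAM for over % minutes AlertDate: %"),
    "reenable_required": ("Alert from Password Cache Appliance: The Password Cache needs to be disabled and "
                          "re-enabled to complete configuration changes. AlertDate: %"),
    "smtp_mx_hosts_unreachable": ("Alert from Password Cache Appliance: Unable to communicate with any SMTP "
                                  "servers returned in the MX lookup for %. No mail will be sent. AlertDate: %"),
    "mx_lookup_failed": "Alert from Password Cache Appliance: Unable to locate MX records for %: % AlertDate: %",
    "smtp_server_unreachable": ("Alert from Password Cache Appliance: Unable to communicate to the SMTP server "
                                "at %. No mail will be sent. AlertDate: %"),
}

# Triage levels are this example's own choice, not something the appliance emits:
# loss of the TPAM link or a retention shutdown means passwords stop being served.
SEVERITY: Dict[str, str] = {
    "comm_failed": "critical", "retention_shutdown": "critical",
    "reenable_required": "warning", "smtp_mx_hosts_unreachable": "warning",
    "mx_lookup_failed": "warning", "smtp_server_unreachable": "warning",
    "comm_restored": "info",
}

MARKER = "Alert from Password Cache Appliance:"


def _normalize(text: str) -> str:
    # Collapse wrapped or padded whitespace so a forwarded message still matches.
    return re.sub(r"\s+", " ", text).strip()


def _template_to_regex(template: str) -> "re.Pattern":
    # Escape the literal parts and let every "%" capture one variable field.
    parts = [re.escape(p) for p in _normalize(template).split("%")]
    return re.compile("^" + "(.+?)".join(parts) + "$")


ALERT_PATTERNS = {name: _template_to_regex(t) for name, t in ALERT_TEMPLATES.items()}


def classify_alert(line: str) -> Optional[Dict[str, object]]:
    """Match one log line against the documented formats; None for unrelated lines."""
    text = _normalize(line)
    start = text.find(MARKER)          # syslog relays prefix a timestamp/host/tag
    if start < 0:
        return None
    text = text[start:]
    for name, rx in ALERT_PATTERNS.items():
        m = rx.match(text)
        if m:
            fields = list(m.groups())
            return {"alert": name, "severity": SEVERITY[name],
                    "alert_date": fields[-1], "fields": fields[:-1]}
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return the alerts that need a response (everything except informational ones)."""
    events = (classify_alert(l) for l in lines)
    return [e for e in events if e is not None and e["severity"] != "info"]


# Constructed sample syslog lines (hostnames, addresses and dates are made up).
SAMPLE_LOG = [
    "Mar  1 10:15:02 cache01 pwcache: Alert from Password Cache Appliance: "
    "Communication with TPAM has failed. AlertDate: 2017-03-01 10:15:02",
    "Mar  1 10:45:02 cache01 pwcache: Alert from Password Cache Appliance: The Password "
    "Cache(cache01) at 10.0.5.20 is shutting down because there has been no communication "
    "to/from TPAM for over 30 minutes AlertDate: 2017-03-01 10:45:02",
    "Mar  1 11:00:00 cache01 pwcache: Alert from Password Cache Appliance: "
    "Communication with TPAM restored. AlertDate: 2017-03-01 11:00:00",
    "Mar  1 11:00:05 cache01 sshd[812]: Accepted publickey for raccsetup from 10.0.9.4",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event["severity"], event["alert"], event["fields"], event["alert_date"])
```

Anchoring each pattern at both ends and keeping the captures lazy means a field such as the MX domain in "Unable to locate MX records for %: %" cannot swallow the colon-separated reason that follows it.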
Delete a cache
To delete a cache:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Type your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the cache to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
List cache server permissions
To view a list of existing cache server permissions:
1 Select Management | Cache Servers | List CS Permissions from the menu.
2 Type your search criteria on the Filter tab.
3 Click the Listing tab.
Cache logs
On the cache console there are a variety of logs that can be viewed.
To view cache logs:
1 From the cache console main menu type 6 and press the ENTER key.
2 Type the number for the log you wish to view and press the ENTER key.
Usage examples
Any programming language capable of invoking secure web services over SSL/TLS using client certificates for
authentication can be used to request passwords from the Password Virtual Cache. Below are some examples of
requesting a password from the Cache using various programming languages. In all cases, the WSDL file,
available within TPAM for each Cache, is used to generate web service client code that is used by the client
application when requesting passwords.
For brevity, in each example, only one password is retrieved and displayed, and there is no error handling.
Note that if a nonzero value is returned when invoking the web service method handleRequestWS, a descriptive
reason for the failure is provided in place of the password. This can prove useful when setting up accounts,
users, and permissions for the Cache within the TPAM web interface.
Perl
Perl package SOAP::Lite can be used when requesting passwords from the Cache.
The first thing to do is to generate client stubs from the WSDL file. The SOAP::Lite package contains a Perl
script named stubmaker.pl that can generate the client stubs. Assuming the WSDL file is named cache.wsdl,
execute the following command to generate the client stub file:
perl path\to\stubmaker.pl file:cache.wsdl
A file named HandlePWRequestService.pm will be created. You can see by editing this file that it uses
SOAP::Lite, so this package must be present on the machine where the Perl application will be run.
Next, create the Perl application that will use the client stub file generated by stubmaker.pl, and add code to
request a password. Here is a very simple example, in a file named perlclient.pl.
use HandlePWRequestService;   # client stub generated by stubmaker.pl

my $certfile = "cacheuser.p12";   # client certificate issued by TPAM for this Cache user
my $certpw   = "CertPassword";
my $system   = "linux10";
my $account  = "linuxacct1";

# The HTTPS layer under SOAP::Lite reads the PKCS#12 client certificate from these variables.
$ENV{HTTPS_PKCS12_FILE}     = $certfile;
$ENV{HTTPS_PKCS12_PASSWORD} = $certpw;

my $pwservice = new HandlePWRequestService;
# Returns (rc, value): rc 0 means value is the password, otherwise value is the failure reason.
my @rc = $pwservice->handleRequestWS($system, $account);
print "rc=$rc[0], password=$rc[1]\n";
The output from execution of "perl perlclient.pl" is:
rc=0, password=linuxacct1pw
There are other Perl packages besides SOAP::Lite that can be used to generate web service client stubs and
request passwords, but SOAP::Lite is one of the simplest.
NOTE: Perl installations vary due to different versions of Perl itself and different versions of installed Perl
modules. The differences in installations may sometimes keep this simple example from working as
expected. Also, for simplicity, this client intentionally omits some security checks such as server
certificate validation and server host name validation.
Java®
This Java® example was created using MyEclipse™. For this example, a Java® project has been created, and
within that project, packages sample.client and sample.generated have been created.
Within MyEclipse, use the New Web Service Client tool and provide the location of the WSDL file. MyEclipse will
generate the client web service code (have the tool put the generated code in the package sample.generated).
Next, create a new Java® class in package sample.client, and write the code that requests a password. This
example shows setting of the keystore and truststore properties inline, but this can also be done by providing
the appropriate arguments when starting the Java® application.
package sample.client;

import javax.xml.ws.Holder;
import sample.generated.HandlePWRequest;
import sample.generated.HandlePWRequestService;

public class Client {
    public static void main(String[] args)
    {
        // Client certificate (PKCS#12) issued by TPAM for this Cache user.
        System.setProperty("javax.net.ssl.keyStore", "path\\to\\cacheuser.p12");
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
        System.setProperty("javax.net.ssl.keyStorePassword", "CertPassword");

        // Need to convert parRootCA.crt downloaded from TPAM into a jks type
        // truststore using Java's keytool, so that the Cache's server certificate
        // is validated:
        // keytool -importcert -trustcacerts -file parRootCA.crt -keystore truststore.jks
        System.setProperty("javax.net.ssl.trustStore", "path\\to\\truststore.jks");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "TruststorePassword");

        HandlePWRequestService service = new HandlePWRequestService();
        HandlePWRequest port = service.getHandlePWRequestPort();
        // pw receives the password on success, or the failure reason when rc != 0.
        Holder<String> pw = new Holder<String>();
        int rc = port.handleRequestWS("linux10", "linuxacct1", pw);
        if (rc == 0)
        {
            System.out.println("Password is " + pw.value);
        }
        else
        {
            System.err.println("Request failed: rc=" + rc + ", msg=" + pw.value);
        }
    }
}
The output from execution of the Java® client application is:
Password is linuxacct1pw
Other IDEs that are used for Java® development should also provide a way to generate the client stub code from
the WSDL.
C#
This C# example was created using Visual Studio® 2010. For this example, a C# Console Application has been
created.
Within Visual Studio, use the Add Service Reference tool and provide the location of the WSDL file. In this
example, when adding the service reference, we named it HandlePWRequestReference. Visual Studio will
generate the client web service code, and then the client application can make use of that reference. Now, add
the code that requests a password.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace CacheWSClient
{
    class Program
    {
        static void Main(string[] args)
        {
            // For testing only: accept any server certificate instead of
            // having to put the trusted root (parRootCA.crt) in our certificate
            // store. Remove this before production use; with it in place an
            // attacker who can intercept the connection can impersonate the Cache.
            ServicePointManager.ServerCertificateValidationCallback =
                (sender, certificate, chain, sslPolicyErrors) => true;

            // The configuration file created when adding the service reference
            // does not indicate that the client credential is a certificate. The
            // configuration file can be modified for this, or overridden as below.
            // Create a BasicHttpBinding and set the credential type to certificate.
            var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType =
                HttpClientCredentialType.Certificate;

            // The Cache is at 192.168.30.241.
            var ea = new EndpointAddress
                ("https://192.168.30.241/HandlePWRequestService/HandlePWRequest");

            // Get a reference to the web service.
            var client = new HandlePWRequestReference.HandlePWRequestClient(binding, ea);

            // Get our client certificate.
            client.ClientCredentials.ClientCertificate.Certificate =
                new X509Certificate2("path\\to\\cacheuser.p12", "CertPassword");

            string pw;
            // Invoke the web service to get the password. On failure pw holds the reason.
            var rc = client.handleRequestWS(out pw, "linux10", "linuxacct1");
            if (rc == 0)
            {
                Console.WriteLine("Password is {0}", pw);
            }
            else
            {
                Console.WriteLine("Request failed: rc={0}, msg={1}", rc, pw);
            }
        }
    }
}
The output from execution of the C# client application is:
Password is linuxacct1pw
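The three clients above deliberately skip server certificate and host name validation (the Perl note says so, and the C# sample installs an accept-all callback). The following Python client is an added example, not code from the guide or from TPAM, showing the same handleRequestWS call made with those checks turned on: the server chain is verified against parRootCA.crt, the host name is checked, the client certificate is presented, and the system and account names are XML-escaped before being placed in the SOAP body. The service namespace (SERVICE_NS), the request and response element names (system, account, rc, password) and the SOAPAction value are placeholders that must be read from the Cache's WSDL; the endpoint address is the one used in the C# example.

```python
import http.client
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Cache address and service path as used in the C# example.
CACHE_HOST = "192.168.30.241"
CACHE_PATH = "/HandlePWRequestService/HandlePWRequest"

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Placeholders: the service namespace, operation element and the two response
# element names must be taken from the Cache's WSDL.
SERVICE_NS = "http://example.invalid/HandlePWRequestService"
RC_ELEMENT = "rc"
VALUE_ELEMENT = "password"


def make_tls_context(ca_file, client_cert_pem, client_key_pem=None, key_password=None):
    """Build the TLS context the Perl and C# samples skip: server chain verified
    against parRootCA.crt downloaded from TPAM, host name checked against the
    server certificate, and the cacheuser client certificate presented.
    Python's ssl module wants PEM, so convert the PKCS#12 file first, e.g.
    `openssl pkcs12 -in cacheuser.p12 -out cacheuser.pem`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem, password=key_password)
    return ctx


def build_request(system, account):
    """SOAP envelope for handleRequestWS(system, account). Both values are
    XML-escaped so a name containing < > or & cannot alter the envelope."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:svc="{SERVICE_NS}">'
        "<soapenv:Body><svc:handleRequestWS>"
        f"<system>{escape(system)}</system>"
        f"<account>{escape(account)}</account>"
        "</svc:handleRequestWS></soapenv:Body></soapenv:Envelope>"
    )


def parse_response(xml_text):
    """Return (rc, value). rc == 0 means value is the password; otherwise value
    is the descriptive failure reason the Cache returns in its place."""
    root = ET.fromstring(xml_text)
    rc = value = None
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]   # strip the namespace
        if local_name == RC_ELEMENT:
            rc = int((element.text or "").strip())
        elif local_name == VALUE_ELEMENT:
            value = element.text or ""
    if rc is None:
        raise ValueError("response carries no return code")
    return rc, value


def request_password(ctx, system, account, host=CACHE_HOST, path=CACHE_PATH):
    """POST the request over the verified connection and return (rc, value)."""
    body = build_request(system, account).encode("utf-8")
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=15)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "text/xml; charset=utf-8",
                              "SOAPAction": '""'})
        response = conn.getresponse()
        payload = response.read().decode("utf-8")
        if response.status != 200:
            raise RuntimeError(f"HTTP {response.status}: {payload[:200]}")
        return parse_response(payload)
    finally:
        conn.close()


if __name__ == "__main__":
    context = make_tls_context("parRootCA.crt", "cacheuser.pem")
    rc, value = request_password(context, "linux10", "linuxacct1")
    if rc == 0:
        print("Password is", value)
    else:
        print(f"Request failed: rc={rc}, msg={value}")
```

If the Cache's certificate was issued to an IP address rather than a DNS name, the host name check compares the connected address against the certificate's subject alternative names; if validation fails, fix the certificate or the address you connect to rather than disabling the check.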
20
Batch Processing
• Introduction
• Advanced file settings
• Import user IDs
• Import systems
• Import accounts
• Import or update collections
• Import or update groups
• Add or drop collection members
• Add or drop group members
• Batch update user IDs
• Batch update systems
• Batch update accounts
• Batch update PSM accounts
• Batch update permissions
• Batch update cache server permissions
• Cancel a batch process
• View batch job history
Introduction
For ease of administration, new systems, accounts, and users can be imported into TPAM. Also if mass changes
are needed these same entities can be updated without having to make individual changes one at a time in the
GUI. The following sections will describe the various import and update options available in TPAM.
Advanced file settings
Advanced File Settings are an option on all of TPAM’s batch processing pages. These settings allow the user to
specify in more detail how TPAM should process the upload file. The table below explains all of the Advanced
File Settings options.
Table 69. Advanced File Settings options
Column headers in first non-blank row?
    Possible values are Yes, No and Detect. Default: Detect.
Skip first X non-blank rows
    If Yes is selected for Column Headers, then TPAM will skip the first X non-blank rows before the header. If No is selected for Column Headers, then TPAM will skip the first X non-blank rows. Default: 0.
Skip first X rows of data, after header, if found
    If Yes is selected for Column Headers, then TPAM will skip the first X rows of data after the header. If No is selected for Column Headers, then TPAM will skip the first X rows of data. Default: 0.
Only process X rows of data, not including header
    If Yes is selected for Column Headers, then TPAM will process X rows of data not including the header. If No is selected for Column Headers, then TPAM will process X rows of data. Default: 0 (0 = all).
Row Delimiters
    Possible values are CR (carriage return)/LF (line feed), LF only, CR only and Other. Default: Auto detect.
Column Delimiters
    Possible values are Tab, comma-separated value (CSV), or Other. Default: Auto detect.
Text Delimiter
    Any single character is allowed, but usually either a single or a double quote (' or "). Can only be changed when Column Delimiter is set to Other. Default: Double quote (").
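The settings in Table 69 interact (the row-skip counts apply to non-blank rows, the header decision changes what "rows of data" means, and the text delimiter is locked unless the column delimiter is Other). The following Python function is an added example, not TPAM code, that applies those settings to an upload file the way the table describes, so you can see what TPAM will treat as header and data before you press Process File. The template column names and the sample upload are constructed for the example (take the real column names from the Show Template button), and the "Detect" heuristic used here, comparing the first non-blank row with the template, is an assumption since the guide does not say how TPAM detects a header.

```python
import csv

# Constructed template column names for this example; the real names come from
# the Show Template button on each batch processing page.
USER_TEMPLATE = ["UserName", "FirstName", "LastName", "EmailAddress", "TimeZone"]


def detect_row_delimiter(text):
    """Auto detect: CR/LF for Windows line endings, else CR only, else LF only."""
    if "\r\n" in text:
        return "\r\n"
    if "\r" in text:
        return "\r"
    return "\n"


def detect_column_delimiter(row):
    """Auto detect: a tab in the first row means tab-delimited, otherwise CSV."""
    return "\t" if "\t" in row else ","


def load_batch_file(text, template, headers="Detect", skip_before=0, skip_data=0,
                    max_rows=0, row_delim=None, col_delim=None, text_delim='"'):
    """Apply the Advanced File Settings to the raw upload text.

    headers:     "Yes", "No" or "Detect" (Column headers in first non-blank row?)
    skip_before: Skip first X non-blank rows (before the header when headers == "Yes")
    skip_data:   Skip first X rows of data, after header, if found
    max_rows:    Only process X rows of data, not including header (0 = all)
    row_delim / col_delim: None means auto detect
    text_delim:  may only differ from '"' when col_delim is an "Other" character

    Returns (header, data_rows); header is None when the file has no header row.
    Assumption for "Detect": the first non-blank row is a header when its cells
    equal the template column names (TPAM's own heuristic is not documented).
    """
    if headers not in ("Yes", "No", "Detect"):
        raise ValueError("headers must be Yes, No or Detect")
    if len(text_delim) != 1:
        raise ValueError("Text Delimiter must be a single character")
    if text_delim != '"' and col_delim in (None, ",", "\t"):
        raise ValueError("Text Delimiter can only be changed when Column Delimiter is Other")

    row_delim = row_delim or detect_row_delimiter(text)
    # The row settings count non-blank rows only, so drop blank rows first.
    rows = [r for r in text.split(row_delim) if r.strip()]
    rows = rows[skip_before:]
    if not rows:
        return None, []

    col_delim = col_delim or detect_column_delimiter(rows[0])
    parsed = list(csv.reader(rows, delimiter=col_delim, quotechar=text_delim))

    if headers == "Detect":
        headers = "Yes" if [c.strip() for c in parsed[0]] == list(template) else "No"
    header = None
    if headers == "Yes":
        header, parsed = parsed[0], parsed[1:]

    parsed = parsed[skip_data:]          # Skip first X rows of data
    if max_rows > 0:                     # Only process X rows (0 = all)
        parsed = parsed[:max_rows]
    return header, parsed


if __name__ == "__main__":
    # Constructed upload: an export title line, a blank line, the template header, two users.
    sample = ("Exported users\r\n\r\n"
              "UserName,FirstName,LastName,EmailAddress,TimeZone\r\n"
              "alice,Alice,Smith,alice@example.invalid,Guam\r\n"
              "bob,Bob,\"Jones, Jr.\",bob@example.invalid,Server\r\n")
    hdr, data = load_batch_file(sample, USER_TEMPLATE, skip_before=1)
    print("header:", hdr)
    for row in data:
        print("data:", row)
```

Run against the constructed sample with skip_before=1, the title line is skipped, the template row is detected as the header, and two data rows remain; with skip_before=0 the title line would become the first non-blank row, "Detect" would find no header, and every row including the template would be treated as data.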
Import user IDs
Rather than individually adding users to TPAM, they may be bulk imported. Importing users can ease
administrative burden and expedite migration to TPAM.
When importing users it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1
Select Batch Processing | Import UserIDs from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
As of the writing of this manual, the valid local time zone values for a user are those listed
below. As needed, technical support will post OS patches on the Customer Portal to update time zone
information. Any portion of the time zone name may be used as long as it is unique. For example,
“Guam” matches only one time zone, but “02:00” or “US” matches multiple entries and is therefore
not unique. A value of “Server” sets the user to follow the Server time zone.
Table 70. Time zones
(UTC+04:00) Abu Dhabi, Muscat
(UTC+09:30) Adelaide
(UTC-09:00) Alaska
(UTC+02:00) Amman
(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
(UTC-07:00) Arizona
(UTC+06:00) Astana
(UTC-04:00) Asuncion
(UTC+02:00) Athens, Bucharest
(UTC-04:00) Atlantic Time (Canada)
(UTC+12:00) Auckland, Wellington
(UTC-01:00) Azores
(UTC+03:00) Baghdad
(UTC-08:00) Baja California
(UTC+04:00) Baku
(UTC+07:00) Bangkok, Hanoi, Jakarta
(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
(UTC+02:00) Beirut
(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
(UTC-05:00) Bogota, Lima, Quito
(UTC-03:00) Brasilia
(UTC+10:00) Brisbane
(UTC+01:00) Brussels, Copenhagen, Madrid, Paris
(UTC-03:00) Buenos Aires
(UTC+02:00) Cairo
(UTC+10:00) Canberra, Melbourne, Sydney
(UTC-01:00) Cape Verde Is.
(UTC-04:30) Caracas
(UTC) Casablanca
(UTC-03:00) Cayenne, Fortaleza
(UTC-06:00) Central America
(UTC-06:00) Central Time (US & Canada)
(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
(UTC-07:00) Chihuahua, La Paz, Mazatlan
(UTC) Coordinated Universal Time
(UTC+12:00) Coordinated Universal Time+12
(UTC-02:00) Coordinated Universal Time-02
(UTC-11:00) Coordinated Universal Time-11
(UTC-04:00) Cuiaba
(UTC+02:00) Damascus
(UTC+09:30) Darwin
(UTC+06:00) Dhaka
(UTC) Dublin, Edinburgh, Lisbon, London
(UTC-05:00) Eastern Time (US & Canada)
(UTC+06:00) Ekaterinburg
(UTC+12:00) Fiji
(UTC-04:00) Georgetown, La Paz, Manaus, San Juan
(UTC-03:00) Greenland
(UTC-06:00) Guadalajara, Mexico City, Monterrey
(UTC+10:00) Guam, Port Moresby
(UTC+02:00) Harare, Pretoria
(UTC-10:00) Hawaii
(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
(UTC+10:00) Hobart
(UTC-05:00) Indiana (East)
(UTC-12:00) International Date Line West
(UTC+09:00) Irkutsk
(UTC+05:00) Islamabad, Karachi
(UTC+02:00) Istanbul
(UTC+02:00) Jerusalem
(UTC+04:30) Kabul
(UTC+03:00) Kaliningrad, Minsk
(UTC+05:45) Kathmandu
(UTC+08:00) Krasnoyarsk
(UTC+08:00) Kuala Lumpur, Singapore
(UTC+03:00) Kuwait, Riyadh
(UTC+12:00) Magadan
(UTC-02:00) Mid-Atlantic
(UTC) Monrovia, Reykjavik
(UTC-03:00) Montevideo
(UTC+04:00) Moscow, St. Petersburg, Volgograd
(UTC-07:00) Mountain Time (US & Canada)
(UTC+03:00) Nairobi
(UTC-03:30) Newfoundland
(UTC+02:00) Nicosia
(UTC+07:00) Novosibirsk
(UTC+13:00) Nuku'alofa
(UTC+09:00) Osaka, Sapporo, Tokyo
(UTC-08:00) Pacific Time (US & Canada)
(UTC+08:00) Perth
(UTC+12:00) Petropavlovsk-Kamchatsky Old
(UTC+04:00) Port Louis
(UTC-03:00) Salvador
(UTC+13:00) Samoa
(UTC-04:00) Santiago
(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb
(UTC-06:00) Saskatchewan
(UTC+09:00) Seoul
(UTC+11:00) Solomon Is., New Caledonia
(UTC+05:30) Sri Jayawardenepura
(UTC+08:00) Taipei
(UTC+05:00) Tashkent
(UTC+04:00) Tbilisi
(UTC+03:30) Tehran
(UTC+08:00) Ulaanbaatar
(UTC+11:00) Vladivostok
(UTC+01:00) West Central Africa
(UTC+01:00) Windhoek
(UTC+10:00) Yakutsk
(UTC+06:30) Yangon (Rangoon)
(UTC+04:00) Yerevan
7
Save the file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on
the Import Users page.
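The time zone column is the one field in the user import whose value is matched by unique substring rather than exactly, so a fragment that looks reasonable ("US", "02:00", "UTC") will be rejected at import time. The following Python snippet is an added example, not TPAM code, that applies the rule as described above (any portion of the name is accepted if it occurs in exactly one table entry; "Server" follows the appliance) and runs it over an import file before upload, so mismatches show up locally rather than as error rows on the Details tab. The time zone list is a constructed subset of Table 70, the import rows are constructed, the TimeZone column name is assumed (use the name from the template), and case-sensitive matching is an assumption since the guide does not say how TPAM treats case.

```python
import csv

# Constructed subset of Table 70 for this example; use the full table in practice.
TIME_ZONES = [
    "(UTC+02:00) Amman",
    "(UTC-07:00) Arizona",
    "(UTC-06:00) Central Time (US & Canada)",
    "(UTC) Coordinated Universal Time",
    "(UTC+12:00) Coordinated Universal Time+12",
    "(UTC-05:00) Eastern Time (US & Canada)",
    "(UTC+10:00) Guam, Port Moresby",
    "(UTC+02:00) Harare, Pretoria",
    "(UTC-10:00) Hawaii",
    "(UTC+02:00) Jerusalem",
    "(UTC-07:00) Mountain Time (US & Canada)",
    "(UTC+09:00) Osaka, Sapporo, Tokyo",
    "(UTC-08:00) Pacific Time (US & Canada)",
]


def resolve_time_zone(value, zones=TIME_ZONES):
    """Resolve an import-file time zone value by the unique-substring rule.

    "Server" means the user follows the appliance's time zone. Any other value
    is accepted only if it occurs in exactly one table entry (matching is
    case-sensitive here; the guide does not state how TPAM treats case).
    Returns the full table entry, or raises ValueError naming the candidates.
    """
    fragment = value.strip()
    if fragment == "Server":
        return "Server"
    if not fragment:
        raise ValueError("empty time zone value")
    matches = [zone for zone in zones if fragment in zone]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"{value!r}: no time zone contains this text")
    raise ValueError(f"{value!r} is ambiguous, matches {len(matches)} entries: {matches}")


def check_time_zones(csv_text, column="TimeZone", zones=TIME_ZONES):
    """Pre-flight check of an Import UserIDs file (CSV with a header row).

    Returns a list of (row_number, value, problem) for rows TPAM would reject;
    row numbers count from 1 after the header. `column` is the assumed name of
    the time zone column in the template.
    """
    reader = csv.DictReader(csv_text.splitlines())
    if column not in (reader.fieldnames or []):
        raise ValueError(f"header row has no {column!r} column")
    problems = []
    for number, row in enumerate(reader, start=1):
        try:
            resolve_time_zone(row[column], zones)
        except ValueError as exc:
            problems.append((number, row[column], str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed import file: the last two users carry values that are not unique.
    sample = ("UserName,FirstName,LastName,TimeZone\n"
              "alice,Alice,Smith,Guam\n"
              "bob,Bob,Jones,Server\n"
              "carol,Carol,Lee,Hawaii\n"
              "dave,Dave,Kim,02:00\n"
              "erin,Erin,Cole,US\n")
    for number, value, problem in check_time_zones(sample):
        print(f"row {number}: {value!r}: {problem}")
```

Because "Guam" also matches "(UTC+10:00) Guam, Port Moresby" only once, it resolves; "02:00" is rejected in the example because Amman, Harare and Jerusalem all contain it, which is the case the text warns about.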
To load the import users file into TPAM:
1
Select Batch Processing | Import UserIDs from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Enter an import comment. This comment will be saved with the import history. (optional)
6
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7
Click the Process File button.
As the user IDs are being imported the results will be displayed on the Details tab. There will be a count
of the number of users successfully imported and error messages for any user IDs that did not import.
To view import history:
1
Select Batch Processing | Import UserIDs from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
Import systems
Rather than individually adding systems to TPAM, they may be bulk imported. Importing systems can ease
administrative burden and expedite migration to TPAM.
When importing systems it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1
Select Batch Processing | Import Systems from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
7
Save the file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Systems page.
To load the import systems file into TPAM:
1
Select Batch Processing | Import Systems from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Enter an import comment. This comment will be saved with the import history. (optional)
6
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7
Click the Process File button.
8
As the systems are being imported the results will be displayed on the Details tab. There will be a count
of the number of systems successfully imported and error messages for any systems that did not import.
NOTE: Platform Name is not required when importing systems if a system template is being used or if a
default template has been defined in TPAM.
To view import history:
1
Select Batch Processing | Import Systems from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
To cancel a System Import:
1
Select Batch Processing | Import Systems from the main menu.
2
Click the History tab.
3
Select the import you want to cancel.
4
Click the Cancel Batch button.
NOTE: A System Import can only be cancelled if the Start Date column on the History tab is still null.
Import accounts
Rather than individually adding accounts to TPAM, they may be bulk imported. Importing accounts can ease
administrative burden and expedite migration to TPAM.
When importing accounts it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.
To create an import file:
1
Select Batch Processing | Import Accounts from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Accounts page.
7
Save the file.
To load the import accounts file into TPAM:
1
Select Batch Processing | Import Accounts from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Enter an import comment. This comment will be saved with the import history. (optional)
6
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7
Click the Process File button.
8
As the accounts are being imported the results will be displayed on the Details tab. There will be a count
of the number of accounts successfully imported and error messages for any accounts that did not
import.
To view import history:
1
Select Batch Processing | Import Accounts from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
To cancel an Account Import:
1
Select Batch Processing | Import Accounts from the main menu.
2
Click the History tab.
3
Select the import you want to cancel.
4
Click the Cancel Batch button.
NOTE: An Account Import can only be cancelled if the Start Date column on the History tab is still null.
Import or update collections
In TPAM you can mass add, update or delete collection names.
To create the file:
1
Select Batch Processing | Import/Update Collections from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collections page.
7
Save the file.
To load the changes into TPAM:
1
Select Batch Processing | Import/Update Collections from the main menu.
2
On the File Selector tab, click the Select File button to locate the file to load.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Select the update action to be taken on each row.
•
To drop all rows, select the Drop option.
•
To add all rows, select the Add option.
•
To specify different actions for specific rows, select the Specified in File option.
NOTE: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6
Add a comment (optional). This comment will be saved with the batch history.
7
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8
Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1
Select Batch Processing | Import/Update Collections from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
Import or update groups
In TPAM you can mass add, update or delete group names.
To create the file:
1
Select Batch Processing | Import/Update Groups from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
7
Save the file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Groups page.
To load the changes into TPAM:
1
Select Batch Processing | Import/Update Groups from the main menu.
2
On the File Selector tab, click the Select File button to locate the file to load.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Select the update action to be taken on each row.
•
To drop all rows, select the Drop option.
•
To add all rows, select the Add option.
•
To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6
Add a comment (optional). This comment will be saved with the batch history.
7
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8
Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1
Select Batch Processing | Import/Update Groups from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
Add or drop collection members
Rather than individually adding/editing collection members in TPAM, they may be bulk loaded.
To create the membership file:
1
Select Batch Processing | Add/Drop Collection Members from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collection Membership page.
7
Save the file.
To load the collection changes into TPAM:
1
Select Batch Processing | Add/Drop Collection Members from the main menu.
2
On the File Selector tab, click the Select File button to locate the file to load.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Select the update action to be taken on each row.
•
To drop all rows, select the Drop option.
•
To add all rows, select the Add option.
•
To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6
Add a comment (optional). This comment will be saved with the batch history.
7
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8
Click the Process File button.
As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1
Select Batch Processing | Add/Drop Collection Members from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
Add or drop group members
Rather than individually adding/editing group members in TPAM, they may be bulk loaded.
To create the membership file:
1
Select Batch Processing | Add/Drop Group Members from the main menu.
2
Click the Show Template button.
3
Select the Comma or Tab button, depending on the file format you are going to use.
4
Select and copy all of the template text.
5
Paste the template text into the header row of your CSV or tab delimited file.
6
Enter the data for the various columns in the import file.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Group Membership page.
7
Save the file.
To load the group changes into TPAM:
1
Select Batch Processing | Add/Drop Group Members from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Select the update action to be taken on each row.
•
To drop all rows, select the Drop option.
•
To add all rows, select the Add option.
•
To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6
Add a comment (optional). This comment will be saved with the batch history.
7
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8
Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To view import history:
1
Select Batch Processing | Add/Drop Group Members from the main menu.
2
Click the History tab.
3
Select the import to view.
4
Click the Detail tab.
Batch update user IDs
In cases where a large number of user IDs require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1
Select Users & Groups | List UserIDs.
2
Create a CSV or Excel file using List UserIDs with the data you want to update. See List user IDs
for the steps to create the file.
3
Open the file.
4
If you exported the User Listing to Excel, delete the first row in the file.
5
Select Batch Processing | Update UserIDs from the main menu.
6
Select update action to be taken on each row.
•
To delete all rows, select the Delete option. Skip to step 9.
•
To update all rows, select the Update option. Skip to step 9.
•
To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7
Insert a column in the file with a column name of Update Action.
8
Enter D (delete) or U (update) as appropriate for each user ID.
9
Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Users page.
10 Save the file.
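The choice in step 6 decides whether the Update Action column matters at all: with Delete or Update selected, every row gets that action and any D/U values in the file are ignored, so a file prepared for Specified in File but uploaded under Delete removes every user in it. The following Python snippet is an added example, not TPAM code, that prepares the batch update file from a List UserIDs export (dropping the Excel title row, inserting the Update Action column) and reports what each row will receive under each option, as a dry run before the upload. The export content is constructed, and UserName is assumed to be the key column used to assign D/U.

```python
import csv
import io

UPDATE_ACTION = "Update Action"
VALID_CODES = {"D", "U"}


def export_to_batch_file(export_text, excel_export=False):
    """Read a List UserIDs export (CSV text) into (header, rows).
    excel_export: the Excel export carries a title line above the column
    headers, which the steps above say to delete first."""
    lines = export_text.splitlines()
    if excel_export:
        lines = lines[1:]
    rows = list(csv.reader(lines))
    return rows[0], rows[1:]


def add_update_action_column(header, rows, codes, key_column="UserName"):
    """Insert the Update Action column needed for the Specified in File option.
    codes maps the key column value (assumed to be UserName) to 'D' or 'U';
    a row with no valid code is an error rather than a silent default."""
    key = header.index(key_column)
    new_rows = []
    for row in rows:
        code = codes.get(row[key])
        if code not in VALID_CODES:
            raise ValueError(f"{row[key]!r}: Update Action must be D or U, got {code!r}")
        new_rows.append([code] + row)
    return [UPDATE_ACTION] + header, new_rows


def effective_actions(header, rows, option):
    """What TPAM will do to each row for the option chosen in step 6.
    'Delete' and 'Update' apply to every row and ignore any Update Action
    column in the file; 'Specified in File' reads D/U from that column."""
    if option == "Delete":
        return ["D"] * len(rows)
    if option == "Update":
        return ["U"] * len(rows)
    if option != "Specified in File":
        raise ValueError(f"unknown option {option!r}")
    if UPDATE_ACTION not in header:
        raise ValueError("Specified in File chosen but the file has no Update Action column")
    col = header.index(UPDATE_ACTION)
    actions = []
    for number, row in enumerate(rows, start=1):
        code = row[col].strip().upper()
        if code not in VALID_CODES:
            raise ValueError(f"row {number}: Update Action must be D or U, got {row[col]!r}")
        actions.append(code)
    return actions


def to_csv(header, rows):
    """Serialize the batch file with the default text delimiter (double quote)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed Excel export: a title line, the header, then two users.
    export = ("User Listing\n"
              "UserName,FirstName,LastName\n"
              "alice,Alice,Smith\n"
              "bob,Bob,Jones\n")
    header, rows = export_to_batch_file(export, excel_export=True)
    header, rows = add_update_action_column(header, rows, {"alice": "U", "bob": "D"})
    print(to_csv(header, rows))
    for option in ("Specified in File", "Update", "Delete"):
        print(option, "->", effective_actions(header, rows, option))
```

In the dry run, Specified in File yields U for alice and D for bob, whereas Delete yields D for both regardless of the column, which is the behaviour the NOTE in the collection and group procedures describes for the Drop and Add buttons as well.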
To upload the batch update file into TPAM:
1
Select Batch Processing | Update UserIDs from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Add a comment (optional). This comment will be saved with the batch history.
6
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7
Click the Process File button.
8
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1
Select Batch Processing | Update UserIDs from the main menu.
2
Click the History tab.
3
Select the batch to cancel.
4
Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1
Select Batch Processing | Update UserIDs from the main menu.
2
Click the History tab.
3
Select the batch to view.
4
Click the Detail tab.
Batch update systems
In cases where a large number of systems require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1
Select Systems, Accounts, & Collections | Systems | List Systems.
2
Create a CSV or Excel file using List Systems with the data you want to update. See List systems for the
steps to create the file.
3
Open the file.
4
If you exported the System Listing to Excel, delete the first row in the file.
5
Select Batch Processing | Update Systems from the main menu.
6
Select update action to be taken on each row.
•
To delete all systems, select the Delete option. Skip to step 9.
•
To update all systems, select the Update option. Skip to step 9.
•
To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7
Insert a column in the file with a column name of Update Action.
8
Enter D (delete) or U (update) as appropriate for each system.
9
Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Systems page.
10 Save the file.
To upload the batch update file into TPAM:
1
Select Batch Processing | Update Systems from the main menu.
2
Click the Select File button.
3
Click the Browse button. Select the file.
4
Click the Upload button.
5
Add a comment (optional). This comment will be saved with the batch history.
6
Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7
Click the Process File button.
8
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1
Select Batch Processing | Update Systems from the main menu.
2
Click the History tab.
3
Select the batch to cancel.
4
Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1
Select Batch Processing | Update Systems from the main menu.
2
Click the History tab.
3
Select the batch to view.
4
Click the Detail tab.
Batch update accounts
In cases where a large number of accounts require edits, batch updates can be performed using CSV or .txt files
as input.
To create a batch update file:
1
Select Systems, Accounts, & Collections | Accounts | List Accounts.
2
Create a CSV or Excel file using List Accounts with the data you want to update. See List accounts for the
steps to create the file.
3
Open the file.
4
If you exported the Account Listing to Excel, delete the first row in the file.
5
Select Batch Processing | Update Accounts from the main menu.
6
Select update action to be taken on each row.
•
To delete all rows, select the Delete option. Skip to step 9.
•
To update all rows, select the Update option. Skip to step 9.
•
To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7
Insert a column in the file with a column name of Update Action.
8
Enter D (delete) or U (update) as appropriate for each account.
9
Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Accounts page.
10 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
Batch update PSM accounts
Batch updating PSM accounts allows mass updating of the PSM settings for accounts.
For details on the update values available see PSM Details tab.
To create a batch update file:
1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts.
2 Create a CSV or Excel file using List PSM Accounts with the data you want to update. See List PSM accounts for the steps to create the file.
3 Open the file.
4 If you exported the Account Listing to Excel, delete the first row in the file.
5 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update PSM Accounts page.
6 Save the file.
To upload the batch update file into TPAM:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To cancel a batch update:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
To view update history:
1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.
Batch update permissions
System, Account, File, Collection, User and Group permissions can be updated through Update Permissions.
To create an import file:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the Show Template button.
3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.
5 Paste the template text into the header row of your CSV or tab delimited file.
6 Enter the data for the various columns in the batch update permissions file.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Permissions page.
7 Save the file.
To load the batch update file into TPAM:
1 Select Batch Processing | Update Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.
• To drop all rows, select the Drop option.
• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.
6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
8 Click the Process File button.
9 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view batch update history:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel a batch update:
1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
Batch update cache server permissions
Cache server permissions can be updated through Update Cache Server Permissions.
To create an import file:
1 Select Management | Cache Servers | List CS Permissions from the main menu.
2 Create a CSV or Excel file using List UserIDs with the data you want to update. See List cache server permissions for the steps to create the file.
3 Open the file.
4 If you exported the User Listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update Cache Server Permissions from the main menu.
6 Select the update action to be taken on each row.
• To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step 7.
IMPORTANT: If the Delete or Update option is selected, the Update Action column in the file is ignored.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each account.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are listed on the Update Users page.
10 Save the file.
To load the batch update file into TPAM:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated. (optional) See Advanced file settings for details.
6 Click the Process File button.
7 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of the number of records successfully updated and error messages for any updates that did not process.
To view batch update history:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.
To cancel a batch update:
1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.
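Steps 7 and 8 above, like the same steps in the Batch update accounts procedure earlier in this chapter, add an Update Action column whose values must be D or U. Because a stray D deletes the row's account, a batch file is worth checking before it is uploaded. The following Python is an added example, not TPAM code: it validates a constructed batch file for the three update options the page describes. The Update Action column name and the D/U values come from the guide; the other column names in the sample file are assumptions for this illustration, not TPAM's real import columns.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import List

# Constructed sample batch update file. "Update Action" is the column the guide
# describes; SystemName and AccountName are assumed names for this example only.
SAMPLE_CSV = """SystemName,AccountName,Update Action
prod-db-01,oracle,U
prod-db-01,backup,D
prod-web-02,root,X
prod-web-02,www,
"""

UPDATE_OPTIONS = ("Delete", "Update", "Specified in File")


@dataclass
class ValidationResult:
    total_rows: int = 0
    updates: int = 0
    deletes: int = 0
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_batch_file(text: str, action: str) -> ValidationResult:
    """Check a batch update file against the option chosen on the Update page.

    "Delete" and "Update" apply to every row and ignore the Update Action column;
    "Specified in File" requires the column and accepts only D or U per row.
    """
    if action not in UPDATE_OPTIONS:
        raise ValueError(f"unknown update action: {action!r}")

    reader = csv.DictReader(io.StringIO(text))
    result = ValidationResult()
    columns = reader.fieldnames or []

    if action == "Specified in File" and "Update Action" not in columns:
        # Typical cause: the Excel export's extra first row was not deleted.
        result.errors.append("missing 'Update Action' column")
        return result

    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        result.total_rows += 1
        if action == "Delete":
            result.deletes += 1
            continue
        if action == "Update":
            result.updates += 1
            continue
        value = (row.get("Update Action") or "").strip()
        if value == "D":
            result.deletes += 1
        elif value == "U":
            result.updates += 1
        else:
            result.errors.append(
                f"line {line_no}: Update Action must be D or U, got {value!r}")
    return result


if __name__ == "__main__":
    report = validate_batch_file(SAMPLE_CSV, "Specified in File")
    print(f"rows={report.total_rows} updates={report.updates} deletes={report.deletes}")
    for problem in report.errors:
        print("ERROR:", problem)
```

Run against the sample, the validator reports one update, one delete and two bad rows (an X and an empty value), so the file would be rejected before anything reaches TPAM.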
Cancel a batch process
NOTE: We do not recommend canceling a batch job unless the wrong file was selected for processing or if there is a degradation in the TPAM appliance performance as a result of the batch job.
To cancel a batch import/update that is still running:
1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab.
4 Click the Details tab.
5 Click the Cancel Select Batch button.
6 Enter the text displayed to continue with the batch job cancellation and click the Continue button.
View batch job history
To view batch job history:
1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab and click the Details tab.
21 PSM Connection Profiles
• Introduction
• Add a PSM connection profile
• Delete a PSM connection profile
• Assign a PSM connection profile
Introduction
PSM connection profiles allow for overriding the default connection parameters during a session. These
connection profiles can be modified by the Administrator to specify other connection settings for mainframe
connections.
The table below explains the options on the PSM Connection profile page.
Table 71. PSM Connection profile page options (each field is listed with whether it is required and its default, followed by its description)
Profile Type (Required: Yes; Default: PSM Connection)
  PSM Connection should be selected from the list.
Proxy Type (Required: Yes)
  This PSM connection will only be available for sessions using the proxy type selected from the list.
Domain User Format (Required: No)
  This option is available for SSH - Automatic Login Using Password, RDP - Automatic Login Using Password and RDP Through SSH - Automatic Using Password. When connecting to a PSM session using a domain account you may adjust the format of the account here. Enter a string using the words account and/or domain with other characters as necessary. Any text entered other than the words account and domain will be used as-is. Common formats are account@domain (default) and domain\account.
Profile Name (Required: Yes)
  Enter a unique profile name.
Description (Required: No)
  Enter a descriptive text for the profile.
Alternate Port (Required: No)
  Option to enter an alternate port for the connection.
SSL (Required: No; Default: Off)
  Option for x3270 and x5250 proxy types. If selected, SSL will be used during the connection.
Custom Command (Required: No)
  Option for x3270 and x5250 proxy types. This command is sent at the beginning of the connection.
Post-Auth Control Char (Required: No)
  Option for x3270 and x5250 proxy types. Used in conjunction with the post-auth command: after typing the password the post-auth control char is pressed, followed by the post-auth command.
Post-Auth Command (Required: No)
  Option for x3270 and x5250 proxy types. Used in conjunction with the post-auth control char.
Add a PSM connection profile
To add a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection from the Profile Type list.
3 Click the New Profile button.
4 Select a proxy type from the list.
5 Enter a unique name for the profile.
6 Enter a description for the profile. (optional)
7 Enter an alternate port. (optional)
8 Complete the fields as described in the table above.
9 Click the Save Changes button.
Delete a PSM connection profile
To delete a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A connection profile can only be deleted if it is not assigned to any accounts.
Assign a PSM connection profile
PSM connection profiles can be assigned using the Batch Update PSM Accounts function, or by following the procedure below.
To assign a connection profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Custom Connection Profile list.
5 Click the Save Changes button.
22 Post Session Processing Profiles
• Introduction
• Add a post session processing profile
• Delete a post session processing profile
• Assign a post session processing profile
Introduction
Post session processing profiles can be used to trigger specific events after a session request has expired. For post session profiles to take effect, the System Administrator must have enabled the Post Session Processing Agent in the /admin interface.
Add a post session processing profile
To add a post session processing profile select Management | Profile Management from the menu.
Click the New Profile button.
The table below explains the options on the Profile Editor page:
Table 72. Profile Editor page options (each field is listed with whether it is required and its default, followed by its description)
Profile Type (Required: Yes; Default: Account Auto Discovery)
  Post Session Processing should be selected from the list.
Profile Name (Required: Yes)
  Enter a unique profile name.
Description (Required: No)
  Enter a descriptive text for the profile.
Check Password of all Managed Accounts on the requested System? (Required: No; Default: Off)
  If selected, the password for all accounts on the managed system will be checked after the session expires. Passwords are only changed if a mismatch is found and the account has the “reset on mismatch” check box selected on its Check Password Profile.
Trigger post-release processing for requested account’s password? (Required: No; Default: Off)
  If selected, the password will be treated as if it were released, which will trigger post-release processing for managed accounts and synchronized password subscribers.
  Synchronized password subscribers are processed in priority order. If any of the subscribers fail to change, the agent stops and tries again based on the Synch Pass Change agent retry interval setting. If the prioritized subscribers succeed but some non-prioritized subscribers fail, then the failures will be processed by the regular change agent.
  Manual subscribers are scheduled with the regular manual change agent.
Send an email to the Primary Contact on the System? (Required: No; Default: Off)
  If selected, once the session expires, the primary contact for the system will be sent an email notifying them the session is over.
Other E-Mail Notification (Required: No)
  Option to enter additional email addresses to notify when the session expires. Up to 255 characters can be entered, using commas to separate multiple email addresses.
Enter the settings as desired and click the Save Changes button.
Delete a post session processing profile
To delete a post session processing profile:
1 Select Management | Profile Management from the menu.
2 Select Post Session Processing from the Profile Type list.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A post session processing profile can only be deleted if it is not assigned to any accounts.
Assign a post session processing profile
Post session processing profiles can be assigned using the Update PSM Accounts function, or by following the procedure below.
To assign a post session processing profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Post Session Profile list.
5 Click the Save Changes button.
23 Restricted Commands
• Introduction
• Add a restricted command profile
• Assign profile to access policy
• Restricted command account settings
• Command detection during a session
Introduction
Restricted command profiles enable the TPAM administrator to restrict the commands that can be executed during a session, and/or put notifications in place when specific commands are executed.
IMPORTANT: Restricted commands cannot always detect and terminate a command when it is executed. It is possible that some commands complete execution before TPAM has time to detect them.
Restricted commands are limited to Windows® and *nix platforms. The restricted command functionality also requires a DPA.
To configure restricted commands you must perform the following steps:
• Add a restricted command profile.
• Add restricted command profile to an access policy.
• Assign access policy to a user or group for a system or account.
• Enable account to capture events during a session.
System requirements for restricted commands
There are requirements for the target system that must be met in order for restricted commands to be detected during PSM sessions. For Windows® and *nix platforms, the PPM functional account is used to detect the commands being run on the target system. The relevant configuration discussed below pertains to the PPM functional account.
*nix platforms
In order to detect and kill processes on *nix systems, the DPA connects to and monitors the target system using SSH. The following commands must be executable on the target system by the functional account in order to detect and kill processes.
• uname
• echo
• kill
• "ps -ef" or "ps -axlww" depending on *nix variant
• "netstat -ntp", "sockstat -c4", or "lsof -i -n -P" depending on *nix variant
Delegation prefixes are supported for the relevant platforms.
Windows®
In order to detect and kill processes on Windows®, the DPA connects to and monitors the target system using WMI. There are a number of items that must be configured to allow these WMI connections, which may include but are not limited to setting up remote WMI access, setting WMI CIMV2 namespace security, setting DCOM security to allow remote access and launch, altering firewall settings to allow the WMI traffic, and handling UAC. Notes related to UAC are provided when executing Test Event Configuration.
Additionally, various security events must be generated by Windows® to identify the beginning and end of PSM sessions. For operating systems prior to Windows® Vista, events with event identifiers of 528, 538, 551, 682, and 683 must be generated. For Windows® Vista and later operating systems, events with event identifiers of 4624, 4634, 4647, 4778, and 4779 must be generated. Note that restricted command detection for operating systems prior to Windows® XP and Windows Server 2003 is not supported.
Add a restricted command profile
To add a restricted command profile:
1 Select Management | Profile Management from the main menu.
2 Select Restricted Command from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique profile name.
5 Select one or both notification types for the commands in the profile:
• Notify via Alert? - If the command has the Notify? check box selected and the command is detected during a session, an SNMP alert will be sent. The SNMP session events alert subscriptions must be subscribed to by the system administrator in the /admin interface.
• Notify via Email? - If the command has the Notify? check box selected and the command is detected during a session, an email will be sent to the email addresses listed. Multiple email addresses can be entered separated by a semi-colon. You can also enter :System: or :Account: to have the notification sent to the system or account contacts.
6 Click the Add Cmd Detail button.
7 Select the platform(s) that the command applies to:
• *nix? - any UNIX® type platform.
• Win? - Windows® platform.
8 Enter the command. The command text accepts a regular expression pattern to identify the name of the command executable to be restricted. For Windows® commands, TPAM searches for the process name and parameters. For *nix commands, TPAM searches the process name and parameters in the output of the relevant "ps" command.
9 Select the Notify? check box to be notified when this command is detected during a session.
10 Select one of the following actions for when the command is detected:
• Do Nothing - nothing is done to stop the session.
• Kill Command - the command is terminated, but the session is left open.
IMPORTANT: The command can only be terminated if TPAM has time to detect the command before it finishes running.
• Kill Login - the login to the remote system is terminated, but the session remains open.
• Kill Session - the current session to the remote system is terminated.
NOTE: None of the actions above will cancel the session request.
11 To add additional commands to the profile repeat steps 6-10.
12 Click the Save Changes button.
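Step 8 says the Command field is a regular expression that TPAM searches against the process name and parameters taken from the relevant "ps" output. The following Python is an added example, not TPAM or DPA code: it runs a hypothetical three-rule profile over a constructed "ps -ef" listing, reports which processes match and the action and notification configured for each, and ranks the actions in the order step 10 lists them so the strongest one can be chosen when several commands are seen in the same pass. The rules, the process listing and the choice to scope the scan to the session account's UID are assumptions for this illustration. The IMPORTANT note above still applies: a listing is a snapshot, so a command that finishes between two snapshots is never seen.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "ps -ef" listing standing in for what the DPA reads over SSH.
PS_EF_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
jsmith    4120  4100  0 09:05 pts/0    00:00:00 -bash
jsmith    4188  4120  0 09:06 pts/0    00:00:00 rm -rf /opt/app/releases/old
jsmith    4190  4120  0 09:06 pts/0    00:00:00 vim /etc/hosts
jsmith    4195  4120  0 09:07 pts/0    00:00:00 passwd jsmith
jsmith    4201  4120  0 09:07 pts/0    00:00:00 /usr/bin/scp report.tgz user@203.0.113.5:
"""

# Actions in the order the guide lists them, least to most severe.
ACTIONS = ("Do Nothing", "Kill Command", "Kill Login", "Kill Session")


@dataclass(frozen=True)
class CommandRule:
    pattern: str      # regular expression entered in the profile's Command field
    action: str       # one of ACTIONS
    notify: bool      # the Notify? check box


@dataclass(frozen=True)
class Detection:
    pid: int
    command: str
    rule: CommandRule


# Hypothetical profile; each pattern is searched against "name + parameters".
RULES = [
    CommandRule(r"^rm\s+-rf\b", "Kill Command", True),
    CommandRule(r"^(\S*/)?passwd\b", "Kill Login", True),
    CommandRule(r"^(\S*/)?scp\b", "Kill Session", True),
]


def parse_ps_ef(output: str) -> List[Tuple[str, int, str]]:
    """Return (uid, pid, command) per process; CMD is everything after TIME."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 7)               # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8:
            continue
        rows.append((parts[0], int(parts[1]), parts[7]))
    return rows


def detect_restricted(output: str, rules: List[CommandRule],
                      session_uid: str) -> List[Detection]:
    """First matching rule for each process owned by the session account."""
    compiled = [(re.compile(r.pattern), r) for r in rules]
    hits = []
    for uid, pid, cmd in parse_ps_ef(output):
        if uid != session_uid:                    # assumption: scope to the session's account
            continue
        for regex, rule in compiled:
            if regex.search(cmd):                 # name and parameters, as step 8 describes
                hits.append(Detection(pid, cmd, rule))
                break
    return hits


def most_severe_action(hits: List[Detection]) -> Optional[str]:
    """Strongest configured action among the detections, or None if no hit."""
    if not hits:
        return None
    return max((h.rule.action for h in hits), key=ACTIONS.index)


if __name__ == "__main__":
    found = detect_restricted(PS_EF_OUTPUT, RULES, "jsmith")
    for hit in found:
        flag = "notify" if hit.rule.notify else "silent"
        print(f"pid {hit.pid}: {hit.command!r} -> {hit.rule.action} ({flag})")
    print("overall action:", most_severe_action(found))
```

With the sample listing, three of the session user's processes match (the rm, passwd and scp lines); the vim process and the root-owned init do not, and the strongest configured action is Kill Session.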
Assign profile to access policy
Once a restricted command profile has been created, the next step is to assign the profile to an access policy.
To assign a restricted command profile to an access policy:
1 Select Management | Access Policies from the main menu.
2 Filter for an existing access policy or click the Add Policy button to add a new one.
3 Select the Record Events check box.
4 Select the restricted command profile from the list.
5 Click the Save Changes button.
6 The access policy then needs to be assigned to the appropriate system, account, or group.
Restricted command account settings
To complete command restriction for an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter filter criteria for the specific account and click the Listing tab.
3 Select the account and click the PSM Details tab.
4 The Enable PSM Sessions? check box must be selected.
5 The proxy connection type must be one of the following:
• RDP - Automatic Login Using Password
• RDP - Interactive Login
• SSH - Automatic Login Using Password
• SSH - Automatic Login Using DSS key
• SSH - Interactive Login
• Telnet - Automatic Login Using Password
• Telnet - Interactive Login
6 Click the Test Event Configuration button.
7 If the test events were successful, select the Capture Events? check box.
Command detection during a session
If a restricted command is executed during a session the user may see one of the following, depending on how the restricted command policy is configured:
If the profile is configured to kill the command, the user will see a pop-up window stating “Process terminated per policy. This action has been logged.”
If the profile is configured to kill the login, the user will see a pop-up window stating “Login killed per policy. This action has been logged.”
If the profile is configured to kill the session, the user will see a pop-up window stating “Session will be terminated per policy. This action has been logged.” and the session is closed a few seconds later.
24 Archive Session Logs
• Introduction
• Configure session log archive settings
• Configure session log archive server
• Test the archive server
• View archive files
• View archive log
• Delete a session log archive server
• Clear a stored system host entry
Introduction
This chapter covers the configuration and settings for session log archive.
Configure session log archive settings
Session logs can be archived to external storage to ensure that physical resources on the appliance are not
exhausted. The frequency of when these logs are transferred must be set as well as the retention period for the
logs on the appliance and the external storage.
To configure session log archive settings select Management | Session Mgmt | Archive Settings from the menu.
The table below explains the options on the Session Logs Archival Settings page:
Table 73. Session Logs Archival Settings page options (each field is listed with whether it is required and its default, followed by its description)
Max Age in Days for session log archival (0-90) (Required: Yes; Default: 1)
  This option specifies the maximum period of time that session logs are maintained on the appliance. Session logs older than the n value are sent to the archive server. Valid configuration is 0 to 90 days.
Max Age in days for session log deletion (1-2922) (Required: Yes; Default: 90)
  This value specifies that session logs are permanently deleted from TPAM or the archive server after they become older than y days. This setting is limited by the Session Request Retention Period in global settings.
  CAUTION: Session logs are deleted regardless of their location – whether stored on TPAM or on an archive server. If the value (y) to delete session logs is less than the value (n) to archive session logs, the logs are deleted on the appliance without ever being sent to an archive server.
  IMPORTANT: If TPAM tries to delete session logs from an archive server and it fails, TPAM will not re-attempt to do so. This means that these records may need to be manually deleted if the archive server comes back up. A CSV export of detailed files is available for each archive server to assist with this.
Percentage full to trigger forced archival of oldest session logs (30-80) (Required: Yes; Default: 80)
  This option allows for an automated safety net to ensure that the hard disk resources of the appliance are not filled to capacity. If the disk space reaches x% of storage capacity a forced archive occurs to free disk space.
Send archival messages to (Required: Yes)
  Messages regarding archival events can be sent from TPAM via email to a specified address. Valid choices are:
  • All
  • Failed
  • None
Enter the settings as desired and click the Save Changes button.
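The three numeric settings interact: a log older than n days is archived, a log older than y days is deleted wherever it is, and at x% disk usage the oldest logs are archived early. The CAUTION above describes the trap where y < n causes logs to be deleted before they are ever archived, which destroys session evidence silently. The following Python is an added example, not TPAM's archival code: it checks a settings triple against the ranges and the y < n trap, and works out keep/archive/delete for a constructed set of session logs. The assumptions are that the comparisons are strict (older than n, older than y, as the page words it), that a forced archive moves one oldest log per pass (the guide does not say how much space TPAM frees), and the log ages and locations themselves.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ArchiveSettings:
    archive_after_days: int    # n: Max Age in Days for session log archival (0-90)
    delete_after_days: int     # y: Max Age in days for session log deletion
    forced_archive_pct: int    # x: Percentage full to trigger forced archival (30-80)


@dataclass(frozen=True)
class SessionLog:
    log_id: str
    age_days: int
    location: str              # "appliance" or "archive"


def check_settings(s: ArchiveSettings) -> List[str]:
    """Flag out-of-range values and the y < n trap the guide's CAUTION describes."""
    problems = []
    if not 0 <= s.archive_after_days <= 90:
        problems.append("archive age (n) must be 0-90 days")
    if not 30 <= s.forced_archive_pct <= 80:
        problems.append("forced archival threshold must be 30-80 percent")
    if s.delete_after_days < s.archive_after_days:
        problems.append("delete age (y) is less than archive age (n): logs on the "
                        "appliance are deleted without ever being archived")
    return problems


def plan_disposition(s: ArchiveSettings, logs: List[SessionLog],
                     disk_pct_full: int) -> Dict[str, str]:
    """Decide keep / archive / delete for each log as the three settings would."""
    plan: Dict[str, str] = {}
    still_on_appliance: List[SessionLog] = []
    for log in logs:
        if log.age_days > s.delete_after_days:
            plan[log.log_id] = "delete"            # regardless of location
        elif log.location == "appliance" and log.age_days > s.archive_after_days:
            plan[log.log_id] = "archive"
        else:
            plan[log.log_id] = "keep"
            if log.location == "appliance":
                still_on_appliance.append(log)
    # Safety net: at x% full, the oldest log still on the appliance is archived early
    # (assumption: one log per pass; the guide only says "a forced archive occurs").
    if disk_pct_full >= s.forced_archive_pct and still_on_appliance:
        oldest = max(still_on_appliance, key=lambda log: log.age_days)
        plan[oldest.log_id] = "archive (forced)"
    return plan


if __name__ == "__main__":
    defaults = ArchiveSettings(archive_after_days=1, delete_after_days=90,
                               forced_archive_pct=80)
    risky = ArchiveSettings(archive_after_days=30, delete_after_days=7,
                            forced_archive_pct=80)
    # Constructed sample logs.
    sample = [SessionLog("a", 0, "appliance"), SessionLog("b", 5, "appliance"),
              SessionLog("c", 120, "archive"), SessionLog("d", 120, "appliance")]
    print("default settings:", check_settings(defaults) or "ok")
    print("risky settings:", check_settings(risky))
    print(plan_disposition(defaults, sample, disk_pct_full=40))
    print(plan_disposition(risky, [SessionLog("e", 10, "appliance")], disk_pct_full=40))
```

With the page's defaults (n=1, y=90, x=80) a 5-day-old log on the appliance is archived and 120-day-old logs are deleted from both locations; with the risky pair (n=30, y=7) a 10-day-old log is deleted straight off the appliance, which is exactly what the CAUTION warns about.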
Configure session log archive server
Archive Servers must be pre-configured to receive the archived sessions from TPAM.
SCP
For a server to be eligible to receive the archives via SCP, it must be running the UNIX®/Linux® file system. This
can be accomplished on a Windows® server by installing OpenSSH or other UNIX® emulation software that
creates a directory structure containing /home. There are readily available products that create a Linux®
environment for Windows®.
TPAM uses only DSS authentication to connect to archive servers and transfer session logs. This requires a
matched public/private key pair to exist between TPAM and the archive server. The public key is located on the
archive server, while TPAM maintains the private key.
FTP
To use FTP, the FTP server needs to have a password authenticated account with a directory that will accept
files transferred from the console or a DPA. The FTP server needs to support the del command to allow our
archive service to remove the aged out session logs using that same named account and password.
To configure an archive server select Management | Session Mgmt | Archive Servers from the menu.
The table below explains the options on the archive server management page:
Table 74. Archive Server Management: Details tab options (each field is listed with whether it is required and its default, followed by its description)
Server Name (Required: Yes)
  The unique server name.
Network Address (Required: Yes)
  The IP address or fully qualified domain name.
Archive Method (Required: Yes; Default: FTP)
  FTP or SCP using DSS Key.
Port (Required: No)
  Port number for TPAM to use.
Delete Command (Required: No)
  If using SCP as archive method, a custom delete command can be specified.
DSS Key Details (Required: No)
  When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.
  • Avail. System Std. Keys – uses the single standard SSH keys (either Open SSH or the commercial key) stored centrally on TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the paradmin interface. Use the list to select the key you want to retrieve.
  NOTE: When using the Avail. System Std. Keys you cannot specify the key that is used. One or all available keys may be downloaded to the remote system, but TPAM attempts to use all currently active keys when communicating with the remote system.
  • Use System Specific Key – allows the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the Get/Regen Key button, and then downloaded in either Open SSH or Sec SSH (commercial) format.
  The public key must be placed into the proper directory on the archive server. For most systems this is [user’s home directory]/.ssh (create the directory if it does not exist). The public key must also be specified as an authorized authentication method for the functional account. A new DSS key pair can be generated at any time (if for example it is felt that the existing keys have been compromised). Clicking the Regen Key Pair button generates a new public/private key pair. The Regen Key Pair only regenerates the system specific key for the selected archive server, so only that archive server is affected.
Account Name (Required: Yes)
  Used to authenticate to the archive server, and within whose home directory the logs are stored.
Account Password (Required: Yes for FTP)
  Account password used for FTP connection.
Archive Server Path (Required: Yes)
  Prior to TPAM v2.0 the path was hard coded to ./egparch. It is assumed that old sessions that have already been archived are stored in ./egparch. It is important to ensure that this directory is owned by the functional ID, and that the functional ID has proper permissions (600 is recommended).
Description (Required: No)
  Descriptive text for the archive server.
Make Default? (Required: No; Default: Off)
  If selected, this is the default archive server for all session logs.
Enter the settings as desired and click the Save Changes button.
Test the archive server
Once the archive server has been saved it is recommended that connection to TPAM be tested by clicking the
Test button. The results of the test are displayed on the Results tab.
View archive files
To view the files stored on an archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server on the Listing tab.
3 Click the Archived Files tab.
4 Enter your search criteria on the Filter tab.
5 Click the Session Logs tab or click the Export to CSV button.
View archive log
To view the archive log:
1 Select Management | Session Mgmt | Archive Log from the menu.
2 Enter your filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in Privileged Account Manager, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in Privileged Account Manager click the Report tab. To adjust the column size of any column on a report hover the mouse over the column edge while holding down the left mouse button and dragging the mouse to adjust the width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option only exports a maximum of 64,000 rows.
10 Open or Save the report file.
Delete a session log archive server
To delete a session log archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server to be deleted.
3 Click the Delete button.
NOTE: You cannot delete an archive server that is flagged as the default archive server. This flag must be cleared and saved before the Delete button is enabled.
4 Click the Delete Server button.
5 Click the OK button on the confirmation window.
Clear a stored system host entry
The Clear Sys. Host Entry button removes the host entry from TPAM’s known hosts file. An example of the
necessity for this would be a situation where the SSH package on a managed system has been reinstalled, or the
OS itself may be reinstalled. A test of the system would indicate that the host key entry does not match, and is
preventing password authentication because of a perceived “man in the middle” attack.
To clear the System Host entry:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the archive server whose host entry is to be removed from TPAM’s known hosts file.
3 Click the Clear Sys. Host Entry button.
25 Privileged Command Management
• Introduction
• Add a command
• Commands to assist with authentication
• Duplicate a command
• Delete a command
• Create access policy with the command
• Assign access policy to user or group
• Setup requirement for Windows®
Introduction
Privileged command management provides command control for administrative tasks that require elevated
credentials. The commands a user can execute using privileged session manager can be controlled.
Add a command
The first step in using privileged command manager is setting up the commands. PCM comes with a set of
default commands, but custom commands can be added.
To add a command:
1 Select Management | Command Management from the main menu.
2 Click the Add Command button.
3 Enter the Command Name.
4 Enter the Command Text.
5 Enter the Working Directory.
6 Enter the Description of the command. (optional)
7 Click the Save Changes button.
8 Click the Proxy Types tab.
9 Select the Proxy Types for this command.
10 Click the Save Changes button.
Commands to assist with authentication
The following commands can be added here:
• :accountname: - will pass the requested account name
• :accountpwd: - will pass the requested account password
• :myaccount: - will pass the TPAM user name.
These can be passed on the command line during a PSM session to facilitate authentication.
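The token substitution described above, as an added example that is not TPAM's own code: it assumes the three tokens are replaced verbatim inside the Command Text before the command is launched in the PSM session. The log-safe rendering helper and the inventory check (which command definitions place the released password on the command line, a point worth reviewing when commands are defined) are this example's own, and the sample command set is constructed.

```python
"""Rendering of the TPAM authentication tokens in a PCM command definition.

Added example, not TPAM code. It assumes the three tokens named on this page
(:accountname:, :accountpwd:, :myaccount:) are replaced verbatim inside the
Command Text before the command is launched in the PSM session; the
log-safe rendering helper and the inventory check are this example's own.
"""
from __future__ import annotations

# Tokens named in the guide, in the order they are documented.
TOKENS = (":accountname:", ":accountpwd:", ":myaccount:")

# Constructed sample of PCM command definitions (Command Name -> Command Text).
SAMPLE_COMMANDS = {
    "Oracle SQL*Plus": "sqlplus :accountname:/:accountpwd:@ORCL",
    "Restart web service": "sudo -u :accountname: systemctl restart httpd",
    "Show my session user": "echo :myaccount:",
}


def render_command(command_text: str, account_name: str,
                   account_pwd: str, tpam_user: str) -> str:
    """Substitute every token occurrence; text that is not a token is left as is."""
    values = {
        ":accountname:": account_name,
        ":accountpwd:": account_pwd,
        ":myaccount:": tpam_user,
    }
    rendered = command_text
    for token, value in values.items():
        rendered = rendered.replace(token, value)
    return rendered


def tokens_used(command_text: str) -> list[str]:
    """Tokens a command definition relies on, in documented order."""
    return [token for token in TOKENS if token in command_text]


def render_for_log(command_text: str, account_name: str, tpam_user: str) -> str:
    """Log-safe rendering: real names are kept, the password token stays masked."""
    return render_command(command_text, account_name, "********", tpam_user)


def commands_passing_password(commands: dict[str, str]) -> list[str]:
    """Names of command definitions that put :accountpwd: on the command line.

    Anything listed here places the released password in the argument list of
    the process started on the target system, so it deserves a second look
    when the command set is reviewed.
    """
    return sorted(name for name, text in commands.items()
                  if ":accountpwd:" in text)


if __name__ == "__main__":
    # Constructed session values for the demonstration.
    print(render_for_log(SAMPLE_COMMANDS["Oracle SQL*Plus"], "app_owner", "alice"))
    print(commands_passing_password(SAMPLE_COMMANDS))
```

Running the module prints the masked command line and the list of commands that embed the password token; the unmasked `render_command` output is what the PSM session would actually execute.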
Duplicate a command
For the ease of creating commands that are similar, commands can be duplicated.
To duplicate a command:
1 Select Management | Command Management from the main menu.
2 Select the command to duplicate.
3 Click the Duplicate Command button.
4 Edit the Command Name, Command Text, Working Directory and Description as needed.
5 The proxy types are inherited from the command duplicated. Click the Proxy Types tab to edit the proxy types.
6 Click the Save Changes button.
Delete a command
To delete a command:
1 Select Management | Command Management from the main menu.
2 Select the command to delete.
3 Click the Delete Command button.
4 Click the OK button on the confirmation window.
NOTE: A command cannot be deleted if it is associated with an Access Policy.
Create access policy with the command
Once the commands have been created, the next step is to create an access policy that includes this command.
To add a command to an Access Policy:
1 Select Management | Access Policies from the main menu.
2 Click the Add Policy button.
3 Enter a unique policy name. This is the name that appears in the list when selecting it for assignment, so be as descriptive as possible.
4 Enter a description. This information is only visible to administrators when editing the policy. (optional)
5 Select the Command check box.
6 Select the command from the list.
7 Select the REQ check box.
8 To add another command to the access policy click the Add button.
9 Repeat steps 5, 6 and 7.
10 Click the Save Changes button.
Assign access policy to user or group
Once the access policy is created, it can be assigned to a user or group for permissions on Systems, Accounts,
Files or Collections. The example below will cover assigning the access policy to a group of users for a system.
Access policies can also be assigned through the update permissions batch process.
To assign the access policy to a user or group:
1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Enter filter criteria to find the appropriate group.
3 Click the Listing tab.
4 Select the group.
5 Click the Permissions tab.
6 Enter the filter criteria to find the system.
7 Click the Results tab.
8 Select the system.
9 Select the access policy from the list.
10 Click the single green check icon.
11 Click the Save Changes button.
When a user in this group submits a session request on this system they will only be allowed to execute the
command/s specified in the access policy during the session.
Setup requirement for Windows®
For Windows® 7, 2008 and 2012 additional configuration is required to get privileged command management to
work.
Configure the following registry changes on the Windows® server:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnlistedRemotePrograms = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fTurnOffSingleAppMode = [REG_DWORD, value: 00000000]
If the above doesn't work, additionally modify/add:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\HonorLegacySettings = [REG_DWORD, value: 00000001]
26 Synchronized Passwords
• Introduction
• Logs tab
• Add synchronized password
• Add subscriber to a synchronized password
• Remove a subscriber from a synchronized password
• Delete a synchronized password
• Force reset of synchronized password
Introduction
Synchronized Passwords (formerly known as Collection Accounts prior to v2.3.761) provide a way to allow
multiple accounts, on different systems, to have the passwords synchronized.
The synchronized password functionality depends heavily on the Synch Pass Change Auto Agent that must be
enabled by the System Administrator in the admin interface. If the agent is not running, synch member
passwords are not changed unless you perform a manual forced reset.
To add and manage synchronized passwords, information is entered on the following tabs in the TPAM interface:
Table 75. Synchronized Password Management: TPAM interface tabs
Tab name - Description
Details - Define password name, and password management options.
Candidates - Used to assign accounts as subscribers of the synchronized password.
Details tab
The table below explains all of the options available on the details tab:
Table 76. Synchronized Password Management: Details tab options
Field - Description (Required? / Default)
Password Name - Descriptive name of the synchronized password. (Required: Yes)
Password - If a manual password is entered here, any scheduled post-release resets will be canceled, and any subscriber whose password does not match will be scheduled for a mismatch reset. (Required: Yes)
Confirm - Where the manual password is retyped for confirmation. (Required: Yes)
Disable Synch. - If selected, subscriber passwords are not synchronized. This can be used when changing subscriber priority and then forcing a reset; otherwise new subscribers are not synchronized by priority. While synchronization is disabled new subscribers are not scheduled for a mismatch reset if their current password does not match. (Required: No; Default: Off)
Password Rule - The password rule to serve as the default for the synchronized password. The password rule governs the construction requirements for new passwords generated by PPM. (Required: Yes; Default: Default Password Rule)
Description - The description box may be used to provide additional information about the synchronized password, special notes, business owner, etc. (Required: No)
Notification Email - The email address specified in this box receives email notifications when a password is released without approval, and scheduled password changes for manually managed accounts. (Required: No)
Default ISA Rel. Duration - The duration for an ISA release may be specified up to a maximum of 21 days. This is the amount of time that transpires between the initial ISA retrieval and the automatic reset of the password (if enabled). If 0 is entered the ISA retrieval of a password will not trigger a post release reset of the password. (Required: No; Default: 2 Hours)
Next Change Date - Schedule an account password to be changed at a specific date/time. Overrides password change profile schedule. Password mismatch, post release reset, and force resets will still be processed as they occur. (Required: No)
Use the check profiles on the subscribed accounts - If selected, the password check profile assigned to each subscriber will be used instead of the password check profile listed below. (Required: No; Default: Off)
Password Check Profile - Select a password check profile from the list to determine the rules for how the password is checked for the synchronized password. The password check profiles are configured by the TPAM Administrator. See Password Profiles for more details. (Required: Optional)
Password Change Profile - Select a password change profile from the list to determine the rules for how the password is changed on the synchronized password. The password change profiles are configured by the TPAM Administrator. See Password Profiles for more details. (Required: Yes)
Candidates tab
The table below explains all of the options available on the candidates tab:
Table 77. Synchronized Password Management: Candidates tab options
Field - Description
Candidate Name - System name and account name of the candidate. Only accounts that are auto-managed or manually managed are eligible.
Account Auto - Management setting for the account.
Network Address - Network address for the account.
Platform - System platform for the account.
Select - If selected the account becomes a member of the synchronized password.
Priority Level - Number entered here represents the order that the Synch Pass Change agent uses to
synchronize the subscribers. Only auto-managed accounts can be assigned a priority level. The agent
attempts to synchronize the prioritized subscribers from lowest to highest. If any subscribers fail to
synchronize then the process stops, and the agent does not attempt to process any other subscribers.
Next, any auto-managed non-prioritized accounts are synchronized. Any non-prioritized accounts that fail
to synchronize are scheduled through the regular password change agent. Then any manually managed
accounts get put in the manual password notification queue. If the subscriber is in the regular change
queue any ISA or Administrator can force a password reset through the password management page or
account management listing page.
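The subscriber ordering described under Priority Level, as an added example that is not TPAM code: it follows the three phases the table gives (prioritized auto-managed subscribers from lowest to highest level, stopping at the first failure; then non-prioritized auto-managed subscribers, with failures handed to the regular change agent; then manually managed subscribers queued for manual notification). Reading the stop as ending the whole run, the Subscriber and SyncRun records, and the `attempt` callback that stands in for the real password change are this example's own assumptions.

```python
"""Ordering the Synch Pass Change agent follows when synchronizing subscribers.

Added example, not TPAM code. The ordering comes from the Priority Level
description on this page. Reading the stop after a prioritized failure as
ending the whole run, the Subscriber/SyncRun records and the 'attempt'
callback (which stands in for the password change on the managed system)
are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Subscriber:
    name: str                       # "system\\account"
    auto_managed: bool              # False means manually managed
    priority: Optional[int] = None  # Priority Level; auto-managed accounts only


@dataclass
class SyncRun:
    synchronized: list[str] = field(default_factory=list)
    stopped_at: Optional[str] = None   # prioritized subscriber whose failure halted the run
    not_attempted: list[str] = field(default_factory=list)
    regular_change_queue: list[str] = field(default_factory=list)
    manual_notification_queue: list[str] = field(default_factory=list)


def run_synch_agent(subscribers: list[Subscriber],
                    attempt: Callable[[Subscriber], bool]) -> SyncRun:
    """Process one synchronized password's subscribers in the documented order."""
    for s in subscribers:
        if s.priority is not None and not s.auto_managed:
            raise ValueError(f"{s.name}: only auto-managed accounts can have a priority level")

    prioritized = sorted((s for s in subscribers if s.auto_managed and s.priority is not None),
                         key=lambda s: s.priority)
    unprioritized = [s for s in subscribers if s.auto_managed and s.priority is None]
    manual = [s for s in subscribers if not s.auto_managed]
    run = SyncRun()

    # Phase 1: prioritized subscribers, lowest level first. A failure stops
    # the agent; nothing after it is attempted in this run (assumption).
    for index, s in enumerate(prioritized):
        if attempt(s):
            run.synchronized.append(s.name)
            continue
        run.stopped_at = s.name
        run.not_attempted = [x.name for x in prioritized[index + 1:] + unprioritized + manual]
        return run

    # Phase 2: non-prioritized auto-managed subscribers. A failure here does
    # not stop the run; the account goes to the regular password change agent.
    for s in unprioritized:
        if attempt(s):
            run.synchronized.append(s.name)
        else:
            run.regular_change_queue.append(s.name)

    # Phase 3: manually managed subscribers are queued for manual notification.
    run.manual_notification_queue = [s.name for s in manual]
    return run


if __name__ == "__main__":
    # Constructed subscriber set: two prioritized, one non-prioritized, one manual.
    sample = [
        Subscriber("web01\\svc_app", True, priority=2),
        Subscriber("db01\\svc_app", True, priority=1),
        Subscriber("app02\\svc_app", True),
        Subscriber("legacy\\svc_app", False),
    ]
    print(run_synch_agent(sample, lambda s: s.name != "app02\\svc_app"))
```

The `stopped_at` and `not_attempted` fields make the first-phase behaviour visible: a single failing prioritized subscriber leaves every later subscriber out of synch until the problem is fixed or an ISA or Administrator forces a reset, which is why priority levels should be reserved for accounts that genuinely must change first.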
Subscriber status tab
The table below explains all of the options available on the subscriber status tab:
Table 78. Synchronized Password Management: Subscriber Status tab options
Field - Description
Subscriber Name - System name and account name of subscriber.
Network Address - Network address for the system.
Platform - Platform for the system.
Unsubscribe / Priority - If unsubscribe is selected and changes saved, the subscriber is removed from the synchronized password. Priority level can be edited and saved here.
Password Status - Password will either be current or out of synch. If the password is out of synch then the Synch Now button will be available to force an immediate synchronization.
Pending Change - Displays status if password is in the regular change queue.
Pending Check - Displays status if password is in the regular check queue.
Logs tab
The logs tab contains three sub-tabs that provide detailed password history for the subscribers of the
synchronized password. The following table explains the sub-tabs. The time displayed on the logs is in server
time (UTC).
Table 79. Synchronized Password Management: Logs tab sub-tabs
Tab - Description
Filter - This filter tab can be used to specify your search criteria in any of the other log tabs.
Change Log - Provides details on password change history.
Test Log - Provides details on password test activity.
Release Log - Provides details on password release history.
Dependent Change Log - Only visible if account resides on Windows® Domain Controller with dependent systems assigned. Provides details on changes of the domain account.
Change Agent Log - Provides details on change agent log records for the accounts that have occurred after a 2.3+ TPAM upgrade.
Add synchronized password
To add a new synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Add Synchronized Password from the menu.
2 Enter information on the details tab. For more information see Details tab.
3 Click the Save Changes button.
Add subscriber to a synchronized password
To add a subscriber to a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Add Subscribers button.
6 Enter your search criteria on the Filter tab.
NOTE: Only auto-managed accounts can be subscribers to a synchronized password.
7 Click the Candidates tab.
8 Select the Select check box to add candidates to the synchronized password. For more information see Candidates tab.
IMPORTANT: If you add one or more accounts belonging to a System Template as subscribers, any
new systems added to TPAM using that template will automatically have those accounts be
subscribers to this synchronized password.
9 Enter a Priority Level for subscribers. (Optional)
10 Click the Save Changes button.
Remove a subscriber from a synchronized password
To remove a subscriber/s from a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Subscriber Status tab.
6 Select the Unsubscribe check box for any subscribers to be removed.
7 Click the Save Changes button.
NOTE: Any accounts removed from the synchronized password will be immediately scheduled for a
password reset.
Delete a synchronized password
To delete a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: After the synchronized password is deleted the subscribers revert to the Password Management
settings that they had prior to becoming a subscriber.
Force reset of synchronized password
To schedule a forced reset of a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Reset Password button.
27 Scheduled Reports
• Introduction
• Enable/disable scheduled reports
• Send scheduled reports to archive server
• Subscribe/unsubscribe to scheduled reports
• Add/remove additional recipients to scheduled reports
• View scheduled reports
• Resubmit scheduled reports
Introduction
Scheduled reports (also known as Batch Reports) are standard reports available in TPAM. The TPAM
Administrator configures these reports to automatically run on a daily, or weekly basis. The reports are run by
the Daily Maintenance job which is configured in the /admin interface. The reports are stored on the appliance
and can be emailed to designated subscribers or sent directly to an archive server. Only Administrators and
Auditors can view these reports from the TPAM interface. Additional users can be configured to receive these
reports via email.
Enable/disable scheduled reports
Administrators can enable or disable which scheduled reports can be subscribed to. On a new TPAM appliance all
reports will be disabled by default.
NOTE: The run time for these reports is controlled by the daily maintenance start time that is configured
by the System Administrator in the admin interface.
To enable/disable scheduled reports:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Next to each report select one of the following from the far right hand column:
• Disabled - the report will not run.
• HTML Only - only the HTML version of the report will run.
• CSV Only - only the CSV version of the report will run.
• HTML & CSV - CSV and HTML versions will be run.
• XML Only - the report will only be run in XML format.
3 Click the Save Changes button.
NOTE: If any option other than Disabled is selected the XML file is always generated (a zero byte file will
be generated even if no data is reported).
IMPORTANT: The Entitlement reports are very resource intensive and can cause severe performance
degradation for online users during the daily report cycle. If the reports will be used on a daily basis it is
recommended that only the versions required are enabled. It is very common for these reports to be over
1 million rows and customers have found that the CSV files are more manageable.
Send scheduled reports to archive server
To have scheduled reports automatically sent to an archive server:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select an archive server from the list. An archive server must be already configured in TPAM by the System Administrator to display in this list.
3 Click the Save Changes button.
Subscribe/unsubscribe to scheduled reports
Only Administrators and Auditors have permission to edit report subscriptions.
To subscribe/unsubscribe to Scheduled Reports:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 In the Subscribed column select one or more of the output options (HTML, CSV or XML) for the reports you want to subscribe to.
3 Clear the HTML, CSV or XML check boxes in the Subscribed column for the reports you want to unsubscribe from.
4 Select the Zip check box to zip all subscribed formats of the report into one file to be emailed.
5 Click the Save Changes button.
NOTE: When the select list does not include a format that is selected in the Subscribed column, the
selection will be highlighted in red.
Add/remove additional recipients to scheduled reports
Only Administrators and Auditors can view Scheduled Reports from the TPAM interface. Additional users can be
configured to receive these reports via email.
To add additional recipients:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Enter the email address for the additional recipient in the EmailAddress box.
5 Select the report format/s from the Type list. If None is selected, the recipient will receive an email informing them that the report has been generated, but without an attachment.
6 Select the Zip check box to zip all subscribed formats into one file that will be emailed.
7 Click the Add New Recipient button.
8 Repeat steps 4 through 6 for any additional email addresses.
To delete additional recipients:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Click the Delete button in the Action column next to the recipient you want to remove.
To edit a recipient’s email address:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Edit the address in the EmailAddress box.
5 Click the Update button in the Action column.
View scheduled reports
Scheduled Reports are generated daily by TPAM and stored internally. These reports are available for viewing by
any administrator or auditor user. Stored reports are retained for a period of time specified by the System
Administrator.
NOTE: The date and timestamp on the stored reports is server time.
To view scheduled reports that have run:
1 Select Reports | Scheduled Reports | Browse Stored Reports from the menu.
2 Select the date by clicking the hyperlink, formatted yyyymmdd.
3 The reports run on that date will be displayed. Click the hyperlink for the report you want to view.
4 Select Open to view the report immediately or Save to save the report.
Resubmit scheduled reports
The System Administrator has the ability to resubmit batch report runs for a prior date. Once the report run has
been resubmitted, the reports can be viewed on the same page as the daily report runs. See the procedure
above.
To resubmit a batch report run:
1 Log on to the /admin interface of TPAM. (accessible to system administrators)
2 Select System Status / Settings | Resubmit Batch Reports from the menu.
3 Enter the date to rerun the batch reports for.
4 Click the Resubmit button.
NOTE: When scheduled report runs are resubmitted, the new run date and time is appended to the end of
the file name. For example, if you rerun the 10/1/2011 reports on 11/13/2011 at 1 pm, the filename will
be 20111001_20111113_130000.
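Parsing of the stored-report names used in the two procedures above, as an added example that is not TPAM code: it assumes only what the page states, that stored runs are browsed by a yyyymmdd date and that a resubmitted run has the rerun date and time appended (20111001_20111113_130000 for the 10/1/2011 reports rerun on 11/13/2011 at 1 pm). The StoredRun record and the grouping helper, which keeps the most recent run for each report date when an archive listing contains both the original and a resubmitted run, are this example's own.

```python
"""Parsing of stored-report date links and resubmitted run names.

Added example, not TPAM code. From the page: stored report runs are browsed
by a date hyperlink formatted yyyymmdd, and a resubmitted run carries the
rerun date and time appended (20111001_20111113_130000). The StoredRun
record and the grouping helper are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, Optional

# yyyymmdd, optionally followed by _yyyymmdd_HHMMSS for a resubmitted run.
_RUN_NAME = re.compile(r"^(?P<report>\d{8})(?:_(?P<rerun>\d{8})_(?P<time>\d{6}))?$")


@dataclass(frozen=True)
class StoredRun:
    name: str
    report_date: date              # the day the reports cover
    rerun_at: Optional[datetime]   # None for the original daily run

    @property
    def is_resubmitted(self) -> bool:
        return self.rerun_at is not None


def parse_run_name(name: str) -> StoredRun:
    """Turn a stored-report name into its report date and optional rerun time."""
    match = _RUN_NAME.match(name)
    if match is None:
        raise ValueError(f"unrecognised stored report name: {name!r}")
    report_date = datetime.strptime(match["report"], "%Y%m%d").date()
    rerun_at = None
    if match["rerun"]:
        rerun_at = datetime.strptime(match["rerun"] + match["time"], "%Y%m%d%H%M%S")
    return StoredRun(name, report_date, rerun_at)


def latest_run_per_date(names: Iterable[str]) -> dict[date, StoredRun]:
    """For each report date keep the most recent run, original or resubmitted."""
    latest: dict[date, StoredRun] = {}
    for name in names:
        run = parse_run_name(name)
        current = latest.get(run.report_date)
        # An original run counts as older than any resubmitted run of the same date.
        if current is None or (run.rerun_at or datetime.min) > (current.rerun_at or datetime.min):
            latest[run.report_date] = run
    return latest


if __name__ == "__main__":
    # Constructed listing: an original run, its resubmission, and another day.
    listing = ["20111001", "20111001_20111113_130000", "20111002"]
    for report_day, run in sorted(latest_run_per_date(listing).items()):
        print(report_day, run.name, "resubmitted" if run.is_resubmitted else "original")
```

Because the timestamps on stored reports are server time, the parsed `rerun_at` is naive; attach the appliance's timezone before comparing it with timestamps from other systems.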
28 Password Requests
• Introduction
• Request a password
• Email notification
• View submitted password requests
• Access the password
• Access past passwords
• Cancel/expire a password request
Introduction
System account passwords that are configured using Privileged Password Manager can be released by submitting
a password request. The request will either require approval by one or more TPAM users, or be auto-approved,
based on how the account is configured. This process ensures the security of the system account password,
provides accountability, and provides dual control over the system accounts.
Request a password
To request a password:
1 Select Request | Password | Add Request from the main menu.
2 To request a password on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the password request. When selecting multiple accounts in one request, the request time and release duration will be the same for all accounts requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 80. Password Request Management: Details tab fields
Field name - Description
Request Immediate - Select this check box to immediately request the password.
Date/Time Required - To have a password released on a future date and time, enter the date and time when the password is required. Enter the time in the user's local time.
Requested Duration - The requested duration is the period of time that the password(s) is available for release. The default requested duration will be pulled from the access policy or account setting. Once the request is saved this duration is added to the requested release date to determine the request expiration date. Valid parameters for release durations are from 15 minutes to 21 days, in 15 minute increments; however, the effective valid parameter for the maximum allowable release request duration is the value configured for maximum release duration at the account level. When requesting passwords for multiple accounts together, the Requested Duration defaults to the shortest "Default Duration" for all accounts listed on the request.
Reason Code - Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional, required, or not allowed depending on how they are configured.
Request Reason - Used to provide a brief description of the reason for the password release. May be optional, required or not allowed, depending on configuration.
Ticket System - May be required, based on configuration. Any boxes on the request highlighted in red require a ticket system to be chosen from the list.
Ticket Number - May be required, based on configuration. If the ticket number fails validation when the request is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and a warning message is presented at the bottom of the
page.
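The Requested Duration rules from Table 80, as an added example that is not TPAM code: durations run from 15 minutes to 21 days in 15-minute increments, the effective ceiling is the maximum release duration configured on the account, the expiration is the requested release date plus the duration, and a multi-account request defaults to the shortest Default Duration of the accounts on it. Taking the smallest account-level maximum as the ceiling for a multi-account request (the page says the duration is the same for all accounts on a request but does not spell this out), the AccountRelease record and the error texts are this example's own.

```python
"""Requested Duration checks for a password request, following Table 80.

Added example, not TPAM code. Rules from the page: 15 minutes to 21 days in
15-minute increments, capped by the account's maximum release duration, with
the expiration equal to the release date plus the duration, and a multi-account
request defaulting to the shortest Default Duration. Using the smallest
account-level maximum for a multi-account request, the AccountRelease record
and the error texts are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_MINUTES = 15
STEP_MINUTES = 15
MAX_MINUTES = 21 * 24 * 60  # 21 days


@dataclass(frozen=True)
class AccountRelease:
    system: str
    account: str
    default_minutes: int   # the account's Default Duration
    max_minutes: int       # Maximum Release Duration configured on the account


def default_requested_minutes(accounts: list[AccountRelease]) -> int:
    """Shortest Default Duration among the accounts on the request."""
    if not accounts:
        raise ValueError("a request needs at least one account")
    return min(a.default_minutes for a in accounts)


def effective_max_minutes(accounts: list[AccountRelease]) -> int:
    """21-day ceiling, tightened to the smallest account-level maximum (assumption)."""
    if not accounts:
        raise ValueError("a request needs at least one account")
    return min(MAX_MINUTES, min(a.max_minutes for a in accounts))


def validate_requested_minutes(requested: int, accounts: list[AccountRelease]) -> list[str]:
    """Return every rule the requested duration breaks; an empty list means acceptable."""
    problems: list[str] = []
    if requested < MIN_MINUTES:
        problems.append(f"{requested} min is below the {MIN_MINUTES} minute minimum")
    if requested % STEP_MINUTES:
        problems.append(f"{requested} min is not a multiple of {STEP_MINUTES} minutes")
    cap = effective_max_minutes(accounts)
    if requested > cap:
        problems.append(f"{requested} min exceeds the effective maximum of {cap} minutes")
    return problems


def expiration(release_at: datetime, requested: int) -> datetime:
    """Request expiration: requested release date/time plus the duration."""
    return release_at + timedelta(minutes=requested)


if __name__ == "__main__":
    # Constructed request covering two accounts with different account-level settings.
    accounts = [
        AccountRelease("db01", "oracle", default_minutes=120, max_minutes=480),
        AccountRelease("web01", "root", default_minutes=60, max_minutes=240),
    ]
    wanted = default_requested_minutes(accounts)
    print("default duration:", wanted, "min; problems:", validate_requested_minutes(wanted, accounts))
    print("expires:", expiration(datetime(2011, 10, 1, 9, 0), wanted))
    print("300 min:", validate_requested_minutes(300, accounts))
```

The validator reports every failing rule rather than the first one, which is what a requester needs to correct a request in one pass; the account with the tightest maximum decides the ceiling for the whole request.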
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same time period or the requestor decides to cancel the request prior to accessing the password. The request will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the password has passed or the requestor is done accessing the password and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
To add accounts to a request once it has already been submitted:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to add accounts to.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box on the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.
Email notification
Once a password request is submitted, the requestor receives an email notification when the request is
approved, denied, or automatically cancelled as a result of a request conflict.
If a password request is submitted and does not require any approvals, the request is auto-approved and can be
accessed immediately.
View submitted password requests
To view requests that have been submitted:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Password - If enabled, displays the password for the account.
Access the password
Once a request is approved to view the account password:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Password tab. The password will be displayed. Depending on how your TPAM is configured the password will display in one of three ways:
a The password will be revealed on the screen. To copy and paste the password, click the mouse once over the password which will automatically select the password.
b The Reveal Password button can be clicked to reveal the password or the password can be copied to the clipboard without displaying it on the screen.
c You must put your mouse in the designated area, and press the Ctrl-C keys to copy the password to a clipboard.
The password can be displayed by the requestor as often as necessary during the release duration period.
Password reset during release window
While a requestor has an active release duration window, three possible circumstances could cause the
password to be changed by TPAM during that time:
• The configured Default Change Setting for the account occurs during the release window. For example, if the password is to be changed every 30 days which happens to occur while a requestor has a password. This scenario can be prevented by selecting Do not automatically change the password while a release is active on the account details management tab.
• The ISA post-release reset interval has occurred. In this case, an ISA may have recently retrieved the password and it is being reset because the configured interval for that action has expired. This scenario can be prevented by selecting Do not automatically change the password while a release is active on the account details management tab.
• The ISA or the Administrator has forced a reset of the password.
The requestor should try and access the password at a later time.
Access past passwords
A requestor can access past passwords if the access policy assigned to their user ID has this option selected for
the account being requested.
To access past passwords:
1 Submit a password request following the normal procedure.
2 After the request is approved click on the Passwords tab.
3 On the left of the Password tab date ranges will be listed for passwords. Select a date range and the password for that date range will be displayed on the right side of the screen.
Cancel/expire a password request
A password request can be cancelled by the requestor if the status is Pending Approval. Once approved, a
password request can be expired to immediately end the release duration. Expiring a request early makes the
account available for request for other users and immediately queues the password for a reset (if so
configured).
To cancel/expire a password request:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Cancel/Expire Reason box.
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable accounts.
8 Click the Save Changes button.
29 Data Extracts
• Introduction
• Configure data extracts
• Enable/disable a data extract schedule
• Data extract logs
• Customize data extract dataset file names
Introduction
Data extracts are defined data sets that can be extracted from TPAM on a scheduled basis and automatically
transferred to a pre-configured Archive server.
Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text editor. Information that
may be extracted includes lists of systems, accounts, users, etc. and many logs of user activity and entitlement.
The extracted files are compressed (ZIP file format) and named with a date and time stamp.
Data extracts are configured much in the same way as TPAM system backups. The extracts can be set to occur
daily, weekly or monthly at a specific time.
Configure data extracts
Up to five different data extract schedules can be configured. Repeat the procedure below as needed to
configure multiple data extract schedules.
To configure a data extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select one of the Schedule Names from the Schedule tab and click the Details tab.
3 Edit the Schedule Name. (optional)
4 Select the Enabled check box to enable the data extract schedule.
5 Select the Zip check box to have the extract files saved in a zip file format. (optional)
6 To have the file formatted differently than comma delimited, type another format in the Delimiter box. If left blank, tab is the default. (optional)
7 Set the frequency for the data extract run:
• Daily
• Weekly - select day/s of the week.
• Monthly - choose First, Last, or specific Day of the Month.
8 Enter the time when the extraction is to start running. Time must be entered in 24 hour format.
9 Select the archive server where the data is to be transferred. The TPAM System Administrator is responsible for configuring the Archive Servers.
10 Select All or Failed and enter the email address of the recipient who is to receive data extract results. (optional)
11 Click the Data Sets tab.
12 Select the Enabled? check box to add the Data Set as part of the scheduled extract.
13 Select the Column Headings? check box to have column headings included in the CSV file results. (optional)
14 Click the Save Changes button.
The Password Release Activity and Password Update Activity data extracts will pull the last 24 hours of activity.
The Activity Log, Password Release Log and SysAdmin Activity Log data extracts will pull data based on the
number of days configured as the retention period in global settings.
Enable/disable a data extract schedule
To enable/disable a Data Extract Schedule:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select the schedule you want to enable/disable.
3 Click the Details tab.
4 Select/Clear the Enabled check box.
5 Click the Save Changes button.
To immediately kick off a Data Extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Start button.
Data extract logs
The data extract log tab displays the logged results of each scheduled extraction.
To view a data extract log:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Log tab.
4 Enter filter criteria on the Filter tab.
5 Click the Data Extract Log tab.
To clear data extract log/s:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 To clear a specific log, select the schedule from the list and click the Clear Log button.
3 To clear all the logs, click the Clear Log button without selecting a specific schedule from the list.
Customize data extract dataset file names
The procedure below describes how to customize the default file names for the dataset extract results. The customized file names apply to all the schedules that are configured.
To customize dataset file names:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Click the Dataset Filenames tab.
3 Place your cursor in the FileName box and rename the file, for each of the file names to be changed.
4 Click the Save Filename Changes button.
30
TPAM CLI IDs
• Introduction
• Add a TPAM CLI ID
• Connect PSM account to TPAM CLI ID
• Delete a TPAM CLI ID
Introduction
In some cases it might be necessary to use an account for PSM authentication that is managed by another, independent TPAM device. An example use case is an MSP managing systems for several customers, some of which (financial institutions, for example) require their password data to be stored in a physically separate database. This can be accomplished by using TPAM CLI IDs.
A CLI user ID is a special account used to access TPAM remotely via the CLI (command line interface). TPAM CLI IDs may be defined to TPAM and used to access passwords that are stored and managed on a remote TPAM appliance.
Add a TPAM CLI ID
In this example a TPAM CLI ID will be set up on TPAM01 and TPAM02 will use the account for PSM log on for an account managed by TPAM01.
Add a CLI user ID on TPAM01:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter the user details, clear the Allow Web Access check box on the Web tab and select CLI key based authentication on the Key Based tab.
3 Click the Save Changes button.
4 Click the Download key button to download and save the key.
To add a TPAM CLI ID on TPAM02:
1 Select Management | TPAM CLI IDs | Add TPAM CLI ID from the menu.
2 Enter the CLI user ID configured on the remote TPAM appliance.
3 Enter a name to identify the TPAM appliance hosting the CLI ID.
4 Enter the IP address or FQDN of the TPAM primary appliance.
5 Paste the contents of the DSS key into the DSS Key box. This is the private key that was downloaded from TPAM when the specified CLI user ID was created.
6 Click the Save Changes button.
7 To test connectivity to the remote TPAM appliance with the CLI ID click the Test button.
Connect PSM account to TPAM CLI ID
To connect the PSM account to the TPAM CLI ID:
1 Add the system in TPAM02 you need to connect to via PSM.
2 Add the account you want to use for PSM.
3 Click on the PSM Details tab.
4 Select User Remote TPAM CLI.
5 In the list select the TPAM CLI ID you created.
6 Click the Save Changes button.
When initiating a session for this account, TPAM02 will now log on to TPAM01 and request the password for the account (qsrv_qppm in this example), which is managed by TPAM01, and use it to authenticate the session. After the session, the password will be checked back in to TPAM01 and will be changed.
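A check worth running on the downloaded key before pasting it into the DSS Key box, as an added Python example that is not TPAM code: it confirms the pasted text is a private rather than public key and reads the key algorithm, parsing the openssh-key-v1 container when the key is in that format. The sample keys it builds are constructed dummies, not real TPAM output. One caveat from outside TPAM: OpenSSH has disabled ssh-dss in its client by default since version 7.0 and removed it in 10.0, so the Test button on TPAM02 is the reliable connectivity test, not a workstation ssh.

```python
"""Classify key text before pasting it into TPAM02's DSS Key box.

Added example, not TPAM code. TPAM02 authenticates to TPAM01's CLI with
the *private* key downloaded when the CLI user ID was created; this tells
private from public key text and reads the algorithm out of it. Sample
keys are constructed dummies. OpenSSH disabled ssh-dss by default in 7.0
and removed it in 10.0, so a workstation ssh may refuse a key TPAM accepts.
"""
from __future__ import annotations

import base64
import struct

PEM_PRIVATE = {
    "-----BEGIN DSA PRIVATE KEY-----": "ssh-dss",
    "-----BEGIN RSA PRIVATE KEY-----": "ssh-rsa",
    "-----BEGIN EC PRIVATE KEY-----": "ecdsa",
}
PUBLIC_PREFIXES = ("ssh-dss", "ssh-rsa", "ssh-ed25519")


def _read_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def openssh_private_key_type(armored: str) -> str:
    """Return the key type named in an OPENSSH PRIVATE KEY block."""
    body = "".join(l for l in armored.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    for _ in range(3):                  # ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    off += 4                            # number of keys (uint32)
    pubkey, _ = _read_string(blob, off)  # first public key blob
    key_type, _ = _read_string(pubkey, 0)
    return key_type.decode()


def classify_key(text: str) -> dict:
    """Return {'private': bool, 'type': str, 'warning': str | None}."""
    first = text.strip().splitlines()[0].strip()
    if first in PEM_PRIVATE:
        private, ktype = True, PEM_PRIVATE[first]
    elif first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        private, ktype = True, openssh_private_key_type(text)
    elif first.split(" ")[0] in PUBLIC_PREFIXES or first.startswith("ecdsa-"):
        private, ktype = False, first.split(" ")[0]
    else:
        raise ValueError("unrecognized key material")
    warning = None
    if not private:
        warning = "public key pasted; TPAM02 needs the downloaded private key"
    elif ktype == "ssh-dss":
        warning = ("ssh-dss is disabled by default in OpenSSH >= 7.0; "
                   "verify with TPAM's Test button, not a workstation ssh")
    return {"private": private, "type": ktype, "warning": warning}


def build_sample_openssh_key(key_type: str = "ssh-dss") -> str:
    """Constructed openssh-key-v1 container with dummy key bytes (demo only)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    pub = s(key_type.encode()) + s(b"\x00" * 8)
    blob = (b"openssh-key-v1\x00" + s(b"none") + s(b"none") + s(b"")
            + struct.pack(">I", 1) + s(pub) + s(b"\x00" * 16))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *lines,
                      "-----END OPENSSH PRIVATE KEY-----"])


if __name__ == "__main__":
    print(classify_key(build_sample_openssh_key()))
    print(classify_key("ssh-dss AAAAB3NzaC1kc3MAAACB constructed-public-key"))
```

Only the unencrypted container header is parsed; a passphrase-protected openssh-key-v1 key still reports its type because the public key blob precedes the encrypted section.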
Delete a TPAM CLI ID
To delete a TPAM CLI ID:
1 Select Management | TPAM CLI IDs | Manage TPAM CLI IDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the CLI ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
31
Approve/Deny Password Request
• Introduction
• Approve/deny password request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a password request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
Approve/deny password request
The requested date/time of the request will be displayed to the approver in their local time, as configured for their user ID in TPAM.
To approve/deny a password request:
1 Select Approve/Review | Password Request from the main menu.
2 To approve/deny a request on a specific system/account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 If the request selected is part of a multiple request submission then you also see all the other pending requests that are eligible for your approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this password overlap with the same release duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and the Ticket System is not available for validation at the time the requestor submits the request, this message will appear: “The ticket number was provisionally validated because the ticket system was disabled at the time of the request. Press the Revalidate button to attempt to revalidate the ticket.”
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a password request after it has already been approved or auto-approved. Once denied, the requestor will no longer have access to the password. The requestor receives an email notifying them that the request was denied.
To deny the request:
1 Select Approve/Review | Password Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
32
Review a Password Release
• Introduction
• Review status definitions
• Review a password release
• Provisional ticket validation on a password release
Introduction
Accounts can be configured to have review requirements for password releases once the release duration has
expired. Users eligible to review password releases receive email notification to alert them of pending reviews.
Review status definitions
The table below explains the different possible password release review statuses.
Table 81. Password release review statuses
Pending - An authorized reviewer is still required to complete the review process.
Completed - All the required reviewers have clicked the Complete My Review button.
Overdue - A reviewer has not reviewed the password release within the required time period.
On the Password Release for Review listing tab there is a column labeled Review Started. If the value is Y, at least one review comment has been submitted. If the value is N, no review comments have been submitted. If the value is - (dash) then the review is complete.
Review a password release
To review a password release:
1 Select Review | Password Releases from the main menu.
2 To review a password release for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the Request ID to review.
5 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review requirements at the time the password request was submitted.
6 Click the Reviews tab to see any review comments made.
7 Click the Releases tab to see if past passwords were accessed.
8 Click the Responses tab to see comments that were made when approving this request and comments made by the requestor if they expired the request early.
9 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as configured for their user ID in TPAM.
10 If the password release being reviewed was part of a multi-request, select the Apply Review check box for the appropriate row.
11 To enter a comment before officially marking the release as reviewed, enter a comment in the Review Comment box and click the Save My Review Comment button. (optional) Every time a comment is submitted the Reviews Submitted count increases.
12 To mark the review as complete, enter a review comment and click the Complete My Review button.
Provisional ticket validation on a password release
If the required ticket system for this account has “provisional validation” enabled in the admin interface and
the ticket system was not available for validation at the time the requestor submitted the request, you see the
following message note on the review details tab:
“The ticket number listed above was provisionally validated because the Ticket System was disabled at the time
of the request.”
A reviewer does not have the ability to retroactively check for ticket validation.
33
Session Requests
• Introduction
• Request a session
• Email notification
• View submitted session requests
• Cancel/expire a session request
Introduction
Systems that are configured using Privileged Session Manager can be accessed remotely by submitting a session
request. The request will either require approval by one or more TPAM users, or be auto-approved, based on
how the account is configured. The activity during the session will be recorded and can be played back by
authorized users.
Request a session
To request a session:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the check box next to each account to be included in the session request. When selecting multiple accounts in one request, the request time and release duration will be the same for all accounts requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting a REQ permission to the account, the account will be listed multiple times on the Accounts listing tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 82. Session Request Management: Details tab options
Request Immediate - Select this check box to immediately request the session.
Date/Time Required - To conduct a session on a future date and time, enter the date and time when the session is required. Enter the time in the user’s local time.
Requested Duration - The requested duration is the period of time that access to the remote system/s is available. The default requested duration is pulled from the access policy or account setting. Once the request is saved this duration is added to the requested release date to determine the request expiration date. This should be taken into consideration when selecting the request duration: if the request is not approved quickly, the duration available to the requestor could be considerably shorter than that specified. When expired, the session is no longer available to the requestor. The session is not terminated or interrupted, but after it has been closed the user can no longer restart it. When requesting sessions for multiple accounts together, the Requested Duration cannot exceed the shortest “default duration” of all accounts listed on the request. Also the “Maximum Duration” is never greater than the “Max Session Duration” configured by the System Administrator in Global Settings.
NOTE: If you will be conducting a file transfer during the session, the session duration must include the time that it takes for the file transfer to complete.
Reason Code - Reason codes appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional or required, depending on how they are configured.
Request Reason - Used to provide a brief description of the reason for the session request. May be optional, required or not required, depending on configuration.
Ticket System - May be required, based on configuration. Any boxes on the request highlighted in red require a ticket system to be chosen from the list.
Ticket Number - May be required, based on configuration. If the ticket number fails validation when the request is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page: “There are not enough individuals authorized to approve the request.”
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same time period, or the requestor decides to cancel the request prior to connecting to the remote system. The request will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the session has passed or the requestor is done conducting the session and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.
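The timing and validation rules from the Details tab description and the status list above, as an added Python model that is not TPAM’s implementation: it caps the requested duration at the shortest account default and the global maximum, fixes the expiration at the requested time plus duration so a slow approval eats into the usable window, rejects a request without enough eligible approvers, cancels a request that overlaps an already approved request for the same account, and sets the post-approval status. Treating a minimum of zero approvers as auto-approval, capping rather than rejecting an over-long duration, and defining a conflict as per-account overlap are assumptions; the account names and times are constructed.

```python
"""Model of the session-request rules described above.

Added example, not TPAM's implementation. Assumptions: min_approvers == 0
means auto-approval; an over-long Requested Duration is capped rather than
rejected; a conflict is an overlap with an approved request for the same
account. Sample names and times are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    name: str
    default_duration: timedelta      # per-account / access-policy default
    min_approvers: int
    eligible_approvers: int


@dataclass
class SessionRequest:
    accounts: list[Account]
    requested_at: datetime           # 'Date/Time Required', or submit time if immediate
    duration: timedelta              # 'Requested Duration' after capping
    status: str = "Pending Approval"
    expires_at: datetime = field(init=False)

    def __post_init__(self) -> None:
        # Expiry is fixed when the request is saved and never moves.
        self.expires_at = self.requested_at + self.duration


def approve(req: SessionRequest, now: datetime) -> SessionRequest:
    """Approval sets the status but does not move the expiry."""
    if now >= req.expires_at:
        req.status = "Expired"
    elif now < req.requested_at:
        req.status = "Approved"          # approved, start time still in the future
    else:
        req.status = "Active/Approved"   # approved and inside the release window
    return req


def submit(accounts: list[Account], requested_at: datetime, duration: timedelta,
           max_session_duration: timedelta, approved: list[SessionRequest],
           now: datetime | None = None) -> SessionRequest:
    """Apply the submission rules: approvers, duration cap, conflicts, auto-approval."""
    if not accounts:
        raise ValueError("no accounts selected")
    if any(a.eligible_approvers < a.min_approvers for a in accounts):
        raise ValueError("There are not enough individuals authorized to approve the request.")
    # Shortest account default and the global Max Session Duration both cap the request.
    cap = min([a.default_duration for a in accounts] + [max_session_duration])
    req = SessionRequest(accounts, requested_at, min(duration, cap))
    names = {a.name for a in accounts}
    for other in approved:
        same_account = bool({a.name for a in other.accounts} & names)
        overlaps = requested_at < other.expires_at and other.requested_at < req.expires_at
        if same_account and overlaps:
            req.status = "Canceled"
            return req
    if all(a.min_approvers == 0 for a in accounts):
        approve(req, requested_at if now is None else now)   # auto-approved
    return req


def usable_window(req: SessionRequest, now: datetime) -> timedelta:
    """Time left in which the requestor can still (re)start the session."""
    start = max(now, req.requested_at)
    return max(req.expires_at - start, timedelta(0))


if __name__ == "__main__":
    acct = Account("root@db01", timedelta(hours=2), min_approvers=1, eligible_approvers=2)
    t0 = datetime(2017, 3, 1, 9, 0)
    r = submit([acct], t0, timedelta(hours=4), timedelta(hours=8), approved=[])
    print(r.duration, r.expires_at)        # capped to 2h, expires 11:00
    approve(r, t0 + timedelta(minutes=90))
    print(r.status, usable_window(r, t0 + timedelta(minutes=90)))   # 30 min left
```

The point the model makes concrete is the one the Requested Duration description warns about: approval at 10:30 of a 2-hour request for 09:00 leaves 30 minutes, not 2 hours.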
To add accounts to a request once it has already been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box on the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.
Email notification
Once a session request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a session request is submitted and does not require any approvals, the request is auto-approved and the
requestor can immediately start the session by clicking the Connect button.
View submitted session requests
To view requests that have been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Connect Options - If enabled can be used to change settings such as keyboard language mapping for the session.
Cancel/expire a session request
A session request can be cancelled by the requestor if the status is Pending Approval. Once approved, a session
request can be expired to immediately end the release duration. Expiring a request early makes the account
available for request for other users and immediately queues the password for a reset (if so configured).
To cancel/expire a session request:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Cancel/Expire Reason box.
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable accounts.
8 Click the Save Changes button.
Request a session using a linked account
If your user ID has been set up with linked accounts you can request a PSM session using the :linkedaccount: entry, which lets you select from many different accounts through the linked account.
To request a session using a linked account:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.
4 Select the :linkedaccount: entry.
5 Click the Details tab.
6 Select the account desired for the session request from the Account Name list.
7 Complete and save the request as normal.
34
Approve/Deny Session Request
• Introduction
• Approve/deny session request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a session request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.
Approve/deny session request
The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.
To approve/deny a session request:
1 Select Approve/Review | Session Request from the main menu.
2 To approve/deny a request on a specific system/account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 If the request selected is part of a multiple request submission then you also see all the other pending requests that are eligible for approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this session overlap with the same release duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and the Ticket System is not available for validation at the time the requestor submits the request, you see the following note on the Request Details tab: “The ticket number listed above was provisionally validated because the ticket system was disabled at the time of the request. Press the Revalidate button to attempt to revalidate the ticket.”
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a session request after it has already been approved or auto-approved. If a live
session is being conducted at the time you decide to deny the request that session is automatically terminated.
The requestor receives an email notifying them that the request was denied.
To deny the request:
1 Select Approve/Review | Session Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
35
Start a Remote Session
• Introduction
• Client requirements
• Start a session
• File transfer
• End a session
Introduction
Once a session is approved a user can use TPAM to connect to a remote system. This chapter covers the steps for starting a session and the file transfer options during a session.
Client requirements
Java® version 7 update 45 or higher is required to run the session applet.
IMPORTANT: If the recording session reaches the limit set in Max Recording Size global setting (set by the
TPAM System Administrator), the session is automatically terminated. Warning messages will be sent when
the session reaches 60% of the set limit.
Start a session
To start a session:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Connect Options tab. If you have pre-configured default PSM connection options at the user level, they will default here. Once a session is started, the user defaults are saved for the next time a connection is made. If Use Default Connection Options is selected the options will be reset to the system connection options and not the user defined defaults. Connection options are dependent on the platform, the proxy type and whether a DPA is assigned to the system. Clear the Use Default Connection Options check box to select different session connection options. The connection options selected by the user will persist for this user every time they connect with this account to a session, using the same proxy type. If the proxy type changes the user will have to save their preferred connection settings again in order for them to persist. (optional)
Table 83. Session Request Management: Connection Options
Cache Bitmaps - Turning this on may help responsiveness during a session over a slow network connection.
Compression - Turn on to control compression of the RDP data stream.
Experience - Experience changes default bandwidth performance behavior. Choices are Default (theming is enabled) or 56Kbps (modem).
Keyboard - The keyboard type you want to emulate during the session.
Language - Sets the language (sometimes referred to as locale) on the target system for the session. On most operating systems this changes things like the language used for system menus, alerts, messages, and numeric formats for default date and time.
Mouse Motion - Option to send the mouse motion during the session or not. Not sending the mouse motion can save bandwidth, although some applications may rely on receiving mouse motion.
Putty:Background - Background color choices of black, green, blue or white.
Putty:Foreground - Foreground color choices of grey, black or white.
Putty:Geometry - Select a window size of 80 x 24 or 132 x 24.
Screen Updates - Screen updates can be sent as bitmaps or left at the default of higher level drawing operations.
XTerm:Backspace - If Ctrl-h is selected, then using the Backspace key during the session will perform the same action as Ctrl-h.
XTerm:Del - If Ctrl-d is selected, then using the Delete key during the session will perform the same action as Ctrl-d.
6 Select the desktop display size for the session. (optional)
NOTE: The window display size selection is not saved, and must be reselected before connecting each time.
7 Click the Connect button. The remote session is initiated in a new page. All activity performed by the remote user is logged and recorded. When a session begins, depending on the browser being used, a JNLP pop-up will appear. Click OK to proceed.
NOTE: If a Windows user tries to start a session and receives the error “ExitException: JNLP jar download failure”, go to the Java Control Panel --> General --> Network Settings... and select Direct Connection instead of Use browser settings.
8 Depending upon the configuration for session authentication for the account one of these scenarios occurs:
• The session uses auto-logon with a predefined account and its password.
• The password is provided by TPAM but must be typed in by the user.
• The password is not stored in TPAM and must be typed in by the user.
NOTE: Sessions to remote systems are also subject to the configuration of the access method at the
remote system. Example: if Windows® RDP or Terminal Services is the connection method then the
configuration for disconnected session time outs, maximum connections, and so on, govern certain session
behavior. In addition, troubleshooting problems with connectivity to these systems should include
examining the configuration of the remote system.
Clipboard transfer between the RDP session and the desktop is available if this option was selected at the
account level on the PSM Details tab. The Clipboard transfer feature allows copy/cut and paste of text between
the remote session and the desktop.
If the proxy type for the session is SSH, then the client is PuTTY. When connecting to the session a PuTTY
security warning message will be presented to validate the client machine host keys. Clicking the Accept button
will cache the host key so that this message will not be presented again during the session.
Pressing the Ctrl key and right clicking the mouse will bring up the PuTTY menu. This menu provides options to copy the scroll back buffer, change fonts, and reconfigure other settings.
On the bottom of the PSM session window you will see the system name, account name, keyboard mapping
chosen, password (if display password is selected), the controls menu, session connection status and the size of
any data pasted to the clipboard. The controls menu contains options for hot keys and file transfer.
Controls Menu
The table below explains the options in the Controls menu.
Table 84. Session Request Management: Control Menu
Show Password - If selected, displays the password from the interactive logon.
Hotkeys/Send CTRL+ALT+DEL - Sends CTRL+ALT+DEL to the target.
Hotkeys/Send WIN Key - Sends the Windows key to the target.
Hotkeys/Set Session Clipboard - When recording a session, any time the user clicks anywhere on the session screen, whatever is currently in the local clipboard buffer is automatically sent to the remote session clipboard, making it available for the user to paste in the session. This is part of the VNC/RFB protocol (the client-to-server ClientCutText message). The Set Session Clipboard control allows the user to force a re-send of the ClientCutText message based on what is currently in the local clipboard buffer.
Hotkeys/Send F13 thru F24 - Sends F13 through F24 to the target instead of SHIFT + F1 through F12.
Hotkeys/Convert to ASCII - Can be used to try to assist customers that are using keyboards/languages not yet supported.
File Transfer - Click Open Dialog to begin a file upload or download.
File transfer
Depending on how the account is configured there are options to upload files to the remote system and
download files from the managed system during the session. The time out period for file transfers is 10 hours.
To upload a file:
1 Select Controls Menu | File Transfer | Open Dialog located on the bottom of the session window.
2 Click the Select File button to locate the file or directory to transfer. Repeat this step for each file or directory to upload. As files and/or directories are selected they are displayed in the Selected Files list.
IMPORTANT: There is a 20 GB size limit on any files transferred.
3 To remove a file that was selected by mistake use the Remove Selected or the Remove All buttons as needed. Additionally, files and directories may be selected by simply dragging and dropping them on the Selected Files list.
4 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password required to upload the file.
5 Click the Upload button to start the transfer process. After the transfer is complete the status will be reported as complete in the box at the bottom of the page.
IMPORTANT: The upload process overwrites any existing file(s) if the user has the file system rights to do
so. If the user does not have sufficient rights to an existing file and they attempt to upload a file of the
same name the upload fails.
To download a file:
CAUTION: File downloads can put a big strain on the appliance. If other users start to see performance problems in TPAM the file download could be the cause.
1 Select Controls Menu | File Transfer | Open Dialog on the bottom of the session window.
2 Enter the fully qualified name of the file in the Download File Name box.
3 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password required to download the file.
4 Click the Download button. After the download is complete the status will change to complete in the box at the bottom of the page.
End a session
Once you have completed what you wanted to do on the remote system you can end the session. To end the
session close the session window. A new session can be started until the release duration on the request expires.
36
Session Management
• Introduction
• Session playback controls
• Meta data window
• Replay a session log
• Add a bookmark to a session
• View bookmarks/captured events
• Jump to a bookmark
• Jump to an event
• Monitor a live session
• Terminate a session
Introduction
The session management menu provides access to session logs and the ability to playback sessions.
Session playback controls
To manipulate the playback of a session, the controls at the bottom of the session replay window let the playback speed be changed, ranging from ½ normal speed to 16 times normal speed. Replay may be paused at any point.
The table below defines the functions and display information on the playback tool bar.
Table 85. Playback tool bar options
System Name - The name of the remote system where the session was established.
Account Name - The name of the remote account used to access the system during the session.
Slider Control - Displays the current position of playback, and after the session is paused lets a new position be selected. To reposition session replay, pause the session and position the slider control to the desired spot. Resume playback using the pause control. The session playback moves at maximum speed to the desired playback position.
NOTE: The session time position is based on network packet timestamps. This means that the playback control slider may appear to move in an uneven fashion depending on the ‘data density’ of each packet, especially for very short recorded sessions. If for some period of time there is a minimal amount of activity followed by a flurry of dialog openings and keystroke input, this causes uneven control slider movement. Longer session files tend to provide smoother control slider movement.
Elapsed Time - Time elapsed in the session replay.
Total Session Time - Total length of time of the session.
Pause Button - When green the session is playing. When red the session is paused. To pause or resume playback simply click the control.
Loop Button - Selecting this button sets the session to replay over and over.
Controls Menu/Select Speed - Session play speed in relation to normal speed. For example .5x will play the session at half normal speed.
Controls Menu/Metadata/Open Dialog - If selected this opens a window to display the keystroke log, and tags for events and bookmarks. The keystroke slider at the top of the window can be adjusted so that the keystrokes can be seen in this window before or after they occur in the actual session replay window.
Controls Menu/Add Bookmark - If selected allows the user to add a bookmark at a specific point in the session.
Controls Menu/Always on Top - If selected, the meta data dialog window will be displayed in front of the session replay window.
Meta data window
While replaying the session the meta data window can be displayed in another window to view the
keystroke/event log.
To open the meta data window during a session:
1 Click the Replay Session button.
2 Once the session has a status of connected in the replay window, select Controls Menu | MetaData | Open Dialog.
Keystrokes/events will be displayed in green as they occur during the session replay. Bookmarks are displayed in
red. Slide the keystroke slider to the left to view the keystroke log in advance of the activity occurring in the
session replay window. If the Clear on Loop check box is selected the keystroke log will be cleared before the
session is replayed each time.
Replay a session log
NOTE: You cannot view the keystroke log when replaying a session unless the access policy that is granting
you permission to replay the session has Allow KSL View selected.
To replay a session log:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 Click the File Transfer tab to view details on any files transferred during the session.
7 Click the Captured Events / Bookmarks tab to view details on events captured during the session.
NOTE: If the session log is stored on an archive server there may be a delay while TPAM retrieves the log from its remote storage location.
The remote access session is displayed and played back in real time. The playback session may be paused and
resumed, moved ahead or back at increased speed, or continuously played at various speeds.
Prior to v2.5.915 a session log could be “stranded” by closing the browser while a session was recording and clicking the Terminate button. To fix the problem so the session can be replayed, select the session from the Listing page and click the Reset Stats button.
Add a bookmark to a session
Requestors, approvers, auditors and reviewers have the ability to add bookmarks to a session log. By adding a
bookmark, the requestor, approver, auditor or reviewer can point something out to another approver or
reviewer that they want them to look at without them having to replay and watch the entire session.
To add a bookmark:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 When you get to the point in the session where you want to add a bookmark, click the Pause button on the session playback controls at the bottom of the window.
7 Select Controls Menu | Metadata | Add Bookmark.
8 Enter text to label the bookmark and click the OK button.
9 After the bookmark is added the session will resume playback.
View bookmarks/captured events
To view bookmarks and captured events from the session logs listing page:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log.
5 Click the Captured Events, Bookmarks tab. Events are only captured for sessions on an account if the Capture Events? check box is selected for the account on the PSM details tab.
Jump to a bookmark
To jump to a bookmark while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
7 Click the Select Bookmark tab.
8 Select the bookmark you want to go to.
9 Click the Jump to Bookmark button.
10 The session replay will go to the bookmark but replay will continue; it will not be paused at the bookmark.
Jump to an event
To jump to an event while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.
7 Click the Select Event tab.
8 Select the event you want to go to.
9 Click the Jump to Event button.
10 The session replay will go to the event but replay will continue; it will not be paused at the event.
Monitor a live session
With the appropriate permissions a user can monitor another user’s session. The user running the session has no
indication that their session is being watched.
NOTE: You cannot view the Keystroke Log when monitoring a session.
To monitor a live session:
1 Select Management | Session Mgmt | Manage Sessions from the main menu.
2 Select the session to monitor. Live sessions will have a status of Connected.
3 Click the Monitor Session button. The PSM Session Monitor window will open with a view of the live session.
Terminate a session
An administrator user has the ability to terminate (kill) active sessions. Unless the session request is also
expired or cancelled the user has the ability to restart the session.
CAUTION: Be aware that terminating a session could leave unfinished work on the remote system and
even do potential damage.
To terminate a session:
1 Select Management | Session Mgmt | Manage Sessions from the main menu.
2 On the Active Sessions tab select the session to terminate.
3 Click the Terminate button.
37 Review a Session
• Introduction
• Review status definitions
• Review a session
• Provisional ticket validation on a session
Introduction
Accounts can be configured to have review requirements for PSM Sessions once the sessions are expired. Users
eligible to review sessions receive email notification to alert them of pending reviews.
Review status definitions
The table below explains the different possible session review statuses.
Table 86. Session review statuses
Pending Review: An authorized reviewer is still required to complete the review process.
Completed: All the required reviewers have clicked the Complete My Review button.
Overdue: A reviewer has not reviewed the session within the required time period.
On the PSM Sessions for Review listing tab there is a column labeled Review Started. If the value is Y, at least one review comment has been submitted. If the value is N, no review comments have been submitted. If the value is - (dash), the review is complete.
Review a session
To review a session:
1 Select Approve/Review | PSM Session from the main menu.
2 To review a session for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session to review.
5 Click the Session Logs tab.
6 Select a session log to replay.
7 Click the Replay Session button. For details on replaying sessions see Session playback controls.
NOTE: A session review cannot be completed until one of the session logs has been replayed by the reviewer. TPAM may be configured so that all session logs must be replayed before the review can be completed.
8 Watch the session and then close the session window.
9 To enter or view any comments about a session log, select a session log on the Session Logs tab and click the Comments tab. Enter a comment in the new comment box and click the Save New Comment button to add a comment. (optional)
These comments do not flag a session as being reviewed, but may be informative to other reviewers.
10 To view information about a file transfer, select a session log on the Session Logs tab and click the File Transfers tab. (optional)
11 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review requirements at the time the session request was submitted.
12 Click the Reviews tab to see any review comments made.
13 Click the Responses tab to see comments that were made when approving this request and comments made by the requestor if they expired the request early.
14 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as configured for their user ID in TPAM.
15 If the session being reviewed was part of a multi-session request, select the Apply Review check box for the appropriate row.
16 To enter a comment before officially marking the session as reviewed, enter a comment in the Review Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
17 To mark the review as complete, enter a review comment and click the Complete My Review button.
Provisional ticket validation on a session
If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System was not available for validation at the time the requestor submitted the request, you see the
following note on the Review Details tab: “The ticket number listed above was provisionally validated because
the ticket system was disabled at the time of the request.”
38 File Requests
• Introduction
• Request a file
• Email notification
• View submitted file requests
• Access the file
• Cancel/expire a file request
Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
Request a file
To request a file:
1 Select Request | File | Add Request from the main menu.
2 To request a file on a specific system enter the criteria on the Filter tab.
3 Click the Files tab.
4 Select the file to be included in the request.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting a REQ permission on the file, the file will be listed multiple times on the Files tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration associated with it.
5 Click the Details tab.
6 Complete the following fields:
Table 87. File Request Management: Details tab fields
Request Immediate: Select this check box to immediately request the file.
Date/Time Required: To have a file released on a future date and time, enter the date and time when the file is required. Enter the time in the user’s local time.
Requested Duration: The requested duration is the period of time that the file is available for release. The default requested duration will be pulled from the access policy or file setting. Once the request is saved this duration is added to the requested release date to determine the request expiration date. Valid parameters for release durations are from 15 minutes to 21 days, in 15 minute increments – however, the effective valid parameter for the maximum allowable release request duration is the value configured for maximum release duration at the access policy or file level.
Reason Code: Reason codes will appear if they have been configured by the System Administrator. Reason codes streamline the request process, and may be optional or required, depending on how they are configured.
Request Reason: Used to provide a brief description of the reason for the file release. May be optional, required or not required, depending on configuration.
Ticket System: May be required, based on configuration.
Ticket Number: May be required, based on configuration. If the ticket number fails validation when the request is submitted, then the request is automatically canceled.
7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page: “There are not enough individuals authorized to approve this request.”
Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same time period or the requestor decides to cancel the request prior to accessing the password. The request will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the file has passed or the requestor is done accessing the file and expires the request early.
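The Requested Duration and Date/Time Required rules above can be checked mechanically. The following Python is an added example written for this guide page, not TPAM code; the policy maximum passed in is a constructed input standing in for the maximum release duration configured on the access policy or file.

```python
from datetime import datetime, timedelta

MIN_MINUTES = 15
STEP_MINUTES = 15
MAX_MINUTES = 21 * 24 * 60          # 21 days, the absolute ceiling for a release
TIME_FORMAT = "%m/%d/%Y %H:%M"      # Date/Time Required is entered in the user's local time


class DurationError(ValueError):
    """The requested duration breaks one of the release-duration rules."""


def validate_requested_duration(requested_minutes, policy_max_minutes):
    """Return the duration unchanged if valid, otherwise raise DurationError.

    Rules from the Requested Duration field: 15 minutes to 21 days, in 15-minute
    increments, and never more than the maximum release duration configured at
    the access policy or file level (policy_max_minutes, a constructed input).
    """
    if not MIN_MINUTES <= requested_minutes <= MAX_MINUTES:
        raise DurationError(f"{requested_minutes} min is outside {MIN_MINUTES}-{MAX_MINUTES}")
    if requested_minutes % STEP_MINUTES:
        raise DurationError(f"{requested_minutes} min is not a 15-minute increment")
    if requested_minutes > policy_max_minutes:
        raise DurationError(f"{requested_minutes} min exceeds the policy maximum of {policy_max_minutes}")
    return requested_minutes


def request_expiration(requested_minutes, policy_max_minutes, date_time_required=None, now=None):
    """Expiration = requested release date/time + requested duration.

    date_time_required is the Date/Time Required field ('M/D/YYYY HH:MM', local
    time). None models the Request Immediate check box: the release starts at
    `now` (same format, injected so the example is deterministic).
    """
    minutes = validate_requested_duration(requested_minutes, policy_max_minutes)
    if date_time_required is None:
        release_at = (datetime.strptime(now, TIME_FORMAT) if now
                      else datetime.now().replace(second=0, microsecond=0))
    else:
        release_at = datetime.strptime(date_time_required, TIME_FORMAT)
    return (release_at + timedelta(minutes=minutes)).strftime(TIME_FORMAT)


if __name__ == "__main__":
    # Constructed example: a 2-hour release against an 8-hour policy maximum.
    print(request_expiration(120, 480, "9/16/2009 14:00"))
```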
Email notification
Once a file request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a file request is submitted and does not require any approvals, the request is auto-approved by PPM and the
Retrieve button will be enabled.
View submitted file requests
To view requests that have been submitted:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
Access the file
Once a request is approved, to retrieve the file:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Retrieve button.
6 Select to open or save the file.
Cancel/expire a file request
A file request can be cancelled by the requestor if the status is Pending Approval. Once approved, a password
request can be expired to immediately end the release duration. Expiring a request early makes the file
available for other users to request.
To cancel/expire a file request:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Enter a reason in the Expiration Reason box.
7 Click the Save Changes button.
39 Approve/Deny File Request
• Introduction
• Approve/deny file request
• Revalidate ticket on a request
• Deny request after it is approved
Introduction
When a file request is submitted, the associated approver(s) is notified via email of the pending request. The
approver logs on to TPAM to approve/deny the request.
Approve/deny file request
The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.
To approve/deny a file request:
1 Select Approve/Review | File Request from the main menu.
2 To approve/deny a request on a specific system enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.
6 Click the Conflicts tab to see if any other pending requests for this file overlap with the same release duration.
7 Click the Approvers tab to see the list of other eligible approvers for this request.
8 Click the Responses tab to see the responses other eligible approvers have made for this request.
9 Enter comments in the Request Response box.
10 Click the Approve Request or Deny Request button.
Revalidate ticket on a request
If the required Ticket System for this file has “provisional validation enabled” in the admin interface, and the Ticket System is not available for validation at the time the requestor submits the request, you see the following note on the Approval Details tab: “The ticket number listed above was provisionally validated because the ticket system was disabled at the time of the request. Press the Revalidate button to attempt to revalidate the ticket.”
The request can be approved/denied without revalidating the ticket.
To revalidate the ticket:
1 Click the Revalidate Ticket button.
2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled, the status of the request will remain unchanged.
Deny request after it is approved
Any eligible approver can deny a file request after it has already been approved or auto-approved. Once denied, the requestor will no longer have access to the file. The requestor receives an email notifying them that the request was denied.
To deny the request:
1 Select Approve/Review | File Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.
40 On Demand Reports
• Introduction
• Report time zone options
• Run a report
• Report descriptions
Introduction
TPAM has a number of pre-defined reports to aid in system administration, track changes to objects, and
provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports
can be filtered by criteria that are specific to each report type.
Report time zone options
Time zone filter parameters are included on most of the reports allowing you to view the report data in your
local or server time zone (UTC). These filter parameters only appear if you are configured with a local time
zone. These parameters affect not only the data reported but also the filter dates used to retrieve the data.
NOTE: Access to different reports is based on the user’s permissions. Only TPAM Administrators and Auditors have access to all reports.
For example, the server is at UTC time and the user is in Athens, Greece (UTC +2). When the user enters a date
range of 9/16/2009-9/17/2009 with the local time zone option, the report retrieves transactions that happened
on the server between 9/15/2009 22:00 through 9/17/2009 21:59.
All reports that use the local time zone filter have an extra column indicating the UTC offset that was used to
generate the report. This value is either the current UTC offset of the user. This column will also display in
reports that are exported using Excel or CSV.
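The following Python reproduces the Athens example above and shows why the filter dates themselves shift, not just the reported timestamps. It is an added example written for this guide page, not TPAM code; the UTC offset label format and the treatment of a user with no local time zone (offset taken as 0, i.e. server time) are assumptions.

```python
from datetime import datetime, timedelta, timezone

DATE_FORMAT = "%m/%d/%Y"   # how the report filter dates are typed, e.g. 9/16/2009


def _parse_local_date(text, utc_offset_hours):
    """Interpret a filter date as midnight in the user's configured local zone."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(text, DATE_FORMAT).replace(tzinfo=local_tz)


def local_range_to_server_window(start_date, end_date, utc_offset_hours):
    """Translate an inclusive local date range into the server (UTC) window.

    Returns two naive datetimes on the server clock: the first minute of
    start_date and the last minute of end_date, both converted from local time.
    A user without a local time zone (None) has no filter to apply: assumed 0.
    """
    if utc_offset_hours is None:
        utc_offset_hours = 0
    start_local = _parse_local_date(start_date, utc_offset_hours)
    end_local = _parse_local_date(end_date, utc_offset_hours) + timedelta(days=1) - timedelta(minutes=1)

    def to_server(moment):
        return moment.astimezone(timezone.utc).replace(tzinfo=None)

    return to_server(start_local), to_server(end_local)


def _fmt(moment):
    # Match the guide's "9/15/2009 22:00" style (no zero padding on month/day).
    return f"{moment.month}/{moment.day}/{moment.year} {moment:%H:%M}"


def describe_server_window(start_date, end_date, utc_offset_hours):
    """Human-readable server window, e.g. '9/15/2009 22:00 through 9/17/2009 21:59'."""
    start_utc, end_utc = local_range_to_server_window(start_date, end_date, utc_offset_hours)
    return f"{_fmt(start_utc)} through {_fmt(end_utc)}"


def utc_offset_label(utc_offset_hours):
    """Value for the extra UTC-offset column on reports run with the local option
    (label format is an assumption; it also handles half-hour zones)."""
    sign = "+" if utc_offset_hours >= 0 else "-"
    total_minutes = int(round(abs(utc_offset_hours) * 60))
    return f"UTC{sign}{total_minutes // 60:02d}:{total_minutes % 60:02d}"


def server_timestamp_in_range(server_ts, start_date, end_date, utc_offset_hours):
    """Does a transaction stamped on the server ('YYYY-MM-DD HH:MM', UTC) fall in
    the window the user's local date range actually selects?"""
    moment = datetime.strptime(server_ts, "%Y-%m-%d %H:%M")
    start_utc, end_utc = local_range_to_server_window(start_date, end_date, utc_offset_hours)
    return start_utc <= moment <= end_utc


if __name__ == "__main__":
    # The guide's example: user in Athens (UTC+2), filter 9/16/2009-9/17/2009.
    print(describe_server_window("9/16/2009", "9/17/2009", 2), utc_offset_label(2))
```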
Run a report
The following procedure describes the steps to run a report in TPAM.
To run a report:
1 From the Reports menu select the report.
2 On the Report Filter tab enter the filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in the TPAM interface, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the number of rows that meet the filter criteria is greater than what is selected.
8 To view the report results in TPAM click the Report tab. To adjust the width of any column on a report, hover the mouse over the column edge, hold down the left mouse button and drag the mouse to the desired width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option only exports a maximum of 64,000 rows.
10 Open or Save the report file.
Report descriptions
The following table lists the on demand reports available in TPAM.
Table 88. TPAM report descriptions
Activity Report: Detailed history of all changes made to TPAM.
ISA User Activity Report: Detailed records of all activities performed by users with ISA permissions.
Approver User Activity: Detailed records of all activities performed by users with Approver permissions.
Requestor User Activity: Detailed records of all activities performed by users with Requestor permissions.
PSM Accounts Inventory (PSM Customers only): Accounts that are PSM enabled.
Password Aging Inventory: Managed systems, and the managed accounts that reside on those systems.
File Aging Inventory: Secure stored files and the systems that manage them.
Release-Reset Reconcile: Audit evidence that released passwords have been reset appropriately.
User Entitlement: Data to review and audit users’ permissions for systems, accounts, files and commands on an enterprise scale.
NOTE: It is recommended that Show Only Effective Permissions is selected to reduce the size of the report.
NOTE: If any of the Expand … options are selected, at least one of the text filters must be filled in with a non-wildcard value. For very large data sources the expansion of Collections, Groups, and/or Access Policies can very easily create a report beyond the retrieval and display capabilities of a web browser. For large data sets (tens of thousands of accounts or thousands of large collections to expand) it is recommended to rely on the Data Extracts for unfiltered versions of the Entitlement Report.
Failed Logins: Failed login attempts to Privileged Account Manager. The data for the report is refreshed every 15 minutes.
Password Update Activity: Password modifications to systems managed by Privileged Password Manager.
Password Update Schedule: Scheduled password changes and the reason for the change.
Password Testing Activity: The results of automated testing of each managed account’s password.
Password Test Queue: Accounts currently queued for password tests.
NOTE: This is a useful report to view when troubleshooting performance related issues. A high number of queued password tests can impact system response time if the check agent is running. This report does not provide a mechanism for exporting data but does provide for deleting passwords from the test queue. So if there is some known reason why a large group of password tests are failing, such as a network outage, that group can be filtered out in the report and then deleted. An alternative would be to just stop the check agent.
Expired Passwords: Currently expired passwords, or passwords that will expire within a date range.
Passwords Currently in Use: Defines “in-use” passwords as:
• Passwords that have been retrieved by the ISA/CLI/API that have not yet been reset.
• Passwords that have been requested and retrieved, but have not yet been reset.
• Password has been manually reset on the Account Details or Password Management pages, but has not yet been reset by PPM.
• Password has been manually entered on the Account Details page, but has not yet been reset by PPM.
• Account is created on the TPAM interface or as a result of Batch Import Accounts and is assigned a password by the user (as opposed to letting the system generate a random password).
Password Requests: Password requests and the details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab gives you additional details on the request.
Password Consecutive Failures: Password check and change failures for accounts.
Auto-Approved Password Releases: Password releases that did not require dual control approval.
Auto-Approved File Releases: File releases that did not require dual control approval.
Password Release Activity: Details on password releases, such as request reason, retrieval date and ticket information.
File Release Activity: Details on file releases, such as request reason, retrieval date and ticket information.
Windows® Domain Account Dependencies: Managed domain accounts that have dependencies on other systems.
Auto Approved Sessions (PSM customers only): Sessions that were approved, as a result of no approval requirements for sessions on the account.
PSM Session Activity (PSM customers only): Session details, such as start date, end date, and request reason.
PSM Session Requests (PSM customers only): Session requests and the details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab gives you additional details on the request.
41 Network Tools
• Introduction
• The ping utility
• Nslookup utility
• TraceRoute utility
• Telnet test utility
• Display routes
Introduction
To assist the TPAM Administrator with troubleshooting common network related problems, TPAM contains network tools that are accessible from the TPAM interface.
The ping utility
The ping utility can be used to verify connectivity to remote hosts and determine latency. Many of the optional
parameters for the ping command are available. The available command options are listed along with the short
description of each.
To use the ping utility:
1 Select Management | Network Tools | Ping from the menu.
2 Enter the IP or Hostname.
3 Select the options desired.
4 Click the Ping button. The results will be displayed.
Nslookup utility
Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS
resolution. The TPAM utility for nslookup will use the DNS server(s) configured to TPAM only. The option to
specify a server is not provided. TPAM Administrators can benefit from the ability to use nslookup to resolve
hostnames to IP addresses and vice versa.
To use Nslookup:
1 Select Management | Network Tools | Nslookup from the menu.
2 Enter the IP address or Hostname to look up.
3 Click the Lookup button.
TraceRoute utility
The traceroute utility is available for examining network routing and connectivity from TPAM to a remote IP
address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security
infrastructure – but if allowed, it can be a valuable diagnostic tool.
To use Traceroute:
1 Select Management | Network Tools | TraceRoute from the menu.
2 Enter the IP or Hostname to trace.
3 Select the -d check box. (Optional)
4 Change the default number of hops and timeout wait. (Optional)
5 Click the Trace button.
Telnet test utility
The Telnet test utility lets a test be performed from the appliance to another system over a specific port. The
tool will test the defined port using telnet functionality to verify the port, whether a connection can be made,
and then immediately close the connection.
To use the Telnet test utility:
1 Select Management | Network Tools | TelnetTest from the menu.
2 Enter the network address, port and timeout period.
3 Click the Trace button.
Display routes
Several tools are available to manage the routing table on TPAM, if the need arises.
To display current routes:
1 Select Management | Network Tools | Show Routes from the menu.
If necessary, TPAM System Administrators have the ability to edit the routes in the config interface.
42 CLI Commands
• Introduction
• Command standards
• Commands
Introduction
The TPAM command line interface (CLI) provides a method for authorized users or automated processes to
retrieve information from the TPAM system. Commands must be passed to TPAM via SSH (secure shell) using an
identity key file provided by TPAM. A specific CLI user ID is also required. See Add a CLI user ID for more details
on creating the user ID. CLI user IDs are case sensitive when logging on.
SSH software must be installed on any system before it can be used for TPAM CLI access.
Commands accept parameters in the style of --OptionName option value (two dashes precede the option name).
All commands recognize an option of --Help. This expanded help syntax will show all valid options for each
command, whether the option is required or optional, and a description of the option and allowed values.
NOTE: Many of the CLI commands will not run if the TPAM appliance is in maintenance mode.
Command standards
• Options may be specified in any order in the command.
• Option names are not case sensitive; --SystemName and --systemname are equivalent.
• When the --Help option is used, no other processing takes place. The help text is printed and the command terminates.
• Options marked as “optional” are just that – optional. They do not need to be included in the command line to “save space” for commands that come afterwards.
• Option names may be abbreviated “to uniqueness” for each command. For example, if a command accepts options of --SystemName, --AccountName, and --Description the option names can be abbreviated to --S, --A, and --D, respectively. However, if the options were --AccountName and --AccountDescription they can only be abbreviated to --AccountN and --AccountD.
• Any option value that contains spaces, e.g., --Description or --RequestNotes, must surround the value with single or double quotes, depending on your command line shell. It’s also recommended that you surround the entire command invocation with quotes to prevent the shell from unintentionally stripping desired quotes from your command. Additionally your shell environment may require escaping extra quotes within your command. The following is an example using Windows® cmd.exe:
[...]"UpdateSystem[...]\"Sytem1[...]\"Description for System1\"[...]
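The option-name rules above (case-insensitive names, abbreviation to uniqueness, --Help short-circuiting all other processing, quoting of values with spaces) can be implemented as a small resolver. The Python below is an added example written for this guide page, not TPAM's CLI; the option list is taken from the AddAccount table on this page, and the `ssh -i <key> <cliuser>@<appliance> "<command>"` invocation shape is an assumption about how the identity key file and CLI user ID are supplied, since the page does not spell it out.

```python
import shlex

HELP_OPTION = "--Help"

# Constructed from Table 89 on this page: AddAccount's two required options and
# two of its optional ones (True = required, False = optional).
ADDACCOUNT_SPEC = {
    "--SystemName": True,
    "--AccountName": True,
    "--Description": False,
    "--AutoFlag": False,
}


class OptionError(ValueError):
    """Unknown, ambiguous, malformed or missing option."""


def resolve_option(token, accepted):
    """Map a possibly abbreviated, any-case option token to its full name.

    An exact (case-insensitive) match wins; otherwise the token must be a
    prefix of exactly one accepted option, i.e. abbreviated "to uniqueness".
    """
    if not token.startswith("--"):
        raise OptionError(f"option names are introduced by two dashes: {token!r}")
    needle = token.lower()
    for name in accepted:
        if name.lower() == needle:
            return name
    matches = [name for name in accepted if name.lower().startswith(needle)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise OptionError(f"unknown option {token!r}")
    raise OptionError(f"{token!r} is ambiguous: " + ", ".join(matches))


def parse_command(argv, spec):
    """Parse '--Option value' pairs for one command into {full name: value}.

    spec maps full option names to True (required) or False (optional).
    If --Help (possibly abbreviated) is present, nothing else is processed.
    """
    accepted = list(spec) + [HELP_OPTION]
    # Every option other than --Help takes a value, so option names sit at even
    # positions; scan those first so that help short-circuits all other checks.
    for token in argv[::2]:
        try:
            if resolve_option(token, accepted) == HELP_OPTION:
                return {HELP_OPTION: True}
        except OptionError:
            pass
    parsed = {}
    for i in range(0, len(argv), 2):
        name = resolve_option(argv[i], accepted)
        if i + 1 >= len(argv):
            raise OptionError(f"{name} requires a value")
        parsed[name] = argv[i + 1]
    missing = [name for name, required in spec.items() if required and name not in parsed]
    if missing:
        raise OptionError("missing required option(s): " + ", ".join(missing))
    return parsed


def build_ssh_invocation(identity_file, cli_user, appliance, command, options):
    """Assemble the ssh argv that carries one command to the appliance.

    Assumed OpenSSH shape (not stated on this page). Each value is shell-quoted
    so a value containing spaces reaches the remote side as one option value.
    """
    remote = " ".join([command] + [f"{name} {shlex.quote(value)}" for name, value in options.items()])
    return ["ssh", "-i", identity_file, f"{cli_user}@{appliance}", remote]


if __name__ == "__main__":
    opts = parse_command(["--S", "Sys1", "--Acc", "svc_backup", "--desc", "Description for System1"],
                         ADDACCOUNT_SPEC)
    # Placeholder key file, CLI user and appliance name; none come from the page.
    print(build_ssh_invocation("tpam_cli_key", "clireader", "tpam.example", "AddAccount", opts))
```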
Commands
AddAccount --options
Adds a new system account. The CLI user must have ISA or Administrator privilege.
Table 89. AddAccount options
--SystemName (Req): System Name. Maximum 30 characters.
--AccountName (Req): Account Name. Maximum 30 characters.
--AccountDN (Opt): The distinguished name of the account on a Novell NDS, LDAP or LDAPS system.
--AliasAccessOnlyFlag (Opt): This option is obsolete. Any value passed in using this option is used
    for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag (Opt): Allow the ISA to specify a duration when retrieving a password. Y/N
--AutoFlag (Opt): Account Password Management type. N=None, Y=Automatic, M=Manual
--BlockAutoChangeFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the password change profile.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the password change profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the password change profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the password check profile.
--ChangeServiceFlag (Opt): Change the password for Windows® Services started by this account. Y/N
    (Windows® platforms only)
--ChangeTaskFlag (Opt): Change the password for the Windows® scheduled tasks started by this
    account. Y/N (Windows® platforms only)
--Custom[1-6] (Opt): Custom Account Columns, if defined. Use !NULL to clear the value.
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName (Opt): For Windows® or BoKS platforms. Enter domainname\accountname
--EnableBeforeReleaseFlag (Opt): Y/N. If Y, TPAM disables the account on the remote system until
    the password is released or a session is started which uses the password to authenticate.
    Only applies to Windows® platforms.
--EscalationEmail (Opt): If a password post-release review is not completed within the number of
    hours in --EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime (Opt): Number of hours after which to send an escalation email if a password
    post-release review has not been completed. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag (Opt): Ignore System Policies Flag. Y/N. When set to Y any System-level
    Access Policies are ignored, and only Account-level policies are used for permissions.
--LockFlag (Opt): Account Lock Flag. Y/N. Passwords for locked accounts cannot be retrieved,
    released, checked or changed.
--MaxReleaseDuration (Opt): The maximum duration for a password request, expressed in minutes. The
    value is rounded to the nearest 15-minute increment. Valid values are 1-30240 (21 days).
--MinimumApprovers (Opt): Minimum number of approvals required for a password release request. 0
    (zero) indicates that all requests are auto-approved.
--NextChangeDate (Opt): Schedule the account password to be changed at a specific date/time.
    Overrides the password change profile schedule. Password mismatch, post-release reset, and
    forced resets are still processed as they occur.
--OverrideAccountability (Opt): When the Global Setting to allow account-specific override is
    enabled, this flag can be turned on at the account level to allow simultaneous, overlapping
    password requests to be approved. When the Global Setting is not enabled this flag is ignored. Y/N
--Password (Opt): Initial or new password for the account. The password cannot be changed for
    auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile (Opt): A profile which controls when the account will have its password
    changed.
--PasswordCheckProfile (Opt): A profile which controls when the account will have its password
    checked.
--PasswordRule (Opt): Name of the Password Rule used to generate passwords for the account. The
    default rule for new accounts is set on the managed system. You may also specify “Default
    Password Rule” or another rule to override this.
--ReleaseNotifyEmail (Opt): Email address that receives an email when the password is released.
    Use !NULL to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed
    in minutes. The value is rounded to the nearest 15-minute increment. Valid values are 0-30240
    (21 days). Ignored if --ReleaseChangeFlag is N. If 0 is entered, ISA retrieval of a password
    will not trigger a post-release reset of the password.
--RequireTicketForAPI (Opt): Require a valid Ticket System & Number for any API password retrieval
    on this account. Y/N. Ignored if --RequireTicketForRequest is N.
--RequireTicketForCLI (Opt): Require a valid Ticket System & Number for any CLI password retrieval
    on this account. Y/N. Ignored if --RequireTicketForRequest is N.
--RequireTicketForISA (Opt): Require a valid Ticket System & Number for any ISA password retrieval
    on this account. Y/N. Ignored if --RequireTicketForRequest is N.
--RequireTicketForPSM (Opt): Require a valid Ticket System & Number for any PSM request on this
    account. Y/N.
--RequireTicketForRequest (Opt): Require a valid Ticket System & Number for any password request
    on this account. Y/N
--ResetFlag (Opt): Reset the password if a regular check finds it to be different from what is
    stored in PPM. Y/N. Ignored if --CheckFlag is N.
--RestartServiceFlag (Opt): Restart Windows® services started by this account following a
    password change. Y/N (Windows® only)
--ReviewCount (Opt): Number of post-release reviews required after a password release. 0-n
--ReviewerName (Opt): User Name or Group Name of the required reviewer. Only valid when
    --ReviewerType is User or Group.
--ReviewerType (Opt): Type of reviewer. Valid values are: Any (default), Auditor, User, Group
--SimulPrivAccReleases (Opt): Number of simultaneous Privileged Access Users who may retrieve the
    password. 0-99
--TicketSystemName (Opt): When --RequireTicketForRequest is Y this is the Ticket System that is
    required. Use a value of “!Any” to allow tickets from any valid ticket system.
--TicketEmailNotify (Opt): Email to notify if a password is retrieved via API, CLI, or ISA without
    a ticket number. Ignored when --RequireTicketForRequest is N or a ticket is required for all
    three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag (Opt): Use the account's current password to change the password. Y/N. If the
    functional account is flagged as “non-privileged” at the system level this value should be set
    to Y.
AddCollection --options
Creates a new collection. The CLI user must have ISA or administrator privilege.
Table 90. AddCollection options
--CollectionName (Req): Name of collection.
--Description (Opt): Collection description. Max of 50 characters.
--PSMDPAAffinity (Opt): List of DPAs to use for PSM Affinity assignment in the form
    DPAName1/priority;DPAName2/priority. Pass “any” to reset the list and allow any DPA to be
    used. Priority must be >=0 to add a DPA. A priority of 0 removes a DPA from the list.
Legacy support:
AddCollection <CollectionName>,<CollectionDescription>
AddCollectionMember --options
Creates a new collection member where the system, account and/or file and the collection(s)
already exist. The CLI user must have administrator privilege or the ISA permission over the
collection and the system and/or file.
Table 91. AddCollectionMember options
--CollectionName (Req): Name of collection.
--SystemName (Req): Name of the system to add to the collection. If an account or file is being
    added to the collection it must exist on this system. A system cannot be in the same
    collection as any of its accounts or files.
--AccountName (Opt): Name of the account to add to the collection. If a system or file is being
    added to the collection this value must be empty. The account must reside on --SystemName and
    cannot be a member of any of the same collections as the system.
--FileName (Opt): Name of the file to add to the collection. If a system or account is being added
    to the collection this value must be empty. The file must reside on --SystemName and cannot be
    a member of any of the same collections as the system.
Legacy support:
AddCollectionMember <MemberName>,<CollectionName>
AddGroup --options
Creates a new group. The CLI user must have ISA or administrator privilege.
Table 92. AddGroup options
--GroupName (Req): Name of the group.
--Description (Opt): Description of group. Max of 50 characters.
Legacy support:
AddGroup <GroupName>,<GroupDescription>
AddGroupMember --options
Adds an existing user account to one or more existing groups. The CLI user must have administrator
privilege. --GroupID or --GroupName may be passed, but not both.
Table 93. AddGroupMember options
--GroupName (Opt): Name of the group.
--GroupID (Opt): Unique identifier assigned to the group by TPAM.
--UserName (Req): Name of the user to add to the group. Only basic and administrator user types can
    be added to a group. Multiple UserNames can be specified using semicolons between names.
Legacy support:
AddGroupMember <UserName>,<GroupName>
AddProfile --options
Adds a profile. The CLI user must have administrator privilege. --Type is a required parameter.
Some of the options below only apply to password check profiles and some only apply to password
change profiles.
Table 94. AddProfile options
--Type (Req): Profile type to add. Valid values: PasswordChange, PasswordCheck
--Name (Req): Name of the profile.
--Description (Opt): Description of the profile. If the description contains spaces or
    non-alphanumeric characters it must be properly quoted.
--DefaultFlag (Opt): Y/N. Defaults to N. If Y, marks this as the default change profile. Only one
    change profile may be marked as the default; setting --DefaultFlag to Y sets DefaultFlag on
    all other change profiles to N.
--FrequencyOption (Req): Used in combination with --Frequency to set the check/change schedule for
    the profile. Valid values:
    • N - scheduled checks/changes are disabled
    • D - scheduled checks/changes run X times per day
    • E - check/change passwords every X days
    • W - check/change passwords every week on specified weekdays
    • M - check/change passwords on a monthly schedule on specified day(s) of the month
--Frequency (Opt*): Interpreted according to the value passed in --FrequencyOption:
    • N - No frequency. Value ignored.
    • D - number between 1 and 48. Number of times per day to check/change the password.
    • E - number between 1 and 999. Number of days between scheduled password checks/changes.
    • W - 7-character string specifying the days of the week for scheduled password
      checks/changes, representing Sunday through Saturday. Use X for an “on” day and a period
      (.) for an “off” day. For example, .X.X.X. schedules checks/changes on Mondays, Wednesdays
      and Fridays.
    • M - Days of the month on which to schedule password checks/changes, separated with
      semicolons; -1 indicates the last day of the month. For example, 10;15;-1 schedules
      checks/changes on the 10th, 15th and last day of the month. Invalid days such as February
      30th are skipped.
--AllowNotifyFlag (Opt): Y/N. Defaults to N. If Y, allows a system to notify TPAM that it is online
    and available for checks/changes. See How to call the notification service for more details.
--Times (Opt*): Required when --FrequencyOption is other than N. A semicolon-separated list of time
    ranges during which scheduled checks/changes are allowed. For example, 00:00-06:00;18:00-23:59.
--Timeout (Opt): Number of seconds a password check/change operation is allowed to run before
    timing out. If no value is entered, the timeout value from the managed system is used.
--ConsecFailCount (Opt): Numeric value greater than or equal to zero. Performs the accompanying
    action and/or notification after this number of consecutive failed attempts to check/change
    the password. Use zero (the default) to indicate no extra action or notification.
--ConsecFailAction (Opt*): When --ConsecFailCount is greater than zero, this must be one of:
    • Nothing - perform no action
    • Disable - the account is ignored for any future checks/changes until an Administrator or
      ISA goes to the account details Management tab and clears the Check schedule disable
      check box
    • Lock - locks the account in TPAM; no checks, password releases or password requests are
      permitted until it is unlocked
    • Increase - increase the retry interval
--FailNotifyOwnerFlag (Opt): Y/N. Default is N. If Y, an email is sent to the account owner after
    the consecutive failure limit is reached.
--MismatchAction (Opt): Determines how TPAM handles a password mismatch found by a check. Options
    are:
    • Nothing
    • Reset - schedule the account for an immediate password change
    • Disable - the account is ignored for any future checks until an Administrator or ISA goes
      to the account details Management tab and clears the Check schedule disable check box
    • Lock - locks the account in TPAM; no password releases or password requests are permitted
      until it is unlocked
--MismatchNotifyOwnerFlag (Opt): Y/N, default is N. If Y, notifies the account owner when a
    password mismatch is detected.
--RetryIncrease (Opt*): When --ConsecFailAction is Increase, each time the consecutive failure
    count is reached this number of minutes is added to the retry interval for the next check.
--RetryMax (Opt*): The maximum retry time. Must be greater than the automation engine's Check
    Retry Interval.
--BlockAccountAutoChangeFlag (Opt): Y/N. Default is N. If Y, scheduled checks/changes are blocked
    while the account is in use by a PSM session or password release request.
--TestPortFlag (Opt): Y/N. Default is N. If Y, the password check/change process first checks that
    the required port on the target system is available before attempting to check/change the
    password.
--TestPortTimeout (Opt): Required when --TestPortFlag is Y. Values 1-999, default is 5. Number of
    seconds before the pre-change port test times out.
--PreChangeEmailSchedule (Opt): A semicolon-separated list of the numbers of days prior to a
    scheduled change when email reminders of the upcoming event are sent. Ignored unless
    --FrequencyOption is M (monthly) or E (every X days, where X is greater than 2). Use !NULL to
    clear the schedule (you must also use !NULL to clear --PreChangeEmailAddress at the same
    time). Example: 14;7;1 sends emails 14, 7, and 1 day prior to scheduled changes.
--PreChangeEmailAddress (Opt): A semicolon-separated list of email addresses or placeholders to
    notify prior to a scheduled change per --PreChangeEmailSchedule. Email addresses may be static
    ([email protected]) or any of the following placeholder values:
    • :Group=group1,group2...: List of TPAM group names. Email addresses of all users in the
      listed groups.
    • :User=user1,user2...: List of TPAM user names. Email addresses of all listed users.
    • :RelNotify: Release Notification Email of the account
    • :System: Primary Contact Email of the system
    • :ISA: Email addresses of all users with PPM ISA permissions on the account
    • :Functional: Release Notification Email of the functional account for the system
--PostChangeEmailAddress (Opt): A semicolon-separated list of email addresses or placeholders to
    receive a Password Post-Change email after any scheduled, forced, or post-release change of a
    password. The email addresses may be static ([email protected]) or any of the placeholder
    values described above. Use !NULL to clear the value.
--NoPostRequestResetFlag (Opt): Y/N. Default is N. If Y, the password WILL NOT be scheduled for a
    post-release reset when released by a password request. Does not apply to ISA password
    retrievals or synchronized passwords.
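The schedule values in the AddProfile table above (the W weekday mask, the M day-of-month list with -1 for the last day, and the --Times windows) as an added Python example. This is not code from the TPAM guide or product: only the value formats and their documented meaning come from the guide; the function names, the decision to skip days a month does not have, and the sample dates are assumptions.

```python
"""Added example (not from the TPAM guide): parse the AddProfile schedule
values, i.e. the W weekday mask, the M day-of-month list with -1 for the
last day, and the --Times windows, and decide whether a check/change may
run at a given moment.  Function names are assumptions; only the value
formats come from the guide."""
import calendar
from datetime import date, datetime, time

WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday"]


def weekdays_from_mask(mask):
    """'.X.X.X.' -> ['Monday', 'Wednesday', 'Friday'] (position 0 is Sunday)."""
    if len(mask) != 7 or set(mask) - {"X", "."}:
        raise ValueError(f"bad weekday mask {mask!r}: need 7 chars of X or .")
    return [WEEKDAYS[i] for i, c in enumerate(mask) if c == "X"]


def month_days(spec, year, month):
    """'10;15;-1' -> the real days in (year, month).  -1 is the last day and
    days the month does not have (e.g. Feb 30) are skipped, as the guide says."""
    last = calendar.monthrange(year, month)[1]
    days = set()
    for item in spec.split(";"):
        n = int(item)
        if n == -1:
            days.add(last)
        elif 1 <= n <= last:
            days.add(n)                  # out-of-range days are silently skipped
    return sorted(days)


def parse_times(spec):
    """'00:00-06:00;18:00-23:59' -> [(time(0, 0), time(6, 0)), (time(18, 0), time(23, 59))]"""
    windows = []
    for rng in spec.split(";"):
        start, end = rng.split("-")
        t0, t1 = time.fromisoformat(start), time.fromisoformat(end)
        if t1 < t0:
            raise ValueError(f"window {rng} ends before it starts")
        windows.append((t0, t1))
    return windows


def scheduled_on(frequency_option, frequency, day):
    """Is `day` ('YYYY-MM-DD' or a date) a scheduled day under a W, M or N profile?"""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    if frequency_option == "W":
        # date.weekday(): Monday=0 ... Sunday=6; the mask starts at Sunday.
        return frequency[(day.weekday() + 1) % 7] == "X"
    if frequency_option == "M":
        return day.day in month_days(frequency, day.year, day.month)
    if frequency_option == "N":
        return False
    raise ValueError("only W, M and N are handled in this example")


def allowed_at(frequency_option, frequency, times, when):
    """Combine the day schedule with the --Times windows for one datetime
    ('YYYY-MM-DDTHH:MM' or a datetime)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not scheduled_on(frequency_option, frequency, when.date()):
        return False
    t = when.time().replace(second=0, microsecond=0)
    return any(t0 <= t <= t1 for t0, t1 in parse_times(times))
```

D and E schedules are relative to the previous run rather than to the calendar, so they are deliberately left out here; the point is the two calendar formats and the window check.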
AddPwdRequest --options
CLI users can create a password request for themselves as well as for other users. Both users (the
calling CLI user and the user the request is for) must have request permissions on the target
system. The target user must be a web-based user, i.e., not a CLI or API user. The CLI user
creating the request may later cancel the request, but cannot approve the request they create.
Table 95. AddPwdRequest options
--SystemName (Req): System for which the password request is being created.
--AccountName (Req): Account for which the password request is being created.
--ForUserName (Opt): The user you are creating the request for. Omit this option if submitting a
    request for yourself.
--AccessPolicyName (Opt): An access policy to use for the request. This is only required if the
    user has access to the account via more than one policy.
--ReasonCode (Opt): A reason code for the request. Based on global settings, a reason code may be
    required, optional, or not allowed.
--RequestImmediateFlag (Opt): Use Y to create an immediate request, N to create a request with a
    future date. If N is entered, you must supply the --RequestedReleaseDate option.
--RequestedReleaseDate (Opt): Required if --RequestImmediateFlag is N. Must be a valid future date
    in the form MM/DD/YYYY HH:MM (using a 24-hour clock).
    NOTE: If the --ForUserName user is assigned to a time zone other than UTC, this value
    represents the local time for that user.
--ReleaseDuration (Opt): Duration of the request in minutes. Time is rounded up to the next
    15-minute interval. The default is 120 minutes for password requests. The maximum value is set
    on the account details.
--RequestNotes (Opt): Description of the request. Up to 1000 characters. Based on global settings,
    a RequestNote may be required, optional, or not allowed.
--TicketNumber (Opt): A ticket number from the --TicketSystemName. This may be required based on
    account settings.
--TicketSystemName (Opt): The name of the ticket system to use for validation. This may be
    required based on account settings.
AddSessionRequest --options
CLI users can create a session request for themselves as well as for other users. Both users (the
calling CLI user and the user the request is for) must have request permissions on the target
system. The target user must be a web-based user, i.e., not a CLI or API user. The CLI user
creating the request may later cancel the request, but cannot approve the request they create.
Table 96. AddSessionRequest options
--SystemName (Req): System for which the session request is being created.
--AccountName (Req): Account for which the session request is being created.
--ForUserName (Opt): The user you are creating the request for. Omit this option if submitting a
    request for yourself.
--AccessPolicyName (Opt): An access policy to use for the request. This is only required if the
    user has access to the account via more than one policy.
--CommandName (Opt): The command name that will be used during the session. If the command is
    specified then --AccessPolicyName must also be specified and must include REQ permissions for
    you and for the user for whom the request is being created.
--LinkedAccountName (Opt*): When requesting a session to an account named :LinkedAccount: you must
    specify a linked account name to use for authentication. The account must already be
    associated with the --ForUserName user. Use the form [email protected] for a domain account
    or systemname\accountname for a non-domain account on a TPAM managed system.
--ReasonCode (Opt): A reason code for the request. Based on global settings, a reason code may be
    required, optional, or not allowed.
--RequestImmediateFlag (Opt): Use Y to create an immediate request, N to create a request with a
    future date. If N is entered, you must supply the --RequestedReleaseDate option.
--RequestedReleaseDate (Opt): Required if --RequestImmediateFlag is N. Must be a valid future date
    in the form MM/DD/YYYY HH:MM (using a 24-hour clock).
    NOTE: If the --ForUserName user is assigned to a time zone other than UTC, this value
    represents the local time for that user.
--ReleaseDuration (Opt): Duration of the request in minutes. Time is rounded up to the next
    15-minute interval. The default duration is set on the account's PSM details page. The
    maximum value is set on the account details page.
--RequestNotes (Opt): Description of the request. Up to 1000 characters. Based on global settings,
    a RequestNote may be required, optional, or not allowed.
--TicketNumber (Opt): A ticket number from the --TicketSystemName. This may be required based on
    account settings.
--TicketSystemName (Opt): The name of the ticket system to use for validation. This may be
    required based on account settings.
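Preparing the --RequestedReleaseDate and --ReleaseDuration values for AddPwdRequest and AddSessionRequest (both tables above), as an added Python example. This is not code from the TPAM guide or product. What comes from the guide: the MM/DD/YYYY HH:MM 24-hour format, the rule that the value is the local time of the --ForUserName user, the round-up to the next 15-minute interval and the 1-30240 minute maximum. The user-to-time-zone table (fixed offsets standing in for the zone TPAM assigns to each user), the function names and the sample data are assumptions.

```python
"""Added example, not from the TPAM guide: prepare the --RequestedReleaseDate
and --ReleaseDuration values for AddPwdRequest / AddSessionRequest.

From the guide: MM/DD/YYYY HH:MM on a 24-hour clock, interpreted in the
--ForUserName user's time zone; duration rounded up to the next 15-minute
interval and capped by the account maximum.  The user-to-zone table, the
function names and the sample data are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the time zone TPAM assigns to each target user.  Fixed
# offsets keep the example self-contained; real code would look the zone up
# with zoneinfo so that daylight-saving changes are handled.
USER_TIMEZONES = {
    "jdoe": timezone(timedelta(hours=-5)),   # stand-in for US Eastern (winter)
    "svc_cli": timezone.utc,
}


def _as_utc(value):
    """Accept an ISO 'YYYY-MM-DDTHH:MM' string (taken as UTC) or an aware datetime."""
    if isinstance(value, str):
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    if value.tzinfo is None:
        raise ValueError("naive datetimes are ambiguous here; pass an aware one")
    return value.astimezone(timezone.utc)


def release_date_for_user(for_user, start_utc):
    """Render a UTC instant as the MM/DD/YYYY HH:MM wall-clock value the CLI
    expects for this user.  Submitting the UTC time unchanged would open the
    request hours early or late for a non-UTC user."""
    zone = USER_TIMEZONES.get(for_user, timezone.utc)   # unknown user -> UTC
    return _as_utc(start_utc).astimezone(zone).strftime("%m/%d/%Y %H:%M")


def round_up_duration(minutes, maximum=30240):
    """Round up to the next 15-minute interval and enforce the account maximum."""
    if minutes <= 0:
        raise ValueError("duration must be positive")
    rounded = -(-minutes // 15) * 15          # ceiling to a multiple of 15
    if rounded > maximum:
        raise ValueError(f"{rounded} minutes exceeds the account maximum {maximum}")
    return rounded


def build_request(command, system, account, for_user, start_utc, minutes,
                  maximum=30240, now=None):
    """Assemble a future-dated request.  `now` pins the clock for tests; the
    guide requires the release date to lie in the future.  The date value is
    double-quoted because it contains a space (adjust for your shell)."""
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    start = _as_utc(start_utc)
    if start <= now:
        raise ValueError("--RequestedReleaseDate must be in the future")
    date_value = release_date_for_user(for_user, start)
    return (f"{command} --SystemName {system} --AccountName {account} "
            f"--ForUserName {for_user} --RequestImmediateFlag N "
            f'--RequestedReleaseDate "{date_value}" '
            f"--ReleaseDuration {round_up_duration(minutes, maximum)}")
```

The same helper serves AddSessionRequest by passing that command name; only the default duration differs, and that is taken from the account's PSM details rather than computed here.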
AddSyncPass --options
Adds a synchronized password. The CLI user must have administrator privilege.
Table 97. AddSyncPass options
--SyncPassName (Req): Name of the synchronized password.
--AccountLevelCheckProfile (Opt): Y/N. Default value is N. If Y, the synchronized password does
    not have a Password Check Profile and the password check schedule is based on the profile
    assigned to each member account.
--ChangeFrequency (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the Password Change Profile.
--ChangeTime (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the Password Change Profile.
--CheckFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the Password Check Profile.
--DisableFlag (Opt): Disable synchronizing subscribed accounts. Y/N
--Description (Opt): Use !NULL to clear the value. Maximum of 255 characters.
--NextChangeDate (Opt): Schedule the password to be changed at a specific date/time. Overrides the
    password change profile schedule. Password mismatch, post-release reset, and forced resets
    are still processed as they occur.
--Password (Opt): Initial or new password. The password cannot be changed for auto-managed
    accounts. Max of 128 characters.
--PasswordChangeProfile (Req*): A profile which controls when the password is changed. *Must be
    supplied if no change profile is marked as default.
--PasswordCheckProfile (Req*): A profile which controls when the password is checked. *Required
    when --AccountLevelCheckProfile is N and no check profile is marked as default.
--PasswordRule (Opt): Name of the Password Rule used to generate passwords. The default rule for
    new accounts is set on the managed system. You may also specify Default Password Rule or
    another rule to override this.
--ReleaseNotifyEmail (Opt): This email address receives an email when the password is released.
    Use !NULL to clear the value.
--ReleaseChangeFlag (Opt): Change the password after any ISA, CLI or API release. Y/N
--ReleaseDuration (Opt): The default duration for an ISA/CLI/API retrieval of a password, expressed
    in minutes. The value is rounded to the nearest 15-minute increment. Valid values are 0-30240
    (21 days). If 0 is entered, ISA retrieval of a password will not trigger a post-release reset
    of the password. Ignored if --ReleaseChangeFlag is N.
--ResetFlag (Opt): THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The
    functionality of this option has been assumed by the Password Check Profile.
AddSyncPwdSub --options
Adds subscribers to a synchronized password. The CLI user must have administrator privilege.
Table 98. AddSyncPwdSub options
--SyncPassName (Req): Name of the synchronized password.
--SystemName (Req): System name of the subscribing account.
--AccountName (Req): Name of the subscribing account.
AddSystem--options
Creates a new system. The CLI user must have ISA or Administrator privilege.
Table 99. AddSystem options
Option name
Req/Opt Description
--SystemName
Req
System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--AllowFuncReqFlag
Opt
Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag
Opt
Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP
Opt
Obsolete as of TPAM 2.5.909
--AutoDiscoveryExcludeList Opt
List of account names (up to 1,000 characters) separated by semicolons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.
--AutoDiscoveryProfile
Opt
Name of auto-discovery profile which will be used to discover
new/deleted accounts on this system. Use !NULL to clear the value or
override the template’s value. Auto-discovery is only valid for
Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout
Opt
Timeout (in seconds) when discovering accounts on this system.
Default is 300 seconds. If the discovery process times out it will
continue to discover the remaining accounts during the next scheduled
run.Use 0 (zero) to set to the default.
--BoksServerOS
Opt
The OS Name (platform) for a Boks server.
--ChangeFrequency
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.
--ChangeTime
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.
--Custom[1-6]
Opt
Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Check Profile.
--Description
Opt
Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount
Opt
The domain account to be used as the functional account. Must be
defined in the format DomainName\AccountName and the account
must already be defined in TPAM. For MS SQL Server systems this can be
SystemName\AccountName to indicate a local computer account.
When specified the FunctionalAccount and FuncAcctCred values are
ignored.
--DomainName
Opt
Required for Windows® Active Directory systems.
TPAM 2.5
Administrator Guide
248
Table 99. AddSystem options
Option name
Req/Opt Description
--EGPOnlyFlag
Opt
Setting this value to Yes will disabled *ALL* PPM functionality on this
system and all its accounts and will delete any existing password
history or secure stored files. Y/N.
--EnablePassword
Opt
Password to use for the “ENABLE” account (Cisco platforms only) or
“EXPERT” account (for CheckPoint SP platforms only).
--EscalationEmail
Opt
If a password post-release review is not completed within the number
of hours in EscalationTime send and email to this address. Use !NULL to
clear the value.
--EscalationTime
Opt
Number of hours after which to send an escalation email if a password
post-release has not been completed. Expressed in hours. Use 0 (zero)
to disable the notification.
--FuncAcctCred
Opt
Password for the account indicated in the FunctionalAccount option.
Use a password or DSS to have the system use system standard keys for
functional account credentials or a password of SPECIFIC to use a
system specific key.
--FuncAcctDN
Opt*
The distinguished name of the functional account. Required for Novell
NDS, LDAP pr LDAPS systems. Ignored for all others.
--FunctionalAccount
Opt
Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef
Opt
Cisco telnet attribute.
--MaxReleaseDuration
Opt
The maximum duration for a password request, expressed in minutes.
The value will be rounded to the nearest 15-minute increment. Valid
values are 1-30240 (21 days).
--NetBiosName
Opt
Required for Windows® AD or SPCW (DC) platforms.
--NetworkAddress
Req
Network address of the system. May be an IP V4 address or a fully
qualified domain name.
--NonPrivFuncFlag
Opt
Y/N.
--OracleSIDSN
Opt
Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle® system.
--OracleType
Opt
May be either SID or SERVICE. Only accepted for Oracle® platform.
--PasswordChangeProfile
Opt
A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile
Opt
A profile which controls when the account will have it’s password
checked.
--PasswordRule
Opt
The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new
Systems. Must use the text “Default Password Rule” to change existing
systems.
--PlatformName
Req
Any recognized platform name. Note that certain platforms, once set,
cannot be changed. For custom platform names the platform name is
indicated by “Custom” or “Custom Platform” followed by a forward
slash (/) and the custom platform name.
--PlatSpecificValue
Opt
A platform specific value, e.g., Linux® Delegation prefix or Windows®
Computer Name. Not all platforms support this value.
--PortNumber
Opt
Port number used for SSH communication with the system. Default
values are platform specific.
TPAM 2.5
Administrator Guide
249
Table 99. AddSystem options
Option name
Req/Opt Description
--PPMDPAAffinity
Opt
List of DPAs to use for PPM affinity in the form
DPAName1/priority;DPAName2/priority. Use Local to reset the list
and only use the appliance for password checks/changes.PPM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PSMDPAAffinity
Opt
List of DPAs to use for PSM affinity in the form
DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to
be used. Priority must be a number greater than zero. PSM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PrimaryEmail
Opt
Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ProfileCertType
Opt
One of the following values:
•
N - no thumbprint or certificate. Default
•
T - thumbprint only. The SHA1 thumbprint of the certificate
used by the system to notify TPAM of availability for
check/change operations.
•
G - generated. TPAM will generate a certificate and record the
thumbprint. This certificate must be installed on the system in
order to call the TPAM notification service.
--ProfileCertThumbprint
Opt
Thumbprint of certificate. Only used when ProfileCertType is T.
--ProfileCertPassword
Opt
Optional password on a TPAM generated certificate. This password will
be required to install the certificate on the target system. The
password is NOT stored and cannot be retrieved if forgotten.
--ReleaseChangeFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE.
--ReleaseDuration
Opt
The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15
minute increment. Valid values are 0-30240 (21 days). If 0 is entered
the ISA retrieval of a password will not trigger a post release reset of
the password.
--RequireTicketForAPI
Opt
Require a valid Ticket System & Number for any API password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI
Opt
Require a valid Ticket System & Number for any CLI password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA
Opt
Require a valid Ticket System & Number for any ISA password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM
Opt
Require a valid Ticket System & Number for any PSM request on this
account. Y/N.
--RequireTicketForRequest Opt
Require a valid Ticket System & Number for any password request on
this account. Y/N
--ResetFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Check Profile.
--SSHAccount
Opt
The account name to use when communicating with this system via
SSH. This is required when the UseSshFlag is set to Y.
--SSHKey
Opt
Either “Standard” to use the appliance's system standard keys or
“Specific” to generate a specific key for this system. “Standard” is the
default.
--SSHPort
Opt
The port number for SSH communication. If not specified a default of
22 is used.
TPAM 2.5
Administrator Guide
250
Table 99. AddSystem options
Option name
Req/Opt Description
--SystemAutoFlag
Opt
Whether or not to enable automatic password management for
accounts on this system. Y/N. If set to N the account auto flags may
only be N (none) or M (Manual).
--TemplateSystemName
Opt
The name of a template system. Data from the template system will be
used as defaults for the new system. Template data will be overridden
with data supplied here. System templates may also contain Collection
Membership, Group & User Permissions, and up to 20 accounts, all of
which will be automatically transferred to the new system.
--TicketEmailNotify
Opt
Email to notify if a password is retrieved via API, CLI, or ISA without a
ticket number. Ignored when RequireTicketForRequest is N or ticket is
required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName
Opt
When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid ticket
system.
--Timeout
Opt
The number of seconds TPAM will attempt to communicate with the
system for password checks and changes before issuing a “timed out”
error. Default is 20 seconds.
--UseSslFlag
Opt
Whether or not to use SSL to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.
--UseSshFlag
Opt
Whether or not to use SSH to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.
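The AddSystem table above states several dependencies between options: UseSslFlag and UseSshFlag are mutually exclusive, SSHAccount is required when UseSshFlag is Y, ReleaseDuration is 0-30240 minutes rounded to a 15-minute increment, and RequireTicketForAPI/CLI/ISA and TicketEmailNotify are ignored under conditions tied to RequireTicketForRequest. The following Python is an added example, not TPAM code or part of this guide: a pre-flight check that encodes those rules so an inconsistent option set is caught before the command is sent. Option names are the table's; the function names, the constructed sample values, and the placeholder system name and e-mail address are this example's own, and it assumes Y/N flags are compared case-insensitively.

```python
"""Pre-flight check for a TPAM AddSystem option set.

Added example, not TPAM code: it encodes the dependencies the option table
states so a mistaken combination is caught before the command is sent.
Option names are the ones in the table; the function names and the sample
option dictionary in main() are this example's own.
"""


def round_release_duration(minutes: int) -> int:
    """Round to the nearest 15-minute increment, as the table says TPAM does.

    Valid input is 0-30240 minutes (21 days); anything else is rejected.
    Integer arithmetic avoids float rounding surprises: 37 -> 30, 38 -> 45.
    """
    if not 0 <= minutes <= 30240:
        raise ValueError("ReleaseDuration must be between 0 and 30240 minutes")
    return (minutes + 7) // 15 * 15


def _is_y(opts: dict, name: str) -> bool:
    """Y/N flags are compared case-insensitively here (an assumption);
    anything other than Y counts as N."""
    return str(opts.get(name, "N")).strip().upper() == "Y"


def effective_ticket_policy(opts: dict) -> dict:
    """Work out which retrieval channels really require a ticket.

    RequireTicketForAPI/CLI/ISA are ignored when RequireTicketForRequest is N,
    and TicketEmailNotify is ignored when RequireTicketForRequest is N or when
    all three channels require a ticket (nothing can be retrieved without one).
    RequireTicketForPSM carries no such clause in the table and stands alone.
    """
    require = _is_y(opts, "RequireTicketForRequest")
    channels = {ch: require and _is_y(opts, f"RequireTicketFor{ch}")
                for ch in ("API", "CLI", "ISA")}
    channels["PSM"] = _is_y(opts, "RequireTicketForPSM")
    all_three = all(channels[ch] for ch in ("API", "CLI", "ISA"))
    notify_used = require and not all_three and bool(opts.get("TicketEmailNotify"))
    return {"ticket_required": channels, "email_notify_used": notify_used}


def check_add_system(opts: dict) -> list:
    """Return the list of inconsistencies found; an empty list means consistent."""
    problems = []
    ssl, ssh = _is_y(opts, "UseSslFlag"), _is_y(opts, "UseSshFlag")
    if ssl and ssh:
        problems.append("UseSslFlag and UseSshFlag are mutually exclusive")
    if ssh and not opts.get("SSHAccount"):
        problems.append("SSHAccount is required when UseSshFlag is Y")
    if "ReleaseDuration" in opts:
        try:
            round_release_duration(int(opts["ReleaseDuration"]))
        except ValueError as exc:
            problems.append(f"ReleaseDuration: {exc}")
    policy = effective_ticket_policy(opts)
    for ch in ("API", "CLI", "ISA"):
        if _is_y(opts, f"RequireTicketFor{ch}") and not policy["ticket_required"][ch]:
            problems.append(f"RequireTicketFor{ch}=Y has no effect while "
                            "RequireTicketForRequest is N")
    if opts.get("TicketEmailNotify") and not policy["email_notify_used"]:
        problems.append("TicketEmailNotify will be ignored with these ticket flags")
    return problems


def main() -> None:
    # Constructed sample: an SSH-managed system with a stray UseSslFlag.
    sample = {
        "SystemName": "db-prod-01",               # placeholder system name
        "UseSshFlag": "Y",
        "UseSslFlag": "Y",
        "SSHAccount": "tpam-svc",                 # placeholder account
        "ReleaseDuration": "37",
        "RequireTicketForRequest": "N",
        "RequireTicketForAPI": "Y",
        "TicketEmailNotify": "soc@example.test",  # placeholder address
    }
    for problem in check_add_system(sample) or ["no problems found"]:
        print(problem)


if __name__ == "__main__":
    main()
```

Run as a script it reports the constructed sample's three problems; in practice the dictionary would be assembled by whatever builds the AddSystem command line. The checks cover only what the table states as ignored, required or exclusive and do not replace the appliance's own validation.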
AddUser--options
Creates a new user account. The CLI user must have user administrator or administrator privilege.
Table 100. AddUser options
Option name
Req/Opt Description
--UserName
Req
User Name. Maximum 30 characters.
--LastName
Req
Maximum of 30 characters.
--FirstName
Req
Maximum of 30 characters.
--UserType
Opt
Basic (default), Admin, Auditor, or UserAdmin
--CertThumbprint
Opt
The SHA1 Thumbprint of the user’s certificate. The SHA1 thumbprint
must be exactly 40 characters in length.
--Custom1-6
Opt
Custom user columns, if defined. Use !NULL to clear the value.
--DfltConnectOptions
Opt
Semi-colon separated list of name=value pairs of default PSM
connection options when a user starts a PSM session. In the /tpam
interface go to Batch Processing/Import UserIDs for a list of names
and values. Use !NULL to clear the value when updating.
--Description
Opt
Maximum of 255 characters. Use !NULL to clear.
--Password
Opt
Password for new User. Maximum of 128 characters. If not specified a
random password will be generated and must be reset before the user
may log in.
--Email
Opt
Maximum of 255 characters. Use !NULL to clear.
--Phone
Opt
Maximum of 30 characters. Use !NULL to clear.
--Mobile
Opt
Maximum of 30 characters. Use !NULL to clear. Also recognizes the
value --pager for legacy support.
--Disable
Opt
Whether the user's ID is currently disabled. Y/N. Disabled users
cannot log in to the appliance.
--ExternalAuth
Opt
Obsolete, replaced with SecondaryAuth
--SecondaryAuth
Opt
Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
LDAP.
--ExternalAuthSystem
Opt
Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem
Opt
Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID
Opt
Obsolete, replaced with SecondaryUserID
--SecondaryUserID
Opt*
User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra
Opt
The LDAP Primary Authentication Types support an “Extra” user ID.
The User logs in using a shorthand value in the PrimaryAuthID, but the
data in the PrimaryAuthExtra will be used to do the actual
authentication against the external system. Use !NULL to clear.
--PrimaryAuthID
Opt*
The User ID to use for primary authentication when a non-local
authentication system is used.
--PrimaryAuthType
Opt
The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem
Opt*
Name of the defined system to use when the PrimaryAuthType is not
local or certificate. Systems are defined by the appliance System
Administrator.
--LogonHoursFlag
Opt
Indicates whether the LogonHours value represents allowed or
prohibited hours. Valid values are A (allowed), P (prohibited) or N (no
restrictions).
--LogonHours
Opt
A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all
indicating 07:00 AM). Separate multiple ranges with semi-colons, e.g.,
07:00-12:00;18:00-23:59 (7AM-12PM and 6PM-11:59PM). If the
LogonHoursFlag value is N this value is ignored.
--LogonDays
Opt
When Logon Hours are specified you may also specify the days of the
week those hours are effective. Specify days with a string of 7 X's (to
indicate an “on” day) or periods (for an “off” day) to represent the
week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun
and Sat off. If LogonHours are specified and LogonDays is left empty
the default is all days “on”, e.g., XXXXXXX.
--MobileAllowedFlag
Opt
Whether to allow this user to log in to the system from a mobile
device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone
Opt
The user's local time zone. You may enter any part of the time zone
name as long as it is unique in the list, e.g., entering Guam will only
find one time zone while entering 02:00 or US will find multiple
entries. A value of “Server” indicates that the user is in the same
time zone as the server and follows the same DST rules.
--DstFlag
Opt
Obsolete. Users now automatically adjust for DST according to the local
time zone to which they are assigned.
--TemplateUserName
Opt
The name of a template user. Data from the template user will be
used as defaults for the new user. Template data will be overridden
with data supplied here. User templates may also contain group
membership and system and collection permissions, all of which will
be automatically transferred to the new user. A CLI User may only
utilize Web-Interface templates.
Legacy support:
AddUser <UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Mobile],[UserType(Basic default\Admin\Auditor\UserAdmin)],[InitialPassword],[DisableFl(Y\N)],[SecAuthType(NONE,SAFEWORD,SECUREID,LDAP,RADIUS,DEFENDER,WINAD)],[SecAuthUserID],[Description]
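The LogonHoursFlag, LogonHours and LogonDays entries in the AddUser table above define a small format: time values in any of the forms 7, 07, 700, 0700 or 07:00, up to four semicolon-separated ranges, and a seven-character Sunday-to-Saturday string of X and periods. The following Python is an added example, not TPAM code or part of this guide: a parser and evaluator for that format that validates the three values and reports whether a given local timestamp is a permitted logon time, a useful check both before submitting AddUser and when reviewing what an existing restriction actually allows. It assumes range ends are inclusive and that on a day marked with a period the ranges are simply not in effect, and it treats P as prohibited since the flag distinguishes allowed from prohibited hours; the function names and sample timestamps are its own.

```python
"""Evaluator for the AddUser LogonHoursFlag / LogonHours / LogonDays values.

Added example, not TPAM code.  It parses the time forms the table lists
(7, 07, 700, 0700, 07:00), up to 4 semicolon-separated ranges, and the
7-character Sunday-to-Saturday string of X and '.', then says whether a
given local date and time is a permitted logon time under that policy.
Assumptions of this example: range ends are inclusive, and on a day marked
'.' the ranges are not in effect (with A nothing is allowed that day, with
P nothing is prohibited).  P is treated as "prohibited", matching the
flag's stated purpose of marking allowed or prohibited hours.
"""
from datetime import datetime, time


def parse_time(text: str) -> time:
    """Accept 7, 07, 700, 0700 or 07:00 and return a datetime.time."""
    s = text.strip()
    if ":" in s:
        hh, mm = s.split(":", 1)
    elif len(s) <= 2:
        hh, mm = s, "00"
    elif len(s) in (3, 4):
        hh, mm = s[:-2], s[-2:]
    else:
        raise ValueError(f"bad time {text!r}")
    if not (hh.isdigit() and mm.isdigit()):
        raise ValueError(f"bad time {text!r}")
    h, m = int(hh), int(mm)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"time out of range {text!r}")
    return time(h, m)


def parse_logon_hours(text: str) -> list:
    """Turn '07:00-12:00;18:00-23:59' into a list of 1-4 (start, end) tuples."""
    ranges = []
    for part in (p.strip() for p in text.split(";") if p.strip()):
        start, sep, end = part.partition("-")
        if not sep:
            raise ValueError(f"range {part!r} needs a '-'")
        s, e = parse_time(start), parse_time(end)
        if e <= s:
            raise ValueError(f"range {part!r} ends before it starts")
        ranges.append((s, e))
    if not 1 <= len(ranges) <= 4:
        raise ValueError("LogonHours takes between 1 and 4 ranges")
    return ranges


def parse_logon_days(text: str) -> list:
    """Return 7 booleans, Sunday first, from e.g. '.XXXXX.'; empty means all on."""
    if not text:
        return [True] * 7
    if len(text) != 7 or any(c not in "X." for c in text):
        raise ValueError("LogonDays must be 7 characters of X or .")
    return [c == "X" for c in text]


def check_logon_options(flag: str, hours: str, days: str) -> list:
    """Return a list of problems with the three values; empty means they parse."""
    problems = []
    flag = flag.strip().upper()
    if flag not in ("A", "P", "N"):
        problems.append("LogonHoursFlag must be A, P or N")
    if flag in ("A", "P"):          # with N the other two values are ignored
        for name, fn, value in (("LogonHours", parse_logon_hours, hours),
                                ("LogonDays", parse_logon_days, days)):
            try:
                fn(value)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    return problems


def logon_permitted(flag: str, hours: str, days: str, when_iso: str) -> bool:
    """Apply the policy to a local timestamp given as ISO text, e.g. '2024-01-15T10:30'."""
    flag = flag.strip().upper()
    if flag == "N":
        return True
    if flag not in ("A", "P"):
        raise ValueError("LogonHoursFlag must be A, P or N")
    when = datetime.fromisoformat(when_iso)
    # datetime.weekday() is Monday=0 .. Sunday=6; the table's string is Sunday-first.
    day_on = parse_logon_days(days)[(when.weekday() + 1) % 7]
    t = when.time().replace(second=0, microsecond=0)
    in_window = day_on and any(s <= t <= e for s, e in parse_logon_hours(hours))
    return in_window if flag == "A" else not in_window


if __name__ == "__main__":
    # Constructed sample: the table's own 07:00-12:00;18:00-23:59, Mon-Fri on.
    policy = ("A", "07:00-12:00;18:00-23:59", ".XXXXX.")
    for stamp in ("2024-01-15T10:30", "2024-01-15T15:00", "2024-01-14T10:30"):
        print(stamp, "permitted" if logon_permitted(*policy, stamp) else "denied")
```

The script run prints a Monday mid-morning as permitted and a Monday afternoon and a Sunday as denied. check_logon_options is the piece to call before AddUser; logon_permitted is the piece to use when auditing an existing user's restriction.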
Approve--options
Allows password requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve requests
for the system/account in the request. The CLI user cannot approve a password request they have added on
behalf of another user. Successful execution of the approve command will produce no output. This is by design.
Table 101. Approve options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID to approve.
--Comment
Req
The approval comment. Up to 255 characters.
Legacy support:
Approve <request ID>, <comment>
ApproveSessionRequest--options
Allows session requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve session
requests for the system/account in the request. The CLI user cannot approve a session request they have added
on behalf of another user. Successful execution of the approve command will produce no output. This is by
design.
Table 102. ApproveSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID to approve.
--Comment
Req
The approval comment. Up to 255 characters.
Cancel--options
Allows password requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request. Successful execution of the cancel command will produce no output. This is by
design.
Table 103. Cancel options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID to cancel.
--Comment
Req
The cancel comment. Up to 255 characters.
Legacy support:
Cancel <requestid>,<comment>
CancelSessionRequest--options
Allows session requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request.
Table 104. CancelSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID to cancel.
--Comment
Req
The cancel comment. Up to 255 characters.
Legacy support:
CancelSessionRequest <requestid>,<comment>
ChangeUserPassword--options
Performs a forced reset on a user’s password. The CLI user must have user administrator (for non-privileged
accounts only) or administrator privilege.
Table 105. ChangeUserPassword options
Option name
Req/Opt
Description
--UserName
Req
User name to change password for. Cannot be a system administrator user.
--Password
Req
New user password. If the password contains any spaces the value must be
surrounded by double quotes.
Legacy support:
ChangeUserPassword <UserName>,<Password>
CheckPassword--options
Initiates a password test for the specified system account. The CLI user must have administrator privilege or the
ISA permission over the system.
Table 106. CheckPassword options
Option name
Req/Opt
Description
--SystemName
Req
System name of the account to check.
--AccountName
Req
Account name to check.
Legacy support:
CheckPassword <SystemName>,<AccountName>
ClearKnownHosts--options
Removes the host entry for the system from TPAM’s known hosts file. The CLI user must have PPM ISA or
Administrator privilege.
Table 107. ClearKnownHosts options
Option name
Req/Opt
Description
--SystemName
Req
Name of the system to clear the known hosts.
DeleteAccount--options
Soft deletes the system account. The CLI user must have ISA or Administrator privilege.
Table 108. DeleteAccount options
Option name
Req/Opt
Description
--SystemName
Req
System name of the account to delete.
--AccountName
Req
Account name to delete.
Legacy support:
DeleteAccount <systemname>,<accountname>
DeleteProfile--options
Deletes the profile. The CLI user must have Administrator privilege.
Table 109. DeleteProfile options
Option name
Req/Opt
Description
--Type
Req
PasswordChange or PasswordCheck
--Name
Req
Name of the profile to delete. If the name contains spaces or alphanumeric characters it must be properly quoted.
DeleteSyncPass--options
Deletes a synchronized password. The CLI user must have administrator privilege.
Table 110. DeleteSyncPass option
Option name
Req/Opt
Description
--SyncPassName
Req
Name of synchronized password to delete.
DeleteSystem--options
Soft deletes the named system. The CLI user must have administrator privilege.
Table 111. DeleteSystem option
Option name
Req/Opt
Description
--SystemName
Req
Name of the system to delete.
Legacy support:
DeleteSystem <systemname>
DeleteUser--options
Permanently deletes the named user account. The CLI user must have administrator privilege to delete any user,
or user administrator privilege to delete any non-administrator user.
Table 112. DeleteUser option
Option name
Req/Opt
Description
--UserName
Req
User name to delete. Cannot be a system administrator user.
Legacy support:
DeleteUser <username>
DropCollection--options
Deletes an existing collection. The CLI user must have ISA or administrator privilege.
Table 113. DropCollection option
Option name
Req/Opt
Description
--CollectionName
Req
Name of collection to delete. Cannot drop collections tied to auto-discovery.
Legacy support:
DropCollection <CollectionName>
DropCollectionMember--options
Removes a system, account or file from one or more collections. The CLI user must have administrator privilege
or the ISA permission over the collection and system.
Table 114. DropCollectionMember options
Option name
Req/Opt
Description
--CollectionName
Req
Name of collection. Cannot drop collections tied to auto-discovery.
--SystemName
Req
Name of system to drop from the collection. If an account or file name
is being dropped from the collection, this should be the system on which
the account or file resides.
--AccountName
Opt
Name of account to drop from the collection. The account must reside on --SystemName.
--FileName
Opt
Name of file to drop from the collection. The file must reside on --SystemName.
Legacy support:
DropCollectionMember <MemberName>,<CollectionName>
DropGroup--options
Deletes an existing group. The CLI user must have ISA or administrator privilege. --GroupID or --GroupName may
be passed, but not both.
Table 115. DropGroup options
Option name
Req/Opt
Description
--GroupName
Opt
Name of group. Cannot drop groups tied to auto-discovery.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
Legacy support:
DropGroup <GroupName>
DropGroupMember--options
Removes an existing user account from one or more groups. The CLI user must have administrator privilege.
--GroupID or --GroupName may be passed, but not both.
Table 116. DropGroupMember options
Option name
Req/Opt
Description
--GroupName
Opt
Name of group. Membership in groups tied to auto-discovery cannot be
changed.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Req
Name of user to remove from the group.
Legacy support:
DropGroupMember <UserName>,<GroupName>
DropSyncPwdSub--options
Removes a subscriber from a synchronized password. The CLI user must have administrator privilege.
Table 117. DropSyncPwdSub options
Option name
Req/Opt
Description
--SyncPassName
Req
Synchronized password name.
--SystemName
Req
System name of account to unsubscribe.
--AccountName
Req
Account name to unsubscribe.
ForceReset--options
Forces a password change for the specified system account. The CLI user must have administrator privilege or
ISA permission over the system. The specified system must be auto managed.
Table 118. ForceReset options
Option name
Req/Opt
Description
--SystemName
Req
Name of system for the account.
--AccountName
Req
Account name to reset.
ForceResetManual--options
Allows password reset for a manually managed account through the CLI. This command returns a password to
be set manually and a PasswordID to be passed to the ManualPasswordReset command to report the success or
failure of updating the password.
Table 119. ForceResetManual options
Option name
Req/Opt
Description
--SystemName
Req
Name of system for the account.
--AccountName
Req
Account name to reset.
GetPwdRequest--options
Returns the details associated with the specified password request.
Table 120. GetPwdRequest options
Option name
Req/Opt
Description
--RequestID
Req
Password request ID.
--IncludeLinked
Opt
For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.
Legacy support:
GetPwdRequest <RequestID>
GetSessionRequest--options
Returns the details associated with the specified session request.
Table 121. GetSessionRequest options
Option name
Req/Opt
Description
--RequestID
Req
Session request ID.
--IncludeLinked
Opt
For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.
Legacy support:
GetSessionRequest <RequestID>
ListAccounts--options
Lists all defined system accounts. Only systems for which the CLI user has ISA privilege will be listed.
Administrators may list all accounts.
Table 122. ListAccounts options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--NetworkAddress
Opt
Network address to filter. Use * for wildcard.
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--Platform
Opt
Platform name to filter. Use ALL to filter for all platforms. Default is ALL.
Use “Custom/customPlatName” to indicate a custom platform.
--SystemAutoFlag
Opt
Filter on the auto-management flag on the system. Y = auto-managed, N=
not managed, or ALL, the default.
--AccountAutoFlag
Opt
Filter on the auto-management flag on the account. Y = auto-managed,
N= not managed, M = manually managed or ALL, the default.
--DualControlFlag
Opt
All is the default, Y = > 1 approver required, N = zero approvers required.
--SystemCustom1
Opt
Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2
Opt
See --SystemCustom1
--SystemCustom3
Opt
See --SystemCustom1
--SystemCustom4
Opt
See --SystemCustom1
--SystemCustom6
Opt
See --SystemCustom1
--AccountCustom1
Opt
Filter based on contents of account level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--AccountCustom2
Opt
See --AccountCustom1
--AccountCustom3
Opt
See --AccountCustom1
--AccountCustom4
Opt
See --AccountCustom1
--AccountCustom5
Opt
See --AccountCustom1
--AccountCustom6
Opt
See --AccountCustom1
--PasswordChangeProfile
Opt
Name of assigned password change profile.
--PasswordCheckProfile
Opt
Name of assigned password check profile.
--DisableSchedules
Opt
Filter by disabled password check or change schedule. Allowed values are
ALL (default), Either, Check, Change, Both, or None.
--Sort
Opt
Sort results by SystemName (default), AccountName, or NextChangeDate.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
Legacy support:
ListAccounts [SystemName (* for wildcard)],[AccountName (* for wildcard)],[NetworkAddress (* for wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl (All|Y|N) default=All],[AcctAutoFl (All|Y|N|M) default=All],[Dual Control Required Flag (All|Y|N) default=All],[Sort (SystemName|AccountName|NextChangeDt) default=SystemName],[MaxRows Default=25]
ListAcctsForPwdRequest--options
Provides a list of accounts that the user can submit a password request for.
Table 123. ListAcctsForPwdRequest options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--MostRecent
Opt
Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6
Opt
Filter results based on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6
Opt
Filter results based on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--ForUserName
Opt
List accounts that can be requested for the user specified here. If the
user running the command is an Administrator all accounts for the user
ID will be listed. If the user running the command is an ISA, only
accounts that the ISA also has permissions to will be listed.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
ListAcctsForSessionRequest--options
Provides a list of accounts that the user can submit a session request for.
Table 124. ListAcctsForSessionRequest options
Option name
Req/Opt
Description
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--MostRecent
Opt
Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6
Opt
Filter results based on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6
Opt
Filter results based on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--ForUserName
Opt
List accounts that can be requested for the user specified here. If the
user running the command is an Administrator all accounts for the user
ID will be listed. If the user running the command is an ISA, only
accounts that the ISA also has permissions to will be listed.
--MaxRows
Opt
Maximum number of rows to return. 25 is the default.
ListAssignedPolicies--options
Lists access policies assigned to accounts, collections, files, groups, systems or users based on specified filter
criteria. ListAssignedPolicies takes the place of both ListPermissions and ListEGPPermissions.
The output of this command is essentially the same data as the entitlement report. All users will be listed,
along with their effective permissions over any system. The output can potentially be very large. The CLI user
must be an Administrator to return the full list. ISA users will obtain a limited list based upon the scope of their
privilege.
TIP: At least one of the following options must contain a non-wildcard value in order to run this report:
AccessPolicyName, AccountName, CollectionName, FileName, GroupName, SystemName, UserName.
Table 125. ListAssignedPolicies options
Option name
Req/Opt
Description
--AccessPolicyName
Opt*
Access policy names to include in the listing. Use * for wildcard. If the
policy name includes spaces the string must be quoted appropriately.
--AccountName
Opt*
Account name to filter. Use * for wildcard.
--AllorEffectiveFlag
Opt
A = show all policies affecting each entry or E = only the one effective
policy. When all policies are shown the effective policy is indicated.
--CollectionName
Opt*
Collection name to filter. Use * for wildcard.
--ExpandCollectionFlag
Opt
Whether to expand the collections to show all member systems,
accounts, and files. Y or N. Default is N.
--ExpandGroupFlag
Opt
Whether to expand the groups to show all user members. Y or N.
Default is N.
--ExpandPolicyFlag
Opt
Whether to expand the access policies to show underlying permissions.
When not expanded only the access policy name shows. Y or N. Default
is N.
--FileName
Opt*
File name to filter. Use * for wildcard.
--GroupName
Opt*
Group name to filter. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
--PermissionName
Opt
Permissions to include in the listing. Multiple types may be included
with a semi-colon between each. Valid types are: DEN, ISA, APR, REQ,
REV, PAC and ALL (default).
--PermissionType
Opt
Permission types to include in the listing. Multiple types may be
included with a semi-colon between each. Valid types are: Pwd, Sess,
File, Cmd and ALL (default).
--SortOrder
Opt
Sort results by UserName (default), SystemName, AccountName,
FileName, PolicyName, GroupName or CollectionName.
--SystemName
Opt*
System name to filter. Use * for wildcard.
--UserName
Opt*
User name to filter. Use * for wildcard.
ListCollections--options
Lists collections and collection members, specified by collection name or system name.
Table 126. ListCollections options
Option name
Req/Opt
Description
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--SystemName
Opt
Indicating the system name will return a list of collections that this system
belongs to.
--AccountName
Opt
Account name for membership to filter. Use * for wildcard. Use ! to find
collections that do not contain any accounts as members.
--FileName
Opt
File name for membership to filter. Use * for wildcard. Use ! to find
collections that do not have any files as members.
ListCollectionMembership--options
Lists collection system, account, and file name for all collections, specified collections, or specified systems.
The CLI user must have administrator privilege or the ISA permission over the collection and system.
Table 127. ListCollectionMembership options
Option name
Req/Opt
Description
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--SystemName
Opt
Indicating the system name will return a list of collections that this system
belongs to.
--AccountName
Opt
Account name for membership to filter. Use * for wildcard.
--FileName
Opt
File name for membership to filter. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListCollectionMembership [CollectionName (* for wildcard)],[SystemName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListDependentSystems--options
Lists status of systems (dependent or not dependent) for a specific account. You must have administrator or PPM
ISA privileges on the system.
Table 128. ListDependentSystems options
Option name
Req/Opt
Description
--SystemName
Req
System name.
--AccountName
Req
Account name.
--DependentStatus
Opt
Status of dependents to list: Both (default), Dependent, Not Dependent.
--DependentName
Opt
Filter list of dependents by system name. Use * for wildcard.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
ListEGPAccounts--options
Lists all accounts that can be PSM enabled. This command has been replaced by ListPSMAccounts. See
ListPSMAccounts--options.
ListGroups--options
Lists groups and group members, specified by group name or member name, or GroupID.
Table 129. ListGroups options
Option name
Req/Opt
Description
--GroupName
Opt
Group name to filter. Use * for wildcard.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Opt
Indicating the user name will return a list of groups that this user belongs to.
Use a single ! (exclamation point) to find groups with no users assigned.
ListGroupMembership--options
Lists group name and username for all groups, specified groups, or specified users. The CLI user must have
administrator privilege.
Table 130. ListGroupMembership options
Option name
Req/Opt
Description
--GroupName
Opt
Group name to filter. Use * for wildcard.
--GroupID
Opt
Unique identifier assigned to group by TPAM.
--UserName
Opt
Use * for a wildcard. Indicating the user name will return a list of groups that
this user belongs to.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListGroupMembership [GroupName (* for wildcard)],[UserName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]
ListLinkedAccounts--options
List linked accounts tied to one of the options below.
Table 131. ListLinkedAccounts options
Option name
Req/Opt
Description
--UserName
Opt
User name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--DomainName
Opt
Domain name to filter. Use * for wildcard.
--AccountName
Opt
Account name to filter. Use * for wildcard.
ListPwdChangeProfiles--options
Lists password change profiles.
Table 132. ListPwdChangeProfiles options
Option name
Req/Opt
Description
--Name
Opt
Specific or wildcard profile name to list. Use * for wildcard. If the profile
name includes spaces the string must be quoted appropriately.
--Description
Opt
Profile description to filter. Use * for wildcard. If the description includes
spaces the string must be quoted appropriately.
--MaxRows
Opt
Maximum number of rows to return. Default is 25. Pass zero (0) to list all
rows.
ListPwdCheckProfiles--options
Lists password check profiles.
Table 133. ListPwdCheckProfiles options
Option name
Req/Opt
Description
--Name
Opt
Specific or wildcard profile name to list. Use * for wildcard. If the profile
name includes spaces the string must be quoted appropriately.
--Description
Opt
Profile description to filter. Use * for wildcard. If the description includes
spaces the string must be quoted appropriately.
--MaxRows
Opt
Maximum number of rows to return. Default is 25. Pass zero (0) to list all
rows.
ListPSMAccounts--options
Lists all accounts that can be PSM enabled.
Table 134. ListPSMAccounts options
Option name
Req/Opt
Description
--AccountAutoFlag
Opt
Y = managed, N = not managed, M = manually managed, or ALL
(default).
--AccountEGPFlag
Opt
This option is obsolete. Any value passed for this option will be used for
--AccountPSMFlag.
--AccountPSMFlag
Opt
Filter on PSM enabled check box. Y= enabled, N = disabled or ALL
(default).
--AccountName
Opt
Account name to filter. Use * for wildcard.
--AccountCustom1
Opt
Filter based on contents of account level custom columns. Ignored if
the appropriate custom column has not been defined in Global Settings.
--AccountCustom2
Opt
See --AccountCustom1
--AccountCustom3
Opt
See --AccountCustom1
--AccountCustom4
Opt
See --AccountCustom1
--AccountCustom5
Opt
See --AccountCustom1
--AccountCustom6
Opt
See --AccountCustom1
--CollectionName
Opt
Collection name to filter. Use * for wildcard.
--DualControlFlag
Opt
All is the default, Y = 1 or more approvers required, N = zero approvers
required.
--AccountLockFlag
Opt
Filter on the account locked flag. Y = locked, N = not locked, or ALL
(default).
--NetworkAddress
Opt
Network address to filter. Use * for wildcard.
--Platform
Opt
Platform to filter. Use ALL for all platforms. Use
“Custom/custPlatName” to indicate a custom platform.
--SystemAutoFlag
Opt
Filter on the auto-management flag on the system. Y = auto-managed,
N= not managed, or ALL, the default.
--SystemCustom1
Opt
Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2
Opt
See --SystemCustom1
--SystemCustom3
Opt
See --SystemCustom1
--SystemCustom4
Opt
See --SystemCustom1
--SystemCustom6
Opt
See --SystemCustom1
--SystemEGPFlag
Opt
This option is obsolete. Any value passed in this option will be used for
--SystemPSMFlag.
--SystemPSMFlag
Opt
Filter on whether the system is enabled for PSM. Y = enabled, N = disabled, or
ALL (default).
--SystemName
Opt
Filter on system name. Use * for wildcard.
--Sort
Opt
Sort results by SystemName (default) or AccountName.
--SortType
Opt
Ascending (default) or Descending.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
ListReasonCodes
Lists any active reason codes, and their descriptions, that have been defined in TPAM.
ListRequest--options
Lists basic details about password requests for which the CLI user is an approver or requestor.
Table 135. ListRequest options
Option name
Req/Opt
Description
--Status
Opt
Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName
Opt
User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests, as opposed to requests for
approval.
--AccountName
Opt
Account name to filter. Use * for wildcard.
--SystemName
Opt
System name to filter. Use * for wildcard.
--StartDate
Opt
Start date of requested release date.
--EndDate
Opt
End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows
Opt
Maximum number of rows to return. The default is 25.
Legacy support:
ListRequest [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(* for wildcard)],[AccountName(* for wildcard)],[SystemName(* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListRequestDetails --options
Lists specific details about password requests for which the CLI user is an approver or requestor, such as submission date, release duration, expiration date, etc.
Table 136. ListRequestDetails options
Option name | Req/Opt | Description
--Status | Opt | Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName | Opt | User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests for approval.
--AccountName | Opt | Account name to filter. Use * for wildcard.
--SystemName | Opt | System name to filter. Use * for wildcard.
--StartDate | Opt | Start date of the requested release.
--EndDate | Opt | End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Legacy support:
ListRequestDetails [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName (* for wildcard)],[AccountName(* for wildcard)],[SystemName (* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSessionRequest --options
Lists basic details about session requests for which the CLI user is an approver or requestor.
Table 137. ListSessionRequest options
Option name | Req/Opt | Description
--Status | Opt | Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName | Opt | User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests for approval.
--AccountName | Opt | Account name to filter. Use * for wildcard.
--SystemName | Opt | System name to filter. Use * for wildcard.
--StartDate | Opt | Start date of the requested release.
--EndDate | Opt | End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Legacy support:
ListSessionRequest [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(* for wildcard)],[AccountName(* for wildcard)],[SystemName(* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSessionRequestDetails --options
Lists specific details about session requests for which the CLI user is an approver or requestor, such as submission date, release duration, expiration date, etc.
Table 138. ListSessionRequestDetails options
Option name | Req/Opt | Description
--Status | Opt | Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName | Opt | User name of the requestor to filter. Use * for wildcard. Use the name "User=Myself" to list your own requests, as opposed to requests for approval.
--AccountName | Opt | Account name to filter. Use * for wildcard.
--SystemName | Opt | System name to filter. Use * for wildcard.
--StartDate | Opt | Start date of the requested release.
--EndDate | Opt | End date of the requested release. To select a single date, enter a Start Date and an empty End Date.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Legacy support:
ListSessionRequestDetails [Status(All|Pending|Active|Open|Current) Default=Open],[RequestorName(* for wildcard)],[AccountName(* for wildcard)],[SystemName(* for wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]
ListSynchronizedPasswords
Lists all synchronized passwords configured in TPAM.
ListSyncPwdSubscribers --options
Lists the subscribers of a specific synchronized password. You must have administrator privileges.
Table 139. ListSyncPwdSubscribers option
Option name | Req/Opt | Description
--SyncPassName | Req | Synchronized password name.
ListSystems --options
Lists all defined systems. Only systems for which the CLI user has ISA privilege will be listed. Administrators may list all systems.
Table 140. ListSystems options
Option name | Req/Opt | Description
--SystemName | Opt | System name to filter. Use * for wildcard.
--NetworkAddress | Opt | Network address to filter. Use * for wildcard.
--CollectionName | Opt | Collection name to filter. Use * for wildcard.
--Platform | Opt | Name of the platform to filter, or ALL (default). Use “Custom/custPlatName” for a custom platform.
--AutoFlag | Opt | Filter on the auto-management flag of the system. Y = auto-managed, N = not managed, or ALL (default).
--SystemCustom1 | Opt | Filter based on the contents of system-level custom columns. Ignored if the corresponding custom column has not been defined in Global Settings.
--SystemCustom2 | Opt | See --SystemCustom1.
--SystemCustom3 | Opt | See --SystemCustom1.
--SystemCustom4 | Opt | See --SystemCustom1.
--SystemCustom6 | Opt | See --SystemCustom1.
--PasswordChangeProfile | Opt | Name of the assigned password change profile.
--PasswordCheckProfile | Opt | Name of the assigned password check profile.
--SortOrder | Opt | Sort results by SystemName (default), NetworkAddress, or PlatformName.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Legacy support:
ListSystems <SystemName (* for wildcard)>,[NetworkAddress (* for wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl (All|Y|N) default=All],[Sort (SystemName|NetworkAddress|PlatformName) default=SystemName],[MaxRows Default=25]
ListUsers --options
Lists all non-CLI users defined in TPAM. The CLI user must have administrator or user administrator privilege.
Table 141. ListUsers options
Option name | Req/Opt | Description
--UserName | Opt | User name to filter. Use * for wildcard.
--EmailAddress | Opt | Email address to filter. Use * for wildcard.
--GroupName | Opt | Group name to filter. Use * for wildcard.
--UserInterface | Opt | Filter for API, CLI, WEB or ALL (default).
--UserType | Opt | Filter for BASIC, ADMIN, AUDITOR, USERADMIN, or ALL (default).
--Status | Opt | Filter for ENABLED, DISABLED, LOCKED, or ALL (default).
--ExternalAuthType | Opt | Obsolete; replaced by --SecondaryAuthType.
--SecondaryAuthType | Opt | Filter for SAFEWORD, SECUREID, LDAP, WINAD, RADIUS, DEFENDER, NONE, or ALL (default).
--UserCustom1 | Opt | Filter based on the contents of user-level custom columns. Ignored if the corresponding custom column has not been defined in Global Settings.
--UserCustom2 | Opt | See --UserCustom1.
--UserCustom3 | Opt | See --UserCustom1.
--UserCustom4 | Opt | See --UserCustom1.
--UserCustom6 | Opt | See --UserCustom1.
--SortOrder | Opt | Sort results by UserName (default), FirstName, or LastName.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Legacy support:
ListUsers <UserName (* for wildcard)>,[EmailAddress (* for wildcard)],[GroupName (* for wildcard)],[UserInterface (All|CLI|WEB|API) default=All],[UserType (All,Basic,Admin,Auditor,UAdmin) default=All],[Status (All|Enabled|Disabled|Locked) default=All],[SecondaryAuthType (All|SafeWord|SecureID|LDAP|RADIUS|WINAD|DEFENDER|None) default=All],[Sort (UserName|FirstName|LastName) default=UserName],[MaxRows Default=25]
ManualPasswordReset --options
Reports whether resetting the password of a manually managed account succeeded or failed.
Table 142. ManualPasswordReset options
Option name | Req/Opt | Description
--PasswordID | Req | Password ID returned from the ForceResetManual command.
--Status | Req | Whether the password change/sync worked or not. Success/Fail.
ProfileCertificate --options
Allows an Administrator or PPM ISA to download the password profile notification certificate assigned to a managed system. The certificate type must be either user supplied or created by TPAM. No certificate is stored for a thumbprint-only type, so there is nothing to download. This command cannot change the certificate type stored with the system.
When the Certificate Type is Created by TPAM, this command can also be used to regenerate the certificate with an optional password.
It can also be used to download the TPAM Root Certificate.
Table 143. ProfileCertificate options
Option name | Req/Opt | Description
--SystemName | Opt* | Name of the managed system whose certificate is to be retrieved or regenerated. The system must already be set to use either a TPAM-generated or user-supplied certificate for profile notification.
--RootCert | Opt* | No value. Download the TPAM root certificate. Must also specify the Retrieve option. Cannot be used with the SystemName, Password or Regenerate options.
--Retrieve | Opt* | No value. Must indicate either Retrieve and/or Regenerate; if both are specified the newly regenerated certificate is retrieved. Retrieves the certificate assigned to the system. The certificate is output hex-encoded and must be transformed using xxd or an equivalent utility. The transformed file will be in the same form it was stored, i.e. a p12 binary certificate or a CER-encoded text file.
--Regenerate | Opt* | No value. Must indicate either Retrieve and/or Regenerate; if both are specified the newly regenerated certificate is retrieved. Regenerates a TPAM-supplied certificate used to call the Notifier service. The regenerated certificate and thumbprint will be stored for the system. A user-supplied certificate can only be retrieved, not regenerated. NOTE: Regenerating the certificate will immediately void the previous certificate. The system will not be able to use the Notifier service until the new certificate is installed.
--Password | Opt* | Optional password for a TPAM-generated certificate. The password will be required to install the certificate on the target system. Maximum of 30 characters. NOTE: The password is not stored by TPAM. If you lose or forget the password there is no way to recreate or retrieve it; a new certificate must be generated.
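The --Retrieve output is plain hex, so it has to be decoded before it can be installed on the target system. The following is an added example and not part of the TPAM guide or product: it performs the same transformation as xxd -r -p and tells a binary p12 bundle (which begins with a DER SEQUENCE byte) apart from a CER text file (which begins with a PEM header) so the file gets the right extension. Function names and the sample hex are this example's own constructions; the sample is not a real certificate.

```python
# Added example, not part of the TPAM guide or product: reverse the hex
# encoding of "ProfileCertificate --SystemName <system> --Retrieve" output the
# way "xxd -r -p" would, and tell a binary p12 bundle from a CER text file.
# All sample data below is constructed for the example and is not a real
# certificate.
import re
from pathlib import Path

PEM_MARKER = b"-----BEGIN"
DER_SEQUENCE = 0x30  # first byte of any DER-encoded structure, PKCS#12 included


def decode_profile_certificate(hex_output: str) -> tuple:
    """Decode plain hex text to bytes and classify the stored file.

    Returns ("cer", data) for a text (CER/PEM style) certificate and
    ("p12", data) for a binary PKCS#12 bundle. Raises ValueError when the
    output is not plain hex or does not look like either form.
    """
    cleaned = re.sub(r"\s+", "", hex_output)  # xxd -r -p also ignores whitespace
    if not cleaned:
        raise ValueError("no certificate data in output")
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("output is not plain hex")
    data = bytes.fromhex(cleaned)
    if data.startswith(PEM_MARKER):
        return "cer", data
    if data[0] == DER_SEQUENCE:
        return "p12", data
    raise ValueError("decoded data is neither a PEM text block nor a DER/PKCS#12 bundle")


def save_profile_certificate(system_name: str, hex_output: str, directory: str = ".") -> str:
    """Write the decoded certificate to <system_name>.cer or .p12 and return the path."""
    kind, data = decode_profile_certificate(hex_output)
    path = Path(directory) / f"{system_name}.{kind}"
    path.write_bytes(data)
    return str(path)


# Constructed sample: a PEM-style text certificate as it would arrive, hex-encoded.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ0VSVA==\n"
              b"-----END CERTIFICATE-----\n")
SAMPLE_HEX_OUTPUT = SAMPLE_PEM.hex()

if __name__ == "__main__":
    kind, data = decode_profile_certificate(SAMPLE_HEX_OUTPUT)
    print(kind, len(data), "bytes")
```

Because the file comes back in exactly the form it was stored, the classification is only a convenience for naming; the bytes are written unchanged, which is what an installer on the target system expects.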
ReportActivity --options
Runs the activity report from the CLI.
Table 144. ReportActivity options
Option name | Req/Opt | Description
--StartDate | Opt | Start date of activities. Must be a valid date/time in the form MM/DD/YYYY HH:MM. The time portion is optional; if included it must be in 24-hour format with a space between date and time.
--EndDate | Opt | End date of activities. Must be a valid date/time in the form MM/DD/YYYY HH:MM. The time portion is optional; if included it must be in 24-hour format with a space between date and time. To select a single date, enter the same start and end date. If no dates are provided, the report covers all dates in the activity log.
--UserName | Opt | User name to filter for. Use * for wildcard.
--Role | Opt | ISA, REQ, or APR. If no role is passed, all roles are returned.
--GroupName | Opt | Filter for user membership in a group. Use * for wildcard.
--Operation | Opt | Single operation to filter. ALL is the default.
--Target | Opt | Target text to filter. Use * for wildcard.
--ObjectType | Opt | Object type to filter. Default is ALL.
--Sort | Opt | Sort options are LogTime (default), UserName, ObjectType, or Operation.
--Direction | Opt | Sort direction. ASC (default) or DESC.
--MaxRows | Opt | Maximum number of rows to return. The default is 25.
Retrieve --options
Provides a mechanism to retrieve a password for a managed system/account. The CLI user ID must be authorized to retrieve the password, either by having ISA permissions for the account or by having an approved request ID. If the caller is a requestor, the --RequestID parameter must be used. The optional requirement for dual control does not apply to CLI releases. The comment is not required.
Table 145. Retrieve options
Option name | Req/Opt | Description
--SystemName | Req* | System name. If the caller only has request permissions, the RequestID parameter must be used instead of the system and account name.
--AccountName | Req* | Account name. If the caller only has request permissions, the RequestID parameter must be used instead of the system and account name.
--RequestID | Req* | The RequestID must be an approved password release request and the caller must be the requestor. If the caller has ISA permissions, the system and account name must be supplied instead of the RequestID.
--ReasonCode | Opt* | Reason code for retrieving the password. Based on global settings, a reason code may be required, optional, or not allowed.
--ReasonText | Opt* | ISA reason for retrieving the password. Based on global settings, reason text may be required, optional, or not allowed.
--TicketNumber | Opt* | Ticket number to validate. Based on account settings, a ticket number may be required, optional, or not allowed. Parameter ignored when using RequestID.
--TicketSystemName | Opt* | Name of the ticket system to validate. Based on account settings, a ticket number may be required, optional, or not allowed. Parameter ignored when using RequestID.
--TimeRequired | Opt | Number of minutes for which to release the password. The default duration is set at the account level. Ignored when using RequestID.
Legacy support:
Retrieve <systemname>, <accountname>, <TimeRequired(in minutes)>,<comment>
SetAccessPolicy --options
Allows you to add or remove an access policy assignment to an account, collection, file, group, system, or user. Replaces the old CLI commands GrantPermission, SetPermission, SetEGPPermission, and RevokePermissions.
Table 146. SetAccessPolicy options
Option name | Req/Opt | Description
--AccessPolicyName | Req | Name of the access policy to assign.
--Action | Req | Add or Drop.
--AccountName | Opt | Account affected by the assignment. If an account is specified then --SystemName must also be specified. The value must be empty if CollectionName is specified.
--CollectionName | Opt | Collection affected by the assignment. If this value is provided, then SystemName, AccountName and FileName must not be provided.
--FileName | Opt | File name affected by the assignment. SystemName must also be provided.
--GroupName | Opt | Group name affected by the assignment. Either UserName or GroupName must be specified, but not both. Global groups cannot have their permissions altered.
--SystemName | Opt | System name affected by the assignment, or the system name for the account or file provided.
--UserName | Opt | User name affected by the assignment. Either user or group must be specified, but not both. Auditor, cache, useradmin, and sysadmin users cannot be assigned permissions.
SSHKey --options
Retrieves or regenerates system-specific and PSM-specific keys. Can also retrieve system standard keys.
Table 147. SSHKey options
Option name | Req/Opt | Description
--KeyFormat | Opt | Format of the SSH key output: OpenSSH (default) or SecSSH.
--StandardKey | Req* | Name of the system standard key to export. You must pass either --StandardKey OR --SystemName / --AccountName.
--SystemName | Req* | Name of the managed system to retrieve or regenerate keys for. The system must have Use System Specific Key selected for connections. When retrieving the system’s key, do not pass a value for --AccountName.
--AccountName | Req* | The name of the managed account whose PSM-specific DSS key is to be retrieved. The PSM session authentication must have Use Specific Key selected. --SystemName must be included when specifying --AccountName.
--Regenerate | Opt | Y/N (default is N). Regenerate the system key or account key before retrieving. The system or PSM account must already be set to use a specific key before calling this. NOTE: A standard key cannot be regenerated. Regenerating a key immediately makes the old key unusable; the new key must be put in place before the system can be accessed again.
SyncPassForceReset --options
Forces the reset of a synchronized password, changing it in priority order. You must have administrator privileges.
Table 148. SyncPassForceReset options
Option name | Req/Opt | Description
--SyncPassName | Req | Name of the synchronized password to reset.
--NewPassword | Opt | Password to set as the new password.
TestSystem --options
Initiates a system test. The CLI user must have administrator privilege or the ISA permission over the system.
Table 149. TestSystem option
Option name | Req/Opt | Description
--SystemName | Req | Name of the system to test.
Legacy support:
TestSystem <SystemName>
UnlockUser --options
Unlocks a currently locked user account. The CLI user must have ISA, User Administrator or Administrator privilege.
Table 150. UnlockUser option
Option name | Req/Opt | Description
--UserName | Req | Name of the user to unlock. Cannot be a system administrator user ID.
Legacy support:
UnlockUser <UserName>
UpdateAccount --options
Modifies an existing account. The CLI user must have ISA or Administrator privilege. You can only update the password for an account that is not auto-managed.
Table 151. UpdateAccount options
Option name | Req/Opt | Description
--SystemName | Req | System Name. Maximum 30 characters.
--AccountName | Req | Account Name. Maximum 30 characters.
--AliasAccessOnlyFlag | Opt | This option is obsolete. Any value passed in using this option will be used for the --IgnoreSystemPoliciesFlag option.
--AllowISADurationFlag | Opt | Allow the ISA to specify a duration when retrieving a password. Y/N.
--AutoFlag | Opt | Account Password Management type. N = None, Y = Automatic, M = Manual.
--BlockAutoChangeFlag | Opt | THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--ChangeFrequency | Opt | THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--ChangeTime | Opt | THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Change Profile.
--CheckFlag | Opt | THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Check Profile.
--ChangeServiceFlag | Opt | Change the password for Windows® services started by this account. Y/N (Windows® platforms only).
--ChangeTaskFlag | Opt | Change the password for Windows® scheduled tasks started by this account. (Windows® platforms only)
--Custom[1-6] | Opt | Custom Account Columns, if defined. Use !NULL to clear the value.
--Description | Opt | Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName | Opt | For Windows® or BoKS platforms. Enter domainname\accountname.
--EnableBeforeReleaseFlag | Opt | Y/N. When set to Y, TPAM disables the account on the remote system until the password is released or a session that requires the password to authenticate is started. (Windows® platforms only)
--EscalationEmail | Opt | If a password post-release review is not completed within the number of hours in EscalationTime, send an email to this address. Use !NULL to clear the value.
--EscalationTime | Opt | Number of hours after which to send an escalation email if a password post-release review has not been completed. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag | Opt | Ignore System Policies Flag. Y/N. When set to Y, any System-level Access Policies are ignored and only Account-level policies are used for permissions.
--LockFlag | Opt | Account Lock Flag. Y/N. Passwords for locked accounts cannot be retrieved, released, or changed.
--MaxReleaseDuration | Opt | The maximum duration for a password request, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 1-30240 (21 days).
--MinimumApprovers | Opt | Minimum number of approvals required for a password release request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate | Opt | Schedule the account password to be changed at a specific date/time. Overrides the password change profile schedule. Password mismatch, post-release reset, and force resets will still be processed as they occur.
--OverrideAccountability | Opt | When the Global Setting to allow account-specific override is enabled, this flag can be turned on at the account level to allow simultaneous, overlapping password requests to be approved. When the Global Setting is not enabled this flag is ignored. Y/N.
--Password | Opt | Initial or new password for the account. The password cannot be changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile | Opt | A profile which controls when the account will have its password changed.
--PasswordCheckProfile | Opt | A profile which controls when the account will have its password checked.
--PasswordRule | Opt | Name of the Password Rule used to generate passwords for the account. The default rule for new accounts is set on the managed system. You may also specify “Default Password Rule” or another rule to override this.
--ReleaseNotifyEmail | Opt | Use !NULL to clear the value.
--ReleaseChangeFlag | Opt | Change the password after any ISA, CLI, or API release. Y/N.
--ReleaseDuration | Opt | The default duration for an ISA/CLI/API retrieval of a password, expressed in minutes. The value will be rounded to the nearest 15-minute increment. Valid values are 0-30240 (21 days). If 0 is entered, an ISA retrieval of the password will not trigger a post-release reset of the password. Ignored if ReleaseChangeFlag is N.
--RequireTicketForAPI | Opt | Require a valid Ticket System & Number for any API password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI | Opt | Require a valid Ticket System & Number for any CLI password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA | Opt | Require a valid Ticket System & Number for any ISA password retrieval on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM | Opt | Require a valid Ticket System & Number for any PSM request on this account. Y/N.
--RequireTicketForRequest | Opt | Require a valid Ticket System & Number for any password request on this account. Y/N.
--ResetFlag | Opt | THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE. The functionality of the option has been assumed by the Password Check Profile.
--RestartServiceFlag | Opt | Restart Windows® services started by this account following a password change. Y/N (Windows® only).
--ReviewCount | Opt | Number of post-release reviews required after a password release (0-n). If ReviewCount is zero, updates to ReviewerName and ReviewerType are ignored.
--ReviewerName | Opt | User Name or Group Name of the required reviewer. Only valid when ReviewerType is User or Group.
--ReviewerType | Opt | Type of reviewer. Valid values are: Any (default), Auditor, User, Group.
--SimulPrivAccReleases | Opt | Number of simultaneous Privileged Access Users who may retrieve the password (0-99).
--TicketSystemName | Opt | When RequireTicketForRequest is Y, this is the Ticket System that is required. Use a value of “!Any” to allow tickets from any valid ticket system.
--TicketEmailNotify | Opt | Email to notify if a password is retrieved via API, CLI, or ISA without a ticket number. Ignored when RequireTicketForRequest is N or a ticket is required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--UseSelfFlag | Opt | Use the account's current password to change the password. Y/N. If the functional account is flagged as “non-privileged” at the system level, this value is forced to Y.
UpdateCollection --options
Allows you to update the PSM Affinity assignment for a collection.
Table 152. UpdateCollection options
Option name | Req/Opt | Description
--CollectionName | Req | Collection name.
--Description | Opt | Collection description. Maximum of 50 characters.
--PSMDPAAffinity | Opt | List of all DPAs to use for PSM Affinity, in the form DPAName1/priority;DPAName2/priority. Pass “Any” to reset the list and allow any DPA to be used. Priority must be > 0 to add a DPA. A priority of 0 removes the DPA from the list.
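The --PSMDPAAffinity value carries three different instructions in one string (reset, add or re-prioritise, remove), which is easy to get wrong when the value is built by a script. The following is an added example and not TPAM code: it parses the value and applies it to a collection's current affinity list using exactly the rules in the option table. Function names and the DPA names are this example's own constructions.

```python
# Added example, not TPAM code: parse the --PSMDPAAffinity value of
# UpdateCollection and apply it to a collection's current DPA affinity list
# following the rules in the option table: "Any" resets the list, a priority
# greater than 0 adds (or re-prioritises) a DPA, and a priority of 0 removes it.
# Function names and sample DPA names are this example's own.
from typing import Dict


def parse_affinity_entries(value: str) -> Dict[str, int]:
    """Parse "DPAName1/priority;DPAName2/priority" into {name: priority}."""
    entries: Dict[str, int] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        name, sep, priority = item.rpartition("/")
        # isdigit() rejects negative and non-numeric priorities outright
        if not sep or not name or not priority.isdigit():
            raise ValueError(f"bad affinity entry {item!r}: expected DPAName/priority")
        entries[name] = int(priority)
    if not entries:
        raise ValueError("no affinity entries given")
    return entries


def apply_affinity(current: Dict[str, int], value: str) -> Dict[str, int]:
    """Return the affinity list after applying one --PSMDPAAffinity value.

    An empty result means "any DPA may be used", which is what "Any" yields.
    """
    if value.strip().lower() == "any":
        return {}
    updated = dict(current)
    for name, priority in parse_affinity_entries(value).items():
        if priority > 0:
            updated[name] = priority      # add the DPA or change its priority
        else:
            updated.pop(name, None)       # priority 0 removes the DPA
    return updated


if __name__ == "__main__":
    # Constructed sample: an empty collection, then two successive updates.
    affinity = apply_affinity({}, "dpa-east/1;dpa-west/2")
    affinity = apply_affinity(affinity, "dpa-west/0")
    print(affinity)  # {'dpa-east': 1}
```

Keeping the current list and the update separate makes the effect of a removal visible before the command is sent, which matters because a DPA removed by mistake stops being eligible for sessions on the whole collection.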
UpdateDependentSystems --options
Allows you to update the dependent systems assigned to an account. You must have Administrator or PPM ISA privileges on the system.
Table 153. UpdateDependentSystems options
Option name | Req/Opt | Description
--SystemName | Req | System name.
--AccountName | Req | Account name.
--Assign | Opt | Semicolon-separated list of systems to assign as dependents. A dependent must be an auto-managed system with a platform of Windows® or SPCW, and cannot be the parent system named in the SystemName parameter. You may specify lists of systems to both assign and unassign in the same command.
--Unassign | Opt | Semicolon-separated list of systems to remove as dependents. You may specify lists of systems to both assign and unassign in the same command.
UpdateEGPAccount --options
Modifies the PSM details of an existing account. The CLI user must have PPM ISA and PSM ISA or Administrator privilege. Takes the same parameters as UpdatePSMAccount.
UpdateProfile --options
Updates a profile. The CLI user must have administrator privilege. When typing the command, --Type is a required parameter. Some of the parameters below apply only to check password profiles and some only to change password profiles.
Table 154. UpdateProfile options
Option name | Req/Opt | Description
--Type | Req | Profile type to add: --PasswordChange or --PasswordCheck.
--Name | Req | Name of the profile.
--NewName | Opt | New name for the existing profile. Omit if the profile name is not being changed.
--Description | Opt | Description of the profile. If the description contains spaces or non-alphanumeric characters it must be properly quoted. Use !NULL to delete the description of an existing profile.
--DefaultFlag | Opt | Y/N. Defaults to N. If Y, marks this as the default change profile. Only one change profile may be marked as the default; setting --DefaultFlag to Y sets DefaultFlag on all other change profiles to N.
--FrequencyOption | Req | Used in combination with --Frequency to set the check/change schedule for the profile:
  • N - scheduled checks/changes are disabled
  • D - scheduled checks/changes run X times per day
  • E - check/change passwords every X days
  • W - check/change passwords every week on specified weekdays
  • M - check/change passwords on a monthly schedule on specified day(s) of the month
--Frequency | Opt* | Interpreted according to the value passed in --FrequencyOption:
  • N - No frequency. Value ignored.
  • D - number between 1 and 48. Number of times per day to check/change the password.
  • E - number between 1 and 999. Number of days between scheduled password checks/changes.
  • W - 7-character string specifying the days of the week for scheduled password checks/changes. Use X for an “on” day and a period for an “off” day, representing the week from Sunday through Saturday. For example, .X.X.X. schedules checks/changes on Mondays, Wednesdays, and Fridays.
  • M - days of the month on which to schedule password checks/changes. Specific days may be entered separated by semicolons, using -1 to indicate the last day of the month. For example, 10;15;-1 schedules checks/changes on the 10th, 15th and last day of the month. Invalid days such as February 30th are skipped.
--AllowNotifyFlag | Opt | Y/N. Defaults to N. If Y, allows a system to notify TPAM that it is online and available for checks/changes. See How to call the notification service for more details.
--Times | Opt* | Required when --FrequencyOption is other than N. A semicolon-separated list of time ranges during which scheduled checks/changes are allowed. For example, 00:00-06:00;18:00-23:59.
--Timeout | Opt | Number of seconds a password check/change operation is allowed to run before timing out. If no value is entered, the timeout value from the managed system is used.
--ConsecFailCount | Opt | Numeric value greater than or equal to zero. Performs the accompanying action and/or notification after this number of consecutive failed attempts to check/change the password. Use zero (the default) to indicate no extra action or notification.
--ConsecFailAction | Opt* | When ConsecFailCount is greater than zero, this must be one of the following:
  • Nothing - perform no action
  • Disable - the account is ignored for any future checks/changes until an Administrator or ISA goes to the account details Management tab and clears the Check schedule disable check box.
  • Lock - locks the account in TPAM; no checks, password releases or password requests are permitted until it is unlocked.
  • Increase - increase the retry interval
--FailNotifyOwnerFlag | Opt | Y/N. Default is N. If Y, after the consecutive failure limit is reached an email is sent to the account owner.
--MismatchAction | Opt | Determines how TPAM handles a detected password mismatch. Options are:
  • Nothing
  • Reset - schedule the account for an immediate password change
  • Disable - the account is ignored for any future checks until an Administrator or ISA goes to the account details Management tab and clears the Check schedule disable check box.
  • Lock - locks the account in TPAM; no password releases or password requests are permitted until it is unlocked.
--MismatchNotifyOwnerFlag | Opt | Y/N, default is N. If Y, notifies the account owner when a password mismatch is detected.
--RetryIncrease | Opt* | When --ConsecFailAction is Increase, each time the consecutive failure count is reached this number of minutes is added to the retry interval for the next check.
--RetryMax | Opt* | The maximum retry time. Must be greater than the automation engine’s Check Retry Interval.
--BlockAccountAutoChangeFlag | Opt | Y/N. Default is N. If Y, scheduled checks/changes are blocked while the account is in use by a PSM session or password release request.
--TestPortFlag | Opt | Y/N. Default is N. If Y, the password check/change process checks that the required port on the target system is available before attempting to check/change the password.
--TestPortTimeout | Opt | Required when --TestPortFlag is set to Y. Values 1-999, default is 5. Number of seconds before the pre-change port test times out.
--PreChangeEmailSchedule | Opt | A semicolon-separated list of the numbers of days prior to a scheduled change at which email reminders of the upcoming event are sent. Ignored unless --FrequencyOption is M (monthly) or E (every X days, where X is greater than 2). Use !NULL to clear the schedule (you must also use !NULL to clear the PreChangeEmailAddress at the same time). Example: 14;7;1 sends emails 14, 7, and 1 day prior to scheduled changes.
--PreChangeEmailAddress | Opt | A semicolon-separated list of email addresses or placeholders to notify prior to a scheduled change, per the --PreChangeEmailSchedule. Email addresses may be static ([email protected]) or any of the following placeholder values:
  • :Group=group1,group2...: List of TPAM group names. Email addresses of all users in the listed groups.
  • :User=user1,user2...: List of TPAM user names. Email addresses of all users in the list.
  • :RelNotify: Release Notification Email of the account
  • :System: Primary Contact Email of the system
  • :ISA: Email addresses of all users with PPM ISA permissions on the account
  • :Functional: Release Notification Email of the functional account for the system
--PostChangeEmailAddress | Opt | A semicolon-separated list of email addresses or placeholders to receive a Password Post-Change email after any scheduled, forced, or post-release change of a password. The email addresses may be static ([email protected]) or any of the placeholder values described above. Use !NULL to clear the value.
--NoPostRequestResetFlag | Opt | Y/N. Default is N. If Y, the password WILL NOT be scheduled for a post-release reset when released by a password request. Does not apply to ISA password retrievals or synchronized passwords.
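The --FrequencyOption, --Frequency and --Times values have enough structure that a mistake (a 6-character week mask, a day of 32, a missing --Times) is cheap to catch before the profile is updated and a check or change schedule silently stops. The following is an added example and not TPAM code: it validates one such triple against the value rules in the option table and expands a W mask into weekday names. Function names are this example's own, and one rule is my assumption rather than the guide's: a --Times range must end after it starts, so ranges are not allowed to wrap past midnight.

```python
# Added example, not TPAM code: check an UpdateProfile schedule
# (--FrequencyOption, --Frequency and --Times) against the value rules in the
# option table before the command is sent. Function names are this example's
# own. One assumption not stated by the guide: a --Times range must end after
# it starts (no wrap past midnight).
import re
from typing import List, Optional

WEEK_MASK_RE = re.compile(r"^[X.]{7}$")
TIME_RANGE_RE = re.compile(r"^(\d{2}):(\d{2})-(\d{2}):(\d{2})$")
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def _as_int(text: Optional[str]) -> Optional[int]:
    """Return the integer in text, or None when text is absent or not numeric."""
    try:
        return int(text.strip()) if text is not None else None
    except ValueError:
        return None


def validate_frequency(option: str, frequency: Optional[str]) -> List[str]:
    """Check --Frequency against the --FrequencyOption it is paired with."""
    option = option.strip().upper()
    problems: List[str] = []
    if option == "N":
        return problems  # the value is ignored for N
    if option in ("D", "E"):
        high = 48 if option == "D" else 999
        n = _as_int(frequency)
        if n is None or not 1 <= n <= high:
            problems.append(f"--Frequency must be a number between 1 and {high} for option {option}")
    elif option == "W":
        if frequency is None or not WEEK_MASK_RE.match(frequency):
            problems.append("--Frequency must be 7 characters of X or . (Sunday through Saturday) for option W")
        elif "X" not in frequency:
            problems.append("--Frequency selects no weekday")
    elif option == "M":
        # TPAM skips days that do not exist in a given month, so 1-31 is accepted here
        for day in (frequency or "").split(";"):
            n = _as_int(day)
            if n is None or not (n == -1 or 1 <= n <= 31):
                problems.append(f"day {day!r} is not 1-31 or -1 (last day of month)")
    else:
        problems.append(f"unknown --FrequencyOption {option!r}")
    return problems


def validate_times(option: str, times: Optional[str]) -> List[str]:
    """Check the --Times list, which is required whenever the option is not N."""
    if option.strip().upper() == "N":
        return []
    if not times:
        return ["--Times is required when --FrequencyOption is not N"]
    problems: List[str] = []
    for rng in times.split(";"):
        m = TIME_RANGE_RE.match(rng.strip())
        if not m:
            problems.append(f"time range {rng!r} is not in HH:MM-HH:MM form")
            continue
        h1, m1, h2, m2 = (int(g) for g in m.groups())
        if h1 > 23 or h2 > 23 or m1 > 59 or m2 > 59:
            problems.append(f"time range {rng!r} has an invalid hour or minute")
        elif h1 * 60 + m1 >= h2 * 60 + m2:
            problems.append(f"time range {rng!r} does not end after it starts")  # assumption, see above
    return problems


def validate_profile_schedule(option: str, frequency: Optional[str], times: Optional[str]) -> List[str]:
    """All problems found in one --FrequencyOption/--Frequency/--Times triple; empty means OK."""
    return validate_frequency(option, frequency) + validate_times(option, times)


def weekdays_from_mask(mask: str) -> List[str]:
    """Expand a W mask such as .X.X.X. into weekday names."""
    return [WEEKDAYS[i] for i, c in enumerate(mask) if c == "X"]


if __name__ == "__main__":
    print(validate_profile_schedule("W", ".X.X.X.", "00:00-06:00;18:00-23:59"))  # []
    print(weekdays_from_mask(".X.X.X."))  # ['Monday', 'Wednesday', 'Friday']
```

Running the validator on the guide's own examples (.X.X.X. and 10;15;-1 with 00:00-06:00;18:00-23:59) returns no problems; feeding it a --Frequency of 49 with option D, or omitting --Times with option E, returns the specific rule that was broken.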
UpdatePSMAccount --options
Replaces the UpdateEGPAccount command.
Table 155. UpdatePSMAccount options
Option name
Req/Opt
Description
--SystemName
Req
System Name. Maximum 30 characters.
--AccountName
Req
Account Name. Maximum 30 characters.
--ClipboardFlag
Opt
Whether to enable clipboard support to/from host to the session.
Y or N.
--CLIAccountName
Opt
The account name on the remote TPAM to retrieve. Use !NULL to
clear the value.
--CLIDomainName
Opt
The AD or Netbios name to use when starting the session. Use
!NULL to clear the value.
--CLISystemName
Opt
When a TPAMCLIUserName is specified, you may also include an
optional system and account name for retrieval on the remote
TPAM. The CLISystemName, CLIAccountName, and
CLIDomainName values are ignored if the TPAMCLIUserName is not
specified. Use !NULL to clear the value.
--ColorDepth
Opt
Color depth of the PSM session. Values of 8 or 16 for RDP proxy
type. Values of 0, 1, 2, and 3 for VNC proxy type.
--ConnectionProfile
Opt
Name of the optional custom connection profile to use for
sessions on this account. Connection profiles are tied to specific
proxy types. Use the value Standard to revert to default
connection information.
--ConsoleFlag
Opt
Y or N.
--DSSKey
Opt
The DSS key to use for session authentication when the
DSSKeyType is Upload. The key may be up to 4096 characters.
--DSSKeyName
Opt
Name of specific DSS Key.
--DSSKeyType
Opt
The source of the DSS key used for session authentication when
PasswordMethod is set to DSSKey. Valid values are:
• Standard - use any of the standard keys
• Specific - generate and use a specific DSS key for this account
--DefaultSessionDuration
Opt
Default value used for duration of a session request, in minutes.
The value will be rounded to the nearest 15 minute increment.
--DomainAccount
Opt
The Windows® domain account used to authenticate the session
when PasswordMethod is Windows domain account.
--EnableFlag
Opt
Indicates if this account may be requested for PSM sessions. Y or
N.
--EscalationEmail
Opt
If a session post-release review is not completed within the
number of hours in EscalationTime send an email to this address.
Use !NULL to clear the value.
--EscalationTime
Opt
Number of hours after which to send an escalation email if a
session post-release review has not been completed. Expressed in
hours. Use 0 (zero) to disable the notification.
--FileTransAuthMethod
Opt
Choices are:
• Same - use the same credentials as the session
• Prompt - ask for credentials at the time of transfer
When setting FileTransType, FileTransPath or
FileTransAuthMethod you must supply all three at the same time
even when the other values are not being changed. When
FileTransType is being disabled you may omit the other values.
--FileTransDownFlag
Opt
Whether to allow the transfer of files from the session to the
host. Y or N.
--FileTransPath
Opt
A directory path on the target machine where the transferred file
will be placed. Directory syntax is platform specific. When setting
FileTransType, FileTransPath or FileTransAuthMethod you must
supply all three at the same time even when the other values are
not being changed. When FileTransType is being disabled you may
omit the other values.
--FileTransType
Opt
The file transfer method. Values are platform specific. Values are
as follows:
• DIS - file transfer disabled (default)
• WFC - Windows® file copy
• SCP - secure copy
• FTP - file transfer protocol
• ECP - SCP using the PSM functional account
When setting FileTransType, FileTransPath or
FileTransAuthMethod you must supply all three at the same time
even when the other values are not being changed. When
FileTransType is being disabled you may omit the other values.
--FileTransUp
Opt
Whether to allow the transfer of files from the host to the
session. Y or N.
--MaxSessionCount
Opt
The maximum number of simultaneous sessions that may be
running for this account. For proxy types that display a password
this value is set to 1 and cannot be changed.
--MinApprovers
Opt
Minimum number of approvals required for a session request. 0
(zero) indicates that all session requests are auto-approved. If the
proxy type requires the display of a password, this value is
overridden by the PPM release minimum approval value.
--NotifyFrequency
Opt
If NotifyThreshold is greater than zero this is the frequency at
which PSM expired session emails will be sent.
--NotifyThreshold
Opt
If greater than zero this indicates the number of minutes after the
expiration of the session request when TPAM should send
notification emails of a still active session. The email notification
will continue until the session is terminated.
--PARCLIUserName or --TPAMCLIUserName
Opt
The CLI user on another TPAM appliance used to retrieve the
password when the PasswordMethod is Remote TPAM CLI. The CLI
user must already be defined on this appliance and is in the form
of TPAMName/CLIUserName.
--PasswordMethod
Opt
Method PSM uses to authenticate sessions to the account. The
option values must be surrounded by quotes because of spaces.
Valid values are:
• “Local TPAM” - use the local TPAM appliance for the password. (default)
• “Remote TPAM CLI” - use another TPAM appliance for the password. TPAMCLIUserName must be supplied.
• “DSS Key” - use a DSS Key.
• “Not Stored” - the user will be prompted for the password when starting the session.
• “Windows Domain Account” - use the account in DomainAccount for the password.
--PostSessionProfile
Opt
Name of post session profile to control activities that take place
after the session expires. Use the value Standard to revert to
default processing.
--ProxyType
Opt*
Type of proxy connection used for the session. Values are platform
dependent. Proxy type is required when changing the EnableFlag
on accounts. Use the entire text as seen on the PSM Details tab in
the TPAM interface.
--RecordingRequiredFlag
Opt
Whether to require all sessions are recorded. Y or N.
--ReviewCount
Opt
Number of post-release reviews required after a session expires.
--ReviewerName
Opt
User name or group name of required reviewer.
--ReviewerType
Opt*
Type of reviewer. This value is required when ReviewCount is >0.
Valid values are:
• Any (default)
• Auditor
• User
• Group
--SessionStartNotifyEmail
Opt
If populated, an email will be sent any time a session is started on
this account. Use !NULL to clear the value.
UpdateSyncPass--options
Allows you to update a synchronized password.
Table 156. UpdateSyncPass options
Option name
Req/Opt
Description
--SyncPassName
Req
Name of synchronized password. You must have administrator
privileges.
--AccountLevelCheckProfile
Opt
Y/N. Default is N. If Y, then the Synchronized Password does not have
Password Check Profile and the password checks are based on the
password check profile assigned to each member account.
--ChangeFrequency
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.
--ChangeTime
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.
--CheckFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password Check
Profile.
--DisableFlag
Opt
Disable synchronizing subscribed accounts. Y/N
--Description
Opt
Use !NULL to clear the value. Maximum of 255 characters.
--NextChangeDate
Opt
Schedule an account password to be changed at a specific date/time.
Overrides password change profile schedule. Password mismatch, post
release reset, and force resets will still be processed as they occur.
--Password
Opt
Initial or new password for the account. The password cannot be
changed for auto-managed accounts. Max of 128 characters.
--PasswordChangeProfile
Opt
A profile which controls when the account will have its password
changed.
--PasswordCheckProfile
Opt*
A profile which controls when the account will have its password
checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule
Opt
Name of the Password Rule used to generate passwords for the account.
The default rule for new accounts is set on the managed system. You
may also specify Default Password Rule or another rule to override this.
--ReleaseNotifyEmail
Opt
Use !NULL to clear the value. This email address receives an email
when the password is released.
--ReleaseChangeFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.
--ReleaseDuration
Opt
The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15
minute increment. Valid values are 0-30240 (21 days). If 0 is entered the
ISA retrieval of a password will not trigger a post release reset of the
password. This value is ignored if ReleaseChangeFlag is N.
--ResetFlag
Opt
Reset the password if a regular check finds a mismatch. Y/N. This value
is ignored if CheckFlag is N.
UpdateSystem--options
Modifies an existing system. The CLI user must have ISA or Administrator privilege.
Table 157. UpdateSystem options
Option name
Req/Opt
Description
--SystemName
Req
System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--NewSystemName
Opt
New name to apply to system.
--AllowFuncReqFlag
Opt
Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag
Opt
Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP
Opt
Obsolete as of TPAM v2.5.909.
--AutoDiscoveryExcludeList
Opt
List of account names (up to 1,000 characters) separated by semicolons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.
--AutoDiscoveryProfile
Opt
Name of auto-discovery profile which will be used to discover
new/deleted accounts on this system. Use !NULL to clear the value or
override the template’s value. Auto-discovery is only valid for
Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout
Opt
Timeout (in seconds) when discovering accounts on this system.
Default is 300. If the discovery process times out it will continue to
discover accounts at the next scheduled run. Use 0 (zero) to set the
default.
--BoksServerOS
Opt
The OS Name (platform) for a Boks server.
--ChangeFrequency
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--ChangeTime
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--Custom[1-6]
Opt
Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Check Profile.
--Description
Opt
Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount
Opt
The domain account to be used as the functional account. Must be in
the form SystemName\AccountName and the account must already be
defined in TPAM. When specified the FunctionalAccount and
FuncAcctCred are ignored.
--DomainName
Opt*
The domain name for Windows®. *Required for Windows AD systems.
--EGPOnlyFlag
Opt
Setting this value to Yes will disable *ALL* PPM functionality on this
system and all its accounts and will delete any existing password
history or secure stored files. Y/N.
--EnablePassword
Opt
Password to use for the “ENABLE” account (Cisco platforms only) or
“Expert” account (CheckPoint SP platform only).
--EscalationEmail
Opt
If a password post-release review is not completed within the number
of hours in EscalationTime send an email to this address. Use !NULL
to clear the value.
--EscalationTime
Opt
Number of hours after which to send an escalation email if a password
post-release review has not been completed. Expressed in hours. Use 0 (zero)
to disable the notification.
--FuncAcctCred
Opt
Password for the account indicated in the FunctionalAccount option.
Supply the password itself, or DSS to have the system use the system
standard keys for the functional account credentials, or SPECIFIC to use a
system specific key.
--FuncAcctDN
Opt*
The distinguished name of the functional account. Required for Novell
NDS, LDAP or LDAPS systems. Ignored for all others.
--FunctionalAccount
Opt
Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef
Opt
Mainframe and Cisco telnet attribute.
--MaxReleaseDuration
Opt
The maximum duration for a password request, expressed in minutes.
The value will be rounded to the nearest 15-minute increment. Valid
values are 1-30240 (21 days).
--NetBiosName
Opt
Required for Windows® AD or SPCW (DC) platforms.
--NetworkAddress
Opt
Network address of the system. May be an IPv4 address or a fully
qualified domain name.
--NonPrivFuncFlag
Opt
Y/N. Default is N. Set to Y when the functional account is not
authorized to change passwords.
--OracleSIDSN
Opt
Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle® system.
--OracleType
Opt
May be either SID or SN. Only accepted for Oracle® platform.
--PasswordChangeProfile
Opt
A profile which controls when the account will have its password
changed.
--PasswordCheckProfile
Opt*
A profile which controls when the account will have its password
checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule
Opt
The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new
Systems. Must use the text “Default Password Rule” to change existing
systems.
--PlatformName
Opt
Any recognized platform name. Note that certain platforms, once set,
cannot be changed. For custom platform names the platform name is
indicated by “Custom” or “Custom Platform” followed by a forward
slash (/) and the custom platform name.
--PlatSpecificValue
Opt
A platform specific value, e.g., Linux® Delegation prefix or Windows®
Computer Name. Not all platforms support this value.
--PortNumber
Opt
Port number used for SSH communication with the system. Default
values are platform specific.
--PPMDPAAffinity
Opt
List of DPAs to use for PPM affinity in the form
DPAName1/priority;DPAName2/priority. Use Local to reset the list
and only use the appliance for password checks/changes. Use a
priority of 0 (zero) to remove a DPA from the list. PPM affinity cannot
be set when adding a system from a template, but after the system is
created the affinity may be changed.
--PSMDPAAffinity
Opt
List of DPAs to use for PSM affinity in the form
DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to
be used. Priority must be a number greater than zero. Use a priority of
0 (zero) to remove a DPA from the list. PSM affinity cannot be set when
adding a system from a template, but after the system is created the
affinity may be changed.
--PrimaryEmail
Opt
Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ProfileCertType
Opt
One of the following values:
• N - no thumbprint or certificate. Default
• T - Thumbprint only. The SHA1 thumbprint of the certificate used by the system to notify TPAM of availability for check and change operations.
• G - Generated. TPAM will generate a certificate and record the thumbprint. This certificate must be installed on the system in order to call the TPAM notifier service.
--ProfileCertThumbprint
Opt
Thumbprint of certificate. Only used if ProfileCertType is T.
--ReleaseChangeFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Release Duration Value.
--ReleaseDuration
Opt
The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15-minute increment. Valid values are 0-30240 (21 days). If 0 is entered
the ISA retrieval of a password will not trigger a post release reset of
the password.
--RequireTicketForAPI
Opt
Require a valid Ticket System & Number for any API password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI
Opt
Require a valid Ticket System & Number for any CLI password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA
Opt
Require a valid Ticket System & Number for any ISA password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest
Opt
Require a valid Ticket System & Number for any password request on
this account. Y/N
--RequireTicketForPSM
Opt
Require a valid Ticket System & Number for any PSM request on this
account. Y/N.
--ResetFlag
Opt
THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--SSHAccount
Opt
The account name to use when communicating with this system via
SSH. This is required when the UseSshFlag is set to Y.
--SSHKey
Opt
Either “Standard” to use the appliance's system standard keys or
“Specific” to generate a specific key for this system. “Standard” is the
default.
--SSHPort
Opt
The port number for SSH communication. If not specified a default of
22 is used.
--SystemAutoFlag
Opt
Whether or not to enable automatic password management for
accounts on this system. Y/N. If set to N the account auto flags may
only be N (none) or M (Manual).
--TicketEmailNotify
Opt
Email to notify if a password is retrieved via API, CLI, or ISA without a
ticket number. Ignored when RequireTicketForRequest is N or ticket is
required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName
Opt
When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid ticket
system.
--Timeout
Opt
The number of seconds TPAM will attempt to communicate with the
system for password checks and changes before issuing a “timed out”
error. Default is 20 seconds.
--UseSslFlag
Opt
Whether or not to use SSL to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh
Flags are mutually exclusive. You may only set one or the other, not
both.
--UseSshFlag
Opt
Whether or not to use SSH to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh
Flags are mutually exclusive. You may only set one or the other, not
both.
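The PPMDPAAffinity and PSMDPAAffinity values above share one format (DPAName/priority entries joined by semi-colons, priority 0 removing a DPA, and the keyword Local or Any clearing the list). The C++ below is an added example, not code from TPAM or this guide, that validates such a value and applies it to a current affinity list before the option is sent; representing the list as a name-to-priority map is an assumption of the example.

```cpp
#include <map>
#include <optional>
#include <sstream>
#include <string>

// Effective DPA affinity for one system: DPA name -> priority (> 0).
// (Representation is an assumption of this example, not TPAM's own.)
using Affinity = std::map<std::string, int>;

// Apply a --PPMDPAAffinity or --PSMDPAAffinity value to the current list.
// resetWord is "Local" for PPM and "Any" for PSM; either one clears the list.
// Otherwise the value is DPAName/priority entries joined by ';', where a
// priority of 0 removes the DPA. Returns std::nullopt for a malformed value.
std::optional<Affinity> applyAffinityUpdate(Affinity current,
                                            const std::string& value,
                                            const std::string& resetWord) {
    if (value == resetWord) return Affinity{};
    std::stringstream ss(value);
    std::string entry;
    bool sawEntry = false;
    while (std::getline(ss, entry, ';')) {
        const auto slash = entry.find('/');
        if (slash == std::string::npos || slash == 0 || slash + 1 == entry.size())
            return std::nullopt;                        // need both name and priority
        const std::string name = entry.substr(0, slash);
        const std::string prio = entry.substr(slash + 1);
        if (prio.size() > 9) return std::nullopt;       // keep stoi within int range
        for (char c : prio)
            if (c < '0' || c > '9') return std::nullopt; // priority must be numeric
        const int priority = std::stoi(prio);
        if (priority == 0) current.erase(name);         // 0 drops the DPA
        else current[name] = priority;
        sawEntry = true;
    }
    if (!sawEntry) return std::nullopt;                 // empty value
    return current;
}
```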
UpdateUser--options
Modifies an existing user account. The CLI user must have user administrator or administrator privilege.
Table 158. UpdateUser options
Option name
Req/Opt
Description
--UserName
Opt
User Name. Maximum 30 characters.
--LastName
Opt
Maximum of 30 characters.
--FirstName
Req
Maximum of 30 characters.
--Email
Opt
Maximum of 255 characters. Use !NULL to clear.
--Phone
Opt
Maximum of 30 characters. Use !NULL to clear.
--Mobile
Opt
Maximum of 30 characters. Use !NULL to clear. Also recognizes the
value --pager for legacy support.
--UserType
Opt
Basic (default), Admin, Auditor, or UserAdmin
--Disable
Opt
Whether the user's ID is currently disabled. Y/N. Disabled users cannot
log in to the appliance.
--ExternalAuth
Opt
Obsolete, replaced with SecondaryAuth
--SecondaryAuth
Opt
Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
LDAP.
--ExternalAuthSystem
Opt
Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem
Opt
Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID
Opt
Obsolete, replaced with SecondaryUserID
--SecondaryUserID
Opt*
User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra
Opt
The LDAP Primary Authentication Types support an “Extra” UserID. The
User logs in using a shorthand value in the PrimaryAuthID, but the data
in the PrimaryAuthExtra will be used to do the actual authentication
against the external system. Use !NULL to clear.
--PrimaryAuthID
Opt*
The User ID to use for primary authentication when a non-local
authentication system is used.
--PrimaryAuthType
Opt
The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem
Opt*
Name of the defined system to use when the PrimaryAuthType is not
local. Systems are defined by the appliance System Administrator.
--CertThumbprint
Opt
The SHA1 or SHA256 thumbprint of the user’s certificate. SHA1
thumbprints must be 64 characters. Both should consist of only
numbers and the letters A-F. This value is ignored unless the
PrimaryAuthType is Certificate.
--Description
Opt
Maximum of 255 characters. Use !NULL to clear.
--DfltConnectOptions
Opt
Semi-colon separated list of name=value pairs of default PSM
connection options when a user starts a PSM session. In the /tpam
interface go to Batch Processing/Import UserIDs for a list of names and
values. Use !NULL to clear the value when updating.
--LogonHoursFlag
Opt
Indicates whether the LogonHours value represents allowed or
prohibited hours. Valid values are A, P, or N (no restrictions).
--LogonHours
Opt
A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all
indicating 07:00 AM). Separate multiple ranges with semi-colons,
07:00-12:00;18:00-23:59 (7AM-12AM and 6PM-11:59PM). If the
LogonHoursFlag value is N this value is ignored.
--LogonDays
Opt
When Logon Hours are specified you may also specify the days of the
week those hours are effective. Specify days with a string of 7 X's (to
indicate an “on” day) or periods (for an “off” day) to represent the
week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun
and Sat off. If LogonHours are specified and LogonDays is left empty
the default is all days “on”, e.g., XXXXXXX.
--MobileAllowedFlag
Opt
Whether to allow this user to log in to the system from a mobile device
(Blackberry, iPhone, etc.). Y/N.
--LocalTimezone
Opt
The user's local time zone. You may enter any part of the time zone
name as long as it is unique in the list, e.g., entering Guam will only
find one time zone while entering 02:00 or US will find multiple
entries. A value of “Server” indicates that the user is in the same time
zone as the server and follows the same DST rules.
--DstFlag
Opt
Obsolete. Users will now automatically adjust DST per the local time
zone which they are assigned.
--Custom1
Opt
Custom user columns, if defined. Use !NULL to clear the value when
updating.
--Custom2
Opt
see --Custom1
--Custom3
Opt
see --Custom1
--Custom4
Opt
see --Custom1
--Custom5
Opt
see --Custom1
--Custom6
Opt
see --Custom1
Legacy support:
UpdateUser
<UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Mobile],[UserType
(Basic|Admin|Auditor|UserAdmin)],[DisableFl(Y|N)],[SecAuthType(NONE,SAFEWORD,SECURE
ID,LDAP,RADIUS,DEFENDER WINAD)],[SecAuthUserID],[Description]
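The LogonHours, LogonHoursFlag and LogonDays rules above are easy to get wrong in scripts that build UpdateUser calls. The C++ below is an added example (not TPAM code) that normalizes the five accepted time spellings, enforces the four-range and seven-character limits, and tests whether a weekday and minute fall inside the resulting window; treating a day marked "." as outside the window, with LogonHoursFlag applied by the caller, is an assumption of the example.

```cpp
#include <cctype>
#include <cstdio>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Minutes past midnight for one time token in any spelling the guide accepts
// (7, 07, 700, 0700, 07:00); std::nullopt for anything else.
std::optional<int> parseLogonTime(const std::string& tok) {
    std::string h, m = "00";
    const auto colon = tok.find(':');
    if (colon != std::string::npos) {                // 07:00
        h = tok.substr(0, colon);
        m = tok.substr(colon + 1);
        if (h.empty() || h.size() > 2 || m.size() != 2) return std::nullopt;
    } else if (tok.size() == 1 || tok.size() == 2) { // 7 or 07
        h = tok;
    } else if (tok.size() == 3 || tok.size() == 4) { // 700 or 0700
        h = tok.substr(0, tok.size() - 2);
        m = tok.substr(tok.size() - 2);
    } else {
        return std::nullopt;
    }
    for (char c : h + m)
        if (!std::isdigit(static_cast<unsigned char>(c))) return std::nullopt;
    const int hour = std::stoi(h), minute = std::stoi(m);
    if (hour > 23 || minute > 59) return std::nullopt;
    return hour * 60 + minute;
}

struct LogonRange { int start; int end; };   // inclusive, minutes past midnight

// Validate a --LogonHours value: one to four "start-end" ranges joined by ';'.
std::optional<std::vector<LogonRange>> parseLogonHours(const std::string& value) {
    std::vector<LogonRange> ranges;
    std::stringstream ss(value);
    std::string piece;
    while (std::getline(ss, piece, ';')) {
        const auto dash = piece.find('-');
        if (dash == std::string::npos) return std::nullopt;
        const auto s = parseLogonTime(piece.substr(0, dash));
        const auto e = parseLogonTime(piece.substr(dash + 1));
        if (!s || !e) return std::nullopt;
        ranges.push_back({*s, *e});
    }
    if (ranges.empty() || ranges.size() > 4) return std::nullopt;
    return ranges;
}

// Rewrite a parsed --LogonHours value in the unambiguous HH:MM-HH:MM form.
std::string canonicalLogonHours(const std::vector<LogonRange>& ranges) {
    std::string out;
    for (const auto& r : ranges) {
        char buf[12];
        std::snprintf(buf, sizeof buf, "%02d:%02d-%02d:%02d",
                      r.start / 60, r.start % 60, r.end / 60, r.end % 60);
        if (!out.empty()) out += ';';
        out += buf;
    }
    return out;
}

// Validate a --LogonDays mask: seven 'X' (on) or '.' (off) characters for
// Sunday..Saturday. An empty mask means every day on (XXXXXXX), as the guide says.
std::optional<std::string> normalizeLogonDays(const std::string& mask) {
    if (mask.empty()) return std::string("XXXXXXX");
    if (mask.size() != 7) return std::nullopt;
    for (char c : mask)
        if (c != 'X' && c != '.') return std::nullopt;
    return mask;
}

// Does a logon at the given weekday (0 = Sunday) and minute fall inside the
// window? Assumption: days marked '.' are outside the window entirely; the
// caller then applies LogonHoursFlag (A = window is allowed, P = prohibited).
bool insideLogonWindow(const std::vector<LogonRange>& ranges,
                       const std::string& days, int weekday, int minute) {
    if (weekday < 0 || weekday > 6 || days.size() != 7 || days[weekday] != 'X')
        return false;
    for (const auto& r : ranges)
        if (minute >= r.start && minute <= r.end) return true;
    return false;
}
```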
UserLinkedAccounts--options
Add or remove linked accounts for a user.
Table 159. UserLinkedAccounts options
Option name
Req/Opt
Description
--UserName
Req
User name to add/drop linked accounts. User must be a web enabled
administrator or basic user type.
--AccountList
Req
One or more accounts in a semi-colon separated list. Precede each entry
with a + to add or a - to remove the linked account for the user. Enter
accounts as AccountName@SystemName or SystemName\AccountName.
Pass !NULL to remove all linked accounts for this user.
UserSSHKey--options
Regenerate or retrieve a key for yourself or others. Must be an Administrator.
IMPORTANT: If regenerating your own key make sure not to overwrite the old key file before the command
has completed.
IMPORTANT: Regenerating a user’s key will immediately make their old key invalid. The user will have to
put this new key in place before being able to access TPAM again.
Table 160. UserSSHKey options
Option name
Req/Opt
Description
--UserName
Opt
User name to retrieve. If no user name is supplied your own user name will
be used. If retrieving or regenerating a key for a user other than yourself
the user must be key based with no TPAM web access.
--KeyType
Opt
The DSS key to retrieve. Must be CLI or API. The default is the key type of
the calling interface.
--PassPhrase
Opt
Only allowed when regenerating a CLI key. Passphrase must be at least 5
characters long and may be up to 128 characters and contain anything
except double quote characters (").
--Regenerate
Opt
Regenerate the key before retrieving. Users without web access must
retrieve and regenerate their own keys. Y/N. Default is N.
43
Application Programming Interface (API)
• Introduction
• C++ library
• .NET library
• PERL library
• Java® library
• C++ examples
• .NET examples (C#)
Introduction
The TPAM Application Programming Interface (API) allows client applications, via an SSH (Secure Shell)
connection to the TPAM appliance, to perform many of the operations provided in the TPAM User Interface.
The operations supported by the TPAM API are identical to the operations provided by the TPAM Command Line
Interface (CLI). See CLI Commands for details on the TPAM CLI.
The TPAM API is available in several programming languages to allow customers to use their choice of
programming languages when working with the API. Details for using the API in each programming language are
provided in later sections of this document.
As mentioned above, the operations are invoked on the TPAM appliance via an SSH connection. An identity file
key created by TPAM and a user ID with API key based authentication selected are required for the API to be
able to establish the SSH connection. The necessary SSH client software is included with the TPAM API library,
except for non-Windows® installations of the Perl version of the TPAM API. In this case, the client machine must
have SSH software installed and available in the directory path.
C++ library
The TPAM API C++ library is provided as a static library. It is distributed with several other libraries that are
required by the TPAM API C++ library.
The main class of the library is ApiClient. This class provides the SSH connection to TPAM and provides the
method used to execute the various operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the C++ library.
Most classes fall into the category of business objects, commands, results, or exceptions.
See C++ examples for examples of using the C++ library.
Class APIClient
Class ApiClient is used to create the SSH connection to TPAM and execute the various commands provided by the
library. This main class contains only a few functions.
Table 161. Class APIClient functions
Method
Description
Parameters
constructor
Constructor for the class.
• String Host - IP address of TPAM appliance
• String keyFileName - local path to identity key file created by and downloaded from TPAM
• String userName - user name of API user ID defined in TPAM
connect
This method initiates the SSH connection to TPAM.
None
sendCommand
This method invokes the requested operation on TPAM and processes the
response. The response attributes are available via the appropriate “result”
class described below.
An object of type “command” class as discussed below
disconnect
This method disconnects the SSH session.
None
Business object classes
The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.
Table 162. C++ Library: Business object classes
Class
Description
Account
This class contains the attributes of an account.
Alias
This class contains the attributes of an alias.
CollectionMembership
This class contains the attributes of a collection membership.
EDMZSystem
This class contains the attributes of a system.
EgpAccount
This class contains the attributes of a EGP account.
GroupMembership
This class contains the attributes of a group membership.
Permission
This class contains the attributes of a permission.
Policy
This class contains the attributes of an access policy.
PsmAccount
This class contains the attributes of a PSM account.
PwdRequest
This class contains the attributes of a password request. It is based on the Request
class.
Request
This class contains the attributes common to a password or session request.
SessionRequest
This class contains the attributes of a session request. It is based on the Request
class.
SynchronizedPassword
This class contains the attributes of a synchronized password.
SyncPwdSubscriber
This class contains the attributes of a synchronized password subscriber.
User
This class contains the attributes of a user.
Command classes
Each “command” class implements a single operation that can be performed on TPAM. The constructor for each
class accepts the mandatory data that is required by TPAM to execute the operation.
Some operations have optional values that may be specified. Several of the add and update operations allow
optional attributes of the business object being added or updated to be set. The list operations allow optional
selection criteria to be specified in order to narrow the results returned by TPAM. See Setting operational values
for operations for details.
An instance of one of these “command” classes is passed to method sendCommand of class ApiClient to have
the operation carried out on TPAM. After execution, a “result” class can be queried for details of the outcome
of the operation. This result class is accessed via method getResult() of the “command” class. In the case of
commands that query data from TPAM, if the result indicates success, the retrieved data will be available within
the “command” class after execution of the operation on TPAM.
Table 163. C++ Library: Command classes
Class
Result class detailing execution outcome
Method used to access retrieved data
AddAccountCommand
IDResult
N/A
AddCollectionCommand
Result
N/A
AddCollectionMemberCommand
Result
N/A
AddGroupCommand
Result
N/A
AddGroupMemberCommand
Result
N/A
AddPwdRequestCommand
IDResult
N/A
AddSessionRequestCommand
IDResult
N/A
AddSyncPassCommand
Result
N/A
AddSyncPwdSubCommand
Result
N/A
AddSystemCommand
IDResult
N/A
AddUserCommand
IDResult
N/A
ApproveCommand
Result
N/A
ApproveSessionRequestCommand
Result
N/A
CancelCommand
Result
N/A
CancelSessionRequestCommand
Result
N/A
ChangeUserPasswordCommand
Result
N/A
CheckPasswordCommand
Result
N/A
ClearKnownHostsCommand
Result
N/A
DeleteAccountCommand
Result
N/A
DeleteSyncPassCommand
Result
N/A
DeleteSystemCommand
Result
N/A
DeleteUserCommand
Result
N/A
DropCollectionCommand
Result
N/A
DropCollectionMemberCommand
Result
N/A
DropGroupCommand
Result
N/A
DropGroupMemberCommand
Result
N/A
DropSyncPwdSubCommand
Result
N/A
ForceResetCommand
Result
N/A
ForceResetManualCommand
IDResult
getID() returns the password ID.
getMessage() returns the password.
GetPwdRequestCommand
ListResult
getPwdRequest() returns a single
PwdRequest object
GetSessionRequestCommand
ListResult
getSessionRequest() returns a single
SessionRequest object
GrantPermissionCommand
Result
N/A
ListAccountsCommand
ListResult
getAccountList() returns a vector of
Account objects
ListAcctsForPwdRequestCommand
ListResult
getAccountList() returns a vector of
Account objects
ListAcctsforSessionRequestCommand
ListResult
getAccountList() returns a vector of
Account objects
ListAssignedPoliciesCommand
ListResult
getAssignedPoliciesList returns a
vector of Policy objects
ListCollectionMembershipCommand
ListResult
getCollectionMembershipList() returns
a vector of CollectionMembership
objects
ListCollectionsCommand
ListResult
getCollectionList() returns a vector of
Collection objects
ListDependentSystemsCommand
ListResult
getDependentSystemsList() returns a
vector of DependentSystem objects
ListEgpAccountsCommand
ListResult
getEgpAccountList() returns a vector
of EgpAccount objects
ListEgpPermissionsCommand
ListReult
getPermissionsList() returns a vector
of Permission objects
ListGroupMembershipCommand
ListResult
getMembershipList() returns a vector
of GroupMembership objects
ListGroupsCommand
ListResult
getGroupList() returns a vector of
Group objects
ListLinkedAccountsCommand
ListResult
getLinkedAccountList() returns a
vector of LinkedAccount objects
ListPsmAccountsCommand
ListResult
getPSMAccountList() returns a vector
of PsmAccount objects
ListReasonCodesCommand
ListResult
getReasonCodeList() returns a vector
of ReasonCode objects
ListRequestCommand
ListResult
getRequestList() returns a vector of
Request objects
ListRequestDetailsCommand
ListResult
getRequestDetailsList() returns a
vector of Request objects
ListSessionRequestCommand
ListResult
getSessionRequestList() returns a
vector of SessionRequest objects
ListSessionRequestDetailsCommand
ListResult
getSessionRequestDetailsList() returns
a vector of SessionRequest objects
ListSynchronizedPasswordCommand
ListResult
getSynchronizedPasswordsList()
returns a vector of
SynchronizedPassword objects
ListSyncPwdSubscribersCommand
ListResult
getSyncPwdSubscribers() returns a
vector of SyncPwdSubscriber objects
ListSystemsCommand
ListResult
getSystemList() returns a vector of
EDMZSAystem objects
ListUsersCommand
ListResult
getUserList() returns a vector of User
objects
ManualPasswordResetCommand
Result
N/A
Method used to access retrieved data
TPAM 2.5
Administrator Guide
290
Table 163. C++ Library: Command classes
Class
Result class detailing
execution outcome
ProfileCertificateCommand
Result
getMessage() method of Result
contains returned certificate, if
requested
ReportActivityCommand
ListResult
getActivities() returns a vector of
Activity objects
RetrieveCommand
Result
getPassword() returns the password as
a string
RetrieveWithTicketCommand
Result
getPassword() returns the password as
a string
SetAccessPolicyCommand
Result
N/A
SshKeyCommand
Result
getMessage() method of Result
contains returned SSH key
SyncPassForceResetCommand
Result
N/A
TestSystemCommand
Result
N/A
UnlockUserCommand
Result
N/A
UpdateAccountCommand
IDResult
N/A
UpdateAccountTicketCommand
IDResult
N/A
UpdateCollectionCommand
Result
N/A
UpdateDependentSystemsCommand
Result
N/A
UpdateEgpAccountCommand
IDResult
N/A
UpdatePsmAccountCommand
IDResult
N/A
UpdateSyncPassCommand
Result
N/A
UpdateSystemCommand
IDResult
N/A
UpdateSystemTicketCommand
IDResult
N/A
UpdateUserCommand
IDResult
N/A
UserLinkedAccountsCommand
Result
N/A
UserSshKeyCommand
Result
getMessage() method of Result
contains returned SSH key
Method used to access retrieved data
Setting operational values for operations
Add and update “command” classes that allow optional values to be set contain an instance of the
corresponding business object. Mandatory values specified in the “command” class constructor are populated in
the business object. The optional values can be set by obtaining a reference to the business object from the
“command” class, and setting the desired attributes of the business object.
For example, when adding a new system, the constructor for class AddSystemCommand requires parameters
specifying the system name, network address, and platform name. These values are populated in the
EDMZSystem object contained within the AddSystemCommand object. To set optional attributes, obtain a
reference to this EDMZSystem object by calling method getSystem() on the AddSystemCommand object, and
then call the desired setter methods of the EDMZSystem object. This is demonstrated in the example code
provided in C++ examples.
The add and update “command” classes that contain these business objects that allow setting of optional values
are shown in the following table.
Table 164. Command classes

| Class | Method used to get business object reference |
|---|---|
| AddAccountCommand, UpdateAccountCommand | getAccount() |
| AddCollectionMemberCommand | getCollectionMembership() |
| AddGroupMemberCommand | getGroupMembership() |
| AddSystemCommand, UpdateSystemCommand | getSystem() |
| AddUserCommand, UpdateUserCommand | getUser() |
Selection criteria for the list operations are specified by using the setter methods of the “command” classes
that perform the list operations. See the example code provided in C++ examples.
Results classes
The “result” classes detail the result of the execution of operations on TPAM.
Table 165. C++ Library: Results classes

| Class | Attributes |
|---|---|
| Result | Integer return code: zero indicates successful execution of the command, non-zero indicates failure. String message: a message returned by TPAM with brief information about the execution of the command. |
| IDResult | Integer return code: see Result class for description. String message: see Result class for description. Integer ID: on successful command execution, this value holds the row number of the modified database record. |
| ListResult | Integer return code: see Result class for description. String message: see Result class for description. Integer row count: on successful list operations, this value tells how many entries have been returned by TPAM. Query the appropriate attribute of the "command" class to access the data returned by TPAM. |
Exception classes
The C++ TPAM API Library will throw exceptions under error conditions. Each exception contains a message
describing the failure.
Table 166. C++ Library: Exception classes

| Class | Description |
|---|---|
| ParseException | This exception is thrown if there is a failure while parsing a response from TPAM. |
| SshException | This exception is thrown if there is a problem with the SSH connection being used to communicate with TPAM. |
| ValidationException | This exception is thrown if validation fails on any data prior to sending that data to TPAM for processing. Note that most data validation is done by TPAM itself. In that case, if invalid data is passed to TPAM, ValidationException is not raised; instead, the result from execution of the command on TPAM indicates a failure and the result message details the failure reason. |
.NET library
The TPAM API .NET library is provided as a Windows® DLL file. It is distributed alongside the TPAM API C++
Library.
The main class of the library is ApiClientWrapper. This class provides the SSH connection to TPAM and methods
to execute all available operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the .NET library.
These classes fall into the categories of business objects, filters, and results.
See .NET examples (C#) for examples of using the .NET library.
Class ApiClientWrapper
Class ApiClientWrapper is used to create the SSH connection to TPAM, and it provides methods to implement the
various operations available in the library.
Methods in ApiClientWrapper will throw an ApplicationException on error. A message describing the failure is
included in the exception.
Table 167. ApiClientWrapper methods

| Method | Parameters | Returns |
|---|---|---|
| constructor | System::String^ host: IP address of TPAM appliance; System::String^ keyFileName: local path to identity key file created and downloaded from TPAM; System::String^ userName: user name of "API" defined user in TPAM | N/A |
| connect (initiate the SSH connection to TPAM) | None | Void |
| disconnect (disconnect the SSH session) | None | Void |
| setCommandTimeout (sets the timeout for execution of a command over SSH) | int | Void |
| addAccount | Account^ account | IDResult |
| addCollection | System::String^ collectionName; System::String^ description | Result |
| addCollection | System::String^ collectionName; System::String^ description; AddCollectionParms^ parms | Result |
| addCollectionMember | System::String^ collectionName; AddCollectionMemberParms^ parms | |
| addGroup | System::String^ groupName; System::String^ description | Result |
| addGroupMember | System::String^ userName; System::String^ groupName | Result |
| addGroupMember | System::String^ userName; int groupID | Result |
| addPwdRequest | System::String^ systemName; System::String^ accountName; System::String^ forUserName; System::String^ requestNotes; AddPwdRequestParms^ parms | IDResult |
| addSessionRequest | System::String^ systemName; System::String^ accountName; System::String^ forUserName; System::String^ requestNotes; AddSessionRequestParms^ parms | IDResult |
| addSyncPass | System::String^ syncPassName; AddSyncPassParms^ parms | Result |
| addSyncPwdSub | System::String^ syncPassName; System::String^ systemName; System::String^ accountName | Result |
| addSystem | EDMZSystem^ system | IDResult |
| addUser | User^ user | IDResult |
| approve | int requestID; System::String^ comment | Result |
| approveSessionRequest | int requestID; System::String^ comment | Result |
| cancel | int requestID; System::String^ comment | Result |
| cancelSessionRequest | int requestID; System::String^ comment | Result |
| changeUserPassword | System::String^ userName; System::String^ password | Result |
| checkPassword | System::String^ systemName; System::String^ accountName | Result |
| clearKnownHosts | System::String^ systemName | Result |
| deleteAccount | System::String^ systemName; System::String^ accountName | Result |
| deleteSyncPass | System::String^ syncPassName | Result |
| deleteSystem | System::String^ systemName | Result |
| deleteUser | System::String^ userName | Result |
| dropCollection | System::String^ collectionName | Result |
| dropCollectionMember | System::String^ systemName; System::String^ accountName; System::String^ collectionName | Result |
| dropGroup | System::String^ groupName | Result |
| dropGroup | int groupID | Result |
| dropGroupMember | System::String^ userName; System::String^ groupName | Result |
| dropGroupMember | System::String^ userName; int groupID | Result |
| dropSyncPwdSub | System::String^ syncPassName; System::String^ systemName; System::String^ accountName | Result |
| forceReset | System::String^ systemName; System::String^ accountName | Result |
| forceResetManual | System::String^ systemName; System::String^ accountName | IDResult |
| getPwdRequest | System::String^ accountName; [System::Runtime::InteropServices::Out] PwdRequest^ %request | ListResult |
| getSessionRequest | int requestID; [System::Runtime::InteropServices::Out] SessionRequest^ %sessionRequest | ListResult |
| grantPermission | System::String^ permName; UserOrGroup userOrGroupChoice (possible values are USER or GROUP); System::String^ userOrGroupName; SystemOrCollection systemOrCollectionChoice (possible values are SYSTEM or COLLECTION); System::String^ systemOrCollectionName | Result |
| listAccounts | AccountFilter^ filter; [System::Runtime::InteropServices::Out] array<Account^>^% accounts | ListResult |
| listAcctsForPwdRequest | AcctForPwdRequestFilter^ filter; [System::Runtime::InteropServices::Out] array<AccountForPwdRequest^>^% accounts | ListResult |
| listAcctsforSessionRequest | AcctForSessionRequestFilter^ filter; [System::Runtime::InteropServices::Out] array<AccountForSessionRequest^>^% accounts | ListResult |
| listAssignedPolicies | PolicyFilter^ filter; [System::Runtime::InteropServices::Out] array<Policy^>^% policies | ListResult |
| listCollectionMembership | System::String^ collectionName; System::String^ systemName; int maxRows; [System::Runtime::InteropServices::Out] array<CollectionMembership^>^% membership | ListResult |
| listCollectionMembership | CollectionMembershipFilter^ filter; [System::Runtime::InteropServices::Out] array<CollectionMembership^>^% membership | ListResult |
| listCollections | CollectionFilter^ filter; [System::Runtime::InteropServices::Out] array<Collection^>^% collections | ListResult |
| listDependentSystems | System::String^ systemName; System::String^ accountName; DependentSystemFilter^ filter; [System::Runtime::InteropServices::Out] array<DependentSystem^>^% dependentSystems | ListResult |
| listEgpAccounts | EgpAccountFilter^ filter; [System::Runtime::InteropServices::Out] array<EgpAccount^>^% egpAccounts | ListResult |
| listEgpPermissions (also listed as listPermissions) | PermissionFilter^ filter; [System::Runtime::InteropServices::Out] array<Permission^>^% permissions | ListResult |
| listGroups | GroupFilter^ filter; [System::Runtime::InteropServices::Out] array<Group^>^% groups | ListResult |
| listGroupMembership | System::String^ groupName; System::String^ userName; int maxRows; [System::Runtime::InteropServices::Out] array<GroupMembership^>^% membership | ListResult |
| listLinkedAccounts | LinkedAccountFilter^ filter; [System::Runtime::InteropServices::Out] array<LinkedAccount^>^% accounts | ListResult |
| listPsmAccounts | PsmAccountFilter^ filter; [System::Runtime::InteropServices::Out] array<PsmAccount^>^% psmAccounts | ListResult |
| listReasonCodes | [System::Runtime::InteropServices::Out] array<ReasonCode^>^% reasonCodes | ListResult |
| listRequest | RequestFilter^ filter; [System::Runtime::InteropServices::Out] array<Request^>^% requests | ListResult |
| listRequestDetails | RequestFilter^ filter; [System::Runtime::InteropServices::Out] array<Request^>^% requests | ListResult |
| listSessionRequest | SessionRequestFilter^ filter; [System::Runtime::InteropServices::Out] array<SessionRequest^>^% sessionRequests | ListResult |
| listSessionRequestDetails | SessionRequestFilter^ filter; [System::Runtime::InteropServices::Out] array<SessionRequest^>^% sessionRequests | ListResult |
| listSynchronizedPassword | [System::Runtime::InteropServices::Out] array<SynchronizedPassword^>^% synchronizedPasswords | ListResult |
| listSyncPwdSubscribers | System::String^ syncPassName; [System::Runtime::InteropServices::Out] array<SyncPwdSubscriber^>^% syncPwdSubscribers | ListResult |
| listSystems | SystemFilter^ filter; [System::Runtime::InteropServices::Out] array<EDMZSystem^>^% systems | ListResult |
| listUsers | UserFilter^ filter; [System::Runtime::InteropServices::Out] array<User^>^% users | ListResult |
| manualPasswordReset | System::String^ passwordID; System::String^ status | Result |
| profileCertificate | ProfileCertificateParms^ parms | Result |
| reportActivity | System::String^ accountName; [System::Runtime::InteropServices::Out] array<Activity^>^% activities | ListResult |
| retrieve | System::String^ systemName; System::String^ accountName; int timeRequired; System::String^ comment | Result |
| retrieve (v2.3+) | System::String^ systemName; System::String^ accountName; System::String^ comment; RetrieveParms^ parms | Result |
| retrieve (v2.3+) | System::String^ systemName; System::String^ accountName; RetrieveParms^ parms | Result |
| retrieveWithTicket | System::String^ systemName; System::String^ accountName; int timeRequired; System::String^ ticketSystemName; System::String^ ticketNumber; System::String^ comment | Result |
| setAccessPolicy | System::String^ accessPolicyName; System::String^ action; SetAccessPolicyParms^ parms | Result |
| sshKey | SshKeyParms^ parms | Result |
| syncPassForceReset | System::String^ syncPassName | Result |
| testSystem | System::String^ systemName | Result |
| unlockUser | System::String^ userName | Result |
| updateAccount | Account^ account; System::String^ newPassword | IDResult |
| updateAccountTicket | System::String^ systemName; System::String^ accountName; System::String^ ticketSystemName; eDMZ::ParAPI::Flag RequireTicketForRequest; eDMZ::ParAPI::Flag RequireTicketForISA; eDMZ::ParAPI::Flag RequireTicketForCLI; eDMZ::ParAPI::Flag RequireTicketForAPI; System::String^ ticketEmailNotify | IDResult |
| updateCollection | System::String^ collectionName; UpdateCollectionParms^ parms | Result |
| updateDependentSystems | System::String^ systemName; System::String^ accountName; UpdateDependentSystemsParms^ parms | Result |
| updateEgpAccount | System::String^ systemName; System::String^ accountName; UpdateEgpAccountParms^ parms | IDResult |
| updatePsmAccount | System::String^ systemName; System::String^ accountName; UpdatePsmAccountParms^ parms | IDResult |
| updateSyncPass | System::String^ syncPassName; UpdateSyncPassParms^ parms | Result |
| updateSystem | EDMZSystem^ system | IDResult |
| updateSystemTicket | System::String^ systemName; System::String^ ticketSystemName; eDMZ::ParAPI::Flag RequireTicketForRequest; eDMZ::ParAPI::Flag RequireTicketForISA; eDMZ::ParAPI::Flag RequireTicketForCLI; eDMZ::ParAPI::Flag RequireTicketForAPI; System::String^ ticketEmailNotify | IDResult |
| updateUser | User^ user | IDResult |
| userLinkedAccounts | System::String^ userName; System::String^ accountList | Result |
| userSshKey | UserSshKeyParms^ parms | Result |
Business object classes
The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.
Table 168. .Net Library: Business object classes

| Class | Description |
|---|---|
| Account | This class contains the attributes of an account. |
| AcctForPwdRequest | This class contains the attributes of an account that is available for password request. |
| AcctforSessionRequest | This class contains the attributes of an account that is available for session request. |
| Activity | This class contains the attributes of an entry in the activity report. |
| Collection | This class contains the attributes of a collection. |
| CollectionMembership | This class contains the attributes of a collection membership. |
| DependentSystem | This class contains the attributes of a dependent system. |
| EDMZSystem | This class contains the attributes of a system. |
| EgpAccount | This class contains the attributes of an Egp account. |
| Group | This class contains the attributes of a group. |
| GroupMembership | This class contains the attributes of a group membership. |
| LinkedAccount | This class contains the attributes of a linked account. |
| Policy | This class contains the attributes of an access policy. |
| PsmAccount | This class contains the attributes of a PSM account. |
| PwdRequest | This class contains the attributes of a password request. It is based on the Request class. |
| ReasonCode | This class contains the attributes of a reason code. |
| Request | This class contains the attributes common to a password or session request. |
| SessionRequest | This class contains the attributes of a session request. It is based on the Request class. |
| SynchronizedPassword | This class contains the attributes of a synchronized password. |
| SyncPwdSubscriber | This class contains the attributes of a synchronized password subscriber. |
| User | This class contains the attributes of a user. |
Filter classes
The “filter” classes are used to specify selection criteria for data being requested from TPAM.
Table 169. .Net Library: Filter classes

| Class | Description |
|---|---|
| AccountFilter | Provides selection criteria for listAccounts |
| AcctForPwdRequestFilter | Provides selection criteria for listAccountsForPwdRequest |
| AcctforSessionRequestFilter | Provides selection criteria for listAccountsForSessionRequest |
| ActivityFilter | Provides selection criteria for reportActivity |
| CollectionFilter | Provides selection criteria for listCollections |
| CollectionMembershipFilter | Provides selection criteria for listCollectionMembership |
| DependentSystemFilter | Provides selection criteria for listDependentSystems |
| EgpAccountFilter | Provides selection criteria for listEgpAccounts |
| GroupFilter | Provides selection criteria for listGroups |
| LinkedAccountFilter | Provides selection criteria for listLinkedAccounts |
| PolicyFilter | Provides selection criteria for listAssignedPolicies |
| PsmAccountFilter | Provides selection criteria for listPSMAccounts |
| RequestFilter | Provides selection criteria for listRequestDetails |
| SessionRequestFilter | Provides selection criteria for listSessionRequestDetails |
| SystemFilter | Provides selection criteria for listSystems |
| UserFilter | Provides selection criteria for listUsers |
Parms classes
The “parms” classes are used to specify optional parameters for various methods implemented in
ApiClientWrapper.
Table 170. .Net Library: Parms classes

| Class | Description |
|---|---|
| AddCollectionMemberParms | Allows setting of optional parameters for the addCollectionMember method |
| AddCollectionParms | Allows setting of optional parameters for the addCollection method |
| AddPwdRequestParms | Allows setting of optional parameters for the addPwdRequest method |
| AddSessionRequestParms | Allows setting of optional parameters for the addSessionRequest method |
| AddSyncPassParms | Allows setting of optional parameters for the addSyncPass method |
| DropCollectionMemberParms | Allows setting of optional parameters for the dropCollectionMember method |
| ProfileCertificateParms | Allows setting of optional parameters for the profileCertificate method |
| RetrieveParms | Allows setting of optional parameters for the retrieve method |
| SetAccessPolicyParms | Allows setting of optional parameters for the setAccessPolicy method |
| SshKeyParms | Allows setting of optional parameters for the sshKey method |
| UpdateCollectionParms | Allows setting of optional parameters for the updateCollection method |
| UpdateDependentSystemParms | Allows setting of optional parameters for the updateDependentSystems method |
| UpdateEgpAccountParms | Allows setting of optional parameters for the updateEgpAccount method |
| UpdatePsmAccountParms | Allows setting of optional parameters for the updatePsmAccount method |
| UpdateSyncPassParms | Allows setting of optional parameters for the updateSyncPass method |
| UserSshKeyParms | Allows setting of optional parameters for the userSshKey method |
Results classes
The “result” classes detail the result of the execution of operations on TPAM.
Table 171. .Net Library: Results classes

| Class | Attributes |
|---|---|
| Result | Integer return code: zero indicates successful execution of the command, non-zero indicates failure. String message: a message returned by TPAM with brief information about the execution of the command. |
| IDResult | Integer return code: see Result class for description. String message: see Result class for description. Integer ID: on successful command execution, this value holds the row number of the modified database record. |
| ListResult | Integer return code: see Result class for description. String message: see Result class for description. Integer row count: on successful list operations, this value tells how many entries have been returned by TPAM. Array of Objects: array containing "row count" elements, each element being an object of the type described under business objects, as requested by the operation. NOTE: This array is used internally by the API. It simply refers to the data being returned as an OUT parameter of list operations. Applications using the API should use the OUT parameters instead of this array. |
PERL library
Documentation for the TPAM API Perl library is available in PERL POD format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
Java® library
Documentation for the TPAM API Java® library is available in Javadoc format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.
C++ examples
The following examples have minimal error checking for simplicity.
#include <iostream>
// The headers of the TPAM API C++ Library (not named in this guide) must be included as well.
using namespace std;

void addSystem(ApiClient& client)
{
    // Add a dummy system.
    AddSystemCommand asc("testsys", "147.148.149.150", "AS400");
    // Set some attributes of the system being added.
    asc.getSystem().setSystemAutoFl(Flag::FLAG_N);
    asc.getSystem().setDescription("Description for testsys");
    // Execute the operation on TPAM.
    client.sendCommand(asc);
    // Check the outcome of the operation.
    IDResult* idresult = asc.getResult();
    cout << "addSystem: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void addAccount(ApiClient& client)
{
    // Add a dummy account.
    AddAccountCommand aac("testsys", "testacct");
    // Set an attribute of the account being added.
    aac.getAccount().setDescription("Description for testacct");
    // Execute the operation on TPAM.
    client.sendCommand(aac);
    // Check the outcome of the operation.
    IDResult* idresult = aac.getResult();
    cout << "addAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void updateAccount(ApiClient& client)
{
    // Update the account password.
    UpdateAccountCommand uac("testsys", "testacct");
    uac.getAccount().setPassword("a1b2c3d4e5");
    // Execute the operation on TPAM.
    client.sendCommand(uac);
    // Check the outcome of the operation.
    IDResult* idresult = uac.getResult();
    cout << "updateAccount: rc = " << idresult->getReturnCode()
         << " message = " << idresult->getMessage() << endl;
}

void retrieve(ApiClient& client)
{
    // Get the password for testsys/testacct.
    RetrieveCommand rc("testsys", "testacct", 30, "This is my comment");
    // Execute the operation on TPAM.
    client.sendCommand(rc);
    Result* result = rc.getResult();
    if (result->getReturnCode() == 0)
    {
        cout << "retrieve: The password is " << rc.getPassword() << endl;
    }
    else
    {
        cout << "Failed retrieving password: " << result->getMessage() << endl;
    }
}

void listAccounts(ApiClient& client)
{
    // List the accounts, but set filters to see only testsys/testacct.
    ListAccountsCommand lac;
    lac.setSystemName("testsys");
    lac.setAccountName("testacct");
    // Execute the operation on TPAM.
    client.sendCommand(lac);
    ListResult* listresult = lac.getResult();
    // Since we set filters for just testsys/testacct,
    // there should be just 1 entry returned.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "listAccounts: The description for testsys/testacct is "
             << lac.getAccountList().at(0).getDescription() << endl;
    }
    else
    {
        cout << "Unexpected result for listAccounts: "
             << listresult->getMessage() << endl;
    }
}

void listSystems(ApiClient& client)
{
    // We'll list all defined systems.
    ListSystemsCommand lsc;
    // Execute the operation on TPAM.
    client.sendCommand(lsc);
    ListResult* listresult = lsc.getResult();
    if (listresult->getReturnCode() == 0)
    {
        for (int i = 0; i < listresult->getRowCount(); i++)
        {
            cout << "listSystems: System name: "
                 << lsc.getSystemList().at(i).getSystemName() << endl;
        }
    }
}

void deleteAccount(ApiClient& client)
{
    // Delete the account.
    DeleteAccountCommand dac("testsys", "testacct");
    // Execute the operation on TPAM.
    client.sendCommand(dac);
    // Check the outcome of the operation.
    Result* result = dac.getResult();
    cout << "deleteAccount: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void deleteSystem(ApiClient& client)
{
    // Delete the system.
    DeleteSystemCommand dsc("testsys");
    // Execute the operation on TPAM.
    client.sendCommand(dsc);
    // Check the outcome of the operation.
    Result* result = dsc.getResult();
    cout << "deleteSystem: rc = " << result->getReturnCode()
         << " message = " << result->getMessage() << endl;
}

void getPwdRequest(ApiClient& client)
{
    GetPwdRequestCommand gprc(9);
    // Execute the operation on TPAM.
    client.sendCommand(gprc);
    ListResult* listresult = gprc.getResult();
    // This operation always returns just 1 entry.
    if ((listresult->getReturnCode() == 0) &&
        (listresult->getRowCount() == 1))
    {
        cout << "getPwdRequest: Status of request "
             << gprc.getPwdRequest().getRequestID()
             << " is "
             << gprc.getPwdRequest().getRequestStatus() << endl;
    }
    else
    {
        cout << "Unexpected result for getPwdRequest: "
             << listresult->getMessage() << endl;
    }
}

int main()
{
    ApiClient client("192.168.70.3", "C:/keys/parapiuser.txt", "parapiuser");
    try
    {
        client.connect();
        try
        {
            addSystem(client);
            addAccount(client);
            updateAccount(client);
            retrieve(client);
            listAccounts(client);
            listSystems(client);
            deleteAccount(client);
            deleteSystem(client);
            getPwdRequest(client);
        }
        catch (ValidationException& vex)
        {
            cout << "ValidationException: " << vex.toString() << endl;
        }
        catch (ParseException& pex)
        {
            cout << "ParseException: " << pex.toString() << endl;
        }
        // Call disconnect() on the ApiClient after commands have completed.
        client.disconnect();
    }
    catch (SshException& sshex)
    {
        cout << "SshException: " << sshex.toString() << endl;
    }
    return 0;
}
.NET examples (C#)
The following examples have minimal error checking for simplicity.
using System;
// The namespace of the TPAM API .NET DLL is not named in this guide; add its using directive as well.

class Program
{
    static void addSystem(ApiClientWrapper client)
    {
        // Add a dummy system.
        EDMZSystem edmzsys = new EDMZSystem();
        edmzsys.systemName = "testsys";
        edmzsys.networkAddress = "147.148.149.150";
        edmzsys.platformName = "AS400";
        edmzsys.systemAutoFl = Flag.N;
        edmzsys.description = "Description of testsys";
        // Execute the operation on TPAM.
        IDResult idresult = client.addSystem(edmzsys);
        // Check the outcome of the operation.
        Console.WriteLine("addSystem: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void addAccount(ApiClientWrapper client)
    {
        // Add a dummy account.
        Account account = new Account();
        account.systemName = "testsys";
        account.accountName = "testacct";
        account.description = "Description for testacct";
        // Execute the operation on TPAM.
        IDResult idresult = client.addAccount(account);
        // Check the outcome of the operation.
        Console.WriteLine("addAccount: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void updateAccount(ApiClientWrapper client)
    {
        // Update the account password.
        Account account = new Account();
        account.systemName = "testsys";
        account.accountName = "testacct";
        account.password = "a1b2c3d4e5";
        // Execute the operation on TPAM.
        IDResult idresult = client.updateAccount(account);
        // Check the outcome of the operation.
        Console.WriteLine("updateAccount: rc = {0}, message = {1}",
            idresult.returnCode, idresult.message);
    }

    static void retrieve(ApiClientWrapper client)
    {
        Result result = client.retrieve(
            "testsys", "testacct", 30, "This is my comment");
        if (result.returnCode == 0)
        {
            // If returnCode indicates success, the message is the password.
            Console.WriteLine("retrieve: The password is {0}",
                result.message);
        }
        else
        {
            // If returnCode indicates failure,
            // the message is an actual message.
            Console.WriteLine("Failed retrieving password: {0}",
                result.message);
        }
    }

    static void listAccounts(ApiClientWrapper client)
    {
        // List the accounts, but set filters to see only testsys/testacct.
        AccountFilter af = new AccountFilter();
        af.systemName = "testsys";
        af.accountName = "testacct";
        // Execute the operation on TPAM.
        Account[] accounts = null;
        ListResult lr = client.listAccounts(af, out accounts);
        // Since we set filters for just testsys/testacct,
        // there should be just 1 entry returned.
        if ((lr.returnCode == 0) && (lr.rowCount == 1))
        {
            Console.WriteLine(
                "listAccounts: The description for testsys/testacct is {0}",
                accounts[0].description);
        }
        else
        {
            Console.WriteLine("Unexpected result for listAccounts: {0}",
                lr.message);
        }
    }

    static void listSystems(ApiClientWrapper client)
    {
        // We'll list all defined systems.
        EDMZSystem[] systems = null;
        ListResult lr = client.listSystems(null, out systems);
        if (lr.returnCode == 0)
        {
            for (int i = 0; i < lr.rowCount; i++)
            {
                Console.WriteLine("listSystems: System name: {0}",
                    systems[i].systemName);
            }
        }
    }

    static void deleteAccount(ApiClientWrapper client)
    {
        // Delete the account.
        Result result = client.deleteAccount("testsys", "testacct");
        // Check the outcome of the operation.
        Console.WriteLine("deleteAccount: rc = {0}, message = {1}",
            result.returnCode, result.message);
    }

    static void deleteSystem(ApiClientWrapper client)
    {
        // Delete the system.
        Result result = client.deleteSystem("testsys");
        // Check the outcome of the operation.
        Console.WriteLine("deleteSystem: rc = {0}, message = {1}",
            result.returnCode, result.message);
    }

    static void getPwdRequest(ApiClientWrapper client)
    {
        PwdRequest request;
        ListResult lr = client.getPwdRequest(9, out request);
        if (lr.returnCode == 0)
        {
            Console.WriteLine(
                "getPwdRequest: Status of request {0} is {1}",
                request.requestID,
                request.requestStatus);
        }
        else
        {
            Console.WriteLine("Unexpected result for getPwdRequest: {0}",
                lr.message);
        }
    }

    static void Main(string[] args)
    {
        ApiClientWrapper client = new ApiClientWrapper(
            "192.168.70.3",
            "C:\\keys\\parapiuser.txt",
            "parapiuser");
        try
        {
            client.connect();
            addSystem(client);
            addAccount(client);
            updateAccount(client);
            retrieve(client);
            listAccounts(client);
            listSystems(client);
            deleteAccount(client);
            deleteSystem(client);
            getPwdRequest(client);
        }
        catch (ApplicationException aex)
        {
            Console.WriteLine("Exception: {0}", aex.Message);
        }
        finally
        {
            client.disconnect();
        }
    }
}
TPAM 2.5
Administrator Guide
307
44 Configuration for Capturing Events on Windows® Systems
• Introduction
• General j-Interop requirements
• Summary of common problems
• Firewall related problems
• Explicitly opening DCOM ports
• Dynamically opening DCOM ports
• Remote registry related problems
• Local security policy related problems
• User account control (UAC) related problems
• Registry key related problems
• Operating systems
• Windows® event requirements
Introduction
TPAM provides the ability to capture events during PSM sessions to certain platforms. J-Interop is used on DPAs
to help capture events on Windows® systems. Special configuration may be required on Windows® systems in
order for j-Interop to work. In addition to setting up the Windows® system so that j-Interop works correctly,
certain Windows® events must be generated in order for the event capture code to determine when sessions
start and stop.
This chapter describes configuration that may be necessary to enable event capture on Windows® systems.
These are general directions, so buttons, dialog boxes, etc. discussed here may be slightly different from those
encountered on the various Windows® operating systems.
General j-Interop requirements
In order for j-Interop to communicate with a remote Windows® system there are a number of requirements that
have to be met:
• The "Remote Registry" service must be running
• The firewall must not block the j-Interop traffic
• Windows® User Account Control (UAC) must not interfere
• Other permissions must be configured
Depending on which version of Windows® you are using, different steps have to be taken, or the same steps have
to be taken differently.
Summary of common problems
Table 172. Common problems

Operating system                  | Firewall          | Remote registry service | Local security permissions | User account control (UAC) | Registry key permissions
Windows® XP                       | Action Required   | No Changes Needed       | Action Required            | N/A                        | No Changes Needed
Windows® Vista                    | Action Required   | Action Required         | No Changes Needed          | Action Required            | No Changes Needed
Windows® 7                        | Action Required   | Action Required         | No Changes Needed          | Action Required            | Action Required
Windows® Server 2003              | No Changes Needed | No Changes Needed       | No Changes Needed          | N/A                        | No Changes Needed
Windows® Server 2008              | Action Required   | No Changes Needed       | No Changes Needed          | Action Required            | No Changes Needed
Windows® Server 2008 R2 and later | Action Required   | No Changes Needed       | No Changes Needed          | Action Required            | Action Required
Firewall related problems
The firewall of the Windows® system may block j-Interop communication. The following ports have to be
reachable from the DPA:
• TCP 135: General RPC port (endpoint mapper). For asynchronous RPC calls, the service listening on this port
  tells the client which port the component servicing its request is waiting on.
• UDP 137: NetBIOS Name Resolution
• UDP 138: NetBIOS Datagram Service
• TCP 139: NetBIOS Session Service
• TCP 445: SMB
• TCP, dynamic port: For asynchronous RPC calls, dllhost.exe on the remote host starts a "server" that handles
  the request. The port this server listens on can be dynamic, and is therefore tricky to configure. See the
  following articles for more details:
  • Service overview and network port requirements for Windows®: http://support.microsoft.com/kb/832017
  • How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596
  • WMI troubleshooting: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394603%28v=vs.85%29.aspx
In order to open the DCOM ports there are two options:
• Explicitly open DCOM ports
• Dynamically open DCOM ports
Explicitly opening DCOM ports
If you want to control which ports DCOM may open, you can limit the port range by using dcomcnfg. This makes
it possible to explicitly open ports for DCOM communication. Otherwise the DCOM system will use any free port.
To explicitly open the ports:
1 Start dcomcnfg.
2 Right-click Component Services | Computers | My Computer and select Properties.
3 Click the Default Protocols tab.
4 Select Connection-oriented TCP/IP and click Properties.
5 By clicking the Add... button you can add one (or multiple) ranges of ports. Don't set this range too
  small. You should configure at least 20-40 ports for DCOM.
6 Click the OK button to close all dialog boxes.
7 Reboot for these changes to take effect.
For the first 5 entries all Windows® versions already have predefined firewall rules that can be activated:
• TCP 135: Windows® Management Instrumentation (DCOM-In)
• UDP 137: File and Printer Sharing (NB-Name-In)
• UDP 138: File and Printer Sharing (NB-Datagram-In)
• TCP 139: File and Printer Sharing (NB-Session-In)
• TCP 445: File and Printer Sharing (SMB-In)
In order to make asynchronous requests (with fixed or dynamic ports) you have to add rules to the firewall
configuration manually. This is where most tutorials on the web recommend adding a port-based rule opening a
range of ports. Not all versions of Windows® allow you to define a port range in a firewall rule (only
Windows® Server 2008 R2 and newer server OSs and Windows® 7 and newer client OSs support a port range in a
rule). Without the port range capability, you would have to define numerous individual rules.
You can however add ports from the command line. Start a command prompt (cmd) as Administrator and add the
port range by calling the "add one port" command in a FOR loop:
FOR /L %I IN (9000,1,9099) DO netsh firewall add portopening TCP %I "DCOM dynamic Port %I"
As a result, your firewall configuration will be populated with 100 new entries that all have about the same
name. Note that the "netsh firewall" context is deprecated from Windows® Vista / Server 2008 onward; on
Windows® 7 / Server 2008 R2 and later the "netsh advfirewall firewall add rule" form accepts the whole range in a
single rule and lets you restrict the rule to the DPA's address with its remoteip option. Whichever form you
use, limit the opened range to the DPA rather than to every host on the network.
Dynamically opening DCOM ports
Alternatively, you can allow a program to open ports. Asynchronous calls are served by a program called
dllhost.exe. You can create a program-based rule that opens all ports used by dllhost.exe or one of its child
processes. For this, simply add the program %SystemRoot%\System32\dllhost.exe as the target program. If you
use this method, then you don't have to define a port range for DCOM at all.
Remote registry related problems
In order for j-Interop to be able to connect to the remote system, the Remote Registry service has to be running
on the remote Windows® system. Usually this service is running on all Windows® systems except Windows® Vista
and Windows® 7. If you set the service to be started Automatic, then the service will also start automatically
the next time the system boots.
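The firewall, DCOM port and Remote Registry preparation described above, collected into one script. This is an added example and not code from the TPAM guide or from j-Interop; it assumes an elevated PowerShell session on the target Windows system, uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) in place of the deprecated "netsh firewall" syntax, and pins the RPC dynamic range through the registry values described in Microsoft KB154596 (cited above). The DPA address, the port range and the rule names are this example's own choices, not values from the guide.

```powershell
# Added example, not part of the TPAM guide. Run elevated on the target host.
$DpaAddress = '192.0.2.10'   # placeholder: the DPA that will connect to this host
$DcomRange  = '9000-9099'    # 100 ports; the guide recommends at least 20-40

# Remote Registry: running now, and started automatically after every reboot.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# TCP 135 and the NetBIOS/SMB ports: Windows ships rules for them, so enable
# exactly those five rather than the whole "File and Printer Sharing" group.
Enable-NetFirewallRule -DisplayName 'Windows Management Instrumentation (DCOM-In)',
                                    'File and Printer Sharing (NB-Name-In)',
                                    'File and Printer Sharing (NB-Datagram-In)',
                                    'File and Printer Sharing (NB-Session-In)',
                                    'File and Printer Sharing (SMB-In)'

# Option 1, explicit ports: restrict the RPC/DCOM dynamic endpoints to $DcomRange
# (the registry equivalent of the dcomcnfg steps; takes effect after a reboot),
# then open exactly that range, and only for the DPA.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path -Path $rpc)) { New-Item -Path $rpc | Out-Null }
Set-ItemProperty -Path $rpc -Name Ports                  -Value @($DcomRange) -Type MultiString
Set-ItemProperty -Path $rpc -Name PortsInternetAvailable -Value 'Y'           -Type String
Set-ItemProperty -Path $rpc -Name UseInternetPorts       -Value 'Y'           -Type String
New-NetFirewallRule -DisplayName "DCOM dynamic ports $DcomRange (j-Interop)" `
    -Direction Inbound -Protocol TCP -LocalPort $DcomRange `
    -RemoteAddress $DpaAddress -Action Allow | Out-Null

# Option 2, program-based rule: let dllhost.exe accept on whatever port DCOM
# assigns, again only from the DPA. Use this instead of option 1 if you do not
# want to reserve a range at all.
# New-NetFirewallRule -DisplayName 'DCOM dllhost.exe (j-Interop)' -Direction Inbound `
#     -Program "$env:SystemRoot\System32\dllhost.exe" -RemoteAddress $DpaAddress -Action Allow

# Check what was applied.
Get-Service -Name RemoteRegistry | Format-Table Name, Status, StartType
Get-NetFirewallRule -Enabled True |
    Where-Object { $_.DisplayName -match 'DCOM|NB-|SMB-In' } |
    Format-Table DisplayName, Direction, Action -AutoSize
```

Both rule forms are scoped to the DPA with -RemoteAddress, which the netsh loop in the guide does not do; a range of a hundred listening ports, or every port dllhost.exe ever opens, should not be reachable from arbitrary hosts. The registry-based port restriction needs a reboot before DCOM honours it, the same as the dcomcnfg dialog.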
Local security policy related problems
This seems to be a problem that is related only to Windows® XP systems. Even though this configuration option is
present in all Windows® operating systems, only on Windows® XP is it configured in a way that prevents j-Interop
from working correctly.
The security policy Network access: Sharing and security model for local accounts is set by default to Guest
only: local users authenticate as Guest. This has to be changed to Classic: local users authenticate as
themselves. If it is set to Guest only, all remotely logged-in users have only guest permissions on the target
system.
User account control (UAC) related problems
Starting with Windows® Vista and Windows® Server 2008, Microsoft introduced User Account Control (UAC) to
prevent unwanted modifications. UAC separates the Admin account login from actual Admin tasks: in order to
perform an Admin task, the operating system requests permission by displaying a popup.
This behavior breaks most functionality that j-Interop would execute, since in a non-interactive session there
is no way to display the popup and click its button, so the operating system returns a "permission denied"
failure. There are a few options to make it possible to connect:
• Use the built-in local Administrator account as the functional account (not a domain Admin account;
  only the built-in one works, and you may have to enable this account first and set a password for it)
• Turn off UAC entirely
• Change the local security policy to disable Admin Approval Mode for administrators
The first option changes only the account TPAM uses; the other two remove UAC protection for every
administrator on the target system, so prefer the first where it is acceptable.
Activating the local administrator account
To activate the local admin account:
1 Start lusrmgr.msc.
2 Select Local Users and Groups | Users.
3 Right-click the Administrator account and select Properties.
4 Clear the Account is disabled check box.
5 Save with OK.
6 Right-click the Administrator account again and select Set Password...
7 Confirm the warning.
8 Enter the new password twice.
9 Set/Change the password with OK.
Turn off the UAC
To turn off UAC:
1 Refer to Microsoft documentation for how to turn off UAC for the Windows® system.
2 Turn off UAC.
3 Reboot to activate UAC changes.
Disable admin approval mode for administrators
To disable admin approval mode for administrators:
1 Start secpol.msc.
2 Select Security Settings | Local Policies | Security Options.
3 Right-click the list entry User Account Control: Run all administrators in Admin Approval Mode and
  select Properties.
4 Select Disabled.
5 Confirm with OK.
6 Reboot the machine for the change to take effect.
Registry key related problems
In order to be able to use an OLE/COM component remotely, an AppID key has to be added in that object's
registry entry. J-Interop will attempt to add the registry entry if it does not already exist. However, starting
with Windows® 7 and Windows® Server 2008 R2 the registry key has TrustedInstaller set as owner and only
that user has full access. When j-Interop tries to add the AppID key, Windows® reports an error back to
j-Interop.
There are several ways to solve this problem:
• Give the functional account (j-Interop user) full permissions to the key
• Manually add the AppID to the OLE object's registry entry, thereby doing manually what j-Interop intends
  to do automatically
In order for event capture to work, access to the following object is required:
• WBEM Scripting Locator: HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
More information on this is found in the j-Interop FAQ: http://www.j-interop.org/faq.html#A6
Give functional account full permissions to key
In order to perform the change, do the following for the above key:
1 Execute regedit in order to start the registry editor.
2 Select the key (using the search helps).
3 Right-click the key and select Permissions...
4 Currently only the owner is allowed to change the permissions, and currently this owner is the
  TrustedInstaller user. Therefore we have to change the ownership first. In order to do so, click Advanced.
5 Click the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the owner.)
6 Select Administrators.
7 Click OK.
8 In order to make the ownership change effective, you have to commit the changes by clicking OK first
  and then reopening the Permissions dialog.
9 In the reopened Permissions dialog, add or select the user or group you want to access the system under
  and select the check box for allowing Full Control.
10 Click OK.
11 Right-click the key a third time and select Permissions...
12 Click Advanced.
13 Select the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the owner.)
14 Enter the following username (you can't select it from any list): NT Service\TrustedInstaller.
15 Click OK as necessary to exit.
NOTE: After the first session is started, and j-Interop has created these registry entries, it is safe to reset
the permissions back to original values.
Manually add the AppID to the OLE object's registry
To manually add the AppID:
1 Search for the OLE object's registry entry (HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}).
2 Create a new String Value in this entry:
  • AppID (REG_SZ): Set the Data field to {76A64158-CB41-11D1-8B02-00600806D9B6}
3 After this add a new key to HKCR\AppID (HKCR\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}).
4 Inside this new key, add two new String Values:
  • (Default) (REG_SZ): (The parentheses are required.) You can set the Data field to a name
    describing the object or just leave it blank.
  • DllSurrogate (REG_SZ): The Data field can be left blank.
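The manual AppID registration above as a script, preceded by a look at who may currently write the CLSID key. This is an added example, not code from the TPAM guide or from j-Interop; it assumes an elevated PowerShell session on the target Windows system. The CLSID is the WBEM Scripting Locator named in this chapter; the description string written to (Default) is this example's own choice.

```powershell
# Added example, not part of the TPAM guide. Run elevated on the target host.
$Clsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'   # WBEM Scripting Locator

# PowerShell has no HKCR: drive by default; map one onto HKEY_CLASSES_ROOT.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$clsidKey = "HKCR:\CLSID\$Clsid"
$appIdKey = "HKCR:\AppID\$Clsid"

# Identities whose Allow ACE includes SetValue (Full Control does). If the
# functional account, or a group it belongs to, is not listed, j-Interop's own
# attempt to create the AppID value fails exactly as described in this chapter.
function Get-KeyWriters([string]$Path) {
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}
"Owner of $clsidKey : $((Get-Acl -Path $clsidKey).Owner)"
Get-KeyWriters -Path $clsidKey | Format-Table -AutoSize

# Step 2: AppID value on the CLSID key, pointing at the AppID key of the same GUID.
New-ItemProperty -Path $clsidKey -Name AppID -Value $Clsid -PropertyType String -Force | Out-Null

# Steps 3 and 4: the AppID key with (Default) and an empty DllSurrogate. An empty
# DllSurrogate tells COM to host the object in the default surrogate (dllhost.exe)
# for out-of-process and remote callers.
if (-not (Test-Path -Path $appIdKey)) { New-Item -Path $appIdKey | Out-Null }
Set-ItemProperty -Path $appIdKey -Name '(default)' -Value 'WBEM Scripting Locator'
New-ItemProperty -Path $appIdKey -Name DllSurrogate -Value '' -PropertyType String -Force | Out-Null

# Verify both halves are in place.
Get-ItemProperty -Path $clsidKey -Name AppID | Select-Object AppID
Get-ItemProperty -Path $appIdKey | Select-Object '(default)', DllSurrogate
```

If the CLSID key really grants write access only to TrustedInstaller on your build, the New-ItemProperty call on $clsidKey fails with a registry access error; in that case perform the ownership steps from the previous procedure first (or run the registration from a session that holds the key's write permission). Pre-registering the AppID this way leaves the key's permissions untouched, which is the narrower change compared with granting the functional account Full Control.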
Operating systems
The following sections describe changes that may be required for each Windows® operating system to support
j-Interop.
Windows® XP
All Microsoft client operating systems starting with Windows® XP SP2 were shipped with a firewall that blocks
almost all inbound traffic. See Firewall related problems for more information.
After the firewall is configured on Windows® XP systems some Local Security Policy settings have to be changed,
or j-Interop will not be able to connect. See Local security policy related problems for more information on how
to resolve that problem.
Now the system should be accessible.
Windows® Vista
Starting with Windows® Vista the client operating systems have the Remote Registry service disabled by
default. See Remote registry related problems for how to fix this.
As with Windows® XP the firewall has to be configured. See Firewall related problems for more information.
Also, Windows® Vista introduced User Account Control (UAC). See User account control (UAC) related
problems for details.
Now the system should be accessible.
Windows® 7
In order to have Windows® 7 accessible the same steps have to be done as with Windows® Vista: configure the
firewall, start the Remote Registry service and configure the User Account Control (UAC).
There were also some changes with permissions in the Registry. These are preventing j-Interop from functioning
correctly. See the Registry key related problems.
Now the system should be accessible.
Windows® Server 2003
It appears that no changes are needed for j-Interop to work with Windows® Server 2003.
Windows® Server 2008
Windows® Server 2008 was the first Microsoft server operating system to be shipped with a firewall, so this has
to be configured before you can connect to it. See the chapter Firewall related problems for more
information.
It was also the first server product that included User Account Control (UAC), so this interferes too. See the
chapter User account control (UAC) related problems for more information.
After resolving the firewall and UAC problems, connections work without any problems.
Windows® Server 2008 R2 and later
Windows® Server 2008 R2 is configured almost identically to Windows® 2008, so please follow the firewall and
UAC configuration guide of that system.
One difference however is how the User Account Control is disabled. Instead of a check box in this case there is
a slider. In order to turn off the UAC, just drag the Slider to the bottom. After rebooting UAC should be disabled.
The biggest differences are small changes in the permissions of the systems registry. See the chapter on Registry
key related problems.
After these changes the connection should work with Windows® Server 2008 R2 and later operating systems.
Windows® event requirements
The event capture code must be able to track the beginning and end of a specific Windows® login session. This
is accomplished by monitoring specific Windows® logon and logoff events. Therefore, events indicating
successful logon or reconnect and logoff or disconnect must be generated by the Windows® system. The IDs of
the specific events required to be generated by the Windows® system, and where to configure generation of the
events, are as follows.

Table 173. Windows® XP/Server 2003 events

Operation  | Windows® XP / Server 2003 event ID                                       | Security policy path
Logon      | 528 - A user successfully logged on to a computer.                       | Audit Policy - Audit logon events
Logoff     | 538 - The logoff process was completed for a user.                       | Audit Policy - Audit logon events
Logoff     | 551 - A user initiated the logoff process.                               | Audit Policy - Audit logon events
Reconnect  | 682 - A user has reconnected to a disconnected terminal server session.  | Audit Policy - Audit logon events
Disconnect | 683 - A user disconnected a terminal server session without logging off. | Audit Policy - Audit logon events

Table 174. Windows® Vista/Server 2008 and later events

Operation  | Windows® Vista / Server 2008 and later event ID          | Security policy path
Logon      | 4624 - An account was successfully logged on.            | Advanced Audit Policy Configuration > Logon/Logoff - Audit Logon
Logoff     | 4634 - An account was logged off.                        | Advanced Audit Policy Configuration > Logon/Logoff - Audit Logoff
Logoff     | 4647 - User initiated logoff.                            | Advanced Audit Policy Configuration > Logon/Logoff - Audit Logoff
Reconnect  | 4778 - A session was reconnected to a Window Station.    | Advanced Audit Policy Configuration > Logon/Logoff - Audit Other Logon/Logoff Events
Disconnect | 4779 - A session was disconnected from a Window Station. | Advanced Audit Policy Configuration > Logon/Logoff - Audit Other Logon/Logoff Events
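The Table 174 requirements applied and checked from the command line. This is an added example, not code from the TPAM guide; it assumes an elevated PowerShell session on a Windows Vista / Server 2008 or later target, and uses auditpol.exe, the built-in tool behind Advanced Audit Policy Configuration. Only success auditing is enabled, since that is what produces the five events the capture code looks for; failure auditing is left as it is.

```powershell
# Added example, not part of the TPAM guide. Run elevated on the target host.
$subcategories = 'Logon', 'Logoff', 'Other Logon/Logoff Events'
foreach ($name in $subcategories) {
    # Audit Logon -> 4624; Audit Logoff -> 4634, 4647;
    # Audit Other Logon/Logoff Events -> 4778, 4779
    auditpol.exe /set /subcategory:"$name" /success:enable | Out-Null
}
# Show the resulting policy for the whole Logon/Logoff category.
auditpol.exe /get /category:"Logon/Logoff"

# Has the system actually generated the events the capture code depends on?
$required = 4624, 4634, 4647, 4778, 4779
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $required } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue
$seen = @($events | Select-Object -ExpandProperty Id | Sort-Object -Unique)
foreach ($id in $required) {
    $state = if ($id -in $seen) { 'present' } else { 'MISSING' }
    '{0}: {1}' -f $id, $state
}
# 4778/4779 only appear after a terminal-server session has been disconnected and
# reconnected, so MISSING for those two is expected on a host that has not yet had
# such a session; 4624, 4634 and 4647 should show up after one RDP logon and logoff.
```

If the host receives its audit policy from a domain GPO, set the three subcategories there instead: the local auditpol change is overwritten at the next policy refresh. On hosts where the legacy "Audit logon events" category is also defined, the subcategory settings only win when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.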
45 Appliance Specifications
Table 175. Appliance specifications

Feature/Spec              | Standard TPAM, Standard DPA, Standard cache                      | Enterprise TPAM
Processor                 | E3-1220 Intel® Xeon® processor family                            | E5-2600 Intel® Xeon® processor family
# of Processors           | 1                                                                | 2
# of Cores per Processor  | Four                                                             | Six
L2/L3 Cache               | 10 MB                                                            | 10 MB
Chipset                   | Intel® C236 series                                               | Intel® C610 series
DIMMs                     | DDR4 R-DIMMs                                                     | DDR4 R-DIMMs
RAM                       | 8 GB                                                             | 32 GB
HD Bays                   | 4 x 3.5" Hot Plug                                                | 4 x 3.5" Hot Plug
HD Types                  | SATA/SAS                                                         | SAS add-in controller
Internal HD Controller    | PERC H310 Integrated RAID Controller                             | PERC H710P Integrated RAID Controller, 1 GB NV Cache
Disk                      | 2 x 500 GB                                                       | 4 x 300 GB SAS
Availability              | ECC Memory, Hot-swap HDD, Redundant PSU, TPM                     | Hot-swap HDD, Redundant PSU, Memory mirroring, TPM
I/O Slots                 | 1 x PCIe x16                                                     | 2 x PCIe x16; half height, half length
RAID                      | RAID 1 Mirrored                                                  | RAID 10
NIC/LOM                   | 2x GbE LOM                                                       | 2x GbE LOM
DRAC                      | iDRAC8 Enterprise                                                | iDRAC8 Enterprise
USB                       | 2 front/2 rear/2 internal                                        | 2 front/2 rear/2 internal
Power Supplies/Details    | Redundant, 350W, Auto Ranging (100V~240V), ACPI compatible       | Redundant, 550W, Auto Ranging (100V~240V), ACPI compliant
Fans                      | 3 Non-redundant, non-hot-swappable                               | 4 Non-redundant, non-hot-swappable
Chassis                   | 1U rack                                                          | 1U rack
Dimension (HxWxD)         | 42.8 x 434.0 x 625.0 mm (w/o bezel); 1.68 x 17.08 x 24.6 in      | 42.8 x 434.0 x 607 mm (w/o ear, w/o bezel); 1.68 x 17.08 x 23.9 in
Weight                    | Max: 30.42 lbs (13.8 kg)                                         | Max: 43.87 lbs (19.9 kg)
Misc.                     | Intrusion switch detects when cover is opened, Hyper-threading (8 threads), 128x20 LCD | Intrusion switch detects when cover is opened, simultaneous multi-threading, status LCD module
Operating Temp            | 10° to 35°C                                                      | 10° to 35°C
Regulatory Certifications | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL | Class A: Australia/N.Z. - AMCA or C-Tick; Canada - SCC, IES; European Union - CE; Germany - TUV; United States - FCC, NRTL
Additional country certification available upon request.
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
[email protected]
Technical Support Resources
Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:
• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Obtain product notifications
• Download software. For trial software, go to Trial Downloads.
• View how-to videos
• Engage in community discussions
• Chat with a support engineer