Apply Global Settings
The Global Settings page includes the master provisioning settings for Privileged Access Manager. Credential Manager specific settings, however, are in a separate location. See Set Up Credential Manager Operation Settings for more information.
The Global Settings page contains options that let you customize functions for all Users and Devices. The tabs allow customization of global user policies, such as passwords and access methods.
To save the settings, select the Save button at the bottom of the page. The screen refreshes to display the updated configuration and the "Global Settings Saved" text appears on the screen. The login page has a non-configurable timeout of 3 minutes. This time is for the life of the page itself, not the Login Timeout setting for logged-in idle time. After that time, the page must be refreshed before Privileged Access Manager accepts a login.
The basic settings include:
- Default Auth Method (Login Page): Specify the default authentication method that appears on the login page from the following values. At least one user must be created with that authentication method before this option becomes available. The options are:
- Default Page Size: The number of Device line items shown when a user first reaches the Access page after login.
- Login Timeout: Set the number of minutes of inactivity before your connection to CA PAM times out. Activity is communication between the client user and CA PAM, including connections to targets. A timeout requires you to log in again with your user name and password. Set to zero for no timeout.
- Applet Timeout: Set the number of minutes of inactivity before a session (such as Telnet, SSH, Virtual Machine) with an external device times out. In that case, you connect to that device again. Set to zero for no timeout; even then, the session times out after 48 hours.
- Table Refresh Interval: Set the default refresh interval, in seconds, for Discovery Scan tables. The default interval is 60, and 0 indicates no refresh. See Device Discovery for information about Discovery.
- Scan Purge Interval: Set the number of days to keep Discovery scans.
- Default Device Type: Define the default template that is provided when a Device is added manually. The choices can be overridden on the template itself.
  - Access: Default: Initially active and selected
  - Password Management: Checkbox is active only with a Password Management license.
  - A2A: Checkbox is active only with an A2A license.
- External API Buttons
  - Enable: Show and activate the Try It Out test button at the bottom of every API page in the API Doc. The Try It Out button enables external API calls from that page. This option is activated by default, but the Enable External REST API option in Configuration, Security, Access is not. To prevent external API calls from that page, clear the Enable checkbox for the Enable API Buttons setting.
You can customize the password requirements for Local users by changing these fields. Other authentication method password policies are enforced by their infrastructure and CA PAM cannot control them. Unlike other accounts, the super account never expires. Super is not deactivated, even if the password failures limit is activated.
- Security Level: Set the level of password security you require for User passwords:
  - 0 - New Password: The new password must be different from the previous password.
  - 1 - 0+ Length Constraints: Level 0, and password length must be between the Minimum Password Length and the Maximum Password Length, which are defined on this page.
  - 2 - 1+ Require [a-zA-Z0-9]: Levels 0 and 1, and the password must have both an alphabet character and a digit.
  - 3 - 2+ Both Upper and Lower Case: Levels 0, 1 and 2, and the password must have both an uppercase and a lowercase alphabet character.
  - 4 - 3+ Special Character: Levels 0, 1, 2 and 3, and the password must contain a special character such as: !, @, #, $, %, ^
  - 5 - DoD strong password: DoD requires a minimum of 15 characters. There must be at least:
    - Two uppercase letters
    - Two lowercase letters
    - Two integers
    - Two special characters, such as: !, @, #
- Minimum Length: If the Password Level is 1 or above, set the minimum password length.
- Maximum Length: If the Password Level is 1 or above, set the maximum password length.
- Change Interval (Days): Set the number of days between forced password changes for all users.
- History: Set the number of recent passwords that cannot be reused.
- Failure Limit: Set the number of failed login attempts before a user account is deactivated.
- Failure Counter Reset (Minutes): Set the number of minutes for which an account is deactivated after exceeding the Failure Limit.
- Disable Inactive After (Days): Set the number of days after which inactive user accounts are disabled. When a database is restored from a backup that is older than this limit, the inactive accounts in it are disabled.
- Remove Disabled After (Days): Set the number of days from when an account is disabled until it is deleted.
- Forced Deactivation Alert: Select an administrator to receive an alert when a user is deactivated. Monitoring must be configured for this feature to function.
Two optional warning messages can be applied to users. They can be customized to reflect individual company policies. The License Warning box scrolls to accommodate a long message. Upon setting either option, a text field in which you can customize the warning message appears.
- Show License Warning: Set this option to display the specified warning text on the login page for all users. Double-byte characters such as those used for traditional Chinese are supported for warning messages. Select User must accept license to require each user to accept the license.
- Show Recording Warning: Set this option to display the specified notification when a user opens a recorded applet or service session. For example, when a user opens an SSH console, the following warning appears in the window title bar and in the console: "Warning you are being monitored." The Show Recording Warning option is ignored for applet sessions that are made by users who are a member of any user group, deferring to the setting of the Applet Recording Warning specified for the group or groups. This global setting applies for all TCP/UDP and RDP service sessions. The specified message text is also used for applet recording warnings, even if the Show Recording Warning option is not set.
The Applet Customization tab allows specification of the default terminal display characteristics for all users and all devices. These settings apply for Telnet and SSH applets, and include a switch to allow or disallow copy-and-paste text buffering.
- An administrator can override the defaults on a device basis by changing the Terminal Type, Key Mapping, and Terminal Customization settings for individual devices.
- A user can override the defaults by changing the SSH and Telnet CLI Terminal Customization on the User Information page.
The Configure Terminal Settings link button brings up a submenu with various terminal settings that you can define on a global basis. These settings are the systemwide default settings. Any terminal customization that is made at the user, user group, device, or device group level takes precedence.
User terminal customization supersedes Device terminal customization, which in turn supersedes global terminal customization.
- Character Encoding: Default: UTF-8
- Font Family: Default: Monospaced
- Font Size: Default: 12
- Cursor Foreground: Default: #33ff33
- Foreground Color: Default: #ffffff
- Background Color: Default: #000000
- Terminal Size: Default: [80,24]
- Buffer Size: Default: 100
- Scroll Position: Default: Left
- RDP Keyframes Duration: The keyframe duration determines how RDP is compressed. A small keyframe duration is equivalent to more frequent full frames of video data. The increased frequency results in a larger file, but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration. Reductions to about half the size have been observed.
  - Small (Fast Seek / Large File): Default
  - X Large (Slow Seek / Small File)
- Web Recording Quality: Specify the color depth and frame rate to use when recording a web portal session:
  - High: 24 BPP / 7 FPS (default)
  - Medium: 16 BPP / 5 FPS
  - Low: 8 BPP / 3 FPS
- Applet Copy Paste: Enable the use of copy and paste within any applet: This feature activates in the applet window an Edit menu with Copy and Paste commands. When this option is disabled, the Edit tab is still visible but it is dimmed.
- RDP Drive Mapping: Configure RDP drive mapping to provide faster file sharing between the user workstation and the target server. Do the following steps to enable and configure this feature:
  - Set the RDP Drive Mapping option. A button appears beside the pin icon in the upper toolbar. Hovering your cursor over the icon displays a tool tip that says "Add new device for mapping".
  - Click the Add new device for mapping button.
  - On the dialog that appears, select a folder on the local system to map to the target server. The name of the folder on the local system must only contain ASCII characters (that is, characters in non-English locales are not supported). The folder name must not exceed seven characters.
- SSH Terminal File Transfer: When "Enable SCP/SFTP" is selected, the MindTerm based SSH Access Method applet provides the menu items "Plugins, SFTP File Transfer" and "Plugins, SCP File Transfer". Each menu item invokes a new applet window to operate SFTP or SCP, which provides a file transfer interface. See Display and Access Devices for details on the controls.
- Transparent Login Cache: After using the Learn Tool and testing transparent login configurations, you can enable the Transparent Login Cache. This feature caches the Learn Tool, the Transparent Login Agent, and the Control Viewer on the RDP server. On subsequent connections to that Windows target, the load times for these applications are reduced.
- Retrieve Public Address: An administrator can enable or disable the Java applet Access Agent to retrieve the public address of the user. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet retrieves the address of the gateway that is used for external access for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.
Use these settings to control distribution and use of the CA PAM Client.
- Operating Mode: Select "Enabled" to allow CA PAM Clients to log in to this appliance.
- Distribution Method: Select "Internet (CA Delivery Network)" to allow CA PAM to engage CDN to deliver client installers (following requests from the GUI login page). Select "Intranet" to specify a CDN conforming server to deliver installers, and enter it in the text box.
- Download Button on Login Page: Select "Enabled" to display and activate the Download buttons. These buttons appear below the white panel on the login page.
Use these settings to adjust SAML Web SSO authentication.
- Require Inherited SAML Auth: Select this option to force the inheritance of the user record Authentication setting on all members of a User Group. All group members inherit the settings regardless of whether individual authentication settings are set to "SAML". This setting is selected by default.
- SAML Re-authentication Period: Set the number of minutes of inactivity before a SAML session times out. The session is between the RP and CA PAM as an Identity Provider. After a timeout, the next SSO request requires the user to log in again. Default: 60 minutes
CA Threat Analytics
See the CA Threat Analytics documentation for information about the options on the CA Threat Analytics tab.
You can customize how Privileged Access Manager displays dates and times in the UI. Dates are stored in UTC, but can be displayed in the specified time zone for the user. Selecting a custom time zone can only be done through the GUI. This tab sets Default Preferences for all users, while User Information Preferences set preferences only for the logged on user.
- Select a Date Format, such as MM/DD/YYYY.
- Select a Time Format, such as 12 or 24 Hour.
- Select a Time Zone Region, then a Time Zone.
Server Time is always displayed in UTC. If the user saves any changes, they are reflected in User's Current Time. Modifications do not take effect until the next login session.
Select this checkbox to enable graphical charts in the Credential Manager Activities reports.