Apply Global Settings

The Global Settings page includes the master provisioning settings for Privileged Access Manager. Credential Manager specific settings, however, are in a separate location. See Set Up Credential Manager Operation Settings for more information.
The Settings, Global Settings page contains options that let you customize functions for all Users and Devices. The tabs allow customization of global user policies, such as passwords and access methods.
To save the settings, select the Save button at the bottom of the page. The screen refreshes to display the updated configuration and the "Global Settings Saved" text appears on the screen. The login page has a non-configurable timeout of 3 minutes. This time is for the life of the page itself, not the Login Timeout setting for logged-in idle time. After that time, the page must be refreshed before Privileged Access Manager accepts a login.
Basic Settings
The basic settings include:
  • Default Auth Method (Login Page): Specify the default authentication method that appears on the login page from the following values. At least one user must be created with that authentication method before this option becomes available. The options are:
    • Local
    • LDAP
    • RSA
    • RADIUS
    • TACACS+
    • PKI-CAC
    • LDAP+RSA
    • LDAP+RADIUS
  • Default Page Size: The number of Device line items displayed when a user first opens the Access page after login.
  • Login Timeout: Set the number of minutes of inactivity before your connection to CA PAM times out. Activity is communication between the client user and CA PAM, including connections to targets. A timeout requires you to log in again with your user name and password. Set to zero for no timeout.
  • Applet Timeout: Set the number of minutes of inactivity before a session (such as Telnet, SSH, or Virtual Machine) with an external device times out. In that case, you must connect to that device again. Set to zero for no timeout; even then, the session times out after 48 hours.
  • Table Refresh Interval: Set the default refresh interval, in seconds, for Discovery Scan tables. The default interval is 60, and 0 indicates no refresh. See Device Discovery for information about Discovery.
  • Scan Purge Interval: Set the number of days to keep Discovery scans.
  • Default Device Type: Define the default template that is provided when a Device is added manually. The choices can be overridden on the template itself.
    • Access: Default. Initially active and selected.
    • Password Management: Checkbox is active only with a Password Management license.
    • A2A: Checkbox is active only with an A2A license.
  • External API Buttons
    • Enable: Show and activate the Try It Out test button at the bottom of every API page in the API Doc. The Try It Out button enables external API calls from that page. This option is activated by default, but the Enable External REST API option in Configuration, Security, Access is not.
      To prevent external API calls from that page, clear the Enable checkbox for the Enable API Buttons setting.
Passwords
You can customize the password requirements for Local users by changing these fields. Other authentication method password policies are enforced by their infrastructure and CA PAM cannot control them. Unlike other accounts, the super account never expires. Super is not deactivated, even if the password failures limit is activated.
  • Security Level: Set the level of password security you require for User passwords:
    • 0 - New Password: The new password must be different from the previous password.
    • 1 - 0+ Length Constraints: Level 0, and the password length must be between the Minimum Password Length and the Maximum Password Length, which are defined on this page.
    • 2 - 1+ Require [a-zA-Z0-9]: Levels 0 and 1, and the password must have both an alphabetic character and a digit.
    • 3 - 2+ Both Upper and Lower Case: Levels 0, 1, and 2, and the password must have both an uppercase and a lowercase alphabetic character.
    • 4 - 3+ Special Character: Levels 0, 1, 2, and 3, and the password must contain a special character such as: !, @, #, $, %, ^
    • 5 - DoD strong password: DoD requires a minimum of 15 characters. There must be at least:
      • Two uppercase letters
      • Two lowercase letters
      • Two integers
      • Two special characters, such as: !, @, #
  • Minimum Length: If the Password Level is 1 or above, set the minimum password length.
  • Maximum Length: If the Password Level is 1 or above, set the maximum password length.
  • Change Interval (Days): Set the number of days between forced password changes for all users.
  • History: Set the number of recent passwords that cannot be reused.
  • Failure Limit: Set the number of failed login attempts before a user account is deactivated.
  • Failure Counter Reset (Minutes): Set the number of minutes for which an account is deactivated after exceeding the Failure Limit.
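The Security Levels and the History setting above, expressed as a checker so the cumulative rules can be tested against sample passwords. This is an added example, not CA PAM's own code; it assumes that level 5 (DoD) replaces the level 1-4 rules and is combined only with the level 0 check, and the passwords and limits used are constructed.

```python
import re
import string

# Added example, not CA PAM's code: a validator for the Global Settings
# password Security Levels 0-5 plus the History setting described above.
# Assumption: level 5 (DoD) replaces the level 1-4 rules and is combined
# only with level 0 (new password must differ from the previous one).
SPECIALS = set(string.punctuation)


def check_password(new, history, level, min_len=8, max_len=64, history_size=1):
    """Return the list of violated rules; an empty list means accepted.

    history: previous passwords, oldest first (constructed sample data).
    level: Security Level 0-5; levels 1-4 are cumulative.
    min_len/max_len: Minimum/Maximum Length settings (applied from level 1).
    history_size: History setting, the number of recent passwords not reusable.
    """
    problems = []
    # Level 0: the new password must differ from the previous password.
    if history and new == history[-1]:
        problems.append("must differ from previous password")
    # History setting: none of the last history_size passwords may be reused.
    elif history_size > 1 and new in history[-history_size:]:
        problems.append(f"must not reuse any of the last {history_size} passwords")
    if level >= 5:
        # DoD strong password: 15+ characters, at least two of each class.
        counts = {
            "uppercase letters": sum(c.isupper() for c in new),
            "lowercase letters": sum(c.islower() for c in new),
            "digits": sum(c.isdigit() for c in new),
            "special characters": sum(c in SPECIALS for c in new),
        }
        if len(new) < 15:
            problems.append("DoD: minimum 15 characters")
        problems += [f"DoD: at least two {k}" for k, n in counts.items() if n < 2]
        return problems
    if level >= 1 and not min_len <= len(new) <= max_len:
        problems.append(f"length must be between {min_len} and {max_len}")
    if level >= 2 and not (re.search(r"[A-Za-z]", new) and re.search(r"[0-9]", new)):
        problems.append("must contain a letter and a digit")
    if level >= 3 and not (re.search(r"[A-Z]", new) and re.search(r"[a-z]", new)):
        problems.append("must contain both upper- and lower-case letters")
    if level >= 4 and not any(c in SPECIALS for c in new):
        problems.append("must contain a special character")
    return problems
```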
Accounts
  • Disable Inactive After (Days): Set the number of days after which inactive user accounts are disabled. When a database is restored from a backup that is older than this limit, the restored accounts are disabled.
  • Remove Disabled After (Days): Set the number of days from when an account is disabled until it is deleted.
  • Forced Deactivation Alert: Select an administrator to receive an alert when a user is deactivated. Monitoring must be configured for this feature to function.
Warnings
Two optional warning messages can be applied to users. They can be customized to reflect individual company policies. The License Warning box scrolls to accommodate a long message. Upon setting either option, a text field in which you can customize the warning message appears.
  • Show License Warning: Set this option to display the specified warning text on the login page for all users. Double-byte characters such as those used for traditional Chinese are supported for warning messages.
    Select User must accept license to require each user to accept the license.
  • Show Recording Warning: Set this option to display the specified notification when a user opens a recorded applet or service session. For example, when a user opens an SSH console, the following warning appears in the window title bar and in the console: "Warning you are being monitored."
    The Show Recording Warning option is ignored for applet sessions that are made by users who are a member of any user group, deferring to the setting of the Applet Recording Warning specified for the group or groups. This global setting applies for all TCP/UDP and RDP service sessions.
    The specified message text is also used for applet recording warnings, even if the Show Recording Warning option is not set.
Applet Customization
The Applet Customization tab allows specification of the default terminal display characteristics for all users and all devices. These settings apply for Telnet and SSH applets, and include a switch to allow or disallow copy-and-paste text buffering.
  • An administrator can override the defaults on a device basis by changing the Terminal Type, Key Mapping, and Terminal Customization settings for individual devices.
  • A user can override the defaults by changing the SSH and Telnet CLI Terminal Customization on the User Information page.
Clicking the Configure Terminal Settings link button brings up a submenu with various terminal settings that you can define on a global basis. These settings are the systemwide default settings. Any terminal customization that is made at the user, user group, device, or device group level takes precedence.
User terminal customization supersedes Device terminal customization, which in turn supersedes global terminal customization.
  • Character Encoding. Default: UTF-8
  • Font Family. Default: Monospaced
  • Font Size. Default: 12
  • Cursor Foreground. Default: #33ff33
  • Foreground Color. Default: #ffffff
  • Background Color. Default: #000000
  • Terminal Size. Default: [80,24]
  • Buffer Size. Default: 100
  • Scroll Position. Default: Left
  • RDP Keyframes Duration: The keyframe duration determines how RDP is compressed. A small keyframe duration is equivalent to more frequent full frames of video data. The increased frequency results in a large file, but allows a more rapid seek in the RDP viewer. For sessions using RDP 6.1, file size can be reduced significantly by increasing the keyframe duration. Reductions to about half the size have been observed.
    • Small (Fast Seek / Large File): Default
    • Medium
    • Large
    • X Large (Slow Seek / Small File)
  • Web Recording Quality: Specify the color depth (bits per pixel, BPP) and frame rate (frames per second, FPS) to use when recording a web portal session:
    • High: 24 BPP / 7 FPS (default)
    • Medium: 16 BPP / 5 FPS
    • Low: 8 BPP / 3 FPS
  • Applet Copy Paste: Enable the use of copy and paste within any applet. This feature activates an Edit menu with Copy and Paste commands in the applet window. When this option is disabled, the Edit tab is still visible but dimmed.
  • RDP Drive Mapping: When you enable this feature, a mouseover popup appears with a list of the mapped client Windows drives. Each available drive can be selected using a checkbox for mapping.
  • SSH Terminal File Transfer: When "Enable SCP/SFTP" is selected, the MindTerm based SSH Access Method applet provides the menu items "Plugins, SFTP File Transfer" and "Plugins, SCP File Transfer". Each menu item invokes a new applet window to operate SFTP or SCP, which provides a file transfer interface. See Display and Access Devices for details on the controls.
  • Transparent Login Cache: After using the Learn Tool and testing transparent login configurations, you can enable the Transparent Login Cache. This feature caches the Learn Tool, the Transparent Login Agent, and the Control Viewer on the RDP server. On subsequent connections to that Windows target, the load times for these applications are reduced.
  • Retrieve Public Address: An administrator can enable or disable the Java applet Access Agent to retrieve the public address of the user. After a user logs in to CA PAM, the Java Applet Access Agent is downloaded to the user desktop. The applet retrieves the address of the gateway that is used for external access for auditing and for the VMware NSX feature. In some environments, this behavior is not desirable. The Retrieve Public Address setting lets administrators disable this feature.
Client Settings
Use these settings to control distribution and use of the CA PAM Client.
  • Operating Mode: Select "Enabled" to allow CA PAM Clients to log in to this appliance.
  • Distribution Method: Select "Internet (CA Delivery Network)" to allow CA PAM to engage CDN to deliver client installers (following requests from the GUI login page). Select "Intranet" to specify a CDN conforming server to deliver installers, and enter it in the text box.
  • Download Button on Login Page: Select "Enabled" to display and activate the Download CA PAM Client buttons. These buttons appear below the white panel on the login page.
SAML
Use these settings to adjust SAML Web SSO authentication.
  • Require Inherited SAML Auth: Select this option to force the inheritance of the user record Authentication setting on all members of a User Group. All group members inherit the settings regardless of whether individual authentication settings are set to "SAML". This setting is selected by default.
  • SAML Re-authentication Period: Set the number of minutes of inactivity before a SAML session times out. The session is between the relying party (RP) and CA PAM as an Identity Provider. After a timeout, the next SSO request requires the user to log in again. Default: 60 minutes
CA Threat Analytics
See the CA Threat Analytics documentation for information about the options on the CA Threat Analytics tab.
Default Preferences
You can customize how Privileged Access Manager displays dates and times in the UI. Dates are stored in UTC, but can be displayed in the specified time zone for the user. Selecting a custom time zone can only be done through the GUI. This tab sets Default Preferences for all users, while User Information Preferences set preferences only for the logged on user.
  • Select a Date Format, such as MM/DD/YYYY.
  • Select a Time Format, such as 12 or 24 Hour.
  • Select a Time Zone Region, then a Time Zone.
The Server Time is always displayed in UTC. If the user saves any changes, they are reflected in User's Current Time. Modifications do not take effect until the next login session.
Enable Charts
Select this checkbox to enable graphical charts in the Credential Manager Activities reports.