General policy management options

Use options available in the Manage the system > Privileged access > Options > Managed system policies menu to control:

Local service mode discovery queue space

When local service mode discoveries encounter failures, the archived discovery queues they leave behind can rapidly fill a disk.

Enable LWS SAVE QUEUE SPACE to preserve disk space by allocating smaller queue files for local workstation service discoveries.

Local service mode workstation keys

Bravura Privilege uses a key to ensure secure communication between a local service mode managed system and the Bravura Security Fabric server. For security purposes, this key is changed periodically.

Set the RESOURCE KEY CHANGE INTERVAL to control the interval, in days, after which workstation keys are changed. The default is 30 days.

See Resource key for more information.

Local service mode create credentials retry

Bravura Privilege can be configured to create administrative accounts on Local Workstation Service mode target systems. If the initial create fails, additional retries are governed by RES ADMIN CREATE RETRY INTERVAL.

Set RES ADMIN CREATE RETRY INTERVAL to the interval, in minutes, between retry attempts. The default is 1440 minutes.

See Creating administrator accounts on target systems for more information.

Local service mode software installation

After a Local Workstation Service registers with the Bravura Privilege server and is managed, it continues to contact the server at the interval set by RES POLL INTERVAL. The default is 60 minutes.

Set the default port number for the Local Workstation Service listener using the RES LISTENER PORT option.

The Local Workstation Service will periodically contact the Bravura Privilege server to obtain the options that are set. The default interval is 86400 seconds. You can use the RES CONFIG UPDATE INTERVAL option to change this interval; the change will take effect the next time the Local Workstation Service contacts the server.

Local service mode connection timeout

When the Bravura Privilege server is slow to respond to a Local Workstation Service, the service retries after the time set by RES CONNECTION TIMEOUT. The default timeout is 600 seconds.

Local service mode resynchronization

After a Local Workstation Service registers with the Bravura Privilege server and is managed, it will automatically resynchronize itself with the Bravura Privilege server as configured by the system variables in the table below.

Table 1. Privileged access: local workstation mode resynchronization variables

RES RESYNC FAILURE RETRY INTERVAL
    The interval (in minutes) a managed local service mode system will wait before attempting to resynchronize with the instance server after a failed attempt. The default is 120 minutes.

RES RESYNC INTERVAL
    The interval (in minutes) a managed local service mode system will wait before resynchronizing with the instance server. The default is 10080 minutes (approximately 1 week).

RES TRANSACTION FAILURE RETRY INTERVAL
    The interval (in minutes) a managed local service mode system will wait before sending a transaction to the instance server after a failed attempt. The default is 60 minutes.

See Resynchronizing a local service mode system for more information about resynchronization.

User attribute updates on local service mode systems

Changes made to user attributes on a local service mode managed system are updated on the next poll of the Local Workstation Service. You can configure this so that some user attributes are updated less frequently than the default poll time of the Local Workstation Service.

The RES ATTRIBUTE UPDATE DELAY option sets the delay after which those user attributes are updated. By default, the delay is 1440 minutes (once a day).

Only the user attributes listed in RES DELAY UPDATE ATTRIBUTES are updated on this interval; all other attributes are updated after every poll. By default, the pwda (password age) and llogon user attributes are updated using RES ATTRIBUTE UPDATE DELAY.

Display of policy member systems

Bravura Privilege displays member systems for each managed account on the Managed accounts page.

Set the RES NUM SYSTEMS DISPLAY option to control the maximum number of member systems displayed per account on the Managed accounts page of a managed system policy. The default value is 3.

Global managed system external program triggers

Managed system policy exit points do not override global settings and vice versa; however, in the case where an exit point is configured to run the same program from both locations, only one instance of the program is run.

Request access events always take precedence over generic events. For example, PAM CHECKOUT EXPIRY will not fire if RES CHECKOUT EXPIRY has been triggered. Events defined for "Account access request", "Account set access request" and "Group set access request" always fire instead of generic events. The events listed in the table below can trigger email or other external program actions.

See Event actions (exit traps) for more information about configuring event actions.

Conflicting passwords

You can choose whether to automatically resolve conflicting passwords or set a limit on how many conflicting passwords can be processed at once.

Table 3. Privileged access: conflicting passwords variables

PASSWORD CONFLICT ATTEMPT VERIFICATION
    Attempt to automatically resolve conflicted passwords by running agents and querying replicas. This is enabled by default.

PASSWORD VERIFICATION BATCH LIMIT
    The maximum size of a password verification batch. The default is 50.

See Conflict resolution for more information.

Generic access check-in and check-out retries

If a generic access check-in or check-out fails, automatic retry attempts occur as configured by the system variables in the table below.

Table 4. Privileged access: generic access variables

PAM ACTION CI RETRY INTERVAL
    The interval (in minutes) to wait before retrying a generic access check-in attempt. The default is 1 minute. This value must be less than PAM ACTION CI RETRY TIMEOUT.

PAM ACTION CI RETRY TIMEOUT
    The timeout (in minutes) at which retry attempts stop for generic access check-ins. The default is 10 minutes.

PAM ACTION CO RETRY INTERVAL
    The timeout (in minutes) at which retry attempts stop for generic access check-ins. The default is 10 minutes.

Generic access check-in retry attempts cannot be disabled.
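As an added example (not Bravura Security's code), the script below audits a set of these policy values before they are applied: it normalizes each option to seconds using the unit this page documents for it, derives the generic check-in retry schedule from the two PAM ACTION CI options, and flags settings that violate the stated interval/timeout rule. The checks on RES ATTRIBUTE UPDATE DELAY and RES RESYNC FAILURE RETRY INTERVAL are this example's own heuristics, and it assumes a retry is not attempted at the exact moment the timeout is reached.

```python
# Option names, defaults and units are taken from this page; the checks are
# this example's own and are not part of Bravura Privilege.
DEFAULTS = {
    "RESOURCE KEY CHANGE INTERVAL": (30, "days"),
    "RES ADMIN CREATE RETRY INTERVAL": (1440, "minutes"),
    "RES POLL INTERVAL": (60, "minutes"),
    "RES CONFIG UPDATE INTERVAL": (86400, "seconds"),
    "RES CONNECTION TIMEOUT": (600, "seconds"),
    "RES RESYNC FAILURE RETRY INTERVAL": (120, "minutes"),
    "RES RESYNC INTERVAL": (10080, "minutes"),
    "RES TRANSACTION FAILURE RETRY INTERVAL": (60, "minutes"),
    "RES ATTRIBUTE UPDATE DELAY": (1440, "minutes"),
    "PAM ACTION CI RETRY INTERVAL": (1, "minutes"),
    "PAM ACTION CI RETRY TIMEOUT": (10, "minutes"),
}
TO_SECONDS = {"seconds": 1, "minutes": 60, "days": 86400}


def in_seconds(name, overrides):
    """Value of an option in seconds: the override if given, else the default."""
    default, unit = DEFAULTS[name]
    return overrides.get(name, default) * TO_SECONDS[unit]


def checkin_retry_schedule(overrides):
    """Minute offsets at which generic check-in retries fire: one every
    PAM ACTION CI RETRY INTERVAL, strictly before PAM ACTION CI RETRY TIMEOUT
    (assumption: no attempt is made at the timeout instant itself)."""
    interval = in_seconds("PAM ACTION CI RETRY INTERVAL", overrides)
    timeout = in_seconds("PAM ACTION CI RETRY TIMEOUT", overrides)
    return [t // 60 for t in range(interval, timeout, interval)]


def check_policy(overrides):
    """Return findings for a dict of option -> value (in the option's documented
    unit). An empty list means the settings are coherent."""
    findings = [f"unknown option {n}" for n in overrides if n not in DEFAULTS]
    findings += [f"{n} must be positive" for n in overrides
                 if n in DEFAULTS and overrides[n] <= 0]
    # Documented constraint: the retry interval must be shorter than the timeout.
    if (in_seconds("PAM ACTION CI RETRY INTERVAL", overrides)
            >= in_seconds("PAM ACTION CI RETRY TIMEOUT", overrides)):
        findings.append("PAM ACTION CI RETRY INTERVAL must be less than PAM ACTION CI RETRY TIMEOUT")
    # Heuristic: a delay shorter than the poll cannot slow any attribute update.
    if in_seconds("RES ATTRIBUTE UPDATE DELAY", overrides) < in_seconds("RES POLL INTERVAL", overrides):
        findings.append("RES ATTRIBUTE UPDATE DELAY is shorter than RES POLL INTERVAL")
    # Heuristic: waiting longer after a failed resync than between normal resyncs is suspect.
    if in_seconds("RES RESYNC FAILURE RETRY INTERVAL", overrides) > in_seconds("RES RESYNC INTERVAL", overrides):
        findings.append("RES RESYNC FAILURE RETRY INTERVAL exceeds RES RESYNC INTERVAL")
    return findings
```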