Configuring global access disclosure options

You configure access disclosure plugins globally, and then override settings and behavior for different managed system policies if necessary. Attributes control the behavior of the access disclosure plugins.

Getting started

To configure system-wide access disclosure options:

  1. Click Manage the system > Privileged access > Access disclosure plugins.

  2. To define a:

    • New access disclosure plugin, click Add new….

    • Existing access disclosure plugin, select the plugin you want to view or modify.

You can now:

  • Define common access disclosure parameters.

  • Modify attributes that control disclosure.

  • Add attributes that control disclosure.

Defining access disclosure plugins

You can add custom access disclosure plugins to make them available to managed system policies. For each access disclosure plugin, you can configure one or more attributes that modify the behavior of the plugin.

To define common parameters for an access disclosure plugin:

  1. Navigate to the access disclosure plugin configuration page.

  2. Set the access disclosure plugin options as described in Table 1, "Access disclosure plugin global options".

    Caution

    For existing plugins, it is recommended that you only modify Description or the options to automatically add this plugin to new managed system policies.

  3. Click Update to modify an existing plugin, or Add new… to add a new plugin.

Table 1. Access disclosure plugin global options

  ID
    Automatically generated ID.

  Filename
    The filename of the access disclosure plugin. The file must either be deployed to client workstations or located in the \<instance>\wwwdocs\ directory on the Bravura Security Fabric server.

  Class ID
    The GUID of the access disclosure plugin. Not applicable to Guacamole access disclosure plugins.

  ActiveX server/type
    The server name of the access disclosure plugin. Not applicable to Guacamole access disclosure plugins.

  Version
    The version of the access disclosure plugin.

  Description
    The plugin description presented to users.

  Notes
    Additional details about this plugin, displayed under the description.

  Allow this as a selectable option for group sets
    Check to make group sets selectable during managed system policy configuration.

  Allow this as a selectable option for current passwords
    Check to make current passwords selectable during managed system policy configuration.

  Allow this as a selectable option for old passwords
    Check to make old passwords selectable during managed system policy configuration.

  Allow this as a selectable option for SSH keys
    Check to make SSH keys selectable during managed system policy configuration.

  Automatically enable for group sets on new managed system policies
    New managed system policies will include this plugin to access the current group sets.

  Automatically enable for current passwords on new managed system policies
    New managed system policies will include this plugin to access the current privileged password.

  Automatically enable for old passwords on new managed system policies
    New managed system policies will include this plugin to access old privileged passwords.

  Automatically enable for SSH keys on new managed system policies
    New managed system policies will include this plugin to access privileged accounts using SSH keys.



Defining access disclosure attributes

You can add or modify attributes to customize the plugin behavior.

To define access disclosure plugin attributes:

  1. Navigate to the access disclosure plugin configuration page.

  2. Select an existing plugin to modify it, or click Add new… to add a new plugin.

Table 2. Access disclosure plugin attribute options

  Name
    The name of the plugin attribute. Cannot be modified after the attribute has been added.

  Description
    The description of the plugin attribute.

  Type
    The plugin attribute type, one of:

      • Binary

      • Boolean

      • GUID

      • Integer

      • String

    Cannot be modified after the attribute has been added.

  User access
    Sets the options that a user has for the attribute:

      • Locked: The user can see the control but not modify it.

      • Override allowed: The user can modify the value.

      • Hidden: The control is hidden from the user.

    When at least one attribute for a plugin allows override, end users can save sessions with their preferred values.

    Allowing override for an attribute potentially lets users modify options in such a way as to exploit and expose the password information. Use this option with caution and only when absolutely required.

    If "Override allowed" user access was set but later revoked, any previous changes made to the attribute by the user are discarded in favor of the global attribute value. If this user access is re-enabled, the user-defined attribute value is restored.

  Default value
    Applied when the value is not overridden by the user or at the managed system policy level.

  Allowed values (comma-delimited list)
    A restricted list of values that the attribute can take. Only displayed for the Integer and String types.

  Value must match this regular expression
    The value must match this regular expression for the plugin to be enabled. Only displayed for the Integer and String types.

  Minimum
    If set, no value can be less than this. Only displayed for the Integer type.

  Maximum
    If set, no value can be greater than this. Only displayed for the Integer type.

  Value is required
    If checked, a value must be set for the plugin to be enabled. Only displayed for the Integer and String types.



You can override these default settings on the managed system policy level. See Overriding global settings in managed system policies.
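The following is an added example, not code from Bravura Security Fabric or this documentation. It models one plugin attribute with the Table 2 options and shows how the constraints (allowed values, regular expression, minimum, maximum, required) bound what an "Override allowed" attribute can be set to, and how a Locked attribute ignores a user override. The field names, the attribute names target_host and rdp_port, the sample values, and the assumed precedence (user override, then managed system policy override, then the global default) are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AttributeDefinition:
    """One plugin attribute as configured with the Table 2 options.
    Field names are this example's own, not the product's schema."""
    name: str
    attr_type: str                      # "Binary", "Boolean", "GUID", "Integer" or "String"
    user_access: str = "Locked"         # "Locked", "Override allowed" or "Hidden"
    default_value: Optional[str] = None
    allowed_values: List[str] = field(default_factory=list)  # Integer/String only
    regex: Optional[str] = None                             # Integer/String only
    minimum: Optional[int] = None                           # Integer only
    maximum: Optional[int] = None                           # Integer only
    required: bool = False                                  # Integer/String only


def resolve_value(definition: AttributeDefinition,
                  policy_override: Optional[str] = None,
                  user_override: Optional[str] = None) -> Optional[str]:
    """Effective value under the precedence assumed here: a user override
    counts only when the attribute allows it, then the managed system policy
    override, then the global default."""
    if user_override is not None and definition.user_access == "Override allowed":
        return user_override
    if policy_override is not None:
        return policy_override
    return definition.default_value


def validate_value(definition: AttributeDefinition, value: Optional[str]) -> List[str]:
    """Check a candidate value against the attribute's constraints.
    Returns the list of violations; an empty list means the value is acceptable."""
    problems: List[str] = []
    if value is None or value == "":
        if definition.required:
            problems.append("a value is required")
        return problems
    if definition.attr_type == "Integer":
        try:
            number = int(value)
        except ValueError:
            return ["not an integer"]
        if definition.minimum is not None and number < definition.minimum:
            problems.append(f"below minimum {definition.minimum}")
        if definition.maximum is not None and number > definition.maximum:
            problems.append(f"above maximum {definition.maximum}")
    if definition.attr_type in ("Integer", "String"):
        if definition.allowed_values and value not in definition.allowed_values:
            problems.append("not in allowed values")
        if definition.regex and not re.fullmatch(definition.regex, value):
            problems.append("does not match regular expression")
    return problems


# Constructed definitions (assumed names): an overridable RDP destination pinned
# to the corporate domain by regex, and a locked port with Integer bounds.
TARGET_HOST = AttributeDefinition(
    name="target_host", attr_type="String", user_access="Override allowed",
    default_value="jump01.corporate.domain",
    regex=r"[a-z0-9-]+\.corporate\.domain")
RDP_PORT = AttributeDefinition(
    name="rdp_port", attr_type="Integer", user_access="Locked",
    default_value="3389", minimum=1, maximum=65535)


def check_override(definition: AttributeDefinition, user_override: Optional[str],
                   policy_override: Optional[str] = None):
    """Resolve the effective value, then validate it: returns (value, problems)."""
    effective = resolve_value(definition, policy_override, user_override)
    return effective, validate_value(definition, effective)


if __name__ == "__main__":
    print(check_override(TARGET_HOST, "db02.corporate.domain"))  # accepted
    print(check_override(TARGET_HOST, "evil.example.net"))       # rejected by the regex
    print(check_override(RDP_PORT, "22"))                        # override ignored: Locked
```

The point of the regular expression on target_host is that an override-enabled destination attribute is still confined to hosts the administrator intended; without such a constraint, the caution in Table 2 applies in full.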

Configuring string plugin attribute values

All access disclosure plugin attributes of type String can be defined with variables, which lets you reference discovered system attribute values.

To use the discovered system attribute as-is, enter the following in the attribute's Default value field:

%<attribute name>%

For example, the default domain value for a remote desktop plugin is:

%netBIOSDomainName%

A substring of a discovered attribute value can be taken with the following syntax, where the end position is optional:

%k:(start position):(end position):<attribute name>%

For example:

%netBIOSDomainName% = corporate.domain
%k:3:12:netBIOSDomainName% = porate.dom
%username% = CORP\account00
%k:5:username% = account00
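The substitution above, implemented as an added example that is not part of this documentation or the product. The index semantics (a zero-based start position, an inclusive end position, and the end position defaulting to the end of the value) are inferred from the four examples given here; how the product treats unknown attribute names or out-of-range positions is not documented, and the choices made below for those cases (leave the token as-is, return an empty string) are this example's own. The attribute values are constructed.

```python
import re

# Constructed discovered system attributes matching the documentation's examples.
SAMPLE_ATTRIBUTES = {
    "netBIOSDomainName": "corporate.domain",
    "username": "CORP\\account00",
}

# Matches %name%, %k:start:name% and %k:start:end:name%.
# Group 1 = start position, group 2 = optional end position, group 3 = attribute name.
_TOKEN = re.compile(r"%(?:k:(\d+):(?:(\d+):)?)?([A-Za-z0-9_]+)%")


def expand_attribute_template(template: str, attributes: dict) -> str:
    """Replace every %...% token in the template with the (sub)string of the
    named discovered attribute. Positions are zero-based with an inclusive end,
    as inferred from the documented examples."""

    def substitute(match: "re.Match") -> str:
        start, end, name = match.group(1), match.group(2), match.group(3)
        if name not in attributes:
            # Assumption: unknown attributes are left untouched so the
            # administrator can spot the unexpanded token.
            return match.group(0)
        value = attributes[name]
        if start is None:
            return value
        lo = int(start)
        hi = len(value) - 1 if end is None else int(end)
        if lo >= len(value) or lo > hi:
            return ""  # assumption: out-of-range positions yield nothing
        return value[lo:hi + 1]

    return _TOKEN.sub(substitute, template)


if __name__ == "__main__":
    for template in ("%netBIOSDomainName%", "%k:3:12:netBIOSDomainName%",
                     "%username%", "%k:5:username%",
                     "%k:5:username%@%netBIOSDomainName%"):
        print(f"{template} = {expand_attribute_template(template, SAMPLE_ATTRIBUTES)}")
```

Tokens can be combined in one Default value field, so an attribute such as a login name can be assembled from several discovered values.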

Cloning access disclosure plugins

In some scenarios, it may be desirable to have multiple instances of the same access disclosure plugin but with different settings; for example:

  1. Some end users like to use a PuTTY terminal; others prefer Tera Term.

  2. A product administrator defines two disclosure plugins; one for PuTTY, one for Tera Term.

  3. The PSW disclosure plugin dynamically selects which disclosure plugin to display to an end user using a request or profile attribute.

Product administrators can create new instances of the same access disclosure plugin by cloning.

To clone an access disclosure plugin:

  1. Navigate to the access disclosure plugin configuration page.

  2. Select the existing plugin you want to clone.

  3. Click Clone.

  4. Specify a description and modify other options as needed.

  5. Click Add.

    When using the pswdisclosure script, you will need to know the new disclosure plugin’s ID in order for it to be available to the plugin.

Enabling saved sessions

In scenarios where end users can override disclosure plugin attributes, they may want to save their modified values as a saved session; for example if they want to:

  • Specify a webpage to log into with a directory account

  • Specify an RDP destination to log into with a directory account

  • Choose a synthetic attribute that expresses a common set of values that will be used to gain access to a system

This allows end users to save their preferences, improves usability and reduces the likelihood of error. It also requires less administrative work than cloning.

To enable users to save sessions for a disclosure plugin, at least one attribute must be set to allow overrides, on either the global or managed-system-policy level.

This capability is not available for Copy, Display, or Run command plugins.

The Functional.pam_saved_session_policy component allows administrators to configure global saved sessions that are available for all end users.

To learn how to save sessions as an end user, see Saving sessions in the User Guide.

Configuring pam_saved_session_policy

To configure saved session policies:

  1. Install the Functional.pam_saved_session_policy component.

  2. Click Manage external data store to edit the following tables in the external data store (extdb):

    • pam_saved_session_policy

      Define the policy to apply the saved session.

    • pam_saved_session_action

      Define the saved session to apply to the selected policy.

      If the saved session overrides multiple disclosure attributes, then an entry needs to be created for each disclosure attribute that will be modified.

If there are multiple entries with the same SavedSessionName value, those entries will be treated as the same saved session.

If there are multiple entries with the same SavedSessionName value but different SavedSessionCategory and SavedSessionNotes values, the value from the latest entry will be used (unless the value is empty).

If any entries are modified or added to an existing saved session, end users will need to remove the existing saved session from the Privileged Access App in order to use the saved session with the updated settings.
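The merge rules above (one entry per overridden attribute, entries sharing a SavedSessionName form one saved session, and for SavedSessionCategory and SavedSessionNotes the latest non-empty value wins), as an added example that is not code from the product or this documentation. The column names SavedSessionName, SavedSessionCategory and SavedSessionNotes are the ones documented here; "attribute" and "value" are placeholders for the columns that identify the overridden disclosure attribute, whose real names are not given on this page. The rows are constructed, and the fingerprint is this example's own way of noticing that a saved session changed and therefore must be re-added by end users.

```python
import hashlib
import json

# Constructed rows for pam_saved_session_action. "attribute" and "value" are
# placeholder column names (the documented columns are the three SavedSession* ones).
SAMPLE_ACTION_ROWS = [
    {"SavedSessionName": "Finance RDP", "SavedSessionCategory": "RDP",
     "SavedSessionNotes": "", "attribute": "target_host", "value": "fin01.corporate.domain"},
    {"SavedSessionName": "Finance RDP", "SavedSessionCategory": "",
     "SavedSessionNotes": "Finance jump host", "attribute": "rdp_port", "value": "3389"},
    {"SavedSessionName": "Finance RDP", "SavedSessionCategory": "Windows",
     "SavedSessionNotes": "", "attribute": "domain", "value": "corporate.domain"},
    {"SavedSessionName": "Web console", "SavedSessionCategory": "Web",
     "SavedSessionNotes": "", "attribute": "url", "value": "https://console.corporate.domain/"},
]


def merge_saved_sessions(rows):
    """Group rows by SavedSessionName. For category and notes the latest
    non-empty value wins; each row contributes one attribute override."""
    sessions = {}
    for row in rows:  # assumption: rows arrive in insertion order, earliest first
        session = sessions.setdefault(row["SavedSessionName"], {
            "SavedSessionCategory": "", "SavedSessionNotes": "", "overrides": {}})
        for column in ("SavedSessionCategory", "SavedSessionNotes"):
            if row.get(column):          # an empty value does not replace an earlier one
                session[column] = row[column]
        session["overrides"][row["attribute"]] = row["value"]
    return sessions


def session_fingerprint(session):
    """Stable SHA-256 over the merged session, so any modified or added row
    produces a different fingerprint that operators can compare between runs."""
    canonical = json.dumps(session, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for name, session in merge_saved_sessions(SAMPLE_ACTION_ROWS).items():
        print(name, session["SavedSessionCategory"], session["SavedSessionNotes"],
              session["overrides"], session_fingerprint(session)[:12])
```

Comparing fingerprints before and after an extdb change tells you which saved sessions end users will have to remove and re-add.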