
Session monitor options plugin

You can use a plugin to activate session monitoring based on the requester, privileged account, or system, and to override policy settings. The plugin's input can include the:

  • Requester’s profile ID

  • Requester’s group memberships

  • Requester’s profile attributes

  • Requested account

  • Managed system

  • Managed system’s attributes

If enabled, the plugin is called when a user checks out privileged access or a product administrator accesses a password directly. This applies only to disclosure methods that support session monitoring. The output of the plugin contains session monitoring settings that override managed system policy settings.

You enable this plugin by typing the name of the program or script in the SMON OPTIONS PLUGIN field on the Manage the system > Modules > Session monitor page.

Some data is not input by default. You must manually enable specific registry settings to allow the plugin to receive this information.

Warning

Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.

There is a sample plugin script, plugin-smon-options.psl, located in the samples\ directory. You can copy the script to the \<instance>\plugin\ directory and modify it to suit your environment.

To enable additional SMON OPTIONS PLUGIN input, set these entries in the following key:

HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\idarch

  • Groups

    Entry name plugin_smon_options_groups

    Value 0—1

    Data type DWORD

    Default 0

  • Profile attributes

    Entry name plugin_smon_options_profile_attrs

    Value 0—1

    Data type DWORD

    Default 0

  • Discovered system attributes

    Entry name plugin_smon_options_found_comp_attrs

    Value 0—1

    Data type DWORD

    Default 0

  • Discovered system multi-value attributes

    Entry name plugin_smon_options_found_comp_mv_attrs

    Value 0—1

    Data type DWORD

    Default 0

Requirements

See Writing plugins for general requirements.

Execution points

When configured, the plugin is called for each applicable access disclosure plugin when a user checks out privileged access or a product administrator accesses a password directly.

Input

The plugin will receive the following input:

# KVGROUP-V1.0
  "" "" = {
    "ead_computer_attributes" "" = {
      "mv_attributes" "" = {
        "<attribute key>" = "<attribute value>" # 0 or more
      } # if plugin_smon_options_found_comp_mv_attrs is set
      "sv_attributes" "" = {
        "<attribute key>" = "<attribute value>" # 0 or more
      } # if plugin_smon_options_found_comp_attrs registry entry is set
        # See Subsection 31.5.1.
    }
    "groups" "" = {
      "<targetid>" = "<groupid>"
    } # if plugin_smon_options_groups registry entry is set
    "managedaccount" "" = {
      "accountid" = "<Managed Account>"
      "msp" = "<Managed System Policy>"
      "resourceid" = "<Managed System>"
    }
    "plugin" "" = {
      "accessdisclosure" = "<ActiveX control name>"
    }
    "request" "" = {
      "requestID" = "<Request ID>" # if applicable
    }
    "smonvars" "" = {
      "<smon variable name>" = "<value>" # 1 or more
    }
    "viewer" "user" = {
      "id" = "<Profile ID>"
      "attribute" "<Profile attribute key>" = {
        "value" "" = {
          "value" = "<Profile value>" # 0 or more
        }
      } # if plugin_smon_options_profile_attrs registry entry is set
    }
  } 

Output

The plugin returns:

"" "" = {
    "retval" = "<#>" # 0 on success; otherwise, failure
    "<smon variable name>" = "<value>" # Optional; 0 or more
}
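
The following Python example is added here for illustration and is not Bravura's sample script or product code. It parses input in the layout shown under Input and builds the Output group, returning overrides when the requester belongs to a monitored group. Assumptions: the grammar is inferred from the listings on this page, the group name and the smon variable example_record are hypothetical, a missing "groups" section (plugin_smon_options_groups left at 0) is treated as a match so the policy does not silently skip monitoring, and only variables already present in "smonvars" are overridden.

```python
import re

# Constructed input in the Input listing's layout; all names and values are hypothetical.
SAMPLE = '''# KVGROUP-V1.0
"" "" = {
  "groups" "" = {
    "AD" = "CONTRACTORS"
  } # sent only when plugin_smon_options_groups is 1
  "managedaccount" "" = {
    "resourceid" = "SRV01"
  }
  "smonvars" "" = {
    "example_record" = "0"
  }
}
'''
_OPEN = re.compile(r'"([^"]*)"\s+"([^"]*)"\s*=\s*\{')
_PAIR = re.compile(r'"([^"]*)"\s*=\s*"([^"]*)"')
def parse_kvgroup(text):
    """Parse the KVGroup subset shown above (grammar inferred; no escaped quotes)."""
    stack = [{"key": None, "pairs": [], "children": []}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            node = {"key": m.group(1), "name": m.group(2), "pairs": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line.startswith("}") and len(stack) > 1:
            stack.pop()
        elif m := _PAIR.match(line):
            stack[-1]["pairs"].append(m.groups())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1 or not stack[0]["children"]:
        raise ValueError("unbalanced or empty KVGroup")
    return stack[0]["children"][0]

def decide(top, monitored_groups, overrides):
    """Build output pairs; absent group data counts as a match (fail toward monitoring)."""
    kids = {c["key"]: c for c in top["children"]}
    known = {k for k, _ in kids["smonvars"]["pairs"]} if "smonvars" in kids else set()
    hit = "groups" not in kids or any(g in monitored_groups for _, g in kids["groups"]["pairs"])
    chosen = [(k, v) for k, v in overrides.items() if k in known] if hit else []
    return [("retval", "0")] + chosen

def render(pairs):
    return '"" "" = {\n' + "".join(f'  "{k}" = "{v}"\n' for k, v in pairs) + "}\n"
```

How the product hands the input to the program and reads its output is covered by Writing plugins and is not modelled here.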