
Privileged access app

The Privileged access app allows regular users to request and temporarily check out privileged access to accounts and systems.

To configure Bravura Privilege web management options:

  1. Click Manage the system > Modules > Privileged access.

  2. Configure the options in Table 1, “Modules > Privileged access options”, as required.

  3. Configure the event options listed in Table 2, “Privileged access app events that launch interface programs”.

  4. Click Update to submit the changes.

Table 1. Modules > Privileged access options

Options

Description

ACCESS ACCOUNTSETS USERCLASS

Specify a user class that filters users to access account sets.

ACCESS EXTENSIONS USERCLASS

Specify the user class that filters users to access their own check-out extensions.

ACCESS GROUPSETS USERCLASS

Specify the user class that filters users to access group sets.

ACCESS PERSONALADMINACCOUNTS USERCLASS

Specify a user class that filters users who can view the personal administrative accounts filter.

IDARCHIVE GSET REQUESTED

By default, any user can request access for any group set. Disabling this means that users must be assigned to a user group with appropriate permission.

IDARCHIVE MANAGEMENT GUARD

By default, this value is set to 1000. It controls the maximum number of discovered systems that can be managed or deleted from the Bravura Security Fabric on a single auto discovery run. This prevents issues where product administrators accidentally configure the target system import rule incorrectly and unexpectedly add or remove too many managed systems.

IDARCHIVE PASSWORD REQUESTED

By default, any user can request access to any managed account. Disabling this means that users must be assigned to a user group with appropriate permission.

IDARCHIVE VIEW MANAGED SYSTEM ACCOUNT INFO

By default, any user can view managed system and account information in managed account requests. Setting this to Disabled means that this information will not be disclosed when requesting accounts from managed system policies created later on.

LWS ENABLE NETWORK ADAPTER ATTRIBUTE DISCOVERY

The Local workstation service CGI (pamlws.exe) submits network adapter computer attributes to the iddiscover service, which stores them in the database. When this option is set to false, network adapter computer attributes are not sent to iddiscover or stored in the database. This reduces the load on the iddiscover service and on replication, especially where local service mode systems are often moved from one network to another (for example, a laptop that moves between home and office).

LWS LAST CONNECTION UPDATE INTERVAL

The minimum interval, in minutes, that determines how often lastSuccessConnection is recalculated when it is the only calculated attribute required during a poll. By default this is set to 1440 (one day).

LWS RES VALID ADMIN CREDENTIAL

Set this option to determine what happens when a local service mode managed system has invalid target system administrator credentials associated with it.

MANAGED ACCOUNT ATTR DISPLAY LIST

Specify a comma-delimited list of attributes to display for managed accounts. These attributes are shown in some privileged access configuration pages and request pages.

MANAGED SYSTEM ATTR DISPLAY LIST

Specify a comma-delimited list of attributes to display for managed systems. These attributes are shown in some privileged access configuration pages and request pages.

MAQ MAX ACCOUNTS

The maximum number of managed accounts that a user can add to account sets. If exceeded, access will be denied. The default is 500.

PAM USE SUGGESTED PASSWORD

By default, password fields are automatically populated when a suggested password is selected to override a managed account.

PAM WEBAPP ENFORCE SSL

By default, SSL is enforced when using the Web app privileged sign-on disclosure.

PSW ACL CHECK RECIPIENT

Enable this option to check the recipient’s privileges when requesting access for others. By default, this is disabled, and the recipient’s privileges are not checked when requesting access for others.

PSW CHECKIN CHECKOUT AGE ALERT THRESHOLD

If a user has an account that is checked out for longer than this value, they will receive an alert in the ‘Check-out age’ column. Default value is 120.

PSW CHECKIN CHECKOUT AGE WARNING THRESHOLD

If a user has an account that is checked out for longer than this value, they will receive a warning in the ‘Check-out age’ column. Default value is 60.

This value must be less than or equal to the PSW CHECKIN CHECKOUT AGE ALERT THRESHOLD.

PSW CHECKIN TIME REMAINING ALERT THRESHOLD

An alert is given in the ‘Time remaining’ column when a user has less than the specified amount of time before they are forced to check in. Default value is 30.

PSW CHECKIN TIME REMAINING WARNING THRESHOLD

A warning is given in the ‘Time remaining’ column when a user has less than the specified amount of time before they are forced to check in. Default value is 60.

This value must be greater than or equal to the PSW CHECKIN TIME REMAINING ALERT THRESHOLD.

PSW CLEAN DELETED WSTN DELAY

Set the delay between when workstation entries are flagged for deletion and when they actually are deleted from the database tables. Default is 10 years.

Workstations are flagged for deletion when the:

  • Target system is no longer configured as a managed system

  • Target system is deleted

  • Managed system is deleted from the managed system policy.

  • Managed system is flagged for deletion via the IDAPI.

PSW CLEAN NEVER MANAGED LWS DELAY

Set the delay between the last discovery time of local service mode systems that were never managed and when they are deleted from the database tables. Default is one year.

PAM ALLOW ONE TIME DISCLOSURE

Allow the one-time disclosure option when accessing privileged passwords. This is enabled by default.

PSW DISCLOSURE PLUGIN

Type the name of the plugin used to define what access disclosure plugins, and with what settings, are available to users when attempting to access privileged passwords. The recipient may be a product administrator with permissions to access a managed password, or a user with an approved request.

PSW DISCLOSURE PLUGIN PROVIDE CONFIG

Enable this to provide existing configuration data to the plugin.

PSW MAX PARALLEL RESETS

Set the maximum number of parallel password resets to get higher performance. The default is one for every processing core.

PSW RECENT REQUEST GSET

Set the number of days (between 1-30 days) that a group set request is considered recent. This setting allows users to access their temporary group membership requests.

PSW RECENT REQUEST PASSWORD

Set the number of days (between 1-30 days) that a password request is considered recent. This setting allows users to access their previous account and account set requests.

PSW REQUEST SHOW FUTURE

Include future requests for approval notification to privileged access. This option is disabled by default.

RES GSET CHECKIN MAX RETRY

Set the maximum number of check-in retries performed after a failed managed group set check-in. The default is 3.

RES GSET CICO VIEW DETAILS

Disable this if you want to prevent regular users from seeing details about who has currently checked out a group set and the maximum number of checkouts allowed when they request a group set. This also applies to notification emails.

RES PWD CICO VIEW DETAILS

Disable this if you want to prevent regular users from seeing details about who has currently checked out a password and the maximum number of checkouts allowed when they request a password. This also applies to notification emails.

RUN MSP REPORTS

Disable this if you do not want the ‘Run reports about privileged access for this policy’ access control to be granted to members of the MSP REPORT USERS user group whenever a new managed system policy is created. When disabled, you must explicitly grant the ‘Run reports about privileged access for this policy’ access control via user groups. This option is enabled by default.
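The four PSW CHECKIN ... THRESHOLD options above come with two ordering constraints (age warning at or below age alert; time-remaining warning at or above time-remaining alert). The following added example, which is not part of this documentation or the product, validates a threshold set against those constraints and classifies a constructed list of active check-outs the way the ‘Check-out age’ and ‘Time remaining’ columns would flag them; treating the values as minutes is an assumption, since the page states no unit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckoutThresholds:
    # Mirrors the four PSW CHECKIN ... THRESHOLD options; defaults are the page's.
    # Treating the values as minutes is an assumption; the page gives no unit.
    age_warning: int = 60        # PSW CHECKIN CHECKOUT AGE WARNING THRESHOLD
    age_alert: int = 120         # PSW CHECKIN CHECKOUT AGE ALERT THRESHOLD
    remaining_warning: int = 60  # PSW CHECKIN TIME REMAINING WARNING THRESHOLD
    remaining_alert: int = 30    # PSW CHECKIN TIME REMAINING ALERT THRESHOLD


def validate_thresholds(t: CheckoutThresholds) -> list[str]:
    """Return the constraint violations the option descriptions call out."""
    problems = []
    if t.age_warning > t.age_alert:
        problems.append("AGE WARNING must be <= AGE ALERT")
    if t.remaining_warning < t.remaining_alert:
        problems.append("TIME REMAINING WARNING must be >= TIME REMAINING ALERT")
    return problems


def checkout_age_status(age: int, t: CheckoutThresholds) -> str:
    """'Check-out age' column: flagged when checked out longer than a threshold."""
    if age > t.age_alert:
        return "alert"
    if age > t.age_warning:
        return "warning"
    return "ok"


def time_remaining_status(remaining: int, t: CheckoutThresholds) -> str:
    """'Time remaining' column: flagged when less than a threshold is left."""
    if remaining < t.remaining_alert:
        return "alert"
    if remaining < t.remaining_warning:
        return "warning"
    return "ok"


# Constructed sample: (user, account, minutes checked out, minutes until forced check-in).
SAMPLE_CHECKOUTS = [
    ("alice", "root@db01", 45, 75),
    ("bob", "Administrator@web02", 90, 50),
    ("carol", "svc_backup@fs01", 200, 10),
]


def review_checkouts(checkouts, t: CheckoutThresholds = CheckoutThresholds()):
    """Classify each active check-out as (user, account, age status, remaining status)."""
    problems = validate_thresholds(t)
    if problems:
        raise ValueError("inconsistent thresholds: " + "; ".join(problems))
    return [(user, account, checkout_age_status(age, t), time_remaining_status(left, t))
            for user, account, age, left in checkouts]
```

Running review_checkouts(SAMPLE_CHECKOUTS) with the defaults flags bob as a warning in both columns and carol as an alert in both.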