Policy Setup
Policies
The section contains a list of policies, sorted by priority.
The following data is displayed for policies:
- Priority — a number indicating the order in which a particular policy is applied. Zero priority is the default policy, which is applied last. The higher a policy is in the list, the higher its priority, and vice versa.
- Name — policy name.
- Description — policy description.
- Number of users with the policy.
- Number of user groups with the policy.
- Number of accounts with the policy.
- Number of resources with the policy.
- Number of domains with the policy.
The default policy contains a set of parameters for all available sections and applies to all new objects, so it is advisable to start configuring there.
The default policy also applies to sessions opened on behalf of user accounts, unless other policies are explicitly applied to these users.
Open the policy page, set the desired parameters in the Accounts, Sessions, and RDP sections, and save the settings.
Adding New Policy
To add, view, edit and delete policies, you may need the appropriate claims from the POLICIES MANAGEMENT section (Policy.Create, Policy.Read, Policy.Update, Policy.Delete).
Click Add in the Policies section, fill in the Policy Name, Description, and Priority fields. The new policy will appear in the list.
General Information
Open the policy page and review the general information. If necessary, edit the Name, Description, or Priority by clicking the pencil icon.
- Name — the name of the policy, it is set when creating a new policy. It can be changed at any time.
- Description — policy description.
- Priority — a number indicating the order in which a particular policy is applied. Zero priority is the default policy that is applied last.
- Created by — Axidian Privilege administrator name.
- Date created — date and time when the policy was created.
- Changed by — name of Axidian Privilege administrator who saved the policy settings.
- Date changed — date and time when the policy settings were saved.
To edit Name, Description and Priority, click the pencil icon.
Sections
Go to Sections, mark the sections that will be determined by the policy, and save the changes. The corresponding sections will become available for setting up.
For unchecked sections, other policies will be applied by priority.
Scope
To assign policies you may need the appropriate claims (User.SetPolicy, UsersGroup.SetPolicy, Account.SetPolicy, Resource.SetPolicy, Domain.SetPolicy).
Contains information about which users, user groups, accounts, resources, or domains the policy is applied to.
To apply a policy to an object, click Add, select the type of object to apply the policy to, and select the objects.
To remove the policy from objects, select the required objects and click Remove.
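The priority, section and scope rules described above, worked through as an added example (this is illustrative code, not part of Axidian Privilege): policies are tried from the highest priority number down, each policy contributes only the sections it has checked, and the default policy (priority 0) fills in everything else. The policy and section names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    priority: int                                  # 0 is the default policy
    sections: dict = field(default_factory=dict)   # checked section -> settings
    scope: set = field(default_factory=set)        # objects the policy is assigned to


def effective_settings(policies, obj):
    """Return {section: (policy name, settings)} that applies to the object."""
    default = [p for p in policies if p.priority == 0]
    if len(default) != 1:
        raise ValueError("exactly one default policy (priority 0) is required")
    # Higher priority number is applied first; the default policy goes last.
    ordered = sorted((p for p in policies if p.priority != 0),
                     key=lambda p: p.priority, reverse=True) + default
    result = {}
    for p in ordered:
        if p.priority != 0 and obj not in p.scope:
            continue                      # policy is not assigned to this object
        for section, settings in p.sections.items():
            result.setdefault(section, (p.name, settings))  # first match wins
    return result


# Constructed sample data: a default policy plus two scoped policies.
POLICIES = [
    Policy("Default", 0, {"Accounts": {"reset_after_show": False},
                          "Sessions": {"max_hours": 8},
                          "RDP": {"clipboard": True}}),
    Policy("Admins", 10, {"Sessions": {"max_hours": 2}}, {"alice", "bob"}),
    Policy("Strict", 20, {"Accounts": {"reset_after_show": True}}, {"alice"}),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, effective_settings(POLICIES, who))
```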
Creating a Copy of the Policy
Check the policy in the Policies section and click Create copy, fill in the Policy name, Description and Priority fields. The copied policy will appear in the list.
Removing Policy
Before removing a policy, make sure that it does not apply to any objects.
Check the required policies in the Policies section and click Remove.
The Default policy cannot be removed.
Changing the Priority of a Policy
Check one policy under Policies, click Change priority and enter a number for the policy priority value.
You can also change the priority by opening the required policy and in the General Information section click the pencil icon next to the priority value.
Policy Sections
Accounts
Show Credentials Settings
Option | Description |
---|---|
Reset account password and SSH key after showing | If this option is enabled, the password and SSH key of the privileged account will be reset every time the user views it in the self service (user console). |
Reset password and SSH key after X minutes | After viewing, the password and SSH key will be reset to a random value after the specified number of minutes. |
Require a reason of password and SSH key viewing | If this option is enabled, the directory user must provide a reason before viewing the password or SSH key of the privileged account. |
Password and SSH key viewing must be confirmed by Axidian Privilege administrator | Each time a user requests to view credentials, the request must be confirmed by an Axidian Privilege administrator. |
Password and SSH key confirmation timeout, min. | Timeout of waiting for confirmation of password and SSH key viewing, from 1 to 180 minutes. |
Encrypt SSH key using generated password before showing to user | If this option is enabled, the SSH key will be shown in encrypted form, and the generated encryption password will be hidden. The encryption key and password are generated by Axidian Privilege every time the data is viewed. |
Set credential settings
Option | Description |
---|---|
Allow Axidian Privilege users to set credentials for accounts if they are not set | If this option is enabled, Axidian Privilege users can set the password or SSH key for a privileged account before connecting. |
Check and Reset Credentials Settings
Option | Description |
---|---|
Periodically synchronize resources and accounts | If this option is enabled, then an automatic search for data and privileged accounts on resources will be performed. |
Synchronize resources and accounts once in X days | Automatic search for resource data and privileged accounts will be performed once every specified number of days, from 1 to 10,000 days. |
Periodically check account password and SSH key | If this option is enabled, then passwords and SSH keys will be automatically checked for privileged accounts. |
Check password and SSH key once in X days | Automatic check of the password and SSH key of privileged accounts will be performed once every specified number of days, from 1 to 10,000 days. |
Reset password and SSH key if a mismatch is detected | If this option is enabled, then passwords and SSH keys will be automatically reset in case of mismatch between Axidian Privilege and resources. |
Remove SSH keys unmanaged by Axidian Privilege | If there is no SSH key for the added account in Axidian Privilege, but there is one on the resource, then all discovered keys from the resource will be removed. |
Check password and SSH key if it's set manually | If this option is enabled, a check will be performed when setting or changing a password or SSH key. |
Periodically change account password and SSH key | If this option is enabled, the password or SSH key will be automatically changed to a random value for privileged accounts. |
Change password and SSH key every X days | Automatic change of password or SSH key for privileged accounts will be performed once every specified number of days. |
Password Generator Requirements
Option | Description |
---|---|
Generated password length | Total number of characters for automatically generated and manually entered passwords. |
Lowercase letters | If this option is enabled, then automatically generated passwords will consist of lowercase letters. When combined with other settings, the password will contain at least one lowercase letter. |
Uppercase letters | If this option is enabled, then automatically generated passwords will consist of capital letters. When combined with other settings, the password will contain at least one uppercase letter. |
Digits | If this option is enabled, then automatically generated passwords will consist of digits. When combined with other settings, the password will contain at least one digit. |
Special characters | If this option is enabled, then automatically generated passwords will consist of special characters. When combined with other settings, the password will contain at least one special character. |
Prohibit the use of special characters at the beginning of the password | If this option is enabled, then the password will start with a letter or a number. |
Maximum number of consecutive special characters | This parameter determines how many special characters are allowed to be used one after another. For example, if you specify a value of 1, then the password#! password will not be valid. But the passwor#d! password will be valid, because the special characters are not consecutive, they are separated by a letter. To allow any number of consecutive special characters, specify 0. |
Prohibited characters | Characters that should not be used by the password generator when generating passwords. The field may be empty. In this case, no restrictions apply. |
Required characters | Characters, at least one of which will definitely be used when generating a password. The field may be empty. In this case, no restrictions apply. |
Number of passwords that should not be repeated | The number of previous passwords for the account with which the new password should not match. |
Password Requirements for Manual Entry
Option | Description |
---|---|
Minimum password length | Minimum number of characters for manual password entry. |
Limit characters for manual password entry | If the option is enabled, the remaining settings in this table become available. If the option is disabled, any characters are allowed in passwords. |
Lowercase letters | If this option is enabled, the password must contain at least one lowercase letter. |
Uppercase letters | If this option is enabled, the password must contain at least one uppercase letter. |
Digits | If this option is enabled, the password must contain at least one digit. |
Special characters | If this option is enabled, the password must contain at least one special character. |
Allow white space | If this setting is enabled, white spaces are allowed in the password, but are not required. You cannot enter a space in the Prohibited Characters and Required Characters fields. |
Prohibit the use of special characters at the beginning of the password | If this option is enabled, the password must start with a letter or a digit. |
Maximum number of consecutive special characters | This parameter determines how many special characters are allowed to be used one after another. For example, if you specify a value of 1, then the password#! password will not be valid. But the passwor#d! password will be valid, because the special characters are not consecutive, they are separated by a letter. To allow any number of consecutive special characters, specify 0. |
Prohibited characters | Characters that should not be used in passwords. You cannot enter a white space in this field. The field may be empty. In this case, no restrictions apply. |
Required characters | Characters, at least one of which must be used in passwords. You cannot enter a white space in this field. The field may be empty. In this case, no restrictions apply. |
Number of passwords that should not be repeated | The number of previous passwords for the account with which the new password should not match. |
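The two tables above define the same family of rules for generated and manually entered passwords. As an added example (not Axidian Privilege code), the checker below applies those rules to a candidate password and reports every rule it breaks, and the generator draws random candidates until one passes. The set of characters counted as "special" and the field defaults are assumptions.

```python
import secrets
import string
from dataclasses import dataclass

SPECIALS = string.punctuation  # assumption: the set of "special" characters


@dataclass
class PasswordPolicy:
    min_length: int = 12
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    special: bool = True
    allow_space: bool = False
    no_leading_special: bool = True
    max_consecutive_special: int = 1  # 0 means any number is allowed
    prohibited: str = ""              # characters that must not appear
    required: str = ""                # at least one of these must appear
    history_size: int = 5             # previous passwords that must differ


def violations(pw, policy, history=()):
    """Return the rules the password breaks; an empty list means valid."""
    errors = []
    if len(pw) < policy.min_length:
        errors.append("too short")
    if policy.lowercase and not any(c.islower() for c in pw):
        errors.append("needs a lowercase letter")
    if policy.uppercase and not any(c.isupper() for c in pw):
        errors.append("needs an uppercase letter")
    if policy.digits and not any(c.isdigit() for c in pw):
        errors.append("needs a digit")
    if policy.special and not any(c in SPECIALS for c in pw):
        errors.append("needs a special character")
    if " " in pw and not policy.allow_space:
        errors.append("spaces not allowed")
    if policy.no_leading_special and pw and pw[0] in SPECIALS:
        errors.append("must start with a letter or digit")
    run = 0
    for c in pw:  # count special characters that follow each other
        run = run + 1 if c in SPECIALS else 0
        if policy.max_consecutive_special and run > policy.max_consecutive_special:
            errors.append("too many consecutive special characters")
            break
    if any(c in policy.prohibited for c in pw):
        errors.append("contains a prohibited character")
    if policy.required and not any(c in policy.required for c in pw):
        errors.append("missing a required character")
    if pw in list(history)[-policy.history_size:]:
        errors.append("reuses a recent password")
    return errors


def generate(policy, history=(), length=16):
    """Draw random candidates until one passes every rule of the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    alphabet = "".join(c for c in alphabet if c not in policy.prohibited)
    for _ in range(10000):  # bounded so contradictory rules cannot loop forever
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(pw, policy, history):
            return pw
    raise ValueError("policy cannot be satisfied with this alphabet")
```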
Sessions
General
Option | Description |
---|---|
User must specify the connection reason | If the option is enabled, then when connecting to the resource, the user must enter the reason for starting the session. Attention! If you use PostgreSQL Proxy, warn users that they will need to enter the reason in the same field as the account name. For more information, see Connection to the PostgreSQL Proxy section. |
Maximum session duration | The option enables the session duration limit in hours and minutes, after which the session will end automatically. |
Enforce exclusive usage of account | If the option is enabled, only one active session can be open for the account at a time. |
Start of the session must be confirmed by Axidian Privilege administrator | If this option is enabled, then manual confirmation by the Axidian Privilege administrator is required for each opened session. Attention! Leave this option disabled if you use PostgreSQL Proxy, otherwise it will be impossible to open an SQL session. |
Session confirmation timeout, min. | Timeout for confirmation by the Axidian Privilege administrator, in the range from 1 to 180 minutes. |
Terminate session when there is no user activity | If the option is enabled, then if the user is inactive for a specified period of time, their session is terminated. For existing policies this option is disabled by default, and for new ones it is enabled by default. User activity refers to user interaction with the screen or session terminal, as well as file transfer operations. This option only applies to sessions opened via SSH Proxy and RDP Proxy. |
Session termination timeout, min. | Minimum value: 1 minute. Default value: 30 minutes. Maximum value: 720 minutes. |
Reset password and SSH key at the end of the session | If the option is enabled, the password and SSH key will be reset after each session. |
Session Artifacts
Option | Description |
---|---|
Save text | If the option is enabled, a text log will be available for viewing and downloading after the session ends. |
Proceed with the RDP session without logging if the text log could not be retrieved | When the option is enabled: If the connection with the PAM agent is lost, the session is not terminated, and users can continue working in this session. The event "Lost connection with PAM Agent" is entered into the log once. The line "WARNING: Lost connection with PAM Agent" is written once into the text session log. When the connection with the PAM agent is restored, the event "Connection with PAM Agent restored" is entered into the log once, and the line "INFO: Connection with PAM Agent restored" is written once into the text session log. When the option is disabled (by default): If the connection with the PAM agent is lost, the session is terminated. |
Save video | If the option is enabled, then after the session is completed, video recording will be available. |
Frames per second | The setting determines the frame rate for video recording. The range of values is from 1 to 10. |
Video resolution | The setting allows you to set the resolution for video recording. |
Video log rotation | If this option is enabled, then video recordings will be automatically deleted. |
Remove video older than X days | Automatically delete video recordings older than the specified number of days. Minimum is 1 day. |
Save screenshots | If this option is enabled, then screenshots of the session will be saved. |
Screenshots interval, sec. | A screenshot is saved every specified number of seconds. Minimum interval is 60 seconds. |
Screenshots resolution | The setting allows you to set the resolution of the screenshots. |
Screenshots log rotation | If this option is enabled, screenshots will be automatically deleted. |
Remove screenshots older than X days | Automatically delete screenshots older than the specified number of days. |
Save transferred files | If the option is enabled, files transferred from the local machine to the resource will be duplicated in the specified network folder. Supported only for Windows resources with disk forwarding enabled. |
Transferred files rotation | If this option is enabled, transferred files will be automatically deleted. |
Remove transferred files older than X days | Automatically delete transferred files older than the specified number of days. |
Sending Text Log via Syslog
Option | Description |
---|---|
Send text logs via syslog | The text log lines will be sent via syslog using the specified keywords. A keyword can be a regular expression. |
Gateway and SSH Proxy
Option | Description |
---|---|
Override Gateway settings | If this option is enabled, the following settings will be used instead of those specified in the Configuration section. |
RDCB address | Remote Desktop Connection Broker IP address/DNS name |
RDCB collection name | Remote Desktop Connection Broker collection name for Axidian Privilege Gateway |
Use RDGW | Connect to Axidian Privilege Gateway with Remote Desktop Gateway |
RDGW address | Remote Desktop Gateway address for Axidian Privilege Gateway |
Gateway RDP file parameters | The parameters will be added to the Axidian Privilege gateway RDP settings and will override the default settings. |
Override SSH Proxy settings | If this option is enabled, the following settings will be used instead of those specified in the Configuration section. |
SSH Proxy address | IP address or DNS name and port (optional) |
RDP
The settings are applied only when connecting to servers via RDP.
Option | Description |
---|---|
Printers | If the option is enabled, the user will be able to forward printers from their workstation to the target resource. |
Clipboard | If the option is enabled, the user will be able to use the clipboard between their workstation and the target resource. |
Smart cards | If the option is enabled, the user will be able to forward smart cards from their workstation to the target resource. |
Ports | If the option is enabled, the user will be able to forward COM ports from their workstation to the target resource. |
Local drives | If the option is enabled, the user will be able to forward local disks from their workstation to the target resource. |
RDP file parameters | Parameters that will be added to RDP connection settings, also they will override the default settings. |
Require a trusted resource certificate to open an RDP session | If the option is enabled and the resource certificate is invalid, the user will not be able to open a session. If the option is disabled and the resource certificate is invalid, the user will be able to open a session. |
SSH
Privilege Elevation
Option | Description |
---|---|
Allow run pamsu | Support for executing commands with root privileges on resources with the PamSu component installed. |
Allowing the use of PamSu when creating a permission takes priority over the setting in the policy.
Allowed and Forbidden Commands
Option | Description |
---|---|
Prompt | Regular expression to correctly recognize command input. When entering a regular expression, note that you do not need to escape the < and > characters, as they are not included in the list of special characters: .[{}()*+?\|^$ . The ] character is also special, but only when entered after [ . More information on Boost regular expression syntax is available here. |
Reaction to forbidden command | Terminal behavior in response to a forbidden command: CTRL + C (cancel execution) or Abort the session. |
SSH commands | List of commands allowed or prohibited to execute in an SSH session. |
Creating a list of controlled commands:
- Click the Add button.
- Enter the command or regular expression. When entering a regular expression, note that you do not need to escape the < and > characters, as they are not included in the list of special characters: .[{}()*+?\|^$ . The ] character is also special, but only when entered after [ . More information on Boost regular expression syntax is available here.
- Select the status Allowed or Forbidden.
Restricting command execution takes priority over permission.
Without explicit permission, commands will be considered forbidden, so it is not recommended to remove the last rule that allows command execution.
To allow or prohibit several commands at once, select them with the check boxes and click the appropriate button.
When working with the list of commands, as well as when trying to execute a prohibited command, the corresponding events are recorded in the Events section.
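How a controlled-command list is evaluated, as an added example (illustrative code, not Axidian Privilege's own filter): a Forbidden match always wins over an Allowed match, and a command that matches no rule is treated as forbidden, with the reaction option deciding whether the session continues after a forbidden command. The rule list, the prompt regular expression and the transcript lines are constructed, and Python's re module stands in for the Boost engine the page refers to (assumption: the basic syntax used here behaves the same, and patterns are matched against the whole command).

```python
import re

# Constructed rules in the spirit of the Allowed and Forbidden Commands table.
RULES = [
    (r"ls( .*)?", "Allowed"),
    (r"cat /var/log/.*", "Allowed"),
    (r"sudo .*", "Forbidden"),
    (r"cat /var/log/secure", "Forbidden"),   # narrower than the Allowed rule
]

# Assumed prompt shape "user@host:~$ "; plays the role of the Prompt option,
# letting the filter separate the prompt from what the user typed.
PROMPT = re.compile(r"^[\w.-]+@[\w.-]+:[^$#]*[$#] ")


def extract_command(line):
    """Strip the prompt from a terminal line; None if the line is output."""
    m = PROMPT.match(line)
    return line[m.end():].strip() if m else None


def decide(command, rules=RULES):
    """Forbidden match wins; otherwise an Allowed match is required."""
    forbidden = any(re.fullmatch(p, command) for p, s in rules if s == "Forbidden")
    allowed = any(re.fullmatch(p, command) for p, s in rules if s == "Allowed")
    if forbidden:
        return "Forbidden"
    return "Allowed" if allowed else "Forbidden"   # no rule: forbidden by default


def filter_session(lines, reaction="CTRL + C"):
    """Return (command, verdict) pairs; 'Abort the session' stops at the first
    forbidden command, 'CTRL + C' only cancels that command and continues."""
    out = []
    for line in lines:
        cmd = extract_command(line)
        if cmd is None:
            continue
        verdict = decide(cmd)
        out.append((cmd, verdict))
        if verdict == "Forbidden" and reaction == "Abort the session":
            break
    return out


SESSION = [  # constructed transcript lines
    "alice@db01:~$ ls -la /opt",
    "total 12",
    "alice@db01:~$ cat /var/log/messages",
    "alice@db01:~$ cat /var/log/secure",
    "alice@db01:~$ sudo systemctl restart postgresql",
    "alice@db01:~$ whoami",
]

if __name__ == "__main__":
    for cmd, verdict in filter_session(SESSION):
        print(f"{verdict:9} {cmd}")
```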
Data Transfer
Option | Description |
---|---|
SCP | SCP file transfer option. |
SFTP | SFTP file transfer option. |
Maximum file size, MB | A file larger than this value cannot be transferred. |