Configuration
Licenses
The section contains Axidian Privilege licensing information.
The section displays the following data:
- Installation ID — a unique installation code is required to generate a license.
- User licenses available — total number of user licenses.
- User licenses used — total number of licenses used.
- Resource licenses available — total number of resource licenses.
- Resource licenses used — number of licenses used.
The following data is displayed for each license:
- Start date — license start date.
- End date — license expiration date.
- User licenses — total number of user licenses.
- Resource licenses — total number of licenses used.
- Issue date — license release date.
Add License
Click Add and select a license file.
Removing Licenses
Mark the required license and click Delete.
System Settings
- Blocking when entering incorrect OTP
- Scheduled jobs
- Video
- Sessions
- Gateway connections
- RDP Proxy
- PostgreSQLProxy
- SSH Proxy
- Syslog
| Option | Description |
|---|---|
| Number of failed OTP access attempts allowed | After exceeding this value the user will be temporarily blocked, i.e. will not be able to enter OTP. Min value: 0 Default value: 10 Max Value: 99 0 means that no blocking is applied, i.e. the number of input attempts is not limited. |
| Lockout duration | Defines the period of time after which the user will be unblocked and will be able to enter OTP again. Min value: 1 Default value: 10 Max Value: 9999 |
| Option | Description |
|---|---|
| Account checking start time | At this time Axidian Privilege will start checking all active accounts in the Managed state |
| Resources and accounts syncing start time | At this time Axidian Privilege will start resource information syncing and accounts syncing for resources and domains |
| Account password reset start time | At this time Axidian Privilege will generate new passwords for accounts |
| Service connection checking start time | At this time Axidian Privilege will start checking service connection to resources and domains |
| Session log rotation start time | At this time Axidian Privilege will start session log rotation |
| Option | Description |
|---|---|
| Video recording codec options | The libx264 codec is used by default with the following settings: libx264 -preset medium -tune zerolatency |
| Video streaming codec options | The libx264 codec is used by default with the following settings: libx264 -g 10 -tune zerolatency |
| The duration of the recorded video segment, sec. | You can set the duration at which the video will be saved as an independent segment, the default is 3600 |
| Option | Description |
|---|---|
| Gateway connection timeout, sec. | Time after which connection will be closed if gateway isn't responding. Set the value to 0 if you do not want the connection to be interrupted |
| Time to connect, min. | Close session on the Gateway if a user did not connect to the resource |
| Legal notice | That text will be shown to user before session. Leave it empty if you don't need it |
| Maximum amount of sessions per user | Limiting the number of concurrent open sessions per user, 0 is the default with no limit |
| Notify user about session termination | The user will be notified before the session ends |
| Notifications threshold | Notification will be shown for the specified time before the session expires |
| Notification interval | Interval between notifications about expiring session |
| Option | Description |
|---|---|
| RDCB address | IP address or DNS name of Remote Desktop Connection Broker |
| RDCB collection name | Remote Desktop Connection Broker collection name for Axidian Privilege Gateway |
| Use RDGW | Check it for connecting to Axidian Privilege Gateway with Remote Desktop Gateway |
| RDGW address | Remote Desktop Gateway address for Axidian Privilege Gateway |
| Gateway RDP file parameters | These parameters will be added to RDP connection settings for Axidian Privilege Gateway. They will replace old ones |
| Option | Description |
|---|---|
| RDP Proxy address | IP or DNS, port (optional) |
| Option | Description |
|---|---|
| PostgreSQLProxy address | IP or DNS, port (optional) |
| Option | Description |
|---|---|
| SSH Proxy address | IP or DNS, port (required) Default port: 2222 |
| Authentication of resources using SSH server keys | Selected SSH server key fingerprint adding type. For more information, see the Types of Adding Fingerprints section. |
| Option | Description |
|---|---|
| Syslog server | IP address or DNS name of Syslog server |
| Port | Syslog server port |
| Protocol | Network protocol for connection to Syslog server: TCP, UDP |
| Format | Event format used by syslog server: CEF, LEEF |
| Syslog version | IETF standart of Syslog protocol: RFC3164, RFC5424 |
User Connection
Manage User Connections privileges are required to work with user connections. The following privileges are required:
- UserConnectionType.Create
- UserConnectionType.Read
- UserConnectionType.Update
- UserConnectionType.Delete
Axidian Privilege has the following built-in user connection types:
- RDP
- SSH
- Telnet
- PostgreSQL
Built-in types cannot be changed or deleted.
It is also possible to add custom user connection types.
Adding Custom User Connection Types
To add a new connection type, you need to research the client application and develop a template for Axidian Privilege ESSO Agent. The new connection type is unique for each application, for development please contact Technical Support.
Service Connection
Manage Service Connection Types privileges are required to work with service connections. The following privileges are required:
- ServiceConnectionType.Create
- ServiceConnectionType.Read
- ServiceConnectionType.Update
- ServiceConnectionType.Delete
Axidian Privilege has the following built-in service connection types:
- Windows
- SSH
- Microsoft SQL Server
- MySQL
- PostgreSQL
- Oracle Database
- Cisco IOS
- Inspur BMC
Built-in types cannot be changed or deleted.
It is also possible to add custom service connection types.
Adding Custom Service Connection Types
If your PAM installation's management server is installed on a Windows host, you can only add connectors with a powershell template.
If your PAM installation's management server is installed on a Linux host, you can only add connectors with a bash template.
- Open the Configuration → Service Connection section.
- Click Add Service Connection Type.
- In the window that opens, upload the ZIP archive with the connector file.
- Specify the Name of the service connection or use the value loaded from the metadata.
- Enter the Description of the service connection. Optional.
- Finish operation by clicking Add.
Connectors preparation
To prepare a ZIP archive with the connector file, use the Connector Creation Tool.
Editing Custom Service Connection Types
- Upload new connector
- Edit name or description
- Open the Configuration → Service Connection section.
- Click Edit next to the desired service connection type.
- Click Download archive and select a folder on your computer to save the current ZIP archive with the connector file. This archive will be needed to restore the previous state of the service connection if an error occurs when loading a new archive.
- Upload a new ZIP archive with connector file.
- If necessary, edit Name and/or Description.
- Finish editing by clicking Save.
- Open the Configuration → Service Connection section.
- Click Edit next to the desired service connection type.
- Edit Name and/or Description.
- Finish editing by clicking Save.
Connector Script Code Viewing
- Open the Configuration → Service Connection section.
- Click Show script code next to the desired service connection type.
Custom Connection Types Deleting
- Open the Configuration → Service Connection section.
- Click Delete next to the desired service connection type.
A service connection type cannot be deleted if a resource with that type exists.
Uploading the SSH Connector Template
The service operations template is unique for each *nix distribution. The PAM distribution includes templates for the following *nix distributions:
- Alt
- Astra
- CentOS
- Debian
- FreeBSD
- Gentoo
- Oracle
- RedOS
- RHEL
- Rocky
- SLES
- Ubuntu
Path to the templates in the PAM distribution: AxidianPAM_3.0_RU\indeed-pam-tools\ssh-templates\.
To add a template to Axidian Privilege:
- Open the Configuration → Service Connection section.
- Inside the SSH block, click Add.
- Select the file with the SSH connector template you need from the distribution by path AxidianPAM_3.0_RU\indeed-pam-tools\ssh-templates\.
If you need help with development of the new template, please contact Technical Support.
Network Location
The section contains information about adding network locations to limit the use of resources issued by addresses.
Adding the Network Location
Click Add.
Enter a Name and add the Network addresses of the resources to which you want to issue a limited connection.