Optional General Settings
In PMP, there are certain important features such as enforcement of password policy, 'Forgot Password' option to reset PMP user passwords, email notification on PMP user creation or role modification, provision for managing personal passwords, exporting resources, remote password reset etc.
While these features are very much needed for certain organizations, some others find them a hindrance. To cater to the needs of these two sets of users, PMP strikes a balance through the general optional settings.
To access the settings page,
- Go to "Admin" tab
- Click "General Settings" under the section "General"
- In the UI that opens, the following options are listed:
  - Password Retrieval
  - Password Reset
  - Resource/Password Creation
  - Resource Group Management
  - User Management
  - High Availability
  - Personal Passwords
Allow password users and auditors to retrieve passwords for which auto logon is configured
Through the auto logon feature, PMP provides the option to establish a direct connection to the resource, eliminating the need to copy and paste passwords. By default, password users and auditors will be able to retrieve the passwords that are shared with them. If auto logon is configured, they might not need access to the passwords. In such cases, you can decide whether to allow or restrict access to passwords. Select the checkbox to allow access and uncheck it to restrict.
Automatically hide passwords after X seconds (specify '0' to never hide passwords automatically)
By default, passwords are shown in hidden form behind asterisks. On clicking the asterisks, the passwords appear in plain text. By default, the passwords are shown for 10 seconds only. After that, they will be automatically hidden. If you want to increase or decrease this time period, specify the desired value in seconds. If you specify 0, passwords will continue to remain in plain text until you click the password to hide.
Automatically clear clipboard data after X seconds (specify '0' to never clear clipboard automatically)
PMP leverages the clipboard utility of browsers to copy passwords when you intend to copy and paste passwords. By default, the copied passwords will be available for pasting for 30 seconds. If you want to increase or decrease this time period, specify the desired value in seconds. If you specify 0, the clipboard will not be cleared automatically.
Include passwords when resource details are exported to CSV format
When you export PMP resources to a CSV file, by default, the passwords of the accounts are included in plain text. If, for security reasons, you wish to mask the passwords in the report, you can do so by unchecking this checkbox. Once you uncheck this option, the passwords will be masked in the exported CSV file.
Force users to provide reason while retrieving the passwords
By default, when a user tries to retrieve the password of a resource, on clicking the asterisks, the passwords appear in plain text. If you want to force your users to provide a reason why access to the password was needed, you can enable this option by selecting the checkbox.
When access control is enabled and a password has been released to a 'password user', allow admins to view the password
When password access control is enabled and a user is viewing a password, no one else is allowed to view it concurrently by default. While giving exclusive access to a user temporarily, PMP provides the flexibility to let administrators view the password concurrently, if required, through a simple administrative setting in "General Settings". If you select this checkbox, the user who makes a request for a password will not have the exclusive privilege. All PMP administrators will be able to view the password concurrently.
Enable display of Password History in Home tab
By default, in Home tab, Password History icon remains grayed out. If you want to enable it, select this check box. Once you do this, Password History will be displayed to all users.
Allow all admin users to manipulate the entire explorer tree
PMP offers provision to allow admin users to manipulate the entire explorer tree structure as they wish. Once this is enabled, PMP creates an organization wide, global explorer tree structure containing the names of resource groups under a root node. Any administrator in PMP would be able to create/edit the explorer tree structure of resource groups. The tree structure will be accessible to all admins, password admins and end users. Admins and password admins can add their resource groups anywhere into the global tree and the whole structure will be available for view to all the end users. If this option is disabled, users can modify only their portion of the tree.
Collapse password explorer tree view in Home Tab
By default, the nodes of the password explorer tree are shown in expanded form. By enabling this option, the explorer tree can be viewed in collapsed format.
Enforce users to provide a reason when changing the resource password
When resource passwords are changed by a user, by default, it is not mandatory to add a comment providing the reason for the change. However, requiring users to enter a comment is a good practice and aids in auditing user actions. If you want to enforce this, select this checkbox. Once you do this, users will be prompted to enter a comment as the reason when attempting to change a password.
Default selection for user initiated remote password change action
One of the important capabilities of PMP is remote password reset, which enables users to change the password of a resource in the PMP console and apply the change in the remote resource instantaneously. This remote synchronization of passwords can be done for resources of the type Windows, Windows Domain and Linux. By default, when you try to change the password of an account belonging to the above three types, the remote synchronization option is enabled. If you want to disable this option, click the radio button "Do not apply changes to the resource". At any point of time, you can override this option while invoking the change password option.
Wait for X seconds between stopping and starting the services after service account password reset
For every Windows domain account for which the service account reset is enabled, PMP will find out the services which use that particular domain account as service account, and automatically reset the service account password if this domain password is changed. In certain cases, there would be requirements for stopping and starting the services. In such cases, you can configure PMP to wait for a specified time period (in seconds) between stopping and starting the services. By default, PMP waits for 60 seconds. You may configure it in accordance with your needs.
Enforce users to provide two different accounts for use with remote password reset for UNIX / Linux resources
To enable remote password reset for UNIX/Linux resource types, you can require users to provide two different accounts for password reset. If you do not opt for this, users will be allowed to enable remote synchronization with just one account.
Enforce password policy during resource or password creation
By default, when you are adding your resource to PMP, it does not check for compliance with the password policy already defined by the IT administrator. The policy is enforced only when a password is changed. If you wish to check policy compliance at the time of resource / account addition itself, select this checkbox. Once you do this, you will be permitted to add your resource / account only if the password is in accordance with the policy defined.
When agents are deployed in resources for remote password reset, the accounts in the resource are automatically added to PMP. There are also options to synchronize account addition or deletion afterwards:
- Sync account addition: If you enable this option, whenever a new account gets added to the resource, that will be synchronized in PMP too.
- Sync account deletion: If you enable this option, whenever an account gets deleted in the resource, that will be synchronized in PMP too. The account will be deleted in PMP too.
Resource Group Management
Show the option to create static resource groups by picking resources individually
By default, two options are available for resource group creation: static resource group creation by picking resources individually and dynamic group creation by specifying criteria. If you want to remove the option of static resource group creation, de-select this checkbox. Once you do this, you will have only one option for resource group creation: dynamic group creation by specifying criteria.
Automatically log off users after X minutes of inactivity
As PMP users are dealing with sensitive passwords, from the information security point of view, it would be hazardous to allow the web-interface session to remain alive if users leave their workstation unattended. Inactivity timeout could be configured by specifying the time limit in minutes. If a user is inactive with the GUI for the specified time limit, the user will be automatically logged out of the session. By default, if PMP remains unattended for 30 minutes, user will be automatically logged out. If you specify '0' as the value, the users will not be logged out for inactivity.
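The three timeouts described above (password hiding, clipboard clearing, inactivity logoff) all treat '0' as "never", so a review that only checks "value is at most N" would wrongly accept the weakest setting. The following is an added example, not PMP code: it reviews values transcribed by hand from the General Settings page, and the key names and the per-timeout ceilings are assumptions of this example.

```python
# Added example (not PMP code). Key names are hypothetical labels for values
# a reviewer copies by hand from the General Settings page.

# Defaults as stated on this page.
PAGE_DEFAULTS = {
    "hide_passwords_after_seconds": 10,
    "clear_clipboard_after_seconds": 30,
    "auto_logoff_minutes": 30,
    "include_passwords_in_csv_export": True,
    "require_reason_on_retrieval": False,
    "require_reason_on_change": False,
}
TIMEOUTS = ("hide_passwords_after_seconds",
            "clear_clipboard_after_seconds",
            "auto_logoff_minutes")


def review(recorded, ceilings=None):
    """Return a sorted list of (setting, finding) for a recorded configuration.

    ceilings: reviewer-chosen maximum per timeout (an assumption of this
    example); when omitted, the page's default values are used.
    """
    cfg = {**PAGE_DEFAULTS, **recorded}  # unrecorded settings keep defaults
    limits = {**{k: PAGE_DEFAULTS[k] for k in TIMEOUTS}, **(ceilings or {})}
    findings = []
    for key in TIMEOUTS:
        value = cfg[key]
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append((key, "invalid value"))
        elif value == 0:
            # 0 is the "never" sentinel, so it must not pass a "<= ceiling" test
            findings.append((key, "disabled (0 means never)"))
        elif value > limits[key]:
            findings.append((key, f"{value} exceeds ceiling {limits[key]}"))
    if cfg["include_passwords_in_csv_export"]:
        findings.append(("include_passwords_in_csv_export",
                         "exported CSV contains plain-text passwords"))
    for key in ("require_reason_on_retrieval", "require_reason_on_change"):
        if not cfg[key]:
            findings.append((key, "users are not asked for a reason"))
    return sorted(findings)


# Constructed sample: values a reviewer might have written down.
SAMPLE = {"hide_passwords_after_seconds": 0, "auto_logoff_minutes": 20,
          "include_passwords_in_csv_export": False,
          "require_reason_on_change": True}
```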
Allow 'Local Authentication' when AD/LDAP authentication is enabled
As explained earlier, PMP provides three types of authentication - LDAP authentication, AD authentication and PMP's local authentication. By default, PMP allows local authentication along with LDAP or AD authentication. If you want to strictly restrict authentication to LDAP or AD alone, uncheck the checkbox. Once you do this, PMP users will be allowed to log in using their workstation password alone.
Configure default-selected domain in the login screen. (Applicable only when AD authentication is enabled).
If you have users from various domains, the PMP login screen will list all the domains in the drop-down. For ease of use, you may specify the domain used by the largest number of users or the frequently used domain here. Once you do so, that domain will be shown selected by default in the login screen.
Show 'Forgot Password' option in the login screen
If a PMP user forgets their login password, they can rely on the 'Forgot Password' option, which sends a new login password to that user via email. By default, this option remains enabled. If you do not want to display this option, uncheck the checkbox. Once you do this, the option will no longer be visible to any user on the login screen.
Notify users through email during account creation or modification
By default, whenever a new user account is added in PMP or an existing account is modified, an email is sent to the respective user. It carries information about the login password in the case of new user addition, and details of the changes in the case of account modification. If you want to disable this option, uncheck this checkbox. Once you do this, emails will not be sent on user addition or modification.
Enable 'Support Link' for Password Administrators
By default, PMP users with the role 'Password Administrator' will not be able to view the 'Support' tab in the GUI. If you want Password Administrators to view the support tab, select the checkbox.
Notify Users through Email 30 and 15 days Prior to PMP License Expiry
Prior to the expiry of the PMP license, email notifications can be sent to all administrators or to any desired user(s). Two notifications will be sent: one 30 days prior to the expiry and another 15 days prior.
Check High Availability Status Every --- Minutes
In a High Availability setup, constant replication of data takes place between the Primary and Standby servers. The High Availability status 'Alive' indicates perfect data replication and data synchronization. If any disruption occurs, such as network problems between Primary and Standby (and in turn between the databases), the status will change to 'Failed'. This may happen when there is no communication/connection between the database of the primary server and that of the standby server.
When the connection gets reestablished, data synchronization will happen and both databases will be in sync with each other. During the intervening period, those who have connected to the primary and standby will not face any disruption in service. This status is only an indication of the connection/communication between databases and does not warrant any troubleshooting.
To check the status periodically and get notifications, select this option and specify the time interval in minutes.
Allow users to manage their personal passwords
PMP provides the personal password management feature as a value addition, so that individual users can manage their personal passwords, such as credit card PIN numbers, bank accounts etc., while using the software for enterprise password management. The personal password management belongs exclusively to the individual users. If you do not want to allow personal password management for your PMP users, uncheck this checkbox. Once you do this, the 'Personal' tab will not appear in the PMP GUI.
Allow users to choose their own encryption key for managing personal passwords
By default, when you allow users to manage their personal passwords, PMP provides three options to secure the personal passwords: using the encryption key provided by the customers and storing it, using the encryption key provided by the customers and not storing it, or using PMP's encryption key. When you allow the users to manage personal passwords, you can either allow the users to define their own encryption key or force them to use PMP's encryption key itself. If you want to allow them to choose their own encryption key, select the checkbox. This option will take effect only for those users who are added after setting this.