Managing General Settings
Using the General Settings section of PAM360, you can make important setting changes such as enforcing Password Policies, enabling the Forgot Password option to reset user passwords, sending Email Notifications on user creation or role modification, managing Personal Passwords, exporting resources, remote password reset and so on.
Configuring General Settings
To configure the general settings in PAM360, navigate to:
Admin >> Settings >> General Settings.
You will see different settings categorized under the following sections. Click each link to view the details:
- Password Retrieval
- Password Reset
- Resource / Password Creation
- Resource Group Management
- User Management
- High Availability
- Personal Passwords
- Usage Statistics Collection
1. Password Retrieval
To view and manage all global settings related to password retrieval, click Password Retrieval from the left pane.
1.1 Allow plain text view of passwords, if auto logon is configured
Enable this option to allow users to view the passwords of shared resources in plain text when auto logon is configured. If this option is disabled, users cannot retrieve the password; however, they can still launch remote sessions through auto logon. This restriction applies only to Password Users, Password Auditors and custom user type roles with the same privileges as Password Users and Auditors.
1.2 Automatically hide passwords after 5 seconds (specify '0' to never hide passwords automatically)
By default, passwords are hidden behind a string of hash symbols. On clicking the string, the passwords appear in plain text. By default, the passwords are shown for 10 seconds only, after which they will be automatically hidden. Specify the desired value in seconds in the Automatically hide passwords after X seconds option. If you specify 0, passwords will continue to remain in plain text until you click the password to hide.
1.3 Maximum X approval admins (You may give minimum of 1 to maximum of 10 admins)
Select the maximum number of admins (up to 10) needed to approve a password request for resources that have the password access control workflow set up. The number of admins selected here will be reflected in the Password Access Control workflow configuration, under the option "Enforce approval by at least __ administrators".
1.4 Automatically clear clipboard data after 30 seconds (specify '0' to never clear clipboard automatically)
PAM360 uses the clipboard utility of browsers to copy passwords when you copy them from PAM360. By default, the copied passwords will be available for 30 seconds. In this option, specify the time in seconds after which the clipboard will be cleared and the copied password will no longer be available. If you specify 0, the clipboard will not be cleared automatically.
1.5 Enforce users to provide reason for password retrieval
Enable this option to enforce users to provide a reason for requesting access to the password. This reason for retrieval will be recorded in the audit logs.
1.6 Allow users to retrieve password without ticket ID
If ticketing system integration is done in your environment, then by default, users will be prompted to provide a ticket ID while requesting a password. Enable this option to allow users to retrieve passwords without providing a ticket ID.
1.7 Display password history for users with View Only and Modify share permissions
Password History (available under Account Actions) shows the previously used passwords for a particular account as well as the details on who modified it. Enable the option Display password history for users with View Only and Modify share permissions to display the password history details for users with View Only and Modify share permissions.
1.8 Allow all admin users to manipulate the entire explorer tree
Once this option is enabled, PAM360 creates an organization-wide, global explorer tree structure containing the names of resource groups under a root node and the following things will apply:
- Any administrator in PAM360 can create/edit the explorer tree structure of resource groups.
- Admins and Password Admins can add their resource groups into the global tree and the whole structure will be available for view to all the end users.
- Types of users who will be able to access this tree structure: Administrators, Privileged Administrators, Password Administrators and Password Users.
- If this option is disabled, users can modify only their portion of the tree with the resources that are shared to them.
Show unshared resource groups to all admins: If this option is enabled, the resource groups of all admins will be visible to other admins, but they will be disabled because the resource groups are not shared. If this option is disabled, only the shared resource groups will be available to the admins.
By default, the nodes of the password explorer tree are shown in expanded form. Enable this option to collapse the explorer tree view.
1.10 Disable SSH, SQL and Telnet console chat
By default, SSH, SQL and Telnet console chat will be enabled. Select this option to disable the console chat for remote sessions.
1.11 Allow users to download the private key
If this option is enabled, the user will be able to download the private key that is added to an account shared with them. Click here for more about adding a key to an account.
2. Password Reset
To view and manage all global settings related to password reset in PAM360, click Password Reset from the left pane.
2.1 Enforce users to provide a reason when changing the resource password
Enable this option to prompt users to enter a reason while attempting to change the password of a resource. This reason will be recorded in the audit logs.
2.2 Allow users to reset password without giving a ticket ID
If ticketing system integration is done in your environment, then by default, users will be prompted to provide a ticket ID when they try to reset the password of a resource. Enable this option to allow users to reset passwords without providing a ticket ID.
2.3 Default selection for user-initiated remote password change action. Users can override this setting while modifying passwords.
When changing the password of a resource in the PAM360 console, by default the password changes are applied in the remote resource instantaneously. (Resource types supported for remote synchronization are: Windows, Windows Domain, and Linux). Select the option Do not apply changes to the resource to not change the password in the remote resource automatically.
2.4 Wait for X seconds between stopping and starting the services after service account password reset
You can configure PAM360 to wait for a specified time (in seconds) before stopping and restarting the services after automatically resetting the service account password. This is useful in cases where service account password reset is enabled for a Windows Domain account and the corresponding domain password is changed.
2.5 Enforce users to provide two different accounts for use with remote password reset for UNIX / Linux resources
Enable this option to enforce users to provide two different accounts for password reset for Unix/Linux resources. If this option is disabled, then users will be allowed to enable remote synchronization with just one account. To know more about remote password reset, click here.
3. Resource/Password Creation
To view and manage all global settings related to resource/password creation in PAM360, click Resource / Password creation from the left pane.
By default, password policies are enforced for passwords in PAM360 only at the time of password change.
Enable this option to check policy compliance at the time of resource/account addition itself. Once you enable this, you will be permitted to add your resource / account only if the password is in accordance with the password policy defined in PAM360.
3.2 When agents are deployed in resources for remote password reset, the accounts in the resource are automatically added to PAM360. There is also an option to synchronize account addition or deletion afterwards:
- Sync account addition:
Enable this option to add new accounts into PAM360 whenever they are added in the remote resource.
- Sync account deletion:
Enable this option to delete an account in PAM360 whenever the account is deleted in the remote resource.
4. Resource Group Management
To view and manage all global settings related to resource group management in PAM360, click Resource Group Management from the left pane.
4.1 Resource group creation options
You can allow users to create:
- Static resource groups by picking individual resources.
- Dynamic resource groups by specifying criteria.
- Both static and dynamic resource groups.
Select the required option and click Save.
To view and manage all global settings related to notifications in PAM360, click Notifications from the left pane.
5.1 Default selection for notifying users about change in access permissions
i. Notify users about the change in access permissions: Select this option to notify the respective users whenever their access permission is changed.
ii. Do not notify users about the change in access permissions: Select this option if you do not wish to notify users regarding the change in their access permissions.
Note: Admins can override this setting while modifying the access permission.
When an API user is created, an auth token (API key) will be generated. You can specify a date on which the API key will expire. Enable this option to notify the users about the expiry of the API key. Three notifications will be sent as follows:
- A notification 7 days before expiry.
- A notification on the day of expiry.
- A notification every day after the day of expiry.
Click here for more about adding API users in PAM360.
5.3 Do not display product announcements and promotional messages
Enable this option if you do not wish users to see any promotional in-product banners or messages in PAM360.
6. User Management
To view and manage all global settings related to user management in PAM360, click User Management from the left pane.
6.1 Default user language
You can choose a default user language for the web interface from the given drop down.
6.2 Automatically log off users after X minutes of inactivity (specify '0' to never log off users automatically).
Specify the time in minutes after which an inactive user session will time out and log off automatically; by default, the time will be set as 30 minutes. You can specify '0' minutes to never log off inactive users automatically. To impose the same restriction on users logged in through the browser extensions, select the option: Enforce this as a maximum time limit also for users logged in through browser extension.
6.3 Disable local authentication
PAM360 provides three types of authentication:
- LDAP authentication
- AD authentication/Azure AD authentication
- PAM360's local authentication.
By default, PAM360 allows local authentication along with LDAP or AD authentication. If you want to restrict either the LDAP or AD/Azure AD authentication alone, then select the respective options: All users or . Once local authentication is disabled, PAM360 users will be able to log in to PAM360 using their workstation password alone.
6.4 Choose default-selected domain in the login screen. (Applicable only when AD/Azure AD authentication is enabled).
If you have users from various domains, the PAM360 login screen will list all the domains in the drop-down. You can choose the frequently used domain here for ease of use for the users. Once you do so, that domain will be shown as selected by default in the login screen.
6.5 Show 'Forgot Password' option in the login screen
By default, the 'Forgot Password' option is enabled for all users who use PAM360's local authentication. By clicking on 'Forgot Password', users can get a new login password sent to their email. Disable this option if you do not wish to display the 'Forgot Password' option in the login screen for all users.
6.6 Notify users through email during account creation or modification
By default, users are notified via email whenever their account is added in PAM360 or an existing account is modified. Disable this option if you do not wish to send email notifications to users regarding account creation or modification.
6.7 Enable 'Support' link for password administrators
By default, Password Administrators in PAM360 cannot view the 'Support' option in their profile. Enable this option to make the 'Support' option accessible for password administrators also.
6.8 Notify users through email 30 and 15 days prior to PAM360 license expiry
You can notify all administrators or any users regarding the expiry of PAM360 license.
Two notifications will be sent:
- 15 days prior to the expiry.
- 30 days prior to the expiry.
To send notifications you can either select all administrators as recipients or specify email addresses separated by a comma (',').
6.9 Default selected tab
Select a default tab which will open for users right after logging in:
6.10 Allow password caching for offline access via mobile
Enable this option to allow saving password cache in the PAM360 mobile application so that users can access the passwords offline.
6.11 Enable logins to mobile apps with fingerprint authentication
Enable this option to allow users to log in to their PAM360 mobile applications using their device's fingerprint authentication.
6.12 Allow website auto-fill actions using browser extensions
Website forms can be auto-filled using PAM360 browser extensions, allowing users to log on to websites with just a click. Enable this option to allow auto filling of login credentials for saved website accounts through the PAM360 browser extensions.
6.13 Allow website auto-logon actions using browser extensions
PAM360 enables automatic login to websites and allows users to launch connections to applications directly through native browser extensions. Enable this option to allow users to connect to a remote resource through the auto logon feature using the PAM360 browser extensions.
Disable this option to prevent users from adding accounts to resources through the PAM360 browser extensions. The option to add accounts through browser extension is available only for the Chrome browser. To know more about PAM360 browser extensions, click here.
6.15 Enable discovery in client organization
Enable this option to allow every client organization to discover accounts and resources using the Discovery option in PAM360.
6.16 Use 'Organization Name' in Organization drop down list
Enable this option to display the Organization Name in the Organization drop down list; the Organization display name will be shown on mouseover.
7. High Availability
In a High Availability (HA) setup, constant replication of data takes place between the Primary and Standby servers. The High Availability status 'Alive' indicates perfect data replication and data synchronization between both servers. In case of any disruption, such as network problems between Primary and Standby (and in turn between the databases), the status will change to 'Failed'. This may happen when there is no communication/connection between the database of the primary server and that of the standby server.
When the connection gets re-established, data synchronization will happen and both databases will be in sync with each other. During the intervening period, those who have connected to the primary and standby will not face any disruption in service. This status is only an indication of the connection/communication between databases and does not warrant any troubleshooting.
To configure periodic status check for high availability in PAM360:
- Click High Availability from the left pane.
- Specify the number of minutes to check the status in the option Check High Availability Status Every --- Minutes.
To know more about High Availability, click here.
8. Personal Passwords
Individual users can manage their personal passwords, such as credit card PIN numbers, bank account credentials, etc., in PAM360 through the personal password management feature. This personal password management section will be visible exclusively to the individual users, and not even the Super Admin users will have access to it. To access this section, click Personal Passwords from the left pane.
8.1 Allow users to manage their personal passwords
Select this option to enable the Personal tab in which users can save their personal passwords. To disable the Personal tab, uncheck this option.
Note: In MSP editions of PAM360, only the MSP administrator can enable or disable this option.
8.2 Disable default personal categories
In the Personal tab, you will find a few default categories for various personal passwords such as bank credentials. You can disable the default categories and allow users to create their own custom categories for saving personal passwords. You can disable categories either for all organizations or for MSP organization only.
8.3 Enforce password policy for personal passwords
Enabling this option will apply the password policy selected for accounts in PAM360 to the personal passwords of users too. You can disable this option to allow users to set personal passwords without any complexity restrictions.
8.4 Allow users to choose their own passphrase
By default, when you allow users to manage their personal passwords, PAM360 will prompt them to choose a passphrase. Once set, there is no way to change or reset this passphrase.
i. Enforce users to create passphrase, which will be used as the encryption key for storing personal passwords. In addition, select the complexity rule for the passphrase
Select this option to enforce a password policy for the passphrase. By default, there are four options: low, medium, strong and an offline password file option. To create a custom password policy for personal passwords, navigate to Admin >> Customization >> Password Policies. If the chosen enterprise policy is deleted, the default password policy will be automatically chosen for passphrase complexity.
- If you do not want to enforce passphrase complexity, select [-None-] in the complexity option.
- If you do not want to enforce users to create their own encryption passphrase, uncheck this option.
9. Usage Statistics Collection
By selecting this option, you can choose to send information to ManageEngine about how the product is used. As per the product End-user License Agreement (EULA), the data collected will pertain to the license details, the configuration of the system in which PAM360 is installed, and usage statistics on the frequency of use of various features. This is a feedback mechanism to improve the product. You can uncheck the option if you don't wish to allow usage data collection.
Click Miscellaneous from the left pane; this section consists of optional customizations you can apply to PAM360 based on your requirement.
10.1 Disable SSH Keys feature
Selecting this option will disable the SSH Keys tab from your installation. However, the feature will not be removed completely; you can enable the SSH Keys tab again by deselecting this option.
10.2 Disable Certificates feature
Selecting this option will disable the Certificates tab from your installation. However, the feature will not be removed completely; you can enable the Certificates tab again by deselecting this option.
10.3 Enable Splitting of SSH and Telnet Session Recordings into Multiple Files
PAM360 offers the option to split larger session recording files from the SSH and Telnet remote sessions into several smaller files. This will ensure a smooth, uninterrupted session playback without a buffer time. Select this option to enable splitting of the session recordings.
To know more about privileged session recording, click here.
After making changes in the settings, click Save to save the changes.