Quest One Privileged Account Management Reviewer Manual Version 2.4
2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters, LEGAL Dept, 5 Polaris Way, Aliso Viejo, CA 92656, email: legal@quest.com. Refer to our Web site (www.quest.com) for regional and international office information.

Trademarks
Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions
Quest One Appliance-Based Privileged Account Management Solutions contain some third party components. Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.
Table of Contents
1.0 Introduction ... 5
2.0 Conventions Used in this Guide ... 5
3.0 Accessing TPAM ... 5
4.0 Getting Help ... 6
4.1 Online User Manuals ... 6
4.2 Help Bubbles ... 7
4.3 Customer Portal ... 7
4.4 Contacting Customer Support ... 7
5.0 TPAM Definitions ... 7
5.1 Terms ... 7
5.2 User Types ... 8
6.0 Permission Based Home Page ... 9
6.1 Recent Activity Tab ... 9
6.2 Pending Reviews Tab ... 10
7.0 Managing Your Own Account ... 10
7.1 User Time Zone Information ... 11
8.0 Session Management (PSM Reviewers only) ... 12
8.1 Replaying a Session Log ... 12
8.2 Monitoring a Live Session ... 15
9.0 Reviewing Sessions (PSM Reviewers only) ... 16
9.1 Session Review Details Tab ... 18
9.2 Session Review Responses Tab ... 19
9.3 Session Logs Tab ... 20
9.4 Reviews Tab ... 21
9.5 Reviewers Tab ... 21
9.6 Comments Tab ... 22
9.7 File Transfers Tab ... 22
10.0 Reviewing Password Releases (PPM Reviewers only) ... 23
10.1 Password Release Review Details Tab ... 25
10.2 Password Release Responses Tab ... 26
10.3 Password Release Reviews Tab ... 26
10.4 Password Release Reviewers Tab ... 27
11.0 Reports ... 27
11.1 Report Time Zone Options ... 27
11.2 Report Layout Options ... 28
11.3 Adjustable Column Widths ... 29
11.4 Report Export Options ... 29
11.5 Activity Report ... 29
11.6 PSM Accounts Inventory (PSM Reviewers Only) ... 29
11.7 Password Aging Inventory (PPM Reviewers only) ... 30
11.8 File Aging Inventory (PPM Reviewers only) ... 30
11.9 Release-Reset Reconcile (PPM Reviewers only) ... 30
11.10 User Entitlement ... 30
11.11 Password Update Activity (PPM Reviewers only) ... 32
11.12 Password Update Schedule (PPM Reviewers only) ... 32
11.13 Password Testing Activity (PPM Reviewers only) ... 33
11.14 Password Test Queue (PPM Reviewers only) ... 33
11.15 Expired Passwords (PPM Reviewers only) ... 33
11.16 Passwords Currently In Use (PPM Reviewers only) ... 34
11.17 Password Requests (PPM Reviewers only) ... 34
11.18 Auto-Approved Releases (PPM Reviewers only) ... 35
11.19 Password Release Activity (PPM Reviewers only) ... 35
11.20 File Release Activity (PPM Reviewers only) ... 35
11.21 Windows Domain Account Dependencies (PPM Reviewers only) ... 36
11.22 Auto Approved Sessions (PSM Reviewers only) ... 36
11.23 PSM Session Activity (PSM Reviewers only) ... 36
11.24 PSM Session Requests (PSM Reviewers only) ... 36
1.0 Introduction
Total Privileged Access Management (TPAM) is a robust collection of integrated modular technologies designed specifically to meet the complex and growing compliance and security requirements associated with privileged identity management and privileged access control.

The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM is a repository where these account passwords are stored until needed, and released only to authorized persons. Based on configurable parameters, the PPM module will automatically update these passwords.

The Privileged Session Manager (PSM) module provides a secure method of connecting to remote systems, while recording all activity that occurs to a session log file that can be replayed at a later time. All connections to remote systems are proxied through the Privileged Account Management (PAM) appliance, ensuring a secure single access point.

2.0 Conventions Used in this Guide
Element: Convention
(new-feature symbol): Wherever this symbol is displayed it means there is new functionality or an entirely new feature being discussed.
Bold: Elements that appear in the TPAM interface such as menu options and field names.
Italics Text:
Note!: Used to highlight additional information pertinent to the process being described.
Tip!: Used to provide best practice information. A best practice details the recommended course of action for the best result.
Alert!: Important information about features that can affect performance, security or cause potential problems with your appliance.

3.0 Accessing TPAM
To access TPAM, point your browser to TPAM's IP address or FQDN followed by /egp or /par. For example, if the IP address for TPAM has been configured as 192.168.1.100, the URL would be https://192.168.1.100/egp/. The initial TPAM administrator account is called paradmin and the initial password is provided with your licensing information.

Note! For additional information and instruction on the initial configuration of the appliance, see the Quest One Privileged Account Management Configuration and Administration Manual.

Connectivity
To communicate with the TPAM appliance and successfully initiate a session, your computer must be able to pass traffic to it on ports 443 (HTTPS) and 22 (SSH). If TPAM will be accessed via Microsoft Internet Explorer (IE), there are two important settings to verify or change in the IE configuration:

Pop-Up Blocker
When the /par website is accessed, the initial instance of the browser is closed and a new window opens without menu or title bars. Browsers that are configured to block pop-ups often interpret this as a pop-up and the page will not be displayed. Be sure to add the URL for TPAM to the list of allowed pop-ups. Tip! Holding the Ctrl key will temporarily allow pop-ups.

User Authentication Settings
It may also be necessary to modify the User Authentication option of the IE Security Settings. The recommended setting is Prompt for user name and password. With a setting of Automatic logon, IE may silently send the workstation or domain credentials to TPAM instead of your TPAM credentials. TPAM rejects these, and the resulting logon failures may lock out the user's TPAM account.

4.0 Getting Help
4.1 Online User Manuals
To access online user manuals, click the Documents list located in the upper right hand corner of the application. The manuals that are available to you are based on your user type and the permissions assigned to your UserID.
4.2 Help Bubbles
Throughout the application you will also notice help bubbles next to many of the fields. If you hover the mouse over a bubble, a pop-up window provides a brief explanation of what the field is used for.

4.3 Customer Portal
The Quest Software Customer Portal is where you can find product updates, user manuals, WebEx demos and FAQs. To access the Portal you will need a username and password from the Quest Software Technical Support group. To log in, go to https://hq01.e-dmzsecurity.com/edmzcust.

4.4 Contacting Customer Support
Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.
SupportLink: www.quest.com/support
Email: support@quest.com
You can use SupportLink to create, update, or view support requests.

5.0 TPAM Definitions
5.1 Terms
5.1.1 System
A system is a host computer, network device, or workstation for which one or more account passwords will be maintained. It is also referred to as the managed system.
5.1.2 Collection
A collection is a logical association of systems. In v2.4 collections can also include Accounts and Files. Permissions can be granted to a collection, and all systems contained in the collection, or later added to it, inherit those permissions. A system can belong to multiple collections. A System cannot be in the same collection as any of its Accounts or Files.

5.1.3 UserID
A UserID is a user of the TPAM appliance. At the time the UserID is created the interface (Web or CLI/API) must be determined and cannot change. There are different types of UserIDs (Basic, UserAdmin, Auditor, Administrator and Cache User). See section 5.2.

5.1.4 Group
A Group is a logical association of UserIDs. Groups ease the burden of assigning Access Policies on systems or collections to users: Access Policies assigned to a group are inherited by all members of the group. When a user is added to a group they immediately receive all permissions assigned to the group, and all permissions received through the group are revoked when the user is removed from it. Users can be members of multiple groups.

5.1.5 Managed Account
This is the account on the remote system to which a proxied connection can be made and/or whose password is being stored and maintained through the PPM portion of TPAM. For example, root is likely to be a managed account on many of the managed UNIX systems.

5.2 User Types
5.2.1 Basic
A Basic user type can be assigned permissions for various functions throughout the application, such as requestor, reviewer, etc.

5.2.2 Administrator
The Administrator is the most powerful user type for the TPAM User Interface. This user type can create and delete systems, users, groups, and collections. The administrator user type may also assign access policies to any user, including themselves. An administrator may view all reports. It is recommended that this user type be assigned carefully.
The Administrator may not delete or disable their own user ID.

5.2.3 Auditor
The auditor user type permits the individual to view reports, session logs and system information, but not to make any changes to data or view passwords. The Auditor may not delete or disable his own account. Auditors may also review completed password and session requests.

5.2.4 User Administrator
This user type has the authority to manage Basic user types. User Administrators can disable and enable users, unlock user accounts, and update account information. The User Administrator does not have the ability to add users to groups or manage permissions. CLI/API user accounts cannot be managed by a User Administrator.

5.2.5 Cache User
If your company opted to purchase cache servers along with TPAM you will be setting up cache user types. A cache user can only retrieve passwords through the cache server to which they are assigned. A cache user will not have access to the TPAM interface.

6.0 Permission Based Home Page
Your home page is based on the user type and permissions assigned to your user ID in the TPAM application. You can return to the home page from anywhere in the TPAM application by clicking the home icon located on the far left side of the menu ribbon.

Note! The screen shots in this manual represent a UserID that has been assigned a Global Reviewer Access Policy. The screens that you see when you log into the /par interface may or may not have all of these options, depending on your permissions.

The first tab that displays is the default message of the day, which is configured through the TPAM Administrative interface.

6.1 Recent Activity Tab
The Recent Activity tab shows all of your activity in TPAM for the last 7 days.
6.2 Pending Reviews Tab
If you are an eligible reviewer for any password releases or sessions, you will see the Pending Reviews tab on your home page. Any password releases or sessions that are pending review are listed on this tab. Clicking a request ID takes you directly to the Password Release Review Details or Session Review Details tab. To use the auto-refresh option, check the box and enter the number of minutes between screen refreshes.

7.0 Managing Your Own Account
Any user may change their password and update individual account details using the My Info menu option. To reset your own password, select My Info > Change Password from the menu. Enter the existing password, the new password desired, and confirm the new password. User passwords are subject to the requirements of the Default Password Rule.

Other individual account information, such as contact information, can also be self managed. Select My Info > User Details from the menu to make modifications to your own account information. A user may not modify the UserID, Last Name, or First Name fields.

7.1 User Time Zone Information
You can edit your time zone information through the My Info > User Details menu option. The TPAM administrator is also able to edit your time zone. If you are in the same time zone as the server and follow the same Daylight Saving Time (DST) rules, select the first radio button. If you are in a different time zone and/or follow different DST rules and do not want to follow server time, select the second radio button and choose the appropriate time zone from the list. With this option most dates and times that you see in the application or on reports are converted to your local time. Where a date or time still reflects server time, this is noted on the screen.

Note! If the Sys-Admin has disabled user time zone changes in the paradmin interface, the User Time Zone Information block shown above is visible only to Administrator users.

Example: The TPAM appliance is located in New York, NY on Eastern Time. The user is located in Los Angeles, CA, on Pacific Time. If the user sets their time zone to Pacific Time, any requests, approvals, etc. that they make are shown to them in Pacific Time, and they have the option to view some reports in their local time zone. A TPAM Administrator in the Eastern Time zone sees this user's transactions stamped with Eastern Time.

Alert! If you are in Daylight Saving Time (DST) you must remember to check the DST box, and uncheck it when DST is over. This box is NOT changed automatically for you. Until it is corrected, the local times shown to you and the local-time date filters you enter on reports are converted with an offset that is one hour out.

You will be automatically redirected to the User Details page when attempting a new transaction if:
- The server has undergone a DST transition since your last activity.
- The time zone on the server has been changed since your last activity.
- The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft's time zone updates.

The server time is shown at the bottom left of your screen and your local GMT offset (if different from the server) at the bottom middle. Times are listed in reference to GMT (Greenwich Mean Time), using a +/- notation to indicate the number of hours ahead of or behind GMT. For example, US Eastern Standard Time is 5 hours behind GMT, or GMT -05:00; New Delhi, India is 5 1/2 hours ahead, or GMT +05:30.

8.0 Session Management (PSM Reviewers only)
The Session Management menu provides access to session logs and the ability to play back previous sessions to systems. This answers the critical auditing question for privileged account access: what did they do? All user actions, whether performed via keyboard or mouse, are recorded.
8.1 Replaying a Session Log
Select Session Mgmt > Session Logs from the menu.

Use the filter criteria to limit the list of session logs to those desired. From the Listing tab select the desired session to replay and click the button.

Note! If the session log is stored on an archive server there may be a delay while TPAM retrieves the log from its remote storage location.

The remote access session is displayed and played back in real time. The playback may be paused and resumed, moved ahead or back at increased speed, or played continuously at various speeds.

8.1.1 Using the session playback controls
The controls at the bottom of the session replay window allow the speed of the playback to be changed, ranging from 1/2 normal speed to 16 times normal speed. Replay may be paused at any point.

The session playback toolbar contains both session information and playback controls:
- Session system: the name of the remote system to which the session was established.
- Session UserID: the name of the remote account used to access the system during the session.
- Slider control: displays the current position of playback and, when the session is paused, allows a new position to be selected. To reposition session replay, pause the session, move the slider to the desired spot, and resume playback using the pause control. The session playback then moves at maximum speed to the desired playback position.
- Session time position: shows the time position being displayed in relation to the session length: current position / total session time.
- Pause control: when green the session is playing; when red the session is paused. To pause or resume playback, click the control.
- Loop button: sets the session to replay over and over.
- .5x, 1x, 2x, 4x, 8x, 16x: play the session at 1/2, 1, 2, 4, 8 or 16 times normal speed (1x is real time).

Note! The session time position is based on network packet timestamps. This means that the playback control slider may appear to move in an uneven fashion depending on the data density of each packet, especially for very short recorded sessions. If for some period of time there is minimal activity followed by a flurry of dialog box openings and keystroke input, this causes uneven slider movement. Longer session files tend to provide smoother slider movement.

If a file was transferred during the session you are replaying, you can view information about that file on the File Transfers tab.
8.2 Monitoring a Live Session
You have the ability to monitor a session as it is being recorded. The user running the session has no indication that their session is being watched. To monitor a live session select Session Mgmt > Session Logs from the menu. Use the filter criteria to limit the list of session logs to those desired.

Any live sessions display Connected in the Status column. Select the session you want to view and click the button. Any user that has permission to play back a session log for an account also has permission to monitor a live session for that account.

9.0 Reviewing Sessions (PSM Reviewers only)
Review Requirements can be configured for sessions on particular accounts. If you are designated as a reviewer for a session and a session is pending review, you receive an e-mail notification. To review the session, select Review > PSM Session from the menu. Enter the filter criteria for the session you want to review. Note that you have the option to filter by Review Status.

Select the session you want to review from the Listing tab and click on the Details tab.
9.1 Session Review Details Tab
If the session you are reviewing was part of a multiple session request, you have the option of reviewing all of these sessions at one time. By selecting each individual Request ID, the Details tab gives you the summary information about each session, such as when the review must be completed by, how many reviews are required, and the start and end date of the session. If provisional validation was enabled for the ticket system assigned to this account, the Details tab shows a note to that effect when you review the session request.

Enter your comments in the Review Comment text box. Check the Apply Review box for each review you want these comments applied to. You have the option to enter comments and save them before officially marking the session as Reviewed; to do this click the save button. This adds your comment to the Reviews tab, but the session review is not flagged as complete. Every time you submit a comment for the session, the Reviews Submitted field increases. Once you are done entering comments and ready to mark the session as reviewed, click the button that completes the review. The session is not flagged as reviewed until this button has been clicked.

Note! You will not be permitted to Complete the Review unless you have replayed at least one of the session logs from each session request.

9.2 Session Review Responses Tab
The Responses tab gives visibility to the approval comments made by anyone who approved this request, and any comments the requestor made if they expired the request early.

9.3 Session Logs Tab
To actually play back the session you need to review, click on the Session Logs tab. Select the session from the list and click the button to play back the session. If a file transfer took place during the session, the number of files transferred is shown in the File Transfer column of the Session Logs tab. To view details about the file transfer, click on the session and then click the File Transfers tab.

9.4 Reviews Tab
To see any comments entered by a reviewer, click on the Session Reviews tab.

9.5 Reviewers Tab
To see a list of other users eligible to review the session, click on the Reviewers tab.

9.6 Comments Tab
Users that have review permissions on the system, as well as the requestor for a session, have the ability to enter comments regarding the session. These comments do not flag a session as being reviewed, but may be informative to the user assigned to formally review the session. To enter session comments, select the session from the Session Logs tab and then click on the Comments tab. Enter your comments into the New Comment box and click the button. The comments are placed in a list above the New Comment box.

9.7 File Transfers Tab
If a file was transferred during the session you are reviewing, you can view information about that file by selecting a session from the Session Logs tab and then clicking on the File Transfers tab.
10.0 Reviewing Password Releases (PPM Reviewers only)
You have the ability to review password releases. If a password release is pending your review, you receive an e-mail notification. To review password releases select Review > Password Releases from the main menu. Enter the filter criteria for the password release you want to review. Note that you have the option to filter by Review Status.

A password release only appears for review if all three conditions hold: reviews are required at the account level, the requestor actually accessed the password, and the password request has expired. A request that was approved but whose password was never retrieved does not generate a review.

Select the password release you want to review from the Listing tab and click the Details tab.

10.1 Password Release Review Details Tab
If the password release you are reviewing was part of a multiple password request, you have the option of reviewing all of these password releases at one time. By selecting each individual Request ID, the Details tab gives you the summary information about each password release, such as when the review must be completed by, how many reviews are required, and the request expiration date. If provisional validation was enabled for the ticket system assigned to this account, the Details tab shows a note to that effect when you review the password release.

Enter your comments in the Review Comment text box. Check the Apply Review box for each review you want these comments applied to. You have the option to enter comments and save them before officially marking the password release as Reviewed; to do this click the save button. This adds your comment to the Reviews tab, but the password review is not flagged as complete. Every time you submit a comment for the release, the Reviews Submitted field increases. Once you are done entering comments and ready to mark the password release as reviewed, click the button that completes the review. The password release is not flagged as reviewed until this button has been clicked.

10.2 Password Release Responses Tab
The Responses tab gives visibility to the approval comments made by anyone who approved this request, and any comments the requestor made if they expired the request early.

10.3 Password Release Reviews Tab
To see any comments entered by a reviewer, click the Password Reviews tab.

10.4 Password Release Reviewers Tab
To see a list of other eligible reviewers for this password release, click the Reviewers tab.

11.0 Reports
TPAM includes a number of pre-defined reports to aid in system administration, track changes to objects, and provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports can be filtered by criteria that are specific to each report type.

Note! Access to different reports is based on the user's permissions. Only TPAM Administrators and Auditors have access to all reports.

11.1 Report Time Zone Options
There are time zone filter parameters on most of the reports so that the user can choose to view the report data in their local time zone or the server time zone. These filter parameters are only visible if the user is configured with a local time zone. This filter affects not only the data reported but also the filter dates used to pull the data. For example, the server is at GMT and the user is in Athens, Greece (GMT +2). When the user enters a date range of 9/16/2009-9/17/2009 with the local time zone option, the report pulls transactions that happened on the server between 9/15/2009 22:00 and 9/17/2009 21:59.
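The conversion described in the Athens example, worked through in code. This is an added example and not TPAM's own code; the helper names are this example's own and the sample release rows are constructed. It models the user's setting the way section 7.1 describes it, as a fixed GMT offset plus the manually ticked DST box, so the second run shows how a stale DST box moves the query window by an hour and changes which rows the report returns.

```python
from datetime import date, datetime, time, timedelta, timezone

# Hypothetical helpers (not TPAM code). TPAM stores a user's base GMT offset
# plus a manually ticked DST box (section 7.1); the box adds one hour and is
# never adjusted automatically, so it is modelled here as a fixed offset.
def user_zone(gmt_offset_hours, dst_checked=False):
    extra = timedelta(hours=1) if dst_checked else timedelta()
    return timezone(timedelta(hours=gmt_offset_hours) + extra)

def gmt_label(tz):
    """Render an offset in the 'GMT -05:00' / 'GMT +05:30' form shown on the TPAM footer."""
    off = tz.utcoffset(None)
    sign = "-" if off < timedelta() else "+"
    minutes = abs(int(off.total_seconds())) // 60
    return f"GMT {sign}{minutes // 60:02d}:{minutes % 60:02d}"

def server_window(start, end, user_tz, server_tz):
    """Inclusive local date range from the report filter -> server-time query window."""
    first = datetime.combine(start, time.min, tzinfo=user_tz)
    last = datetime.combine(end, time(23, 59, 59), tzinfo=user_tz)
    return first.astimezone(server_tz), last.astimezone(server_tz)

def select_rows(rows, start, end, user_tz, server_tz):
    """Apply the window to rows stamped in naive server time, returning
    (request_id, local_time_string) for the rows that fall inside it."""
    lo, hi = server_window(start, end, user_tz, server_tz)
    picked = []
    for req, stamp in rows:
        stamped = stamp.replace(tzinfo=server_tz)
        if lo <= stamped <= hi:
            picked.append((req, stamped.astimezone(user_tz).strftime("%Y-%m-%d %H:%M")))
    return picked

# Constructed sample: four password releases stamped in server time (server at GMT).
SAMPLE_ROWS = [
    ("REQ-1", datetime(2009, 9, 15, 21, 30)),
    ("REQ-2", datetime(2009, 9, 15, 22, 30)),
    ("REQ-3", datetime(2009, 9, 17, 21, 30)),
    ("REQ-4", datetime(2009, 9, 17, 22, 30)),
]

def demo():
    server = timezone.utc
    athens = user_zone(2)                        # GMT +02:00, DST box clear
    athens_dst = user_zone(2, dst_checked=True)  # same user with the DST box ticked
    start, end = date(2009, 9, 16), date(2009, 9, 17)
    lo, hi = server_window(start, end, athens, server)
    return {
        "label": gmt_label(athens),
        "label_dst": gmt_label(athens_dst),
        "window": (lo.strftime("%Y-%m-%d %H:%M:%S"), hi.strftime("%Y-%m-%d %H:%M:%S")),
        "rows": select_rows(SAMPLE_ROWS, start, end, athens, server),
        "rows_dst": select_rows(SAMPLE_ROWS, start, end, athens_dst, server),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the DST box clear the window is 9/15 22:00 to 9/17 21:59:59 server time, exactly as in the manual's example, and REQ-2 and REQ-3 are returned. With the box ticked the offset becomes +03:00, the window slides back an hour, REQ-1 enters the result and REQ-3 drops out, which is why a reviewer relying on local-time filters should confirm the GMT offset column on the report matches the offset they expect.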
All reports that use the local time zone filter have an extra column indicating the GMT offset that was used to generate the report. This value is either the current GMT offset of the server or that of the user. This column also appears in reports exported to Excel or CSV.

11.2 Report Layout Options
The user can select which columns to display on the report by clicking on the Report Layout tab. The user can also decide which column the report is sorted by, by clicking the radio button in the Sort Column. Also note the Max Rows to Display list. This limits the number of rows returned on the report even if more rows meet the filter criteria, so check this setting before treating a report as a complete audit listing.

11.3 Adjustable Column Widths
The user can adjust the width of any column on a report by hovering the mouse over the column edge, holding down the left mouse button, and dragging to the desired width.

11.4 Report Export Options
In addition to exporting the report to an Excel formatted file, the user can also export it in CSV (comma separated value) format.

Alert! If you expect your report results to exceed 64,000 rows you must use the CSV export option. The Export to Excel option exports a maximum of 64,000 rows!

11.5 Activity Report
The Activity report contains a detailed history of all changes made to TPAM.

11.6 PSM Accounts Inventory (PSM Reviewers Only)
The PSM Accounts Inventory report shows a list of all accounts that are PSM enabled.
11.7 Password Aging Inventory (PPM Reviewers only)
The Password Aging Inventory report displays a list of all managed systems, and all accounts on those systems that are managed by PPM.

11.8 File Aging Inventory (PPM Reviewers only)
Similar to the Password Aging Inventory report, the File Aging Inventory report displays a list of securely stored files and the systems for which they are managed.

11.9 Release-Reset Reconcile (PPM Reviewers only)
The purpose of the Release-Reset Reconcile report is to provide auditable evidence that passwords have been reset appropriately after being released. The report can be filtered by date or date range, and sorted by system name, RequestID, or first release date.

11.10 User Entitlement
In v2.4 the Password, EGP and File User Entitlement reports were merged into one User Entitlement report with additional filters. This report provides a mechanism to review and audit individual users' permissions for systems, accounts, commands and files on an enterprise scale. Based upon the selected filter criteria, the report shows each user and their permissions to each system, whether based upon Collection, Group, or individual assignment. To reduce the size of the report for large organizations where numerous systems belong to collections, use the filters provided, such as Show Only Effective Permissions. The checkboxes and radio buttons have the following effects on the report:

- Expand Collections to show all Systems, Accounts, & Files? When checked, the report expands any retrieved Collection-level permissions to show all the Systems, Accounts, and Files in the collection. Permissions at the Collection level are indicated by the presence of the Collection Name as well as the Permission Source column. When not checked, only the Collection itself is shown.
- Expand Groups to show all Users? When checked, the report expands any retrieved Group to show all users within the group. Permissions at the Group level are indicated by the presence of a Group name as well as the Permission Source column. When not checked, only the Group itself is shown.
- Expand Access Policies to show policy permissions details? When checked, the Access Policy for each row is expanded to show the Permission Type (Password, Session, etc.) and Permission Name (Requestor, Approver, etc.) for all detail rows of each Access Policy. When not checked, only the Access Policy Name is displayed.
- Show All Permissions: when this radio button is selected, the report shows all possible policies for each assignee (User or Group) to each entity (System, Account, File, or Collection) with the effective permission indicated.
- Show Only Effective Permissions: when this radio button is selected, the report shows only the effective permission for each assignee to each entity.

Alert! If you select any of the Expand options you must fill in at least one of the text filters with a non-wildcard value. For very large data sources the expansion of Collections, Groups, and/or Access Policies can easily create a report beyond the retrieval and display capabilities of a web browser. For large datasets (tens of thousands of accounts or thousands of large collections to expand) it is recommended to rely on the Data Extracts for unfiltered versions of the Entitlement report.

11.11 Password Update Activity (PPM Reviewers only)
The Password Update Activity report is an audit-trail report containing detailed records of all password modifications to all systems managed by PPM.

11.12 Password Update Schedule (PPM Reviewers only)
The Password Update Schedule report shows all currently scheduled password changes and the reason for each change, such as a change due to default change settings or in response to a password release.
11.13 Password Testing Activity (PPM Reviewers only)
The password testing activity report shows the results of automated testing of each managed account's password.

11.14 Password Test Queue (PPM Reviewers only)
The password test queue report lists all accounts currently queued for password tests. This is a useful report to view when troubleshooting performance-related issues: a high number of queued password tests can impact system response time if the check agent is running. This report does not provide a mechanism for exporting data, but it does allow deleting passwords from the test queue. So if there is a known reason why a large group of password tests will fail, such as a network outage, that group can be filtered out in the report and then deleted. An alternative is to simply stop the check agent.

11.15 Expired Passwords (PPM Reviewers only)
This report allows you to report on currently expired passwords, or on passwords that are going to expire within a certain date range. You can also filter based on whether the system/account has password management enabled or set to manual. In v2.4 we added a Reason Code column to the report.
11.16 Passwords Currently In Use (PPM Reviewers only)
This report defines In Use as passwords that:
- Have been retrieved by the ISA/CLI/API and have not yet been reset
- Have been requested and retrieved, but not yet reset
- Have been manually reset from the Account Details or Password Management pages but not yet reset by PPM
- Have been manually entered on the Account Details page but not reset by PPM
- Were assigned by the user when the account was created, either from the TPAM interface or as a result of Batch Import Accounts (as opposed to allowing the system to generate a random password)

Passwords manually changed prior to TPAM 2.1.711 will not show as IN USE.

11.17 Password Requests (PPM Reviewers only)
This report allows you to view all password requests within a specified time period and view details relating to each request. Selecting a row in the report and clicking on the Responses, Reviews and Releases tab gives you additional details on the request. In v2.4 we added a Reason Code column to the report.
11.18 Auto-Approved Releases (PPM Reviewers only)
Password and stored file releases made by requestors that did not require dual-control approval (auto-approved requests) may be reviewed in the Auto Approved Releases and Auto Approved File Releases reports.

11.19 Password Release Activity (PPM Reviewers only)
The password release activity report displays a history of password releases, based upon the filter criteria selected for the report. The reason text and ticket system information are also provided in the report. In v2.4 we added a Reason Code column to the report.

11.20 File Release Activity (PPM Reviewers only)
The file release report is essentially identical to the password release report, but shows the release activity associated with stored files. In v2.4 we added a Reason Code column to the report.
11.21 Windows Domain Account Dependencies (PPM Reviewers only)
This report shows which managed domain accounts have dependencies on other systems.

11.22 Auto Approved Sessions (PSM Reviewers only)
This report lists all sessions that were auto-approved because the account had no approvals required for session requests.

11.23 PSM Session Activity (PSM Reviewers only)
This report shows the details of any sessions that occurred within a specified time period or for a specific system/account. In v2.4 we added a Reason Code column to the report.

11.24 PSM Session Requests (PSM Reviewers only)
This report allows you to view all session requests within a specified time period and view details relating to each request. Selecting a row in the report and clicking on the Responses, Reviews and Releases tab gives you additional details on the request. In v2.3.765 we added a Reviews Required column to this report. In v2.4 we added a Reason Code column to the report.