Configure live session monitoring

This topic describes how to enable and disable active session monitoring.

Overview

Authorized users can monitor active sessions from their workstation and take part in controlling these sessions. Users can also suspend or terminate active sessions based on their group assignment.

By default, active session monitoring is enabled at system level for all authorized users, and can be disabled at platform level. Active session monitoring can also be disabled at system level, but when it is disabled, it cannot be enabled at platform level.

Authorized users monitor or terminates an active session using the same connection method (RDP file or HTML5 Gateway) as the end user.

Required permissions for the Monitoring page

Users must be part of the Auditors group or members in the relevant Account Safes and Recording Safes with the following authorizations:

Safe type	Permissions
Account Safes	List accounts/files This authorization specifically enables users to access recordings from the Account Details page. View audit
Recording Safes	Retrieve accounts/files List accounts/files View audit

Active session monitoring settings

You can enable or disable active session monitoring and set the control level that authorized users will have.

Configure active session monitoring

In the Privilege Cloud Portal, click Administration > Configuration Options.
In the left pane, go to Configurations > Privileged Session Management > General Settings > Server Settings> Live Sessions Monitoring Settings.

In the Properties pane, enter the following information, and then save your changes:

Property	Description
AllowMonitor	Permits authorized users to monitor active sessions. Set value to Yes or No. The exact monitoring task is determined by the MonitoringLevel property.
MonitoringLevel	Specifies the monitoring task that authorized users can perform. Available options: View – Users can view active sessions from their own workstation, but cannot participate in the session. Control – Users can participate in active sessions and can control them in the same way as the original user.
AllowTerminate	Permits authorized users to terminate active sessions.
AllowPSMNotifications	To enable users to manually suspend a session, set to Yes.

Enable users and groups to suspend or terminate a session

When active session monitoring is enabled, you can decide which users and groups can suspend and terminate a session.

By default, users who belong to the following group can suspend or terminate sessions:

PSMLiveSessionTerminators

To enable users to suspend or terminate a session, you can either add them to this existing group or add a new group in the Configuration Options.

To add a new group or user to the Configuration Options

In the Privilege Cloud Portal, click Administration > Configuration Options.
In the left pane, go to Configurations > Privileged Session Management > General Settings > Server Settings> Live Sessions Monitoring Settings.
Right-click either Terminating Live Sessions Users and Groups or Suspending Live Sessions Users and Groups, and then click Add User or Group.
In the Properties pane, enter the name of the user or group you want to enable, and then save your changes.

Enable or disable active session monitoring at the platform level

You can override active sessions monitoring settings in individual platforms. you can determine whether or not authorized users can or cannot monitor active sessions during privileged sessions that use accounts managed by specific platforms, regardless of the general active sessions monitoring settings.

When active session monitoring is disabled at system level, it cannot be enabled at platform level.

To monitor active sessions at platform level, users require the Safe ownership and permissions listed above in Configure live session monitoring.

Enable or disable active session monitoring at platform level

In the Privilege Cloud Portal, click Administration, and then click Platform Management.
Click the platform type that you want to edit: Targets, Dependents, Groups, or Rotational Groups.
Select the platform, click the ellipsis button next to that platform, and then click Edit.
In the left pane, expand UI & Workflows, right-click Privileged Session Management and select Add Override Live Sessions Monitoring Settings.

In the Properties pane, enter the following information, and then save your changes:

Property	Description
AllowMonitor	Whether or not authorized users can view or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings.
AllowTerminate	Whether or not authorized users can terminate active sessions that use accounts managed by this platform.

Configure live monitoring notifications

When authorized users begin monitoring an active session, a notification can be displayed to indicate the session is being monitored. This is configured separately for each platform.

When authorized users suspend an active session, a notification is displayed.

This notifications are displayed at the bottom right corner of the remote active session window.

To configure an active session monitoring notification

In the Privilege Cloud Portal, click Administration, and then click Platform Management.
Click the platform type that you want to edit: Targets, Dependents, Groups, or Rotational Groups.
Select the platform, click the ellipsis button next to that platform, and then click Edit.
In the left pane, go to UI & Workflows > Privileged Session Management.

In the Properties pane, enter the following information, and save your changes:

Property	Description
ShowLiveMonitoringNotification	Whether or not authorized users can view or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings.
LiveMonitoringNotificationDisplayTime	Time in seconds to display the alert during active sessions, indicating that this session is being monitored. Specify ‘0’ (zero) to display it indefinitely. The default value is 5 seconds.