SSH Commands Access Control

SSH commands white-listing or black-listing (Commands Access Control) in PSM gives an organization the ability to block unauthorized SSH commands if attempted to be executed by a privileged user on a network, security or other device or any SSH-based target system.

Users can connect transparently to a target system or device through the PSM, and run specific commands on the target according to the user’s permissions and the allowed commands as defined by the organization's security policy in the Vault. Unauthorized commands will be blocked and will not be sent to the target.

The solutions’ architecture does not require installation of an agent on the target machine or device. Instead, PSM can recognize the command the user entered by analyzing the output of the terminal channel.

The solution aims to prevent user errors and provide a basic ability to block unauthorized commands, especially where agents cannot be installed due to an organizations’ policy or environment requirements (for example, when restricting access to a network or security devices).


Universal keystroke recording cannot be applied with Commands Access Control in PSM.

For considerations when using Command Access Control, descriptions on how to enable, configure and manage ACLs, and how to modify and delete Commands Access Control, refer to the following section SSH Commands Access Control.

TruePrivileged Access Security11.1