Privileged Session Management Interface
The Privileged Session Management UI parameters of the Configuration Options determine how PSM-related items are displayed in the PVWA, as well as the user experience during PSM sessions.
User experience
The following general Privileged Session Management UI parameters configure the user experience for PSM sessions and define which method is used to establish the connection:
Parameter | Description |
---|---|
UseRemoteApp | This parameter determines whether or not PSM sessions are displayed in a standard client window, facilitating an intuitive user experience. This is only relevant when PSM connections are established using an RDP file. You can disable RemoteApp user experience for each connection component by setting the parameter DisableRemoteApp for the relevant connection component. |
You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway. With HTML5 connections, the session to the remote machine is displayed in a browser regardless of the settings in the table above.
Requirements for PSM connection using an RDP file
- Requires PSM 9.2 or later and Vault/PVWA 9.2 or later.
- RemoteApp user experience requires RDP client v6.1.7601 or above (RDP protocol version v7.1 or later) on end user machines.
Enable multiple monitors
Use the native span method to extend a Remote Desktop Connection across multiple monitors to benefit from extra desktop space and a near-seamless experience with the client desktop.
For details on the native span method, see https://www.nextofwindows.com/how-to-use-dual-monitors-in-remote-desktop-session-on-windows-7.
To enable your users to extend their desktop over multiple screens during an RDP session, enable the RemoteApp user experience by doing the following:
- In the PVWA go to Administration > Options > Configurations > Privileged Session Management UI and verify the following property settings:
Property | Setting |
---|---|
NonIERemoteDesktopAccess | RDPFile |
UseRemoteApp | Yes |
- Go to Administration > Options > Configurations > Connection Components > PSM-RDP > Component Parameters and verify the following:
Property | Setting |
---|---|
DisableRemoteApp | No |
- Go to Administration > Options > Configurations > Connection Components > PSM-RDP > Target Setting > Client Specific. Right-click, select Add Parameter:
Property | Setting |
---|---|
EnableMultiMonitor | Yes |
If you are working with the RemoteApp UX and you have enabled session video recording, PSM performance is affected by the client machine's resolution. This means as the number of screens on the client machines increases, PSM can support fewer concurrent sessions.
View high risk sessions
PSM can integrate with CyberArk Privileged Threat Analytics (PTA) in order to analyze the details of PSM privileged sessions and user activities in each session. The PTA receives details of each session and analyzes them, and then assigns a risk score. This score is sent to the Vault when it is created and when it is updated in real time as the session proceeds. The risk score is displayed in the PVWA MONITORING page, in the PSM recordings details for active sessions and for privileged sessions that have already finished. For more information about PTA functionality and risk scores, refer to the PTA Implementation Guide.
The following workflow describes how to configure PSM to integrate with PTA and display risk scores for privileged sessions.
1. Configure PSM connections so that users can access remote machines through the PSM.
2. Make sure that PSM detailed audit capabilities are enabled. For more information, refer to Configure detailed audit in PSM.
3. Install PTA and configure it to integrate with PSM. For more information, refer to the PTA Implementation Guide.
4. In the PVWA, configure PSM integration with PTA:
   a. Click ADMINISTRATION, then in the System Configuration page, click Options; the Web Access Options page appears.
   b. Display the Privileged Session Management UI parameters and configure the following property:
Property | Description |
---|---|
PSMandPTAIntegration | The parameter determines whether or not security incident data received from PTA will be displayed. This includes the risk score column in the Sessions List and the incident details in the Recording Details page. |
5. Define the Security Incident details that will be displayed in the Recording Details page and the Active Sessions page.
   a. Under the Privileged Session Management UI parameters, expand the Recording Details parameters, and then Recordings Security Incidents Properties.
   b. Select the Displayed Properties parameters, and set the following properties:
Property | Description |
---|---|
IncidentName | The name of the security incident. Default value: Name |
IncidentID | The unique ID of the security incident. Default value: ID |
IncidentLink | A link to the PTA page that displays more information about the security incident. Default value: URL |
RiskScore | The risk score that was allocated to the security incident. Default value: Risk Score |
IncidentStartDate | The date and time when the security incident began. Default value: Incident Start Date |
Activity | The activity that caused a security incident. Default value: Highest Risk Activity |
ActivityOffset | The length of time after the privileged session started that the risk activity was performed. Default value: Activity Offset from Start of Session |
6. Click Apply to save these configurations and apply them.
Search for session recordings
Search Session Recordings
These parameters, in the Privileged Session Management UI parameters, configure the Search for Sessions page.
The following General parameters configure the search criteria that users can specify in order to locate session recordings.
Parameter | Description |
---|---|
DefaultFilterByDates | Determines whether or not the ‘Filter by dates’ section is enabled. By default, this parameter is set to ‘No’. |
DefaultFromTime | Specifies the default filter time for the search if a ‘From date’ is specified. By default, searches include recordings that occurred after 08:00. |
DefaultToTime | Specifies the default filter time for the search if a ‘To date’ is specified. By default, searches include recordings that occurred before 23:45. |
DisplaySafeInSearch | Determines whether or not an additional text box is displayed in the search bar to enable users to specify a Safe pattern. This is used to filter Safes during a search. By default, this parameter is set to ‘No’. |
OptimizeRecordingsSearch | Specifies whether or not recording searches are optimized. Specify ‘Yes’ to enable faster searches, with the following limitations: |
Recordings Displayed Columns
These parameters define the columns displayed in the list of recordings as a result of the search process.
Parameter | Description |
---|---|
SortBy | Specifies the name of the column by which to sort the recordings displayed in the search results. By default, the recordings are sorted by the Safe column. |
The specified columns are properties of the password or recording. By default, the following columns can be specified to locate session recordings:
The following parameters define each column that is displayed:
Parameter | Description |
---|---|
Name | Specifies the name of the property that is displayed in this column. |
DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column is visible. |
View recording details
These parameters, in the Privileged Session Management UI parameters, configure the Recording Details page.
The parameters define the buttons that appear on the toolbar in the Recording Details page. You can specify the name of each button and whether or not it is displayed.
Parameters | Description |
---|---|
Recording Descriptor Properties | Define the recording properties that comprise the display name of the PSM recordings. You can specify the name of each property and whether or not it is displayed. |
Recording Details Properties | Define the recording properties that are displayed in the Recording Details page. You can specify the name of each property, the display name, and whether or not it is displayed. |
Recording Details Password Properties | Define the properties that are displayed for the password that was used during the recording session. You can specify the name of each property, the display name, and whether or not it is displayed. |
Toolbar Actions Recording Details Tabs | Define the tabs that are displayed in the Recording Details page. For each tab, you can specify the following: |
View account recordings
The Account Details Session Recordings parameters, in the Privileged Session Management UI parameters, define the columns that are displayed in the Recordings tab in the Account Details page.
The SortBy parameter specifies the name of the column by which to sort the recordings in the tab. By default, the recordings are sorted by the Safe column.
You can specify the following parameters for each column:
Parameter | Description |
---|---|
Name | Specifies the name of the property that is displayed in this column. |
DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column is visible. |
Display active sessions
The following Active Sessions Displayed Columns parameters define the columns displayed in the list of active sessions.
The SortBy parameter specifies the name of the column by which to sort the sessions. By default, the sessions are sorted by the Safe column.
The specified columns are properties of the password or sessions. By default, the following columns can be specified to locate active sessions:
The following parameters define each column that is displayed:
Parameter | Description |
---|---|
Name | Specifies the name of the property that is displayed in this column. |
DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column is visible. |
Configure direct playback in the PVWA
The JumpOffset parameter, in the Commands parameters of the Privileged Session Management UI parameters, defines the time (in seconds) prior to the location of a selected command at which the recording begins to play.
The Streaming parameters, in the Privileged Session Management UI parameters, define the embedded video player that is used to play PSM recordings directly in the PVWA.
The embedded video player requires that the Adobe Flash player 10.0 browser add-on or later is installed on the end users’ browsers.
Parameter | Description |
---|---|
Enabled | Determines whether or not authorized users can play recordings directly in the PVWA. If this parameter is set to Yes, users will be able to play recordings using an embedded video player. If this parameter is set to No, recordings are downloaded and played using the default media player. The default value is Yes. |
Width | Determines the width of the embedded video player that is displayed. The default value is 800 pixels. |
Height | Determines the height of the embedded video player that is displayed. The default value is 600 pixels. |
AutoPlay | Determines whether direct playback starts automatically after selecting the recording to play, or whether the embedded video player is displayed and the user is able to start playback by clicking the Play button. The default value is Yes, indicating that the direct playback starts playing automatically. |
AllowFullScreen | Determines whether or not users can expand the video display area to utilize the entire screen. The default value is Yes. |
AllowDownload | Determines whether or not users can download recordings as files when streaming is enabled. The default value is Yes. |
BufferSize | Specifies the size, in megabytes, that the video player requests from the server on each data request. The default value is 1 (one) megabyte. |
Display notification when remote session starts
A notification can be displayed when a remote session is opened and the PSM starts recording it. This ensures that users know that their session is being recorded. The notification is displayed at the bottom right corner of the remote session window.
This notification can be configured with the following parameters in the Privileged Session Management parameters of each platform configured for PSM:
Parameter | Description |
---|---|
ShowRecordedSessionNotification | Determines whether or not a notification is displayed when the PSM starts recording a remote session. The default value is Yes. |
RecordedSessionNotificationDisplayTime | Determines the number of seconds that the recorded session notification is displayed. The default value is 5 seconds. If 0 (zero) is specified, the notification is not closed automatically and is displayed until the user closes it. |
- In the PVWA, go to Administration > Platform Management.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and then right-click Privileged Session Management.
- In the Properties list, specify a value for the ShowRecordedSessionNotification property.
- Specify a value for the RecordedSessionNotificationDisplayTime property.
- Save your changes.