Manage application policies
This topic describes how administrators can view and manage application security policies.
Overview
The Secure Web Sessions portal displays all the SSO applications that you can apply policies to. For each application, you can apply specific protections and security layers. For CyberArk Identity applications, you can also apply security layers either by group membership, or to individual users.
You can apply three types of security layers:
Security layer | Description |
---|---|
Step Recording | Allows SWS to monitor and record all actions, events and use of the application. The recording is not a video, but a step-by-step log with screenshots, and is fully searchable. User events are captured locally in the browser via the Secure Web Sessions browser extension. For more information, see What is Step Recording? |
Session Protection | Allows SWS to protect the user's web session in the browser, and the specific tab. This protects high-risk web sessions from malicious processes originating on the endpoint. The following protections can be applied: For more information, see What is Session Protection? |
Continuous Authentication | Allows SWS to validate and verify the user throughout their web session, based on certain conditions. For more information, see What is Continuous Authentication? |
Edit security layers for application members
Use this procedure to change security layers for members of an application.
Applies to CyberArk Identity SSO applications only.
- From the Secure Web Sessions portal, go to the Application policies page, and select a CyberArk Identity application.
- To change the security layers for all members of the application:
  - In the table heading, select the security layers you want applied to all members.
  - In the pop-up message, click Add.
- To change the security layers for individual users or groups:
  - Click the Edit button in the row of the group or user.
  - In the pop-up message, select the security layers you want to apply, and click Save.
Edit security layers per application
- From the Secure Web Sessions portal, go to the Application policies page and select an application.
- Click the Edit button. In the pop-up message, select the security layers you want to apply for this application, and click Save.
Define security layer configurations per application policy
From the Secure Web Sessions portal, go to the Application policies page, select an application, and click the Configuration tab.
Details | Description |
---|---|
Identity app key | The application key received from CyberArk Identity. |
Step recording | |
Session protection | Set the level of session protection you want applied to application sessions: |
Continuous authentication | Apply the Enforce pedometer lock to lock a sensitive web session when the end user has taken the maximum configured number of footsteps. This is to monitor if a session might have been left unattended. When the maximum number of steps is reached, the end user is required to re-authenticate to their session with a QR code using the CyberArk Mobile app. This feature is enabled in Settings > Security layers. |
Set default security layers for new application members
Use this procedure to set the default security layers that will be applied to new members of an application.
Applies to CyberArk Identity SSO applications only.
New applications enabled for SWS have step recording enabled by default.
- From the Secure Web Sessions portal, go to the Application policies page, and select a CyberArk Identity application.
- From the right side of the window, click Edit default.
- In the pop-up message, select the security layers you want to apply, and click Save default.
The saved default security layers will be applied to all new members added for this application.
Deactivate application policies
When new applications are configured with SWS, by default they are in active mode. This means that SWS security layers are applied when users access the application.
You can deactivate application policies so that users are no longer routed through SWS security layers. Deactivating application policies does not delete any configurations, and the policies can be activated again at any time.
- From the Secure Web Sessions portal, go to the Application policies page, and select an application.
- Change the toggle from Active to Inactive.
Delete application policies
- In CyberArk Identity Admin Portal > Web Apps, select the application where you want to remove SWS.
- Click the Secure Web Sessions page, deselect Enable Secure Web Sessions, and then click OK at the confirmation message.
- Click Save.
- In the SWS portal, go to the Application policies page.
- On the tile of an application, open the additional options menu, and click Delete application.
Deleting an application with an external IdP will break the custom links that were configured for rerouting users through the SWS security layers. Make sure you update your IdP and target app configurations.
Alternatively, you can deactivate the app. Deactivating the app will still allow end users to access the app, without changing app configurations, while removing the SWS security layers only.
Step recording limitations
- A keyboard shortcut user action doesn't trigger a recorded step.
- Drag-and-drop isn't recorded as a user action.
- Web applications based on WebGL might not capture all user actions when using step recording. Some Microsoft Office applications use this technology. Therefore, while recordings of Office 365 web apps include the name and type of files, user actions performed inside the file won't be captured.