IBM Security Privileged Identity Manager Version 1.0 › support › knowledgecenter ›...

IBM Security Privileged Identity Manager Version 1.0.1 Administrator Guide SC27-5619-01


Page 1: IBM Security Privileged Identity Manager Version 1.0 › support › knowledgecenter › SSRQBP_1.0... · Note: This edition applies to version 1.0.1 of IBM Security Privileged Identity

IBM Security Privileged Identity Manager Version 1.0.1

Administrator Guide

SC27-5619-01



Note: Before using this information and the product it supports, read the information in Notices.

Edition notice

Note: This edition applies to version 1.0.1 of IBM Security Privileged Identity Manager (product number 5725-H30) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

About this publication . . . ix
  Access to publications and terminology . . . ix
  Accessibility . . . x
  Technical training . . . x
  Support information . . . x
  Statement of Good Security Practices . . . x

Chapter 1. Shared access administration . . . 1
  Administering shared access . . . 1
  Privileged Administrator view . . . 2
  Privileged user view . . . 3
  Manual checkout and check-in of shared credentials . . . 3
  Administrative console host names, ports and URLs . . . 4

Chapter 2. Session recording administration . . . 7
  Session recording overview . . . 7
  Session recorder configuration . . . 8
    Recording policies . . . 8
    AccessProfiles . . . 8
    Adding security auditors . . . 9
  Accessing recordings . . . 9
    Logging on to the IBM Privileged Session Recorder console . . . 9
    Searching for recordings . . . 10
    Customizing the columns displayed . . . 11
    Playing back recordings . . . 11
  Search index . . . 12
    Backing up the full-text search index . . . 12
    Restoring the full-text search index . . . 12
    Online search index backup properties . . . 13

Chapter 3. Modifying AccessProfiles . . . 17
  Modifying AccessProfiles for the IBM Personal Communications application . . . 17
  Modifying AccessProfiles for the PuTTY application . . . 19
  Privileged Session Recorder widgets . . . 21
    Initializing a session recording . . . 23
    Starting a session recording . . . 23
    Stopping a session recording . . . 24
    Pausing a session recording . . . 25
    Resuming a recording session . . . 25

Chapter 4. Reports and audit logs . . . 27
  Types of available reports . . . 27
  Viewing reports with Tivoli Common Reporting . . . 29
  Shared access objects for custom reports . . . 30
  Viewing audit logs for privileged identities . . . 30
  Customizing Cognos-based reports for IBM Privileged Session Recorder . . . 30
  Report examples . . . 31
    Example: User information . . . 31
    Example: Application usage . . . 32
    Example: Shared access history . . . 33
    Example: Shared access entitlements by owner . . . 34
    Example: Shared access entitlements by role . . . 35
    Example: IBM Privileged Session Recorder . . . 36
  IBM Privileged Session Recorder Server Event ID descriptions . . . 36
  Privileged identity management messages . . . 37
  Syslog forwarding properties . . . 39

Notices . . . 41

Glossary . . . 45
  A, C, D, E . . . 45
  F, I, M, P, R, S, W . . . 46

Index . . . . . . . . . . . . . . . 47

© Copyright IBM Corp. 2013 iii


Figures

1. Session recording components . . . 7
2. How the Privileged Session Recorder widgets work . . . 21
3. Example of a basic recording AccessProfile without check-in and check-out . . . 22
4. User information audit report . . . 31
5. Application usage audit report . . . 32
6. Shared access history report . . . 33
7. Shared access entitlements by owner report . . . 34
8. Shared access entitlements by role report . . . 35
9. IBM Privileged Session Recorder report . . . 36


Tables

1. Shared access administration tasks . . . 1
2. Data reference for shared access . . . 1
3. Description of variables for host names and port numbers . . . 4
4. Common administrative consoles for IBM Security Privileged Identity Manager . . . 4
5. Examples of how to search with the Start time range and End time range in Advanced Search . . . 11
6. Playback controls . . . 11
7. Details of the properties for online index backup configuration in the psr.properties file . . . 13
8. Audit logs and reports for the IBM Security Privileged Identity Manager solution . . . 27
9. Related reports for privileged identity management . . . 30
10. Privileged Session Recorder Server audit events . . . 36
11. List of message identifiers . . . 37
12. Details of the properties for Syslog forwarding configuration . . . 39


About this publication

IBM Security Privileged Identity Manager Administrator Guide describes the administration tasks for managing privileged identities.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Privileged Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website” on page x.

IBM® Security Privileged Identity Manager library

The following documents are available online in the IBM Security Privileged Identity Manager library:
• IBM Security Privileged Identity Manager Deployment Overview Guide, SC27-4382-02
• IBM Security Privileged Identity Manager Administrator Guide, SC27-5619-01
• IBM Security Privileged Identity Manager Virtual Appliance Deployment Guide, SC27-5625-00

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Privileged Identity Manager library
    The product documentation site (http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ispim.doc_1.0.1/kc-homepage.html) displays the welcome page and navigation for the library.

IBM Security Identity Manager library
    The product documentation site (http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm) displays the welcome page and navigation for the IBM Security Identity Manager product.

IBM Security Access Manager for Enterprise Single Sign-On library
    The product documentation site (http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc_8.2.1/kc-homepage.html) displays the welcome page and navigation for the IBM Security Access Manager for Enterprise Single Sign-On product.

IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
    The http://www.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications you need.


IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the IBM Security Privileged Identity Manager Deployment Overview Guide.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Identity Manager Troubleshooting Guide and IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting Guide provide details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

See IBM Security Privileged Identity Manager Deployment Overview Guide for instructions and problem-determination resources for IBM Security Privileged Identity Manager.

Note: The Community and Support tab on the product documentation can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Shared access administration

When your IBM Security Privileged Identity Manager deployment is configured, you can administer shared access features.

Administering shared access

The IBM Security Identity Manager shared access module provides centralized management of shared and privileged accounts.

Table 1 describes administration tasks that you might want to complete, depending on the requirements of your deployment.

Table 1. Shared access administration tasks

Setting the service unique identifier
    In the managed resource service definition, set the unique identifier for connecting to the managed resource. For example, the unique identifier might be an IP address or the host name of the server.

Managing the credential vault
    As an Administrator, you can manage the credentials for shared accounts through the credential vault.

Managing the credential pool
    As an Administrator, you can use IBM Security Identity Manager to manage credential pools. A credential pool provides a way to group credentials that have similar access privileges. This grouping can be defined as a service group or a set of service groups.

Managing shared access policies
    Shared access policies authorize role members to share credentials or credential pools.

Shared access bulk load
    As an Administrator, you can use the shared access comma-separated value (CSV) file to add accounts to the credential vault. You also use the CSV file to add and update the credential pools in bulk. You can also modify credential settings for the accounts that are in the credential vault.

Shared access objects for custom reports
    You can generate custom reports by using the Shared Access objects. Use the shared access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy to generate the custom reports.

Table 2 describes data references that you can use during administration tasks.

Table 2. Data reference for shared access

Default access control items
    Use the default access control items for shared access to manage access security.

Shared access tables
    Database tables that IBM Security Identity Manager creates and uses to store information that is related to the Shared Access Module.


Shared access classes
    For the Directory Server schema, the shared access module has several types of object classes, such as credential component, credential, credential pool, credential lease, and shared access policy.

Auditing schema
    You can use the auditing schema to track shared access policy management, credential lease management, credential pool management, and credential management.

For more information:
• See “Roadmap for configuring shared access for a managed resource” in the IBM Security Privileged Identity Manager Deployment Overview Guide.
• Shared access documentation
  In the IBM Security Identity Manager product documentation, see the “Administration” section to find links to the documentation for administering shared access.
• IBM Security Identity Manager product documentation
  To find information about a task in either Table 1 on page 1 or Table 2 on page 1, go to this product documentation. On the home page, locate the product documentation search window, and enter the administration task name or data reference name, as listed in the table. For example, to administer shared access policies, enter Managing shared access policies.

Privileged Administrator view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged Administrators. The default view shows the administrative tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged Administrator group includes the following activities:
• Manage a service, including the user accounts and requests for that service
• Manage and load privileged accounts from the managed service into the credential vault

A privileged Administrator can manage and delegate the activities that are shown in the administration console view for the Privileged Administrator group. The Privileged Administrator group can also view nearly all tasks on the self-service console.

For more information:
• Shared access documentation
  In the IBM Security Identity Manager documentation, see the section “Features” for links to topics on privileged Administrators.
• IBM Security Identity Manager product documentation
  To find more information about privileged Administrators, search for Scope of the Privileged Administrator group.


Privileged user view

In IBM Security Identity Manager, the shared access feature includes a default group and a default view for privileged users. The default view shows the tasks that can be accessed by users who have the group membership.

The scope of activities for members of the Privileged User group includes the following activities:
• Manage their own profile
• Change their password
• Check in and check out shared accounts from the credential vault

The Privileged User group has no default view on the administration console, and no default access control items.

For more information:
• Shared access documentation
  In the IBM Security Identity Manager documentation, see the section “Features” for links to topics on privileged users.
• IBM Security Identity Manager product documentation
  To find more information about privileged users, go to this product documentation. On the home page, locate the product documentation search window, and enter Scope of the Privileged User group.

Manual checkout and check-in of shared credentials

Use the IBM Security Identity Manager self-service user interface console to access shared credentials.

Some IBM Security Privileged Identity Manager deployments do not require automated access to shared credentials. These deployments use only the IBM Security Identity Manager component. In these deployments, users who have sufficient privileges, such as membership in the Privileged Users group, can manually access shared credentials.
• For initial access to the self-service user interface console, see the topic “Initial login and password information” in the IBM Security Identity Manager Product Overview Guide in the IBM Security Identity Manager documentation.
• When you log in to the self-service interface, go to the My Shared Access section of the entry panel. You can select wizards to assist you with the following tasks:
  – Checking out a credential
    Check out the credential of your authorized shared accesses.
  – Checking in a credential
    Check in the credential that you checked out previously.
  – Viewing a password
    View the password for the credentials.
• From anywhere in the self-service user interface, you can start the Help system to view help topics. In the Shared access section of the Help system, see:
  – “Checking out a credential or credential pool”
  – “Viewing the password for a shared credential”
  – “Checking in credentials”


For more information:
• Shared access documentation
  In the IBM Security Identity Manager documentation, see the section “User scenarios for shared access” to view links to topics on user access.
• IBM Security Identity Manager product documentation
  To find more information about manual access to shared credentials, go to this product documentation. On the home page, locate the product documentation search window, and enter Checking out a credential or credential pool.

Administrative console host names, ports and URLs

Configuration and administration tasks for IBM Security Privileged Identity Manager require you to log on to administrative consoles.

Host names and ports

The following table contains the different variable host names and port numbers that are used throughout the guide:

Table 3. Description of variables for host names and port numbers

<was_hostname>
    Name of the host where the WebSphere® Application Server is installed.

<dmgr_hostname>
    Name of the host where the WebSphere Application Server Network Deployment Manager is installed.

<ihs_hostname>
    Name of the host where the IBM HTTP Server is installed.

<loadbalancer_hostname>
    Name of the host where the load balancer is installed.

<ims_hostname>
    Name of the host where the IMS Server is installed.

<ihs_ssl_port>
    IBM HTTP Server SSL port number.

<admin_ssl_port>
    Administrative console secure port number.

<isim_hostname>
    Name of the host where the IBM Security Identity Manager Server is installed.

<recorder_hostname>
    Name of the host where the Privileged Session Recorder Server is installed.

URLs

Table 4. Common administrative consoles for IBM Security Privileged Identity Manager

IBM Security Access Manager for Enterprise Single Sign-On AccessAdmin
    Format:
    • If you are using a load balancer: https://<loadbalancer_hostname>:<ihs_ssl_port>/admin
    • If you are not using a load balancer: https://<ims_hostname>:<ihs_ssl_port>/admin
    • If the web server is configured properly: https://<ims_hostname>/admin
    Example URL:
    • https://imsserver:9443/admin
    • https://imsserver/admin

IBM Security Access Manager for Enterprise Single Sign-On IMS Configuration Utility
    Format:
    • If you are using WebSphere Application Server stand-alone: https://<was_hostname>:<admin_ssl_port>/webconf
    • If you are using WebSphere Application Server Network Deployment: https://<dmgr_hostname>:<admin_ssl_port>/webconf
    Example URL: https://localhost:9043/webconf

IBM Security Identity Manager administrative console
    Format: https://<isim_hostname>/itim/console
    Example URL: https://isimserver/itim/console

IBM Security Identity Manager self-service console
    Format: https://<isim_hostname>/itim/self
    Example URL: https://isimserver/itim/self

IBM Privileged Session Recorder console
    Format:
    • If you are using a load balancer: https://<loadbalancer_hostname>:<ihs_ssl_port>/recorder/ui
    • If you are not using a load balancer: https://<recorder_hostname>:<ihs_ssl_port>/recorder/ui
    • If the web server is configured properly: https://<recorder_hostname>/recorder/ui
    Example URL:
    • https://recorderserver:9443/recorder/ui
    • https://recorderserver/recorder/ui
    • https://recorderserverihs/recorder/ui
    • https://loadbalancerhost/recorder/ui

IBM Privileged Session Recorder Server (Collector)
    Format:
    • https://<recorder_hostname>:<ihs_ssl_port>/recorder/collector
    • https://<recorder_hostname>/recorder/collector
    Example URL: https://recorderserver/recorder/collector


Chapter 2. Session recording administration

As an Administrator, you must have a comprehensive set of procedures and reference information for managing the resources for session recording.

Session recording overview

You can record privileged identity sessions for auditing, security forensics, and compliance.

The IBM Privileged Session Recorder is a virtual surveillance camera that captures user activity during an active session on a workstation. Captured recordings are stored in a centralized database. You can search for recordings and play back recordings from a web-based interface.

The IBM Privileged Session Recorder captures user activity on Windows applications. The software includes session recording enabled AccessProfiles. The following applications are supported and have bundled AccessProfiles:
• Terminal consoles or SSH sessions with PuTTY or IBM Personal Communications.
• Remote desktop sessions with Microsoft Remote Desktop Connection, or VMware vSphere.

For other applications, you can add session recording by configuring custom AccessProfiles.

Screen recordings consist of multiple screen captures of the active application window. Depending on the application type, the recording includes metadata for the keys that are pressed, the window controls that are clicked, and the window title.

Each recording is identified by a Recording ID. A recording can include more session metadata. The following items are examples of session metadata:

User ID
    The IBM Security Access Manager for Enterprise Single Sign-On user who signed on to a system.

Local user ID
    The Windows user who logged on a client computer.

Figure 1. Session recording components. (Labels recovered from the diagram: Client: AccessProfile, Recorder Agent, Recorder Daemon. Server: Collector, Database, Player; WebSphere Application Server.)


Application User ID
    The privileged account.

Local host
    Host name of the client computer.

Service Host
    The system that is accessed using the privileged account.

Application name
    The program on the end user computer where the privileged account is used.

Process name
    The executable file name of the application.

Start Time
    The date and time of day when the recording started on the client workstation.

End Time
    The date and time of day when the recording ended on the client workstation.

Session recorder configuration

You can start, stop, pause, or resume recording sessions by adding the Privileged Session Recorder widgets to an AccessProfile. You can also customize additional session recording options by configuring policies.

Recording policies

You can use AccessAdmin to customize recording settings. You can customize settings such as server location, recording quality, and keys to exclude.

Use AccessAdmin to configure the privileged identity management policies.

For example, you can customize some of the following options:
• Enable or disable session recording. (pid_recorder_enabled)
• Specify the Privileged Session Recorder Server URL. (pid_recorder_server)
• Capture recording in full color or in grayscale for smaller recordings. (pid_recorder_image_capture_option)
• Enable or disable key logging. (pid_recorder_keyboard_capture_option)
• Specify the action to take on the client computer when the Privileged Session Recorder Server is not available. (pid_collector_comm_fail_action)

For more information about the policies for session recording, search for Policies for privileged identity management in the IBM Security Access Manager for Enterprise Single Sign-On product documentation.

AccessProfiles

Add the bundled Privileged Session Recorder widgets to custom AccessProfiles to enable session recording.

For example, to customize recording for a Microsoft Remote Desktop Connection client application, be sure to add the Recorder widget to the Remote Desktop Connection AccessProfile.


The controls for initializing, starting, stopping, pausing, or resuming a recording depend on how the AccessProfile is designed with the available Privileged Session Recorder widgets.

For more information about customizing AccessProfiles, see Chapter 3, “Modifying AccessProfiles,” on page 17.

Adding security auditors

You can use the configuration utility to add security auditors to the ISPIMRecorderAuditors group, which grants them access to the Privileged Session Recorder console.

Before you begin

Install and configure the Privileged Session Recorder Server. For more information, see the IBM Security Privileged Identity Manager Deployment Overview Guide.

About this task

Members of the ISPIMRecorderAuditors group have privileges to view session recordings on the Privileged Session Recorder console.

The configuration tool already creates one auditor. To add more auditors, follow this procedure.

Procedure
1. Start the configuration tool. You can start the configuration tool from the following location: <recorder_install_home>/configtool/IBMCM.exe.
2. When the configuration tool is displayed, click Configure Privileged Session Recorder Server.
3. Click Guided Configuration.
4. Skip the steps in the configuration tool until the Configure Security Settings page is displayed.
5. In the Configure Security Settings page, specify the user information you want to add to the ISPIMRecorderAuditors group. The user credentials you specify are used to log on to the Privileged Session Recorder console. You can choose to create a user or specify an existing account. If you choose to use an existing account, the account must exist on WebSphere Application Server.
6. Click Finish.

Accessing recordings

You can access session recordings to play back, investigate, or audit the recorded usage of privileged identities.

Logging on to the IBM Privileged Session Recorder consoleTo log on to the Privileged Session Recorder console, the user must be a memberof ISPIMRecorderAuditors group.

Before you beginv Deploy and configure Privileged Session Recorder Server. See the IBM Security

Privileged Identity Manager Deployment Overview Guide.


About this task

To grant more users access to the IBM Privileged Session Recorder console, you can add security auditors. For more information, see “Adding security auditors” on page 9.

Procedure

1. Log on to the IBM Privileged Session Recorder console at https://<recorder_hostname>/recorder/ui. For example: https://recorderserver/recorder/ui
2. Enter your ISPIMRecorderAuditors member credentials. The Privileged Session Recorder management console is displayed.

Searching for recordings

You can locate recordings by keywords, filtering, or by sorting. You can also search recordings for custom metadata. You can also save frequent searches for faster access the next time you log on.

Procedure

1. Log on to the Privileged Session Recorder console.
2. Use the search and filter controls to locate the recording you want.
3. Play back the recording.

Global search

Global search provides you with the ability to search all the session recordings for specific keywords that are embedded in the metadata.

For example, you can use the search function to accomplish the following tasks:
v Find recordings where a specific command was typed.
v Find recordings that include a specific application or process.
v Find recordings for a specific User ID, Application User ID, or Local User ID.

Note: Global search does not support searching by date and time. To filter the search results by date and time, use the filter box that is above the recording list table.

Advanced search

To retrieve recordings over a specific time range, use the Advanced Search.

Filters and search criteria

Use the provided filters to refine your search results. For example, you can filter the search by process name, time range, or by combining different keywords. To learn about the available session recording attributes that you can search for, see “Session recording overview” on page 7.

Searching for recordings within a time span

To retrieve recordings over a time span, use the following search filters:

Start time range (s1-s2)
Where s1 is the beginning, and s2 is the end of the range for start time.

End time range (e1-e2)
Where e1 is the beginning, and e2 is the end of the range for end time.

Table 5. Examples of how to search with the Start time range and End time range in Advanced Search.

To search for                                                  Specify the following values
Recordings that start between 1 July 2013 and 10 July 2013.    Start time range (1 July 2013 - 10 July 2013)
Recordings that end between 1 July 2013 and 10 July 2013.      End time range (1 July 2013 - 10 July 2013)
Recordings between 1 July 2013 and 10 July 2013.               Start time range (none - 10 July 2013)
                                                               End time range (1 July 2013 - none)

For Search type, select Match all criteria.
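The three searches in Table 5, as an added Python example that is not part of the product or of this guide: each search is modelled as optional bounds on the start time and the end time (a "none" entry is an open bound), applied with Match all criteria semantics to constructed sample recordings. The third row is the interesting one, because an open bound on each side is what turns two ranges into an overlap test.

```python
from datetime import date
from typing import List, NamedTuple, Optional


class Recording(NamedTuple):
    recording_id: str
    start: date
    end: date


class TimeRangeFilter(NamedTuple):
    """Start time range (s1-s2) and End time range (e1-e2); None stands for a 'none' entry."""
    s1: Optional[date] = None
    s2: Optional[date] = None
    e1: Optional[date] = None
    e2: Optional[date] = None


def _within(value: date, lower: Optional[date], upper: Optional[date]) -> bool:
    # An open bound (None) imposes no restriction on that side of the range.
    return (lower is None or lower <= value) and (upper is None or value <= upper)


def matches(rec: Recording, flt: TimeRangeFilter) -> bool:
    """Match all criteria: the recording's start and its end must each fall in their range."""
    return _within(rec.start, flt.s1, flt.s2) and _within(rec.end, flt.e1, flt.e2)


def search(recordings: List[Recording], flt: TimeRangeFilter) -> List[str]:
    """Return the IDs of the recordings that satisfy every criterion of the filter."""
    return [r.recording_id for r in recordings if matches(r, flt)]


# Constructed sample recordings around the 1 July - 10 July 2013 window used in Table 5.
RECORDINGS = [
    Recording("rec-1", date(2013, 6, 28), date(2013, 6, 30)),  # ends before the window
    Recording("rec-2", date(2013, 6, 29), date(2013, 7, 2)),   # started before, ends inside
    Recording("rec-3", date(2013, 7, 3), date(2013, 7, 5)),    # entirely inside
    Recording("rec-4", date(2013, 7, 9), date(2013, 7, 12)),   # starts inside, ends after
    Recording("rec-5", date(2013, 7, 11), date(2013, 7, 13)),  # starts after the window
]

JUL1, JUL10 = date(2013, 7, 1), date(2013, 7, 10)

# Row 1 of Table 5: recordings that start inside the window.
STARTS_IN_WINDOW = TimeRangeFilter(s1=JUL1, s2=JUL10)
# Row 2: recordings that end inside the window.
ENDS_IN_WINDOW = TimeRangeFilter(e1=JUL1, e2=JUL10)
# Row 3: recordings "between" the dates, i.e. any recording that overlaps the window:
# it must have started no later than 10 July and ended no earlier than 1 July.
OVERLAPS_WINDOW = TimeRangeFilter(s2=JUL10, e1=JUL1)

if __name__ == "__main__":
    for name, flt in [("starts in window", STARTS_IN_WINDOW),
                      ("ends in window", ENDS_IN_WINDOW),
                      ("overlaps window", OVERLAPS_WINDOW)]:
        print(f"{name}: {search(RECORDINGS, flt)}")
```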

Saving search queries

If you repeat searches with specific criteria frequently, you can save your search queries for faster result retrieval.

Procedure

1. In the IBM Privileged Session Recorder console, use the Advanced search fields to refine and combine different search criteria.
2. Click Saved searches.
3. Specify a name for the saved search. For example: Logons by User1

Customizing the columns displayed

You can show or hide different columns in the Privileged Session Recorder console view. You can also rearrange the columns that are displayed.

Procedure

1. Log on to the IBM Privileged Session Recorder console.
2. Click Customize View.
3. In the session recording view, complete any of the following tasks:
   v Click the Plus or Minus symbols to add or remove a column from the view.
   v Click the Up or Down arrows to change the order of columns displayed.
4. Save the view.

Playing back recordings

You can view recorded sessions from the IBM Privileged Session Recorder console.

About this task

The following playback controls are available when you view recordings.

Table 6. Playback controls

Controls     Description
Play         Plays the recorded session.
Pause        Pauses the playback.
Next         Shows the next frame.
Previous     Shows the previous frame.
Slider       Drag the slider to the left or right to start playing a recording from the new position.

Procedure

1. Log on to the Privileged Session Recorder console.
2. Search or filter the recordings that are based on the required fields.
3. Select the recording. Do one of the following steps:
   v Click View recording.
   v Double-click the recording.
4. Click Play. The recording playback is started.

Search index

The IBM Privileged Session Recorder console uses an index to provide full-text search for session recordings.

Backing up the full-text search index

Set the time that the scheduled backup of the full-text index occurs for IBM Privileged Session Recorder.

Procedure

1. Open the <was_home>\profiles\<profile_name>\config\psr\psr.properties file in a text editor.
2. Specify an index backup storage location for the recorder.indexer.backup.storage.dir property. For example:
   recorder.indexer.backup.storage.dir=c:\\psrindex\\backup

   Important: Plan to archive or delete older backups in the target location periodically to avoid storage problems as the number of backups increases.
3. Configure the online index backup schedule. For more information, see “Online search index backup properties” on page 13.
4. Save the file.
5. For clustered deployments, synchronize and restart the cluster.
6. For stand-alone deployments, restart the server.

Restoring the full-text search index

You can use the backups that are created by the online index backup schedule to restore the indexes. Restoring the indexes from a backup is useful if the indexes are stale and if rebuilding the index from scratch is not feasible.

Before you begin

Create an index backup schedule.


Procedure

1. Stop the Privileged Session Recorder Server.
   For clustered deployments: Stop the cluster.
   For stand-alone deployments: Stop the application server.
2. Move all the contents of the existing index in <was_home>/profiles/<profile_name>/ispimrindex/<servername>/recordings to another location.
3. Restore the contents in <was_home>/profiles/<profile_name>/ispimrindex/<servername>/recordings from the most recent backup.
4. Start the Privileged Session Recorder Server.
   For clustered deployments: Start the cluster.
   For stand-alone deployments: Start the application server.

Online search index backup properties

You can configure the backup schedule and backup storage location of the Privileged Session Recorder Server search index. Plan to archive or delete older backups to avoid storage problems as the number of backups increases.

Locate the psr.properties file in the following places:

For clustered deployments
Browse to the following directory: <was_home>\profiles\<dmgr_profile>\config\psr.

For stand-alone deployments
Browse to the following directory: <was_home>\profiles\<appsrv>\config\psr.

Table 7. Details of the properties for online index backup configuration in the psr.properties file.

recorder.indexer.backup.enabled
   Description: Specifies whether to enable full-text search index backup.
   Valid values, not case-sensitive:
   v true
   v false
   Default: recorder.indexer.backup.enabled=false

recorder.indexer.backup.storage.dir
   Description: Specifies the location on the server to store the index backups.
   For backups to start on the computer, the following conditions must exist:
   v The backup storage directory that you specify must exist.
   v The value for this property is not empty.
   Specify a property value for this key if you want to back up the index. If you do not want to back up the index, leave this property value blank and ensure that the storage location does not exist.
   For clustered deployments, you can choose to create backups only on specific nodes by completing the following tasks:
   v On the nodes where you want backups to start, create the backup storage directory.
   v On the nodes where you do not want backups, ensure that the backup storage directory does not exist on the node.
   Example 1, with backward slash (\) in the property value:
   recorder.indexer.backup.storage.dir=C:\\backups\\psr_index_backup
   Example 2, with forward slash (/) in the property value:
   recorder.indexer.backup.storage.dir=C:/backups/psr_index_backup

recorder.indexer.backup.frequency
   Description: Specifies how frequently the search index backups occur.
   Valid values:
   v daily
   v weekly
   v monthly
   Example: recorder.indexer.backup.frequency=daily

recorder.indexer.backup.hourofday
recorder.indexer.backup.minute
recorder.indexer.backup.second
   Description: Specifies the time of day for the backup.
   recorder.indexer.backup.hourofday is specified in 24-hour format. Valid values are 0-23.
   Valid values for recorder.indexer.backup.minute are 0-59.
   Valid values for recorder.indexer.backup.second are 0-59.
   Not all the property keys and values must be defined. If a property value is undefined, the default value is 0.
   Example: recorder.indexer.backup.hourofday=2

recorder.indexer.backup.dayofweek
   Description: Specifies the day of the week. Only required if backup is weekly (recorder.indexer.backup.frequency=weekly).
   Valid values are 1 - 7, where:
   v 1 is Sunday
   v 2 is Monday
   v 3 is Tuesday
   v 4 is Wednesday
   v 5 is Thursday
   v 6 is Friday
   v 7 is Saturday
   Example: recorder.indexer.backup.dayofweek=7

recorder.indexer.backup.dayofmonth
   Description: Specifies the day of the month. Only required if backup is monthly (recorder.indexer.backup.frequency=monthly).
   Valid values are 1 - 28.
   Example: recorder.indexer.backup.dayofmonth=15


Example configuration

recorder.indexer.backup.enabled=true
recorder.indexer.backup.storage.dir=C:\\backups\\psr_index_backup
recorder.indexer.backup.frequency=daily
recorder.indexer.backup.hourofday=1
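The schedule rules of Table 7, as an added Python example that is not part of the product or of this guide: it parses a constructed psr.properties fragment built from the example configuration above, validates the backup keys against the valid values in Table 7, and computes the next scheduled backup time. The minimal properties parser and the conversion from the 1 (Sunday) - 7 (Saturday) day numbering are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed psr.properties content (backup keys only), built from the example configuration above.
SAMPLE_PROPERTIES = r"""
# Online search index backup settings (constructed sample)
recorder.indexer.backup.enabled=true
recorder.indexer.backup.storage.dir=C:\\backups\\psr_index_backup
recorder.indexer.backup.frequency=daily
recorder.indexer.backup.hourofday=1
"""

PREFIX = "recorder.indexer.backup."
FREQUENCIES = ("daily", "weekly", "monthly")


def parse_properties(text):
    """Minimal Java-style properties parser (assumption of this example): key=value lines,
    '#' or '!' comments, and the doubled backslash used for Windows paths in Table 7."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def _int_in_range(props, key, lo, hi, default, errors):
    """Check one numeric key against its valid range; default=None means the key is required."""
    raw = props.get(PREFIX + key, "")
    if raw == "":
        if default is None:
            errors.append(f"{PREFIX}{key} is required")
            return None
        return default
    if not raw.isdigit() or not lo <= int(raw) <= hi:
        errors.append(f"{PREFIX}{key}={raw!r} must be an integer {lo}-{hi}")
        return None
    return int(raw)


def validate(props):
    """Return a list of problems found against the valid values in Table 7 (empty means OK)."""
    errors = []
    enabled = props.get(PREFIX + "enabled", "false").lower()
    if enabled not in ("true", "false"):
        errors.append(f"{PREFIX}enabled must be true or false")
    if enabled == "true" and not props.get(PREFIX + "storage.dir"):
        errors.append(f"{PREFIX}storage.dir must be set (and the directory must exist) for backups to start")
    freq = props.get(PREFIX + "frequency", "")
    if freq not in FREQUENCIES:
        errors.append(f"{PREFIX}frequency={freq!r} must be one of {FREQUENCIES}")
    _int_in_range(props, "hourofday", 0, 23, 0, errors)
    _int_in_range(props, "minute", 0, 59, 0, errors)
    _int_in_range(props, "second", 0, 59, 0, errors)
    if freq == "weekly":
        _int_in_range(props, "dayofweek", 1, 7, None, errors)
    if freq == "monthly":
        _int_in_range(props, "dayofmonth", 1, 28, None, errors)
    return errors


def next_backup(props, now):
    """Return the first scheduled backup time after `now`, or None when backups are disabled."""
    problems = validate(props)
    if problems:
        raise ValueError("; ".join(problems))
    if props.get(PREFIX + "enabled", "false").lower() != "true":
        return None
    # Undefined time-of-day keys default to 0, as Table 7 states.
    candidate = now.replace(hour=int(props.get(PREFIX + "hourofday") or 0),
                            minute=int(props.get(PREFIX + "minute") or 0),
                            second=int(props.get(PREFIX + "second") or 0), microsecond=0)
    freq = props[PREFIX + "frequency"]
    if freq == "daily":
        return candidate if candidate > now else candidate + timedelta(days=1)
    if freq == "weekly":
        # Table 7 numbers days 1 (Sunday) to 7 (Saturday); datetime.weekday() is 0 (Monday) to 6 (Sunday).
        target = (int(props[PREFIX + "dayofweek"]) - 2) % 7
        candidate += timedelta(days=(target - candidate.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    # monthly: the day is limited to 1-28, so it exists in every month.
    candidate = candidate.replace(day=int(props[PREFIX + "dayofmonth"]))
    if candidate > now:
        return candidate
    year, month = (candidate.year + 1, 1) if candidate.month == 12 else (candidate.year, candidate.month + 1)
    return candidate.replace(year=year, month=month)


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("problems:", validate(cfg) or "none")
    print("next backup:", next_backup(cfg, datetime.now()))
```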


Chapter 3. Modifying AccessProfiles

Modify the AccessProfile to customize its functions for the application.

Some custom mainframe applications have more logon requirements.

For example:
v Specifying more logon credential fields for credential injection.
v Simulating different keyboard keys to shift the terminal entry focus.

To customize advanced AccessProfiles that are not covered, see the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide. Alternatively, search the IBM website for “Advanced AccessProfile Redbooks®” for guidance.

Use the privileged identity management AccessProfiles for IBM Personal Communications as a template.

To enable session recording for customized AccessProfiles, see the bundled privileged identity management AccessProfiles that use the Recorder widgets.

For more information, see:
v “Modifying AccessProfiles for the IBM Personal Communications application”
v “Modifying AccessProfiles for the PuTTY application” on page 19
v “Privileged Session Recorder widgets” on page 21

Modifying AccessProfiles for the IBM Personal Communications application

Modify the Personal Communications AccessProfile to customize its behavior.

Before you begin

v Install AccessStudio.
v Install the IBM Personal Communications client.
v Open the Personal Communications application.
v Upload the AccessProfiles to the IMS Server. See “Uploading AccessProfiles to the IMS Server” in the IBM Security Privileged Identity Manager Deployment Overview Guide.

Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can save the AccessProfile to a location on your computer.

About this task

The window title of the Personal Communications application must match the session name.

Procedure

1. Start AccessStudio.


2. Import the Privileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS.
3. In the AccessProfile pane, open profile_PCOMM_main.
4. Select the States tab.
5. In the AccessProfile state diagram canvas, select the Run a VBScript or JScript action under the second state.
6. In the Properties pane, select the Form Editor tab.
7. Click Open Script Editor.
8. Edit the script.
   a. Select a unique text from the mainframe application screen.
   b. Remove the variable portion of the text.
   c. Retain the non-variable portion of the text in the form of a regular expression. For example:
      v Unique text: Welcome UserA
      v Variable: UserA
      v Non-variable: Welcome
      v Regular expression of the non-variable text: Welcome.*

      This regular expression matches any instances of text that might be displayed as: WELCOME-WELCOME-EXAMPLE APPLICATION WELCOME

      This regular expression does not match the following instances: welcome, WelcomeExample Welcome, W.E.L.C.O.M.E

   d. Modify the second argument for each pc.SetPropValue entry. You can add the regular expression or replace the existing regular expression.

      pc.SetPropValue "text_to_identify_the_welcome_screen", "^.*WELCOME.*$|.*User\sID\s:.*"
      pc.SetPropValue "text_to_identify_and_initiate_PIM_workflow", ".*WELCOME\sTO\sCICS.*|.*User\sID\s:.*"
      pc.SetPropValue "text_is_found_for_injecting_username", ".*[Ll]ogin.*:.*|.*LOGIN.*:.*|.*WELCOME\sTO\sCICS.*|.*Userid.*|.*User\sID.*"
      pc.SetPropValue "text_is_found_for_injecting_password", ".*(?i)(please type your password|missing password).*"
      pc.SetPropValue "text_is_found_for_not_injecting_password", ".*(?i)(your userid is invalid).*"
      pc.SetPropValue "text_is_first_displayed_for_access_denied_or_failure", ".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*"
      pc.SetPropValue "text_is_found_for_successful_logon", ".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*Microsoft\sWindows.*|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*"
      pc.SetPropValue "Wnd_sig_Username", "/child::wnd[@class_name=""PCSWS:Main:00400000""]"
      pc.SetPropValue "wnd_for_text_identication_on_mainframe_screen", "/child::wnd[@class_name=""PCSWS:Main:00400000""]/child::wnd[@class_name=""PCSWS:Pres:00400000"" and @ctrl_id=2]"
      pc.SetPropValue "Parent_Wnd_Signature", "/child::wnd[@class_name=""PCSWS:Main:00400000""]/child::wnd[@class_name=""PCSWS:Pres:00400000"" and @ctrl_id=2]"

      ' Displays a consent dialog box with a custom message before starting session recording.
      pc.SetPropValue "recording_consent_dialog_custom_message", ""

      ' Specifies the parent window signature for the consent dialog message.
      pc.SetPropValue "recording_consent_dialog_parent_xpath", "/child::wnd[@class_name=""PCSWS:Main:00400000""]/child::wnd[@class_name=""PCSWS:Pres:00400000"" and @ctrl_id=2]"

      ' Specifies the additional custom metadata that is passed to the Privileged Session Recorder Server during session recording.
      ' For example: pc.SetPropValue "param_custom_metadata", "Department_Name"
      pc.SetPropValue "param_custom_metadata", ""

      ' Specifies the value for the custom metadata specified above, which is passed to the Privileged Session Recorder Server during session recording.
      ' For example: pc.SetPropValue "param_value", "IT"
      pc.SetPropValue "param_value", ""

9. Test the AccessProfile.
   a. Start Test Mode.
   b. Start IBM Personal Communications.
10. After the test is completed, save the AccessProfile. The AccessProfile on the IMS Server is updated.

Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Server.

Modifying AccessProfiles for the PuTTY application

Modify the PuTTY application AccessProfile to customize its behavior.

Before you begin

v Install AccessStudio.
v Install the PuTTY client.
v Open the PuTTY application.
v Upload the AccessProfiles to the IMS Server. See “Uploading AccessProfiles to the IMS Server” in the IBM Security Privileged Identity Manager Deployment Overview Guide.

Tip: Before you apply any modifications, you can take a local backup of the AccessProfile. To back up the AccessProfile to file, you can save the AccessProfile to a location on your computer.

Procedure

1. Start AccessStudio.
2. Import the Privileged Identity Management AccessProfile package into the AccessStudio workspace by clicking File > Import data from IMS.
3. In the AccessProfile pane, open profile_putty_main.
4. Select the States tab.


5. In the AccessProfile state diagram canvas, select the Run a VBScript or JScript action under the second state.
6. In the Properties pane, select the Form Editor tab.
7. Click Open Script Editor.
8. Edit the script.
   a. Select a unique text from the mainframe application screen.
   b. Remove the variable portion of the text.
   c. Retain the non-variable portion of the text in the form of a regular expression. For example:
      v Unique text: Welcome UserA
      v Variable: UserA
      v Non-variable: Welcome
      v Regular expression of the non-variable text: Welcome.*

      This regular expression matches any instances of text that might be displayed as: WELCOME-WELCOME-EXAMPLE APPLICATION WELCOME

      This regular expression does not match the following instances: welcome, WelcomeExample Welcome, W.E.L.C.O.M.E

   d. Modify the second argument for each pc.SetPropValue entry. You can add the regular expression or replace the existing regular expression.

      pc.SetPropValue "text_is_found_for_injecting_password", ".*[Pp]assword.*|.*PASSWORD.*"
      pc.SetPropValue "text_is_found_for_not_injecting_password", ".*[Dd]enied.*|.*DENIED.*"
      pc.SetPropValue "text_is_first_displayed_for_access_denied_or_failure", ".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*"
      pc.SetPropValue "text_is_found_for_successful_logon", ".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*$.*|.*>.*|.*#.*|.*Microsoft\sWindows.*|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*"
      pc.SetPropValue "Parent_Wnd_Signature", "/child::wnd[@title~"".*- PuTTY"" and @class_name=""PuTTY""]"
      pc.SetPropValue "wnd_for_text_identication_on_mainframe_screen", "/child::wnd[@title~"".*- PuTTY"" and @class_name=""PuTTY""]"

      ' Displays a consent dialog box with a custom message before starting session recording.
      ' Specifies the text that appears on the consent message (custom consent message) for session recording.
      pc.SetPropValue "recording_consent_dialog_custom_message", ""

      ' Specifies the parent window signature for the consent dialog message.
      pc.SetPropValue "recording_consent_dialog_parent_xpath", "/child::wnd[@title~"".*- PuTTY"" and @class_name=""PuTTY""]"

      ' Specifies the additional custom metadata that is passed to the Privileged Session Recorder Server during session recording.
      ' For example: pc.SetPropValue "param_custom_metadata", "Department_Name"
      pc.SetPropValue "param_custom_metadata", ""

      ' Specifies the value for the custom metadata specified above, which is passed to the Privileged Session Recorder Server during session recording.
      ' For example: pc.SetPropValue "param_value", "IT"
      pc.SetPropValue "param_value", ""

9. Test the AccessProfile.
   a. Start Test Mode.
   b. Start IBM Personal Communications.
10. After the test is completed, save the AccessProfile. The AccessProfile on the IMS Server is updated.

Note: If you are working from a local copy of the AccessProfile, remember to publish the completed AccessProfile to the IMS Server.
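Before you publish a modified script, it helps to check which screen-text property a given terminal screen would trigger. The following added Python example (not part of the bundled AccessProfiles or of this guide) evaluates the PuTTY patterns from step 8d above against constructed screen text; it assumes that Python's re module behaves like the AccessProfile scripting engine for these patterns, and the order in which the properties are checked is an assumption of the example.

```python
import re

# Patterns copied from the pc.SetPropValue entries of the PuTTY AccessProfile script above.
PUTTY_PATTERNS = {
    "text_is_first_displayed_for_access_denied_or_failure":
        r".*[Dd]enied.*|.*DENIED.*|.*[Ii]nvalid.*|.*not\sdefined\.*",
    "text_is_found_for_not_injecting_password": r".*[Dd]enied.*|.*DENIED.*",
    "text_is_found_for_injecting_password": r".*[Pp]assword.*|.*PASSWORD.*",
    "text_is_found_for_successful_logon":
        r".*[Ll]ast login.*:.*|.*LAST LOGIN.*:.*|.*$.*|.*>.*|.*#.*|.*Microsoft\sWindows.*"
        r"|.*Sign-on\sis\scomplete.*|.*Enterprise\sSummary.*",
}

# Assumed evaluation order for this example: failure text first, then the password
# prompts, then the successful-logon text.
CHECK_ORDER = [
    "text_is_first_displayed_for_access_denied_or_failure",
    "text_is_found_for_not_injecting_password",
    "text_is_found_for_injecting_password",
    "text_is_found_for_successful_logon",
]

# In a regular expression "$" is an end-of-line anchor, so the alternative ".*$.*" in the
# successful-logon pattern is found in every screen. Escaping it as "\$" (an assumption of
# this example, not a setting from the guide) makes it look for a literal "$" shell prompt.
TIGHTENED_SUCCESS_PATTERN = PUTTY_PATTERNS["text_is_found_for_successful_logon"].replace(
    r".*$.*", r".*\$.*")


def matching_properties(screen_text, patterns=PUTTY_PATTERNS):
    """Return the names of every property whose pattern is found in the screen text."""
    return [name for name, pattern in patterns.items() if re.search(pattern, screen_text)]


def classify_screen(screen_text, patterns=PUTTY_PATTERNS):
    """Return the first property in CHECK_ORDER whose pattern matches, or None."""
    for name in CHECK_ORDER:
        if re.search(patterns[name], screen_text):
            return name
    return None


# Constructed terminal screens, one per stage of a PuTTY logon.
SCREENS = {
    "login_prompt": "login as: ",
    "password_prompt": "admin@host1's password: ",
    "denied": "Access denied\nadmin@host1's password: ",
    "shell": "Last login: Mon Jul  1 09:00:00 2013 from 192.0.2.10\nadmin@host1:~$ ",
}

if __name__ == "__main__":
    tightened = dict(PUTTY_PATTERNS, text_is_found_for_successful_logon=TIGHTENED_SUCCESS_PATTERN)
    for stage, text in SCREENS.items():
        print(f"{stage:16} as shipped: {matching_properties(text)}")
        print(f"{'':16} tightened:  {matching_properties(text, tightened)}")
```

Running it shows that, with the pattern as shipped, the bare login prompt already counts as a successful logon, while with the tightened pattern only screens that contain a real prompt or "Last login" line do.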

Privileged Session Recorder widgets

Use the Privileged Session Recorder widgets in the bundled AccessProfiles to add session recording support to your client application logon workflows.

To add session recording to custom applications, you can build a new AccessProfile or customize an existing AccessProfile. The Privileged Session Recorder widgets are included with IBM Security Privileged Identity Manager.

Each recorder widget has an entry state, a success exit state, and a failed exit state. Some of the recorder widgets might have more than two pinnable states. For more information about pinnable states and widgets, see the IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide.

IBM Security Privileged Identity Manager bundled AccessProfiles for RDP, PuTTY, IBM Personal Communications and VMware vSphere are integrated with the session recording widgets. The widgets start session recording when shared access identities are checked out.

Session recording stops when the target application is closed. For PuTTY, the recording also stops when the session is inactive.

Figure 2. How the Privileged Session Recorder widgets work. The diagram shows a Start State leading into the Recorder Widget (to start recording), which exits to the Recording Started state when recording is started, or to the Recording Failed state if recording cannot start.


When you develop or customize an AccessProfile, add the appropriate recorder widget to the state.

The following Privileged Session Recorder widgets are included:

Widget_PSR_Init
Generates the recording ID which will be used when the recording starts. Displays the message of the consent dialog box.

Widget_PSR_Start
Starts a session recording. For example:
v Starts recording when a privileged identity is checked out.
v Starts recording when a secured application is started.

Widget_PSR_Pause
Pauses a session recording. For example, you can pause recording when confidential information from a personal application is being displayed in the application. Pausing a recording avoids including the confidential details in the session recording.

Widget_PSR_Resume
Resumes a session recording that is paused. For example, you can resume recording after the confidential information is no longer shown.

Widget_PSR_Stop
Stops a session recording. For example, you can stop recording when a privileged identity is checked in.

Privileged Session Recorder with the bundled AccessProfiles works in the following ways:
v Recording starts when the shared access user ID is checked out, and the user agrees to give consent for recording. If the IBM Privileged Session Recorder Server connection is interrupted, any mouse or key input for the client application might be blocked depending on the policies you configure in AccessAdmin.

Figure 3. Example of a basic recording AccessProfile without check-in and check-out. The diagram shows a Start State and three states: State 1 pins Init Rec Widget: StartState (widget_psr_init); State 2 pins Init Rec Widget: Success and Start Rec Widget: StartState (widget_psr_start); State 3 pins Start Rec Widget: Recording_Started.


  For more information, see the IBM Security Access Manager for Enterprise Single Sign-On product documentation and search for privileged identity management policies.
v Recording automatically stops when the application is closed. To stop the recording at a custom point, use the Widget_PSR_Stop widget.

Note: If the Privileged Session Recorder service is stopped on the client workstation, you can configure what action to take. For example, you can block user input, or close the application. Search for “Policies for Privileged Identity Management” in the IBM Security Access Manager for Enterprise Single Sign-On product documentation.

Add session recording widgets with the following process:
1. Open the bundled session recording AccessProfiles.
2. Trace the states in each single sign-on AccessProfile. Observe how the Privileged Session Recorder widgets and pinnable states are combined with triggers for each state in the process.
3. Test the AccessProfile. Observe when the session recording process starts, pauses, resumes, and stops.
4. Customize the AccessProfile and test it again.
5. Apply what you learn by taking one of the following actions:
   v Customize an existing AccessProfile.
   v Build a new AccessProfile.

Initializing a session recording

Initialize a session recording with the Widget_PSR_Init widget. The widget generates a Recording ID for the recording.

Procedure

1. Add the Widget_PSR_Init to the AccessProfile.
2. Pin the Init_Recording state from the Widget_PSR_Init widget.
3. Specify the necessary parameters to pass to the widget.

   Recorded Application Window's XPath
   Specifies the window signature.

   User Consent Dialog Message
   Specifies the user consent dialog box message.

   Recorder Bag (Type: Account Data Bag)
   Specifies an empty account data bag for internal use by the recording widgets.

   Recording ID
   The ID to be associated with the recording.

Starting a session recording

You can start or stop a recording session either by adding the Privileged Session Recorder widgets in custom AccessProfiles or by using the AccessProfiles bundled with IBM Security Privileged Identity Manager.


About this task

When a recording is started on the client workstation, a recorder tray notification is displayed in the Windows notification area. A recording session stops when the monitored client application is closed, or a Widget_PSR_Stop is encountered in the process.

Procedure

1. Add the Widget_PSR_Start to the AccessProfile.
2. Pin the Start_Recording state from the Widget_PSR_Start.
3. Specify the necessary parameters to pass to the widget.

   PIM Bag (Account Data Bag)
   Specifies the temporary data holder or cache that stores user credentials that must be checked in or checked out after AccessAgent captures credentials from the application.

   Application Name (Type: Account Data Bag)
   Specifies the application name that is recorded.

   Recorder Bag (Type: Account Data Bag)
   Specifies an empty account data bag for internal use by the recording widgets.

   ISIM Authentication Service (Type: Account Data Bag)
   Specifies the configured IBM Security Identity Manager authentication service ID as an account data bag.

   Custom Metadata Name (Type: Property Store Item)
   Specifies a custom metadata attribute as a property store item.

   Custom Metadata Value (Type: Property Store Item)
   Specifies a custom metadata value as a property store item.

   Recording ID
   The ID to be associated with the recording.

4. In the next state, pin the Recording_Started state from the Widget_PSR_Start.

Note: The recording session ends when the AccessProfile workflow ends or the monitored client application is closed.

What to do next

If you plan to add session recording to more applications with custom AccessProfiles, configure the AccessProfile for session recording.

Stopping a session recording

Stop a session recording with the Widget_PSR_Stop widget.

Procedure

1. Add the Widget_PSR_Stop to the AccessProfile.
2. Pin the Stop_Recording state from the Widget_PSR_Stop widget.
3. Specify the necessary parameters to pass to the widget.

   PIM Bag (Account Data Bag)
   Specifies the temporary data holder or cache that stores user credentials that must be checked in or checked out after AccessAgent captures credentials from the application.


Screen Capture Started (Type: Account Data Bag)Specifies whether screen capture is already started for the account data bag.

Recorder Bag (Type: Account Data Bag)Specifies an empty account data bag for internal use by the recordingwidgets.

Pausing a session recordingYou can pause a recording that is in progress by adding an instance of theWidget_PSR_Pause widget to your AccessProfile. For example, you can pauserecording when confidential information is being displayed in an application.Pausing avoids including the confidential information in the session recording.

Before you begin

You must be familiar with adding widgets to an AccessProfile. For moreinformation about adding and pinning AccessProfile widgets, see the IBM SecurityAccess Manager for Enterprise Single Sign-On AccessProfile Widgets Guide.

About this task

To see an example of how the Widget_PSR_Pause widget is used, see the bundledAccessProfile profile_putty_main.

Procedure

1. In AccessStudio, open your AccessProfile.
2. Add an instance of the Widget_PSR_Pause widget to the AccessProfile. For example: New Widget 1
3. With a state in the AccessProfile selected, pin the Pause_Recording pinnable state. For example: New Widget 1::Pause_Recording_Widget::Pause_Recording
4. With the pinned state selected, specify the necessary account data bag parameters in the Form Editor. For example: New Widget 1::Pause_Recording

   An account data bag is a temporary data holder or cache that stores user credentials.

   PIM Bag (Account Data Bag)
       Specifies the temporary data holder or cache that stores user credentials that must be checked in or checked out after AccessAgent captures credentials from the application.

   Screen Capture Started (Type: Account Data Bag)
       Specifies whether screen capture is already started for the account data bag.

   Recorder Bag (Type: Account Data Bag)
       Specifies an empty account data bag for internal use by the recording widgets.

5. In the next AccessProfile state, pin the Recording_Paused pinnable state.

What to do next

Resume a recording session.

Resuming a recording session

You can resume a recording session in an AccessProfile with the bundled Widget_PSR_Resume widget.


Before you begin

You must be familiar with adding widgets to an AccessProfile. For more information about adding and pinning AccessProfile widgets, see the IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide.

About this task

To see an example of how the Widget_PSR_Resume widget is used, see the bundled AccessProfile profile_putty_main.

Procedure

1. In AccessStudio, open your AccessProfile.
2. Add an instance of the Widget_PSR_Resume widget to the AccessProfile. For example: New Widget 2.
3. With a state in the AccessProfile selected, pin the Resume_Recording pinnable state from the widget. For example: New Widget 2::Resume_Recording_Widget::Resume_Recording.
4. Add another state.
5. Pin the Recording_Resumed state to the new state you added.


Chapter 4. Reports and audit logs

Use the reports or audit logs to investigate security events or collect metrics about how you are using privileged identities.

To view reports about privileged identity management activities, install IBM Tivoli® Common Reporting. Use IBM Tivoli Common Reporting to view and customize available shared access reports from IBM Security Access Manager for Enterprise Single Sign-On and IBM Security Identity Manager.

Types of available reports

IBM Security Privileged Identity Manager records some audit logs for all shared access events.

Audit logs and reports are available in some of the following forms:
• IMS Server audit log entries.
• IBM Tivoli Common Reporting BIRT-based reports.
• IBM Tivoli Common Reporting Cognos-based reports.

The privileged identity AccessProfile includes actions that generate an audit log entry. You can configure more audit log entries for either successful or unsuccessful logon attempts.

To view the IBM Security Privileged Identity Manager reports, you must import and deploy the reports into IBM Tivoli Common Reporting.

Table 8. Audit logs and reports for the IBM Security Privileged Identity Manager solution.

Report or audit log: Privileged ID Check-out
Description: Audit log report that is viewed in AccessAdmin.
Parameters or examples:
    ApplicationName
        Name of the application. For example: PuTTY.
    ServiceURI
        Endpoint host name or IP address of the managed resource you are logging on to.
    Shared Access ID
        Shared Access ID of the privileged account.
    Privileged User ID
        User ID of the privileged account.
    Return code
        Return code of the checkout function. See “Privileged identity management messages” on page 37 for the example codes.
    Recording ID
        Recording ID of the associated session recording for playback.

Report or audit log: Privileged ID Check-in
Description: Audit log report that is viewed in AccessAdmin.
Parameters or examples:
    ApplicationName
        Name of the application. For example: PuTTY.
    ServiceURI
        Endpoint host name or IP address of the managed resource you are logging on to.
    Shared Access ID
        Shared Access ID of the privileged account.
    Privileged User ID
        User ID of the privileged account.
    Return code
        Return code of the checkout function. See “Privileged identity management messages” on page 37 for the example codes.

Report or audit log: Shared access audit history report
Description: BIRT-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: For the list of parameters, see the IBM Security Identity Manager product documentation. See “Example: Shared access history” on page 33.

Report or audit log: Shared access entitlements by owner
Description: BIRT-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: For the list of parameters, see the IBM Security Identity Manager product documentation. See “Example: Shared access entitlements by owner” on page 34.

Report or audit log: Shared access entitlements by role
Description: BIRT-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: For the list of parameters, see the IBM Security Identity Manager product documentation. See “Example: Shared access entitlements by role” on page 35.

Report or audit log: User Information Report
Description: BIRT-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: For the list of parameters, see the IBM Security Access Manager for Enterprise Single Sign-On product documentation. See “Example: User information” on page 31.

Report or audit log: Application Usage Report
Description: BIRT-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples: For the list of parameters, see the IBM Security Access Manager for Enterprise Single Sign-On product documentation. See “Example: Application usage” on page 32.

Report or audit log: IBM Privileged Session Recorder
Description: Cognos-based report that is viewed on a reporting workstation with IBM Tivoli Common Reporting.
Parameters or examples:
    Audit ID
        Specifies the unique audit ID.
    Event ID
        Specifies the unique ID of the event that occurred. For the list of Event ID descriptions, see “IBM Privileged Session Recorder Server Event ID descriptions” on page 36.
    Event Time
        Specifies the time that the event was logged.
    Result Code
        Specifies the result code.
    Event Details
        Specifies more details that are based on the recorded event.
    Server Address
        Specifies the target server host name or IP address location that the user is logged on to.
    Client Address
        Specifies the client address location.
    User Name
        Specifies the user name.
    See “Example: IBM Privileged Session Recorder” on page 36.

Viewing reports with Tivoli Common Reporting

You can use the report console to view a larger collection of shared access and privileged identity reports from a single console.

Before you begin

• Install and configure IBM Tivoli Common Reporting.
• Install the report packages for the following products:
  – IBM Security Identity Manager Server: See the IBM Security Identity Manager product documentation.
  – IBM Security Access Manager for Enterprise Single Sign-On: See the IBM Security Access Manager for Enterprise Single Sign-On product documentation.
  – IBM Security Privileged Identity Manager: See the IBM Security Privileged Identity Manager Deployment Overview Guide.

Procedure

1. Log on to the Tivoli Common Reporting instance.
2. Expand Reporting > Common Reporting.
3. To view related privileged identity management reports, browse for the following reports:


Table 9. Related reports for privileged identity management

Product: IBM Security Privileged Identity Manager
    Report: IBM Privileged Session Recorder

Product: IBM Security Access Manager for Enterprise Single Sign-On
    Reports: User Information; Application Usage

Product: IBM Security Identity Manager
    Reports: Shared access audit history; Shared access entitlements by owner; Shared access entitlements by role

Shared access objects for custom reports

You can generate custom reports by using the Shared Access objects in IBM Security Identity Manager.

Use the Shared Access entities, such as Credential, Credential Pool, Credential Lease, and Shared Access Policy to generate the custom reports. For more information, see Shared access objects for custom reports in the IBM Security Identity Manager Administration Guide in the IBM Security Identity Manager product documentation.

Viewing audit logs for privileged identities

When you automatically log on with shared access credentials, an audit log entry is created. You can use the AccessAdmin utility to view audit log entries.

About this task

For more information about viewing:
• IMS Server audit logs, see the IBM Security Access Manager for Enterprise Single Sign-On product documentation.
• IBM Security Identity Manager audit logs, see the IBM Security Identity Manager product documentation.

Procedure

1. Log on to the managed resource with shared access credentials to generate valid audit entries.
2. Log on to AccessAdmin.
3. Under System, click Audit logs.
4. Under Choose search criterion, choose the event name. For example: Privileged ID Check Out.

Customizing Cognos-based reports for IBM Privileged Session Recorder

You can customize the Cognos-based reports for IBM Privileged Session Recorder.

To customize Cognos-based reports for IBM Privileged Session Recorder, see the IBM Tivoli Common Reporting product documentation.


Report examples

This appendix provides examples of the shared access-related reports that you deploy on the Tivoli Common Reporting instance. Use the included reports to track how shared access privileged identities are used.

Example: User information

The user information report contains the activity of one or more users, which are sorted by event, result, and time. The report also displays the computer IP address of the user and the full name of the user.

[Figure 4. User information audit report. The sample rows in the figure list the domain example.com, the user names user1 to user9, and their IP addresses in the 192.0.2.0/24 range.]


Example: Application usage

An application usage report contains the authentication service activity of one or more users, which are sorted by event and time. The report also displays the IP address of the computer and the full name of each user.

To view related shared access events, select one of the following events as report parameters:
• Privileged ID Check In
• Privileged ID Check Out

[Figure 5. Application usage audit report. The sample rows in the figure show the user jk.example.com/user1 with IP addresses in the 192.0.2.0/24 range and 198.51.100.1.]


Example: Shared access history

This report shows the shared access audit history.

[Figure 6. Shared access history report. The sample rows in the figure show the organization JKE, the service JKELDAPService, and the users chuck (Chuck M) and mike (Mike).]


Example: Shared access entitlements by owner

This report lists shared access entitlements for an Owner. You can filter the report by service business unit, service, shared access entitlement owner business unit, and shared access entitlement owner.

Figure 7. Shared access entitlements by owner report


Example: Shared access entitlements by role

This report lists shared access entitlements for a role. You can filter the report by business unit, role, and entitlement type.

Figure 8. Shared access entitlements by role report


Example: IBM Privileged Session Recorder

This report lists auditor activities on the Privileged Session Recorder console.

IBM Privileged Session Recorder Server Event ID descriptions

Describes the event ID for the Privileged Session Recorder audit reports.

Table 10. Privileged Session Recorder Server audit events

Event ID                                              Description

EV_PLAYER_API_SEARCH_RECORDINGS                       Searches for all recordings with a specific parameter with the IBM Privileged Session Recorder console.
EV_PLAYER_API_VIEW_RECORDING                          Plays back the recording in the IBM Privileged Session Recorder console.
EV_PLAYER_API_GET_RECORDING_UNIVERSAL_SEARCH          Gets a list of recordings that are based on global search.
EV_PLAYER_API_GET_RECORDINGS_SEARCHABLE_METADATA      Gets a list of searchable metadata.
EV_PLAYER_API_SEARCH_RECORDING                        Gets details about a specific recording.
EV_PLAYER_API_INDEX_REFRESH_ISSUED                    Requests issued to refresh the index.
EV_PLAYER_API_DELETE_SAVED_QUERIES                    Deletes the saved search queries.
EV_PLAYER_API_UPDATE_SAVED_QUERIES                    Updates the saved search queries.
EV_PLAYER_API_SAVE_SAVED_QUERIES                      Saves the search queries.
EV_PLAYER_API_GET_SAVED_QUERIES                       Gets the saved search queries.

[Figure 9. IBM Privileged Session Recorder report. The sample rows in the figure show the addresses 192.0.2.24 and SRV1/198.51.100.0.]


Privileged identity management messages

You can search and view the error message codes for your AccessProfiles.

How to use the following messages

You can view the error codes in the audit logs.

Table 11. List of message identifiers.

Error Code   Identifier
             Description

0            CICO_MGR_SUCCESS
             Check-out and check-in is successful.

1            CICO_MGR_GENERAL_ERROR
             There is an unexpected or unknown error. Contact the Administrator.

2            CICO_MGR_SCRIPT_HOST_RUNTIME_ERROR
             There might be an error in the AccessAgent module. Contact the Administrator.

3            CICO_MGR_ESSO_ID_RETRIEVAL_FAILED
             Cannot retrieve the AccessAgent user ID from AAScriptSupport. There might be an error in the AccessAgent module. Contact the Administrator.

4            CICO_MGR_REAUTH_PASSCODE_FAILED
             Reauthentication password is incorrect. Ensure that the entered credential is correct.

5            CICO_MGR_ISIM_CRED_RETRIEVAL_FAILED
             IBM Security Identity Manager credentials cannot be retrieved from the Wallet. Recapture the IBM Security Identity Manager credential and make sure that it is saved properly.

6            CICO_MGR_AUTH_SVC_ID_NOT_FOUND
             Application authentication service ID is not found in PrivCredBag. It can be an AccessProfile problem. Contact the Administrator.

7            CICO_MGR_ISIM_SRV_CONNECTION_FAILED
             Connection to IBM Security Identity Manager Server cannot be established. Check network connections and the IBM Security Identity Manager URL setting.

9            CICO_MGR_LOGON_ISIM_FAILED
             Log on to IBM Security Identity Manager failed. Check whether your IBM Security Identity Manager credentials are correct.

11           CICO_MGR_GET_ROLES_LIST_FAILED
             Get shared access list failed. Contact the IBM Security Identity Manager Administrator.

12           CICO_MGR_EMPTY_ROLES_LIST
             Shared access list from IBM Security Identity Manager is empty. Shared access is not properly set in the IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

13           CICO_MGR_SHOW_ROLE_POPUP_FAILED
             Cannot show the Shared Access Selection window. There might be an error in the AccessAgent module. Contact the Administrator.

14           CICO_MGR_CHECKOUT_FAILED
             Check out from IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

15           CICO_MGR_LOGOFF_ISIM_FAILED
             Log off from IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

17           CICO_MGR_CHECKIN_FAILED
             Check in to IBM Security Identity Manager failed. Contact the IBM Security Identity Manager Administrator.

18           CICO_MGR_RESPONSE_MSG_PARSE_ERROR
             An unknown exception is returned by IBM Security Identity Manager. Look in the IBM Security Identity Manager logs.

19           CICO_MGR_USER_CANCELLED_ROLE_POPUP
             The user canceled the shared access dialog box prompt.


20           CICO_MGR_PROPERTIES_CONTAINER_ERROR
             An error occurred on an operation that requires the properties container of AccessAgent. There might be an error in the AccessAgent module. Contact the Administrator.

22           CICO_MGR_INVALID_ISIM_AUTH_SVC_ID
             Cannot retrieve the IBM Security Identity Manager Authentication Service ID from the system policy. Check the IMS Server system policy setting and do a full synchronization to the IMS Server.

23           CICO_MGR_ISIM_URL_NOT_DEFINED_FOR_CUSTOMER
             IBM Security Identity Manager service URL is not defined for this customer account. Check the IMS Server system policy setting and do a full synchronization to the IMS Server.

31           CICO_MGR_ISIM_CRED_INCOMPLETE
             The credential information from IBM Security Identity Manager or Bgmonitor is not complete. Contact the Administrator. Note: Bgmonitor is a required component for managing the privileged identity management workflow.

35           CICO_MGR_SERVICEURI_NOT_DEFINED
             Check-out and check-in service of the endpoint is not configured in the IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

36           CICO_MGR_NO_CREDENTIAL_AVAILABLE
             All available credentials are checked out. Try again later.

37           CICO_MGR_NO_RESPONSE_LOGIN
             No response from IBM Security Identity Manager for logon action.

38           CICO_MGR_NO_RESPONSE_GETSHAREDACCESS
             No response from IBM Security Identity Manager for getsharedaccess action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

39           CICO_MGR_NO_RESPONSE_CHECKOUT
             No response from IBM Security Identity Manager for checkout action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

40           CICO_MGR_NO_RESPONSE_LOGOUT
             No response from IBM Security Identity Manager for logout action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

41           CICO_MGR_NO_RESPONSE_CHECKIN
             No response from IBM Security Identity Manager for checkin action. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.

42           CICO_MGR_ISIM_USER_ID_NOT_MATCH_SAME_AA_USER
             Checked out IBM Security Identity Manager user name does not match IBM Security Identity Manager user name in the Wallet during check-in. The IBM Security Identity Manager user name is changed after check-out and before check-in. This event is logged. No action is required.

43           CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER
             AccessAgent user name at checkout does not match AccessAgent user name on check-in. Log on using the old AccessAgent user name to check in.

44           CICO_MGR_ISIM_OBJECT_NOT_FOUND
             IBM Security Identity Manager returns an exception of CTGIMX202E. The object is not found. It might be an error in IBM Security Identity Manager. Contact the IBM Security Identity Manager Administrator.


500          CICO_MGR_REUSE_ISIM_CREDENTIAL
             The IBM Security Identity Manager credential is reused. No action is required.

501          CICO_MGR_LEASE_EXPIRE
             The lease expired. Stop the process. No action is required.
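The following script is an added example, not part of this guide or of the product. It maps the return codes of Table 11 to the party that each row's description says must act, and pairs Privileged ID Check-out and Check-in entries on the Table 8 fields to list credentials that are still checked out. The record layout and the sample entries are constructed for the example; an AccessAdmin export will not look exactly like this.

```python
"""Triage of Privileged ID Check-out / Check-in audit entries by return code.

Added example, not part of the IBM guide: the return codes and identifiers
come from Table 11, the record fields from Table 8, and the grouping of codes
by who must act follows each row's description. The sample entries are
constructed and do not reproduce an AccessAdmin export format."""
from collections import Counter

CICO_CODES = {  # Table 11: return code -> identifier
    0: "CICO_MGR_SUCCESS", 1: "CICO_MGR_GENERAL_ERROR",
    2: "CICO_MGR_SCRIPT_HOST_RUNTIME_ERROR", 3: "CICO_MGR_ESSO_ID_RETRIEVAL_FAILED",
    4: "CICO_MGR_REAUTH_PASSCODE_FAILED", 5: "CICO_MGR_ISIM_CRED_RETRIEVAL_FAILED",
    6: "CICO_MGR_AUTH_SVC_ID_NOT_FOUND", 7: "CICO_MGR_ISIM_SRV_CONNECTION_FAILED",
    9: "CICO_MGR_LOGON_ISIM_FAILED", 11: "CICO_MGR_GET_ROLES_LIST_FAILED",
    12: "CICO_MGR_EMPTY_ROLES_LIST", 13: "CICO_MGR_SHOW_ROLE_POPUP_FAILED",
    14: "CICO_MGR_CHECKOUT_FAILED", 15: "CICO_MGR_LOGOFF_ISIM_FAILED",
    17: "CICO_MGR_CHECKIN_FAILED", 18: "CICO_MGR_RESPONSE_MSG_PARSE_ERROR",
    19: "CICO_MGR_USER_CANCELLED_ROLE_POPUP",
    20: "CICO_MGR_PROPERTIES_CONTAINER_ERROR",
    22: "CICO_MGR_INVALID_ISIM_AUTH_SVC_ID",
    23: "CICO_MGR_ISIM_URL_NOT_DEFINED_FOR_CUSTOMER",
    31: "CICO_MGR_ISIM_CRED_INCOMPLETE", 35: "CICO_MGR_SERVICEURI_NOT_DEFINED",
    36: "CICO_MGR_NO_CREDENTIAL_AVAILABLE", 37: "CICO_MGR_NO_RESPONSE_LOGIN",
    38: "CICO_MGR_NO_RESPONSE_GETSHAREDACCESS", 39: "CICO_MGR_NO_RESPONSE_CHECKOUT",
    40: "CICO_MGR_NO_RESPONSE_LOGOUT", 41: "CICO_MGR_NO_RESPONSE_CHECKIN",
    42: "CICO_MGR_ISIM_USER_ID_NOT_MATCH_SAME_AA_USER",
    43: "CICO_MGR_ISIM_USER_ID_NOT_MATCH_DIFFERENT_AA_USER",
    44: "CICO_MGR_ISIM_OBJECT_NOT_FOUND",
    500: "CICO_MGR_REUSE_ISIM_CREDENTIAL", 501: "CICO_MGR_LEASE_EXPIRE",
}

# Who must act, taken from the Description column of Table 11.
ACTION_OWNER = {
    "none": {0, 42, 500, 501},                  # success / "No action is required"
    "user": {4, 5, 9, 19, 36, 43},              # re-enter, recapture, retry, log on as before
    "administrator": {1, 2, 3, 6, 13, 20, 31},  # "Contact the Administrator"
    "configuration": {7, 22, 23},               # check the URL / IMS Server system policy
    # "Contact the IBM Security Identity Manager Administrator"; 37 is grouped
    # with the other no-response codes although its row names no action.
    "isim-administrator": {11, 12, 14, 15, 17, 18, 35, 37, 38, 39, 40, 41, 44},
}


def triage(return_code):
    """Map a Table 11 return code to (identifier, action owner)."""
    ident = CICO_CODES.get(return_code, "UNKNOWN_CODE")
    owner = next((o for o, codes in ACTION_OWNER.items() if return_code in codes),
                 "unknown")
    return ident, owner


def summarize(entries):
    """Count entries per action owner and return the shared access IDs whose
    last successful event is a check-out, i.e. credentials still leased.
    Only return code 0 opens or closes a lease here (an assumption)."""
    owners = Counter()
    open_leases = {}
    for e in entries:
        _, owner = triage(e["ReturnCode"])
        owners[owner] += 1
        if e["ReturnCode"] != 0:
            continue
        key = (e["SharedAccessID"], e["ServiceURI"])
        if e["Event"] == "Privileged ID Check Out":
            open_leases[key] = e["PrivilegedUserID"]
        elif e["Event"] == "Privileged ID Check In":
            open_leases.pop(key, None)
    return owners, open_leases


def _entry(event, service, sa_id, priv_user, code, rec_id=""):
    """Build one constructed record using the Table 8 field names."""
    return {"Event": event, "ApplicationName": "PuTTY", "ServiceURI": service,
            "SharedAccessID": sa_id, "PrivilegedUserID": priv_user,
            "ReturnCode": code, "RecordingID": rec_id}


SAMPLE_ENTRIES = [  # constructed sample data, not real audit entries
    _entry("Privileged ID Check Out", "srv1.example.com", "SA-srv1-root", "root", 0, "rec-1001"),
    _entry("Privileged ID Check In", "srv1.example.com", "SA-srv1-root", "root", 0),
    _entry("Privileged ID Check Out", "db1.example.com", "SA-db1-sys", "sys", 0, "rec-1002"),
    _entry("Privileged ID Check Out", "db1.example.com", "SA-db1-sys", "sys", 36),
    _entry("Privileged ID Check In", "srv2.example.com", "SA-srv2-root", "root", 43),
    _entry("Privileged ID Check Out", "srv3.example.com", "SA-srv3-root", "root", 7),
]

if __name__ == "__main__":
    owners, leases = summarize(SAMPLE_ENTRIES)
    for owner, count in owners.most_common():
        print(f"{owner:20s} {count}")
    for (sa_id, service), user in leases.items():
        print(f"still checked out: {sa_id} ({user} on {service})")
```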

Syslog forwarding properties

You can configure the IBM Privileged Session Recorder Server to forward the audit events as Syslog messages for monitoring on SIEM (Security Information and Event Management) and log management solutions.

To configure Syslog forwarding, specify the following properties in the psr.properties file.

Locate the psr.properties in the following places:

For clustered deployments
    Browse to the following directory: <was_home>\profiles\<dmgr_profile>\config\psr.

For stand-alone deployments
    Browse to the following directory: <was_home>\profiles\<appsrv>\config\psr.

Table 12. Details of the properties for Syslog forwarding configuration.

Property Name: syslog.serverhost
    Description: Specifies the Syslog host to forward messages to.
    Example value: syslog.serverhost=syslogsrv.example.com

Property Name: syslog.facility
    Description: Optional. Specifies the Syslog facility to log at.
    Default value: syslog.facility=local5

Example configuration

syslog.serverhost=syslogsrv.example.com
syslog.facility=local2
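The following script is an added example, not part of this guide or of the product. It reads the two Table 12 properties from psr.properties text, applies the documented default facility (local5) when syslog.facility is absent, flags facility names that are not standard Syslog facilities, and computes the PRI value a collector will see (facility × 8 + severity, per RFC 5424). The severity at which the server emits its events is not stated in this guide, so it is a parameter; the sample property texts other than the guide's example configuration are constructed.

```python
"""Check the Syslog forwarding settings of the IBM Privileged Session
Recorder Server (psr.properties, Table 12).

Added example, not part of the IBM guide or of the product. It validates the
two documented properties, applies the documented default facility, and
reports the PRI value a SIEM will see. The severity used by the server is an
assumption (parameter); the variant property texts are constructed."""

# Standard facility numbers (subset of RFC 5424, Table 1).
SYSLOG_FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
DEFAULT_FACILITY = "local5"  # default value documented in Table 12


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key:value' lines and
    '#' / '!' comment lines; line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if cuts:
            idx = min(cuts)  # first separator wins
            props[line[:idx].strip()] = line[idx + 1:].strip()
        else:
            props[line] = ""
    return props


def check_syslog_config(props):
    """Return (findings, effective): findings lists what is wrong, effective
    holds the host and facility the server would use."""
    findings = []
    host = props.get("syslog.serverhost", "")
    if not host:
        findings.append("syslog.serverhost is not set: audit events are not forwarded")
    facility = props.get("syslog.facility") or DEFAULT_FACILITY
    if facility not in SYSLOG_FACILITIES:
        findings.append(f"syslog.facility={facility!r} is not a standard Syslog facility")
    return findings, {"host": host, "facility": facility}


def expected_pri(facility, severity="info"):
    """PRI value a collector sees for a message at this facility/severity."""
    return SYSLOG_FACILITIES[facility] * 8 + SEVERITIES[severity]


# The guide's own example configuration from Table 12.
GUIDE_EXAMPLE = "syslog.serverhost=syslogsrv.example.com\nsyslog.facility=local2\n"
# Constructed variants: one relies on the default facility, one is broken.
DEFAULT_ONLY = "syslog.serverhost=syslogsrv.example.com\n"
BROKEN = "# forwarding\nsyslog.facility=local9\n"

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_EXAMPLE), ("default", DEFAULT_ONLY),
                       ("broken", BROKEN)):
        findings, eff = check_syslog_config(parse_properties(text))
        print(name, eff, findings or "ok")
        if eff["facility"] in SYSLOG_FACILITIES:
            print("  PRI for info-level messages:", expected_pri(eff["facility"]))
```

Filter rules on the SIEM side should match the PRI or facility the script reports, not a hard-coded local5, since the deployed psr.properties may override the default.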


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. 2012. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at http://www.ibm.com/legal/us/en/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

The IBM Security Access Manager for Enterprise Single Sign-On software uses other technologies that collect each user's user name, password or other personally identifiable information for purposes of session management, authentication, single sign-on configuration or other usage tracking or functional purposes. These technologies can be disabled, but disabling them will also eliminate the functionality they enable.

The IBM Security Identity Manager and Role Management software does not use cookies or other technologies to collect personally identifiable information. The only information that is transmitted between the server and the browser through a cookie is the session ID, which has a limited lifetime. A session ID associates the session request with information stored on the server.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled “Cookies, Web Beacons and Other Technologies” and “Software Products and Software-as-a Service”.

44 IBM Security Privileged Identity Manager: Administrator Guide

Page 59: IBM Security Privileged Identity Manager Version 1.0 › support › knowledgecenter › SSRQBP_1.0... · Note: This edition applies to version 1.0.1 of IBM Security Privileged Identity

Glossary

This glossary includes terms and definitions for IBM Security Privileged Identity Manager.

The following cross-references are used in this glossary:

• See refers you from a term to a preferred synonym, or from an acronym or abbreviation to the defined full form.

• See also refers you to a related or contrasting term.

To view glossaries for other IBM products, go to www.ibm.com/software/globalization/terminology (opens in new window).

A

account
An entity that contains a set of parameters that define the application-specific attributes of a user, which include the identity, user profile, and credentials.

adapter
An intermediary software component that allows two other software components to communicate with one another.

application server
A server program in a distributed network that provides the execution environment for an application program.

audit trail
A chronological record of events or transactions. An audit trail is used for examining or reconstructing a sequence of events or transactions, managing security, and recovering lost transactions.

C

collector
A web service that accepts uploads of recordings and stores them into a permanent storage medium. This web service is a component of the session recording server.

credential
Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources. See also shared access.

credential pool
A group of credentials with similar access privileges. The pool can be defined as a service group or a set of service groups.

credential vault
A configured repository that stores credentials for shared access management.

D

deprovision
To remove a service or component. For example, to deprovision an account means to delete an account from a resource.

digital certificate
An electronic document used to identify an individual, a system, a server, a company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority.

directory server
A server that can add, delete, change, or search directory information on behalf of a client.

E

endpoint
The system that is the origin or destination of a session.

event
An occurrence of significance to a task or system. Events can include completion or failure of an operation, a user action, or the change in state of a process.

F

frame
A unit of information in a recording. A frame can either be a screen capture or information about mouse events, keyboard events, or other relevant events.

I

IMS Server
An integrated management system for ISAM ESSO that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, authentication policies, provides loss management, certificate management, and audit management for the enterprise.

M

managed resource
An entity that exists in the runtime environment of an IT system and that can be managed. See also resource.

P

password
In computer and network security, a specific string of characters used by a program, computer operator, or user to access the system and the information stored within it.

permission
Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.

plug-in
A separately installable software module that adds function to an existing program, application, or interface.

policy
A set of considerations that influence the behavior of a managed resource or a user.

profile
Data that describes the characteristics of a user, group, resource, program, device, or remote location.

provisioning policy
A policy that defines the access to various managed resources, such as applications or operating systems. Access is granted to all users, users with a specific role, or users who are not members of a specific role.

R

recording
A collection of information about user actions performed on a monitored application for some time.

recording agent
A shared library loaded into a monitored application's process space that captures frames.

recording daemon
A privileged process running on the same endpoint as the monitored application, which performs operations that require elevated privileges.

resource
A hardware, software, or data entity. See also managed resource.

retriever
A web application that provides access to stored recordings.

S

shared access
Access to a resource or application using a shared credential. See also credential.

shared access policy
A policy that authorizes role members to share access by credentials or credential pools. A policy can be defined for a specific credential pool, a specific credential, or all pools or credentials with the same organization container context.

single sign-on (SSO)
An authentication process in which a user can access more than one system or application by entering a single user ID and password.

SSO
See single sign-on.

W

wallet
A secured data store of access credentials of a user and related information, which includes user IDs, passwords, certificates, and encryption keys.

Index

A
AccessAdmin 8, 30
accessibility x
AccessProfiles
  customize 17
  IBM Personal Communications 17
  modify 17
  Recorder widget 8
  Session Recording widget 21
AccessStudio 17
account data bag 25
administration
  session recordings 7
  shared access 1
administrative consoles
  host names 4
  URLs 4
advanced search 11
agent, recorder 7
audit logs
  viewing 27, 30

B
backup location 13
Business Intelligence Reporting Tool (BIRT) 29

C
check-in 3, 27, 32
check-out 27, 32
Cognos 29
collector web service 7
color customization 8
credentials
  check-in 3, 27
  check-out 3, 27

D
daemon, recorder 7

E
education x
error messages
  See system messages
event codes 27
Event ID 36

F
frames
  capture 7
full-text search 12
  restore index 12

G
grayscale, customize 8

I
IBM
  Software Support x
  Support Assistant x
IBM Personal Communications 7, 17
IBM Security Access Manager for Enterprise Single Sign-On
  audit logs 30
IBM Security Identity Manager
  audit logs 30
IBM Tivoli Common Reporting
  configuration 27
ISPIMRecorderAuditors group 9

L
load balancer 4
Lucene index
  See full-text search

M
metadata 7
Microsoft Remote Desktop 7

O
online
  publications ix
  terminology ix

P
pause 25
policies 8
privileged administrator view 2
privileged user view 3
problem-determination x
psr.properties file 13, 39
publications
  accessing online ix
  list of for this product ix
PuTTY 7
  AccessProfile 19

R
Recorder
  agent 7
  daemon 7
  widget 8
recorder.indexer.backup.dayofmonth property 14
recorder.indexer.backup.dayofweek property 14
recorder.indexer.backup.enabled property 13
recorder.indexer.backup.frequency property 14
recorder.indexer.backup.hourofday property 14
recorder.indexer.backup.minute property 14
recorder.indexer.backup.second property 14
recorder.indexer.backup.storage.dir parameter 12
recorder.indexer.backup.storage.dir property 14
recording 7
reports 27
  application usage 32
  shared access entitlements by owner 34
  shared access entitlements by role 35
  shared access history 33
  types 27
  user information 31
  view 29
retriever web application 7

S
search index 13
  back up 12
security auditors, add 9
session recording 25
  AccessProfiles 17
  start 24
  stop 24
Session Recording widget 21
session recordings
  AccessProfiles 8
  administration 7
  administrative consoles 4
  Administrators, add 9
  auditors, add 9
  columns, hide 11
  columns, show 11
  components 7
  customize 8
  general information 7
  initialization 23
  log on 9
  management console 9
  monitor 9
  recording options 8
  search for 10
  view 11
shared access
  administration 1
SIEM solutions 39
SSH
  capture 7
start session recording 24
stop session recording 24
Syslog 39
syslog.facility property 39
syslog.serverhost property 39
system messages
  error messages 37

T
terminal services 7
terminology ix
Tivoli Common Reporting 29
training x
troubleshooting x

V
view audit logs 30
VMware vSphere 7

W
web application, retriever 7
web service, collector 7
Widget_PSR_Init widget 23
Widget_PSR_Pause widget 25
Widget_PSR_Resume widget 26
Widget_PSR_Start widget 24
Widget_PSR_Stop widget 24
widgets 23, 24, 25, 26
  Privileged Session Recorder 8

Printed in USA

SC27-5619-01