CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 22nd August 2017
Issue
You can provision a CA Privileged Access Manager device to permit execution of sudo or BeyondTrust PowerBroker pbrun using the login password for the device from the SSH Access Method applet.
Important:
- Security Requirement: Configure sudo or pbrun on the target so that each execution requires a password from the client. Otherwise, security can be compromised.
- Transparent login cannot be applied to Device Groups.
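Because transparent login hands the device's login password to sudo, the target-side requirement above (every sudo execution must prompt for a password) is worth verifying before the policy goes live. The following audit script is an added example, not part of the CA PAM tech tip: it scans sudoers content for NOPASSWD rules and Defaults that suppress or cache the prompt. The sudoers text is constructed sample input, not from any real host.

```python
"""Flag sudoers settings that let sudo run without a fresh password prompt.

Limitations: single file only (#include/#includedir are not followed) and
no handling of backslash line continuations.
"""
import re

# Constructed sample sudoers content (not taken from a real system).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=15
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
deploy      ALL=(root) /usr/bin/systemctl restart app
ops         ALL=(ALL) NOPASSWD: /bin/cat /var/log/app.log, PASSWD: /bin/ls
"""

NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:")
TIMEOUT_RE = re.compile(r"timestamp_timeout\s*=\s*(-?\d+)")
NOAUTH_RE = re.compile(r"!authenticate\b")


def audit_sudoers(text):
    """Return a list of (line_no, reason). An empty list means every sudo
    invocation will prompt for a password. line_no 0 marks a file-level
    finding (no Defaults line disables credential caching)."""
    findings = []
    saw_zero_timeout = False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            m = TIMEOUT_RE.search(line)
            if m and int(m.group(1)) == 0:
                saw_zero_timeout = True
            elif m:  # positive caches the credential; negative never expires
                findings.append((no, "timestamp_timeout=%s lets later sudo calls skip the prompt" % m.group(1)))
            if NOAUTH_RE.search(line):
                findings.append((no, "!authenticate disables the password prompt"))
            continue
        if NOPASSWD_RE.search(line):
            findings.append((no, "NOPASSWD rule: sudo runs without a password"))
    if not saw_zero_timeout:
        findings.append((0, "no 'Defaults timestamp_timeout=0'; sudo caches credentials by default"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s" % (line_no, reason))
```

On a real target, feed it the output of `sudo cat /etc/sudoers` (and each file under /etc/sudoers.d) rather than the sample; a clean result is the state the tip's security requirement asks for.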
Policy set up against an individual device -- the Transparent Login option is available:
Policy set up against a Device Group -- the Transparent Login option is not available:
Cause
The SSH Transparent Login option is made available to a policy against an individual device ONLY when Transparent Login is configured at the device level.
Workaround
Create a dummy RDP Application ('Hide from User' option checked) in PAM and associate that service with the Device Group:
Transparent Login option is now made available to the Device Group:
NOTE:
Because the check for a Transparent Login configuration is done at the device level, the suggested workaround effectively bypasses this validation. Hence, Transparent Login can be enabled at the Device Group level, but the Transparent Login configuration itself still needs to be done on each device.
Also, the suggested workaround is not suitable for 'Command String' Transparent Login.
Additional Information