Symantec Privileged Access Management

  • 1.  CA PAM Concurrent Sessions Support

    Broadcom Employee
    Posted Nov 02, 2016 08:10 AM

    Hello All,


    As per the documentation, CA PAM can support 2000 concurrent sessions with session recording capability. I would need some help understanding whether that applies to the Virtual Appliance, the AMI application and the Hardware Appliance. If not, what are the concurrent session figures for each deployment?


    Also, do we have any feature in CA PAM that can help the "SUPER" user to view, from the PAM appliance console:


    1) How many users are currently using PAM, and which end devices they are connected to?

    2) Force log-off of some users if they see any suspicious behavior?


    Thank you all in advance for your kind support.


    Regards,

    Suvajit

    +91 9739559994



  • 2.  Re: CA PAM Concurrent Sessions Support

    Broadcom Employee
    Posted Nov 02, 2016 12:04 PM

    Hello dassu10,


    I believe the 2000 concurrent session estimate is based on the Hardware appliance and may differ on the VM and AMI, as they can have different "hardware" specifications. If you use the recommended settings (mainly switching the appliance to use 16 GB of RAM), it should be able to handle similar loads. We do not have any specific estimates for AMI/VM.


    As for seeing who is logged in: as a Global Admin (super, or any other user with this privilege) you can click Sessions > Manage Sessions to see a list of currently logged-in users along with some information about their sessions. Here we have two main options for managing a session: you can force the user to re-authenticate, or you can completely log the user out and kill their entire session.


    There are also options to force recording or disconnect an active connection to a device.


    Here is a screenshot of this page for reference:

    Red = Force re-authentication (current connections and session will be hidden from the user and paused until re-authenticated)

    Orange = Log out (also kills all connections and the session)

    Green = Force start recording for this connection

    Blue = Disconnect this connection



    Hope this helps,

    -Christian



  • 3.  Re: CA PAM Concurrent Sessions Support

    Broadcom Employee
    Posted Nov 07, 2016 12:29 AM

    Hello Christian,


    Thanks for your kind and to-the-point reply.


    On the second part, I tried doing the steps in our DOD environment; however, the experience was a bit different.


    On Mozilla I logged into the PAM console using a normal user, and on IE at the same time I logged in as super. However, when I went to check the active sessions, it only showed the session of super.


    Could it be possible that in our DOD environment user "super" is actually not a super user? If so, could you please help me with how we check that?


    Thanking you in advance.


    Suvajit Das



  • 4.  Re: CA PAM Concurrent Sessions Support
    Best Answer

    Broadcom Employee
    Posted Nov 07, 2016 09:04 AM

    Hi dassu10,


    Under normal circumstances super will almost always be Global Administrator. It is impossible to change the role associated with the super account; you would get this message if you tried: "Message 2046: User super may not have its roles changed." It is possible, however, to change the name of the super account by logging into the special config page as your config user. After changing super's username it becomes possible to create a new user with the name super and assign it whatever role you want.


    In your case I believe super is probably set up normally as Global Admin, because standard users do not have access to anything besides the Access page, and you are able to get to the Sessions > Manage Sessions page. My best guess as to what is happening for you is that you are logged into 2 different nodes in the same cluster. This page will only show the users logged into the exact same CA PAM appliance as you. If you wanted to manage all sessions for all appliances, you would need to log into each individually. Please test again using a single node address to log in instead of the cluster VIP/virtual hostname.


    Note: The same idea applies to the logs. Logs are not replicated across the cluster; they are kept locally on each node.


    -Christian