Symantec Privileged Access Management

CA PAM v3.2.6

I need some confirmation of whether or not PAM able to either kick user access or give them alert when their access request duration about to come to an end. Currently, user still able to access target device even after their requested duration is over as long as they do not close their access session.

------------------------------
Regards,
Jorghy M.
------------------------------

Hi Jorghy, PAM doesn't have "access request duration". PAM has a password view duration, i.e. a time window during which you are allowed to view or use the password of a target account. This is required only at the time you log on to a target server. Once logged on, the password is not needed anymore (unless you have a transparent login configuration). The only timeout that impacts an established access session is the idle timeout that you configure in Global Settings.
Original Message:
Sent: 11-13-2019 03:08 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

CA PAM v3.2.6

I need some confirmation of whether or not PAM able to either kick user access or give them alert when their access request duration about to come to an end. Currently, user still able to access target device even after their requested duration is over as long as they do not close their access session.

------------------------------
Regards,
Jorghy M.
------------------------------

Yes, i meant Password View under Workflow Approval duration, but i only use it for Auto Connect and not View. When a user requesting access to target device that needs approval, they have to put Request Start - End Date with maximum length of duration which limited by our configuration of Maximum Request Interval under Dual Authorization. There's a need for both alert notification and force termination after the requested duration is over, is it possible?
Original Message:
Sent: 11-13-2019 09:21 AM
From: Ralf Prigl
Subject: Kick/ Alert Mechanism for Access Request Duration

Hi Jorghy, PAM doesn't have "access request duration". PAM has a password view duration, i.e. a time window during which you are allowed to view or use the password of a target account. This is required only at the time you log on to a target server. Once logged on, the password is not needed anymore (unless you have a transparent login configuration). The only timeout that impacts an established access session is the idle timeout that you configure in Global Settings.
Original Message:
Sent: 11-13-2019 03:08 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

CA PAM v3.2.6

I need some confirmation of whether or not PAM able to either kick user access or give them alert when their access request duration about to come to an end. Currently, user still able to access target device even after their requested duration is over as long as they do not close their access session.

------------------------------
Regards,
Jorghy M.
------------------------------

No, PAM doesn't kill active connections to target devices. Again, the request interval is for the password, not for the access session itself.
Original Message:
Sent: 11-14-2019 03:28 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

Yes, i meant Password View under Workflow Approval duration, but i only use it for Auto Connect and not View. When a user requesting access to target device that needs approval, they have to put Request Start - End Date with maximum length of duration which limited by our configuration of Maximum Request Interval under Dual Authorization. There's a need for both alert notification and force termination after the requested duration is over, is it possible?
Original Message:
Sent: 11-13-2019 09:21 AM
From: Ralf Prigl
Subject: Kick/ Alert Mechanism for Access Request Duration

Hi Jorghy, PAM doesn't have "access request duration". PAM has a password view duration, i.e. a time window during which you are allowed to view or use the password of a target account. This is required only at the time you log on to a target server. Once logged on, the password is not needed anymore (unless you have a transparent login configuration). The only timeout that impacts an established access session is the idle timeout that you configure in Global Settings.
Original Message:
Sent: 11-13-2019 03:08 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

CA PAM v3.2.6

I need some confirmation of whether or not PAM able to either kick user access or give them alert when their access request duration about to come to an end. Currently, user still able to access target device even after their requested duration is over as long as they do not close their access session.

------------------------------
Regards,
Jorghy M.
------------------------------

I see. That means PAM cannot do any termination or alerting againts active access session even when their duration is up. Thanks for your reply Ralf.
Original Message:
Sent: 11-14-2019 09:47 AM
From: Ralf Prigl
Subject: Kick/ Alert Mechanism for Access Request Duration

No, PAM doesn't kill active connections to target devices. Again, the request interval is for the password, not for the access session itself.
Original Message:
Sent: 11-14-2019 03:28 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

Yes, i meant Password View under Workflow Approval duration, but i only use it for Auto Connect and not View. When a user requesting access to target device that needs approval, they have to put Request Start - End Date with maximum length of duration which limited by our configuration of Maximum Request Interval under Dual Authorization. There's a need for both alert notification and force termination after the requested duration is over, is it possible?
Original Message:
Sent: 11-13-2019 09:21 AM
From: Ralf Prigl
Subject: Kick/ Alert Mechanism for Access Request Duration

Hi Jorghy, PAM doesn't have "access request duration". PAM has a password view duration, i.e. a time window during which you are allowed to view or use the password of a target account. This is required only at the time you log on to a target server. Once logged on, the password is not needed anymore (unless you have a transparent login configuration). The only timeout that impacts an established access session is the idle timeout that you configure in Global Settings.
Original Message:
Sent: 11-13-2019 03:08 AM
From: Jorghy Misnan
Subject: Kick/ Alert Mechanism for Access Request Duration

CA PAM v3.2.6

I need some confirmation of whether or not PAM able to either kick user access or give them alert when their access request duration about to come to an end. Currently, user still able to access target device even after their requested duration is over as long as they do not close their access session.

------------------------------
Regards,
Jorghy M.
------------------------------