Symantec Privileged Access Management

Disable Inactive After (Days)

  • 1.  Disable Inactive After (Days)

    Posted 09-25-2020 03:36 PM
    Hi team, I still don't have patch 3.4.1 applied to fix the issue below. Do you think setting the option Disable Inactive After (Days) to 0 would solve my issue? I am getting a lot of users complaining about being deactivated without any reason.


    Case Number: 1367542
    Internal Defect ID: DE421294
    Resolved Issue: PAM user account gets deactivated automatically for an unknown reason


    ------------------------------
    Security Analyst
    DXC Technology
    ------------------------------


  • 2.  RE: Disable Inactive After (Days)

    Broadcom Employee
    Posted 09-27-2020 12:25 PM
    Hi Higor, No, the problem you list was related to user deactivations based on incorrect detection of connection tampering. The problem that is related to the Disable Inactive After setting is the following item on page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/release-information/Resolved-Issues-in-3_4_1.html:

    31921223, 31907650
    DE466462, DE466199, DE465062, DE464813, DE461904
    Users are being deactivated for inactivity even though they are using the environment



  • 3.  RE: Disable Inactive After (Days)

    Posted 09-28-2020 07:24 AM

    Thanks Ralf, my bad.

    But do you think setting Disable Inactive After (Days) to 0 would stop users being deactivated, so I can prepare my upgrade to 3.4.1?

    Higor

  • 4.  RE: Disable Inactive After (Days)

    Broadcom Employee
    Posted 09-28-2020 03:39 PM
    Hello Higor, Per discussion above there are two separate problems that can cause user deactivations, and the Disable Inactive After setting only affects one of them. Without knowing which problem your users run into, I cannot know whether this setting will help you. The session logs should have messages showing whether a user got disabled due to inactivity, or due to tampering detection. Keep in mind that session logs are node-specific and in a cluster you may have to check multiple nodes for log messages. Filter for "deactivated", "inactivity" or "tampering" in column Details.
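
The log check described in the reply above, as an added example that is not part of the original thread or Broadcom's tooling: it merges session-log exports from several cluster nodes and classifies each deactivation by the "deactivated", "inactivity" and "tampering" filter terms applied to the Details column. The CSV export format, the Time and User columns, the node names and all sample message wording except the PAM-CMN-0903 text quoted in the thread are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, one per cluster node (session logs are node-specific).
# Assumed: CSV layout, "Time"/"User" columns, and message wording other than
# the PAM-CMN-0903 text quoted in the thread.
NODE_EXPORTS = {
    "node-a": (
        "Time,User,Details\n"
        "2020-09-20 08:01:12,alice,User alice deactivated due to inactivity\n"
        "2020-09-21 09:15:40,bob,PAM-CMN-0903: This account is deactivated. "
        "See your CA PAM Administrator.\n"
    ),
    "node-b": (
        "Time,User,Details\n"
        "2020-09-19 23:50:03,bob,User bob deactivated: connection tampering detected\n"
        "2020-09-22 10:02:55,carol,Login successful\n"
    ),
}

def classify(details):
    """Map a Details value to a deactivation cause, or None if unrelated."""
    text = details.lower()
    if "tampering" in text:
        return "tampering"
    if "inactivity" in text:
        return "inactivity"
    if "deactivated" in text:
        return "unspecified"  # says the account is deactivated, not why
    return None

def triage(exports):
    """Merge all nodes' rows; return {user: [(time, node, cause), ...]} in time order."""
    events = defaultdict(list)
    for node, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            cause = classify(row["Details"])
            if cause:
                events[row["User"]].append((row["Time"], node, cause))
    return {user: sorted(rows) for user, rows in events.items()}

def inactivity_only(events):
    """Users whose every attributable deactivation was inactivity-based."""
    return sorted(user for user, rows in events.items()
                  if {c for _, _, c in rows if c != "unspecified"} == {"inactivity"})

if __name__ == "__main__":
    merged = triage(NODE_EXPORTS)
    print(merged, inactivity_only(merged))
```

In the sample data, the row that explains why bob's account is deactivated sits on a different node from the one that recorded his rejected login, which is why the exports are merged before classifying.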


  • 5.  RE: Disable Inactive After (Days)

    Posted 09-28-2020 03:46 PM

    All issues in my environment are related to users getting disabled due to inactivity. All in my filters show PAM-CMN-0903: This account is deactivated. See your CA PAM Administrator.

    Higor

  • 6.  RE: Disable Inactive After (Days)

    Broadcom Employee
    Posted 09-28-2020 04:01 PM
    Ok, in that case the configuration setting will help. If set to 0, users will not be deactivated based on inactivity.


  • 7.  RE: Disable Inactive After (Days)

    Posted 09-28-2020 04:07 PM

    thanks