Hello, I have a potential PAM customer running SAP (ERP software). They **also** badly want to monitor (record) SAP Administrator activities, and the challenge here is that SAP Administrators use a client (SAP GUI) for SAP administration, which is installed and runs on their workstations.
How can PAM help this customer? Any suggestions?
I found out that Desktop support for Windows 7 and 8.1 is included in PAM 3.1, and Windows 10 is planned for 3.2. For 7 and 8.1, though, I don’t think the SAP Client was officially tested yet, but there are plans for that.
I don't understand why there is an agent available for Desktop OS. What's the purpose? If the PAM agent is installed on the workstation of a System/Mail/ERP/DB admin, then that agent would not just monitor/record the admin's "administrative" activities but obviously would also record/monitor non-administrative (personal/private) activities, e.g. IM and email clients, web browsers, etc., and recording/monitoring such apps is neither required nor acceptable.
I think a "Desktop Specific" agent is required which can monitor/record all activities of users except web browsers, IM and email clients, so that any administrative tool, be it PuTTY, a database administration/management tool, mail server administration tools, or the SAP administration tool (SAP GUI), would be recorded.
I recall these scenarios being discussed in the implementation of Desktop OS monitoring, and there are plans to address these concerns as I recall. I'll forward this thread to the Product Manager and see if a response can be posted here.
> There's also the option to 'Run as User' that could be a workaround approach to have only specific applications monitored rather than all applications.
I don't think "Run as User" could be a workaround here, as how can one restrict an Admin to only run the console/tool (e.g. SAP GUI or PuTTY) via "Run as User"? SAP GUI is a tool that any ordinary (non-privileged) user can run if installed on his/her workstation; it's the credentials that authorize what a user can/can't do within SAP. Similarly, anyone can run PuTTY if available on his/her system (yes, we can track/monitor direct SSH logins via PAM too); successful login and rights are dependent on the credentials provided, but PuTTY does not require any special permissions.
So in all such scenarios where tools/consoles could be run by any ordinary user, the "Run as User" feature won't help, because we can't restrict users to run the consoles/tools via the "Run as User" feature only.