prasenjitmass Respected Contributor.

Blocked users notification should go to admin through mail

Hi,
Is there any option in PAM so that if a user gets blocked by PAM because of using a risky command, a notification will be sent to the administrator through mail?
Micro Focus Expert

Re: Blocked users notification should go to admin through ma

Do you have an approach for blocking risky commands for user sessions? Is this for Linux? The answer might depend on your approach.
prasenjitmass Respected Contributor.

Re: Blocked users notification should go to admin through ma

Hi tdharris,
Thanks for the reply. This is for Windows, Linux and DB monitoring. Is this possible for all three of these?
Micro Focus Expert

Re: Blocked users notification should go to admin through ma

Currently it's not as straightforward, in regard to the same view as the "Command Risk" configuration I think you are referencing here:
https://www.netiq.com/documentation/privileged-account-manager-35/npam_admin/data/bjfzqbk.html#cc_command_risk

Ideally, we would have a Notify / Alert toggle in this same view. If you agree, would you please write this need up in our PAM Idea Portal?
https://ideas.microfocus.com/MFI/pam

This will bring attention to it from our PM and allow the community to vote for the enhancement as well. I think this would be a simpler product approach to address this need.

--

Alternatively, there are Email Notification scripts in CmdCtrl that can be attached to CmdCtrl rules, but I'm not sure how we would configure it to notify when a user is auto-blocked based on command risk.

There is also the Compliance Auditor, which might be useful in this regard. This can be configured with an Audit Rule to "pull-in/sync" sessions that have "risky" commands based on the configured risk level. There is a life-cycle to manage these audit records so the organization can monitor/be aware of them. But you can also create an Audit Report from this perspective as well to notify certain users of new/pending audit records.

So to sum up the Compliance Auditor approach to this: you could configure an Audit Rule to create Audit Records based on a Command Risk filter that matches the command(s) you are interested in. Once they are in the Compliance Auditor, they exist as Audit Records which point to the actual audited session keystroke report, etc. An Audit Report could be configured to automatically notify users of these new records on a particular schedule. These compliance-type users/admins could then come into the Compliance Auditor and view the Audit Record, make notes on the session and set the status to either Authorized or Unauthorized from an auditing perspective. This would be a good approach to ensure / verify the risky commands are handled appropriately.
https://www.netiq.com/documentation/privileged-account-manager-35/npam_admin/data/bjglbku.html