The Privileged Appliance and Modules

(TPAM) 2.5
Administrator Guide
Copyright© 2015 Dell Inc. All rights reserved.
This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and
AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
Linux® is a registered trademark Linus Torvalds in the United States, other countries, or both. MariaDB is a registered
trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are
registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and
other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the
United States and/or other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS
is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc.
PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered
trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in
the United States or other countries. UNIX and UNIXWARE is a registered trademark of The Open Group in the United States
and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

TPAM Administrator Guide

Updated - November 2015
Software Version - 2.5

TPAM 2.5
2
Administrator Guide
Contents

Privileged Password Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Resource requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Access the privileged password appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Initial Set Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Recommended steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Permission Based Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Message of the day tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Recent activity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Approvals tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Pending reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Current requests tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

User ID’s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Web tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Key based tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Cache tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Time tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Group membership tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Add a web user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Add a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Add a user ID using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Add a CLI user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Add an API user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Regenerate keys for CLI/API users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Duplicate a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Disassociate a user from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Delete a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Delete a user template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Disable/enable a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Unlock a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Reset user ID password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Manage the paradmin user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

TPAM 2.5
3
Administrator Guide
List user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Manage your TPAM user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Add a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Duplicate a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Delete a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
List groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Default global groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Permission Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Permission precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Permissions example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Permission types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Add an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Make an access policy inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Reactivate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Duplicate an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Delete an access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Rebuild assigned policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Password Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Add a password check profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Add a password change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Delete a password check/change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Assign a password check /change profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Custom information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Connection tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Ticket system tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
LDAP schema tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Template tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Account discovery tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

TPAM 2.5
4
Administrator Guide
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Add a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Add a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Add a system using a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Test a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Duplicate a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Disassociate a system from a template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Delete a system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Delete a system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
List systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Local appliance systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

Custom Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Custom platform Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Add a conversational custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Add a jump box custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Test a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Duplicate a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Delete a custom platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Using custom platforms in TPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Batch processing custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
CLI and API commands for custom platform systems . . . . . . . . . . . . . . . . . . . . . . . . .88
Jump boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Affinity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Add a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Duplicate a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Delete a collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
List collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Reviews tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Custom Information tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

TPAM 2.5
5
Administrator Guide
Dependents tab (Windows® AD only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Past Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Current Password tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
PSM Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Session Authentication tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
File Transfer tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Review Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Add an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Duplicate an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Delete an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Retrieve a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
List accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
List PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Password current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Manual password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Managing services in a Windows® domain environment . . . . . . . . . . . . . . . . . . . . . . 126
Add generic account to TPAM for PSM sessions to a user specified Windows account . . . 127

Using Quest Authentication Services with TPAM . . . . . . . . . . . . . . . . . . . . . . . . . .129

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configure QAS integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
How it works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

TPAM Account Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configure account discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Account discovery profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Add an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Delete an account discovery profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Assign an account discovery profile to a system/system template . . . . . . . . . . . . . . . 139
Combine account discovery with auto discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Ticket System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
File History tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Current File tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Collections tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Permissions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

TPAM 2.5
6
Administrator Guide
Add a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Duplicate a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Review file history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Delete a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Retrieve a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
List files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Auto Discovery - LDAP Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
LDAP directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Add a LDAP data source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Add user/system template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Add LDAP user/system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Delete a LDAP system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Discover accounts on auto discovered systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Auto Discovery - Generic Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Generic directory mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Source tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
System tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
User tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Add a generic system mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Add a generic user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Delete a generic system/user mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Application Password Virtual Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Importing the virtual cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Boot the cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Configure network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Enable remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Change setup password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Define remote IP address restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Prepare the cache for enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Add the cache in the TPAM interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Add cache users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Add cache client hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add cache trusted root certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add the cache server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
WSDL tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Accounts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Root Certificates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

TPAM 2.5
7
Administrator Guide
Hosts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Cache current status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Create a cache team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Remove a cache team member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Alerts for the cache appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Delete a cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
List cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Cache logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Usage examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Batch Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Advanced file settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Import user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Import systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Import accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Import or update collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Import or update groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Add or drop collection members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Add or drop group members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Batch update user IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Batch update systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Batch update accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Batch update PSM accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Batch update permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Batch update cache server permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Cancel a batch process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
View batch job history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

PSM Connection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Add a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Delete a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Assign a PSM connection profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Post Session Processing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Add a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Delete a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Assign a post session processing profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Privileged Command Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Add a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Commands to assist with authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

TPAM 2.5
8
Administrator Guide
Duplicate a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Delete a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Create access policy with the command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Assign access policy to user or group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Setup requirement for Windows® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Restricted Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
System requirements for restricted commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Add a restricted command profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Assign profile to access policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Restricted command account settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Command detection during a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Archive Session Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configure session log archive settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configure session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Test the archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
View archive files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
View archive log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Delete a session log archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Clear a stored system host entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Synchronized Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Candidates tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Subscriber status tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Logs tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Add synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Add subscriber to a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Remove a subscriber from a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . 237
Delete a synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Force reset of synchronized password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Enable/disable scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Send scheduled reports to archive server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Subscribe/unsubscribe to scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Add/remove additional recipients to scheduled reports . . . . . . . . . . . . . . . . . . . . . . 241
View scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Resubmit scheduled reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Data Extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

TPAM 2.5
9
Administrator Guide
Configure data extracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Customize data extract dataset file names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

TPAM CLI IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Add a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Connect PSM account to TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Delete a TPAM CLI ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Password Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Request a password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
View submitted password requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Access the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Cancel/expire a password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Approve/Deny Password Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Approve/deny password request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Review a Password Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Review a password release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Provisional ticket validation on a password release . . . . . . . . . . . . . . . . . . . . . . . . . 260

Session Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Request a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
View submitted session requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Cancel/expire a session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Approve/Deny Session Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Approve/deny session request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Start a Remote Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Client requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Start a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
File transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
End a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
TPAM 2.5
10
Administrator Guide
Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Session playback controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Meta data window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Replay a session log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Add a bookmark to a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
View bookmarks/captured events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Jump to a bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Jump to an event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Monitor a live session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Terminate a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Review a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Review status definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Review a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Provisional ticket validation on a session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

File Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Request a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Email notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
View submitted file requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Access the file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Cancel/expire a file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Approve/Deny File Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Approve/deny file request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Revalidate ticket on a request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Deny request after it is approved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

On Demand Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Report time zone options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Run a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Report descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
The ping utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Nslookup utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
TraceRoute utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Telnet test utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Display routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

TPAM 2.5
11
Administrator Guide
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Command standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Application Programming Interface (API) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
C++ library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
.NET library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
PERL library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Java® library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
C++ examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
.NET examples (C#) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Configuration for Capturing Events on Windows® Systems . . . . . . . . . . . . . . . . . . .357

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
General j-Interop requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Summary of common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Firewall related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Explicitly opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Dynamically opening DCOM ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Remote registry related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Local security policy related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
User account control (UAC) related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Registry key related problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Windows® event requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Appliance Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365

About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367

Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

TPAM 2.5
12
Administrator Guide
 1
Privileged Password Management
Overview

• Introduction
• Resource requirements
• Access the privileged password appliance

Introduction
TPAM is a robust collection of integrated modular technologies designed specifically to meet the complex and
growing compliance and security requirements associated with privileged identity management and privileged
access control.
NOTE: This guide explains the core functionality available in TPAM regardless of the product licenses that
has been applied.

Privileged Password Manager

The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM
is a repository where these account passwords are stored until needed, and released only to authorized
persons. Based on configurable parameters, the PPM module will automatically update these passwords.

Privileged Session Manager

The Privileged Session Manager (PSM) module provides a secure method of connecting to remote
systems, while recording all activity that occurs to a session log file that can be replayed at a later time.
All connections to remote systems are proxied through Privileged Account Management (TPAM) appliance
ensuring a secure single access point.
The TPAM appliance has several methods of access:
• Configuration interface (HTTPS via direct connection, with network option)
• Administrative interface (HTTPS via network access)
• User interface (HTTPS via network access)
• Admin CLI (SSH via network access)
• User CLI (SSH via network access)
• User API (SSH client application via network access)
All data stored in TPAM is encrypted in storage and transit. Careful attention has been placed on the security
and audit capabilities of the appliance, due to the high security implications of the data it contains.
To support this high level of security, TPAM is designed to ensure segregation of duties and dual control. The
segregation of duties is accomplished through permission based authorization. Dual control is accomplished by
optionally requiring multiple pre-defined individuals to be involved in the connection to a system.

TPAM 2.5
13
Administrator Guide
Resource requirements
One IP address is required for each TPAM appliance in a cluster. The 1U hardware design provides a small
footprint for the device and requires minimal rack space.

Access the privileged password appliance

To access TPAM, point the browser to TPAM’s IP address or FQDN followed by /tpam. For example, if the IP
address for the appliance has been configured as 192.168.1.100, the URL would be
https://192.168.1.100/tpam/. The initial TPAM administrator account is paradmin and the initial password is
provided with your licensing information.

Connectivity
To communicate with TPAM and successfully initiate a session your computer needs to be able to pass traffic on
ports 443 (HTTPS), 8000, and 22 (SSH).

If TPAM will be accessed via Microsoft® Internet Explorer® (IE), there is one important setting to verify or
change in the IE configuration:

Pop-Up blocker
When the /tpam website is accessed, the initial instance of the browser is closed and a new window opens
without menu or title bars. Browsers that are configured to block pop-ups often interpret this as a Popup and
the page will not display. Be sure to add the URL for TPAM to the list of allowed pop ups. If your desktop
environment does not allow pop-up blockers to be disabled, this functionality may be disabled by the system
administrator with a global setting in the /admin interface.

TPAM 2.5
14
Administrator Guide
 2
Initial Set Up

• Introduction
• Recommended steps

Introduction
This chapter covers the recommended steps for the initial set up of the TPAM appliance in the /tpam interface.
Before proceeding, the configuration of the /config and /admin interface should be completed. See the System
Administrator Guide for details. The order of the information presented in this manual reflects the
recommended steps outlined below.

Recommended steps
To configure the /tpam interface:
1 Login to the /tpam interface with the paradmin user ID.
2 Add a CLI user ID with a user type of administrator. Download and store the key outside of the appliance.
See Add a CLI user ID for details.
3 Create password check and change profiles. See Password Profiles.
4 Create password rules. See the TPAM System Administrator Guide.
5 If LDAP or Generic Integration will be utilized, add the necessary system and user templates. See Add a
system template and Add a user template.
6 Outline the desired groups within LDAP that will be used to create TPAM groups for assigning permissions.
With those groups, add LDAP mappings to create the groups and provision the users. See .
7 If Auto Discovery is not utilized, load TPAM users through Import user IDs.
8 Configure any Cache servers. See Add the cache in the TPAM interface.
9 Outline the desired OU’s within LDAP that will be used to create TPAM Collections and provision systems.
With those OU’s, add LDAP mappings to create the collection and provision the system.
NOTE: The system template can be used to add accounts as well.

10 If Auto Discovery is not used, load the systems to be managed through Import systems or Add a system.
See the Client Set Up Guide for details on configuring specific platforms.
11 If desired, add any files to be managed. See Add a file.
12 If Cache servers and/or DPAs were purchased, make the affinity assignments at the system level. See
Affinity tab.
13 For any accounts that were not provisioned using the auto-discovery process for adding systems, load the
accounts in TPAM through Import accounts.

TPAM 2.5
15
Administrator Guide
14 To utilize collections (buckets of systems, accounts and/or files) other than the ones created using auto-
discovery, add collections and then load collection membership. See Add a collection and Add or drop
collection members.
15 To utilize groups (buckets of users) other than the ones created using auto-discovery, add groups and
then load group membership. See Add a group and Add or drop group members.
16 See Permissions tab to add the permissions desired to allow the group access to the collections or to
individual systems.
17 If Privileged Session Manager (PSM) was purchased and Privileged Command Manager (PCM) will be used,
configure PCM Commands. See Add a command.
18 Create any custom Access Policies. See Add an access policy.
19 Update permissions with access policy assignment. See Batch update permissions.
20 If a PSM customer, add any PSM Connection Profiles and Post Session Processing Profiles. See Add a PSM
connection profile and Add a post session processing profile.
NOTE: In the admin interface the Post Processing Agent must be started for post session profiles to
take effect.

21 If a PSM customer see Batch update PSM accounts to update the PSM permissions for accounts.
22 If a PSM customer see Configure session log archive settings and Configure session log archive server to
configure retention settings for session logs.
23 Configure the Batch Report subscriptions and recipients. See Enable/disable scheduled reports.
24 Configure the Data Extract Schedule and data Sets. See Configure data extracts.
25 Configure Synchronized Passwords. (Optional) See Add synchronized password.
26 Configure TPAM CLI IDs. (Optional) See Add a TPAM CLI ID.

TPAM 2.5
16
Administrator Guide
 3
Permission Based Home Page

• Introduction
• Message of the day tab
• Recent activity tab
• Approvals tab
• Pending reviews tab
• Current requests tab

Introduction
Your home page is based on the user type and permissions assigned to your user ID in the TPAM application.
Return to the home page from anywhere in the TPAM application by clicking the home icon located on the far
left side of the menu ribbon.

Message of the day tab

The first tab that displays is the default message of the day, which is configured through the admin interface. To
immediately make a session, password or file request as well as approve any pending requests click the links.

TPAM 2.5
17
Administrator Guide
Recent activity tab

The recent activity tab shows all your activity in TPAM for the last 7 days.

Approvals tab

The Approvals tab displays any requests (Password, File or Session) that require approval. After they are
approved or denied the request can be seen on this list until the release duration expires. Clicking on the
request id opens the appropriate Requests Approval Detail tab to approve or deny the request. To use the auto-
refresh option select the box and type the number of minutes you would like the window refreshed.

TPAM 2.5
18
Administrator Guide
Pending reviews tab

Eligible reviewers for any post password releases or sessions see the Pending Reviews tab on the home page. Any
password releases or sessions that are pending review are seen on this tab. Clicking on the request ID opens the
Password Release Review Details or Session Review Details tab. To use the auto-refresh option select the box
and type the number of minutes you would like the window refreshed.

Current requests tab

The Current Requests tab displays any request (Password, File or Session) that you have made. The requests stay
visible on this tab until the release duration expires. Clicking on the Request ID link opens the Session, Password
or File Request Management tabs to view details on a request.

TPAM 2.5
19
Administrator Guide
 4
User ID’s

• Introduction
• Add a web user ID
• Add a user template
• Add a user ID using a template
• Add a CLI user ID
• Add an API user ID
• Regenerate keys for CLI/API users
• Duplicate a user ID
• Disassociate a user from a template
• Delete a user ID
• Delete a user template
• Disable/enable a user ID
• Unlock a user ID
• Reset user ID password
• Manage the paradmin user ID
• List user IDs
• Manage your TPAM user ID

Introduction
This chapter covers, adding and managing TPAM User ID’s.
To add and manage user ID’s, information is entered on the following tabs in the TPAM interface:

Table 1. Management: TPAM interface tabs

Tab name Description

Details Define main information, such as name, contact information, and user type.
Details/Web Configure access and authentication methods.
Details/Key Based Define key based authentication method.
Details/Cache For cache users only, generate or upload the user’s certificate.
Details/Time Define time zone and access times.
Details/Custom Information Custom boxes available for use.
Template Used to save user ID settings as a template.
Group Membership Assign group membership.
Permissions Assign access policies for systems, accounts, and/or files for this user.

TPAM 2.5
20
Administrator Guide
Details tab

The table below explains all of the box options available on the Details tab.

Table 2. User Management: Details tab options

Element Description Required? Default

User Name The user’s login id. User names may be a maximum of 30 Yes
characters long. The following special characters are allowed
in the user name: `~#%&(){}.!'
User Disabled? If selected, the user cannot access TPAM. No Off
Last Name Last name of the user. Yes
First Name First name of the user. Yes
Phone Number Phone number associated with the user ID in TPAM. No
Mobile Number Mobile number associated with the user ID in TPAM. No
Email Address The email address that TPAM will use for email notifications No
from TPAM.
If multiple email addresses are to be associated with the user,
this may be accomplished by using a semicolon and no spaces
to separate them. An alias name can also be designated for
the email (this name is displayed in the To: box). Example:
John Doe<[email protected];[email protected]>,…
To create an alias, type it as: alias<email-address-1;email-
address-2> Double quotes may be required to include spaces
in email addresses.

TPAM 2.5
21
Administrator Guide
Table 2. User Management: Details tab options

Element Description Required? Default

Description The description box may be used to provide additional details No
about the user.
User Type Select the user type. Available choices are: Yes Basic
• Basic: If selected, the user can be a requestor,
approver, reviewer, privileged access, denied or ISA but
does not have any administrator privileges.
• Administrator: If selected, this user account has
Administrator privileges to the TPAM interface. The
administrator is the most powerful user type for the
TPAM user interface. This user type can create and
delete systems, users, groups, and collections. The
administrator user type may also assign access policies
to any user – including themselves. An administrator
may view all reports. It is recommended that this user
type be assigned carefully. The administrator may not
delete or disable their user id.
• Auditor: If selected, this user has Auditor privileges in
TPAM. Auditor is a special user type that may view
reports, systems, and users, but may not request or
approve passwords, files and sessions or modify any
data. Auditors may also review completed password
and session requests. At this time Auditors cannot view
the key stoke log for a session.
• User Administrator: If selected, this user has the
authority to manage Basic user types. User
Administrators may disable and enable users, unlock
user accounts, and update account information. The
User Administrator does not have the ability to add
users to groups or modify permissions. CLI/API user
accounts cannot be managed by a User Administrator.
• Cache User: If selected, this user can only retrieve
passwords through an assigned Cache server and
cannot log in to TPAM. A security certificate must be
loaded for each Cache user. If using a user-supplied
certificate, the customer may also have to provide the
certificate password depending on format of
certificate being uploaded.

Web tab

The table below explains all of the box options available on the Web tab:

TPAM 2.5
22
Administrator Guide
Table 3. User Management: Details Web tab options

Field Description Required? Default

Allow this user If selected, users can make requests, deny or approve No Off
to access TPAM requests, and review password releases and sessions by using
from a Mobile their personal mobile device (Blackberry®, iPhone®). User
Device? administrators and cache user types may not access TPAM via
a mobile device.
Allow WEB If selected, the user can access TPAM via the web. No On
Access? NOTE: Allowing web access is permanent once saved. The only
way to remove web access for the user id is to delete the user
and add the user back.
Password/ Enter/confirm a password for the user account.If left blank, a No
Confirm random password is generated by the TPAM system. The TPAM
Password default password rule configured by the System Administrator
is used for these passwords.
Certificate For users who authenticate using a client certificate, the No
Thumbprint certificate’s SHA1 or SHA2 thumbprint should be entered here.
This option will not appear unless certificate is selected as the
primary user authentication type.
Primary User If selected, user can use primary authentication to Yes Local
Authentication authenticate. The primary authentication user ID cannot be
the same as any other user’s TPAM user name or primary
authentication ID. Available choices are:
• Certificate - User’s authenticate using a client
certificate.
• Local - TPAM
• Windows Active Directory® - WinAD is configured in
the admin interface as an external source of
authentication. The Windows® AD primary user ID must
always be in (user principle name) format, allowing the
use of multiple domains. The primary authentication ID
cannot be the same as any other user’s User Name or
primary ID.
• LDAP - LDAP is configured in the admin interface as an
external source of authentication. Users can type a
shortened version of their LDAP user ID that expands to
the full LDAP user ID for authentication.
• Radius - Radius is configured in the admin interface as
an external source of authentication.
• Defender - Defender is configured in the admin
interface as an external source of authentication
Secondary User If the user is using secondary authentication select the type, No None
Authentication source and enter their user ID here. Choices of secondary
authentication are:
• None
• Safeword
• SecurID
• LDAP
• Radius
• WinAD
• Defender

TPAM 2.5
23
Administrator Guide
Key based tab

The table below explains all of the box options available on the Key Based tab:

Table 4. User Management: Details Key Based tab options

Field Description Required? Default

CLI If selected, the user can access TPAM via the command line No Off
interface (CLI).
API If selected the user can access TPAM via the API. No Off
CLI Key Only applies to CLI users. This is an optional pass phrase to No
Passphrase encrypt the user’s private key. The phrase is case sensitive, up
to 128 characters, and does not allow double quotes (“). The
phrase is not stored and cannot be retrieved after the key is
generated. Remember to give the pass phrase to the CLI user
along with their private key file.
NOTE: If the CLI user ID and key are going to be used in any
type of scripting or automation, be aware that any time a CLI
key with a passphrase is used the passphrase must be typed by
the user via the keyboard. Passphrase entry via any type of
scripting is not allowed for DSS Keys
Restricted IP Only applies to CLI/API users. If an address is specified, the No
Address user may only access TPAM from this address. More than one IP
address may be specified by separating each with a comma –
up to a limit of 100 characters for the entire string. The use of
wildcards is also permitted to specify a complete network
segment – i.e. 10.14.10.*
Since a CLI/API user cannot be disabled with a check box, this
box can be used to temporarily disable the user access by
setting the value to an invalid IP address such as “disabled”.

Cache tab
The Cache tab is only enabled when a user type of cache user is selected. For more details on cache users see
Add cache users.

The table below explains all of the box options available on the Cache tab:

TPAM 2.5
24
Administrator Guide
Table 5. User Management: Details Cache tab options

Field Description Required? Default

Certificate Type A security certificate must be loaded for the cache user. If Yes User-
User-Supplied is selected, certificate is loaded by clicking the Supplied
Select File button. If Created by TPAM is selected, the
certificate is generated by clicking the Download the TPAM
Root Certificate button.
Password / If uploading a PKCS12 file or generating a certificate a No
Confirm password must be supplied.
Password

Time tab
The Time tab allows administrators and user administrators to set a user’s local time zone. This tab is not
enabled for Cache, CLI and API users.
NOTE: The TPAM server is always at UTC time and never uses daylight savings time.

The table below explains all of the box options available on the User ID Time tab:

Table 6. User Management: Details Time tab options

Field Description Required? Default

User Timezone Select a local time zone for the user. Yes Will default to
NOTE: If the user is in a time zone that follows DST, TPAM the default user
will automatically adjust the time for them. timezone global
setting value.
Time Based System Choices are: Yes No Restrictions
Access • No Restriction - if selected, the user can access
TPAM at any time/day.
• Allow - To limit a user’s access to TPAM, select the
Allow button, select days of the week and enter up
to 4 time ranges. Multiple ranges must be separated
by semi-colons. The ranges must be entered using
24-hour times with a hyphen between start and end
times.
• Prohibit - To restrict a user’s access to TPAM, select
the Prohibit button, select days of the week and
enter up to 4 time ranges. The ranges must be
entered using 24-hour times with a hyphen between
start and end times.

TPAM 2.5
25
Administrator Guide
Custom information tab
There are six custom boxes that can be used to track information about each user. These custom boxes are
enabled and configured by the System Administrator in the /admin interface. If these boxes have not been
enabled the Custom Information tab will not be visible.

Template tab
The template tab is used to save all the settings for a user ID as a template. Templates may be used to quickly
create new users with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. User templates do not store a default password. Only TPAM
Administrators and ISAs may use templates.

The table below explains all of the box options available on the User ID Template tab:

Table 7. User Management: Details Template tab options

Field Description Required? Default

Create a Template Selecting this flag saves the values for this user ID as a User No Off
from this User Template.
Use this as the If selected, this template is used when adding new user IDs No Off
default template unless another template is chosen with the Use Template
button.
Only one template can be designated as the “Default” at a
time. Only a template with a user type of Basic and user
interface of Web can be used as a default template. If a
template is designated as the “Default” it is listed in green
italics on the Manage UserIDs listing.
Retain Group If selected, TPAM creates the template with all the group No Off
Membership in the memberships currently defined on this user. User IDs
template created from this template will have the same group
memberships.
NOTE: If this user ID is a member of an AD Integration
Group, that membership is not transferred to the template
and subsequent users.
Retain Permissions If selected, TPAM creates the template with all the system No Off
in the template and collection permissions (Access Policy assignments)
currently defined for the user. User IDs created from this
template will have the same permissions.

TPAM 2.5
26
Administrator Guide
Group membership tab
A group is a container of users, which can share common permissions. The group membership tab is used to
assign users to groups.
NOTE: If a group is tied to either AD or Generic Integration the user’s membership status in that group
cannot be changed.

The table below explains all of the box options available on the User ID Group Membership tab:

Table 8. User Management: Group Membership tab options

Field Description Required? Default

Name The name of the group. Clicking on the name will opens the No
group management listing tab.
Membership To modify group membership, simply click the Not Assigned or No Not
Status Assigned
Assigned buttons next to each collection name and click the
Save Changes button. Pressing the Ctrl key and clicking on any
Assigned or Unassigned option will set all the rows in that
column to the same value.
NOTE: If the System Administrator has disabled Global Groups
in the admin interface the groups will not be visible in this
listing.

Permissions tab
The permissions tab is used to assign systems, accounts, files and/or collections an access policy for this user.

TPAM 2.5
27
Administrator Guide
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the system/s, account/s, file/s and/or
collection/s to which the selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right
upper side of the results tab. Selecting an access policy on the list displays the detailed permissions
describing this access policy on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the
assignment.

Table 9. Access policy details pane icons

Icon Action
Refreshes the list of Access Policies.

Scrolls the currently selected row into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. Confirmation of the
assignment is required if more than 10 rows are affected.

Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. Confirmation the assignment is
required if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
Pressing the SHIFT key and left clicking the mouse can be used to select a range of rows. The first row
clicked will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all
the rows in between the original row and current row to be highlighted.

4 When finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: The results list can be re-filtered and re-retrieved without losing existing edits. As the Results
tab is reloaded any systems, accounts, files, or collections that have already been edited reflect
their edited policy assignment. When the Save Changes button is clicked all the Access Policy
assignment changes for the user are saved. The appliance saves these in batches, reporting of the
number of assignments added, removed, or changed for each batch.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

Add a web user ID

When adding a user ID in TPAM, information is entered on the following tabs to configure the user:
• Details
• Details/Web

TPAM 2.5
28
Administrator Guide
 • Details/Time
• Details/Custom
• Template
• Group Membership
• Permissions
The following procedure describes the steps to add a user ID.

To add a new web user ID:

1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 To set time zone and access rules, click the Time tab and make changes. For more details see Time tab.
(Optional)
5 TO enter custom information, click the Custom Information tab. For more details see Custom
information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group
membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
9 Click the Save Changes button.

Add a user template

NOTE: Any templates used by LDAP or generic integration and have a WinAD primary authentication type,
the primary user ID must be empty, or one of the following values: UPN, UserPrimaryName or
SAMAccountName.
If any external authentication is set the external user ID must still be populated to save the template,
however when a user is created from the template the UserName is used as the default externalID.

To add a User Template:

1 Select Users & Groups | UserIDs | Add User Template from the menu.

TPAM 2.5
29
Administrator Guide
 2 Enter the template name and placeholder first and last names.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.

Add a user ID using a template

Users added using a template will automatically inherit the time information, group membership and
permissions from the template used.

To add a user using a template:

1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Click the Use Template button.

3 Select a template on the Listing tab.

4 Click the Details tab.
5 Enter the user name, first name, last name, and other contact information.
6 Make any other changes as desired.
7 Click the Save Changes button.

TPAM 2.5
30
Administrator Guide
Add a CLI user ID
A CLI user ID is a special user account used to access TPAM remotely via the CLI (command line interface). It is
now possible for one user ID to be both a web and CLI user. When accessing TPAM through the CLI they can only
execute specific commands supported by the TPAM CLI.
NOTE: The paradmin user ID cannot be given CLI access.

To add a new CLI user ID:

1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the CLI check box. Enter information on the Key Based tab. For more
information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom
information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group
membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
9 Click the Save Changes button.
TIP: If a user ID that has both Web access and CLI or API access is added, to generate keys they must first
log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not apply.

10 Click the Details tab.

11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. This key file must be placed on any computer that uses this user ID to
access TPAM’s command line functions.
NOTE: The name of the key file can be renamed.

IMPORTANT: If a user ID has both web and API or CLI access to TPAM you will not be able to download or
generate keys for that user ID. They must log on to TPAM to download and/or regenerate their own DSS
key.

Add an API user ID

An API user ID is required to use TPAM’s Application Programming Interface (API).The TPAM API allows client
applications, via an SSH (Secure Shell) connection to the TPAM appliance, to perform many of the operations
provided in the TPAM User Interface. For more on the API see the Application Programming Interface chapter
later in this guide.

To add an API user ID:

1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.

TPAM 2.5
31
Administrator Guide
 3 Enter information on the Web tab. For more information on this tab see Web tab.
4 Click the Key Based tab. Select the API check box. Enter information on the Key Based tab. For more
information see Key based tab.
5 To enter custom information, click the Custom Information tab. For more details see Custom
information tab. (Optional)
6 To save this user ID as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
7 Click the Group Membership tab and assign/remove membership. For more details see Group
membership tab. (Optional)
8 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)

9 Click the Save Changes button.

TIP: If you are adding a user ID that has both Web access and CLI or API access, to generate keys they must
first log in to TPAM and go to the User menu to generate and download their keys. Steps 10-13 do not
apply.

10 Click the Details tab.

11 Click the Key Based tab.
12 Click the Download Key button.
13 Save the key file that is generated.
14 Give this key file to the user. The key file created by TPAM and a the user ID are required for the API to
be able to establish the SSH connection.

Regenerate keys for CLI/API users

TIP: You cannot regenerate a key for a CLI/API user that also has web access. These users must log on to
the TPAM web interface to retrieve or regenerate their own keys.

To generate a new key:

1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user.
5 Click the Details tab.
6 Click the Key Based tab.
7 If you require a CLI Key Passphrase, enter one. If not proceed to step 8.
8 Click the Regenerate Key button.

Duplicate a user ID
To ease the burden of administration and help maintain consistency, user IDs can be duplicated. This allows the
administrator to create new user IDs that are very similar to those that exist, while only having to modify a few
details. The new user ID inherits time information, group membership, and permissions settings from the
existing user ID.

TPAM 2.5
32
Administrator Guide
To duplicate a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be duplicated.
5 Click the Duplicate button. A new user ID is created and the User ID Details page displays. The name of
the new user ID is automatically DuplicateoOfXXXXX.
6 Enter a first name and last name for the user.
7 Make any changes to the user configuration on the various tabs.
8 Click the Save Changes button.

Disassociate a user from a template

To disassociate a user from the template is was created from:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user to disassociate.
5 Click the Details tab.
6 Click the Disassociate button.
7 Click the OK button on the confirmation window.
8 Click the Save Changes button.

Delete a user ID
To delete a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.

Delete a user template

To delete a user template:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.

TPAM 2.5
33
Administrator Guide
 4 Select the user template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.

Disable/enable a user ID
To disable/enable a user ID:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be changed.
5 Click the Details tab.
6 Select/Clear the User Disabled? box.
7 Click the Save Changes button.

Unlock a user ID
A user may need to be unlocked if they enter an incorrect password multiple times.

To unlock a user:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be unlocked.
5 Click the Unlock button.

Reset user ID password

To reset a user’s password:
1 Select Users & Groups | UserIDs | Manage UserIDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the user ID to be reset.
5 Click the Details tab.
6 Enter the new password in the Password and Confirm boxes.
7 Click the Save Changes button.
8 Notify the user of their new password.

TPAM 2.5
34
Administrator Guide
This creates a one time use password that the user will be forced to change upon logging on.
NOTE: You cannot change passwords for users with external primary authentication. If Primary
Authentication has been minimilized then you cannot change the user’s local password.

Manage the paradmin user ID

There is the option to have TPAM manage the paradmin user ID, so that any user wanting to log on as paradmin
must go through the TPAM request and approval process to obtain the account password. When the paradmin
account is managed through TPAM you cannot enter a new password for this account on the User Management
Details page. Additionally, when a user is logged on as paradmin they will not have access to the User menu
Change Password option.

To manage the paradmin user ID:

1 Create an administrator account. See Add a web user ID.
2 Log on to the /tpam interface using the new administrator account.
3 Select Users & Groups | Manage Sys-Admin UserIDs from the menu.
4 Filter for the paradmin account. Click the Listing tab.
5 Select the paradmin account.
6 Click the Details tab.
7 Select the Administer account password with local PPM? check box.

8 Click the Save Changes button.

After this is saved the paradmin account on the managed system Local_Appliance_paradmin will be set with the
Automatic Password Management selected.
NOTE: The Local_Appliance systems cannot be deleted, duplicated or tested. Users cannot add or delete
accounts on the Local_Appliance. The Local_Appliance systems do not count against licensed systems.

TPAM 2.5
35
Administrator Guide
 9 Select Accounts | Manage Accounts from the menu.
10 Filter for the paradmin account. Click the Details tab.
11 Click the Management tab. Verify that the password check and changes profiles you want used to manage
this account are assigned.
The password will be scheduled for an immediate reset. Depending on the number of password changes in the
queue it may take some time to reset. Any users currently logged on as paradmin will be prompted to enter a
new password once it has been reset.

To disable management of the paradmin user ID:

1 Log on to the /tpam interface using an admin account other than paradmin
2 Select Users & Groups | Manage UserIDs from the menu.
3 Filter for the paradmin account. Click the Listing tab.
4 Select the paradmin account.
5 Click the Details tab.
6 Clear the Administer account password with local PPM? check box.
7 Enter a new password in the password and confirm boxes.
8 Click the Save Changes button.

List user IDs

The List UserIDs option allows you to export the user data from TPAM to Microsoft Excel® or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.
The last access date/time on the report is in server time (UTC).

To list the user IDs:

1 Select Users & Groups | UserIDs | List UserIDs from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.

TPAM 2.5
36
Administrator Guide
 6 To view group membership for a user, select the user ID and click the Groups tab.
7 To view the permissions assigned to the user, select the user and click the Permissions tab.

Manage your TPAM user ID

Any user may change their password and update individual account details using the User menu option.

To reset your password:

1 From the User Menu select Change Password.

2 Enter the Old Password, the New Password, and Confirm New Password.
3 Click the Save Changes button.
NOTE: User passwords are subject to the requirements of the Default Password Rule.

To edit your user details:

1 From the User menu select User Details.

2 Make changes in the following boxes:

Table 10. Fields available on My User Details

Field name Description

Phone Number Phone number that is associated with your user id in TPAM.
Mobile Number Mobile number that is associated with your user id in TPAM.
E-mail The email address that TPAM will use for email notifications from
TPAM.
My Timezone The appropriate time zone must be chosen from the list. With this
option most dates and times that the user sees in the application or
on reports are converted to their local time. If a date or time still
reflects server time it is noted on the window.
Description The description box may be used to provide additional details about
the user.

TPAM 2.5
37
Administrator Guide
 Table 10. Fields available on My User Details

Field name Description

CLI Key Passphrase Only applies to CLI users. This is an optional pass phrase to encrypt
the user’s private key. The phrase is case sensitive, up to 128
characters, and does not allow double quotes (“). The phrase is not
stored and cannot be retrieved after the key is generated.
Reset CLI Key Click this button to create a new CLI key for the user ID.
Get CLI Key Click the button to retrieve the new CLI key.
Get API Key Click this button to create a new API key for the user ID.
Get API Key Click the button to retrieve the new API key.

NOTE: If the System-Administrator disables User Time zone changes in the /admin interface the
User Time Zone Information block shown above is visible only for Administrator users.

3 Click the Save Changes button.

TPAM 2.5
38
Administrator Guide
 5
Groups

• Introduction
• Add a group
• Duplicate a group
• Delete a group
• List groups
• Default global groups

Introduction
Groups are defined sets of users. Groups can be used to simplify the process of assigning permissions.
To add and manage groups, information is entered on the following tabs in the TPAM interface:

Table 11. Group Management: TPAM interface tabs

Tab name Description

Details Define group name.
Members Assign members to the group.
Permissions Assign systems, accounts, files and/or collections permissions for the group.

Details tab

Table 12. Group Management: Details tab options

Field Description Required?

Group Name Unique name for the group. Yes
Description Used to provide additional information about the group. No

TPAM 2.5
39
Administrator Guide
Members tab

The table below explains the fields on the Members tab.

Table 13. Group Management: Members tab options

Field Description Required?

Name Name of the user.
Membership To modify group membership, simply click the Not Assigned or Assigned Yes
Status buttons next to each user. You can set all displayed users to either Assigned or
Not Assigned by holding down the Ctrl key when clicking on any button.

Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this group.

TPAM 2.5
40
Administrator Guide
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s to which the selected access
policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.

Table 14. Access Policy Details pane icons

Icon Action
Refreshes list of available Access Policies.

Scrolls the currently selected User into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.

Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.

4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Users that you have already edited reflect their edited policy assignment. When you click
the Save Changes button all the Access Policy assignment changes for the account are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

Add a group
When adding a group in TPAM, information is entered on the following tabs to configure the group:
• Details
• Members

TPAM 2.5
41
Administrator Guide
 • Permissions
The following procedure describes the required steps to add a group.

To add a new group:

1 Select Users & Groups | Groups | Add Group from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Click the Members tab.
4 Enter your search criteria on the Filter tab.
5 Click the Results tab to assign/remove members from the group. For more detail see the Members tab.
NOTE: A group used by either AD or Generic Integration cannot have its membership changed here.
The current member status is displayed, but all buttons in the list are disabled.

TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the
Ctrl key when clicking on any button.

6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
NOTE: The Permissions tab is disabled for any of the default Global Groups because you cannot
change the Access Policy for a system generated group.

7 Click the Save Changes button.

Duplicate a group
To ease the burden of administration and help maintain consistency, groups can be duplicated. This allows the
administrator to create new groups that are very similar to those that exist, while only having to modify a few
details. The new group inherits membership and permissions from the existing group.

To duplicate a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be duplicated.
5 Click the Duplicate button. A new group is created and the Group Details page displays. The name of the
new group is automatically DuplicateofXXXXX.
6 Make any changes to the group on the various tabs.
7 Click the Save Changes button.

Delete a group
To delete a group:
1 Select Users & Groups | Groups | Manage Groups from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the group to be deleted.
5 Click the Delete button.

TPAM 2.5
42
Administrator Guide
 6 Click the OK button on the confirmation window.

List groups
The List Groups option allows you to export the group data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.

To list the groups:

1 Select Users & Groups | Groups | List Groups from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the list of group names outside of the TPAM interface, click the Export to Excel
button, or the Export to CSV button. To view and store the list of group members outside of the TPAM
interface, click Export Members to Excel button, or the Export Members to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view membership of a group, select the group and click the Members tab.
7 To view the permissions granted to the group, select the group and click the Permissions tab.

Default global groups

Included with TPAM are several default global groups that can be used for assigning permissions. These are only
visible in TPAM if the System Administrator has enabled these in the admin interface.
IMPORTANT: Any users assigned to a global group will gain the associated permissions on all systems unless
overridden by other assignments.

To view global groups:

1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Click the Listing tab.

TPAM 2.5
43
Administrator Guide
3 Select a global group.
4 Click the Members tab to edit membership to the group.

5 Select the Not Assigned or Assigned button.

6 Click the Save Changes button.
NOTE: The Permissions tab is disabled for all global groups because you cannot change the Access Policy
for a global group.

TPAM 2.5
44
Administrator Guide
 6
Permission Hierarchy

• Introduction
• Permission precedence
• Permissions example

Introduction
Because TPAM allows groupings of users (Groups) and remote systems (Collections), it is possible, even likely,
that a user could appear to have multiple conflicting permissions for a particular system, account, and or file.
To prevent this, TPAM implements a precedence of permissions.

Permission precedence
The precedence, in order of decreasing priority is:
• An Access Policy assigned to a User for an Account/File (most specific)
• An Access Policy assigned to a User for a Collection containing Accounts or Files
• An Access Policy assigned to a User for a System
• An Access Policy assigned to a User for a Collection of Systems
• An Access Policy assigned to a Group for an Account /File
• An Access Policy assigned to a Group for a Collection containing Accounts or Files
• An Access Policy assigned to a Group for a System
• An Access Policy assigned to a Group for a Collection of Systems (least specific)(*)
(*) This category includes Users who are assigned to any of the “Global XXX” Groups. The groups grant their
respective permissions to an internally-maintained “All Systems” collection.
IMPORTANT: A Denied access policy assignment at any level overrides all other permissions at that level.

After any permissions are changed, for example, by adding or removing a user from a group, the precedence is
recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results.

TPAM 2.5
45
Administrator Guide
Permissions example

In the scenario shown above, the groups and users have been assigned Access Policies that grant the permissions
specified. In this situation, the precedence of permissions will be applied and the effective permissions would
be as follows:
• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via Group A to Collection
B assignment. These Review rights on File C1 take precedence over the Approve rights on System C
because assignment to a Collection containing an Account or File is more specific than a collection
containing just the System. User A may still Approve requests to all accounts on System C and all of C’s
files with the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that
as with above, the Group B to Collection B assignment of Request rights for User A on File C1 override
the Approver rights from Group A.
• Since User A is in both Groups A and B he has both Review and Request rights on all the items in
Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though
the Group A to Collection B assignment User B grants Review to Account B1 on System B, User B is still
denied access because the User to Collection assignment trumps the Group to Account in a Collection
assignment. If User B had instead been assigned the Review permission directly (as opposed to through
Group A) to Account B1 that would have replaced the Denied assignment on System B, but only for that
one account.
• User B also has Review rights on all Accounts and Files on System A and File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes
both policies User C received via the Group to Collection assignments, but only for Account B1. User C
still has Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request
permission on System A, which is through the Group B to Collection B. D still retains the Request
permissions on Account B1 and File C1 from the Group assignment, however that removes D’s ISA
permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the permission hierarchy those
permissions are combined, as long as one of those permissions is not “Denied”. If a User is in 3 different groups

TPAM 2.5
46
Administrator Guide
(A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor)
the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead
of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System.

TPAM 2.5
47
Administrator Guide
 7
Access Policies

• Introduction
• Details tab
• Permission types
• Add an access policy
• Make an access policy inactive
• Reactivate an access policy
• Duplicate an access policy
• Delete an access policy
• Rebuild assigned policies

Introduction
Access polices allow permissions to be assigned at the system, account and file level. Access policies allow
permissions to be broken down and assigned at a more granular level. For example you could create one access
policy that would allow someone to review password releases, request password releases and request a session
that would limit them to two commands. Default access policies exist in TPAM that mimic the old TPAM roles of
“EGP Requestor”, “PAR ISA” etc, so that existing permission assignments are migrated to the new access policy
model and so that the default Global Groups can be supported.

Details tab

The table below explains all of the box options available on the details tab.

TPAM 2.5
48
Administrator Guide
Table 15. Access Policies: Details tab options

Field Description Required?

Policy Name The unique policy name. When assigning access policies you select this Yes
name from a list so make it as descriptive as possible. Limited to 30
characters.
Description The description box may be used to provide additional information about No
the access policy. This information is only visible to Administrators when
editing the policy.
System This box is selected if the access policy was automatically crated by TPAM. No
Generated System generated access policies are created for backwards compatibility
in the migration from system level permissions and aliases to account level
permissions and access policies. System generated access policies cannot
be altered in any way, only made inactive. System generated access
policies can be duplicated but not deleted.
Active If selected, this access policy can be assigned to users/groups. Yes
Used By Displays the count of entities that are using this access policy. NA
Summary
Access Policy Choices are All, Password, File, Session or Command. When command is Yes
Type selected a list of commands is available to select from. These are the
entities that you are granting permissions on.
Access Policy Permission choices are: Yes
Permission • DEN - Denied
• ISA - Information Security Administrator
• APR - Approver
• REQ - Requester
• REV - Reviewer
• PAC - Privileged Access
See Permission types for a detailed explanation of each permission.
Use Defaults The data on this section of the page replaces the details that were No
from System, formerly configured on the Alias Account Details tab in releases prior to
Account, or File v2.4. To override the settings at the system, account or file, clear the Use
defaults check box and adjust the settings.
Allow Clipboard This option is only enabled for session and command types. If selected, the No
user can use the clipboard function for copy/paste of text during a
session.
Allow File This option is only enabled for session and command types. If selected, file No
Uploads uploads are allowed during sessions with this account.
Allow File This option is only enabled for session and command types. If selected, file No
Downloads can be downloaded from the remote system to the local system/network
drive during a session.
Prevent This option is only enabled for session and command types. If selected, No
Password prevents a user from requesting a session where the proxy type is
Release interactive login.
Record Sessions This option is only enabled for session and command types. If selected, the No
session is recorded.
Record If selected, creates a keystroke log (KSL) of the user’s activity during the No
Keystrokes session.
NOTE: A DPA is required for a keystroke log to be created.
Allow KSL View If selected, allows people replaying the session to see the keystroke log. No
This check box applies only when ISA, APR, or REV permissions are
selected.

TPAM 2.5
49
Administrator Guide
Table 15. Access Policies: Details tab options

Field Description Required?

Record Events If selected, a log of events during the session is created. These events can No
be searched or book marked during playback.
Restr. Cmd Prof. Can select a profile which restricts the commands the user may run during No
a session. The Record Session option must be selected in order to select a
profile.
Min Approvers The request will use the value here or the value set at the account, No
whichever is greater.

Max Duration The request will use the value here or the value set at the account, No
whichever is less.

Permission types
When creating access policies in TPAM there are several different permission types to choose from. The table
below explains the different types.

Table 16. Access Policies: Available permission types

Type Description
Denied This permission type was created so that collection permissions could be assigned
to a user and then the denied permission set for specific entities within this
collection that the user should not have access to. If a user is Denied for a system
but has access to a specific account/file on that system they can still access the
account/file, because account or file permission assignment holds precedence over
system.
ISA (Information Security The role of ISA is intended to provide the functionality needed for security help
Administrator) desk personnel, and as a way to delegate limited authority to those responsible for
resource management.
An ISA permission with a type of session allows the user to add and update all
aspects of PSM Only systems, PSM only accounts, and for PSM supported platforms.
An ISA permission with a type of password allows the user to add and update
systems and accounts for all platforms except those that are PSM only.
A user must be assigned an access policy with a type of both password and session
and permission of ISA to be able to assign access policies to other entities. The ISA
permission does not allow the user to delete a system.
Approver An approver can be configured to approve password, session and / or file requests.
An approver can also be configured to only approve sessions that are requesting
specific commands.
Requestor A Requestor can be configured to request password, session, and / or file requests.
A requestor can also be configured to only request sessions that run specific
commands.
NOTE: A user requesting a session that has an interactive proxy type must also have
an access policy assigned to them that includes password/requestor for that
account.
Reviewer The reviewer role permits the individual to view reports on specific systems that
they have been granted reviewer rights. A session/command reviewer can also
replay sessions and review/comment on these sessions. If the user has password
reviewer permissions they can review a password release that has expired and
comment on that password release.

TPAM 2.5
50
Administrator Guide
Table 16. Access Policies: Available permission types

Type Description
PAC (Privileged Access) With a PAC permission type, the user must go through the request process for
passwords, files, and sessions but after they submit the request it is automatically
approved, regardless of the number of approvers required.
NOTE: If a user has session /PAC permissions but does NOT have password/PAC
permissions on an account, they can only start a session that is configured for one
of the automatic proxy connection types, since they do not have permissions to
access the password.

Add an access policy

To add an access policy:
1 Select Management | Access Policies from the menu.
2 Click the Add Policy button.
3 Enter the policy name.
4 Enter the policy description. (Optional)
5 Select a type/s. If command is selected, select a command from the list.
6 Select the permission/s.
7 If Session is selected as a type, along with a permission of REQ or PAC, you have the option to clear the
User defaults check box, and selecting Allow Clipboard, Allow File Uploads, Allow File Downloads,
Prevent Password Release, Record Sessions, Record Keystrokes, Allow KSL Monitor, Record Events,
and or select a Command Restriction Profile. (Optional)
8 If REQ is selected as a permission, you have the option to clear the Use defaults check box and enter Min
Approvers and Max Duration. (Optional)
9 To add another type/permission combination, click the Add button and repeat steps 5-8.
10 Click the Save Changes button.
IMPORTANT: Commands on access policies are not limited by proxy type, so it IS possible to create an
access policy with commands that cannot be executed on the assigned account due to proxy type
limitations.

NOTE: There is no way to create a policy that allows a user to “Request, Approve or Review any Session
using any PCM Command”. A separate detail row must be created for each PCM command that is allowed
through the policy.

TIP: Any detail rows on an access policy that include a command permission need to have their own line.
See the example screen shot below.

Detail rows should not conflict with each other in the same policy. For example, if you have one row granting
Password/REQ, you cannot have another row with Password/DEN. Nor are you allowed to have two rows in the
policy that grant the same permission to the same type or command, e.g., you cannot have two rows both
granting Password/REQ, however you may have two (or more) rows granting Command/REQ as long as all the
rows reference different PCM Commands.

TPAM 2.5
51
Administrator Guide
Make an access policy inactive
Making an access policy inactive removes it from the list of possible access polices that can be assigned to users
or groups for a system, account, collection or file. Also making the policy inactive will remove it from any entity
it is assigned to.

To make an access policy inactive:

1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make inactive.
5 Click the Details tab.
6 Clear the Active check box. If the access policy is currently assigned, you will see the following warning
message.

7 After reading the warnings, to proceed select the Yes, this is really what I want to do check box.
8 Click the Save Changes button.
NOTE: If this is a system generated policy it makes the associated Global XXX Group effectively useless,
but does not change membership in the group.

Reactivate an access policy

To reactivate an access policy:
1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to make active.
5 Click the Details tab.
6 Select the Active check box.

TPAM 2.5
52
Administrator Guide
 7 Click the Save Changes button.
NOTE: Reactivating a system-generated access policy brings back assignments of the associated global
group to the “All Systems” collection.

Duplicate an access policy

To ease the burden of administration and help maintain consistency, access policies can be duplicated. This
allows the administrator to create new policies that are very similar to those that exist, while only having to
modify a few details.
Duplicating an access policy duplicates all information about the policy itself (with the exception of the System
Generated setting), but does not duplicate any policy assignments.

To duplicate an access policy:

1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be duplicated.
5 Click the Duplicate Policy button. A new policy is created and the Details tab displays.
6 Enter the Policy Name.
7 Make any changes to the access policy.
8 Click the Save Changes button.

Delete an access policy

NOTE: An access policy can only be deleted if it is currently marked inactive.

To delete an access policy:

1 Select Management | Access Policies from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the access policy to be deleted.
5 Click the Delete Policy button.
6 Click the OK button on the confirmation window.

Rebuild assigned policies

If the "Always use cached permission data" global setting is set to Yes or Not for Password/File Retrieval and
Session Start, then it is recommended that Administrators and ISAs use the rebuild assigned policy page to
update the cached permissions to the latest changes they have made. These changes include:
• Editing any permission assignment
• Adding/deleting systems, accounts, files, users, groups, or collections
• Changing the Ignore System Policies check box on the account
• Changing the user type (Administrator, Basic, Auditor, User Admin)

TPAM 2.5
53
Administrator Guide
 • Changing collection membership
• Changing the Global Groups setting in Global Settings
The Rebuild Assigned Policies page shows how much data is in the cache, when it was last updated, and the
current state of the background job. An Administrator or a user with both PPM and PPM ISA permissions may use
the Run Now button to run the job immediately if there are pending changes. This job will automatically run in
the background every 60 seconds as needed to update changes.

To rebuild the assigned policies:

1 Select Management | Rebuild Assigned Policies from the menu.
2 Click the Run Now button to update TPAM with the latest changes.
The Refresh Data button can be clicked to see if there are any new changes in the queue that need to be
processed.

TPAM 2.5
54
Administrator Guide
 8
Password Profiles

• Introduction
• Add a password check profile
• Add a password change profile
• Delete a password check/change profile
• Assign a password check /change profile

Introduction
Password check and change profiles define the rules for the checking and changing of an account’s password.On
a brand new TPAM appliance there will be 3 factory default check profiles and 5 factory default change profiles
that can be used to assign to systems/accounts as desired or new ones can be configured. The three check
profiles available are:
• Check and Reset- marked as default until another profile is marked as default.
• Check, No Reset
• Check Disabled.
The change profiles available are:
• Change Disabled
• Change Daily
• Change Every 5 days
• Change on First of Month - marked as default until another profile is marked as default.
• Change on Last of Month

Add a password check profile

To add a password check profile:
1 Select Management | Profile Management from the menu.
2 Select Password Check from the Profile Type list.
3 Click the New Profile button.
4 Complete the boxes as the table below describes.

Table 17. Password check profile page options

Field Description Required? Default

Profile Name Enter a unique profile name. Yes
Description Enter information about the password check profile. No

TPAM 2.5
55
Administrator Guide
Table 17. Password check profile page options

Field Description Required? Default

Default Check If selected, this password check profile will automatically be No Off
Profile assigned to any new system added.
Schedule Specifies the interval that the password is checked.Choices Yes Daily, 1 time
are: per day
• No scheduled password checks
• Daily - password checked n time(s) per day.
• Weekly - password is checked once on the day(s)
selected.
• Every n Days- password is checked every n days. The n
value can be between 1 and 999.
• Monthly - if selected then the password is checked every
month depending on one of the options below:
• First Day of the Month – the password is checked
every month, on the first day of the month
• Last Day of the Month – the password is checked
every month, on the last day of the month,
• Days of the Month- specific days can be entered.
Multiple days can be entered separated with
semi-colons. -1 can be entered to represent the
last day of the month.
Checks will be The time windows entered indicate the time(s) the password is Yes 00:00-23:59
scheduled scheduled to be checked. Time windows are entered as
during the StartTime-EndTime. Times must be entered using a 24 hour
following format. Multiple time windows may be entered separated by a
window(s) semi-colon. Up to 4 windows may be entered. Each window
must be a minimum of 60 minutes long, and there must be at
least 30 minutes in between each window. Windows that cross
midnight will be listed as two separate windows once the
profile is saved.
Allow system If selected, the system can notify TPAM that is online and No Off
to notify TPAM available for password checks. If this selected and the system is
it is available online, a password check will be scheduled if the last
for check successful check date indicates that a password check is
overdue. The system must have a unique certificate thumbprint
assigned in order to use this option. See How to call the
notification service for details. Account that are overdue for a
check will be scheduled regardless of the current schedule
settings, unless this account has No scheduled password
checks selected. Accounts subscribed to a Synchronized
Password will be checked against the current synchronized
password and reset if needed.
NOTE: If the account is on a custom platform system, the
custom platform must have the Automation Active check box
selected.
Check Determines the amount of time in seconds that an attempt to Yes 20
password check the password remains active before being aborted. In
timeout most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with
the system, this value can be increased

TPAM 2.5
56
Administrator Guide
Table 17. Password check profile page options

Field Description Required? Default

After n n is a value between 0-99. Options available if failure occur Yes 0, Do nothing
consecutive are:
failures to • Do nothing
check do ...
• Disable check schedule -account is ignored for any
future checks until Administrator or ISA goes to the
account details management tab and clears the Check
schedule disable check box.
• Lock - locks account in TPAM, no password releases or
password requests permitted until it is unlocked.
• Increase retry interval- if selected enter retry interval
>0 and greater than the current check retry interval
setting on the Auto management agent in the admin
interface.
Also notify Only available if consecutive failures setting is greater than 0. No Off
account Email addresses saved on the system detail information tab will
owner of receive notifications when the nth failure occurs and every nth
check failure time after. Ex. 3 failures, email sent, 3 more failures, email
sent.
On password Option selected determines how TPAM handles the scenario. Yes Do nothing
mismatch do Options are:
... • Do nothing
• Reset Password - schedule the account for immediate
password change.
• Disable check schedule - account is ignored for any
future checks until Administrator or ISA goes to the
account details management tab and clears the Check
schedule disable check box.
• Lock-locks account in TPAM, no password releases or
password requests permitted until it is unlocked.
Also notify Email addresses saved on the system detail information tab will No Off
account receive notifications when there is a password mismatch.
owner of
mismatch

5 Click the Save Changes button.

Add a password change profile

To add a password change profile:
1 Select Management | Profile Management from the menu.
2 Select Password Change from the Profile Type list.
3 Click the New Profile button.

4 Complete the boxes as the table below describes.

Field Description Required? Default

Profile Name Enter a unique profile name. Yes
Description Enter information about the password change profile. No

TPAM 2.5
57
Administrator Guide
Field Description Required? Default
Default If selected, this password change profile will automatically be No Off
Change Profile assigned to any new system added.
Schedule Specifies the interval that the password is changed.Choices Yes Daily, 1 time
are: per day
• No scheduled password changes - accounts or
synchronized password with this setting will never be
scheduled for changes. Post-release resets may still
occur based on the account level setting.
• Daily - password changed n time(s) per day.
NOTE: If a password is scheduled to be changed more than
once a day the recommendation is to use the Test Port option
as well.
• Weekly - password is changed once on the day(s)
selected.
• Every n Days- password is changed every n days. The n
value can be between 1 and 999.
• Monthly - if selected then the password is changed every
month depending on one of the options below:
• First Day of the Month – the password is changed
every month, on the first day of the month
• Last Day of the Month – the password is changed
every month, on the last day of the month,
• Days of the Month- specific days can be entered.
Multiple days can be entered separated with
semi-colons. -1 can be entered to represent the
last day of the month.
Changes will The time windows entered indicate the time(s) the password is Yes 00:00-23:59
be scheduled scheduled to be changed. Time windows are entered as
during the Starttime-EndTime. Times must be entered using a 24 hour
following format. Multiple time windows may be entered separated by a
window(s) semi-colon. Up to 4 windows may be entered. Each window
must be a minimum of 60 minutes long, and there must be at
least 30 minutes in between each window. Windows that cross
midnight will be listed as two separate windows once the
profile is saved.
Allow system If selected, the system can notify TPAM that is online and No Off
to notify TPAM available for password changes. If this selected and the system
it is available is online, a password change will be scheduled if the last
for change successful change date indicates that a password change is
overdue. The system must have a unique certificate thumbprint
assigned in order to use this option. The certificate is assigned
to the system on the System Management tab. See Management
tab for details.
Account that are overdue for a change will be scheduled
regardless of the current schedule settings, unless this account
has No scheduled password changes selected. Accounts
subscribed to a Synchronized Password will be checked against
the current synchronized password and reset if needed.
Do not change If selected, the password while not be changed while the No Off
password account has an active request open.
while release
is active

TPAM 2.5
58
Administrator Guide
Field Description Required? Default
Change Determines the amount of time in seconds that an attempt to Yes 20
password change the password remains active before being aborted. In
timeout most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with
the system, this value can be increased
Test If selected, the port that is used for the password change is No Off
Port/Timeout tested before attempting to change the password. If selected a
timeout in seconds is required. Recommend a small value for
timeout. Using the test port helps reduce the number failed
passwords that TPAM has to store as well as reduces network
resources waiting on unsuccessful change password attempts. A
test port failure is logged, but does not count as a failed
password change.
After n n is a value between 0-99. Options available if failure occur Yes 0, Do nothing
consecutive are:
failures to • Do nothing
change do ...
• Disable change schedule -account is ignored for any
future checks until Administrator or ISA goes to the
account details management tab and clears the Change
schedule disable check box.
• Lock - locks account in TPAM, no password releases or
password requests permitted until it is unlocked.
NOTE: Test port failures do no count toward consecutive
failures.
Also notify Only available if consecutive failures setting is greater than 0. No Off
account Email addresses saved on the system detail information tab will
owner of receive notifications when the nth failure occurs and every nth
change failure time after. Ex. 3 failures, email sent, 3 more failures, email
sent.

5 Click the Save Changes button.

Delete a password check/change profile

To delete a password check or change profile:
1 Select Management | Profile Management from the menu.
2 Select Password Change or Password Check as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A password check or change profile can only be deleted if it is not assigned to any systems,
accounts or synchronized passwords.

Assign a password check /change profile

Password check and change profiles can be assigned using the batch processing, CLI/API or by following the
procedure below.

TPAM 2.5
59
Administrator Guide
To assign a password check or change profile to an system:
1 Select Systems, Accounts, & Collections | Accounts | Manage Systems.
2 Select the system on the Listing tab.
3 Click the Management tab.
4 Select the profiles from the lists.
5 Click the Save Changes button.

TPAM 2.5
60
Administrator Guide
 9
Systems

• Introduction
• Add a system
• Add a system template
• Add a system using a template
• Test a system
• Clear a stored system host entry
• Duplicate a system
• Disassociate a system from a template
• Delete a system
• Delete a system template
• List systems
• Local appliance systems

Introduction
This chapter covers the steps to add and manage systems in TPAM. To add and manage systems, information is
entered on the following tabs in the TPAM interface:

Table 18. Systems Management: TPAM interface tabs

Tab name Description

Details/Information
Details/Custom Information
Details/Connection
Details/Management
Details/Ticket System
Details/LDAP Schema
Template
Account Discovery
Affinity
Collections
Permissions
Define main system information, such as name, IP address, contact.
Enter data in custom fields, if they have been defined.
Define functional account credentials.
Configure the settings for how TPAM will manage the passwords for the
accounts on this system.
Configure Ticket System Validation for requests on this system.
For LDAP Directory systems, whose schema may require customizing.
Used to save system settings as a template.
Assign the account discovery profile to be used for this system.
Define Distributed Processing Appliance (DPA) assignment for a system.
Assign a system to a collection/s.
Assign users and groups permissions on this system.

TPAM 2.5
61
Administrator Guide
Information tab

The table below explains all of the box options available on the details information tab.

Table 19. Systems Management: Details information tab options

Field Description Required? Default

System Name Descriptive name of the system. Typically, the host name (for Yes
UNIX® systems) or the machine name (for Windows® systems) is
used.
Within TPAM, the system name must be unique. The name can
be 1-30 characters long, but cannot include empty space (i.e.
spaces, carriage-returns, etc.).
Network The IP address (example: 192.168.0.15) or DNS name Yes
Address (example:server1.domain.bigco.com) of the system.
It is imperative that this information is entered correctly, as the
back-end automation procedures use this address to connect to
the remote system.
NOTE: MS SQL Server® systems with dynamic ports can be
entered as the networkaddress\namedinstance in this box. For
more details see the Client Set Up Guide.
ISA Policy This option is listed after adding a system if your user ID is
assigned an Access Policy that contains an ISA permission. From
this list, select the ISA policy to be applied which allows you to
access the system after it has been saved. If you have ISA access
granted via a single Access Policy it is pre-selected.
NOTE: If you select Do not Assign an ISA Policy you must assign
the system to a collection to which you have access; otherwise
once the system is saved you will no longer have access unless
you are an administrator.
Platform This list shows the operating system platforms currently Yes AIX
supported for proxied connections by TPAM. The platform of
Other can be chosen for platforms not currently supported for
TPAM auto management. Select the appropriate platform for
the operating system running on the remote host.
For PSM this box is primarily descriptive, since it is the proxy
connection type that actually determines how the session is
established. However, if the passwords for this system are
managed by PPM, ensure the correct platform is selected, as
PPM uses it to determine the most secure and reliable way to
manage the passwords on the remote system.

TPAM 2.5
62
Administrator Guide
Table 19. Systems Management: Details information tab options

Field Description Required? Default

Password Rule The password rule to serve as the default for all accounts Yes Default
defined for the system. If the selection is not changed (or if no Password
other rules have been defined in TPAM) the Default Password Rule
Rule is selected. The password rule governs the construction
requirements for new passwords generated by PPM. Password
rules are managed by Sys-Admin users in the admin interface.
Maximum This is the maximum duration for a password release on the Yes 7 Days
Duration account. If this is overridden by an Access Policy assignment,
the lower of the two durations is used. The default duration
that the requestor sees for any new password request is 2
hours, or the maximum duration, whichever is less.
Contact E-mail Allows support personnel to receive email notifications from No
TPAM. Alerts are sent when there is a:
• Password check or change failure based on password
profile settings.
• Scheduled password changes for a manually managed
account
• A PSM session expires
• A non-managed account password release notification
This box can be left blank, in which case errors are logged but
notifications are not sent.
Description The description box may be used to provide additional No
information about the system, special notes, business owner,
etc.
Enable Tells TPAM whether to automatically manage remote system No Enabled on
Automatic account passwords, based upon configuration parameters for appliances
Password each system. Auto-management includes automatic testing and with
Management? changing of the passwords. Selected = enabled, cleared = Privileged
disabled. This option is available at both the system and Account
account levels, therefore it is possible to allow TPAM to auto- Manager
manage one account on a specific system, while another licenses.
account on the same system is not auto-managed. However, if
the option is not selected at the system configuration level, no
accounts on the system can be auto-managed.
NOTE: If the appliance has exceeded the number of PPM
managed systems that were licensed this option cannot be
selected for any new systems until you select the Disable all
PPM functions ... check box on another managed system or
increase your system license quantity.
Disable all PPM This check box sets the system to “PSM only”, which means you No Off
functions and cannot use any of the PPM features on this system such as
delete any password change history, release logs, password checking and
existing changing, and releasing passwords.
password The reason for this is product licensing. You are not limited to
history or the number of “PSM only” systems you can add, but the number
secured files? of managed (PPM) systems you can add is limited to the number
(PSM of system licenses you purchased.
Customers
Only)
Approver You have the ability to send an escalation to a specific email No
Escalation address if no approvers have responded to a Password/File
request within X minutes. You can enter multiple email
addresses by separating them with a comma up to the box
maximum of 255 characters.

TPAM 2.5
63
Administrator Guide
Table 19. Systems Management: Details information tab options

Field Description Required? Default

Delegation This box can be used to preface the commands that PPM uses to No
Prefix (specific manage passwords for this system. The delegation prefix can
platforms only) also be used to specify an absolute path to the command that
PPM uses to manage passwords for the system.
Computer This box is designated for the system’s computer name and is Yes for
Name (specific required for proper password management. If it is not specific
platforms only) populated, TPAM attempts to determine the system’s computer platforms.
name when the system is tested and update the box. The
Computer Name box is also used with TPAM’s Autologon feature.
You have the option to have TPAM log the user into the remote
system using the WORKSTATION\USERID format.This prevents
any incorrect logon if the Default domain is saved as the
DOMAIN name versus the Local Workstation. If a Domain user is
selected from the Session Authentication window on PSM
details, the user credentials are passed as DOMAIN\USERID.
With both options the DOMAIN box is disabled at login.
Workstation ID For AS400 systems a specific workstation ID can be entered here No
(Specific that will be used when TPAM tries to connect to the system.
platforms only)
Restricted If a URL is entered the user is restricted to this address during No
URL(PSM Web the PSM web access session. If ALLOWNAV; is typed in before
Access the restricted URL, the user can navigate away from the
platform only) restricted URL.
Initial Initial command sent to the system. No
Command (HP
Non-Stop
platform only)
Client ID (SAP® ALS Client ID. No
platform only)
Password Type in OLD, NEW, or BOTH to indicate which password should No
Release on be supplied to the command.
Change (SPCW
Pwd platform
only)
Extra DB Used to store extra database connection string. For details see No
Connection the Client Setup Guide.
String (DB
platforms only)

Custom information tab

TPAM 2.5
64
Administrator Guide
There are six fields that can be customized to track information about each system. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.

Connection tab
The connection tab is used to configure the functional account that TPAM will use to connect to the system. This
tab is not enabled unless the Enable Automatic Password Management? check box is selected on the details
information tab (except for the SPCW platforms). The fields available on the connection tab are dependent on
the platform type of the system being configured.

The table below describes the different box options on the Connection tab.

Table 20. Systems Management: Details Connection tab options

Field Description Required? Default

Functional The functional account defines the account that is used to Yes funcacct
Account Name manage the accounts on the managed system. This account
must be defined and configured on the managed system as
defined in the appropriate Client Setup Instructions. The
credential defines whether SSH uses a predefined key (DSS)
to authenticate or a standard password. DSS is the preferred
and more secure way of managing accounts on systems that
support SSH. You have the option to let PPM manage the
functional account.
The auto-change parameters for this password may then be
configured via the account information tab, as with any
other account. This helps to secure the managed system, by
not maintaining a “static” password on a functional account.
NOTE: After a system is saved for the first time, any changes
in the system parameters are not automatically applied to
the functional account, unless the Push defaults out to All
Accounts switch on the management tab has been selected.
The auto manage function never propagates to the
functional account. It must be manually set.
Alternate Port Most non-Windows® platforms allow alternate ports to be No
(platform configured for communication of standard protocols, such as
specific) SSH, Telnet, or database ports.

TPAM 2.5
65
Administrator Guide
Table 20. Systems Management: Details Connection tab options

Field Description Required? Default

Domain Name When the system platform being created represents a Yes
(platform central authority such as Active Directory®, BokS, or
specific)
PowerPassword®, the fully qualified domain name must be
specified. DO not enter an alias, simple name or NetBIOS
name. Max of varchar(255).
Distinguished LDAP/LDAPS and Novell® systems require this field. Max is Yes
Name (platform varcahr(2000).
specific)
NetBIOS Domain Windows® domain systems (Active Directory® or SPCW) also Yes
Name (platform include the NetBIOS Domain Name box. Specify the name of
specific) the domain in NetBIOS format.
SID/ Specifies either the security ID (SID) or the service name for Yes
Service_Name Oracle® databases, and should match the setting in
(Oracle® DB SQLNET.ORA at the database server.
only)
Server O/S Select the O/S running on the server from the list. Yes AIX
(BoKS only)
Use Domain If selected, uses the domain account to change accounts No
Account passwords on the central authority.
(platform
specific)
Local Computer If selected, uses Windows® account on the host system, No
Account (MS SQL which also must be configured as a managed account in
Server® only) TPAM, to connect to the system. Format should be
system\account. Named pipe connections must be enabled
using SQL Server® Configuration Manager on the target
system.
Connection The connection timeout value determines the amount of Yes 20
Timeout time in seconds that a connection attempt to the managed
system remains active before being aborted. In most cases,
it is recommended to use the default value (20 seconds). If
there are problems with connection failures with the
system, this value can be increased (for example,
connections to Windows® systems are often slower than SSH
connections and may require a significantly higher timeout
value). Max value 9999.
PSM Functional The PSM functional account is used to provide secure Yes psmfuncacct
Account (SPCW communication during the session and file transfer during a
only) session. If the PSM enabled account on the system is
configured to use a proxy type of RDP through SSH, the PSM
functional account is used during this connection.
Tunnel DB Database tunneling through SSH provides the ability to No Off
Connection securely connect to a remote database. Enter the account
Through SSH name used to connect to the remote system. If SSH is not
(platform listening on port 22, enter the correct port number to be
specific) used. For DBMS accounts, SSH tunneling only uses the public
key for establishing the SSH connections.
NOTE: Make sure that the default of AllowTCP Forwarding is
set to Yes on the SSH Configuration file of the managed
system.

TPAM 2.5
66
Administrator Guide
Table 20. Systems Management: Details Connection tab options

Field Description Required? Default

DSS Account When using DSS key authentication, a function is available to No
Credentials permit specific configuration of the public/private keys
used.
• Avail. System Std. Keys – uses the single standard
SSH keys (either Open SSH or the commercial key)
stored centrally on TPAM. You have the ability to
have up to three active keys simultaneously. These
keys are configured in the admin interface. Use the
list to select the key you want to retrieve.
NOTE: When using the Avail. System Std. Keys you cannot
specify the key that is used. One or all available keys may be
downloaded to the remote system, but TPAM attempts to
use all currently active keys when communicating with the
remote system.
• Use System Specific Key – allows the generation and
download of a specific SSH key to be used with this
system only. The key must first be generated using
the Get/Regen Key button, and then downloaded in
either Open SSH or Sec SSH (commercial) format.
Password If a password is entered it must match the password for the No
Account account on the managed system, otherwise password
Credentials changes for accounts on this system will fail.
Enable Password Some systems may require the use of very specific accounts
(platform for access. Password to use for the “ENABLE” account (Cisco
specific) platforms only) or “EXPERT” account (for CheckPoint SP
platforms only.
Authentication Username/password is used when a username is needed to Yes Username/
Method (Cisco connect to the system. Line definition is used when there is Password
Router TEL only) no username to be specified, it is simply a password on the
terminal connection.
Expert Password Setting up an Expert Password allows configuration access to Yes
(CheckPoint SP the system.
only)
Custom If there is a special command that needs to be entered prior No
Command to being prompted for authentication credentials, it is
(Mainframe specified by placing the command in the custom command
only) box.
Use SSL? Select this box if communications between TPAM and the No Off
(platform device requires the SSL option.
specific)
Non-Privileged If selected, any password changes for accounts on this No Off
Functional system use the managed account’s current password to log
Account in and make the password change instead of using the
(Windows® AD functional account password.
only)
Allow Functional If selected, requestors on this system can make a request to No Off
Account to be release the password for the functional account. If not
Requested for selected, the functional account passwords are not available
Password for release to a requestor and are only accessible to an ISA.
Release

TPAM 2.5
67
Administrator Guide
Management tab
The management details tab is used to configure how TPAM manages the passwords for accounts on this system.
This tab is not enabled unless the Enable Automatic Password Management? check box is selected on the
details information tab. Once set, these parameters are inherited by accounts added to this system. These
options can be overridden at the account level.

The table below explains the options on the Management Details tab.

Table 21. Systems Management: Details Management tab options

Field Description Required? Default

Password Select a password check profile from the list to determine the Yes, if Default
Check Profile rules for how the password is checked on the system against automatic from
Name what is stored in TPAM. The password check profiles are password system
configured by the TPAM Administrator. See Password Profiles for management template,
more details. has been or one
selected. marked as
default.
Password Select a password change profile from the list to determine the Yes, if Default
Change Profile rules for how the password is changed on the managed automatic from
Name system.The password change profiles are configured by the password system
TPAM Administrator. See Password Profiles for more details. management template,
has been or one
selected. marked as
default.
Push Defaults Default change settings and management properties can be No Off
out to All configured differently between systems and the defined
Accounts accounts for those systems. If the desire is to ensure
consistency throughout this parent-child relationship, it is
possible to push the configuration of the default check and
change settings from the system object to all child objects
defined for the system. If selected, these settings will be
pushed to the accounts when the Save Changes button is
clicked. This is a one-time synchronization and may still be
changed at the account level.
NOTE: Synchronized password subscribers will not receive these
updates.

TPAM 2.5
68
Administrator Guide
Table 21. Systems Management: Details Management tab options

Field Description Required? Default

Enable auto To enable this check box the Push Defaults out to All Accounts No Off
management must be selected first. If selected, auto management will be
on All Accounts enabled on all accounts under this system when the Save
Changes button is clicked. This is a one-time synchronization
and may still be changed at the account level.
NOTE: The functional account defined for the system does not
receive the Enable Auto Management on All Accounts setting
during a push. The auto-manage property must be manually
enabled for the functional account.
NOTE: Synchronized password subscribers will not receive these
updates.
Default The duration for an ISA release may be specified up to a No 2 Hours
duration for maximum of 7 days. This is the amount of time that transpires
ISA releases of between the initial ISA retrieval and the automatic reset of the
password password (if enabled). If 0 is entered the ISA retrieval of a
password will not trigger a post release reset of the password.
Allow ISA to If selected, an ISA may enter a release duration other than the No Off
enter Duration default when retrieving a password. The duration must be
on Release greater than zero and less than or equal to the maximum
specified for either the ISA Duration or Max Release Duration
(details information tab).
This check box is disabled when the Default duration for ISA
releases of passwords is set to 0.
Profile This is required if this system is using a check or change profile Yes,
Notification that is using the Allow system to notify TPAM it is available for depending on
Certificate check/change. password
• No certificate - no thumbprint or certificate. Default profile
options.
• Thumbprint Only - The SHA1 thumbprint of the
certificate used by the system to notify TPAM of
availability for check/change operations.
• User-Supplied - user can upload their own certificate to
TPAM.
• Created by TPAM -TPAM will generate a certificate and
record the thumbprint. This certificate must be installed
on the system in order to call the TPAM notification
service. There is an optional password on a TPAM
generated certificate. This password will be required to
install the certificate on the target system. The
password is NOT stored and cannot be retrieved if
forgotten.

How to call the notification service

For systems that are going to notify TPAM that they are online and available for check and changes, there is a
new REST service endpoint is available on the TPAM appliance.
A system can make a call to the following address to notify TPAM that it is online and available for
check/change: https://tpamAddress:9443/available
The call can be made using a language or scripting environment of the user's choice.It requires a certificate to
be included with the http request. The thumbprint of that certificate must be on file in TPAM for a managed
system. When the call succeeds and TPAM finds the thumbprint all accounts on that system which have profiles
allowing notification will be scheduled for checks/changes as required. The service returns a JSON dataset with
the following information:

TPAM 2.5
69
Administrator Guide
 • CertificateThumbprint - 40-byte hexadecimal value of the certificate attached to the request. This does
not indicate the request was accepted or not - it's just an echo of what the cert is. Debug purposes
primarily. This value may or may not stay.
• ErrorID - number - 0 = good, non-zero = error occurred. Note that "success" does not necessarily mean
anything was added flagged for processing.
• ResultMessage - text. Either "Success" or some error message. Right now it will return an error message
informing you of an unrecognized thumbprint.
• If no certificate is attached the call will result in a 403 error (403 - Forbidden: Access is denied).

Ticket system tab

The ticket system tab is used to configure third party ticket system requirements when submitting password
release, file release or session requests for this system. The ticket system tab is only enabled if the TPAM
System Administrator has configured ticket system/s in the admin interface. The settings on this tab become
the default settings for any accounts or files added to this system.

The following table explains the options on this tab.

Table 22. Systems Management: Details Ticket system tab options

Field Description Required? Default

Ticket By selecting the check boxes you can require that ticket No Off
Required for validation is enforced for Password/Files requests and/or
Session requests.You also have the option to require ISAs to
supply a ticket number prior to retrieving a password or file as
well as requests made through the CLI or API. If a check box is
not selected, users can still enter a ticket number on a request,
but it is not required.
Require Ticket If multiple ticket systems are enabled they are listed in the list No Off
Number from for selection. You can specify the ticket system or allow entry
of a ticket number from any system that is enabled.
Send Email to If any of the ISA, CLI or API required check boxes are left clear No No
you have the option of entering one or more email addresses
(up to 255 characters) that will receive an email when an ISA,
CLI or API user releases or retrieves a password or file without
supplying a ticket.
Push ticket If selected, when the Save Changes button is clicked, it will No Off
defaults out to push these settings to all accounts and files under the system.
all accounts New accounts and files will inherit these settings.
and files NOTE: The propagation is a one time update each time this
check box is selected and the Save Changes button is clicked.
After that there is no forcing of the settings to remain in synch.
The settings on the accounts and files can be overridden.

TPAM 2.5
70
Administrator Guide
LDAP schema tab
This tab is only enabled for LDAP, LDAPS and Novell® NDS® systems. It is used to customize the schema. The
fields in this tab specify the value of core attributes as well as the name(s) of optional attributes. For example
‘objectClass’ is a core attribute with defined values that distinguish the specific directory object as group, user
or computer. Similarly with attribute naming, a group object’s member attribute may be called ‘member’
‘uniquemember’ or ‘memberUid’, first name attribute may be called ‘givenName’, etc.

Template tab
The template tab is used to save all the settings for a system as a template. Templates may be used to quickly
create new systems with a given set of default values via the web interface, CLI or API. Templates can only be
created and edited by TPAM Administrators. Only TPAM Administrators and ISAs may use templates.

The table below explains all of the box options available on the Template tab.

TPAM 2.5
71
Administrator Guide
Table 23. Systems Management: Template tab options

Field Description Required? Default

Create a Selecting this flag saves this system as a System Template. No Off
Template from NOTE: After a template has been created you cannot clear this
this System flag.
Use this as the If selected, this template is used when adding new systems No Off
Default unless another template is chosen with the Use Template
Template button.
Only one template can be designated as the “Default” at a
time. If a template is designated as the “Default” it is listed in
green italics on the Manage Systems listing.
Retain If selected, TPAM creates the template with all the collection No Off
Collection memberships currently defined on this system. Systems created
Membership in from this template will have the same collection memberships.
the template NOTE: If this system is a member of an AD Integration
Collection, that membership is not transferred to the template
and subsequent systems.
Retain If selected, TPAM creates the template with all the User and No Off
User/Group Group permissions (Access Policy assignments) currently defined
Permissions in on the system. Systems created from this template will have
the template the same permissions.
Retain Existing When creating a template based on an existing system, this No Off
Accounts in the option allows you to retain up to 10 accounts from the existing
template system (including the functional account.)
If this option is selected, use the table located below this
option to select the accounts to be included in the template.
The functional account cannot be cleared.
NOTE: Accounts included in the template do not retain any
passwords, password history, or dependent system information.

Account discovery tab

Account discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account discovery profiles can only be assigned to Windows®, *nix and database
systems. If account discovery is going to be used for a system, the account discovery profile to be used is
assigned on this tab. The time displayed on the Log tab is the user’s time zone.

The table below describes the options available on the Account Discovery tab

TPAM 2.5
72
Administrator Guide
Table 24. Systems Management: Account Discovery tab options

Field Description Required? Default

Discovery Select the profile to be used for account discovery. Only No
Profile available for Windows®, *nix, and database platforms.
Exclude List Any accounts that you want to be excluded from the account No
discovery process can be listed here. Up to 1000 characters,
case insensitive.
Timeout The number of seconds the auto discovery process will run No 300
(seconds) before it will time out. If the discovery process times out it will
continue to discover the remaining accounts during the next
scheduled run. If the box is left null the default value of 300
seconds is used.
Test Discovery Once the profile has been saved, click the Test Discovery n/a
Profile Profile button to see what accounts and actions are found. No
changes are made, it is only a test.
Run Discovery Click this button to run account discovery for this system on n/a
Profile demand, rather than waiting for the scheduled run. The number
of accounts that can be discovered by clicking this button is
limited to 5,000. More than 5,000 can be discovered during the
automated runs.

Affinity tab
The Affinity tab is used to assign the system to a distributed processing appliance (DPA) if DPA’s are configured
to work with the TPAM appliance. Assigning the system to a DPA can help optimize performance for session
recording, session playback and password checking and changing. The affinity tab is not enabled until the
system has been saved.

The table below describes the options available on the Affinity tab.

TPAM 2.5
73
Administrator Guide
Table 25. Systems Management: Affinity tab options

Field Description Required? Default

Allow PSM If selected, TPAM will select the DPA that has the least number No Yes
Sessions to be of sessions running on it to conduct the session.
run on any
defined DPA
Selected DPA Select this option to prioritize which DPA is used for sessions No No
affinity and conducted on this system. The default DPA is LocalServer, which
priority is the local TPAM appliance.
Use the Priority column in the table below this option to enter a
priority number next to each DPA. Leave the box blank (NULL)
for any DPAs you do not want to use for session recordings.
When determining which DPA to use, the appliance looks at
them in order from lowest to highest and uses the first one that
has an open slot.
Use local PPM If selected, then all password checks and changes will be run on No Yes
appliance for the TPAM appliance.
password
checks and
changes
Selected DPA Select this option to prioritize which DPA is used for password No No
Affinity checking and changing on this system.
NOTE: We do not support using named instances for SQL
Server® when using a DPA for password checks and changes. The
workaround is to specify the port.
Use the Priority column in the table below this option to enter a
priority number next to each DPA. Leave the box blank (NULL)
for any DPAs you do not want to use for password management.
When determining which DPA to use, the appliance looks at
them in order from lowest to highest and uses the first one that
has an open slot. A value of 0 (zero) is simply “more important”
than any other value.

Collections tab
A collection is a group of systems, accounts and or files. The collections tab is used to assign the system to a
collection/s. Systems can belong to more than one collection. The collections list shows all collections that
have been defined to the TPAM appliance if the user modifying the system is an administrator. If the user
modifying the system is an ISA, only the collections that the user holds the ISA role for are displayed. By
assigning the system to collections, the system automatically inherits user and group permissions that have
been assigned at the collection level.
NOTE: A system cannot belong to a collection that already contains any of its accounts or files.
Conversely, an account or file cannot be added to a collection that already contains that entity’s parent
system.

NOTE: If a collection is tied to either AD or Generic Integration the system’s membership status in that
collection cannot be changed.

Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.

TPAM 2.5
74
Administrator Guide
The table below explains the fields on the Results tab.

Table 26. Systems Management: Collections Results tab options

Field Description Required? Default

Type On this tab type will always say Collection.
Name The name of the collection. Clicking on the name will take you No
to the collection management listing tab.
Membership To modify collection membership, simply click the Not Assigned No Not
Status or Assigned buttons next to each collection name and click the Assigned
Save Changes button. You can set all members to either
Assigned or Not Assigned by holding down the Ctrl key when
clicking on any button.

Permissions tab
The permissions tab is used to assign users and/or groups an access policy for this system.

To assign Access Policies:

1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an access policy from the Access Policy list in the access policy details pane, located in the right
upper side of the results tab. When you select an access policy on the list the detailed permissions
describing this access policy are displayed on the rows below.
3 Select one of the icons in the access policy details pane (right upper side of page) to make the
assignment.

TPAM 2.5
75
Administrator Guide
 Table 27. Access policy details pane icons

Icon Action
Refreshes list of available Access Policies.

Scrolls the currently selected User or Group into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.

Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the system are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.

NOTE: You must be both a PPM and PSM ISA over a system to be allowed to assign an access policy.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

Add a system
When adding a system in TPAM, information is entered on the following tabs to configure the system:
• Details
• Template
• Connection
• Management
• Affinity
• Ticket System
• Collections

TPAM 2.5
76
Administrator Guide
 • Permissions
• Account Discovery
• LDAP Schema
The following procedure describes the required steps to add a system.

To add a system:
1 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2 Enter information on the details information tab. For more information on this tab see Information tab.
3 Click the Custom Information tab to add custom information about this system. (Optional) For more
details see Custom information tab.
4 Click the Connection tab to configure the functional account that TPAM will use to connect to the
system. For more details see Connection tab.
5 Click the Management tab and select preferences for managing account passwords. For more details see
Management tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting password release
requests. For more details see How to call the notification service. (Optional)
7 Click the LDAP Schema tab to tweak LDAP mapping attributes. For more details see LDAP schema tab.
(Optional)
8 To save this system as a template, click the Template tab and enter the requested information. For more
details see Template tab. (Optional)
9 Click the Account Discovery tab to assign an account discovery profile. (Optional) For more details see
Account discovery tab.
10 Click the Affinity tab and make DPA assignments. For more details see How to call the notification
service. (Optional)
11 Click the Collections tab and assign/remove membership. For more details see Collections tab.
(Optional)
12 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
13 Click the Save Changes button.

Add a system template

To add a system template:
1 Select Systems, Accounts, & Collections | Systems | Add System Template from the menu.

TPAM 2.5
77
Administrator Guide
 2 Enter the template name and a placeholder network address.
3 Change any other settings on the various tabs.
4 Click the Save Changes button.

Add a system using a template

To add a system using a template:
1 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
2 Click the Use Template button.

3 Select a template on the listing tab.

4 Click the Details tab.
5 Enter the system name.
6 Change the system IP address.
7 Make any other changes as desired.
8 Click the Save Changes button.

Test a system
Once a system has been saved, to test TPAM’s connectivity to the system, click the Test System button. The
results of the test will be displayed on the Results tab.

Clear a stored system host entry

The Clear Sys. Host Entry button removes the host entry from TPAM’s known hosts file. An example of the
necessity for this would be a situation where the SSH package on a managed system has been reinstalled, or the
OS itself may be reinstalled. A test of the system would indicate that the host key entry does not match, and is
preventing password authentication because of a perceived “man in the middle” attack. This can be performed
through the CLI by running the ClearKnownHosts command.

TPAM 2.5
78
Administrator Guide
To clear the System Host entry:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the system whose host entry is to be removed from TPAM’s known hosts file.
5 Click the Clear Sys. Host Entry button.

Duplicate a system
To ease the burden of administration and help maintain consistency, systems can be duplicated. This allows the
administrator to create new systems that are very similar to those that exist, while only having to modify a few
details. The new system inherits collection membership, permissions, affinity and ticket system settings from
the existing system.

To duplicate a system:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be duplicated.
5 Click the Duplicate button. A new system object is created and the System Details page displays. The
name of the new system is automatically DupofXXXXX.
6 Make any changes to the system configuration on the various tabs.
7 Click the Save Changes button.

Disassociate a system from a template

To disassociate a system from the template is was created from:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to disassociate.
5 Click the Details tab.
6 Click the Disassociate button.
7 Click the OK button on the confirmation window.
8 Click the Save Changes button.

TPAM 2.5
79
Administrator Guide
Delete a system
When you delete a system from the Manage Systems listing it is “soft” deleted. This means that the system
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the admin interface.
NOTE: You cannot delete a system that has an active PSM session or any accounts with pending session or
password reviews.

To “soft” delete a system:

1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted systems go to Systems, Accounts, & Collections | Systems | Deleted Systems on the
main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.

NOTE: A soft deleted system using an inactive custom platform cannot be un-deleted until the custom
platform is made active again.

To undo a “soft” delete:

1 Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be restored.
5 Click the Undo Delete button.

To undo a soft delete for all the systems in the listing:

1 Click the Undo Delete All button.
2 Click the Yes, continue with undo delete button.
Hard deleting a system removes all records of the system from the TPAM interface. Hard deletion is only allowed
if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.

To “hard” delete a System:

1 Select Systems, Accounts, & Collections | Systems | Deleted Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system to be deleted.
5 Click the Hard-Delete button.
6 Click the OK button on the confirmation window.

To hard delete all the systems in the listing:

1 Click the Hard-Delete All button.

TPAM 2.5
80
Administrator Guide
 2 Click the Yes, continue with hard-delete button.

Delete a system template

To delete a system template:
1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the system template to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: A template that is currently being used by AD or Generic Integration cannot be deleted.

List systems
The List Systems option allows you to export the system data from TPAM to Microsoft Excel or CSV format. This
is a convenient way to provide an offline work sheet and also to provide data that may be imported into another
TPAM – for example, to populate a lab appliance with data for testing, without making the lower level changes
that restoring a backup would cause.

To list the systems:

1 Select Systems, Accounts, & Collections | Systems | List Systems from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for a system, select the system and click the Collections tab.
7 To view the permissions assigned for the system, select the system and click the Permissions tab.

Local appliance systems

When looking at the system listing in TPAM, you will see two systems that are there by default,
Local_Appliance_paradmin, and Local_Appliance_parmaster. These systems do not count against the total
licensed systems in TPAM and are used for managing the paradmin and parmaster accounts if
desired.Administrator Guide

TPAM 2.5
81
Administrator Guide
 10
Custom Platforms

• Introduction
• Custom platform Details tab
• Add a conversational custom platform
• Add a jump box custom platform
• Test a custom platform
• Duplicate a custom platform
• Delete a custom platform
• Using custom platforms in TPAM
• Batch processing custom platform systems
• CLI and API commands for custom platform systems
• Jump boxes

Introduction
Custom Platforms allow you to create new platforms for managed systems which cannot be managed by existing
platforms. A custom platform allows you to customize the check system, check password, and change password
operations used to check and change passwords of managed accounts. PSM sessions are also available or custom
platforms. There are two types of custom platforms:
• Jump Box - This platform type uses an intermediary server on your network to do all communication to
the target system and returns the results to the TPAM appliance. TPAM will call a script of your choosing
on the jump box passing all parameters relevant to the operation being performed. The script must
communicate with the target system, perform the indicated action, and return the result. A jump box
can be used when platforms require the use of an API or SDK that is not supported natively by TPAM. For
details on how to configure the jump box see Jump Boxes.
• Conversational - A conversational platform is created by importing an XML file to create or update a
platform file on the appliance. The XML file describes the entire conversation with a managed system
when performing the check system, check password, or change password operations. It includes
parameters describing how the communication is done, commands issued to test a system and check or
change a password, and how to interpret the results of those commands.

Custom platform Details tab

To add and manage custom platforms information is entered on the Custom Platform Details tab.

TPAM 2.5
82
Administrator Guide
Table 28. Custom Platforms: Details tab

Field Description Required?

Platform Name Descriptive name that is used to select the platform when adding a Yes
system via the TPAM user interface, CLI, or API or batch processes. The
platform name must be unique among custom platforms but can be the
same name as an existing standard TPAM platform.
Active If selected, this custom platform can be selected when adding a system No
to TPAM. A platform may be made inactive only if it is not being used
by any managed systems or used only by a soft-deleted system.
NOTE: A conversational platform cannot be marked selected as Active
until at least one successful upload has been processed.
Automation Active If selected, and at least one managed system is using this platform, No
only the name and description of the platform can be edited. If clear,
the platform can be edited, but the automated check and change
password engines will skip any accounts on systems using this platform.
Manual check and change of the account passwords may still be done
from the Account Management page or via the CLI/API.
Description The description box may be used to provide additional information No
about the custom platform. This information is only visible to
Administrators when editing the custom platform.
Platform Type Platform type choices are: Yes
• Conversational
• Jump Box
The platform type cannot be changed once the platform is being used
by a system.
Jump Box Select the name of jump box the custom platform will use. Applies to Yes for jump box
jump box custom platforms only.
Script Name The name of the script or executable which will be invoked on the Yes for jump box
jump box to perform the check system, check password or change
password operation. A path may be included with the script name.
Port The port number which will be used to communicate to the managed Yes
system.
NOTE: For jump box platforms this is NOT the port used to
communicate with the jump box.
Functional Account Functional account choices are: Yes
Access via • DSS Key - if selected and the platform type is jump box, the
system must use a system specific key.
• Password
Platform Specific If defined this will add a box to the Managed System Details No
Label Information tab which allows input of system-specific information
which will be included with each command. This text will be the label
of the exposed box.
Enable Account If selected, an Enable Account box will be available for input on the No
Connection tab of a managed system using this platform.
NetBIOS Domain If selected, a NetBIOS Domain Name box will be available for input on No
Name the Connection tab of a managed system using this platform.
Domain Name If selected, a Domain Name box will be available for input on the No
Connection tab of a managed system using this platform.
PSM Sessions If selected, PSM sessions can be configured for accounts on this type of No
platform.

TPAM 2.5
83
Administrator Guide
Field Description Required?
Port Test Applies to jump box custom platforms only. If selected and the No
assigned password change profile also has test port selected, a call will
be made to the jump box script for test port. The script must return
“host unreachable’, “check failure”, or “check success”. If the
assigned password change profile has the test port selected and the
jump box does not, the test port call will fail.
Allowable Proxy Proxy types selected here will display on the PSM Details tab for Yes, if PSM
Types accounts set up on this platform type. sessions
selected.
Allowable File File transfer types selected here will display on the File transfer tab Yes, if PSM
Transfer Types for accounts set up on this platform type. sessions
selected.

Add a conversational custom platform

To add a conversational custom platform:
1 Select Management | Custom Platforms from the main menu.
2 Click the Add Platform button.
3 Enter information on the Details tab. Select Conversational as the platform type.
4 Click the Save Changes button.
5 Click the Select File button to upload an XML file describing the platform conversations.

IMPORTANT: For help building the XML file please contact Dell Software Professional Services.

TPAM 2.5
84
Administrator Guide
 6 Click the Compile Platform from Upload button. If successful a Y will appear in the Success? column
when complete and the custom platform can me marked active. See example below:

If a N appears in the Success? column, click on the hyper-link to view the compilation output on the
Results tab.

NOTE: The platform file on the appliance will reflect the most recent successful compilation indicated by
Current in the Success? column.

Add a jump box custom platform

To add a jump box custom platform at least one jump box must be configured in TPAM. For instructions on how
to add a jump box see Jump Boxes.

NOTE: For help building the script please contact Dell Software Professional Services.

To add a jump box custom platform:

1 Select Management | Custom Platforms from the main menu.
2 Click the Add Platform button.
3 Enter information on the Details tab. Select Jump Box as the platform type.
4 Click the Save Changes button.

Test a custom platform

It is recommended that when implementing a custom platform for the first time that you leave the Automation
Active check box on the custom platform clear until you have confirmed that the platform file or jump box are
handling check system, check password, and change password operations correctly. With the check box clear
you will be able to go back and forth and change the custom platform details without having to worry that
automation will attempt to process any accounts using this platform. Once all tests confirm that the custom
platform works as expected you may select the Automation Active check box and save the custom platform.

Duplicate a custom platform

To ease the burden of administration custom platforms can be duplicated. This allows the administrator to
create new custom platforms that are very similar to those that exist, while only having to modify a few details.

To duplicate a custom platform:

1 Select Management | Custom Platforms from the main menu.
2 Click the Listing tab.

TPAM 2.5
85
Administrator Guide
 3 Select the custom platform to duplicate.
4 Click the Duplicate button. A new custom platform is created and the Custom Platform Details page
displays. The name of the new custom platform is automatically named Copy_of_XXXXXXX.
5 Make any changes to the custom platform configuration.
6 Click the Save Changes button.
7 For a conversational custom type platform click the Select File button to upload an XML file describing
the platform conversations.

IMPORTANT: For help building the XML file please contact Dell Software Professional Services.

8 For a conversational custom platform type click the Compile Platform from Upload button. If successful
a Y will appear in the Success? column when complete and the custom platform can me marked active.
See example below:

If a N appears in the Success? column, click on the hyper-link to view the compilation output on the
Results tab.

Delete a custom platform

NOTE: A custom platform can only be deleted if it is not in use by any system or “soft-deleted” system.

To delete a custom platform:

1 Select Management | Custom Platforms from the main menu.
2 Click the Listing tab.
3 Select the custom platform to be deleted.
4 Click the Delete button.
5 Click the OK button on the confirmation window.

Using custom platforms in TPAM

If an active custom platform exists, the custom platform will appear in the Platform list on the System Details
Information tab and Filter tabs throughout TPAM:

TPAM 2.5
86
Administrator Guide
When using a Filter tab in TPAM you have the option to select Custom Platform (Any) to pull all custom
platforms meeting the filter criteria or you can select a specific custom platform name.

Batch processing custom platform systems

To batch import or batch update a custom platform system, the platform name is indicated by “Custom” or
“Custom Platform” followed by a forward slash (/) and the custom platform name. For example
custom/testjumpboxplatform.

TPAM 2.5
87
Administrator Guide
CLI and API commands for custom platform
systems
For CLI and API commands, when passing the PlatformName parameter the platform name is indicated by
“Custom” or “Custom Platform” followed by a forward slash (/) and the custom platform name. The “Custom
Platform” must be properly quoted on the CLI command line based on the shell being used. For example in
Windows cmd.exe the format would be as follows:
ssh -i keyFile [email protected] “AddSystem --SystemName newSystem --
PlatformName \”Custom Platform/Router Jumpbox\” […other options…]”
When specifying functional account credentials using CLI, API or batch processing you can pass SPECIFIC as a
value to indicate that the account will be using a system specific key. A system specific key is required for jump
box custom platforms. Conversational custom platforms may also use the credential DSS to indicate the use of
any of the system standard keys defined on the appliance.

Jump boxes
One aspect of custom platforms is the use of a jump box. A jump box can be used when platforms require the
use of an application programing interface (API) or software development kit (SDK) that is not supported
natively by TPAM. Users can call a script on the jump box from TPAM to perform platform management on
target systems. The script (or program) is responsible for requesting the information, performing the password
management task, and reporting back the status during the connection to TPAM. The data that is available for
request will be listed in each of the function sections.

Platform management can be divided into three functions: CheckSystem, CheckPassword, and ChangePassword.
Each function is described below.

TPAM 2.5
88
Administrator Guide
Check system
The CheckSystem function is designed to determine platform connectivity using the functional account. The
table below describes the tags available for request.

Table 29. Jump Boxes: CheckSystem Tags

Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepwd% Target system’s enable password

The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% -Return this to TPAM when the target systems passes the check

Check password
The CheckPassword function is designed to determine if an account’s password is correct on the target system.
The table below describes the tags available for request.
Table 30. Jump Boxes: CheckPassword Tags

Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%funcacctdn% Target system’s functional account distinguished name
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.

TPAM 2.5
89
Administrator Guide
Table 30. Jump Boxes: CheckPassword Tags

Tag Description
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%acctdesc% Managed account description
%acctdn% Managed account distinguished name
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepwd% Target system’s enable password
%acctname% Account name to check the password on the system.
%acctpwd%‘ Account’s password to check on the target system.

The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %check failure% - Return this to TPAM when the target system fails the check
• %check success% -Return this to TPAM when the target systems passes the check

Change password
The ChangePassword function uses the functional account to connect to the target and change the target
account’s password. The table below describes the tags available for request.
Table 31. Jump Boxes: ChangePassword Tags

Tag Description
%netaddr% Target system’s address
%funcacct% Target system’s functional account
%funcacctpwd% Target system’s functional account password
%port% Target system’s port
%timeout% Time to wait before ending the connection
%key% The DSS key used for the functional account.
NOTE: The key is sent as a string with ; representing carriage returns. The
script called should format the key output to file replacing ; with a
carriage return/new line character. This will result in a properly formatted
private key. See examples below.
%platspecificvalue% This value is associated with the Platform Specific Label box. When setting
up the custom platform in TPAM, the user can define the Platform Specific
Label. This label will display on the System Details Information tab.
%funcacctdesc% Functional account description. Currently this is used for LDAP platforms.
%acctdesc% Managed account description
%domainname% Target system’s domain name
%netbiosname% Target system’s netBIOS name
%enablepassword% Target system’s enable password
%acctname% Account name to check the password on the system.

TPAM 2.5
90
Administrator Guide
Table 31. Jump Boxes: ChangePassword Tags

Tag Description
%oldacctpwd% Account’s current password on the target system.
%newacctpwd% Account’s password to be changed to on the target system.

The following tags are recognized as return tags from the jump box:
• %host unreachable% - Return this to TPAM when the host is unreachable
• %account does not exist% - Return this to TPAM when the account does not exist
• %change failure% - Return this to TPAM when the target system fails the check
• %change success% -Return this to TPAM when the target systems passes the check

Examples of DSS key script

#!/bin/bash
echo -n "%Funcacct%"
read facct
echo -n "%funcacctpwd%"
read fcred
echo -n "%netaddr%"
read ipaddress
echo -n "%key%"
read keyin
#perform action based on inputs, if actions are successful, return change success
echo -n "%change success%"
#Log inputs for debugging
echo FA:$facct >> testlog
echo FC:$fcred >> testlog
echo IP:$ipaddress >> testlog
echo KEY:$keyin >> testlog

Jump box Details tab

To add and manage jump boxes information is entered on the Jump Box Management Details tab.

TPAM 2.5
91
Administrator Guide
 TPAM 2.5
92
Administrator Guide
Table 32. Jump Boxes: Details tab

Field Description Required?

Jump Box Name Descriptive name that is used to select the jump box when adding a Yes
custom jump box platform.
Network Address The IP address (example: 192.168.0.15) or DNS name Yes
(example:server1.domain.bigco.com) of the system.
It is imperative that this information is entered correctly, as the back-
end automation procedures use this address to connect to the jump
box.
Timeout The timeout value determines the amount of time in seconds that a Yes
connection attempt to the jump box remains active before being
aborted. In most cases, it is recommended to use the default value (20
seconds). If there are problems with connection failures with the jump
box, this value can be increased (for example, connections to Windows
systems are often slower than SSH connections and may require a
significantly higher timeout value).
Port Alternate port to be used instead of the default SSH port of 22. No
DSS Key Details When using DSS key authentication, a function is available to permit No
specific configuration of the public/private keys used.
• Avail. System Std. Keys – uses the single standard SSH keys
(either Open SSH or the commercial key) stored centrally on
TPAM. You have the ability to have up to three active keys
simultaneously. These keys are configured in the admin
interface. Use the list to select the key you want to retrieve.
NOTE: When using the Avail. System Std. Keys you cannot specify the
key that is used. One or all available keys may be downloaded to the
remote system, but TPAM attempts to use all currently active keys
when communicating with the remote system.
• Use System Specific Key – allows the generation and download
of a specific SSH key to be used with this jump box only. The
key must first be generated using the Get/Regen Key button,
and then downloaded in either Open SSH or Sec SSH
(commercial) format.
Account Name Account name on the jump box used to manage target systems. This is Yes
the account that TPAM will use authenticate to the jump box and then
execute the named script for managing passwords.
Description The description box may be used to provide additional information No
about the jump box.

Add a jump box

Before a jump box custom platform can be added to TPAM, the jump box must first be added to TPAM.

To add a jump box:

1 Select Management | Jump Box from the main menu.
2 Click the Add Jump Box button.
3 Enter information on the Details tab.
4 Click the Save Changes button.

TPAM 2.5
93
Administrator Guide
Delete a jump box
A jump box can only be deleted if there are no custom platforms dependent on the jump box. To see a list of
dependent platforms click the Dependent Platforms tab.

To delete a jump box:

1 Select Management | Jump Box from the main menu.
2 Select the jump box to be deleted.
3 Click the Delete button.
4 Click the OK button on the confirmation window.

TPAM 2.5
94
Administrator Guide
 11
Collections

• Introduction
• Add a collection
• Duplicate a collection
• Delete a collection
• List collections

Introduction
Collections are groups of systems, accounts and/or files. Collections can be used to simplify the process of
assigning permissions.
To add and manage collections, information is entered on the following tabs in the TPAM interface:

Table 33. Collection Management: TPAM interface tabs

Tab name Description

Details Define collection name.
Members Assign members to the collection.
Permissions Assign users and groups permissions for the collection.
Affinity Assign a DPA to be used for sessions on collection members.

Details tab

Table 34. Collection Management: Details tab options

Field Description required?

Collection Name Unique name for the collection. Yes
Description Used to provide additional information about the collection. No

TPAM 2.5
95
Administrator Guide
Members tab

The table below explains the fields on the Members tab.

Table 35. Collection Management: Members tab options

Field Description required?

Type Indicates whether the member is a system, account of file.
Name Name of the system, account or file.
Membership To modify collection membership, simply click the Not Assigned or Yes
Status Assigned buttons next to each system, account of file. You can set all
members to either Assigned or Not Assigned by holding down the Ctrl key
when clicking on any button.

Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this collection.

TPAM 2.5
96
Administrator Guide
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.

Table 36. Access Policy Details pane icons

Icon Action
Refreshes list of available Access Policies.

Scrolls the currently selected User or Group into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.

Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.

NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

TPAM 2.5
97
Administrator Guide
Affinity tab
The Affinity tab is used to assign the collection to a distributed processing appliance (DPA) if DPA’s are
configured to work with the TPAM appliance. Assigning the collection to a DPA can help optimize performance
for session recording and session playback. The Affinity tab is not enabled until the Collection has been saved.

The table below describes the options available on the Affinity tab.

Table 37. Collection Management: Affinity tab options

Field Description Required? Default

Allow PSM If selected, TPAM will select the DPA that has the least number No Yes
Sessions to be of sessions running on it to conduct the session.
run on any
defined DPA
Selected DPA Select this option to prioritize which DPA is used for sessions No No
affinity and conducted on this collection. The default DPA is LocalServer,
priority which is the local TPAM appliance.
NOTE: If a system has a different affinity priority assignment,
the priority at the system level takes precedence over the
collection affinity setting.
Use the Priority column in the table below this option to enter a
priority number next to each DPA. Leave the box blank (NULL)
for any DPAs you do not want to use for session recordings.
When determining which DPA to use, the appliance looks at
them in order from lowest to highest and uses the first one that
has an open slot. A value of 0 (zero) is simply “more important”
than any other value.
More than one DPA can have the same number ranking. DPA’s
with the same number will automatically be load balanced.

Add a collection
When adding a collection in TPAM, information is entered on the following tabs to configure the collection:
• Details
• Members
• Permissions
• Affinity
The following procedure describes the required steps to add a collection.

To add a new collection:

1 Select Systems, Accounts, & Collections | Collections | Add Collection from the menu.

TPAM 2.5
98
Administrator Guide
 2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Click the Members tab.
4 Enter your search criteria on the Filter tab.
5 Click the Results tab to assign/remove members from the collection. For more details see Members tab.
NOTE: A system cannot be in the same collection as any of its accounts or files and vice versa.

NOTE: A collection used by either AD or Generic Integration cannot have its membership changed
here. The current member status is displayed, but all buttons in the list are disabled.

TIP: You can set all the displayed members to either Assigned or Not Assigned by holding down the
Ctrl key when clicking on any button.

6 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
7 Click the Save Changes button.
8 Click the Affinity tab and make DPA assignments. (Optional) For more details see Affinity tab.
9 Click the Save Changes button.

Duplicate a collection
To ease the burden of administration and help maintain consistency, collections can be duplicated. This allows
the administrator to create new collections that are very similar to those that exist, while only having to modify
a few details. The new collection inherits membership and permissions, affinity settings from the existing
collection.

To duplicate a collection:
1 Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the collection to be duplicated.
5 Click the Duplicate button. A new collection is created and the Collection Details page displays. The
name of the new collection is automatically DupofXXXXX.
6 Make any changes to the collection on the various tabs.
7 Click the Save Changes button.

Delete a collection
To delete a collection:
1 Select Systems, Accounts, & Collections | Collections | Manage Collections from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the collection to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.

TPAM 2.5
99
Administrator Guide
List collections
The List Collections option allows you to export the collection data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.
TIP: Enter ! in the System, Account and File name filters to find empty collections.

To list the collections:

1 Select Systems, Accounts, & Collections | Collections | List Collections from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the list of collection names outside of the TPAM interface, click the Export to Excel
button, or the Export to CSV button. To view and store the list of collection members outside of the
TPAM interface, click Export Members to Excel button, or the Export Members to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view membership of a collection, select the collection and click the Members tab.
7 To view the user and groups with permissions on the collection, select the collection and click the
Permissions tab.

TPAM 2.5
100
Administrator Guide
 12
Accounts

• Introduction
• Add an account
• Duplicate an account
• Delete an account
• Retrieve a password
• List accounts
• List PSM accounts
• Password current status
• Manual password management
• Password management
• Managing services in a Windows® domain environment
• Add generic account to TPAM for PSM sessions to a user specified Windows account

Introduction
This chapter covers the steps to add and manage accounts in TPAM. To add and manage accounts, information is
entered on the following tabs in the TPAM interface:

Table 38. Account Management: TPAM interface tabs

Tab name Description

Details/Information Define main account information, such as name, password rule, contact.
Details/Reviews Set review requirements for password releases on this account.
Details/Custom Information Enter data in custom fields, if they have been defined.
Details/Management Configure the settings for how TPAM will manage the password for the
account.
Details/Ticket System Configure Ticket System Validation for requests on this system.
Dependents Set systems that are dependent on the domain level account.
Logs Can view test, change and release history for the account.
Passwords Can view past passwords and retrieve current password with ISA PPM
permissions.
Collections Assign an account to a collection/s.
Permissions Assign users and groups permissions on this account.
PSM Details/General Enable PSM functionality for the account and set approval requirements.
PSM Details/Session Set authentication method sessions using this account.
Authentication
PSM Details/File Transfer Enable/disable file transfer.
PSM Details/Review Requirements Set review requirements for sessions.

TPAM 2.5
101
Administrator Guide
Information tab

The table below explains all of the box options available on the details information tab.

Table 39. Account Management: Details information tab options

Field Description Required? Default

Account Name This is the descriptive name of the account. Within TPAM, all Yes
the account names on one system must be unique. The name
can be 1-30 characters long, but cannot include empty spaces.
Account is This check box gives Administrators and ISA’s the ability to No Off
Locked “lock” and “unlock” an account. When an account is locked
passwords for that account cannot be retrieved, released or
changed. Password requests or session requests can be
submitted but the password or session is not available until the
account is unlocked.
Password Enter the active current password for the account. If no No
password is specified (left blank), PPM stores the value default
initial password as the password for the account.
Confirm To confirm the password reenter it in this box. No
Password Rule Select the password rule to serve as the default for the Yes Default
account. If the selection is not changed (or if no other rules Password
have been defined in TPAM) the Default Password Rule is Rule
selected. The password rule governs the construction
requirements for new passwords generated by PPM.
Distinguished Only required for LDAP, LDAPS, and Novell® platforms. Yes
Name
Issue ndmcom Only visible for HP NonStop Tandem platform. If selected the No Off
for this ndmcom command is issued after the password for the account
account? is changed.
Change Only visible for Windows® platforms. If this is the Administrator No Off
password for account, or another functional account that runs system
Windows® services, this option ensures that the password change is also
Services applied to each service the account runs.
started by this
Account?

TPAM 2.5
102
Administrator Guide
Table 39. Account Management: Details information tab options

Field Description Required? Default

Automatically ®
Only visible for Windows platforms. If selected, after the No Off
restart such password is changed the services will automatically be stopped
services? and restarted.
Change the Only visible for Windows® platforms. If selected, after a task No Off
password for has been completed it will change the password.
Scheduled
Tasks started
by this
account?
Use this Only visible for Windows® platforms. This may be necessary on No See Note
account’s
Windows® XP and Windows® Server 2003 where Encrypting File
current
System or other third-party security products are used, and rely
password to
on authentication certificates stored in that account’s personal
change the
store.
password?
NOTE: If the system is configured with a “non-privileged
functional account” then this setting defaults for all accounts
added to this system.
Description This is a free text box where additional descriptive information No
may be entered.
Password By default, the property of the parent system is inherited at the Yes Defaults to
Management account level as either None or Automatic. what is set
• None - The Management tab will be disabled, and TPAM at the
will not automatically check, change or reset the system
password. Manually pressing the Check Password or level.
Reset Password buttons WILL result in a check or reset
for this account.
• Automatic - TPAM manages the password for this
account based on the settings configured on the
Management tab.
• Manual - TPAM sends an email to the primary contact at
the system and account level when it is time to manually
reset the password. The email is sent based on the
change frequency settings on the Management tab. The
contact/s will keep receiving this email at regular
intervals based on how this is configured by the Sys-
Admin in the Auto Management Agent settings, until the
password has been confirmed to be reset in PPM.
NOTE: The manual password email notification relies on the
Man Pwd Change Agent. If it is not running no email
notifications to reset the password will be sent.
Ignore System If selected, any access policies assigned to the system will not No Off
Access Policies apply to this account.

TPAM 2.5
103
Administrator Guide
Table 39. Account Management: Details information tab options

Field Description Required? Default

Enable account Only visible for Windows® platforms. If selected TPAM will No Off
before release enable the account when:
- releasing the password for a request
- ISA password release
- starting a PSM session which uses password authentication
If the account cannot be enabled the password will not be
released and the session will not start. If the account cannot be
disabled when the password is changed the change will be
marked as successful but an alert will raised. The alert must be
subscribed to in the admin interface. See the help bubble text
in the TPAM interface for more details.
If this check box is selected, this account cannot be added as a
Synchronized Password subscriber.
Approvals The default value of 1, indicates that a single approval allows Yes 1
Required the requestor to view the password. A value greater than 1
requires multiple approvers to approve each release request. A
value of 0 means any release requests will be auto-approved by
TPAM. If this value is overridden by an access policy the greater
of the two values is used.
Require Multi- Can only be selected if Approvals Required is greater than 1. If No Off
Group Approval selected, you can require that approvals for requests come
from from two or more groups. At least 1 approval must come from
each group.
NOTE: Any user with approver permissions will be able to
approve the request, but unless the user is a member of one of
the selected groups, their approval will not count.
NOTE: Any authorized approver can deny the request.
Maximum Maximum duration for a password release on the account. If this Yes
Duration is overridden by an Access Policy assignment, the lower of the
two durations is used. The default duration that the requestor
sees for any new password request is 2 hours, or the maximum
duration, whichever is less.
Notification The email address specified in this box receives notification of No Null
Email certain password releases. This would apply to releases by ISA
users, CLI/API users under all circumstances, and requests when
no approvals are required. This email address also receives
notification if a manually managed password needs to be
changed. Multiple email addresses can be specified by entering
each email address separated by a comma, up to a maximum of
255 characters.
Any time a change is made to the notification email address
box, an email is automatically sent to the old email address
with a notification that this change has occurred.

TPAM 2.5
104
Administrator Guide
Table 39. Account Management: Details information tab options

Field Description Required? Default

Simultaneous This option allows an Admin or a PPM ISA to grant more than Yes 1
Privileged one Privileged Access User (PAC) to request and retrieve a
Access Release password/session during the same or overlapping time period.
NOTE: If another Requestor already has the password checked
out the Privileged Access users must wait for that release
window to expire before they can gain access.
Override The System Administrator must have this global setting turned
Individual on in order for the TPAM Administrator or ISA to select this flag.
Accountability If selected, more than one requestor can request the password
at the same time or during an overlapping duration. Any
changes made to the override individual accountability check
box at the account level are logged in the Activity Log.
If the System Administrator disables the Global Setting allowing
account override, any accounts that had been selected to
override individual accountability will have their check boxes
cleared.

Reviews tab

The table below explains all of the options available on the Reviews tab.

Table 40. Account Management: Review tab options

Field Description Required? Default

Reviews Number of reviews required after a password release has No 0
Required expired.
Any Authorized If selected, any auditor, and any user or group member with an No Off
Reviewer access policy of Review Password permission will be eligible to
(excluding complete the review.
Requestor)
Specific User If selected, the specific user with review permission will be the No Off
only user allowed to review password releases for this account.
Any Auditor If selected, any user with a user type of auditor will be eligible No Off
to review password releases for this account.

TPAM 2.5
105
Administrator Guide
Table 40. Account Management: Review tab options

Field Description Required? Default

Member of a If selected, any users that are members of the group that is No Off
Group chosen will be eligible to review password releases for this
account. Only groups that have review permissions will be
available in the list.
If the review To have a user receive an email notification if the review is not No NullDetails
isn’t complete complete within X hours, enter the hours threshold and the
... email address. The password release is not eligible for review
until the release duration expires.

Custom Information tab

There are six fields that can be customized to track information about each account. These custom fields are
enabled and configured by the System Administrator in the /admin interface. If these fields have not been
enabled then this sub-tab is not visible.

Management tab
The Management tab is used to configure how TPAM manages the passwords for this account. This tab is not
enabled unless Automatic or Manual is selected on the Details Information tab. The settings here will default
from the system settings but can be overridden.

The table below explains the options on the Management Details tab.

TPAM 2.5
106
Administrator Guide
Table 41. Account Management: Details Management tab options

Field Description Required? Default

Password Select a password check profile from the list to determine the Yes, if Whatever
Check Profile rules for how the password is checked on the system against automatic profile is
Name what is stored in TPAM. The password check profiles are password assigned for
configured by the TPAM Administrator. See Password Profiles for management the system.
more details. has been
selected.
Password Select a password change profile from the list to determine the Yes, if Whatever
Change Profile rules for how the password is changed on the managed automatic profile is
Name system.The password change profiles are configured by the password assigned for
TPAM Administrator. See Password Profiles for more details. management the system.
has been
selected.
Pull Defaults If selected, upon saving, the Management settings of the system No Off
from System are populated at the account level. This is a one time action
and does not prevent any of these settings from being modified
again at the account level.
Default The duration for an ISA release may be specified up to a No From
duration for maximum of 7 days. This is the amount of time that transpires System
ISA releases of between the initial ISA retrieval and the automatic reset of the
password password (if enabled). If 0 is entered the ISA retrieval of a
password will not trigger a post release reset of the password.
Allow ISA to If selected, an ISA may enter a release duration other then the No From
enter Duration default when retrieving a password. The duration must be System
on Release greater than zero and less than or equal to the maximum
specified for either the ISA Duration (Mgt Details tab) or Max
Release Duration (Details tab).
This check box is disabled when the Default duration for ISA
releases of passwords is set to 0.

Ticket System tab

The Ticket System tab is used to configure third party ticket system requirements when submitting password
release requests for this account. The Ticket System tab is only enabled if the TPAM System Administrator has
configured ticket system/s in the /admin interface.

The following table explains the options on this tab.

TPAM 2.5
107
Administrator Guide
Table 42. Account Management: Details Ticket System tab options

Field Description Required? Default

Ticket By selecting the check boxes you can require that ticket No Off
Required for validation is enforced for Password/Files requests and/or
Session requests.You also have the option to require ISAs to
supply a ticket number prior to retrieving a password or file as
well as requests made through the CLI or API. If a check box is
not selected, users can still enter a ticket number on a request,
but it is not required.
Require Ticket If multiple ticket systems are enabled they are listed in the list No Off
Number from for selection. You can specify the ticket system or allow entry
of a ticket number from any system that is enabled.
Send Email If any of the ISA, CLI or API required check boxes are left clear No From
notification to you have the option of entering one or more email addresses System
(up to 255 characters) that will receive an email when an ISA,
CLI or API user releases or retrieves a password without
supplying a ticket.
Pull defaults If selected, when the Save Changes button is clicked, it will No Off
from system pull these settings from the system
The propagation is a one time update each time this check box
is selected and the Save Changes button is clicked. After that
there is no forcing of the settings to remain in synch. The
settings on the accounts can be overridden.

Dependents tab (Windows® AD only)

If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory® ),
services running on domain member systems using this account can also be managed in terms of password
changes.

Logs tab
The Logs tab contains three sub-tabs that provide detailed password history for the account. The log data
displays the user’s time zone. The following table explains the sub-tabs.

TPAM 2.5
108
Administrator Guide
Table 43. Account Management: Logs tab sub-tabs

Tab Description
Filter This filter tab can be used to specify your search criteria in any of the other log tabs.
Change Log Provides details on password change history.
Test Log Provides details on password test activity.
Release Log Provides details on password release history.
Dependent Only visible if account resides on Windows® Domain Controller with dependent systems
Change Log assigned. Provides details on changes of the domain account.
Change Agent Provides details on change agent log records for the account that have occurred after a 2.3+
Log TPAM upgrade.

Past Password tab

This tab allows an administrator to view past password for an account. This allows you to select a password that
was valid for a specific period of time. This is especially important if the managed system has been restored
from a backup and the password that was effective at the time of the backup is required.

Current Password tab

The tab allows users with ISA password permissions to retrieve the current password. By default administrators
do not have ISA permissions, they must be assigned.

TPAM 2.5
109
Administrator Guide
Collections tab
A collection is a group of systems, accounts and or files. The Collections tab is used to assign the account to a
collection/s. Accounts can belong to more than one collection. The collections list shows all collections that
have been defined in the TPAM appliance if the user modifying the account is an administrator. If the user
modifying the account is an ISA, only the collections that the user holds the ISA role for are displayed. By
assigning the account to collections, the account automatically inherits user and group permissions that have
been assigned at the collection level.
NOTE: An account cannot belong to the same collection as its parent system, or vice versa.

Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.

The table below explains the fields on the Results tab.

Table 44. Account Management: Collection Results tab options

Field Description Required? Default

Type On this tab type will always say Collection.
Name The name of the collection. Clicking on the name will take you No
the collection management listing tab.
Membership To modify collection membership, simply click the Not Assigned No Not
Status or Assigned buttons next to each collection name and click the Assigned
Save Changes button. You can set all members to either
Assigned or Not Assigned by holding down the Ctrl key when
clicking on any button.

Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this account.

TPAM 2.5
110
Administrator Guide
To assign Access Policies:
1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.

Table 45. Access Policy Details pane icons

Icon Action
Refreshes list of available Access Policies.

Scrolls the currently selected User or Group into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment. This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.

Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.

TPAM 2.5
111
Administrator Guide
 You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the account are saved.
The appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.

NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

PSM Details tab

The PSM Details tab is composed of four sub-tabs: General, Session Authentication, File Transfer, and Review
Requirements, that allow users to configure the account for Privileged Session Manager (PSM). PSM licences are
required for this functionality to be enabled.

NOTE: PSM sessions to Windows® machines using an RDP proxy connection type can be configured on the
Windows® machine to use SSL/TLS security for RDP connections. Note that the computer name set in
TPAM for the system may need to be uppercase for the connections to succeed.

General tab

The following table explains the options on this tab.

TPAM 2.5
112
Administrator Guide
Table 46. Account Management: PSM General tab options

Field Description Required? Default

Enable PSM If selected, allows users to request access to this account No Off
Sessions? through a recorded session. All subsequent options on the PSM
tabs are contingent upon this being selected.
Proxy Used to select the type of remote connection compatible with Yes, if PSM
Connection the configuration of the remote systems. Options are Enabled
Type dependent on the system platform.
NOTE: When choosing any of the proxy methods listed below
that use Automatic Login, the password is not automatically
reset after the session is completed because the password is
never displayed to the user.
Available choices are:
• DPA - ICA Access - Using a DPA, establish a connection to
the system using Citrix ICA web client. (For PSM ICA
Access only)
• DPA - Web Browser - Using a DPA, establish a connection
to the system using a web browser. (For PSM Web Access
only)
• RDP-Automatic Login Using Password – Connect to the
system using RDP (Terminal services protocol) client and
automatically login using the password retrieved from
the local or remote TPAM. This ensures that the
password is never displayed or known to the user.
• RDP-Interactive Login – Connect to the system using an
RDP client that PSM does not provide automatic login for.
If the password is managed by PPM, it is displayed on the
window when the session is started, otherwise the user
must know the account password when the
authentication dialog is presented.
• RDP Through SSH – Automatic Login Using Password
(for SPCW systems only) Connect to the system using RDP
client via the SSH protocol and automatically login using
the password retrieved from the local or remote TPAM.
• RDP Through SSH – Interactive Login (for SPCW systems
only) Connect to the system using RDP client via the SSH
protocol and allow the user to manually type the
password. If the password is managed by PPM, it is
displayed on the window when the session is started,
otherwise the user must know account password when
the authentication prompt is presented.
• SQLPlus – Automatic Login Using Password - Connect to
the system using the SQLPlus client and automatically
login using the password retrieved from the local or
remote TPAM.
• SQLPlus –Interactive Login - Establish a connection to
the remote system using the SQLPlus client. The user
must know the SQLPlus password for the system. If the
password is managed by PPM, it is displayed on the
window when the session is started, otherwise the user
must know the account password when the
authentication dialog is presented.
• SQL Window – Automatic Login Using Password -
Connect to the system using the Sql Window Client and
automatically login using the password retrieved from
the local or remote TPAM.

TPAM 2.5
113
Administrator Guide
Table 46. Account Management: PSM General tab options

Field Description Required? Default

Proxy • SQL Window – Interactive Login - Establish a connection
Connection to the remote system using the SQL Window client. The
Type user must know the SQL Window password for the
system. If the password is managed by PPM, it is
displayed on the window when the session is started,
otherwise the user must know the account password
when the authentication dialog is presented.
• SSH-Automatic Login Using DSS Key – Connect to the
system using SSH and authenticate via DSS private key.
The private key must be previously uploaded to TPAM for
this purpose.
• SSH – Automatic Login Using Password (for UNIX®
systems only) – Connect to the system using SSH and
automatically login using the password retrieved from
the local or remote TPAM.
• SSH - Interactive Login – Establish an SSH session to the
remote system and allow the user to manually type the
password. If the password is managed by a PPM, it is
displayed on the window when the session is started,
otherwise the user must know account password when
the authentication prompt is presented.
• Telnet-Automatic Login Using Password – Connect to
the system using the Telnet protocol and automatically
login using the password retrieved from the local or a
remote TPAM. This ensures that the password is never
displayed or known to the user.
• Telnet-Interactive Login – Connect to the system using
the Telnet protocol, to which PSM does not provide
automatic login. If the password is managed by a PPM, it
is displayed on the window when the session is started,
otherwise the user must know the account password
when the authentication dialog is presented.
• VNC Enterprise - Interactive Login - Establish a
connection to the remote system using the VNC®
Enterprise client. The user must know the VNC password
for the system. If the password is managed by a PPM, it
is displayed on the window when the session is started,
otherwise the user must know the account password
when the authentication dialog is presented.
• VNC-Interactive Login – Establish a connection to the
remote system using the VNC client. The user must know
the VNC password for the system. If the password is
managed by PPM, it is displayed on the window when the
session is started, otherwise the user must know the
account password when the authentication dialog is
presented.
• x3270 - Automatic Login - Establish a connection to the
remote system using a 3270 emulator and automatically
login using the password retrieved from the local or a
remote TPAM.

TPAM 2.5
114
Administrator Guide
Table 46. Account Management: PSM General tab options

Field Description Required? Default

Proxy • x3270 - Interactive Login Using Password - Connect to
Connection the system using a 3270 emulator and allow the user to
Type manually type the password. If the password is managed
by a PPM, it is displayed on the window when the session
is started, otherwise the user must know account
password when the authentication prompt is presented.
• x5250 - Interactive Login - Connect to the system using
a 5250 emulator and allow the user to manually type the
password. If the password is managed by a PPM, it is
displayed on the window when the session is started,
otherwise the user must know account password when
the authentication prompt is presented.
Custom The connection profile can be used to override the default No Use
Connection connection parameters. If any custom profiles have been Standard
Profile created they will be available in this list. See Add a PSM Settings
connection profile for more on creating custom connection
profiles.
Post Session The post session file is used to add additional steps at the end No Use
Profile of a session request. If any post session profiles have been Standard
created they will be available in this list. For more details on Settings
Post Session Profiles see Add a post session processing profile.
Color Depth Only an option for some proxy types. Used to set the number of No 8 or 0,
possible colors displayed in the recorded sessions for this depending
account. The choices are proxy type dependent. Options are: on proxy
• 8 - 256 colors type.
• 16 - 65,000 colors
• 0 - very low
• 1 - low
• 2 - medium
• 3 - auto select/full color
Required # of The number of approvers required for each session request. A Yes 0
Approvals value greater than 1 requires multiple approvers to approve
each session request. A value of 0 means any session requests
will be auto-approved by TPAM.
If this value is overridden by an access policy the greater of the
two values is used.
If the system/account is managed by PPM it is possible to have a
different value for session and password request approvals. In
the event of such a conflict, the value set on the password
approvals required may override the value set here. This occurs
only for connection types that use interactive login (where the
password is displayed).
Require Multi- Can only be selected if Approvals Required is greater than 1. If No Off
Group Approval selected, you can require that approvals for requests come
from from two or more groups. At least 1 approval must come from
each group.
NOTE: Any user with approver permissions will be able to
approve the request, but unless the user is a member of one of
the selected groups, their approval will not count.
NOTE: Any authorized approver can deny the request.

TPAM 2.5
115
Administrator Guide
Table 46. Account Management: PSM General tab options

Field Description Required? Default

Maximum Specifies the maximum number of simultaneous sessions that 1
Simultaneous may be established for account.
Sessions This option only exists for accounts configured to auto-
authenticate the user. If the password is provided by TPAM for
interactive logon then only one concurrent session is allowed to
preserve individual accountability.
Default Session Session duration that is displayed by default when requesting a Yes 2 hours
Duration session. It can be changed within the limits set by the max
password duration and the access policy session duration.
Notify primary Allows email notifications to be sent to the primary contact No 0,0, null
contact .... specified for the system if a session exceeds the maximum
session time for the request. Configurable parameters are:
frequency (in minutes) of notifications; and threshold time (in
minutes) before initial notification is sent for a session. Both
values must be non-zero for notifications to be sent.
Send PSM Start Email address that receives notification when a session on this No null
Notification account starts. The following special addresses may also be
included:
• :AllApprovers - all users who can approve the request
• :Approvers - users that approved the request
• :Group=Group1,Group2... - comma separated list of one
or more group names
• :RelNotify - release notification email for the account
• :System - primary email contact for the account
Enable If selected, during a session, the user can use the clipboard No On
Clipboard? option for copy/paste.
Enable Console If selected, during a session, the user can connect to the system No Off
Connection? console. This option is only available with RDP proxy types.
Record All If selected, all sessions for this account will be recorded. No On
Sessions?
Enable File If selected, files can be uploaded from the remote system No Off
Uploads? during the session.
NOTE: This option cannot be selected until file transfer is
enabled on the File Transfer tab.
Enable File If selected, files can be downloaded to the remote system No Off
Downloads? during the session.
NOTE: This option cannot be selected until file transfer is
enabled on the File Transfer tab.
Capture If selected, events during the session are captured and listed in No Off
Events? session logs with hyper links to that point in the session. This
option is only available for specific platforms. Clicking the Test
Event Configuration button will mimic event capture during a
session for testing with the system. There is a scheduled report,
Daily Session Activity Detailed, that will list captured events
during a session.
NOTE: For capturing events on Windows® systems see
Configuration for Capturing Events on Windows® Systems.
NOTE: A DPA is required to capture events.

TPAM 2.5
116
Administrator Guide
Session Authentication tab

The following table explains the options on this tab.The option selected on the session authentication tab
determines the authentication credential storage method.
Table 47. Account Management: PSM Details Session Authentication tab options

Field Description Required? Default

Password If selected, the local TPAM manages this account. No Yes
Managed by
Local TPAM
Use Remote Select this option if the account is managed by another TPAM No No
TPAM CLI appliance, and specify the CLI user ID to be used to retrieve the
password. This TPAM appliance makes a CLI call to the remote
TPAM and pulls the password for the system/account specified
and formats the account name at login time using the specified
Domain. If the System and Account box are left blank then the
system and account name of the account being configured is
used. Access to the public key for the CLI ID is required, and
must be supplied to TPAM. When this method of password
retrieval is used, the number of approvals specified on the
remote TPAM is ignored and access to the password is not
limited to a single release.
Use DSS Key Select this option if an authentication key is used for the No No
account instead of a password. You have the additional options
of using a system standard DSS Key (TPAM allows you to
configure up to 3 active keys) or having TPAM generate a pair of
keys for you.
Not Stored - Select this option if the account’s password is not stored or No No
Specify managed by any TPAM. When this option is used the password
password must be specified when the session is initiated.
during session
Use Windows® Select this option if the account’s password is not stored or No No
Domain managed by any TPAM. The named account is a placeholder for
Account the domain account TPAM uses to authenticate to the system.
Through this method you can connect to a system using a
domain account instead of a local account. On the Session
Authentication tab the user name used to log in to the remote
session must be added as an account associated with a Windows
Active Directory® System.

TPAM 2.5
117
Administrator Guide
File Transfer tab

The following table explains the options on this tab.

Table 48. Account Management: PSM Details File Transfer tab options

Field Description Required? Default

File Transfer Select the method used to transfer the files. The options No File
Method available in this list are platform dependent. Transfer
Disabled
NOTE: If using Windows® File copy make sure that port 139 or
445 is open on the target system.
File Transfer The share where the files will be uploaded/downloaded. Yes, if file Null
Share/Path transfer
enabled.
Same as Session If selected, the same credentials that are used for the session No Yes
Authentication will be used to transfer the file.
Specify at file If selected, the user is prompted to specify the account name No No
transfer time and password at the time of file transfer.

Review Requirements

The following table explains the options on this tab.

Table 49. Account Management: PSM Details Review Requirements tab options

Field Description Required? Default

Reviews Number of reviews required after a session has expired. No 0
Required
Specific User If selected, the specific user with review permission will be the No Off
only user allowed to review sessions for this account.

TPAM 2.5
118
Administrator Guide
Table 49. Account Management: PSM Details Review Requirements tab options

Field Description Required? Default

Any Auditor If selected, any user with a user type of auditor will be eligible No Off
to review sessions for this account.
Member of a If selected, any users that are members of the group that is No Off
Group chosen will be eligible to review sessions for this account. Only
groups that have review permissions will be available in the
list.
If the review To have a user receive an email notification if the review is not No Null
isn’t complete complete within X hours, enter the hours threshold and the
... email address. The session is not eligible for review until the
release duration expires.

Add an account
When adding an account in TPAM, information is entered on the following tabs to configure the account:
• Details - Information, Reviews, Custom Information, Management, Ticket System
• Dependents
• Collections
• Permissions
• PSM Details - General, Session Authentication, File Transfer, Review Requirements
The following procedure describes the required steps to add an account.

To add a new account:

1 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the account to.
3 Click the System tab.
4 Select the system or system template.
NOTE: A total of 10 accounts can be added to a system template (including the functional
account). Any accounts added in this way are added to new systems created from the template.
Existing systems based on the template will not have any new accounts added or existing accounts
removed. ISA users cannot add, view, or edit accounts on template systems.

5 Click the Details tab. Enter information on the Details tab. For more information on this tab see
Information tab.
6 Click the Reviews sub-tab to configure review requirements for password releases. For more information
on this tab see the Reviews tab. (Optional)
7 Click the Custom Information sub-tab to enter custom information for the account. For more
information on this tab see Custom Information tab. (Optional)
8 Click the Management sub-tab and select preferences for managing account passwords. For more details
see Management tab.
9 Click the Ticket System sub-tab and set external ticket system requirements for submitting password
release requests. For more details see Ticket System tab. (Optional)
10 Click the PSM Details tab to enable/disable PSM sessions. For more information see PSM Details tab.
(Optional)
11 Click the Session Authentication sub-tab to select session authentication method. For more information
see The following table explains the options on this tab.. (Optional)

TPAM 2.5
119
Administrator Guide
 12 Click the File Transfer sub-tab to enable file transfers during sessions. For more information see File
Transfer tab. (Optional)
13 Click the Review Requirements sub-tab to set review requirements for sessions. For more information
see Review Requirements. (Optional)
14 Click the Save Changes button.

15 Click the Dependents tab to assign/remove dependents to Windows Active Directory® systems. For more
details see Dependents tab (Windows® AD only). (Optional)
16 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab
see Collections tab.
17 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
18 Click the Save Changes button.

Duplicate an account
To ease the burden of administration and help maintain consistency, accounts can be duplicated. This allows the
administrator to create new accounts that are very similar to those that exist, while only having to modify a few
details. The new account inherits password management, review, ticket system, and PSM details settings from
the existing account. Collections and permissions assignments are not inherited.

To duplicate an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be duplicated.
5 Click the Duplicate button. A new account object is created and the Details tab displays.
6 Enter the Account Name.
7 Make any changes to the account configuration on the various tabs.Click the Collections tab and assign
membership. (Optional)
8 Click the Permissions tab and assign access policies. (Optional)
9 Click the Save Changes button.

Delete an account
When you delete an account from the Manage Accounts listing it is “soft” deleted. This means that the account
information is retained in TPAM for “X” days depending on how the System Administrator has set the Days in
Trash global setting in the /admin interface.
IMPORTANT: The only way to delete a functional account is to delete the system.

NOTE: You cannot delete an account that has an active PSM session.

To “soft” delete an account:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.

TPAM 2.5
120
Administrator Guide
 4 Select the account to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
To view “soft” deleted accounts go to Systems, Accounts, & Collections | Accounts | Deleted Accounts on the
main menu.
TPAM allows you to undo a soft deletion prior to the Days in Trash global setting taking effect.

To undo a “soft” delete:

1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be restored.
5 Click the Undo Delete button.

To undo a soft delete for all the accounts in the listing:

1 Click the Undo Delete All button.
2 Click the Yes, continue with undo delete button.
Hard deleting an account removes all records of the account from the TPAM interface. Hard deletion is only
allowed if the Allow Manual Hard Deletes global setting has been enabled by the System Administrator.

To “hard” delete an account:

1 Select Systems, Accounts, & Collections | Accounts | Deleted Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to be deleted.
5 Click the Hard-Delete button.
6 Click the OK button on the confirmation window.

To hard delete all the accounts in the listing:

1 Click the Hard-Delete All button.
2 Click the Yes, continue with hard-delete button.

Retrieve a password
A user with PPM ISA permission over an account can retrieve a password.

To retrieve a password:
1 Select Retrieve | Retrieve Password from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account.
5 Click the Passwords tab.
6 Complete the following fields:

TPAM 2.5
121
Administrator Guide
 Table 50. Password tab fields

Field name Description

Release Reason Used to provide a brief description of the reason for the password
release. May be optional, required or not allowed, depending on
configuration.
Reason Code Reason codes will appear if they have been configured by the System
Administrator. Reason codes streamline the request process, and
may be optional, required, or not allowed depending on how they
are configured.
Ticket System May be required, based on configuration.
Ticket Number May be required, based on configuration. If the ticket number fails
validation the ISA will not be able to retrieve the password.
Proxy Release For If the ISA is retrieving the password on behalf of another user, enter
the user’s name here. This name will be displayed on the Password
Release Activity report.

7 Click the Password tab. The password will be displayed for 20 seconds after which time the ISA must
click the password tab again to view the password.

List accounts
The List Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This is a convenient way to provide an offline work sheet and also to provide data that may be imported into
another TPAM – for example, to populate a lab appliance with data for testing, without making the lower level
changes that restoring a backup would cause.

To list the accounts:

1 Select Systems, Accounts, & Collections | Accounts | List Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for an account, select the account and click the Collections tab.
7 To view the permissions assigned to the account, select the account and click the Permissions tab.

List PSM accounts

The List PSM Accounts option allows you to export the account data from TPAM to Microsoft Excel or CSV format.
This lists all accounts that are PSM enabled or have the option of being PSM enabled. This is a convenient way to
provide an offline work sheet and also to provide data that may be imported into another TPAM – for example,
to populate a lab appliance with data for testing, without making the lower level changes that restoring a
backup would cause.

To list the accounts:

1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts from the main menu.
2 Enter your search criteria on the Filter tab.

TPAM 2.5
122
Administrator Guide
 3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.

Password current status

The current status of a password for an account will report last password release, open password requests,
scheduled password resets, password checks and reset history.

To check the current status of a password:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account to check.
5 Click the Current Status button.

Manual password management

Accounts that are not auto-managed by PPM may still take advantage of the secure storage and release
mechanisms, as well as the logging and reporting functions of TPAM. Password changes for such system accounts
can be accomplished in two ways – PPM generated passwords and User generated passwords.
When a non-managed account’s password has been released to a user, the defined system contact email address
for the system receives a notice when the release duration expires. This provides the opportunity to have the
password manually reset. If the request is expired early, the email notification is sent immediately.

To use passwords generated by PPM:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Click the Reset Password button.

TPAM 2.5
123
Administrator Guide
 9 Take the new password that PPM has generated, in this example, rHH1omoG1, and set it to this on the
remote system.
10 If the password update on the remote system was successful, click the Update Successful button. If the
password was unable to be reset on the remote system, click the Update Failed button. PPM will discard
the new password and rollback to the previously stored password.

To use password not generated by PPM:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the account from the listing.
5 Click the Details tab.
6 Select Manual for the password management setting. If this was already selected, skip to step 8.
7 Click the Save Changes button.
8 Enter the new password in the Password and Confirm fields.

9 Click the Save Changes button.

Password management
Password Management allows TPAM Administrators and PPM ISA’s to do a “mass” forced reset of account
passwords that are auto-managed. If manually managed passwords are scheduled for reset, the automatic email
notification will be generated to the system contact to manually reset the password.
NOTE: If the account is a synchronized password subscriber, it cannot be reset from this window.

This window also gives you a central location to view the current password status for all passwords.

TPAM 2.5
124
Administrator Guide
To perform a mass password reset:
1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 To select all passwords returned on the Listing tab for reset, select the All check box in the column
header. To select more than one, but not all, select the check box in the Select for Scheduling column
for the passwords to be reset.

5 Click the Schedule Resets button.

To select one password for reset:

1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the individual row.

5 Click the Reset Individual button.

6 If the account is manually managed, after manually resetting the password on the system, click the
Update Successful or Update Failed button, according to the results.

To view password history:

1 Select Systems, Accounts, & Collections | Passwords | Manage Passwords from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.

TPAM 2.5
125
Administrator Guide
 4 Select an account.
5 Click the Logs tab.
6 Enter your search criteria on the Filter tab.

7 Click the Change Log, Test Log, Release Log, Dependent Change Log, or Change Agent Log to view the
specific history.

Managing services in a Windows® domain

environment
If the account managed by PPM is a Windows® domain account (the system is defined as Active Directory® in
TPAM), services running on domain member systems using this account can also be managed in terms of
password changes.
The prerequisite for domain members systems to have these service account passwords changed is that each
system must be configured in TPAM and the domain functional account must be properly privileged on that
system (i.e. member of local Administrators group).

NOTE: Dependent systems will always have the passwords for Windows Services and Scheduled Tasks
changed regardless if the check boxes are selected on the Account Details Information tab.

To assign domain members to have their passwords changed:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.

4 Select the Windows® Domain account.

5 Click the Dependents tab.
6 Enter your search criteria on the Filter tab.
7 Click the Results tab.

TPAM 2.5
126
Administrator Guide
 8 Select the Dependent button for systems with dependencies on the domain level account.
9 Click the Save Changes button.
When the password for the managed domain account (i.e. Administrator) is changed, PPM enumerates the
services on each selected dependant system and changes the password for all services being run by the domain
account.
In the example used in the figures above, ‘Administrator’ is a domain account, specified on a domain controller
called Saturn. The system Jupiter is defined as a dependant system to this account, indicating that services are
running on Jupiter using the domain Administrator account. When the password for ‘Administrator’ is changed
by PPM, each system defined as dependant, such as Jupiter, has the password changed for any service using the
domain Administrator password.

Add generic account to TPAM for PSM

sessions to a user specified Windows
account
TPAM provides the ability to create a generic TPAM account that can be used to log in to any user-specified
Windows account during a PSM session. The user is prompted to input the desired Windows account name and
password when the PSM session is starting. This allows TPAM to provide the account name and password during
RDP session initiation, thereby allowing the RDP session to succeed even when the RDP session security layer is
set to SSL/TLS on the Windows machine.

To configure a generic TPAM account:

1 The target system must be added to TPAM. The platform for the system can be any of the Windows or
SPCW platforms. For details on how to add a system see Add a system.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :prompt: for the account name.
8 Select None for the Password Management option.
9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.

TPAM 2.5
127
Administrator Guide
 11 Select RDP- Interactive Login as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign
Requestor permissions to the appropriate TPAM users.

How it works
A TPAM user requests a session using the :prompt: account on the target system. When the PSM session is
initiated, the user is prompted to enter the Windows account name and password.

After the account name and password are entered, the RDP session is connected as desired.

NOTE: It is not possible to monitor events in this scenario,

NOTE: If performing file transfer, credentials must be specified at file transfer time.

TPAM 2.5
128
Administrator Guide
 13
Using Quest Authentication Services
with TPAM

• Introduction
• Configure QAS integration
• How it works

Introduction
Quest Authentication Services (QAS) is patented technology that empowers non-Windows® systems to become
members of Active Directory® (AD) for centralized authentication. The ability for Linux®, UNIX® and Mac®
systems to join the Active Directory® domain provides the benefit of central control over which an AD user is
permitted to authenticate to which non-Windows® system.

TPAM is able to leverage QAS with UNIX®, Linux®, and Mac® systems to allow for Active Directory® functional
accounts on UNIX®, Linux®, and Mac systems. TPAM also allows for currently logged on users to request a session
using it’s currently logged on username through a special account defined in TPAM for each system called
:myaccount: This is beneficial because many implementations use Active Directory® as the primary
authentication source and are granted permissions through this integration. A user may request access to a
system using their own username and password by requesting a session with the account :myaccount:. The user
then proxies access to the system through TPAM using their own credentials, without having to store additional
information on each defined system in TPAM for that user.

Configure QAS integration

Before integration with TPAM can be configured QAS must be installed on the target system prior to configuring
the integration in TPAM. See the documentation provided with QAS for these steps.
The target system must be added to TPAM. For details on how to add a system see Add a system template.

To create an account for QAS to use with TPAM:

1 Log on to the /tpam interface.
2 Select Systems, Accounts, & Collections | Accounts | Add Account from the menu.
3 Enter filter criteria on the Filter tab to find the system to add the account to.
4 Click the System tab.
5 Select the system in the listing.
6 Click the Details tab.
7 Enter :myaccount: for the account name.
8 Select None for the Password Management option.
NOTE: The password for the domain account is not stored in this account.

TPAM 2.5
129
Administrator Guide
 9 Click the PSM Details tab.
10 Select the Enable PSM Sessions check box.
11 Select one of the "interactive" proxy types as the Proxy Connection Type.
12 Click the Session Authentication tab. Select Not Stored - Specify password during session.
13 Click the Permissions tab. Assign permissions to this account. For details see Permissions tab. Assign
Requestor permissions to the appropriate TPAM users.

14 Click the Save Changes button.

How it works
A TPAM user requests a session using :myaccount: on the target system. In this example the TPAM user ID of the
requestor is testuser.
The user requests a session.

TPAM 2.5
130
Administrator Guide
When the PSM session is initiated the account of the user is sent to the target system as the TPAM user ID and
they must provide the domain password for authentication. The domain password is then sent to QAS for
authentication.

TPAM 2.5
131
Administrator Guide
 14
TPAM Account Discovery

• Introduction
• Configure account discovery
• Account discovery profiles
• Add an account discovery profile
• Delete an account discovery profile
• Assign an account discovery profile to a system/system template
• Combine account discovery with auto discovery

Introduction
For Windows®, *nix, and database systems, account discovery can be configured in TPAM. Configuration allows
these accounts to be added or removed from TPAM as they are discovered or removed from the remote system.
Administrators can also opt to just have email notifications sent when these accounts are discovered/removed.

Configure account discovery

To configure account discovery:
1 Create a system template.

2 Add an account to the system template. Select Accounts | Add Account from the menu. Filter for the
system template you just created. Select the template from the System tab and click the Details tab.

TPAM 2.5
132
Administrator Guide
 Configure the account and click the Save Changes button.
When creating the account discovery profile you will select this account to be the template account.

The template account is what is used to add accounts during account discovery. The accounts added will
be set up with the same permissions, collections membership, etc as the account on this template.For
more information on system templates see Add a system template and Add an account.
NOTE: For a disabled account that is newly discovered, if the Enable Account Before Release check box
is selected on the template used in account discovery the account WILL be brought into TPAM. If the
Enable Account Before Release check box is clear on the template the disabled account will not be
brought into TPAM.
NOTE: For a disabled account that exists in TPAM, and the Enable Account Before Release check box is
selected on the template used in account discovery, the account WILL NOT be considered deleted. For a
disabled account that exists in TPAM, and the Enable Account Before Release check box is clear on the
template used in account discovery, the account WILL be considered deleted.

3 Create an account discovery profile. For more information on how to create an account discovery profile
see Account discovery profiles.

TPAM 2.5
133
Administrator Guide
4 Assign the account discovery profile to the system and click the Save Changes button. Click the Test
Account Discovery button to see what accounts are found.

5 If desired click the Run Discovery Profile button to immediately have the profile run instead of waiting
for the next scheduled run. A maximum of 5,000 accounts can be discovered this way.(Optional)

Accounts will display on the Discovered Accounts tab if the Delete Account Action or New Account
Action setting is set to Notify via Email on the account discovery profile. If accounts are discovered,
select from the following options:
• Add Account - If selected, the account will be added to the system using the indicated template
account.
• Turn Off Auto - Accounts with this option have been deleted from the target system, but are still
set up as a managed account in TPAM. If Turn Off Auto is selected, the password management
setting for this account will be set to None.
• Add to Exclude - If selected, the account will be added to the system’s exclude list. The account
will be ignored during auto discovery processing.
After making selections click the Process Selected Actions button to execute the selections.

TPAM 2.5
134
Administrator Guide
 Clicking the Clear All Staged Accounts button clears out all staged account rows for this system without
processing them.
Clicking the Refresh Current List button refreshes the list with whatever filter applies.
6 Confirm with the System Administrator that the Account Discovery agent has been enabled in the admin
interface.

Account discovery profiles

Account Discovery profiles allow TPAM to periodically check for accounts on a managed system and add or
remove them from TPAM. Account Discovery profiles can only be assigned to Windows®, *nix and database
systems.

The table below explains the options on the Account Discovery profile page.

Table 51. Account Discovery profile page options

Field Description Required? Default

Profile Type Account Discovery should be selected from the list. Yes Account
Discovery
Profile Name Enter a unique profile name Yes

TPAM 2.5
135
Administrator Guide
Table 51. Account Discovery profile page options

Field Description Required? Default

Description Enter a brief description of this profile. No
Time of Day Enter the time of day that TPAM should check the assigned Yes 23:00/Daily
managed systems for account changes.
• Disabled - Processing of the account discovery profile is
suspended. The profile can still be assigned to systems,
and clicking the Test and Run buttons on the Account
Discovery tab on the systems page will still work, but
future runs will not be scheduled.
• Daily - If selected, the check will occur every day at the
configured time.
• Weekly - If selected, the check will occur on the days
selected, at the configured time.
• Monthly - If selected, the check will occur on the days of
the month listed. Multiple days may be entered
separated by a semi-colon. Use a value -1 to run on the
last day of the month, regardless of length.
Delete The action to take when an existing account has been removed Yes Do Nothing
Account from the system.
Action • Do Nothing - no action taken
• Turn off Auto-Management - If the managed account is
currently set to be auto-managed or is a subscriber to a
synchronized password, the password management
setting for the account will be change to None.
• Notify via Email - the account is not changed, but an
email is sent to the addresses specified that it has been
removed from the remote system. Information will also
be displayed on the Discovered Accounts tab when this
option is selected.
• Both - the account’s auto-management is set to None,
and an email notification is sent out.
Delete A list of email addresses, separated by semi-colons, to be No
Notification notified based on the New/Delete Account Action selections.
Email Allows up to 255 characters. Two special addresses are
recognized:
• :System: - sends an email to the primary contact
entered on the System Details tab.
• :Functional: - sends an email to the notification email
entered for the functional account.
New Account The action to take when a new account is entered on an Yes Do Nothing
Action assigned system. Choices are:
• Do Nothing - no action taken
• Create an Account - a new managed account will be
created on the system using the template account
• Notify - the account is not created, but an email is sent
to the addresses specified.
• Both - the account is created, and an email notification
is sent out.
Template Select a template from the list to be used for the accounts Yes First
Account created. They will be listed as template name/account name. template in
The discovered accounts will assigned the attributes of the the list
template account selected.

TPAM 2.5
136
Administrator Guide
Table 51. Account Discovery profile page options

Field Description Required? Default

UID Only applies to *nix systems. A comma separated list of numeric At least one
filter values. Only UID (User Id) values that match one of the filter criteria
following values will be discovered. Values may be entered as is required to
follows: save the
• # - only a numeric UIDs will be recognized. profile.
• #-# - numeric UIDs between these two values.
• <# - UIDs less than, but not equal to
• ># - UIDs greater than, but not equal to
• !# - UIDs not equal to
SID Only applies to Windows® systems. A string list values. Only SID At least one
(Security Identifier) values that match one of the following filter criteria
values will be discovered. Values may be entered as follows: is required to
save the
• # - only a numeric SIDs will be recognized.
profile.
• #-# - numeric SIDs between these two values.
• <# - SIDs less than, but not equal to
• ># - SIDs greater than, but not equal to
• !# - SIDs not equal to
Name A comma separated list of values. Only account names that At least one
match one of the following values will be discovered. Values filter criteria
may be entered as follows: is required to
• text - only this account will be recognized save the
profile.
• *text - account names ending in text
• text* - account names starting with text
• !text - account names not equal to text
Group Only applies to Windows® and *nix platforms. A comma At least one
separated list of group names. Only accounts which are filter criteria
members of the indicated group(s) will be discovered. Vales is required to
may be entered as follows: save the
profile.
• text - only this group will be recognized
• *text - group names ending in text
• text* - group names starting with text
• !text - group names not equal to text
Role Only applies to database systems. A comma separated list of At least one
role names. Only accounts which are members indicated role(s) filter criteria
will be discovered. Values may be entered as follows: is required to
• text - only this role will be recognized save the
profile.
• *text - role names ending in text
• text* - role names starting with text
• !text - role names not equal to text
Task Only applies to Windows® systems. If selected, discovers an At least one Off
® filter criteria
account if it is being used to run any Windows scheduled task.
is required to
save the
profile.
Service Only applies to Windows® systems. If selected, discovers an At least one Off
filter criteria
account if it is being used to run any Windows®services.
is required to
save the
profile.

TPAM 2.5
137
Administrator Guide
Add an account discovery profile
IMPORTANT: An account discovery profile cannot be added unless at least one system template has been
added to TPAM.

To add an account discovery profile:

1 Select Management | Profile Management from the menu.
2 Select Account Discovery from the Profile Type list.
3 Click the New Profile button.

4 Enter a unique name for the profile.

5 Enter a description for the profile. (optional)
6 Enter a time of day and frequency for the auto discovery check to run.
7 Click the Add Detail button.

8 Select the various detail options available. For more information on how these are configured see the
table in the Account discovery profiles section.
9 To add another detail row repeat steps 7 and 8.
10 Click the Save Changes button.

Delete an account discovery profile

To delete an account discovery profile:
1 Select Management | Profile Management from the menu.

TPAM 2.5
138
Administrator Guide
 2 Select Account Discovery as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: An account discovery profile can only be deleted if it is not assigned to any systems.

Assign an account discovery profile to a

system/system template
Account Discovery connection profiles can be assigned using the Import Systems or Update Systems batch
processing functions, or by following the procedure below.

To assign a connection profile to a system:

1 Select Systems, Accounts, & Collections | Systems| Manage Systems.
2 Select the system/system template on the listing tab.
3 Click the Account Discovery tab.
4 Select the profile from the discovery profile list.
5 Enter any accounts to be excluded from the discovery profile actions in the excluded box.
6 Click the Save Changes button.
IMPORTANT: The profile being assigned to the template cannot have any accounts in common with the
template it is being assigned to.

Combine account discovery with auto

discovery
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems through Auto Discovery integration. To take this
process once step further, once a system is “auto discovered” and added to TPAM, account discovery can also be
configured to find accounts on this newly added system. To combine auto discovery with account discovery see
Discover accounts on auto discovered systems.

TPAM 2.5
139
Administrator Guide
 15
Files

• Introduction
• Add a file
• Duplicate a file
• Review file history
• Delete a file
• Retrieve a file
• List files

Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.
To add and manage files, information is entered on the following tabs in the TPAM interface:

Table 52. Files Management: TPAM interface tabs

Tab name Description

Details Define main file information, such as name, approvals required, contact.
Ticket System Configure Ticket System Validation for requests on this file.
Collections Assign a file to a collection/s.
Permissions Assign users and groups permissions on this file.

Details tab
The Details tab is where you upload the file to TPAM and set approval requirements.

TPAM 2.5
140
Administrator Guide
The table below explains all of the options available on the File Details tab.

Table 53. Files Management: Details tab options

Field Description Required? Default

File Display The name users see when requesting access to stored files. Yes
Name
Filesize (in Display only. The size of the file that is uploaded.
bytes)
Select Local Where the file is uploaded by clicking the browse button. Yes
Filename
Approvals The default value of 1, indicates that a single approval allows No 1
Required the requestor to access the file. A value greater than 1 requires
multiple approvers to approve each request. A value of 0 means
any requests will be auto-approved by TPAM. If overridden by an
access policy the greater of the two values will be used.
Maximum This is the maximum duration for a file release. If this is Yes 7 Days
Duration overridden by an Access Policy assignment, the lower of the two
durations is used. The default duration that the requestor sees
for any new file request is 2 hours, or the maximum duration,
whichever is less.
Require Multi- Can only be selected if Approvals Required is greater than 1. If No Off
Group Approval selected, you can require that approvals for requests come
from: from one or more groups. If only one group is selected, all
approvals must come from members of this group. If more than
one group is selected, at least 1 approval must come from each
group.
NOTE: Any user with approver permissions will be able to
approve the request, but unless the user is a member of one of
the selected groups, their approval will not count.
Any authorized approver can deny the request.

TPAM 2.5
141
Administrator Guide
Table 53. Files Management: Details tab options

Field Description Required? Default

Notification The email address specified in this box receives notification of No Null
Email certain file releases. This would apply to releases by ISA users,
CLI/API users under all circumstances, and requests when no
approvals are required. Multiple email addresses can be
specified by entering each email address separated by a
comma, up to a maximum of 255 characters.
Any time a change is made to the notification email address
box, an email is automatically sent to the old email address
with a notification that this change has occurred.
Description The description box may be used to provide additional No
information about the file, special notes, business owner, etc.

Ticket System tab

The Ticket System tab is used to configure third party ticket system requirements when submitting file release
requests for this file. The Ticket System tab is only enabled if the TPAM System Administrator has configured
ticket system/s in the /admin interface.

The following table explains the options on this tab.

Table 54. Files Management: Ticket System tab options

Field Description Required? Default

Require Ticket Select this check box to require ticket number validation every time a No From
Number from file request is submitted. If multiple Ticket Systems are enabled they System
are listed in the list for selection. You can specify the ticket system or
allow entry of a ticket number from any system that is enabled. If this
check box is not selected, users can still enter a Ticket Number on a
request, but it is not required.
Perform Ticket If ticket validation is required, then all requestors are required to No From
Validation for provide a ticket number. You also have the option to require ISAs to System
supply a ticket number prior to retrieving a file.
Send Email If any of the ISA, CLI or API required check boxes are left clear you No From
notification to have the option of entering one or more email addresses (up to 255 System
characters) that will receive an email when an ISA, CLI or API user
releases or retrieves a file without supplying a ticket.
Pull defaults If selected, when the Save Changes button is clicked, it will pull No Off
from system these settings from the system.
The propagation is a one time update each time this check box is
selected and the Save Changes button is clicked. After that there is
no forcing of the settings to remain in synch. The settings on the file
can be overridden.

TPAM 2.5
142
Administrator Guide
Logs tab
The Logs tab for stored files shows the activity associated with accessing the file.

The following table explains the fields on this tab.

Table 55. Files Management: Logs tab options

Field Description
Request ID Request ID for the file request.
User Name User ID of the requestor.
User Full Name Full name of the requestor.
Release Date Date and time that the file was retrieved.
Release Type Indicates of the file was retrieved by a requestor or an ISA.

File History tab

This tab shows the history of all physical files that have been associated with the file display name as well as
the dates the file was originally stored and replaced. The older files, though no longer associated with the
display name, remain on the appliance and may be accessed by and administrator using the filename link. Older
files may also be deleted from history.

The following table explains the fields on this tab.

Table 56. Files Management: File History tab options

Field Description
Actual Filename The name of the file that was stored on TPAM.
Stored Date The date the file was uploaded to TPAM.
Replaced Date The date the file was replaced with another file.
Filesize Size of the file in bytes.

Current File tab

The Current File tab allows you to retrieve the file if you have ISA permission for the file.

TPAM 2.5
143
Administrator Guide
The following table explains the options on this tab.

Table 57. Files Management: Current File tab options

Field Description Required?

Release Reason The reason for the file release. Depends on configuration by System
Administrator
Reason Code The reason for the file release. Depends on configuration by System
Administrator
Ticket System Ticket system to validate the request against. Depends on configuration by
Administrator.
Ticket Number Ticket number to validate the request against. Depends on configuration by
Administrator.

Collections tab
A collection is a group of systems, accounts and or files. The Collections tab is used to assign the file to a
collection/s. Files can belong to more than one collection. The collections list shows all collections that have
been defined in the TPAM appliance if the user modifying the file is an administrator. If the user modifying the
file is an ISA, only the collections that the user holds the ISA role for are displayed. By assigning the file to
collections, the file automatically inherits user and group permissions that have been assigned at the collection
level.
NOTE: A file cannot belong to the same collection as its parent system, or vice versa.

Use the Filter tab to enter search criteria for the collections to assign/un-assign. Click the Results tab.

The table below explains the fields on the Results tab.

Table 58. Files Management: Collections Results tab options

Field Description Required? Default

Type On this tab type will always say Collection.
Name The name of the collection. Clicking on the name will take you No
the collection management listing tab.

TPAM 2.5
144
Administrator Guide
Table 58. Files Management: Collections Results tab options

Field Description Required? Default

Membership To modify collection membership, simply click the Not Assigned No Not
Status or Assigned buttons next to each collection name and click the Assigned
Save Changes button. You can set all members to either
Assigned or Not Assigned by holding down the Ctrl key when
clicking on any button.

Permissions tab
The Permissions tab is used to assign users and/or groups an Access Policy for this file.

To assign Access Policies:

1 Use the table on the left of the page to select the name/s of the user/s and/or group/s to which the
selected access policy is to be assigned.
2 Select an Access Policy from the Access Policy list in the Access Policy Details pane, located in the right
upper side of the Results tab. When you select an Access Policy on the list the detailed permissions
describing this Access Policy are displayed on the rows below.
3 Select one of the icons in the Access Policy Details pane (right upper side of page) to make the
assignment.

Table 59. Access Policy Details pane icons

Icon Action
Refreshes list of available Access Policies.

Scrolls the currently selected User or Group into view.

Applies the currently selected policy to the current row. Assigning a policy of “Not
Assigned” removes the current assignment.This affects only the current row (row with the
dotted border) even if multiple rows are selected.
Applies the currently selected policy to all selected rows in the list. You are asked to
confirm the assignment if more than 10 rows are affected.

TPAM 2.5
145
Administrator Guide
 Table 59. Access Policy Details pane icons

Icon Action
Removes the currently selected policy from all selected rows in the list. If a row is not
currently set to the selected policy it will not be changed. You are asked to confirm the
assignment if more than 10 rows are affected.
Removes unsaved edits on the current row. This only affects the current row (row with the
dotted border) even if multiple rows are selected.

Removes unsaved edits on all currently selected rows.

This icon ( ) next to any row on the list simply means that row has been edited since the last save
changes occurred.
You can “Shift+Click” to select a range of rows. The first row you click will be surrounded by purple
dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row
and current row to be highlighted.
4 When you are finished assigning/un-assigning Access Policies, click the Save Changes button.
TIP: You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is
reloaded any Groups or Users that you have already edited reflect their edited policy assignment. When
you click the Save Changes button all the Access Policy assignment changes for the file are saved. The
appliance saves these in batches, informing you of the number of assignments added, removed, or
changed for each batch.

NOTE: You must be both a PPM and PSM ISA over an account to be allowed to assign an Access Policy.

Using Ctrl-Click or Shift-Click on the hyperlink in the Name column will open the details page for this entity in a
new tab or window.

Add a file
When adding a file in TPAM, information is entered on the following tabs to configure the file:
• Details - File name, Approvals required
• Ticket System
• Collections
• Permissions
The following procedure describes the required steps to add a file.

To add a new file:

1 Select Systems, Accounts, & Collections | Files | Add File from the menu.
2 Enter filter criteria on the Filter tab to find the system to add the file to.
3 Click the System tab.
4 Select the system.
5 Click the Details tab. Enter information on the Details tab. For more information on this tab see Details
tab.
6 Click the Ticket System tab and set external ticket system requirements for submitting file release
requests. For more details see Ticket System tab. (Optional)
7 Click the Save Changes button.

TPAM 2.5
146
Administrator Guide
 8 Click the Collections tab and assign/remove membership. (Optional) For more information on this tab
see Collections tab.
9 Click the Permissions tab and assign/remove permissions. For more details see Permissions tab.
(Optional)
10 Click the Save Changes button.

Duplicate a file
To ease the burden of administration and help maintain consistency, files can be duplicated. This allows the
administrator to create new files that are very similar to those that exist, while only having to modify a few
details. The new file inherits approval requirements, ticket system settings, collection and permission
assignments from the existing file.

To duplicate a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file to be duplicated.
5 Click the Duplicate button. A new file object is created and the Details tab displays.
6 Enter the file name.
7 Upload the file.
8 Make any other additional changes on the Details and Ticket System tabs. (Optional)
9 Click the Save Changes button.
10 Click the Collections tab and assign membership. (Optional)
11 Click the Permissions tab and assign access policies. (Optional)
12 Click the Save Changes button.

Review file history

To view file history:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the file.
5 Click the File History tab. For more information see File History tab.

Delete a file
To delete a file:
1 Select Systems, Accounts, & Collections | Files | Manage Files from the menu.
2 Enter your search criteria on the Filter tab.

TPAM 2.5
147
Administrator Guide
 3 Click the Listing tab.
4 Select the file to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.

Retrieve a file
A user with ISA permission over a file can retrieve it.

To retrieve a file:
1 Select Retrieve | Retrieve File from the menu.
2 Select the file to retrieve.
3 Click the Current File tab.
4 Complete the following fields:

Table 60. Current File tab fields

Field name Description

Release Reason Used to provide a brief description of the reason for the password release. May be
optional, required or not allowed, depending on configuration.
Reason Code Reason codes will appear if they have been configured by the System
Administrator. Reason codes streamline the request process, and may be optional,
required, or not allowed depending on how they are configured.
Ticket System May be required, based on configuration.
Ticket Number May be required, based on configuration. If the ticket number fails validation the
ISA will not be able to retrieve the file.

5 Click the Retrieve File button.

List files
The List Files option allows you to export the account data from TPAM to Microsoft Excel or CSV format. This is
a convenient way to provide an offline work sheet.

To list files:
1 Select Systems, Accounts, & Collections | Files | List Files from the main menu.
2 Enter your search criteria on the Filter tab.
3 Click the Layout tab to select the columns and sort order for the listing.
4 To view and store the data outside of the TPAM interface, click the Export to Excel button, or the
Export to CSV button.
5 To view the data in the TPAM interface, click the Listing tab.
6 To view collection membership for the file, select the file and click the Collections tab.
7 To view the permissions assigned to the file, select the file and click the Permissions tab.

TPAM 2.5
148
Administrator Guide
 16
Auto Discovery - LDAP Integration

• Introduction
• Source tab
• Add a LDAP data source
• Add user/system template
• Delete a LDAP system/user mapping
• Discover accounts on auto discovered systems

Introduction
TPAM can be configured to integrate with LDAP, LDAPS, Novell® NDS and Windows Active Directory® to
automatically detect, enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the LDAP data source as system in TPAM
• Add templates for the systems and/or users you want to import
• Set up the LDAP Directory Mapping
• Confirm that the Auto Discovery Agent is running

LDAP directory mapping

To configure the LDAP Directory Mapping, information is entered on the following tabs in the TPAM interface:

Table 61. LDAP Directory Mapping: TPAM interface tabs

Tab name Description

Source Define the source for the LDAP data and collision strategies for integrating users or systems.
Also specify the group/collection and template to be used for mapping integrated
users/systems.
Template Displays selected template details when clicking the “eye” button below the template list.

Source tab
The table below explains all of the options available on the LDAP Source tab. The field names and collision
strategy questions and answers will differ based on whether you are mapping systems or users.

TIP: Hover your mouse over the buttons on this page for descriptions of how each button functions. Click
the help buttons for more details on the Filter and Template Name fields.

TPAM 2.5
149
Administrator Guide
Table 62. LDAP Directory Mapping: Source tab options

Field Description Required? Default

LDAP Directory Select a system from the list. The system must be set up as a Yes
Windows® AD, LDAP, LDAPS or Novell® NDS system in TPAM.
TPAM Collection Enter name of the TPAM Collection for these systems. This Yes
Name needs to be a collection name that does not already exist in
TPAM and membership changes are not allowed outside this
mapping.
TPAM Group Name Enter name of the TPAM Group for these users. This needs to Yes
be a group name that does not already exist in TPAM and
membership changes are not allowed outside this mapping.
System If selected, any users created are created as system
Administrator? administrator users.
Distinguished Click the Plus button to enter the full distinguished name of Yes
Name/Directory the source container. The other option is to click the
Explorer magnifying glass button browse the LDAP directory to select
an entry.
Filter Using LDAP filter syntax, you can narrow the results of the No
Distinguished Name entry. The filter is wrapped with a
standard filter used to return only computers or users based
on the type of LDAP mapping. The standard filter syntax is
included in the listing above once you enter any text into the
filter, but you cannot edit any part of the standard filter. The
filter you enter will be validated for basic syntax as you edit,
but the content is not checked until the Distinguished Name
is validated. Valid/invalid syntax will be indicated with a
green check mark or red X to the left of the text.
Template Name Select or edit an existing system/user template. Each Yes
Distinguished Name/Filter row can be assigned a different
template. System/User Templates are used to create
systems/users from the LDAP directory source. Any new
systems/users added are created in TPAM using the default
settings from the template chosen here. This includes all
parameters on the Details tab, as well as all the other tabs.
Template values only affect new systems/users added from
the LDAP container. The template is not used when updating
existing systems/users. If the template selected has an
Account Discovery profile assigned to it, then the account
discovery process will occur at the next schedule run of the
Account Discovery agent.
Automatically Select how often you want TPAM to pull updates from the No 0
Update every... LDAP directory. The update pulls changes in last name, first
name, email, phone number, mobile number, network
address, comments/notes and if the user has been disabled
or a system/user added.
NOTE: This can be set to 0 when the host is unavailable.
Send Messages You have the option of sending an email to a specific user No None
to... every time an update occurs, or only when failures occur
trying to perform an update.
What to do for Option selected determines how TPAM handles the scenario. Yes Report as
usernames that Options are: Error
conflict with • Report as Error
TPAM restricted
• Create Unique
usernames

TPAM 2.5
150
Administrator Guide
Table 62. LDAP Directory Mapping: Source tab options

Field Description Required? Default

System/User Option selected determines how TPAM handles the scenario. No No Action
name exists in Options are:
TPAM with no • No Action
distinguished
• Create Unique TPAM System/User
name mapping
• Map to existing
• Report as Error
System/User Option selected determines how TPAM handles the scenario. No No Action
name exists in Options are:
TPAM with a • No Action
distinguished
• Create Unique TPAM System/User (system/user will
name mapping
be added as "newsystemname_1" or
"newusername_1")
• Report as Error
What to do when Option selected determines how TPAM handles the scenario. No Leave
LDAP Directory Options for systems are: System/
system/user • Leave System, remove mapping User,
mapped to a Remove
• Soft Delete System, regardless of other mappings,
system/user in mapping
remove mapping
TPAM is removed
from the source • Report as Error
container Options for users are:
• Leave User, remove mapping
• Disable user in TPAM
• Report as Error
Ignore Updates to Updates from the mapped data source will always overwrite No Clear
existing TPAM data. To preserve data which may be updated
in TPAM use Ctrl-Click to select or clear individual columns in
the list. TPAM data in the selected columns will not be
overwritten by updates from the data source.

Add a LDAP data source

To add a LDAP data source:
1 Add the LDAP Directory server as a managed system in TPAM. For more details on adding a system see
Add a system.

TPAM 2.5
151
Administrator Guide
 2 Click the Connection tab to configure the details for the functional account, distinguished name and
other communication options.
NOTE: When setting up a Windows Active Directory® domain controller for LDAP integration TPAM
relies on the domain name to leverage Active Directory’s built in fail over capabilities. TPAM must
be able to resolve the domain name, either via DNS or by adding a mapping in the hosts file. See
the System Administrator manual.

3 Click the LDAP Schema tab. This tab is pre-populated with well known attributes and changes to the
mappings can be made here.(Optional)

4 Click the Save Changes button.

Add user/system template

Templates must be added to TPAM for the systems and/or users that are found and added to TPAM during the
auto discovery process. The systems and users added to TPAM use the attributes as they have been set on the
template when they are added to TPAM. For instructions on how to add a system template see Add a system
template. For instructions on how to add a user template see Add a user template.
Templates can also be added or edited using the buttons below the Templates list on the Source tab of the LDAP
Directory Mapping.
NOTE: Any templates used by LDAP or generic integration and have a WinAD primary authentication type,
the primary user ID must be empty, or one of the following values: UPN, UserPrimaryName or
SAMAccountName.
If any external authentication is set the external user ID must still be populated to save the template,
however when a user is created from the template the UserName is used as the default externalID.

TPAM 2.5
152
Administrator Guide
Add LDAP user/system mapping
To add a LDAP User/System Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Click the Add Systems or Add Users button.
3 Complete the information on the Source tab.
1 Select the LDAP Directory.
2 Enter the TPAM Group/Collection name.
3 Click the Plus button to add a Distinguished Name and Filter (optional). Click the check box
button to validate the DN name and the filter. Repeat as needed to add more filters.The validate
button will either return the number of discovered entities or an error.
NOTE: During auto discovery the query will be executed in the order that the filters are
listed. This order can be changed by using the arrow buttons on the left of the Filters
listing.

4 Select or create a template. Click the Save Changes button.

NOTE: Each Distinguished Name/Filter row can have a different template assigned.

5 Complete the automatically update section.

6 Select the collision strategy choices.
4 Click the Save Changes button. All Distinguished Name/Filter rows must be validated and a template
selected before the Save Changes button will enable.
5 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin
interface.
For users discovered from LDAP directory, the full primary user ID is set to their distinguished name if primary
authentication is set to LDAP. Similarly, the secondary authentication user ID is set to the distinguished name if
secondary authentication is set to LDAP. This facilitates LDAP directory synchronized Users to be able to login to
TPAM.

TPAM 2.5
153
Administrator Guide
Delete a LDAP system/user mapping
To delete a LDAP System/User Mapping:
1 Select Auto Discovery | LDAP Directory from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted the association of the system/user with that mapping are removed.

Discover accounts on auto discovered

systems
To take auto discovery one step further and discover accounts on a system once it has been found, make sure
that the system template that is selected on the System tab has an account discovery profile assigned. For more
information on Account Discovery see Assign an account discovery profile to a system/system template.

TPAM 2.5
154
Administrator Guide
 17
Auto Discovery - Generic Integration

• Introduction
• Source tab
• System tab
• User tab
• Add a generic system mapping
• Add a generic user mapping
• Delete a generic system/user mapping

Introduction
TPAM can be configured to integrate with MySQL®, Oracle®, SQL Server® and Sybase® to automatically detect,
enroll, and modify users and systems.
To configure Auto Discovery you must complete the following steps:
• Set up the database server as system in TPAM
• Create templates for the systems and/or users you want to import
• Set up the Generic Directory Mapping
• Confirm that the Auto Discovery Agent is running

Generic directory mapping

To configure the Generic Directory Mapping, information is entered on the following tabs in the TPAM interface:

Table 63. Generic Auto Discovery Mappings: TPAM interface tabs

Tab name Description

Source Define the source for the data (database server and source SQL query) and define
collision strategies.
User Define the group and template to be used for mapping integrated users.
System Define the collection and template to be used for mapping integrated systems.

TPAM 2.5
155
Administrator Guide
Source tab

Special note regarding MySQL® data sources

If your MySQL® data source contains any columns with string data types which have a collation other than
Latin1, you must use the following syntax in your SQL command:
;CharSet=X;YourSQLCommand
The semi-colon before CharSet and after X are required, and there are no spaces before or after the semi-
colon. Replace the X with the name of the character set for the collation being used. For example:
;CharSet=utf8;select * from userintegration.usersource
Note that all of the string type columns which are present in the data set must use the same collation. You
cannot have one returned column as Latin1 and another as utf8. The CharSet indicator is not needed if your
result set contains only numeric, date, or time column types
The table below explains all of the options available on the Generic Source tab. The collision strategy questions
and answers will differ based on whether you are mapping systems or users.

Table 64. Generic Auto Discovery Mappings: Source tab options

Field Description Required? Default

System Name Enter the data source system name. This must be configured Yes
as a managed system in TPAM with a platform type of
Sybase® , Oracle®, MySQL®, or MS SQL Server®.
Account Name Enter the account name. The account must be configured on Yes
the system in TPAM and have the permissions to execute the
SQL command.
SQL Command Enter the SQL command that will pull the data from the data Yes
source.

TPAM 2.5
156
Administrator Guide
Table 64. Generic Auto Discovery Mappings: Source tab options

Field Description Required? Default

Result Set Map This table is populated after completing the Source, User or Yes
System tabs, saving changes and clicking the Test SQL
button. After the Source Columns are populated you must
map the data to the TPAM Target columns.

Auto-Map Result Set - Attempts to match Source

Columns to Target columns based on column names and
types. The code will look for names that match
alphanumerically (spaces, case, and punctuation are
ignored), have the same data type (char and varchar are
interchangeable), and where the width of the source column
is less than or equal to the width of the target column. Any
column that's not an exact match on type and length will be
highlighted will show in bold red text. Hovering the mouse
over the target column will explain any discrepancy in a hint
bubble.

Clear all target columns - Clears all TPAM Target

Column assignments.

Show only unmapped or multiple mapped - Filters the

result set to show only unmapped (no Target Column
assigned) or multiple mapped (same target column assigned
to 2 or more Source Columns) target columns.

Show all columns - Removes filter set by clicking Show

only unmapped[…] button
NOTE: The value assigned to the target column labeled
UniqueUserID is used to identify one specific user regardless
of the user name or data source. For example: You have two
Generic Integration Data Sources using a MySQL® database,
one for “Management” users and one for “Operations”. The
data sources both point to the same database, but use
different query strings to select the different types of users
based on a Department box. A user with UserName of
JGreene has just been promoted from Operations to
Management. In the MySQL® database you change her
department from Operations to Management. When the
Generic Integration mappings are processed they see that
JGreene no longer displays in the “Operations” source and
removes her UserName from the associated group in TPAM.
Later it sees a “new” user named JGreene in the mapping for
the “Management” source. The UniqueUserID value is used to
tell TPAM if this is the same JGreene as before, in which case
she is simply added to the new TPAM Group, or a totally new
JGreene user that is handled by the collision strategy.
Automatically Select how often you want TPAM to pull updates from the No 0
Update every... data source. All of TPAM’s system parameters (those that can
be set by batch system import) can be pulled from the data
source. This can be set to 0 when the host is unavailable.
Send Messages You have the option of sending an email to a specific user No None
to... every time an update occurs, or only when failures occur
trying to perform an update.

TPAM 2.5
157
Administrator Guide
Table 64. Generic Auto Discovery Mappings: Source tab options

Field Description Required? Default

What to do for Option selected determines how TPAM handles the scenario. Yes Report as
usernames that Options are: Error
conflict with • Report as Error
TPAM restricted
• Create Unique
usernames
System/User Option selected determines how TPAM handles the scenario. No No Action
name exists in Options are:
TPAM with no • No Action
unique
• Create Unique TPAM System/User
SystemID/UserID
mapping • Map to existing
• Report as Error
System/User Option selected determines how TPAM handles the scenario. No No Action
name exists in Options are:
TPAM and a • No Action
unique
• Create Unique TPAM System/User (system will be
SystemID/UserID
added as “newsystemname_1” or “newusername_1”)
mapping exists
• Report as Error
What to do when Option selected determines how TPAM handles the scenario. No Leave
a computer Options are: System
mapped to a • Leave System/User, remove mapping /User,
TPAM system/user Remove
• Disable User in TPAM
is removed from mapping
the source • Soft Delete System, regardless of other mappings,
container remove mapping
• Report as Error
NOTE: If a user is a member of more than one group, it will
only be disabled when it is removed from all groups.
Ignore Updates to Updates from the mapped data source will always overwrite No Clear
existing TPAM data. To preserve data which may be updated
in TPAM use Ctrl-Click to select or clear individual columns in
the list. TPAM data in the selected columns will not be
overwritten by updates from the data source.

System tab
The table below explains all of the options available on the Generic Auto Discovery System tab. Clicking on the
Edit Template button will take you to the system template page to make your changes.

TPAM 2.5
158
Administrator Guide
Table 65. Generic Auto Discovery Mappings: System tab options

Field Description Required? Default

TPAM Collection Enter name of the TPAM Collection for these systems. This Yes
Name needs to be a collection name that does not already exist in
TPAM and membership changes are not allowed outside this
mapping.
Use Template Select or edit an existing system template. System Templates Yes
System/Edit are used to create systems from the Generic data source. Any
Template new systems added are created in TPAM using the default
settings from the template chosen here. This includes all
parameters on the Systems Details tab, as well as all the other
tabs. Template System values only affect new systems added
from the generic data source. The template is not used when
updating existing systems.

User tab

The table below explains all of the options available on the Generic User tab. Clicking on the Edit Template
button will take you to the user template page to make your changes.

Table 66. Generic Auto Discovery Mappings: User tab options

Field Description Required? Default

TPAM Group Enter name of the TPAM Group for these users. This needs to Yes
Name be a group name that does not already exist in TPAM and
membership changes are not allowed outside this mapping.

TPAM 2.5
159
Administrator Guide
Table 66. Generic Auto Discovery Mappings: User tab options

Field Description Required? Default

System If selected, any users created are created as system
Administrator? administrator users.
Use Template Select or create a user template. User Templates are used to Yes
User/Create create users from the generic data source. Any new users
Template added are created in TPAM using the default settings from the
template chosen here. This includes all parameters on the
User Details tab, as well the Time Information tab. User
templates may also include Group Membership and
System/Account/Collection permissions. Template user values
only affect new users added from the generic data source. The
template is not used when updating existing users.

Add a generic system mapping

To add a Generic System Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a system template for systems that are imported through this mapping. For more details see
Connection tab.
3 Select Auto Discovery | Generic from the menu.
4 Click the Add Systems button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the System tab.
7 Complete the information on the System tab. For more details see System tab.
8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin
interface.

Add a generic user mapping

To add a Generic User Mapping:
1 Add the generic data source as a managed system in TPAM. For more details see Add a system.
2 Create a user template for users that are imported through this mapping. For more details see Template
tab.
3 Select Auto Discovery | Generic from the menu
4 Click the Add Users button.
5 Complete the information on the Source tab. For more details see Source tab.
6 Click the User tab.
7 Complete the information on the User tab. For more details see User tab.

TPAM 2.5
160
Administrator Guide
 8 Click the Save Changes button.
9 Click the Test SQL button to retrieve the source column set.
10 Map the source columns to the TPAM target columns.
11 Click the Save Changes button.
12 Confirm with your System Administrator that the Auto Discovery Agent has been started in the /admin
interface.

Delete a generic system/user mapping

To delete a Generic System/User Mapping:
1 Select Auto Discovery | Generic from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the mapping to delete.
5 Click the Delete button.
When the mapping is deleted the association of the system/user with that mapping are removed.

TPAM 2.5
161
Administrator Guide
 18
Application Password Virtual Cache

• Introduction
• Importing the virtual cache
• Boot the cache
• Configure network settings
• Enable remote access
• Change setup password
• Define remote IP address restrictions
• Prepare the cache for enrollment
• Add the cache in the TPAM interface
• Add cache users
• Add cache client hosts
• Add cache trusted root certificates
• Add the cache server
• Cache server permissions
• Cache current status
• Create a cache team
• Remove a cache team member
• Alerts for the cache appliance
• Delete a cache
• List cache server permissions
• Cache logs
• Usage examples

Introduction
The Password Virtual Cache is an add-on product designed to provide additional performance capability and
support distributed architecture deployment for TPAM. It provides extremely fast, concurrent, password
retrieval to support high demand application to application (A2A) requirements. To support this, the data stored
on the cache(s) must be current. The following gives a very high level overview of how this is accomplished.
As cache provisioning data (such as users, accounts, hosts, and permissions) is set up within TPAM, the relevant
data is pushed by TPAM to the virtual cache via secure connection. Passwords that are cached on the virtual
cache need to be updated whenever TPAM changes the account passwords. This is accomplished by pushing the
new password to the cache as soon as the password is successfully changed on the device and stored within
TPAM. The password is updated on the cache within a few seconds of being changed and stored within TPAM.

TPAM 2.5
162
Administrator Guide
All updates are pushed from TPAM to the necessary cache(s). The cache does not pull any data from TPAM. If a
cache is restarted for any reason, during the cache initialization, a message will be sent to TPAM requesting that
all data for that cache to be sent to it again. TPAM will then push the required data to the cache.
Retrieval of passwords from the cache is via secure web service using certificate authentication. Using this
technology makes access possible from clients written in numerous programming languages. Client
authentication is described and programming examples are provided later in this document.
To get the cache up and running you must perform the following steps:
• Import the cache file
• Boot the cache virtual
• Configure the network settings
• Enable remote access (Optional)
• Define remote access IP restrictions (Optional)
• Prepare the cache for enrollment
• Add the cache to the TPAM interface
• Test the connection between TPAM and the cache.

Importing the virtual cache

The virtual cache is distributed as an open virtual appliance (.OVA) file. There are numerous virtualization
products available which can be used as the host for the virtual cache machine. Please consult your virtual
product's documentation for instructions on deploying the OVA file.
Minimum resources required for the cache are 1 gigabyte of memory and 1 processor. These numbers may need
to be increased depending on the number of account passwords contained in the cache and the number of
requests expected to be made to the cache. Performance improvements will be realized with the allocation of
more memory and additional processor(s) to the cache.

Boot the cache

To boot the cache:
1 Power on the cache using your virtualization product.
2 The appliance will boot to a login prompt.
3 Enter accsetup for the user ID and Setup4ACC as the password. Both the user ID and password are case-
sensitive, enter them exactly as shown. This is the only user ID that can be used to connect to the cache,
and it can be logged on from the console only.
The following menu will appear listing all of the commands available from the configuration console.

TPAM 2.5
163
Administrator Guide
Configure network settings
1 Enter 4 and press the ENTER key to configure the network settings.

2 Enter 2 and press the ENTER key.

3 Enter the IP Address for eth0 as prompted and press the ENTER key
4 Enter the Network Mask for eth0 as prompted and press the ENTER key.
5 Enter the Gateway for eth0 as prompted and press the ENTER key.
6 Enter Y and press the ENTER key to save your changes.
7 From the Manage Network Settings menu, enter 1 and press the ENTER key to display the new running
values.
8 If a different network address is required/desired for application access to the cache, enter 3 and press
the ENTER key.
9 Repeat steps 3-6 for eth1.
10 Press the ENTER key to return to the manage network settings menu.
11 Enter 4 and press the ENTER key to modify the DNS settings.

TPAM 2.5
164
Administrator Guide
 12 Enter the DNS IP and press the ENTER key.
13 Enter the Secondary DNS IP and press the ENTER key. (Optional)
14 Enter the DNS Domain and press the ENTER key. (Optional)
15 Enter Y and press the ENTER key to save your changes.
16 Press the ENTER key to return to the manage network settings menu.
17 Enter Q and press the ENTER key to return to the main menu.

Enable remote access

This step allows remote SSH access to the cache appliance setup menu. You may elect to skip this step but be
mindful that Step 4 involves a rather long “enrollment string” that must be provided in the TPAM application
interface when pairing the cache Server to TPAM. Allowing remote SSH access gives you the ability to copy and
paste the string rather than having to write it down and type it in manually. By default remote access to the
cache is disabled.

To enable remote access:

1 From the main menu, enter 5 and press the ENTER key.

2 Enter 2 and press the ENTER key.

3 Enter E and press the ENTER key to enable remote access to the cache.
4 Enter and confirm a password for the raccsetup user.
5 Enter Q and press the ENTER key to return to the main menu.
6 Enter 8 and press the ENTER key to shutdown the appliance.
7 Place the cache on your network.
8 Power the virtual appliance on.
9 Using an SSH client, connect to the cache with the user ID raccsetup using the password you just set.

Change setup password

This step allows you to change the password associated with the accsetup account.

To change the password for the accsetup account:

1 From the main menu enter 5 and press the ENTER key.
2 Enter 1 and press the ENTER key.
3 Enter Y and press the ENTER key.

TPAM 2.5
165
Administrator Guide
 4 Enter the current password and press the ENTER key.
5 Enter the new password and press the ENTER key.

Define remote IP address restrictions

If remote IP address restrictions are configured, the IP address of the remote machine is checked against all
restrictions that are entered. If it meets all specified criteria, the login is allowed to proceed.
All restrictions must be entered at one time, comma separated. Wildcards and negation are allowed. An asterisk
(*) matches zero or more characters. A question mark (?) matches exactly one character. An exclamation point
(!) negates the criterion. In the example below, “192.168.30.*” says all IP addresses starting with “192.168.30.”
are allowed. Then, the “!192.168.30.???” excludes 192.168.30.100 through 192.168.30.255. Also, 192.168.30.1
is explicitly excluded.

To configure restrictions:
1 From the main cache menu, enter 5 and press the ENTER key.

2 Enter 3 and press the ENTER key.

3 Enter the restriction rules and press the ENTER key.
4 Enter Y and press the ENTER key.

Prepare the cache for enrollment

The next step is to prepare the cache for enrollment to your TPAM appliance. This step prepares temporary keys
that will be used to establish the secure connections between cache and your TPAM appliance(s). This step is
best done remotely as the string necessary to enroll the cache is rather long and remote accessing the cache
allows you to copy the string more easily.

TPAM 2.5
166
Administrator Guide
To prepare for enrollment:
1 From the main menu, enter 3 and press the ENTER key.

2 When prompted, enter the IP address of the TPAM primary or standalone device, and press the ENTER
key.
3 Enter the IP address (es) of the replica(s), if applicable, and press the ENTER key.
4 Enter E and press the ENTER key to enroll the cache.
5 Enter Y and press the ENTER key.
6 Copy the key that is presented. You will need to enter this key in procedure below.

Add the cache in the TPAM interface

Once the cache virtual has been booted and prepared for enrollment in TPAM it is ready to be configured in the
TPAM interface. The Cache Details page is where the cache is configured.
To configure the cache in the TPAM interface you must perform the following steps:
• Add cache users.
• Add cache client hosts. (Optional)
• Add cache trusted root certificate. (Optional)
• Add and configure the cache server.

Add cache users

To add a cache user:
1 Select Users & Groups | UserIDs | Add UserID from the menu.
2 Enter information on the Details tab. For more information on this tab see Details tab.
3 Select Cache User as the User Type.
4 Applications requesting passwords from the Password Virtual Cache must provide a client certificate in
order to be authenticated by the Cache. The client, or user certificate can be created by TPAM or

TPAM 2.5
167
Administrator Guide
 supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM. Use one
of the following methods to select certificate type:
• Select User-Supplied. Click the Select File button. Click the Browse button and select the file.
Click the Upload button. When uploading a user-supplied certificate, you can upload a
PKCS12/PFX file (password is typically associated with this type of file since they contact a
private key) or a PEM-encoded text file (password not required). Additionally, when using a user-
supplied certificate, a trusted root certificate that can establish trust in the user certificate must
be uploaded to TPAM and assigned to the Cache(s) from which the user will request passwords.
This is needed so that applications requesting passwords using this user-supplied certificate can
be authenticated by the Cache. See Add cache trusted root certificates.
• Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the
certificate.The generated user certificate must be downloaded and used by applications
requesting passwords from the Cache.
5 Enter and confirm the Password. The password is not required if uploading a PEM encoded text file.
6 Click the Save Changes button.

Add cache client hosts

As an extra security precaution you have the option to specify the client host that the cache users are using to
access the cache server.

To configure the client host/s:

1 Select Management | Cache Servers | Manage Client Hosts from the menu.
2 Click the Add Host button.

3 Enter the Network Address for the client host.

4 To enable the host, select the Enabled? check box.
5 Enter a description for the client host. (Optional)
6 Click the Save Changes button.

Add cache trusted root certificates

A trusted root certificate needs to be added to the cache server if a user-supplied certificate is used for a cache
user.To add a root certificate:
1 Select Management | Cache Servers | Manage Trusted Roots from the menu.
2 Click the Add Certificate button.

TPAM 2.5
168
Administrator Guide
 3 Enter a name for the certificate.
4 Enter a description for the certificate. (Optional)
5 Use one of the following methods to select the certificate source:
• Select Upload certificate file. Click the Select File button. Click the Browse button and select
the file. Click the Upload button.
• Select Enter Certificate. Paste the certificate in the text area.
6 Click the Save Changes button.

Add the cache server

To add a cache server, information is entered on the following tabs in the TPAM interface:

Table 67. Cache Server Management: TPAM interface tabs

Tab name Description

Details Define name, network addresses and contact information.
WSDL XML provided to program interface to virtual cache.
Accounts Where accounts are assigned to the cache.
Root Certificates Where trusted root certificates are assigned to the cache.
Users Where cache user IDs are assigned to the cache server.
Hosts Where you can assign client hosts that are allowed to access this cache server.

To add a cache server in the TPAM interface:

1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Click the Add Server button.
3 Enter the information on the Details tab. For more information on these fields see Details tab.
4 Click the Save Changes button.
5 Click the Accounts tab. Assign and enable the desired accounts. See Accounts tab for details.
6 Click the Root Certificates tab. Load root certificates. See Root Certificates tab. (Optional)
7 Click the Users tab. Assign users to the cache. See Users tab.
8 Click the Hosts tab. Assign hosts to the cache. See Hosts tab. (Optional)
9 Click the Save Changes button.
10 Click the Permissions button. Assign permissions to the cache. See Cache server permissions.
11 Click the Save Changes button.

TPAM 2.5
169
Administrator Guide
Details tab

The table below explains the fields available when adding a cache server in the TPAM interface.

Table 68. Cache Server Management: TPAM interface fields

Field Description Required? Default

Cache Server Descriptive name for the cache. Yes
Name
Enabled? If selected, this cache server will be available to be assigned to No Off
systems.
Secure Bus The network address that TPAM and the cache use to Yes
communicate.
Appl Interface The network address that cache user IDs use to access the Yes
cache server.
Upload A Custom Application Interface Certificate (or server No Off
Custom certificate) for cache servers can be uploaded. This enables the
Application use of third-party certificates as the server certificate for
Interface cache servers. If a custom certificate is not uploaded, a default
Certificate? server certificate will still be generated by TPAM. Note that for
client applications to trust the cache server when requesting
passwords, the client will need to have access to either the
root certificate of the CA that generated the Custom
Application Interface Certificate if a custom server certificate
is in use on the cache server or the TPAM root certificate
(downloadable from User Management) if the default server
certificate generated by TPAM is in use on the cache server. If
the Application Interface Certificate is changed by uploading a
custom certificate or by reverting back to the default
certificate by removing a Custom Application Interface
Certificate, a restart of the application running on the cache
server is triggered. This will result in unavailability of the cache
server for a couple of minutes.

TPAM 2.5
170
Administrator Guide
Table 68. Cache Server Management: TPAM interface fields

Field Description Required? Default

Description The description box may be used to provide additional No
information about the cache, special notes, business owner,
etc.
Retention? If selected, and the cache server does not communicate with No Off
TPAM within X minutes entered in the Disable After box, the
cache server will shut down. This is a safeguard to prevent
users retrieving passwords when the TPAM appliance may be
down.
Enroll String The enroll string functions as the key exchange with the cache. Yes
The enroll string is provided by the cache when you execute
the prepare to enroll/re-enroll with TPAM option of the Setup
menu.
Logging You have the option of having logs sent to a syslog address No
and/or a specific email address.
Alerting You have the option of having alerts sent to an SNMP address No
and/or a specific email address.
SMTP Required if you want the cache server to send email No
notifications.
Use DNS? If selected, DNS is used to ask for the MX record, specifying the No
correct server to use for sending mail.

WSDL tab

On the WSDL (Web Services Description Language) tab the developers can find the XML they need when
programming the interface to the cache server.

TPAM 2.5
171
Administrator Guide
Accounts tab

The table below explains all of the options available on the Accounts tab:

Table 69. Cache Server Management: Accounts tab options

Field Description
System Name The system name.
Account Name The account name.
Sys Auto? Indicates whether the system is auto-managed by TPAM (Y) or not managed (N).
Acct Auto? Indicates whether the account is auto-managed by TPAM (Y), manually managed (M), not
managed (N), or a member of a synchronized password (S).
Assigned? If selected, the account is assigned to this cache server. Pressing the Ctrl key and selecting
one row will select or clear all check boxes in the column.
Enabled? If selected, the password for this account can be retrieved from the cache server. Pressing
the Ctrl key and selecting one row will select or clear all check boxes in the column.

Root Certificates tab

By default TPAM generates its own root certificate that can be assigned to the cache server. You also have the
option to upload your root certificates that can be assigned to the cache server. To add your certificates see Add
cache trusted root certificates. Select the Assigned box to assign the certificate to the cache server and then
click the Save Changes button.

TPAM 2.5
172
Administrator Guide
Users tab

The Users tab is where you configure the users that can access the cache server. Select the Assigned? box next
to the users for this cache server and click the Save Changes button.

Hosts tab

Any hosts that you have configured in TPAM are listed on the Hosts tab. See Add cache client hosts to configure
cache client hosts. Select the Assigned? check box next to each host you want to be able to access this cache
server and click the Save Changes button.

Cache server permissions

The cache server permissions page is where you configure the combination of accounts, users and hosts to
specify who and what are able to be accessed on a specific cache server
IMPORTANT: This page will accommodate a maximum of 512 possible permissions (#users * #accounts*
#hosts) before forcing you to use Update Cache Server Permissions under the Batch Processing menu.

To add permissions:
1 Select Management | Cache Servers | Manage CS Permissions from the menu.

TPAM 2.5
173
Administrator Guide
 2 Select the cache server from the list.
3 Using the mouse, select the combination of accounts, users, and hosts that you want to configure for the
cache server.
4 Click the Add Items button to add the selections to the list.
5 To remove any combinations on the list select the Select? check box and click the Remove Selected
button.
6 After you are finished adding and removing entries to the list click the Save Changes button.
TIP: You can use Shift-Click and Ctrl-Click mouse gestures to select more than one item on each list. Then
when you click Add Items it adds all combinations of the selected items to the list.

Cache current status

If you click the Current Status button you see if the cache server is found/enabled and the current values for
the number of users, hosts, accounts and permissions.

Create a cache team

More than one cache appliance can added to a "team". Any cache servers added to a team after the first team
member has been added will inherit the accounts, users, and permissions configured for the first team member
and lose any previously configured assignments. As instructed below the cache server should be "disabled" when
joining a team.
Team members will become mirror images of one another, so that if needed users can be redirected to use
another cache server team member for password requests. Once a cache server is a team member, any changes
in assignments on a team member will effect assignments on all team members.

To create a cache team:

1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter the filter criteria and click the Listing tab.
3 From the list select the cache that will act as the initial cache team member.
4 Click the Details tab.
5 Enter the team name in the HA Team Name box. This box will only appear for enrolled cache servers.

6 Click the Save Changes button.

7 Click the Listing tab.

TPAM 2.5
174
Administrator Guide
 8 Select the cache server you want to add to the team. This cache will act as a mirror image of the first
team member.
9 Click the Details tab.
10 If selected, clear the Enabled check box.
11 Click the Save Changes button.
12 Enter the same exact team name from Step 5 in the HA Team Name box. This box will only appear for
enrolled cache servers.
13 Click the Save Changes button.
14 Select the Enabled check box.
15 Click the Save Changes button.
16 Repeat steps 8-15 to add additional team members.

Remove a cache team member

When a cache server is removed from a team, it will retain all its existing account, user and permission
configurations but will no longer receive any updates or changes to these relationships. It will lose these
configurations if it is assigned to a new team.

To remove a cache team member:

1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter the filter criteria and click the Listing tab.
3 Select the cache server to be removed from the team.
4 Click the Details tab.
5 If selected, clear the Enabled check box.
6 Click the Save Changes button.
7 Delete the team name from the HA Team Name box.
8 Click the Save Changes button.
9 Select the Enabled check box.
10 Click the Save Changes button.

Alerts for the cache appliance

There are alerts that are issued from the Cache server when specific situations arise. These alerts can be
subscribed to through the /admin interface. These alerts are listed under the Cache Server Component Name on
the Alerts tab.

In addition to the alerts above, these alerts can also be generated by the cache server:(% shows variable data)
“Alert from Password Cache Appliance: Communication with TPAM restored. AlertDate:
%“
"Alert from Password Cache Appliance: Communication with TPAM has failed.
AlertDate: %"

TPAM 2.5
175
Administrator Guide
"Alert from Password Cache Appliance: The Password Cache(%) at % is shutting down
because there has been no communication to/from TPAM for over % minutes AlertDate:
%"
"Alert from Password Cache Appliance: The Password Cache needs to be disabled and
re-enabled to complete configuration changes. AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate with any SMTP servers
returned in the MX lookup for %. No mail will be sent. AlertDate: %"
"Alert from Password Cache Appliance: Unable to locate MX records for %: %
AlertDate: %"
"Alert from Password Cache Appliance: Unable to communicate to the SMTP server at
%. No mail will be sent. AlertDate: %"

Delete a cache
To delete a cache:
1 Select Management | Cache Servers | Manage Cache Servers from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the cache to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.

List cache server permissions

To view a list of existing cache server permissions:
1 Select Management | Cache Servers | List CS Permissions from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.

Cache logs
On the cache console there are a variety of logs that can be viewed.

To view cache logs:

1 From the cache console main menu enter 6 and press the ENTER key.

TPAM 2.5
176
Administrator Guide
 2 Enter the number for the log you wish to view and press the ENTER key.

Usage examples
Any programming language capable of invoking secure web services over SSL/TLS using client certificates for
authentication can be used to request passwords from the Password Virtual Cache. Below are some examples of
requesting a password from the Cache using various programming languages. In all cases, the WSDL file,
available within TPAM for each Cache, is used to generate web service client code that is used by the client
application when requesting passwords.
For brevity, in each example, only one password is retrieved and displayed, and there is no error handling.
Note that if a nonzero value is returned when invoking the web service method handleRequestWS, a descriptive
reason for the failure is provided in place of the password. This can prove useful when setting up accounts,
users, and permissions for the Cache within the TPAM web interface.

Perl
Perl package SOAP::Lite can be used when requesting passwords from the Cache.
The first thing to do is to generate client stubs from the WSDL file. The SOAP::Lite package contains a Perl
script named stubmaker.pl that can generate the client stubs. Assuming the WSDL file is named cache.wsdl,
execute the following command to generate the client stub file:
perl path\to\stubmaker.pl file:cache.wsdl

A file named HandlePWRequestService.pm will be created. You can see by editing this file that it uses
SOAP::Lite, so this package must be present on the machine where the Perl application will be run.
Next, create the Perl application that will use the client stub file generated by stubmaker.pl, and add code to
request a password. Here is a very simple example, in a file named perlclient.pl.
use HandlePWRequestService;

my $certfile = "cacheuser.p12";
my $certpw = "CertPassword";
my $system = "linux10";
my $account = "linuxacct1";

$ENV{HTTPS_PKCS12_FILE} = $certfile;
$ENV{HTTPS_PKCS12_PASSWORD} = $certpw;

my $pwservice = new HandlePWRequestService;

my @rc = $pwservice->handleRequestWS($system,$account);
print "rc=$rc[0], password=$rc[1]\n";

TPAM 2.5
177
Administrator Guide
The output from execution of "perl perlclient.pl" is:
rc=0, password=linuxacct1pw
There are other Perl packages besides SOAP::Lite that can be used to generate web service client stubs and
request passwords, but SOAP::Lite is one of the simplest.
NOTE: Perl installations vary due to different versions of Perl itself and different versions of installed Perl
modules. The differences in installations may sometimes keep this simple example from working as
expected. Also, for simplicity, this client intentionally omits some security checks such as server
certificate validation and server host name validation.

Java®
This Java® example was created using MyEclipse™. For this example, a Java® project has been created, and
within that project, packages sample.client and sample.generated have been created.
Within MyEclipse, use the New Web Service Client tool and provide the location of the WSDL file. MyEclipse will
generate the client web service code (have the tool put the generated code in the package sample.generated).
Next, create a new Java® class in package sample.client, and write the code that requests a password. This
example shows setting of the keystore and truststore properties inline, but this can also be done by providing
the appropriate arguments when starting the Java® application.
package sample.client;

import javax.xml.ws.Holder;

import sample.generated.HandlePWRequest;
import sample.generated.HandlePWRequestService;

public class Client {

public static void main(String[] args)

{
System.setProperty("javax.net.ssl.keyStore",
"path\\to\\cacheuser.p12");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStorePassword", "CertPassword");

// Need to convert parRootCA.crt downloaded from TPAM

// into jks type truststore using Java's keytool.
// keytool -importcert -trustcacerts -file parRootCA.crt -keystore
truststore.jks
System.setProperty("javax.net.ssl.trustStore",
"pat\\to\\truststore.jks");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.trustStorePassword", "TruststorePassword");

HandlePWRequestService service = new HandlePWRequestService();

HandlePWRequest port = service.getHandlePWRequestPort();
Holder<String> pw = new Holder<String>();

int rc = port.handleRequestWS("linux10", "linuxacct1", pw);

if (rc == 0)
{
System.out.println("Password is " + pw.value);
}
else
{
System.err.println("Request failed: rc=" + rc + ", msg=" + pw.value);

TPAM 2.5
178
Administrator Guide
 }
}
}

The output from execution of the Java® client application is:

Password is linuxacct1pw

Other IDEs that are used for Java® development should also provide a way to generate the client stub code from
the WSDL.

C#
This C# example was created using Visual Studio® 2010. For this example, a C# Console Application has been
created.
Within Visual Studio, use the Add Service Reference tool and provide the location of the WSDL file. In this
example, when adding the service reference, we named it HandlePWRequestReference. Visual Studio will
generate the client web service code, and then the client application can make use of that reference. Now, add
the code that requests a password.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace CacheWSClient
{
class Program
{
static void Main(string[] args)
{
// For testing, we'll accept the server certificate instead of
// having to put the trusted root in our certificate store.
ServicePointManager.ServerCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) => true;

// The configuration file created when adding the service reference

// does not indicate that the client credential is certificate. The
// configuration file can be modified for this, or override as below.
// Create a BasicHttpBinding and set credential type to certificate.
var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Certificate;

// The Cache is at 192.168.30.241.

var ea = new EndpointAddress
("https://192.168.30.241/HandlePWRequestService/HandlePWRequest");

// Get a reference to the web service.

var client = new HandlePWRequestReference.HandlePWRequestClient(binding, ea);

// Get our client certificate.

client.ClientCredentials.ClientCertificate.Certificate =
new X509Certificate2("path\\to\\cacheuser.p12", "CertPassword");

string pw;
// Invoke the web service to get the password.
var rc = client.handleRequestWS(out pw, "linux10", "linuxacct1");
if (rc == 0)

TPAM 2.5
179
Administrator Guide
 {
Console.WriteLine("Password is {0}", pw);
}
else
{
Console.WriteLine("Request failed: rc={0}, msg={1}", rc, pw);
}
}
}
}
The output from execution of the C# client application is:
Password is linuxacct1pw

TPAM 2.5
180
Administrator Guide
 19
Batch Processing

• Introduction
• Advanced file settings
• Import user IDs
• Import systems
• Import accounts
• Import or update collections
• Import or update groups
• Add or drop collection members
• Add or drop group members
• Batch update user IDs
• Batch update systems
• Batch update accounts
• Batch update PSM accounts
• Batch update permissions
• Batch update cache server permissions
• Cancel a batch process
• View batch job history

Introduction
For ease of administration, new systems, accounts, and users can be imported into TPAM. Also if mass changes
are needed these same entities can be updated without having to make individual changes one at a time in the
GUI. The following sections will describe the various import and update options available in TPAM.

Advanced file settings

TPAM 2.5
181
Administrator Guide
Advanced File Settings are an option on all of TPAM’s batch processing pages. These settings allow the user to
specify in more detail how TPAM should process the upload file. The table below explains all of the Advanced
File Settings options.

Table 70. Advanced File Settings options

Field Description Default

Column headers in Possible values are Yes, No and Detect. Detect
first non-blank
row?
Skip first X non If Yes is selected for Column Headers, then TPAM will skip the first X non- 0
blank rows blank rows before the header. If No is selected for Column Headers, then
TPAM will skip the first X non-blank rows.
Skip first X rows of If Yes is selected for Column Headers, then TPAM will skip the first X rows 0
data, after header, of data after the header. If No is selected for Column Headers, then TPAM
if found. will skip the first X rows of data.
Only process X If Yes is selected for Column Headers, then TPAM will process X rows of 0
rows of data, not data not including the header. If No is selected for Column Headers, then 0 = all
including header TPAM will process X rows of data.
Row Delimiters Possible values are CR (carriage return)/LF (line feed), LF only, CR only Auto detect
and other.
Column Delimiters Possible values are Tab, comma-separated value (CSV), or Other. Auto detect
Text Delimiter Any single character allowed, but usually either single or double quotes. Double Quote
(’ or ") Can only be changed when Column Delimiter is set to Other. (“)

Import user IDs

Rather than individually adding users to TPAM, they may be bulk imported. Importing users can ease
administrative burden and expedite migration to TPAM.
When importing users it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.

To create an import file:

1 Select Batch Processing | Import UserIDs from the main menu.

TPAM 2.5
182
Administrator Guide
2 Click the Show Template button.

3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

As of the writing of this manual, the valid local time zone values for a user can be used from the list
below. As needed Dell Software will post OS patches on the Customer Portal to update time zone
information. Any portion of the time zone name may be used as long as it is unique. For example, using

TPAM 2.5
183
Administrator Guide
“Guam” will find only one time zone but using “02:00” or “US” will find multiple entries. A value of
“Server” sets the user to follow the Server time zone.

Table 71. Time zones

(UTC+04:00) Abu Dhabi, Muscat (UTC+02:00) Harare, Pretoria

(UTC+09:30) Adelaide (UTC-10:00) Hawaii
(UTC-09:00) Alaska (UTC+02:00) Helsinki, Kyiv, Riga, Sofia,
Tallinn, Vilnius
(UTC+02:00) Amman (UTC+10:00) Hobart
(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, (UTC-05:00) Indiana (East)
Vienna
(UTC-07:00) Arizona (UTC-12:00) International Date Line West
(UTC+06:00) Astana (UTC+09:00) Irkutsk
(UTC-04:00) Asuncion (UTC+05:00) Islamabad, Karachi
(UTC+02:00) Athens, Bucharest (UTC+02:00) Istanbul
(UTC-04:00) Atlantic Time (Canada) (UTC+02:00) Jerusalem
(UTC+12:00) Auckland, Wellington (UTC+04:30) Kabul
(UTC-01:00) Azores (UTC+03:00) Kaliningrad, Minsk
(UTC+03:00) Baghdad (UTC+05:45) Kathmandu
(UTC-08:00) Baja California (UTC+08:00) Krasnoyarsk
(UTC+04:00) Baku (UTC+08:00) Kuala Lumpur, Singapore
(UTC+07:00) Bangkok, Hanoi, Jakarta (UTC+03:00) Kuwait, Riyadh
(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi (UTC+12:00) Magadan
(UTC+02:00) Beirut (UTC-02:00) Mid-Atlantic
(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, (UTC) Monrovia, Reykjavik
Prague
(UTC-05:00) Bogota, Lima, Quito (UTC-03:00) Montevideo
(UTC-03:00) Brasilia (UTC+04:00) Moscow, St. Petersburg,
Volgograd
(UTC+10:00) Brisbane (UTC-07:00) Mountain Time (US & Canada)
(UTC+01:00) Brussels, Copenhagen, Madrid, Paris (UTC+03:00) Nairobi
(UTC-03:00) Buenos Aires (UTC-03:30) Newfoundland
(UTC+02:00) Cairo (UTC+02:00) Nicosia
(UTC+10:00) Canberra, Melbourne, Sydney (UTC+07:00) Novosibirsk
(UTC-01:00) Cape Verde Is. (UTC+13:00) Nuku'alofa
(UTC-04:30) Caracas (UTC+09:00) Osaka, Sapporo, Tokyo
(UTC) Casablanca (UTC-08:00) Pacific Time (US & Canada)
(UTC-03:00) Cayenne, Fortaleza (UTC+08:00) Perth
(UTC-06:00) Central America (UTC+12:00) Petropavlovsk-Kamchatsky -
Old
(UTC-06:00) Central Time (US & Canada) (UTC+04:00) Port Louis
(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi (UTC-03:00) Salvador
(UTC-07:00) Chihuahua, La Paz, Mazatlan (UTC+13:00) Samoa
(UTC) Coordinated Universal Time (UTC-04:00) Santiago
(UTC+12:00) Coordinated Universal Time+12 (UTC+01:00) Sarajevo, Skopje, Warsaw,
Zagreb
(UTC-02:00) Coordinated Universal Time-02 (UTC-06:00) Saskatchewan

TPAM 2.5
184
Administrator Guide
 Table 71. Time zones

(UTC-11:00) Coordinated Universal Time-11 (UTC+09:00) Seoul

(UTC-04:00) Cuiaba (UTC+11:00) Solomon Is., New Caledonia
(UTC+02:00) Damascus (UTC+05:30) Sri Jayawardenepura
(UTC+09:30) Darwin (UTC+08:00) Taipei
(UTC+06:00) Dhaka (UTC+05:00) Tashkent
(UTC) Dublin, Edinburgh, Lisbon, London (UTC+04:00) Tbilisi
(UTC-05:00) Eastern Time (US & Canada) (UTC+03:30) Tehran
(UTC+06:00) Ekaterinburg (UTC+08:00) Ulaanbaatar
(UTC+12:00) Fiji (UTC+11:00) Vladivostok
(UTC-04:00) Georgetown, La Paz, Manaus, San Juan (UTC+01:00) West Central Africa
(UTC-03:00) Greenland (UTC+01:00) Windhoek
(UTC-06:00) Guadalajara, Mexico City, Monterrey (UTC+10:00) Yakutsk
(UTC+10:00) Guam, Port Moresby (UTC+06:30) Yangon (Rangoon)
(UTC+04:00) Yerevan

7 Save the file.

NOTE: The file format requirements and a description of all the columns in the import file are listed on
the Import Users page.

To load the import users file into TPAM:

1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
As the user IDs are being imported the results will be displayed on the Details tab. There will be a count
of the number of users successfully imported and error messages for any user IDs that did not import.

TPAM 2.5
185
Administrator Guide
To view import history:
1 Select Batch Processing | Import UserIDs from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

Import systems
Rather than individually adding systems to TPAM, they may be bulk imported. Importing systems can ease
administrative burden and expedite migration to TPAM.
When importing systems it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.

To create an import file:

1 Select Batch Processing | Import Systems from the main menu.

2 Click the Show Template button.

3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

TPAM 2.5
186
Administrator Guide
 5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Systems page.

7 Save the file.

To load the import systems file into TPAM:

1 Select Batch Processing | Import Systems from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the systems are being imported the results will be displayed on the Details tab. There will be a count
of the number of systems successfully imported and error messages for any systems that did not import.

TPAM 2.5
187
Administrator Guide
 NOTE: Platform Name is not required when importing systems if a system template is being used or if a
default template has been defined in TPAM.

1 To view import history:

1 Select Batch Processing | Import Systems from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

To cancel a System Import:

1 Select Batch Processing | Import Systems from the main menu.
2 Click the History tab.
3 Select the import you want to cancel.
4 Click the Cancel Batch button.
NOTE: A System Import can only be cancelled if the Start Date column on the History tab is still null.

Import accounts
Rather than individually adding accounts to TPAM, they may be bulk imported. Importing accounts can ease
administrative burden and expedite migration to TPAM.
When importing accounts it is critical that the import file be formatted correctly. Files may be either CSV or tab
delimited.

To create an import file:

1 Select Batch Processing | Import Accounts from the main menu.

TPAM 2.5
188
Administrator Guide
2 Click the Show Template button.

3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

TPAM 2.5
189
Administrator Guide
 NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Import Accounts page.

7 Save the file.

To load the import accounts file into TPAM:

1 Select Batch Processing | Import Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Enter an import comment. This comment will be saved with the import history. (optional)
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the accounts are being imported the results will be displayed on the Details tab. There will be a count
of the number of accounts successfully imported and error messages for any accounts that did not
import.

To view import history:

1 Select Batch Processing | Import Accounts from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

TPAM 2.5
190
Administrator Guide
To cancel an Account Import:
1 Select Batch Processing | Import Accounts from the main menu.
2 Click the History tab.
3 Select the import you want to cancel.
4 Click the Cancel Batch button.
NOTE: An Account Import can only be cancelled if the Start Date column on the History tab is still null.

Import or update collections

In TPAM you can mass add, update or delete collection names.

To create the file:

1 Select Batch Processing | Import/Update Collections from the main menu.

2 Click the Show Template button.

3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

TPAM 2.5
191
Administrator Guide
 6 Enter the data for the various columns in the import file.

NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collections page.

7 Save the file.

To load the changes into TPAM:

1 Select Batch Processing | Import/Update Collections from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.

• To drop all rows, select the Drop option.

• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
NOTE: If the Drop or Add button is selected, the Update Action column in the file is ignored.

6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

TPAM 2.5
192
Administrator Guide
To view import history:
1 Select Batch Processing | Import/Update Collections from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

Import or update groups

In TPAM you can mass add, update or delete group names.

To create the file:

1 Select Batch Processing | Import/Update Groups from the main menu.

2 Click the Show Template button.

TPAM 2.5
193
Administrator Guide
 3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Groups page.

7 Save the file.

To load the changes into TPAM:

1 Select Batch Processing | Import/Update Groups from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.

• To drop all rows, select the Drop option.

• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.

6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.

TPAM 2.5
194
Administrator Guide
 As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To view import history:

1 Select Batch Processing | Import/Update Groups from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

Add or drop collection members

Rather than individually adding/editing collection members in TPAM, they may be bulk loaded.

To create the membership file:

1 Select Batch Processing | Add/Drop Collection Members from the main menu.

2 Click the Show Template button.

TPAM 2.5
195
Administrator Guide
 3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Collection Membership page.

7 Save the file.

To load the collection changes into TPAM:

1 Select Batch Processing | Add/Drop Collection Members from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.

• To drop all rows, select the Drop option.

• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.

6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
TPAM 2.5
196
Administrator Guide
 As the updates are being loaded the results will be displayed on the Details tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To view import history:

1 Select Batch Processing | Add/Drop Collection Members from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

Add or drop group members

Rather than individually adding/editing group members in TPAM, they may be bulk loaded.

To create the membership file:

1 Select Batch Processing | Add/Drop Group Members from the main menu.

2 Click the Show Template button.

TPAM 2.5
197
Administrator Guide
 3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the import file.

NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Group Membership page.

7 Save the file.

To load the group changes into TPAM:

1 Select Batch Processing | Add/Drop Group Members from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.

• To drop all rows, select the Drop option.

• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.

6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.

TPAM 2.5
198
Administrator Guide
 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To view import history:

1 Select Batch Processing | Add/Drop Group Members from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

Batch update user IDs

In cases where a large number of user IDs require edits, batch updates can be performed using CSV or .txt files
as input.

To create a batch update file:

1 Select Users & Groups | List UserIDs.
2 Create a CSV or Excel file using List UserIDs with the data you want to update. See for the steps to create
the file.
3 Open the file.
4 If you exported the User Listing to Excel, delete the first row in the file.

5 Select Batch Processing | Update UserIDs from the main menu.

6 Select update action to be taken on each row.

TPAM 2.5
199
Administrator Guide
 • To delete all rows, select the Delete option. Skip to step 9.
• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each account.

9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Users page.

10 Save the file.

To upload the batch update file into TPAM:

1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

TPAM 2.5
200
Administrator Guide
To cancel a batch update:
1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

To view update history:

1 Select Batch Processing | Update UserIDs from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.

Batch update systems

In cases where a large number of systems require edits, batch updates can be performed using CSV or .txt files
as input.

To create a batch update file:

1 Select Systems, Accounts, & Collections | Systems | List Systems.
2 Create a CSV or Excel file using List Systems with the data you want to update. See List systems for the
steps to create the file.
3 Open the file.
4 If you exported the System Listing to Excel, delete the first row in the file.

TPAM 2.5
201
Administrator Guide
 5 Select Batch Processing | Update Systems from the main menu.
6 Select update action to be taken on each row.

• To delete all systems, select the Delete option. Skip to step 9.

• To update all systems, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each system.

9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Accounts page.

10 Save the file.

To upload the batch update file into TPAM:

1 Select Batch Processing | Update Systems from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

TPAM 2.5
202
Administrator Guide
To cancel a batch update:
1 Select Batch Processing | Update Systems from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

To view update history:

1 Select Batch Processing | Update Systems from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.

Batch update accounts

In cases where a large number of accounts require edits, batch updates can be performed using CSV or .txt files
as input.

To create a batch update file:

1 Select Systems, Accounts, & Collections | Accounts | List Accounts.
2 Create a CSV or Excel file using List Accounts with the data you want to update. See List accounts for the
steps to create the file.
3 Open the file.
4 If you exported the Account Listing to Excel, delete the first row in the file.

TPAM 2.5
203
Administrator Guide
 5 Select Batch Processing | Update Accounts from the main menu.
6 Select update action to be taken on each row.

• To delete all rows, select the Delete option. Skip to step 9.

• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
7 Insert a column in the file with a column name of Update Action.
8 Enter D (delete) or U (update) as appropriate for each account.

9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Accounts page.

10 Save the file.

To upload the batch update file into TPAM:

1 Select Batch Processing | Update Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

TPAM 2.5
204
Administrator Guide
To cancel a batch update:
1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

To view update history:

1 Select Batch Processing | Update Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.

Batch update PSM accounts

Batch updating PSM accounts allows mass updating of the PSM settings for accounts.
For details on the update values available see PSM Details tab.

To create a batch update file:

1 Select Systems, Accounts, & Collections | Accounts | List PSM Accounts.
2 Create a CSV or Excel file using List PSM Accounts with the data you want to update. See List PSM
accounts for the steps to create the file.
3 Open the file.
4 If you exported the Account Listing to Excel, delete the first row in the file.

TPAM 2.5
205
Administrator Guide
 5 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update PSM Accounts page.

6 Save the file.

To upload the batch update file into TPAM:

1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the Select File button.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Add a comment (optional). This comment will be saved with the batch history.
6 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
7 Click the Process File button.
8 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To cancel a batch update:

1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

To view update history:

1 Select Batch Processing | Update PSM Accounts from the main menu.
2 Click the History tab.
3 Select the batch to view.
4 Click the Detail tab.

TPAM 2.5
206
Administrator Guide
Batch update permissions
System, Account, File, Collection, User and Group permissions can be updated through Update Permissions.

To create an import file:

1 Select Batch Processing | Update Permissions from the main menu.

2 Click the Show Template button.

3 Select the Comma or Tab button, depending on the file format you are going to use.
4 Select and copy all of the template text.

5 Paste the template text into the header row of your CSV or tab delimited file.

6 Enter the data for the various columns in the batch update permissions file.

TPAM 2.5
207
Administrator Guide
 NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Permissions page.

7 Save the file.

To load the batch update file into TPAM:

1 Select Batch Processing | Update Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.
3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Select the update action to be taken on each row.

• To drop all rows, select the Drop option.

• To add all rows, select the Add option.
• To specify different actions for specific rows, select the Specified in File option.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.

6 Add a comment (optional). This comment will be saved with the batch history.
7 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
8 Click the Process File button.
9 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To view batch update history:

1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.

TPAM 2.5
208
Administrator Guide
 3 Select the import to view.
4 Click the Detail tab.

To cancel a batch update:

1 Select Batch Processing | Update Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

Batch update cache server permissions

Cache server permissions can be updated through Update Cache Server Permissions.

To create an import file:

1 Select Management | Cache Servers | List CS Permissions from the main menu.
2 Create a CSV or Excel file using List UserIDs with the data you want to update. See List cache server
permissions for the steps to create the file.
3 Open the file.
4 If you exported the User Listing to Excel, delete the first row in the file.
5 Select Batch Processing | Update Cache Server Permissions from the main menu.
6 Select update action to be taken on each row.

• To delete all rows, select the Delete option. Skip to step 9.

• To update all rows, select the Update option. Skip to step 9.
• To specify different actions for specific rows, select the Specified in File option. Continue to step
7.
IMPORTANT: If the Drop or Add button is selected, the Update Action column in the file is ignored.

7 Insert a column in the file with a column name of Update Action.

8 Enter D (delete) or U (update) as appropriate for each account.
9 Edit any of the other columns as needed to update the data in TPAM.
NOTE: The file format requirements and a description of all the columns in the import file are
listed on the Update Users page.

10 Save the file.

To load the batch update file into TPAM:

1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 On the File Selector tab, click the Select File button to locate the file to load.

TPAM 2.5
209
Administrator Guide
 3 Click the Browse button. Select the file.
4 Click the Upload button.
5 Click the Adv. File Settings button to specify how the rows and columns in your file should be treated.
(optional) See Advanced file settings for details.
6 Click the Process File button.
7 As the updates are being loaded the results will be displayed on the Detail tab. There will be a count of
the number of records successfully updated and error messages for any updates that did not process.

To view batch update history:

1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the import to view.
4 Click the Detail tab.

To cancel a batch update:

1 Select Batch Processing | Update Cache Server Permissions from the main menu.
2 Click the History tab.
3 Select the batch you want to cancel.
4 Click the Cancel Batch button.
NOTE: A batch update can only be cancelled if the Start Date column on the History tab is still null.

Cancel a batch process

NOTE: We do not recommend canceling a batch job unless the wrong file was selected for processing or if
there is a degradation in the TPAM appliance performance as a result of the batch job.

To cancel a batch import/update that is still running:

1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab.
4 Click the Details tab.

TPAM 2.5
210
Administrator Guide
 5 Click the Cancel Select Batch button.

6 Enter the text displayed to continue with the batch job cancellation and click the Continue button.

View batch job history

To view batch job history:
1 Select Batch Processing | Manage Batches from the main menu.
2 Enter your filter criteria on the Filter tab and click the Listing tab.
3 Select the batch job on the Listing tab and click the Details tab.

TPAM 2.5
211
Administrator Guide
 20
PSM Connection Profiles

• Introduction
• Add a PSM connection profile
• Delete a PSM connection profile
• Assign a PSM connection profile

Introduction
PSM connection profiles allow for overriding the default connection parameters during a session. These
connection profiles can be modified by the Administrator to specify other connection settings for mainframe
connections.
The table below explains the options on the PSM Connection profile page.

Table 72. PSM Connection profile page options

Field Description Required? Default

Profile Type PSM Connection should be selected from the list. Yes PSM
Connection
Proxy Type This PSM connection will only be available for sessions using the Yes
proxy type selected from the list.
Domain User This option is available for SSH- Automatic Login Using No
Format Password, RDP-Automatic Login Using Password, RDP Through
SSH-Automatic Using Password. When connecting to a PSM
session using a domain account you may adjust the format of
the account here. Enter a string using the words account
and/or domain with other characters as necessary. Any text
entered other than the words account and domain will be used
as-is. Common formats are account@domain (default) and
domain\account.
Profile Name Enter a unique profile name Yes
Description Enter a descriptive text for the profile No
Alternate Port Option to enter an alternate port for the connection No
SSL Option for x3270 and x5250 proxy types. If selected, SSL will be No Off
used during the connection.
Custom Option for x3270 and x5250 proxy types.This command is sent No
Command at the beginning of the connection.
Post-Auth Option for x3270 and x5250 proxy types. Used in conjunction No
Control Char with the post-auth command in which after typing the
password the post-auth control char is pressed followed by the
post -auth command.
Post-Auth Option for x3270 and x5250 proxy types. Used in conjunction No
Command with the post-auth control char.

TPAM 2.5
212
Administrator Guide
Add a PSM connection profile
To add a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection from the Profile Type list.
3 Click the New Profile button.

4 Select a proxy type from the list.

5 Enter a unique name for the profile.
6 Enter a description for the profile. (optional)
7 Enter an alternate port. (optional)
8 Complete the fields as described in the table above.
9 Click the Save Changes button.

Delete a PSM connection profile

To delete a connection profile:
1 Select Management | Profile Management from the menu.
2 Select PSM Connection as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A connection profile can only be deleted if it is not assigned to any accounts.

Assign a PSM connection profile

PSM connection profiles can be assigned using the Batch Update PSM Accounts function, or by following the
procedure below.

TPAM 2.5
213
Administrator Guide
To assign a connection profile to an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Custom Connection Profile list.
5 Click the Save Changes button.

TPAM 2.5
214
Administrator Guide
 21
Post Session Processing Profiles

• Introduction
• Add a post session processing profile
• Delete a post session processing profile
• Assign a post session processing profile

Introduction
Post session processing profiles can be used to trigger specific events after a session request has expired. For
post session profiles to take affect the System Administrator must have enabled the Post Session Processing
Agent in the /admin interface.

Add a post session processing profile

To add a post session processing profile select Management | Profile Management from the menu.

Click the New Profile button.

The table below explains the options on the Profile Editor page:

Table 73. Profile Editor page options

Field Description Required? Default

Profile Type Post Session Processing should be selected from the list. Yes Account Auto
Discovery
Profile Name Enter a unique profile name. Yes
Description Enter a descriptive text for the profile. No
Check If selected, password for all accounts on the managed system No Off
Password of will be checked after the session expires. Passwords are only
all Managed changed if a mismatch is found and the account has the “reset
Accounts on on mismatch” check box selected on its Check Password
the requested Profile.
System?

TPAM 2.5
215
Administrator Guide
Table 73. Profile Editor page options

Field Description Required? Default

Trigger post- If selected, the password will be treated as if it were released, No Off
release which will trigger post-release processing for managed
processing for accounts and synchronized password subscribers.
requested Synchronized password subscribers are processed in priority
account’s order. If any of the subscribers fail to change, the agent stops
password? and tries again based on the Synch Pass Change agent retry
interval setting. If the prioritized subscribers succeed but some
non-prioritized subscribers fail, then the failures will be
processed by the regular change agent.
Manual subscribers are scheduled with the regular manual
change agent.
Send an email If selected, once the session expires, the primary contact for No Off
to the Primary the system will be sent an email notifying them the session is
Contact on over.
the System?
Other E-Mail Option to enter additional email addresses to notify when the No
Notification session expires. Up to 255 characters can be entered, using
commas to separate multiple email addresses.

Enter the settings as desired and click the Save Changes button.

Delete a post session processing profile

To delete a post session processing profile:
1 Select Management | Profile Management from the menu.
2 Select Post Session Processing from the Profile Type list.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A post session processing profile can only be deleted if it is not assigned to any accounts.

Assign a post session processing profile

Post session processing profiles can be assigned using the Update PSM Accounts function, or by following the
procedure below.

To assign a post session processing profile to an account:

1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts.
2 Select the account on the Listing tab.
3 Click the PSM Details tab.
4 Select the profile from the Post Session Profile list.
5 Click the Save Changes button.

TPAM 2.5
216
Administrator Guide
 22
Privileged Command Management

• Introduction
• Add a command
• Commands to assist with authentication
• Duplicate a command
• Delete a command
• Create access policy with the command
• Assign access policy to user or group
• Setup requirement for Windows®

Introduction
Privileged command management provides command control for administrative tasks that require elevated
credentials. The commands a user can execute using privileged session manager can be controlled.

Add a command
The first step in using privileged command manager is setting up the commands. PCM comes with a set of
default commands, but custom commands can be added.

To add a command:
1 Select Management | Command Management from the main menu.
2 Click the Add Command button.

TPAM 2.5
217
Administrator Guide
 3 Enter the Command Name.
4 Enter the Command Text.
5 Enter the Working Directory.
6 Enter the Description of the command. (optional)
7 Click the Save Changes button.
8 Click the Proxy Types tab.
9 Select the Proxy Types for this command.
10 Click the Save Changes button.

Commands to assist with authentication

The following commands can be added here:
• :accountname: - will pass the requested account name
• :accountpwd: - will pass the requested account password
• :myaccount: - will pass the TPAM user name.
These can be passed on the command line during a PSM session to facilitate authentication.

Duplicate a command
For the ease of creating commands that are similar, commands can be duplicated.

To duplicate a command:
1 Select Management | Command Management from the main menu.
2 Select the command to duplicate.
3 Click the Duplicate Command button.
4 Edit the Command Name, Command Text, Working Directory and Description as needed.
5 The proxy types are inherited from the command duplicated. Click the Proxy Types tab to edit the proxy
types.
6 Click the Save Changes button.

Delete a command
To delete a command:
1 Select Management | Command Management from the main menu.
2 Select the command to delete.
3 Click the Delete Command button.
4 Click the OK button on the confirmation window.
NOTE: A command cannot be deleted if it is associated with an Access Policy.

TPAM 2.5
218
Administrator Guide
Create access policy with the command
Once the commands have been created, the next step is to create an access policy that includes this command.

To add a command to an Access Policy:

1 Select Management | Access Policies from the main menu.
2 Click the Add Policy button.

3 Enter a unique policy name. This is the name that appears in the list when selecting it for assignment, so
be as descriptive as possible.
4 Enter a description. This information is only visible to administrators when editing the policy. (optional)
5 Select the Command check box.
6 Select the command from the list.
7 Select the REQ check box.
8 To add another command to the access policy click the Add button.
9 Repeat steps 5, 6 and 7.
10 Click the Save Changes button.

Assign access policy to user or group

Once the access policy is created, it can be assigned to a user or group for permissions on Systems, Accounts,
Files or Collections. The example below will cover assigning the access policy to a group of users for a system.
Access policies can also be assigned through the update permissions batch process.

To assign the access policy to a user or group:

1 Select Users & Groups | Groups | Manage Groups from the main menu.
2 Enter filter criteria to find the appropriate group.
3 Click the Listing tab.
4 Select the group.
5 Click the Permissions tab

TPAM 2.5
219
Administrator Guide
 6 Enter the filter criteria to find the system.
7 Click the Results tab.

8 Select the system.

9 Select the access policy from the list.
10 Click the single green check icon.
11 Click the Save Changes button.
When a user in this group submits a session request on this system they will only be allowed to execute the
command/s specified in the access policy during the session.

Setup requirement for Windows®

For Windows® 7, 2008 and 2012 additional configuration is required to get privileged command management to
work.

Configure the following registry changes on the Windows® server:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services\fAllowUnlistedRemotePrograms = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal
Services\fTurnOffSingleAppMode = [REG_DWORD, value: 00000000]

If the above doesn't work, additionally modify/add:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\HonorLegacySettings
= [REG_DWORD, value: 00000001]

TPAM 2.5
220
Administrator Guide
 23
Restricted Commands

• Introduction
• Add a restricted command profile
• Assign profile to access policy
• Restricted command account settings
• Command detection during a session

Introduction
Restricted command profiles enable the TPAM administrator to restrict the commands that can be executed
during a session, and/or put notifications in place when specific commands are executed.
IMPORTANT: Restricted commands cannot always detect and terminate a command when it is executed. It
is possible that some commands complete execution before TPAM has time to detect them.

Restricted commands are limited to Windows® and *nix platforms. The restricted command functionality also
requires a DPA.
To configure restricted commands you must perform the following steps:
• Add a restricted command profile
• Add restricted command profile to an access policy.
• Assign access policy to a user or group for a system or account.
• Enable account to capture events during a session.

System requirements for restricted

commands
There are requirements for the target system that must be met in order for restricted commands to be detected
during PSM sessions. For Windows® and *nix platforms, the PPM functional account is used to detect the
commands being run on the target system.The relevant configuration discussed below pertains to the PPM
functional account.

*nix platforms
In order to detect and kill processes on *nix systems, the DPA connects to and monitors the target system using
SSH. The following commands must be executable on the target system by the functional account in order to
detect and kill processes.
• - uname
• - echo
• - kill

TPAM 2.5
221
Administrator Guide
 • - "ps -ef" or "ps -axlww" depending on *nix variant
• - "netstat -ntp", "sockstat -c4", or "lsof -i -n -P" depending on *nix variant
Delegation prefixes are supported for the relevant platforms.

Windows®
In order to detect and kill processes on Windows®, the DPA connects to and monitors the target system using
WMI. There are a number of items that must be configured to allow these WMI connections, which may include
but are not limited to setting up remote WMI access, setting WMI CIMV2 namespace security, setting DCOM
security to allow remote access and launch, altering firewall settings to allow the WMI traffic, and handling
UAC. Notes related to UAC are provided when executing Test Event Configuration.

Additionally, various security events must be generated by Windows® to identify the beginning and end of PSM
sessions. For operating systems prior to Windows® Vista, events with event identifiers of 528, 538, 551, 682, and
683 must be generated. For Windows® Vista and later operating systems, events with event identifiers of 4624,
4634, 4647, 4778, and 4779 must be generated. Note that restricted command detection for operating systems
prior to Windows® XP and Windows Server 2003 in not supported.

Add a restricted command profile

To add a restricted command profile:
1 Select Management | Profile Management from the main menu.
2 Select Restricted Command from the Profile Type list.
3 Click the New Profile button.

4 Enter a unique profile name.

5 Select one or both notifications types for the commands in the profile:
• Notify via Alert? - If command has the Notify? check box selected and the command is detected
during a session a SNMP alert will be sent. The SNMP session events alert subscriptions must be
subscribed to by the system administrator in the /admin interface.

TPAM 2.5
222
Administrator Guide
 • Notify via Email? - If command has the Notify? check box selected and command is detected
during a session an email will be sent to the email addresses listed. Multiple email addresses can
be entered separated by a semi-colon. You can also enter :System: or :Account: to have the
notification sent to the system or account contacts.
6 Click the Add Cmd Detail button.
7 Select platform/s that command applies to:

• *nix? - any UNIX® type platform.

• Win? - Windows® platform.

8 Enter the command. The command text accepts a regular expression pattern to identify the name of the
command executable to be restricted. For Windows® commands, TPAM searches for process name and
parameters. For *nix commands, TPAM searches the process name and parameters in the output of the
relevant "ps" command.
9 Select the Notify? check box to be notified when this command is detected during a session.
10 Select one of the following actions for when the command is detected:
• Do Nothing - nothing is done to stop the session
• Kill Command - the command is terminated, but the session is left open.
IMPORTANT: The command can only be terminated if TPAM has time to detect the command
before it finishes running.

• Kill Login - the login to the remote system is terminated, but the session remains open.
• Kill Session - the current session to the remote system is terminated.
NOTE: None of the actions above will cancel the session request.

11 To add additional commands to the profile repeat steps 6-10.

12 Click the Save Changes button.

Assign profile to access policy

Once a restricted command profile has been created, the next step is to assign the profile to an access policy.

To assign a restricted command profile to an access policy:

1 Select Management | Access Policies from the main menu.
2 Filter for an existing access policy or click the Add Policy button to add a new one.

TPAM 2.5
223
Administrator Guide
 3 Select the Record Events check box.
4 Select the restricted command profile from the list.
5 Click the Save Changes button.
6 The access policy then needs to be assigned to the appropriate, system, account, or group.

Restricted command account settings

To complete command restriction for an account:
1 Select Systems, Accounts, & Collections | Accounts | Manage Accounts from the menu.
2 Enter filter criteria for the specific account and click the Listing tab.
3 Select the account and click the PSM Details tab.

4 The Enable PSM Sessions? check box must be selected.

5 The proxy connection type must be one of the following:
• RDP - Automatic Login Using Password

TPAM 2.5
224
Administrator Guide
 • RDP - Interactive Login
• SSH - Automatic Login Using Password
• SSH- Automatic Login Using DSS key
• SSH - Interactive Login
• Telnet - Automatic Login Using Password
• Telnet - Interactive Login
6 Click the Test Event Configuration button.

7 If the test events was successful, select the Capture Events? check box.

Command detection during a session

If a restricted command is executed during a session the user may see one of the following, depending on how
the restricted command policy is configured:
If the profile is configured to kill the command, the user will see the following:

If the profile is configured to kill the login, the user will see the following:

If the profile is configured to kill the session, the user will see the following and then the session is closed a few
seconds later:

TPAM 2.5
225
Administrator Guide
 TPAM 2.5
226
Administrator Guide
 24
Archive Session Logs

• Introduction
• Configure session log archive settings
• Configure session log archive server
• Test the archive server
• View archive files
• View archive log
• Delete a session log archive server
• Clear a stored system host entry

Introduction
This chapter covers the configuration and settings for session log archive.

Configure session log archive settings

Session logs can be archived to external storage to ensure that physical resources on the appliance are not
exhausted. The frequency of when these logs are transferred must be set as well as the retention period for the
logs on the appliance and the external storage.
To configure session log archive settings select Management | Session Mgmt | Archive Settings from the menu.

The table below explains the options on the Session Logs Archival Settings page:

Table 74. Session Logs Archival Settings page options

Field Description Required? Default

Max Age in Days This option specifies the maximum period of time that session Yes 1
for session log logs are maintained on the appliance. Session logs older than
archival (0-90) the n value are sent to the archive server. Valid configuration
is 0 to 90 days.

TPAM 2.5
227
Administrator Guide
Table 74. Session Logs Archival Settings page options

Field Description Required? Default

Max Age in days This value specifies that session logs are permanently deleted Yes 90
for session log from TPAM or the archive server after they become older than
deletion (1-999) y days. This setting is limited by the Session Request Retention
Period in global settings.
CAUTION: Session logs are deleted regardless of their
location – whether stored on TPAM or on an archive server.
If the value (y) to delete session logs is less than the value
(n) to archive session logs, the logs are deleted on the
appliance without ever being sent to an archive server.
IMPORTANT: If TPAM tries to delete session logs from an
archive server and it fails, TPAM will not re-attempt to do so.
This means that these records may need to be manually
deleted if the archive server comes back up. A CSV export of
detailed files is available for each archive server to assist with
this.
Percentage full This option allows for an automated safety net to ensure that Yes 80
to trigger forced the hard disk resources of the appliance are not filled to
archival of capacity. If the disk space reaches x% of storage capacity a
oldest session forced archive occurs to free disk space.
logs (30-80)
Send archival Messages regarding archival events can be sent from TPAM via Yes
messages to email to a specified address. Valid choices are:
• All
• Failed
• None

Enter the settings as desired and click the Save Changes button.

Configure session log archive server

Archive Servers must be pre-configured to receive the archived sessions from TPAM. For a server to be eligible
to receive the archives, it must be running the UNIX®/Linux® file system. This can be accomplished on a
Windows® server by installing OpenSSH or other UNIX® emulation software that creates a directory structure
containing /home. There are readily available products that create a Linux® environment for Windows®.
TPAM uses only DSS authentication to connect to archive servers and transfer session logs. This requires a
matched public/private key pair to exist between TPAM and the archive server. The public key is located on the
archive server, while TPAM maintains the private key.
To configure an archive server select Management | Session Mgmt | Archive Servers from the menu.

TPAM 2.5
228
Administrator Guide
The table below explains the options on the archive server management page:

Table 75. Archive Server Management: Details tab options

Field Description Required? Default

Server Name The unique server name. Yes
Network The IP address or fully qualified domain name. Yes
Address
Port Port number for TPAM to use. No
DSS Key Details When using DSS key authentication, a function is available to No
permit specific configuration of the public/private keys used.
• Avail. System Std. Keys – uses the single standard SSH
keys (either Open SSH or the commercial key) stored
centrally on TPAM. You have the ability to have up to
three active keys simultaneously. These keys are
configured in the paradmin interface. Use the list to
select the key you want to retrieve.
NOTE: When using the Avail. System Std. Keys you cannot
specify the key that is used. One or all available keys may be
downloaded to the remote system, but TPAM attempts to use
all currently active keys when communicating with the remote
system.
• Use System Specific Key – allows the generation and
download of a specific SSH key to be used with this
system only. The key must first be generated using the
Get/Regen Key button, and then downloaded in either
Open SSH or Sec SSH (commercial) format.
The public key must be placed into the proper directory on
the archive server. For most systems this is [user’s home
directory]/.ssh (create the directory if it does not exist). The
public key must also be specified as an authorized
authentication method for the functional account. A new DSS
key pair can be generated at any time (if for example it is felt
that the existing keys have been compromised). Clicking the
Regen Key Pair button generates a new public/private key
pair. The Regen Key Pair only regenerates the system specific
key for the selected archive server, so only that archive server
is affected.
Account Name Used to authenticate to the archive server, and within whose Yes
home directory the logs are stored.

TPAM 2.5
229
Administrator Guide
Table 75. Archive Server Management: Details tab options

Field Description Required? Default

Archive Server Prior to TPAM v2.0 the path was hard coded to ./egparch. It is Yes
Path assumed that old sessions that have already been archived are
stored in ./egparch. It is important to ensure that this
directory is owned by the functional ID, and that the
functional ID has proper permissions (600 is recommended).
Description Descriptive text for the archive server. No
Make Default? If selected, this is the default archive server for all session No Off
logs.

Enter the settings as desired and click the Save Changes button.

Test the archive server

Once the archive server has been saved it is recommended that connection to TPAM be tested by clicking the
Test button. The results of the test are displayed on the Results tab.

View archive files

To view the files stored on an archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server on the Listing tab.
3 Click the Archived Files tab.
4 Enter your search criteria on the Filter tab.
5 Click the Session Logs tab or click the Export to CSV button.

TPAM 2.5
230
Administrator Guide
View archive log
To view the archive log:
1 Select Management | Session Mgmt | Archive Log from the menu.
2 Enter your filter criteria.
3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the
report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in Privileged Account Manager, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the
number of rows that meet the filter criteria is greater than what is selected.

8 To view the report results in Privileged Account Manager click the Report tab. To adjust the column size
of any column on a report hover the mouse over the column edge while holding down the left mouse
button and dragging the mouse to adjust the width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export
option. The Export to Excel option only exports a maximum of 64,000 rows.

10 Open or Save the report file.

Delete a session log archive server

To delete a session log archive server:
1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the server to be deleted.
3 Click the Delete button.
NOTE: You cannot delete an archive server that is flagged as the default archive server. This flag
must be cleared and saved before the delete button will enable.

TPAM 2.5
231
Administrator Guide
 4 Click the Delete Server button.
5 Click the OK button on the confirmation window.

Clear a stored system host entry

The Clear Sys. Host Entry button removes the host entry from TPAM’s known hosts file. An example of the
necessity for this would be a situation where the SSH package on a managed system has been reinstalled, or the
OS itself may be reinstalled. A test of the system would indicate that the host key entry does not match, and is
preventing password authentication because of a perceived “man in the middle” attack.

To clear the System Host entry:

1 Select Management | Session Mgmt | Archive Servers from the menu.
2 Select the archive server whose host entry is to be removed from TPAM’s known hosts file.
3 Click the Clear Sys. Host Entry button.

TPAM 2.5
232
Administrator Guide
 25
Synchronized Passwords

• Introduction
• Logs tab
• Add synchronized password
• Add subscriber to a synchronized password
• Remove a subscriber from a synchronized password
• Delete a synchronized password
• Force reset of synchronized password

Introduction
Synchronized Passwords (formerly known as Collection Accounts prior to v2.3.761) provide a way to allow
multiple accounts, on different systems, to have the passwords synchronized.
The synchronized password functionality depends heavily on the Synch Pass Change Auto Agent that must be
enabled by the System Administrator in the admin interface. If the agent is not running, synch member
passwords are not changed unless you perform a manual forced reset.
To add and manage synchronized passwords, information is entered on the following tabs in the TPAM interface:

Table 76. Synchronized Password Management: TPAM interface tabs

Tab name Description

Details Define password name, and password management options.
Candidates Used to assign accounts as subscribers of the synchronized password.

TPAM 2.5
233
Administrator Guide
Details tab

The table below explains all of the options available on the details tab:

Table 77. Synchronized Password Management: Details tab options

Field Description Required? Default

Password Name Descriptive name of the synchronized password. Yes
Password If a manual password is entered here, any scheduled post- Yes
release resets will be canceled, and any subscriber whose
password does not match will be scheduled for a mismatch
reset.
Confirm Where the manual password is retyped for confirmation. Yes
Disable Synch. If selected, subscriber passwords are not synchronized. This can No Off
be used when changing subscriber priority and then force a
reset; otherwise new subscribers are not synchronized by
priority. While synchronization is disabled new subscribers are
not scheduled for a mismatch reset if their current password
does not match.
Password Rule The password rule to serve as the default for the synchronized Yes Default
password. The password rule governs the construction Password
requirements for new passwords generated by PPM. Rule
Description The description box may be used to provide additional No
information about the synchronized password, special notes,
business owner, etc.
Notification The email address specified in this box receives email No
Email notifications when a password is released without approval, and
scheduled password changes for manually managed accounts.
Default ISA Rel. The duration for an ISA release may be specified up to a No 2 Hours
Duration maximum of 7 days. This is the amount of time that transpires
between the initial ISA retrieval and the automatic reset of the
password (if enabled). If 0 is entered the ISA retrieval of a
password will not trigger a post release reset of the password.
Use the check If selected, the password check profile assigned to each No Off
profiles on the subscriber will be used instead of the password check profile
subscribed listed below.
accounts

TPAM 2.5
234
Administrator Guide
Table 77. Synchronized Password Management: Details tab options

Field Description Required? Default

Password Select a password check profile from the list to determine the Opt
Check Profile rules for how the password is checked for the synchronized
password. The password check profiles are configured by the
TPAM Administrator. See Password Profiles for more details.
Password Select a password change profile from the list to determine the Yes
Change Profile rules for how the password is changed on the synchronized
password.The password change profiles are configured by the
TPAM Administrator. See Password Profiles for more details.

Candidates tab

The table below explains all of the options available on the candidates tab:

Table 78. Synchronized Password Management: Candidates tab options

Field Description
Candidate Name System name and account name of the candidate. Only accounts that are auto-managed or
manually managed are eligible.
Account Auto Management setting for the account.
Network Address Network address for the account.
Platform System platform for the account.
Select If selected the account becomes a member of the synchronized password.
Priority Level Number entered here represents the order that the Synch Pass Change agent uses to
synchronize the subscribers. Only auto-managed accounts can be assigned a priority
level.The agent attempts to synchronize the prioritized subscribers from lowest to
highest. If any subscribers fail to synchronize then the process stops, and the agent does
not attempt to process any other subscribers. Next, any auto-managed non-prioritized
accounts are synchronized. Any non-prioritized accounts that fail to synchronize are
scheduled through the regular password change agent. Then any manually managed
accounts get put in the manual password notification queue. If the subscriber is in the
regular change queue any ISA or Administrator can force a password reset through the
password management page or account management listing page.

TPAM 2.5
235
Administrator Guide
Subscriber status tab

The table below explains all of the options available on the subscriber status tab:

Table 79. Synchronized Password Management: Subscriber Status tab options

Field Description
Subscriber Name System name and account name of subscriber.
Account Auto Indicates whether the account is auto-managed by TPAM (Y) or manually managed (M).
Network Address Network address for the system.
Platform Platform for the system.
Unsubscribe / If unsubscribe is selected and changes saved, the subscriber is removed from the
Priority synchronized password. Priority level can be edited and saved here.
Password Status Password will either be current or out of synch. If the password is out of synch then the
Synch Now button will be available to force an immediate synchronization.
Pending Change Displays status if password is in the regular change queue.
Pending Check Displays status is password is in the regular check queue.

Logs tab
The logs tab contains three sub-tabs that provide detailed password history for the subscribers of the
synchronized password. The following table explains the sub-tabs. The time displayed on the logs is in server
time (UTC).

Table 80. Synchronized Password Management: Logs tab sub-tabs

Tab Description
Filter This filter tab can be used to specify your search criteria in any of the other log tabs.
Change Log Provides details on password change history.
Test Log Provides details on password test activity.
Release Log Provides details on password release history.
Dependent Only visible if account resides on Windows® Domain Controller with dependent systems
Change Log assigned. Provides details on changes of the domain account.
Change Agent Provides details on change agent log records for the accounts that have occurred after a 2.3+
Log TPAM upgrade.

Add synchronized password

To add a new synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Add Synchronized Password from the menu.
2 Enter information on the details tab. For more information see Details tab.

TPAM 2.5
236
Administrator Guide
 3 Click the Save Changes button.

Add subscriber to a synchronized password

1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the
menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
1 Select the synchronized password.
2 Click the Add Subscribers button.
3 Enter your search criteria on the Filter tab.
4 Click the Candidates tab.
5 Select the Select check box to add candidates to the synchronized password. For more information see
Candidates tab.
IMPORTANT: If you add one or more accounts belonging to a System Template as subscribers, any
new systems added to TPAM using that template will automatically have those accounts be
subscribers to this synchronized password.

6 Enter a Priority Level for subscribers. (Optional)

7 Click the Save Changes button.

Remove a subscriber from a synchronized

password
To remove a subscriber/s from a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the
menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Subscriber Status tab.
6 Select the Unsubscribe check box for any subscribers to be removed.
7 Click the Save Changes button.
NOTE: Any accounts removed from the synchronized password will be immediately scheduled for a
password reset.

Delete a synchronized password

To delete a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the
menu.
2 Enter your search criteria on the Filter tab.

TPAM 2.5
237
Administrator Guide
 3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Delete button.
6 Click the OK button on the confirmation window.
NOTE: After the synchronized password is deleted the subscribers revert to the Password Management
settings that they had prior to becoming a subscriber.

Force reset of synchronized password

To schedule a forced reset of a synchronized password:
1 Select Systems, Accounts, & Collections | Passwords | Manage Synchronized Passwords from the
menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the synchronized password.
5 Click the Reset Password button.

TPAM 2.5
238
Administrator Guide
 26
Scheduled Reports

• Introduction
• Enable/disable scheduled reports
• Send scheduled reports to archive server
• Subscribe/unsubscribe to scheduled reports
• Add/remove additional recipients to scheduled reports
• View scheduled reports
• Resubmit scheduled reports

Introduction
Scheduled reports (also known as Batch Reports) are standard reports available in TPAM. The TPAM
Administrator configures these reports to automatically run on a daily, or weekly basis. The reports are run by
the Daily Maintenance job which is configured in the /admin interface. The reports are stored on the appliance
and can be emailed to designated subscribers or sent directly to an archive server. Only Administrators and
Auditors can view these reports from the TPAM interface. Additional users can be configured to receive these
reports via email.

Enable/disable scheduled reports

Administrators can enable or disable which scheduled reports can be subscribed to. On a new TPAM appliance all
reports will be disabled by default.
NOTE: The run time for these reports is controlled by the daily maintenance start time that is configured
by the System Administrator in the admin interface.

To enable/disable scheduled reports:

1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.

TPAM 2.5
239
Administrator Guide
 2 Next to each report select one if the following from the far right hand column:
• Disabled - the report will not run.
• HTML Only- only the HTML version of the report will run.
• CSV Only - only the CSV version of the report will run.
• HTML & CSV - CSV and HTML versions will be run.
• XML Only - the report will only be run in XML format.
3 Click the Save Changes button.
NOTE: If any option other than Disabled is selected the XML file is always generated (a zero byte file will
be generated even if no data is reported).

IMPORTANT: The Entitlement reports are very resource intensive and can cause severe performance
degradation for online users during the daily report cycle. If the reports will be used on a daily basis it is
recommended that only the versions required are enabled. It is very common for these reports to be over
1 million rows and customers have found that the CSV files are more manageable.

Send scheduled reports to archive server

To have scheduled reports automatically sent to an archive server:
1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.

TPAM 2.5
240
Administrator Guide
 2 Select an archive server from the list. An archive server must be already configured in TPAM by the
System Administrator to display in this list.
3 Click the Save Changes button.

Subscribe/unsubscribe to scheduled reports

Only Administrators and Auditors have permission to edit report subscriptions.

To subscribe/unsubscribe to Scheduled Reports:

1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 In the Subscribed column select one or more of the output options (HTML, CSV or XML), for the reports
you want to subscribe to.
3 Clear the HTML, CSV or XML check boxes in the Subscribe column for the reports you want to
unsubscribe to.
4 Select the Zip check box to zip all subscribed formats of the report into one file to be emailed.
5 Click the Save Changes button.
NOTE: When the select list does not include a format that is selected in the Subscribed column, the
selection will be highlighted in red.

Add/remove additional recipients to

scheduled reports
Only Administrators and Auditors can view Scheduled Reports from the TPAM interface. Additional users can be
configured to receive these reports via email.

To add additional recipients:

1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.

TPAM 2.5
241
Administrator Guide
 3 Click the Additional Recipients tab.

4 Enter the email address for the additional recipient in the EmailAddress box.
5 Select the report format/s from the Type list. If None is selected, the recipient will receive an email
informing the report has been generated but without an attachment.
6 Select the Zip check box to zip all subscribed format into one file that will be emailed.
7 Click the Add New Recipient button.
8 Repeat steps 4 through 6 for any additional email addresses.

To delete additional recipients:

1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Click the Delete button in the Action column next to the recipient you want to remove.

To edit a recipient’s email address:

1 Select Reports | Scheduled Reports | Report Subscriptions from the main menu.
2 Select the report from the list.
3 Click the Additional Recipients tab.
4 Edit the address in the EmailAddress box.
5 Click the Update button in the Action column.

View scheduled reports

Scheduled Reports are generated daily by TPAM and stored internally. These reports are available for viewing by
any administrator or auditor user. Stored reports are retained for a period of time specified by the System
Administrator.
NOTE: The date and timestamp on the stored reports is server time.

To view scheduled reports that have run:

1 Select Reports | Scheduled Reports | Browse Stored Reports from the menu.
2 Select the date by clicking the hyperlink, formatted yyyymmdd.
3 The reports run on that date will be displayed. Click the hyperlink for the report you want to view.
4 Select Open to view the report immediately or Save to save the report.

TPAM 2.5
242
Administrator Guide
Resubmit scheduled reports
The System Administrator has the ability to resubmit batch report runs for a prior date. Once the report run has
been resubmitted, the reports can be viewed on the same page as the daily report runs. See the procedure
above.

To resubmit a batch report run:

1 Log on to the /admin interface of TPAM. (accessible to system administrators)
2 Select System Status / Settings | Resubmit Batch Reports from the menu.

3 Enter the date to rerun the batch reports for.

4 Click the Resubmit button.
NOTE: When scheduled report runs are resubmitted, the new run date and time is appended to the end of
the file name. For example, if you rerun the 10/1/2011 reports on 11/13/2011 at 1 pm, the filename will
be 20111001_20111113_130000.

TPAM 2.5
243
Administrator Guide
 27
Data Extracts

• Introduction
• Configure data extracts
• Enable/disable a data extract schedule
• Data extract logs
• Customize data extract dataset file names

Introduction
Data extracts are defined data sets that can be extracted from TPAM on a scheduled basis and automatically
transferred to a pre-configured Archive server.
Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text editor. Information that
may be extracted includes lists of systems, accounts, users, etc. and many logs of user activity and entitlement.
The extracted files are compressed (ZIP file format) and named with a date and time stamp.
Data extracts are configured much in the same way as TPAM system backups. The extracts can be set to occur
daily, weekly or monthly at a specific time.

Configure data extracts

Up to five different data extract schedules can be configured. Repeat the procedure below as needed to
configure multiple data extract schedules.

To configure a data extract:

1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select one of the Schedule Names from the Schedule tab and click the Details tab.

3 Edit the Schedule Name. (optional)

4 Select the Enabled check box to enable the data extract schedule.
5 Select the Zip check box to have the extract files saved in a zip file format. (optional)

TPAM 2.5
244
Administrator Guide
 6 To have the file formatted differently than comma delimited, type another format in the Delimiter box.
If left blank, tab is the default. (optional)
7 Set the frequency for the data extract run:
• Daily
• Weekly - select day/s of the week.
• Monthly - choose First, Last, or specific Day of the Month.
8 Enter the time when the extraction is to start running. Time must be entered in 24 hour format.
9 Select the archive server where the data is to be transferred. The TPAM System Administrator is
responsible for configuring the Archive Servers.
10 Select All or Failed and enter the email address of the recipient who is to receive data extract results.
(optional)
11 Click the Data Sets tab.

12 Select the Enabled? check box to add the Data Set as part of the scheduled extract.
13 Select the Column Headings? check box to have column headings included in the CSV file results.
(optional)
14 Click the Save Changes button.
The Password Release Activity and Password Update Activity data extracts will pull the last 24 hours of activity.
The Activity Log, Password Release Log and SysAdmin Activity Log data extracts will pull data based on the
number of days configured as the retention period in global settings.

Enable/disable a data extract schedule

To enable/disable a Data Extract Schedule:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select the schedule you want to enable/disable.
3 Click the Details tab.
4 Select/Clear the Enabled check box.
5 Click the Save Changes button.

TPAM 2.5
245
Administrator Guide
To immediately kick off a Data Extract:
1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Start button.

Data extract logs

The data extract log tab displays the logged results of each scheduled extraction.

To view a data extract log:

1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 Select a schedule from the list.
3 Click the Log tab.
4 Enter filter criteria on the Filter tab.
5 Click the Data Extract Log tab.

To clear data extract log/s:

1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.
2 To clear a specific log, select the schedule from the list and click the Clear Log button.
3 To clear all the logs, click the Clear Log button without selecting a specific schedule from the list.

Customize data extract dataset file names

The procedure below describes how to customize the default file names for the dataset extract results. The
customized file names apply to all the schedules that are configured.

To customize dataset file names:

1 Select Reports | Scheduled Reports | Data Extract Schedules from the main menu.

TPAM 2.5
246
Administrator Guide
2 Click the Dataset Filenames tab.

3 Place your cursor in the FileName box and rename the file for all the file names to be changed.
4 Click the Save Filename Changes button.

TPAM 2.5
247
Administrator Guide
 28
TPAM CLI IDs

• Introduction
• Add a TPAM CLI ID
• Connect PSM account to TPAM CLI ID
• Delete a TPAM CLI ID

Introduction
In some cases it might be necessary to use an account for PSM authentication which is managed by another,
independent TPAM device. An example use case is an MSP managing systems for several customers which require
password data to be stored in a physically separate database like financial institutions. This can be
accomplished by using TPAM CLI IDs.
A CLI user ID is a special account used to access TPAM remotely via the CLI (command line interface). TPAM CLI
IDs may be defined to TPAM and used to access passwords that may be stored and managed on a remote TPAM
appliance.

Add a TPAM CLI ID

In this example a TPAM CLI ID will be set up on TPAM01 and TPAM02 will use the account for PSM log on for an
account managed by TPAM01.

Add a CLI user ID on TPAM01:

1 Select Users & Groups | UserIDs | Add UserID from the menu.

2 Enter the user details, clear the Allow Web Access check box on the Web tab and select CLI key based
authentication on the Key Based tab.

TPAM 2.5
248
Administrator Guide
 3 Click the Save Changes button.
4 Click the Download key button to download and save the key.

To add a TPAM CLI ID on TPAM02:

1 Select Management | TPAM CLI IDs | Add TPAM CLI ID from the menu.

2 Enter the CLI user ID configured on the remote TPAM appliance.

3 Enter a name to identify the TPAM appliance hosting the CLI ID.
4 Enter the IP address or FQDN of the TPAM primary appliance.
5 Paste the contents of the DSS key into the DSS Key box. This is the private key that was downloaded from
TPAM when the specified CLI user ID was created.
6 Click the Save Changes button.
7 To test connectivity to the remote TPAM appliance with the CLI ID click the Test button.

Connect PSM account to TPAM CLI ID

To connect the PSM account to the TPAM CLI ID:
1 Add the system in TPAM02 you need to connect to via PSM.
2 Add the account you want to use for PSM.
3 Click on the PSM Details tab.

4 Select User Remote TPAM CLI.

5 In the list select the TPAM CLI ID you created.
6 Click the Save Changes button.

TPAM 2.5
249
Administrator Guide
When initiating a session for this account, TPAM02 will now log on to TPAM01 and request the password for
qsrv_qppm, managed by TPAM01 and use this to authenticate the session. After the session, the password will
be checked back in to TPAM01 and will be changed.

Delete a TPAM CLI ID

To delete a TPAM CLI ID:
1 Select Management | TPAM CLI IDs | Manage TPAM CLI IDs from the menu.
2 Enter your search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the CLI ID to be deleted.
5 Click the Delete button.
6 Click the OK button on the confirmation window.

TPAM 2.5
250
Administrator Guide
 29
Password Requests

• Introduction
• Request a password
• Email notification
• View submitted password requests
• Access the password
• Cancel/expire a password request

Introduction
System account passwords that are configured using Privileged Password Manager can be released by submitting
a password request. The request will either require approval by one or more TPAM users, or be auto-approved,
based on how the account is configured. This process ensures the security of the system account password,
provides accountability, and provides dual control over the system accounts.

Request a password
To request a password:
1 Select Request | Password | Add Request from the main menu.
2 To request a password on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.

4 Select the check box next to each account to be included in the password request. When selecting
multiple accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.

TPAM 2.5
251
Administrator Guide
 5 Click the Details tab.

6 Complete the following fields:

Table 81. Password Request Management: Details tab fields

Field name Description

Request Immediate Select this check box to immediately request the password.
Date/Time Required To have a password released on a future date and time, enter the
date and time when the password is required. Enter the time in the
user’s local time.
Requested Duration The requested duration is the period of time that the password(s) is
available for release. Once the request is saved this duration is
added to the requested release date to determine the request
expiration date. Valid parameters for release durations are from 15
minutes to 7 days, in 15 minute increments – however, the effective
valid parameter for the maximum allowable release request
duration is the value configured for maximum release duration at
the account level. When requesting passwords for multiple accounts
together, the Requested Duration defaults to the shortest “Maximum
Duration” for all accounts listed on the request.
Reason Code Reason codes will appear if they have been configured by the System
Administrator. Reason codes streamline the request process, and
may be optional, required, or not allowed depending on how they
are configured.
Request Reason Used to provide a brief description of the reason for the password
release. May be optional, required or not allowed, depending on
configuration.
Ticket System May be required, based on configuration. Any boxes on the request
highlighted in red, require a ticket system to be chosen from the
list.
Ticket Number May be required, based on configuration. If the ticket number fails
validation when the request is submitted, then the request is
automatically canceled.

7 Click the Save Changes button.

NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:

Once the request has been submitted it will reflect one of these statuses:

TPAM 2.5
252
Administrator Guide
 • Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period or the requestor decides to cancel the request prior to accessing the password. The request
will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the password has passed or the requestor is done accessing the
password and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.

To add accounts to a request once it has already been submitted:

1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to add accounts to.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box on the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.

Email notification
Once a password request is submitted, the requestor receives an email notification when the request is
approved, denied, or automatically cancelled as a result of a request conflict.
If a password request is submitted and does not require any approvals, the request is auto-approved by PPM and
the requestor immediately sees this message in the feedback area.

View submitted password requests

To view requests that have been submitted:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.

TPAM 2.5
253
Administrator Guide
 5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-
approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Password - If enabled, displays the password for the account for 20 seconds.

Access the password

Once a request is approved to view the account password:
1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Password tab.The password will be displayed for 20 seconds. Depending on how your TPAM is
configured the password will display in one of three ways:
a The password will be revealed on the screen. To copy and paste the password, click the mouse
once over the password which will automatically select the password.

b The Reveal Password button can be clicked to reveal the password or the password can be copied
to the clipboard without displaying it on the screen.

c You must put your mouse in the designated area, and press the Ctrl-C keys to copy the password
to a clipboard.

The password can be displayed by the requestor as often as necessary during the release duration period.

Password reset during release window

While a requestor has an active release duration window, three possible circumstances could cause the
password to be changed by TPAM during that time:
• The configured Default Change Setting for the account occurs during the release window. For example, if
the password is to be changed every 30 days which happens to occur while a requestor has a password.

TPAM 2.5
254
Administrator Guide
 This scenario can be prevented by selecting Do not automatically change the password while a release
is active on the account details management tab.
• The ISA post-release reset interval has occurred. In this case, an ISA may have recently retrieved the
password and it is being reset because the configured interval for that action has expired. This scenario
can be prevented by selecting Do not automatically change the password while a release is active on
the account details management tab.
• The ISA or the Administrator has forced a reset of the password.

The requestor should try and access the password at a later time.

Cancel/expire a password request

A password request can be cancelled by the requestor if the status is Pending Approval. Once approved, a
password request can be expired to immediately end the release duration. Expiring a request early makes the
account available for request for other users and immediately queues the password for a reset (if so
configured).

To cancel/expire a password request:

1 Select Request | Password | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.

6 Enter a reason in the Cancel/Expire Reason box.

7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable
accounts.
8 Click the Save Changes button.

TPAM 2.5
255
Administrator Guide
 30
Approve/Deny Password Request

• Introduction
• Approve/deny password request
• Revalidate ticket on a request
• Deny request after it is approved

Introduction
When a password request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.

Approve/deny password request

The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.

To approve/deny a password request:

1 Select Approve/Review | Password Request from the main menu.
2 To approve/deny a request on a specific system/account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.

TPAM 2.5
256
Administrator Guide
 6 If the request selected is part of a multiple request submission then you also see all the other pending
requests that are eligible for your approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this password overlap with the same
release duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.

Revalidate ticket on a request

If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Request Details tab:

The request can be approved/denied without revalidating the ticket.

To revalidate the ticket:

1 Click the Revalidate Ticket button. The following pop up appears:

2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.

Deny request after it is approved

Any eligible approver can deny a password request after it has already been approved or auto-approved. Once
denied, the requestor will no longer have access to the password. The requestor receives an email notifying
them that the request was denied

To deny the request:

1 Select Approve/Review | Password Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.

TPAM 2.5
257
Administrator Guide
 31
Review a Password Release

• Introduction
• Review status definitions
• On the Password Release for Review listing tab there is a column labeled Review Started. if the value isY,
at least one review comment has been submitted. If the value is N, no review comments have been
submitted.If the value is -(dash) then the review is complete.
• Provisional ticket validation on a password release

Introduction
Accounts can be configured to have review requirements for password releases once the release duration has
expired. Users eligible to review password releases receive email notification to alert them of pending reviews.

Review status definitions

The table below explains the different possible password release review statuses.

Table 82. Password release review statuses

Status Definition
Pending An authorized reviewer is still required to complete the review process.
Completed All the required reviewers have clicked the Complete My Review button.
Overdue A reviewer has not reviewed the password release within the required time period.

On the Password Release for Review listing tab there is a column labeled Review Started. if the value isY, at
least one review comment has been submitted. If the value is N, no review comments have been submitted.If
the value is -(dash) then the review is complete.

Review a password release

To review a password release:
1 Select Review | Password Releases from the main menu.
2 To review a password release for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the Request ID to review.
5 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review
requirements at the time the password request was submitted.

TPAM 2.5
258
Administrator Guide
6 Click the Reviews tab to see any review comments made.

7 Click the Responses tab to see comments that were made when approving this request and comments
made by the requestor if they expired the request early.

8 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as
configured for their user ID in TPAM.

9 If the password release being reviewed was part of a multi-request, select the Apply Review check box
for the appropriate row.
10 To enter a comment before officially marking the release as reviewed enter a comment in the Review
Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
11 To mark the review as complete, enter a review comment and click the Complete My Review button.

TPAM 2.5
259
Administrator Guide
Provisional ticket validation on a password
release
If the required ticket system for this account has “provisional validation” enabled in the admin interface and
the ticket system was not available for validation at the time the requestor submitted the request, you see the
following message note on the review details tab:

A reviewer does not have the ability to retroactively check for ticket validation.

TPAM 2.5
260
Administrator Guide
 32
Session Requests

• Introduction
• Request a session
• Email notification
• View submitted session requests
• Cancel/expire a session request

Introduction
Systems that are configured using Privileged Session Manager can be accessed remotely by submitting a session
request. The request will either require approval by one or more TPAM users, or be auto-approved, based on
how the account is configured. The activity during the session will be recorded and can be played back by
authorized users.

Request a session
To request a session:
1 Select Request | Session | Add Request from the main menu.
2 To request a session on a specific system or a specific account enter the criteria on the Filter tab.
3 Click the Accounts tab.

4 Select the check box next to each account to be included in the session request. When selecting multiple
accounts in one request, the request time and release duration will be the same for all accounts
requested.
NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission to the account, the account will be listed multiple times on the Accounts listing
tab. Each row will show the Access Policy, Minimum Approvers, and Maximum Release Duration
associated with it.

5 Click the Details tab.

TPAM 2.5
261
Administrator Guide
6 Complete the following fields:

Table 83. Session Request Management: Details tab options

Field name Description

Request Immediate Select this check box to immediately request the session.
Date/Time Required To conduct a session on a future date and time, enter the date and
time when the session is required. Enter the time in the user’s local
time.
Requested Duration The requested duration is the period of time that access to the
remote system/s is available. Once the request is saved this duration
is added to the requested release date to determine the request
expiration date. This should be taken into consideration when
selecting the request duration. If not approved quickly, the request
duration available to the requestor could be considerably shorter
than that specified. When expired, the session is no longer available
to the requestor. The session is not terminated or interrupted, but
after it has been closed the user can no longer restart it. The default
request duration is always 2 hours, but can be changed by the
requestor.When requesting sessions for multiple accounts together,
the Requested Duration cannot exceed the shortest “Maximum
Duration” for all accounts listed on the request. Also the “Maximum
Duration” is never greater than the “Max Session Duration”
configured by the System Administrator in Global Settings.
NOTE: If you will be conducting a file transfer during the session,
the session duration must include the time that it takes for the file
transfer to complete.
Reason Code Reason codes will appear if they have been configured by the System
Administrator. Reason codes streamline the request process, and
may be optional or required, depending on how they are configured.
Request Reason Used to provide a brief description of the reason for the session
request. May be optional, required or not required, depending on
configuration.
Ticket System May be required, based on configuration. Any boxes on the request
highlighted in red, require a ticket system to be chosen from the
list.
Ticket Number May be required, based on configuration. If the ticket number fails
validation when the request is submitted, then the request is
automatically canceled.

TPAM 2.5
262
Administrator Guide
 7 Click the Save Changes button.
NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:

Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period or the requestor decides to cancel the request prior to connecting to the remote system.
The request will also be cancelled if the ticket number entered on the request requires validation, and
fails.
• Expired - the release window for the session has passed or the requestor is done conducting the session
and expires the request early.
If a request has a status of Pending Approval, additional accounts can be added up to 15 minutes from the
original expiration date/time for the request.

To add accounts to a request once it has already been submitted:

1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.
6 Click the New Accounts button.
7 Enter filter criteria to find the accounts you want to add.
8 Click the Accounts tab.
9 Select the check box on the Selected column for the accounts you want to add.
10 Click the Details tab.
11 Enter a Ticket System/Ticket Number if required.
12 Click the Save Changes button.

Email notification
Once a session request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a session request is submitted and does not require any approvals, the request is auto-approved and the
requestor can immediately start the session by clicking the Connect button.

TPAM 2.5
263
Administrator Guide
View submitted session requests
To view requests that have been submitted:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-
approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.
• Connect Options - If enabled can be used to change settings such as keyboard language mapping
for the session.

Cancel/expire a session request

A session request can be cancelled by the requestor if the status is Pending Approval. Once approved, a session
request can be expired to immediately end the release duration. Expiring a request early makes the account
available for request for other users and immediately queues the password for a reset (if so configured).

To cancel/expire a session request:

1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.

6 Enter a reason in the Cancel/Expire Reason box.

TPAM 2.5
264
Administrator Guide
7 If the request contains multiple accounts, select the Apply Reason check box next to the applicable
accounts.
8 Click the Save Changes button.

TPAM 2.5
265
Administrator Guide
 33
Approve/Deny Session Request

• Introduction
• Approve/deny session request
• Revalidate ticket on a request
• Deny request after it is approved

Introduction
When a session request is submitted, the associated approver(s) is notified via email of the pending request.
The approver logs on to TPAM to approve/deny the request.

Approve/deny session request

The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.

To approve/deny a session request:

1 Select Approve/Review | Session Request from the main menu.
2 To approve/deny a request on a specific system/account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.

TPAM 2.5
266
Administrator Guide
 6 If the request selected is part of a multiple request submission then you also see all the other pending
requests that are eligible for approval.
7 Select the Req. IDs to approve/deny.
8 Click the Conflicts tab to see if any other pending requests for this session overlap with the same release
duration.
9 Click the Approvers tab to see the list of other eligible approvers for this request.
10 Click the Responses tab to see the responses other eligible approvers have made for this request.
11 Enter comments in the Request Response box.
12 Click the Approve Request or Deny Request button.

Revalidate ticket on a request

If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Request Details tab:

The request can be approved/denied without revalidating the ticket.

To revalidate the ticket:

1 Click the Revalidate Ticket button. The following pop up appears:

2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.

Deny request after it is approved

Any eligible approver can deny a session request after it has already been approved or auto-approved. If a live
session is being conducted at the time you decide to deny the request that session is automatically terminated.
The requestor receives an email notifying them that the request was denied.

To deny the request:

1 Select Approve/Review | Session Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.

TPAM 2.5
267
Administrator Guide
 34
Start a Remote Session

• Introduction
• Client requirements
• Start a session
• File transfer
• End a session

Introduction
Once a session is approved a user can use TPAM to connect to a remote system This chapter covers the steps for
starting a session and files transfer options during a session.

Client requirements
Java® version 7 update 45 or higher is required to run the session applet. Java® 32 bit is supported, but not
Java® 64 bit.
IMPORTANT: If the recording session reaches the limit set in Max Recording Size global setting (set by the
TPAM System Administrator), the session is automatically terminated. Warning messages will be sent when
the session reaches 60% of the set limit.

Start a session
To start a session:
1 Select Request | Session | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Connect Options tab. Connection options are dependent on the platform, proxy type and if a
DPA is assigned to the system. Clear the Use Default Connection Options check box to select different
session connection options. The connection options selected by the user will persist for this user every
time they connect with this account to a session, using the same proxy type. If the proxy type changes
the user will have to save their preferred connection settings again, in order for them to persist.
(optional)

TPAM 2.5
268
Administrator Guide
 Table 84. Session Request Management: Connection Options

Connection option Description

Cache Bitmaps Turning this on may help responsiveness during session over a slow network
connection.
Compression Turn on to control compression of the RDP data stream.
Experience Experience changes default bandwidth performance behavior. Choices are
Default (theming is enabled) or 56Kbps (modem).
Keyboard The keyboard type you want to emulate during the session. Currently the
choices are English (US), French (Swiss), French, Spanish, German, Turkish,
Italian, and Belgian.
Language Sets the language (sometimes referred to as locale) on the target system for
the session. On most operating systems this changes things like the language
used for system menus, alerts, messages, and numeric formats for default
date and time.
Mouse Motion Option to send the mouse motion during the session or not. Not sending the
mouse motion can save bandwidth, although some applications may rely on
receiving mouse motion.
Putty:Background Background color choices of black, green, blue or white.
Putty:Foreground Foreground color choices of grey, black or white.
Putty:Geometry Select a window size of 80 x 24 or 132 x 24.
Screen Updates Screen updates can be sent as bitmaps or left at the default of higher level
drawing operations.
XTerm:Backspace If Ctrl-h is selected, then using the Backspace key during the session, will
perform the same action as Ctrl-h.
XTerm:Del If Ctrl-d is selected, then using the Delete key during the session, will perform
the same action as Ctrl-d.

6 Select the desktop display size for the session. (optional)

NOTE: The window display size selection is not saved, and must be reselected before connecting
each time.

7 Click the Connect button.The remote session is initiated in a new page. All activity performed by the
remote user is logged and recorded. When a session begins, a new window is opened and the Java®
environment is initialized. This step can take up to a minute.

TPAM 2.5
269
Administrator Guide
 8 Click Yes to accept web certificate for the applet. This should only appear the first time you start a
session in PSM.

9 Depending upon the configuration for session authentication for the account one of these scenarios
occurs:
• The session uses auto-logon with a predefined account and its password.
• The password is provided by TPAM but must typed in by the user.
• The password is not stored in TPAM and must be typed in by the user.
NOTE: Sessions to remote systems are also subject to the configuration of the access method at the
remote system. Example: if Windows® RDP or Terminal Services is the connection method then the
configuration for disconnected session time outs, maximum connections, and so on, govern certain session
behavior. In addition, troubleshooting problems with connectivity to these systems should include
examining the configuration of the remote system.

Clipboard transfer between the RDP session and the desktop is available if this option was selected at the
account level on the PSM Details tab. The Clipboard transfer feature allows copy/cut and paste of text between
the remote session and the desktop.

TPAM 2.5
270
Administrator Guide
If the proxy type for the session is SSH, then the client is PuTTY. When connecting to the session a PuTTY
security warning message will be presented to validate the client machine host keys. Clicking the Accept button
will cache the host key so that this message will not be presented again during the session.

Pressing the Ctrl key and right clicking the mouse will bring up the Putty menu. This menu provides options to
copy the scroll back buffer, change fonts, and reconfigure other settings.

On the bottom of the PSM session window you will see the system name, account name, keyboard mapping
chosen, the hot keys menu, session connection status and the size of any data pasted to the clipboard.

File transfer
Depending on how the account is configured there are options to upload files to the remote system and
download files from the managed system during the session. The time out period for file transfers is 10 hours.

To upload a file:
1 Click the File Transfer tab in the session window.

TPAM 2.5
271
Administrator Guide
 2 Click the Select File button to locate the file or directory to transfer. Repeat this step for each file or
directory to upload. As files and/or directories are selected they are displayed in the Selected Files list.
IMPORTANT: There is 20 GB size limit on any files transferred.

3 To remove a file that was selected by mistake use the Remove Selected or the Remove All buttons as
needed. Additionally files and directories may be selected by simply dragging and dropping them on the
Selected Files list.
4 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password
required to upload the file.

5 Click the Upload button to start the transfer process. After the transfer is complete a successful or
unsuccessful message will appear at the bottom of the page.
IMPORTANT: The upload process overwrites any existing file(s) if the user has the file system rights to do
so. If the user does not have sufficient rights to an existing file and they attempt to upload a file of the
same name the upload fails.

To download a file:
CAUTION: File downloads can put a big strain on the appliance. If other users start to see
performance problems in TPAM the file download could be the cause.

1 Click the File Transfer tab in the session window.

2 Enter the fully qualified name of the file in the Download File Name box.

3 If the Transfer Credentials fields appear on the screen, enter the Account Name and Account Password
required to upload the file.
4 Click the Download button. After the download is complete a successful or unsuccessful message will
appear at the bottom of the page.

End a session
Once you have completed what you wanted to do on the remote system you can end the session. To end the
session close the session window. A new session can be started until the release duration on the request expires.

TPAM 2.5
272
Administrator Guide
 35
Session Management

• Introduction
• Session playback controls
• Meta data window
• Replay a session log
• Add a bookmark to a session
• View bookmarks/captured events
• Jump to a bookmark
• Jump to an event
• Monitor a live session
• Terminate a session

Introduction
The session management menu provides access to session logs and the ability to playback sessions.

Session playback controls

To manipulate the playback of a session, the controls at the bottom of the session replay window lets the speed
of the playback be changed, ranging from ½ normal speed to 16 times normal speed. Replay may be paused at
any point.

The table below defines the functions and display information on the playback tool bar.

Table 85. Playback tool bar options

Option Description
System Name The name of the remote system where the session was established.
Account Name The name of the remote account used to access the system during the session.

TPAM 2.5
273
Administrator Guide
Table 85. Playback tool bar options

Option Description
Slider Control Displays the current position of playback, and after the session is paused lets a new
position be selected. To reposition session replay, pause the session and position the
slider control to the desired spot. Resume playback using the pause control. The
session playback moves at maximum speed to the desired playback position.
NOTE: The session time position is based on network packet timestamps. This
means that the playback control slider may appear to move in an uneven fashion
depending on the ‘data density’ of each packet, especially for very short recorded
sessions. If for some period time there is a minimal amount of activity followed by a
flurry of dialog openings and keystroke input, this would cause the uneven control
slider movement. Longer session files tend to provide a smoother control slider
movement.
Elapsed Time Time elapsed in the session replay.
Total Session Time Total length of time of the session.
Pause Button When green the session is playing. When red the session is paused. To pause or
resume playback simply click the control.
Loop Button Selecting this button sets the session to replay over and over.
Controls Menu/Select Session play speed in relation to normal speed. For example .5x will play the session
Speed at half normal speed.
Controls If selected this opens a window to display the keystroke log, and tags for events and
Menu/Metadata/Open bookmarks. The keystroke slider at the top of the window can be adjusted so that
Dialog they can see the keystrokes taking place in this window before or after they occur
in the actual session replay window.
Controls Menu/Add If selected allows the user to add a bookmark at a specific point in the session.
Bookmark
Controls Menu/Always on If selected, the meta data dialog window will be displayed in front of the session
Top replay window.

Meta data window

While replaying the session the meta data window can be displayed in another window to view the
keystroke/event log.

To open the meta data window during a session:

1 Click the Replay Session button.
2 Once the session has a status of connected in the replay window, select Controls Menu | MetaData |
Open Dialog.

Keystrokes/events will be displayed in green as they occur during the session replay. Bookmarks are displayed in
red. Slide the keystroke slider to the left to view the keystroke log in advance of the activity occurring in the

TPAM 2.5
274
Administrator Guide
session replay window. If the Clear on Loop check box is selected the keystroke log will be cleared before the
session is replayed each time.

Replay a session log

NOTE: You cannot view the keystroke log when replaying a session unless the access policy that is granting
you permission to replay the session has Allow KSL View selected.

To replay a session log:

1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.

4 Select the session log to replay.

5 Click the Replay Session button.
6 Click the File Transfer tab to view details on any files transferred during the session.
7 Click the Captured Events / Bookmarks tab to view details on events captured during the session.
NOTE: If the session log is stored on an archive server there may be a delay while TPAM retrieves the log
from its remote storage location.

The remote access session is displayed and played back in real time. The playback session may be paused and
resumed, moved ahead or back at increased speed, or continuously played at various speeds.
Prior to v2.5.915 a session logs could be “stranded” by closing the browser when a session was recording and
clicking the Terminate button. To fix the problem so the session can be replayed, select the session from the
Listing page and click the Reset Stats button.

Add a bookmark to a session

Requestors, approvers, and reviewers have the ability to add bookmarks to a session log. By adding a bookmark,
the requestor, approver, or reviewer can point something out to another approver or reviewer that they want
them to look at without them having to replay and watch the entire session.

To add a bookmark:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 When you get to the point in the session where you want to add a bookmark click the Pause button on
the session playback controls at the bottom of the window.

TPAM 2.5
275
Administrator Guide
 7 Select Controls Menu | Metadata | Add Bookmark.

8 Enter text to label the bookmark and click the OK button.

9 After the bookmark is added the session will resume playback.

View bookmarks/captured events

To view bookmarks and captured events from the session logs listing page:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log.
5 Click the Captured Events, Bookmarks tab. Events are only captured for sessions on an account if the
Capture Events? check box is selected for the account on the PSM details tab.

TPAM 2.5
276
Administrator Guide
Jump to a bookmark
To jump to a bookmark while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.

7 Click the Select Bookmark tab.

8 Select the bookmark you want to go to.

9 Click the Jump to Bookmark button.
10 The session replay will go to the bookmark but will continue replay, it will not be paused at the
bookmark.

TPAM 2.5
277
Administrator Guide
Jump to an event
To jump to an event while replaying a session:
1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter your search criteria on the filter tab.
3 Click the Listing tab.
4 Select the session log to replay.
5 Click the Replay Session button.
6 On the session playback menu select Controls Menu | Metadata | Open Dialog.

7 Click the Select Event tab.

8 Select the event you want to go to.

9 Click the Jump to Event button.
10 The session replay will go to the event but will continue replay, it will not be paused at the event.

TPAM 2.5
278
Administrator Guide
Monitor a live session
With the appropriate permissions a user can monitor another user’s session. The user running the session has no
indication that their session is being watched.
NOTE: You cannot view the Keystroke Log when monitoring a session.

To monitor a live session:

1 Select Management | Session Mgmt | Session Logs from the main menu.
2 Enter search filter criteria.
3 Click the Listing tab.

4 Select the session to monitor. Live sessions will have a status of Connected.
5 Click the Monitor Session button. The PSM Session Monitor window will open with a view of the live
session.

Terminate a session
An administrator user has the ability to terminate (kill) active sessions. Unless the session request is also
expired or cancelled the user has the ability to restart the session.
CAUTION: Be aware that terminating a session could leave unfinished work on the remote system and
even do potential damage.

To terminate a session:
1 Select Management | Session Mgmt | Manage Sessions from the main menu.
2 On the Active Sessions tab select the session to terminate.

3 Click the Terminate button.

TPAM 2.5
279
Administrator Guide
 36
Review a Session

• Introduction
• Review status definitions
• Review a session
• Provisional ticket validation on a session

Introduction
Accounts can be configured to have review requirements for PSM Sessions once the sessions are expired. Users
eligible to review sessions receive email notification to alert them of pending reviews.

Review status definitions

The table below explains the different possible session review statuses.

Table 86. Session review statuses

Status Definition
Pending Review An authorized reviewer is still required to complete the review process.
Completed All the required reviewers have clicked the Complete My Review button.
Overdue A reviewer has not reviewed the session within the required time period.

On the PSM Sessions for Review listing tab there is a column labeled Review Started. if the value is Y, at least
one review comment has been submitted. If the value is N, no review comments have been submitted.If the
value is -(dash) then the review is complete.

Review a session
To review a session:
1 Select Approve/Review | PSM Session from the main menu.
2 To review a session for a specific account enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the session to review.
5 Click the Session Logs tab.

TPAM 2.5
280
Administrator Guide
6 Select a session log to replay.
7 Click the Replay Session button. For details on replaying sessions see Session playback controls.
NOTE: A session review cannot be completed until one of the session logs has been replayed by the
reviewer. TPAM may be configured so that all session logs must be replayed before the review can
be completed.

8 Watch the session and then close the session window.

9 To enter or view any comments about a session log, select a session log on the session logs tab and click
the Comments tab. Enter a comment in the new comment box and click the Save New Comment button
to add a comment. (optional)

These comments do not flag a session as being reviewed, but may be informative to other reviewers.
10 To view information about a file transfer, select a session log on the Session Logs tab and click the File
Transfers tab. (optional)

11 Click the Reviewers tab to see the list of eligible reviewers. (optional) These are the review
requirements at the time the session request was submitted.

TPAM 2.5
281
Administrator Guide
 12 Click the Reviews tab to see any review comments made.

13 Click the Responses tab to see comments that were made when approving this request and comments
made by the requestor if they expired the request early.

14 Click the Details tab. The times displayed on this tab are displayed to the reviewer in their local time, as
configured for their user ID in TPAM.

15 If the session being reviewed was part of a multi-session request, select the Apply Review check box for
the appropriate row.
16 To enter a comment before officially marking the session as reviewed enter a comment in the Review
Comment box and click the Save My Review Comment button. (optional)
Every time a comment is submitted the Reviews Submitted count increases.
17 To mark the review as complete, enter a review comment and click the Complete My Review button.

Provisional ticket validation on a session

If the required Ticket System for this account has “provisional validation enabled” in the admin interface, and
the Ticket System was not available for validation at the time the requestor submitted the request, you see the
following note on the Review Details tab:

TPAM 2.5
282
Administrator Guide
 TPAM 2.5
283
Administrator Guide
 37
File Requests

• Introduction
• Request a file
• Email notification
• View submitted file requests
• Access the file
• Cancel/expire a file request

Introduction
In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure
storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to
securely store and control access to public/private key files and certificates.

Request a file
To request a file:
1 Select Request | File | Add Request from the main menu.
2 To request a file on a specific system enter the criteria on the Filter tab.
3 Click the Files tab.

4 Select the file to be included in the request.

NOTE: If, through a Group or Collection assignment, the user has multiple Access Policies granting
a REQ permission on the file, the file will be listed multiple times on the Files tab. Each row will
show the Access Policy, Minimum Approvers, and Maximum Release Duration associated with it.

5 Click the Details tab.

TPAM 2.5
284
Administrator Guide
 6 Complete the following fields:

Table 87. File Request Management: Details tab fields

Field name Description

Request Immediate Select this check box to immediately request the file.
Date/Time Required To have a file released on a future date and time, enter the date and time when
the file is required. Enter the time in the user’s local time.
Requested Duration The requested duration is the period of time that the file is available for release.
Once the request is saved this duration is added to the requested release date to
determine the request expiration date. Valid parameters for release durations are
from 15 minutes to 7 days, in 15 minute increments – however, the effective valid
parameter for the maximum allowable release request duration is the value
configured for maximum release duration at the file level.
Reason Code Reason codes will appear if they have been configured by the System
Administrator. Reason codes streamline the request process, and may be optional
or required, depending on how they are configured.
Request Reason Used to provide a brief description of the reason for the file release. May be
optional, required or not required, depending on configuration.
Ticket System May be required, based on configuration.
Ticket Number May be required, based on configuration. If the ticket number fails validation
when the request is submitted, then the request is automatically canceled.

7 Click the Save Changes button.

NOTE: If a request is submitted that does not have enough approvers configured to meet the approval
requirements, then the request is not submitted and the following message is presented at the bottom of
the page:

Once the request has been submitted it will reflect one of these statuses:
• Pending Approval - waiting for authorized approver/s to approve the request.
• Active/Approved - the request has been approved and is within the release duration window.
• Approved - the request has been approved but the request date/time is in the future.
• Denied - the request was denied by the approver/s.
• Canceled - the submitted request conflicts with a request that has already been approved for the same
time period or the requestor decides to cancel the request prior to accessing the password. The request
will also be cancelled if the ticket number entered on the request requires validation, and fails.
• Expired - the release window for the file has passed or the requestor is done accessing the file and
expires the request early.

TPAM 2.5
285
Administrator Guide
Email notification
Once a file request is submitted, the requestor receives an email notification when the request is approved,
denied, or automatically cancelled as a result of a request conflict.
If a file request is submitted and does not require any approvals, the request is auto-approved by PPM and the
requestor immediately sees this message in the feedback area. The Retrieve button will be enabled.

View submitted file requests

To view requests that have been submitted:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Open the following tabs to view more detailed information about the request.
• Details - Date and time stamps relevant to the life cycle of the request.
• Responses - Request responses from approvers, or responses auto-generated by TPAM for auto-
approved or cancelled requests.
• Approvers - All TPAM users with permissions to approve or deny the request.

Access the file

Once a request is approved to retrieve the file:
1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Retrieve button.

6 Select to open or save the file.

TPAM 2.5
286
Administrator Guide
Cancel/expire a file request
A file request can be cancelled by the requestor if the status is Pending Approval. Once approved, a password
request can be expired to immediately end the release duration. Expiring a request early makes the file
available for other users to request.

To cancel/expire a file request:

1 Select Request | File | Manage Requests from the main menu.
2 Enter filter criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request.
5 Click the Details tab.

6 Enter a reason in the Expiration Reason box.

7 Click the Save Changes button.

TPAM 2.5
287
Administrator Guide
 38
Approve/Deny File Request

• Introduction
• Approve/deny file request
• Revalidate ticket on a request
• Deny request after it is approved

Introduction
When a file request is submitted, the associated approver(s) is notified via email of the pending request. The
approver logs on to TPAM to approve/deny the request.

Approve/deny file request

The requested date/time of the request will be displayed to the approver in their local time, as configured for
their user ID in TPAM.

To approve/deny a file request:

1 Select Approve/Review | File Request from the main menu.
2 To approve/deny a request on a specific system enter the criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to approve/deny.
5 Click the Details tab.

6 Click the Conflicts tab to see if any other pending requests for this file overlap with the same release
duration.
7 Click the Approvers tab to see the list of other eligible approvers for this request.
8 Click the Responses tab to see the responses other eligible approvers have made for this request.
9 Enter comments in the Request Response box.

TPAM 2.5
288
Administrator Guide
 10 Click the Approve Request or Deny Request button.

Revalidate ticket on a request

If the required Ticket System for this file has “provisional validation enabled” in the admin interface, and the
Ticket System is not available for validation at the time the requestor submits the request, you see the
following note on the Approval Details tab:

The request can be approved/denied without revalidating the ticket.

To revalidate the ticket:

1 Click the Revalidate Ticket button. The following pop up appears:

2 Click the OK or Cancel button. If TPAM determines that the ticket system is still disabled the status of
the request will remain unchanged.

Deny request after it is approved

Any eligible approver can deny a file request after it has already been approved or auto-approved. Once denied,
the requestor will no longer have access to the file. The requestor receives an email notifying them that the
request was denied

To deny the request:

1 Select Approve/Review | File Request from the main menu.
2 Enter the search criteria on the Filter tab.
3 Click the Listing tab.
4 Select the request to deny.
5 Click the Details tab.
6 Select the Req. IDs to deny.
7 Enter a reason in the Request Response box.
8 Click the Deny Request button.

TPAM 2.5
289
Administrator Guide
 39
On Demand Reports

• Introduction
• Report time zone options
• Run a report
• Report descriptions

Introduction
TPAM has a number of pre-defined reports to aid in system administration, track changes to objects, and
provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports
can be filtered by criteria that are specific to each report type.

Report time zone options

Time zone filter parameters are included on most of the reports allowing you to view the report data in your
local or server time zone (UTC). These filter parameters only appear if you are configured with a local time
zone. These parameters affect not only the data reported but also the filter dates used to retrieve the data.
NOTE: Access to different reports is based on the user’s permissions. Only TPAM Administrators and
Auditors have access to all reports

For example, the server is at UTC time and the user is in Athens, Greece (UTC +2). When the user enters a date
range of 9/16/2009-9/17/2009 with the local time zone option, the report retrieves transactions that happened
on the server between 9/15/2009 22:00 through 9/17/2009 21:59.

All reports that use the local time zone filter have an extra column indicating the UTC offset that was used to
generate the report. This value is either the current UTC offset of the user. This column will also display in
reports that are exported using Excel or CSV.

Run a report
The following procedure describes the steps to run a report in TPAM.

To run a report:
1 From the Reports menu select the report.
2 On the Report Filter tab enter the filter criteria.

TPAM 2.5
290
Administrator Guide
 3 Click the Report Layout tab. (Optional)
4 Select the appropriate boxes in the Column Visible column to specify the columns to be displayed on the
report.
5 Select the appropriate box in the Sort Column column to specify sort order.
6 Select the Sort Direction.
7 If viewing the report in the TPAM interface, select the Max Rows to display.
IMPORTANT: The Max Rows to Display limits the number of rows that are returned even if the
number of rows that meet the filter criteria is greater than what is selected.

8 To view the report results in TPAM click the Report tab. To adjust the column size of any column on a
report hover the mouse over the column edge while holding down the left mouse button and dragging
the mouse to adjust the width.
9 To view the report results in an Excel or CSV file click the Export to Excel or Export to CSV button.
IMPORTANT: If you expect the report results to be over 64,000 rows you must use the CSV export
option. The Export to Excel option only exports a maximum of 64,000 rows.

10 Open or Save the report file.

Report descriptions
The following table lists the on demand reports available in TPAM.

Table 88. TPAM report descriptions

Report title Description

Activity Report Detailed history of all changes made to TPAM.
ISA User Activity Report Detailed records of all activities performed by users with ISA permissions.
Approver User Activity Detailed records of all activities performed by users with Approver permissions.
Requestor User Activity Detailed records of all activities performed by users with Requestor permissions.
PSM Accounts Inventory Accounts that are PSM enabled.
(PSM Customers only)
Password Aging Managed systems, and the managed accounts that reside on those systems.
Inventory
File Aging Inventory Secure stored files and the systems that manage them.
Release-Reset Reconcile Audit evidence that released passwords have been reset appropriately.
User Entitlement Data to review and audit users’ permissions for systems, accounts, files and
commands on an enterprise scale.
NOTE: It is recommended that Show Only Effective Permissions is selected to
reduce the size of the report.
NOTE: If any of the Expand … options are selected, at least one of the text filters
must be filled in with a non-wildcard value. For very large data sources the
expansion of Collections, Groups, and/or Access Policies can very easily create a
report beyond the retrieval and display capabilities of a web browser. For large data
sets (10’s of thousands of accounts or thousands of large collections to expand) it is
recommended to rely on the Data Extracts for unfiltered versions of the Entitlement
Report.
Failed Logins Failed login attempts to Privileged Account Manager. The data for the report is
refreshed every 15 minutes.
Password Update Password modifications to systems managed by Privileged Password Manager.
Activity

TPAM 2.5
291
Administrator Guide
Table 88. TPAM report descriptions

Report title Description

Password Update Scheduled password changes and the reason for the change.
Schedule
Password Testing The results of automated testing of each managed accounts’ password.
Activity
Password Test Queue Accounts currently queued for password tests.
NOTE: This is a useful report to view when troubleshooting performance related
issues. A high number of queued password tests can impact system response time if
the check agent is running. This report does not provide a mechanism for exporting
data but does provide for deleting passwords from the test queue. So if there is some
known reason why a large group of password tests are failing, such as a network
outage, that group can be filtered out in the report and then deleted. An alternative
would be to just stop the check agent.
Expired Passwords Currently expired passwords, or passwords that will expire within a date range.
Passwords Currently in Defines “in-use” passwords as:
Use • Passwords that have been retrieved by the ISA/CLI/API that have not yet been
reset.
• Passwords that have been requested and retrieved, but have not yet been
reset.
• Password has been manually reset on the Account Details or Password
Management pages, but has not yet been reset by PPM.
• Password has been manually entered on the Account Details page, but has not
yet been reset by PPM.
• Account is created on the TPAM interface or as a result of Batch Import
Accounts and is assigned a password by the user (as opposed to letting the
system generate a random password).
Password Requests Password requests and the details relating to the request. Selecting a row in the
report, and clicking on the Responses, Reviews and Releases tab gives you
additional details on the request.
Password Consecutive Password check and change failures for accounts.
Failures
Auto-Approved Password releases that did not require dual control approval.
Password Releases
Auto-Approved File File releases that did not require dual control approval.
Releases
Password Release Details on password releases, such as request reason, retrieval date and ticket
Activity information.
File Release Activity Details on file releases, such as request reason, retrieval date and ticket
information.
Windows® Domain Managed domain accounts that have dependencies on other systems.
Account Dependencies
Auto Approved Sessions Sessions that were approved, as a result of no approval requirements for sessions on
(PSM customers only) the account.
PSM Session Activity Session details, such as start date, end date, and request reason.
(PSM customers only)
PSM Session Requests Session requests and the details relating to the request. Selecting a row in the
(PSM customer only) report, and clicking on the Responses, Reviews and Releases tab gives you
additional details on the request.

TPAM 2.5
292
Administrator Guide
 40
Network Tools

• Introduction
• The ping utility
• Nslookup utility
• TraceRoute utility
• Telnet test utility
• Display routes

Introduction
To assist the TPAM Administrator with troubleshooting common network related problems, TPAM contains
network tools that are accessible from the tpam interface.

The ping utility

The ping utility can be used to verify connectivity to remote hosts and determine latency. Many of the optional
parameters for the ping command are available. The available command options are listed along with the short
description of each.

To use the ping utility:

1 Select Management | Network Tools | Ping from the menu.

2 Enter the IP or Hostname.

3 Select the options desired.
4 Click the Ping button. The results will be displayed.

TPAM 2.5
293
Administrator Guide
Nslookup utility
Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS
resolution. The TPAM utility for nslookup will use the DNS server(s) configured to TPAM only. The option to
specify a server is not provided. TPAM Administrators can benefit from the ability to use nslookup to resolve
hostnames to IP addresses and vice versa.

To use Nslookup:
1 Select Management | Network Tools | Nslookup from the menu.

2 Enter the IP address or Hostname to look up.

3 Click the Lookup button.

TraceRoute utility
The traceroute utility is available for examining network routing and connectivity from TPAM to a remote IP
address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security
infrastructure – but if allowed, it can be a valuable diagnostic tool.

To use Traceroute:
1 Select Management | Network Tools | TraceRoute from the menu.

2 Enter the IP or Hostname to trace.

3 Select the -d check box. (Optional)
4 Change the default number of hops and timeout wait. (Optional)
5 Click the Trace button.

TPAM 2.5
294
Administrator Guide
Telnet test utility
The Telnet test utility lets a test be performed from the appliance to another system over a specific port. The
tool will test the defined port using telnet functionality to verify the port, whether a connection can be made,
and then immediately close the connection.

To use the Telnet test utility:

1 Select Management | Network Tools | TelnetTest from the menu.

2 Enter the network address, port and timeout period.

3 Click the Trace button.

Display routes
Several tools are available to manage the routing table on TPAM, if the need arises.

To display current routes:

1 Select Management | Network Tools | Show Routes from the menu.

If necessary, TPAM System Administrators have the ability to edit the routes in the config interface.

TPAM 2.5
295
Administrator Guide
 41
CLI Commands

• Introduction
• Command standards
• Commands

Introduction
The TPAM command line interface (CLI) provides a method for authorized users or automated processes to
retrieve information from the TPAM system. Commands must be passed to TPAM via SSH (secure shell) using an
identity key file provided by TPAM. A specific CLI user ID is also required. See Add a CLI user ID for more details
on creating the user ID. CLI user IDs are case sensitive when logging on.
SSH software must be installed on any system before it can be used for TPAM CLI access.
Commands accept parameters in the style of --OptionName option value (two dashes precede the option
name). Existing commands prior to TPAM v2.2.754 still also accept the comma-separated syntax, so existing
scripts do not need to be modified unless you wish to take advantage of new parameters that have been added
to the command in later versions of TPAM.
All commands recognize an option of --Help. This expanded help syntax will show all valid options for each
command, whether the option is required or optional, and a description of the option and allowed values.
NOTE: Many of the CLI commands will not run if the TPAM appliance is in maintenance mode.

Command standards
• Options may be specified in any order in the command
• Option names are not case sensitive, --SystemName and --systemname are equivalent
• When the --Help option is used, no other processing takes place. The help text is printed and the
command terminates.
• Options marked as “optional” are just that – optional. They do not need to be included in the command
line to “save space” for commands that come afterwards.
• Option names may be abbreviated “to uniqueness” for each command. For example if a command
accepts options of --SystemName, --AccountName, and --Description the option names can be
abbreviated to --S, --A, and --D, respectively. However if the options were --AccountName and --
AccountDescription they can only be abbreviated to --AccountN and --AccountD.
• Any option value that contains spaces, e.g., --Description or --RequestNotes, must surround the
description with single or double quotes, depending on your command line shell. It’s also recommended
that you surround the entire command invocation with quotes to prevent the shell from unintentionally
stripping desired quotes from your command. Additionally your shell environment may require escaping
extra quotes within your command. The following is an example using Windows® cmd.exe
[...]"UpdateSystem[...]\"Sytem1[...]\"Description for System1\"[...]

TPAM 2.5
296
Administrator Guide
Commands
AddAccount--options
Adds a new system account. The CLI user must have ISA or Administrator privilege.
Table 89. AddAccount options
Option name
--SystemName
--AccountName
--AccountDN
--AliasAccessOnlyFlag
--AllowISADurationFlag
--AutoFlag
--BlockAutoChangeFlag
--ChangeFrequency
--ChangeTime
--CheckFlag
--ChangeServiceFlag
--ChangeTaskFlag
--Custom[1-6]
--Description
--DomainAccountName
--EnableBeforeReleaseFlag
--EscalationEmail
--EscalationTime
--IgnoreSystemPoliciesFlag
Req/Opt Description
Req System Name. Maximum 30 characters.
Req Account Name. Maximum 30 characters.
Opt The distinguished name of the account on a Novell NDS, LDAP or
LDAPS system.
Opt This option is obsolete. Any value passed in using this option will
be used for the --IgnoreSystemPoliciesFlag option.
Opt Allow the ISA to specify a duration when retrieving a password.
Y/N
Opt Account Password Management type. N=None, Y=Automatic,
M=Manual
Opt THIS OPTION IS OBSOLETE AND WILL BE REM0VED IN A FUTURE
RELEASE. The functionality of this option has been assumed by the
password change profile.
Opt THIS OPTION IS OBSOLETE AND WILL BE REM0VED IN A FUTURE
RELEASE. The functionality of this option has been assumed by the
password change profile.
Opt THIS OPTION IS OBSOLETE AND WILL BE REM0VED IN A FUTURE
RELEASE. The functionality of this option has been assumed by the
password change profile.
Opt THIS OPTION IS OBSOLETE AND WILL BE REM0VED IN A FUTURE
RELEASE. The functionality of this option has been assumed by the
password check profile.
Opt Change the password for Windows® Services started by this
account. Y/N (Windows® platforms only)
Opt Change the password for the Windows® scheduled tasks started by
this account. (Windows® platforms only)
Opt Custom Account Columns, if defined. Use !NULL to clear the value.
Opt Use !NULL to clear the value. Maximum of 255 characters.
Opt For Windows® or BoKS platforms. Enter domainname\accountname
Opt Y/N. If Y, TPAM will disable the account of the remote system until
the password is released or a session started which uses the
password to authenticate. Only applies to Windows® platforms.
Opt If a password post-release review is not completed within the
number of hours in EscalationTime send an email to this address.
Use !NULL to clear the value.
Opt Number of hours after which to send an escalation email if a
password post-release has not been completed. Expressed in
hours. Use 0 (zero) to disable the notification.
Opt Ignore System Policies Flag. Y/N. When set to Y any System-level
Access Policies are ignored, and only Account-level policies are
used for permissions.
TPAM 2.5
297
Administrator Guide
Table 89. AddAccount options

Option name Req/Opt Description

--LockFlag Opt Account Lock Flag. Y/N. Passwords for locked accounts cannot be
retrieved, released, or changed
--MaxReleaseDuration Opt The maximum duration for a password request, expressed in
minutes. The value will be rounded to the nearest 15-minute
increment. Valid values are 1-10080 (7 days).
--MinimumApprovers Opt Minimum number of approvals required for a password release
request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate Opt Set the next scheduled change date for this account. The account
will be scheduled for the first available time window based on the
password change profile.
--OverrideAccountability Opt When the Global Setting to Allow Account specific override is
enabled this flag can be turned on at the account level to allow
simultaneous, overlapping password requests to be approved.
When the Global Setting is not enabled this flag is ignored. Y/N
--Password Opt Initial or new password for the account. The password cannot be
changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile Opt A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile Opt A profile which controls when the account will have it’s password
checked.
--PasswordRule Opt Name of the Password Rule used to generate passwords for the
account. The default rule for new accounts is set on the managed
system. You may also specify “Default Password Rule” or another
rule to override this.
--ReleaseNotifyEmail Opt Use !NULL to clear the value.
--ReleaseChangeFlag Opt Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15minute increment. Valid values are 0-10080 (7 days). This is
ignored if ReleaseChangeFlag is N. If 0 is entered the ISA retrieval
of a password will not trigger a post release reset of the password.
--RequireTicketForAPI Opt Require a valid Ticket System & Number for any API password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
--RequireTicketForCLI Opt Require a valid Ticket System & Number for any CLI password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
--RequireTicketForISA Opt Require a valid Ticket System & Number for any ISA password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
--RequireTicketForPSM Opt Require a valid Ticket System & Number for any PSM request on
this account. Y/N.
--RequireTicketForRequest Opt Require a valid Ticket System & Number for any password request
on this account. Y/N
--ResetFlag Opt Reset the password if a regular check finds it to be different than
what's stored in PPM. Y/N This value is ignored if CheckFlag is N.
--RestartServiceFlag Opt Restart Windows® services started by this account, following a
password change. Y/N (Windows® only)
--ReviewCount Opt Number of post-release reviews required after a password release.
0-n

TPAM 2.5
298
Administrator Guide
Table 89. AddAccount options

Option name Req/Opt Description

--ReviewerName
--ReviewerType
--SimulPrivAccReleases
--TicketSystemName
--TicketEmailNotify
--UseSelfFlag
Opt User Name or Group Name of required reviewer. Only valid when
ReviewerType is User or Group.
Opt Type of reviewer. Valid values are: Any (default), Auditor, User,
Group
Opt Number of simultaneous Privileged Access Users who may retrieve
the password. 0-99
Opt When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid
ticket system.
Opt Email to notify if a password is retrieved via API, CLI, or ISA
without a ticket number. Ignored when RequireTicketForRequest is
N or ticket is required for all three (API, CLI, and ISA). Use !NULL
to clear the value.
Opt Use the account's current password to change the password. Y/N.
If the functional account is flagged as “non-privileged” at the
system level this value should be set to Y.

AddCollection--options
Creates a new collection. The CLI user must have ISA or administrator privilege.

Table 90. AddCollection options

Option name Req/Opt Description

--CollectionName Req Name of collection.
--Description Opt Collection description. Max of 50 characters.
--PSMDPAAffinity Opt List of DPAs to use for PSM Affinity assignment in the form of
DPAName1/priority;DPAName2/priority. Pass “any” to reset the list and
allow any DPA to be used. Priority must be >=0 to add a DPA. A priority of 0
removes a DPA from the list.

Legacy support:
AddCollection <CollectionName>,<CollectionDescription>

AddCollectionMember--options
Creates a new collection member where the system, account, and or file and collection(s) currently exist. The
CLI user must have administrator privilege or the ISA permission over the collection and system, and or file.

Table 91. AddCollectionMember options

Option name Req/Opt Description

--CollectionName Req Name of collection.
--SystemName Req Name of system to add to collection. If an account or file is being added to
the collection then they must exist on this system. A system cannot be in
the same collection as any of its’ accounts or files.

TPAM 2.5
299
Administrator Guide
Table 91. AddCollectionMember options

Option name Req/Opt Description

--AccountName Opt Name of the account to ad to the collection. If a system or file is being
added to the collection this value must be empty. The account must reside
on --SystemName and cannot be a member of any of the same collections
as the system.
--FileName Opt Name of the file to add to the collection. If a system or account is being
added to the collection this value must be empty. The file must reside on -
-SystemName and cannot be a member of any of the same collections as
the system.

Legacy support:
AddCollectionMember <MemberName>,<CollectionName>

AddGroup--options
Creates a new group. The CLI user must have ISA or administrator privilege.

Table 92. AddGroup options

Option name Req/Opt Description

--GroupName Req Name of the group.
--Description Opt Description of group. Max of 50 characters.

Legacy support:
AddGroup <GroupName>,<GroupDescription>

AddGroupMember--options
Adds an existing user account to one or more existing groups. The CLI user must have administrator privilege.--
GroupID or --GroupName may be passed, but not both.

Table 93. AddGroupMember options

Option name Req/Opt Description

--GroupName Opt Name of the group.
--GroupID Opt Unique identifier assigned to group by TPAM.
--UserName Req Name of user to add to the group. Only basic and administrator user types
can be added to a group. Multiple UserNames can be specified using semi-
colons between names.

Legacy support:
AddGroupMember <UserName>,<GroupName>

AddPwdRequest--options
CLI users can create a password request for themselves as well as other users. Both users (the calling CLI and
the user they're adding for) must have request permissions on the target system. The target user must be a web-
based user, i.e., not a CLI or API user. The CLI User creating the request may later cancel the request, but
cannot approve the request they create.

Table 94. AddPwdRequest options

Option name Req/Opt Description

--SystemName Req System for which the password request is being created.
--AccountName Req Account for which the password request is being created.

TPAM 2.5
300
Administrator Guide
Table 94. AddPwdRequest options

Option name Req/Opt Description

--ForUserName Opt The user you are creating the request for. This parameter should be
omitted if submitting a request for yourself.
--AccessPolicyName Opt An access policy to use for the request. This is only required if the user
has access to the account via more than one policy.
--ReasonCode Opt A reason code for the request. Based on global settings, a reason code
may be required, optional, or not allowed.
--RequestImmediateFlag Opt Use Y to create an immediate request, N to create request with future
date. If N is entered, you must supply the --RequestedReleaseDate
option.
--RequestedReleaseDate Opt Required if RequestImmediate option is N. Must be a valid future date
in the form of MM/DD/YYYY HH:MM (using a 24 hour clock)
NOTE: If the --ForUserName is assigned to a time zone other then
UTC, this value represents the local time for the user.
--ReleaseDuration Opt Duration of the request in minutes. Time is rounded up to the next 15
minute interval. The default is 120 minutes for password requests.
The maximum value set is on the account details.
--RequestNotes Opt Description of the request. Up to 1000 characters. Based on global
settings, a RequestNote may be required, optional, or not allowed.
--TicketNumber Opt A ticket number from the --TicketSystemName. This may be required
based on account settings.
--TicketSystemName Opt The name of the ticket system to use for validation. This may be
required based on account settings.

AddSessionRequest--options
CLI users can create a session request for themselves as well as other users.Both users (the calling CLI and the
user they're adding for) must have request permissions on the target system. The target user must be a web-
based user, i.e., not a CLI or API user. The CLI User creating the request may later cancel the request, but
cannot approve the request they create.

Table 95. AddSessionRequest options

Option name Req/Opt Description

--SystemName Req System for which the session request is being created.
--AccountName Req Account for which the session request is being created.
--ForUserName Opt The user you are creating the request for. This parameter should be
omitted if submitting a request for yourself.
--AccessPolicyName Opt An access policy to use for the request. This is only required if the
user has access to the account via more than one policy.
--CommandName Opt The command name that will be used during the session. If the
command is specified then the --AccessPolicyName must also be
specified and include REQ permissions for you and the user for
whom the request is being created.
--ReasonCode Opt A reason code for the request. Based on global settings, a reason
code may be required, optional, or not allowed.
--RequestImmediateFlag Opt Use Y to create an immediate request, N to create request with
future date. If N is entered, you must supply the --
RequestedReleaseDate option.
--RequestedReleaseDate Opt Required if --RequestImmediate option is N. Must be a valid future
date in the form of MM/DD/YYYY HH:MM (using a 24 hour clock)
NOTE: If the --ForUserName is assigned to a time zone other then
UTC, this value represents the local time for the user.

TPAM 2.5
301
Administrator Guide
Table 95. AddSessionRequest options

Option name Req/Opt Description

--ReleaseDuration Opt Duration of the request in minutes. Time is rounded up to the next
15 minute interval. The default duration is set on the account’s PSM
details page. The maximum value is set on the account details page.
--RequestNotes Opt Description of the request. Up to 1000 characters. Based on global
settings, a RequestNote may be required, optional, or not allowed.
--TicketNumber Opt A ticket number from the --TicketSystemName. This may be
required based on account settings.
--TicketSystemName Opt The name of the ticket system to use for validation. This may be
required based on account settings.

AddSyncPass--options
Allows you to add a synchronized password.

Table 96. AddSyncPass options

Option name Req/Opt Description

--SyncPassName
--AccountLevelCheckProfile
--ChangeFrequency
--ChangeTime
--CheckFlag
--DisableFlag
--Description
--NextChangeDate
--Password
--PasswordChangeProfile
--PasswordCheckProfile
--PasswordRule
--ReleaseNotifyEmail
--ReleaseChangeFlag
Req Name of synchronized password. You must have administrator
privileges.
Opt Y/N. Default value is N. If Y, the synchronized password does not
have a Password Check Profile and the password check schedule is
based on the profile assigned to each member account.
Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the
Password Change Profile.
Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the
Password Change Profile.
Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the
Password Check Profile.
Opt Disable synchronizing subscribed accounts. Y/N
Opt Use !NULL to clear the value. Maximum of 255 characters.
Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the
Password Change Profile.
Opt Initial or new password for the account. The password cannot be
changed for auto-managed accounts. Max of 128 characters.
Opt A profile which controls when the account will have it’s password
changed.
Opt A profile which controls when the account will have it’s password
checked.
Opt Name of the Password Rule used to generate passwords for the
account. The default rule for new accounts is set on the managed
system. You may also specify Default Password Rule or another rule
to override this.
Opt Use !NULL to clear the value. This email address receives an email
when the password is released.
Opt Change the password after any ISA, CLI or API release. Y/N

TPAM 2.5
302
Administrator Guide
Table 96. AddSyncPass options

Option name Req/Opt Description

--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15
minute increment. Valid values are 0-10080 (7 days). If 0 is entered
the ISA retrieval of a password will not trigger a post release reset of
the password. This value is ignored if ReleaseChangeFlag is N.
--ResetFlag Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the
Password Check Profile.

AddSyncPwdSub--options
Allows you to add subscribers to a synchronized password.

Table 97. AddSyncPwdSub options

Option name Req/Opt Description

--SyncPassName Req Name of synchronized password. You must have administrator privileges.
--Systemname Req System name of account subscribing.
--AccountName Req Account name subscribing.

AddSystem--options
Creates a new system. The CLI user must have ISA or Administrator privilege.

Table 98. AddSystem options

Option name Req/Opt Description

--SystemName Req System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--AllowFuncReqFlag Opt Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag Opt Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP Opt Obsolete as of TPAM 2.5.909
--AutoDiscoveryExcludeList Opt List of account names (up to 1,000 characters) separated by semi-
colons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.
--AutoDiscoveryProfile Opt Name of auto-discovery profile which will be used to discover
new/deleted accounts on this system. Use !NULL to clear the value or
override the template’s value. Auto-discovery is only valid for
Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout Opt Timeout (in seconds) when discovering accounts on this system. Default
is 300 seconds. If the discovery process times out it will continue to
discover the remaining accounts during the next scheduled run.Use 0
(zero) to set to the default.
--BoksServerOS Opt The OS Name (platform) for a Boks server.
--ChangeFrequency Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.

TPAM 2.5
303
Administrator Guide
Table 98. AddSystem options

Option name Req/Opt Description

--ChangeTime Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Change Profile.
--Custom[1-6] Opt Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Check Profile.
--Description Opt Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount Opt The domain account to be used as the functional account.
DomainName\AccountName
--DomainName Opt The domain name for Windows®.
--EGPOnlyFlag Opt Setting this value to Yes will disabled *ALL* PPM functionality on this
system and all its accounts and will delete any existing password
history or secure stored files. Y/N.
--EnablePassword Opt Password to use for the “ENABLE” account (Cisco platforms only) or
“EXPERT” account (for CheckPoint SP platforms only).
--EscalationEmail Opt If a password post-release review is not completed within the number
of hours in EscalationTime send and email to this address. Use !NULL to
clear the value.
--EscalationTime Opt Number of hours after which to send an escalation email if a password
post-release has not been completed. Expressed in hours. Use 0 (zero)
to disable the notification.
--FuncAcctCred Opt Password for the account indicated in the FunctionalAccount option.
Use a password of DSS to have the system use system standard keys for
functional account credentials or a password of SPECIFIC to use a
system specific key.
--FuncAcctDN Opt* The distinguished name of the functional account. Required for Novell
NDS, LDAP pr LDAPS systems. Ignored for all others.
--FunctionalAccount Opt Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef Opt Cisco telnet attribute.
--MaxReleaseDuration Opt The maximum duration for a password request, expressed in minutes.
The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080 (7 days).
--NetBiosName Opt Required for Windows® AD or SPCW (DC) platforms.
--NetworkAddress Req Network address of the system. May be an IP V4 address or a fully
qualified domain name.
--NonPrivFuncFlag Opt Y/N.
--OracleSIDSN Opt Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle® system.
--OracleType Opt May be either SID or SERVICE. Only accepted for Oracle® platform.
--PasswordChangeProfile Opt A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile Opt A profile which controls when the account will have it’s password
checked.
--PasswordRule Opt The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new
Systems. Must use the text “Default Password Rule” to change existing
systems.

TPAM 2.5
304
Administrator Guide
Table 98. AddSystem options

Option name Req/Opt Description

--PlatformName Req Any recognized platform name. Note that certain platforms, once set,
cannot be changed. For custom platform names the platform name is
indicated by “Custom” or “Custom Platform” followed by a forward
slash (/) and the custom platform name.
--PlatSpecificValue Opt A platform specific value, e.g., Linux® Delegation prefix or Windows®
Computer Name. Not all platforms support this value.
--PortNumber Opt Port number used for SSH communication with the system. Default
values are platform specific.
--PPMDPAAffinity Opt List of DPAs to use for PPM affinity in the form
DPAName1/priority;DPAName2/priority. Use Local to reset the list
and only use the appliance for password checks/changes.PPM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PSMDPAAffinity Opt List of DPAs to use for PSM affinity in the form
DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to
be used. Priority must be a number greater than zero. PSM affinity
cannot be set when adding a system from a template, but after the
system is created the affinity may be changed.
--PrimaryEmail Opt Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ProfileCertType Opt One of the following values:
• N - no thumbprint or certificate. Default
• T - thumbprint only. The SHA1 thumbprint of the certificate
used by the system to notify TPAM of availability for
check/change operations.
• G - generated. TPAM will generate a certificate and record the
thumbprint. This certificate must be installed on the system in
order to call the TPAM notification service.
--ProfileCertThumbprint Opt Thumbprint of certificate. Only used when ProfileCertType is T.
--ProfileCertPassword Opt Optional password on a TPAM generated certificate. This password will
be required to install the certificate on the target system. The
password is NOT stored and cannot be retrieved if forgotten.
--ReleaseChangeFlag Opt THIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE.
--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15minute increment. Valid values are 0-10080. If 0 is entered the ISA
retrieval of a password will not trigger a post release reset of the
password.
--RequireTicketForAPI Opt Require a valid Ticket System & Number for any API password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI Opt Require a valid Ticket System & Number for any CLI password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA Opt Require a valid Ticket System & Number for any ISA password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForPSM Opt Require a valid Ticket System & Number for any PSM request on this
account. Y/N.
--RequireTicketForRequest Opt Require a valid Ticket System & Number for any password request on
this account. Y/N

TPAM 2.5
305
Administrator Guide
Table 98. AddSystem options

Option name Req/Opt Description

--ResetFlag Opt RTHIS OPTION IS OBSOLETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of this option has assumed by the Password
Check Profile.
--SSHAccount Opt The account name to use when communicating with this system via
SSH. This is required when the UseSshFlag is set to Y.
--SSHKey Opt Either “Standard” to use the appliance's system standard keys or
“Specific” to generate a specific key for this system. “Standard” is the
default.
--SSHPort Opt The port number for SSH communication. If not specified a default of
22 is used.
--SystemAutoFlag Opt Whether or not to enable automatic password management for
accounts on this system. Y/N. If set to N the account auto flags may
only be N (none) or M (Manual). Y/N.
--TemplateSystemName Opt The name of a template system. Data from the template system will be
used as defaults for the new system. Template data will be overridden
with data supplied here. System templates may also contain Collection
Membership, Group & User Permissions, and up to 10 accounts, all of
which will be automatically transferred to the new system.
--TicketEmailNotify Opt Email to notify if a password is retrieved via API, CLI, or ISA without a
ticket number. Ignored when RequireTicketForRequest is N or ticket is
required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName Opt When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid ticket
system.
--Timeout Opt The number of seconds TPAM will attempt to communicate with the
system for password checks and changes before issuing a “timed out”
error. Default is 20 seconds.
--UseSslFlag Opt Whether or not to use SSL to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.
--UseSshFlag Opt Whether or not to use SSH to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh Flags
are mutually exclusive. You may only set one or the other, not both.

AddUser--options
Creates a new user account. The CLI user must have user administrator or administrator privilege.

Table 99. AddUser options

Option name Req/Opt Description

--UserName Req User Name. Maximum 30 characters.
--LastName Req Maximum of 30 characters.
--FirstName Req Maximum of 30 characters.
--Password Opt Password for new User. Maximum of 128 characters. If not specified a
random password will be generated and must be reset before the user
may log in.
--Email Opt Maximum of 255 characters. Use !NULL to clear.
--Phone Opt Maximum of 30 characters. Use !NULL to clear.
--Mobile Opt Maximum of 30 characters. Use !NULL to clear. Also recognizes the
value --pager for legacy support.

TPAM 2.5
306
Administrator Guide
Table 99. AddUser options

Option name Req/Opt Description

--UserType Opt Basic (default), Admin, Auditor, or UserAdmin
--Disable Opt Whether the user's ID is currently disabled. Y/N. Disabled users
cannot log in to the appliance.
--ExternalAuth Opt Obsolete, replaced with SecondaryAuth
--SecondaryAuth Opt Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
LDAP.
--ExternalAuthSystem Opt Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem Opt Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID Opt Obsolete, replaced with SecondaryUserID
--SecondaryUserID Opt* User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra Opt The LDAP Primary Authentication Types support an “Extra” user ID.
The User logs in using a shorthand value in the PrimaryAuthID, but the
data in the PrimaryAuthExtra will be used to do the actual
authentication against the external system. Use !NULL to clear.
--PrimaryAuthID Opt* The User ID to use for primary authentication when a non-local
authentication system is used.
--PrimaryAuthType Opt The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem Opt* Name of the defined system to use when the PrimaryAuthType is not
local or certificate. Systems are defined by the appliance System
Administrator.
--CertThumbprint Opt The SHA1 Thumbprint of the user’s certificate. The SHA1 thumbprint
must be exactly 40 characters in length.
--Description Opt Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag Opt Indicates whether the LogonHours value represents allowed or
prohibited hours. Valid values are A (allowed), P (permitted) or N (no
restrictions).
--LogonHours Opt A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all
indicating 07:00 AM). Separate multiple ranges with semi-colons,
07:00-12:00;18:00-23:59 (7AM-12AM and 6PM-11:59PM). If the
LogonHoursFlag value is N this value is ignored.
--LogonDays Opt When Logon Hours are specified you may also specify the days of the
week those hours are effective. Specify days with a string of 7 X's (to
indicate an “on” day) or periods (for an “off” day) to represent the
week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun
and Sat off. If LogonHours are specified and LogonDays is left empty
the default is all days “on”, e.g., XXXXXXX.
--MobileAllowedFlag Opt Whether to allow this user to log in to the system from a mobile
device (Blackberry, iPhone, etc.). Y/N.
--LocalTimezone Opt The user's local time zone. You may enter any part of the time zone
name as long as it is unique in the list, e.g., entering Guam will only
find one time zone while entering 02:00 or US will find multiple
entries. A value of “Server” indicates that the user is in the same
time zone as the server and follows the same DST rules.

TPAM 2.5
307
Administrator Guide
Table 99. AddUser options

Option name Req/Opt Description

--DstFlag Opt Obsolete. Users will now automatically adjust DST per the local time
zone which they are assigned.
--Custom1-6 Opt Custom user columns if defined,. Use !NULL to clear the value.
--TemplateUserName Opt The name of a template user. Data from the template user will be
used as defaults for the new user. Template data will be overridden
with data supplied here. User templates may also contain group
membership and system and collection permissions, all of which will
be automatically transferred to the new user. A CLI User may only
utilize Web-Interface templates.

Legacy support:
AddUser
<UserName>,<LastName>,<FirstName>,[EmailAddress],[Phone],[Mobile],[UserType(Basic
default
\Admin\Auditor\UserAdmin)],[InitialPassword],[DisableFl(Y\N)],[SecAuthType(NONE,SAF
EWORD,SECUREID,LDAP,RADUIS,DEFENDER,WINDAD)],[SecAuthUserID],[Description]

Approve--options
Allows password requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve requests
for the system/account in the request. The CLI user cannot approve a password request they have added on
behalf of another user. Successful execution of the approve command will produce no output. This is by design.

Table 100. Approve options

Option name Req/Opt Description

--RequestID Req Password request ID to approve.
--Comment Req The approval comment. Up to 255 characters.

Legacy support:
Approve <request ID>, <comment>

ApproveSessionRequest--options
Allows session requests to be approved via TPAM CLI. The CLI user ID must be authorized to approve session
requests for the system/account in the request. The CLI user cannot approve a session request they have added
on behalf of another user. Successful execution of the approve command will produce no output. This is by
design.

Table 101. ApproveSessionRequest options

Option name Req/Opt Description

--RequestID Req Session request ID to approve.
--Comment Req The approval comment. Up to 255 characters.

Cancel--options
Allows password requests to be cancelled via TPAM CLI.The CLI user ID must be an authorized approver for the
system/account in the request. Successful execution of the cancel command will produce no output. This is by
design.

TPAM 2.5
308
Administrator Guide
Table 102. Cancel options

Option name Req/Opt Description

--RequestID Req Password request ID to cancel.
--Comment Req The cancel comment. Up to 255 characters.

Legacy support:
Cancel <requestid>,<comment>

CancelSessionRequest--options
Allows session requests to be cancelled via TPAM CLI. The CLI user ID must be an authorized approver for the
system/account in the request.

Table 103. CancelSessionRequest options

Option name Req/Opt Description

--RequestID Req Session request ID to approve.
--Comment Req The cancel comment. Up to 255 characters.

Legacy support:
CancelSessionRequest <requestid>,<comment>

ChangeUserPassword--options
Performs a forced reset on a user’s password. The CLI user must have user administrator (for non-privileged
accounts only) or administrator privilege.

Table 104. ChangeUserPassword options

Option name Req/Opt Description

--UserName Req User name to change password for. Cannot be a system administrator user.
--Password Req New user password. If the password contains any spaces the value must be
surrounded by double quotes.

Legacy support:
ChangeUserPassword <UserName>,<Password>

CheckPassword--options
Initiates a password test for the specified system account. The CLI user must have administrator privilege or the
ISA permission over the system.

Table 105. CheckPassword options

Option name Req/Opt Description

--SystemName Req System name of the account to check.
--AccountName Req Account name to check.

Legacy support:
CheckPassword <SystemName>,<AccountName>

ClearKnownHosts--options
Removes the host entry for the system from TPAM’s known hosts file.The CLI user must have PPM ISA or
Administrator privilege.

TPAM 2.5
309
Administrator Guide
Table 106. ClearKnownHosts options

Option name Req/Opt Description

--SystemName Req Name of the system to clear the known hosts.

DeleteAccount--options
Soft deletes the system account. The CLI user must have ISA or Administrator privilege.

Table 107. DeleteAccount options

Option name Req/Opt Description

--SystemName Req System name of the account to delete.
--AccountName Req Account name to delete.

Legacy support:
DeleteAccount <systemname>,<accountname>

DeleteSyncPass--options
Deletes a synchronized password. The CLI user must have administrator privilege.

Table 108. DeleteSyncPass option

Option name Req/Opt Description

--SyncPassName Req Name of synchronized password to delete.

DeleteSystem--options
Soft deletes the named system. The CLI user must have administrator privilege.

Table 109. DeleteSystem option

Option name Req/Opt Description

--SystemName Req System name of the account to delete.

Legacy support:
DeleteSystem <systemname>

DeleteUser--options
Permanently deletes the named user account. The CLI user must have administrator privilege to delete any user,
or user administrator privilege to delete any non-administrator user.

Table 110. DeleteUser option

Option name Req/Opt Description

--UserName Req User name to delete. Cannot be a system administrator user.

Legacy support:
DeleteUser <username>

DropCollection--options
Deletes an existing collection. The CLI user must have ISA or administrator privilege.

TPAM 2.5
310
Administrator Guide
Table 111. DropCollection option

Option name Req/Opt Description

--CollectionName Req Name of collection to delete. Cannot drop collections tied to auto-discovery.

Legacy support:
DropCollection <CollectionName>

DropCollectionMember--options
Removes a system, account or file from one or more collections. The CLI user must have administrator privilege
or the ISA permission over the collection and system.

Table 112. DropCollectionMember options

Option name Req/Opt Description

--CollectionName Req Name of collection. Cannot drop collections tied to auto-discovery.
--SystemName Req Name of system to drop from the collection. If the an account or file name
is being dropped from the collection, this should be the system on which
the account or file resides.
--AccountName Opt Name of account to drop from collection. The account must reside on --
SystemName.
--FileName Opt Name of file to drop from collection. The --FileName must reside on --
SystemName.

Legacy support:
DropCollectionMember <MemberName>,<CollectionName>

DropGroup--options
Deletes an existing group. The CLI user must have ISA or administrator privilege.--GroupID or --GroupName may
be passed, but not both.

Table 113. DropGroup options

Option name Req/Opt Description

--GroupName Opt Name of group. Cannot drop groups tied to auto-discovery.
--GroupID Opt Unique identifier assigned to group by TPAM.

Legacy support:
DropGroup <GroupName>

DropGroupMember--options
Removes an existing user account from one or more groups. The CLI user must have administrator privilege.--
GroupID or --GroupName may be passed, but not both.

Table 114. DropGroupMember options

Option name Req/Opt Description

--GroupName Opt Name of group. Membership in groups tied to auto-discovery cannot be
changed.
--GroupID Opt Unique identifier assigned to group by TPAM.
--UserName Req Name of user to remove from the group.

Legacy support:

TPAM 2.5
311
Administrator Guide
DropGroupMember <UserName>,<GroupName>

DropSyncPwdSub--options
Removes a subscriber from a synchronized password. Must have administrator privileges.

Table 115. DropSyncPwdSub options

Option name Req/Opt Description

--SyncPassName Req Synchronized password name.
--SystemName Req System name of account to unsubscribe.
--AccountName Req Account name to unsubscribe.

ForceReset--options
Forces a password change for the specified system account. The CLI user must have administrator privilege or
ISA permission over the system. The specified system must be auto managed.
Table 116. ForceResetManual options

Option name Req/Opt Description

--SystemName Req Name of system for the account.
--AccountName Req Account name to reset.

ForceResetManual--options
Allows password reset for a manually managed account through the CLI. This command will return a password to
be set manually and a PasswordID to be used by the ManualPasswordReset to indicate the success or failure of
updating the password.

Table 117. ForceResetManual options

Option name Req/Opt Description

--SystemName Req Name of system for the account.
--AccountName Req Account name to reset.

GetPwdRequest--options
Returns the details associated with the specified password request.

Table 118. GetPwdRequest options

Option name Req/Opt Description

--RequestID Req Password request ID.
--IncludeLinked Opt For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.

Legacy support:
GetPwdRequest <RequestID>

GetSessionRequest--options
Returns the details associated with the specified session request.

TPAM 2.5
312
Administrator Guide
Table 119. GetSessionRequest options

Option name Req/Opt Description

--RequestID Req Session request ID.
--IncludeLinked Opt For requests that are part of a multi-account request, Y will return the
details on all linked requests. N will only return information on the specific
request ID. Y is the default value.

Legacy support:
GetSessionRequest <RequestID>

ListAccounts--options
Lists all defined system accounts. Only systems for which the CLI user has ISA privilege will be listed.
Administrators may list all accounts.

Table 120. ListAccounts options

Option name Req/Opt Description

--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--NetworkAddress Opt Network address to filter. Use * for wildcard.
--CollectionName Opt Collection name to filter. User * for wildcard
--Platform Opt Platform name to filter. Use ALL to filter for all platforms. Default is ALL.
Use “Custom/customPlatName” to indicate a custom platform.
--SystemAutoFlag Opt Filter on the auto-management flag on the system. Y = auto-managed, N=
not managed, or ALL, the default.
--AccountAutoFlag Opt Filter on the auto-management flag on the account. Y = auto-managed,
N= not managed, M = manually managed or ALL, the default.
--DualControlFlag Opt All is the default, Y = > 1 approver required, N = zero approvers required.
--SystemCustom1 Opt Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2 Opt See --SystemCustom1
--SystemCustom3 Opt See --SystemCustom1
--SystemCustom4 Opt See --SystemCustom1
--SystemCustom6 Opt See --SystemCustom1
--AccountCustom1 Opt Filter based on contents of account level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--AccountCustom2 Opt See --AccountCustom1
--AccountCustom3 Opt See --AccountCustom1
--AccountCustom4 Opt See --AccountCustom1
--AccountCustom5 Opt See --AccountCustom1
--AccountCustom6 Opt See --AccountCustom1
--PasswordChangeProfile Opt Name of assigned password change profile.
--PasswordCheckProfile Opt Name of assigned password check profile.
--DisableSchedules Opt Filter by disabled password check or change schedule. Allowed values are
ALL (default), Either, Check, Change, Both, or None.
--Sort Opt Sort results by SystemName (default), AccountName, or NextChangeDate.
--MaxRows Opt Maximum number of rows to return. 25 is the default.

Legacy support:

TPAM 2.5
313
Administrator Guide
ListAccounts SystemName (* for wildcard)],AccountName (* for
wildcard)],[NetworkAddress (* for wildcard)],[CollectionName (* for
wildcard)],[Platform (All| (see Supported platform list)) default=All],[SysAutoFl
(All|Y|N) default=All],[AcctAutoFl (All|Y|N|M) default=All],[Dual Control Required
Flag (All|Y|N) default=All],[Sort (SystemName|AccountName|NextChangeDt)
default=SystemName],[MaxRows Default=25]

ListAcctsForPwdRequest--options
Provides a list of accounts that the user can submit a password request for.

Table 121. ListAcctsForPwdRequest options

Option name Req/Opt Description

--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--MostRecent Opt Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6 Opt Filter results base on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6 Opt Filter results base on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--MaxRows Opt Maximum number of rows to return. 25 is the default.

ListAcctsForSessionRequest--options
Provides a list of accounts that the user can submit a session request for.

Table 122. ListAcctsForSessionRequest options

Option name Req/Opt Description

--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--MostRecent Opt Numeric value. Only display the most recently requested number of
accounts.
--SystemCustom1-6 Opt Filter results base on data in any of the custom system fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--AccountCustom1-6 Opt Filter results base on data in any of the custom account fields. Use * for
wildcard. These columns are defined by the system administrator and
will be ignored if a given column is not defined.
--MaxRows Opt Maximum number of rows to return. 25 is the default.

ListAssignedPolicies--options
Lists access policies assigned to accounts, collections, files, groups, systems or users based on specified filter
criteria. ListAssignedPolicies takes the place of both ListPermissions and ListEGPPermissions.
The output of this command is essentially the same data as the entitlement report. All users will be listed,
along with their effective permissions over any system. The output can potentially be very large. The CLI user
must be an Administrator to return the full list. ISA users will obtain a limited list based upon the scope of their
privilege.
TIP: At least one of the following options must contain a non-wildcard value in order to run this report:
AccessPolicyName, AccountName, CollectionName, FileName, GroupName, SystemName, UserName.

TPAM 2.5
314
Administrator Guide
Table 123. ListAssignedPolicies options

Option name Req/Opt Description

--AccessPolicyName Opt* Access policy names to include in the listing. User * for wildcard. If the
policy name includes spaces the string must be quoted appropriately.
--AccountName Opt* Account name to filter. Use * for wildcard.
--AllorEffectiveFlag Opt A = show all policies affecting each entry or E = only the one effective
policy. When all policies are shown the effective policy is indicated.
--CollectionName Opt* Collection name to filter. Use * for wildcard.
--ExpandCollectionFlag Opt Whether to expand the collections to show all member systems,
accounts, and files. Y or N. Default is N.
--ExpandGroupFlag Opt Whether to expand the groups to show all user members. Y or N.
Default is N.
--ExpandPolicyFlag Opt Whether to expand the access policies to show underlying permissions.
When not expanded only the access policy name shows. Y or N. Default
is N.
--FileName Opt* File name to filter. User * for wildcard.
--GroupName Opt* Group name to filter for.User * for wildcard.
--MaxRows Opt Maximum number of rows to return. The default is 25.
--PermissionName Opt Permissions to include in the listing. Multiple types may be included
with a semi-colon between each. Valid types are: DEN, ISA, APR, REQ,
REV, PAC and ALL (default).
--PermissionType Opt Permission types to include in the listing. Multiple types may be
included with a semi-colon between each. Valid types are: Pwd, Sess,
File, Cmd and ALL (default).
--SortOrder Opt Sort results by UserName (default), SystemName, AccountName,
FileName, PolicyName, GroupName or CollectionName.
--SystemName Opt* System name to filter. Use * for wildcard.
--UserName Opt* User name to filter. Use * for wildcard.

ListCollections--options
Lists collections and collection members, specified by collection name or system name.

Table 124. ListCollections options

Option name Req/Opt Description

--CollectionName Opt Collection name to filter. Use * for wildcard.
--SystemName Opt Indicating the system name will return a list of collections that this system
belongs to.
--AccountName Opt Account name for membership to filter. Use * for wildcard. Use ! to find
collections that do not contain any accounts as members.
--FileName Opt File name for membership to filter. Use * for wildcard. Use ! to find
collections that do not have any files as members.

ListCollectionMembership--options
Lists collection system, account, and file name for all collections, specified collections, or specified systems.
The CLI user must have administrator privilege or the ISA permission over the collection and system.

TPAM 2.5
315
Administrator Guide
Table 125. ListCollectionMembership options

Option name Req/Opt Description

--CollectionName Opt Collection name to filter. Use * for wildcard.
--SystemName Opt Indicating the system name will return a list of collections that this system
belongs to.
--AccountName Opt Account name for membership to filter. Use * for wildcard.
--FileName Opt File name for membership to filter. Use * for wildcard.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListCollectionMembership [CollectionName (* for wildcard)],[SystemName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]

ListDependentSystems--options
Lists status of systems (dependent or not dependent) for a specific account. You must have administrator or PPM
ISA privileges on the system.

Table 126. ListDependentSystems options

Option name Req/Opt Description
--SystemName Req System name.
--AccountName Req Account name.
--DependentStatus Opt Status of dependents to list: Both (default), Dependent, Not Dependent.
--DependentName Opt Filter list of dependents by system name. User * for wildcard.
--MaxRows Opt Maximum number of rows to return. The default is 25.

ListEGPAccounts--options
Lists all accounts that can be PSM enabled. This command has been replaced by ListPSMAccounts. See
ListPSMAccounts--options.

ListGroups--options
Lists groups and group members, specified by group name or member name, or GroupID.

Table 127. ListGroups options

Option name Req/Opt Description

--GroupName Opt Group name to filter. Use * for wildcard.
--GroupID Opt Unique identifier assigned to group by TPAM.
--UserName Opt Indicating the user name will return a list of groups that this user belongs to.
Use a single ! (exclamation point) to find groups with no users assigned.

ListGroupMembership--options
Lists group name and username for all groups, specified groups, or specified users. The CLI user must have
administrator privilege.

Table 128. ListGroupMembership options

Option name Req/Opt Description

--GroupName Opt Group name to filter. Use * for wildcard.
--GroupID Opt Unique identifier assigned to group by TPAM.

TPAM 2.5
316
Administrator Guide
Table 128. ListGroupMembership options

Option name Req/Opt Description

--UserName Opt Use * for a wildcard. Indicating the user name will return a list of groups that
this user belongs to.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListGroupMembership [GroupName (* for wildcard)],[UserName (* for
wildcard)],[MaxRows Default=25 (0 for unlimited)]

ListPSMAccounts--options
Lists all accounts that can be PSM enabled.

Table 129. ListPSMAccounts options

Option name Req/Opt Description

--AccountAutoFlag Opt Y = managed, N = not managed, M = manually managed, or ALL
(default).
--AccountEGPFlag Opt This option is obsolete. Any value passed for this option will be used for
--AccountPSMFlag.
--AccountPSMFlag Opt Filter on PSM enabled check box. Y= enabled, N = disabled or ALL
(default).
--AccountName Opt Account name to filter. Use * for wildcard.
--AccountCustom1 Opt Filter based on contents of account level custom columns. Ignored if
the appropriate custom column has not been defined in Global Settings.
--AccountCustom2 Opt See --AccountCustom1
--AccountCustom3 Opt See --AccountCustom1
--AccountCustom4 Opt See --AccountCustom1
--AccountCustom5 Opt See --AccountCustom1
--AccountCustom6 Opt See --AccountCustom1
--CollectionName Opt Collection name to filter. Use * for wildcard.
--DualControlFlag Opt All is the default, Y = 1 or more approvers required, N = zero approvers
required.
--AccountLockFlag Opt Filter on the account locked flag. Y = locked, N = not locked, or ALL
(default).
--NetworkAddress Opt Network address to filter. Use * for wildcard.
--Platform Opt Platform to filter. Use ALL for all platforms. Use
“Custom/custPlatName” to indicate a custom platform.
--SystemAutoFlag Opt Filter on the auto-management flag on the system. Y = auto-managed,
N= not managed, or ALL, the default.
--SystemCustom1 Opt Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2 Opt See --SystemCustom1
--SystemCustom3 Opt See --SystemCustom1
--SystemCustom4 Opt See --SystemCustom1
--SystemCustom6 Opt See --SystemCustom1
--SystemEGPFlag Opt This option is obsolete. Any value passed in this option will be used for
--SystemPSMFlag.
--SystemPSMFlag Opt Filter on if the system is enabled for PSM. Y = enabled, N = disabled, or
ALL (default).

TPAM 2.5
317
Administrator Guide
Table 129. ListPSMAccounts options

Option name Req/Opt Description

--SystemName Opt Filter on system name. Use * for wildcard.
--Sort Opt Sort results by SystemName (default) or AccountName.
--SortType Opt Ascending (default) or Descending.
--MaxRows Opt Maximum number of rows to return. The default is 25.

ListReasonCodes
Will list any active reason codes and their description that have been defined in TPAM.

ListRequest--options
Lists basic details about password requests for which the CLI user is an approver or requestor.

Table 130. ListRequest options

Option name Req/Opt Description

--Status Opt Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName Opt User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests, as opposed to requests for
approval.
--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--StartDate Opt Start date of requested release date.
--EndDate Opt End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListRequest[Status(All|Pending|Active|Open|Current)Default=Open],[RequestorName(*
for wildcard)],[AccountName(* for wildcard)], [SystemName(* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]

ListRequestDetails--options
Lists specific details about password requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.

Table 131. ListRequestDetails options

Option name Req/Opt Description

--Status Opt Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName Opt User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests as opposed to requests for
approval.
--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--StartDate Opt Start date of requested release date.
--EndDate Opt End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:

TPAM 2.5
318
Administrator Guide
ListRequestDetails [Status(All|Pending|Active|Open|Current)
Default=Open],[RequestorName (* for wildcard)],[AccountName(* for
wildcard)],[SystemName (* for wildcard)],[StartDate (MM/DD/YY)], [EndDate
(MM/DD/YY)],[MaxRows Default=25]

ListSessionRequest--options
Lists basic details about session requests for which the CLI user is an approver or requestor.

Table 132. ListSessionRequest options

Option name Req/Opt Description

--Status Opt Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName Opt User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests as opposed to requests for
approval.
--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--StartDate Opt Start date of requested release date.
--EndDate Opt End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListSessionRequest[Status(All|Pending|Active|Open|Current)Default=Open],[RequestorN
ame(* for wildcard)],[AccountName(* for wildcard)], [SystemName(* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]

ListSessionRequestDetails--options
Lists specific details about session requests for which the CLI user is an approver or requestor, such as
submission date, release duration, expiration date, etc.

Table 133. ListSessionRequestDetails options

Option name Req/Opt Description

--Status Opt Choose from ALL, PENDING, ACTIVE, CURRENT or OPEN (default).
--RequestorName Opt User name of the requestor to filter. Use * for wildcard. Use the name
"User=Myself" to list your own requests as opposed to requests for
approval.
--AccountName Opt Account name to filter. Use * for wildcard.
--SystemName Opt System name to filter. Use * for wildcard.
--StartDate Opt Start date of requested release date.
--EndDate Opt End date of requested release. To select a single date enter a Start Date
and empty End Date.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListSessionRequestDetails[Status(All|Pending|Active|Open|Current)Default=Open],[Req
uestorName(* for wildcard)],[AccountName(* for wildcard)], [SystemName(* for
wildcard)],[StartDate (MM/DD/YY)],[EndDate (MM/DD/YY)],[MaxRows Default=25]

ListSynchronizedPasswords
Lists all synchronized passwords configured in TPAM.

TPAM 2.5
319
Administrator Guide
ListSyncPwdSubscribers--options
List the subscribers of a specific synchronized password. You must have administrator privileges.

Table 134. ListSyncPwdSubscribers option

Option name Req/Opt Description

--SyncPassName Req Synchronized password name.

ListSystems--options
Lists all defined systems. Only systems for which the CLI user has ISA privilege will be listed. Administrators may
list all systems.

Table 135. ListSystems options

Option name Req/Opt Description

--SystemName Opt System name to filter. Use * for wildcard.
--NetworkAddress Opt Network address to filter. Use * for wildcard.
--CollectionName Opt Collection name to filter. Use * for wildcard.
-- Platform Opt Name of platform to filter or ALL (default).Use “Custom/custPlatName”
for a custom platform.
--AutoFlag Opt Filter on the auto-management flag on the system. Y = auto-managed,
N= not managed, or ALL, the default.
--SystemCustom1 Opt Filter based on contents of system level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--SystemCustom2 Opt See --SystemCustom1
--SystemCustom3 Opt See --SystemCustom1
--SystemCustom4 Opt See --SystemCustom1
--SystemCustom6 Opt See --SystemCustom1
--PasswordChangeProfile Opt Name of the assigned password change profile.
--PasswordCheckProfile Opt Name of the assigned password check profile.
--SortOrder Opt Sort results by SystemName (default), NetworkAddress, or
PlatformName.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListSystems <SystemName (* for wildcard),[NetworkAddress (* for
wildcard)],[CollectionName (* for wildcard)],[Platform (All| (see Supported platform
list)) default=All],[SysAutoFl (All|Y|N) default=All],[Sort
(SystemName|NetworkAddress|PlatformName) default=SystemName],[MaxRows Default=25]

ListUsers--options
Lists all non-CLI users defined in TPAM. The CLI user must have administrator or user administrator privilege.

Table 136. ListUsers options

Option name Req/Opt Description

--UserName Opt User name to filter. Use * for wildcard.
--EmailAddress Opt Email address to filter. Use * for wildcard.
--GroupName Opt Group name to filter. Use * for wildcard.
--UserInterface Opt Filter for API, CLI, WEB or ALL (default).
--UserType Opt Filter for BASIC,ADMIN, AUDITOR, USERADMIN, or ALL (default).

TPAM 2.5
320
Administrator Guide
Table 136. ListUsers options

Option name Req/Opt Description

--Status Opt Filter for ENABLED, DISABLED, LOCKED, or ALL (default).
--ExternalAuthType Opt obsolete, replace by --SecondaryAuthType
--SecondaryAuthType Opt Filter for SAFEWORD, SECUREID, LDAP, WINAD, RADUIS, DEFENDER,
NONE, or ALL (default).
--UserCustom1 Opt Filter based on contents of user level custom columns. Ignored if the
appropriate custom column has not been defined in Global Settings.
--UserCustom2 Opt See --UserCustom1
--UserCustom3 Opt See --UserCustom1
--UserCustom4 Opt See --UserCustom1
--UserCustom6 Opt See --UserCustom1
--SortOrder Opt Sort results by UserName (default), FirstName, or LastName.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Legacy support:
ListUsers <UserName (* for wildcard),>[EmailAddress (* for wildcard)],[GroupName (*
for wildcard)],[UserInterface (All|CLI|WEB|API) default=All],[UserType
(All,Basic,Admin,Auditor,UAdmin) default=All],[Status (All|Enabled|Disabled|Locked)
default=All],[SecondaryAuthType (All|SafeWord|SecureID|LDAP|RADIUS|WINAD|DEFENDER
|None) default=All],[Sort (UserName|FirstName|LastName) default=UserName],[MaxRows
Default=25]

ManualPasswordReset--options
Ability to indicate if resetting a password for a manually managed account succeeded or failed.

Table 137. ManualPasswordReset options

Option name Req/Opt Description

--PasswordID Req Password ID returned from ForceResetManual command.
--Status Req Whether the password change/sync worked or not. Success/Fail.

ReportActivity--options
Ability to run the activity report from the CLI.

Table 138. ReportActivity options

Option name Req/Opt Description

--StartDate Opt Start date of activities. Must be a valid date time in the form of
MM/DD/YYYY HH:MM. The time portion is optional. If included it must
be in 24 hour format with a space in between date and time.
--EndDate Opt End date of activity. Must be a valid date time in the form of
MM/DD/YYYY HH:MM. The time portion is optional. If included it must
be in 24 hour format with a space in between date and time. To select a
single date enter the same start and end date. If not dates are provided
the report will cover all dates in the activity log.
--UserName Opt User name to filter for. Use * for wildcard.
--Role Opt ISA, REQ, or APR. If role is not passed all roles will be returned.
--GroupName Opt Filter for user membership in a group. Use * for wildcard.
--Operation Opt Single operation to filter. ALL is the default.

TPAM 2.5
321
Administrator Guide
Table 138. ReportActivity options

Option name Req/Opt Description

--Target Opt Target text to filter. Use * for wildcard.
--ObjectType Opt Object type to filter. Default is ALL.
--Sort Opt Sort options are LogTime (default), UserName, ObjectType, or
Operation.
--Direction Opt Sort direction. ASC (default) or DESC.
--MaxRows Opt Maximum number of rows to return. The default is 25.

Retrieve--options
Provides a mechanism to retrieve a password for a managed system/account. The CLI user ID must be
authorized to retrieve the password, by either having ISA permissions for the account or having an approved
request ID. If a requestor the --RequestID parameter must be used. The optional requirement for dual control
does not apply to CLI releases. The comment is not required.

Table 139. Retrieve options

Option name Req/Opt Description

--SystemName Req* System name. If the caller only has request permissions then the
RequestID parameter must be used instead of the system and account
name.
--AccountName Req* Account name. If the caller only has request permissions then the
RequestID parameter must be used instead of the system and account
name.
--RequestID Req* The requestID must be an approved password release request and the
caller must be the requestor. If the caller has ISA permissions the
system and account name must be supplied instead of the requestID.
--ReasonCode Opt* Reason code for retrieving the password. Based on global settings, a
reason code may be required, optional, or not allowed.
--ReasonText Opt* ISA reason for retrieving the password. Based on global settings, reason
text may be required, optional, or not allowed.
--TicketNumber Opt* Ticket number to validate. Based on account settings, a ticket number
may be required, optional, or not allowed. Parameter ignored when
using RequestID.
--TicketSystemName Opt* Name of ticket system to validate. Based on account settings, a ticket
number may be required, optional, or not allowed. Parameter ignored
when using RequestID.
--TimeRequired Opt Number of minutes to release the password. The default duration is set
at the account level. Ignored when using RequestID.

Legacy support:
Retrieve <systemname>, <accountname>, <TimeRequired(in minutes)>,<comment>

SetAccessPolicy--options
Allows you to add or remove an access policy assignment to an account, collection, file, group, system, or user.
Replaces the old CLI commands of GrantPermission, SetPermission, SetEGPPermission, and RevokePermissions.

Table 140. SetAccessPolicy options

Option name Req/Opt Description

--AccessPolicyName Req Name of access policy to assign.
--Action Req Add or Drop.

TPAM 2.5
322
Administrator Guide
Table 140. SetAccessPolicy options

Option name Req/Opt Description

--AccountName Opt Account affected by the assignment. If account is specified then --
SystemName must also be specified. The value must be empty if
CollectionName is specified.
--CollectionName Opt Collection affected by the assignment. If this value is provided, then
SystemName, AccountName and FileName must not be provided.
--FileName Opt File name affected by the assignment. SystemName must also be
provided.
--GroupName Opt Group name affected by the assignment. Either UserName or Group
must be specified, but not both. Global groups cannot have their
permissions altered.
--SystemName Opt System name affected by the assignment or the system name for the
account or file provided.
--UserName Opt User name affected by the assignment. Either user or group must be
specified, but not both. Auditor, cache, useradmin, and sysadmin users
cannot be assigned permissions.

SSHKey--options
Retrieves or regenerates system and PSM specific keys. Also can retrieve system standard keys.

Table 141. SSHKey options

Option name Req/Opt Description

--KeyFormat Opt Format of the SSH key output - OpenSSH (default) or SecSSH.
--StandardKey Req* Name of the system standard key to export. You must pass either --
StandardKey name OR --SystemName / --AccountName.
--SystemName Req* Name of managed system to retrieve or regenerate keys for. The system
must have Use System Specific Key selected for connections. When
retrieving the system’s key do not pass a value for --AccountName.
--AccountName Req* The name of the managed account to retrieve a PSM specific DSS key.
The PSM session authentication must have Use Specific Key selected.
The --SystemName must be included when specifying --AccountName.
--Regenerate Opt Y/N (default is N). Regenerate the system key or account key before
retrieving. The system or PSM account must already be set to use a
specific key before calling this.
NOTE: A standard key cannot be regenerated! Regenerating a key will
immediately make the old key unusable. The new key will have to be
put in place before being able to access the system again.

SyncPassForceReset--options
Forces the reset of a synchronized password, changing it in priority order.You must have administrator
privileges.

Table 142. SyncPassForceReset options

Option name Req/Opt Description

--SyncPassName Req Name of synchronized password to reset.
--NewPassword Opt Password to set as the new password.

TestSystem--options
Initiates a system test. The CLI user must have administrator privilege or the ISA permission over the system.

TPAM 2.5
323
Administrator Guide
Table 143. TestSystem option

Option name Req/Opt Description

--SystemName Req Name of system to test.

Legacy support:
TestSystem <SystemName>

UnlockUser--options
Unlocks a currently locked user account. The CLI user must have ISA, User Administrator or Administrator
privilege.

Table 144. UnlockUser option

Option name Req/Opt Description

--UserName Req Name of user to unlock. Cannot be a system administrator user ID.

Legacy support:
UnlockUser <UserName>

UpdateAccount--options
Modifies an existing account. The CLI user must have ISA or Administrator privilege. You can only update the
password for an account that is not auto-managed.

Table 145. UpdateAccount options

Option name Req/Opt Description

--SystemName
--AccountName
--AliasAccessOnlyFlag
--AllowISADurationFlag
--AutoFlag
--BlockAutoChangeFlag
--ChangeFrequency
--ChangeTime
--CheckFlag
--ChangeServiceFlag
--ChangeTaskFlag
Req System Name. Maximum 30 characters.
Req Account Name. Maximum 30 characters.
Opt This option is obsolete. Any value passed in using this option will
be used for the --IgnoreSystemPoliciesFlag option.
Opt Allow the ISA to specify a duration when retrieving a password.
Y/N
Opt Account Password Management type. N=None, Y=Automatic,
M=Manual
Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Check Profile.
Opt Change the password for Windows® Services started by this
account. Y/N (Windows® platforms only)
Opt Change the password for the Windows® scheduled tasks started by
this account. (Windows® platforms only)

TPAM 2.5
324
Administrator Guide
Table 145. UpdateAccount options

Option name Req/Opt Description

--Custom[1-6] Opt Custom Account Columns, if defined. Use !NULL to clear the
value.
--Description Opt Use !NULL to clear the value. Maximum of 255 characters.
--DomainAccountName Opt For Windows® or BoKS platforms. Enter
domainname\accountname
--EnableBeforeReleaseFlag Opt Y/N. When set to Y, TPAM will disable the account on the remote
system until the password is released or a session started which
requires the password to authenticate. (Windows® platforms only)
--EscalationEmail Opt If a password post-release review is not completed within the
number of hours in EscalationTime send an email to this address.
Use !NULL to clear the value.
--EscalationTime Opt Number of hours after which to send an escalation email if a
password post-release has not been completed. Expressed in
hours. Use 0 (zero) to disable the notification.
--IgnoreSystemPoliciesFlag Opt Ignore System Policies Flag. Y/N. When set to Y any System-level
Access Policies are ignored, and only Account-level policies are
used for permissions.
--LockFlag Opt Account Lock Flag. Y/N. Passwords for locked accounts cannot be
retrieved, released, or changed
--MaxReleaseDuration Opt The maximum duration for a password request, expressed in
minutes. The value will be rounded to the nearest 15-minute
increment. Valid values are 1-10080 (7 days).
--MinimumApprovers Opt Minimum number of approvals required for a password release
request. 0 (zero) indicates that all requests are auto-approved.
--NextChangeDate Opt Set the next scheduled change date for this account. The account
will be scheduled for the first available time window based on the
assigned Password Change Profile.
--OverrideAccountability Opt When the Global Setting to Allow Account specific override is
enabled this flag can be turned on at the account level to allow
simultaneous, overlapping password requests to be approved.
When the Global Setting is not enabled this flag is ignored. Y/N
--Password Opt Initial or new password for the account. The password cannot be
changed for auto-managed accounts. Maximum of 128 characters.
--PasswordChangeProfile Opt A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile Opt A profile which controls when the account will have it’s password
checked.
--PasswordRule Opt Name of the Password Rule used to generate passwords for the
account. The default rule for new accounts is set on the managed
system. You may also specify “Default Password Rule” or another
rule to override this.
--ReleaseNotifyEmail Opt Use !NULL to clear the value.
--ReleaseChangeFlag Opt Change the password after any ISA, CLI, or API release. Y/N
--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15
minute increment. Valid values are 0-10080 (7 days). If 0 is
entered the ISA retrieval of a password will not trigger a post
release reset of the password. This is ignored if
ReleaseChangeFlag is N.

TPAM 2.5
325
Administrator Guide
Table 145. UpdateAccount options
Option name
--RequireTicketForAPI
--RequireTicketForCLI
--RequireTicketForISA
--RequireTicketForPSM
--RequireTicketForRequest
--ResetFlag
--RestartServiceFlag
--ReviewCount
--ReviewerName
--ReviewerType
--SimulPrivAccReleases
--TicketSystemName
--TicketEmailNotify
--UseSelfFlag
UpdateCollection--options
Allows you to update the PSM Affinity assignment for a collection.
Table 146. UpdateCollection options
Option name Req/Opt
--CollectionName Req
--Description Opt
--PSMDPAAffinity Opt
Req/Opt Description
Opt Require a valid Ticket System & Number for any API password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
Opt Require a valid Ticket System & Number for any CLI password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
Opt Require a valid Ticket System & Number for any ISA password
retrieval on this account. Y/N. Ignored if RequireTicketForRequest
is N.
Opt Require a valid Ticket System & Number for any PSM request on
this account. Y/N.
Opt Require a valid Ticket System & Number for any password request
on this account. Y/N
Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Check Profile.
Opt Restart Windows® services started by this account, following a
password change. Y/N (Windows® only)
Opt Number of post-release reviews required after a password
release. 0-n If ReviewCount is zero updates to ReviewerName and
ReviewerType are ignored.
Opt User Name or Group Name of required reviewer. Only valid when
ReviewerType is User or Group.
Opt Type of reviewer. Valid values are: Any (default), Auditor, User,
Group
Opt Number of simultaneous Privileged Access Users who may retrieve
the password. 0-99
Opt When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid
ticket system.
Opt Email to notify if a password is retrieved via API, CLI, or ISA
without a ticket number. Ignored when RequireTicketForRequest
is N or ticket is required for all three (API, CLI, and ISA). Use
!NULL to clear the value.
Opt Use the account's current password to change the password. Y/N.
If the functional account is flagged as “non-privileged” at the
system level this value is forced to Y.
Description
Collection name.
Collection description. Max of 50 characters.
List of all DPA’s to use for PSM Affinity in the form of
DPAName1/priority;DPAName2/priority. Pass “Any” to rest the list and
allow any DPA to be used. Priority must be > 0 to add a DPA. A priority
of 0 removes the DPA from the list.
TPAM 2.5
326
Administrator Guide
UpdateDependentSystems--options
Allows you to update the dependent systems assigned to an account. You must have Administrator or PPM ISA
privileges on the system.

Table 147. UpdateDependentSystems options

Option name Req/Opt Description

--SystemName Req System name.
--AccountName Req Account name.
--Assign Opt Semi-colon separated list of systems to assign as dependents. The
dependent must be an auto-managed system with a platform of
Windows® or SPCW, and cannot be the parent system named in the
SystemName parameter. You may specify a list of systems to both assign
and unassign in the same command.
--Unassign Opt Semi-colon separated list of systems to remove as dependents. You may
specify a list of systems to both assign and unassign in the same
command.

UpdateEGPAccount--options
Modifies the PSM details of an existing account. The CLI user must have PPM ISA and PSM ISA or Administrator
privilege. Same parameters as UpdatePSMAccount.

UpdatePSMAccount--options
Replaces the UpdateEGPAccount command.

Table 148. UpdatePSMAccount options

Option name Req/Opt Description

--SystemName Req System Name. Maximum 30 characters.
--AccountName Req Account Name. Maximum 30 characters.
--ClipboardFlag Opt Whether to enable clipboard support to/from host to the session.
Y or N.
--CLIAccountName Opt The account name on the remote TPAM to retrieve. Use !NULL to
clear the value.
--CLIDomainName Opt The AD or Netbios name to use when starting the session. Use
!NULL to clear the value.
--CLISystemName Opt When a TPAMCLIUserName is specified, you may also include an
optional system and account name for retrieval on the remote
TPAM. The CLISystemName, CLIAccountName, and
CLIDomainName values are ignored if the TPAMCLIUserName is not
specified. Use !NULL to clear the value.
--ColorDepth Opt Color depth of the PSM session. Values of 8 or 16 for RDP proxy
type. Values of 0, 1,2, and 3 for VNC proxy type.
--ConnectionProfile Opt Name of the optional custom connection profile to use for
sessions on this account. Connection profiles are tied to specific
proxy types. Use the value Standard to revert to default
connection information.
--ConsoleFlag Opt Y or N.
--DSSKey Opt The DSS key to use for session authentication when the
DSSKeyType is Upload. The key may be up to 4096 characters.
--DSSKeyName Opt Name of specific DSS Key.

TPAM 2.5
327
Administrator Guide
Table 148. UpdatePSMAccount options

Option name Req/Opt Description

--DSSKeyType Opt The source of the DSS key used for session authentication when
PasswordMethod is set to DSSKey. Valid values are:
• Standard - use of any of the standard keys
• Specific - generate and use a specific DSS key for this
account
--DefaultSessionDuration Opt Default value used for duration of a session request, in minutes.
The value will be rounded to the nearest 15 minute increment.
--DomainAccount Opt The Windows® domain account used to authenticate the session
when PasswordMethod is Windows domain account.
--EnableFlag Opt Indicates if this account may be requested for PSM sessions. Y or
N.
--EscalationEmail Opt If a session post-release review is not completed within the
number of hours in EscalationTime send an email to this address.
Use !NULL to clear the value.
--EscalationTime Opt Number of hours after which to send an escalation email if a
session post-release review has not been completed. Expressed in
hours. Use 0 (zero) to disable the notification.
--FileTransAuthMethod Opt Choices are:
• Same - use same credentials as the session
• Prompt - ask for credentials at the time of transfer
--FileTransDownFlag Opt Whether to allow the transfer of files from the session to the
host. Y or N.
--FileTransPath Opt A directory path on the target machine where the transferred file
will be placed. Directory syntax is platform specific.
--FileTransType Opt The file transfer method. Values are platform specific. Values are
as follows:
• DIS - file transfer disabled (default)
• WFC - Windows® file copy
• SCP - secure copy
• FTP - file transfer protocol
• ECP - SCP using PSM functional account.
--FileTransUp Opt Whether to allow the transfer of files from the host to the
session. Y or N.
--MaxSessionCount Opt The maximum number of simultaneous sessions that may be
running for this account. For proxy types that display a password
this value is set to 1 and cannot be changed.
--MinApprovers Opt Minimum number of approvals required for a session request. 0
(zero) indicates that all session requests are auto-approved. If the
proxy type requires the display of a password, this value is
overridden by the PPM release minimum approval value.
--NotifyFrequency Opt If NotifyThreshold is greater than zero this is the frequency at
which PSM expired session emails will be sent.
--NotifyThreshold Opt If greater than zero this indicates the number of minutes after the
expiration of the session request when TPAM should send
notification emails of a still active session. The email notification
will continue until the session is terminated.

TPAM 2.5
328
Administrator Guide
Table 148. UpdatePSMAccount options

Option name Req/Opt Description

--PARCLIUserName or
--TPAMCLIUserName
--PasswordMethod
--PostSessionProfile
--ProxyType
--RecordingRequiredFlag
--ReviewCount
--ReviewerName
--ReviewerType
SessionStartNotifyEmail
Opt The CLI user on another TPAM appliance used to retrieve the
password when the PasswordMethod is Remote TPAM CLI. The CLI
user must already be defined on this appliance and is in the form
of TPAMName/CLIUserName.
Opt Method PSM uses to authenticate sessions to the account. The
option values must be surrounded by quotes because of spaces.
Valid values are:
• “Local TPAM” - use the local TPAM appliance for the
password. (default)
• “Remote TPAM CLI” -use another TPAM appliance for the
password. TPAMCLIUserName must be supplied.
• “DSS Key” - use a DSS Key.
• “Not Stored” - the user will be prompted for the password
when starting the session.
• “Windows Domain Account” - use the account in
DomainAccount for the password.
Opt Name of post session profile to control activities that take place
after the session expires. Use the value Standard to revert to
default processing.
Opt* Type of proxy connection used for the session. Values are platform
dependent. Proxy type is required when changing the EnableFlag
on accounts. Use the entire text as seen on the PSM Details tab in
the TPAM interface.
Opt Whether to require all sessions are recorded. Y or N.
Opt Number of post-release reviews required after a session expires.
Opt User name or group name of required reviewer.
Opt* Type of reviewer. This value is required when ReviewCount is >0.
Valid values are:
• Any (default)
• Auditor
• User
• Group
Opt If populated, an email will be sent any time a session is started on
this account. Use !NULL to clear the value.

UpdateSyncPass--options
Allows you to update a synchronized password.

Table 149. UpdateSyncPass options

Option name Req/Opt Description

--SyncPassName Req Name of synchronized password. You must have administrator
privileges.
--AccountLevelCheckProfile Opt Y/N. Default is N. If Y, then the Synchronized Password does not have
Password Check Profile and the password checks are based on the
password check profile assigned to each member account.
--ChangeFrequency Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.

TPAM 2.5
329
Administrator Guide
Table 149. UpdateSyncPass options

Option name Req/Opt Description

--ChangeTime Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.
--CheckFlag Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password Check
Profile.
--DisableFlag Opt Disable synchronizing subscribed accounts. Y/N
--Description Opt Use !NULL to clear the value. Maximum of 255 characters.
--NextChangeDate Opt Sets the next scheduled change date for this account.
--Password Opt Initial or new password for the account. The password cannot be
changed for auto-managed accounts. Max of 128 characters.
--PasswordChangeProfile Opt A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile Opt* A profile which controls when the account will have it’s password
checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule Opt Name of the Password Rule used to generate passwords for the account.
The default rule for new accounts is set on the managed system. You
may also specify Default Password Rule or another rule to override this.
--ReleaseNotifyEmail Opt Use !NULL to clear the value. This email address receives an email
when the password is released.
--ReleaseChangeFlag Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE RELEASE.
The functionality of the option has been assumed by the Password
Change Profile.
--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest 15
minute increment. Valid values are 0-10080 (7 days). If 0 is entered the
ISA retrieval of a password will not trigger a post release reset of the
password. This value is ignored if ReleaseChangeFlag is N.
--ResetFlag Opt Reset the password if a regular check finds a mismatch. Y/N. This value
is ignored if CheckFlag is N.

UpdateSystem--options
Modifies an existing system. The CLI user must have ISA or Administrator privilege.

Table 150. UpdateSystem options

Option name Req/Opt Description

--SystemName Req System Name. Must be between 2 and 30 characters in length and
consist of only upper or lower case letters, numbers, hyphen,
underscore, period, or US dollar sign ($).
--NewSystemName Opt New name to apply to system.
--AllowFuncReqFlag Opt Whether to allow the functional account password to be requested and
released. Y/N. Default N.
--AllowISADurationFlag Opt Allow an ISA to enter a duration when releasing a password in the GUI.
Y/N. Default N.
--AlternateIP Opt Obsolete as of TPAM v2.5.909.
--AutoDiscoveryExcludeList Opt List of account names (up to 1,000 characters) separated by semi-
colons which will be ignored when processing the auto-discovery
profile on this system. Use !NULL to clear the value or override the
template’s value.

TPAM 2.5
330
Administrator Guide
Table 150. UpdateSystem options

Option name Req/Opt Description

--AutoDiscoveryProfile Opt Name of auto-discovery profile which will be used to discover
new/deleted accounts on this system. Use !NULL to clear the value or
override the template’s value. Auto-discovery is only valid for
Windows®, *nix, and DBMS platforms.
--AutoDiscoveryTimeout Opt Timeout (in seconds) when discovering accounts on this system.
Default is 300. If the discovery process times out it will continue to
discover accounts at the next scheduled run. Use 0 (zero) to set the
default.
--BoksServerOS Opt The OS Name (platform) for a Boks server.
--ChangeFrequency Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--ChangeTime Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--Custom[1-6] Opt Custom system columns, if defined. Use !NULL to clear the value.
--CheckFlag Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Check Profile.
--Description Opt Use !NULL to clear the value. Maximum of 255 characters.
--DomainFuncAccount Opt The domain account to be used as the functional account. Must be in
the form SystemName\AccountName and the account must already be
defined in TPAM. When specified the FunctionalAccount and
FuncAcctCred are ignored.
--DomainName Opt* The domain name for Windows®.*Required for Windows AD systems.
--EGPOnlyFlag Opt Setting this value to Yes will disabled *ALL* PPM functionality on this
system and all its accounts and will delete any existing password
history or secure stored files. Y/N.
--EnablePassword Opt Password to use for the “ENABLE” account (Cisco platforms only) or
“Expert” account (CheckPoint SP platform only).
--EscalationEmail Opt If a password post-release review is not completed within the number
of hours in EscalationTime send and email to this address. Use !NULL
to clear the value.
--EscalationTime Opt Number of hours after which to send an escalation email if a password
post-release has not been completed. Expressed in hours. Use 0 (zero)
to disable the notification.
--FuncAcctCred Opt Password for the account indicated in the FunctionalAccount option.
Use a password of DSS to have the system use system standard keys for
functional account credentials or a password of SPECIFIC to use a
system specific key.
--FuncAcctDN Opt* The distinguished name of the functional account. Required for Novell
NDS, LDAP pr LDAPS systems. Ignored for all others.
--FunctionalAccount Opt Account name of the functional account for the system. This is the
account which will be used to change other passwords on the system.
--LineDef Opt Mainframe and Cisco telnet attribute.
--MaxReleaseDuration Opt The maximum duration for a password request, expressed in minutes.
The value will be rounded to the nearest 15-minute increment. Valid
values are 1-10080 (7 days).
--NetBiosName Opt Required for Windows® AD or SPCW (DC) platforms.

TPAM 2.5
331
Administrator Guide
Table 150. UpdateSystem options

Option name Req/Opt Description

--NetworkAddress Opt Network address of the system. May be an IP V4 address or a fully
qualified domain name.
--NonPrivFuncFlag Opt Y/N. Default is N. Set to Y when the functional account is not
authorized to change passwords.
--OracleSIDSN Opt Either the SID or Service Name (as indicated in the OracleType option)
used to connect to the Oracle® system.
--OracleType Opt May be either SID or SN. Only accepted for Oracle® platform.
--PasswordChangeProfile Opt A profile which controls when the account will have it’s password
changed.
--PasswordCheckProfile Opt* A profile which controls when the account will have it’s password
checked. *Required when AccountLevelCheckProfile is N.
--PasswordRule Opt The name of the Password Rule used to generate random passwords for
this system. Leave empty to use the default password rule for new
Systems. Must use the text “Default Password Rule” to change existing
systems.
--PlatformName Opt Any recognized platform name. Note that certain platforms, once set,
cannot be changed. For custom platform names the platform name is
indicated by “Custom” or “Custom Platform” followed by a forward
slash (/) and the custom platform name.
--PlatSpecificValue Opt A platform specific value, e.g., Linux® Delegation prefix or Windows®
Computer Name. Not all platforms support this value.
--PortNumber Opt Port number used for SSH communication with the system. Default
values are platform specific.
--PPMDPAAffinity Opt List of DPAs to use for PPM affinity in the form
DPAName1/priority;DPAName2/priority. Use Local to reset the list
and only use the appliance for password checks/changes. Use a
priority of 0 (zero) to remove a DPA from the list. PPM affinity cannot
be set when adding a system from a template, but after the system is
created the affinity may be changed.
--PSMDPAAffinity Opt List of DPAs to use for PSM affinity in the form
DPAName1/priority;DPAName2/priority. Use Any to allow any DPA to
be used. Priority must be a number greater than zero. Use a priority of
0 (zero) to remove a DPA from the list. PSM affinity cannot be set when
adding a system from a template, but after the system is created the
affinity may be changed.
--PrimaryEmail Opt Primary email contact for this system. Max of 255 characters. Use
!NULL to clear the value.
--ProfileCertType Opt One of the following values:
• N - no thumbprint or certificate. Default
• T- Thumbprint only. The SHA1 thumbprint of the certificate
used by the system to notify TPAM of availability for check and
change operations.
• G- Generated. TPAM will generate a certificate and record the
thumbprint. This certificate must be installed on the system in
order to call the TPAM notifier service.
--ProfileCertThumbprint Opt Thumbprint of certificate. Only used if ProfileCertType is T.
--ReleaseChangeFlag Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Release Duration Value.

TPAM 2.5
332
Administrator Guide
Table 150. UpdateSystem options

Option name Req/Opt Description

--ReleaseDuration Opt The default duration for an ISA/CLI/API retrieval of a password,
expressed in minutes. The value will be rounded to the nearest
15minute increment. Valid values are 0-10080. If 0 is entered the ISA
retrieval of a password will not trigger a post release reset of the
password.
--RequireTicketForAPI Opt Require a valid Ticket System & Number for any API password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForCLI Opt Require a valid Ticket System & Number for any CLI password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForISA Opt Require a valid Ticket System & Number for any ISA password retrieval
on this account. Y/N. Ignored if RequireTicketForRequest is N.
--RequireTicketForRequest Opt Require a valid Ticket System & Number for any password request on
this account. Y/N
--RequireTicketForPSM Opt Require a valid Ticket System & Number for any PSM request on this
account. Y/N.
--ResetFlag Opt THIS OPTION IS OBSELETE AND WILL BE REMOVED IN A FUTURE
RELEASE. The functionality of the option has been assumed by the
Password Change Profile.
--SSHAccount Opt The account name to use when communicating with this system via
SSH. This is required when the UseSshFlag is set to Y.
--SSHKey Opt Either “Standard” to use the appliance's system standard keys or
“Specific” to generate a specific key for this system. “Standard” is the
default.
--SSHPort Opt The port number for SSH communication. If not specified a default of
22 is used.
--SystemAutoFlag Opt Whether or not to enable automatic password management for
accounts on this system. Y/N. If set to N the account auto flags may
only be N (none) or M (Manual). Y/N.
--TicketEmailNotify Opt Email to notify if a password is retrieved via API, CLI, or ISA without a
ticket number. Ignored when RequireTicketForRequest is N or ticket is
required for all three (API, CLI, and ISA). Use !NULL to clear the value.
--TicketSystemName Opt When RequireTicketForRequest is Y this is the Ticket System that's
required. Use a value of “!Any” to allow tickets from any valid ticket
system.
--Timeout Opt The number of seconds TPAM will attempt to communicate with the
system for password checks and changes before issuing a “timed out”
error. Default is 20 seconds.
--UseSslFlag Opt Whether or not to use SSL to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh
Flags are mutually exclusive. You may only set one or the other, not
both.
--UseSshFlag Opt Whether or not to use SSH to communicate with the system. Y/N.
Support for this is platform specific. NOTE: The UseSsl and UseSsh
Flags are mutually exclusive. You may only set one or the other, not
both.

UpdateUser--options
Modifies an existing user account. The CLI user must have user administrator or administrator privilege.

TPAM 2.5
333
Administrator Guide
Table 151. UpdateUser options

Option name Req/Opt Description

--UserName Opt User Name. Maximum 30 characters.
--LastName Opt Maximum of 30 characters.
--FirstName Req Maximum of 30 characters.
--Email Opt Maximum of 255 characters. Use !NULL to clear.
--Phone Opt Maximum of 30 characters. Use !NULL to clear.
--Mobile Opt Maximum of 30 characters. Use !NULL to clear. Also recognizes the
value --pager for legacy support.
--UserType Opt Basic (default), Admin, Auditor, or UserAdmin
--Disable Opt Whether the user's ID is currently disabled. Y/N. Disabled users cannot
log in to the appliance.
--ExternalAuth Opt Obsolete, replaced with SecondaryAuth
--SecondaryAuth Opt Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
LDAP.
--ExternalAuthSystem Opt Obsolete, replaced with SecondaryAuthSystem
--SecondaryAuthSystem Opt Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.
--ExternalUserID Opt Obsolete, replaced with SecondaryUserID
--SecondaryUserID Opt* User ID to use for secondary authentication. This is required when
SecondaryAuth is other than None.
--PrimaryAuthExtra Opt The LDAP Primary Authentication Types support an “Extra” UserID. The
User logs in using a shorthand value in the PrimaryAuthID, but the data
in the PrimaryAuthExtra will be used to do the actual authentication
against the external system. Use !NULL to clear.
--PrimaryAuthID Opt* The User ID to use for primary authentication when a non-local
authentication system is used.
--PrimaryAuthType Opt The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem Opt* Name of the defined system to use when the PrimaryAuthType is not
local. Systems are defined by the appliance System Administrator.
--CertThumbprint Opt The SHA1 or SHA256 thumbprint of the user’s certificate. SHA1
thumbprints must be 64 characters. Both should consist of only
numbers and the letters A-F. This value is ignored unless the
PrimaryAuthType is Certificate.
--Description Opt Maximum of 255 characters. Use !NULL to clear.
--LogonHoursFlag Opt Indicates whether the LogonHours value represents allowed or
prohibited hours. Valid values are A, P, or N (no restrictions).
--LogonHours Opt A listing of up to 4 hour ranges. Times must be expressed in 24-hour
format in any of the following forms: 7, 07, 700, 0700, 07:00 (all
indicating 07:00 AM). Separate multiple ranges with semi-colons,
07:00-12:00;18:00-23:59 (7AM-12AM and 6PM-11:59PM). If the
LogonHoursFlag value is N this value is ignored.

TPAM 2.5
334
Administrator Guide
Table 151. UpdateUser options

Option name Req/Opt Description

--LogonDays Opt When Logon Hours are specified you may also specify the days of the
week those hours are effective. Specify days with a string of 7 X's (to
indicate an “on” day) or periods (for an “off” day) to represent the
week from Sunday-Saturday. For example, .XXXXX. is Mon-Fri on, Sun
and Sat off. If LogonHours are specified and LogonDays is left empty
the default is all days “on”, e.g., XXXXXXX.
--MobileAllowedFlag Opt Whether to allow this user to log in to the system from a mobile device
(Blackberry, iPhone, etc.). Y/N.
--LocalTimezone Opt The user's local time zone. You may enter any part of the time zone
name as long as it is unique in the list, e.g., entering Guam will only
find one time zone while entering 02:00 or US will find multiple
entries. A value of “Server” indicates that the user is in the same time
zone as the server and follows the same DST rules.
--DstFlag Opt Obsolete. Users will now automatically adjust DST per the local time
zone which they are assigned.
--Custom1 Opt Custom user columns, if defined. Use !NULL to clear the value when
updating.
--Custom2 Opt see --Custom1
--Custom3 Opt see --Custom1
--Custom4 Opt see --Custom1
--Custom5 Opt see --Custom1
--Custom6 Opt see --Custom1

Legacy support:
UpdateUser
<UserName>,[LastName],[FirstName],[EmailAddress],[Phone],[Mobile],[UserType
(Basic|Admin|Auditor|UserAdmin)],[DisableFl(Y|N)],[SecAuthType(NONE,SAFEWORD,SECURE
ID,LDAP,RADIUS,DEFENDER WINAD)],[SecAuthUserID],[Description]

UserSSHKey--options
Regenerate or retrieve a key for yourself or others. Must be an Administrator.
IMPORTANT: If regenerating your own key make sure not to overwrite the old key file before the command
has completed.

IMPORTANT: Regenerating a user’s key will immediately make their old key invalid. The user will have to
put this new key in place before being able to access TPAM again.

Table 152. UserSSHKey options

Option name Req/Opt Description

--UserName Opt User name to retrieve. If no user name is supplied your own user name will
be used. If retrieving or regenerating a key for a user other than yourself
the user must be key based with NOTPAM web access.
--KeyType Opt The DSS key to retrieve. Must be CLI or API. The default is the key type of
the calling interface.
--PassPhrase Opt Only allowed when regenerating a CLI key. Passphrase must be at least 5
characters long and may be up to 128 characters and contain anything
except double quote characters (").
--Regenerate Opt Regenerate the key before retrieving. Users without web access must
retrieve and regenerate their own keys. Y/N. Default is N.

TPAM 2.5
335
Administrator Guide
 42
Application Programming Interface (API)

• Introduction
• C++ library
• .NET library
• PERL library
• Java® library
• C++ examples
• .NET examples (C#)

Introduction
The TPAM Application Programming Interface (API) allows client applications, via an SSH (Secure Shell)
connection to the TPAM appliance, to perform many of the operations provided in the TPAM User Interface.
The operations supported by the TPAM API are identical to the operations provided by the TPAM Command Line
Interface (CLI). See CLI Commands for details on the TPAM CLI.
The TPAM API is available in several programming languages to allow customers to use their choice of
programming languages when working with the API. Details for using the API in each programming language are
provided in later sections of this document.
As mentioned above, the operations are invoked on the TPAM appliance via an SSH connection. An identity file
key created by TPAM and a user ID with API key based authentication selected are required for the API to be
able to establish the SSH connection.The necessary SSH client software is included with the TPAM API library,
except for non-Windows® installations of the Perl version of the TPAM. In this case, the client machine must
have SSH software installed and available in the directory path.

C++ library
The TPAM API C++ library is provided as a static library. It is distributed with several other libraries that are
required by the TPAM API C++ library.
The main class of the library is ApiClient. This class provides the SSH connection to TPAM and provides the
method used to execute the various operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the C++ library.
Most classes fall into the category of business objects, commands, results, or exceptions.
See C++ examples for examples of using the C++ library.

Class APIClient
Class ApiClient is used to create the SSH connection to TPAM and execute the various commands provided by the
library. This main class contains only a few functions.

TPAM 2.5
336
Administrator Guide
Table 153. Class APIClient functions

Method Description Parameters

constructor Constructor for the class.
connect This method initiates the SSH
connection to TPAM.
sendCommand This method invokes the requested
operation on TPAM and processes the
response. The response attributes are
available via the appropriate “result”
class described below.
disconnect This method disconnects the SSH
session.
• String Host - IP address of TPAM appliance
• String keyFileName - local path to identity
key file created by and downloaded from
TPAM
• String userName - user name of API user ID
defined in TPAM
None
An object of type “command” class as discussed
below
None

Business object classes

The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.

Table 154. C++ Library: Business object classes

Class Description
Account This class contains the attributes of an account.
Alias This class contains the attributes of an alias.
CollectionMembership This class contains the attributes of a collection membership.
EDMZSystem This class contains the attributes of a system.
EgpAccount This class contains the attributes of a EGP account.
GroupMembership This class contains the attributes of a group membership.
Permission This class contains the attributes of a permission.
Policy This class contains the attributes of an access policy.
PsmAccount This class contains the attributes of a PSM account.
PwdRequest This class contains the attributes of a password request. It is based on the Request
class.
Request This class contains the attributes common to a password or session request.
SessionRequest This class contains the attributes of a session request. It is based on the Request
class.
SynchronizedPassword This class contains the attributes of a synchronized password.
SyncPwdSubscriber This class contains the attributes of a synchronized password subscriber.
User This class contains the attributes of a user.

Command classes
Each “command” class implements a single operation that can be performed on TPAM. The constructor for each
class accepts the mandatory data that is required by TPAM to execute the operation.

TPAM 2.5
337
Administrator Guide
Some operations have optional values that may be specified. Several of the add and update operations allow
optional attributes of the business object being added or updated to be set. The list operations allow optional
selection criteria to be specified in order to narrow the results returned by TPAM. See Setting operational values
for operations for details.
An instance of one of these “command” classes is passed to method sendCommand of class ApiClient to have
the operation carried out on TPAM. After execution, a “result” class can be queried for details of the outcome
of the operation. This result class is accessed via method getResult() of the “command” class. In the case of
commands that query data from TPAM, if the result indicates success, the retrieved data will be available within
the “command” class after execution of the operation on TPAM.

Table 155. C++ Library: Command classes

Result class detailing

Class Method used to access retrieved data
execution outcome
AddAccountCommand IDResult N/A
AddCollectionCommand Result N/A
AddCollectionMemberCommand Result N/A
AddGroupCommand Result N/A
AddGroupMemberCommand Result N/A
AddPwdRequestCommand IDResult N/A
AddSessionRequestCommand IDResult N/A
AddSyncPassCommand Result N/A
AddSyncPwdSubCommand Result N/A
AddSystemCommand IDResult N/A
AddUserCommand IDResult N/A
ApproveCommand Result N/A
ApproveSessionRequestCommand Result N/A
CancelCommand Result N/A
CancelSessionRequestCommand Result N/A
ChangeUserPasswordCommand Result N/A
CheckPasswordCommand Result N/A
ClearKnownHostsCommand Result N/A
DeleteAccountCommand Result N/A
DeleteSyncPassCommand Result N/A
DeleteSystemCommand Result N/A
DeleteUserCommand Result N/A
DropCollectionCommand Result N/A
DropCollectionMemberCommand Result N/A
DropGroupCommand Result N/A
DropGroupMemberCommand Result N/A
DropSyncPwdSubCommand Result N/A
ForceResetCommand Result N/A
ForceResetManualCommand IDResult getID() returns the password ID.
getMessage() returns the password.
GetPwdRequestCommand ListResult getPwdRequest() returns a single
PwdRequest object
GetSessionRequestCommand ListResult getSessionRequest() returns a single
SessionRequest object
GrantPermissionCommand Result N/A

TPAM 2.5
338
Administrator Guide
Table 155. C++ Library: Command classes
Class
ListAccountsCommand
ListAcctsForPwdRequestCommand
ListAcctsforSessionRequestCommand
ListAssignedPoliciesCommand
ListCollectionMembershipCommand
ListCollectionsCommand
ListDependentSystemsCommand
ListEgpAccountsCommand
ListEgpPermissionsCommand
ListGroupMembershipCommand
ListGroupsCommand
ListPsmAccountsCommand
ListReasonCodesCommand
ListRequestCommand
ListRequestDetailsCommand
ListSessionRequestCommand
ListSessionRequestDetailsCommand
ListSynchronizedPasswordCommand
ListSyncPwdSubscribersCommand
ListSystemsCommand
ListUsersCommand
ManualPasswordResetCommand
ReportActivityCommand
Result class detailing
Method used to access retrieved data
execution outcome
ListResult getAccountList() returns a vector of
Account objects
ListResult getAccountList() returns a vector of
Account objects
ListResult getAccountList() returns a vector of
Account objects
ListResult getAssignedPoliciesList returns a
vector of Policy objects
ListResult getCollectionMembershipList() returns
a vector of CollectionMembership
objects
ListResult getCollectionList() returns a vector of
Collection objects
ListResult getDependentSystemsList() returns a
vector of DependentSystem objects
ListResult getEgpAccountList() returns a vector
of EgpAccount objects
ListReult getPermissionsList() returns a vector
of Permission objects
ListResult getMembershipList() returns a vector
of GroupMembership objects
ListResult getGroupList() returns a vector of
Group objects
ListResult getPSMAccountList() returns a vector
of PsmAccount objects
ListResult getReasonCodeList() returns a vector
of ReasonCode objects
ListResult getRequestList() returns a vector of
Request objects
ListResult getRequestDetailsList() returns a
vector of Request objects
ListResult getSessionRequestList() returns a
vector of SessionRequest objects
ListResult getSessionRequestDetailsList() returns
a vector of SessionRequest objects
ListResult getSynchronizedPasswordsList()
returns a vector of
SynchronizedPassword objects
ListResult getSyncPwdSubscribers() returns a
vector of SyncPwdSubscriber objects
ListResult getSystemList() returns a vector of
EDMZSAystem objects
ListResult getUserList() returns a vector of User
objects
Result N/A
ListResult getActivities() returns a vector of
Activity objects
TPAM 2.5
339
Administrator Guide
Table 155. C++ Library: Command classes
Result class detailing
Class Method used to access retrieved data
execution outcome
RetrieveCommand Result getPassword() returns the password as
a string
RetrieveWithTicketCommand Result getPassword() returns the password as
a string
SetAccessPolicyCommand Result N/A
SshKeyCommand Result getMessage() method of Result
contains returned SSH key
SyncPassForceResetCommand Result N/A
TestSystemCommand Result N/A
UnlockUserCommand Result N/A
UpdateAccountCommand IDResult N/A
UpdateAccountTicketCommand IDResult N/A
UpdateCollectionCommand Result N/A
UpdateDependentSystemsCommand Result N/A
UpdateEgpAccountCommand IDResult N/A
UpdatePsmAccountCommand IDResult N/A
UpdateSyncPassCommand Result N/A
UpdateSystemCommand IDResult N/A
UpdateSystemTicketCommand IDResult N/A
UpdateUserCommand IDResult N/A
UserSshKeyCommand Result getMessage() method of Result
contains returned SSH key

Setting operational values for operations

Add and update “command” classes that allow optional values to be set contain an instance of the
corresponding business object. Mandatory values specified in the “command” class constructor are populated in
the business object. The optional values can be set by obtaining a reference to the business object from the
“command” class, and setting the desired attributes of the business object.
For example, when adding a new system, the constructor for class AddSystemCommand requires parameters
specifying the system name, network address, and platform name. These values are populated in the
EDMZSystem object contained within the AddSystemCommand object. To set optional attributes, obtain a
reference to this EDMZSystem object by calling method getSystem() on the AddSystemCommand object, and
then call the desired setter methods of the EDMZSystem object. This is demonstrated in the example code
provided in C++ examples.
The add and update “command” classes that contain these business objects that allow setting of optional values
are shown in the following table.

Table 156. Command classes

Class Method used to get business object reference

AddAccountCommand getAccount()
UpdateAccountCommand
AddCollectionMemberCommand getCollectionMembership()
AddGroupMemberCommand getGroupMembership

TPAM 2.5
340
Administrator Guide
Table 156. Command classes

Class Method used to get business object reference

AddSystemCommand getSystem()
UpdateSystemCommand
AddUserCommand getUser()
UpdateUserCommand

Selection criteria for the list operations are specified by using the setter methods of the “command” classes
that perform the list operations. See the example code provided in C++ examples.

Results classes
The “result” classes detail the result of the execution of operations on TPAM.

Table 157. C++ Library: Results classes

Class Attributes
Result Integer return code: zero indicates successful execution of command, non-zero indicates
failure.
String message: a message returned by TPAM with brief information about the execution of
command.
IDResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer ID: on successful command execution, this box shows the row number of the
modified database record.
ListResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer row count: on successful list operations, this value tells how many entries have
been returned by TPAM. Query the appropriate attribute of the "command" class to access
the data returned by TPAM.

Exception classes
The C++ TPAM API Library will throw exceptions under error conditions. Each exception contains a message
describing the failure.

Table 158. C++ Library: Exception classes

Class Description
ParseException This exception will be thrown if there is a failure while parsing a response from TPAM.
SshException This exception will be thrown if there is a problem with the SSH connection being used
to communicate TPAM.
ValidationException This exception will be thrown if validation fails on any data prior to sending that data to
TPAM for processing. Note that most data validation is done by TPAM itself. Under this
scenario, if invalid data is passed to TPAM, ValidationException is not raised. Instead,
the result from execution of the command on TPAM will indicate a failure and the result
message details the failure reason.

TPAM 2.5
341
Administrator Guide
.NET library
The TPAM API .NET library is provided as a Windows® DLL file. It is distributed alongside the TPAM API C++
Library.
The main class of the library is ApiClientWrapper. This class provides the SSH connection to TPAM and methods
to execute all available operations on TPAM.
Additionally, there are several categories of classes that will be used by application code using the .NET library.
These classes fall into the categories of business objects, filters, and results.
See .NET examples (C#) for examples of using the .NET library.

Class ApiClient wrapper

Class ApiClientWrapper is used to create the SSH connection to TPAM, and it provides methods to implement the
various operations available in the library.
Methods in ApiClientWrapper will throw an ApplicationException on error. A message describing the failure is
included in the exception.

Table 159. ApiClientWrapper methods

Method Parameters Returns

constructor System::String^ host: IP address of TPAM appliance. N/A
System:: String^ keyFileName: local path to identity key
file created and downloaded from TPAM.
System:: String^ userName: user name of "API" defined
user in TPAM.
connect (initiate the SSH None Void
connection to TPAM)
disconnect (disconnect the SSH None Void
session)
setCommandTimeout (sets the time int Void
out for execution of a command
over SSH)
addAccount Account^ account IDResult
addCollection System::String^ collectionName Result
System::String^ description
addCollectiom System::String^ collectionName Result
AddCollectionParms^parms
addCollectionMember System::String^ description
System::String^ collectionName
AddCollectionMemberParms^ parms
addGroup System::String^ groupName Result
System::String^ description
addGroupMember System::String^ userName Result
System::String^ groupName
addGroupMember System::String^ username Result
int groupID

TPAM 2.5
342
Administrator Guide
Table 159. ApiClientWrapper methods

Method Parameters Returns

addPwdRequest System::String^ systemName IDResult
System::String^ accountName
System::String^ forUserName
System::String^ requestNotes
AddPwdRequestParms^ parms
addSessionRequest System::String^ systemName IDResult
System::String^ accountName
System::String^f orUserName
System::String^ requestNotes
AddSessionRequestParms^ parms
addSyncPass System::String^ syncPassName Result
AddSyncPassParms^ parms
addSyncPwdSub System::String^ syncPassName Result
System::String^ systemName
System::String^ AccountName
addSystem EDMZSystem^ system IDResult
addUser User^ user IDResult
approve int requestID Result
System::String^ comment
approveSessionRequest int requestID Result
System::String^ comment
cancel int requestID Result
System::String^ comment
cancelSessionRequest int requestID Result
System::String^ comment
changeUserPassword System::String^ userName Result
System::String^ password
checkPassword System::String^ systemName Result
System::String^ accountName
clearKnownHosts System::String^systemName Result
deleteAccount System::String^ systemName Result
System::String^ accountName
deleteSyncPass System::String^ syncPassName Result
deleteSystem System::String^ systemName Result
deleteUser System::String^ userName Result
dropCollection System::String^ collectionName Result
dropCollectionMember System::String^ systemName Result
System::String^ collectionName
dropGroup System::String^ groupName Result
dropGroup int groupID Result
dropGroupMember System::String^ userName Result
System::String^ groupName

TPAM 2.5
343
Administrator Guide
Table 159. ApiClientWrapper methods

Method Parameters Returns

dropGroupMember System::String^ userName Result
int groupID
dropSyncPwdSub System::String^ SyncPassName Result
System::String^ systemName
System::String^ accountName
forceReset System::String^ systemName Result
System::String^ accountName
forceResetManaul System::String^ systemName IDResult
System::String^ accountName
getPwdRequest System::String^ accountName ListResult
[System::RunTime::InteropServices::Out] PwdRequest^
%request
getSessionRequest int requestID ListResult
[System::RunTime::InteropServices::Out]
SessionRequest^ %sessionRequest
grantPermission System::String^ permName Result
UserOrGroup userOrGroupChoice (possible values are
USER or GROUP)
System::String^ userOrGroupName
SystemOrCollection systemOrCollectionChoice (possible
values are SYSTEM or COLLECTION)
System::String^ systemOrCollectionName
listAccount AccountFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Account^>^% accounts
listAcctsForPwdRequest AcctForPwdRequestFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<AccountForPwdRequest^>^% accounts
listAcctsforSessionRequest AcctForSessionRequestFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<AccountForSessionRequest^>^% accounts
listAssignedPolicies PolicyFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Policy^>^% policies
listCollectionMembership System::String^ collectionName ListResult
System::String^ systemName
int maxRows
[System::RunTime::InteropServices::Out]
array<CollectionMembership^>^% membership
listCollectionMembership CollectionMembershipFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<CollectionMembership^>^%membership
listCollections CollectionFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Collection^>^% collections

TPAM 2.5
344
Administrator Guide
Table 159. ApiClientWrapper methods
Method
listDependentSystems
listEgpAccounts
listPermissions
listEgpPermissions
listGroups
listGroupMembership
listPsmAccounts
listReasonCodes
listRequest
listRequestDetails
listSessionRequest
listSessionRequestDetails
listSynchronizedPassword
listSyncPwdSubscribers
listSystems
Parameters Returns
System::String^ systemName ListResult
System::String^ accountName
DependentSystemFilter^ filter
[System::RunTime::InteropServices::Out]
array<DependentSystem^>^%dependentSystems
EgpAccountFilter^filter ListResult
[System::RunTime::InteropServices::Out]
array<EgpAccount^>^% egpAccounts
PermissionFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Permission^>^% permissions
GroupFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Group^>^% groups
System::String^ groupName ListResult
System::String^ userName
int maxRows
[System::RunTime::InteropServices::Out]
array<GroupMembership^>^% membership
PsmAccoutFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<PsmAccount^>^% psmAccounts
[System::RunTime::InteropServices::Out] ListResult
array<ReasonCode^>^% reasonCodes
RequestFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Request^>^% requests
RequestFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<Request^>^% requests
SessionRequestFilter^ ilter ListResult
[System::RunTime::InteropServices::Out]
array<SessionRequest^>^% sessionRequests
SessionRequestFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<SessionRequest^>^% sessionRequests
[System::RunTime::InteropServices::Out] ListResult
array<SynchronizedPassword^>^%
synchronizedPasswords
System::String^ SyncPassName ListResult
[System::RunTime::InteropServices::Out]
array<SyncPwdSubscriber^>^% syncPwdSubscribers
SystemFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<EDMZSystem^>^% systems
TPAM 2.5
345
Administrator Guide
Table 159. ApiClientWrapper methods

Method Parameters Returns

listUsers UserFilter^ filter ListResult
[System::RunTime::InteropServices::Out]
array<User^>^% users
manualPasswordReset System::String^ passwordID Result
System::String^ status
reportActivity System::String^ accountName ListResult
[System::RunTime::InteropServices::Out]
array<Activity^>^% activities
retrieve System::String^ systemName Result
System::String^ accountName
int timeRequired
System::String^ comment
retrieve (v2.3+) System::String^ systemName Result
System::String^ accountName
System::String^ comment
RetrieveParms^ parms
retrieve(v2.3+) System::String^ systemName Result
System::String^ accountName
RetrieveParms^ parms
retrieveWithTicket System::String^ systemName Result
System::String^ accountName
int timeRequired
System::String^ ticketSystemName
System::String^ ticketNumber
System::String^ comment
setAccessPolicy System::String^ accessPolicyName Result
System::String^ action
SetAccessPolicyParms^ parms
sshKey SshKeyParms^parms Result
syncPassForceReset System::String^ syncPassName Result
System::String^ newPassword
testSystem System::String ^systemName Result
unlockUser System::String^ userName Result
updateAccount Account^ account IDResult
updateAccountTicket System::String^ systemName IDResultl
System::String^ accountNamet
System::String^ ticketSystemName
eDMZ::ParAPI::Flag RequireTicketForRequest
eDMZ::ParAPI::Flag RequireTicketForISA
eDMZ::ParAPI::Flag RequireTicketForCLI
eDMZ::ParAPI::Flag RequireTicketForAPI
System::String^ ticketEmailNotify

TPAM 2.5
346
Administrator Guide
Table 159. ApiClientWrapper methods

Method Parameters Returns

updateCollection System::String^collectionName Result
UpdateCollectionParms^ parms
updateDependentSystems System::String^ systemName Result
System::String^ accountName
UpdateDependentSystemsParms^ parms
updateEgpAccount System::String^ systemName IDResult
System::String^ accountName
UpdateEgpAccountParms^ parms
updatePsmAccount System::String^ systemName IDResult
System::String^ accountName
UpdatePsmAccountParms^ parms
updateSyncPass System::String^ syncPassName Result
UpdateSyncPassParms^ parms
updateSystem EDMZSystem^ system IDResult
updateSystemTicket System::String^ systemName IDResult
System::String^ ticketSystemName
eDMZ::ParAPI::Flag RequireTicketForRequest
eDMZ::ParAPI::Flag RequireTicketForISA
eDMZ::ParAPI::Flag RequireTicketForCLI
eDMZ::ParAPI::Flag RequireTicketForAPI
System::String^ ticketEmailNotify
updateUser User^ user IDResult
userSshKey UserSshKeyParms^ parms Result

Business object classes

The business object classes describe the entities in TPAM that can be queried or manipulated in some manner
via the TPAM API.

Table 160. .Net Library: Business object classes

Class Description
Account This class contains the attributes of an account.
AcctForPwdRequest This class contains the attributes of an account that is available for password request.
AcctforSessionRequest This class contains the attributes of an account that is available for session request.
Activity This class contains the attributes of an entry in the activity report.
Collection This class contains the attributes of a collection.
CollectionMembership This class contains the attributes of a collection membership.
DependentSystem This class contains the attributes of a dependent system.
EDMZSystem This class contains the attributes of a system.
EgpAccount This class contains the attributes of an Egp account.
Group This class contains the attributes of a group.
GroupMembership This class contains the attributes of a group membership.
Policy This class contains the attributes of an access policy.

TPAM 2.5
347
Administrator Guide
Table 160. .Net Library: Business object classes

Class Description
PsmAccount This class contains the attributes of a PSM account.
PwdRequest This class contains the attributes of a password request. It is based on the Request
class.
ReasonCode This class contains the attributes of a reason code.
Request This class contains the attributes common to a password or session request.
SessionRequest This class contains the attributes of a session request. It is based on the Request class.
SynchronizedPassword This class contains the attributes of a synchronized password.
SyncPwdSubscriber This class contains the attributes of a synchronized password subscriber.
User This class contains the attributes of a user.

Filter classes
The “filter” classes are used to specify selection criteria for data being requested from TPAM.

Table 161. .Net Library: Filter classes

Class Description
AccountFilter Provides selection criteria for ListAccounts
AcctForPwdRequestFilter Provides selection criteria for listAccountsForPwdRequest
AcctforSessionRequestFilter Provides selection criteria for listAccountsForSessionRequest
ActivityFilter Provides selection criteria for reportActivity
CollectionFilter Provides selection criteria for listCollections
CollectionMembershipFilter Provides selection criteria for listCollectionMembership
DependentSystemFilter Provides selection criteria for listDependentSystems
EgpAccountFilter Provides selection criteria for listEgpAccounts
GroupFilter Provides selection criteria for listGroups
PolicyFilter Provides selection criteria for listAssignedPolicies
PsmAccountFilter Provides selection criteria for listPSMAccounts
RequestFilter Provides selection criteria for listRequestDetails
SessionRequestFilter Provides selection criteria for listSessionRequestDetails
SystemFilter Provides selection criteria for listSystems
UserFilter Provides selection criteria for listUsers

Parms classes
The “parms” classes are used to specify optional parameters for various methods implemented in
ApiClientWrapper.

Table 162. .Net Library: Parms classes

Class
AddCollectionMemberParms
AddCollectionParms
AddPwdRequestParms
AddSessionRequestParms
AddSyncPassParms
Description
Allows setting of optional parameters for addCollectionMember method
Allows setting of optional parameters for addCollection method
Allows setting of optional parameters for addPwdRequest method
Allows setting of optional parameters for addSessionRequest method
Allows setting of optional parameters for addSyncPass method

TPAM 2.5
348
Administrator Guide
Table 162. .Net Library: Parms classes

Class
DropCollectionMemberParms
RetrieveParms
SetAccessPolicyParms
SshKeyParms
UpdateCollectionParms
UpdateDependentSystemParms
UpdateEgpAccountParms
UpdatePsmAccountParms
UpdateSyncPassParms
UserSshKeyParms
Description
Allows setting of optional parameters for dropCollectionMember method
Allows setting of optional parameters for the retrieve method
Allows setting of optional parameters for the setAccessPolicy method
Allows setting of optional parameters for sshKey method
Allows setting of optional parameters for updateCollection method
Allows setting of optional parameters for updateDependentSystems method
Allows setting of optional parameters for updateEgpAccount method
Allows setting of optional parameters for updatePsmAccount method
Allows setting of optional parameters for updateSyncPass method
Allows setting of optional parameters for userSshKey method

Results classes
The “result” classes detail the result of the execution of operations on TPAM.

Table 163. .Net Library: Results classes

Class Attributes
Result Integer return code: zero indicates successful execution of command, non-zero indicates
failure.
String message: a message returned by TPAM with brief information about the execution of
command.
IDResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer ID: on successful command execution, this box shows the row number of the modified
database record.
ListResult Integer return code: see Result class for description.
String message: see Result class for description.
Integer row count: on successful list operations, this value tells how many entries have been
returned by TPAM.
Array of Objects: array containing "row count" elements, with each element being an object of
type described under business objects as requested by the operation.
NOTE: This array is used internally by the API. It simply refers to the data being returned as an
OUT parameter of list operations. It is suggested that applications using the API use the OUT
parameters instead of this array.

PERL library
Documentation for the TPAM API Perl library is available in PERL POD format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.

Java® library
Documentation for the TPAM API Java® library is available in Javadoc format. This can be downloaded from the
customer portal at https://hq01.e-dmzsecurity.com/edmzcust.

TPAM 2.5
349
Administrator Guide
C++ examples
The following examples have minimal error checking for simplicity.
void addSystem(ApiClient& client)
{
// Add a dummy system.
AddSystemCommand asc("testsys", "147.148.149.150", "AS400");

// Set some attributes of the system being added.

asc.getSystem().setSystemAutoFl(Flag::FLAG_N);
asc.getSystem().setDescription("Description for testsys");

// Execute the operation on TPAM.

client.sendCommand(asc);

// Check the outcome of the operation.

IDResult* idresult = asc.getResult();
cout << "addSystem: rc = " << idresult->getReturnCode()
<< " message = " << idresult->getMessage() << endl;
}
void addAccount(ApiClient& client)
{
// Add a dummy account.
AddAccountCommand aac("testsys", "testacct");

// Set an attribute of the account being added.

aac.getAccount().setDescription("Description for testacct");

// Execute the operation on TPAM.

client.sendCommand(aac);

// Check the outcome of the operation.

IDResult* idresult = aac.getResult();
cout << "addAccount: rc = " << idresult->getReturnCode()
<< " message = " << idresult->getMessage() << endl;
}

void updateAccount(ApiClient& client)

{
// Update the account password.
UpdateAccountCommand uac("testsys", "testacct");
uac.getAccount().setPassword("a1b2c3d4e5");

// Execute the operation on TPAM.

client.sendCommand(uac);

// Check the outcome of the operation.

IDResult* idresult = uac.getResult();
cout << "updateAccount: rc = " << idresult->getReturnCode()
<< " message = " << idresult->getMessage() << endl;
}

void retrieve(ApiClient& client)

{
// Get the password for testsys/testacct.
RetrieveCommand rc("testsys", "testacct", 30, "This is my comment");

// Execute the operation on TPAM.

client.sendCommand(rc);

TPAM 2.5
350
Administrator Guide
 Result* result = rc.getResult();
if (result->getReturnCode() == 0)
{
cout << "retrieve: The password is " << rc.getPassword() << endl;
}
else
{
cout << "Failed retrieving password: " << result->getMessage() << endl;
}
}

void listAccounts(ApiClient& client)

{
// List the accounts, but set filters to see only testsys/testacct.
ListAccountsCommand lac;
lac.setSystemName("testsys");
lac.setAccountName("testacct");

// Execute the operation on TPAM.

client.sendCommand(lac);

ListResult* listresult = lac.getResult();

// Since we set filters for just testsys/testacct,

// there should be just 1 entry returned.
if ((listresult->getReturnCode() == 0) &&
(listresult->getRowCount() == 1))
{
cout << "listAccounts: The description for testsys/testacct is "
<< lac.getAccountList().at(0).getDescription() << endl;
}
else
{
cout << "Unexpected result for listAccounts: "
<< listresult->getMessage() << endl;
}
}

void listSystems(ApiClient& client)

{
// We'll list all defined systems.
ListSystemsCommand lsc;

// Execute the operation on TPAM.

client.sendCommand(lsc);

ListResult* listresult = lsc.getResult();

if (listresult->getReturnCode() == 0)
{
for (int i=0; i<listresult->getRowCount(); i++)
{
cout << "listSystems: System name: "
<< lsc.getSystemList().at(i).getSystemName() << endl;
}
}
}

void deleteAccount(ApiClient& client)

{
// Delete the account.
DeleteAccountCommand dac("testsys", "testacct");

TPAM 2.5
351
Administrator Guide
 // Execute the operation on TPAM.
client.sendCommand(dac);

// Check the outcome of the operation.

Result* result = dac.getResult();
cout << "deleteAccount: rc = " << result->getReturnCode()
<< " message = " << result->getMessage() << endl;
}

void deleteSystem(ApiClient& client)

{
// Delete the system.
DeleteSystemCommand dsc("testsys");

// Execute the operation on TPAM.

client.sendCommand(dsc);

// Check the outcome of the operation.

Result* result = dsc.getResult();
cout << "deleteSystem: rc = " << result->getReturnCode()
<< " message = " << result->getMessage() << endl;
}

void getPwdRequest(ApiClient& client)

{
GetPwdRequestCommand gprc(9);

// Execute the operation on TPAM.

client.sendCommand(gprc);

ListResult* listresult = gprc.getResult();

// This operation always returns just 1 entry.
if ((listresult->getReturnCode() == 0) &&
(listresult->getRowCount() == 1))
{
cout << "getPwdRequest: Status of request "
<< gprc.getPwdRequest().getRequestID()
<< " is "
<< gprc.getPwdRequest().getRequestStatus() << endl;
}
else
{
cout << "Unexpected result for getPwdRequest: "
<< listresult->getMessage() << endl;
}
}

int main()
{
ApiClient client("192.168.70.3", "C:/keys/parapiuser.txt", "parapiuser");
try
{
client.connect();
try
{
addSystem(client);
addAccount(client);
updateAccount(client);
retrieve(client);

TPAM 2.5
352
Administrator Guide
 listAccounts(client);
listSystems(client);
deleteAccount(client);
deleteSystem(client);
getPwdRequest(client);
}
catch (ValidationException& vex)
{
cout << "ValidationException: " << vex.toString() << endl;
}
catch (ParseException& pex)
{
cout << "ParseException: " << pex.toString() << endl;
}

// Call disconnect() on the ApiClient after commands have completed.

client.disconnect();
}
catch (SshException& sshex)
{
cout << "SshException: " << sshex.toString() << endl;
}
}

.NET examples (C#)

The following examples have minimal error checking for simplicity.
static void addSystem(ApiClientWrapper client)
{
// Add a dummy system.
EDMZSystem edmzsys = new EDMZSystem();
edmzsys.systemName = "testsys";
edmzsys.networkAddress = "147.148.149.150";
edmzsys.platformName = "AS400";
edmzsys.systemAutoFl = Flag.N;
edmzsys.description = "Description of testsys";

// Execute the operation on TPAM.

IDResult idresult = client.addSystem(edmzsys);

// Check the outcome of the operation.

Console.WriteLine("addSystem: rc = {0}, message = {1}",
idresult.returnCode, idresult.message);
}

static void addAccount(ApiClientWrapper client)

{
// Add a dummy account.
Account account = new Account();
account.systemName = "testsys";
account.accountName = "testacct";
account.description = "Description for testacct";

// Execute the operation on TPAM.

IDResult idresult = client.addAccount(account);

// Check the outcome of the operation.

Console.WriteLine("addAccount: rc = {0}, message = {1}",

TPAM 2.5
353
Administrator Guide
 idresult.returnCode, idresult.message);
}

static void updateAccount(ApiClientWrapper client)

{
Account account = new Account();
account.systemName = "testsys";
account.accountName = "testacct";
account.password = "a1b2c3d4e5";

// Execute the operation on TPAM.

IDResult idresult = client.updateAccount(account);

// Check the outcome of the operation.

Console.WriteLine("updateAccount: rc = {0}, message = {1}",
idresult.returnCode, idresult.message);
}

static void retrieve(ApiClientWrapper client)

{
Result result = client.retrieve(
"testsys", "testacct", 30, "This is my comment");

if (result.returnCode == 0)
{
// If returnCode indicates success, the message is the password.
Console.WriteLine("retrieve: The password is {0}",
result.message);
}
else
{
// If returnCode indicates failure,
// the message is an actual message.
Console.WriteLine("Failed retrieving password: {0}",
result.message);
}
}

static void listAccounts(ApiClientWrapper client)

{
// List the accounts, but set filters to see only testsys/testacct.
AccountFilter af = new AccountFilter();
af.systemName = "testsys";
af.accountName = "testacct";

// Execute the operation on TPAM.

Account[] accounts = null;
ListResult lr = client.listAccounts(af, out accounts);

// Since we set filters for just testsys/testacct,

// there should be just 1 entry returned.
if ((lr.returnCode == 0) && (lr.rowCount == 1))
{
Console.WriteLine(
"listAccounts: The description for testsys/testacct is {0}",
accounts[0].description);
}
else
{
Console.WriteLine("Unexpected result for listAccounts: {0}",
lr.message);

TPAM 2.5
354
Administrator Guide
 }
}

static void listSystems(ApiClientWrapper client)

{
// We'll list all defined systems.
EDMZSystem[] systems = null;
ListResult lr = client.listSystems(null, out systems);

if (lr.returnCode == 0)
{
for (int i = 0; i < lr.rowCount; i++)
{
Console.WriteLine("listSystems: System name: {0}",
systems[i].systemName);
}
}
}

static void deleteAccount(ApiClientWrapper client)

{
// Delete the account.
Result result = client.deleteAccount("testsys", "testacct");

// Check the outcome of the operation.

Console.WriteLine("deleteAccount: rc = {0}, message = {1}",
result.returnCode, result.message);
}

static void deleteSystem(ApiClientWrapper client)

{
// Delete the system.
Result result = client.deleteSystem("testsys");

// Check the outcome of the operation.

Console.WriteLine("deleteSystem: rc = {0}, message = {1}",
result.returnCode, result.message);
}

static void getPwdRequest(ApiClientWrapper client)

{
PwdRequest request;
ListResult lr = client.getPwdRequest(9, out request);

if (lr.returnCode == 0)
{
Console.WriteLine(
"getPwdRequest: Status of request {0} is {1}",
request.requestID,
request.requestStatus);
}
else
{
Console.WriteLine("Unexpected result for getPwdRequest: {0}",
lr.message);
}
}

static void Main(string[] args)

{
ApiClientWrapper client = new ApiClientWrapper(

TPAM 2.5
355
Administrator Guide
 "192.168.70.3",
"C:\\keys\\parapiuser.txt",
"parapiuser");

try
{
client.connect();

addSystem(client);
addAccount(client);
updateAccount(client);
retrieve(client);
listAccounts(client);
listSystems(client);
deleteAccount(client);
deleteSystem(client);
getPwdRequest(client);
}
catch (ApplicationException aex)
{
Console.WriteLine("Exception: {0}", aex.Message);
}
finally
{
client.disconnect();
}
}

TPAM 2.5
356
Administrator Guide
 43
Configuration for Capturing Events on
Windows® Systems

• Introduction
• General j-Interop requirements
• Summary of common problems
• Firewall related problems
• Explicitly opening DCOM ports
• Dynamically opening DCOM ports
• Remote registry related problems
• Local security policy related problems
• User account control (UAC) related problems
• Registry key related problems
• Operating systems
• Windows® event requirements

Introduction
TPAM provides the ability to capture events during PSM sessions to certain platforms. J-Interop is used on DPAs
to help capture events on Windows® systems. Special configuration may be required on Windows® systems in
order for j-Interop to work. In addition to setting up the Windows® system so that j-Interop works correctly,
certain Windows® events must be generated in order for the event capture code to determine when sessions
start and stop.

This chapter describes configuration that may be necessary to enable event capture on Windows® systems.
These are general directions, so buttons, dialog boxes, etc. discussed here may be slightly different than those
encountered on the various Windows®operating systems.

General j-Interop requirements

In order for j-Interop to communicate with a remote Windows® system there are a number of requirements that
have to be met.
• Running "Remote Registry" service
• Prevent the firewall from blocking the j-Interop traffic

• Prevent the Windows® User Account Control (UAC) from interfering

• Configure other permissions

TPAM 2.5
357
Administrator Guide
Depending on which version of Windows® you are using, different steps have to be taken or have to be taken
differently.

Summary of common problems

Table 164. Common problems

Remote
Operating Local security User account Registry key
Firewall registry
system permissions control (UAC) permissions
service
Windows® XP Action No Changes Action Required N/A No Changes
Required Needed Needed
Windows® Vista Action Action No Changes Needed Action Required No Changes
Required Required Needed
Windows® 7 Action Action No Changes Needed Action Required Action Required
Required Required
Windows® No Changes No Changes No Changes Needed N/A No Changes
Server 2003 Needed Needed Needed

Window®s Action No Changes No Changes Needed Action Required No Changes

Server 2008 Required Needed Needed

Window®s Action No Changes No Changes Needed Action Required Action Required

Server 2008 R2 Required Needed
and later

Firewall related problems

The firewall of the Windows® system may block j-Interop communication. The following ports have to be
available:
• TCP 135: General RPC Port (When doing asynchronous RPC call the service listening on this port will tell
the client on which port the component servicing his request will be waiting on)
• UDP 137: NetBIOS Name Resolution
• UDP 138: NetBIOS Datagram Service
• TCP 139: NetBIOS Session Service
• TCP 445: SMB
• TCP ???: When doing asynchronous RPC calls the remote host dllhost.exe starts a "server" dealing with the
request. The port this service listens on can be dynamic, and therefore tricky to configure. See the
following articles for more details:

• Service overview and network port requirements for Windows® -

http://support.microsoft.com/kb/832017
• How to configure RPC dynamic port allocation to work with firewalls -
http://support.microsoft.com/kb/154596
• WMI troubleshooting - http://msdn.microsoft.com/en-
us/library/windows/desktop/aa394603%28v=vs.85%29.aspx
In order to open the DCOM ports there are two options:
• Explicitly open DCOM ports
• Dynamically open DCOM ports

TPAM 2.5
358
Administrator Guide
Explicitly opening DCOM ports
If you want to control which ports DCOM may open, you can limit the port range by using dcomcnfg. This makes
it possible to explicitly open ports for DCOM communication. Otherwise the DCOM system will use any free port.

To explicitly open the ports:

1 Start dcomcnfg.
2 Right click Component Services | Computers | My Computer and select Properties.
3 Click the Default Protocols tab.
4 Select Connection-oriented TCP/IP and click Properties.
5 By clicking on the Add... button you can add one (or multiple) ranges of ports. Don't set this range too
small. You should probably configure at least 20-40 ports for DCOM.
6 Click the OK button to close all dialog boxes.
7 You will have to reboot in order for these changes to take effect.

For the first 5 entries all Windows® versions already have predefined rules that can be activated:

• TCP 135: Windows® Management Instrumentation (DCOM-In)

• UDP 137: File and Printer Sharing (NB-Name-In)
• UDP 138: File and Printer Sharing (NB-Datagram-In)
• TCP 139: File and Printer Sharing (NB-Session-In)
• TCP 445: File and Printer Sharing (SMB-In)
In order to make asynchronous requests (with fixed or dynamic ports) you have to add rules to the firewall
configuration manually. This is where most tutorials on the web recommend adding a port based rule opening a
range of ports. Not all versions of Windows® allow you to define a port range in a firewall rule (actually only
Windows®Server 2008 R2 and newer server OSs and Windows® 7 and newer client OSs support providing a port
range). Without the port range capability, you would have to define numerous individual rules.
You can however add ports from the command line. So start a command line (cmd) as Administrator and
using the following command you could add a port range by calling the "add one port" in a for loop:
FOR /L %I IN (9000,1,9099) DO netsh firewall add portopening TCP %I "DCOM dynamic
Port %I"
As a result, your firewall configuration will be populated with 100 new entries that all have about the same
name.

Dynamically opening DCOM ports

Alternatively, you could allow a program to open ports. Asynchronous calls are opened by a program called
dllhost.exe. You can create a program-based rule that opens all ports created by dllhost.exe or one of its' child
processes. For this simply add the program: %SystemRoot%\System32\dllhost.exe as the target program. If you
use this method, then you don't have to define a port range for DCOM at all.

Remote registry related problems

In order for j-Interop to be able to connect to the remote system, the Remote Registry service has to be running
on the remote Windows® system. Usually this service is running on all Windows® systems except Windows® Vista
and Windows® 7. If you set the service to be started Automatic, then the service will also start automatically
the next time the system boots.

TPAM 2.5
359
Administrator Guide
Local security policy related problems
This seems to be a problem that is related only to Windows® XP systems. Even if this configuration option is
present in all Windows® operating systems, only with Windows® XP is it configured in a way that prevents j-
Interop from working correctly.
The security policy Network access: Sharing and security model for local accounts is set to: Guest only: local
users authenticate as Guest per default. This has to be changed to Classic: local users authenticate as
themselves. If this is set to Guest only, all remotely logged-in users have only guest permissions on the target
system.

User account control (UAC) related

problems
Starting with Windows® Vista and Windows® Server 2008, Microsoft introduced User Account Control (UAC). In
order to prevent unwanted modifications, Microsoft introduced UAC which separates the Admin Account login
from actual Admin tasks. In order to actually perform an Admin task, the operating system now requests
permission by displaying a popup.
This behavior breaks most functionality that j-Interop would execute, since with a non-interactive session there
is no way to display and click a button in a popup, therefore the operating system dispatches a "permission
denied" failure. There are a few options to make it possible to connect.
• Use the built in local Administrator account for the functional account (Not a domain Admin account,
only the built in one works - you may have to enable this account first and set a password for it)
• Turn off UAC entirely
• Change the local security policy to disable Admin Approval Mode for administrators

Activating the local administrator account

To activate the local admin account:
1 Start lusrmgr.msc
2 Select Local Users and Groups | Users.
3 Right-Click the Administrator account and select Properties.
4 Clear the Account is disabled check box.
5 Save with OK
6 Right-Click the Administrator account again and select Set Password...
7 Confirm the warning
8 Enter the new password twice
9 Set/Change the password with OK

Turn off the UAC

To turn off UAC:
1 Refer to Microsoft documentation for how to turn off UAC for the Windows® system.
2 Turn off UAC.
TPAM 2.5
360
Administrator Guide
 3 Reboot to activate UAC changes.

Disable admin approval mode for administrators

To disable admin approval mode for administrators:
1 Start secpol.msc
2 Select Security Settings | Local Policies | Security Options.
3 Right-click the list entry User Account Control: run all administrators in Admin Approval mode and
select Properties.
4 Select Disabled.
5 Confirm with OK.
6 Reboot the machine for the change to take effect.

Registry key related problems

In order to be able to use an OLE/COM component remotely, an AppID key has to be added in that object's
registry entry. J-Interop will attempt to add the registry entry if it does not already exist. However, starting
with Windows® 7 and Window® Server 2008 R2 the registry key has the TrustedInstaller set as owner and only
that user has full access. When j-Interop tries to add the AppID key, Windows® reports an error back to j-
Interop.
There are several ways to solve this problem:
• Give the functional account (j-Interop user) full permissions to the key
• Manually add the AppID to the
• OLE object's registry, thereby doing manually what j-Interop intends to do automatically
In order for event capture to work, access to the following object is required:
• WBEM Scripting
• Locator: HKCR/CLSID/{76A64158-CB41-11D1-8B02-00600806D9B6}
More information on this is found in the j-Interop FAQ: http://www.j-interop.org/faq.html#A6

Give functional account full permissions to key

In order to perform the change, you have do the following for the above key.:
1 Execute regedit in order to start the registry editor
2 Select the key (using the search helps)
3 Right-click the key and select Permissions...
4 Currently only the owner is allowed to change the permissions and currently this owner is the
TrustedInstaller user. Therefore we have to change the ownership first. In order to do so, click
Advanced.
5 Click the Owner tab.(in some releases this is not a tab, so find the mechanism used to change the
owner)
6 Select Administrators
7 Click OK

TPAM 2.5
361
Administrator Guide
 8 In order to make the ownership change effective, you have to commit the changes by clicking on OK first
and then reopening the Permissions dialog
9 In the reopened Permissions dialog, add or select the user or group you want to access the system under
and select the check box for allowing Full Control.
10 Click OK
11 Right-click the key a third time and select Permissions...
12 Click Advanced
13 Select the Owner tab. (In some releases this is not a tab, so find the mechanism used to change the
owner.)
14 Enter the following username (you can't select it from any list) NT Service\TrustedInstaller.
15 Click OK as necessary to exit
NOTE: After the first session is started, and j-Interop has created these registry entries, it is safe to reset
the permissions back to original values.

Manually add the AppID to the OLE object’s registry

To manually add the AppID:
1 Search for the OLE object's registry entry (HKCR/CLSID/{76A64158-CB41-11D1-8B02-00600806D9B6})
2 Create a new "String Value" in this entry
• AppID (REG_SZ): Set the Data field to {76A64158-CB41-11D1-8B02-00600806D9B6}
3 After this add a new key to HKCR/AppID (HKCR/AppID/{76A64158-CB41-11D1-8B02-00600806D9B6})
4 Inside this new key, simply add two new String Values:
• (Default) (REG_SZ): (The parentheses are required) - You can set the Data field to a name
describing the object or just leave it blank.
• DllSurrogate (REG_SZ): (The Data field can be left blank)

Operating systems
The following sections describe changes that may be required for each Windows® operating system to support j-
Interop.

Windows® XP
All Microsoft client operating systems starting with Windows® XP SP2 and later were shipped with a firewall.
This is blocking almost all inbound traffic. See Firewall related problems for more information.

After the firewall is configured on Windows® XP systems some Local Security Policy settings have to be changed,
or j-Interop will not be able to connect. See Local security policy related problems for more information on how
to resolve that problem.
Now the system should be accessible.

TPAM 2.5
362
Administrator Guide
Windows® Vista
Starting with Windows® Vista the client operating systems have the Remote Registry Service disabled per
default. Therefore check see Remote registry related problems for how to fix this.

As with Windows® XP the firewall has to be configured.See Firewall related problems for more information.

Also, Windows® Vista introduced the User Account Control (UAC). See User account control (UAC) related
problems for details.
Now the system should be accessible.

Windows® 7
In order to have Windows® 7 accessible the same steps have to be done as with Windows® Vista: configure the
firewall, start the Remote Registry service and configure the User Account Control (UAC).
There were also some changes with permissions in the Registry. These are preventing j-Interop from functioning
correctly. See the Registry key related problems.
Now the system should be accessible.

Windows® Server 2003

It appears that no changes are needed for j-Interop to work with Windows® Server 2003.

Windows® Server 2008

Windows® Server 2008 was the first Microsoft Server operating system to be shipped with a firewall, so this has
to be configured prior to be able to connect to it. See the chapter Firewall related problems for more
information.
It was also the first server product that included User Account Control (UAC) so this is interfering too. See the
chapter User account control (UAC) related problems for more information.
After resolving the firewall and UAC problems, connections work without any problems.

Windows® Server 2008 R2 and later

Windows® Server 2008 R2 is configured almost identically to Windows® 2008, so please follow the firewall and
UAC configuration guide of that system.
One difference however is how the User Account Control is disabled. Instead of a check box in this case there is
a slider. In order to turn off the UAC, just drag the Slider to the bottom. After rebooting UAC should be disabled.
The biggest differences are small changes in the permissions of the systems registry. See the chapter on Registry
key related problems.

After these changes the connection should work with Windows® Server 2008 R2 and later operating systems.

TPAM 2.5
363
Administrator Guide
Windows® event requirements
The event capture code must be able to track the beginning and end of a specific Windows® login session. This
is accomplished by monitoring specific Windows® logon and logoff events, Therefore, events indicating
successful logon or reconnect and logoff or disconnect must be generated by the Windows® system. The IDs of
the specific events required to be generated by the Windows® system and where to configure generation of the
events are as follows.

Table 165. Windows® XP/Server 2003 events

Operation Windows® XP / Server 2003 event ID Security path policy

Logon 528 - A user successfully logged on to a computer. Audit Policy - Audit logon events
Logoff 538 - THe logoff process was completed for a user. Audit Policy - Audit logon events
Logoff 551 - A user initiated the logoff process. Audit Policy - Audit logon events
Reconnect 682 - A user has reconnected to a disconnected terminal Audit Policy - Audit logon events
server session.
Disconnect 683 - A user disconnected a terminal server session Audit Policy - Audit logon events
without logging off.

Table 166. Windows® Vista/Server 2008 and later events

Operation Windows® Vista / Server 2008 and later Security path policy
event ID
Logon 4624 - An account was successfully logged on. Advanced Audit Policy Configuration -
Logon/Logoff - Audit Logon
Logoff 4634 - An account was logged off. Advanced Audit Policy Configuration -
Logon/Logoff - Audit Logoff
Logoff 4647 - User initiated logoff. Advanced Audit Policy Configuration -
Logon/Logoff - Audit Logon
Reconnect 4778 - A session was reconnected to a Advanced Audit Policy Configuration -
Windows® station. Logon/Logoff - Audit Other Logon/Logoff
events
Disconnect 4779 - A session was disconnected from a Advanced Audit Policy Configuration -
Windows® station. Logon/Logoff - Audit Other Logon/Logoff
events

TPAM 2.5
364
Administrator Guide
 44
Appliance Specifications

Table 167. Application specifications

Standard TPAM
Feature/
Standard DPA Enterprise TPAM
Spec
Standard cache
Processor 1 E5-2400 Intel® Xeon® processor family 2 E5-2400 Intel® Xeon® processor family
# of Processors 1 2
# of Cores per Quad Quad
Processor
L2/L3 Cache 10 MB 10 MB
Chipset ®
Intel C600 series Intel® C600 series
DIMMs DDR3 R-DIMMs DDR3 R-DIMMs
RAM 4 GB 8 GB
HD Bays 4 x 3.5 Hot Plug 4 x 3.5 Hot Plug
HD Types SATA/SAS/SSD SAS add-in controller
Internal HD PERC H310 Integrated RAID Controller PERC H710P Integrated RAID Controller, 1 GB
Controller NV Cache
Disk 2 x 500 GB 4 x 300 GB SAS
Availability ECC Memory, Hot-swap HDD; Redundant Hot-swap HDD; Redundant PSU; Memory
PSU, TPM mirroring, TPM
I/O Slots 1 x PCIe x 16 1 x PCIe x16; half height, half length
RAID RAID 1 Mirrored RAID10
NIC/LOM 2x GbE LOM 2x GbE LOM
DRAC iDRAC7 Enterprise iDRAC7 Enterprise
USB 2 front/2 rear/2 internal 2 front/2 rear/2 internal
Power Supplies/ Redundant, 350W, Auto Ranging Redundant, 550W, Auto Ranging (100V~240V),
Details (100V~240V), ACPI compatible ACPI compliant
Fans 3 Non-redundant, non-hot swappable 4 Non-redundant, non-hot-swappable
Chassis 1U rack 1U rack
Dimension 42.8 x 434.0 x 677.3 (mm) (w/o bezel) 42.8 x 434.0 x 607 (mm) (w/o ear, w/o bezel)
(HxWxD) 1.68 x 17.08 x 26.66 (in) 1.68 x 17.08 x 23.9 (in)

Weight Max: 42.55 lbs (19.3Kg) Max: 43.87 lbs (19.9Kg)

Misc. Intrusion switch detects when cover is Intrusion switch detects when cover is
opened, Hype-threading(8 threads), opened, simultaneous multi-threading, status
128x20 LCD LCD module

TPAM 2.5
365
Administrator Guide
Table 167. Application specifications

Standard TPAM
Feature/
Standard DPA Enterprise TPAM
Spec
Standard cache
Operating Temp 10° to 35°C 10° to 35°C
Regulatory Class A: Australia/ N.Z. - AMCA or C-Tick Class A: Australia/ N.Z. - AMCA or C-Tick
Certifications Canada - SCC, IES Canada - SCC, IES
Additional country European Union - CE European Union - CE
certification
Germany - TUV Germany - TUV
available upon
request United States - FCC, NRTL United States - FCC, NRTL

TPAM 2.5
366
Administrator Guide
 About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.

Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
[email protected]

Technical Support Resources

Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:
• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Obtain product notifications
• Download software. For trial software, go to Trial Downloads.
• View how-to videos
• Engage in community discussions
• Chat with a support engineer

TPAM 2.5
367
Administrator Guide