Setting Global Security Options
As a user with the System Administrator role, you can set security and maintenance options that apply globally to all of the systems, domains, or databases you add to the Privileged Access Service. Most of these settings are the same as those described in the following topics:
- Setting System‑specific Policies
- Setting System‑specific Advanced Options
- Setting Domain-specific Advanced Options
- Setting Database-specific Advanced Options
After you set a global security option, that setting becomes the default used for all systems, domains, and databases unless you explicitly set a system-specific, domain-specific, or database-specific option to override it.
For more information about global security options that cannot be set for individual systems, domains, or databases, see:
- Updating the SSH Gateway Banner
- Downloading the SSH Master Key File
- Password Profiles
- Allow Permanent workflow requests for password checkouts
- Allow Permanent Workflow Requests for Login
- Enable Periodic SSH Key Cleanup at Specified Interval (days)
- Enable Periodic SSH Key Rotation at Specified Interval (days)
- Require Secure Communication Method for Remote (RDP) Connections
- Viewing All System Admin Sets
- Configuring Cloud Directory Lookup Priority
Updating the SSH Gateway Banner
If you enable SSH gateway for a connector, remote sessions display a default welcome message to authorized users when they log on using a native SSH client. You can review or modify the message displayed by selecting Settings > Resources > Security Settings and selecting the Enable Custom Banner option.
If you disable the SSH gateway for a connector, the message is not displayed.
To restore the default gateway banner, select Resources > Security Settings > Enable Custom Banner, then remove the custom banner text.
For more information about using remote client programs to connect to target systems, domains, or databases, see Configuring remote client operations and settings.
Password Profiles
In addition, you can use the global security settings to identify the default password complexity profile you want to use or create a new one for each type of system, domain, or database account you add to the Privileged Access Service. For example:
The default password profile provided for each type of system, domain, or database will only include the appropriate supported special characters. If you clone a profile or change the profile mapping to create custom password profiles, you should be aware that some special characters might not be supported on a given system, domain, or database and should not be used in the password.
To Set Global Security Options
- In the Admin Portal, click Settings, then click Resources to display the settings available for Privileged Access Service.
- Click Security Settings.
- Select the specific policies you want to use as global policies. For more information about these policies, see the information pop-up help or the descriptions of the advanced options for systems, domains, or databases.
- Click Save.
Allow Permanent workflow requests for password checkouts
Uncheck to disable or check to enable the ability to request permanent permission for the user to check out a password.
Allow Permanent Workflow Requests for Login
Uncheck to disable or check to enable the ability to request permanent permission for the user to login.
Enable Periodic SSH Key Cleanup at Specified Interval (days)
Specifies whether retired SSH keys should be deleted periodically. Check to enable periodic SSH key cleanup, or uncheck to disable it.
Enable Periodic SSH Key Rotation at Specified Interval (days)
Specifies whether managed SSH keys should be rotated periodically. Check to enable periodic SSH key rotation, or leave unchecked to disable it.
Require Secure Communication Method for Remote (RDP) Connections
Check to require SSL or client negotiation to secure communication between clients and RD Session Host servers. When the client negotiates the method, native RDP encryption may be used for communication between the client and the RD Session Host server; in that case the RD Session Host server is not authenticated.
We do not recommend disabling this option.
Configuring Cloud Directory Lookup Priority
For Windows systems that are joined to Active Directory and have the Delinea Client installed, you can make sure that the service looks for UPNs in the cloud directory only by specifying a comma-separated list of domain suffixes in the field labeled Use the cloud directory to look for users based on UPNs that match the following domain suffixes (Windows only). This setting is available in Settings > Resources > Security > Security Settings.
If this list is empty or a UPN suffix doesn't match any suffixes in this list, the service looks for the UPN in Active Directory first; if the user isn't in Active Directory, the service then looks for the UPN in the cloud directory.
For example, if the affected users are alex@acme.com and joe@foo.com, enter "acme.com, foo.com" in this field.
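The lookup-priority rule above, modeled as an added example (not Delinea's code) so an administrator can check which directory a given UPN will be resolved against. It assumes suffixes are compared case-insensitively against the exact UPN domain and that stray whitespace and empty entries in the field are ignored.

```python
# Added example, not part of the Privileged Access Service product code.
# Assumptions: suffix comparison is case-insensitive and exact (sub.acme.com
# does not match acme.com); whitespace and empty entries in the field are ignored.

def parse_suffix_field(field: str) -> list[str]:
    """Split the comma-separated 'domain suffixes' field into clean suffixes."""
    return [s.strip().lower() for s in field.split(",") if s.strip()]


def lookup_order(upn: str, field: str) -> list[str]:
    """Return the directories the service queries, in order, for this UPN.

    - UPN suffix present in the configured list -> cloud directory only
    - Empty list, no match, or malformed UPN    -> Active Directory first, then cloud
    """
    suffixes = parse_suffix_field(field)
    _, sep, domain = upn.rpartition("@")
    if sep and domain.lower() in suffixes:
        return ["cloud"]
    return ["active_directory", "cloud"]


if __name__ == "__main__":
    # Constructed sample: the field value from the example above.
    field = "acme.com, foo.com"
    for upn in ("alex@acme.com", "joe@foo.com", "sam@bar.com"):
        print(upn, "->", lookup_order(upn, field))
```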