PCS End-to-End Installation and Run Guide

This guide assumes that you already have the Delinea Platform set up for fundamental tasks and that you understand how to use them. See the following topics:

Delinea Platform Integration Center
Discovery for Active Directory users and servers
Setting Up a PRA Engines Site
Installing PRA Engines
Installing the Delinea Connector
Setting up MFA Creating Authentication Profiles
Using Secrets on the Platform (including how to place an account in the Secret Server vault)

Supported Operating Systems

The following operating systems are supported for PCS software.

Supported UNIX/Linux Platforms

Supported Platforms	CPU	Express	DirectControl	DirectAudit	Remark
AlmaLinux 8.5-8.10, 9.0-9.4	x86_64	Yes	Yes	Yes
Alpine Linux 3.17-3.20	X86_64	No	Yes	Yes
Amazon Linux 2 LTS	aarch64	No	Yes	Yes
Amazon Linux 2 LTS	x86_64	No	Yes	Yes
Amazon Linux 2023	x86_64	No	Yes	Yes
CentOS 7.4-7.9	aarch64	No	Yes	Yes
CentOS 7.0-7.9	x86_64	Yes	Yes	Yes
Debian 10.0-10.11, 11.0-11.7, 12.0-12.9	x86_64	Yes	Yes	Yes
Flatcar	x86_64	No	Yes	Yes
HP-UX 11.31 (Trusted and Untrusted)	Itanium	No	Yes	Yes
IBM AIX 7.2, 7.3	ppc	No	Yes	Yes	Note 3
IBM Virtual I/O Server 3.x	ppc	No	Yes	Yes
Oracle Linux 7.4-7.9, 8.0-8.10, 9.0-9.4	aarch64	No	Yes	Yes
Oracle Linux 7.0-7.9, 8.0-8.10, 9.0-9.4	x86_64	Yes	Yes	Yes
Oracle Solaris 10 u8+, 11.3-11.4	SPARC	No	Yes	Yes	Note 2
Oracle Solaris 10 u8+, 11.3-11.4	x86_64	No	Yes	Yes	Note 2
Red Hat Enterprise Linux 8.0-8.10, 9.0-9.4	aarch64	No	Yes	Yes
Red Hat Enterprise Linux 7.0-7.9	ppc64	Yes	Yes	Yes
Red Hat Enterprise Linux 7.1-7.9, 8.0-8.10, 9.0-9.4	ppc64le	Yes	Yes	Yes
Red Hat Enterprise Linux 7.0-7.9, 8.0-8.10, 9.0-9.4	x86_64	Yes	Yes	Yes
Fedora Linux 39, 40	x86_64	Yes	Yes	Yes
Rocky Linux 8.5-8.10, 9.0-9.4	x86_64	Yes	Yes	Yes
SUSE Linux Enterprise 12 SP3+, 15	aarch64	No	Yes	Yes
SUSE Linux Enterprise 12 SP3+, 15	ppc64le	Yes	Yes	Yes
SUSE Linux Enterprise 12 SP3+, 15	x86_64	Yes	Yes	Yes
Ubuntu Linux 20.04, 22.04, 23.10, 24.04	arm64	No	Yes	Yes
Ubuntu Linux 20.04, 22.04, 23.10, 24.04	ppc64el	No	Yes	Yes
Ubuntu Linux 20.04, 22.04, 23.10, 24.04	x86_64	Yes	Yes	Yes

Note 1: Please refer to the Planning and Deployment Guide for features supported on this platform.

Note 2: Starting with Release 2020, we require the OS patch level update 8 or above on Solaris 10.

Note 3: Starting with Release 2021.1, we require the TL1 or above on AIX 7.1.

Note 4: Smart Card doesn’t work on Ubuntu Linux 24.04 with this release due to a GNOME bug (#7562).

Additional Information

You should follow the OS vendors' recommendation to update the necessary patches. Here are the minimum patch requirements for the specific UNIX platforms (CS-45562):

HPUX 11.31
1. PHNE_40225 - Cumulative Console and BSD Pty Patch (it is required for DirectAudit package)
Solaris 10 x86_64
1. 119255-66
2. 127128-11
3. 141445-09
4. 142910-17
Solaris 10 SPARC
1. 119254-66
2. 120011-14
3. 127127-11
4. 142909-17

Supported Windows Platforms

The following 64-bit Windows platforms are supported:

Windows 10 LTSB/LTSC (Note 1)
Windows 11 LTSB/LTSC
Windows Server 2016
Windows Server 2019 LTSC
Windows Server 2022 LTSC
Windows Server 2025

Note:

We support Windows 10 Long Term Servicing Channel (LTSC), or previously called Long Term Servicing Branch (LTSB), editions based on Microsoft's lifecycle factsheet https://docs.microsoft.com/en-us/lifecycle/faq/windows and https://docs.microsoft.com/en-us/windows/release-health/release-information.

Procedure Overview

To set up Privilege Control for Servers to work on the Delinea Platform and your network servers, perform the following tasks:

Step 1: Configure Firewall Ports for PCS

Step 2: Set Up PCS Service Accounts

Step 3: Install the Delinea Connector on Managed Servers

Step 4: Enable IWA Service on Connectors

Step 5: Install the Delinea Platform Engine on Managed Servers

Step 6: Install the Delinea Agent on Managed Servers

Step 7: Run Discovery Scan

Step 8: Check Inventory for Your Added Machines

Step 9: Set Up Authentication Profiles for PCS

Step 10: Set Up PCS Policies

Step 11: Set Up Audit and Session Recording

Step 12: Set Up Use My Account for *nix Systems

Step 13: Test Use My Account

Step 1: Configure Firewall Ports for PCS

To use Privilege Control for Servers, be sure your firewall ports are configured appropriately, as described in Setting Up a Platform Firewall.

Step 2: Set Up PCS Service Accounts

On the Delinea Platform, create a domain service account with roles and permissions that are specific to PCS. This account is called a Command Relay Service Account. The account must be placed in the Secret Server vault to be used for setting up Delinea Platform Engine Management and its Command Relay workload (see Using the Command Relay Workload).

You must create at least one of these accounts, but you can also create more according to best practices for the Secret Server Discovery and Directory Services.

Step 3: Install the Delinea Connector on Managed Servers

The Delinea Directory Connector enables secure communication between the Delinea Platform and AD directories. Install the Delinea Connector on your target servers by following the procedures at Using the Delinea Connector and in these sections:

Step 4: Enable IWA Service on Connectors

Enable Integrated Windows Authentication for PCS by following the procedure at Configuring IWA.

Step 5: Install the Delinea Platform Engine on Managed Servers

Delinea Platform Engine and Engine Management are components of the larger Delinea Platform product, and they are requirements for using Privilege Control for Servers. The Delinea Platform Engine runs two workloads for PCS:

Command Relay
Audit Collector

On the server where the Delinea Platform Engine will be running, along with its Command Relay and Audit Collector workloads, log in as a user with the custom role you created for viewing inventory. Download and install the Delinea Platform Engine on your target servers by following the procedures in Using Engine Management.

Updating the Platform Engine Management Settings

After installing the Delinea Platform Engine on your target servers, adjust the engine management settings.

From the left navigation, select Settings, then Engine Management.
Select the site that you want to update using the vaulted secret you just created.
Click the Settings tab.
Click Edit next to Audit Collector.
Enter the following settings:
- Collector Port: 5063
- Session Recording: enabled
Click Save.
Next to Command Relay, click Edit.
Next to Command Relay Service Account, click Select.
Search for and select the vaulted engine management account you created earlier.
Click Turn off folder inheritance and share secret.
Click Save.

Updating the Platform Engine

The Delinea Platform Engine version 1.2.33.0 or later is required for PCS. You might need to update the software version for your Delinea Platform Engine.

Click Settings, then click Engine Management.
Click the name of the site where your Delinea Platform Engine is installed.
Click the Engines tab.
Look at the Version column.

If the version is not 1.2.33.0 or later, you must update the engine as follows:

In the Engines tab, click the name of the engine.
Click the Workloads tab.
In the Command Relay row, look at the Version column.
If the version is not 1.0.94 or higher, restart the Delinea Platform Engine service on the server that is running the Delinea Platform Engine. Wait for Command Relay to update.
Log in to the server running the Delinea Platform Engine.
Open PowerShell as an administrator.

Copy the following script:


Clear-Host;Write-Host "Uninstalling Delinea Platform Engine"; $ZipFile = "$env:TEMP\DelineaEngineInstaller.zip"; $InstallerFolder = "$env:TEMP\$(New-Guid)"; $ProgramFilesFolder = 'C:\Program Files\Delinea Platform Engine'; $ProgramDataFolder = 'C:\ProgramData\Delinea Platform Engine'; $ProgressPreference = 'Continue'; Write-Host "Downloading latest installer packages. This may take a moment..."; if (Test-Path $ZipFile) { Remove-Item $ZipFile } if (Test-Path $InstallerFolder) { Remove-Item $InstallerFolder -Recurse -Force } $Uri = 'https://enginepoolupdatedev.blob.core.windows.net/shell-installer/555173/win-x64.zip'; if ($PSVersionTable.PSVersion -lt [Version]"6.0") { $ProgressPreference = 'SilentlyContinue' } Invoke-WebRequest $Uri -OutFile $ZipFile; $ProgressPreference = 'Continue'; Expand-Archive $ZipFile $InstallerFolder; Remove-Item $ZipFile;Set-Location -Path $InstallerFolder; ./Delinea.EnginePool.Engine.Installer.exe uninstall --keep-working-directory; if (Test-Path $ProgramFilesFolder) { Remove-Item -Recurse -Force $ProgramFilesFolder; } if (Test-Path $ProgramDataFolder) { Remove-Item -Recurse -Force $ProgramDataFolder; }

Paste the script into PowerShell.
Run the script.

If errors happen during the uninstall, close the PowerShell windows, launch PowerShell again as administrator, and run the uninstall script.
On the Delinea Platform, click Settings, then click Engine Management.
Open the site where the Delinea Platform Engine is installed.
Click the Engines tab.
Click the engine name.
Click Delete Engine.

Step 6: Install the Delinea Agent on Managed Servers

Now that you have installed the Delinea Platform Engine, install the Delinea Agent on your managed servers.

Before running the procedures in this section, we recommend you see the additional content at Agents Reference.

Checking for Agent Installation

To see whether the Delinea Agent is already installed on a given computer, view the computer's information in the Inventory page. See Using Inventories . If the agent is installed, the Client Version field shows a software version number.

Downloading the Agent

To download the agent software:

Log in to your Delinea Platform tenant.
From the left navigation, select Marketplace, then Download Center.
In the Search box, enter Agent.
Find the agent for your operating system.
Click the download icon.
Wait for the package to compile and download.
Copy the download package to the server you want to manage.

Installing the Linux Agent

To install the Delinea Agent on a managed server that is running the Linux operating system, use the steps in this section.

To get more details about the Linux agent, see Agents Reference.

Requirements

Perl (and the following modules: lib, File::Basename, File::Copy, File::Find, File::stat, Getopt::Long, Sys::Hostname and Text::ParseWords)
Forward and Reverse DNS entries for each *nix Server

If you require a different version of *nix agent, visit the following site:
https://<tenant>.delinea.app/view/marketplace/browse/authorization/agent-downloads-grid

You can also update the agent installation script to use the new URL for the agent download.

Steps:

Log in to your Linux server as root user.
Create a folder (for example, delinea-agent) and extract the package that you downloaded in Downloading the Agent:
```
# mkdir delinea-agent
```
```
# tar -xzf rhel6-x86_64.tgz -C delinea-agent/
```
Navigate to the folder that you created in the previous step:
```
# cd delinea-agent/
```

Install the Linux Agent:

# ./agent_setup.sh --domain <domain name>

There are several options you can specify if needed. For more information, display the documentation of agent_setup.sh:
# ./agent_setup.sh --help

Joining to an Active Directory Domain

For the UNIX computers where you have installed the Delinea agent, you need to join them to the Active Directory domain and the Privilege Control zone DelineaZone. To do this, use the adjoin command, either interactively at the command line or in a script. To use this command, you need to have certain privileges, and it must be run with a set of required command-line options. For details, see Joining Linux/UNIX Computers to a Domain and Zone.

Installing the Windows Agent

To install the Delinea Agent on a managed server that is running the Windows operating system, use the steps in this section.

Requirements:

.Net 4.8
Must be joined to the Active Directory domain and zone'/99

Steps:

Log in to the server as domain administrator.
In the File Explorer, right-click the .zip file that you downloaded in Downloading the Agent and select Extract All....
Click Extract.

When extraction is complete, the files appear in a new File Explorer window.

The container package is in Zip format, but the files inside are in TGZ format.
Open the Agent-for-Windows-6... folder.
Launch the agent for Windows 64.
Click Next. The Delinea Agent for Windows Wizard opens.
Click Next.
Accept the terms of the license agreement and click Next.
Keep the default destination folder and click Next.
Click Install.
Select Run Agent Configuration Wizard.
In the Agent Configuration Wizard, click Add Service.
Click Privilege Elevation Service, then click OK.
Select the DelineaZone, then click Next.
Click Yes to add the Domain Admins.
Click Yes to Restart.

Step 7: Run Discovery Scan

To run discovery:

From the left navigation, select Discovery, then Sources.
Click Run Discovery Now.
From the drop-down menu, select Run Discovery Scan.

It might take a minute or two for the Discovery Scan to complete.

Step 8: Check Inventory for Your Added Machines

To verify that your added machines are present:

From the left navigation, select Inventory, then Computers.
On the Computers page, verify that your computers have been added.

Step 9: Set Up Authentication Profiles for PCS

Authentication profiles are required for PCS to function. Follow the concepts and steps in Creating Authentication Profiles.

Be sure to follow these guidelines while setting up authentication profiles for PCS:

Endpoint Login Profiles: Authentication profiles for Endpoint Login policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first.
Local Administrator Privilege Profiles: Profiles for Local Administrator Privilege policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first.
Emergency Access Profiles: You do not need to create any profiles for Emergency Access policies, because their Rule Type is always Allow.

Step 10: Set Up PCS Policies

PCS authentication policies provide users with machine-level (server) permissions for logging in to remote computers and servers managed by Delinea Platform and performing actions on them. By assigning machine-level policies, you can ensure that each asset adheres to compliance standards, maintaining both security and efficiency across your network. For a policy to grant access, all the policy's rules and conditions must be satisfied, and the user must not be denied access by a different policy with the same rules and conditions.

Viewing Policies

From the left navigation, select Policies. The Policies page opens, listing each policy available in your platform environment on a table row, with columns for details including the policy name, state, deployment status, and policy type.

Deployment Status

Deployment Status refers to the deployment of the policy on the target. The status can be Active, Activating, Active - incomplete, Activation Failed, Deactivating, Deactivation Failed, or Inactive. The Activating and Deactivating statuses appear for just a few seconds.

When the policy is not being enforced on one or more targets that are included in the policy, because the Delinea Agent is not installed on the targets, a warning message is displayed in the Deployment Status area. Click the message to get a list of the affected computers.

Creating a Policy

To define a policy, use the following steps.

From the left navigation, select Policies. The Policies page opens, listing each policy available in your platform environment.
Click Create Policy.
On the Create Policy page, click a radio button to select a policy type from among the types listed. A policy type is defined by the events you want to control. Select one of the following:
- Emergency Access: Users who meet the conditions defined in this policy can log in and perform elevation actions when a server can not communicate with the Delinea Platform.
  
  We strongly suggest that you define and enable an Emergency Access policy, at the minimum, to avoid losing access to your Delinea Platform instance.
- Endpoint Login: Users who meet the conditions defined in this policy can log in to any computer where the policy is enabled.
- Local Administrator Privileges: Users who meet the conditions defined in this policy gain administrative privileges on the target agent. The user can run any command as administrator or root. On Windows, the Run with Privilege option is used; on Linux, the dzdo command is used.
- Granular Privilege Elevation:
  
  For users who meet the conditions defined in this policy, administrators can assign elevated permissions so they can run commands on Windows and Unix/Linux servers.
  
  In a standard UNIX shell environment, an ordinary user account can execute a large number of common command-line programs without any special privileges, but one or more administrative accounts, such as root, are required to execute commands that perform privileged operations. If ordinary users need to execute any of the commands requiring administrative privileges, they might have to switch to an administrative account that requires them to know the password for a privileged user, or they might be granted access by configuration settings in a sudoers file. A Granular Privilege Elevation policy makes it easier to grant this sort of access. You can grant certain users permission to execute commands that would otherwise require administrative or root privileges.
Click Select template. A page opens where you can create a new policy. For details about how to fill out this page, see the next few sections.

Policy Details

In the first section of the Create Policy page, specify the basic information about the policy.

Enter a policy name in the Name field.
(Optional) Enter a policy description in the Description field.
Select the box next to Enabled to enable the policy.

Command Groups

(For Granular Privilege Elevation policies only)

A Granular Privilege Elevation policy controls access on Delinea Platform managed computers to all the commands in the command group. In this section of the Create Policy page, choose one or more command groups to specify which commands you want to enable users to run.

Each command group contains a set of command-line programs. Before you can add command groups to a policy, you must first define the commands, then add them to command groups, as described in the next few sections.

Creating Commands

If needed, create one or more new commands. Commands are configured by defining command rights, adding the rights to the appropriate roles, and assigning the roles to different users and groups. Users who have been assigned the appropriate roles can then run privileged commands by invoking the dzdo command.

The most common reason for defining a command right is to grant access to commands that perform privileged operations. For example, you might want to grant users additional privileges to execute specific commands in a standard shell environment that they are not otherwise allowed to execute with the default rights associated with their account.

You can define command access rights to tightly control the specific commands users can execute. You can also refine those rights to only allow specific arguments to be used or to require an executable to be located in a specific directory.

From the left navigation, select Policies, then Commands.
Click Create command and choose the operating system: Linux/Unix or Windows.
Click Create custom command.
Enter a name and (optional) description.

The name is required and must not be more than 63 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (“).

The rest of the steps depend on whether you are defining a Linux/Unix command or a Windows command.
- For a Linux/Unix command, use steps 5 - 8.
- For a Windows command, use steps 9 - 12.
(Linux/Unix) In Command, give the name of the command as you would enter it at the command line; for example, vi.

You can also use wild cards or a regular expression to specify commands matching a particular pattern.
(Linux/Unix) In Arguments, give any input arguments that the command requires; for example, /etc/ssh/sshd_config to edit the SSH server's config file. Glob pattern matching is used to expand any wildcard expressions. If you do not specify any arguments, the default value of asterisk (*) is used.
(Linux/Unix) In Match path, choose the path where the command can be found:
- Select Standard user path to use the local operating system’s common set of user directories to find the command; for example, /bin, /usr/bin.
- Select Standard system path to use the directories the root user would normally get on the local operating environment to find the command; for example, /sbin, /usr/sbin
- Select System search path to search for the command in a predefined set of locations. The search locations are defined using the dzdo.search_path configuration parameter. If you select System search path and the dzdo.search_path parameter is not defined, the current user’s path is used to search for the command. For example, /sbin, /usr/sbin, /bin, /usr/bin.
- Select Specific path to define a custom set of locations for finding the command specified. You can specify one or more paths, separated by a colon. If you set both Command and Specific path to match all strings (*), any command from any path is allowed.
(Linux/Unix) In Run command as, choose the user role that determines the permissions that will be used to run the command. You can specify a user account or run the command as root. The user account must be present on the endpoint.

In most cases, the local root account is the appropriate account to use, because it allows ordinary users to execute the specified command using root account privileges. However, you can click Add to add other users, groups, or service accounts that can be used to execute the command. Use the format #UID for UID values, %group for group names, or %#GID for GID values.

The account used to execute commands can be an Active Directory user with a UNIX profile in the zone or a local UNIX user account. However, the account used to log on and invoke the command using dzdo must be associated with an Active Directory account.

The role that is set in Run Command As is only applicable to users executing policies under the dzdo command. Users with the Restricted Shell (dzsh defined as their login shell) continue to execute policies as the logged-in user.
(Windows) In Application, give the name of the application runtime file; for example, taskschd.msc.
(Windows) In Arguments, give any input arguments that the application requires; for example, \s. If you do not specify any arguments, the field is left blank.

The use of the asterisk (*) as an argument is not supported. The value /* can be used as an argument, but it does not act as a wildcard. The literal text /* is used.
(Windows) In Match path, choose the path where the command can be found:
- Standard system path
- Specific path; for example, %systemroot%\system32\
(Windows) In Run command as, select one of the following to choose the user or group whose permissions will be used to run the command:
- To use a Windows built-in security group: Choose Built-in group from the dropdown, then choose one of the provided Active Directory security groups. For more information about these groups, see Active Directory security groups in the Microsoft documentation.
- To use an individual user: Choose AD domain user from the dropdown, then click Select a domain user to search for and select a user account. The user account must be present on the endpoint.
- To use an Active Directory security group that is defined in one of the domains accessible to your policy: Choose AD domain group from the dropdown, then click Select a domain group to search for and select an Active Directory domain group.
Click Create command.

The command is saved, and the Commands list page is displayed again. The new command appears in the list.

If needed, repeat these steps to create more commands.

Creating Command Groups

After creating all the commands you need, create command groups.

From the left navigation, select Policies, then Command groups.
Click Create command group.
Enter a name and (optional) description.
Click Assign command.
Click one or more checkboxes next to the commands you want to include in the command group.

If you are not sure which commands to choose, you can click the name of any command to see its details.
Click Create group.

If needed, repeat these steps to create more command groups.

Adding Command Groups to the Policy

After creating all the command groups you need, you are ready to fill out the Command Groups part of the Create Policy page for a Granular Privilege Elevation policy.

Click Add command groups.

The Select Command Groups page shows all the command groups that have been defined.
Click one or more checkboxes next to the command groups you want to include in the policy.

If you are not sure which groups to choose, you can click the name of any group to see which commands it includes.

Modifying Commands and Command Groups

You can edit commands and command groups after creating them and adding them to policies. To do so, display the command or command group and click Edit or Delete.

The Delinea Platform keeps track of changes to commands and command groups. The platform records the modification date and the username of the person who made the change. The platform then updates its display wherever the changed entity is shown.

For example, when a command is modified, the modification date and username are updated and displayed in the following pages:

Commands page, which lists all of the commands
Pages for any command group that contains the command
Pages for any policy that includes a command group where the command is a member

When a command is added to a command group or removed from a command group, the date and username are updated and displayed in the following pages:

Command Groups page, which lists all the command groups
Pages for any policy that includes the command group

When a command is deleted, the date and username are updated and displayed in the following pages:

Pages for any command group that contained the command
Pages for any policy that included a command group where the command was a member

When a command group is deleted, the date and username are updated and displayed in the pages for any policy that included the command group.

Policy Subjects

After filling out the Policy Details section, choose the policy subjects. Subjects are the users and user groups your policy can apply to, based on the template you selected earlier.

Scroll down to the Subjects section to see a list of available subjects.
Click the Add Subjects button.
Select the box next to each AD user and user group you wish to add to the policy.
Click the Update button.

Policy Targets

Targets are the computers and computer groups your policy can apply to. The target is where the Subject can perform an action, based on the template you selected earlier.

Scroll down to the Targets section.

To define the targets, make one of the following choices:
- To add individual computers and computer groups, click Add computers. In the Select Computers dialog, select the box next to each computer and computer group your policy will apply to.
  
  Computers where the Delinea Agent is installed and AD computers where the Delinea Agent is not yet installed can all be selected as policy targets. To see whether a computer has the agent installed, see Checking for Agent Installation.
- To add collections, click Add collections. In the Select Collections dialog, select the box next to one or more collections, then click Add Collections. For more information about collections, see Computer Collections.
Click the Update button.

When you finish defining the policy and you set its status to Enabled, the policy will start to be enforced on the selected targets where the Delinea Agent is installed.

For any target that does not have the Delinea agent installed, a policy that is set to Enabled will start to be enforced whenever the agent is installed and the target is joined to a domain and zone. A message is displayed on the Policy page to let you know when one or more targets that are included in the policy are not being enforced because the agent is not installed. Click the message to get a list of these computers so you can remedy the situation. You can download the list in CSV format.

For more information about installing the agent or determining whether it is already installed on a computer, see Step 6: Install the Delinea Agent on Managed Servers.

Policy Conditions

(Optional) Conditions define when or how the policy should by applied. If a policy has a time range condition, the policy will apply only within that time range. All of the time conditions must be met. Local time, not universal time, is used.

If a policy has no time range condition, the policy will apply at all times.

Scroll down to the Conditions section.
Click Add Condition.
In Condition Type, click inside the Search or pick one box.
Select one of the condition types displayed or enter text to search.

When you have selected a condition type, options appear below Constraint.
Set the constraints for the condition you selected.
To add another condition, click Add Condition again and follow the same procedure.

Policy Controls

Controls are additional requirements the user must meet to fulfill the requirements of the policy. All of the control conditions must be met.

Policy controls can be set in the following ways:

MFA. Requires multi-factor authentication. If you select MFA, a new Search or pick one box appears. Select an Authentication Profile to specify which MFA challenges the user must pass and how much time will elapse before the user is prompted again for authentication. Emergency Access profiles always allow access without MFA, so the option is not shown.
Require Session Recording: Denies access if session recording cannot be performed on the endpoint. For example, session recording is not available if the audit service is not enabled on the endpoint or a session recording process is blocked. Require Session Recording can be assigned as the only control, or in conjunction with MFA. Require Session Recording can be also be applied to local administrator privileges. Emergency Access profiles always allow access without session recording, so the option is not shown.

To define policy controls:

Scroll down to the Controls section.
Select MFA if you want to require multi-factor authentication.

Emergency Access profiles always allow access without MFA, so the option is not shown.
If you selected MFA, a dropdown list box appears. Select an authentication profile.
In Session Recording, select one or both of the following:
- Audit enabled: Select this option to record the user's activity.
- Required: Select this option if you want to deny user access when session recording can not be performed. Audit enabled must also be selected. If the Required option is not selected, but Audit enabled is, the user's activity is audited if possible, but user access is not denied if auditing is not possible.
  
  Emergency Access profiles always allow access without session recording, so the Required option is not shown.
When you have made all the required changes, click Create Policy.
Click Activate to activate the policy.

Enabling IWA on the Default Identity Policy

For PCS to function, IWA must be enabled on the default identity policy.

From the left navigation, select Access, then Identity policies.
Click to open the Default Policy.
Select the Authentication tab.
Scroll to the Other Settings section and click Edit.
Enable IWA connections and the two available IWA options.
Click Save.
Log in to the Delinea Platform as one of the AD users you created.

Step 11: Set Up Audit and Session Recording

To track events on Delinea Platform, you can set up audit logs and session recordings. See Audit.

From the left navigation, select Insights, then Session review.
Log into the server as the administrator, root, or normal AD user.

To Configure on Linux:

Do not skip these steps. The Linux agent requires Direct Audit to be enabled on the Agent when policies have session recording enabled. If you skip these steps, and enable Session Recording in a Granular Privilege Elevation policy for Linux, you could be blocked from logging in to the Linux agent. See Session Recording Stops Linux Agent Login.

Log in as root user.
Enter the following commands:
- dacontrol -i DelineaPlatformAudit
- dacontrol -e
- dainfo

To Configure on Windows:

Log in a Domain Administrator.
Launch Agent Configuration.
Click Add Service.
Select Auditing and Monitoring Service.
Click OK.
On theEnable session capture and replay page, select DelineaPlatformAudit.
Click Next.

Audit and Monitoring configuration is complete.

Viewing Audit Session Recordings

From the left navigation, select Insights, then Session review.

Linux

Run commands as root user.
Run commands as normal AD users.
1. Elevate commands as a normal AD user having the Local Administrator Privileges policy using the dzdo command.

Windows

Run programs as the administrator.
Run commands as a normal AD user.
1. Launch elevated desktop as a normal AD user having the Local Administrator Privileges policy.

Step 12: Set Up Use My Account for *nix Systems

This section describes several different ways to set up Use My Account.

Using Delinea OpenSSH

To automatically set up UMA for *nix systems, run the agent_setup.sh script during the agent installation.

Using OS Stock Version of OpenSSH

The agent_setup.sh script automatically sets up UMA during the agent installation process.

Using Automatic Script for UMA

Navigate to where you downloaded the agent from the Delinea Marketplace.

Run the following script with root permissions:

./uma_setup.sh --install-cakey-file delinea_<tenantname>_date.pub -v

Example:

./uma_setup.sh --install-cakey-file delinea_jwtraining-us_20240125_124856.pub –v

Using Manual Steps

Navigate to and open the folder where you downloaded the agent from the Delinea Marketplace.

The agent is a .pub file in the following format:

delinea_{tenant-name}_{download-date}.pub
Copy the .pub file to the ssh directory.

Example:

cp delinea_{tenant-name}_{download-date}.pub /etc/ssh/users_ca.pub

cp delinea_fishing_20231213_041058.pub /etc/ssh/users_ca.pub
Make a backup copy of the sshd_config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_121323bk
Edit the sshd_config file with the following lines:
- Example command: vi /etc/ssh/sshd_config
- AuthorizedPrincipalsCommand /usr/bin/adquery user -P %u
- AuthorizedPrincipalsCommandUser root
- TrustedUserCAKeys /etc/ssh/users_ca.pub
Restart OpenSSH Service.

Example:

systemctl restart sshd.service

Step 13: Test Use My Account

UMA is only for *nix systems with the agent installed that is joined to the domain and zone.

Log in to the platform as an AD user with permission to log in to the Linux system.
From the left navigation, select Inventory.
Find and the server with the agent installed that is joined to the domain and zone.
Hover your cursor over the row with the target computer, and click the launch icon.
Select Launch with My Account.

When reusing the same tenant for testing and the same SE Lab Template, make sure you delete all AD users from the platform.