Setting up user access policy

User profiles or policies can be defined for a user or a user group. You may create multiple policies depending on the level of access you wish to grant. For example, you may want to set up restricted location-based access for remote users or restrict external users from accessing assets outside their working hours. This section will help you define required user access policies.

The system provides a Default User Access Policy which is applied to all new users added to the system via automated discovery via Active Directory or when added manually. You can update any policy type as a Default Policy.

Understanding policy parameters

The table below provides details about setting up policies for a user or a group of users while logging into the system and accessing functionalities of the system. Policies can be based on a combination of parameters or just individual parameters. At any point, only one policy can be enforced for a user.

Parameter	Description	Configuration
Session	Use this configuration to disable session recordings for users, disable live viewing of sessions, disable session termination, disable live view, disable session metadata, or disable session collaboration with other users. By default, all configurations are enabled for this section.	Session recording Session terminate Live view Enforce MFA For New Session Session metadata Session collaboration
Max session duration	Enabling this feature will set a max session duration limit for all sessions initiated by the user.	Days, Hours, Minutes
Session Banner	This configuration is used to display a message when you take a session	Text
Enforce Access via Jump Server	Can only access the session via Jump Server.
Allow RDP Direct	This checkbox only becomes available if Enforce Access via Jump Server is checked.
Access Request Scope	Use this setting when you would like to restrict the accounts only to mapped accounts when requesting Access via workflow	All Accounts As per Active Mapping As per Active Mapping (Named Accounts)
Enforce rotation after every session	Use this setting to change the password of the account after every session
Exclude User(s)	Select the users you would like to exclude from the policy.	This option is made available when Enforce rotation after every session is checked.
Update Password Scope	Use this setting when you would like to restrict the accounts only to entitled accounts when requesting for password change	Do not allow Allow for named accounts in entitlement Allow for all accounts in entitlement
Upload File Size	Use this setting to specify the file size to be uploaded. To upload a file without any size limit, select the “No Limit” checkbox of the Upload File Size option. If any value is entered in the Upload File Size field, the system will show an error if the file size exceeds the mentioned value.	No Limit Predefined file size
Download File Size	Use this setting to specify the file size to be downloaded. To download the file without any size limit, select the “No Limit” checkbox of the Download File Size option. If any value is entered in the Download File Size field, the system will show an error if the file size exceeds the mentioned value.	No Limit Predefined file size

Adding a new policy

You can add a new policy by navigating to the "Policies" tab on the navigation bar at the top. You can then select 'User Access Policy' from the sidebar. Policies can be based on time-based restrictions, schedule, location, IP Address, session duration, etc.

Editing an existing policy

To edit any existing policy parameters, select the policy name and edit the desired parameter. The system, by default, installs a default policy. This can be toggled to update policy from the User Access Policy Page and update the Default policy flag.

Providing access permissions

You can define clipboard and file-sharing permission based on an access type and user access policy. For example, if you want to allow only internal users to copy files on an RDP session and restrict copy file permission for external, apply respective permissions for each user based on a policy. To apply for access permission for a user policy, follow the steps below:

Navigate to the policy by selecting PAM from the product navigator and select user access policy from the sidebar.
Select the policy on which you want permission and click the Action icon.
Under the Manage Permissions tab, you will be able to view available access types configured in the system.
Under the access permission columns written as Allow File Download, Allow File Upload, Allow Clipboard, and Disable Access for the respective access type.
Click the Save button, and your policy will have those access permissions you checked on.

Setting default policy

You can set the policy as default by clicking on any of the 'Set as Default' options, which will automatically convert it into a default policy.

Viewing linked users

You can check the list of users assigned to a particular policy. This highlight will help you to get a consolidated view of users with the same policy. In addition, you will get information such as the Authentication Type, Department, Manager, and Status of the user.

To view the list of linked users, follow the steps below:

Navigate to the policy by selecting PAM from the product navigator and select the user access policy from the sidebar.
Click on the Action icon option.
Select the Linked Users tab and a list of users linked with the policy will be displayed.

Icon	Title
	Action
	Account