How Terminal Integration Works
Terminal integration lets you integrate your CA Access Control endpoints with PUPM to increase security and accountability.
The following process explains how terminal integration works:
- A user uses automatic login to check out a privileged account password in CA Access Control Enterprise Management.
- CA Access Control Enterprise Management retrieves the endpoint details from the DMS and sends a pre-login message to the Message Queue. The message contains the name of the privileged account, the name of the user that checked out the account, and the name of the endpoint.
- The PUPM Agent on the CA Access Control endpoint retrieves the pre-login message from the Message Queue.
- When a user uses the privileged account to log in to the endpoint, the CA Access Control authorization engine checks the local database record for the privileged account and takes the following actions:
  - The engine checks whether the account requires an account checkout prior to login, that is, whether a user must use automatic login to log in to the endpoint. One of the following occurs:
    - If an account checkout is required and the PUPM Agent has not received a pre-login message for the privileged account, the engine rejects the login attempt.
    - If an account checkout is required and the PUPM Agent has received a pre-login message for the privileged account, the engine permits the login if no additional restrictions exist, for example, if no TERMINAL restrictions exist that prevent the login.
    - If an account checkout is not required, the engine permits the login if no additional restrictions exist.
  - The engine checks whether the user's original identity must be used to make authorization decisions. One of the following occurs:
    - If the user's original identity must be used, the engine uses the original user name to evaluate resource access requests and to write audit records.
    - If the user's original identity is not used, the engine uses the privileged account name to evaluate resource access requests and to write audit records.
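The decision sequence above, modelled as an added Python illustration (not CA Access Control code): a constructed account record, a constructed pre-login message as the PUPM Agent would pull it from the Message Queue, and the checks the authorization engine applies in order. Field names, the `allowed_terminals` stand-in for a TERMINAL restriction, and the fallback to the account name when no pre-login message names an original user are all assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PrivilegedAccount:
    """Constructed stand-in for the endpoint's local database record."""
    name: str
    checkout_required: bool        # must be checked out via automatic login first
    use_original_identity: bool    # authorize and audit as the checking-out user
    allowed_terminals: Set[str] = field(default_factory=set)  # empty: no TERMINAL restriction


@dataclass
class PreLoginMessage:
    """The three fields the page says the pre-login message carries."""
    account: str
    user: str
    endpoint: str


@dataclass
class Decision:
    permitted: bool
    effective_identity: Optional[str]   # name used for authorization and audit records
    reason: str


def evaluate_login(account: PrivilegedAccount, endpoint: str, terminal: str,
                   received: List[PreLoginMessage]) -> Decision:
    """Apply the engine's checks in the order the page describes."""
    # Did the PUPM Agent receive a pre-login message for this account on this endpoint?
    msg = next((m for m in received
                if m.account == account.name and m.endpoint == endpoint), None)

    # Check 1: checkout required but no pre-login message -> reject.
    if account.checkout_required and msg is None:
        return Decision(False, None, "checkout required and no pre-login message received")

    # Additional restrictions still apply (here a simplified TERMINAL restriction).
    if account.allowed_terminals and terminal not in account.allowed_terminals:
        return Decision(False, None, "TERMINAL restriction prevents login")

    # Check 2: which identity drives authorization and audit records.
    # Assumption: the original user is only known from the pre-login message,
    # so without one the engine falls back to the privileged account name.
    if account.use_original_identity and msg is not None:
        return Decision(True, msg.user, "permitted as original user")
    return Decision(True, account.name, "permitted as privileged account")
```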
More information:
Configure Terminal Integration
Implementation Considerations for Terminal Integration