

How Terminal Integration Works

Terminal integration lets you integrate your CA ControlMinder endpoints with SAM to increase security and accountability.

The following process explains how terminal integration works:

  1. A user uses automatic login to check out a privileged account password in CA ControlMinder Enterprise Management.
  2. CA ControlMinder Enterprise Management retrieves the endpoint details from the DMS and sends a pre-login message to the Message Queue. The message contains the name of the privileged account, the name of the user that checked out the account, and the name of the endpoint.
  3. The SAM Agent on the CA ControlMinder endpoint retrieves the pre-login message from the Message Queue.
  4. When a user uses the privileged account to log in to the endpoint, the CA ControlMinder authorization engine checks the local database record for the privileged account and takes the following actions:
    1. The engine checks whether the account requires an account checkout before login, that is, whether a user must use automatic login to log in to the endpoint. One of the following occurs:
      • If an account checkout is required and the SAM Agent has not received a pre-login message for the privileged account, the engine rejects the login attempt.
      • If an account checkout is required and the SAM Agent has received a pre-login message for the privileged account, the engine permits the login if no additional restrictions exist, for example, if no TERMINAL restrictions exist that prevent the login.
      • If an account checkout is not required, the engine permits the login if no additional restrictions exist.
    2. The engine checks whether the user's original identity must be used to make authorization decisions. One of the following occurs:
      • If the user's original identity must be used, the engine uses the original user name to evaluate resource access requests and to write audit records.
      • If the user's original identity is not used, the engine uses the privileged account name to evaluate resource access requests and to write audit records.
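The following is an added model of the flow above, not CA ControlMinder's own code: a pre-login message queue, a SAM Agent that picks up messages for its endpoint, and an authorization engine that applies the two checks (checkout required, original identity) plus a single TERMINAL-style restriction. Class and field names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model; names below are assumptions, not product data structures.

@dataclass
class PreLoginMessage:
    privileged_account: str   # account that was checked out
    checked_out_by: str       # original user who performed the checkout
    endpoint: str             # endpoint the checkout applies to

@dataclass
class AccountRecord:
    name: str
    checkout_required: bool          # must a checkout precede login?
    use_original_identity: bool      # audit/authorize as the original user?
    terminal_restriction: Optional[str] = None  # allowed terminal, None = any

class SamAgent:
    """Retrieves pre-login messages addressed to its own endpoint."""
    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self.pending = {}  # privileged account -> original user

    def poll(self, queue: list) -> None:
        for msg in [m for m in queue if m.endpoint == self.endpoint]:
            self.pending[msg.privileged_account] = msg.checked_out_by
            queue.remove(msg)

def authorize_login(record: AccountRecord, agent: SamAgent, terminal: str):
    """Return (permitted, identity used for authorization and audit)."""
    # Check 1: checkout required but no pre-login message -> reject.
    if record.checkout_required and record.name not in agent.pending:
        return False, None
    # Additional restriction (e.g. TERMINAL) still applies when checkout passes.
    if record.terminal_restriction and terminal != record.terminal_restriction:
        return False, None
    # Check 2: pick the identity for access decisions and audit records.
    original = agent.pending.get(record.name)
    # Assumption: with no known original user, fall back to the account name.
    identity = original if (record.use_original_identity and original) else record.name
    return True, identity

if __name__ == "__main__":
    queue = [PreLoginMessage("root", "alice", "host1")]  # constructed sample
    agent = SamAgent("host1")
    agent.poll(queue)
    print(authorize_login(AccountRecord("root", True, True), agent, "tty1"))
```

Running the module shows the login being permitted and audited as `alice`, while a login to an account with no matching pre-login message is rejected.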

More information:

Implementation Considerations for Terminal Integration