Enterprise Administration Guide › Configuring SAM Endpoints › Configure Terminal Integration

Configure Terminal Integration

Terminal integration lets you integrate your CA ControlMinder endpoints with SAM to track the activities of users who check out privileged accounts. Terminal integration also lets you specify that a user must use automatic login to log in to a CA ControlMinder endpoint with the privileged account.

Before you configure terminal integration, verify the following:

• The privileged account for which you want to configure terminal integration exists in CA ControlMinder Enterprise Management.
• Terminal integration is enabled on the endpoint, that is, the value of the EnableLogonIntegration configuration setting in the PUPMAgent section is 1.

  Note: Terminal integration is enabled by default when you install CA ControlMinder with the SAM integration feature enabled. If you enable terminal integration but do not configure it, CA ControlMinder does not enforce terminal integration on any accounts.

• Verify that policyfetcher is configured and running on the endpoint.
• (UNIX) CA ControlMinder uses PAM login interception for the login program that is used to connect to the endpoint.

  For example, if users use SSH to connect to the endpoint, verify that CA ControlMinder uses PAM login interception to intercept SSH logins.

  Note: For more information about PAM login interception and the LOGINAPPL class, see the selang Reference Guide.

The following procedure explains how to configure terminal integration for a single privileged account. You can use a policy to configure terminal integration for privileged accounts with the same name on multiple endpoints.

Follow these steps:

1. In CA ControlMinder Endpoint Management, click Users tab, Users subtab, and search for the privileged account for which you want to configure terminal integration.

   Note: For more information about how to manage users in CA ControlMinder Endpoint Management, see the Online Help.

2. Select the privileged account.

   The General tab of the Modify User task page appears.

3. Select one or both of the following options in the Account section:

   Use original identity

   Specifies that CA ControlMinder uses the name of the user who checked out the privileged account, not the privileged account user name, when it writes audit records and makes authorization decisions.

   Requires an account checkout prior to login

   Specifies that a user must use automatic login to log in to the endpoint with this privileged account. Automatic login lets a user check out a password and automatically log in to an endpoint from CA ControlMinder Enterprise Management.

4. Click Save.

   You have enabled and configured terminal integration for the privileged account.

Example: A Policy That Configures Terminal Integration

The following policy configures terminal integration for an account named administrator. The policy specifies that CA ControlMinder uses the original user name when it writes audit records and makes authorization decisions, and that users must use automatic login to log in to the endpoint as administrator:

editusr administrator pupm_flags(use_original_identity)
editusr administrator pupm_flags(required_checkout)

More information:

Terminal Integration

How Terminal Integration Works

Implementation Considerations for Terminal Integration