Device Groups Properties
Some Kron PAM features are managed via Device Groups. The features are activated by defining the device group properties.
Property Key | Definition |
addDeviceSshKeyToUserSelection | This property only applies to devices imported from AWS (Amazon Web Services). If the value is set as true, connecting to devices with an SSH key is offered as a connection option. This property can be used when the following conditions are set:
|
addManualLoginToUserSelection | This property applies to SSH/TELNET and RDP/VNC proxies in the Session Manager module. The default value is false. When the value is set as true, the user can manually enter the device username and password at the start of the session. |
addSessionUserToUserSelection | This property only applies to SSH/TELNET and RDP/VNC proxies in the Session Manager module. When the addSessionUserToUserSelection property is set as true on a device group, users can connect to target devices in the device group using their username to log in to Kron PAM. |
approvalRequiredForConnection | This property only applies to SSH and RDP proxies in the Session Manager module. When its value is set as true, managerial approval is requested via email for users to connect to devices in the device group. |
globalEnablePassword | This property only applies to the TACACS+ Access Manager module. Bot/script users need to use a common password to switch to enable mode in scripts. The globalEnablePassword property allows the definition of a common password for a device group, to be used when the enable password is prompted. |
globalPassword | The password of the globalUsername, to be used when connecting to all devices covered by the device group. |
globalSecretKey | This property only applies to the TACACS+ Access Manager module. The secret key to be used when authenticating all devices covered by the device group to TACACS+ servers. It is a mandatory property when using the TACACS+ Access Manager. |
globalSshKey | This property only applies to SSH proxies in the Session Manager module. If connecting to the device with an SSH Key is preferred, globalSshKey should be defined for the Device Group. |
globalSshKeyPassphrase | This property only applies to SSH proxies in the Session Manager module. If the device to be connected to has an SSH passphrase, globalSshKeyPassphrase should be defined for the Device Group. |
globalUsername | The username to be used when connecting to all devices covered by the device group. This username must be pre-defined as a user on all devices in the device group. |
sapmMailList | The sapmMailList is notified when the following situations occur in SAPM: • When a user retrieves a password for an SAPM account included in the device group. • If an error occurs during the password reset of an SAPM account included in the device group. • If the password cannot be verified while checking the password of an SAPM account included in the device group. • If a new user is detected on a device that has an SAPM account included in the device group. |
showInDeviceTree | This property is used along with the useAsRoleGroup property. When its value is set as false, the device group cannot be seen in the device inventory screen. Once devices are authorized with the main device group, this property can be set for the device group. After that, users cannot see this device group in their device inventory. Users with the same authorization level as the device group, defined by the group role, can still only see the other device groups. |
tag.DiscoverInterfaceType | When importing devices from cloud platforms, the Management IP is set according to the values of the defined property. Possible values are public and private. The default value is private. |
useAsRoleGroup | Some devices can be defined in multiple device groups. In this situation, device authorization can be defined in one device group. The useAsRoleGroup device group property value must be set as true for the device group in which authorizations are managed with policy enforcement, such as black key/white key. |
useSudoForLinuxAuditReport | This property only applies to the Linux Audit Report feature. The default value is false. If the globalUsername defined on the Device Group is a sudo user and sudo command execution is required to get report details, the property must be defined as true on the Device Group. |
addAssignedCredentialToUserSelection | The default value is false. When the value is set as true, users can use their assigned credentials on the target device. For more details, please refer to the Assigned Credentials chapter. |
sessionDurationLimitMinute | User session duration can be limited. |
reasonRequiredForConnection | When the value is set as true, a comment/reason field appears when users try to connect to the devices in the device group. The text entered here will appear in the session logs, managerial approval emails and notifications (if enabled). |
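
The dependencies the table states between properties can be checked mechanically before a device group goes live. This is an added example, not Kron PAM code: the function name `check_device_group` and the dict-of-strings input are assumptions, since the page does not show how properties are exported.

```python
# Assumption: properties arrive as a dict of strings; this is not a Kron PAM export format.
BOOLEAN_KEYS = {
    "addDeviceSshKeyToUserSelection", "addManualLoginToUserSelection",
    "addSessionUserToUserSelection", "approvalRequiredForConnection",
    "showInDeviceTree", "useAsRoleGroup", "useSudoForLinuxAuditReport",
    "addAssignedCredentialToUserSelection", "reasonRequiredForConnection",
}
# (dependent key, key it relies on, reason as read from the table)
REQUIRES = [
    ("globalPassword", "globalUsername", "it is the password of globalUsername"),
    ("globalSshKeyPassphrase", "globalSshKey", "the passphrase accompanies an SSH key"),
    ("globalEnablePassword", "globalSecretKey", "globalSecretKey is mandatory for TACACS+"),
    ("showInDeviceTree", "useAsRoleGroup", "it is used along with useAsRoleGroup"),
]


def check_device_group(props):
    """Return a sorted list of findings for one device group's properties."""
    findings = []
    for key in BOOLEAN_KEYS & props.keys():
        if props[key].strip().lower() not in ("true", "false"):
            findings.append(f"{key}: expected true or false, got {props[key]!r}")
    iface = props.get("tag.DiscoverInterfaceType", "private")  # default is private
    if iface.strip().lower() not in ("public", "private"):
        findings.append(f"tag.DiscoverInterfaceType: {iface!r} is not public or private")
    for key, needed, why in REQUIRES:
        if key in props and needed not in props:
            findings.append(f"{key}: {needed} is not defined ({why})")
    sudo = props.get("useSudoForLinuxAuditReport", "false").strip().lower() == "true"
    if sudo and "globalUsername" not in props:
        findings.append("useSudoForLinuxAuditReport: no globalUsername to run sudo as")
    # Assumption: the limit is a whole number of minutes, as the key name suggests.
    limit = props.get("sessionDurationLimitMinute")
    if limit is not None and not (limit.isdigit() and int(limit) > 0):
        findings.append(f"sessionDurationLimitMinute: {limit!r} is not a positive integer")
    return sorted(findings)

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "globalPassword": "<placeholder>",
    "globalSshKey": "<placeholder>",
    "globalSshKeyPassphrase": "<placeholder>",
    "tag.DiscoverInterfaceType": "external",
    "useSudoForLinuxAuditReport": "true",
    "approvalRequiredForConnection": "yes",
}

if __name__ == "__main__":
    print("\n".join(check_device_group(SAMPLE)))
```

Run against the constructed sample, the check reports four findings: the non-boolean approval value, the password without a username, the unknown interface type, and the sudo flag with no globalUsername.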