Can session recording be deactivated?

Hello,

I have an environment with SPP and SPS joined together (both on version 7.3). I want to record the sessions of one group of users and not record the sessions of another group of users.

Is it possible to do this?

Thank you,

Samuele

  • Hi Samuele,

    Yes, this can be controlled by SPS under the Channel Policies. You can have the first Drawing channel (for example, if this is for RDP) configured with either a Gateway Group (for SPP users) or a Remote Group (for target server accounts) and enable "record audit trail" for those users or accounts, then have a second Drawing channel where "record audit trail" is disabled. If the user or account does not match the groups defined in the first Drawing channel, it will be matched against the second channel policy, where recording is disabled.

    Here is the Admin guide section on creating and editing channel policies in SPS: 

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.3/administration-guide/57#TOPIC-2021871

    A different scenario, but the same idea, is explained in this KB article:

    https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/kb/4340316/how-do-rules-take-precedence-in-a-channel-policy

    Thanks!

  • Hi Tawfiq,

    I also have the same requirement; however, I have a further question.

    When using a gateway group (for SPP users) in a combined SPP/SPS scenario, does SPS also need to be configured with a separate gateway authentication/LDAP server to read group membership? How would it identify the group? Does SPP also pass the group to SPS, and if so, would it be the group from "User Groups" in SPP?

  • Hi Deep,

    There are two types of groups that can be used in the Channel policy:

    Gateway Group

    Remote Group 

    When using SPP-initiated sessions via SPS, the Gateway user is considered to be the one logged into SPP (the SPP user), and therefore SPS does not need to be configured with Gateway authentication. However, you would need to configure an LDAP Server policy for the group lookups, to verify whether the user is a member of the defined group.

    If you wish to restrict based on the target account logging into the target server instead, then the managed account would be considered the Remote User, and therefore the Remote Group would be checked to verify whether the remote user is a member or not.

    By default, both Gateway and Remote Groups are blank, allowing any user or target managed account through the channel, since the entitlement and authorization are handled on the SPP side. You can restrict the channels further via SPS if required, by specifying whether you need to restrict a channel by SPP user (allowed if it is a member of the defined Gateway Group) or by target managed account (allowed if it is a member of the defined Remote Group).

    Hope this helps!
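
The two answers above describe ordered channel rules (first match wins), a blank group meaning "anyone", a Gateway Group keyed on the SPP user, and a Remote Group keyed on the target managed account. The following is an added illustration of that evaluation logic, written for this page; it is not One Identity code and the rule shape is a simplified model (an assumption), not the real SPS configuration schema. The user and account group memberships are constructed data standing in for the lookups SPS would do through its LDAP Server policy. It also shows why rule order matters: placing the blank "no recording" rule first means the recording rule is never reached.

```python
"""Added example: first-match evaluation of SPS channel-policy rules.

This is NOT One Identity code. The Rule shape is a simplified model
(an assumption), not the real SPS configuration schema: each rule names a
channel, lists gateway_groups and remote_groups (empty list = any, as the
answer above states), and carries the 'audit' (record audit trail) action.
The membership tables are constructed data standing in for the LDAP
lookups SPS would perform via its LDAP Server policy.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed membership data (assumption): gateway user -> gateway groups,
# target managed account -> remote groups.
GATEWAY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"spp-recorded-users"},
    "bob": {"spp-unrecorded-users"},
}
REMOTE_GROUPS: Dict[str, Set[str]] = {
    "administrator": {"srv-admins"},
    "svc-backup": {"srv-services"},
}


@dataclass
class Rule:
    channel: str                     # e.g. "#drawing" for the RDP Drawing channel
    audit: bool                      # the "record audit trail" action
    gateway_groups: List[str] = field(default_factory=list)  # SPP user groups
    remote_groups: List[str] = field(default_factory=list)   # target account groups


def _member_of_any(have: Set[str], wanted: List[str]) -> bool:
    """A blank group list matches anyone; otherwise require one common group."""
    return not wanted or bool(have & set(wanted))


def evaluate(policy: List[Rule], channel: str,
             gateway_user: str, remote_user: str) -> Tuple[bool, bool]:
    """Walk the rules in order and return (allowed, audited) for the first
    rule matching both the channel and the group restrictions.
    No matching rule means the channel is not allowed at all."""
    gw = GATEWAY_GROUPS.get(gateway_user, set())
    rm = REMOTE_GROUPS.get(remote_user, set())
    for rule in policy:
        if rule.channel != channel:
            continue
        if (_member_of_any(gw, rule.gateway_groups)
                and _member_of_any(rm, rule.remote_groups)):
            return True, rule.audit
    return False, False


# The policy from the first answer: rule 1 records the Drawing channel for
# SPP users in a named Gateway Group, rule 2 lets everyone else through
# without recording.
RECORD_SOME_USERS = [
    Rule("#drawing", audit=True, gateway_groups=["spp-recorded-users"]),
    Rule("#drawing", audit=False),
]

# Same two rules with the blank one first: it matches everyone, so the
# recording rule is never reached and nobody is recorded.
WRONG_ORDER = list(reversed(RECORD_SOME_USERS))

# Variant keyed on the target managed account (Remote Group) instead.
RECORD_SOME_ACCOUNTS = [
    Rule("#drawing", audit=True, remote_groups=["srv-admins"]),
    Rule("#drawing", audit=False),
]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, evaluate(RECORD_SOME_USERS, "#drawing", who, "administrator"))
    print("wrong order, alice:", evaluate(WRONG_ORDER, "#drawing", "alice", "administrator"))
    print("svc-backup via Remote Group:",
          evaluate(RECORD_SOME_ACCOUNTS, "#drawing", "alice", "svc-backup"))
```

When reproducing this in SPS itself, keep the restrictive (recording) rule above the blank catch-all rule, and remember that a session whose user or account matches no rule for a channel gets that channel denied rather than silently unrecorded.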