Available Fields for Additional Functionality

Custom Fields Added to Record Types for Enhanced Functionality.

This article lists all the custom fields that can be added to specific Record Types to enable additional functionality in PAM.

Note that these fields cannot be used with all record types, so please be sure to read the description of each before adding them to your PAM instance.

Please see our Creating New Fields article for information about how to create fields in PAM record types.

AD Query

  • Description: Used to define a standard LDAP query against the host in order to execute tasks against the query results. More information can be found in our Host Queries for Mass Script Execution article.

  • Field Type: String

  • Name: ADQuery

  • Display Name: AD Query

  • Example: (&(objectclass=computer)(objectcategory=computer)(cn=DEV*))

Agent Forwarding (SSH)

  • Description: Can be added to the Unix Host with Key, Unix Host with Private Key or inherited record types to enable connecting to the destination server through one or more bastion hosts using the same public and private key pair managed in the system vault.

  • Field Type: Checkbox

  • Name: AgentForwarding

  • Display Name: Agent Forwarding

  • Example: Enabled/Checked to enable SSH Agent Forwarding on this record.

Allowed Hosts

  • Description: Holds a comma-separated list of white-listed hosts or host:port combinations. The field white-lists Forward SSH Tunnel destinations for SSH records, restricting access to anything outside of the white-listed hosts. The field also white-lists HTTP Proxy destinations for injecting credentials into SSO-based WEB Portals.

  • Field Type: Text

  • Name: AllowedHosts

  • Display Name: Allowed Hosts

Allowed Resolved Hosts

  • Description: Holds a comma-separated list of white-listed hosts, IPs, or IP ranges (from-to or IP/bits). The field white-lists the user-provided destination when connecting to records defined with an empty host, blocking access to all targets outside of the specified access rules.

  • Field Type: Text

  • Name: AllowedResolvedHosts

  • Display Name: Allowed Resolved Hosts
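The matching that such a list implies, written out as an added example (this is not the product's own code). It assumes that host names are compared literally without DNS resolution and that a destination matching no rule is refused; the function names and the sample value are constructed for illustration.

```python
import ipaddress


def parse_rule(entry):
    """Turn one list entry into a (kind, value) rule."""
    if "/" in entry:  # IP/bits; malformed input raises ValueError
        return ("net", ipaddress.ip_network(entry, strict=False))
    if "-" in entry:  # from-to, unless it is a host name containing a hyphen
        low, _, high = entry.partition("-")
        try:
            lo = ipaddress.ip_address(low.strip())
            hi = ipaddress.ip_address(high.strip())
        except ValueError:
            pass  # not two IP addresses: fall through and treat as a name
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad IP range: {entry!r}")
            return ("range", (lo, hi))
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        return ("host", entry.lower().rstrip("."))


def parse_allowed_resolved_hosts(field_value):
    """Parse the comma-separated field value into a list of rules."""
    return [parse_rule(e.strip()) for e in field_value.split(",") if e.strip()]


def is_allowed(destination, rules):
    """Return True only if the user-provided destination matches a rule."""
    dest = destination.strip()
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Assumption: host names are compared literally, without DNS lookups.
        name = dest.lower().rstrip(".")
        return any(kind == "host" and value == name for kind, value in rules)
    for kind, value in rules:
        if kind == "ip" and value == addr:
            return True
        if kind == "net" and addr in value:
            return True
        if (kind == "range" and value[0].version == addr.version
                and value[0] <= addr <= value[1]):
            return True
    return False  # no rule matched, so the destination is refused


# Constructed sample value for the AllowedResolvedHosts field.
SAMPLE_FIELD = ("10.0.5.0/24, 192.168.1.10-192.168.1.20, "
                "db-01.example.internal, 172.16.0.9")
SAMPLE_RULES = parse_allowed_resolved_hosts(SAMPLE_FIELD)

if __name__ == "__main__":
    for dest in ("10.0.5.77", "192.168.1.21", "DB-01.example.internal", "10.0.6.1"):
        verdict = "allow" if is_allowed(dest, SAMPLE_RULES) else "deny"
        print(f"{dest:26} {verdict}")
```

A hyphen is only read as a from-to range when both sides parse as IP addresses, so a host name such as db-01.example.internal stays a host rule.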

Audio

  • Description: The default system deployment disables audio for WEB RDP Sessions unless it is enabled globally using the system parameter xtam.session.web.audio=true. The record-level parameter Audio allows record owners to enable or disable audio in WEB RDP Sessions for individual records or for all records in the record type.

  • Field Type: Choice

  • Name: Audio

  • Display Name: Audio

  • Values: Enabled, Disabled

Clipboard Transfer Control

  • Description: Used to override the global Session Clipboard Transfer parameter (Administration > Settings > Parameters > Session Clipboard Transfer) on individual records.

  • Field Type: Choice

  • Name: ClipboardTransfer

  • Display Name: Clipboard Transfer Control

  • Values: Use Global, Enabled, Disabled

  • Example: Use Global or no selection to use the globally defined configuration for sessions connected with this record; Enabled to override the globally defined configuration and allow Clipboard Transfers for sessions connected with this record; or Disabled to override the globally defined configuration and disallow Clipboard Transfers for sessions connected with this record.

Command

  • Description: Can be added to an SSH-based record type to execute a specific command upon login. Used in conjunction with the Command Password field to authenticate the command. More information can be found in our Automatic Command Execution During SSH Login article.

  • Field Type: String

  • Name: Command

  • Display Name: Remote Command

  • Example: mysql -u admin -p -h 10.0.0.33 Master to connect using the MySQL client.

Command Password

  • Description: If the Command field above requires a password, enter this password to authorize that command.

  • Field Type: String

  • Name: CommandPassword

  • Display Name: Command Password

  • Secured: Enabled/Checked

  • Example: The password for -u admin in the previous Command field.

Connection

  • Description: Used to define a complete connection string for Oracle RDBMS connections.

  • Field Type: String

  • Name: Connection

  • Display Name: Connection

  • Example: host:1521:SID

Console

  • Description: Used to connect to the RDP console session (Windows Server 2003) when the record has the Console field set to true (checked).

  • Field Type: Checkbox

  • Name: Console

  • Display Name: Console

  • Example: Enabled/Checked to connect to the RDP console session.

Enable Level

  • Description: Used to define the Enable level when switching to Cisco’s Enable mode after login.

  • Field Type: Number

  • Name: EnableLevel

  • Display Name: Enable Level

  • Example: 15

Enable Password

  • Description: Used to define the Enable password when switching to Cisco’s Enable mode after login.

  • Field Type: String

  • Name: EnablePassword

  • Display Name: Enable Password

  • Secured: Enabled/Checked

  • Example: yourPassword

Enabled

  • Description: Used to define which Remote Application Host record is enabled for operations.

  • Field Type: Checkbox

  • Name: Enabled

  • Display Name: Enabled

  • Example: Enabled/Checked to enable for operations, Disabled/Unchecked to disable for operations.

Enable WinRM SSL

  • Description: Used to enable SSL connection for WinRM script execution on Windows computers.

  • Field Type: Checkbox

  • Name: EnabledSSL

  • Display Name: Enabled SSL

  • Example: Checked to enable, Unchecked to disable.

Exclusive Session

  • Description: Used to designate certain records for exclusive access instead of enforcing exclusive access globally.

  • Field Type: Choice

  • Name: ExclusiveSession

  • Display Name: Exclusive Session

  • Example: Enabled/Disabled, Use Global

File Transfer Control

  • Description: Used to override the global Session File Transfer parameter (Administration > Settings > Parameters > Session File Transfer) on individual records.

  • Field Type: Choice

  • Name: FileTransfer

  • Display Name: File Transfer Control

  • Values: Use Global, Enabled, Disabled

  • Example: Use Global or no selection to use the globally defined configuration for sessions connected with this record; Enabled to override the globally defined configuration and allow File Transfers for sessions connected with this record; or Disabled to override the globally defined configuration and disallow File Transfers for sessions connected with this record.

File Transfer Disabled

  • Description: Used to disable a request for the file transfer protocol (SFTP) during Unix sessions.

  • Field Type: Checkbox

  • Name: FileTransferDisabled

  • Display Name: File Transfer Disabled

  • Example: Enabled/Checked to disable request for SFTP.

Filter

  • Description: Used to define a comma-separated list of record types served by the specific Remote Application Host record.

  • Field Type: String

  • Name: Filter

  • Display Name: Filter

  • Example: MySQL Workbench, MS SQL Studio to enable only these record types to operate with this Remote Application Host.

Font Smoothing

  • Description: Used, on a record level, to enable smoother font rendering during Windows connections at the expense of increased network traffic. Font Smoothing can also be enabled on a global or user preference level, but this configuration will take precedence over those settings.

  • Field Type: Choice

  • Name: FontSmoothing

  • Display Name: Font Smoothing

  • Values: enabled, disabled

  • Example: enabled to force font smoothing, disabled to allow for the global or user preference setting to be used.

Glyph Caching

  • Description: In addition to screen regions, RDP maintains caches of frequently used symbols or fonts, collectively known as "glyphs." Certain known bugs in RDP implementations can cause performance issues when this is enabled (older versions such as Windows Server 2008 are a typical example). Setting this parameter to Disabled will disable glyph caching in the WEB RDP session for this record.

  • Field Type: Choice

  • Name: GlyphCaching

  • Display Name: Glyph Caching

  • Values: Enabled, Disabled

Host Name DNS

  • Description: Used to verify that the remote Windows host name matches the host name on the record before executing any script on the remote computer, in order to detect a misconfigured or attacked name resolution service. Checking the field disables host verification for the specific record.

  • Field Type: Checkbox

  • Name: HostNameDNS

  • Display Name: Host Name DNS

  • Example: Unchecked to enable, Checked to disable.

Hosts

  • Description: Holds a comma-separated list of white-listed hosts or host:port combinations. When the list of allowed hosts is defined for the record, the Connect action prompts for a host selection to resolve the host to connect to with the credentials on the record. The option facilitates an account-centric approach to managing domain accounts shared among multiple destination endpoints.

  • Field Type: Text

  • Name: Hosts

  • Display Name: Hosts

Key Size

  • Description: Used to specify the size of the key generated for Unix public key rotation.

  • Field Type: Choice

  • Name: KeySize

  • Display Name: Key Size

  • Values: 1024, 2048, 4096, 8192

  • Example: 4096

Minimum Password Age

  • Description: Used to define the Minimum Password Age in days so that the system shifts the scheduled date of the Password Reset job when the job is executed before the endpoint system allows the password to be changed. Note that this field still allows execution of the password set job using a shadow account to force-rotate the password.

  • Field Type: Number

  • Name: MinPasswordAge

  • Display Name: Minimum Password Age

Override Session Manager

  • Description: Used with the value orap://session-manager-host:port to override the default session manager detected from the proximity groups configuration. For example, use the value orap://localhost:4822 to indicate that the local session manager should be used when connecting to this record using the Oracle SQL Proxy protocol, while the default proximity groups configuration is still used for other protocols.

  • Field Type: String

  • Name: OverrideSessionManager

  • Display Name: Override Session Manager

  • Values: orap://session-manager-host:port

Password Attribute

  • Description: Used to configure a custom password attribute to support password reset for non-OpenLDAP compliant user directories. Use this custom field PasswordAttribute in an LDAP Server record type to define the LDAP password attribute relevant to this specific user directory server. More information can be found in our OpenLDAP Automated Password Reset article.

  • Field Type: String

  • Name: PasswordAttribute

  • Display Name: Password Attribute

  • Example: Your non-OpenLDAP password attribute value other than the expected userPassword

Platform

  • Description: Used to define the Remote Application Host platform; Windows RDS or TSPlus.

  • Field Type: Choice

  • Name: Platform

  • Display Name: Platform

  • Values: Windows RDS, TSPlus

  • Example: Windows RDS

Prologue

  • Description: Used to send a sequence into the remote device at the start of the connection.

    Optionally, use the following placeholders in the Prologue field to pass session metadata to the endpoint servers:

    {USER} - User on record

    {PASSWORD} - Password on record

    {LOGIN} - Current system user accessing the endpoint server through the session

    {SESSION} - Artificial Connection ID to correlate with the system Sessions report

    {VNCPASSWORD} - VNC password if {PASSWORD} is used to unlock screen saver in VNC sessions

  • Field Type: String

  • Name: Prologue

  • Display Name: Prologue

  • Example: dbaccess life to execute this command to access an Informix database immediately after a successful connection.

Remote App

  • Description: Used to define the name of the remote application to start on the remote RDS Server.

  • Field Type: String

  • Name: RemoteApp

  • Display Name: Remote App

Remote App Arguments

  • Description: Used to define optional parameters of the remote application provided by the RemoteApp field.

  • Field Type: String

  • Name: RemoteAppArgs

  • Display Name: Remote App Arguments

Remote App Directory

  • Description: Used to define the initial folder in which to launch the remote application provided by the RemoteApp field.

  • Field Type: String

  • Name: RemoteAppDir

  • Display Name: Remote App Directory

Resize On Connect Delay

  • Description: Used to disable the screen resize and keep the initial default screen size.

  • Field Type: String

  • Name: ResizeOnConnectDelay

  • Display Name: Resize On Connect Delay

  • Example: -1 to disable the resize.

Screen Size

  • Description: Used to control the screen size for SSH and Telnet sessions that target blocked graphical applications on remote Unix systems which require a fixed screen size for optimal performance. It defines the target screen resolution and is provided in the format WIDTHxHEIGHT in pixels for sizes larger than 320x200, or COLSxROWS in characters for sizes smaller than 320x200.

  • Field Type: String

  • Name: ScreenSize

  • Display Name: Screen Size

  • Example: 1024x768 in pixels or 80x24 in characters.

Self Check Status

  • Description: Used to enable the Check Status task to validate the record credentials when the task is configured with a Shadow Account. When enabled, Check Status will validate the record credentials when a Shadow Account is present, but it does require that these record credentials have permission on the host to execute the script.

  • Field Type: Checkbox

  • Name: SelfCheckStatus

  • Display Name: Self Check Status

  • Example: Checked to enable, Unchecked to disable.

Service

  • Description: Service or SID name for Oracle RDBMS connections, used in combination with Host and Port to build a connection string. A Service value that does not start with / or : is treated as a service. A value may start with / to be treated as a service, or with : to be treated as an SID.

  • Field Type: String

  • Name: Service

  • Display Name: Service

  • Example: xtam

Service Port

  • Description: This parameter defines a custom port for password reset and job execution for the Windows Remote PowerShell strategy using WinRM protocol by specifying the port number in the record type. Default port value is 5985.

  • Field Type: Number

  • Name: ServicePort

  • Display Name: Service Port

  • Example: 1234

SFTP

  • Description: Defines the protocol type to transfer files to and from the WEB RDP session. The default method to transfer files is to use the RDP Drive Redirection feature of the RDP protocol. With the SFTP field enabled, the WEB RDP session uses SFTP protocol to transfer files. The SFTP file transfer will use the same user and password as defined in the record.

  • Note that for the SFTP option to work the remote server has to have SFTP server deployed and configured.

  • Field Type: Choice

  • Name: SFTP

  • Display Name: SFTP

  • Values: Enabled, Disabled

SSH Channels

  • Description: Overrides, on the record level, the system-wide channel configuration available in SSH Proxy through the global parameter SSH Proxy Allowed Channels.

  • Supported channels are:

    shell - Allow shell connection

    exec - Allow remote command execution including scp transfer

    sftp - Allow file transfer using SFTP protocol

    tunnel - Allow SSH tunnels over SSH Proxy

    There are two scenarios to override channel settings:

    1. List the channels allowed for the current record. This value allows only the shell and exec channels to open: shell, exec
    2. Use the system defaults but add or remove specific channels. This value uses the setting from the system parameter but allows the sftp channel and denies the tunnel channel: +sftp,-tunnel

  • Field Type: String

  • Name: SshChannels

  • Display Name: SSH Channels

  • Example: +sftp,-tunnel
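The two override scenarios above, resolved against a global setting, as an added example (not the product's own code) that also reports which records open channels beyond the global configuration. The function names and sample data are constructed, and refusing values that mix plain and +/- entries is an assumption, since the page does not define that case.

```python
SUPPORTED = {"shell", "exec", "sftp", "tunnel"}  # channel names from the page


def effective_channels(global_allowed, record_value):
    """Resolve the channels a record allows, given the global setting."""
    base = set(global_allowed)
    tokens = [t.strip().lower() for t in (record_value or "").split(",")
              if t.strip()]
    if not tokens:
        return base  # field empty: the system-wide configuration applies
    signed = [t for t in tokens if t[0] in "+-"]
    if signed and len(signed) != len(tokens):
        # Assumption: the page does not define mixed values, so refuse them.
        raise ValueError(f"mixed explicit and +/- entries: {record_value!r}")
    unknown = {t.lstrip("+-") for t in tokens} - SUPPORTED
    if unknown:
        raise ValueError(f"unsupported channel(s): {sorted(unknown)}")
    if not signed:
        return set(tokens)  # scenario 1: the list replaces the defaults
    result = set(base)  # scenario 2: start from the system defaults
    for token in tokens:
        if token[0] == "+":
            result.add(token[1:])
        else:
            result.discard(token[1:])
    return result


def widened_records(global_allowed, records):
    """Map record name -> channels it opens beyond the global setting."""
    report = {}
    for name, value in records.items():
        extra = effective_channels(global_allowed, value) - set(global_allowed)
        if extra:
            report[name] = sorted(extra)
    return report


# Constructed sample data: a global setting and three SshChannels values.
GLOBAL_ALLOWED = {"shell", "exec", "tunnel"}
RECORDS = {
    "build-host": "shell, exec",
    "file-drop": "+sftp,-tunnel",
    "jump-box": "",
}

if __name__ == "__main__":
    for name, value in RECORDS.items():
        print(name, sorted(effective_channels(GLOBAL_ALLOWED, value)))
    print("widened:", widened_records(GLOBAL_ALLOWED, RECORDS))
```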

SSH Connector Type

  • Description: Used to override the global SSH Connector Type parameter, switching between the default (Jsch Connector) and extended (SSHD Connector) provider used to execute all SSH and Interactive SSH jobs in the system. The SSHD Connector provider includes extended cryptography algorithms to support job execution on a different set of devices.

  • Field Type: Choice

  • Name: SSHConnectorType

  • Display Name: SSH Connector Type

  • Values: Jsch Connector, SSHD Connector

Telnet Login Prompt Detection Regular Expression

  • Description: Used to customize the login prompt expected during Telnet authentication. The Telnet protocol does not specify an authentication procedure. While PAM supports many typical authentication procedures, there is an option to customize the expected login and password prompts for atypical implementations using the UserRegex and PasswordRegex fields.

  • Field Type: String

  • Name: UserRegex

  • Display Name: User Regex

  • Example: (.*)username$

Telnet Password Prompt Detection Regular Expression

  • Description: Used to customize the password prompt expected during Telnet authentication. The Telnet protocol does not specify an authentication procedure. While PAM supports many typical authentication procedures, there is an option to customize the expected login and password prompts for atypical implementations using the UserRegex and PasswordRegex fields.

  • Field Type: String

  • Name: PasswordRegex

  • Display Name: Password Regex

  • Example: (.*)secret(.*)

Terminal

  • Description: This parameter sets the terminal emulator type string that is passed to the SSH server. This parameter is optional and if not specified, “linux” is used as the terminal emulator type by default. Examples of terminal strings include VT52, VT100, VT220, VT320, xterm and ANSI.

  • Field Type: String or Choice

  • Name: Terminal

  • Display Name: Terminal

  • Values: Enter a list of terminal emulator strings that can be selected by the record creator or editors.

  • Example: VT100

Traffic Interceptor Hints

  • Description: Used to define one or more non-standard ports for capturing SQL traffic when a PAM SSH Tunnel is being used. The hint is a comma-, space- or semicolon-separated list of protocols and ports that should be recorded.

  • Field Type: String

  • Name: TrafficIntercepterHints or TrafficInterceptorHints

  • Display Name: Traffic Intercepter Hints or Traffic Interceptor Hints

  • Example: mssql:1444 mysql:3333

Transport Security

  • Description: Used to select a specific transport security level for RDP connections.

  • Field Type: Choice

  • Name: TransportSecurity

  • Display Name: Transport Security

  • Values: rdp, nla, tls, any

  • Example: Select tls from the Transport Security dropdown menu to establish the RDP connection using tls.

Trust WinRM Server certificate

  • Description: Disables the check of the remote WinRM server certificate when executing PowerShell scripts over a secure channel using the EnableSSL option.

  • Field Type: Checkbox

  • Name: TrustCertificate

  • Display Name: Trust Certificate

  • Example: Checked to enable (the server certificate is not checked), Unchecked to disable.

Trust WinRM Server host

  • Description: Disables the check of the remote WinRM server host match when executing PowerShell scripts over a secure channel using the EnableSSL option.

  • Field Type: Checkbox

  • Name: TrustHost

  • Display Name: Trust Host

  • Example: Checked to enable (the server host match is not checked), Unchecked to disable.

VNC Password

  • Description: Used to define a VNC Host password, which enables referencing an unlock user password or the OS user from the other record. PAM is able to unlock the user session using the account password on the record to present a high-trust login to the actual user desktop through the VNC protocol.

  • Field Type: String

  • Name: VNCPassword

  • Display Name: VNC Password

  • Secured: Enabled/Checked

  • Example: yourVNCpassword

Windows Theme (RDP in-browser sessions)

  • Description: Used to define whether the Windows Theme of the destination server will be enabled during in-browser sessions. Windows Theme is disabled by default for performance considerations.

  • Field Type: Choice

  • Name: Theming

  • Display Name: Theming

  • Values: Disabled, Enabled

  • Example: Enabled

Windows Wallpaper (RDP in-browser sessions)

  • Description: Used to define whether the Windows Wallpaper of the destination server will be displayed during in-browser sessions. Windows Wallpaper is disabled by default for performance considerations.

  • Field Type: Choice

  • Name: Wallpaper

  • Display Name: Wallpaper

  • Values: Disabled, Enabled

  • Example: Enabled