18.3.1. Procedure – Configuring four-eyes authorization

Purpose: 

To require four-eyes authorization for a connection, complete the following steps.

Steps: 

  1. Navigate to the Connections page of the traffic (for example to SSH Control > Connections), and select the connection policy to modify.

  2. Figure 18.5. <Protocol name> Control > Connections > Access Control — Configuring four-eyes authorization

    <Protocol name> Control > Connections > Access Control — Configuring four-eyes authorization

    Navigate to Access Control and click .

  3. Enter the name of the usergroup whose members are permitted to authorize the sessions of the connection policy into the Authorizer field. This group must exist on the AAA > Group Management page. For details on creating and managing usergroups, see Section 5.7, Managing user rights and usergroups.

    Warning

    Usernames, the names of user lists, and the names of usergroups are case sensitive.

  4. By default, the authorizer can authorize any session of the connection policy.

    If the authorizer is permitted to authorize only the sessions of a certain usergroup, select Subject > Only, and enter the name of the userlist whose sessions the authorizer can authorize. If you use four-eyes authorization without gateway authentication, you can specify an LDAP group instead of a userlist.

    Warning

    Usernames, the names of user lists, and the names of usergroups are case sensitive.

    Warning

    If gateway authentication and four-eyes authorization is used together in a connection policy, the usergroup of the gateway username must be specified, not the group of the remote username. The specified group must be a local or LDAP group.

  5. Set the permissions of the usergroup set in the Authorizer field.

    • If the Authorizer group can authorize (that is, enable) and audit (that is, monitor in real-time and download the audit trails) the sessions, select Permission > Audit&Authorize.

    • If the Authorizer group can only authorize (that is, enable) the sessions, select Permission > Authorize.

      Note

      This option is not valid for HTTP connections.

    • If the Authorizer group can only audit (that is, monitor in real-time and download the audit trails) the sessions, select Permission > Audit.

    Note

    If the Subject > Only field is set, the auditor can only monitor the sessions of the specified usergroup. However, if Subject > Only field is set, the Auditor cannot access the Search page. To avoid this problem, add another Access Control rule for the Authorizer without setting the Subject field.

    The admin user of PSM can audit and authorize every connection.

  6. To ensure that the client and the authorizer use different IP addresses and thus prevent self-authorization, enable Require different IP. If this is enabled, and the client and the authorizer do not have different IP addresses, it disables all actions for the connection and the four-eyes authorization, until they have different IP addresses.

  7. To ensure that the client and the authorizer use different usernames and thus prevent self-authorization, enable Require different Username. If this is enabled, and the client and the authorizer do not have different usernames, it disables all actions for the connection and the four-eyes authorization, until they have different usernames.

  8. Repeat steps 2-6 to add other authorizers or usergroups if needed.

  9. Click .

  10. Navigate to the Channel Policies page of the traffic (for example to SSH Control > Channel Policies), and select the channel policy used in the connection.

    Figure 18.6. <Protocol name> Control > Channel Policies — Configuring four-eyes authorization in the channel policy

    <Protocol name> Control > Channel Policies — Configuring four-eyes authorization in the channel policy
  11. Enable the Four-eyes option for the channels which should be accessed only using four-eyes authorization.

    Note

    If a connection uses secondary channels that require four-eyes authorization — for example, a Remote Desktop connection allows a Drawing channel but requires four-eyes authorization for a Disk redirection channel — the connection is locked until the authorizer accepts the channel on the Four-Eyes page of PSM, or the four-eyes request times out. During this time, the client application can become nonresponsive, for example, display the graphical desktop but not react to mouse clicks.

    Note

    In Citrix ICA connections, four-eyes authorization is required before the user logs in to the destination server. To request four-eyes authorization only after the log in, when the server-side username is already known, select the Perform 4 eyes after user login option.

  12. Click . After that, users accessing connections using the modified channel policy must be authorized as described in Procedure 18.3.2, Performing four-eyes authorization on PSM.

  13. Optional step: If you want to provide a limited PSM web interface to your users that can be used only for gateway authentication and 4-eyes authorization, set up a dedicated user-only web login address. For details, see Procedure 4.3.1, Configuring user and administrator login addresses.