How to disable non-admin users from accessing a device if session recording is not enabled

Document ID : KB000116841
Last Modified Date : 03/10/2018
Issue:
In my cluster environment it is mandatory that non-administrative users get all their actions recorded.

To achieve this, I have defined, in the policy for a given user and device, the setting to have his activity recorded.

However, in one of my nodes there is no share configured for Session Recording, even though I have configured the setting to give an error and deny access if recording is not possible.

However, when I access the devices from this node as the user for which I have defined this policy, I have no problem: access is not denied and I can log in normally to the target machine.

Why is this so, and what can be done to solve it?

Environment:
CA PAM all versions
Cause:
Since no share is defined in the External Storage section of the Session Recording setting under Configuration, PAM treats the setting as not configured and assumes that no session recording needs to be enforced for this connection. It therefore allows the connection to go through rather than denying it.
Resolution:
The NFS mount will only work when the NFS settings are defined. The way to get them defined is to configure them, mount the NFS share and then unmount it.

If what we want is to deny access when there is no mount point defined, we need to do the following:
  1. Choose a provisional external NFS share which we can use (it will only be used to initialize the option, so it need not be dedicated or large).
  2. Mount the NFS share on the node.
  3. Once the NFS share is mounted, the settings in the Session Recording tab can be modified.
  4. Select all the required settings, click Update and then unmount the provisional NFS share.
  5. As a result, the settings in the Session Recording tab will now be greyed out and PAM will consider the option active for this node. Any attempt to launch remote access to a device from this node will result in an access denied message.