Managing security settings
From the Security tab of the Global Settings > System Variables page, you can define the following default security settings of your system:
Create Default System Administrator
The value in this field defines if system authentication is used for logon. If the value set is
|Account Locking Attempts||The value in this field defines the number of failed sign-in attempts that will lock an administrator account. You can choose a value between 1 and 20.|
|Account Automatically Unlocked (min)||The value in this field defines the time in minutes beyond which an administrator account will be unlocked without any manual intervention. You can choose a value between 1 and 60.|
Display Hidden Devices in the Topology Graph
This parameter defines, if users without read access rights to the master or relays can view their devices in the topology graph. By default this option is set to
Maintain Administrators at Directory Server Synchronization
This parameter defines if administrators are also removed from synchronized groups during resynchronization. Normally, if an administrator is removed from his AD group it will also be removed from his CM group during the next synchronization. However, if the capabilities or access rights of this administrator are transferred via the administrator group, this might cause a number of problems, if the administrator in question is assigned as a populator for groups for example, causing the groups to "depopulate" and if operational rules are assigned to this group, they will be unassigned from the devices of the group.
Disable all administrators that are not a member of any group at a directory server synchronization
As administrators might have functionalities that are to be transferred to other administrators when they are deleted, such as being a populator, it is not possible to automatically delete administrators if they no longer belong to any group. This option allows however, to disable the administrators that are not a member of any administrator group to distinguish them. By default this option is deactivated.
Allow Object Assignments to Unknown Device
If this option is activated devices unknown to the BCM database can be assigned to the available objects, that is, operational rules, transfer windows, and so on. In this case the unknown device displays the Assigned Objects node in addition to the Inventory and Events nodes. After the device becomes known to the database it will synchronize all assigned objects and thus be operational automatically. By default this option is not activated.
Block Access to MyApps
This option deactivates the access to the application kiosk MyApps of the browser agent interface. If it is activated neither user nor administrator can access this page.
Authorize Deprecation of Relays
Check this box to allow the deprecation of relays even though it still is the parent to other devices. In this case the relay will be moved to Lost and Found from where it can be deleted and its former children will be removed from the Topology view but they can still be displayed via their device groups.
Request System Credentials for Windows Remote Access
Check this box to force the use of credentials when directly accessing Windows devices. In this case you is required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.
Request System Credentials for Linux Remote Access
Check this box to force the use of credentials when directly accessing Linux devices. In this case you is required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.
Request System Credentials for Mac OS Remote Access
Check this box to force the use of credentials when directly accessing MAC OS devices. In this case you is required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.
Remote Access Acknowledgement Timeout (sec)
This parameter defines the timeout in seconds after within which the remote user can allow remote access request to an administrator. If the timeout is reached the administrator is informed that the remote user did not respond within the time allowed for the direct access or remote control request.If the value is set to zero, the timeout functionality is disabled.
|Lock the new installed agent services||Check this box to lock the newly installed agent services.|
|Service Unlock Password||Enter the service unlock password.|
Defines the security level used by the BCM agents. The following options are available:
Starting from BCM version 12.7 and later— Activates AES encryption instead of the legacy bespoke cryptography, which is no longer considered safe. When changing this for existing deployments, asset discovery scans and SCAP jobs will not be compatible with BCM agents earlier than version 12.7.
Before BCM version 12.7 — Use the legacy bespoke cryptography.