BigFix Remote Control disable video play (not recording)

Hi all,

Is there any way to disable video play for specific user groups or users? For example, I want to disable video play authority for default users. (Or I want to disable video play for 1-2 users.)

Hi swiars,

Are you referring to the session recordings?

Note that only the built-in administrator user can see all the session history.
The normal user or LDAP user can only access their own session histories and recordings.

Regards,

Hi, swiars

I noticed the “(not recording)” in the title only now.

If you are referring to the visibility of the remote screen you can disable the following sessions for a specific UserGroup → TargetGroup pair:

Select a user group from the list then click on “Manage Permissions”


Select the target group and tick the checkbox “Enabled?” to handle the policies.

Disable the session modes “Monitor”, “Guidance” and “Active”

Don’t forget to click on “Submit”.

Hi f.pezzotti,

I am referring to session recordings. I opened a case for this situation. Normal users can only play their own sessions. That is good for me. But it would be nice to be able to completely disable this setting.

And *trc files are not encrypted on the Remote Control server. I know that we can restrict these *trc files from non-admin server users. And there is an internal conversation continuing on the Remote Control support side. This conversation is about PCI DSS.

Note that if you don’t set the property search.session.history.auth to A in the server configuration (Edit properties files -> trc.properties) then the users can still search and list all the sessions performed by any user (but they don’t have access to the detailed information anyway).

If you want to completely disable session recording visibility to normal users you can create a security filter in Liberty as described here:

https://www.ibm.com/support/knowledgecenter/en/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_quickstart.html

Add the following feature to the file server.xml:

<feature>appSecurity-2.0</feature>

Put this security constraint into the file /wlp/usr/servers/trcserver/apps/TRCAPP.ear/trc.war/WEB-INF/web.xml

<security-constraint>
	<web-resource-collection>
		<!-- web-resource-name is required by the web.xml schema; the value is a free-form label -->
		<web-resource-name>playRecording</web-resource-name>
		<url-pattern>/playRecording.do</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>admin_role</role-name>
	</auth-constraint>
</security-constraint>
<security-role>
	<role-name>admin_role</role-name>
</security-role>

Then in the file application.xml you can define the user and the related role as specified in step 5 of the guide. The user can be defined like this:

<quickStartSecurity userName="admin" userPassword="admin"/>

The role can be bound like this:

<application-bnd>
	<security-role name="admin_role">
		<user name="admin" />
	</security-role>
</application-bnd>

NOTE: Put the application-bnd section inside the following tag:

<application context-root="/trc" type="ear" id="trcserver" location="TRCAPP.ear"
	name="trcserver" autoStart="true">

Restart the server service upon completion.
In this way only a specific user (defined in the Liberty configuration) can access this specific URL. The RC users can see the details of their own sessions, but as soon as the link “Play the recording of this session” is clicked an authentication prompt is displayed.

NOTE: The user defined here has nothing to do with the users defined in the RC application.

If you want to encrypt the password in the file application.xml you can follow the instructions here:

https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/rwlp_command_securityutil.html

Basically you need to generate the encrypted password by running the command:

wlp\bin\securityUtility encode

Then copy the encrypted password into the file application.xml and restart the server service.

2 Likes
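An added example, not part of the thread and not BigFix or Liberty code: a Python audit of the configuration described in the post above (the `/playRecording.do` constraint in web.xml, the role binding and password in application.xml, and `search.session.history.auth` in trc.properties). The function names and sample strings are constructed for illustration; the `http-method` check and the `{xor}`/`{aes}`/`{hash}` prefixes written by `securityUtility encode` go beyond what the post states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the snippets in the post.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
<url-pattern>/playRecording.do</url-pattern></web-resource-collection>
<auth-constraint><role-name>admin_role</role-name></auth-constraint>
</security-constraint></web-app>"""
APP_XML = """<server><quickStartSecurity userName="admin" userPassword="admin"/>
<application id="trcserver"><application-bnd><security-role name="admin_role">
<user name="admin"/></security-role></application-bnd></application></server>"""
TRC_PROPS = "# constructed: search.session.history.auth is not set\n"

def find_all(root, name):
    """Find descendants by local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(root, name):
    return {(e.text or "").strip() for e in find_all(root, name)}

def audit(web_xml, app_xml, trc_props, url="/playRecording.do"):
    """Return a list of findings; an empty list means every check passed."""
    findings, roles = [], set()
    web, app = ET.fromstring(web_xml), ET.fromstring(app_xml)
    # 1. A security-constraint must cover the URL and require a role.
    for sc in find_all(web, "security-constraint"):
        if url in texts(sc, "url-pattern"):
            for ac in find_all(sc, "auth-constraint"):
                roles |= texts(ac, "role-name")
            if find_all(sc, "http-method"):
                findings.append("web.xml: http-method listed, other methods are unprotected")
    if not roles:
        findings.append(f"web.xml: no auth-constraint protects {url}")
    # 2. Every required role must be bound to a user in <application-bnd>.
    bound = {sr.get("name") for bnd in find_all(app, "application-bnd")
             for sr in find_all(bnd, "security-role") if find_all(sr, "user")}
    findings += [f"application.xml: role {r} is bound to no user" for r in sorted(roles - bound)]
    # 3. The password should be securityUtility output, not clear text.
    for q in find_all(app, "quickStartSecurity"):
        if not re.match(r"\{(xor|aes|hash)\}", q.get("userPassword", "")):
            findings.append("application.xml: userPassword is clear text")
    # 4. search.session.history.auth must be A to limit history searches.
    props = {k.strip(): v.strip() for k, _, v in
             (l.partition("=") for l in trc_props.splitlines()) if not k.lstrip().startswith("#")}
    if props.get("search.session.history.auth") != "A":
        findings.append("trc.properties: search.session.history.auth is not A")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, APP_XML, TRC_PROPS)))
```

When running it against real files, read them in binary mode (`open(path, "rb").read()`) for the two XML inputs so an XML declaration with an encoding is accepted.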

Thank you f.pezzotti. I will check the security filter later.

Is there any way to encrypt *.trc files which are on the RC Server? (I mean --> C:\Program Files (x86)\IBM\Tivoli\TRC\server\rc_recording)

Hi swiars,

Unfortunately RC doesn’t support encryption for the recording files. However keep in mind that the files are stored only on the server and only authorized users should have access to such directories/files (otherwise the machine is already compromised). The only way to obtain the recordings for a user who doesn’t have access to the original file is by using the server Web interface and in order to do that the user must be registered and authenticated to play the recordings. Furthermore no files are downloaded or cached when the recordings are played because the content is streamed from the server (all tmp files are removed as soon as the player is closed) and the communication between the RC Player and the server is secured with HTTPS.

I believe that enabling file system encryption (e.g. Windows BitLocker, Linux LUKS, macOS FileVault, etc.) and taking care of both the users who have access to the server machine and the RC server users' permissions should be enough.

1 Like