4.3.4. Global Console Global Settings

The Global Console supports its own Global Settings dialog, not to be confused with the Site-specific Global Settings available in the Web Client. The Global Settings feature is visible and enabled only for Administrator users.

For example, the Global Settings dialog enables specifying customer-specific URLs for documentation and Planet web page links; which are available to the user from the Web Client and from the Global Console. Changing these links is useful in cases where IRM is run on customer-controlled equipment and those machines do not have access to the internet, or if the customer simply wants to supply a different or additional set of documentation links for their users.

The Global Settings feature is accessed by clicking on the first (gear) icon on the top-right corner of the Global Console page -

, which opens the following pop-up dialog:

The dialog displays different parameters and settings, with similar ones grouped together. Each group of Global Settings is explained in more detail as a separate point below.

External Links

This group shows a data grid listing all External Links by their Title and URL string. The user can edit both fields directly (inline), or simply delete the link by clicking on the trashcan button.

Clicking on the "+" button simply creates a new empty row, after which the Title and the URL string can be entered directly:

Clicking on the Reset button resets all external links to the default ones:

The user is asked to confirm this action before proceeding:

The following group - Security Settings, enables specifying different security-related settings, such as password length and lifetime, absolute and idle timeout values, and similar. Detailed explanation of each setting is broken into several following points.

Security Settings - part 1

The Audit Log Level setting controls the verbosity of the IRM Audit Log. The Audit Log captures all significant user activity and basic HTTP traffic info for requests made to the IRM server by externally-running components, including the IRM Web Client. Depending on the selected level, the audit log will contain more or less information about the traffic between IRM components running on the same machine, or separate machines.

With the Show Standard DOD Notice feature enabled, after a successful login, the banner below is displayed as a modal dialog and must be acknowledged before the user can do anything else. This option is off (unchecked) by default.

The Enable User Activity Log option defaults to true. If set to true (checked), the User Activity Log is enabled. This log contains a subset of Audit Log information and is available within the Global Console for Admin users. If the user needs to save CPU cycles, or user activity logging is not needed, clicking on this checkbox disables it.

Security Settings - part 2

Minimum Password Length is the minimal number of characters that a user password can consist of. The Minimum Password Length defaults to 8.

Note that there are additional minimum requirements that apply and are not configurable.

Those include all of the following, as shown in the screenshot below:

1 upper-case character
1 lower-case character
1 numeric character
1 special character

The user is prompted by the application about these requirements via the warning message above.

The Password Lifetime is the number of days the password is valid; in other words, passwords older than this must be updated.

The Bad Login Lock Count specifies the number of invalid logon attempts after which that user account gets locked and can no longer be used to log in. The default value is 5. To unlock, the user needs to click on the Forgot your password? button under the login form:

‚This redirects the user to another page containing a single text form for entering the email and the Email Link button for sending the email:

Shortly after, the user receives an email with further instructions and link for resetting password.

The Password Change Interval is the amount of time (in hours) that must pass before the password can be changed again. By default, this value is 0, which means a password can be changed by the user only once in a 24-hour period. If the user attempts to change the password again, an appropriate warning message will be displayed, as shown below. This feature makes it much harder for password guessing attacks to succeed.

The No Repeat Password Count is the number of the recently used passwords that cannot be reused when changing a password. The default value is 0, which means no restriction. However, if this value was 5, for example, that would mean that when a password change is attempted, none of the last 5 passwords could be reused.

Security Settings - part 3

The Auto Logoff Absolute Timeout sets the absolute amount of time after which the user is automatically logged out, regardless of whether the app is idle or not. This time is applied for all classes of Users and the default value is set to 3, which is also the lowest allowed value.

The Auto Logoff Idle Timeouts specify the amount of idle time (in minutes) after which the user is automatically logged out. There is one for each class of Users and the default value for all classes is set to 4 hours.

Alert Point Total and Alert Point Contributions

Every Active Alert contributes "points" to a global alert total, according to its priority, with (by default) 3 points for a High priority Alert, 2 for a Medium and 1 for a Low. The points are added then up for all Active Alerts, giving the Alert Point Total value. If this total is over certain threshold values, a progression of effects are applied to the Alert icon when it is displayed, much like the round Statistics icon blinks and changes color depending on what is happening with the server.

The following are the default threshold values for the Alert point total:

< 3 => steady black (Lowest)
3-4 => steady orange (Low)
5-6 => steady red (Medium)
7-10 => slowly blinking red (High)
15+ => rapidly blinking red (Highest)

The name in () is the name of a given threshold. Each threshold has semantics associated with it, like the special display effect mentioned above.

Since the number of concurrent Alerts that can be expected is a function of several customer-specific items, such as:

the number of active integrations
how Trigger Actions have been configured
how much data is being stored in IRM
how many people are using IRM
etc.

IRM enables both Alert Point Totals and Alert Point Contributions for each Alert priority to be set in Global Settings as tuning parameters.

Additional notification emails

The Additional notification emails is a list of emails for sending notifications when certain Admin operations are done (in addition to notifying the Admin users).

The + button automatically adds a new blank row in the list:

The trashcan button removes the corresponding row entry from this list:

Apply STIG Settings

When clicked, this button does all of the following:

Sets Audit Log Level to High
Turns on Show Standard DOD Notice
Turns on Enable User Activity Log
Sets Minimum Password Length to 15
Sets Password Lifetime to 60
Sets Bad Login Lock Count to 3
Sets Auto Logoff settings for Admin to 10
Sets Auto Logoff settings for all non-Admin user classes to 15

Click on this button is equivalent to going through the individual settings and setting them as indicated above, whether or not they were already set that way. To make the changes take effect, it is still necessary for the user to press the Save button.

NOTE: This button is provided simply as a convenience to help configure IRM in the way necessary to comply with U.S. government STIG requirements when used by certain customers. The net effect is to enhance security-related restrictions. Customers who do not need to comply with STIGs may find these settings inconvenient, and therefore the use of this option is not recommended for those who don't need STIG compliance.