Connecting to a remote Unix or Windows host through the Xton Access Manager (XTAM) gateway is simple: find the record that describes the remote host, optionally request access and wait for approval, then perform the Connect operation. XTAM opens a session window with a connection to the remote host, using the host name together with the user and password stored on the record. The privileged password on the record is never revealed to the connecting user, which is what allows access to be shared securely. The dynamic credential options described below are the interesting cases in which XTAM performs additional steps to determine which user and password to use when connecting to the host on the record.
Prompt for Credentials.
When the User field on the record is left blank, XTAM prompts the currently logged in XTAM user for credentials to the remote host at connection time. As with any other session, XTAM can optionally record the session and its events, produce an audit log, and raise alerts and syslog notifications about the session. The access approval workflow can also optionally control whether the Connect operation is available at all.
Prompt for Credentials is a good option for providing controlled access to servers in a datacenter when administrators already know the credentials they log in with, either their own accounts or well-known shared accounts such as a domain administrator account.
Read configuring this option in the following article: Prompt User for Connection Parameters
Pass-Through Credentials.
When the User field on the record contains the $forward or $login keyword, XTAM takes the login name and password of the currently logged in XTAM user and uses them as the credentials to connect to the remote server. As usual, XTAM optionally provides recording, workflow and auditing around the connection event.
Pass-Through Credentials is a good option for providing automated, controlled access to servers in a datacenter when administrators log in with their own credentials.
Read configuring this option in the following article: Remote Session Pass-Through Login Credentials
Dynamic Credentials.
When the User field on the record contains $search:CRITERIA, XTAM uses CRITERIA to search for records with the regular XTAM search. The search must resolve to a single record; XTAM then uses the user and password on that found record for the connection.
CRITERIA can contain placeholders such as $login, which resolves to the login name of the currently connected XTAM user, so the criteria are built dynamically for each user who connects.
For example, we created a record holding the jwilliams credentials and put email@example.com in its description. Then we created a Windows host record and entered $search:$firstname.lastname@example.org in its User field. When user jwilliams connects to this host record, XTAM resolves the placeholders, finds the record matching the email@example.com criteria, and uses that record's user and password for the connection. When someone else connects to the same host record, the placeholders resolve differently, so the credentials come from whichever record matches the criteria built for that user.
Note that an XTAM user performing the Connect operation in the Dynamic Credentials scenario needs the View permission and one of the Connect permissions on the host record, but needs no permissions at all on the records located by the User search criteria; the connecting user need not even be able to see them. This provides additional security around the actual accounts used to connect to the remote servers.
The Dynamic Credentials option is useful when different groups of users should connect to the same remote servers using different shared accounts. Another good use is the multi-domain scenario, where the same account names exist in several domains serving different computers in the datacenter. In this case Dynamic Credentials lets administrators know their credentials in only one of the domains while the matching accounts in the other domains are used to connect to the remote servers.
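To make the resolution rules above concrete, here is an added Python model of the User-field handling described in this article. It is an illustration written for this page, not XTAM's own code. The record store, the permission names, the substring search and the sample records are all assumptions; the keyword behaviour (blank, $forward/$login, $search:CRITERIA with $login), the requirement that the search resolve to exactly one record, and the rule that the connecting user needs View plus a Connect permission on the host record but none on the record found by the search are taken from the text.

```python
"""Model of how XTAM resolves the User field at connect time, as described above.
Illustration only, not XTAM code: records, permission names and the search
are simplified assumptions made for this example."""
from dataclasses import dataclass, field


class CredentialError(Exception):
    """Raised when no usable credential can be determined for the session."""


@dataclass
class Record:
    id: str
    host: str
    user: str                    # contents of the User field
    password: str
    description: str = ""
    # principal -> set of permission names (assumed model of XTAM ACLs)
    acl: dict = field(default_factory=dict)


def resolve_placeholders(criteria: str, session_user: str) -> str:
    """Expand placeholders in $search criteria; the article names $login."""
    return criteria.replace("$login", session_user)


def search_records(store, criteria: str):
    """Stand-in for the regular XTAM search: case-insensitive substring
    match over host, user and description (assumption)."""
    needle = criteria.lower()
    return [r for r in store
            if needle in f"{r.host} {r.user} {r.description}".lower()]


def resolve_connection(record, session_user, session_password, store, prompt=None):
    """Return the (user, password) pair XTAM would use to open the session.

    Modes taken from the article:
      blank User field        -> prompt the connecting user
      $forward or $login      -> pass the connecting user's own credentials through
      $search:CRITERIA        -> find exactly one other record and use its credentials
      anything else           -> static user/password stored on the record
    """
    perms = record.acl.get(session_user, set())
    # The connecting user needs View plus one of the Connect permissions on
    # the host record; without them the operation is refused before any lookup.
    if "View" not in perms or not any(p.startswith("Connect") for p in perms):
        raise CredentialError(f"{session_user} lacks View/Connect on {record.id}")

    value = record.user.strip()
    if value == "":
        if prompt is None:
            raise CredentialError("record requires interactive credentials")
        return prompt()                              # Prompt for Credentials
    if value in ("$forward", "$login"):
        return session_user, session_password       # Pass-Through Credentials
    if value.startswith("$search:"):
        criteria = resolve_placeholders(value[len("$search:"):], session_user)
        matches = search_records(store, criteria)
        if len(matches) != 1:
            raise CredentialError(
                f"criteria {criteria!r} matched {len(matches)} records, exactly 1 required")
        found = matches[0]
        # Deliberately no ACL check on `found`: the connecting user may have
        # no rights on the account record, which is the point of this mode.
        return found.user, found.password            # Dynamic Credentials
    return record.user, record.password              # static credentials


# Constructed sample records for the demonstration (not real hosts or accounts).
ACCT_JW = Record("acct-jw", "", "jwilliams", "pw-jw", "jwilliams@corp.example",
                 {"admin": {"View", "Connect"}})
ACCT_AM = Record("acct-am", "", "amartin", "pw-am", "amartin@corp.example",
                 {"admin": {"View", "Connect"}})
# Two records match cjones, so the search is ambiguous for that user.
ACCT_CJ1 = Record("acct-cj1", "", "cjones", "pw-cj1", "cjones@corp.example")
ACCT_CJ2 = Record("acct-cj2", "", "cjones", "pw-cj2", "cjones@corp.example (old)")

HOST_ACL = {"jwilliams": {"View", "Connect"}, "amartin": {"View", "Connect"},
            "cjones": {"View", "Connect"}, "bsmith": {"View"}}
WIN_HOST = Record("win01", "win01.corp.example", "$search:$login@corp.example", "",
                  "Windows jump host", HOST_ACL)
PROMPT_HOST = Record("lnx01", "lnx01.corp.example", "", "", "prompted login", HOST_ACL)
PASSTHRU_HOST = Record("lnx02", "lnx02.corp.example", "$forward", "", "pass-through", HOST_ACL)

STORE = [ACCT_JW, ACCT_AM, ACCT_CJ1, ACCT_CJ2, WIN_HOST, PROMPT_HOST, PASSTHRU_HOST]


if __name__ == "__main__":
    for user in ("jwilliams", "amartin", "bsmith", "cjones"):
        try:
            print(user, "->", resolve_connection(WIN_HOST, user, "session-pw", STORE))
        except CredentialError as exc:
            print(user, "-> refused:", exc)
```

The two checks worth noting are the ones a practitioner should verify in a real deployment: the permission check on the host record happens before any search, so a user without Connect rights cannot use the host record to probe which account records exist, and an ambiguous search is refused rather than silently picking one of several matching accounts. In the constructed data, jwilliams and amartin each resolve to their own account record, bsmith is refused for lacking a Connect permission, and cjones is refused because two records match the dynamically built criteria.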
Read configuring this option in the following article: Remote Session Dynamic Login Credentials