Anonymous Links

Working with Anonymous Access or Guest Links in Privileged Access Management (PAM) is straightforward.

Generating Anonymous Links within Privileged Access Management allows a user (the “author”) to securely share a message or record details with others without requiring them to sign in to Privileged Access Management, which makes it possible to share information with guests.

Anonymous Link URLs contain a unique, random 32-character hexadecimal ID (displayed with hyphens in UUID format) and can be opened by anyone who has the link until the link’s expiration policy has been met.

Once this expiration policy is satisfied, the content of the Anonymous Link is permanently destroyed.

 

Anonymous Link URLs are generated and accessed in the following form:

https://xtam.company.com/xtam/alink/519c43d4-715b-4fff-a583-3afa1d43296e

 

PAM Anonymous Links provide the following benefits over traditional secret sharing through insecure channels like email or instant messaging applications:

  • Immediate, time-based and/or access-count-based expiration policies available to the author.
  • Permanent destruction of the message upon reaching its expiration policy.
  • Dynamic record details that provide up-to-date values on a read-only HTML page.
  • Audit events to track creation, access and expiration of anonymous links.

 

And of course, please keep these points in mind when determining whether or not to allow Anonymous Links within your PAM deployment:

  • By its design, an Anonymous Link and its message content can be accessed and viewed by anyone who has the link. This means that the message author may intend to send it to only one specific recipient, but this recipient could then forward it along to others. Links are not assigned to specific users or groups as they are built to support guests (users without sign-in authentication).
  • Administrators cannot view, expire or delete any links or messages that have been sent. They can review the Audit Log to determine who generated the message, but they have no control over the link, its message or configuration once it is generated.
  • PAM will need to be reachable by anyone who wishes to open an anonymous link. Keep in mind any firewall rules or other security controls that may be needed to allow external access to PAM. Although recipients are not required to log in, the link URL must still be reachable from the recipient’s location.
  • Since Access Manager logins are not required, the Opened Anonymous Link audit event will attempt to capture the recipient’s IP Address only. If the recipient happens to be an Access Manager user and is already authenticated in their browser, then it will also capture their username.
  • The content of the Anonymous Link is destroyed and cannot be retrieved after its expiration. Afterwards, navigating to the link will display an expiration error message.
  • Anonymous Links generated from PAM records are used to share record details which will include sensitive information like passwords. Unlock audit events are generated when record links are opened, so Tasks may be triggered from these activities.
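The audit events listed above are the only record of who created a link and who opened it, and for a guest that record is a source IP address only. The following Python is an added example written for this page, not Xton Access Manager/XTAM code: it parses a constructed audit export (the line format, event names and every entry are invented for illustration, since the real log layout is not shown in this article) and flags two patterns worth a second look: a link opened from more than one source IP, which suggests the recipient forwarded it, and an author generating many record links, which expose passwords, within a short window.

```python
# Detection over Anonymous Link audit events: an added example for this page, not XTAM code.
# The line format, event names and entries below are CONSTRUCTED for illustration; the real
# audit export layout is not shown in the article, so adapt parse_line() to yours.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-02T09:14:03Z CREATE link=519c43d4-715b-4fff-a583-3afa1d43296e author=alice record=rec-1034
2024-05-02T09:20:41Z OPEN   link=519c43d4-715b-4fff-a583-3afa1d43296e ip=203.0.113.5
2024-05-02T09:20:41Z UNLOCK author=alice record=rec-1034
2024-05-02T09:21:10Z OPEN   link=519c43d4-715b-4fff-a583-3afa1d43296e ip=198.51.100.7 user=bob
2024-05-02T09:21:10Z UNLOCK author=alice record=rec-1034
2024-05-02T09:22:00Z OPEN   link=519c43d4-715b-4fff-a583-3afa1d43296e ip=192.0.2.44
2024-05-02T09:22:00Z EXPIRE link=519c43d4-715b-4fff-a583-3afa1d43296e
2024-05-02T10:01:12Z CREATE link=0d9f2a1c-3b6e-4e8a-9c1d-2f7b8e6a5d41 author=mallory record=rec-2001
2024-05-02T10:01:30Z CREATE link=7c1e9b2d-5a4f-4d3c-8e2b-1a9f6c7d8e21 author=mallory record=rec-2002
2024-05-02T10:01:55Z CREATE link=b2f4d6e8-1a3c-4e5f-9b7d-8c6a4e2f0d13 author=mallory record=rec-2003
2024-05-02T10:02:20Z CREATE link=e5a7c9b1-d3f5-4a7b-9c1e-3f5a7c9b1d35 author=mallory record=rec-2004
2024-05-02T11:30:00Z CREATE link=4a6c8e0b-2d4f-4a6c-8e0b-2d4f6a8c0e24 author=alice
2024-05-02T11:31:00Z OPEN   link=4a6c8e0b-2d4f-4a6c-8e0b-2d4f6a8c0e24 ip=203.0.113.5 user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s*(?P<kv>.*)$")


def parse_line(line):
    """One event -> dict with 'ts', 'event' and the key=value fields, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m["event"]
    return fields


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def links_opened_from_multiple_ips(events, min_ips=2):
    """A guest link opened from several source IPs was probably forwarded beyond its recipient.
    Returns {link_id: sorted list of IPs} for links at or above the threshold."""
    ips = defaultdict(set)
    for e in events:
        if e["event"] == "OPEN":
            ips[e["link"]].add(e["ip"])
    return {link: sorted(s) for link, s in ips.items() if len(s) >= min_ips}


def record_link_bursts(events, max_links=3, window=timedelta(minutes=10)):
    """Authors who generated more than max_links *record* links (these expose passwords)
    inside any sliding window. Generic message-only links are ignored. Returns {author: count}."""
    by_author = defaultdict(list)
    for e in events:
        if e["event"] == "CREATE" and "record" in e:
            by_author[e["author"]].append(e["ts"])
    flagged = {}
    for author, times in by_author.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 > max_links:
                flagged[author] = j - i + 1
                break
    return flagged


def guest_opens(events):
    """Opens with no username: for a guest, the only identity PAM can record is the source IP."""
    return [(e["link"], e["ip"]) for e in events if e["event"] == "OPEN" and "user" not in e]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for link, ips in links_opened_from_multiple_ips(ev).items():
        print(f"forwarded? {link} opened from {ips}")
    for author, n in record_link_bursts(ev).items():
        print(f"burst: {author} generated {n} record links within 10 minutes")
    print(f"{len(guest_opens(ev))} guest opens (IP only)")
```

Because a link carries no recipient identity, the multiple-IP check is the closest thing to detecting the forwarding scenario described above; pair it with the Unlock events, since each open of a record link is a credential disclosure whether or not the intended person did the opening.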

Link for Records

Generating an Anonymous Link for PAM Records.

When generating an anonymous link for a specific PAM record, the link will display the record’s text values (current as of the time the link is opened) on an HTML page; it does not grant access to the record itself.

  1. Log in to PAM as a user with Manager or Owner permissions to the record. Alternatively, global System Administrators can generate links as well.

     Note: If the link author’s Record Control permission level is removed or reduced below Manager, or they are blocked by an active workflow, then the contents of the record will not be displayed when the link is opened. Instead the body of the message will read “The author of the anonymous link does not have permissions to the shared item” or “This anonymous link is blocked by an active workflow” until their original permissions have been restored or the workflow has been approved.

  2. Open or view the record that you want to generate a link for.

  3. Click the Anonymous Link button:

    FAQ-Anonymous-Links-Link-Button

    Note: if this button is not present, then you either do not have the required permission (Record Control: Manager or Owner), you are currently blocked by an active workflow, or this feature has been disabled by the System Administrator.

  4. In the Create Anonymous Link form, fill out all the required fields as desired:

    • Message: Enter a message that will be displayed in the body of the link when accessed. The message can be up to 1024 characters long.

    • Expiration in Minutes: Enter a numerical value, in minutes, for the amount of time that the message should be available. The expiration timer starts when the link is generated, not when it is first accessed (if ever). The maximum allowed time is 4320 minutes (3 days).

    • Number of Times to Open: Enter a numerical value that defines the total number of times that the link can be accessed before it is expired. This value must be between 1 and a maximum of 5.

  5. When the above values are entered, click the Generate button to generate your anonymous link URL.

    FAQ-Anonymous-Links-Record-Link-Form

  6. Copy the full URL from the read-only Link to Share field to send it to your recipient(s).

  7. You may now click the Close button to exit the Create Anonymous Link form, or adjust the values and click Generate again to generate a new link to share.
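The form limits, the expiration rules and the permission and workflow conditions in this procedure (and, in the same way, the generic-message procedure and the Disable the Link section later in this article) can be captured as a small policy model. The following Python is an added example written for this page, not product code: the class and function names, the audit tuples, the FakeClock and the “expired” wording are assumptions made for illustration; the numeric limits, the feature-parameter values and the two quoted restriction messages come from the article.

```python
# Policy model of Anonymous Links: an added example for this page, not Xton/XTAM product code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid

MAX_MESSAGE_LEN = 1024
MAX_EXPIRY_MINUTES = 4320                            # 3 days, per the article
MAX_OPENS = 5
BASE_URL = "https://xtam.company.com/xtam/alink/"    # host from the article's example URL

EXPIRED_MSG = "This anonymous link has expired"      # assumed wording; not quoted in the article
NO_PERMISSION_MSG = "The author of the anonymous link does not have permissions to the shared item"
WORKFLOW_MSG = "This anonymous link is blocked by an active workflow"


class FakeClock:
    """Controllable clock so time-based expiry can be exercised offline (constructed start time)."""
    def __init__(self): self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def __call__(self): return self.now
    def advance(self, minutes): self.now += timedelta(minutes=minutes)


@dataclass
class Link:
    link_id: str
    author: str
    message: str
    expires_at: datetime
    opens_allowed: int
    record_id: "str | None" = None   # None for a generic (message-only) link
    opens_used: int = 0


class AnonymousLinkService:
    """In-memory model; a link exists only until its expiration policy is met."""
    def __init__(self, mode, clock, record_values, author_level, workflow_blocked):
        self.mode = mode                          # "Enabled" | "Generic" | "Disabled"
        self.clock = clock
        self.record_values = record_values        # record_id -> current field values
        self.author_level = author_level          # (author, record_id) -> Record Control level
        self.workflow_blocked = workflow_blocked  # (author, record_id) -> bool
        self.links, self.audit = {}, []

    def _restriction(self, author, record_id):
        """Why the author may not expose this record right now, or None."""
        if self.author_level(author, record_id) not in ("Manager", "Owner"):
            return NO_PERMISSION_MSG
        if self.workflow_blocked(author, record_id):
            return WORKFLOW_MSG
        return None

    def create(self, author, message, expiry_minutes, opens, record_id=None):
        if self.mode == "Disabled":
            raise PermissionError("Anonymous Links are disabled")
        if record_id is not None:
            if self.mode == "Generic":
                raise PermissionError("record links are disabled (parameter = Generic)")
            if self._restriction(author, record_id):   # the button is hidden in these cases
                raise PermissionError("Record Control: Manager or Owner required, not workflow-blocked")
        if not (0 < len(message) <= MAX_MESSAGE_LEN and 0 < expiry_minutes <= MAX_EXPIRY_MINUTES
                and 0 < opens <= MAX_OPENS):
            raise ValueError("message 1..1024 chars, expiry 1..4320 minutes, opens 1..5")
        link_id = str(uuid.uuid4())   # 128 random bits, formatted like the article's example
        # The expiry clock starts at generation, not at first access.
        self.links[link_id] = Link(link_id, author, message,
                                   self.clock() + timedelta(minutes=expiry_minutes), opens, record_id)
        self.audit.append(("Created Anonymous Link", author, link_id))
        return BASE_URL + link_id

    def _destroy(self, link_id):
        if self.links.pop(link_id, None) is not None:   # the content is gone for good
            self.audit.append(("Expired Anonymous Link", link_id))

    def open(self, link_id, ip, username=None):
        """Return (message, record_details). A guest is identified by IP only."""
        link = self.links.get(link_id)
        if link is None or self.clock() >= link.expires_at:
            self._destroy(link_id)
            return EXPIRED_MSG, None
        link.opens_used += 1   # assumed: a restricted open still counts toward the limit
        self.audit.append(("Opened Anonymous Link", link_id, ip, username))
        message, details = link.message, None
        if link.record_id is not None:
            restriction = self._restriction(link.author, link.record_id)  # re-checked every open
            if restriction:
                message = restriction
            else:
                details = self.record_values(link.record_id)   # live values, not a snapshot
                self.audit.append(("Unlock", link.author, link.record_id))
        if link.opens_used >= link.opens_allowed:
            self._destroy(link_id)   # count-based expiry, after serving this open
        return message, details

    def expire(self, caller, link_id):
        """Only the author can expire a link early; administrators cannot."""
        link = self.links.get(link_id)
        if link is None or link.author != caller:
            raise PermissionError("only the link's author can expire it")
        self._destroy(link_id)
```

The two points easiest to get wrong are encoded explicitly: the expiration clock starts at generation, so a link created with a 30-minute expiry is dead 30 minutes later even if never opened, and the author’s Record Control level is re-evaluated on every open, so revoking the author’s permission withholds the record details from a link that is otherwise still live. Changing the feature parameter only affects `create`; a link that already exists keeps serving until its own policy expires it.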

Once the URL is generated and displayed, the link is active. If you made a mistake, navigate to the Anonymous Links section of your Profile, select this link and click the Expire button. This action will immediately expire your link (destroying its content) so you can generate a new link.

To review the activity associated to your anonymous links, navigate to Management > My Profile > Anonymous Links.

On this page, you will find all your non-expired links and their configuration. From here, you can confirm their expiration time, understand how many times it has been accessed, find the link’s unique URL or immediately expire any active link(s).

FAQ-Anonymous-Links-My-Profile-Options-Record

Expired links are permanently destroyed and will not be visible.

 

FAQ-Anonymous-Links-Record-Link-URL

Anonymous Record Link Content including the Record’s Details

Link with a Generic Message

Generating an Anonymous Link with a Generic Message.

When generating an anonymous link with only a generic message (no association to a specific record), the link will display your generic message on an HTML page; it does not grant access to, or display any information from, a record.

 

  1. Log in to PAM as any user. Generic anonymous links that have no association with any record can be created by any authenticated System user.

  2. Navigate to Management > My Profile > Anonymous Links and click the Create button.

     Note: If the Anonymous Links section is not visible, then this feature has been disabled by your System Administrator.

  3. In the Create Anonymous Link form, fill out all the required fields as desired:

    • Message: Enter a message that will be displayed in the body of the link when accessed. The message can be up to 1024 characters long.
    • Expiration in Minutes: Enter a numerical value, in minutes, for the amount of time that the message should be available. The expiration timer starts when the link is generated, not when it is first accessed (if ever). The maximum allowed time is 4320 minutes (3 days).
    • Number of Times to Open: Enter a numerical value that defines the total number of times that the link can be accessed before it is expired. This value must be between 1 and a maximum of 5.

  4. When the above values are entered, click the Generate button to generate your anonymous link URL.

    FAQ-Anonymous-Links-Generic-Link-Form

  5. Copy the full URL from the read-only Link to Share field to send it to your recipient(s).

  6. You may now click the Close button to exit the Create Anonymous Link form, or adjust the values and click Generate again to generate a new link to share.

Once the URL is generated and displayed, the link is active. If you made a mistake, navigate to the Anonymous Links section of your System Profile, select this link and click the Expire button. This action will immediately expire your link (destroying its content) so you can generate a new link.

After each new link is generated, it will appear in the Anonymous Link table on this same page.

On this page, you will find all your non-expired links and their configuration.

From here, you can confirm their expiration time, understand how many times it has been accessed, find the link’s unique URL or immediately expire any active link(s).

FAQ-Anonymous-Links-My-Profile-Options

Expired links are permanently destroyed and will not be visible.

 

FAQ-Anonymous-Links-Generic-Link-URL

Anonymous Generic Link Content that only includes the Author’s Message

 

Disable the Link

Disabling the Anonymous Link Feature.

System Administrators can choose to enable or disable the use of Anonymous Links in Privileged Access Management.

Please note that if the Anonymous Links feature is disabled, all currently active links will remain accessible until their expiration policy has been satisfied. Disabling Anonymous Links does not automatically expire active links; an author who wants a link gone immediately must expire it from the Anonymous Links section of their Profile.

Log in to the System with a System Administrator account.

  1. Navigate to Administration > Settings > Parameters and locate the Anonymous Links parameter.
  2. Select one of the following values:
    • Enabled: Enables Anonymous Links to be generated from Access Manager records and generic messages.

    • Generic: Enables Anonymous Links to be generated from generic messages. Disables the ability to generate Anonymous Links from Access Manager records.

    • Disabled: Disables all Anonymous Link generation in Access Manager.

  3. Click the Save button to complete your configuration change.

Design of the Link

Customizing the Design of the Anonymous Link Content.

The visual design of the Anonymous Link content was meant to match the look of the Access Manager system; however if you wish to make changes, this section will describe the process.

You will need to make changes to the System installation, so please work with your Administrators to gain access to the PAM server with the required permissions.

The System does not need to be offline, nor does it require a restart, in order to modify this layout.

Future system updates will not overwrite any custom changes you make to the layout.

 

  1. Log in to the PAM host server with an account that has permission to modify the $PAM_HOME directory. You will be copying and modifying one (1) .css file.
  2. Navigate to $PAM_HOME/web/webapps/pam/templates and copy the file anonymousLink.css.
  3. Paste this anonymousLink.css file to $PAM_HOME/content/templates. If the /templates directory does not exist, please create it first and then paste the file into this location.
  4. Customize anonymousLink.css file as desired (it is a standard web style sheet) and save the file when complete. Consult with your Web Designer for assistance when working with the .css file.
  5. Open (or refresh) any valid Anonymous Link URL to review your changes.

Expired or Restricted Link

Expired or Restricted Link Content Examples.

These messages will appear if the content in the link cannot be displayed.

Note that the actual text displayed for each of these conditions can be modified by updating the anonymousLink.css file as described in the prior section of this article.

When a link expires, the following message will appear when it is opened.

FAQ-Anonymous-Links-Expired-Link-URL

When a link’s author no longer has permission to access the record from which the link was generated, the following message will appear when it is opened.

FAQ-Anonymous-Links-Restricted-Permissions-Link-URL

When a link’s author is blocked by a workflow, the following message will appear when it is opened.

FAQ-Anonymous-Links-Workblow-Blocked-Link-URL