PrivX Settings

| Scope Name | Section Name | Property Name | Property Description |
|---|---|---|---|
| AUTH | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| AUTH | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| AUTH | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| AUTH | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| AUTH | loginratelimit | enable_username_limit | When enabled, login attempts are limited per username + IP pair. |
| AUTH | loginratelimit | username_attempts_burst_size | Maximum number of failed logins per user + IP pair. |
| AUTH | loginratelimit | username_attempts_per_minute | Maximum number of login attempts per user + IP pair per minute. |
| AUTH | loginratelimit | enable_subnet_limit | When enabled, login attempts are limited per IP subnet. |
| AUTH | loginratelimit | subnet_attempts_burst_size | Maximum number of failed logins per subnet. |
| AUTH | loginratelimit | subnet_attempts_per_minute | Maximum number of login attempts per subnet per minute. |
| AUTH | loginratelimit | remoteip_white_list | Whitelist of remote IP addresses. |
| AUTH | loginmethods | webauthn_enabled | Enable passkey login and credential registration. |
| AUTH | loginmethods | sso_enabled | Enable users to log in using single sign-on (SSO). |
| AUTH | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| AUTHORIZER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| AUTHORIZER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| AUTHORIZER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| AUTHORIZER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| AUTHORIZER | certificate_templates | ssh_cert_templates | |
| AUTHORIZER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| CONNECTION-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| CONNECTION-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| CONNECTION-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| CONNECTION-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| CONNECTION-MANAGER | housekeeping | housekeeping_interval | Interval for connection status housekeeping, in minutes. |
| CONNECTION-MANAGER | housekeeping | housekeeping_conn_meta_retention | Retention period for connection metadata, in days. Set to -1 to disable metadata removal. |
| CONNECTION-MANAGER | housekeeping | housekeeping_interval_for_trails | Interval for trail housekeeping, in hours. |
| CONNECTION-MANAGER | housekeeping | housekeeping_enable_integrity_checker | Enable to verify the integrity of recorded trails during housekeeping. |
| CONNECTION-MANAGER | housekeeping | housekeeping_integrity_checker_use_checksum | Enable to use SHA-256 checksums when verifying the integrity of recorded trails. |
| CONNECTION-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| GLOBAL | audit | timeout_when_no_connmgr | Set to 0 to disable the timeout and keep connections open. |
| GLOBAL | audit | data_folder | Folder for audit trail data. |
| GLOBAL | audit | trail_expiry | Set to -1 to disable trail removal. |
| GLOBAL | audit | transferred_files_expiry | Set to -1 to disable removal of downloaded/uploaded files. |
| GLOBAL | audit | file_timestamp_obfuscation | Enable trail file and directory timestamp obfuscation. |
| GLOBAL | ldapconnections | ldap_connection_timeout | The duration in seconds before the LDAP query connection times out. |
| GLOBAL | ldapconnections | ldap_retry_attempts | The number of times to retry if the LDAP query connection times out. |
| GLOBAL | ldapconnections | enable_ldap_custom_root_certificates | Specify whether PrivX should use custom root certificates. |
| GLOBAL | ldapconnections | enable_ldap_system_roots_cert_pool | Specify whether PrivX should use the system certificate pool. |
| GLOBAL | ldapconnections | ldap_root_ca_pem | Specify a custom root certificate in PEM format, which will be added to the certificate pool for LDAP connections. Note that the custom root certificates setting must be enabled to use this. |
| GLOBAL | disclaimer | privx_disclaimer | |
| GLOBAL | application_switcher | privx_app_switcher_links_ukm | Enter the URL of the Universal SSH Key Manager web UI. |
| GLOBAL | rdp_common | host_certificate_trust_anchors | Specify RDP host certificate trust anchor PEM certificates. |
| GLOBAL | rdp_common | allow_plaintext_vnc | |
| GLOBAL | ssh_common | audit_enabled | Enable sending SSH events to the audit log. |
| GLOBAL | ssh_common | events_to_audit | Supported SSH event types to audit. |
| GLOBAL | icap | icap_for_ssh_proxy | Configure whether PrivX performs virus scanning for transferred files. |
| GLOBAL | icap | icap_for_ssh_mitm | Configure whether PrivX performs virus scanning for files transferred via native SSH. |
| GLOBAL | icap | icap_for_rdp_proxy | Configure whether PrivX performs virus scanning for files transferred via RDP and Web Access Gateways. |
| GLOBAL | icap | icap_server_hostname | Hostname of the ICAP proxy server. |
| GLOBAL | icap | icap_server_port | Port number of the ICAP proxy server. |
| GLOBAL | icap | icap_respmod_url | Send a response modification (RESPMOD) with HTTP request headers, using this URL. |
| GLOBAL | icap | icap_reqmod_url | Send a request modification (REQMOD) instead of a response modification, using this URL. |
| GLOBAL | icap | icap_preview_length | Maximum preview data size in bytes. Set to 0 to disable preview. |
| GLOBAL | icap | icap_service_name | Optional ICAP service name. |
| GLOBAL | live_monitoring | enable_live_ssh | |
| GLOBAL | live_monitoring | enable_live_rdp | |
| GLOBAL | live_monitoring | enable_live_vnc | |
| GLOBAL | live_monitoring | enable_live_web | |
| GLOBAL | invalidated_session_cache | cache_size | Set a positive size for the invalidated session cache. The size determines the number of invalidated sessions the cache can hold before eviction. |
| GLOBAL | watermarking | host_heading | |
| GLOBAL | watermarking | host_watermark | |
| DB-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| DB-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| DB-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| DB-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| DB-PROXY | dbproxy_internal | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| DB-PROXY | certificates | key_type | The Database Proxy server's key pair type, used to generate dynamic TLS certificates for database connections. |
| DB-PROXY | certificates | rsa_key_size | RSA key size (bits). |
| DB-PROXY | certificates | ecdsa_key_size | ECDSA key size (bits). |
| DB-PROXY | certificates | cache_size | Cache size for dynamically generated TLS certificates. |
| DB-PROXY | host_trust_anchors | host_certificate_trust_anchors | Specify host certificate trust anchor PEM certificates. |
| DB-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| EXTENDER-SERVICE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| EXTENDER-SERVICE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| EXTENDER-SERVICE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| EXTENDER-SERVICE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| EXTENDER-SERVICE | service | listener_address_mode | Listener address resolution mode. |
| EXTENDER-SERVICE | service | listener_addresses | List of IP addresses or IP subnet CIDRs used for resolving extender listener addresses. |
| EXTENDER-SERVICE | service | listener_port_min | Port range start for extender listeners. |
| EXTENDER-SERVICE | service | listener_port_max | Port range end for extender listeners. |
| EXTENDER-SERVICE | service | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| EXTENDER-SERVICE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| HOST-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| HOST-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| HOST-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| HOST-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| HOST-STORE | health-check-options | service_health_checks_enabled | Configure whether PrivX performs network connectivity health checks for services. |
| HOST-STORE | health-check-options | service_health_check_wait | Interval between health check runs, in seconds. |
| HOST-STORE | health-check-options | service_health_check_max_requests_per_second | Maximum service health check requests per second per worker. |
| HOST-STORE | health-check-options | service_health_check_max_workers | Maximum number of concurrent service health check requests. |
| HOST-STORE | host-house-keeping | host_housekeeping_run_interval | Interval between housekeeping runs, in hours. Housekeeping expunges deleted hosts from the database once they have been deleted for longer than the configured expunction delay. Set to 0 to disable housekeeping. |
| HOST-STORE | host-house-keeping | hosts_deleted_age | The delay (in hours) between when a host is deleted and when it is permanently removed. |
| HOST-STORE | initial-host-service-options-ssh | shell | |
| HOST-STORE | initial-host-service-options-ssh | file_transfer | |
| HOST-STORE | initial-host-service-options-ssh | exec | |
| HOST-STORE | initial-host-service-options-ssh | tunnels | |
| HOST-STORE | initial-host-service-options-ssh | x11 | |
| HOST-STORE | initial-host-service-options-ssh | other | |
| HOST-STORE | initial-host-service-options-rdp | file_transfer | |
| HOST-STORE | initial-host-service-options-rdp | audio | |
| HOST-STORE | initial-host-service-options-rdp | clipboard | |
| HOST-STORE | initial-host-service-options-vnc | file_transfer | |
| HOST-STORE | initial-host-service-options-vnc | clipboard | |
| HOST-STORE | initial-host-service-options-web | file_transfer | |
| HOST-STORE | initial-host-service-options-web | audio | |
| HOST-STORE | initial-host-service-options-web | clipboard | |
| HOST-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| LICENSE-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| LICENSE-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| LICENSE-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| LICENSE-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| LICENSE-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| MONITOR-SERVICE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| MONITOR-SERVICE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| MONITOR-SERVICE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| MONITOR-SERVICE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| MONITOR-SERVICE | housekeeping | housekeeping_interval | Interval between housekeeping runs, in hours. Set to 0 to disable housekeeping. |
| MONITOR-SERVICE | housekeeping | data_retention_period | Number of days that audit events must be kept in the database. Set to -1 to disable audit event removal. |
| MONITOR-SERVICE | housekeeping | status_check_interval | Interval between status checks, in seconds. Set to 0 to disable checks. |
| MONITOR-SERVICE | housekeeping | system_health_check_interval | Interval between system health checks, in hours. Set to 0 to disable checks. |
| MONITOR-SERVICE | housekeeping | cache_db_expiry_interval | Interval for removing expired keys from the database cache, in seconds. Set to 0 to disable database cache removal. |
| MONITOR-SERVICE | housekeeping | external_component_low_storage_warning_threshold | External component low disk space warning threshold, in GB. Set to 0 to disable the external component low disk space warning. |
| MONITOR-SERVICE | housekeeping | status_expunction_delay | The delay (in hours) before an inactive component's status is permanently removed when housekeeping runs. |
| MONITOR-SERVICE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| NETWORK-ACCESS-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| NETWORK-ACCESS-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| NETWORK-ACCESS-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| NETWORK-ACCESS-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| NETWORK-ACCESS-MANAGER | service | housekeeping_interval_sec | Interval between housekeeping runs, in minutes, for removing dead sessions from the PrivX router. |
| NETWORK-ACCESS-MANAGER | service | router_session_removal_max_retries | Maximum number of retries for PrivX router session removal. |
| NETWORK-ACCESS-MANAGER | service | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| NETWORK-ACCESS-MANAGER | service | connection_message_timeout_sec | Timeout interval (seconds) for a connection message reply. Default: 5 seconds. |
| NETWORK-ACCESS-MANAGER | service | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
| NETWORK-ACCESS-MANAGER | service | timeout_when_no_connmgr_min | Timeout for network target sessions when there is no connection to the connection manager, in minutes. |
| NETWORK-ACCESS-MANAGER | service | extender_connect_timeout_sec | Connect timeout for extender target connections, in seconds. |
| NETWORK-ACCESS-MANAGER | router | routers | |
| NETWORK-ACCESS-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| RDP-MITM | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| RDP-MITM | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| RDP-MITM | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| RDP-MITM | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| RDP-MITM | rdp_mitm | rdp_public_addresses | RDP Bastion public addresses. |
| RDP-MITM | rdp_mitm | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| RDP-MITM | rdp_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| RDP-MITM | rdp_mitm | allow_role_ip_restrictions | Enable to enforce role context IP limitation checks. |
| RDP-MITM | rdp_mitm | ffmpeg_parameters | Video encoding parameters to be passed to the FFmpeg library. |
| RDP-MITM | rdp_mitm | video_generator_workers | Number of workers that encode video simultaneously. |
| RDP-MITM | rdp_mitm | video_generator_temp_directory | Directory where temporary video files are generated before they are stored as part of the trail. |
| RDP-MITM | rdp_mitm | connection_message_timeout_sec | Timeout interval (seconds) for a connection message reply. Default: 5 seconds. |
| RDP-MITM | certificates | renewal_period_months | Certificate renewal period in months. |
| RDP-MITM | certificates | renewal_period_days | Certificate renewal period in days. |
| RDP-MITM | certificates | update_automatically | Configure whether certificates should be updated automatically. |
| RDP-MITM | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| RDP-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| RDP-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| RDP-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| RDP-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| RDP-PROXY | rdp_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| RDP-PROXY | rdp_proxy | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| RDP-PROXY | rdp_proxy | web_proxy_enabled | Enable to allow a remote web proxy (Squid) to authorize web connections via the PrivX web proxy server. |
| RDP-PROXY | rdp_proxy | smartcard_authentication_enabled | Configure whether RDP smart card authentication is enabled. |
| RDP-PROXY | rdp_proxy | smartcard_status_workaround_disabled | Disable the RDP smart card login failure workaround. |
| RDP-PROXY | rdp_proxy | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| RDP-PROXY | rdp_proxy | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| RDP-PROXY | rdp_proxy | enable_wallpaper | Enable desktop wallpaper for target hosts. Disabling this makes screen updates faster. |
| RDP-PROXY | rdp_proxy | enable_font_smoothing | Enable font smoothing. Enabling this usually improves text quality. |
| RDP-PROXY | rdp_proxy | share_dir | RDP shared directory. |
| RDP-PROXY | rdp_proxy | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. |
| RDP-PROXY | rdp_proxy | connectivity_test_timeout | Connection timeout while checking that a target is reachable, in seconds. |
| RDP-PROXY | rdp_proxy | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| RDP-PROXY | rdp_proxy | connection_message_timeout_sec | Timeout interval (seconds) for a connection message reply. Default: 5 seconds. |
| RDP-PROXY | certificates | renewal_period_months | Certificate renewal period in months. |
| RDP-PROXY | certificates | renewal_period_days | Certificate renewal period in days. |
| RDP-PROXY | certificates | update_automatically | Configure whether certificates should be updated automatically. |
| RDP-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| ROLE-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| ROLE-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| ROLE-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| ROLE-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| ROLE-STORE | authorizedkeys | expired_purge_interval_hours | Expired authorized keys purge interval, in hours. Set to 0 to disable automatic deletion of expired authorized keys. |
| ROLE-STORE | authorizedkeys | max_validity_days | Maximum validity period of an authorized key, in days. Valid values are 1-7300 days. |
| ROLE-STORE | authorizedkeys | min_rsa_key_size | Minimum key size in bits for ssh-rsa keys. |
| ROLE-STORE | authorizedkeys | supported_key_types | Specify the supported authorized key types for logging in to PrivX with user-specific authorized keys. |
| ROLE-STORE | aws | enabled | Specify whether AWS support is enabled. |
| ROLE-STORE | aws | default_region | Default AWS region to use for API access. |
| ROLE-STORE | aws | enable_assume_role | Enable assume-role temporary session credentials. These credentials can be used to give PrivX users temporary access to the AWS API via the AWS CLI or scripting. |
| ROLE-STORE | aws | assume_role_default_ttl | Expiration time in seconds for assume-role temporary credentials. AWS service limits are minimum 900 (15 min), maximum 43200 (12 hours). Values above 3600 seconds require modifying the AWS target role configuration, or token grants will fail. |
| ROLE-STORE | aws | enable_federated_tokens | Enable federation token access. These credentials can be used to give SSH PrivX users temporary access to the AWS API via AWS roles. If both assume-role and federated role tokens are enabled, assume-role will be used. |
| ROLE-STORE | aws | federated_tokens_default_ttl | Expiration time in seconds for federated tokens. AWS service limits are minimum 900 (15 min), maximum 129600 (36 hours). |
| ROLE-STORE | aws | max_aws_roles | Maximum number of AWS roles to fetch. This restriction is applied after role path or role name filtering is done. |
| ROLE-STORE | caching | enable | Specify whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. Additionally, it is used to define the size of the cache used for storing deleted roles. Disabling the setting is not recommended. |
| ROLE-STORE | caching | type | Cache type. Local caching uses an in-memory LRU cache. Cache type "Local" is recommended for security reasons. |
| ROLE-STORE | caching | rule_evaluation_cache_enabled | Specify whether role rule evaluation results should be cached. Enabling this setting is recommended. |
| ROLE-STORE | caching | max_entries | Maximum entries in the local LRU cache. If the cache exceeds this size, the least recently used entries are purged. The minimum cache size should be greater than the number of active PrivX users + the total PrivX role rule count. |
| ROLE-STORE | caching | sync_interval_seconds | Local cache periodic synchronization interval in seconds. Should be a relatively small value (default is 60 seconds). Set to 0 to disable synchronization. This setting should be enabled in HA environments. |
| ROLE-STORE | caching | ttl | Cache TTL in seconds. Should be set to a relatively small value (a few minutes). However, setting this too low (e.g. less than 3 seconds) might cause synchronization issues when running multiple instances of the same service. |
| ROLE-STORE | caching | user_cache_refresh_ttl | Cache TTL for user caching, in seconds. If user data in the user cache has been refreshed more recently than the User Cache TTL setting, it won't be reloaded from the user directory. A value of 0 disables the cache. Note that disabling the cache forces user data to be fetched from the user directory every time user roles are resolved. Disabling the setting is NOT recommended. |
| ROLE-STORE | caching | deleted_roles_cache_size | Size of the cache that stores deleted roles in memory. Minimum value is 1000 and maximum value is 10000000 (10M). Default value is 1000000 (1M). |
| ROLE-STORE | directory | blacklisted_host_tag_prefixes | When the "Import host instance tags from the directory" setting is enabled for a host directory, all host tags will be imported to PrivX except tags starting with these prefixes. |
| ROLE-STORE | housekeeping | scim_role_housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up unused roles created by SCIM directories. Set to 0 to disable housekeeping. |
| ROLE-STORE | housekeeping | users_active_interval | Interval after the last login during which a user is considered active. If the user has not logged in within this interval, the user is considered inactive and housekeeping is applied to that user (this includes deleting user settings, explicit user role mappings, authorized keys and OIDC user data). Note that this behavior is not applied to Local users and API clients. |
| ROLE-STORE | ldap | enable_nested_groups | Enable nested groups for role mappings. Enables the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter for role queries against user directories. This option affects only role mappings. AD directory settings are not affected by this setting. |
| ROLE-STORE | ldap | default_cache_ttl | Default LDAP cache TTL in seconds. Used if no TTL is specified for an LDAP directory. If you have many users or very slow LDAP servers, set the TTL to a higher value. |
| ROLE-STORE | ldap | paging_size | LDAP query pagination size. The default maximum for Active Directory is 1000. Use as high a value as possible for maximum performance. |
| ROLE-STORE | ldap | attributes | Specifies which attributes to fetch from LDAP for caching. Leaving this empty will fetch all attributes for LDAP objects. Filtering out unused attributes reduces memory consumption and improves query times. Note that only the specified attributes can be used in LDAP query filters and role source rules. The recommended attribute filter is: objectClass cn dn distinguishedName whenCreated whenChanged name userPrincipalName givenName company departmentNumber mail email mobile sAMAccountName uid memberOf entryDN displayName userAccountControl groupType servicePrincipalName objectCategory objectGUID objectSID |
| ROLE-STORE | ldap | default_user_filter | Default pre-filter to use when searching users. Not required, but allows using shorter LDAP search strings. Use this to filter out non-user objects. Directory-level user filters override this default setting. Leaving the user filter empty increases memory consumption. The recommended filter is: ((objectClass=user)(objectClass=person)(objectClass=inetOrgPerson)) |
| ROLE-STORE | ldap | global_ad_user_filter | Automatically append this filter to Active Directory requests when fetching users or mapping roles. The recommended AD user filter, which filters out disabled users, is: (!userAccountControl:1.2.840.113556.1.4.803:=2) |
| ROLE-STORE | scanning | first_host_scanning_delay | Host scanning delay after starting the service, in seconds. |
| ROLE-STORE | scanning | first_role_scanning_delay | AWS role scanning delay after starting the service, in seconds. |
| ROLE-STORE | scanning | host_scanning_frequency | Default interval between host scanning runs, in seconds. |
| ROLE-STORE | scanning | role_member_count_update_frequency | Frequency for resolving granted membership counts for roles, in seconds. |
| ROLE-STORE | scim | max_results | Maximum page size (max results) for SCIM GET requests. |
| ROLE-STORE | principal_keys | add_on_role_creation | When True, principal keys are created at the time of role creation. Defaults to False. |
| ROLE-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| SSH-MITM | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| SSH-MITM | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| SSH-MITM | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| SSH-MITM | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| SSH-MITM | ssh_mitm | ssh_public_addresses | SSH Bastion public addresses. |
| SSH-MITM | ssh_mitm | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| SSH-MITM | ssh_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| SSH-MITM | ssh_mitm | allow_role_ip_restrictions | Enable to enforce role context IP limitation checks. |
| SSH-MITM | ssh_mitm | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| SSH-MITM | ssh_mitm | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| SSH-MITM | ssh_mitm | hostkey_algorithms | Supported host key algorithms. |
| SSH-MITM | ssh_mitm | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| SSH-MITM | ssh_mitm | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
| SSH-MITM | ssh_mitm | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| SSH-MITM | ssh_mitm | exec_connection_idle_timeout_sec | SSH exec connection idle timeout, in seconds. |
| SSH-MITM | ssh_mitm | connection_message_timeout_sec | Timeout interval (seconds) for a connection message reply. Default: 5 seconds. |
| SSH-MITM | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| SSH-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| SSH-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| SSH-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| SSH-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| SSH-PROXY | ssh_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| SSH-PROXY | ssh_proxy | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| SSH-PROXY | ssh_proxy | forwarder_enabled | Enable to allow forwarding of SSH connections from the PrivX agent. |
| SSH-PROXY | ssh_proxy | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| SSH-PROXY | ssh_proxy | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| SSH-PROXY | ssh_proxy | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| SSH-PROXY | ssh_proxy | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
| SSH-PROXY | ssh_proxy | ssh_keepalive_interval_sec | Target SSH connection keepalive interval, in seconds. |
| SSH-PROXY | ssh_proxy | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| SSH-PROXY | ssh_proxy | connection_message_timeout_sec | Timeout interval (seconds) for a connection message reply. Default: 5 seconds. |
| SSH-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| TRAIL-INDEX | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| TRAIL-INDEX | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| TRAIL-INDEX | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| TRAIL-INDEX | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| TRAIL-INDEX | housekeeping | housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. Set to 0 to disable housekeeping. |
| TRAIL-INDEX | workers | no_of_workers | Maximum audit trail indexing concurrency. |
| TRAIL-INDEX | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| USER-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| USER-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| USER-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| USER-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| USER-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| VAULT | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| VAULT | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| VAULT | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| VAULT | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| VAULT | secrets | schemas | Specify secret schemas in JSON format as an array of schema objects, as shown in the example. |
| VAULT | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| WORKFLOW-ENGINE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
| WORKFLOW-ENGINE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse connections forever. |
| WORKFLOW-ENGINE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
| WORKFLOW-ENGINE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. |
| WORKFLOW-ENGINE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but only logged to syslog. |
| SECRETS-MANAGER | winrm | winrm_host_certificate_trust_anchors | Specify WinRM host certificate trust anchor PEM certificates. |