Configuring Pairing Requests

ITM On-Prem (ObserveIT) keeps track of authorized user login IDs and their client machines by "pairing" the domain name/login name of the user with the client computer from which the user logged in.

If a user logs in to a server from a client that is not paired to the user, the user is notified by email that a suspicious login occurred using the user's credentials.

If the login reported in the email was initiated by the user, the user can ignore the email, or submit a "pairing request" to the administrator, which in effect says "I do not want to receive emails when I connect from this client. Please approve this user-client pairing."

If the administrator approves the pairing request, the user receives a confirmation email that the request was approved, and will no longer receive emails about activity for this specific user-client pairing. If the administrator rejects the pairing request, the user receives a confirmation email that the request was rejected, and will continue to receive email notifications about this user-client activity. In addition, a new "pairing request" event is added to the Events table with a "Not Approved" status (see System Events).

Creating Pairing Requests

Users can create as many pairing requests as required.

An administrator can manually define and approve user-client pairs without waiting for pairing requests. For example, if the IT administrator knows that the desktop of the user OBSERVEIT\danny is "OITDANNY", the administrator can approve this user-client pair before Danny receives any email notifications.

To create a new pairing request

  1. Navigate to Configuration > Security & Privacy > Identity Theft Detection.

  2. Click the Pairing Requests tab.

  3. In the Add User-Client Pair section, click Add.

  4. (Mandatory) Specify the following information about the new pairing request:
    • Domain Name: The domain name of the user.

    • Login Name: The login name of the user.

    • Client Name: The client computer to which the user is allowed to log in.

    • Expiration Date: The date after which the approved pairing request will no longer be valid. Options are: 3 months, 1 year, 3 years, or Never.

  5. Click Save.

    The new user-client pairing request is added to the Approved User-Client Pairs list.

    You can filter the Approved User-Client Pairs list in order to retrieve requests from specific domains, logins, and/or clients. To search for specific approved pairs, specify your search criteria in the fields provided above the list, and click Search.

Approving and Rejecting Pending Requests

If a user logs in to a server from a client that is not paired to the user (that is, it does not appear in the Approved User-Client Pairs list), a pairing request is created. The pairing request will appear in the Pending Requests list. The ITM On-Prem (ObserveIT) administrator can approve or reject the pending request.

If there is no indication of suspicious login activity, the administrator will approve the request (and it will appear in the Approved User-Client Pairs list). If the login event is suspicious (that is, identity theft is suspected), the administrator receives an email reporting the suspicious login event, and will reject the pairing request.

To approve a pending request

  • In the Pending Requests list, select the pairing request, and click Approve.

    After receiving a confirmation email that the request was approved, the user will no longer receive emails about activity for this specific user-client pairing.

To reject a pending request

  • In the Pending Requests list, select the pairing request, and click Reject.

    After receiving a confirmation email that the request was rejected, the user will continue to receive email notifications about this user-client activity.

    You can filter the Pending Requests list in order to retrieve requests from specific domains, logins, and/or clients. To search for specific pending requests, specify your search criteria in the fields provided above the list, and click Search.
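
The pairing behavior described on this page can be modeled in a few lines. The following is an added illustrative example, not ObserveIT code: the class and function names, the day counts behind each expiration option, the case-insensitive matching, and the re-queueing of a request on every unpaired login are assumptions of the model.

```python
from datetime import datetime, timedelta

# Expiration options from the page; the day counts are assumptions of this model.
EXPIRATION_DAYS = {"3 months": 90, "1 year": 365, "3 years": 1095, "Never": None}


class PairingModel:
    """Illustrative model of user-client pairing, not ObserveIT's implementation."""

    def __init__(self):
        self.approved = {}    # (domain, login, client) -> expiry datetime, None = Never
        self.pending = set()  # pairs awaiting an administrator decision

    @staticmethod
    def key(domain, login, client):
        # Assumption: names are matched case-insensitively, as Windows treats them.
        return (domain.upper(), login.lower(), client.upper())

    def approve(self, domain, login, client, expiration, now):
        k = self.key(domain, login, client)
        days = EXPIRATION_DAYS[expiration]
        self.approved[k] = None if days is None else now + timedelta(days=days)
        self.pending.discard(k)

    def reject(self, domain, login, client):
        # A rejected pair stays unapproved, so later logins keep notifying.
        self.pending.discard(self.key(domain, login, client))

    def on_login(self, domain, login, client, now):
        """Return "paired" (no email) or "notify" (email plus pending request)."""
        k = self.key(domain, login, client)
        if k in self.approved:
            expiry = self.approved[k]
            if expiry is None or now <= expiry:
                return "paired"
            del self.approved[k]  # expired: treated like an unpaired client
        self.pending.add(k)       # assumption: every unpaired login re-queues the request
        return "notify"


if __name__ == "__main__":
    m = PairingModel()
    t0 = datetime(2024, 1, 1)  # constructed sample timeline
    print(m.on_login("OBSERVEIT", "danny", "OITDANNY", t0))
    m.approve("OBSERVEIT", "danny", "OITDANNY", "3 months", t0)
    print(m.on_login("OBSERVEIT", "danny", "OITDANNY", t0 + timedelta(days=30)))
    print(m.on_login("OBSERVEIT", "danny", "OITDANNY", t0 + timedelta(days=91)))
```

The model makes one operational point visible: a pairing with an expiration date silently reverts to the unpaired state once it lapses, so a burst of notifications for a long-approved client may simply mean the pair expired.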