How Notification and Blocking Messages Appear to the End User

This topic describes how Warning Notifications and Blocking Messages that were configured by security administrators in the ITM On-Prem (ObserveIT) Web Console are viewed by the end user. These messages appear on the screen after a risky activity has occurred and an alert was generated.

Note the following:

  • Messages might be displayed more than once if the user action is repeated (depending on the alert frequency settings).

  • By default, every time a message is displayed, a predefined sound will be played. If required, this feature can be disabled (see Defining Settings for Rules).

  • Optionally, a company logo or an image can be configured to be displayed with each Warning Notification (on Windows) or Blocking Message. For details, see Defining Settings for Rules.

  • Multiple Blocking Messages are displayed one after the other chronologically (according to the time of arrival on the Agent).

  • In the case of multiple Warning Notifications, only the most recent notification is displayed.

  • Web Console alerts appear for all matches (both Warning Notifications and Blocking Messages).

How Warning Notifications are Experienced by the Windows or Mac End User

Warning notifications appear at the bottom right corner of the user's screen. If there is no user interaction, the notifications automatically disappear from the screen after a few seconds (as defined in the Settings tab), so there is no impact on productivity. On Windows and Mac systems, depending on the configuration, the warning notification might include an option to add a comment explaining your actions and/or open a link to view a security-related policy. If configured, a company logo or image can also be displayed with each message.

The following screenshot provides an example of a warning notification:

If the notification has more than 3 lines of text, a Read more... hyperlink is displayed which you can click to read the full text of the message.

In the above example, you can click a link to view the company policy (ITM On-Prem (ObserveIT) security policy) and/or enter a comment.

When clicking Add my comment (or the Read more... hyperlink if relevant) an enlarged window opens, enabling you to enter a comment explaining your actions.

To close the window, click the Submit button.

If the warning notification is configured to neither display a link to the organization's policy nor request user feedback, the message will be displayed without the company link or Add my comment options, as shown in the following example:

How Warning Notifications are Experienced by the Unix/Linux End User

On Unix/Linux systems, the real-time warning notification text is written directly to the terminal output. You cannot acknowledge it, respond to it with feedback, or follow a link to a security policy. You can see the security/policy violation message and continue with your work.

The following screenshot provides an example of how a warning notification appears to a Unix end user:

To clear the text message, simply press Ctrl+L (^L).

How Blocking Messages are Experienced by the End User

Blocking Messages can be configured on Windows and Mac operating systems.

Unlike Warning Notifications, Blocking Messages, which open after a user has performed a risky activity, block the screen with a message, forcing you to stop what you are currently doing and respond to the message before you can continue your work. Depending on the configuration, you might be required to acknowledge the message and/or provide feedback explaining your actions. Optionally, you can open a link to view a security-related policy (if configured).

Note that you might receive repeated blocking messages for the same risky activity if you repeat it (depending on the configured alert frequency).

Following is an example of a Blocking Message:

In the above example, you can click the ITM On-Prem (ObserveIT) hyperlink to change the link's text to a message; the company policy will open after you click the Submit/Close button. In addition, you must select I acknowledge and enter comments in the text field, before clicking the Submit button to close the message.

The Submit button will appear disabled until you select I acknowledge (if configured) and enter your comments (if configured as mandatory).

If a link to the organization's policy is configured, but neither user acknowledgement nor user feedback is requested, the message will look like this:

In the above example, you can click the link to view the company policy. To close the message, you must click the Close button.

If no link to the organization's policy, no user acknowledgement, and no request for user feedback are configured, the message will look like this:

In this case, all you can do is close the message by clicking the Close button.