6.1 Policy Engine

This section contains the settings for the Access Control and Command Control policy engines. You can use either engine or both engines. You also have the option to disable both engines.

Navigate to Server Settings > Policy Engine from the Privileged Account Manager console.

To disable the Access Control Engine, move the slider to the left.

To disable the Command Control Engine, move the slider to the left.

NOTE: The Command Control policy engine is enabled by default. If you disable both the Access Control and Command Control engines, no privileged access request is processed by either policy engine. Only emergency access requests will be evaluated.

Impact on Accessing Windows Resources on Which PAM Agent is Installed

  • Prior to Privileged Account Manager 4.1, any Windows resource with the PAM agent installed on it could be accessed by Direct RDP without any authorizing Command Control rule.

  • From Privileged Account Manager 4.1 onwards, an authorizing Command Control rule or an Access Control permission is mandatory to access any resource.

    Therefore, if you have not configured any authorizing Command Control rule or Access Control permission, or if you have disabled both policy engines, you cannot access any Windows resource. If you have configured the authorizing Command Control rule or Access Control permission but the Command Control manager connection is disrupted, the Windows resource can be accessed only by using the TROUBLESHOOT user. For more information, see Section 11.2.7, Direct RDP is Disallowed When Privileged Account Manager Agents are Unable to Reach the Manager.