This chapter describes how PxM users are created and managed within the Web Management Interface, covering the following:
3.2.1. Manage users
PxM user accounts are used to login to the PxM Client from which they can gain access to:
- The Web Management Interface.
- Device management tools.
- Run device tasks.
Privileges to devices are granted through profiles.
We recommend using personal user accounts, not shared accounts, as these will allow you to easily monitor an individual’s activity and review their privileged access.
Users can be created and authenticated in a number of ways so consider the following options before starting.
Local: A local user is one whose username and password are created by PxM and stored on the PxM Virtual Appliance itself. When the local user logs onto the PxM client, the user will be checked against the list that exists on the internal virtual appliance database and its password verified.
To enhance security and implement a strong authentication policy for local user authentication, configure a password policy via the System settings page.
External authentication: Using external authentication allows you to use an existing users (username/password). Once setup, the PxM will consult with the external Account source to verify the user logon before logging the user onto the PxM Client.
The following settings are required to implement an external authentication method:
RADIUS Before this authentication method can be used, the network settings to allow PxM to communicate with the RADIUS server need to be configured. The PxM Platform RADIUS configuration can be configured on the Network settings page.
When creating the user in PxM, the username that exists on the RADIUS server must match the one being created.
Active Directory Before Active Directory can be used as your preferred user authentication method, you must ensure the following:
- LDAPS must be enabled on the Active Directory. LDAPS will ensure that usernames/passwords and other information communicated between the PxM Virtual Appliance and the Active Directory will be kept confidential and secure.
- An Active Directory must also be provisioned in PxM before users can be authenticated against it. See Adding an Active Directory.
- Synchronise Active Directory users using User group synchronisation. See What are user groups?.
Multi-factor authentication: can be enabled, meaning that the PxM user will have to provide a password as well as a token code when logging onto the PxM Client. The options for multi-factor authentication include:
- Local then RADIUS: the PxM user will first have to enter a local user password followed by the RADIUS token.
- Active Directory then RADIUS: the PxM user will first have to enter their Active Directory password followed by the RADIUS token.
3.2.2. Manage users page
The Manage users page allows you to manage user accounts. To view the Manage users page click Users in the left-hand menu. The Manage users page lists all the users and provides a high level overview of the accounts.
If you have SailPoint IdentityIQ, then it can be integrated with PxM and used to create PxM users. See SailPoint IdentityIQ integration configuration.
The following table describes the user states.
The state of the user account in PxM will not be filtered to the external authentication if you are using one.
Enabled user account. All new user accounts will default to the PxM user role when created. This allows the user to logon to the PxM Client and gives them access to the Web Management Interface.
When a user is given PxM SuperAdmin role access through a profile, the user icon will change from blue to gold. SuperAdmins have full access to the Web Management Interface.
Disabled user account. A user is disabled when the user account expires.
When an account is disabled, the user is unable to log onto the client to manage devices and run tasks.
The local account is locked if it exceeds the parameters set out in the password policy.
The user will be unlocked if:
3.2.3. Creating users
Users can be:
- Created as local users.
- Bulk imported.
- Cloned from existing users.
- Synchronised through Active Directory user groups and automatically created in PxM.
- Created with an external RADIUS account source.
3.2.4. Creating a user
A user must exist in PxM before it can be given access to devices.
Either click on the icon next to Users in the left-hand menu or click on the New user button on the Manage users page. Either way, a New user window will open.
Fill in the following details to create a new user:
Field name Description Name: Internal display name of the user which will be seen when adding users to profiles, looking at reports, auditing activity and viewing the system queue. Username:
Will be used to authenticate the user when logging onto the PxM Client, single sign-on to devices and run tasks.
If using external authentication, ensure the username is identical to the existing account.
If using Active Directory external authentication, then it would be quicker to synchronise Active Directory users from users groups, then to create them. See How to create a new user group.
Only required if creating a local user. Enter a password.
To apply a password policy.
Password again: Confirm the password entered above. Enabled
Default is enabled. Allows the user to log onto the client.
Uncheck the tickbox to disable the new user account. Disabling a user account means that the user will be unable to log onto the client to manage PxM, devices and run tasks. The user can still be added to profiles.
Represents the date/time the user account will be disabled in PxM. Default expiry will be set to Never.
If using external authentication, this does not mean the account will be disabled on the account source. It will only disable the user’s ability to log into PxM.
A valid email address is required to send notifications through email subscriptions. See Email subscriptions. Auth type
Default will be set to Local.
Other authentication types available are:
RADIUS only: username must match the username that already exists on the RADIUS server. Don’t need to enter a password as the existing RADIUS user’s password will be used in the PxM Client login window to authenicate them into PxM.
Active Directory: rather than creating indiviudal Active Directory users, you can add an Active Directory user group and synchronise the users. Synchronising Active Directory user groups allows PxM to automatically create the Active Directory users. See What are user groups?.
Alternatively, to create a single user, ensure the username matches the Active Directory username. You don’t need to enter a password as the existing Active Directory user password will be used in the PxM Client login window to authenicate them into PxM.
Local the RADIUS: multi-factor authentication required. Locally authenticated PxM users will need to enter their PxM user password as well as a RADIUS token when logging in to the PxM Client.
Active Directory then RADIUS: multi-factor authentication required. Active Directory users will need to enter their Active Directory passwords as well as an Active Directory token when logging in to the PxM Client.
Meta-cols Meta-columns allow you to attach many kinds of information against each user. If meta-columns exist then select the required meta-column entry. To create meta-columns, see Configure meta-info.
Name/Username can’t have the same name as an existing PxM user.
UTF-8 characters are supported in the name/username.
- The Create PxM Platform user task will be queued for creation.
- Check the System queue page for progress.
- Refresh the Manage users page to update the user status icon.
3.2.5. Bulk import users
Multiple users can be bulk imported using the bulk import template.
If you intend to use meta-columns then they should be added prior to downloading the bulk import CSV template. See Configure meta-info.
To download and upload the bulk import template:
Click Users in the left-hand menu.
On the Manage users page, click on the Bulk import button.
Within the Import from CSV window, click Download csv template.
Open the template and populate it with the required user information.
Save the file.
Go back to the Import from CSV window, within the Web Management Interface.
Click Choose file to locate and select the completed updated bulk import template file.
The users within the imported CSV file will be listed in the Bulk import users window. Review the imported data and fix any issues.
- Errors will be highlighted with a icon. If these errors are not fixed then that user will not be imported.
- You can update any user settings by clicking on the icon at the end of each row.
- If there are no errors highlighted (i.e. no users highlighted in blue with the icon) then all users will be imported in the list.
- To import only a selection of users from the list, hold the SHIFT key and select all the users you want to import from your bulk import list.
- To edit the password for a user, highlight the user and click the Apply pass button.
- To disable a user from PxM, deselect the Enabled button.
If you have only selected a number of users within the Bulk Import users window then click Yes to proceed.
Within the Action queue window, users will be imported and queued for creation. Click Done to close the window.
The Manage users page will automatically be updated and list the imported users.
3.2.6. Cloning a user
Cloning an existing user allows you to:
- Create a new user who inherits the same user account settings.
- Add the new user to all the same profiles.
- Provide access to the same tasks and devices with the same access levels.
To clone an existing user:
Right-click on an existing user.
Within the Cloning window, you will be prompted to enter the details for the new user to be created.
Update the details for the new user. See Creating users.
Within the Question window, click Yes:
- The Clone user task will be queued for creation.
- The ProfilesUserUpdate task will be run to add the new user to the same profiles as the cloned user.
- The new user appears on the Manage users page.
If necessary, click the Refresh button to manually update the Manage users page.
3.2.7. Editing a User
See the General usage section for inline editing.
3.2.8. Unprovision a user
Unprovisioning a user deletes the user’s account from PxM and deletes any personalised user accounts created on any devices they have permission to access.
Once deleted, the user cannot be reinstated. The user would have to be recreated as a new user and reconfigured.
If this is an Active Directory user account which still belongs to an Active Directory user group, then the unprovisioned account will be recreated in PxM when an audit is triggered.
To unprovision a user:
On the Manage users page, right-click on a user and then click Unprovision.
Within the Question window, click Yes if you are sure you want to delete the user.
During the unprovisioning:
- The user will no longer be able to logon to the client and single sign-on to devices.
- If the user is logged onto the client, they will be logged out and any open device sessions disconnected. Any further attempts to login will fail.
- The user account will be removed from all profiles.
- The user’s personalised accounts on any devices will be deleted.
- The user account will be deleted from PxM.
- The user will be removed from all user groups.
To unprovision multiple users, highlight a number of users, then right-click and click Unprovision. Click Yes.
3.2.9. User detail page
The User detail page provides you with a summary of the user and allows you to administer the user account and access.
To view the User detail page, click on a name within the Name column which is a link to the User detail page. Alternatively, highlight a user and right-click for the context menu. Within the context menu select Show and you will be navigated to the User detail page.
Lists all the profiles the user belongs to and allows you to manage the profiles. Profiles determine what devices and access levels the user has been given.
To add the user to an existing profile:
To the right of PROFILES, click the Manage button.
Within the Manager: profiles window, select the checkboxes to the left of the profiles you want the user to be included in.
Click Save changes.
- Depending on how the device is managed, PxM may create a personalised user account on the device. See Manage devices
- The device access will be dynamically updated on the user’s PxM Client.
- The device access section on the User detail page will be updated to reflect the profile added.
USER GROUPS section
Lists all the user groups the user belongs to. User groups can be added to profiles so groups of users can be easily given access to the same devices and tasks.
To add a user to a user group:
To the right of USER GROUPS, click the Manage button.
Within the Manager: user groups window, select the checkboxes to the left of the user groups you want the user to be included in.
Click Save changes. The user is added to the group. If the user group is in a profile, then the user will be given access to the devices and tasks in that profile.
DEVICE ACCESS section
Lists all the devices the user has been granted permission to access.
The following table describes the Device Access table:
|Click the arrow to reveal more information.|
|Device||Name of the device the user has been given access to.|
|Via||Indicates if the user has been added directly to the profile or via a user group.|
|Access roles||Indicates the role(s) granted to the user on the device. A personalised user account will have been created on the device for the user with the specified device access token. This account will be used by PxM to single sign-on the user.|
|Accounts||If an account is listed, PxM uses a known account to single sign-on the user to the device. The user will not have a personalised account on the device.|
|Patterns||If a pattern is listed then the user account will be mapped to an existing account on the device using the pattern stated. This mapping will be used when the users single sign-on on to the device.|
|Recorded||If checked, the user’s session on that device will be recorded.|
|Last connection||Date and time the device was last accessed by the user.|
User role based access to the Web Management Interface is default for all users created and can’t be removed or be seen within a profile.