This chapter describes how PxM profiles are created and managed within the Web Management Interface. The following topics are included in this chapter:
7.9.1. Manage profiles
Within PxM, profiles provide role-based management controls and link together a group of devices, tools, tasks, users and user groups.
A profile is like a job description. It specifies which access tools can be used to administer a device and which tasks can be run on the device. Any user that is linked to a given profile will be able to perform the tasks and access the devices.
If a profile is disabled, the permissions in that particular profile will be ignored when PxM calculates a userâs access permission for a given device.
Unless a PxM user belongs to at least one profile with tool/task and device, when they log onto the PxM Client they wonât have access to any devices, tools or tasks. By default all users will have access to the Web Management Interface with limited functionality.
To view the Manage profiles page, click Profiles in the left-hand menu. The Manage profiles page lists all the profiles that have been created to manage device access.
The PxM profile states include:
|Deleting a profile removes the userâs access to the devices and deletes any PxM user accounts that have been created on the device.|
|The profile is disabled. Users can logon to the client but will be unable to access any devices, unless they are granted permission through another profile.|
|The profile is enabled. Users can access the devices through the client, single sign-on to devices and execute tasks.|
|If a user is added to this profile, they will be given SuperAdmin access rights to PxM.|
Profile context menu options
A number of context menu options are available when you highlight a profile and then right-click. Some of the more common options are described in the General usage section.
|Delete||Deleting a profile removes the userâs access to the devices and deletes any personalised PxM user accounts that have been created on the device.|
7.9.2. Default profiles
A number of profiles are created by default when PxM is installed. The profiles contain common tasks that might be used to manage devices on a scheduled basis.
|Device Audit||Contains a daily scheduled Device Audit task. When a device is added to this profile, the task will run against the device to update information, i.e. Device Parameters, Inventory, Manage accounts.|
Contains a weekly scheduled Backup task. When a device is added to this profile, the devices backup task is run. The devices backup file will be available on the Manage files page for download.
See Manage files.
|Device Password Regeneration||Contains a weekly scheduled Regenerate Account Passwords for devices attached to profile task which will update the Fully managed and Managed accounts for all devices.|
|Osirium Super Admins||
Contains the Osirium Server with SuperAdmin access level. When users are added to this profile, they become PxM SuperAdmins and are given full access to the Web Management Interface, Browser (HTTP) Tool, and the ability to run a number of tasks against the PxM Virtual Appliance.
7.9.3. Creating a new profile
When you click on the New profile button on the Manage profiles page, a New profile window opens.
Fill in the following details:
The options available within the New profile window will depend on the type of PxM Platform licence you have purchased.
|Name:||Is the display name that will be given to the profile.|
|Enabled||Default is enabled. Allows users to access the device tools and tasks.|
Default is set to Always which means that the users are not restricted to when they can access the devices.
You can select the times you want the users to have access to the device. At all other times the devices will be greyed out in the PxM Client.
If the tickbox is checked, it indicates that the userâs session will be recorded by PxM.
|Change ticket required||If the tickbox is checked, it indicates that the user might be asked to enter a change ticket before accessing a tool/task.|
Allows you to attach many kinds of information against each profile.
See Configure meta-info.
126.96.36.199. Configuring Enable window
Time windows are used to select time slots to limit when users can access devices. Access can be restricted to multiple windows in 30-minute increments throughout the working day.
Users who have been granted access are presented with a countdown of the time left to complete their job and, optionally, how long to wait until the next window opens.
This feature can be useful for:
- 3rd party access: when you want to control when the device is accessed and for what period of time. It ensures that the device canât be accessed during any other time than the time slots alloted for any work to be carried out.
- Out-of-hours access: allowing you to ensure that devices are not accessed during operational periods to avoid issues or unnecessary delays.
- Critical usage times/busy peak periods can also be disabled so devices cannot be accessed or managed during these periods.
By default, the Enable window is set to Always. This means that the users in the profile are not restricted to when they can access the devices.
To set time slots:
Within the Manage profiles page, click a profile.
Within the Profile detail page, click the icon. This will allow you to edit the profile information.
Click the icon below the Enable window column. The Edit value window will open.
Within the Edit value window you can:
Action Description Enable all By default all times are Enabled. If some have been disabled and you want to quickly re-enable them, click this button. Disable all This button will remove the enabled times. Disabling all the times for each day will mean that the devices will not be accessible at any time. Time zone: Select the time zone relevant to your location.
To restrict user access to devices within a set time period, click Disable all. Then highlight the timelines for when the devices can be accessed. This is useful for when you have 3rd parties accessing systems and you want to restrict their access or create maintenance windows.
Once you have selected the timeslots, click Apply changes. The Edit value window will close.
Within the Enable window column, the status will now show Partial. This means that the users will only be able to access the devices at the times stated.
Click the icon to save the changes to the profile.
7.9.4. Configuring a Profile
The Profile detail page allows you to configure a profile with Devices, Tools, Tasks, Users and User groups.
To go to the Profile detail page from the Manage profiles page, click a profile Name.
To the right of Devices, click manage. The Manager: devices window appears.
Within the Manager: devices window, tick the checkboxes in the Included column next to each device you want to add.
Alternatively, hold down the SHIFT key and select multiple devices, then right-click and select Include.
For each device, click the icon to the right of the Access level column to grant access levels.
Depending on your template configurations, the following access levels may be granted from the drop-down:
Role: These are the available device access levels PxM can use when creating personalised accounts on the device. If a role is selected, it will apply for every user in the profile.
Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected, it will be available to every user in the profile. No personalised accounts are created.
Mapping: These are predefined account mappings that allow PxM user accounts to be linked to existing accounts on a device. See Creating an account mapping.
Click the icon to save the access level selected.
Click Save changes to add the devices. The ProfileDeviceUpdate task is run and you return to the Profile detail page.
To the right of Tools, click manage. The Manager: tools window appears.
Tools are the applications that are used to access the device, i.e. HTTPS, SSH, RDP, etc. The list of tools can also include any MAP Server hosted tools.
Within the Manager: tools window, tick the checkboxes in the Include column next to each tool you want to add to the profile.
Tools will be automatically filtered based on the available tools for the devices selected.
The tool icons indicate the following:
Icon Description Indicates that the tool is Unsupported by the devices added to the profile. Indicates that the tool is Partially supported, meaning it is not supported by all the devices added to the profile. Indicates that the tool is Fully supported, meaning it is supported by all the devices added to the profile.
The tools list provides the necessary access connection protocol methods supported by PxM. Access connection protocols supported by devices are defined in a template.
In addition, there is an internal PxM tool available on all devices called Reveal credentials tool.
For some tools, additional options are available. To check additional options:
- On the right-hand of the table, click the icon. In the Options column, the Click to select options drop-down appears.
- Click the drop-down.
- If necessary, select one or more options.
- Click Save changes.
For example, the Remote Desktop tool has the following options available:
Option Description Allow RDP Drive mapping
Adding this option enables the Remote Desktop Protocol: File System Virtual Channel Extension.
This allows the clientâs drives to be exposed within the userâs RDP session, allowing users to copy files between the client and the RDP session.
Allow RDP clipboard
Adding this option turns on the Remote Desktop Protocol: Clipboard Virtual Channel Extension.
This allows users the ability to seamlessly transfer data using the copy to clipboard functionality between the client and the RDP session.
Allow RDP sound
Adding this option enables the Remote Desktop Protocol: Audio Output Virtual Channel Extension.
This allows PxM users to hear sounds made within the RDP session on the clientâs machine.
When adding MAP server-hosted tools to a profile, one or more MAP server groups must be selected. MAP server groups are listed on the Click to select options drop-down.
If one MAP server group is selected, connections to all enabled MAP servers within that group are load-balanced using a round-robin algorithm.
If more than one MAP server group is selected, connections are load-balanced across each enabled group using a round-robin algorithm and then load-balanced within each group to also round-robin across enabled servers in the group.
MAP tool connections are presented using Microsoft RDP RemoteApp. These are RDP connections and, therfore, can have their RDP options controlled. If you wish to allow RDP drive mapping, RDP clipboard or RDP sound support to the MAP tools, select the required options in the drop-down.
Selecting a MAP server group with no active servers results in an error when a MAP tool is launched.
If you single sign-on using a Remote Desktop tool, you can view the available options in the Remote Desktop Connection window by clicking Details. PxM sets these options based on the profile options selected.
If you single sign-on to Windows Server 2008, the drive mappings will be located in the following location: Networks folder under tsclient
Tick the checkbox to include the option(s) and then click the icon.
Click Save changes. The tools and options are added to the profile and you return to the Profile detail page.
To the right of Tasks, click manage. The Manager: tasks window appears.
The Manager: tasks window lists all the tasks available through PxM. The list provided is created from:
User tasks: all the tasks that are defined in the uploaded templates. Only tasks defined in a template can be run on the device compatible with the template.
When a template task is added to a profile along with a device, the userâs PxM Client will be updated with the user tasks.
System tasks: are internally performed by PxM and will not be visible on the client.
Tick the checkboxes in the Include column for each task you want to add. Tasks will be automatically filtered based on the available tasks for the devices selected.
Each task can be scheduled to run on a daily, weekly or monthly basis. Schedules must be created before they can be used. See Schedules.
Click on the icon to bring up the Schedules drop-down.
Select one or more schedules from the drop-down to set on the task.
Click the icon. The schedules are set.
Click Save changes. You return to the Profile details page.
To the right of Users, click manage. The Manager: users window appears.
Within the Manager: users window, tick the checkboxes in the Include column next to each user you want to include.
Alternatively, hold down the SHIFT key and select multiple users, then right-click and select Include.
Click Save changes to add the users. The ProfileUserUpdate task is run and you return to the Profile detail page.
Manage user groups
To the right of User groups, click manage. The Manager: user groups window appears.
User groups are an easy and quick way of adding multiple users to the same profiles. See Creating a user group.
Within the Manager: user groups window, tick the checkboxes in the Include column next to each user group you want to include.
Alternatively, hold down the SHIFT key and select multiple user groups, then right-click and select Include.
Click Save changes to add the user groups. The ProfileUserUpdate task is run and you return to the Profile detail page.
If you are using a pattern access level type, the user account audited on the device by PxM must be Known by PxM before it can be used. See Manage accounts to check the accountâs state within PxM and change if necessary.
Clicking on the Full scan button will do the following:
- Checks PxM to confirm the users/devices in the profile, to work out which accounts should exit on the device/auth service.
- If an account is not found, PxM checks if the missing account existed on the device/auth service when it was last audited.
- If the accounts didnât exist during the last audit, it will create the accounts.
- All database links related to the profile will also be checked during the scan.
The Full scan button should only be used in emergencies.
7.9.5. Reveal credentials tool
The Reveal Credentials tool allows PxM users to reveal the device account credentials (passwords and SSH keys) for an individual account.
Credentials can be revealed for Fully managed, Known and Managed accounts only.
Reveal Credentials is NOT available for the Osirium Server.
- There are two ways to reveal the credentials of an account:
- Through the Manage accounts page. See Reveal Credentials.
- Through the PxM Client.
To reveal credentials through the PxM Client:
Create a new profile, see Creating a new profile or open up an existing profile.
Within the Profile detail page, add a device, add the Reveal Credentials tool and then add users. For more information, see Configuring a Profile.
Open up the PxM Client and login a user that has been added to the profile.
Once you have successfully logged into your PxM Client, locate the device. You will see the Reveal credential tool listed.
Double-click Reveal Credentials.
Within the Reveal credentials window, click Yes to decrypt the account credentials.
Within the Reveal credentials window, the password can now be revealed for the account by moving the mouse over the password field or by CTRL+C to copy the password.
Once you have retrieved the account credentials, click Close.
7.9.6. Bulk importing
Bulk imports allow you to import multiple profiles and profile memberships using CSV templates.
The Import profiles CSV template is used to create a new profile.
The Import profiles membership CSV template is used to update existing and configure profiles memberships.
188.8.131.52. Import profiles
Within the Manage profiles page, click Bulk Import > Import profiles.
Within the Import from CSV window, click Download CSV template.
Open up the file in your preferred CSV editor. An example entry has been give for reference. Enter the required information.
Heading Description Name Enter the name you want the profile to be called. This profile name will be the display name. Enabled
Enter TRUE if you want the profile to be enabled when created. When enabled, the users will be given permission to use the devices set out in the profile.
If left blank, the profile will be disabled when created.
Session Recording Enter TRUE to record the userâs session. Change ticket required Enter TRUE to indicate that access granted by the profile requires a change ticket to be entered by the user. Notes Additional information about the profile. Meta-columns
Enter the meta-column value.
See Configure meta-info.
Columns in your downloaded CSV template file may vary depending on the features licensed.
Enable window settings will be defaulted to Always. Meta column settings will be defaulted to the first entry in the list of options available.
Save the CSV file with the changes.
Within the Web Management Interface Import from CSV window, click Choose file. Choose the saved profiles CSV file.
Click Import. The CSV entries will be listed in the Review import data window. Review the entries and update if necessary, using the icon.
Click Import. The actions are queued.
Within the Action Queue window, click Done. The new entries are created and can be seen on the Manage profiles page.
At this stage the profiles are empty and need to be configured before they can be used to grant user access to devices.
184.108.40.206. Import profiles membership
Once a profile has been created you can bulk import memberships.
Memberships are grouped and placed on individual lines as follows, so bear this in mind when you are making updates:
- Devices and access levels.
- Tools and tool options.
- Tasks and task schedules.
- User groups.
Within the Manage profiles page, click the Export button and select Export profiles membership from the menu. A CSV file will be exported, containing a list of existing profiles and their memberships.
Open up the file in your preferred CSV editor.
Update, remove, add memberships within the CSV file, as required.
If you do not want to make any amendments to a profile membership, then leave as is. Otherwise, if the configuration is removed, it will be deleted during the import process.
Heading Description Profile Name of an existing profile. Device
Internal name given to the device.
Device names must match the names on the Manage Devices page.
If adding a device, an access level must be entered.
Enter the access level that will be granted to the user when accessing the device.
The available access levels are dependent on the device. Access levels can be:
Role: These are the available device access levels PxM can use when creating personalised accounts on the device. The role entered will apply for every PxM user in the profile.
Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected it will be available to every user in the profile. No personalised accounts are created.
Pattern: These are predefined patterns that allow PxM user accounts to be linked to existing accounts on a device. See Creating an account mapping.
If adding an access level, it must be associated with a device and available in the device template.
Enter the device access connection protocol name that will be used to access the device, i.e. HTTPS, SSH, RDP.
Multiple tools can be entered using a semi-colon separated list.
Available device tools for a device can be found on the named device template detail page. See Show template.
Some tools may have additional options associated with them.
- Remote Desktop may have Allow RDP drive mapping, Allow RDP clipboard and Allow RDP sound.
- Tools associated with a MAP Server will have MAP server groups listed.
If adding a tool option, it must be associated with a tool.
The task list available is created with user and system tasks.
- User tasks: are all the tasks that are defined in templates. Only tasks relevant to the devices in the profile will be usable.
- System tasks: are internally performed by PxM and will not be visible on the PxM Client.
Available tool options for a device can be found on the named device template detail page. See Show template.
To run the tasks on a schedule, enter the schedule time.
Schedules must be created before they can be used. See Schedules.
Internal name given to the user. If you want to add multiple users then it is probably easier to create a user group first and then add the user group name, rather than individual names.
User names must match the names on the Manage users page.
Enter the name of the user group.
See Manage user groups.
Save the CSV file with the changes.
Within the Manage profiles page, click Bulk Import > Import profiles membership.
Within the Import from CSV window, click Choose file.
Locate and select the saved profiles membership CSV file.
Click Import. The CSV entries will be listed in the Review import data window. Review the entries and make amendments as necessary.
Click Import. The Question window opens.
Take note of the warning.Clicking Yes means the profile membership configurations will be updated as per the CSV file. Memberships no longer listed will be removed and others will be updated/added.
Within the Action queue window, click Done. The profile memberships are updated.
7.9.7. Editing a Profile
See General usage section for inline editing.
7.9.8. Deleting a Profile
Deleting a profile removes the userâs access to the devices and deletes any PxM user account created on the device.
Once deleted the profile cannot be reinstated. The profile would have to be recreated.
On the Manage profiles page, right-click on a profile and then click Delete within the context menu.
If the profile contains devices, a warning appears. Click Continue.
Within the Question window, click Yes.
During deletion, the profilescan task is run which will:
- Disconnect users logged onto any of the devices within the profile.
- Device and Auth Services account update task will be run to remove any accounts on the device.
- The profile is deleted from the list and cannot be reinstated.
Orphaning a device means that the profile being deleted is the only profile that is linked to this deviceâs highest level of permission. If the device only has âreadâ and âreadwriteâ as permissions, then this might mean that no users will have âreadwriteâ access to manage the device.