7.9. Profiles

This chapter describes how PxM profiles are created and managed within the Web Management Interface. The following topics are included in this chapter:

7.9.1. Manage profiles

Within PxM, profiles provide role-based management controls and link together a group of devices, tools, tasks, users and user groups.

A profile is like a job description. It specifies which access tools can be used to administer a device and which tasks can be run on the device. Any user that is linked to a given profile will be able to perform the tasks and access the devices.

If a profile is disabled, the permissions in that particular profile will be ignored when PxM calculates a user’s access permission for a given device.

Note

Unless a PxM user belongs to at least one profile with tool/task and device, when they log onto the PxM Client they won’t have access to any devices, tools or tasks. By default all users will have access to the Web Management Interface with limited functionality.

To view the Manage profiles page, click Profiles in the left-hand menu. The Manage profiles page lists all the profiles that have been created to manage device access.

WebUI Manage profiles table

The PxM profile states include:

  • Unprovisioning icon: Deleting a profile removes the user’s access to the devices and deletes any PxM user accounts that have been created on the device.
  • Disabled profile icon: The profile is disabled. Users can log on to the client but will be unable to access any devices, unless they are granted permission through another profile.
  • Enabled profile icon: The profile is enabled. Users can access the devices through the client, single sign-on to devices and execute tasks.
  • Enabled SuperAdmin profile icon: If a user is added to this profile, they will be given SuperAdmin access rights to PxM.

Profile context menu options

A number of context menu options are available when you highlight a profile and then right-click. Some of the more common options are described in the General usage section.

  • Delete (Delete icon): Deleting a profile removes the user’s access to the devices and deletes any personalised PxM user accounts that have been created on the device.

7.9.2. Default profiles

A number of profiles are created by default when PxM is installed. The profiles contain common tasks that might be used to manage devices on a scheduled basis.

  • Device Audit: Contains a daily scheduled Device Audit task. When a device is added to this profile, the task will run against the device to update information, i.e. Device Parameters, Inventory, Manage accounts.
  • Device Backup: Contains a weekly scheduled Backup task. When a device is added to this profile, the device’s backup task is run. The device’s backup file will be available on the Manage files page for download. See Manage files.
  • Device Password Regeneration: Contains a weekly scheduled Regenerate Account Passwords for devices attached to profile task which will update the Fully managed and Managed accounts for all devices.
  • Osirium Super Admins: Contains the Osirium Server with SuperAdmin access level. When users are added to this profile, they become PxM SuperAdmins and are given full access to the Web Management Interface, Browser (HTTP) Tool, and the ability to run a number of tasks against the PxM Virtual Appliance.

WebUI Profile Osirium Server tasks


7.9.3. Creating a new profile

When you click the New profile button (plus icon) on the Manage profiles page, a New profile window opens.

WebUI New profile window

Fill in the following details:

Note

The options available within the New profile window will depend on the type of PxM Platform licence you have purchased.

  • Name: The display name that will be given to the profile.
  • Enabled (checkbox): Default is enabled. Allows users to access the device tools and tasks.
  • Enable window: Default is set to Always, which means that the users are not restricted as to when they can access the devices. You can select the times you want the users to have access to the device. At all other times the devices will be greyed out in the PxM Client. See Configuring Enable window.
  • Session Recording (checkbox): If the tickbox is checked, it indicates that the user’s session will be recorded by PxM. See Configuring Privileged Session Recorder.
  • Change ticket required (checkbox): If the tickbox is checked, it indicates that the user might be asked to enter a change ticket before accessing a tool/task.
  • Configure Meta-info: Allows you to attach many kinds of information against each profile. See Configure meta-info.


7.9.3.1. Configuring Enable window

Time windows are used to select time slots to limit when users can access devices. Access can be restricted to multiple windows in 30-minute increments throughout the working day.

Users who have been granted access are presented with a countdown of the time left to complete their job and, optionally, how long to wait until the next window opens.

This feature can be useful for:

  • 3rd party access: when you want to control when the device is accessed and for what period of time. It ensures that the device can’t be accessed at any time other than the time slots allotted for the work to be carried out.
  • Out-of-hours access: allowing you to ensure that devices are not accessed during operational periods to avoid issues or unnecessary delays.
  • Critical usage times/busy peak periods can also be disabled so devices cannot be accessed or managed during these periods.

By default, the Enable window is set to Always. This means that the users in the profile are not restricted as to when they can access the devices.

To set time slots:

  1. Within the Manage profiles page, click a profile.

  2. Within the Profile detail page, click the Edit (pencil) icon. This will allow you to edit the profile information.

    WebUI Profile detail screenshot

  3. Click the Popup editor icon below the Enable window column. The Edit value window will open.

    WebUI Edit time window

  4. Within the Edit value window you can:

    • Enable all: By default all times are Enabled. If some have been disabled and you want to quickly re-enable them, click this button.
    • Disable all: This button will remove the enabled times. Disabling all the times for each day will mean that the devices will not be accessible at any time.
    • Time zone: Select the time zone relevant to your location.

  5. To restrict user access to devices within a set time period, click Disable all. Then highlight the timelines for when the devices can be accessed. This is useful for when you have 3rd parties accessing systems and you want to restrict their access or create maintenance windows.

    WebUI Partial time window screenshot

  6. Once you have selected the timeslots, click Apply changes. The Edit value window will close.

  7. Within the Enable window column, the status will now show Partial. This means that the users will only be able to access the devices at the times stated.

    Click the Save icon to save the changes to the profile.

    WebUI Profile detail with partial window screenshot

7.9.4. Configuring a Profile

The Profile detail page allows you to configure a profile with Devices, Tools, Tasks, Users and User groups.

To go to the Profile detail page from the Manage profiles page, click a profile Name.

Manage devices

  1. To the right of Devices, click manage. The Manager: devices window appears.

  2. Within the Manager: devices window, tick the checkboxes in the Included column next to each device you want to add.

    Alternatively, hold down the SHIFT key and select multiple devices, then right-click and select Include.

  3. For each device, click the Edit (pencil) icon to the right of the Access level column to grant access levels.

    Depending on your template configurations, the following access levels may be granted from the drop-down:

    • Role: These are the available device access levels PxM can use when creating personalised accounts on the device. If a role is selected, it will apply for every user in the profile.

    • Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected, it will be available to every user in the profile. No personalised accounts are created.

    • Mapping: These are predefined account mappings that allow PxM user accounts to be linked to existing accounts on a device. See Creating an account mapping.

      WebUI Profile device manager window

  4. Click the Save icon to save the access level selected.

  5. Click Save changes to add the devices. The ProfileDeviceUpdate task is run and you return to the Profile detail page.

    WebUI Profile devices table

Manage tools

  1. To the right of Tools, click manage. The Manager: tools window appears.

    Note

    Tools are the applications that are used to access the device, i.e. HTTPS, SSH, RDP, etc. The list of tools can also include any MAP Server hosted tools.

  2. Within the Manager: tools window, tick the checkboxes in the Include column next to each tool you want to add to the profile.

    WebUI Profile tool manager window

    Tools will be automatically filtered based on the available tools for the devices selected.

    The tool icons indicate the following:

    • Unsupported task icon: Indicates that the tool is Unsupported by the devices added to the profile.
    • Partially supported task icon: Indicates that the tool is Partially supported, meaning it is not supported by all the devices added to the profile.
    • Supported task icon: Indicates that the tool is Fully supported, meaning it is supported by all the devices added to the profile.

    The tools list provides the necessary access connection protocol methods supported by PxM. Access connection protocols supported by devices are defined in a template.

    In addition, there is an internal PxM tool available on all devices called Reveal credentials tool.

  3. For some tools, additional options are available. To check additional options:

    • On the right-hand side of the table, click the Edit (pencil) icon. In the Options column, the Click to select options drop-down appears.
    • Click the drop-down.
    • If necessary, select one or more options.
    • Click Save changes.

    WebUI Profile tool options picker

    For example, the Remote Desktop tool has the following options available:

    Option Description
    Allow RDP Drive mapping

    Adding this option enables the Remote Desktop Protocol: File System Virtual Channel Extension.

    This allows the client’s drives to be exposed within the user’s RDP session, allowing users to copy files between the client and the RDP session.

    Allow RDP clipboard

    Adding this option turns on the Remote Desktop Protocol: Clipboard Virtual Channel Extension.

    This allows users the ability to seamlessly transfer data using the copy to clipboard functionality between the client and the RDP session.

    Allow RDP sound

    Adding this option enables the Remote Desktop Protocol: Audio Output Virtual Channel Extension.

    This allows PxM users to hear sounds made within the RDP session on the client’s machine.

  4. When adding MAP server-hosted tools to a profile, one or more MAP server groups must be selected. MAP server groups are listed on the Click to select options drop-down.

    Note

    If one MAP server group is selected, connections to all enabled MAP servers within that group are load-balanced using a round-robin algorithm.

    If more than one MAP server group is selected, connections are load-balanced across each enabled group using a round-robin algorithm and then load-balanced within each group to also round-robin across enabled servers in the group.

    MAP tool connections are presented using Microsoft RDP RemoteApp. These are RDP connections and, therefore, can have their RDP options controlled. If you wish to allow RDP drive mapping, RDP clipboard or RDP sound support for the MAP tools, select the required options in the drop-down.

    Selecting a MAP server group with no active servers results in an error when a MAP tool is launched.

    If you single sign-on using a Remote Desktop tool, you can view the available options in the Remote Desktop Connection window by clicking Details. PxM sets these options based on the profile options selected.

    RDP confirmation window

    Note

    If you single sign-on to Windows Server 2008, the drive mappings will be located in the following location: Networks folder under tsclient

    RDP Drive mapping example

  5. Tick the checkbox to include the option(s) and then click the Save icon.

    WebUI Profile tool manager window

  6. Click Save changes. The tools and options are added to the profile and you return to the Profile detail page.

    WebUI Profile tools table

Manage tasks

  1. To the right of Tasks, click manage. The Manager: tasks window appears.

    The Manager: tasks window lists all the tasks available through PxM. The list provided is created from:

    • User tasks: all the tasks that are defined in the uploaded templates. Only tasks defined in a template can be run on the device compatible with the template.

      When a template task is added to a profile along with a device, the user’s PxM Client will be updated with the user tasks.

    • System tasks: are internally performed by PxM and will not be visible on the client.

  2. Tick the checkboxes in the Include column for each task you want to add. Tasks will be automatically filtered based on the available tasks for the devices selected.

  3. Each task can be scheduled to run on a daily, weekly or monthly basis. Schedules must be created before they can be used. See Schedules.

  4. Click the Edit (pencil) icon to bring up the Schedules drop-down.

    WebUI Profile tasks schedule picker

  5. Select one or more schedules from the drop-down to set on the task.

  6. Click the Save icon. The schedules are set.

    WebUI Profile tools manager example

  7. Click Save changes. You return to the Profile details page.

    WebUI Profile tasks table

Manage users

  1. To the right of Users, click manage. The Manager: users window appears.

  2. Within the Manager: users window, tick the checkboxes in the Include column next to each user you want to include.

    Alternatively, hold down the SHIFT key and select multiple users, then right-click and select Include.

    WebUI Profile user manager window

  3. Click Save changes to add the users. The ProfileUserUpdate task is run and you return to the Profile detail page.

    WebUI Profile users table

Manage user groups

  1. To the right of User groups, click manage. The Manager: user groups window appears.

    User groups are an easy and quick way of adding multiple users to the same profiles. See Creating a user group.

  2. Within the Manager: user groups window, tick the checkboxes in the Include column next to each user group you want to include.

    Alternatively, hold down the SHIFT key and select multiple user groups, then right-click and select Include.

    WebUI Profile user groups manager window

  3. Click Save changes to add the user groups. The ProfileUserUpdate task is run and you return to the Profile detail page.

    WebUI Profile detail example

    Note

    If you are using a pattern access level type, the user account audited on the device by PxM must be Known by PxM before it can be used. See Manage accounts to check the account’s state within PxM and change if necessary.

Full scan

Clicking on the Full scan button will do the following:

  • Checks PxM to confirm the users/devices in the profile, to work out which accounts should exist on the device/auth service.
  • If an account is not found, PxM checks if the missing account existed on the device/auth service when it was last audited.
  • If the accounts didn’t exist during the last audit, it will create the accounts.
  • All database links related to the profile will also be checked during the scan.

Note

The Full scan button should only be used in emergencies.

7.9.5. Reveal credentials tool

The Reveal Credentials tool allows PxM users to reveal the device account credentials (passwords and SSH keys) for an individual account.

Credentials can be revealed for Fully managed, Known and Managed accounts only.

Note

Reveal Credentials is NOT available for the Osirium Server.

There are two ways to reveal the credentials of an account:

To reveal credentials through the PxM Client:

  1. Create a new profile, see Creating a new profile or open up an existing profile.

  2. Within the Profile detail page, add a device, add the Reveal Credentials tool and then add users. For more information, see Configuring a Profile.

  3. Open up the PxM Client and log in as a user that has been added to the profile.

  4. Once you have successfully logged into your PxM Client, locate the device. You will see the Reveal credential tool listed.

    Client Reveal credentials tool

  5. Double-click Reveal Credentials.

  6. Within the Reveal credentials window, click Yes to decrypt the account credentials.

  7. Within the Reveal credentials window, the password can now be revealed for the account by moving the mouse over the password field or by CTRL+C to copy the password.

    WebUI Reveal Credentials

  8. Once you have retrieved the account credentials, click Close.

7.9.6. Bulk importing

Bulk imports allow you to import multiple profiles and profile memberships using CSV templates.

The Import profiles CSV template is used to create a new profile.

The Import profiles membership CSV template is used to update and configure the memberships of existing profiles.

7.9.6.1. Import profiles

  1. Within the Manage profiles page, click Bulk Import > Import profiles.

    WebUI Profiles Bulk Import

  2. Within the Import from CSV window, click Download CSV template.

    Webui Profiles Bulk Import Profiles window

  3. Open up the file in your preferred CSV editor. An example entry has been given for reference. Enter the required information.

    • Name: Enter the name you want the profile to be called. This profile name will be the display name.
    • Enabled: Enter TRUE if you want the profile to be enabled when created. When enabled, the users will be given permission to use the devices set out in the profile. If left blank, the profile will be disabled when created.
    • Session Recording: Enter TRUE to record the user’s session.
    • Change ticket required: Enter TRUE to indicate that access granted by the profile requires a change ticket to be entered by the user.
    • Notes: Additional information about the profile.
    • Meta-columns: Enter the meta-column value. See Configure meta-info.

    Note

    Columns in your downloaded CSV template file may vary depending on the features licensed.

    Note

    Enable window settings will be defaulted to Always. Meta column settings will be defaulted to the first entry in the list of options available.

    Webui Profiles Bulk Import CSV example

  4. Save the CSV file with the changes.

  5. Within the Web Management Interface Import from CSV window, click Choose file. Choose the saved profiles CSV file.

  6. Click Import. The CSV entries will be listed in the Review import data window. Review the entries and update if necessary, using the Edit (pencil) icon.

    Webui Profiles Bulk Import Review

  7. Click Import. The actions are queued.

  8. Within the Action Queue window, click Done. The new entries are created and can be seen on the Manage profiles page.

    Webui Profiles Bulk Import Entries

    At this stage the profiles are empty and need to be configured before they can be used to grant user access to devices.

7.9.6.2. Import profiles membership

Once a profile has been created you can bulk import memberships.

Memberships are grouped and placed on individual lines as follows, so bear this in mind when you are making updates:

  • Devices and access levels.
  • Tools and tool options.
  • Tasks and task schedules.
  • User.
  • User groups.

  1. Within the Manage profiles page, click the Export button and select Export profiles membership from the menu. A CSV file will be exported, containing a list of existing profiles and their memberships.

  2. Open up the file in your preferred CSV editor.

    Webui Profiles Bulk Import Members CSV

  3. Update, remove or add memberships within the CSV file, as required.

    Note

    If you do not want to make any amendments to a profile membership, then leave as is. Otherwise, if the configuration is removed, it will be deleted during the import process.

    Heading Description
    Profile Name of an existing profile.
    Device

    Internal name given to the device.

    Note

    Device names must match the names on the Manage Devices page.

    Note

    If adding a device, an access level must be entered.

    Access level

    Enter the access level that will be granted to the user when accessing the device.

    The available access levels are dependent on the device. Access levels can be:

    Role: These are the available device access levels PxM can use when creating personalised accounts on the device. The role entered will apply for every PxM user in the profile.

    Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected it will be available to every user in the profile. No personalised accounts are created.

    Pattern: These are predefined patterns that allow PxM user accounts to be linked to existing accounts on a device. See Creating an account mapping.

    Note

    If adding an access level, it must be associated with a device and available in the device template.

    Tool

    Enter the device access connection protocol name that will be used to access the device, i.e. HTTPS, SSH, RDP.

    Note

    Multiple tools can be entered using a semi-colon separated list.

    Note

    Available device tools for a device can be found on the named device template detail page. See Show template.

    Tool options

    Some tools may have additional options associated with them.

    For example:

    • Remote Desktop may have Allow RDP drive mapping, Allow RDP clipboard and Allow RDP sound.
    • Tools associated with a MAP Server will have MAP server groups listed.

    Note

    If adding a tool option, it must be associated with a tool.

    Task

    The task list available is created with user and system tasks.

    • User tasks: are all the tasks that are defined in templates. Only tasks relevant to the devices in the profile will be usable.
    • System tasks: are internally performed by PxM and will not be visible on the PxM Client.

    Note

    Available tool options for a device can be found on the named device template detail page. See Show template.

    Task schedules

    To run the tasks on a schedule, enter the schedule time.

    Note

    Schedules must be created before they can be used. See Schedules.

    User

    Internal name given to the user. If you want to add multiple users then it is probably easier to create a user group first and then add the user group name, rather than individual names.

    Note

    User names must match the names on the Manage users page.

    User group

    Enter the name of the user group.

    See Manage user groups.

  4. Save the CSV file with the changes.

  5. Within the Manage profiles page, click Bulk Import > Import profiles membership.

    WebUI Profiles Bulk Import

  6. Within the Import from CSV window, click Choose file.

  7. Locate and select the saved profiles membership CSV file.

  8. Click Import. The CSV entries will be listed in the Review import data window. Review the entries and make amendments as necessary.

    Webui Profile Membership Bulk Import Review

  9. Click Import. The Question window opens.

    Webui Profile Bulk Import Profile Membership Warning

    Note

    Take note of the warning. Clicking Yes means the profile membership configurations will be updated as per the CSV file. Memberships no longer listed will be removed and others will be updated/added.

  10. Within the Action queue window, click Done. The profile memberships are updated.
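
Because memberships missing from the CSV are removed on import, it helps to compare the exported file with the edited one before importing it. The following Python is an added example, not part of PxM or its documentation: the column names come from the headings listed above, while the row layout, the ";" separator inside Tool options, the sample data and the choice of which grants to flag for a second review are assumptions of this example.

```python
import csv
import io

# Column names come from the headings this page lists for the membership CSV;
# the row layout and the ";" separator inside "Tool options" are assumptions.
KINDS = {"Device": "Access level", "Tool": "Tool options",
         "Task": "Task schedules", "User": None, "User group": None}
MULTI_VALUE = {"Tool"}  # the page documents ";"-separated lists for Tool only
SUPERADMIN_PROFILE = "Osirium Super Admins"
# Review policy of this example: options that open a data path to the client.
RISKY_RDP_OPTIONS = {"allow rdp drive mapping", "allow rdp clipboard"}

# Constructed sample data, not a real PxM export.
EXPORTED = """\
Profile,Device,Access level,Tool,Tool options,Task,Task schedules,User,User group
Network Ops,core-sw-01,readonly,,,,,,
Network Ops,,,SSH,,,,,
Network Ops,,,,,,,alice,
Network Ops,,,,,,,bob,
Windows Admins,dc-01,Administrator,,,,,,
Windows Admins,,,Remote Desktop,Allow RDP sound,,,,
Windows Admins,,,,,,,,win-admins
Osirium Super Admins,,,,,,,carol,
"""
EDITED = """\
Profile,Device,Access level,Tool,Tool options,Task,Task schedules,User,User group
Network Ops,core-sw-01,readonly,,,,,,
Network Ops,,,SSH;Reveal Credentials,,,,,
Network Ops,,,,,,,alice,
Windows Admins,dc-01,Administrator,,,,,,
Windows Admins,,,Remote Desktop,Allow RDP sound;Allow RDP drive mapping,,,,
Windows Admins,,,,,,,,win-admins
Osirium Super Admins,,,,,,,carol,
Osirium Super Admins,,,,,,,dave,
"""


def load_memberships(csv_text):
    """Map (profile, kind, name) -> detail cell for every membership row."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        profile = (row.get("Profile") or "").strip()
        for kind, detail_col in KINDS.items():
            cell = (row.get(kind) or "").strip()
            if not profile or not cell:
                continue
            names = cell.split(";") if kind in MULTI_VALUE else [cell]
            detail = (row.get(detail_col) or "").strip() if detail_col else ""
            for name in filter(None, (n.strip() for n in names)):
                entries[(profile, kind, name)] = detail
    return entries


def options(cell):
    """Normalise a ';'-separated option cell into a lower-cased set."""
    return {o.strip().lower() for o in cell.split(";") if o.strip()}


def diff_memberships(exported_csv, edited_csv):
    """Report what the import would remove, add or change, plus risky grants."""
    before = load_memberships(exported_csv)
    after = load_memberships(edited_csv)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = sorted(k for k in after if k in before and before[k] != after[k])
    flags = []
    for key in added + changed:
        profile, kind, name = key
        if key not in before:
            if kind == "Tool" and "reveal credentials" in name.lower():
                flags.append(f"{profile}: adds the Reveal credentials tool")
            if kind in ("User", "User group") and profile == SUPERADMIN_PROFILE:
                flags.append(f"{profile}: {name} gains SuperAdmin rights")
        if kind == "Tool":
            new = options(after[key]) - options(before.get(key, ""))
            for opt in sorted(new & RISKY_RDP_OPTIONS):
                flags.append(f"{profile}: {name} now has '{opt}'")
    return {"removed": removed, "added": added, "changed": changed, "flags": flags}


if __name__ == "__main__":
    for section, items in diff_memberships(EXPORTED, EDITED).items():
        print(section.upper())
        for item in items:
            print("  ", item)
```

An empty "removed" list confirms that no existing access will be dropped by the import; anything under "flags" is worth a second pair of eyes before clicking Yes in the Question window.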


7.9.7. Editing a Profile

See General usage section for inline editing.

7.9.8. Deleting a Profile

Deleting a profile removes the user’s access to the devices and deletes any PxM user account created on the device.

Once deleted the profile cannot be reinstated. The profile would have to be recreated.

To delete:

  1. On the Manage profiles page, right-click on a profile and then click Delete (Delete icon) within the context menu.

    Note

    If the profile contains devices, a warning appears. Click Continue.

  2. Within the Question window, click Yes.

    During deletion, the profilescan task is run which will:

    • Disconnect users logged onto any of the devices within the profile.
    • Device and Auth Services account update task will be run to remove any accounts on the device.
    • The profile is deleted from the list and cannot be reinstated.

    Note

    Orphaning a device means that the profile being deleted is the only profile that is linked to this device’s highest level of permission. If the device only has ‘read’ and ‘readwrite’ as permissions, then this might mean that no users will have ‘readwrite’ access to manage the device.