
Managing user groups

This section describes how Osirium PAM user groups are created and managed within the Admin Interface.

What are user groups?

A user group is a container used to associate users with profiles and users with roles. Profiles manage the access a user has to devices; roles manage the level of access a user has to the Admin Interface.

Working with groups instead of individual users simplifies giving the members of a group, organisation, team, department, etc. the same privilege levels required to perform a job role.

User groups minimise the risk of missing people off the access list, and make it easier to update or quickly remove access if it is no longer required for the group.

User groups are created and managed via the Manage user groups page. The process of creating a user group and then associating users is as follows:

  1. Create a user group container with a preferred user source and a name to help identify the group.

    • The source selected will determine the user list presented for association:

      • Local: will allow you to select and add users with any auth type.

      • Active Directory: will synchronise the users belonging to the Active Directory Global Security Group.

  2. Associate users (local or Active Directory): For local source user groups, select the users from the list presented.

    For an Active Directory source user group, users will be automatically synchronised from Active Directory. Active Directory users that are currently not listed within the Manage users page will be created.

    Active Directory users can't be updated or deleted from within Osirium PAM. Updates to user groups at the Active Directory level need to be synchronised with Osirium PAM in order for changes to be reflected.

  3. Manage device access: If the user group will be used to manage device access you must associate profiles, either by selecting profiles that already exist or by creating a new profile with the access privileges required for the user group. Adding a profile to the user group will give all the users in the user group access to the devices and tasks listed in the profile with the access level stated. User groups can be added to multiple profiles.

  4. Manage Admin Interface access: If the user group will be used to manage access to the Admin Interface you must associate roles by adding the user group to the desired role. Adding the user group to a role will give all the users in the user group access to the Admin Interface with the selected access level. For further details see Managing roles.

How to create a new user group

Creating a user group creates a container that can then be used to associate users with profiles and users with roles.

  1. In the left-hand menu click User groups.

  2. Click the NEW USER GROUP button on the Manage user groups page.

  3. Fill in the following details:

    | Heading | Description |
    |---|---|
    | Source | Select the source of the users. |
    | Name | Enter a display name that will be used to identify the user group. When using an Active Directory source, the name must match that of a Global Security Group that exists on Active Directory. |
    | Notes | Add any additional information that may be relevant or useful to manage the user group. |
    | Enabled | If the checkbox is checked then the user group is enabled. When added to a profile, the users within the group will be given permission to the devices. |

    NOTE: If an Active Directory user group is created in a disabled state, the users will not be synchronised until the group is enabled.

  4. Click SAVE. The user group container is created. If you selected an Active Directory source, a Note window is displayed.


How to add users to a user group

The steps to add users to a user group will depend upon the source of the users:

Add users to a local source user group

  1. On the Manage user groups page, click the name of the desired user group.

  2. On the User group detail page, click the MANAGE button to the right of Associated users.

  3. When the Manager: users window opens, select the checkboxes for the users to be added to the group.

  4. Click SAVE CHANGES. The users are added to the user group.

Synchronise users from an Active Directory Global Security Group

The first time you create a user group with an Active Directory Account source, the users will be automatically synchronised. To check for updates to the user group you can use the Synchronise button. Any changes that have been made to the Active Directory Global Security Group will be updated in Osirium PAM.

How to add user groups to profiles

  1. On the Manage user groups page, click the name of the desired user group.

  2. On the Named user group detail page, click the MANAGE button to the right of Associated profiles.

  3. Within the Manager: profiles window, select the checkboxes for the profiles to be added to the group.

  4. Click SAVE CHANGES. The Profile user update task will be executed.

    The profile will be updated to include the user group. All users listed in the user group will be given the same privileged access levels configured within the profile.

How to add user groups to a role

  1. In the left-hand menu click Roles.

  2. On the Role page, click the name of the desired role.

  3. On the Role detail page, click the MANAGE button to the right of Associated groups.

  4. When the Manager: user groups window opens, select the checkboxes for the user groups to be added to the role.

  5. Click SAVE CHANGES. The user groups are added to the role and members of the user group will be granted the associated role access.

Bulk importing

If you have a number of user groups to create you can use the csv template and then import your user group list. This is a more effective and quicker way of creating multiple user groups as well as adding membership to user groups.

A bulk import can be used to create new user groups or add/update existing user group memberships (associated users and associated profiles).

Bulk importing user groups

To bulk import multiple user groups:

  1. Select User groups from the left-hand menu.

  2. On the Manage user groups page, click BULK IMPORT and select Import user groups from the menu.

  3. Within the Import from CSV window, click DOWNLOAD CSV TEMPLATE.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  4. Open the user_groups_[date].csv file. It contains an example showing the inputs required.


  5. Add in your user groups to be imported as follows:

    | Column heading | Description |
    |---|---|
    | Is Active Directory group? | Enter TRUE for an Active Directory Global Security Group or FALSE to select from the Osirium PAM list of users. |
    | Name | Enter a display name that will be used to identify the user group. When using an Active Directory source, the name must match that of a Global Security Group that exists on Active Directory. |
    | Notes | Add any additional information that may be useful. |
    | Enabled | Enter TRUE to enable the user group when created. Enter FALSE to disable the user group when created. |

    NOTE: Disabling a user group will dynamically revoke any permissions allocated through profiles.


  6. Save the csv file once updated.

  7. Now within the Import from CSV window, click Choose File.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  8. Click IMPORT.

  9. The entries in the CSV file are added and visible in the Bulk import user groups window.

  10. Before you click IMPORT note the following.

    • To import all the user groups listed, click SELECT ALL.

    • To import only a selection of user groups from the list, hold the SHIFT key and select all the groups you want to import from your bulk import list.

    • Errors will be highlighted with an exclamation icon.

    • If warnings are not fixed then you will get an error when you click IMPORT.

    • You can select Skip rows with errors to ignore the rows with errors and import all the others.

    • You can update any user group settings by clicking Edit at the end of each row.

    • If there are no errors highlighted then all user groups in the list will be imported.

    • To disable a user group when created, click Edit at the end of the row and deselect the Enabled checkbox.

  11. Click IMPORT.

  12. Within the Question window, click YES if you are happy to proceed with the bulk import.

    Import question window

  13. Within the Action queue window, the user groups will be imported and queued for creation. If you have a lot of users in your bulk import then you can choose to Continue in the background or if the imports have been completed, click DONE.

    The Manage user groups page will automatically be updated. User data will be synchronised for any user groups with a source of Active Directory. If the user doesn't exist in Osirium PAM it will be created. All associated users within the Active Directory Global Security Group will be listed.
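
A pre-import check for the user group CSV described in step 5, as an added example that is not part of the Osirium documentation or product. It assumes the CSV header row uses the column headings listed in that step, accepts only the literal values TRUE and FALSE, and runs on a constructed sample.

```python
import csv
import io

# Column headings from the table in step 5; assumed to be the CSV header row.
AD_COL, NAME_COL, NOTES_COL, ENABLED_COL = (
    "Is Active Directory group?", "Name", "Notes", "Enabled")

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
Is Active Directory group?,Name,Notes,Enabled
TRUE,PAM-Network-Admins,Constructed sample row,TRUE
FALSE,Local DBAs,,yes
TRUE,PAM-Helpdesk,,FALSE
FALSE,,Row with no name,TRUE
"""

def lint_user_groups(csv_text):
    """Return (row_number, severity, message) findings for an import file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = (AD_COL, NAME_COL, NOTES_COL, ENABLED_COL)
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "error", "missing columns: " + ", ".join(missing))]
    findings, seen = [], {}
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        name = (row[NAME_COL] or "").strip()
        is_ad = (row[AD_COL] or "").strip()
        enabled = (row[ENABLED_COL] or "").strip()
        if not name:
            findings.append((n, "error", "Name is empty"))
        elif name in seen:
            findings.append((n, "warn", f"Name repeats row {seen[name]}"))
        seen.setdefault(name, n)
        for col, val in ((AD_COL, is_ad), (ENABLED_COL, enabled)):
            if val not in ("TRUE", "FALSE"):
                findings.append((n, "error", f"{col}: expected TRUE or FALSE, got {val!r}"))
        if is_ad == "TRUE" and enabled == "FALSE":
            # Per the NOTE on creating groups: no sync until the group is enabled.
            findings.append((n, "warn", "AD group created disabled; users will not synchronise until enabled"))
    return findings

if __name__ == "__main__":
    for finding in lint_user_groups(SAMPLE):
        print(*finding, sep="\t")
```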

Bulk importing user groups membership

You can use the exported user group csv file to associate users to existing user group containers but there are some limitations:

  • You can't associate profiles.

  • The Bulk import > Import user groups membership > Download CSV template is not currently available.

  • Don't use for user groups with a source of Active Directory.

The following method can be used to bulk import user associations to user groups:

  1. Within the Manage user groups page, click EXPORT.

  2. Select Export user groups membership.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  3. Open the user_groups_member_[date].csv file. The file will contain all the user groups with a local and Active Directory source and their associated users.

  4. Update the csv file as follows:

    • Remove all user groups with an account source of Active Directory as they can only be synchronised.

    • To associate users to existing user groups enter the following information into the csv file.

    | Column heading | Description |
    |---|---|
    | User group | Enter the user group name that already exists. |
    | User | Enter the Name of the user as listed on the Manage users page. Users with Auth type other than Active Directory can be added to a local source user group. |

    Note

    DO NOT enter multiple names in a field. To add multiple users to the same user group create a new row for each user group.

    If you remove an existing associated user from the bulk import template and then import, the removed user will be deleted from the associated users list.

  5. Save the csv file.

  6. Now within the Import from CSV window, click Choose File.

    If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  7. Click IMPORT.

  8. The entries in the CSV file are added and displayed in the Bulk import user group membership window.

  9. Before you click IMPORT note the following.

    • To import all the user groups listed, click SELECT ALL.

    • To import only a selection of user group memberships from the list, hold the SHIFT key and select all the groups you want to import from your bulk import list.

    • Errors will be highlighted with an exclamation icon.

    • If warnings are not fixed then you will get an error when you click IMPORT.

    • You can select Skip rows with errors to ignore the rows with errors and import all the others.

    • You can update any row by clicking Edit at the end of each row.

    • If there are no errors highlighted then all entries in the list will be imported.

  10. Click IMPORT.

  11. Within the Question window, click YES if you are happy to proceed with the bulk import of the memberships.

  12. Within the Action queue window, the user group memberships will be imported and queued for creation. If you have a lot of user group memberships in your bulk import then you can choose to Continue in the background or, if the imports have been completed, click DONE.

    The Manage user groups page will be automatically updated.
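
Because a user left out of the edited file is removed from the group on import, it helps to diff the edited CSV against the original export before uploading it. The following is an added example, not part of the Osirium documentation or product; it assumes the header row uses the column headings from step 4, that the operator supplies the Active Directory group names in the hypothetical `ad_groups` parameter, and it runs on constructed samples.

```python
import csv
import io

# Constructed samples; "User group" and "User" are the column headings from step 4.
EXPORTED = """\
User group,User
Local DBAs,alice
Local DBAs,bob
Network Ops,carol
PAM-Helpdesk,dave
"""
EDITED = """\
User group,User
Local DBAs,alice
Local DBAs,erin
Local DBAs,frank;grace
PAM-Helpdesk,dave
"""

def load_pairs(csv_text):
    """Parse a membership CSV into a set of (group, user) and bad row numbers."""
    pairs, bad = set(), []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        group = (row.get("User group") or "").strip()
        user = (row.get("User") or "").strip()
        # Heuristic for "multiple names in a field": a list separator in User.
        if not group or not user or ";" in user or "," in user:
            bad.append(n)
        else:
            pairs.add((group, user))
    return pairs, bad

def review_membership_import(exported_csv, edited_csv, ad_groups):
    """Summarise what importing edited_csv would change relative to the export."""
    before, _ = load_pairs(exported_csv)
    after, bad = load_pairs(edited_csv)
    ad, kept = set(ad_groups), {g for g, _ in after}
    return {
        "bad_rows": bad,
        "ad_rows": sorted(p for p in after if p[0] in ad),  # must be removed
        "added": sorted(p for p in after - before if p[0] not in ad),
        # Users dropped from a group still in the file lose their association.
        "removed": sorted(p for p in before - after
                          if p[0] in kept and p[0] not in ad),
        # Local groups missing entirely; the page does not say what happens.
        "absent_groups": sorted({g for g, _ in before} - kept - ad),
    }
```

Review the `removed` and `ad_rows` lists before importing: the first shows associations the import will delete, the second shows rows that the limitations above say must not be in the file.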

Editing a user group

See the Common Interface functions section for inline editing.

Deleting a user group

Deleting a user group has the following effects:

  • The user group will be permanently removed from the database.
  • The user group will be removed from all profiles and roles associated with the user group.
  • User access levels will be revoked for all devices and device tasks within the profiles associated with the deleted user group.
  • User access levels will be revoked for the Admin Interface within the roles associated with the deleted user group.
  • User accounts will not be deleted from Osirium PAM.