Osirium PAM Administrators guide
This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.
Overview
Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.
It provides an easy-to-use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.
Osirium PAM ensures users never need to know the passwords of privileged accounts on devices, enabling secure access and eliminating the risk posed by shared privileged account credentials.
Osirium PAM also provides a comprehensive audit trail, including session recording, allowing you to review and analyse your users' access with end-to-end accountability, so you know who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.
With the introduction of the cluster feature, servers can now be configured to work together to provide load balancing, greater scalability, increased availability and resilience, and simplified management.
Admin Interface
The Admin Interface is a web-based interface used for the management of Osirium PAM. It allows you to configure and manage users, devices and privileged access as well as monitor, audit and review user access.
Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Owner or Admin role access level.
During the initial configuration phase of the PAM Server setup, a Primary SuperAdmin user account was created and given a password. This user is locally authenticated and is initially used to log on to Osirium PAM and access the Admin Interface.
Use the Primary SuperAdmin account to create personalised user accounts, then log off from Osirium PAM and log back in using the personal account you created.
Warning
The Primary SuperAdmin account should NOT be used by users to manage Osirium PAM, as it won't give individual user accountability and auditing.
The Admin Interface is divided into the following areas:
Area | Description |
---|---|
Left-hand menu | Provides links to various areas of the interface. Clicking on a menu option opens the relevant page in the workspace area. |
Workspace | This is the main area where you can find management tasks and view existing entries. |
Configuring your Osirium PAM
Before you start adding users and devices and configuring profiles to give users privileged access, you will need to set up the PAM Server configuration settings. The system configuration settings can be found on the following pages:
- Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server.
- System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.
Osirium PAM access levels
It is important to first work out what level of access will be required, both for those who will be managing and configuring the system and for those who will be monitoring information and analysing data.
By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least-privilege model when granting access. For further details of configuring roles in Osirium PAM see Managing roles.
Use the following defined device access levels to assign users the appropriate permission:
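Application | Section | Action | Owner | Admin | Auditor | Reporter | User |
---|---|---|---|---|---|---|---|
PAM Server Console | Troubleshooting | Shutdown | Yes | | | | |
PAM Server Console | Troubleshooting | Reboot | Yes | | | | |
PAM Server Console | Troubleshooting | System Status | Yes | | | | |
PAM Server Console | Troubleshooting | Restart Services | Yes | | | | |
PAM Server Console | Troubleshooting | Restart Queues | Yes | | | | |
PAM Server Console | Troubleshooting | Purge Queues | Yes | | | | |
PAM Server Console | Troubleshooting | Restart RDP | Yes | | | | |
PAM Server Console | Troubleshooting | Reset Support Password | Yes | | | | |
PAM Server Console | Troubleshooting | Unlock Support Account | Yes | | | | |
PAM Server Console | Troubleshooting | Clear notifications | Yes | | | | |
PAM Server Console | Troubleshooting | Change IP Address | Yes | | | | |
Admin Interface | Manage | Manage users | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage user groups | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage devices | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage Active Directory | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage static vaults | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage accounts | r/w | r/w | r/o | | |
Admin Interface | Manage | Generate Breakglass | Yes | | | | |
Admin Interface | Manage | Reveal Credentials | Yes | | | | |
Admin Interface | Manage | Manage account mappings | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage profiles | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage schedules | r/w | r/w | r/o | | |
Admin Interface | Manage | Manage files | r/w | r/w | r/o | r/o | |
Admin Interface | Manage | Manage MAP servers | r/w | r/w | r/o | | |
Admin Interface | Reporting | Device access | r/w | r/w | r/o | r/o | |
Admin Interface | Reporting | Playback session recordings | Yes | Yes | Yes | | |
Admin Interface | Reporting | Export session recordings | Yes | Yes | Yes | | |
Admin Interface | Reporting | Shadow live sessions | Yes | Yes | Yes | | |
Admin Interface | Reporting | Access requests | r/w | r/w | r/o | | |
Admin Interface | Reporting | Change tickets | r/w | r/w | r/o | | |
Admin Interface | Reporting | User rights audit | r/w | r/w | r/o | | |
Admin Interface | Reporting | Tasks | r/w | r/w | r/o | r/o | |
Admin Interface | Reporting | Inventory | r/w | r/w | r/o | r/o | |
Admin Interface | Reporting | Management | r/w | r/w | r/o | r/o | |
Admin Interface | Reporting | Analytics | r/w | r/w | r/o | | |
Admin Interface | Reporting | Behaviour Analytics | r/o | r/o | r/o | | |
Admin Interface | System | System queue | r/w | r/w | r/o | | |
Admin Interface | System | System configuration | r/w | r/w | r/o | | |
Admin Interface | System | Configure Osirium Support account | Yes | | | | |
Admin Interface | System | Roles | r/w | r/w | r/o | | |
Admin Interface | System | API applications | r/w | r/w | r/o | | |
Admin Interface | System | Template library | r/w | r/w | r/o | | |
Admin Interface | System | Email subscriptions | r/w | r/w | r/o | | |
Admin Interface | System | Configure meta-columns | r/w | r/w | r/o | | |
Admin Interface | System | Logs | r/w | r/w | r/o | | |
Admin Interface | Personal | My Devices | r/o | r/o | | | |
Admin Interface | Personal | My accounts | r/o | r/o | | | |
Admin Interface | Personal | My tasks | r/o | r/o | | | |
Admin Interface | Personal | My files | r/o | r/o | | | |
Admin Interface | Personal | Change password | r/w | r/w | | | |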
Resetting interface preferences
Interface preferences are stored per user. Clicking on Reset Interface, which can be found at the bottom of the left-hand menu, will clear any preferences that have been applied.
The following will be reset:
- System Queue Auto-refresh (15s) will be unchecked.
- Table column widths.
- ‘Don’t ask me again’ checkboxes will be unchecked.
- Any open tabs will be closed.
- Filters applied to tables.
- ‘Do not show this page again’ checkbox will be unchecked for the Welcome to Osirium PAM page.
Common interface functions
When navigating your way round the Admin Interface, take note of the following functions, which will be useful to know.
- Context menu
- Inline editing
- Refresh button
- CSV download
- Filtering
- Checkboxes
- Customise table views
- Internal links
- Downloading a file using Shared Drive
- Uploading a file using Shared Drive
Context menu
A context menu and its options are available when you right-click a table row. The options available within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:
Icon | Description |
---|---|
Show | Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record. |
Select all | Enables you to highlight all the entries in the table. |
Multi-row edit | Multiple entries can be selected and columns updated to the same entered setting. |
Change password(s) | Change the password set for locally authenticated users only. |
Unlock | Accounts that have been locked can be unlocked for use. |
Unprovision | Removes any links associated with the user/device and then deletes the entry. |
Edit | The inline editing functionality allows you to update the details within the row. |
Multi-row Edit | Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window. |
Delete | Allows you to right-click and remove the user, device, or profile from the current configuration. |
View log | Opens up the Log viewer window and displays the log information for the selected entry. |
Inline editing
The inline editing functionality allows you to update details on the manage pages.
To edit an individual entry click on found at the end of a row. Once updated, click on .
To update multiple entries, highlight a number of rows, then right-click and select the multi-row edit option from the context menu. Update the entries within the Multiple-row editor window and click SAVE CHANGES. Changes will be applied to all selected rows.
Note
Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.
Refresh button
When you open a page, the data on the page is refreshed to ensure it is up to date. You can manually refresh the page at any time by clicking the REFRESH button.
Some pages also have an Auto-refresh checkbox that, when checked, refreshes the page periodically.
CSV download
Data on a page can be downloaded to a file using the DOWNLOAD button. If a filter has been applied on the page, then only the filtered data will be downloaded.
Filtering
To quickly find an entry, use the search filters that can be found above a table. Searches can be conducted on individual or multiple columns.
To clear a search filter, click on the within the search field.
Checkboxes
The following describes the behaviour of the checkboxes when filtering.
Checkbox | Behaviour |
---|---|
The filter will contain all lines that have the checkbox checked. | |
The filter will contain all lines that have the checkbox unchecked. | |
Means there is no filter set. | |
Customise table views
You can customise the appearance of tables by dragging and dropping the table columns or by using the drop down options available within a column.
The options available are:
Header | Description |
---|---|
Sort Ascending | Sorts in alphanumeric (A-Z) order. |
Sort Descending | Sorts in descending alphanumeric (Z-A) order. |
Configure Sort... | Allows you to add multiple sort levels. |
Columns | Table columns can be shown or hidden from view. |
Filter using | A number of conditions can be applied to narrow your search. |
Group by | Group by allows the data to be grouped based on the column selected. Grouped folders are created which can be expanded to reveal the list. NOTE: The group by feature cannot be used on pages with over 1000 records. |
Note
Table customisations do not persist across web browser sessions.
Internal links
Data highlighted in blue is an internal link that will navigate you to the associated named page.
Downloading a file using Shared Drive
The Shared Drive mechanism allows you to download files from your session (Admin Interface, Device session or Task execution) onto your local machine.
Note
If your session isn't being Session Recorded then this mechanism won't apply. Clicking on download in this instance will download the file directly to your local machine.
This example shows how to download a file from the Manage files page.
- Click Files in the left-hand menu.
- On the Manage files page click for the entry you want to download.
- You will be notified when the download has started and when it has been completed.
- Now click on the icon located in the top right-hand corner.
- The Shared Drive window will open. You will see the downloaded file within the Shared Drive window. Click the file to download it to your local machine.
Uploading a file using Shared Drive
The Shared Drive mechanism allows you to upload files from your local machine into your session (Admin Interface, Device session or Task execution).
Note
If your session isn't being Session Recorded then this mechanism won't apply. Clicking on download in this instance will download the file directly to your local machine.
- Within the Admin Interface window, click on the icon located in the top right-hand corner. The Shared Drive window will open.
- Within the Shared Drive window click on Upload your files. The Upload your files window will open.
- Either drag and drop the file(s) from your local machine to the Upload your files window or use the button to open your local machine File Explorer window and select the files to be uploaded.
- Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.
- The file will now be available from the Choose file window.
Supporting documentation
Other documentation relating to Osirium PAM includes:
The following can be found on our Support portal:
- Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.
- PAM Server: latest version download links and any pre or post installation requirements.
- MAP Server: latest version download link.
- PAM UI Server: latest version download link.
- Latest Template Bundle: the template bundle is not release dependent, so check the Support portal for the latest downloadable bundle.
The following Osirium PAM documentation can be found on our website:
- Getting started guide: overview of the Osirium PAM components.
- Installation guide: step-by-step instructions for installing each component and additional information relating to a cluster installation.
- Upgrading guide: step-by-step instructions for upgrading each of the components.
- Admin guide: step-by-step instructions on how to configure and manage privileged access.
- User guide: step-by-step instructions on how to navigate and use the UI.
- Template guide: reference guide to editing existing knowledge templates and creating new ones.