Osirium PAM Administrators guide
This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.
This section covers:
Overview
Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.
It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.
Osirium PAM ensures users never need to know the password of privileged account credentials of devices, enabling secure access and eliminating the risk posed through shared privileged account credentials.
Osirium PAM also provides a comprehensive audit trail, including session recording, allowing you to review and analyse end-to-end accountability of your users access and knowing who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.
With the introduction of the High Availability (HA) feature servers can now be configured as a primary and secondary pair and provide increased availability and resilience. For information on HA click here.
Admin Interface
The Admin Interface is a web based interface used for the management of Osirium PAM. It allows you to configure and manage users, devices and privileged access as well as monitor, audit and review user access.
Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Owner or Admin role access level.
During the initial configuration phase of the PAM Server setup, a SuperAdmin user account was created and given a password. This user is locally authenticated and is initially used to log on to Osirium PAM and access the Admin Interface.
Use the SuperAdmin account to create personalised user accounts, then log off from Osirium PAM and log back in using your personal account created.
Warning
The SuperAdmin account should NOT be used by users to manage Osirium PAM, as it won't give individual user accountability and auditing.
The Admin Interface is divided into the following areas:
Area | Description |
---|---|
Left-hand menu | Provides links to various areas of the interface. Clicking on a menu option opens the relevant page in the workspace area. |
Workspace | This is the main area were you can find management tasks and view existing entries. |
Configuring your Osirium PAM
Before you start adding users, devices and configuring profiles to enable privileged access to users, you will need to setup the PAM Server configuration settings. The system configuration settings can be found on the following pages:
-
Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server.
-
System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.
Osirium PAM access levels
It is important to first work out what level of access will be required for those who will be managing and configuring the system, to those who will monitoring information and analysing data.
By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least privileged model when granting access. For further details of configuring roles in Osirium PAM see Managing roles.
Use the following defined device access levels to assign users the appropriate permission:
Application | Section | Action | Owner | Admin | Auditor | Reporter | User |
---|---|---|---|---|---|---|---|
Management Interface | Configure HA | Yes | |||||
PAM Server Console |
Trouble- shooting |
Shutdown | Yes | ||||
Reboot | Yes | ||||||
System Status | Yes | ||||||
Restart Services | Yes | ||||||
Restart Queues | Yes | ||||||
Purge Queues | Yes | ||||||
Restart RDP | Yes | ||||||
Reset Support Password | Yes | ||||||
Unlock Support Account | Yes | ||||||
Clear notifications | Yes | ||||||
Change IP Address | Yes | ||||||
Admin Interface | Manage | Manage users | r/w | r/w | r/o | ||
Manage user groups | r/w | r/w | r/o | ||||
Manage devices | r/w | r/w | r/o | ||||
Manage Active Directory | r/w | r/w | r/o | ||||
Manage static vaults | r/w | r/w | r/o | ||||
Manage accounts | r/w | r/w | r/o | ||||
Generate Breakglass | Yes | ||||||
Reveal Credentials | Yes | ||||||
Manage account mappings | r/w | r/w | r/o | ||||
Manage profiles | r/w | r/w | r/o | ||||
Manage schedules | r/w | r/w | r/o | ||||
Manage files | r/w | r/w | r/o | r/o | |||
Manage MAP servers | r/w | r/w | r/o | ||||
Reporting | Device access | r/w | r/w | r/o | r/o | ||
Playback session recordings | Yes | Yes | Yes | ||||
Export session recordings | Yes | Yes | Yes | ||||
Shadow live sessions | Yes | Yes | Yes | ||||
Access requests | r/w | r/w | r/o | ||||
Change tickets | r/w | r/w | r/o | ||||
User rights audit | r/w | r/w | r/o | ||||
Tasks | r/w | r/w | r/o | r/o | |||
Inventory | r/w | r/w | r/o | r/o | |||
Management | r/w | r/w | r/o | r/o | |||
Analytics | r/w | r/w | r/o | ||||
Behaviour Analytics | r/o | r/o | r/o | ||||
System | System queue | r/w | r/w | r/o | |||
System configuration | r/w | r/w | r/o | ||||
Configure Osirium Support account | Yes | ||||||
Roles | r/w | r/w | r/o | ||||
API applications | r/w | r/w | r/o | ||||
Template library | r/w | r/w | r/o | ||||
Email subscriptions | r/w | r/w | r/o | ||||
Configure meta-columns | r/w | r/w | r/o | ||||
Logs | r/w | r/w | r/o | ||||
Personal | My Devices | r/o | r/o | ||||
My accounts | r/o | r/o | |||||
My tasks | r/o | r/o | |||||
My files | r/o | r/o | |||||
Change password | r/w | r/w |
Resetting interface preferences
Interface preferences are stored per user. Clicking on Reset Interface
, which can be found at the bottom of the left-hand menu, will clear any preferences that have been applied.
The following will be reset:
- System Queue Auto-refresh (15s) will be unchecked.
- Table column widths.
- ‘Don’t ask me again’ checkboxes will be unchecked.
- Filters applied to tables.
- ‘Do not show this page again’ checkbox will be unchecked for the Welcome to Osirium PAM page.
Common interface functions
When navigating your way round the Admin Interface take note of the following functions that will be useful to know.
- Context menu
- Inline editing
- Refresh button
- CSV download
- Filtering
- Checkboxes
- Customise table views
- Internal links
- Downloading a file
- Uploading a file
Context menu
Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:
Icon | Description |
---|---|
Show | Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record. |
Select all | Enables you to highlight all the entries in the table. |
Change password(s) | Change the password set for locally authenticated users only. |
Unlock | Accounts that have been locked can be unlocked for use. |
Unprovision | Removes any links associated with the user/device and then deletes the entry. |
Edit | The inline editing functionality allows you to update the details within the row. |
Multi-row Edit | Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window. |
Delete | Allows you to right-click and remove the user, device, or profile from the current configuration. |
View log | Opens up the Log viewer window and displays the log information for the selected entry. |
Inline editing
The inline editing functionality allows you to update details on the manage pages.
To edit an individual entry click on found at the end of a row. Once updated, click on .
To update multiple entries, highlight a number of rows, then right-click
and select from the context menu. Update the entries within the Multiple-row editor window and click SAVE CHANGES
. Changes will be applied to all selected rows.
Note
Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.
Refresh button
When you open a page, the data on the page is refreshed to ensure it is up-to-date. You can manually refresh the page at anytime by clicking the REFRESH
button.
Some pages also have an Auto-refresh
checkbox that when checked, refreshes the page periodically.
CSV download
Data on a page can be downloaded to file using the DOWNLOAD
button. If a filter has been applied on the page, then only the filtered data will be downloaded.
Filtering
To quickly find an entry, use the search filters that can be found above a table. Searches can be conducted on individual or multiple columns.
To clear a search filter, click on the within the search field.
Checkboxes
The following describes the behaviour of the checkboxes when filtering.
Checkbox | Behaviour |
---|---|
The filter will contain all lines that have the checkbox checked. | |
The filter will contain all lines that have the checkbox unchecked | |
Means there is no filter set. |
Customise table views
You can customise the appearance of tables by dragging and dropping the table columns or by using the drop down options available within a column.
The options available are:
Header | Description |
---|---|
Sort Ascending | Sorts in alphanumeric (A-Z) order. |
Sort Descending | Sorts in descending alphanumeric (Z-A) order. |
Configure Sort... | Allows you to add multiple sort levels. |
Columns | Table columns can be shown or hidden from view. |
Filter using | A number of conditions can be applied to narrow your search. |
Group by | Group by allows the data to be grouped based on the column selected. Grouped folders are created which can be expanded to reveal the list. NOTE The group by feature can not be used on pages with over 1000 records. |
Note
Table customisations do not persist across web browser sessions.
Internal links
Data highlighted in blue is an internal link that will navigate you to the associated named page.
Downloading a file
The way you download a file from the Admin Interface will vary depending on whether or not your Admin Interface is being Session Recorded. If your Admin Interface is being recorded you will see a red recording icon in the top left-hand corner of the Admin Interface.
Therefore, select one of the following based on your setup to be navigated to the correct steps:
- Download a file from the Admin Interface that is being recorded
- Download a file from the Admin Interface that is NOT being recorded
Download a file from the Admin Interface that is being recorded
When your session is being recorded, you will need to use the Shared Drive window to download your file to your local machine.
This example shows how to download a file from the Manage files page using the Shared Drive window.
-
Click Files in the left-hand menu.
-
On the Manage files page click for the entry you want to download.
-
You will be notified when the download has started and when it has been completed.
-
Now click on the icon located in the top right hand corner.
-
The Shared Drive window will open. You will see the downloaded file within the Shared Drive window. Click the file to download to your local machine.
Download a file from the Admin Interface that is NOT being recorded
When your session is NOT being recorded, you can download directly to your local machine.
This example shows how to download a file from the Manage files page directly to your local machine.
-
Click Files in the left-hand menu.
-
On the Manage files page click for the entry you want to download.
-
Depending on how your browser is set up, the file will either be downloaded to your local machine or you will be prompted to select a location to save the file.
Uploading a file
The way you upload a file from the Admin Interface will vary depending on whether or not your Admin Interface is being Session Recorded. If your Admin Interface is being recorded you will see a red recording icon in the top left-hand corner of the Admin Interface.
Therefore, select one of the following based on your setup to be navigated to the correct steps:
- Upload a file from the Admin Interface that is being recorded
- Upload a file from the Admin Interface that is NOT being recorded
Upload a file from the Admin Interface that is being recorded
When your session is being recorded, you will need to use the Shared Drive window to upload your file to the PAM Server.
This example shows how to upload a licence on the System configuration > Licencing using the Shared Drive window.
Note
For a file to be uploaded the appliances internal disk must have sufficient free space available.
-
Within the Admin Interface window, click on the icon located in the top right hand corner. The Shared Drive window will open.
-
Within the Shared Drive window, either drag and drop the file(s) from your local machine to the Upload your files section of the Shared Drive window or use the button to open your local machine File Explorer window and select the files to be uploaded.
-
Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.
-
Close the Shared Drive.
-
Click System configuration in the left-hand menu and select the Licencing tab.
-
On the Product licencing page click the
LOAD NEW LICENCE
button. -
Within the UPLOAD LICENCE window, click
Chose File
. The uploaded file will now be available on the Choose file window. -
Select the file and click
Open
. -
Within the Upload licence window, click
UPLOAD
.
Upload a file from the Admin Interface that is NOT being recorded
When your session is NOT being recorded, you can upload directly from your local machine to the PAM Server.
This example shows how to upload a licence on the System configuration > Licencing page directly from your local machine.
-
Click System configuration in the left-hand menu and select the Licencing tab.
-
On the Product licencing page click the
LOAD NEW LICENCE
button. -
Depending on how your browser is set up, the file will either be downloaded to your local machine or you will be prompted to select a location to save the file.
Supporting documentation
Other documentation relating to Osirium PAM includes:
The following can be found on our Support portal.
-
Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.
-
PAM Server: latest version download links and any pre or post installation requirements.
-
MAP Server: latest version download link.
-
PAM UI Server: latest version download link.
-
Latest Template Bundle: the template bundle is not release dependant so check the Support portal for the latest downloadable bundle.
The following Osirium PAM documentation can be found on our website.
-
Getting started guide: overview of the Osirium PAM components.
-
Installation guide: step-by-step instructions for installing each component and additional information relating to a HA configuration.
-
Upgrading guide: step-by-step instructions for upgrading each of the components.
-
Admin guide: step by step instructions on how to configure and manage privileged access.
-
User guide : step by step instructions on how to navigate and use the UI.
-
Template guide: reference guide to editing existing and the creation of new knowledge templates.