Skip to content

Osirium PAM Administrators guide

This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.

This section covers:

Overview

Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.

It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.

Osirium PAM ensures users never need to know the password of privileged account credentials of devices, enabling secure access and eliminating the risk posed through shared privileged account credentials.

Osirium PAM also provides a comprehensive audit trail, including session recording, allowing you to review and analyse end-to-end accountability of your users access and knowing who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.

With the introduction of the High Availability (HA) feature servers can now be configured as a primary and secondary pair and provide increased availability and resilience. For information on HA click here.

Admin Interface

The Admin Interface is a web based interface used for the management of Osirium PAM. It allows you to configure and manage users, devices and privileged access as well as monitor, audit and review user access.

Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Owner or Admin role access level.

During the initial configuration phase of the PAM Server setup, a SuperAdmin user account was created and given a password. This user is locally authenticated and is initially used to log on to Osirium PAM and access the Admin Interface.

Use the SuperAdmin account to create personalised user accounts, then log off from Osirium PAM and log back in using your personal account created.

Warning

The SuperAdmin account should NOT be used by users to manage Osirium PAM, as it won't give individual user accountability and auditing.

The Admin Interface is divided into the following areas:

Area Description
Left-hand menu Provides links to various areas of the interface. Clicking on a menu option opens the relevant page in the workspace area.
Workspace This is the main area were you can find management tasks and view existing entries.

Configuring your Osirium PAM

Before you start adding users, devices and configuring profiles to enable privileged access to users, you will need to setup the PAM Server configuration settings. The system configuration settings can be found on the following pages:

  • Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server.

  • System configuration: Is divided into a number of tabs with different configuration settings which can be applied to your server.

Osirium PAM access levels

It is important to first work out what level of access will be required for those who will be managing and configuring the system, to those who will monitoring information and analysing data.

By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least privileged model when granting access. For further details of configuring roles in Osirium PAM see Managing roles.

Use the following defined device access levels to assign users the appropriate permission:

Application Section Action Owner Admin Auditor
Management Interface Configure HA Yes
PAM
Server
Console
Trouble-
shooting
Shutdown Yes
Reboot Yes
System Status Yes
Restart Services Yes
Restart Queues Yes
Purge Queues Yes
Restart RDP Yes
Reset Support Password Yes
Unlock Support Account Yes
Clear notifications Yes
Change IP Address Yes
Admin Interface Manage Manage users r/w r/w r/o
Manage user groups r/w r/w r/o
Manage devices r/w r/w r/o
Manage Active Directory r/w r/w r/o
Manage static vaults r/w r/w r/o
Manage accounts r/w r/w r/o
Generate Breakglass Yes
Reveal Credentials Yes
Manage account mappings r/w r/w r/o
Manage profiles r/w r/w r/o
Manage schedules r/w r/w r/o
Manage files r/w r/w r/o
Manage MAP servers r/w r/w r/o
Reporting Device access r/w r/w r/o
Playback session recordings Yes Yes Yes
Export session recordings Yes Yes
Shadow live sessions Yes Yes Yes
Access requests r/w r/w r/o
Change tickets r/w r/w r/o
User rights audit r/w r/w r/o
Tasks r/w r/w r/o
Inventory r/w r/w r/o
Management r/w r/w r/o
Analytics r/w r/w r/o
Behaviour Analytics r/o r/o r/o
System System queue r/w r/w r/o
System configuration r/w r/w r/o
Configure Osirium Support account Yes
Roles r/w r/w r/o
API applications r/w r/w r/o
Template library r/w r/w r/o
Email subscriptions r/w r/w r/o
Configure meta-columns r/w r/w r/o
Logs r/w r/w r/o

Resetting interface preferences

Interface preferences are stored per user. Clicking on Reset Interface, which can be found at the bottom of the left-hand menu, will clear any preferences that have been applied.

The following will be reset:

  • System Queue Auto-refresh (15s) will be unchecked.
  • Table column widths.
  • ‘Don’t ask me again’ checkboxes will be unchecked.
  • Filters applied to tables.
  • ‘Do not show this page again’ checkbox will be unchecked for the Welcome to Osirium PAM page.

Common interface functions

When navigating your way round the Admin Interface take note of the following functions that will be useful to know.

Context menu

Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:

Icon Description
Show Show Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record.
Select all Select all Enables you to highlight all the entries in the table.
Change Passwords Change password(s) Change the password set for locally authenticated users only.
Unlock Unlock Accounts that have been locked can be unlocked for use.
Remove Unprovision Removes any links associated with the user/device and then deletes the entry.
Edit pencil Edit The inline editing functionality allows you to update the details within the row.
Edit pencil Multi-row Edit Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window.
Delete Delete Allows you to right-click and remove the user, device, or profile from the current configuration.
View log Opens up the Log viewer window and displays the log information for the selected entry.

Inline editing

The inline editing functionality allows you to update details on the manage pages.

To edit an individual entry click on Edit pencil found at the end of a row. Once updated, click on Save.

To update multiple entries, highlight a number of rows, then right-click and select Edit pencil from the context menu. Update the entries within the Multiple-row editor window and click SAVE CHANGES. Changes will be applied to all selected rows.

Note

Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.

Refresh button

When you open a page, the data on the page is refreshed to ensure it is up-to-date. You can manually refresh the page at anytime by clicking the REFRESH button.

Some pages also have an Auto-refresh checkbox that when checked, refreshes the page periodically.

Clear configuration settings

To remove settings configured on the System configuration tabs, you should use the Set to 'None' icon which can be located at the end of a row.

Using the Set to 'None' icon will remove all values configured for the selected row.

For example:

Set to 'None'

CSV download

Data on a page can be downloaded to file using the DOWNLOAD button. If a filter has been applied on the page, then only the filtered data will be downloaded.

Filtering

To quickly find an entry, use the search filters that can be found above a table. Searches can be conducted on individual or multiple columns.

To clear a search filter, click on the Close within the search field.

Checkboxes

The following describes the behaviour of the checkboxes when filtering.

Checkbox Behaviour
Checked The filter will contain all lines that have the checkbox checked.
Unchecked The filter will contain all lines that have the checkbox unchecked
Neutral box Means there is no filter set.

Customise table views

You can customise the appearance of tables by dragging and dropping the table columns or by using the drop down options available within a column.

The options available are:

Header Description
Sort Ascending Sorts in alphanumeric (A-Z) order.
Sort Descending Sorts in descending alphanumeric (Z-A) order.
Configure Sort... Allows you to add multiple sort levels.
Columns Table columns can be shown or hidden from view.
Filter using A number of conditions can be applied to narrow your search.
Group by Group by allows the data to be grouped based on the column selected. Grouped folders are created which can be expanded to reveal the list.
NOTE The group by feature can not be used on pages with over 1000 records.

Note

Table customisations do not persist across web browser sessions.

Data highlighted in blue is an internal link that will navigate you to the associated named page.

Downloading a file

The way you download a file from the Admin Interface will vary depending on whether or not your Admin Interface is being Session Recorded. If your Admin Interface is being recorded you will see a red recording icon in the top left-hand corner of the Admin Interface.

Therefore, select one of the following based on your setup to be navigated to the correct steps:

Download a file from the Admin Interface that is being recorded

When your session is being recorded, you will need to use the Shared Drive window to download your file to your local machine.

This example shows how to download a file from the Manage files page using the Shared Drive window.

  1. Click Files in the left-hand menu.

  2. On the Manage files page click Download for the entry you want to download.

    Download

  3. You will be notified when the download has started and when it has been completed.

    Download confirmation

  4. Now click on the Shared Drive icon icon located in the top right hand corner.

    Shared drive banner

  5. The Shared Drive window will open. You will see the downloaded file within the Shared Drive window. Click the file to download to your local machine.

    Shared Drive folder download

Download a file from the Admin Interface that is NOT being recorded

When your session is NOT being recorded, you can download directly to your local machine.

This example shows how to download a file from the Manage files page directly to your local machine.

  1. Click Files in the left-hand menu.

  2. On the Manage files page click Download for the entry you want to download.

    Download

  3. Depending on how your browser is set up, the file will either be downloaded to your local machine or you will be prompted to select a location to save the file.

Uploading a file

The way you upload a file from the Admin Interface will vary depending on whether or not your Admin Interface is being Session Recorded. If your Admin Interface is being recorded you will see a red recording icon in the top left-hand corner of the Admin Interface.

Therefore, select one of the following based on your setup to be navigated to the correct steps:

Upload a file from the Admin Interface that is being recorded

When your session is being recorded, you will need to use the Shared Drive window to upload your file to the PAM Server.

This example shows how to upload a licence on the System configuration > Licencing using the Shared Drive window.

Note

For a file to be uploaded the appliances internal disk must have sufficient free space available.

  1. Within the Admin Interface window, click on the Shared Drive icon icon located in the top right hand corner. The Shared Drive window will open.

    Shared drive window

  2. Within the Shared Drive window, either drag and drop the file(s) from your local machine to the Upload your files section of the Shared Drive window or use the Plus button to open your local machine File Explorer window and select the files to be uploaded.

    Upload your files window

    File upload window with File Explorer

  3. Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.

    Uploaded file

  4. Close the Shared Drive.

  5. Click System configuration in the left-hand menu and select the Licencing tab.

  6. On the Product licencing page click the LOAD NEW LICENCE button.

  7. Within the UPLOAD LICENCE window, click Chose File. The uploaded file will now be available on the Choose file window.

    Choose file

  8. Select the file and click Open.

  9. Within the Upload licence window, click UPLOAD.

Upload a file from the Admin Interface that is NOT being recorded

When your session is NOT being recorded, you can upload directly from your local machine to the PAM Server.

This example shows how to upload a licence on the System configuration > Licencing page directly from your local machine.

  1. Click System configuration in the left-hand menu and select the Licencing tab.

  2. On the Product licencing page click the LOAD NEW LICENCE button.

    Download

  3. Depending on how your browser is set up, the file will either be downloaded to your local machine or you will be prompted to select a location to save the file.

Supporting documentation

Other documentation relating to Osirium PAM includes:

The following can be found on our Support portal.

  • Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.

  • PAM Server: latest version download links and any pre or post installation requirements.

  • MAP Server: latest version download link.

  • PAM UI Server: latest version download link.

  • Latest Template Bundle: the template bundle is not release dependant so check the Support portal for the latest downloadable bundle.

The following Osirium PAM documentation can be found on our website.

  • Getting started guide: overview of the Osirium PAM components.

  • Installation guide: step-by-step instructions for installing each component.

  • Upgrading guide: step-by-step instructions for upgrading each of the components.

  • High Availability guide: overview of HA and step-by-step instructions for creating and upgrading an HA Pair.

  • Management Interface guide: step-by-step instructions for managing an HA Pair.

  • Admin guide: step-by-step instructions on how to configure and manage privileged access.

  • User guide : step-by-step instructions on how to navigate and use the UI.

  • Template guide: reference guide to editing existing and the creation of new knowledge templates.