Managing profiles
This section describes how Osirium PAM profiles are created and managed within the Admin Interface. The following topics are included in this section:
- Manage profiles
- Default profiles
- Creating a new profile
- Enforcing change tickets
- Approval Requests
- Configuring a profile
- Full scan
- Reveal credentials tool
- Update credentials tool
- Bulk importing
- Editing a profile
- Deleting a profile
Manage profiles
Within Osirium PAM, profiles provide role-based management controls and link together a group of devices, tools, tasks, users and user groups.
A profile is like a job description. It specifies which access tools can be used to administer a device and which tasks can be run on the device. Any user that is linked to a given profile will be able to perform the tasks and access the devices.
If a profile is disabled, the permissions in that particular profile will be ignored when Osirium PAM calculates a user's access permission for a given device.
Note
Unless a user belongs to at least one profile with a tool/task and device, when they log onto the PAM UI they won’t have access to any devices, tools or tasks. By default all users will have access to the Admin Interface with limited functionality.
To view the Manage profiles page, click Profiles in the left-hand menu. The Manage profiles page lists all the profiles that have been created to manage device access.
Osirium PAM profile states include:

State | Description |
---|---|
Deleting | Deleting a profile removes the user's access to the devices and deletes any Osirium PAM user accounts that have been created on the device. |
Disabled | The profile is disabled. Users can log on to the UI but will be unable to access any devices, unless they are granted permission through another profile. |
Enabled | The profile is enabled. Users can access the devices through the UI, single sign-on to devices and execute tasks. |
Profile context menu options
A number of context menu options are available when you highlight a profile and then right-click. Some of the more common options are described in the Common Interface Functions section.
Default profiles
A number of profiles are created as default. The profiles contain common tasks that might be used to manage devices on a scheduled basis.
Profile Name | Description |
---|---|
Device Audit | Contains a daily scheduled Device Audit task. When a device is added to this profile, the task will run against the device to update information, i.e. Device Parameters, Inventory, Manage accounts. |
Device Credential Regeneration | Contains a weekly schedule for the Regenerate Account Credentials for devices attached to profile task, which updates the Fully managed and Managed accounts for all devices attached to the profile. |
Creating a new profile
When you click on the NEW PROFILE button on the Manage profiles page, a New profile window opens.
Fill in the following details:
Note
The options available within the New profile window will depend on the type of Osirium PAM licence you have purchased.
Heading | Description |
---|---|
Name | The display name that will be given to the profile. |
Enabled | Default is enabled. Allows users to access the device tools and tasks. |
Session Recording | If the tickbox is checked, it indicates that the user's session will be recorded by Osirium PAM. See Configuring Privileged Session Recorder. |
Change ticket required | If the tickbox is checked, it indicates that the user might be asked to enter a change ticket before accessing a tool/task. |
Configure Meta-info | Allows you to attach many kinds of information against each profile. See Configure Meta-Info. |
Enforcing change tickets
When the Change ticket required setting is enabled for a profile, a user accessing a device tool belonging to the profile through the UI will be requested to enter a change ticket reference before proceeding.
This allows you to minimise disruption to devices by controlling access and only allowing changes to take place under an approved change ticket which can be tracked and recorded.
See Change Tickets Report.
To record the activity conducted under a change ticket, enable session recording on the profile. See Configuring Privileged Session Recorder.
Approval Requests
Approval requests allow scheduled and just-in-time privileged access to be implemented, providing time- and approval-based access activation.
Implementing approval requests can help reduce the risk of excessive access while still providing quick access when and as it is required. It helps control and manage when devices are accessed, and limits access to specific time periods.
Approval requests are controlled through individual profile configurations. When approvers are added to a profile, users connecting to the device tool/task will be required to submit an approval request through the UI for the date and time they require the access to start.
When the user logs onto the UI, the device will be listed but greyed out. To connect to the device they will have to submit a Request Approval which then MUST be approved by one of the listed approvers. Once approved the device will no longer be greyed out and the user is able to connect to the device tool/task within the valid time frame.
Requests awaiting approval can be viewed on the UI Manage Approvals page. An email notification will also be sent to notify the approvers that there is an approval request pending.
The following describes the process and steps involved in setting up approvers on a profile, how a user submits a request, and how an approver would approve a request:
Warning
PAM Servers are set to UTC (Coordinated Universal Time) by default. Any changes to this (i.e. setting to a different timezone) will result in unexpected behaviours from the PAM Server.
- Create a profile: Firstly a profile needs to be created and devices, tools, tasks and users/user groups need to be configured.
- Add approvers to the profile: To enable a profile for Approval requests, approvers (users/user groups) also need to be added. This can be done via the Approvers tab within a named profile page.
- Set up email notifications: If you want approvers to be notified via email when an approval request has been submitted, then they must have:
  - A valid email configured on their user. See Creating users.
  - SMTP configured on the PAM Server. See SMTP configuration.
- Requesting approval: When a user logs onto the UI the device tool/task that requires an approval request will be greyed out and an icon will appear when selected.
The user will click the icon to open the Request/Manage Access window and submit a request by filling in the required information:

Field | Description |
---|---|
Start date | The date on which access is required. |
Start time | The time from which access is required. |
Hours / Minutes | The estimated duration required to complete the work using the device tool/task. |
Reason | Add a comment to let the approver know why access has been requested. |

Info
If the request isn't approved before the Start date/time then it will no longer be valid. Another approval request will need to be submitted.
- Approver approves the request: When a request has been submitted by a user, it will be queued for approval on the Manage Approvals list with a status of Pending. Any approver listed in the profile would need to log onto the UI and click on Manage Approvals. On the Manage Approvals page, review the requested approval and click APPROVE. When a request has been approved its status will change to Approved on the Manage Approvals list. If the request is not approved before its requested start date/time, its status will change to Expired on the Manage Approvals list and the user will have to resubmit a new approval request.
- Request approved, user can now connect to the device: When a request has been approved successfully and the start date/time is reached, the device tool/task will no longer be greyed out in the user interface. The user can now click on the device tool/task and gain access.
The user is able to access the device tool/task throughout the requested duration once approved. If there is an open connection to the device tool/task, the user can continue to access the device; when the device session is closed and the requested duration has expired, the device will be greyed out.
If the requested duration has expired and there is no open connection to the device tool/task, access will be disabled and the device tool/task will be greyed out again. If the user requires further access to the device, they will have to resubmit an approval request.
- Removing access for an approved request: Should you need to remove access for a previously approved request, locate the approved request in the Manage Approvals list, click the MORE OPTIONS button and then click REVOKE.
Note
Approval Requests do not currently support the Reveal Credentials or Update Credentials tasks.
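To make the timing rules above concrete, the following added example (not Osirium code) models the request lifecycle this section describes: Pending, then Approved or Expired; an access window of start date/time plus the requested duration; an open session outliving that window; and REVOKE removing access. Class, function and status names are hypothetical, and timestamps are required to be UTC because the PAM Server keeps time in UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statuses shown on the Manage Approvals list; "Revoked" is a hypothetical
# label for a request whose access was removed with REVOKE.
PENDING, APPROVED, EXPIRED, REVOKED = "Pending", "Approved", "Expired", "Revoked"


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Build a tz-aware UTC timestamp; the PAM Server keeps time in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_utc(ts: datetime) -> None:
    # The warning above says a non-UTC server clock gives unexpected behaviour,
    # so refuse naive or offset timestamps instead of guessing a timezone.
    if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
        raise ValueError(f"timestamp must be tz-aware UTC: {ts!r}")


@dataclass
class ApprovalRequest:
    start: datetime                   # requested Start date + Start time
    duration: timedelta               # requested Hours / Minutes
    approved_at: Optional[datetime] = None
    revoked: bool = False

    def __post_init__(self) -> None:
        _require_utc(self.start)

    @property
    def end(self) -> datetime:
        return self.start + self.duration

    def status(self, now: datetime) -> str:
        """Status as it would appear on the Manage Approvals list at `now`."""
        _require_utc(now)
        if self.revoked:
            return REVOKED
        if self.approved_at is not None:
            return APPROVED
        # Not approved before the requested start date/time: no longer valid.
        return EXPIRED if now >= self.start else PENDING

    def approve(self, now: datetime) -> bool:
        """Approver clicks APPROVE; only a Pending request can be approved."""
        if self.status(now) != PENDING:
            return False
        self.approved_at = now
        return True

    def revoke(self) -> None:
        """MORE OPTIONS > REVOKE; modelled as removing access immediately (assumption)."""
        self.revoked = True

    def can_connect(self, now: datetime, session_open: bool = False) -> bool:
        """Whether the device tool/task is clickable rather than greyed out.

        session_open: a connection made under this request is still open.
        """
        if self.status(now) != APPROVED:
            return False
        if now < self.start:
            return False          # approved, but the start date/time is not yet reached
        if now < self.end:
            return True           # inside the requested duration
        return session_open       # open sessions continue; new access is blocked


def demo() -> dict:
    """Walk two constructed requests through the lifecycle and record what is observed."""
    req = ApprovalRequest(start=utc(2024, 5, 1, 9, 0), duration=timedelta(hours=2))
    late = ApprovalRequest(start=utc(2024, 5, 1, 9, 0), duration=timedelta(hours=1))
    seen = {"before_approval": req.status(utc(2024, 5, 1, 8, 0))}
    req.approve(utc(2024, 5, 1, 8, 30))
    seen["early_click"] = req.can_connect(utc(2024, 5, 1, 8, 45))
    seen["in_window"] = req.can_connect(utc(2024, 5, 1, 10, 0))
    seen["after_window_open"] = req.can_connect(utc(2024, 5, 1, 11, 30), session_open=True)
    seen["after_window_closed"] = req.can_connect(utc(2024, 5, 1, 11, 30))
    seen["late_status"] = late.status(utc(2024, 5, 1, 9, 0))     # never approved in time
    seen["late_approve"] = late.approve(utc(2024, 5, 1, 9, 5))   # too late: stays Expired
    req.revoke()
    seen["after_revoke"] = req.can_connect(utc(2024, 5, 1, 10, 0), session_open=True)
    try:
        ApprovalRequest(start=datetime(2024, 5, 1, 9, 0), duration=timedelta(hours=1))
        seen["naive_rejected"] = False
    except ValueError:
        seen["naive_rejected"] = True
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```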
Configuring a profile
The Profile detail page allows you to configure a profile with Devices, Tools, Tasks, Users and User groups.
To go to the Profile detail page, from the Manage profiles page, click a profile Name.
Access tab
Manage devices
To add devices to a profile:
- To the right of Devices, click add. The Add devices to profile window appears.
Note
If you are adding to an existing profile and want to check whether a device has already been added, type the name of the device in the device search window.
- Within Select devices, select one or more devices. Access levels that are compatible with all selected devices are listed under Select access level.
- Within Select access level, select one or more access levels.
Available access levels can be made up of the following, depending on the device selected:
Configured within a template:
  - Role: the available device access levels Osirium PAM uses when creating personalised accounts on the device. If a role is selected, it applies to every user on the profile.
  - Account: Managed and Known accounts that can be used to single sign-on to the device. If an account is selected, it will be available to every user on the profile. No personalised accounts are created.
Configured within the Admin Interface:
  - Mapping: predefined account mappings allow an Osirium PAM username to be mapped to existing accounts on a device or within an account source (local accounts, Active Directory, Static vault). See Creating an Account Mapping.
  - Always ask: prompts the user for the username and password they want to use when they initiate the connection.
  - Pass-through: allows the user's password to be cached and then used to sign on to the device. To enable pass-through, see Enable Pass-Through.
Note
Only the following authentication types can be used with pass-through:
  - Active Directory: the password is cached.
  - Active Directory then RADIUS: only the password is cached (not the token).
  - Active Directory then TOTP: only the password is cached (not the token).
Cached pass-through credentials are saved case sensitive. To ensure successful pass-through, the username/password must match the user's pre-existing device account (username/password).
- Click ADD. The Action notifications window appears.
- Click ACKNOWLEDGE. The device is added to your devices list.
To remove devices from a profile:
- On the Devices table, select a device and click remove. The Confirm window appears.
Note
To remove more than one device at a time, hold CTRL and click each necessary device.
- Click OK. The Action notifications window appears.
- Click ACKNOWLEDGE. The device is removed from your devices list.
Manage tools
- To the right of Tools, click manage. The Manager: tools window appears.
Note
Tools are the applications that are used to access the device, i.e. HTTPS, SSH, RDP, etc. The list of tools can also include any MAP Server hosted tools.
- Within the Manager: tools window, tick the checkboxes in the Include column next to each tool you want to add to the profile.
Tools will be automatically filtered based on the available tools for the devices selected.
The tool icons indicate the following:

Icon | Description |
---|---|
Unsupported | Indicates that the tool is Unsupported by the devices added to the profile. |
Partially supported | Indicates that the tool is Partially supported, meaning it is not supported by all the devices added to the profile. |
Fully supported | Indicates that the tool is Fully supported, meaning it is supported by all the devices added to the profile. |

The tools list provides the access connection protocol methods supported by Osirium PAM. Access connection protocols supported by devices are defined in a template.
In addition, there is an internal Osirium PAM tool available on all devices called Reveal Credentials Tool.
- For some tools, additional options are available. To check additional options:
  - On the right-hand side of the table, click the icon. In the Options column, the Click to select options drop-down appears.
  - Click the drop-down.
  - If necessary, select one or more options.
  - Click SAVE CHANGES.
For example, a Remote Desktop tool has the following options available:

Option | Description |
---|---|
Allow RDP Drive mapping & Printer forwarding | Adding this option enables the Remote Desktop Protocol File System Virtual Channel Extension and Printer Forwarding Virtual Extension. File System Virtual Channel Extension: allows the client's drives to be exposed within the user's RDP session, so users can copy files between the client and the RDP session. Printer Forwarding Virtual Extension: in the PAM Client, printing within RDP and MAP native sessions is forwarded to local printers; in the PAM UI, printing within RDP and MAP sessions is forwarded to a virtual printer named "Shared Printer on PAM UI", which downloads the printout as a PDF in the local browser. |
Allow RDP clipboard | Adding this option turns on the Remote Desktop Protocol Clipboard Virtual Channel Extension. This allows users to seamlessly transfer data using the copy to clipboard functionality between the client and the RDP session. |
Allow RDP sound | Adding this option enables the Remote Desktop Protocol Audio Output Virtual Channel Extension. This allows users to hear sounds made within the RDP session on the client's machine. |

Adding MAP tools
When adding MAP hosted tools to a profile, one or more MAP groups must be selected.
If one MAP group is selected, connections to all enabled MAP servers within that group are load-balanced using a round-robin algorithm.
If more than one MAP group is selected, connections are first load-balanced across the enabled groups using a round-robin algorithm, and then load-balanced within each group by round-robin across the enabled servers in that group.
MAP tool connections are presented using Microsoft RDP RemoteApp. These are RDP connections and can therefore have their RDP options controlled. If you wish to allow RDP drive mapping, RDP clipboard or RDP sound support for the MAP tools, select the required options in the drop-down.
Selecting a MAP group with no active servers results in an error when a MAP tool is launched.
If you single sign-on using a Remote Desktop tool, you can view the available options in the Remote Desktop Connection window by clicking Details. Osirium PAM sets these options based on the profile options selected.
Note
If you single sign-on to Windows Server 2008, the drive mappings will be located in the Networks folder under tsclient.
- Tick the checkbox to include the option(s) and then click the icon.
- Click SAVE CHANGES. The tools and options are added to the profile and you return to the Profile detail page.
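The two-level round-robin described under Adding MAP tools, as an added example rather than Osirium's own code: it shows that with several groups selected a one-server group receives as many launches as a multi-server group, that disabled servers and disabled groups are skipped, and that a selected group with no active servers fails the launch. Class names and the server topology are constructed.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List


@dataclass
class MapServer:
    name: str
    enabled: bool = True


@dataclass
class MapGroup:
    name: str
    servers: List[MapServer] = field(default_factory=list)
    enabled: bool = True

    def active_servers(self) -> List[MapServer]:
        return [s for s in self.servers if s.enabled]


class NoActiveServers(Exception):
    """A selected MAP group has no active servers: the tool launch fails."""


class MapToolBalancer:
    """Round-robin across the enabled selected groups, then within each group."""

    def __init__(self, selected: List[MapGroup]):
        groups = [g for g in selected if g.enabled]
        if not groups:
            raise ValueError("at least one enabled MAP group must be selected")
        for g in groups:
            if not g.active_servers():
                raise NoActiveServers(f"MAP group {g.name!r} has no active servers")
        self._groups = cycle(groups)
        # One independent rotation per group, over that group's enabled servers only.
        self._servers = {g.name: cycle(g.active_servers()) for g in groups}

    def next_server(self) -> MapServer:
        """Pick the server for the next MAP tool launch."""
        group = next(self._groups)
        return next(self._servers[group.name])


def distribute(selected: List[MapGroup], launches: int) -> Dict[str, int]:
    """Count how many of `launches` tool sessions land on each server."""
    balancer = MapToolBalancer(selected)
    counts: Dict[str, int] = {}
    for _ in range(launches):
        server = balancer.next_server()
        counts[server.name] = counts.get(server.name, 0) + 1
    return counts


def launch_fails(selected: List[MapGroup]) -> bool:
    """True if launching a MAP tool against `selected` would error out."""
    try:
        MapToolBalancer(selected)
        return False
    except NoActiveServers:
        return True


# Constructed topology: one small group, one larger group with a server disabled.
UK = MapGroup("uk-maps", [MapServer("uk-map-1")])
US = MapGroup("us-maps", [MapServer("us-map-1"), MapServer("us-map-2"),
                          MapServer("us-map-3", enabled=False)])

if __name__ == "__main__":
    print(distribute([UK, US], 8))   # {'uk-map-1': 4, 'us-map-1': 2, 'us-map-2': 2}
    print(distribute([US], 5))       # {'us-map-1': 3, 'us-map-2': 2}
```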
Manage tasks
- To the right of Tasks, click manage. The Manager: tasks window appears. The Manager: tasks window lists all the System tasks available through Osirium PAM. System tasks are performed internally by Osirium PAM and are not visible on the PAM UI.
- Tick the checkboxes in the Include column for each task you want to add. Tasks will be automatically filtered based on the available tasks for the devices selected.
- Each task can be scheduled to run on a daily, weekly or monthly basis. Schedules must be created before they can be used. See Manage Schedules.
- Click on the icon to bring up the Schedules drop-down.
- Select one or more schedules from the drop-down to set on the task.
- Click the icon. The schedules are set.
- Click SAVE CHANGES. You return to the Profile detail page.
Manage users
- To the right of Users, click manage. The Manager: users window appears.
- Within the Manager: users window, tick the checkboxes in the Include column next to each user you want to include.
Alternatively, hold down the SHIFT key and select multiple users, then right-click and select Include.
- Click SAVE CHANGES to add the users. The ProfileUserUpdate task is run and you return to the Profile detail page.
Manage user groups
- To the right of User groups, click manage. The Manager: user groups window appears. User groups are an easy and quick way of adding multiple users to the same profiles. See How to Associate Users and Profiles to a User Group.
- Within the Manager: user groups window, tick the checkboxes in the Include column next to each user group you want to include.
Alternatively, hold down the SHIFT key and select multiple user groups, then right-click and select Include.
- Click SAVE CHANGES to add the user groups. The ProfileUserUpdate task is run and you return to the Profile detail page.
Note
If you are using a pattern access level type, the user account audited on the device by Osirium PAM must be Known by Osirium PAM before it can be used. See Managing Accounts to check the account's state within Osirium PAM and change it if necessary.
Approvers tab
To require an approval request for each of the devices listed in the profile, click on the Approvers tab.
Approvers
Users can be added as individuals or a group of users can be added through predefined user groups. User groups are an easy and quick way of adding multiple users to the same profiles. See How to create a new user group.
To add an individual user:
- To the right of Approvers, click manage. The Manager: approvers window appears.
- Within the Manager: approvers window, tick the checkboxes in the Include column next to each user you want to include.
Alternatively, hold down the SHIFT key and select multiple users, then right-click and select Include.
- Click SAVE CHANGES to add the selected users to the profile's approvers list.
Approver groups
To add a user group:
- To the right of Approvers Groups, click manage. The Manager: approver groups window appears.
- Within the Manager: approver groups window, tick the checkboxes in the Include column next to each user group you want to include.
Alternatively, hold down the SHIFT key and select multiple user groups, then right-click and select Include.
- Click SAVE CHANGES to add the selected user groups to the profile's approvers list.
Full scan
Clicking on the FULL SCAN button will do the following:
- Checks Osirium PAM to confirm the users/devices in the profile, to work out which accounts should exist on the device/auth service.
- If an account is not found, Osirium PAM checks whether the missing account existed on the device/auth service when it was last audited.
- If the accounts didn't exist during the last audit, it creates them.
- All database links related to the profile are also checked during the scan.
Note
The FULL SCAN button should only be used in emergencies.
Reveal credentials tool
The Reveal Credentials tool allows Osirium PAM users to reveal the device account credentials (passwords and SSH keys) for an individual account.
Credentials can be revealed for Fully managed, Known and Managed accounts only.
Note
Reveal Credentials is NOT available for the Osirium Server.
There are two ways to reveal the credentials of an account:
- Through the Manage accounts page. See Troubleshooting Account Passwords.
- Through the UI.
To reveal credentials through the UI:
- Create a new profile (see Creating a New Profile) or open an existing profile.
- Within the Profile detail page, add a device, add the Reveal Credentials tool and then add users. For more information, see Configuring a Profile.
- Open the UI and log in as a user that has been added to the profile.
- Once you have successfully logged in, within the My Access page locate the device. You will see the Manage credentials task displayed.
- Click the Manage credentials task.
- Within the Manage Credentials window, click REVEAL.
- Within the Reveal Credentials window, click REVEAL to decrypt the account credentials.
- Within the Reveal Credentials window, the password can now be revealed for the account by clicking the password field, or copied by clicking the Copy To Clipboard icon.
- Once you have retrieved the account credentials, close the window.
Update credentials tool
The update credentials tool allows you to update the credentials that Osirium PAM stores for existing accounts.
Stored credentials can be updated for Known accounts only.
Note
The Update Credentials tool cannot be used with the Osirium Server.
To enable the update credentials tool:
- Within the Manage profiles page, click a profile name. The Profile detail page appears.
Note
The selected profile must have associated devices and users. For more information, see Configuring a Profile.
- Within the Profile detail page, to the right of Tools, click manage. The Manager: tools window appears.
- Within the Manager: tools window, select the Included checkbox for Update Credentials.
- Click SAVE CHANGES. The Update Credentials tool appears in the list of tools on the Profile detail page and is enabled for users associated with the profile.
To use the update credentials tool:
- Log in to the UI as a user and, within the My Access page, locate the device. You will see the Manage credentials task displayed.
- Click the Manage credentials task.
- Within the Manage Credentials window, click UPDATE.
- Click the Update icon. The Update Credentials window appears.
Note
The options available on the Update stored credentials window may differ from the screenshot above, depending on the authentication method of the profile used.
- On the Update Credentials window, click the icon for the necessary account.
- Update the stored credentials as required. The following options are available depending on the authentication method of the profile used:

Credentials | Details |
---|---|
Password | Type a new password. |
Password again | Type the new password again to confirm. |
SSH private key | Click the Show editor icon to upload a new SSH private key. |
SSH key passphrase | Type a new SSH passphrase. |

If available, ensure the checkboxes for the credentials you want to update are selected.
Note
To clear a credential, select the checkbox and leave the field blank.
- Click CONFIRM. The Action queue window appears and the selected stored credentials are updated.
- Click SUBMIT.
Bulk importing
Rather than creating new profiles manually and one at a time, you can create many profiles using a bulk import. To do this, you need to download and populate the appropriate CSV (comma separated values) file.
Once the profile container has been created you can use the profile membership CSV template to add/update/delete memberships in profiles. By this we mean devices, tools, tasks, users and user groups.
Import new profiles
To bulk import new profiles:
- Within the Manage profiles page, click BULK IMPORT and then select Import profiles from the menu.
- Within the Import from CSV window, click DOWNLOAD CSV TEMPLATE.
If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.
The CSV template contains the required fields and provides examples as a guideline for filling in the fields correctly.
Example profile CSV template:
Example of a profiles CSV template filled in:
Required fields

Heading | Description |
---|---|
Name | Enter the name you want the profile to be called. This will be the display name. |
Enabled | Enter TRUE if you want the profile to be enabled when created. When enabled, the users will be given permission to use the devices set out in the profile. If left blank or set to FALSE, the profile will be disabled when created and no access will be granted to users through this profile. |
Session recording | Enter TRUE to record the users' device sessions. |
Change ticket required | Enter TRUE if the user will be required to enter a valid change ticket before logging onto a device session and commencing any work on the device. This is to ensure any planned work to be carried out on a device has been approved through change management. Change tickets can be integrated with ServiceNow for change ticket validation. See ServiceNow Ticket Integration Configuration. |
Notes | Additional information about the profile. |
Meta-columns | Enter the meta-column value. See Configure Meta-Info. |

Note
- If left blank or set to FALSE, the feature will be disabled when the profile is created.
- Columns in your downloaded CSV template file may vary depending on the features licensed.
- Enable window settings will be defaulted to Always.
- Meta column settings will be defaulted to the first entry in the list of options available if one is not specifically stated.

- Now within the Import from CSV window, click Choose File.
If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.
- Select the bulk import file.
- Click IMPORT.
- Within the Action queue window, click DONE. The profile containers are created and can be seen on the Manage profiles page.
At this stage the profiles are empty and membership needs to be added to grant users access to devices.
Import profiles membership
For existing or new profiles you can add/update/delete membership using a CSV file. Within the CSV file the memberships are grouped and placed on individual lines so bear this in mind when you are making updates. Any memberships changes will be updated when the CSV file is imported back into Osirium PAM.
To bulk import profile membership:
- Within the Manage profiles page, to export a single profile's membership, select the profile and click EXPORT. To export the memberships of all profiles, make sure no profiles are selected before exporting.
- Select Export profiles membership from the menu.
If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.
- Open the file in your preferred CSV editor.
- Update, remove or add memberships within the CSV file.
Note
If you do not want to make any amendments to a profile membership, leave it as is. Otherwise, if the configuration is removed, it will be deleted during the import process.

Heading | Description |
---|---|
Profile | Name of an existing profile. |
Device | Internal name given to the device. NOTE: Device names must match the names on the Manage Devices page. NOTE: If adding a device, an access level must be entered. |
Access level | Enter the access level that will be granted to the user when accessing the device. The available access levels are dependent on the device. Access levels can be: Role: the available device access levels Osirium PAM can use when creating personalised accounts on the device; the role entered applies to every Osirium PAM user in the profile. Account: Managed and Known accounts that can be used to single sign-on to the device; if an account is selected it will be available to every user in the profile, and no personalised accounts are created. Mapping: predefined account mappings allow an Osirium PAM username to be mapped to existing accounts on a device or within an account source (local accounts, Active Directory, Static vault); see Creating an Account Mapping. Always ask: prompts the user for the username and password they want to use when they initiate the connection. Pass-through: allows the username/password to be cached and then used to single sign-on to devices; the Osirium PAM username/password must match that of an existing user on the device. See Enable Pass-Through. |
Tool | Enter the device access connection protocol name that will be used to access the device, i.e. HTTPS, SSH, RDP. NOTE: Multiple tools can be entered using a semicolon-separated list. NOTE: Available device tools for a device can be found on the named device template detail page. See Show Template. |
Tool options | Some tools may have additional options associated with them. For example, Remote Desktop may have Allow RDP drive mapping, Allow RDP clipboard and Allow RDP sound; tools associated with a MAP Server will have MAP server groups listed. NOTE: If adding a tool option, it must be associated with a tool. |
Task | The task list available is created with system tasks. System tasks are internally performed by Osirium PAM and will not be visible on the PAM UI. NOTE: Available tool options for a device can be found on the named device template detail page. See Show Template. |
Task schedules | To run the tasks on a schedule, enter the schedule time. NOTE: Schedules must be created before they can be used. See Manage Schedules. |
User | Internal name given to the user. If you want to add multiple users, it is easier to create a user group first and then add the user group name rather than individual names. NOTE: User names must match the names on the Manage Users page. |
User group | Enter the name of the user group. See Managing User Groups. |
Approvers | Internal name of the user(s) that will become request approvers for the profile. |
Approver groups | Enter the name of the approvers group that will be given permission to approve requests. |

- Save the CSV file.
- Click BULK IMPORT and select Import profiles membership from the menu.
- Within the Import from CSV window, click Choose File.
If the PAM Server Browser (HTTP) tool is being session recorded, then you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.
- Click Import profiles membership. The CSV entries will be listed in the Review import data window. Review the entries and make amendments as necessary.
- Click IMPORT. The Question window opens.
Note
Clicking YES means the profile membership configurations will be applied. Memberships no longer listed will be removed and others will be updated/added.
- Within the Action queue window, click DONE. The profile memberships are updated.
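An offline checker, added here and not part of Osirium PAM, for the two CSV files this section describes: it applies the TRUE/blank rule to the profiles template and the membership rules stated above (a device row needs an access level, a tool option needs a tool, several tools are separated by semicolons, and profile, device and user names must match existing names) before anything is uploaded. Column headings follow the tables on this page but the real template headers may differ, and the sample rows and known-name sets are constructed.

```python
import csv
import io
from typing import Dict, List, Set

# Column names follow the headings on this page; the real template headers
# may differ (assumption).
PROFILE_COLUMNS = ["Name", "Enabled", "Session recording", "Change ticket required", "Notes"]
MEMBERSHIP_COLUMNS = ["Profile", "Device", "Access level", "Tool", "Tool options", "Task",
                      "Task schedules", "User", "User group", "Approvers", "Approver groups"]

# Constructed sample files, not exported from a real PAM Server.
PROFILES_CSV = ",".join(PROFILE_COLUMNS) + """
Linux Admins,TRUE,TRUE,,Day-to-day Linux administration
Network Ops,,TRUE,TRUE,Disabled until the change window is agreed
"""
MEMBERSHIP_CSV = ",".join(MEMBERSHIP_COLUMNS) + """
Linux Admins,web01,root,SSH;HTTPS,,,,alice,,,
Linux Admins,web02,,SSH,,,,,,,
Network Ops,fw01,Always ask,,Allow RDP clipboard,,,,netops,,
Network Ops,db99,Always ask,RDP,,,,bob,,,
"""
# Names as they would appear on the Manage Devices / Manage Users pages (constructed).
KNOWN_DEVICES = {"web01", "web02", "fw01"}
KNOWN_USERS = {"alice"}


def flag(value) -> bool:
    """Blank or anything other than TRUE means the feature is disabled."""
    return (value or "").strip().upper() == "TRUE"


def parse_profiles(text: str) -> Dict[str, dict]:
    """Return {profile name: settings} for a profiles CSV, applying the TRUE/blank rule."""
    profiles: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Name") or "").strip()
        if not name:
            raise ValueError("profile row without a Name")
        profiles[name] = {
            "enabled": flag(row.get("Enabled")),
            "session_recording": flag(row.get("Session recording")),
            "change_ticket_required": flag(row.get("Change ticket required")),
            "notes": (row.get("Notes") or "").strip(),
        }
    return profiles


def validate_membership(text: str, profiles: Set[str], devices: Set[str],
                        users: Set[str]) -> List[str]:
    """Return one message per problem; an empty list means the rows follow the rules."""
    problems: List[str] = []
    # Line 1 is the header, so the first data row is line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        cell = lambda col: (row.get(col) or "").strip()
        if cell("Profile") not in profiles:
            problems.append(f"line {n}: profile {cell('Profile')!r} does not exist")
        if cell("Device"):
            if cell("Device") not in devices:
                problems.append(f"line {n}: device {cell('Device')!r} is not on Manage Devices")
            if not cell("Access level"):
                problems.append(f"line {n}: device {cell('Device')!r} has no access level")
        tools = [t.strip() for t in cell("Tool").split(";") if t.strip()]
        if cell("Tool options") and not tools:
            problems.append(f"line {n}: tool option {cell('Tool options')!r} is not associated with a tool")
        if cell("User") and cell("User") not in users:
            problems.append(f"line {n}: user {cell('User')!r} is not on Manage Users")
    return problems


def check_sample() -> dict:
    """Run both checks over the constructed sample files."""
    profiles = parse_profiles(PROFILES_CSV)
    problems = validate_membership(MEMBERSHIP_CSV, set(profiles), KNOWN_DEVICES, KNOWN_USERS)
    return {"profiles": profiles, "problems": problems}


if __name__ == "__main__":
    for line in check_sample()["problems"]:
        print(line)
```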
Editing a profile
See Common Interface Functions section for inline editing.
Deleting a profile
Deleting a profile removes users/user groups access to the devices and deletes any Osirium PAM user accounts created on the device.
Once deleted the profile cannot be reinstated. The profile would have to be recreated.
To delete:
- On the Manage profiles page, right-click on a profile and then click Delete within the context menu.
Note
If the profile contains devices, a warning appears. Click CONTINUE.
- Within the Question window, click YES. During deletion, the profilescan task is run, which will:
  - Disconnect users logged onto any of the devices within the profile.
  - Run the Device and Auth Services account update task to remove any accounts on the device.
  - Delete the profile from the list; it cannot be reinstated.
Note
Orphaning a device means that the profile being deleted is the only profile linked to the device's highest level of permission. If the device only has ‘read’ and ‘readwrite’ as permissions, this might mean that no users will have ‘read/write’ access to manage the device.