Osirium PAM Administrators guide
This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.
This section covers:
Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.
It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.
Osirium PAM ensures users never need to know the password of privileged account credentials of devices, enabling secure access and eliminating the risk posed through shared privileged account credentials.
Also provides a comprehensive audit trail, including session recording, allowing you to review and analyse end-to-end accountability of your users access and knowing who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.
With the introduction of the cluster feature servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.
The Admin Interface is a web based interface for SuperAdmins for the management of Osirium PAM. It allows you to configure and manage users, devices and privileged access as well as monitor, audit and review user access
Accessing the Admin Interface
The Admin Interface can be accessed in the following ways:
- Through the PAM UI using the Devices tool.
- Through the PAM UI using the
- Directly by appending /admin to the server URL. For example
For more information about the differences when accessing the Admin Interface click here.
If you accessed the Admin Interface through the PAM UI using the Devices tool the Shared Drive mechanism is used for uploading and downloading files. The other methods use the standard File Explorer window.
Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Role: Superadmin access level.
For more information about the PAM UI click here.
If this is a new PAM Server, and it is the first time you are logging on, then you will need the primary superadmin account details to start creating user accounts.
During the initial configuration phase of the PAM Server setup, a primary superadmin user account was created and given a password. This user is locally authenticated and is used to log on to Osirium PAM and access the Admin Interface.
Use the primary superadmin account to create personalised user accounts, then log off from Osirium PAM and log back in using your personal account created.
The primary superadmin account should NOT be used by users to manage PAM Server, as it won't give individual user accountability and auditing.
With the introduction of the cluster feature PAM Servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.
The Admin Interface is divided into the following areas:
|Left-hand menu||Provides links to various areas of the interface. Clicking on a menu option opens the relevant page in the workspace area.|
|Workspace||This is the main area were you can find management tasks and view existing entries.|
Configuring your Osirium PAM
Before you start adding users, devices and configuring profiles to enable privileged access to users, you will need to setup the PAM Server configuration settings. The system configuration options can be found on the following pages:
Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server within a standalone or clustered configuration.
System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.
If you have a clustered configuration, then these will have to be configured on a per node basis. The configuration settings will be saved locally in the database and not replicated across nodes or synchronised up to the master database. There are however a couple of exceptions to note:
Fingerprints: The approval status of a fingerprint can only be changed on the leader node as the data is replicated. But the Connection fingerprint enforcement behaviour setting is node specific.
PAM Server local password policy: Any local password change requests made from either the UI or Admin Interface for a user logged onto a follower node will be passed onto the leader node. Only the password policy configured on the leader node will be used to verify and approve the new password being set. Any local password policy configured on a follower node will be ignored.
For information on clustering click here.
Osirium PAM access levels
It is important to first work out what level of access will be required for those who will be managing and configuring the system, to those who will monitoring information and analysing data.
By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least privileged model when granting access.
Use the following defined device access levels to assign users permission:
|PAM Server Console||Troubleshooting||Shutdown||Yes|
|Restart Support Password||Yes|
|Unlock Support Password||Yes|
|Change IP Address||Yes|
|Admin Interface||Manage||Manage users||r/w||r/o|
|Manage user groups||r/w||r/o|
|Manage Active Directory||r/w||r/o|
|Manage static vaults||r/w||r/o|
|Manage account mappings||r/w||r/o|
|Manage MAP servers||r/w||r/o|
|User rights audit||r/w||r/o|
Resetting interface preferences
Interface preferences are stored per user. Clicking on
Reset Interface, which can be found at the bottom of the left-hand menu, will clear any preferences that have been applied.
The following will be reset:
- System Queue Auto-refresh (15s) will be unchecked.
- Table column widths.
- ‘Don’t ask me again’ checkbox will be unchecked.
- Any open tabs will be closed.
- Filters applied to tables.
- ‘Do not show this page again’ checkbox will be unchecked for the Welcome to Osirium PAM page.
Common interface functions
When navigating your way round the Admin Interface take note of the following functions that will be useful to know.
- Context menu
- Inline editing
- Refresh button
- CSV download
- Customise table views
- Configure sort
- Plus icon
- Downloading a file using Shared Drive
- Uploading a file using Shared Drive
Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:
|Show||Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record.|
|Select all||Enables you to highlight all the entries in the table.|
|Multi-row edit||Multiple entries can be selected and columns updated to the same setting entered.|
|Change password(s)||Can change the password set for locally authenticated users only.|
|Unlock||Accounts that have been locked can be unlocked for use.|
|Unprovision||Removes any links associated with the user/device and then deletes the entry.|
|Edit||The inline editing functionality allows you to update the details within the row.|
|Multi-row Edit||Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window.|
|Delete||Allows you to right-click and remove the user, device, or profile from the current configuration.|
|View log||Opens up the Log viewer window and displays the log information for the selected entry.|
The inline editing functionality allows you to update details on the manage pages.
To edit an individual entry click on . Once updated, click on .
To update multiple entries, highlight a number of rows, then right-click
and select from the context menu. Update the Multiple-row editor window and click
SAVE CHANGES. Changes will be applied to all selected rows.
Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.
When you open a page, the data on the opened page is refreshed to ensure it is up-to-date.
You can manually refresh by clicking the
Some pages also have an
Auto-refresh checkbox that when checked, refreshes the page periodically.
Data on a page can be downloaded to file. If a filter has been applied on the page, then only the filtered data will be downloaded.
To quickly find an entry, many of the tables have search filters above the titles of each column.
For example, to filter on the Manage users page:
Click on the Manage users page in the left-hand menu.
Within the Manage users window, click in the search field above the Name column.
Type in your search criteria. As you start typing your search criteria, the data will automatically start to update. Only the entries which match your search criteria will be displayed in the table.
To narrow your search further, use multiple search fields. Other search options include tickboxes, dropdown list boxes and calendar date selectors.
In this example, we have used the following to narrow our search:
|Column header||Search criteria|
|Name||Typed ‘L’ to search for all names that contain an ‘L’.|
|Enabled||Tick the checkbox .
This will narrow down the list further to now include names containing an 'L' and enabled accounts only.
|Auth type||Click the down arrow to reveal the list box options and select
The search will now be narrowed down to all enabled users with the name containing an ‘L’ and that are locally authenticated.
To clear a search filter, click on which appears when you click within a search field.
The following describes the behaviour seen when clicking on the checkboxes during filtering.
|When the checkbox is checked, the filter will contain all lines that have the checkbox checked.|
|When the checkbox is unchecked and has a black outline, the filter will contain all lines that have the checkbox unchecked|
|When the checkbox is grey, it means there is no filter set.|
Customise table views
You can customise the appearance of most tables by dragging and dropping the table columns or by using the column drop down options.
The options available are:
|Sort Ascending||Sorts in alphanumeric (A-Z) order.|
|Sort Descending||Sorts in descending alphanumeric (Z-A) order.|
|Columns||Table columns can be shown or hidden from view.|
|Group by||Group by allows the data to be grouped based on the column selected. Group folders are created which can be expanded to reveal the list.
NOTE The group by feature can not be used on pages with over 1000 records.
Table customisations do not persist across web browser sessions.
The configure sort option allows you to prioritise the order of the columns when sorting is applied.
To configure a sort on a table:
Click the down arrow to reveal the table sort options.
Within the Sort window, you will see the default sort which has been configured. Click
ADD LEVELto add a new sort entry to you list.
Configure the new sort by level.
Click to save the entry.
Once you have added all your levels, you can use the or to change the order of the search. The entry in the list must be highlighted in order to change the level.
APPLYto save and update the table.
The table heading will contain a number to indicate the sort order.
Data highlighted in blue is a link that will navigate you to the named page.
Click Users in the left-hand menu.
Within the Manage users window, click on a name which is highlighted in blue.
The Named user page will open.
Downloading a file using Shared Drive
Within the Admin Interface there are a number of pages that will allow you to download:
- Table contents to a CSV file.
- Device files created from executed tasks.
- Osirium PAM log files.
If you accessed the Admin Interface via the PAM UI the Shared Drive mechanism is used for downloading and transferring the file to your local machine.
This example shows how to download a file from the Manage files page.
Click Files in the left-hand menu.
On the Manage files page click for the entry you want to download.
You will be notified when the downloaded has started and when it has been completed.
A Downloads tab will also open to show you the download file and status.
Now click on the icon located in the top right hand corner.
The Shared Drive window will open. You will see the downloaded file within the Shared Drive window.
To download the file to your local machine simply click on the file listed. The file will be downloaded by the browser.
Uploading a file using Shared Drive
Within the Admin Interface there are a number of pages that will require a file to be uploaded:
- Product licence.
- Template library.
- Bulk import files.
If you accessed the Admin Interface via the PAM UI the Shared Drive mechanism is used for uploading the file to Osirium PAM.
Within the Admin Interface window, click on the icon located in the top right hand corner. The Shared Drive window will open.
Within the Shared Drive window click on the Upload your files . The Upload your files window will open.
Either drag and drop the file(s) from your local machine to the Upload your files window or use the button to open your local machine File Explorer window and select the files to be uploaded.
Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.
To stop a file during an upload or to remove the file click on the tick next to the file.
The file will now be available from the Choose file window.
Other documentation relating to Osirium PAM includes:
The following can be found on our Support portal.
Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.
PAM Server: latest version download links and any pre or post installation requirements.
MAP Server: latest version download link.
PAM UI Server: latest version download link.
Latest Template Bundle: The template bundle is not release dependant so check here for latest downloable bundle.
The following Osirium PAM documentation can be found on our website.
Getting started guide: Overview of the Osirium PAM components.
Installation guide: step-by-step instructions for installing each component and additional information relating to a cluster installation.
Upgrading guide: step-by-step instructions for a upgrading each of the components.
Admin Interface: step by step instructions on how to configure and manage privileged access.
User guide : step by step instructions on how to navigate and use the UI.
Template guide: reference guide to editing existing and creation of new knowledge templates.