Skip to content

Osirium PAM Administrators guide

This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.

This section covers:


Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.

It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.

Osirium PAM ensures users never need to know the password of privileged account credentials of devices, enabling secure access and eliminating the risk posed through shared privileged account credentials.

Also provides a comprehensive audit trail, including session recording, allowing you to review and analyse end-to-end accountability of your users access and knowing who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.

With the introduction of the cluster feature servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.

Accessing the Admin Interface

The Admin Interface is accessed through the PAM UI. Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Role: Superadmin access level.

For more information about the PAM UI click here.

Superadmin Interface

If this is a new PAM Server, and it is the first time you are logging on, then you will need the primary superadmin account details to start creating user accounts.

During the initial configuration phase of the PAM Server setup, a primary superadmin user account was created and given a password. This user is locally authenticated and is used to log on to Osirium PAM and access the Admin Interface.

Use the primary superadmin account to create personalised user accounts, then log off from Osirium PAM and log back in using your personal account created.


The primary superadmin account should NOT be used by users to manage PAM Server, as it won't give individual user accountability and auditing.

With the introduction of the cluster feature PAM Servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.

Configuring your Osirium PAM

Before you start adding users, devices and configuring profiles to enable privileged access to users, you will need to setup the PAM Server configuration settings. The system configuration options can be found on the following pages:

  • Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server within a standalone or clustered configuration.

  • System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.

    If you have a clustered configuration, then these will have to be configured on a per node basis. The configuration settings will be saved locally in the database and not replicated across nodes or synchronised up to the master database. There are however a couple of exceptions to note:

    • Fingerprints: The approval status of a fingerprint can only be changed on the leader node as the data is replicated. But the Connection fingerprint enforcement behaviour setting is node specific.

    • PAM Server local password policy: Any local password change requests made from either the UI or Admin Interface for a user logged onto a follower node will be passed onto the leader node. Only the password policy configured on the leader node will be used to verify and approve the new password being set. Any local password policy configured on a follower node will be ignored.

For information on clustering click here.

Osirium PAM access levels

It is important to first work out what level of access will be required for those who will be managing and configuring the system, to those who will monitoring information and analysing data.

By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least privileged model when granting access.

Use the following defined device access levels to assign users permission:

Application Section Action SuperAdmin Auditor Reporter User
PAM Server Console Troubleshooting Shutdown Yes
Reboot Yes
System Status Yes
Restart Services Yes
Restart Queues Yes
Purge Queues Yes
Restart RDP Yes
Restart Support Password Yes
Unlock Support Password Yes
Clear notifications Yes
Change IP Address Yes
Admin Interface Manage Manage users r/w r/o
Manage user groups r/w r/o
Manage devices r/w r/o
Manage Active Directory r/w r/o
Manage static vaults r/w r/o
Manage accounts r/w r/o
Manage account mappings r/w r/o
Manage profiles r/w r/o
Manage schedules r/w r/o
Manage files r/w r/o r/o
Manage MAP servers r/w r/o
Personal Approval Requests r/w r/w r/w r/w
Reporting Device access r/w r/o r/o
Change tickets r/w r/o
User rights audit r/w r/o
Tasks r/w r/o r/o
Inventory r/w r/o r/o
Management r/w r/o r/o
Analytics r/w r/o
Behaviour Analytics r/o r/o
System System queue r/w r/o
System configuration r/w r/o
API applications r/w r/o
Template library r/w r/o
Email subscriptions r/w r/o
Logs r/w r/o
Inventory r/w r/o
Personal My devices r/o r/o
My accounts r/o r/o
My tasks r/o r/o
My files r/o r/o
Approval Requests r/w r/w r/w r/w
Change password r/o r/o

Interface layout

The Admin Interface is divided into the following main areas:

Area Description
Left-hand menu Provides links to various areas of the interface. Clicking on a menu option opens the relevant workspace in the main window.
Workspace This is the main part of the window.
Tabs Are located above the workspace and opened when you click on a link in the left-hand menu. Tabs provide easy navigation between multiple opened pages.

Resetting interface preferences

Interface preferences are stored per user. Clicking on Reset interface, which can be found at the bottom of the left-hand menu, will clear any references which have been applied.

The following will be reset:

  • System Queue Auto-refresh (10s) will be unchecked.
  • Table column widths.
  • ‘Don’t ask me again’ checkbox will be unchecked.
  • Any open tabs will be closed.
  • Filters applied to tables.
  • ‘Do not show this page again’ checkbox will be unchecked for the Getting started page.

Common interface functions

When navigating your way round the Admin Interface take note of the following functions that will be useful to know.

Context menu

Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:

Icon Description
Show and Show linked Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record.
For example:
Show named user page Named user page.
Show named device page Named device page.
Show named profile pageNamed profile page.
Select all Select all Enables you to highlight all the entries in the table. Once highlighted you can:
Edit pencil Multi-row edit.
Password Change password(s).
Delete Record will be unprovision and deleted.
Edit pencil Edit The inline editing functionality allows you to update the details within the row.
Edit pencil Multi-row Edit Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window.
DeleteRemove from Allows you to right-click and remove the user, device, or profile from the current configuration.
View log Opens up the Log viewer window and displays the log information for the selected entry.

Inline editing

The inline editing functionality allows you to update details on the manage pages.

To edit an individual entry click on the Edit pencil icon at the end of each row or right-click and select Edit pencil icon from the context menu.

Once updated, click on the Save icon at the end of the row.

To update multiple entries, highlight a number of rows, then right-click and select Edit pencil icon from the context menu. Update the Multiple-row editor window and click Save changes. Changes will be applied to all selected rows.


Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.


Multi-row editor

Refresh button

Each time you switch between tabs in the interface, the workspace data is refreshed to ensure it is up-to-date.

You can manually refresh sections of the workspace by clicking the Refresh buttons.

Refresh button

The Home page and System queue page also have an Auto-refresh checkbox that, when checked, refreshes the page periodically after a set number of seconds.

Auto Refresh button

CSV download

The download button enables you to export all the data on the page into a CSV file format. If a filter has been applied on the page, then only the filtered data will be downloaded to the CSV file.

Download button


To quickly find an entry, many of the tables have search filters above the titles of each column.

Search filters

For example, to filter on the Manage users page:

  1. Click on the Manage users page in the left-hand menu.

  2. Within the Manage users window, click in the search field above the Name column.

  3. Type in your search criteria. As you start typing your search criteria, the data will automatically start to update. Only the entries which match your search criteria will be displayed in the table.

  4. To narrow your search further, use multiple search fields. Other search options include tickboxes, dropdown list boxes and calendar date selectors.

    In this example, we have used the following to narrow our search:

Column header Search criteria
Name Typed ‘L’ to search for all names that contain an ‘L’.
Checked box Tick the checkbox.
This will narrow down the list further to only include names containing an 'L' and the account is enabled.
Dropdown list box Click the Sort descending down arrow to reveal the list box options and select Local.
The search will now be narrowed down to all enabled users with the name containing an ‘L’ and are locally authenticated.

Example search filter


To clear a search filter, click on the Grey cross icon, which appears when you click within a search field.


The following describes the behaviour seen when clicking on the checkboxes during filtering.

Checkbox Behaviour
Checked box When the checkbox is checked, the filter will contain all lines that have the checkbox checked.
Unchecked box When the checkbox is unchecked and has a black outline, the filter will contain all lines that have the checkbox unchecked
Neutral box When the checkbox is grey, it means there is no filter set.

Customise table views

You can customise the appearance of most tables by dragging and dropping the table columns or by using the column drop down options.

The options available are:

Header Description
Sort Ascending Sorts in alphanumeric (A-Z) order.
Sort Descending Sorts in descending alphanumeric (Z-A) order.
Columns Table columns can be shown or hidden from view.
Group by Group by allows the data to be grouped based on the column selected. Group folders are created which can be expanded to reveal the list.
NOTE The group by feature can not be used on pages with over 1000 records.


Table customisations do not persist across web browser sessions.

Configure sort

The configure sort option allows you to prioritise the order of the columns when sorting is applied.

To configure a sort on a table:

  1. Right-click on a table heading OR left-click on the heading and then click on the Sort descending.

    Table context menu

  2. Click Configure sort….

    Configure sort

  3. Within the Sort window, you will see the default sort which has been configured. Click the Plus icon Add level button to add a new sort entry.

    Example Configure sort

  4. Click the Save icon to save the entry.

  5. Once you have added all your levels, you can use the Sort ascending or Sort descending to change the order of the search. The entry in the list must be highlighted in order to change the level.

  6. Click Apply to save and update the table.

    The columns will contain a number in the heading to indicate the order they are being sorted.

Data highlighted in blue and underlined is a link that will navigate you to the relevant page.

For example:

  1. Click on the Manage users page in the left-hand menu.

  2. Within the Manage users window, click on a name in the list, which you will see is highlighted in blue and underlined.

  3. The User details page opens up in a new tab and you are navigated to the page.

Plus icon

The Plus icon icon next to headings in the left-hand menu is a shortcut. When clicked the associated manage page is opened and a new window to add the object selected.

For example, clicking on the Plus icon next to Users, will give the following tab and new window.

New user plus

Downloading a file

The following instructions allow you to download a file from the Admin Interface to your local machine.

  1. Within the Admin Interface window, click the required download icon. The file download status notifications will be displayed.

    File download notification

  2. Now click on the Shared Drive icon icon located in the top right hand corner.

    Shared drive banner

  3. The Shared Drive window will open. You will see the file copied to the Shared Drive folder is listed within the Shared Drive window.

    Shared Drive folder download

  4. To download the file to your local machine simply click on the file within the Shared Drive window. The file will be downloaded by the browser.

Uploading a file

The following instructions allow you to upload a file from your local machine to the Admin Interface.

  1. Within the Admin Interface window, click on the Shared Drive icon icon located in the top right hand corner. The Shared Drive window will open.

    Shared drive window

  2. Within the Shared Drive window click on the Upload files icon Upload Files icon. The Upload your files window will open.

    Upload your files window

  3. Either drag and drop the file(s) from your local machine to the Upload your files window or use the Plus button to open your local machine File Explorer window and select the files to be uploaded.

    File upload window with File Explorer

  4. Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.

    Uploaded file


To stop a file during an upload or to remove the file click on the tick next to the file.

Supporting documentation

Other documentation relating to Osirium PAM includes:

The following can be found on our Support portal.

  • Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.

  • PAM Server: latest version download links and any pre or post installation requirements.

  • MAP Server: latest version download link.

  • PAM UI Server: latest version download link.

  • Latest Template Bundle: The template bundle is not release dependant so check here for latest downloable bundle.

The following can be found on our website on the Documentation page.

  • Osirium PAM Installation: installation, upgrade and clustering instructions for the PAM Server, MAP Server and PAM UI Server.

  • Admin Interface : step by step instructions on how to configure and manage Osirium PAM.

  • User Interface : step by step instructions on how to navigate and use the UI.