Osirium PAM Administrators guide

This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.

Overview

Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.

It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.

Osirium PAM ensures users never need to know the passwords of privileged accounts on devices, enabling secure access and eliminating the risk posed by shared privileged account credentials.

It also provides a comprehensive audit trail, including session recording, allowing you to review and analyse your users' access with end-to-end accountability, so you know who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.

With the introduction of the cluster feature, servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience, and simplified management.

Admin Interface

The Admin Interface is a web-based interface for SuperAdmins for the management of Osirium PAM. It allows you to configure and manage users, devices and privileged access, as well as monitor, audit and review user access.

Accessing the Admin Interface

The Admin Interface can be accessed in the following ways:

  • Through the PAM UI using the Devices tool.
  • Through the PAM UI using the Admin Interface button.
  • Directly by appending /admin to the server URL. For example https://<pam_server_ipaddress>/admin.

For more information about the differences when accessing the Admin Interface click here.

Note

If you accessed the Admin Interface through the PAM UI using the Devices tool, the Shared Drive mechanism is used for uploading and downloading files. The other methods use the standard File Explorer window.

Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Role: Superadmin access level.

For more information about the PAM UI click here.

Superadmin Interface

If this is a new PAM Server, and it is the first time you are logging on, then you will need the primary superadmin account details to start creating user accounts.

During the initial configuration phase of the PAM Server setup, a primary superadmin user account was created and given a password. This user is locally authenticated and is used to log on to Osirium PAM and access the Admin Interface.

Use the primary superadmin account to create personalised user accounts, then log off from Osirium PAM and log back in using the personal account you created.

Note

The primary superadmin account should NOT be used by users to manage PAM Server, as it won't give individual user accountability and auditing.

With the introduction of the cluster feature, PAM Servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience, and simplified management.

Interface layout

The Admin Interface is divided into the following areas:

| Area | Description |
| --- | --- |
| Left-hand menu | Provides links to various areas of the interface. Clicking on a menu option opens the relevant page in the workspace area. |
| Workspace | This is the main area where you can find management tasks and view existing entries. |

Configuring your Osirium PAM

Before you start adding users and devices and configuring profiles to enable privileged access for users, you will need to set up the PAM Server configuration settings. The system configuration options can be found on the following pages:

  • Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server within a standalone or clustered configuration.

  • System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.

    If you have a clustered configuration, then these will have to be configured on a per node basis. The configuration settings will be saved locally in the database and not replicated across nodes or synchronised up to the master database. There are however a couple of exceptions to note:

    • Fingerprints: The approval status of a fingerprint can only be changed on the leader node as the data is replicated. But the Connection fingerprint enforcement behaviour setting is node specific.

    • PAM Server local password policy: Any local password change requests made from either the UI or Admin Interface for a user logged onto a follower node will be passed onto the leader node. Only the password policy configured on the leader node will be used to verify and approve the new password being set. Any local password policy configured on a follower node will be ignored.

For information on clustering click here.

Osirium PAM access levels

It is important to first work out what level of access will be required, both for those who will be managing and configuring the system and for those who will be monitoring information and analysing data.

By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least-privilege model when granting access.

Use the following defined device access levels to assign users permission:

Application Section Action SuperAdmin Auditor Reporter User
PAM Server Console Troubleshooting Shutdown Yes
Reboot Yes
System Status Yes
Restart Services Yes
Restart Queues Yes
Purge Queues Yes
Restart RDP Yes
Restart Support Password Yes
Unlock Support Password Yes
Clear notifications Yes
Change IP Address Yes
Admin Interface Manage Manage users r/w r/o
Manage user groups r/w r/o
Manage devices r/w r/o
Manage Active Directory r/w r/o
Manage static vaults r/w r/o
Manage accounts r/w r/o
Manage account mappings r/w r/o
Manage profiles r/w r/o
Manage schedules r/w r/o
Manage files r/w r/w r/w
Manage MAP servers r/w r/o
Reporting Device access r/w r/o r/o
Change tickets r/w r/o
User rights audit r/w r/o
Tasks r/w r/o r/o
Inventory r/w r/o r/o
Management r/w r/o r/o
Analytics r/w r/o
Behaviour Analytics r/o r/o
System System queue r/w r/o
System configuration r/w r/o
API applications r/w r/o
Template library r/w r/o
Email subscriptions r/w r/o
Configure meta-columns r/w r/o
Logs r/w r/o
Personal My Devices r/o r/o
My accounts r/o r/o
My tasks r/o r/o
My files r/o r/o
Change password r/w r/w

Resetting interface preferences

Interface preferences are stored per user. Clicking on Reset Interface, which can be found at the bottom of the left-hand menu, will clear any preferences that have been applied.

The following will be reset:

  • System Queue Auto-refresh (15s) will be unchecked.
  • Table column widths.
  • ‘Don’t ask me again’ checkbox will be unchecked.
  • Any open tabs will be closed.
  • Filters applied to tables.
  • ‘Do not show this page again’ checkbox will be unchecked for the Welcome to Osirium PAM page.

Common interface functions

When navigating your way round the Admin Interface take note of the following functions that will be useful to know.

Context menu

Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:

| Icon | Description |
| --- | --- |
| Show | Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record. |
| Select all | Enables you to highlight all the entries in the table. |
| Multi-row edit | Multiple entries can be selected and columns updated to the same setting entered. |
| Change password(s) | Can change the password set for locally authenticated users only. |
| Unlock | Accounts that have been locked can be unlocked for use. |
| Unprovision | Removes any links associated with the user/device and then deletes the entry. |
| Edit | The inline editing functionality allows you to update the details within the row. |
| Multi-row Edit | Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window. |
| Delete | Allows you to right-click and remove the user, device, or profile from the current configuration. |
| View log | Opens up the Log viewer window and displays the log information for the selected entry. |

Inline editing

The inline editing functionality allows you to update details on the manage pages.

To edit an individual entry, click on the Edit (pencil) icon. Once updated, click on Save.

To update multiple entries, highlight a number of rows, then right-click and select the Edit (pencil) option from the context menu. Make your updates in the Multiple-row editor window and click SAVE CHANGES. Changes will be applied to all selected rows.

Note

Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.

Refresh button

When you open a page, the data on the opened page is refreshed to ensure it is up-to-date.

You can manually refresh by clicking the REFRESH button.

Some pages also have an Auto-refresh checkbox that when checked, refreshes the page periodically.

CSV download

Data on a page can be downloaded to file. If a filter has been applied on the page, then only the filtered data will be downloaded.

Filtering

To quickly find an entry, many of the tables have search filters above the titles of each column.

For example, to filter on the Manage users page:

  1. Click on the Manage users page in the left-hand menu.

  2. Within the Manage users window, click in the search field above the Name column.

  3. Type in your search criteria. As you start typing your search criteria, the data will automatically start to update. Only the entries which match your search criteria will be displayed in the table.

  4. To narrow your search further, use multiple search fields. Other search options include tickboxes, dropdown list boxes and calendar date selectors.

    In this example, we have used the following to narrow our search:

| Column header | Search criteria |
| --- | --- |
| Name | Typed ‘L’ to search for all names that contain an ‘L’. |
| Enabled | Tick the checkbox (Checked). This will narrow down the list further to now include names containing an ‘L’ and enabled accounts only. |
| Auth type | Click the down arrow to reveal the list box options and select Local. The search will now be narrowed down to all enabled users with the name containing an ‘L’ and that are locally authenticated. |

Note

To clear a search filter, click on the Close icon, which appears when you click within a search field.

Checkboxes

The following describes the behaviour seen when clicking on the checkboxes during filtering.

| Checkbox | Behaviour |
| --- | --- |
| Checked | When the checkbox is checked, the filter will contain all lines that have the checkbox checked. |
| Unchecked | When the checkbox is unchecked and has a black outline, the filter will contain all lines that have the checkbox unchecked. |
| Neutral box | When the checkbox is grey, it means there is no filter set. |
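The same filter combination can be reproduced offline against an unfiltered CSV download, for example to review which enabled accounts are locally authenticated. The following is an added example, not Osirium code. It assumes the export has a header row using the column titles shown in the UI (Name, Enabled, Auth type), that checkbox columns are written as true/false, and that the text filter is a case-insensitive substring match; the sample rows and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample standing in for a CSV downloaded from the Manage users page.
# Assumption: header row uses the UI column titles; checkboxes export as true/false.
SAMPLE_EXPORT = """Name,Enabled,Auth type
alice.lane,true,Local
bob.smith,true,Local
carol.hill,false,Local
dan.cole,true,Active Directory
superadmin,true,Local
"""


def tri_state(value, wanted):
    """Checkbox filter: True = checked rows only, False = unchecked rows only,
    None = neutral (grey box, no filter set)."""
    if wanted is None:
        return True
    return (value.strip().lower() == "true") is wanted


def filter_users(csv_text, name_contains="", enabled=None, auth_type=None):
    """Apply the column filters together; every filter that is set must match."""
    matches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: the Name filter is a case-insensitive substring match.
        if name_contains.lower() not in row["Name"].lower():
            continue
        if not tri_state(row["Enabled"], enabled):
            continue
        if auth_type is not None and row["Auth type"] != auth_type:
            continue
        matches.append(row["Name"])
    return matches


def enabled_local_accounts(csv_text):
    """Review list: enabled accounts that authenticate locally."""
    return filter_users(csv_text, enabled=True, auth_type="Local")


if __name__ == "__main__":
    # The worked example from the table: 'L' in Name, Enabled checked, Auth type Local.
    print(filter_users(SAMPLE_EXPORT, "L", enabled=True, auth_type="Local"))
    print(enabled_local_accounts(SAMPLE_EXPORT))
```

Leaving `enabled` as `None` corresponds to the grey (neutral) checkbox, so disabled accounts are included rather than silently dropped.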

Customise table views

You can customise the appearance of most tables by dragging and dropping the table columns or by using the column drop down options.

The options available are:

| Header | Description |
| --- | --- |
| Sort Ascending | Sorts in alphanumeric (A-Z) order. |
| Sort Descending | Sorts in descending alphanumeric (Z-A) order. |
| Columns | Table columns can be shown or hidden from view. |
| Group by | Group by allows the data to be grouped based on the column selected. Group folders are created which can be expanded to reveal the list. NOTE: The group by feature cannot be used on pages with over 1000 records. |

Note

Table customisations do not persist across web browser sessions.

Configure sort

The configure sort option allows you to prioritise the order of the columns when sorting is applied.

To configure a sort on a table:

  1. Click the down arrow to reveal the table sort options.

  2. Click Configure sort….

  3. Within the Sort window, you will see the default sort which has been configured. Click ADD LEVEL to add a new sort entry to your list.

  4. Configure the new sort by level.

  5. Click Save to save the entry.

  6. Once you have added all your levels, you can use the Sort ascending or Sort descending to change the order of the search. The entry in the list must be highlighted in order to change the level.

  7. Click APPLY to save and update the table.

    The table heading will contain a number to indicate the sort order.

Data highlighted in blue is a link that will navigate you to the named page.

For example:

  1. Click Users in the left-hand menu.

  2. Within the Manage users window, click on a name which is highlighted in blue.

  3. The Named user page will open.

Downloading a file using Shared Drive

Within the Admin Interface there are a number of pages that will allow you to download:

  • Table contents to a CSV file.
  • Device files created from executed tasks.
  • Osirium PAM log files.

Note

If you accessed the Admin Interface via the PAM UI, the Shared Drive mechanism is used for downloading and transferring the file to your local machine.

This example shows how to download a file from the Manage files page.

  1. Click Files in the left-hand menu.

  2. On the Manage files page click Download for the entry you want to download.

  3. You will be notified when the download has started and when it has been completed.

    A Downloads tab will also open to show you the download file and status.

  4. Now click on the Shared Drive icon located in the top right-hand corner.

  5. The Shared Drive window will open. You will see the downloaded file within the Shared Drive window.

  6. To download the file to your local machine simply click on the file listed. The file will be downloaded by the browser.

Uploading a file using Shared Drive

Within the Admin Interface there are a number of pages that will require a file to be uploaded:

  • Product licence.
  • Template library.
  • Bulk import files.

Note

If you accessed the Admin Interface via the PAM UI, the Shared Drive mechanism is used for uploading the file to Osirium PAM.

  1. Within the Admin Interface window, click on the Shared Drive icon located in the top right-hand corner. The Shared Drive window will open.

  2. Within the Shared Drive window, click on the Upload your files (Plus) button. The Upload your files window will open.

  3. Either drag and drop the file(s) from your local machine to the Upload your files window or use the Plus button to open your local machine File Explorer window and select the files to be uploaded.

  4. Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.

    Note

    To stop a file during an upload or to remove the file click on the tick next to the file.

  5. The file will now be available from the Choose file window.

Supporting documentation

Other documentation relating to Osirium PAM includes:

The following can be found on our Support portal.

  • Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.

  • PAM Server: latest version download links and any pre or post installation requirements.

  • MAP Server: latest version download link.

  • PAM UI Server: latest version download link.

  • Latest Template Bundle: The template bundle is not release dependent, so check here for the latest downloadable bundle.

The following Osirium PAM documentation can be found on our website.

  • Getting started guide: Overview of the Osirium PAM components.

  • Installation guide: step-by-step instructions for installing each component and additional information relating to a cluster installation.

  • Upgrading guide: step-by-step instructions for upgrading each of the components.

  • Admin Interface: step by step instructions on how to configure and manage privileged access.

  • User guide: step by step instructions on how to navigate and use the UI.

  • Template guide: reference guide to editing existing and creation of new knowledge templates.