Osirium PAM Administrators guide
This guide will help you navigate your way round the Admin Interface of Osirium PAM, help you with the configuration of your system and the setup and management of privileged access.
This section covers:
Osirium PAM is a privileged user management system that allows you to implement a least-privilege user model when granting user access to devices and device tasks across your infrastructure.
It provides an easy to use Admin Interface for administrators, allowing you to quickly configure and manage user privileges.
Osirium PAM ensures users never need to know the password of privileged account credentials of devices, enabling secure access and eliminating the risk posed through shared privileged account credentials.
Also provides a comprehensive audit trail, including session recording, allowing you to review and analyse end-to-end accountability of your users access and knowing who did what, when and where. Along with our behaviour analytics reporting feature, user access can be adjusted and improved, ensuring a least-privilege model can be easily implemented.
With the introduction of the cluster feature servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.
Accessing the Admin Interface
The Admin Interface is accessed through the PAM UI. Only authorised administrators will have full access to the interface functionality and administrative tasks. An authorised administrator is a user who has the Role: Superadmin access level.
For more information about the PAM UI click here.
If this is a new PAM Server, and it is the first time you are logging on, then you will need the primary superadmin account details to start creating user accounts.
During the initial configuration phase of the PAM Server setup, a primary superadmin user account was created and given a password. This user is locally authenticated and is used to log on to Osirium PAM and access the Admin Interface.
Use the primary superadmin account to create personalised user accounts, then log off from Osirium PAM and log back in using your personal account created.
The primary superadmin account should NOT be used by users to manage PAM Server, as it won't give individual user accountability and auditing.
With the introduction of the cluster feature PAM Servers can now be configured to work together and provide load balancing, greater scalability, increased availability and resilience and simplified management.
Configuring your Osirium PAM
Before you start adding users, devices and configuring profiles to enable privileged access to users, you will need to setup the PAM Server configuration settings. The system configuration options can be found on the following pages:
Device parameters: PAM Server device parameters are those that are configured during the installation process. Changes to the device parameters can be made on the Osirium Server > Configuration tab. These are unique to each server within a standalone or clustered configuration.
System configuration: The System configuration page is divided into a number of tabs with different configuration settings which can be applied to your server.
If you have a clustered configuration, then these will have to be configured on a per node basis. The configuration settings will be saved locally in the database and not replicated across nodes or synchronised up to the master database. There are however a couple of exceptions to note:
Fingerprints: The approval status of a fingerprint can only be changed on the leader node as the data is replicated. But the Connection fingerprint enforcement behaviour setting is node specific.
PAM Server local password policy: Any local password change requests made from either the UI or Admin Interface for a user logged onto a follower node will be passed onto the leader node. Only the password policy configured on the leader node will be used to verify and approve the new password being set. Any local password policy configured on a follower node will be ignored.
For information on clustering click here.
Osirium PAM access levels
It is important to first work out what level of access will be required for those who will be managing and configuring the system, to those who will monitoring information and analysing data.
By understanding the Osirium PAM role-based access levels available, the permissions each of the roles will give and what operations the permissions will allow, you can apply a least privileged model when granting access.
Use the following defined device access levels to assign users permission:
|PAM Server Console||Troubleshooting||Shutdown||Yes|
|Restart Support Password||Yes|
|Unlock Support Password||Yes|
|Change IP Address||Yes|
|Admin Interface||Manage||Manage users||r/w||r/o|
|Manage user groups||r/w||r/o|
|Manage Active Directory||r/w||r/o|
|Manage static vaults||r/w||r/o|
|Manage account mappings||r/w||r/o|
|Manage MAP servers||r/w||r/o|
|User rights audit||r/w||r/o|
The Admin Interface is divided into the following main areas:
|Left-hand menu||Provides links to various areas of the interface. Clicking on a menu option opens the relevant workspace in the main window.|
|Workspace||This is the main part of the window.|
|Tabs||Are located above the workspace and opened when you click on a link in the left-hand menu. Tabs provide easy navigation between multiple opened pages.|
Resetting interface preferences
Interface preferences are stored per user. Clicking on
Reset interface, which can be found at the bottom of the left-hand menu, will clear any references which have been applied.
The following will be reset:
- System Queue Auto-refresh (10s) will be unchecked.
- Table column widths.
- ‘Don’t ask me again’ checkbox will be unchecked.
- Any open tabs will be closed.
- Filters applied to tables.
- ‘Do not show this page again’ checkbox will be unchecked for the Getting started page.
Common interface functions
When navigating your way round the Admin Interface take note of the following functions that will be useful to know.
- Context menu
- Inline editing
- Refresh button
- CSV download
- Customise table views
- Configure sort
- Plus icon
- Downloading a file
- Uploading a file
Context menu and options are available when you right-click a table row. Available options within a context menu will vary depending on the page you are on. Listed below are some of the more common options you will find:
|Show and Show linked||Navigates to the named page relating to your selection where you can view and manage the configuration of an individual record.
Named user page.
Named device page.
Named profile page.
|Select all||Enables you to highlight all the entries in the table. Once highlighted you can:
Record will be unprovision and deleted.
|Edit||The inline editing functionality allows you to update the details within the row.|
|Multi-row Edit||Allows you to highlight a number of rows and multi-edit common fields within the Multi-row editor window.|
|Remove from||Allows you to right-click and remove the user, device, or profile from the current configuration.|
|View log||Opens up the Log viewer window and displays the log information for the selected entry.|
The inline editing functionality allows you to update details on the manage pages.
To edit an individual entry click on the icon at the end of each row or right-click and select icon from the context menu.
Once updated, click on the icon at the end of the row.
To update multiple entries, highlight a number of rows, then right-click
and select icon from the context menu. Update the Multiple-row editor window and click
Save changes. Changes will be applied to all selected rows.
Fields available for editing will vary depending on whether you have selected an individual entry or multiple entries.
Each time you switch between tabs in the interface, the workspace data is refreshed to ensure it is up-to-date.
You can manually refresh sections of the workspace by clicking the
The Home page and System queue page also have an
Auto-refresh checkbox that, when checked, refreshes the page periodically after a set number of seconds.
The download button enables you to export all the data on the page into a CSV file format. If a filter has been applied on the page, then only the filtered data will be downloaded to the CSV file.
To quickly find an entry, many of the tables have search filters above the titles of each column.
For example, to filter on the Manage users page:
Click on the Manage users page in the left-hand menu.
Within the Manage users window, click in the search field above the Name column.
Type in your search criteria. As you start typing your search criteria, the data will automatically start to update. Only the entries which match your search criteria will be displayed in the table.
To narrow your search further, use multiple search fields. Other search options include tickboxes, dropdown list boxes and calendar date selectors.
In this example, we have used the following to narrow our search:
|Column header||Search criteria|
|Name||Typed ‘L’ to search for all names that contain an ‘L’.|
|Tick the checkbox.
This will narrow down the list further to only include names containing an 'L' and the account is enabled.
|Dropdown list box||Click the down arrow to reveal the list box options and select
The search will now be narrowed down to all enabled users with the name containing an ‘L’ and are locally authenticated.
To clear a search filter, click on the icon, which appears when you click within a search field.
The following describes the behaviour seen when clicking on the checkboxes during filtering.
|When the checkbox is checked, the filter will contain all lines that have the checkbox checked.|
|When the checkbox is unchecked and has a black outline, the filter will contain all lines that have the checkbox unchecked|
|When the checkbox is grey, it means there is no filter set.|
Customise table views
You can customise the appearance of most tables by dragging and dropping the table columns or by using the column drop down options.
The options available are:
|Sort Ascending||Sorts in alphanumeric (A-Z) order.|
|Sort Descending||Sorts in descending alphanumeric (Z-A) order.|
|Columns||Table columns can be shown or hidden from view.|
|Group by||Group by allows the data to be grouped based on the column selected. Group folders are created which can be expanded to reveal the list.
NOTE The group by feature can not be used on pages with over 1000 records.
Table customisations do not persist across web browser sessions.
The configure sort option allows you to prioritise the order of the columns when sorting is applied.
To configure a sort on a table:
Right-click on a table heading OR left-click on the heading and then click on the .
Within the Sort window, you will see the default sort which has been configured. Click the
Add levelbutton to add a new sort entry.
Click the icon to save the entry.
Once you have added all your levels, you can use the or to change the order of the search. The entry in the list must be highlighted in order to change the level.
Applyto save and update the table.
The columns will contain a number in the heading to indicate the order they are being sorted.
Data highlighted in blue and underlined is a link that will navigate you to the relevant page.
Click on the Manage users page in the left-hand menu.
Within the Manage users window, click on a name in the list, which you will see is highlighted in blue and underlined.
The User details page opens up in a new tab and you are navigated to the page.
The icon next to headings in the left-hand menu is a shortcut. When clicked the associated manage page is opened and a new window to add the object selected.
For example, clicking on the next to Users, will give the following tab and new window.
Downloading a file
The following instructions allow you to download a file from the Admin Interface to your local machine.
Within the Admin Interface window, click the required download icon. The file download status notifications will be displayed.
Now click on the icon located in the top right hand corner.
The Shared Drive window will open. You will see the file copied to the Shared Drive folder is listed within the Shared Drive window.
To download the file to your local machine simply click on the file within the Shared Drive window. The file will be downloaded by the browser.
Uploading a file
The following instructions allow you to upload a file from your local machine to the Admin Interface.
Within the Admin Interface window, click on the icon located in the top right hand corner. The Shared Drive window will open.
Within the Shared Drive window click on the Upload Files icon. The Upload your files window will open.
Either drag and drop the file(s) from your local machine to the Upload your files window or use the button to open your local machine File Explorer window and select the files to be uploaded.
Once the file has been successfully uploaded it will be available in the Shared Drive folder on the Admin Interface.
To stop a file during an upload or to remove the file click on the tick next to the file.
Other documentation relating to Osirium PAM includes:
The following can be found on our Support portal.
Osirium PAM Release Notes: covers new features, enhancements and bug fixes in relation to the latest release.
PAM Server: latest version download links and any pre or post installation requirements.
MAP Server: latest version download link.
PAM UI Server: latest version download link.
Latest Template Bundle: The template bundle is not release dependant so check here for latest downloable bundle.
The following can be found on our website on the Documentation page.
Osirium PAM Installation: installation, upgrade and clustering instructions for the PAM Server, MAP Server and PAM UI Server.
Admin Interface : step by step instructions on how to configure and manage Osirium PAM.
User Interface : step by step instructions on how to navigate and use the UI.