This section describes how Osirium PAM profiles are created and managed within the Admin Interface. The following topics are included in this section:
- Manage profiles
- Default profiles
- Creating a new profile
- Enforcing change tickets
- Just in Time Approval
- Configuring a profile
- Full scan
- Reveal credentials tool
- Update credentials tool
- Bulk importing
- Import profiles membership
- Editing a profile
- Deleting a profile
Within Osirium PAM, profiles provide role-based management controls and link together a group of devices, tools, tasks, users and user groups.
A profile is like a job description. It specifies which access tools can be used to administer a device and which tasks can be run on the device. Any user that is linked to a given profile will be able to perform the tasks and access the devices.
If a profile is disabled, the permissions in that particular profile will be ignored when Osirium PAM calculates a user's access permission for a given device.
Unless a user belongs to at least one profile with a tool/task and device, when they log onto the PAM UI they won’t have access to any devices, tools or tasks. By default all users will have access to the Admin Interface with limited functionality.
To view the Manage profiles page, click
Profiles in the left-hand menu. The Manage profiles page lists all the profiles that have been created to manage device access.
Osirium PAM profile states include:
|Deleting a profile removes the user’s access to the devices and deletes any Osirium PAM user accounts that have been created on the device.|
|The profile is disabled. Users can logon to the UI but will be unable to access any devices, unless they are granted permission through another profile.|
|The profile is enabled. Users can access the devices through the UI, single sign-on to devices and execute tasks.|
|If a user is added to this profile, they will be given SuperAdmin access rights to Osirium PAM.|
Profile context menu options
A number of context menu options are available when you highlight a profile and then right-click. Some of the more common options are described in the Common Interface Functions section.
|Delete||Deleting a profile removes the user’s access to the devices and deletes any personalised Osirium PAM user accounts that have been created on the device.|
A number of profiles are created as default. The profiles contain common tasks that might be used to manage devices on a scheduled basis.
|Device Audit||Contains a daily scheduled Device Audit task. When a device is added to this profile, the task will run against the device to update information, i.e. Device Parameters, Inventory, Manage accounts.|
|Device Backup||Contains a weekly scheduled Backup task. When a device is added to this profile, the devices backup task is run. The devices backup file will be available on the Manage files page for download. See Managing Files.|
|Device Credential Regeneration||Contains a weekly scheduled Regenerate Account Credentials for devices attached to profile task which will update the Fully managed and Managed accounts for all devices.|
|Osirium Super Admins||Contains the PAM Server with SuperAdmin access level. When users are added to this profile, they become Osirium PAM Superadmin and are given full access to the Admin Interface, Browser (HTTP) Tool, and the ability to run a number of tasks against the PAM Server.
Creating a new profile
When you click on the
New profile button on the Manage profiles page, a New profile window opens.
Fill in the following details:
The options available within the New profile window will depend on the type of Osirium PAM licence you have purchased.
|Name||The display name that will be given to the profile.|
|Enabled||Default is enabled. Allows users to access the device tools and tasks.|
|Session Recording||If the tickbox is checked, it indicates that the user's session will be recorded by Osirium PAM.
See Configuring Privileged Session Recorder.
|Change ticket required||If the tickbox is checked, it indicates that the user might be asked to enter a change ticket before accessing a tool/task.|
|Configure Meta-info||Allows you to attach many kinds of information against each profile. See Configure Meta-Info.|
Enforcing change tickets
When the Change ticket required setting is enabled for a profile, a user accessing a device tool/task belonging to the profile through the UI will be requested to enter a change ticket before proceeding.
This allows you to minimise disruption to devices by controlling access and only allowing changes to take place under an approved change ticket which can be tracked and recorded.
See Change Tickets Report.
To record the activity conducted under a change ticket, enable session recording on the profile. See Configuring Privileged Session Recorder.
Validating change tickets through ServiceNow
Osirium PAM can be integrated with ServiceNow allowing change tickets to be validated against an existing ServiceNow configuration management database (CMDB). For information on how to configure Osirium PAM to integrate with ServiceNow see ServiceNow Ticket Integration Configuration.
Just in Time Approval
Approval requests allow just in time privileged access to be implemented, providing time and approval based access activation.
Implementation of approval requests can help reduce the risk of excessive access whilst still providing quick access when and as it is required. It can help control and manage when devices are accessed, and limit access during specific time periods.
Approval requests are controlled through individual profile configurations. When approvers are added to a profile users will be required to submit an approval request through the UI at the time they require access to a device tool/task.
When the user logs onto the UI, the device will be listed but greyed out. To connect to the device they will have to submit a Request Approval which then MUST be approved by one of the listed approvers. Once approved the device will no longer be greyed out and the user is able to connect to the device tool/task within the valid time frame.
Requests waiting approval can be viewed on the UI Requests page. An email notification will also be sent to notify the approvers that there is a approval request pending.
The following describes the process and steps involved in setting up approvers on a profile, how a user submits a request, and how an approver would approve a request:
Create a profile: Firstly a profile needs to be created and devices, tools, tasks and users/user groups need to be configured.
Add approvers to the profile: To enable a profile for Approval requests, approvers (users/user groups) also need to be added. This can be done via the Approvers tab within a named profile page.
Setup email notifications: If you want approvers to be notified via email when an approval request has been submitted, then they must have:
- A valid email configured on their user. See Creating users.
- SMTP must be configured on the PAM Server. See SMTP configuration.
Requesting approval: When a user logs onto the UI the device tool/task that requires an approval request will be greyed out and an icon will be available.
The user will click the icon to open the Request Approval window and submit a request by filling in the required information:
Field Description Valid for (hours) The time limit within which the request needs to be approved and the device tool/task is accessed.
If the request isn't approved within the Valid for (hours) then it will no longer be valid. Another approval request will need to be submitted.
Comment Add a comment to let the approver know why access has been requested.
Approver approves the request: When a request has been submitted by a user, it will be queued for approval. Any approver listed in the profile, would need to log onto the UI and click on Requests. On the Approval Requests page, review the requested approval and click
APPROVE. When a request has been approved it will be removed from the Approval Requests list.
If the request expires before it is approved then it will become invalid and also removed from the Approval Requests list. The user will have to resubmit a new approval request.
Request approved, user can now connect to the device: When a request has been approved successfully, the device tool/task will no longer be greyed out in the user interface. The user can now click on the device tool/task and gain access.
The user is able to access the device tool/task throughout the Valid for (hours) period once approved. If there is an open connection to the device tool/task then the user can continue to access the device, when the device session is closed and the Valid for (hours) has expired then the device will be greyed out. If the Valid for (hours) has expired and there is no open connection to the device tool/task then access will be disabled, and the device tool/task will be greyed out again. If the user requires further access to the device then they will have to resubmit an approval request.
Configuring a profile
The Profile detail page allows you to configure a profile with Devices, Tools, Tasks, Users and User groups.
To go to the Profile detail page, from the Manage profiles page, click a profile Name.
To add devices to a profile:
To the right of Devices, click
add. The Add devices to profile window appears.
If you are adding to an existing profile and want to check if a device has already been added, use the device search window by typing in the name of the device.
Within Select devices, select one or more devices. Access levels that are compatible with all selected devices are listed under Select access level.
Within Select access level, select one or more access levels.
Available access levels can be made up of the following depending on the device selected:
Configured within a template:
Role: the available device access levels Osirium PAM uses when creating personalised accounts on the device. If a role is selected, it applies to every user on the profile.
Account: Managed and Known accounts that can be used to single sign-on to the device. If an account is selected, it will be available to every user on the profile. No personalised accounts are created.
Configured within the Admin Interface:
Mapping: predefined account mappings allow Osirium PAM username to be mapped to existing accounts on a device or within an account source (local accounts, Active Directory, Static vault). See Creating an Account Mapping.
Always ask: Will prompt the user for the username and password they want to use when they initiate the connection.
Pass-through: Allows the username/password to be cached and then used to single sign-on to devices. Osirium PAM username/password must match that of an existing user on the device. See Enable Pass-Through.
Add. The Action notifications window appears.
Acknowledge. The device is added to your devices list.
To remove devices from a profile:
On the Devices table, select a device and click
Remove. The Confirm window appears.
To remove more than one device at a time, hold CTRL and click each necessary device.
OK. The Action notifications window appears.
Acknowledge. The device is removed from your devices list.
To the right of Tools, click
manage. The Manager: tools window appears.
Tools are the applications that are used to access the device, i.e. HTTPS, SSH, RDP, etc. The list of tools can also include any MAP Server hosted tools.
Within the Manager: tools window, tick the checkboxes in the Include column next to each tool you want to add to the profile.
Tools will be automatically filtered based on the available tools for the devices selected.
The tool icons indicate the following:
Icon Description Indicates that the tool is Unsupported by the devices added to the profile. Indicates that the tool is Partially supported, meaning it is not supported by all the devices added to the profile. Indicates that the tool is Fully supported, meaning it is supported by all the devices added to the profile.
The tools list provides the necessary access connection protocol methods supported by Osirium PAM. Access connection protocols supported by devices are defined in a template.
In addition, there is an internal Osirium PAM tool available on all devices called Reveal Credentials Tool.
For some tools, additional options are available. To check additional options:
- On the right-hand of the table, click the icon. In the Options column, the Click to select options drop-down appears.
- Click the drop-down.
- If necessary, select one or more options.
A Remote Desktop tool has the following options available:
Option Description Allow RDP Drive mapping Adding this option enables the Remote Desktop Protocol: File System Virtual Channel Extension.
This allows the client's drives to be exposed within the user's RDP session, allowing users to copy files between the client and the RDP session.
Allow RDP clipboard Adding this option turns on the Remote Desktop Protocol: Clipboard Virtual Channel Extension.
This allows users the ability to seamlessly transfer data using the copy to clipboard functionality between the client and the RDP session.
Allow RDP sound Adding this option enables the Remote Desktop Protocol: Audio Output Virtual Channel Extension.
This allows users to hear sounds made within the RDP session on the client's machine.
Adding MAP tools
When adding MAP hosted tools to a profile, one or more MAP groups must be selected.
If one MAP group is selected, connections to all enabled MAP servers within that group are load-balanced using a round-robin algorithm.
If more than one MAP group is selected, connections are load-balanced across each enabled group using a round-robin algorithm and then load-balanced within each group to also round-robin across enabled servers in the group.
MAP tool connections are presented using Microsoft RDP RemoteApp. These are RDP connections and, therefore, can have their RDP options controlled. If you wish to allow RDP drive mapping, RDP clipboard or RDP sound support to the MAP tools, select the required options in the drop-down.
Selecting a MAP group with no active servers results in an error when a MAP tool is launched.
If you single sign-on using a Remote Desktop tool, you can view the available options in the Remote Desktop Connection window by clicking
Details. Osirium PAM sets these options based on the profile options selected.
If you single sign-on to Windows Server 2008, the drive mappings will be located in the following location:
Networks folder under tsclient.
Tick the checkbox to include the option(s) and then click the icon.
Save changes. The tools and options are added to the profile and you return to the Profile detail page.
To the right of Tasks, click
Manage. The Manager: tasks window appears.
The Manager: tasks window lists all the tasks available through Osirium PAM. The list provided is created from:
User tasks: all the tasks that are defined in the uploaded templates. Only tasks defined in a template can be run on the device compatible with the template.
When a template task is added to a profile along with a device, the user's UI will be updated with the user tasks.
System tasks: are internally performed by Osirium PAM and will not be visible on the PAM UI.
Tick the checkboxes in the Include column for each task you want to add. Tasks will be automatically filtered based on the available tasks for the devices selected.
Each task can be scheduled to run on a daily, weekly or monthly basis. Schedules must be created before they can be used. See Manage Schedules.
Click on the icon to bring up the Schedules drop-down.
Select one or more schedules from the drop-down to set on the task.
Click the icon. The schedules are set.
Save changes. You return to the Profile details page.
To the right of Users, click
Manage. The Manager: users window appears.
Within the Manager: users window, tick the checkboxes in the Include column next to each user you want to include.
Alternatively, hold down the SHIFT key and select multiple users, then right click and select
Save changesto add the users. The ProfileUserUpdate task is run and you return to the Profile detail page.
Manage user groups
To the right of User groups, click
Manage. The Manager: user groups window appears.
User groups are an easy and quick way of adding multiple users to the same profiles.
See How to Associate Users and Profiles to a User Group.
Within the Manager: user groups window, tick the checkboxes in the Include column next to each user group you want to include.
Alternatively, hold down the SHIFT key and select multiple user groups, then right click and select
Save changesto add the user groups. The ProfileUserUpdate task is run and you return to the Profile detail page.
If you are using a pattern access level type, the user account audited on the device by Osirium PAM must be Known by Osirium PAM before it can be used. See Managing Accounts to check the account's state within Osirium PAM and change if necessary.
To add an approval request for each of the devices listed in the profile, click on the Approvers tab.
Users can be added as individuals or a group of users can be added through predefined user groups. User groups are an easy and quick way of adding multiple users to the same profiles. See How to create a new user group.
To add an individual user:
To the right of Approvers, click
manage. The Manager: approvers window appears.
Within the Manager: approvers window, tick the checkboxes in the Include column next to each user you want to include.
Alternatively, hold down the SHIFT key and select multiple users, then right-click and select Include.
Save changesto add the selected users to the profiles approvers list.
To add a user group:
To the right of Approvers Groups, click
manage. The Manager: approver groups window appears.
Within the Manager: approver groups window, tick the checkboxes in the Include column next to each user group you want to include.
Alternatively, hold down the SHIFT key and select multiple user groups, then right-click and select Include.
Click Save changes to add the user groups to add the selected users groups to the profiles approvers list.
Clicking on the
Full scan button will do the following:
Checks Osirium PAM to confirm the users/devices in the profile, to work out which accounts should exit on the device/auth service.
If an account is not found, Osirium PAM checks if the missing account existed on the device/auth service when it was last audited.
If the accounts didn't exist during the last audit, it will create the accounts.
All database links related to the profile will also be checked during the scan.
Full scan button should only be used in emergencies.
Reveal credentials tool
The Reveal Credentials tool allows Osirium PAM users to reveal the device account credentials (passwords and SSH keys) for an individual account.
Credentials can be revealed for Fully managed, Known and Managed accounts only.
Reveal Credentials is NOT available for the Osirium Server.
There are two ways to reveal the credentials of an account:
Through the Manage accounts page. See Troubleshooting Account Passwords.
Through the UI.
To reveal credentials through the UI:
Create a new profile, see Creating a New Profile or open up an existing profile.
Within the Profile detail page, add a device, add the Reveal Credentials tool and then add users. For more information, see Configuring a Profile.
Open up the UI and login as a user that has been added to the profile.
Once you have successfully logged into your UI, select Credentials and locate the device. You will see the Reveal credentials icon displayed.
Click the Reveal Credentials icon.
Within the Reveal Credentials window, click
REVEALto decrypt the account credentials.
Within the Reveal Credentials window, the password can now be revealed for the account by moving the mouse over the password field or by clicking the Copy To Clipboard icon to copy the password.
Once you have retrieved the account credentials, click to close the window.
Update credentials tool
The update credentials tool allows you to update the credentials that Osirium PAM stores for existing accounts.
Stored credentials can be updated for Known accounts only.
The Update Credentials tool cannot be used with the Osirium Server.
To enable the update credentials tool:
Within the Manage profiles page, click a profile name. The Profile detail page appears.
The selected profile musts have associated devices and users. For more information, see Configuring a Profile.
Within the Profile detail page, to the right of Tools, click
Manage. The Manager: tools window appears.
Within the Manager: tools window, select the
Includedcheckbox for Update Credentials.
Save changes. The Update Credentials tool appears on the list of tools on the Profile detail page and is enabled for users associated with the profile.
To use the update credentials tool:
Log in to the PAM UI as a user, select Credentials and locate the device. You will see the Update icon displayed.
Click the Update icon. The Update stored credentials window appears.
The options available on the Update stored credentials window may differ to the screenshot above depending on the authentication method of the profile used.
On the Update Credentials window, click the icon for the necessary account.
Update the stored credentials as required. The following options are available depending on the authentication method of the profile used:
Credentials Details Password Type a new password. Password again Type the new password again to confirm. SSH private key Click the
Show editoricon to upload a new SSH private key.
SSH key passphrase Type a new SSH passphrase.
If available, ensure the checkboxes for the credentials you want to update are selected .
To clear a credential, select the checkbox and leave the field blank.
CONFIRM. The Action queue window appears and the selected stored credentials are updated.
Rather than creating new profiles manually and one at a time, you can create many profiles using a bulk import. To do this, you need to download and populate the appropriate CSV (comma separated values) file.
Bulk import can be used to create new profiles or update existing profile memberships.
Populating the new profile bulk import CSV template file
To create and then populate a new profile you first need to download the CSV template:
Within the Manage profiles page, click
The CSV template contains the required fields and provides examples as a guideline for filling in the fields correctly.
Example profile CSV template:
Example of a profiles CSV template filled in:
|Name||Enter the name you want the profile to be called. This will be the display name.|
|Enabled||Enter TRUE if you want the profile to be enabled when created. When enabled, the users will be given permission to use the devices set out in the profile.
If left blank or set to FALSE, the profile will be disabled when created. No access will be granted to users through this profile.
|Session recording||Enter TRUE to record the users device session.|
|Change ticket required||Enter TRUE if the user will be required to enter a valid change ticket before logging onto a device session and commencing any work on the device.
This is to ensure any planned work to be carried out on a device has been approved through change management.
Change tickets can be integrated with ServiceNow for change ticket validation. See ServiceNow Ticket Integration Configuration
|Notes||Additional information about the profile.|
|Meta-columns||Enter the meta-column value. See Configure Meta-Info.|
- If left blank or set to FALSE the feature will be disabled when the profile is created.
- Columns in your downloaded CSV template file may vary depending on the features licensed.
- Enable window settings will be defaulted to Always.
- Meta column settings will be defaulted to the first entry in the list of options available if one is not specifically stated.
Importing the completed new profile CSV file
Once you have populated and saved the profile CSV file with all the new profiles you want to create, you can import the data into Osirium PAM to create your profile containers.
Within the Manage profiles page, click
Within the Admin Interface, Import from CSV window, click
Choose Fileand locate the saved profiles CSV file. For further details on how to upload a file see Uploading a file.
Import. The CSV entries will be listed in the Review import data window. Review the entries and update if necessary, using the .
Within the Action queue window, click
Done. The profile containers are created and can be seen on the Manage profiles page.
At this stage the profiles are empty and need to be configured before they can be used to grant user access to devices.
Import profiles membership
Once a profile has been created you can bulk import memberships.
Memberships are grouped and placed on individual lines as follows, so bear this in mind when you are making updates. Any removed or updated memberships will be updated when the CSV file is imported back into Osirium PAM.
- Devices and access levels.
- Tools and tool options.
- Tasks and task schedules.
- User groups.
- Approver groups.
To create your memberships CSV file and bulk import them::
Within the Manage profiles page, to export a single profiles membership select the profile, click the
Exportbutton and then select the
Export profiles membershipfrom the menu.
A CSV file will be exported containing the profile memberships. To export all the memberships for all the profiles make sure no profiles are selected before exporting. For further details on how to download a file see Downloading a file.
Open up the file in your preferred CSV editor.
Update, remove and add memberships within the CSV file.
If you do not want to make any amendments to a profile membership, then leave as is. Otherwise, if the configuration is removed, it will be deleted during the import process.
Heading Description Profile Name of an existing profile. Device Internal name given to the device.
NOTE Device names must match the names on the Manage Devices page.
NOTE If adding a device, an access level must be entered.
Access level Enter the access level that will be granted to the user when accessing the device.
The available access levels are dependent on the device. Access levels can be:
Role: These are the available device access levels Osirium PAM can use when creating personalised accounts on the device. The role entered will apply for every Osirium PAM user in the profile.
Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected it will be available to every user in the profile. No personalised accounts are created.
Pattern: These are predefined patterns that allow Osirium PAM user accounts to be linked to existing accounts on a device. See Creating an Account Mapping.
NOTE If adding an access level, it must be associated with a device and available in the device template.
Pass-through: Allows the PAM UI username/password to be cached and then used to single sign-on to devices. The Osirium PAM username/password must match that of an existing user on the device. See Enable Pass-Through.
Tool Enter the device access connection protocol name that will be used to access the device, i.e. HTTPS, SSH, RDP.
NOTE Multiple tools can be entered using a semi-colon separated list.
NOTE Available device tools for a device can be found on the named device template detail page. See Show Template.
Tool options Some tools may have additional options associated with them.
- Remote Desktop may have Allow RDP drive mapping, Allow RDP clipboard and Allow RDP sound.
- Tools associated with a MAP Server will have MAP server groups listed.
NOTE If adding a tool option, it must be associated with a tool.
Task The task list available is created with user and system tasks.
- User tasks: are all the tasks that are defined in templates. Only tasks relevant to the devices in the profile will be usable.
- System tasks: are internally performed by Osirium PAM and will not be visible on the PAM UI.
NOTE Available tool options for a device can be found on the named device template detail page. See Show Template.
Task schedules To run the tasks on a schedule, enter the schedule time.
NOTE Schedules must be created before they can be used. See Manage Schedules.
User Internal name given to the user. If you want to add multiple users then it is easier to create a user group first and then add the user group name, rather than individual names.
NOTE User names must match the names on the Manage Users page.
User group Enter the name of the user group. See Managing User Groups. Approvers Internal name of the user(s) that will become request approvers for the profile. Approver groups Enter the name of the approvers group that will be given permission to approve requests.
Within the Manage profiles page, click
Bulk Import > Import profiles membership.
Within the Import from CSV window, click
Choose file. For further details on how to upload a file see Uploading a file.
Locate and select the updated csv file.
Import profiles membership. The CSV entries will be listed in the Review import data window. Review the entries and make amendments as necessary.
Import. The Question window opens.
Yesmeans the profile membership configurations will be applied. Memberships no longer listed will be removed and others will be updated/added.
Within the Action queue window, click
Done. The profile memberships are updated.
Editing a profile
See Common Interface Functions section for inline editing.
Deleting a profile
Deleting a profile removes users/user groups access to the devices and deletes any Osirium PAM user accounts created on the device.
Once deleted the profile cannot be reinstated. The profile would have to be recreated.
On the Manage profiles page, right-click on a profile and then click
Deletewithin the context menu.
If the profile contains devices, a warning appears. Click
Within the Question window, click
During deletion, the profilescan task is run which will:
Disconnect users logged onto any of the devices within the profile.
Device and Auth Services account update task will be run to remove any accounts on the device.
The profile is deleted from the list and cannot be reinstated.
Orphaning a device means that the profile being deleted is the only profile that is linked to the devices highest level of permission. If the device only has ‘read’ and ‘readwrite’ as permissions, then this might mean that no users will have ‘read/write’ access to manage the device.