
Managing users

This section describes how Osirium PAM users are created and managed within the Admin Interface.

Manage users

Osirium PAM user accounts are used to log in to the UI, from which users can:

  • Access the Admin Interface.
  • Use device management tools.
  • Run device tasks.


Privileges to devices are granted through profiles. See Creating a New Profile.

We recommend using personal user accounts, not shared accounts, as these will allow you to easily monitor an individual's activity and review their privileged access.

User access basics

Users can be created and authenticated in a number of ways, so consider the following options before starting.

  • Local: A local user is one whose username and password are created by Osirium PAM. When the local user logs onto the UI, the user is checked against the list held in the internal database and their password is verified.

To enhance security and implement a strong authentication policy for local user authentication, configure a password policy via Osirium PAM Local Password Policy.

  • External authentication: Using external authentication allows you to use an existing user's credentials (username/password). Once set up, Osirium PAM will consult the external account source to verify the user logon before logging the user onto the UI.

The following settings are required to implement an external authentication method:

  • RADIUS: Before this authentication method can be used, the network settings that allow Osirium PAM to communicate with the RADIUS server need to be configured. These settings are configured in RADIUS Configuration.

    When creating the user in Osirium PAM, the username that exists on the RADIUS server must match the one being created.

  • Active Directory: Before Active Directory can be used as your preferred user authentication method, you must ensure the following:

    • LDAPS must be enabled on the Active Directory. LDAPS will ensure that usernames/passwords and other information communicated between the PAM Server and the Active Directory will be kept confidential and secure.

    • An Active Directory must also be provisioned before users can be authenticated against it. See Adding an Active Directory.

    • Synchronise Active Directory users using User group synchronisation. See User Groups.

  • Multi-factor authentication: When enabled, the user has to provide a password as well as a token code when logging onto the UI. The options for multi-factor authentication include:

    • Local then RADIUS: The user will first have to enter a local user password followed by the RADIUS token.

    • Active Directory then RADIUS: The user will first have to enter their Active Directory password followed by the RADIUS token.

Manage users page

The Manage users page allows you to manage user accounts. To view the Manage users page click Users in the left-hand menu. The Manage users page lists all the users and provides a high level overview of the accounts.


If you have SailPoint IdentityIQ, then it can be integrated with Osirium PAM and used to create users. See SailPoint IdentityIQ Integration Configuration.

Manage users table

The following table describes the user states.


The state of the user account is not passed through to the external authentication source, if you are using one.

Icon: Description

Enabled user icon (User/Reporter), Enabled SuperAdmin icon (SuperAdmin): Enabled user account. All new user accounts will default to the Osirium PAM user role when created. This allows the user to log on to the UI and gives them access to the Admin Interface.

When a user is given Osirium PAM SuperAdmin role access through a profile, the user icon will change from blue to gold. SuperAdmins have full access to the Admin Interface.

Disabled user icon (User/Reporter), Disabled SuperAdmin icon (SuperAdmin): Disabled user account. A user is disabled when the user account expires.

When an account is disabled, the user is unable to log onto the client to manage devices and run tasks.

Enabled locked user icon (Locked User), Disabled locked user icon (User/Reporter), Enabled locked SuperAdmin icon and Disabled locked SuperAdmin icon (SuperAdmin): The local account is locked if it exceeds the parameters set out in the Osirium PAM Local Password Policy.

The user will be unlocked if:

  • There is an unlock time specified in the password policy.
  • The user account is enabled by a SuperAdmin.

Creating users

Users can be:

  • Created as local users.
  • Bulk imported.
  • Cloned from existing users.
  • Synchronised through Active Directory user groups and automatically created.
  • Created with an external RADIUS account source.

Creating a user

A user must exist before it can be given access to devices.

To create a new user:

  1. Either click the Plus icon next to Users in the left-hand menu or click the New user button (Plus icon) on the Manage users page. Either way, a New user window will open.

    New user window

  2. Fill in the following details to create a new user:

    Field name Description
    Name: Internal display name of the user which will be seen when adding users to profiles, looking at reports, auditing activity and viewing the system queue.
    Username: Used to authenticate the user when logging onto the UI, single signing on to devices and running tasks.

    If using external authentication, ensure the username is identical to the existing account.

    If using Active Directory external authentication, it is quicker to synchronise Active Directory users from user groups than to create them individually. See How to Create a New User Group.

    New password: Only required if creating a local user. Enter a password.

    To apply a password policy, see Osirium PAM Local Password Policy.

    Password again: Confirm the password entered above.
    Enabled (Checked box icon): Default is enabled. Allows the user to log onto the UI.

    Uncheck the tickbox to disable the new user account. Disabling a user account means that the user will be unable to log onto the UI to manage Osirium PAM, devices and run tasks. The user can still be added to profiles.

    Expires: Represents the date/time the user account will be disabled. Default expiry will be set to Never.

    NOTE: If using external authentication, this does not mean the account will be disabled on the account source. It will only disable the user's ability to log into Osirium PAM.

    Email: A valid email address is required to send notifications through email subscriptions. See Managing Email Subscriptions.
    Auth type: Default will be set to Local.
    Other authentication types available are:
    RADIUS only: username must match the username that already exists on the RADIUS server. You do not need to enter a password as the existing RADIUS user's password will be used for authentication.

    Active Directory: rather than creating individual Active Directory users, you can add an Active Directory user group and synchronise the users. Synchronising Active Directory user groups allows Osirium PAM to automatically create the Active Directory users. See User Groups.

    Alternatively, to create a single user, ensure the username matches the Active Directory username. You do not need to enter a password as the existing Active Directory user password will be used for authentication.

    Local then RADIUS: multi-factor authentication required. Locally authenticated Osirium PAM users will need to enter their Osirium PAM user password as well as a RADIUS token when logging in to the UI.

    Active Directory then RADIUS: multi-factor authentication required. Active Directory users will need to enter their Active Directory password as well as a RADIUS token when logging in to the UI.

    Meta-cols: Meta-columns allow you to attach many kinds of information against each user. If meta-columns exist then select the required meta-column entry. To create meta-columns, see Configure Meta-Info.


    Name/Username can’t have the same name as an existing user. UTF-8 characters are supported in the name/username.

    Below is an example of a completed new user window:
    Complete new user window

  3. Click Save.

    • The Create Osirium PAM user task will be queued for creation.

    • Check the System queue page for progress.

    • Refresh the Manage users page to update the user status icon.

Bulk import users

Multiple users can be bulk imported using the bulk import template.


If you intend to use meta-columns then they should be added prior to downloading the bulk import CSV template. See Configure Meta-info.

To download and upload the bulk import template:

  1. Click Users in the left-hand menu.

  2. On the Manage users page, click on the Bulk import button.

  3. Within the Import from CSV window, click Download csv template. For further details on how to download a file see Downloading a file.

    User Import from CSV window

  4. Open the template and populate it with the required user information.

  5. Save the file.

  6. Go back to the Import from CSV window, within the Admin Interface.

  7. Click Choose file to locate and select the completed bulk import template file. For further details on how to upload a file see Uploading a file.

  8. Click Import.

  9. The users within the imported CSV file will be listed in the Bulk import users window. Review the imported data and fix any issues.

    Bulk import users window

    • Errors will be highlighted with a Close icon. If these errors are not fixed then that user will not be imported.

    • You can update any user settings by clicking on the Edit pencil icon at the end of each row.

    • If there are no errors highlighted (i.e. no users highlighted in blue with the Close icon) then all users in the list will be imported.

    • To import only a selection of users from the list, hold the SHIFT key and select all the users you want to import from your bulk import list.

    • To edit the password for a user, highlight the user and click the Apply pass button.

    • To disable a user, deselect the Enabled button.

  10. Click Import.

  11. If you have selected only some of the users within the Bulk import users window then click Yes to proceed.

    Bulk import users confirm window

  12. Within the Action queue window, users will be imported and queued for creation. Click Done to close the window.

    The Manage users page will automatically be updated and list the imported users.
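
A pre-import check for the completed CSV, added here as an example and not part of Osirium PAM or its documentation. It applies this page's rules (unique usernames, the listed auth types, a password only for local auth types) and, going beyond the stated uniqueness rule, flags usernames that differ only by case or Unicode form. The column names and sample rows are assumptions; use the headers from the template you downloaded.

```python
import csv
import io
import unicodedata

# Auth types as named on this page. True = a local password is expected
# (treating "Local then RADIUS" like "Local" is an assumption).
AUTH_TYPES = {"Local": True, "Local then RADIUS": True, "RADIUS only": False,
              "Active Directory": False, "Active Directory then RADIUS": False}

def fold(value):
    """Key for spotting names that differ only by case or Unicode form."""
    return unicodedata.normalize("NFKC", value).casefold().strip()

def lint_import(csv_text, existing_usernames=()):
    """Return (row_number, username, problem) tuples; column names are hypothetical."""
    findings = []
    seen = {fold(u): u for u in existing_usernames}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = row.get("username") or ""
        auth = (row.get("auth_type") or "").strip()
        password = row.get("password") or ""
        if not user.strip():
            findings.append((row_no, user, "missing username"))
            continue
        key = fold(user)
        if key in seen:
            kind = "duplicate of" if seen[key] == user else "near-duplicate of"
            findings.append((row_no, user, f"{kind} {seen[key]!r}"))
        else:
            seen[key] = user
        if auth not in AUTH_TYPES:
            findings.append((row_no, user, f"unknown auth type {auth!r}"))
        elif AUTH_TYPES[auth] and not password:
            findings.append((row_no, user, "local auth type needs a password"))
        elif not AUTH_TYPES[auth] and password:
            findings.append((row_no, user, "password not needed for external auth"))
    return findings

# Constructed sample rows, not taken from a real deployment.
SAMPLE = """name,username,auth_type,password
Alice Admin,alice,Active Directory then RADIUS,
Bob Ops,bob,Local,
Alice Two,Alice,RADIUS only,
Carol,carol,LDAP,
Dave,dave,Active Directory,ConstructedPw1
"""

if __name__ == "__main__":
    print(*lint_import(SAMPLE), sep="\n")
```

Pass the usernames already present in Osirium PAM as `existing_usernames` so that clashes with existing accounts are reported before the import window flags them.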

Cloning a user

Cloning an existing user allows you to:

  • Create a new user who inherits the same user account settings.

  • Add the new user to all the same profiles.

  • Provide access to the same tasks and devices with the same access levels.

To clone an existing user:

  1. Right-click on an existing user.

  2. Click the Clone button (Clone user icon).

  3. Within the Cloning window, you will be prompted to enter the details for the new user to be created.

    User clone window

  4. Update the details for the new user. See Creating a User.

  5. Click Proceed.

  6. Within the Question window, click Yes:

    • The Clone user task will be queued for creation.

    • The ProfilesUserUpdate task will be run to add the new user to the same profiles as the cloned user.

    • The new user appears on the Manage users page.


    If necessary, click the Refresh button to manually update the Manage users page.

Editing a user

See the Common Interface Functions section for inline editing.

Unprovision a user

Unprovisioning a user deletes the user's account from Osirium PAM and deletes any personalised user accounts created on any devices they have permission to access.

Once deleted, the user cannot be reinstated. The user would have to be recreated as a new user and reconfigured.


If this is an Active Directory user account which still belongs to an Active Directory user group, then the unprovisioned account will be recreated in Osirium PAM when an audit is triggered.

To unprovision a user:

  1. On the Manage users page, right-click on a user and then click Unprovision (Delete icon).

  2. Within the Question window, click Yes if you are sure you want to delete the user.

  3. During the unprovisioning:

    • The user will no longer be able to log on to the UI or single sign-on to devices.

    • If the user is logged onto the UI, they will be logged out and any open device sessions disconnected. Any further attempts to login will fail.

    • The user account will be removed from all profiles.

    • The user's personalised accounts on any devices will be deleted.

    • The user account will be deleted from Osirium PAM.

    • The user will be removed from all user groups.

    To unprovision multiple users, highlight a number of users, then right-click and click Unprovision (Delete icon). Click Yes.

User detail page

The User detail page provides you with a summary of the user and allows you to administer the user account and access.

To view the User detail page, click on a name within the Name column which is a link to the User detail page. Alternatively, highlight a user and right click for the context menu. Within the context menu select Close icon and you will be navigated to the User detail page.

User detail page


Profiles

Lists all the profiles the user belongs to and allows you to manage the profiles. Profiles determine what devices and access levels the user has been given.

To add the user to an existing profile:

  1. To the right of Profiles, click the Manage button.

    User profiles screenshot

  2. Within the Manager: profiles window, select the checkboxes to the left of the profiles you want the user to be included in.

    User profile manager window

  3. Click Save changes.

    • Depending on how the device is managed, Osirium PAM may create a personalised user account on the device. See Managing Devices.

    • The device access will be dynamically updated on the user’s UI.

    • The device access section on the User detail page will be updated to reflect the profile added.

User groups

Lists all the user groups the user belongs to. User groups can be added to profiles so groups of users can be easily given access to the same devices and tasks.

To add a user to a user group:

  1. To the right of User groups, click the Manage button.

    User group manage

  2. Within the Manager: user groups window, select the checkboxes to the left of the user groups you want the user to be included in.

    User Groups manager window

  3. Click Save changes. The user is added to the group. If the user group is in a profile, then the user will be given access to the devices and tasks in that profile.

Device access

Lists all the devices the user has been granted permission to access.

User device access screenshot

The following table describes the Device Access table:

Header: Description
Expansion icon: Click the arrow to reveal more information.
Device: Name of the device the user has been given access to.
Via: Indicates if the user has been added directly to the profile or via a user group.
Access Roles: Indicates the role(s) granted to the user on the device. A personalised user account will have been created on the device for the user with the specified device access token. This account will be used by Osirium PAM to single sign-on the user.
Accounts: If an account is listed, Osirium PAM uses a known account to single sign-on the user to the device. The user will not have a personalised account on the device.
Patterns: If a pattern is listed then the user account will be mapped to an existing account on the device using the pattern stated. This mapping will be used when the user single signs on to the device.
Recorded: If checked, the user's session on that device will be recorded.
Last Connection: Date and time the device was last accessed by the user.


User role-based access to the Admin Interface is the default for all users created. It can’t be removed and is not shown within a profile.