
Managing users

This section describes how Osirium PAM users are created and managed within the Admin Interface.

Manage users

Osirium PAM user accounts are used to log in to the UI, from which a user can:

  • Use the Admin Interface.
  • Use the device management tools.
  • Run device tasks.

Note

Privileges to devices are granted through Creating a New Profile.

We recommend using personal user accounts, not shared accounts, as these will allow you to easily monitor an individual's activity and review their privileged access.

Device Access

Users can be created and authenticated in a number of ways, so consider the following options before starting.

  • Local: A local user is one whose username and password are created and stored by Osirium PAM. When a local user logs onto the UI, the username is looked up in the internal database and the password is verified against it.

To enforce a strong authentication policy for local users, configure a password policy. See PAM Server Local Password Policy.

  • External authentication: External authentication lets users log on with credentials they already hold (username/password). Once set up, Osirium PAM consults the external account source to verify the logon before admitting the user to the UI.

    Auth types

The following settings are required to implement an external authentication method:

  • RADIUS: Before this authentication method can be used, Osirium PAM must be able to reach the RADIUS server over the network, and the RADIUS server details must be entered on the RADIUS Configuration page.

    When creating the user in Osirium PAM, the username must match the username that already exists on the RADIUS server.

  • Active Directory Before Active Directory can be used as your preferred user authentication method, you must ensure the following:

    • LDAPS must be enabled on the Active Directory domain controllers, so that usernames, passwords and other data exchanged between the PAM Server and Active Directory are encrypted in transit rather than sent as plaintext LDAP.

    • An Active Directory must also be provisioned before users can be authenticated against it. See Adding an Active Directory.

    • Synchronise Active Directory users using User group synchronisation. See User Groups.

  • Multi-factor authentication: can be enabled, meaning that the user will have to provide a password as well as a token code when logging onto the UI. The options for multi-factor authentication include:

    • Local then RADIUS: The user will first have to enter a local user password followed by the RADIUS token.

    • Active Directory then RADIUS: The user will first have to enter their Active Directory password followed by the RADIUS token.

Manage users page

The Manage users page allows you to manage user accounts. To view the Manage users page click Users in the left-hand menu. The Manage users page lists all the users and provides a high level overview of the accounts.

Note

If you have SailPoint IdentityIQ, then it can be integrated with Osirium PAM and used to create users. See SailPoint IdentityIQ Integration Configuration.

Manage users

The following table describes the user states.

Note

The state of a user account in Osirium PAM (enabled, disabled, locked or expired) is not propagated to the external account source if you are using external authentication; it only affects whether the user can log onto Osirium PAM.

Icon Role Description
Enabled user (blue) User/Reporter Enabled user account. All new user accounts default to the Osirium PAM user role when created. This allows the user to log onto the UI and gives them access to the Admin Interface.

Enabled SuperAdmin (gold) SuperAdmin When a user is given the Osirium PAM SuperAdmin role through a profile, the user icon changes from blue to gold. SuperAdmins have full access to the Admin Interface.

Disabled user User/Reporter Disabled user account. A user account is disabled when it expires, or when its Enabled tickbox is cleared. A disabled user cannot log onto the UI to manage devices or run tasks, but can still be added to profiles.

Disabled SuperAdmin SuperAdmin As above, for a user holding the SuperAdmin role.

Locked user (enabled or disabled) User/Reporter A local account is locked when it exceeds the failed-logon limits set in the PAM Server Local Password Policy. The account is unlocked when either:
- the unlock time specified in the password policy elapses, or
- a SuperAdmin re-enables the user account.

Locked SuperAdmin (enabled or disabled) SuperAdmin As above, for a user holding the SuperAdmin role.

Creating users

Users can be:

  • Created as local users.
  • Bulk imported.
  • Cloned from existing users.
  • Synchronised through Active Directory user groups and automatically created.
  • Created with an external RADIUS account source.

A user must exist before it can be given access to devices.

To create a new user:

  1. Click the Plus NEW USER button on the Manage users page.

    New user window

  2. Fill in the following details to create a new user:

    Field name Description
    Name: Internal display name of the user which will be seen when adding users to profiles, looking at reports, auditing activity and viewing the system queue.
    Username: Used to authenticate the user when logging onto the UI, single signing-on to devices and running tasks.

    If using external authentication, ensure the username is identical to the existing account.

    If using Active Directory external authentication, then it would be quicker to synchronise Active Directory users from users groups, than to create them. See How to Create a New User Group.

    New password: Only required if creating a local user. Enter a password.

    To apply a password policy see PAM Server Local Password Policy.

    Password again: Confirm the password entered above.
    Enabled (tickbox) Ticked by default. Allows the user to log onto the UI.

    Untick the box to disable the new user account. A disabled user cannot log onto the UI to manage Osirium PAM or devices, or run tasks, but can still be added to profiles.

    Expires Represents the date/time the user account will be disabled. Default expiry will be set to Never.

    NOTE If using external authentication, this does not mean the account will be disabled on the account source. It will only disable the user's ability to log into Osirium PAM.

    Email A valid email address is required to send notifications through email subscriptions. See Managing Email Subscriptions.
    Auth type Default will be set to Local.
    Other authentication types available are:
    Auth types
    RADIUS only: username must match the username that already exists on the RADIUS server. You do not need to enter a password as the existing RADIUS user's password will be used for authentication.

    Active Directory: rather than creating individual Active Directory users, you can add an Active Directory user group and synchronise the users. Synchronising Active Directory user groups allows Osirium PAM to automatically create the Active Directory users. See User Groups.

    Alternatively, to create a single user, ensure the username matches the Active Directory username. You do not need to enter a password as the existing Active Directory user password will be used for authentication.

    Local then RADIUS: multi-factor authentication required. Locally authenticated Osirium PAM users will need to enter their Osirium PAM user password as well as a RADIUS token when logging in to the UI.

    Active Directory then RADIUS: multi-factor authentication required. Active Directory users will need to enter their Active Directory password as well as a RADIUS token when logging in to the UI.

    Meta-info Meta-columns allow you to attach many kinds of information against each user. If meta-columns exist then select the required meta-column entry. To create meta-columns, see Configure Meta-Info.

    Note

    Name/Username can’t have the same name as an existing user. UTF-8 characters are supported in the name/username.

    Below is an example of a completed new user window:
    Complete new user window

  3. Click SAVE.

    • The Create Osirium PAM user task will be queued for creation.

    • Check the System queue page for progress.

    • Refresh the Manage users page to update the user status icon.

Bulk importing

Multiple users can be bulk imported using the bulk import template.

Note

If you intend to use meta-columns then they should be added prior to downloading the bulk import CSV template. See Configure Meta-info.

To download and upload the bulk import template:

  1. Select the Users from the left-hand menu.

  2. On the Manage users page, click Bulk import icon BULK IMPORT.

  3. Within the Import from CSV window, click DOWNLOAD CSV TEMPLATE.

    If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  4. Open the users_[date].csv file. It contains an example row showing the format each column expects.

    User CSV template

  5. Add in your users to be imported as follows:

    Column name Description
    Name: Enter a name which will be used as the internal display name and seen when adding users to profiles, looking at reports, auditing activity and viewing the system queue.
    Username: Used to authenticate the user when logging onto the UI, single signing-on to devices and running tasks.

    If using external authentication, ensure the username is identical to the existing account.

    If using Active Directory external authentication, then it would be quicker to synchronise Active Directory users by adding users groups. See How to Create a New User Group.

    Enabled Enter True to enable the user account once created, allowing the user to log onto the UI, or False to create the account disabled, in which case the user cannot log onto the UI but can still be added to profiles.
    Expires A timestamp (date, time and timezone) after which the user account is disabled and can no longer log onto the UI. The timestamp can be entered as follows:

    - to write UTC times then use z, for example: 2020-10-08T08:35:20Z.

    - if you are writing non-UTC then use the timezone suffix, for example: 2020-10-08T08:35:20+00:00.

    - If left blank, the expiry defaults to Never.

    NOTE If using external authentication, this does not mean the account will be disabled on the account source. It will only disable the user's ability to log into Osirium PAM.

    Email Can be left blank, but a valid email address is required if the user is to receive email notifications.

    NOTE Additional configuration is required to setup email notification, see SMTP configuration and Managing Email Subscriptions.

    Auth type Enter the method that will be used to authenticate the user into PAM. This will depend on your setup. Options available are as follows:


    Auth types

    Local: the user is authenticated by Osirium PAM, which also manages the password.

    RADIUS: external authentication. The username must match the username that already exists on the RADIUS server. Do not enter a password; the user's existing RADIUS password is used to authenticate the user into Osirium PAM.

    Active Directory: external authentication. If you are using Active Directory as your user authentication service, we recommend using User groups to synchronise your existing Active Directory users into Osirium PAM. See User Groups.

    Alternatively, to bulk import individual Active Directory users, ensure the username matches the Active Directory username. Do not enter a password; the existing Active Directory password is used for authentication.

    Local then RADIUS: multi-factor authentication. The user is authenticated locally by Osirium PAM and must enter their Osirium PAM user password as well as a RADIUS token when logging in to the UI.

    Active Directory then RADIUS: multi-factor authentication. Active Directory users must enter their Active Directory password as well as a RADIUS token when logging in to the UI.

    Password: Only enter a password if the Auth type is Local or Local then RADIUS. This is the password that will be assigned to the user. To apply a password policy that enforces strong passwords when creating and bulk importing local users, see PAM Server Local Password Policy.
    Meta-info If you want to use meta-columns, configure them before downloading your bulk import template. Meta-columns allow you to attach additional information against each user. To create meta-columns, see Configure Meta-Info.

    Note

    Name/Username can’t have the same name as an existing user.

    UTF-8 characters are supported in the name/username.

    For example:

    User bulk import example

  6. Save the csv file once updated.

  7. If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  8. Now within the Import from CSV window, click Choose File.

  9. Select the uploaded users bulk import file and click OPEN.

  10. Click IMPORT. This reads the file; no users are created yet.

  11. The entries in the CSV file are listed for review in the Bulk import users window.

    Imported csv file

  12. Before you click IMPORT again to create the users, note the following.

    • To import all the users listed, click SELECT ALL.

    • To import only a selection of users from the list, hold the SHIFT key and select the users you want to import.

    • Rows with errors are highlighted with a warning icon.

      Import warning

    • If the highlighted errors are not fixed, you will get an error when you click IMPORT. Select Skip rows with errors to ignore the rows with errors and import all the others.

      Import warning window

      Skip rows with errors

    • You can correct any user's settings by clicking Edit at the end of the row.

    • If no errors are highlighted, every user in the list will be imported.

    • To change a user's password, highlight the user and click APPLY PASS.

    • To create a user in the disabled state, click Edit at the end of the row and untick the Enabled checkbox.

  13. Click IMPORT.

  14. Within the Question window, click YES if you are happy to proceed with the bulk import.

    Import question window

  15. Within the Action queue window, the users are queued for creation. If your bulk import contains many users you can choose Continue in the background; once the imports have completed, click Done.

    The Manage users page will automatically be updated.
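The Bulk import users window flags faulty rows with a warning icon only after the CSV has been uploaded. The following added example, which is not part of the Osirium PAM documentation or product, applies the same rules described above to a CSV file before it is uploaded: the two expiry timestamp forms (trailing Z or an explicit offset), Enabled as True/False, Auth type restricted to the five documented values, a password only for Local and Local then RADIUS users, and no duplicate usernames. The column headers, the sample rows and the check that an expiry is not already in the past are assumptions for the example; check the header names against the downloaded users_[date].csv template.

```python
import csv
import io
from datetime import datetime, timezone

# Auth types as listed in the bulk import table.
AUTH_TYPES = {
    "Local",
    "RADIUS",
    "Active Directory",
    "Local then RADIUS",
    "Active Directory then RADIUS",
}
# Only users Osirium PAM authenticates locally carry a password in the CSV.
PASSWORD_AUTH_TYPES = {"Local", "Local then RADIUS"}


def parse_expires(value):
    """Parse an Expires cell to an aware datetime; an empty cell means Never.

    Accepts the two documented forms: a trailing Z for UTC
    (2020-10-08T08:35:20Z) or an explicit offset (2020-10-08T08:35:20+00:00).
    """
    value = value.strip()
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat before Python 3.11 rejects Z
    parsed = datetime.fromisoformat(value)  # ValueError on anything malformed
    if parsed.tzinfo is None:
        raise ValueError("timestamp must end in Z or a timezone offset")
    return parsed


def validate_row(row, seen_usernames, now=None):
    """Return the list of problems with one CSV row (empty means clean)."""
    errors = []
    username = row.get("Username", "").strip()
    auth = row.get("Auth type", "").strip()
    password = row.get("Password", "")

    if not row.get("Name", "").strip():
        errors.append("Name is required")
    if not username:
        errors.append("Username is required")
    elif username in seen_usernames:
        errors.append(f"duplicate Username {username!r}")

    if row.get("Enabled", "").strip().lower() not in ("true", "false"):
        errors.append("Enabled must be True or False")

    try:
        expires = parse_expires(row.get("Expires", ""))
    except ValueError as exc:
        errors.append(f"Expires: {exc}")
    else:
        # Assumed check: an expiry already in the past creates a disabled user.
        if expires is not None and now is not None and expires <= now:
            errors.append("Expires is in the past; the user would be disabled on creation")

    if auth not in AUTH_TYPES:
        errors.append(f"Auth type {auth!r} is not one of {sorted(AUTH_TYPES)}")
    elif auth in PASSWORD_AUTH_TYPES and not password:
        errors.append(f"Password is required for Auth type {auth!r}")
    elif auth not in PASSWORD_AUTH_TYPES and password:
        errors.append(f"Password must be empty for Auth type {auth!r}; the external source authenticates the user")
    return errors


def check_csv(text, now=None):
    """Validate CSV text; return (clean_rows, {file_line_number: errors})."""
    reader = csv.DictReader(io.StringIO(text), restval="")
    clean, problems, seen = [], {}, set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        errors = validate_row(row, seen, now)
        seen.add(row.get("Username", "").strip())
        if errors:
            problems[line_no] = errors
        else:
            clean.append(row)
    return clean, problems


# Constructed sample, not a real export. Line 5 gives a RADIUS user a password;
# line 6 reuses a username, has a bad Enabled value, a timestamp without a
# timezone, and no password for a Local user.
SAMPLE_CSV = """\
Name,Username,Enabled,Expires,Email,Auth type,Password
Alice Example,alice,True,,alice@example.test,Local,Corr3ct-Horse-Battery!
Bob Example,bob,True,2020-10-08T08:35:20Z,bob@example.test,Active Directory,
Carol Example,carol,False,2020-10-08T08:35:20+01:00,,Active Directory then RADIUS,
Dave Example,dave,True,,,RADIUS,ShouldNotBeHere
Eve Example,alice,maybe,2020-10-08 08:35,,Local,
"""

# Fixed reference time so the sample expiry dates are still in the future.
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    clean, problems = check_csv(SAMPLE_CSV, NOW)
    print("importable:", [r["Username"] for r in clean])
    for line_no, errors in sorted(problems.items()):
        print(f"line {line_no}: " + "; ".join(errors))
```

Running the script reports lines 5 and 6 as faulty and the other three rows as importable, which is what Skip rows with errors would let through. Rejecting passwords on externally authenticated rows matters because a password placed there is simply ignored by Osirium PAM, so it would sit in the CSV file (and any copies of it) for no benefit.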

Cloning a user

Cloning an existing user:

  • Creates a new user who inherits the same user account settings.

  • Adds the new user to all the same profiles as the cloned user.

  • Gives the new user access to the same tasks and devices, at the same access levels.

To clone a user:

  1. Right-click the user on the Manage users table that you want to clone.

  2. Select Clone Clone.

  3. Within the Cloning [user name] window, you will be prompted to enter the details for the new user to be created.

    User clone window

  4. Fill in the following details to create a new user:

    Field name Description
    Name: Internal display name of the user which will be seen when adding users to profiles, looking at reports, auditing activity and viewing the system queue.
    Username: Will be used to authenticate the user when logging onto the UI, single sign-onto devices and run tasks.

    If using external authentication, ensure the username is identical to the existing account.

    New password: Only required if creating a local user. Enter a password.

    To apply a password policy see PAM Server Local Password Policy.

    Password again: Confirm the password entered above.
    Checked box icon Enabled Leave as per cloned user.
    Expires Leave as per cloned user.
    Email A valid email address is required to send notifications through email subscriptions. See Managing Email Subscriptions.
    Auth type Leave as per cloned user.
    Meta-info Leave as per cloned user.

    Note

    Name/Username can’t have the same name as an existing user. UTF-8 characters are supported in the name/username.

  5. Click PROCEED.

  6. Within the Question window, click YES to proceed with creating the user.

    • The Clone user task will be run.

    • The Profiles user update task will be run to add the user to the same profiles as the cloned user.

    • The new user will appear on the Manage users page.

    Note

    If necessary, click the Refresh button to manually update the Manage users page.

Editing a user

See the Common Interface Functions section for inline editing.

Unprovision a user

Unprovisioning a user deletes the user's account from Osirium PAM and deletes any personalised user accounts created on any devices they have permission to access.

Once deleted, the user cannot be reinstated. The user would have to be recreated as a new user and reconfigured.

Note

If this is an Active Directory user account which still belongs to an Active Directory user group, then the unprovisioned account will be recreated in Osirium PAM when an audit is triggered.

To unprovision a user:

  1. On the Manage users page, right click on a user and then click Remove Unprovision.

  2. Within the Question window, click YES if you are sure you want to unprovision the user.

  3. During the unprovisioning:

    • The user will no longer be able to logon to the UI and single sign-onto devices.

    • If the user is logged onto the UI, they will be logged out and any open device sessions disconnected. Any further attempts to login will fail.

    • The user account will be removed from all profiles.

    • The user's personalised accounts on any devices will be deleted.

    • The user will be removed from all user groups.

    • The user account will be deleted from Osirium PAM.

    To unprovision multiple users, highlight a number of users, then right-click and click Remove Unprovision. Click YES.

Named user page

A detailed summary of an individual user can be found on the Named user page. This page can be used to review the user's access as well as to manage the user.

The Named user page can be accessed by clicking on the user's name on the Manage users page.

User detail page

Within the Named user page you can view and manage the following:

  • User details: Clicking Edit allows you to update all of the user's details except the username field.

  • Profiles: Overview of the profiles the user has been added to directly, which give them their access levels to devices. To add/remove profiles click MANAGE. This list does not include profiles the user belongs to through a user group; use Device access below to see the user's full access.

    User Profiles Manager

  • User groups: Overview of the user groups the user belongs to. To find out which profiles a user group has been added to, click the user group name to navigate to the Named user group page.

    Named user group

    To add/remove user groups, click on the MANAGE.

    User Group Manager

  • Device access: lists every device the user has been granted access to and the permission level assigned, whether granted directly or through a user group. The columns are:

    Header Description
    Arrow Click the arrow to reveal more information about the row.
    Device Name of the device the user has access to.
    Via Name of the profile or user group through which the user has been granted access.
    Access roles The access level the user will have when connecting to the device. Access levels are either configured within a template:
    - Role: the device access level Osirium PAM uses when creating a personalised account for the user on the device.
    - Account: a Managed or Known account that exists on the device is used to single sign-on to the device.
    or configured within the Admin Interface:
    - Mapping: a predefined account mapping maps the user's username to an existing account on the device or account source (local accounts, Active Directory, Static vault).
    - Always ask: the user is prompted for a username/password when connecting to the device.
    - Pass-through: the username/password used to log into Osirium PAM is used to single sign-on to the device.
    Accounts If an account is listed, this is the account Osirium PAM will use to single sign-on the user to the device.
    Mappings If the name of an account mapping is listed, the user's username is mapped to an existing account on the device using the mapped account defined in the account mapping matrix.
    Recorded If checked, the user's sessions on that device are recorded.
    Last Connection Date and time the device was last accessed by the user.

Note

User-role access to the Admin Interface is granted by default to every user created; it cannot be removed and is not shown within a profile.
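The Profiles section of the Named user page omits profiles reached through a user group, while the Device access table includes them. The following added example, not code from the Osirium PAM documentation or product, models that difference so an access review can be scripted against an export of profiles and groups rather than read off the page by hand. The Profile and UserGroup classes, their field names and the sample data are assumptions for the example and are not Osirium PAM's schema or API.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model of the objects the Named user page reports on (assumed
# shape, not the product's own data model).


@dataclass
class Profile:
    name: str
    devices: Dict[str, str]  # device name -> access role as shown in the table
    users: List[str] = field(default_factory=list)        # users added directly
    user_groups: List[str] = field(default_factory=list)  # user groups added
    recorded: bool = False


@dataclass
class UserGroup:
    name: str
    members: List[str]


def profiles_panel(username, profiles):
    """Profiles section of the Named user page: direct membership only.

    Profiles reached through a user group are absent, as the page documents,
    so this list alone understates the user's access.
    """
    return sorted(p.name for p in profiles if username in p.users)


def device_access(username, profiles, groups):
    """Rows of the Device access table: every device the user can reach and
    the profile or user group ("Via") that grants it, including group grants."""
    my_groups = {g.name for g in groups if username in g.members}
    rows = []
    for p in profiles:
        via = ([p.name] if username in p.users else []) + [
            g for g in p.user_groups if g in my_groups
        ]
        for grant in via:
            for device, role in p.devices.items():
                rows.append({"Device": device, "Via": grant,
                             "Access roles": role, "Recorded": p.recorded})
    return sorted(rows, key=lambda r: (r["Device"], r["Via"]))


def hidden_access(username, profiles, groups):
    """Devices reachable only through a user group: what a review would miss
    if it stopped at the Profiles panel."""
    direct = {d for p in profiles if username in p.users for d in p.devices}
    reachable = {r["Device"] for r in device_access(username, profiles, groups)}
    return sorted(reachable - direct)


# Constructed sample data. "DBA team" is added to two profiles; bob is also a
# direct member of one of them, so fw01 is not hidden for him but db01 is.
PROFILES = [
    Profile("Linux admins", {"web01": "Role: admin", "web02": "Role: admin"},
            users=["alice"], recorded=True),
    Profile("Database operators", {"db01": "Account: dbadmin"},
            user_groups=["DBA team"]),
    Profile("Network read-only", {"fw01": "Always ask"},
            users=["bob"], user_groups=["DBA team"]),
]
GROUPS = [UserGroup("DBA team", ["alice", "bob"])]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "profiles panel:", profiles_panel(user, PROFILES))
        for row in device_access(user, PROFILES, GROUPS):
            print("   ", row["Device"], "via", row["Via"], "->", row["Access roles"])
        print("    hidden from Profiles panel:", hidden_access(user, PROFILES, GROUPS))
```

For alice the Profiles panel shows only Linux admins, yet Device access lists db01 and fw01 through DBA team; hidden_access returns exactly those two devices. When reviewing or revoking a user's privileged access, work from the Device access table (or the equivalent join over profiles and user groups), because removing the user from every profile listed in the Profiles panel leaves group-derived access in place.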