Directory (User directory)

Active Directory users cannot use privileged accounts unless they are members of the User directory. You can use a container or organizational unit (OU) as the Directory. Indeed PAM supports multiple domains and can work with users from different Active Directory domains.

Users (Target users)

These are the Active Directory users that are members of the container or organizational unit defined as the User directory. Permissions to use privileged accounts can be given only to such users.

Accounts (Access accounts, or Privileged accounts)

Accounts of Windows OS, *nix OS, DBMS, Active Directory, web applications or client applications on whose behalf sessions are opened on controlled systems.

Resources (Target resources)

Computers running Windows or *nix OS, as well as various DBMSs, web applications or client applications, are resources. The listed objects can be added to Indeed PAM and used to open a session.

Active Directory Domains

Active Directory contains the accounts of ordinary employees, privileged accounts and domain computers. Indeed PAM provides Domains as a separate object type for managing domain accounts and automatically adding domain computers to the system.

Data storage

For data storage Indeed PAM can use one of the following DBMSs:

  • Microsoft SQL Server
  • PostgreSQL
  • PostgreSQL Pro

Service connection

A service connection can be used for the following operations on resources and domains:

  1. Checking a connection to a resource or domain
  2. Synchronization of local or domain accounts
  3. Synchronization of security groups of local or domain accounts
  4. Checking an account password
  5. Changing an account password
  6. Synchronization of OS and DBMS versions
  7. Synchronization of domain computers

Service connections are supported for the following resources:

  • Windows
  • *nix
  • Microsoft SQL Server
  • PostgreSQL
  • MySQL
  • OracleDB

Service operations are performed under the following account types:

  1. For Windows resources, you can use:
    • Local account with administrator privileges
    • Active Directory account with local administrator privileges
  2. For *nix resources, you can use:
    • Local account with the privilege to execute the sudo command
  3. For Active Directory domains, you can use:
    • Domain account with permission to reset passwords

User connection

A user connection must be configured for each resource. This connection determines how a domain or local account connects to the resource. A resource can have only one user connection of each type:

  • RDP – connection to resource via RDP
  • SSH – connection to resource via SSH
  • Client – connection to a web resource or to a client application

Permissions

Permissions are used to manage privileged access. Any Active Directory user can be given permission to start an RDP, SSH or Web session on the target resource under a local or domain account.

A permission contains:

  • User – the Active Directory user for whom the permission is issued.
  • Account – the local or domain account used by the Active Directory user to start a session on the resource.
  • Resource – the resource where a session will be started as the local or domain Access account.

A permission cannot be modified while it is in use. Revoked permissions cannot be restored.

Access account states

  • Pending – an account is in the Pending state if it was added to Indeed PAM by synchronization with a resource or domain. This happens because the Indeed PAM database contains no password for the account. As a result, the account is not managed by Indeed PAM and cannot be part of a permission.
  • Managed – the account has a password in the Indeed PAM database. Therefore, the account is managed by Indeed PAM and can be part of a permission.
  • Ignored – an account can be switched to Ignored from the Pending or Managed state. In this case, the account is stored without a password and is not managed by Indeed PAM. The account cannot be part of a permission, and all permissions it was used in are revoked.
  • Blocked – an account can be switched to Blocked from the Managed state. In this case, the account cannot be part of a permission, and all permissions it was used in are suspended.
  • Removed – an account can be switched to Removed from any other state. A removed account is not managed by Indeed PAM and is hidden from the common list. All permissions it was used in are revoked. A removed account can be restored and switched to the Managed state if required.
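The account states above and the permission rules in the previous section together form a small state machine: only a Managed account can enter a permission, Blocked suspends the permissions it is part of, while Ignored and Removed revoke them for good. The following Python model is an added example, not Indeed PAM's own code; every class and method name is invented for illustration, and two transitions the page does not spell out are labelled as assumptions in the comments (what unblocking does, and that restoring a removed account to Managed needs a stored password).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class AccountState(Enum):
    PENDING = "Pending"   # added by synchronization, no password stored
    MANAGED = "Managed"   # password stored; usable in permissions
    IGNORED = "Ignored"   # stored without password, not managed
    BLOCKED = "Blocked"   # temporarily unusable; permissions suspended
    REMOVED = "Removed"   # hidden from the common list; permissions revoked


class PermissionState(Enum):
    ACTIVE = "Active"
    SUSPENDED = "Suspended"   # can become active again
    REVOKED = "Revoked"       # terminal: revoked permissions cannot be restored


@dataclass
class Permission:
    user: str                 # Active Directory user the permission is issued for
    account: "Account"        # local or domain account used to start the session
    resource: str             # resource where the session is started
    state: PermissionState = PermissionState.ACTIVE


@dataclass
class Account:
    name: str
    password: Optional[str] = None
    state: AccountState = AccountState.PENDING
    permissions: List[Permission] = field(default_factory=list)

    @classmethod
    def from_sync(cls, name: str) -> "Account":
        # Synchronization brings in the name only, so the account starts Pending.
        return cls(name=name)

    def set_password(self, password: str) -> None:
        # Storing a password is what turns a Pending account into a Managed one.
        if self.state not in (AccountState.PENDING, AccountState.MANAGED):
            raise ValueError(f"{self.name}: cannot set password while {self.state.value}")
        self.password = password
        self.state = AccountState.MANAGED

    def ignore(self) -> None:
        # Allowed from Pending or Managed; the password is dropped, permissions revoked.
        if self.state not in (AccountState.PENDING, AccountState.MANAGED):
            raise ValueError(f"{self.name}: cannot ignore while {self.state.value}")
        self.password = None
        self.state = AccountState.IGNORED
        self._set_permissions(PermissionState.REVOKED)

    def block(self) -> None:
        # Allowed from Managed only; permissions are suspended, not revoked.
        if self.state is not AccountState.MANAGED:
            raise ValueError(f"{self.name}: cannot block while {self.state.value}")
        self.state = AccountState.BLOCKED
        self._set_permissions(PermissionState.SUSPENDED)

    def unblock(self) -> None:
        # Assumption (not stated on the page): unblocking returns the account to
        # Managed and reactivates the permissions that were suspended.
        if self.state is not AccountState.BLOCKED:
            raise ValueError(f"{self.name}: cannot unblock while {self.state.value}")
        self.state = AccountState.MANAGED
        for p in self.permissions:
            if p.state is PermissionState.SUSPENDED:
                p.state = PermissionState.ACTIVE

    def remove(self) -> None:
        # Allowed from any state; permissions are revoked and stay revoked.
        self.state = AccountState.REMOVED
        self._set_permissions(PermissionState.REVOKED)

    def restore(self) -> None:
        # A removed account can be restored to Managed. Assumption: because Managed
        # means "password in the database", a stored password is required here.
        if self.state is not AccountState.REMOVED:
            raise ValueError(f"{self.name}: cannot restore while {self.state.value}")
        if self.password is None:
            raise ValueError(f"{self.name}: no stored password, cannot become Managed")
        self.state = AccountState.MANAGED

    def _set_permissions(self, new_state: PermissionState) -> None:
        # Revoked is terminal, so a revoked permission is never moved to Suspended.
        for p in self.permissions:
            if p.state is not PermissionState.REVOKED:
                p.state = new_state


def grant_permission(user: str, account: Account, resource: str) -> Permission:
    """Only a Managed account can be part of a permission."""
    if account.state is not AccountState.MANAGED:
        raise ValueError(f"{account.name} is {account.state.value}, not Managed")
    perm = Permission(user=user, account=account, resource=resource)
    account.permissions.append(perm)
    return perm


def active_permissions(account: Account) -> List[Permission]:
    """Permissions under which a session could be started right now."""
    return [p for p in account.permissions if p.state is PermissionState.ACTIVE]
```

The distinction worth keeping in mind when auditing such a system is the one between Suspended and Revoked: a blocked account's permissions come back when the block is lifted, whereas an ignored or removed account loses its permissions permanently, and restoring the account does not bring them back.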

Resource states

  • Stand by – means that the resource is added to Indeed PAM.
  • Blocked – means that the resource has been blocked and cannot be part of a permission. All permissions it was used in are suspended.
  • Removed – a resource can be switched to Removed from any other state. Removed resources are hidden from the common list. A removed resource can be restored and switched to the Stand by state if required.

Domain states

  • Stand by – means that the Domain is added to Indeed PAM.
  • Removed – a domain can be switched to the Removed state. Removed domains are hidden from the common list. A removed domain can be restored and switched to the Stand by state if required.

Session states

  • Active – if the user has permission to access the target resource under the specified account, the account is not blocked and the permission is not revoked, the server creates a session, which becomes active.
  • Finished – the session ends when the user ends the session with the target resource, for example by terminating the remote access session to the server or closing the window of the application or web page.
  • Aborted – the session becomes aborted when the PAM administrator forcibly terminates the active user session.

Policies

A policy is a set of settings that is propagated to multiple system objects. A single object can be assigned only one policy of a given type.

  • Account policies are propagated to accounts and apply to resources and domains.
  • Session policies are propagated to sessions and apply to accounts.