- Created by Pavel Golubnichiy, last modified on Oct 07, 2021
Active Directory
Indeed PAM interacts with end users through an account that will read directory users and their attributes.
Account to use with user directory
- Run the Active Directory Users and Computers snap-in
- Open the context menu of an organizational unit or container
- Select Create - User item from the menu
- Specify the user name, say, IPAMManager
- Fill in the mandatory fields and complete the account creation
Alternatively, you can use an existing account.
Account for service operations in Active Directory
- Start the Active Directory Users and Computers snap-in
- Open the context menu of the container or organizational unit
- Select Create - User item
- Enter the name, for example, IPAMADServiceOps
- Fill in the required fields and complete the creation of the account
- Open the context menu of the container, organizational unit, or domain root and select the Properties item
- Go to the Security tab
- Click Add
- Select the IPAMADServiceOps account and click OK
- Click Advanced
- Select IPAMADServiceOps and click Edit
- For the field Applies to: set value Descendant User objects
- In the Permissions: section check Reset password
- Save all changes
Alternatively, you can use an existing account.
Storage of media files and shadow copies
File storages are necessary for aggregation and long-term storage of videos, screenshots and files transferred in sessions.
File storage account
A domain account is required to work with the file storage. It is recommended to use the already created IPAMStorageOps account.
Create and configure file storage
- Log in to the server that will act as the file storage
- Create folders, for example MediaData, ShadowCopy, Screencasts
- Right click on the folder you created, select the item Share with > Specific people
- Enter the username, for example IPAMStorageOps and click Add
- In the "Permission level" column, click the Read value next to the IPAMStorageOps user and select Read/Write from the menu.
- Finish by clicking Share
Data storage
Indeed PAM uses Microsoft SQL Server or PostgreSQL Pro to store data. The following components require databases:
- IPAMCore - Indeed PAM Core component database is used to store Indeed PAM privileged accounts, resources, permissions, and other service data
- IPAMJobs - The Indeed PAM Core component database is used to store scheduled jobs
- IPAMIdp - Indeed PAM IdP component database is used to store authenticators of Indeed PAM users and administrators
- ILS - The Indeed Log Server component database is used to store Indeed PAM events
Database creation
- Run Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
- Open the context menu of the Databases item
- Select the New Database item
- Specify a database name, for example IPAMCore, IPAMJobs, IPAMIdP, ILS
- Click OK
- Launch pgAdmin and connect to the PostgreSQL Pro server
- Open the context menu of the Databases item
- Select Create, Database
- Specify a database name, for example: IPAMCore, IPAMJobs, IPAMIdP, ILS
- Click Save
Creating a service account to work with data storage
- Start Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
- Expand the Security item
- Open the context menu of the Logins item
- Select the Create login item
- Enter the name, for example IPAMSQLServiceOps
- Select the SQL Server authentication item and fill in the required fields
- Switch to the User Mapping item
- Check the IPAMCore, IPAMTasks, IPAMIdP and ILS databases
- Check the database roles db_owner, db_datareader and db_datawriter
- Click OK
- Launch pgAdmin and connect to the PostgreSQL Pro server
- Open the context menu of the Login/Group Roles item
- Select Create, Login/Group Role
- Specify a Name, for example IPAMSQLServiceOps
- Go to the Definition tab and enter the new password for the account
- Go to Privileges tab, check Yes for Can Login? and Superuser? items
- Click Save, repeat for the rest of the databases.
The db_owner role for Microsoft SQL Server and the Superuser privilege for PostgreSQL are required only for the first access to the database.
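The SQL Server login steps and the note on first access, scripted in T-SQL as an added example; it is not part of the original page or of Indeed PAM's own tooling. The database names come from the Database creation step, the password is a placeholder, and the `@after_first_access` switch is a hypothetical name; dropping db_owner on the second run relies on the page's statement that the role is needed only for the first access.

```sql
-- Added example, not vendor code. Run in SSMS as a member of sysadmin.
-- First run: leave @after_first_access = 0 (creates login, users, all three roles).
-- Second run: set it to 1 once Indeed PAM has connected to every database.
DECLARE @after_first_access bit = 0;

IF SUSER_ID(N'IPAMSQLServiceOps') IS NULL
    CREATE LOGIN [IPAMSQLServiceOps]
        WITH PASSWORD = N'<generated-password-placeholder>', CHECK_POLICY = ON;

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'IPAMCore', N'IPAMJobs', N'IPAMIdP', N'ILS');
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Each database is handled in its own context; the final SELECT reports
    -- the roles the account holds there after the change.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF @drop_owner = 0
        BEGIN
            IF DATABASE_PRINCIPAL_ID(N''IPAMSQLServiceOps'') IS NULL
                CREATE USER [IPAMSQLServiceOps] FOR LOGIN [IPAMSQLServiceOps];
            ALTER ROLE db_owner      ADD MEMBER [IPAMSQLServiceOps];
            ALTER ROLE db_datareader ADD MEMBER [IPAMSQLServiceOps];
            ALTER ROLE db_datawriter ADD MEMBER [IPAMSQLServiceOps];
        END
        ELSE IF IS_ROLEMEMBER(N''db_owner'', N''IPAMSQLServiceOps'') = 1
            ALTER ROLE db_owner DROP MEMBER [IPAMSQLServiceOps];
        SELECT DB_NAME() AS database_name, r.name AS role_name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE m.name = N''IPAMSQLServiceOps'';';
    EXEC sys.sp_executesql @sql, N'@drop_owner bit', @drop_owner = @after_first_access;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
```

After the second run, the report should list only db_datareader and db_datawriter for each database; a remaining db_owner row means the elevated role is still in place.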