You can use groups to organize and manage users in the Sectona PAM platform. For example, a group can be associated with a particular job function, such as Windows system administrator, and configured so that only users who are members of that group can authenticate to Windows servers. You can change the status of a group to quickly enable or disable group-based entitlements for multiple users at once. Group memberships in the Sectona PAM platform do not have to be mutually exclusive. Suppose that you have one group that gives the Windows Administrator team access to all Windows core privileged accounts and another that grants only view rights on database privileged accounts. A Windows team member could be a member of both groups, each associated with one of these entitlements.

The system provides flexibility for provisioning groups based on static grouping techniques, attributes of the user or Active Directory groupings. The Sectona PAM platform Administrator is responsible for setting up details of all user groups in the system. This section covers details about various grouping techniques and working methods:

Working with static & rule-based user groups

The Sectona PAM platform offers several types of groups to manage user entitlements. Choosing the group type is an important step in planning how to use user groups with the Sectona PAM platform.

| Group Type | Purpose |
| --- | --- |
| Static Group | Select this option when you want to add users one by one to a specific group. For example, mapping all database administrators to one group without any common static element. |
| Attribute-based group | Use attribute groups to automate group formation when users have common parameters such as role, company information, department, email, username or manager. This type of group is also recommended for managing fluid user environments. For example, whenever a user has a certain tag defined, such as 'Outsourced', the user is added to a specific group and policies are applied based on the group's entitlements. |
| Active Directory group | Active Directory-based user groups allow you to define and assemble dynamic Windows Active Directory user groups. They are based on LDAP search filter expressions applied to user attributes. Such groups can dynamically sync user information with Active Directory groups. |

Creating a static user group

  • Log in to the Sectona PAM platform as an administrator user.

  • Navigate to Manage → User Groups.

  • Click "+Add User Group".

  • Group Name: Provide a User Group name. Make sure the group name is unique in case you have multiple instances configured.

  • Group Description: Provide a group description (optional).

  • Method: Static Group.

  • By default, all groups are active when created. If you would like to activate this group later, simply uncheck the Active checkbox.

  • Click Save.

Adding users to a static group

  • Log in to the Sectona PAM platform as an administrator user.

  • Navigate to Manage → User Groups.

  • Click on the action arrow of the static group to which you would like to add existing users.

  • Select the 'Linked Users' option; a pop-up will open.

  • Click on the 'Add Users' button → Select the users you want to add to the group.

  • Click the 'Save' button to add the selected users to the group.

The system allows adding users only to static user groups. Users are added to attribute-based user groups and Active Directory groups in real time and as per sync intervals. However, you can still view the currently assigned users for such groups.

Creating an attribute-based user group

  • Log in to the Sectona PAM portal as an administrator user.

  • Navigate to Manage → User Groups.

  • Click '+ Add User Group'.

  • Group Name: Provide a User Group name. Make sure the group name is unique in case you have multiple instances configured.

  • Group Description: Provide a group description (optional).

  • Method: Attribute-Based Group.

  • Select your desired attribute from the drop-down list.

  • Set the operator as required using "=", "!=", or "LIKE", and enter the value for the selected attribute.

  • You can also add multiple attributes to one user group by clicking the "+" button.

  • By default, all groups are active when created. If you would like to activate this group later, simply uncheck the Active checkbox.

  • Click Save.
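
A way to preview which users a set of attribute conditions would pull into a group before saving it, written as an added example that is not Sectona's code. It assumes multiple conditions are ANDed, comparisons ignore case, and LIKE uses SQL-style % and _ wildcards; the user records and group names are constructed samples.

```python
import re

# Constructed sample users; attribute names follow the examples listed above.
USERS = [
    {"Username": "asha.k", "Department": "DBA", "Email": "asha.k@example.com", "Role": "Outsourced"},
    {"Username": "john.doe", "Department": "Windows Admin", "Email": "john.doe@example.com", "Role": "Employee"},
    {"Username": "noah", "Department": "Windows Admin", "Email": "noah@vendor.example", "Role": "Outsourced"},
    {"Username": "mei.l", "Department": "Database Admin", "Email": "mei.l@example.com", "Role": "Employee"},
]

# Hypothetical group definitions: each condition is (attribute, operator, value).
GROUPS = {
    "Outsourced": [("Role", "=", "Outsourced")],
    "Admins (broad LIKE)": [("Department", "LIKE", "%Admin%")],
    "Internal Windows Admins": [("Department", "=", "Windows Admin"),
                                ("Email", "LIKE", "%@example.com")],
}

def like_to_regex(pattern):
    """Translate a LIKE pattern (assumed: % = any run, _ = one character)."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def condition_matches(user, attribute, operator, value):
    actual = user.get(attribute)
    if actual is None:
        return False  # assumption: a missing attribute never grants membership
    if operator == "=":
        return actual.casefold() == value.casefold()
    if operator == "!=":
        return actual.casefold() != value.casefold()
    if operator == "LIKE":
        return like_to_regex(value).fullmatch(actual) is not None
    raise ValueError(f"unsupported operator: {operator!r}")

def preview_group(users, conditions):
    """Usernames that satisfy every condition (conditions assumed to be ANDed)."""
    return [u["Username"] for u in users
            if all(condition_matches(u, *c) for c in conditions)]

def overlaps(users, groups):
    """Users who would land in two or more groups, with the groups they join."""
    membership = {}
    for name, conditions in groups.items():
        for username in preview_group(users, conditions):
            membership.setdefault(username, []).append(name)
    return {u: g for u, g in membership.items() if len(g) > 1}
```

Running `overlaps(USERS, GROUPS)` shows how the broad `%Admin%` pattern sweeps in an outsourced user alongside internal administrators, which is the kind of unintended entitlement worth catching before the rule goes live.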

Creating an Active Directory group

  • Log in to the Sectona PAM portal as an administrator user.

  • Navigate to Manage → User Groups.

  • Click '+ Add User Group'.

  • Group Name: Provide a User Group name. Make sure the group name is unique in case you have multiple instances configured.

  • Group Description: Provide a group description (optional).

  • Method: Active Directory Group.

  • Directory Store: Select the directory store configured in the system.

  • User Groups: Click on the Browse button to select the desired group to sync with the system.

  • Exclude User(s): There may be scenarios in which you want some users not to be part of this group in the system. To exclude them, specify multiple user names in this field in a comma-separated format, such as 'john.doe, noah'.

  • By default, all groups are active when created. If you would like to activate this group later, simply uncheck the Active checkbox.

  • Click Save.

To configure an Active Directory-based group, a Directory Store must first be configured in the system. Refer to the Directory store section.
To enable this function, 'UserManagementService' must be started. Refer to Manage App Services to navigate to and start the service.

Viewing currently assigned users to the group

  • Log in to the Sectona PAM platform as an administrator user.

  • Navigate to Manage → User Groups.

  • Click on the Action arrow of the desired User Group.

  • Select the 'Linked Users' option.

  • A pop-up will open displaying a list of users associated with the group.

Deleting an active group

  • Log in to the Sectona PAM platform as an administrator user.

  • Navigate to Manage → User Groups.

  • Click on the name of the user group you want to delete.

  • Click on the 'Delete' button to delete the group permanently.

Disabling a user group

  • Log in to the Sectona PAM platform as an administrator user.

  • Navigate to Manage → User Groups.

  • Click on the name of the user group you want to disable.

  • Uncheck the Active checkbox to disable the User Group.

Deleting or disabling a User Group will not delete or disable any user from the system. However, the entitlements will be revoked from the users associated with the deleted or disabled user group.