Defining user groups
You can use groups to organize and manage users in the Sectona PAM platform. For example, a group can be associated with a particular job function, such as Windows system administrator, and configured so that only users who are members of that group can authenticate to Windows servers. You can change the status of a group to quickly enable or disable group-based entitlements for multiple users at once. Your group memberships in the Sectona PAM platform do not have to be mutually exclusive. Suppose that you have one group that entitles the Windows Administrator team to all Windows core privileged accounts and another that grants only view rights on database privileged accounts. A Windows team member could be a member of both groups, each associated with one of these entitlements.
The system provides flexibility for provisioning groups based on static grouping techniques, user attributes, or Active Directory groupings. The Sectona PAM platform Administrator is responsible for setting up details of all user groups in the system. This section covers details about various grouping techniques and working methods:
Working with static & rule-based user groups
Sectona PAM platform offers many types of groups to manage user entitlement. Choosing the type of group is an essential step in planning for using user groups with the Sectona PAM platform.
Group Type | Purpose |
---|---|
Static Group | Select this option when you want to add users one by one to a specific group. For example, mapping all database administrators to one group without any common static element. |
Attribute-based group | Use attribute groups to automate group formation when users share common parameters such as user role, Company Information, Department, Email, Username, Manager, etc. This group type is also recommended for managing fluid user environments. For example, whenever a user has a specific tag defined, such as 'Outsourced', the user is added to a particular group, and policies are applied based on group entitlements. |
Active Directory group | Active Directory-based user groups allow you to define and assemble dynamic Windows Active Directory user groups. They are based on LDAP search filter expressions applied to user attributes. Such groups can dynamically sync user information with Active Directory groups. |
Creating a static user group
Login to the Sectona PAM platform as an administrator user.
Navigate to Manage → User Groups.
Click "+Add User Group."
Group Name: Provide a User Group name. Make sure the group name is unique in case multiple instances are configured.
Group Description: Provide a group description (optional).
Method: Static Group.
By default, all groups are active when created. If you want to activate this group later, uncheck the Active checkbox.
Click Save.
Adding users to a static group
Login to the Sectona PAM platform as an administrator user.
Navigate to Manage → User Groups.
Click on the action arrow of the static group where you would like to add existing users.
Select the 'Linked Users' option; a pop-up will open.
Click on the 'Add Users' button → Select the users you want to add to the group.
Click the 'Save' button to add the selected users to the group.
The system allows adding users only to static user groups. Users are added to the attribute-based user groups and active directory groups on a real-time basis and as per sync intervals. However, you can still view currently assigned users for such groups.
Creating an attribute-based user group
Login to the Sectona PAM portal as an administrator user.
Navigate to Manage → User Groups.
Click '+ Add User Group.'
Group Name: Provide a User Group name. Make sure the group name is unique in case multiple instances are configured.
Group Description: Provide a group description (optional).
Method: Attribute-Based Group.
Select your desired attribute from the drop-down list.
Set the operator as required, using "=", "!=", or "LIKE", and enter the value for the selected attribute.
You can add multiple attributes to one user group by clicking the "+" button.
By default, all groups are active when created. If you want to activate this group later, uncheck the Active checkbox.
Click Save.
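Before saving an attribute-based rule set, it helps to dry-run it against an export of users and compare the result with the membership you expect, since a broad "LIKE" pattern can pull in users who should not receive the group's entitlements. The following is an added example, not Sectona code: the user records are constructed, the "Tag" attribute name is hypothetical, and it assumes that multiple rules are combined with AND, that "LIKE" uses SQL-style % and _ wildcards, and that matching is case-insensitive.

```python
import re

# Constructed sample users; "Tag" is a hypothetical attribute name.
USERS = [
    {"Username": "a.khan", "Department": "DBA", "Tag": "Outsourced"},
    {"Username": "j.doe", "Department": "DBA"},
    {"Username": "svc-backup", "Department": "Infra", "Tag": "Outsourced"},
    {"Username": "m.lee", "Department": "Database Ops", "Tag": "outsourced-2024"},
]

def like_to_regex(pattern):
    """Translate a SQL-style LIKE pattern (% and _) into an anchored regex (assumed semantics)."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def rule_matches(user, attribute, operator, value):
    """Evaluate one (attribute, operator, value) rule against a user record."""
    actual = user.get(attribute)
    if actual is None:
        # Assumption: a missing attribute satisfies no rule, including "!=",
        # so an incomplete user record never grants membership.
        return False
    if operator == "=":
        return actual.lower() == value.lower()
    if operator == "!=":
        return actual.lower() != value.lower()
    if operator == "LIKE":
        return like_to_regex(value).match(actual) is not None
    raise ValueError(f"unsupported operator: {operator}")

def resolve_group(users, rules):
    """Return usernames that satisfy every rule (rules assumed to be AND-ed)."""
    return [u["Username"] for u in users
            if all(rule_matches(u, *rule) for rule in rules)]

def dry_run(users, rules, expected):
    """Diff the resolved membership against the list the group owner expects."""
    members = set(resolve_group(users, rules))
    return {"unexpected": sorted(members - set(expected)),
            "missing": sorted(set(expected) - members)}

if __name__ == "__main__":
    rules = [("Tag", "LIKE", "Outsourced%"), ("Department", "!=", "Infra")]
    print(resolve_group(USERS, rules))
    print(dry_run(USERS, rules, expected=["a.khan"]))
```

Any name reported under "unexpected" would inherit the group's entitlements; tighten the rule (for example, "=" instead of "LIKE") and confirm the result in the 'Linked Users' view after saving.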
Creating an Active Directory group
Login to the Sectona PAM portal as an administrator user.
Navigate to Manage → User Groups.
Click '+ Add User Group.'
Group Name: Provide a User Group name. Make sure the group name is unique in case multiple instances are configured.
Group Description: Provide a group description (optional).
Method: Active Directory Group.
Directory Store: Select the directory store configured in the system.
User Groups: Click the Browse button to select the desired group to Sync with the system.
Exclude User(s): There may be a scenario where you want some users not to be a part of this group in the system. To exclude them, specify their user names in this field in a comma-separated format, for example 'john.doe, noah'.
By default, all groups are active when created. If you want to activate this group later, simply uncheck the Active checkbox.
Click Save.
A Directory Store must first be configured in the system before you can configure an Active Directory-based group. Refer to the Directory store section.
To enable this function, the 'UserManagementService' must be started. Refer to Manage App Services to navigate to and start the service.
Viewing currently assigned users to the group
Login to the Sectona PAM platform as an administrator user.
Navigate to Manage → User Groups.
Click on the Action arrow of the desired User Group.
Select the 'Linked Users' option.
A pop-up will open, displaying a list of users associated with the group.
Viewing and modifying the status of user groups
You can view and modify the status of user groups. PAM allows you to set the status of user groups as "Active" or "Inactive."
- Login as an admin user.
- Navigate to Manage → Click on User Groups from the User Management section.
- The status of the account group is visible under the Status column.
- Click the required account group name to modify the status.
- Under the Status section, tick or untick the checkbox to set the status as "Active" or "Inactive."
Deleting an active group
Login to the Sectona PAM platform as an administrator user.
Navigate to Manage → User Groups.
Click on the desired user group name to delete.
Click on the 'Delete' button to delete the group permanently.
Disabling a user group
Login to the Sectona PAM platform as an administrator user.
Navigate to Manage → User Groups.
Click on the desired user group name to disable it.
Uncheck the Active checkbox to disable the User Group.
Deleting or disabling a User Group will not delete or disable any user from the system. However, the entitlements will be revoked from the users associated with the deleted or disabled user group.