Managing user operations
In a typical enterprise environment, user information and attributes need to be updated continuously, and their updated status must be maintained efficiently. This chapter explains how to perform user management operations. It includes:
Disabling a user account
To disable or deactivate a user, follow the procedure below:
Navigate to Manage → Users.
Search for or select the user in the user list on the user tab.
Browse the user details and clear the active check mark.
Changing a user account password
Use any one of the following methods to change the user account password.
Method 1:
Navigate to the "Manage" section and click on the Asset Management option.
Click on the 'action' icon below the column named Account.
A new form will appear where you can add an account or edit an existing account.
Now, click on one of the existing account names to change its password.
Change the password and click on the "Change Password" button. Your password will be changed.
Method 2:
Navigate to the "Manage" section and click on the Account option.
Select "+New Account" from the drop-down menu.
Choose the asset category and asset type for which you wish to see the accounts created.
From the list displayed, click on the hostname whose password you want to change.
Change the password and click on the "Change Password" button. Your password will be changed.
Changing user status
A Sectona PAM user's status can be one of the following:
Pending Approval - The user must be approved by a user to be enabled in the system.
Active - The user can authenticate and access functions of the system.
Disabled - The user is not permitted to use the system and log on is denied. This status is enabled based on Dormancy threshold settings configured in the User authentication policy. For more information, refer to the section here.
Dormant - The user is not permitted to use the system and log on is denied. The user account status is Inactive when the account is manually disabled by the administrator of the solution.
Locked - The user is not permitted to use the system and log on is denied. This status is enabled based on Account lockout threshold settings in user authentication settings. For more information, refer to the section here.
To change the status of an account, follow the procedure below:
Navigate to Manage → Users.
Select the user you wish to update.
Click on the status link of the user.
View the Status Change and modify the status as Active or Inactive.
Adding user-specific account alias
If named user accounts have multiple privileged accounts without any standard naming convention, User Aliases can be added for each user to define user profiles. For example, if the user John (Active Directory authenticated) has multiple privileged accounts such as jhn12 (for administration) and 1823jhn (for job management), you can define an alias for John listing all the usernames or types of username he frequently accesses. Follow the steps listed below to add user aliases:
Navigate to Manage → Users.
Select the user you wish to add an alias to.
Click on the 'action' icon and then click on Configure User Alias.
Provide the alias name and click on Add; the alias is then added to the user list.
Click on Save.
Adding security to sessions taken by the user
When a user accesses an asset using a particular account, the recording of that session is visible under Session → Session View.
To add security to those sessions by controlling which session recordings are visible to a user, use any of the following methods:
Adding security using User Groups
Navigate to Manage → Users.
Click on the 'action' button and select Security Settings.
Tick the Session View Restricted To checkbox.
Click on the Specific User Groups radio button and select the User Group from the drop-down menu.
Click on Save.
Under this configuration, the users belonging to the selected user group will be able to view the session recordings under Session → Session View.
Adding security using Account Groups
Navigate to Manage → Users.
Click on the 'action' button and select Security Settings.
Tick the Session View Restricted To checkbox.
Click on the Specific Account Groups radio button and select the Account Group from the drop-down menu.
Click on Save.
Under this configuration, the user with accounts belonging to the selected account group will be able to view the session recordings under Session → Session View.
Adding session timeout for user
Navigate to Manage → Users.
Click on the action button and select Security Settings.
Untick the Global checkbox under Session Lockout and select a session timeout value from the drop-down menu.
Click on Save.
Under this configuration, the session taken by the user will be terminated after the specified session lockout value.
The global value for Session Timeout is under System → System Defaults → User Session Lockout (Minutes).
Adding security using Thin Client
Navigate to Manage → Users.
Click on the action button and select Security Settings.
Tick the Allow Access via Thin Client checkbox.
Click on the Allow Only From Specific Clients checkbox and enter the keys of the client machines in the text field.
Click on Save.
Under this configuration, the user will be able to take sessions only from the machines whose keys are specified in the settings.
To get the key of your client machine, follow the steps below:
Log in to PAM → Click on User Profile → Settings → Download Utilities → Click on Thin Client ID.
A window will display the key of your client machine for 15 seconds. To copy the key, click on the Copy to Clipboard button.
Resetting the multifactor authentication of user
To reset multifactor authentication for a user, click on the action icon of the user and click on Reset Multifactor. In the reset multifactor window, choose the appropriate authentication type applied to the user and click on Reset.