- Created by Maksim Kuzmov, last modified by Pavel Golubnichiy on Jan 24, 2020
Directory (User directory)
Active Directory users cannot use privileged accounts unless they are members of the User directory. A container or organizational unit (OU) can be used as the Directory.
Users (Target users)
These are Active Directory users that are members of the container or organizational unit defined as the User directory. Permissions to use privileged accounts can be granted only to such users.
Accounts (Access accounts)
These are local or domain accounts used to start RDP, SSH or web sessions. Active Directory can store both the User directory and the Access accounts.
Resources (Target resources)
These are servers, workstations or other equipment on which RDP, SSH or web sessions are started. A session can be started either as a local account stored on the server, workstation or other equipment, or as a domain account.
Active Directory Domains
Active Directory domains are the source of domain accounts: domain accounts are the accounts added to Indeed PAM from a domain.
Data storage
Data used by Indeed PAM is kept in data storage; a Microsoft SQL Server instance is used as the storage. The following components require a database:
- Indeed PAM Core (2 databases)
- Indeed PAM IdP
- Indeed Log Server
Service account to use with User directory
This is an Active Directory account with permission to read user properties in the Directory.
Service account to use with data storage
This is an account with read and write permissions to the databases. A SQL account is used as the service account.
Service account to use with video storage
This is an account with read and write permissions to the network storage. An Active Directory account is used as the service account.
Service account to use with Domain access accounts
This is a domain account with permission to reset the passwords of domain Access accounts stored in Active Directory containers or organizational units.
Privileged Access accounts security group of Active Directory
An Active Directory security group that contains the domain Privileged accounts.
Service account for working with local Access accounts
This is a domain or local account that has local administrator privileges on a Windows resource, or the privilege to execute the sudo command on a *nix resource.
User authenticator
This is used to provide two-factor authentication when a user signs in or starts a privileged session.
Service connection
A service connection can be used for the following operations with resources and domains:
- Checking the connection to a resource or domain
- Synchronizing local or domain accounts
- Checking an account password
- Changing an account password
Service operations are performed under the following account types:
- For Windows resources, you can use:
  - A local account with administrator privileges
  - An Active Directory account with local administrator privileges
- For *nix resources, you can use:
  - A local account with the privilege to execute the sudo command
- For Active Directory domains, you can use:
  - A domain account with permission to reset passwords
User connection
A user connection must be configured for each resource. The connection determines how a domain or local account connects to the resource. A resource can have only one user connection of a given type:
- RDP – connection to the resource via RDP
- SSH – connection to the resource via SSH
- Web – connection to a web resource via HTTP or HTTPS
Permissions
Permissions are used to manage privileged access. Any Active Directory user can be granted a permission to start an RDP, SSH or Web session on a Target resource under a local or domain account.
A permission contains:
- User – the Active Directory user for whom the permission is issued.
- Account – the local or domain account the Active Directory user uses to start a session on the resource.
- Resource – the resource on which the session is started as the local or domain Access account.
A permission cannot be modified while it is in use. Revoked permissions cannot be restored.
Access account states
- Pending – an account has the Pending state if it was added to Indeed PAM by synchronization with a resource or domain. This is because the Indeed PAM database contains no password for the account. As a result, the account is not managed by Indeed PAM and cannot be part of a permission.
- Managed – the account has a password in the Indeed PAM database. Therefore, the account is managed by Indeed PAM and can be part of a permission.
- Ignored – an account can be switched to Ignored from the Pending or Managed state. In this case, the account is stored without a password and is not managed by Indeed PAM. The account cannot be part of a permission, and all permissions it was used in are revoked.
- Blocked – an account can be switched to Blocked from the Managed state. In this state, the account cannot be part of a permission, and all permissions it was used in are suspended.
- Removed – an account can be switched to Removed from any other state. A removed account is not managed by Indeed PAM and is hidden from the common list. All permissions it was used in are revoked. A removed account can be restored and switched to the Managed state if required.
Resource states
- Stand by – the resource is added to Indeed PAM.
- Blocked – the resource has been blocked and cannot be part of a permission. All permissions it was used in are suspended.
- Removed – a resource can be switched to Removed from any other state. Removed resources are hidden from the common list. A removed resource can be restored and switched to the Stand by state if required.
Domain states
- Stand by – the domain is added to Indeed PAM.
- Removed – a domain can be switched to the Removed state. Removed domains are hidden from the common list. A removed domain can be restored and switched to the Stand by state if required.
Session states
- Active – if the user has a permission to access the target resource under the specified account, neither the account nor the resource is blocked, and the permission is not revoked, the server creates a session, which becomes active.
- Finished – the session ends when the user ends the session with the target resource, for example by terminating the remote access session to the server or closing the window of the working application or web page.
- Aborted – the session becomes aborted when the PAM administrator forcibly terminates the active user session.
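The access account states above and the condition for an Active session, modelled as an added example (this is not Indeed PAM code): the account, user and resource names are constructed, and transitions the page does not describe (such as unblocking) are assumed to be forbidden.

```python
from dataclasses import dataclass, field
from enum import Enum

class AccountState(Enum):
    PENDING = "Pending"   # synchronized from a resource or domain; no password stored yet
    MANAGED = "Managed"   # password stored; may be part of a permission
    IGNORED = "Ignored"   # kept without a password; its permissions are revoked
    BLOCKED = "Blocked"   # its permissions are suspended
    REMOVED = "Removed"   # hidden; its permissions are revoked; can be restored to Managed

# Source states allowed for each target state (Pending -> Managed is implied by a password being stored; unblocking is not described on the page, so this example forbids it).
ALLOWED_FROM = {
    AccountState.MANAGED: {AccountState.PENDING, AccountState.REMOVED},
    AccountState.IGNORED: {AccountState.PENDING, AccountState.MANAGED},
    AccountState.BLOCKED: {AccountState.MANAGED},
    AccountState.REMOVED: set(AccountState) - {AccountState.REMOVED},   # from any other state
}

@dataclass
class Permission:
    user: str       # Active Directory user the permission is issued for
    account: str    # Access account used to start the session
    resource: str   # Target resource the session is started on
    state: str = "Active"   # "Active", "Suspended" or "Revoked"; Revoked is final

@dataclass
class Account:
    name: str
    state: AccountState = AccountState.PENDING
    permissions: list = field(default_factory=list)

    def transition(self, new: AccountState) -> None:
        if self.state not in ALLOWED_FROM.get(new, ()):
            raise ValueError(f"{self.name}: {self.state.value} -> {new.value} is not allowed")
        self.state = new
        effect = {AccountState.IGNORED: "Revoked", AccountState.REMOVED: "Revoked",
                  AccountState.BLOCKED: "Suspended"}.get(new)
        for p in self.permissions:
            if effect and p.state != "Revoked":   # revoked permissions cannot be restored
                p.state = effect

def grant(user: str, account: Account, resource: str) -> Permission:
    if account.state is not AccountState.MANAGED:   # only Managed accounts can be part of one
        raise ValueError(f"{account.name} is {account.state.value}, not Managed")
    account.permissions.append(Permission(user, account.name, resource))
    return account.permissions[-1]

def can_start_session(perm: Permission, account: Account) -> bool:
    # Active session: permission neither revoked nor suspended, account not blocked (still Managed).
    return perm.state == "Active" and account.state is AccountState.MANAGED
```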
Policies
A policy is a set of settings that is propagated to multiple system objects. A single object can be assigned only one policy of a given type.
- Account policies – are propagated to accounts and apply to resources and domains.
- Session policies – are propagated to sessions and apply to accounts.