The section is intended to work with user directory of Active Directory.

By default, the page displays 15 users.

You can change the default number of users on a page in  the configuration file.

At the bottom of the page there is a paginator to view the remaining users. If there are fewer than 15 users, they are placed on one page and paginator is not displayed.

A maximum number of users that can be viewed is 1000. On the page with the 1000th user, you will see a message saying that more users cannot be loaded.

Search

Search is located in the Users section

Quick Search

Enter your First NameLast NamePhone Number or Email in whole or in part in the search bar.

Extended Search

Click Extended Search and enter one or more criteria: First NameLast NamePhone Number or Email in whole or in part.

User Profile

The profile displays the data of an Active Directory user:

  • Username — the name used to login to the system.

  • Path — LDAP.

  • Email — email address.

  • Phone — user phone number.

  • Policy — user-specific session policy.

  • Photo — user photo from Active Directory (thumbnailPhoto attribute).



Permissions

The user permissions are displayed in the Permissions tab.

The following data is displayed for every permission:

  • #permission number.
  • Users — the Active Directory user, the permission is given to. 
  • Resources — the resources that RDP, SSH or web session can be started at under the account specified in the permission. Next to the resource name there is the privileged account that is used to access the resource.
  • Permission status icons — A status tooltip will be displayed on mouse hover.

User Groups

All groups in which user is a member will be listed here.

Sessions

All active and finished sessions of the user are available in the Sessions tab.

The following data is displayed for every session:

  • User — An Active Directory directory user, which initiated the session.
  • Account — Privileged account, which is used to open the RDP, SSH or Web session.
  • Organizational unit — the organizational unit which contains resource of the session
  • Resource — The resource on which the RDP, SSH or Web session was opened on behalf of the privileged account.
  • Connection address — The actual address used to open the session.
  • Duration — The duration of the session.
  • Connection — Remote Connection Type (RDP, SSH, User connection types)
  • Connected to Axidian Privilege — Date and time when the session was opened.
  • Finished — Date and time when the session was finished.
  • State — Displays the current state of the session (active, finished or aborted).

To view detailed information about the session, you must click on it. To show all sessions for this user, click Show all.

Authenticators

The user authenticators and corresponding settings are displayed in the Authenticators tab. You can change the 2fa requirement setting here to enable, disable or use defaults. To change requirement setting:

  • Open the user profile and go to the Authenticators tab.
  • Click the penicon and select the appropriate option.

Events

The user events are displayed in the Events tab.

The following data is displayed for every event:

  • Creation time — date and time when the event was created.

  • Code — is the event code.

  • Event — is the event description.

  • Component — is the Axidian Privilege component that generated the event.

  • Initiator — is the account that initiated the event generation.

To view detailed information about the event, you must click on it. To show all events for this user, click Show all.

Resetting User Authenticator

  1. Open the user profile and go to the Authenticators tab.
  2. Click  to the right of the required authenticator.

Disabling User Authenticator

  1. Open the user profile and go to the Authenticators tab.
  2. Click the penicon to the right of the Require second factor and select the appropriate option:- Defaultsecond factor is required.
    - Enabled — second factor is required.
    - Disabledsecond factor is not required.

Blocking a User

This feature helps PAM administrator to quickly close user’s access to the resources. At the same time, there is no need to change resources and accounts.

A blocked user is unable to:

  • open sessions
  • view, set and change account password
  • access authentication data of AAPM applications

At the moment a user is blocked, all active sessions are closed.

Block a user if you notice suspicious actions from them. This allows you to quickly close user’s access to the resources until the circumstances are clarified. You can unblock a user as quickly as block them.

To block a user:

  1. Go to the Users section.
  2. Open the user's profile.
  3. Click Block.
  4. In the pop-up window, click Block.

Do not use this feature to close access to former employees. They will still be able to authenticate to the user console and the administrator console (if access was available). When employees leave, remove users from Active Directory.

Unblocking a User

To unblock a user:

  1. Go to the Users section.
  2. Open the user's profile.
  3. Click Unblock.
  4. In the pop-up window, click Unblock.

Setting a Policy for a User

  1. Open the user's profile.
  2. Click to add or change a policy.