Permissions allow AD users to open sessions.

To work with permissions, you should have the PERMISSIONS MANAGEMENT privileges (Permission.Create, Permission.Read, Permission.Revoke, Permission.Suspend).


Click Create in the Permissions section.


If you need to grant permission to a User group, then go to the User Groups section, select the group and click Add permission

Organizational Unit

Select OU the resource is located in. This item will not be displayed when a permission is created by the Local administrator of a particular OU.

User

Any AD user that is a member of the User Directory can be used for creating a permission.

  • Enter Name, Surname, Phone number or Email in whole or in part.
  • Select one or more users.

Resource

Any resource added to Indeed Identity PAM can be used for permission.

  • Enter the Resource name or Address (DNS address / IP address) in whole or in part.

  • Select one or more resources.

If more than one resource is selected, domain accounts or a personal user account will be used to access them.

Account

To access the resource, a local, domain or personal user account can be used.

Choosing a Domain or Local Account

  • Enter Account name in whole or in part.
  • Select an account.

Choosing a Personal User Account

  • Click Continue using user account on the Select account page.

Time Restrictions

For permission, you can set the validity period — start date and time, end date and time.

  • Select Begin and End options.

  • Choose a date and time.

If the Begin and End options are not selected, then the permission will be considered permanent.

You can also set Access schedule. It is not possible to use the permission outside the schedule.

  • Check Allow access only option.
  • Set From and To time.

If options From and To are not selected, then the permission will be valid around the clock.


When the permission expires or when the time set in the access schedule expires, the session will be terminated.

Additional Permission Options

Credentials

Indeed Identity PAM allows the user to view the password of privileged accounts that are used in his permissions.

  • Check the Allow user to view account credentials option (can be disabled in the mc, uc and core settings with the allowRevealCredentials option).
  • Finish creating the permission.

Indeed Identity PAM allows the user to change the passwords of privileged accounts that are used in his permissions.

  • Check the Allow change account credentials option.
  • Finish creating the permission.

Connection Source

Indeed Identity PAM allows you to set restrictions on connections to resources. You can specify the network from which a given connection can be used.

If no Network Locations have been added, the only option in the drop-down menu will be No Restrictions. This means that this permission can be used from any device on the network.

Raising Privileges in SSH Sessions

Indeed Identity PAM allows you to set custom permission settings for pamsu.

There are three options:

Managed by policies — access to pamsu will be provided in accordance with the policy selected for the resource for which permission is granted.

Allowed — regardless of policy settings, this permission will provide the access to pamsu.

Denied — regardless of the policy settings in this permission, access to pamsu will be disabled.