Version: Axidian Privilege 3.2

Users

There are two types of users in Axidian Privilege 3.2:

  • users from the directory service;
  • internal users.

For users from the directory service, the Directory value is specified in the Source field. For internal users, the PAM value is specified in the Source field.

By default, the page displays 15 users. At the bottom of the page there is a paginator to view the remaining users. If there are fewer than 15 users, they are placed on one page and the paginator is not displayed.

You can change the default number of users on a page in the configuration file.

  • Windows: C:\inetpub\wwwroot\pam\mc\assets\config\config.prod.json
  • Linux: /etc/axidian/axidian-pam/mc/config.prod.json

The maximum number of users that can be viewed is 1000. On the page with the 1000th user, you will see a message saying that more users cannot be loaded.

Search is located in the Users section.

Enter the First Name, Last Name, Phone Number or Email, in whole or in part, in the search bar.

Click Extended Search and enter one or more criteria: First Name, Last Name, Phone Number or Email, in whole or in part.

info

There is no search by login.

To view deleted users:

  1. Open the Users section and click Extended Search.
  2. Select Deleted for the State parameter.
  3. Click Search.

User Profile

The profile displays the data of an Active Directory user:

  • Username — the name used to log in to the system.
  • Path — the user's LDAP path.
  • Email — email address.
  • Phone — user phone number.
  • Policy — user-specific session policy.
  • Photo — user photo from Active Directory (thumbnailPhoto attribute).

Permissions

The user permissions are displayed in the Permissions tab.

The following data is displayed for every permission:

  • # — permission number.
  • Users — the Active Directory user the permission is granted to.
  • Resources — the resources on which an RDP, SSH or web session can be started under the account specified in the permission. Next to the resource name is the privileged account used to access the resource.
  • Permission status icons — a status tooltip is displayed on mouse hover.

Sessions

All active and finished sessions of the user are available in the Sessions tab.

The following data is displayed for every session:

  • User — The Active Directory user who initiated the session.
  • Account — Privileged account, which is used to open the RDP, SSH or Web session.
  • Resource — The resource on which the RDP, SSH or Web session was opened on behalf of the privileged account.
  • Connection address — The actual address used to open the session.
  • Duration — The duration of the session.
  • Connection — Remote connection type (RDP, SSH, user connection types).
  • Connected to Axidian Privilege — Date and time when the session was opened.
  • Finished — Date and time when the session was finished.
  • State — Displays the current state of the session (active, finished or aborted).

To view detailed information about a session, click on it. To show all sessions for this user, click Show all.

Authenticators

This tab displays information about password and second factor, as well as SSH keys that allow users to connect to SSH Proxy without a password.

Password

  • Last password change is the date and time the password was changed in the Axidian PAM database. The field is only displayed for internal users.
  • Password expiration is the number of days, hours, or minutes remaining until the next password change. The field is only displayed for internal users.

2FA

  • Require the second factor: when Enabled or Default is selected, the second factor is required for authentication in the system. If you select Disabled, the user will not be prompted for the second factor.
  • Authenticator State: indicates whether the second-factor authenticator is registered. The Not enrolled value indicates an unregistered authenticator. When a user logs in to the Administrator Console or User Console for the first time, a page opens with authenticator registration instructions. After registration, the Enrolled value is displayed.

SSH keys

SSH keys allow users to connect to SSH Proxy without a password. A maximum of 10 SSH keys can be added per user. The keys must be unique within the user. The same key can be used by several users.

Supported key algorithms:

  • rsa-sha2-256
  • rsa-sha2-512
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519

Enable or disable the use of keys in Configuration → User Authentication → SSH Key Authentication.

caution

To add a key to a user, the administrator must have the User.ManageSshAuthorizedKeys privilege.

You can add an SSH key in two ways:

  • manually: paste the copied string containing the key algorithm and the key;
  • attach the X.509 certificate file.

To add a key manually:

  1. Open the user's profile.
  2. Go to the Authenticators tab.
  3. Click Add.
  4. Paste the key in OpenSSH format into the Public key field. The key string must contain the key algorithm and the key. Optionally, the string may contain a comment, such as a username and a host. Example: ssh-ed25519 AAAAC3... user@host.
  5. Optionally enter a Description.
  6. Click Add.
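The validation an administrator would want behind the Add button, as an added example that is not part of Axidian's documentation or product code: it parses an OpenSSH public key line as described in step 4, accepts only the key algorithms listed above, checks that the declared type matches the type embedded in the key blob (rsa-sha2-* lines wrap an ssh-rsa blob), and enforces the per-user rules of at most 10 keys and no duplicate key within a user. The key material is constructed and non-cryptographic; function names are my own.

```python
import base64

# Key types the page lists as supported for SSH Proxy key authentication.
SUPPORTED_KEY_TYPES = {
    "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
MAX_KEYS_PER_USER = 10  # per-user limit stated on the page


def parse_public_key(line: str) -> tuple[str, str, str]:
    """Validate an OpenSSH public key line; return (key type, base64 blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("line must contain the key type and the key")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in SUPPORTED_KEY_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    # The blob's first wire-format string (uint32 length + bytes) names its own type;
    # rsa-sha2-* lines wrap an "ssh-rsa" blob, so compare against that.
    length = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + length]
    expected = "ssh-rsa" if key_type.startswith("rsa-sha2-") else key_type
    if len(embedded) != length or embedded != expected.encode():
        raise ValueError(f"declared type {key_type} does not match blob type {embedded!r}")
    return key_type, b64, comment


def add_user_key(existing: list[str], new_line: str) -> list[str]:
    """Apply the page's per-user rules: at most 10 keys, no duplicate key (same blob,
    even with a different comment). Other users are not checked: sharing is allowed."""
    if len(existing) >= MAX_KEYS_PER_USER:
        raise ValueError(f"user already has {MAX_KEYS_PER_USER} SSH keys")
    _, new_blob, _ = parse_public_key(new_line)
    if any(parse_public_key(k)[1] == new_blob for k in existing):
        raise ValueError("this key is already registered for the user")
    return existing + [new_line.strip()]


def make_test_key(key_type: str, *fields: bytes, comment: str = "demo@host") -> str:
    """Build a CONSTRUCTED, non-cryptographic key line for demonstration only."""
    blob_type = "ssh-rsa" if key_type.startswith("rsa-sha2-") else key_type
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (blob_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"
```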

To remove an SSH key:

caution

An SSH key cannot be restored once removed.

  1. Open the user's profile.
  2. Go to the Authenticators tab.
  3. Select one or more keys.
  4. Click Remove.

When you remove an SSH key, sessions already opened with this key are not terminated.

info

If the same key is added to more than one user, keep in mind that removing a key from one user will not remove the same key from other users.

Events

The user events are displayed in the Events tab.

The following data is displayed for every event:

  • Creation time — date and time when the event was created.
  • Code — event code.
  • Event — event description.
  • Component — the Axidian Privilege component that generated the event.
  • Initiator — the account that initiated the event generation.

To view detailed information about an event, click on it. To show all events for this user, click Show all.