Version: Axidian Privilege 3.2

Users

This section is intended for working with the following types of Axidian Privilege users:

  • Users from directory service.
    For such users, the Source field indicates Catalog.
  • Internal users.
    For such users, the Source field indicates PAM.

By default, 15 users are displayed per page. When this number is exceeded, a page switcher appears at the bottom of the list. At most 1000 users can be viewed. The number of users displayed per page can be changed in the configuration file:

  • Windows: C:\inetpub\wwwroot\mc\assets\config\config.prod.json
  • Linux: /etc/axidian/axidian-privilege/mc/config.prod.json

Enter a first name, last name, phone number, or email address in the search field and click the search icon.

Click Extended search, select one or more filters and click Search.

Note

Login search is not supported.

To find removed users:

  1. Open the Users section and click Extended search.
  2. Select the Deleted value for the State parameter.
  3. Click Search.

Create an internal user

Warning

Do not close the window until you have passed the password to the user.

Connection via RDS is not available for internal users.

  1. Open the Users section.
  2. Click Create.
  3. Set the user's login. The login is used to access the user and administrator consoles.
  4. Select the option:
    • Set password manually — the password is set manually.
    • Generate — the password will be generated by PAM.
  5. Copy the password and pass it to the user.
  6. Set the Require password change on first login option.
  7. Set the user's Email.
  8. Click Optional fields and fill in the fields: First Name, Last Name, Phone, Description.
  9. Complete adding the user:
    • Click Create to stay in the Users section.
    • Click Create and open to navigate to the new user's profile.

User profile

For each user, the following is displayed:

  • Permissions — list of permissions granted to the user to connect to resources.
  • User groups — list of groups the user belongs to.
  • Sessions — list of active, ended, and aborted sessions.
  • Authenticators — information about the user's configured authenticators.
  • Events — records of operations related to the user.

Edit data in the profile

  1. Open the user's profile.
  2. Click the edit (pencil) icon next to the parameter to set or edit it.

Select a policy

  1. Open the user's profile.
  2. Click the edit (pencil) icon next to the Policy parameter.
  3. Select a policy from the list and click Select.

Configure authenticator

The Authenticators tab displays information about the password, the second factor, and the SSH keys that allow connecting to SSH Proxy without a password.

For an internal PAM user, the date and time of the last password change, as well as the password expiration period, are displayed.

For all users, the authenticator status is displayed. The value Not enrolled indicates an unregistered authenticator. When the user first logs into the administrator console or user console, a page with instructions for registering the authenticator will open. After registration, the value Enrolled is displayed.

Add SSH key

SSH keys allow connecting to SSH Proxy without a password. A maximum of 10 SSH keys can be added to one user. Keys must be unique within a single user, but can be repeated across different users.

Enabling or disabling the use of keys can be done in the Configuration section.

Warning

To add a key to a user, the administrator must have the User.ManageSshAuthorizedKeys privilege.

An SSH key can be supplied in one of two ways:

  • paste the copied string containing the key type and the key;
  • attach an X.509 certificate file.

To add an SSH key:
  1. Open the user's profile.
  2. Go to the Authenticators tab.
  3. Click Add.
  4. Paste the key in OpenSSH format into the Public key field. The key string must contain the key type and the key. Optionally, the string may end with a comment, such as a username and a host. Example: ssh-ed25519 AAAAC3... user@host
  5. Optionally enter a Description.
  6. Click Add.

Warning

The key cannot be recovered after deletion.

To delete an SSH key:

  1. Open the user's profile.
  2. Go to the Authenticators tab.
  3. Select one or more keys.
  4. Click Remove.

Deleting an SSH key does not terminate a session that was already opened with that key; such a session must be terminated separately (blocking the user terminates all of the user's active sessions).

Note

If the same key is added to multiple users, deleting the key for one user will not result in the deletion of the same key for other users.
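The following Python script is an added example, not Axidian Privilege code. It checks an OpenSSH public key line of the form shown in step 4 (key type, base64 body, optional comment) before it is pasted into the Public key field, computes the key's SHA256 fingerprint, and models the per-user rules from this section: at most 10 keys per user, no duplicate key within one user, the same key allowed on several users, and deletion on one user leaving the other users' copies in place. The accepted key-type list, the fingerprint format, and the sample keys are the example's own assumptions; the sample keys are constructed test data, not real key pairs.

```python
"""Validate an OpenSSH public key line and model the per-user key rules.

Added example, not Axidian Privilege code. Assumptions: the accepted key-type
set and the SHA256 fingerprint format (the one `ssh-keygen -lf` prints) are
ours; the page itself only shows an ssh-ed25519 key as an example.
"""
import base64
import hashlib
import re
import struct

ACCEPTED_TYPES = {  # assumption: key types this checker accepts
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
MAX_KEYS_PER_USER = 10  # limit stated on the page


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: big-endian uint32 length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_openssh_public_key(line: str) -> dict:
    """Check '<type> <base64> [comment]' and return type, fingerprint, comment.

    The type prefix must match the type string encoded inside the blob; this
    catches a key pasted with the wrong prefix or a blob that is not an SSH key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("key body is not base64")
    blob = base64.b64decode(b64, validate=True)
    embedded_type, pos = _read_ssh_string(blob, 0)
    if embedded_type != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the type encoded in the key")
    if key_type == "ssh-ed25519":
        point, _ = _read_ssh_string(blob, pos)
        if len(point) != 32:
            raise ValueError("ssh-ed25519 public key must be 32 bytes")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "fingerprint": "SHA256:" + digest, "comment": comment}


class UserSshKeys:
    """Keys of one user: at most 10, no duplicate within the user (page rules)."""

    def __init__(self) -> None:
        self._keys = {}  # fingerprint -> parsed key plus description

    def add(self, line: str, description: str = "") -> str:
        key = parse_openssh_public_key(line)
        fp = key["fingerprint"]
        if fp in self._keys:
            raise ValueError("this key is already registered for the user")
        if len(self._keys) >= MAX_KEYS_PER_USER:
            raise ValueError(f"a user may have at most {MAX_KEYS_PER_USER} SSH keys")
        self._keys[fp] = {**key, "description": description}
        return fp

    def remove(self, fingerprint: str) -> None:
        # Affects this user only: other users holding the same key keep it,
        # and (as the page notes) sessions already opened with it stay open.
        del self._keys[fingerprint]

    def __len__(self) -> int:
        return len(self._keys)


def make_sample_ed25519_line(seed: int, comment: str) -> str:
    """Constructed test data: a well-formed ssh-ed25519 line whose 32-byte
    'public point' is a hash of the seed. Structurally valid, not a real key."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    alice, bob = UserSshKeys(), UserSshKeys()
    line = make_sample_ed25519_line(1, "alice@laptop")
    fp = alice.add(line, "laptop")
    bob.add(line)            # the same key on a second user is allowed
    print(fp, len(alice), len(bob))
    alice.remove(fp)         # bob still has the key
    print(len(alice), len(bob))
```

The fingerprint the checker prints can be compared with the output of `ssh-keygen -lf <file>.pub` on the user's machine before the key is accepted, which is a cheap way to confirm that the string pasted into the Public key field is the one the user actually generated.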

Set up authenticator

  1. Open the user's profile and go to the Authenticators tab.
  2. Click the edit (pencil) icon next to the Require 2FA parameter and select one of the options:
    • Default — the system-wide setting applies; by default this requires the user to enter a second factor to authenticate in the system.
    • Enabled — the user is required to enter a second factor to authenticate in the system.
    • Disabled — the user is not required to enter a second factor to authenticate in the system.
  3. Click Change.

To reset an authenticator, click the reset icon next to the desired authenticator.

Add permission

  1. Open the user's profile.
  2. Click Add permission.
  3. Select the permission parameter:
    • Resources — permission is granted to one or more selected resources.
    • Resource groups — permission is granted to the selected resource group.
    • Ad hoc resources — permission is granted to any resources with the selected connection type, including resources not registered in PAM.
  4. Select the account for the user's connection:
    • Select account in PAM — a service account on whose behalf the user will open the session on the resource.
    • Use user account — the permission does not specify a service account; PAM will request the user's credentials before opening the session.
  5. Configure Time restrictions and click Next.
  6. Configure Permission parameters and click Next.
  7. Enter a description and click Next.
  8. Check the selected data and click Create.
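The Python model below is an added example, not Axidian Privilege code. It encodes the three target kinds from step 3 (selected resources, a resource group, or ad hoc resources of one connection type), the two account choices from step 4 (a PAM service account, or the user's own credentials requested by PAM), and a time restriction from step 5, then answers which permissions cover a given resource at a given moment. The shape of the time restriction (one daily window), the resolution logic, and all resource and permission data are the example's own assumptions, constructed to show one point worth checking before granting ad hoc permissions: they match hosts that are not registered in PAM at all.

```python
"""Model of the permission shapes described in the steps above.

Added example, not Axidian Privilege code. Assumptions: the time restriction
is modelled as a single daily window; an ad hoc permission matches any
resource of the chosen connection type, registered in PAM or not.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    connection_type: str                       # e.g. "SSH", "RDP"
    groups: FrozenSet[str] = frozenset()
    registered: bool = True                    # False: host not registered in PAM


@dataclass(frozen=True)
class Permission:
    description: str
    # Exactly one target kind (step 3).
    resources: FrozenSet[str] = frozenset()
    resource_group: Optional[str] = None
    ad_hoc_connection_type: Optional[str] = None
    # Step 4: PAM service account, or None for "Use user account".
    service_account: Optional[str] = None
    # Step 5 (assumed shape): allowed daily window, None = no restriction.
    allowed_hours: Optional[Tuple[time, time]] = None

    def applies_to(self, resource: Resource) -> bool:
        if self.ad_hoc_connection_type is not None:
            # Ad hoc: any resource with this connection type, even one that
            # is not registered in PAM. This is the broadest grant on the page.
            return resource.connection_type == self.ad_hoc_connection_type
        if not resource.registered:
            return False                      # other kinds need a PAM resource
        if self.resource_group is not None:
            return self.resource_group in resource.groups
        return resource.name in self.resources

    def allowed_at(self, when: datetime) -> bool:
        if self.allowed_hours is None:
            return True
        start, end = self.allowed_hours
        t = when.time()
        if start <= end:
            return start <= t < end
        return t >= start or t < end          # window that crosses midnight


def applicable_permissions(perms: List[Permission], resource: Resource,
                           when: datetime) -> List[Permission]:
    """Permissions that cover this resource at this moment."""
    return [p for p in perms if p.applies_to(resource) and p.allowed_at(when)]


def session_account(p: Permission) -> str:
    """Account used for the session: the PAM service account, or the user's
    own credentials, which PAM requests before opening the session."""
    return p.service_account or "<user credentials, requested by PAM>"


# Constructed sample data (hypothetical names).
PERMS = [
    Permission("DBA on db-01", resources=frozenset({"db-01"}),
               service_account="svc_dba"),
    Permission("Windows prod, business hours", resource_group="windows-prod",
               service_account="svc_rdp", allowed_hours=(time(9), time(18))),
    Permission("Ad hoc SSH with own account", ad_hoc_connection_type="SSH"),
]
DB01 = Resource("db-01", "SSH")
WIN01 = Resource("win-01", "RDP", groups=frozenset({"windows-prod"}))
JUMP = Resource("10.0.0.99", "SSH", registered=False)
UNREG_RDP = Resource("10.0.0.100", "RDP", registered=False)

if __name__ == "__main__":
    at = datetime(2024, 5, 6, 10, 0)
    for r in (DB01, WIN01, JUMP, UNREG_RDP):
        for p in applicable_permissions(PERMS, r, at):
            print(f"{r.name}: {p.description} -> {session_account(p)}")
```

Run as-is, the script shows that db-01 is reachable both through the service-account permission and through the ad hoc SSH grant, that the unregistered SSH host is reachable only through the ad hoc grant with the user's own credentials, and that the unregistered RDP host is not reachable at all; the group permission on win-01 stops applying outside its window.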

Add and remove from group

To add a user to a group:

  1. Open the user's profile and go to the User Groups tab.
  2. Click Add user group.
  3. Select one or more groups and click OK.

To remove a user from a group:

  1. Open the user's profile and go to the User Groups tab.
  2. Select one or more groups.
  3. Click Remove.
  4. In the pop-up window, click Remove.

To add multiple users to a group, in the Users section select the required users and click Add to group. Select one or more groups and click OK.

Set, reset, or request password

Warning

Available only for internal users.

  1. Open the internal user's profile.
  2. Click Reset password.
  3. Select one of the checkboxes:
    • Generate — password is created automatically.
    • Set password manually — password is set in manual mode.
    • Request password change — PAM prompts the user for a new password at the next login to the system.
  4. Provide the password to the user. After closing the form, it will be impossible to retrieve the password.
  5. Set the checkbox Require password change on first login.
  6. Set the checkbox Terminate all active sessions and log out.
  7. Click Save.

To reset the password for multiple users, in the Users section select the required users and click Request password change. You can terminate all active sessions of the selected users.

Block and unblock

Block a user if you need to restrict access to PAM. When blocked, access to the system is completely terminated: authentication in user and administrator consoles is unavailable, and all active sessions are terminated. A user can be unblocked at any time.

To block a user:

  1. Go to the Users section.
  2. Open the user's profile.
  3. Click Block.
  4. In the pop-up window, click Block.

To block multiple users, in the Users section select the required users and click Block.

To unblock a user:

  1. Go to the Users section.
  2. Open the blocked user's profile.
  3. Click Unblock.
  4. In the pop-up window, click Unblock.

To unblock multiple users, in the Users section, select the blocked users and click Unblock.

Delete a user

Warning

This operation is only applicable to internal users.

A deleted user cannot be restored. You cannot delete your own account or the first role administrator.

To delete a user:

  1. Open the internal user's profile.
  2. Click Remove.
  3. Read the information in the pop-up window and click Remove.

To delete multiple PAM users, in the Users section, select the required users and click Remove.

Upon user deletion:

  • The user will lose access to PAM and will no longer be able to authenticate.
  • All active sessions will be terminated.
  • All granted permissions will be revoked.
  • The user will be removed from all user groups.
  • The user will be removed from the scope of all policies.

Deleted users no longer appear in the Users section, but they can be viewed using extended search.