Version: Axidian Privilege 3.2

Operations on Users

This section describes the operations that can be performed on users.

Editing

  1. Open the user's profile.
  2. Click to the right of the parameter to set or edit it.

Selecting a Policy

  1. Open the user's profile.
  2. Click to the right of the Policy parameter to add or change a policy.

Creating a Permission

  1. Open the user's profile.
  2. Click Add permission.
  3. Select one or several resources, a group of resources or an ad hoc resource. Click Next.
  4. Select an Account. Click Next.
  5. Optionally set time restrictions. Click Next.
  6. Optionally set permission parameters. Click Next.
  7. Optionally enter a Description. Click Next.
  8. Review the data selected for the permission and click Create.

Adding to a Group

  1. Open the user's profile and go to the User Groups tab.
  2. Click Add User Groups.
  3. Select one or several groups.
  4. Click OK and then click Add.

Removing from a Group

  1. Open the user's profile and go to the User Groups tab.
  2. Select one or several groups.
  3. Click Remove.
  4. In the pop-up window, click Remove.

Password Reset

caution

This operation is only applicable for internal users.

  1. Open the internal user's profile.
  2. Click Reset password.
  3. Select one of the options: Set a password manually or Generate.
  4. If you selected Set a password manually, set the password.
  5. Pass the password to the user. After the form is closed, the password can no longer be viewed.
  6. Optionally disable the Require password change on first login option.
  7. Optionally disable the Abort all active sessions and log out option.
  8. Click Save.

Password Change Request

caution

This operation is only applicable for internal users.

  1. Open the internal user's profile.
  2. Click Reset password.
  3. Select Request Password Change.
  4. Optionally disable the Abort all active sessions and log out option.
  5. Click Save.

Resetting an Authenticator

  1. Open the user profile and go to the Authenticators tab.
  2. Click  to the right of the required authenticator.

Disabling an Authenticator

  1. Open the user profile and go to the Authenticators tab.
  2. Click  to the right of the Require second factor parameter and select the appropriate option:
    • Default — second factor is required;
    • Enabled — second factor is required;
    • Disabled — second factor is not required.

Blocking

This feature lets a PAM administrator quickly cut off a user's access to resources, without changing the resources or accounts themselves.

A blocked user is unable to:

  • open sessions;
  • view, set, or change account passwords;
  • access authentication data of AAPM applications.

At the moment a user is blocked, all active sessions are terminated.

caution

Block a user if you notice suspicious activity from them. This quickly cuts off the user's access to resources until the circumstances are clarified. Unblocking a user is as quick as blocking one.

To block a user:

  1. Go to the Users section.
  2. Open the user's profile.
  3. Click Block.
  4. In the pop-up window, click Block.

caution

Do not use this feature to revoke access for former employees. They will still be able to authenticate to the user console and the administrator console. When employees leave, remove their users from the directory service.

Unblocking a User

To unblock a user:

  1. Go to the Users section.
  2. Open the user's profile.
  3. Click Unblock.
  4. In the pop-up window, click Unblock.

Removing

caution

This operation is only applicable for internal users.

The user cannot be restored after deletion.

You cannot remove yourself or the first role administrator.

  1. Open the internal user's profile.
  2. Click Remove.
  3. Read the information in the pop-up window and click Remove.

Consequences of user deletion:

  • The user loses access to the PAM and cannot authenticate.
  • All active sessions end.
  • All granted permissions are revoked.
  • The user is excluded from all user groups in which the user is a member.
  • The user is excluded from the scope of the policy in which the user is a member.
  • The login of the deleted user changes: the suffix _deleted and a randomly generated string are added to the login. This avoids errors when creating new users whose username matches the username of a previously deleted user.

Removed users no longer appear in the Users section, but they can be viewed using extended search.