Automation via ConsoleApp

The ConsoleApp utility allows you to automatically manage Axidian Privilege objects and configure access permissions. For example, you can use the utility to create multiple resources or accounts at once, as well as revoke all unused permissions.

info

All operations performed by the utility are logged in the Events journal.

Authentication

Before using the utility, configure authentication to access Axidian Privilege. ConsoleApp supports the following OAuth 2.0 authentication modes:

• Resource Owner Password Flow (ROPC) — the utility obtains an access token on behalf of a PAM user and sends their credentials to the Axidian Privilege IDP component. All actions performed through the utility are executed on behalf of the PAM user, and the available operations are limited by the privileges of the specified user.
• Client Credentials Flow — the utility authenticates in PAM on its own behalf in Machine-to-Machine (M2M) mode. All actions performed through the utility are executed on behalf of the Console Application service client, and the available operations are limited by the privileges of this client.

Resource Owner Password Flow

info

For ROPC authentication, do not fill in the clientSecret parameter — leave the value empty.

To configure authentication:

1. Navigate to the utility folder and open the appsettings.json configuration file.
2. For the coreUrl parameter, specify the Core component address.
3. For the idpUrl parameter, specify the IdP component address.
4. For the authUsername parameter, specify the PAM user login.
   If the parameter is not specified, the login will be requested when the utility starts.
5. For the authPassword parameter, specify the PAM user password.
   If the parameter is not specified, the password will be requested when the utility starts.

When the utility starts, authentication is performed on behalf of the specified PAM user. If two-factor authentication is configured for the user, the utility will request an OTP code.

Client Credentials Flow

caution

It is not recommended to use this authentication method — all users working with the utility perform operations on behalf of the service client and have the same set of privileges. To differentiate permissions and improve security, use ROPC authentication.

To configure authentication:

1. Navigate to the utility folder and open the appsettings.json configuration file.
2. For the clientSecret parameter, specify the Console Application client secret.

When the utility starts, authentication is performed on behalf of the service client, and the OTP code is not requested.

Where to find the client secret?

Open the IdP component configuration file at:

• Windows: C:\inetpub\wwwroot\idp\appsettings.json
• Linux: /etc/axidian/axidian-pam/idp/appsettings.json

In the IdentitySettings section, the ConsoleAppClientSecret parameter contains the client secret.

Configuration file example

Resource Owner Password Flow

{
  "coreUrl": "https://pam.example.local/core",
  "idpUrl": "https://pam.example.local/idp",
  "clientSecret": "",
  "authUsername": "ConsoleAppUser",
  "authPassword": "#123QwerTy!",
  "skipErrorsInBulkProcessing": true,
  "NLog": {
    "variables": {
      "minLevel": "Trace",
      "dbMinLevel": "Info",
      "maxArchiveFilesPerCategory": 23
    },
    "rules": {
      "1": {
        "logger": "*",
        "minLevel": "Trace",
        "writeTo": "processFile"
      }
    }
  }
}

Client Credentials Flow

{
  "coreUrl": "https://pam.example.local/core",
  "idpUrl": "https://pam.example.local/idp",
  "clientSecret": "NPW8dALzsjzpSGDlTGIEMt5o6sjM8x3sz",
  "authUsername": "",
  "authPassword": "",
  "skipErrorsInBulkProcessing": true,
  "NLog": {
    "variables": {
      "minLevel": "Trace",
      "dbMinLevel": "Info",
      "maxArchiveFilesPerCategory": 23
    },
    "rules": {
      "1": {
        "logger": "*",
        "minLevel": "Trace",
        "writeTo": "processFile"
      }
    }
  }
}

Account operations

Create an account

Single account

To create an account in Axidian Privilege:

1. Navigate to the utility folder.

2. Run the utility with the parameters from the table:

   Windows

   .\Pam.ConsoleApp.exe create-account <parameter> <value>

   Linux

   dotnet ./Pam.ConsoleApp.dll create-account <parameter> <value>
   Parameters

   Parameter	Requirement	Description
   --username	Required	Account name
   --resource or --domain	Required	Account location: --resource — resource name --domain — domain name Specify one of the parameters.
   --password	Optional	Account password
   --description	Optional	Description
   --policy	Optional	Policy to apply to the account
   --key-file	Optional	Path to the SSH key file, for example: .\id_rsa
   --key-passphrase	Optional	SSH key file passphrase

   Command examples

   Windows

   Create an account

   .\Pam.ConsoleApp.exe create-account `
   --username Administrator `
   --resource app01.local `
   --password "Pass123$" `
   --description "Local admin" `
   --policy Default

   Create a domain account

    .\Pam.ConsoleApp.exe create-account --username Administrator --domain dev.local  

   Create an account with an SSH key

    .\Pam.ConsoleApp.exe create-account `
    --username root `
    --resource linux01.local `
    --password "Pass123$" `
    --key-file .\id_rsa `
    --key-passphrase "Passphrase"

   Linux

   Create an account

    dotnet ./Pam.ConsoleApp.dll create-account `
   --username Administrator `
   --resource app01.local `
   --password "Pass123$" `
   --description "Local admin" `
   --policy Default   

   Create a domain account

    dotnet ./Pam.ConsoleApp.dll create-account --username Administrator --domain dev.local  

   Create an account with an SSH key

    dotnet ./Pam.ConsoleApp.dll create-account `
    --username root `
    --resource linux01.local `
    --password "Pass123$" `
    --key-file .\id_rsa `
    --key-passphrase "Passphrase"

Multiple accounts

To create multiple accounts in Axidian Privilege:

1. Create a CSV file using the following template:

   Location type;Location Name;Username;Set password;Password;Description;SSH key file path;SSH key passphrase
   Parameters

   Parameter	Requirement	Description
   Location type	Required	Account type: Local — resource account Domain — domain account
   Location Name	Required	Resource or domain name
   Username	Required	Account name
   Set password	Required	Set a password for the account: true — set a password false — create the account without a password
   Password	Optional	Account password. Specify if Set password is set to true.
   Description	Optional	Description
   SSH key file path	Optional	Path to the SSH key file, for example: .\id_rsa
   SSH key passphrase	Optional	SSH key file passphrase

   CSV file example

   Local;dc.dev.local;root;true;root;Local account;;
   Local;raspberrypi;root;true;root;SSH key example;id_rsa;passphrase
   Domain;dev.local;Administrator;false;;Domain admin;;

2. Navigate to the utility folder and run the command:

   Windows

   .\Pam.ConsoleApp.exe create-accounts-from-file --file <file path>

   Linux

   dotnet ./Pam.ConsoleApp.dll create-accounts-from-file --file <file path>

Delete an account

To delete an account from Axidian Privilege:

1. Navigate to the utility folder.

2. Run the command, specifying the account name or its identifier:

   Windows

   .\Pam.ConsoleApp.exe delete-account --name <account name>

   .\Pam.ConsoleApp.exe delete-account --id <account identifier>

   Linux

   dotnet ./Pam.ConsoleApp.dll delete-account --name <location\account name>

   dotnet ./Pam.ConsoleApp.dll delete-account --id <account identifier>

   The identifier is displayed in the URL in the account profile.

   Command examples

   Windows

   Delete an account by name

   .\Pam.ConsoleApp.exe delete-account --name app01.local\User

   Delete an account by identifier

   .\Pam.ConsoleApp.exe delete-account --id a988f1b0-b871-43fa-a40c-6f4ac75f904c

   Linux

   Delete an account by name

   dotnet ./Pam.ConsoleApp.dll delete-account --name app01.local\Administrator

   Delete an account by identifier

   dotnet ./Pam.ConsoleApp.dll delete-account --id a988f1b0-b871-43fa-a40c-6f4ac75f904c

Resource operations

Create a resource

Single resource

To create a resource in Axidian Privilege:

1. Navigate to the utility folder.

2. Run the utility with the parameters from the table:

   Windows

   .\Pam.ConsoleApp.exe create-resource <parameter> <value>

   Linux

   dotnet ./Pam.ConsoleApp.dll create-resource <parameter> <value>
   Parameters

   Parameter	Requirement	Description
   --name	Required	Resource name
   --description	Optional	Description
   --dns-name or --ip-address	Required	Resource address: --dns-name — DNS name --ip-address — IP address Specify one of the parameters.
   --user-connection-type	Required	User connection type. For more details, see User connection.
   --user-connection-address	Optional	IP address or DNS name of the user connection
   --user-connection-port	Optional	User connection port
   --user-connection-matching-url	Optional	Login page URL for a web resource
   --user-connection-matching-url-is-regex	Optional	Indicates whether the login page URL is a regular expression: true — yes false — no Specify if the UC matching url parameter is set.
   --service-account	Optional	Service account name
   --service-connection-type	Optional	Service connection type. For more details, see Service connection.
   --service-connection-port	Optional	Service connection port
   --service-ssh-template	Optional	SSH connector template name. Specify if the service connection type is SSH.
   --cisco-privilege-mode-password	Optional	Cisco privileged mode password. Specify if the service connection type is Cisco IOS.
   --policy	Optional	Policy to apply to the resource

   Command examples

   Windows

   Create a resource

    .\Pam.ConsoleApp.exe create-resource `
    --name APP01 `
    --description "Application server" `
    --dns-name app01.local `
    --user-connection-type RDP `
    --user-connection-port 3389 `
    --service-account DOMAIN\svc_app `
    --service-connection-type Windows 

   Linux

   Create a resource

    dotnet ./Pam.ConsoleApp.dll create-resource `
    --name APP01 `
    --description "Application server" `
    --dns-name app01.local `
    --user-connection-type RDP `
    --user-connection-port 3389 `
    --service-account DOMAIN\svc_app `
    --service-connection-type Windows 

Multiple resources

To create multiple resources in Axidian Privilege:

1. Create a CSV file using the following template:

   Name;Description;DNS name;IP address;UC type;UC address;UC port;UC matching url;UC matching url is regex;SC account name;SC type;SC SSH template;SC address;SC port;Cisco privilege mode password
   Parameters

   Parameter	Requirement	Description
   Name	Required	Resource name
   Description	Optional	Description
   DNS name or IP address	Required	DNS name or IP address of the resource. Specify one of the parameters.
   UC type	Required	User connection type. For more details, see User connection.
   UC address	Optional	IP address or DNS name of the user connection
   UC port	Optional	User connection port
   UC matching url	Optional	Login page URL for a web resource
   UC matching url is regex	Optional	Indicates whether the login page URL is a regular expression: true — yes false — no Specify if the UC matching url parameter is set.
   SC account name	Optional	Service account name
   SC type	Optional	Service connection type. For more details, see Service connection.
   SC SSH template	Optional	SSH connector template name. Specify if the service connection type is SSH.
   SC address	Optional	IP address or DNS name of the service connection
   SC port	Optional	Service connection port
   Cisco privilege mode password	Optional	Cisco privileged mode password. Specify if the service connection type is Cisco IOS.

   CSV file example

   APP01;Application server;app01.local;;RDP;;;;;DOMAIN\svc_app;Windows;;;;
   WEB01;Corporate website;portal.local;;WebTemplate;https://portal.local/;;https://portal.local/login;FALSE;DOMAIN\svc_web;Windows;;;;
   SSH01;Linux server;;192.168.0.50;SSH;;;;;;;;;;

2. Navigate to the utility folder and run the command:

   .\Pam.ConsoleApp.exe create-resources-from-file --file <file path>

Delete a resource

To delete a resource from Axidian Privilege:

1. Navigate to the utility folder.

2. Run the command, specifying the resource name or its identifier:

   Windows

   .\Pam.ConsoleApp.exe delete-resource --name <resource name>

   .\Pam.ConsoleApp.exe delete-resource --id <resource identifier>

   Linux

   dotnet ./Pam.ConsoleApp.dll delete-resource --name <resource name>

   dotnet ./Pam.ConsoleApp.dll delete-resource --id <resource identifier>

   The identifier is displayed in the URL in the resource profile.

   Command examples

   Windows

   Delete a resource by name

   .\Pam.ConsoleApp.exe delete-resource --name app01.local

   Delete a resource by identifier

   .\Pam.ConsoleApp.exe delete-resource --id a988f1b0-b871-43fa-a40c-6f4ac75f904c

   Linux

   Delete a resource by name

   dotnet ./Pam.ConsoleApp.dll delete-resource --name app01.local

   Delete a resource by identifier

   dotnet ./Pam.ConsoleApp.dll delete-resource --id a988f1b0-b871-43fa-a40c-6f4ac75f904c

Permission operations

Create a permission

Single permission

To create a permission in Axidian Privilege:

1. Navigate to the utility folder.

2. Run the utility with the parameters from the table:

   Windows

   .\Pam.ConsoleApp.exe create-permission <parameter> <value>

   Linux

   dotnet ./Pam.ConsoleApp.dll create-permission <parameter> <value>
   Parameters

   Parameter	Requirement	Description
   --user	Required	PAM user name in UPN format
   --account	Optional	PAM account name for connecting to the resource. If not specified, the user will be prompted to enter the account credentials when starting a session.
   --resources or --resources-group	Required	Resource or resource group name. Specify in the format: <resource name>:<connection type> — for one or more resources <group name> — for a resource group
   --active-from	Optional	Date and time when the permission becomes active. Specify in the format DD.MM.YYYY HH:MM or DD.MM.YYYY.
   --active-to	Optional	Date and time when the permission is suspended. Specify in the format DD.MM.YYYY HH:MM or DD.MM.YYYY.
   --schedule-time-from	Optional	Time when the permission can be used. Specify in the format HH:MM.
   --schedule-time-end	Optional	Time when the permission cannot be used. Specify in the format HH:MM.
   --schedule-time-utc	Optional	Convert the specified access time from the current time zone to UTC: true — use the current time zone false — convert to UTC
   --allow-to-view-creds	Optional	Allow the user to view the credentials of accounts added to the permission: true — allow false — deny
   --allow-to-change-creds	Optional	Allow the user to change the credentials of accounts added to the permission: true — allow false — deny

   Command examples

   Windows

   Create a permission for multiple resources

   .\Pam.ConsoleApp.exe create-permission `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources srv01.local:RDP,srv02.local:SSH

   Create a permission for a resource group

   .\Pam.ConsoleApp.exe create-permission `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources-group PROD-SERVERS

   Create a permission with time restrictions

   .\Pam.ConsoleApp.exe create-permission `
     --user ivanov@domain.local `
     --resources srv01.local:SSH `
     --active-from "01.08.2026 09:00" `
     --active-to "31.08.2026 18:00" `
     --schedule-time-from 08:00 `
     --schedule-time-end 21:59 `
     --schedule-time-utc true `
     --allow-to-view-creds true `
     --allow-to-change-creds true

   Linux

   Create a permission for multiple resources

   dotnet ./Pam.ConsoleApp.dll create-permission `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources srv01.local:RDP,srv02.local:SSH

   Create a permission for a resource group

   dotnet ./Pam.ConsoleApp.dll create-permission `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources-group PROD-SERVERS

   Create a permission with time restrictions

   dotnet ./Pam.ConsoleApp.dll create-permission `
     --user ivanov@domain.local `
     --account resource\Administrator `
     --resources srv01.local:SSH `
     --active-from "01.08.2026 09:00" `
     --active-to "31.08.2026 18:00" `
     --schedule-time-from 08:00 `
     --schedule-time-end 21:59 `
     --schedule-time-utc true `
     --allow-to-view-creds true `
     --allow-to-change-creds true

Multiple permissions

To create multiple permissions in Axidian Privilege:

1. Create a CSV file using the following template:

   UserPrincipalName;AccountName;Resource1[:ConnectionType];Resource2[:ConnectionType];...;ResourceN[:ConnectionType]
   Parameters

   Parameter	Requirement	Description
   UserPrincipalName	Required	PAM user name in UPN format
   AccountName	Required	Account name in the DOMAIN\user format. If not specified, the user will be prompted to enter the account credentials when starting a session.
   Resource[:ConnectionType]	Required	Resource name and user connection type. Multiple resources can be specified. Example: srv01.local:RDP;srv02.local:SSH. If the resource has only one user connection, the connection type can be omitted.

   CSV file example

   ivanov@domain.local;DOMAIN\Administrator;srv01.local:RDP;srv02.local:SSH
   petrov@domain.local;;linux01.local:SSH

2. Navigate to the utility folder and run the command:

   Windows

   .\Pam.ConsoleApp.exe create-permissions-from-file --file <file path>

   Linux

   dotnet ./Pam.ConsoleApp.dll create-permissions-from-file --file <file path>

Revoke a permission

caution

Revoked permissions cannot be restored. If you need to temporarily restrict the use of a permission, suspend it instead.

Single permission

To revoke a permission:

1. Navigate to the utility folder.

2. Run the following command:

   Windows

   Revoke a permission by number

   .\Pam.ConsoleApp.exe revoke-permissions --permissions <permission numbers>

   Revoke a user permission

   .\Pam.ConsoleApp.exe revoke-permissions-by-user <parameter> <value>

   Linux

   Revoke a permission by number

   dotnet ./Pam.ConsoleApp.dll revoke-permissions --permissions <permission numbers>

   Revoke a user permission

   dotnet ./Pam.ConsoleApp.dll revoke-permissions-by-user <parameter> <value>
   Parameters

   Parameter	Requirement	Description
   --user	Required	PAM user name in UPN format
   --account	Optional	Account name
   --resources or --resources-group	Required	Resource or resource group name. Specify one of the parameters.

   Command examples

   Windows

   Revoke user permissions by resources

   .\Pam.ConsoleApp.exe revoke-permissions-by-user `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources srv01.local:RDP,srv02.local:SSH

   Revoke user permissions by resource group

   .\Pam.ConsoleApp.exe revoke-permissions-by-user `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources-group PROD-SERVERS

   Linux

   Revoke permissions for a resource

   dotnet ./Pam.ConsoleApp.dll revoke-permissions-by-user `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources srv01.local:RDP,srv02.local:SSH

   Revoke user permissions for a resource group

   dotnet ./Pam.ConsoleApp.dll revoke-permissions-by-user `
     --user ivanov@domain.local `
     --account DOMAIN\Administrator `
     --resources-group PROD-SERVERS

Multiple permissions

To revoke multiple permissions in Axidian Privilege:

1. Create a CSV file using the following template:

   UserPrincipalName;AccountName;Resource1[:ConnectionType];Resource2[:ConnectionType];...;ResourceN[:ConnectionType]
   Parameters

   Parameter	Requirement	Description
   UserPrincipalName	Required	PAM user name in UPN format
   AccountName	Required	Account name in the DOMAIN\user format. If not specified, the user will be prompted to enter the account credentials when starting a session.
   Resource[:ConnectionType]	Required	Resource name and user connection type. Multiple resources can be specified. Example: srv01.local:RDP;srv02.local:SSH

   CSV file example

   ivanov@domain.local;DOMAIN\Administrator;srv01.local:RDP;srv02.local:SSH
   petrov@domain.local;;linux01.local:SSH

2. Navigate to the utility folder and run the command:

   .\Pam.ConsoleApp.exe revoke-permissions-from-file --file <file path> 

After the command is executed, the specified permissions are set to the Revoked state.

Suspend a permission

An unused permission is a permission that has not been used within the period specified in the Monitoring settings. It is recommended to revoke or suspend such permissions.

To suspend unused permissions:

1. Navigate to the utility folder.

2. Run the following command:

   Windows

   .\Pam.ConsoleApp.exe suspend-unused-permissions

   Linux

   dotnet ./Pam.ConsoleApp.dll suspend-unused-permissions

After the command is executed, all unused permissions are set to the Suspended state.
The permission can be resumed at any time.