Resources

The section is intended for working with resources — objects that need to be accessed on behalf of accounts stored in Axidian Privilege. Resources include Windows and Linux servers, workstations, DBMS, network equipment, websites, or client applications.

Resource profile

The following is displayed for each resource:

• User connections — the list of connections used to establish a connection to the resource.
  For each resource, you can create multiple user connections. This is required when the server hosts multiple applications that require privileged access.
• Permissions — the list of issued permissions for connecting to the resource.
• Local accounts — the list of accounts used to open a session on the resource.
• Resource groups — the list of groups the resource is added to.
• Sessions — the list of active, finished, and aborted sessions on the resource.
• Events — records of operations related to the resource.
• Services — the list of applications that can start automatically when the operating system starts. The tab is displayed if the associated resource has a service connection configured for Windows.

Find resource

Enter the resource name, DNS name, IP address, connection address, or tag in the search bar and click .

Click Extended search, enter one or more queries, and click Search.

Add resource

To connect to a resource, it must be added to Axidian Privilege. This can be done in the following ways:

• Manually in the PAM administrator console.
• Automatically using a CSV file, if you need to add multiple resources at once.

Add manually

1. Go to the Resources section and click Add.

2. Fill in the Resource name field.
   For resources with Windows OS, specify the computer name.

3. Fill in the DNS name and/or IP address field.

4. Enter a description and click Next.

5. Select the user connection type.

6. Select the connection address:

   • Inherit from the resource — the connection address duplicates the DNS name, URL, or IP address of the resource.
   • Enter manually — the connection address is set manually in the format https://app.local:port or https://app.local.

7. Fill in the Port field.

8. Specify additional parameters depending on the selected connection type:

   PostgreSQL or MSSQL

   Fill in the Default database field.
   Choosing a default database does not restrict the user's access to other databases on this resource. The available databases are determined by the rights of the DBMS account specified in the permission.

   SSH

   1. Set SSH key fingerprint:

      • Get from resource — use the SSH key fingerprint from the resource.
      • Enter manually — select the algorithm and enter the fingerprint in SHA256 format.

   2. Specify the login formats for local and domain accounts:

      • Default — the format specified in the connection configuration.

      • Set manually — login formats are set manually.
        Use the required variable %username% and the optional variables %location%, %location-dns%.

        Examples

        Login format for john.smith@pam.local

        %username%@%location-dns%

        Login format for SPACE\john.smith

        %location%\%username%

        Login format for john.smith

        %username%
   RDP

   (Optional) Enable the Run as administrator option.
   The RDP session will open with the /admin parameter. The user will have access to the administrative console and will be able to execute commands that require elevated privileges.

   User connection

   info

   You can add your own custom connection type in the Configuration → User connection section.

   1. (Optional) In the URL field, specify the URL to go to when starting the web session.

   2. (Optional) Enable the Regular expression option if query parameters are dynamically added to the URL when navigating to the specified page.
      In the URL field, specify the regular expression corresponding to the page address.

      Example

      The session opens at https://app.org/mainpage .
      
      When clicking on a link to a URL, the parameters theme and page are dynamically added.
      The page address takes the form https://app.org/mainpage /?theme=dark&page=dashboard.
      
      To go to the desired address, enable the Regular expression option and in the URL field, specify the regular expression corresponding to the page address.
      For example: https://app.org/mainpage *, where the character * replaces additional parameters in the query string.

9. (Optional) Enable the Use connector for service connection option and configure the service connection. On the next step, select the service account.

10. Click Next.

11. Check the entered data and click Save.

Add from file

1. Create a CSV file using the following template:

   Name;Description;DNS name;IP address;UC type;UC address;UC port;UC matching url;UC matching url is regex;SC account name;SC type;SC SSH template;SC address;SC port;Cisco privilege mode password
   Parameters

   Parameter	Requirement	Description
   Name	Required	Resource name
   Description	Optional	Description
   DNS name or IP address	Required	DNS name or IP address of the resource. Specify one of the parameters.
   UC type	Required	User connection type. For more details, see User connection.
   UC address	Optional	IP address or DNS name of the user connection
   UC port	Optional	User connection port
   UC matching url	Optional	Login page URL for a web resource
   UC matching url is regex	Optional	Indicates whether the login page URL is a regular expression: true — yes false — no Specify if the UC matching url parameter is set.
   SC account name	Optional	Service account name
   SC type	Optional	Service connection type. For more details, see Service connection.
   SC SSH template	Optional	SSH connector template name. Specify if the service connection type is SSH.
   SC address	Optional	IP address or DNS name of the service connection
   SC port	Optional	Service connection port
   Cisco privilege mode password	Optional	Cisco privileged mode password. Specify if the service connection type is Cisco IOS.

   CSV file example

   APP01;Application server;app01.local;;RDP;;;;;DOMAIN\svc_app;Windows;;;;
   WEB01;Corporate website;portal.local;;WebTemplate;https://portal.local/;;https://portal.local/login;FALSE;DOMAIN\svc_web;Windows;;;;
   SSH01;Linux server;;192.168.0.50;SSH;;;;;;;;;;

2. In the administrator console, go to the Resources section.

3. Click Add from file.

4. In the window that opens, click Select and upload the CSV file.

5. (Optional) Enable the Add with policy option if a policy needs to be defined for the resources.

6. Click Save

Add resource to group

Groups allow you to organize work in the console. Group resources by the attribute you need, for example by department or connection type.

To add a resource to a group:

1. Open the resource profile and go to the Resource groups tab.
2. Click Add resource group.
3. Select a group and click Next.
4. Select one or more user connections and click Next.
5. Select one or more accounts for user connection and click Next.
6. Check the data and click Add.

Add service

info

The tab is displayed if the resource has a service connection configured for Windows.

Add to PAM the services that run on behalf of accounts managed by PAM. These services will automatically receive the current account password when it is changed through PAM.

To add a service:

1. Open the resource profile and Services tab.
2. Click add Add service.
3. Enter the service name and description.
4. (Optional) Set the Restart the service when the service password is changed option and click Next.
5. Select account for service and click Next.
6. Check the data and click Add.

Select policy

A policy regulates user actions on a resource. For example, you can restrict the use of the clipboard or allow the execution of certain SSH commands.

One resource

To set a policy:

1. Open the resource profile and click next to the Policy parameter.
2. In the window that appears, select a policy and click Select.

Multiple resources

To set a policy for multiple resources:

1. Go to the Resources section and select the resources you need.
2. Click Set policy.
3. Select a policy and click Select.
4. Click Set to confirm the policy selection.

Set organizational unit

One resource

To set an organizational unit:

1. Go to the Resources section and open the resource profile.
2. Click Move.
3. In the window that appears, select an organizational unit and click OK.

Multiple resources

To set an organizational unit for multiple resources:

1. Go to the Resources section and select the resources you need.
2. Click Set organizational unit.
3. Select an organizational unit and click OK.
4. Click Set to confirm the organizational unit selection.

Add and delete tag

Tags help organize work in PAM. If you don't have any tags yet, create them in the Configuration section.

One resource

To add tags to a resource:

1. Open the resource profile and click next to the Tags field.
2. Select one or more tags and click Next.
3. Check the data and click Add.

Multiple resources

To add tags to multiple resources:

1. In the Resources section, select the resources you need and click Add tags.
2. Select one or more tags and click Next.
3. Check the data and click Add.

To delete a tag, in the resource profile click next to the desired tag and confirm the action.

Add user connection

Add a user connection to open sessions over various protocols.

1. Open the resource profile.

2. On the User connections tab, click Add user connection.

3. Select the connection type.

4. Select the connection address:

   • Inherit from the resource — the connection address duplicates the DNS name, URL, or IP address of the resource.
   • Enter manually — the connection address is set manually in the format https://app.local:port or https://app.local.

5. (Optional) Specify the port if it differs from the default port.

6. Specify additional parameters depending on the selected connection type:

   PostgreSQL or MSSQL

   Fill in the Default database field.
   Choosing a default database does not restrict the user's access to other databases on this resource. The available databases are determined by the rights of the DBMS account specified in the permission.

   SSH

   1. Set SSH key fingerprint:

      • Get from resource — use the SSH key fingerprint from the resource.
      • Enter manually — select the algorithm and enter the fingerprint in SHA256 format.

   2. Specify the login formats for local and domain accounts:

      • Default — the format specified in the connection configuration.

      • Set manually — login formats are set manually.
        Use the required variable %username% and the optional variables %location%, %location-dns%.

        Examples

        Login format for john.smith@pam.local

        %username%@%location-dns%

        Login format for SPACE\john.smith

        %location%\%username%

        Login format for john.smith

        %username%
   RDP

   (Optional) Enable the Run as administrator option.
   The RDP session will open with the /admin parameter. The user will have access to the administrative console and will be able to execute commands that require elevated privileges.

   User connection

   info

   You can add your own custom connection type in the Configuration → User connection section.

   1. (Optional) In the URL field, specify the URL to go to when starting the web session.

   2. (Optional) Enable the Regular expression option if query parameters are dynamically added to the URL when navigating to the specified page.
      In the URL field, specify the regular expression corresponding to the page address.

      Example

      The session opens at https://app.org/mainpage .
      
      When clicking on a link to a URL, the parameters theme and page are dynamically added.
      The page address takes the form https://app.org/mainpage /?theme=dark&page=dashboard.
      
      To go to the desired address, enable the Regular expression option and in the URL field, specify the regular expression corresponding to the page address.
      For example: https://app.org/mainpage *, where the character * replaces additional parameters in the query string.

7. Click Save.

Create permission

Permissions allow users to connect to resources.

To add a permission:

1. Open the resource profile and click Create permission.
2. Select users or a group of users and click Next.
3. Select one or more connections and click Next.
4. Select an account:
   • Select account in PAM — the account on behalf of which the user opens a session on the resource.
   • Use user account — no account is specified in the permission.
     The user enters the account login and password on the resource. In RDP and SSH sessions, it is possible to log in using the current Axidian Privilege user credentials.
5. Configure Time restrictions and click Next.
6. Configure Permission parameters and click Next.
7. Fill in the Description field and click Next.
8. Check the data and click Create.

Add account

Information

When adding an account with a configured SSH connection, you can set a password and an SSH key.
When adding Windows OS and DBMS accounts, you can only set a password.

Add to PAM the local resource accounts that can be used to provide access to the resource.

To add an account to Axidian Privilege:

1. Go to the Local accounts tab and click Add local account.

2. Enter the account name and description and click Next.

3. At the password setup step, select one of the options:

   • Generate random password — the password is created automatically and synchronized with the resource or domain.
   • Set password manually — the password is set manually.
     Enter the password and confirm it.
     To change the account password not only in PAM but also on the resource or domain, enable the Change password on resource or Change password on domain option.
   • Not set — the account is created without a password, which can be set later during editing.

4. Click Next.

5. At the SSH key setup step, select one of the options:

   • Generate new SSH key — the key is created automatically and synchronized with the resource or domain. Choose a cryptographic algorithm to generate the key: Ed25519 or RSA.

   • Set SSH key manually — the key is set manually. Select the SSH key file and enter its password. RSA keys in OpenSSH and PEM formats are supported, as well as Ed25519 keys in OpenSSH format.
     

     How to generate an SSH key?

     To create an SSH key and write it to a file, use the PuTTYgen program or one of the commands:

     The RSA key in the OpenSSH format

     ssh-keygen -t rsa -b 4096 -f id_rsa_openssh -C "RSA OpenSSH key"

     The RSA key in the PEM format

     ssh-keygen -t rsa -b 4096 -f id_rsa_pem -C "RSA PEM key" -m PEM

     The Ed25519 key in the OpenSSH format

     ssh-keygen -t ed25519 -f id_ed25519_openssh -C "Ed25519 OpenSSH key"

     To change the account SSH key not only in PAM but also on the resource or domain, enable the Change SSH key on resource or Change SSH key on domain option.

   • Not set — the account is created without an SSH key, which can be set later during editing.

6. Click Next.

7. Check the data and click Save

Check connection

The network availability of the resource and the correctness of the address, name, and password of the service account are checked.

To check the availability of a resource, go to its profile and click Check connection.
To check multiple resources, in the Resources section select the resources you need and click Check connection.

Synchronize

Synchronization is available only for resources with a configured service connection and allows you to get:

• the correct resource name, operating system or DBMS version
• local accounts and the security groups they belong to

To synchronize a resource, go to its profile and click Sync.

If new accounts are found during synchronization, they are added to PAM and marked with . To continue working with these accounts, provide PAM with their passwords or reset them to a random value.
For more details, see the Accounts section.

Block

Blocking allows you to suspend all permissions that use this resource. A blocked resource is marked with , and the permissions issued for this resource are marked with .

To block a resource, go to its profile and click Block.

Remove resource

Before deleting a resource, you must delete all accounts that were added from the resource being removed.

caution

When a resource is removed, all services associated with it are also removed. Removed services cannot be restored, you can only view them via extended search in the Services section.

To delete a resource:

1. Open the resource profile.
2. Click Remove.

To remove multiple resources, in the Resources section select the resources you need and click Remove.

Rollback resource

caution

When restoring a resource, the services associated with it are not restored. You will need to add the services again. You can view the information about removed services via extended search in the Services section.

To restore a resource:

1. In the Resources section, click Extended search.
2. Enter the resource name, DNS name, or IP address.
3. In the State field, select Removed and click Search.
4. Open the resource profile and click Rollback.
5. Enter the reset reason and click Rollback.