Version: Axidian Privilege 3.4

Applications

An Application is third-party software for automation and task execution. When launched, an application requests authentication using account credentials. Typically, this data is stored unencrypted in scripts or configuration files, increasing the risk of interception by third parties.

To enhance security, use automatic credential retrieval: Application to Application Password Management (AAPM). In this case, account passwords and SSH keys are stored in Axidian Privilege and requested by the application only at the moment of task execution. This makes it possible to control access to credentials, avoid storing them in an open format, and update them automatically.

To configure AAPM operation:

  1. Add the application to Axidian Privilege and configure authentication.
  2. Grant permission and select the accounts whose passwords or SSH keys are required for AAPM operation.
  3. Verify the application's operation and retrieve credentials using:

Info: An AAPM license is required to work with applications.

Application profile

For each application, the following are displayed:

  • Administrators — a list of users who can view the application's credentials.
  • Permissions — a list of granted permissions to use account credential data.
  • Events — records of operations related to the application.

Add application

Restrict access

To improve security, it is recommended to create an application for a specific task and control the permissions granted.

  1. Go to the Applications section in the admin console.
  2. Click Add.
  3. Fill in the Name and Description fields and click Save.

Authentication

Before starting work in Axidian Privilege, applications and users are authenticated in the IdP.
The following authentication methods are supported for applications:

  • Password — mandatory and automatically generated when adding an application to PAM. In the admin console, the password cannot be viewed but can be reset. The application administrator can view the password in the user console.
  • IP address — set additionally if verification of the IP address from which the token request originates is required.
  • Certificate — set additionally if verification of the client certificate fingerprint is required.

Add permission

Permissions allow the application to use passwords or SSH keys of Axidian Privilege accounts.
To grant a permission:

  1. Open the application profile.
  2. Click Add permission.
  3. Select the organizational unit and click Next.
  4. Select one or several accounts whose credentials are needed and click Next.
  5. Configure Time Restrictions and click Next.
  6. Configure Permission Parameters and click Next.
  7. Fill in the Description field and click Next.
  8. Verify the data and click Create.

Reset password

When adding an application, Axidian Privilege assigns it a random password. In the admin console, this password cannot be viewed, but it can be reset and a new one set. Follow these steps:

  1. Go to the application profile and click Reset password.
  2. In the window that appears, specify a reason to reset the application password.
  3. Click Reset.

After the old password is reset, Axidian Privilege will generate a new one.

Add or remove an administrator

Administrators can view application passwords in the user console.
To add an administrator:

  1. Open the application profile and go to the Administrators tab.
  2. Click Add Administrator.
  3. Select one or more users and click OK.
  4. Confirm the action and click Add.

To remove an administrator:

  1. Open the application profile and go to the Administrators tab.
  2. Select one or more users and click Remove.
  3. Confirm the action and click Remove.

Remove application

Caution: After an application is removed, it will no longer be able to receive passwords or SSH keys from Axidian Privilege user records.

To remove the application:

  1. Go to the application profile.
  2. Click Delete and confirm the action.

To delete multiple applications, select the required applications in the Applications section and click Remove.