Version: Axidian Privilege 3.4

Resource Operations

Add and Remove Tags

info

If you don't have any tags yet, create them in the Configuration section.

To add tags to a resource:

  1. Open the resource's profile.
  2. Click the plus icon next to the Tags field.
  3. Select tags.
  4. Click Next.
  5. Check the selected tags.
  6. Click Add to finish the operation.
info

Each resource can have a maximum of 50 tags.

To remove a tag from a resource:

  1. Open the resource's profile.
  2. Click the cross icon next to the tag you need to remove.
  3. In the confirmation window, click Remove.

Add Permission

  1. Open the resource profile.
  2. Click Add permission.
  3. (Optional) Select an organizational unit and users or a group of users.
  4. Select users or a user group and click Next.
  5. Select one or more connections and click Next.
  6. Select the account for the user connection:
    • Select account in PAM — the account under which the user opens a session on the resource.
    • Use user account — no account is specified in the permission.
      The user enters their account login and password on the resource. In RDP and SSH sessions, it is possible to log in using the current Axidian Privilege user credentials.
  7. Configure Time restrictions and click Next.
  8. Configure Permission parameters and click Next.
  9. Enter a description and click Next.
  10. Check the selected data and click Create.

Remove Connected Entities

It is possible to remove values of the following fields of the resource:

  • Policy;
  • Service Connection.
caution

When a service connection is removed from a resource, all services associated with it are also removed. Removed services cannot be restored; you can only view them via extended search in the Services section.

To remove a Policy or a Service Connection from a resource, click the trash can icon on the resource page to the right of the desired parameter.

Add User Connection

The function allows you to add one or more user connections available for a given resource.

  1. Go to the Resources section and open the resource's profile.

  2. Click Add on the User connections tab.

  3. Select the type of connection.

  4. Specify the Connection address parameters:

    • Inherit from the resource — the connection address duplicates the DNS name or IP address of the resource.
    • Enter manually — the connection address is set manually in the format https://app.local:port or https://app.local.
  5. (Optional) Enter the port in the Port field.

  6. Select the connection type and set the settings depending on the type:

    PostgreSQL or MSSQL

    Fill in the Default database field.
    Choosing a default database does not restrict the user's access to other databases on this resource. The available databases are determined by the rights of the DBMS account specified in the permission.

    SSH
    1. Set SSH key fingerprint:

      • Get from resource — use the SSH key fingerprint from the resource.
      • Enter manually — select the algorithm and enter the fingerprint in SHA256 format.
    2. Specify the login formats for local and domain accounts:

      • Default — the format specified in the connection configuration.

      • Set manually — login formats are set manually.
        Use the required variable %username% and the optional variables %location%, %location-dns%.

        Examples
        Login format for john.smith@pam.local
        %username%@%location-dns%
        Login format for SPACE\john.smith
        %location%\%username%
        Login format for john.smith
        %username%
    RDP

    (Optional) Enable the Run as administrator option.
    The RDP session will open with the /admin parameter. The user will have access to the administrative console and will be able to execute commands that require elevated privileges.

    User connection
    info

    You can add your own custom connection type in the Configuration → User connection section.

    1. (Optional) In the URL field, specify the URL to go to when starting the web session.

    2. (Optional) Enable the Regular expression option if query parameters are dynamically added to the URL when navigating to the specified page.
      In the URL field, specify the regular expression corresponding to the page address.

      Example

      The session opens at https://app.org/mainpage.

      When clicking on a link to a URL, the parameters theme and page are dynamically added.
      The page address takes the form https://app.org/mainpage/?theme=dark&page=dashboard.

      To go to the desired address, enable the Regular expression option and in the URL field, specify the regular expression corresponding to the page address.
      For example: https://app.org/mainpage*, where the character * replaces additional parameters in the query string.

caution

When adding a custom PostgreSQL connection, make sure to fill in the Default Database field. This is due to a feature of the PostgreSQL database management system: the connection is made to a specific database, not to the server.
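
For the SSH connection type's Enter manually option above, the SHA256 fingerprint can be derived from the resource's host public key file (on OpenSSH servers typically /etc/ssh/ssh_host_ed25519_key.pub) and compared with the value that Get from resource returns before it is pinned. This is an added example, not Axidian code: the function names are hypothetical, the sample key line is constructed, and the output follows the form printed by ssh-keygen -l -E sha256 (whether the field expects the SHA256: prefix is an assumption to check in the form).

```python
import base64
import hashlib
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def sha256_fingerprint(pubkey_line):
    """Return (algorithm, 'SHA256:<base64>') for one line of a host key .pub file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The key type is repeated as the first string inside the blob; a mismatch
    # means the line was edited or corrupted, so refuse to fingerprint it.
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError("key type inside the blob does not match the declared type")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the trailing '=' padding removed.
    return declared, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_sample_line(declared_type="ssh-ed25519"):
    """Constructed sample: a well-formed Ed25519 public key line, not a real host key."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "%s %s constructed-sample" % (declared_type, base64.b64encode(blob).decode())


if __name__ == "__main__":
    algorithm, fingerprint = sha256_fingerprint(make_sample_line())
    print(algorithm, fingerprint)
```

Select the algorithm that the function returns and enter the fingerprint only after it matches a value obtained over a trusted channel, such as the server console.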

Add an Account

The function allows adding local resource accounts to Axidian Privilege, which can be used to provide access to the resource.

  • Click Add account in Resource Profile
  • Enter an Account Name and Description

Password and SSH Key

If a service connection of the SSH type is configured for the resource, then when adding an account you can generate or manually add not only a password but also an SSH key. Such accounts can also be created without a password: when setting a password, the setup wizard displays an additional item, Not set.

The example below adds a *nix account. When adding Windows OS and DBMS accounts, the Not set item is missing when setting up a password, and there is no page for generating or manually installing an SSH key.

Password Settings

  1. Select one of the options:
    • Generate — the password is created automatically and synchronized with the resource or domain.
    • Set password manually — the password is set manually.
      Enter the password and confirm it.
      To change the account password not only in PAM, but also on the resource or domain, enable the option Change password on resource or Change password on domain.
    • Not set — the account is created without a password, which can be set later during editing.
  2. Click Next.

SSH Key Settings

  1. Select one of the options:

    • Generate new SSH key — the key is created automatically and synchronized with the resource or domain. Choose a cryptographic algorithm to generate the key: Ed25519 or RSA.

    • Set SSH key manually — the key is set manually. Select the SSH key file and enter its password. RSA keys in OpenSSH and PEM formats are supported, as well as Ed25519 keys in OpenSSH format.
      To create an SSH key and write it to a file, use the PuTTYgen program or one of the commands:

      The RSA key in the OpenSSH format
      ssh-keygen -t rsa -b 4096 -f id_rsa_openssh -C "RSA OpenSSH key"
      The RSA key in the PEM format
      ssh-keygen -t rsa -b 4096 -f id_rsa_pem -C "RSA PEM key" -m PEM
      The Ed25519 key in the OpenSSH format
      ssh-keygen -t ed25519 -f id_ed25519_openssh -C "Ed25519 OpenSSH key"
    • Not set — the account is created without an SSH key; it can be set later during editing.

  2. Click Next.

  3. Check the data and click Save.

Check the Connection to the Resource

The function allows you to check the network availability of the resource, the correctness of the address, name and password of the service account.

  • Click Check connection on the resource page

Synchronization

The function allows you to get the correct resource name, OS or DBMS version, local resource accounts and security groups they belong to. Synchronization is available only for resources with a configured service connection; otherwise, the Synchronization function is not present in the resource.

  • Click Sync on the resource page
note

Accounts that have been added to Axidian Privilege using the Synchronize function will be marked with a  symbol. To continue working with them, you must set or reset their password. A detailed description of the account verification process is described in the article

Block

The function allows you to suspend all permissions that use the resource.

  • Click Block in the resource profile
note

The resource will be marked with a  symbol. All permissions in which the resource is a contributor will be marked with a symbol.

Remove / Rollback a Resource

Remove a Resource

Before removing a resource, you must remove all accounts that were added from this resource.

caution

When a resource is removed, all services associated with it are also removed. Removed services cannot be restored; you can only view them via extended search in the Services section.

  1. Open the resource page.
  2. Click Remove.

Rollback Resources

caution

When restoring a resource, the services associated with it are not restored. You will need to add the services again. You can view the information about removed services via extended search in the Services section.

  1. Click Extended search in the Resources section.
  2. Enter the Resource name or Address (DNS name/IP address) in whole or in part.
  3. Select Removed for the State field and click Search.
  4. Open the resource page and click Rollback.
  5. Enter the reason for the recovery and click Rollback.