Managing Users

You will learn the following with respect to managing users in this document:

  1. Editing Users
  2. Deleting Users

    2.1 Restoring Users from Trash

    2.2 Deleting the In-built Admin User

    2.3 Handling User Accounts Deleted from AD/Microsoft Entra ID/LDAP Directories

    2.4 Managing Notification Email Addresses in PAM360

1. Editing Users

You can modify details such as Email ID, Access level, Password policy, Department, and Location of existing users. You can also enable or disable two-factor authentication for any user at any time.

  1. Navigate to Users tab.
  2. Click the User Actions icon against the desired user and select Edit User from the drop down list.

  3. In the dialog box that opens, you can edit the following:
    • Email ID
    • Access level
    • Access scope
    • Password policy
    • Department
    • Location
  4. You can also enable or disable Two-factor Authentication for the particular user. If RSA SecurID is used as the second authentication factor, the user name in RSA Authentication Manager and the corresponding one in PAM360 must be the same. For existing RSA users whose user names differ between PAM360 and RSA Authentication Manager, you can map the names in PAM360 instead of editing the name in RSA. The mapping is done here through RSA SecurID UserName. For example, suppose a user imported from Active Directory has the username ADVENTNET\rob in PAM360, while RSA Authentication Manager records the username as rob. Normally, the usernames in PAM360 and RSA Authentication Manager would not match. To avoid that, map ADVENTNET\rob to rob in PAM360.
  5. You can use Access Scope to change an Administrator/Password Administrator/Privileged Administrator into a Super Administrator by choosing the option All Passwords in the system. When you do so, they will be able to access all passwords in PAM360 without any restriction. Conversely, a Super Administrator can be changed to his earlier role of Administrator/Password Administrator/Privileged Administrator by choosing the option Passwords Owned and Shared.

Note: If you are an administrator, you will not be allowed to change your access level or scope because the currently logged in administrator's access level cannot be changed. So, you will have to request another administrator to do the change.

2. Deleting Users

Administrators can remove users who are no longer required. There are two ways of deleting users:

  1. Delete - This operation is permanent and cannot be reverted.
  2. Move to Trash - The user accounts moved to Trash can be restored at a later point of time by the administrators.

Steps to Delete a User

  1. Navigate to Users tab.
  2. Click the User Actions icon against the desired user and select Delete user from the drop-down list.
  3. In the pop-up window that opens, you will have two options:
    1. Delete: To delete an intended user permanently, select the user name and click on Delete.
    2. Move To Trash: This option can be used to move users to Trash without deleting them permanently. Users moved to the Trash will not be removed from PAM360, and they can be restored at any time until the PAM360 encryption keys have been rotated. However, once the key rotation is done, the users in Trash and all associated credentials will be removed from the system.
    Note: Users imported from AD, Microsoft Entra ID, and LDAP directories cannot be moved to Trash.

2.1 Restoring Users from Trash

To restore a user account that has been moved to Trash, navigate to Users tab and click on the Trash box icon at the top right corner.

A list of users in the Trash will open in a pop-up box from which the intended users can be restored.

Since PAM360 enforces that the resources owned by a user be transferred to another user before the former can be deleted, there will not be any loss of enterprise data. However, all the personal data stored by that user will be deleted once and for all. The audit trails clearly capture all these changes and deletions. The audit trails depicting the activities of the user remain unaffected in the database even after the user is deleted; audit trails are not deleted.

Notes:

  • PAM360 will allow users to be deleted only if the user/users do not own any resource. If the user owns any resource, then you need to transfer the ownership of all the resources to some other user with administrator-type role.
  • The currently logged in user will not be allowed to delete themselves.

2.2 Deleting the In-built Admin User

Before proceeding to delete the admin user, check if the admin user owns any resource. If so, the resources should be transferred to another user with administrator-type role.

  1. Navigate to Users tab.
  2. In case the admin owns resources, transfer all those resources to another user by clicking on "User Actions" icon against the admin user and selecting Transfer Ownership from the drop down.
  3. If you have logged in as the admin user who has to be deleted, then you have to request some other administrator to delete your account, because the currently logged-in user cannot delete themselves.
  4. The above procedure holds good for deleting any user with an administrator-type role.

2.3 Handling User Accounts Deleted from AD/Microsoft Entra ID/LDAP Directories

  • Whenever a user account is deleted directly at the user directory from which it was imported to PAM360 i.e. from AD, Microsoft Entra ID or LDAP directory, PAM360 identifies those deleted user accounts the next time a respective synchronization schedule is run. The identified user accounts are then subsequently disabled in PAM360 and held as locked accounts. Note that PAM360 will identify deleted user accounts only if you have set up synchronization with the respective user directory.
  • After disabling the user accounts, PAM360 informs the administrators (and users whose roles permit them user management privileges) via email as well as an alert notification within the product. Clicking the alert notification will open a dialog box.
  • The administrator can review the disabled accounts and then choose to delete those user accounts permanently from PAM360 by clicking the Delete button in that dialog box. On the other hand, to activate the accounts,
    1. Navigate to Users >> More Actions >> Lock Users.
    2. In the new window that opens, you will find the disabled user accounts listed under the Locked Users column. Move the required account to the Active Users column and click Save.
    3. Alternatively, you can also activate individual user accounts by locating the required user, clicking on User Actions icon beside the user, and selecting Unlock User from the drop-down menu.
    4. A dialog box will open.
    5. Click Unlock to confirm the action and the disabled user will be restored.
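
A reconciliation check for the caveat above (deleted directory accounts are detected only when synchronization is set up), as an added example that is not part of the PAM360 product or its documentation: it compares a user listing against the accounts that currently exist in the directory. The CSV columns, sample rows and function names are constructed for illustration and do not represent a PAM360 export format.

```python
import csv
import io

# Constructed sample data; the column names are hypothetical.
PAM_USERS_CSV = """username,source,status
ADVENTNET\\rob,AD,active
ADVENTNET\\alice,AD,active
ADVENTNET\\carol,AD,locked
ADVENTNET\\erin,LDAP,locked
dave@adventnet.example,Entra,active
admin,local,active
"""

# Constructed list of accounts that still exist in the directory.
DIRECTORY_ACCOUNTS = ["Rob", "carol@adventnet.example"]


def short_name(account: str) -> str:
    """Reduce DOMAIN\\user or user@domain to a lower-case bare user name.

    Assumes one directory; with several domains, compare the full name instead.
    """
    name = account.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def reconcile(pam_csv: str, directory_accounts: list[str]) -> dict[str, list[str]]:
    """Classify directory-imported users against the live directory."""
    present = {short_name(a) for a in directory_accounts}
    report = {"orphaned_active": [], "orphaned_locked": [], "locked_but_present": []}
    for row in csv.DictReader(io.StringIO(pam_csv)):
        if row["source"].lower() == "local":
            continue  # local accounts are not governed by directory sync
        exists = short_name(row["username"]) in present
        locked = row["status"].lower() == "locked"
        if not exists:
            key = "orphaned_locked" if locked else "orphaned_active"
            report[key].append(row["username"])
        elif locked:
            report["locked_but_present"].append(row["username"])
    return report


if __name__ == "__main__":
    for bucket, users in reconcile(PAM_USERS_CSV, DIRECTORY_ACCOUNTS).items():
        print(f"{bucket}: {users}")
```

Accounts in `orphaned_active` are the ones to review first: they no longer exist in the directory but have not been disabled, which is the state that results when no synchronization schedule is configured.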

2.4 Managing Notification Email Addresses in PAM360

PAM360 allows you to configure generic email addresses as recipients of notification emails for scheduled tasks' completion statuses and license expiry alerts. You can keep track of all such external email addresses being used in PAM360 and also delete them if needed. Additionally, the email addresses of users captured in the User Sessions audit can also be managed using this provision, in the event of those users being removed from PAM360.

To view the list of notification email addresses,

  1. Navigate to Admin >> Manage >> Notification Email IDs.
  2. In the new dialog box that opens, you will find the email addresses listed under four different sections - Schedules, License Expiry Notifications, SSH/SSL Notifications, and User Sessions Audit, if there are any.
  3. Review the listed email addresses under each section, select the one that you want to delete and click Delete.
