Integrating PAM360 with ManageEngine ADManager Plus
This document discusses the process of integrating PAM360 with ManageEngine ADManager Plus. At the end of this document, you will have learned the following:
- Key benefits of Integration
- How does the Integration Work?
- Prerequisites for Performing the Integration
- Steps to Configure the Integration
- Steps to Map Accounts to ADManager Plus Security Groups
- Troubleshooting Tips
1. Key Benefits of Integration
ManageEngine PAM360 integrates with ManageEngine ADManager Plus, a management and reporting solution that allows IT Administrators and Technicians to manage Active Directory objects and groups and generate reports.
The PAM360-ADManager Plus integration allows you to perform timely elevation and delegation of domain users in the Active Directory (AD) security groups through the ADManager Plus server. By leveraging the ADManager Plus integration, enforce access control for PAM360 users on domain accounts and provide just-in-time privilege elevation for the domain accounts . You can also add and remove accounts from the AD security groups right from the PAM360 interface. Once the integration is complete, all the security groups from the active directory server will be available in PAM360.
Read more about AD groups management in ADManager Plus here.
2. How does the Integration Work?
PAM360 sources data from ADManager Plus via its API and using the server details of ADManager Plus. The AD security groups listed in ADManager Plus will be consolidated and listed in PAM360. The AD domain users imported into PAM360 can be given controlled access to the security groups populated from ADManager Plus.
Before commencing the integration, verify if all of the below prerequisites are satisfied:
- PAM360 supports connection via HTTPS only, hence it is mandatory to import a valid SSL certificate in the server. Follow the steps given here to import a certificate in the server.
- The common name of the certificate must match the host name of the active ADMP server.
- At least one authorized admin in PAM360 must be a valid technician in ADMP.
4. Steps to Configure the Integration
You can perform all the configurations related to the PAM360-ADManager Plus integration from the PAM360 portal. To configure the integration, provide the host name and port details of the machine where ADManager Plus is installed. Once you have entered all the required details and saved the configuration, PAM360 will try to set up a connection with ADManager Plus. After the successful connection, the domain details will be retrieved from ADManager Plus and saved in the PAM360 database, and the integration will be established.
- Navigate to Admin >> Integration >> ManageEngine. You will see a consolidated view of all ManageEngine products integrated with PAM360.
- In the page displayed, you will see the ADManager Plus block with any of the below options based on whether you have disabled or enabled the integration, respectively:
Only the users with the ManageEngine Integration role will see the ManageEngine option under Integration.
Buttons and Definitions:
Sl. No: Button Definition
You will see this option if the integration is disabled. Click this button to enter required details of the ADManager Plus server and enable integration.
You will see this option if the integration is enabled. Click this button to update the ADManager Plus host name and port details.
You will see this option if the integration is enabled. Click this button to disable the integration.
- Click Enable and configure the following details:
- Enter the ADManager Plus host name.
- Enter the port of the ADManager Plus server.
- Click Enable to save the settings.
- Now, access the ADManager Plus web console, navigate to Admin -> Integrations -> PAM360, enable the checkbox Enable tight integration with PAM360 and save the settings.
The PAM360 - ADManager Plus integration is enabled now. Proceed with mapping of domain accounts to the AD security groups.
5. Steps to Map Accounts to ADManager Plus Security Groups
Once the PAM360-ADManager Plus integration is complete, follow the below steps to perform policy configuration. The Policy Configuration option lets you elevate domain accounts to security groups just in time (AD security groups already exist in the Domain Controller and by extension, in the ADManager Plus also.)
- Navigate to Resources >> Add Resource to add the AD Domain Controller as a resource in PAM360.
- Click Resource Actions beside the required resource and click Configure Access Control.
- In the Approval Administrators tab, ensure that at least one of the Authorized Administrators listed here is a valid technician in ADManager Plus also. This is to facilitate approval of access requests to the selected resource(s) once the policy configuration changes are applied.
- In the Policy Configuration tab, click Select to list all the AD groups available in ADManager Plus.
- Choose the groups to which you want to add the resource to and click Save. You can view the chosen groups under the Selected Groups box.
- Select the Elevate accounts to the security groups option and click Save and Activate.
Now when the resource is shared to a user with Password User/Password Auditor capabilities, they can request for password access or elevation. This request can be approved/rejected by any admin in the Authorized Administrator list as long as their user role satisfies the following criteria:
- The user designated to perform privilege elevation must have an Administrator role in PAM360 (i.e., any one of the following user roles: Privileged Administrator, Administrator, and Password Administrator), and in ADManager Plus, they must have a user role with any of the following permissions: modify users and modify groups. However, the users who receive privilege elevation in PAM360 need not have any special permissions in ADManager Plus. Click here to learn more about user roles in PAM360.
- Direct changes made to the group configuration in ADManager Plus will override the changes made in PAM360.
- A domain account is elevated to the System Admin security group through PAM360 policy configuration.
- A user connects to a shared server using the domain account.
- Through the defined access control and policy configuration in PAM360, the normal domain account is automatically elevated just-in-time to the security group System Admin and gets assigned with the required privilege.
- However, during this time, if the domain account elevation is removed from the security group in ADManager Plus, then the privilege will be removed in PAM360 immediately.
- To perform the Group Membership Automation operations in this integration, you must be using the Professional edition of ADManager Plus, as the Group Automation functionality is supported only in that edition.
6. Troubleshooting Tips
- Check if the certificates are properly imported.
- Check the connectivity between the two machines; connectivity should be bi-directional.
- If the groups are not displayed under Access Control >> Policy Configuration, check for the domain name field in PAM360 Windows Domain Controller resource.