PAM360 MSP Edition - Getting Started

ManageEngine PAM360 is also available in MSP edition, which has been specially designed taking into consideration the requirements of the Managed Service Providers. If you are an MSP wishing to manage the administrative passwords of your clients separately from a single management console or offer password management services to them, you can leverage the MSP edition.

Passwords can be securely shared between MSP administrators and their respective customers, making sure that users only get access to the passwords they own or ones that are shared with them. The solution offers the flexibility to entrust the control of the password vault to the MSP administrator, the end user or both, as desired.

The MSP edition also follows the basic password entitlement model of PAM360 which means, at any time, one will be able to view only the passwords that are owned and shared. As MSP admin, while you will be able to view the names of the organizations you manage, you will be able to view the data pertaining to all your customers only if you add their resources or if they share the resources with you. Your customers will be able to view the data belonging to their organization only.

This document walks you through the following topics:

  1. Prerequisites
  2. Installation Steps
  3. Silent Install

    3.1 In Windows

    3.2 In Linux

  4. Adding Users
  5. Adding Organizations

    5.1 Adding Client Organizations

    5.2 Adding Organizations Manually

    5.3 Importing Organizations from CSV

    5.4 Replicating Settings Across Client Orgs

  6. Granting Privilege to Manage Organizations
  7. MSPOrg

    7.1 Frequently Asked Questions

1. Prerequisites

  1. For testing the MSP edition, you need to deploy a separate machine. If you try to install the MSP edition in the same machine where PAM360 is running, it will uninstall the existing PAM360 instance.
  2. Download and install ManageEngine_PAM360_MSP.exe.

2. Installation Steps

Click here for detailed steps.

3. Silent Install

A silent install is used to install an application without the need to interact with the UI. This type of installation is helpful for applications with limited installation steps. Before commencing the silent install, certain parameters such as Name, EmailId, Path, etc., are automatically set or manually entered. Execute the commands as instructed below to install the application automatically.

3.1 Steps to Silent Install PAM360 in Windows Server

3.1.1 Primary Server

  1. Download the file ManageEngine_PAM360_MSP_64bit.exe.
  2. Download the installation file WindowsPrimaryMSP.iss.
  3. Open WindowsPrimaryMSP.iss file in Notepad and edit Name, MailId, Phone, Company, Country, and save.
  4. Move WindowsPrimaryMSP.iss file to C:\Windows\.
  5. Open Command Prompt as an administrator and navigate to the ManageEngine_PAM360_MSP_64bit.exe file location.
  6. Execute the command: 

    ManageEngine_PAM360_MSP_64bit.exe -a -s -f1"C:\Windows\WindowsPrimaryMSP.iss" -f2"C:\Windows\WindowsPrimaryMSP.log"

PAM360 will get installed, and the service will start automatically.

3.1.2 Secondary Server

  1. Download the file ManageEngine_PAM360_MSP_64bit.exe.
  2. Download the installation file WindowsSecondaryMSP.iss.
  3. Move WindowsSecondaryMSP.iss file to C:\Windows\.
  4. Open Command Prompt as administrator and navigate to the ManageEngine_PAM360_MSP_64bit.exe file location.
  5. Execute the command: 

    ManageEngine_PAM360_MSP_64bit.exe -a -s -f1"C:\Windows\WindowsSecondaryMSP.iss" -f2"C:\Windows\WindowsSecondaryMSP.log"

PAM360 will get installed, and the service will start automatically.

3.1.3 Steps to Uninstall PAM360 in Windows Server

  1. Download the uninstallation file WindowsUninstallMSP.iss.
  2. Move WindowsUninstallMSP.iss file to C:\Windows\.
  3. Open Command Prompt as administrator and navigate to the ManageEngine_PAM360_MSP_64bit.exe file location.
  4. Execute the command:

    ManageEngine_PAM360_MSP_64bit.exe -a -s -f1"C:\Windows\WindowsUninstallMSP.iss" -f2"C:\Windows\WindowsUninstallMSP.log"

PAM360 will get uninstalled.
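
A silent run gives no on-screen feedback, so the log written by the -f2 switch is the place to confirm the outcome. The following is an added example, not part of the original PAM360 documentation. It assumes the installer is a standard InstallShield package (as the .iss response file and the -s/-f1/-f2 switches suggest) that records its outcome as ResultCode under [ResponseResult]; the function names and sample logs are constructed for illustration.

```python
import configparser

# Meanings of common ResultCode values in an InstallShield silent-mode log.
RESULT_CODES = {
    0: "success",
    -1: "general error",
    -3: "required data not found in the response (.iss) file",
    -5: "file does not exist",
    -8: "invalid path to the response file",
    -12: "dialog boxes out of order",
}

# Constructed sample logs, not output captured from a real PAM360 install.
SAMPLE_OK = """\
[InstallShield Silent]
Version=v7.00
File=Log File
[ResponseResult]
ResultCode=0
"""
SAMPLE_FAILED = SAMPLE_OK.replace("ResultCode=0", "ResultCode=-3")

def check_silent_log(log_text):
    """Return (succeeded, code, meaning) for the text of a -f2 log file."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(log_text)
        code = int(parser.get("ResponseResult", "ResultCode"))
    except (configparser.Error, ValueError):
        # Missing or unreadable result: treat the install as not confirmed.
        return (False, None, "no usable [ResponseResult] ResultCode in the log")
    return (code == 0, code, RESULT_CODES.get(code, "unrecognized result code"))

def check_silent_log_file(path):
    """Read a log from disk; the file may be UTF-16 (with BOM) or ANSI."""
    with open(path, "rb") as handle:
        raw = handle.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return check_silent_log(raw.decode("utf-16"))
    return check_silent_log(raw.decode("cp1252", "replace"))

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("failed", SAMPLE_FAILED)):
        print(name, check_silent_log(sample))
```

Run check_silent_log_file against the log path given to -f2 (for example C:\Windows\WindowsPrimaryMSP.log) after each install or uninstall, and treat anything other than a zero result code as a failed run.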

3.2 Steps to Silent Install PAM360 in Linux Server

3.2.1 Primary Server

  1. Download the file ManageEngine_PAM360_MSP_64bit.bin for Linux.
  2. Download the installation file LinuxPrimaryMSP.txt.
  3. Open LinuxPrimaryMSP.txt in notepad.
  4. Specify the user installation directory path (USER_INSTALL_DIR) and the file overwrite path (-fileOverwrite_).
  5. Save and move LinuxPrimaryMSP.txt to home directory.
  6. Open the console and navigate to the ManageEngine_PAM360_MSP_64bit.bin file location.
  7. Execute the command:

    chmod a+x ManageEngine_PAM360_MSP_64bit.bin

  8. Execute the command: 

    ./ManageEngine_PAM360_MSP_64bit.bin -i silent -f /home/LinuxPrimaryMSP.txt

PAM360 will get installed.

3.2.2 Secondary Server

  1. Download the file ManageEngine_PAM360_MSP_64bit.bin for Linux.
  2. Download the installation file LinuxSecondaryMSP.txt.
  3. Open LinuxSecondaryMSP.txt in notepad.
  4. Specify the user installation directory path (USER_INSTALL_DIR) and the file overwrite path (-fileOverwrite_).
  5. Save and move LinuxSecondaryMSP.txt to home directory.
  6. Open the console and navigate to the ManageEngine_PAM360_MSP_64bit.bin file location.
  7. Execute the command:

    chmod a+x ManageEngine_PAM360_MSP_64bit.bin

  8. Execute the command: 

    ./ManageEngine_PAM360_MSP_64bit.bin -i silent -f /home/LinuxSecondaryMSP.txt

PAM360 will get installed.

4. Adding Users (MSP org)

The MSP administration process starts with User Management. The first step is to add users to your MSP organization. You should designate one administrator as Account Manager for each of your clients. Proceed with adding users.

5. Adding Organizations

5.1 Adding Client Organizations

After adding users, you need to add your client organizations. Navigate to Admin >> Organizations section and you will find an icon named Organizations. The organizations to be managed by the MSP should be registered with PAM360 here.

You can manually add the client organizations one-by-one or import all the organizations in bulk from a CSV file.

5.2 Adding Organizations Manually

  1. Navigate to Admin >> Organizations.

  2. Click Add Organization.


  3. In the pop-up form that opens,
    1. Specify a name for the organization being added.
    2. Display Name: The name with which you wish to identify the organization being added.
      • Only alphanumeric characters without empty spaces are allowed here.
      • The name should be a single word.
      • The name that you enter here will appear in the drop-down at the top right hand side of the PAM360 GUI.
      • In addition, the display name will appear in PAM360 login URL.

      (For example, if you assign xyz as the display name, the login URL for the organization will be https://:/xyz).

    3. Account Manager: You can designate any administrator at your end (MSP) as the Account Manager for the organization being added. As the name indicates, the account manager will be the point of contact for the organization being managed and will have privileges to add and manage resources on behalf of the organization. The Account Manager with the role Admin in PAM360 will be able to manage the users of the organization too. You can designate only one account manager per organization being managed. The same administrator can be made the account manager for multiple client organizations.
    4. Fill-in other details like Department, Location etc. as required and click Save.

5.3 Importing Organizations from CSV

You can import multiple organizations from a CSV file using the import wizard. The CSV should have entries regarding organization name, display name and other details in comma separated form. The entry for each organization should be in a new line. All the lines in the CSV file should be consistent and have the same number of fields. CSV files having extensions .txt and .csv are allowed.

To import organizations,

  1. Navigate to Admin >> Organizations >> Import Organization.

  2. In the pop-up form that opens,
    1. Choose the file format.
    2. Browse and select the CSV file containing the organizations.
    3. Click Next.
    4. In the pop-up form that opens, choose which fields in the CSV file map to the corresponding attributes of the Organization.
    5. Click Finish.

The result of every line imported will be logged as an audit record.
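
A pre-import check for the CSV rules above (same field count on every line) together with the display-name rules from section 5.2, as an added example that is not part of the original PAM360 documentation. The column order, the ASCII-only reading of "alphanumeric", the uniqueness check and the function name are assumptions made for illustration.

```python
import csv
import io
import re

# Section 5.2 rule: alphanumeric, no spaces, single word (ASCII-only is assumed here).
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9]+")

# Constructed sample. The column order (name, display name, department, location)
# is an assumption; the import wizard lets you map columns to attributes.
SAMPLE_CSV = """\
Acme Corp,acme,IT,London
Globex Inc,globex inc,Finance,Paris
Initech,initech,IT
Umbrella,Acme,Ops,Berlin
"""

def validate_org_csv(text, name_col=0, display_col=1):
    """Return a list of (line_number, problem) tuples; an empty list means clean."""
    problems, seen, expected = [], {}, None
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if expected is None:
            expected = len(row)  # the first row sets the field count
        if len(row) != expected:
            problems.append((lineno, f"has {len(row)} fields, expected {expected}"))
            continue
        if max(name_col, display_col) >= len(row):
            problems.append((lineno, "name or display name column is missing"))
            continue
        if not row[name_col].strip():
            problems.append((lineno, "organization name is empty"))
        display = row[display_col]
        if not DISPLAY_NAME_RE.fullmatch(display):
            problems.append((lineno, f"display name {display!r} is not one alphanumeric word"))
            continue
        # Assumption: display names must be unique, compared case-insensitively,
        # because each one becomes the path of that organization's login URL.
        if display.lower() in seen:
            problems.append((lineno, f"display name {display!r} duplicates line {seen[display.lower()]}"))
        else:
            seen[display.lower()] = lineno
    return problems

if __name__ == "__main__":
    for lineno, problem in validate_org_csv(SAMPLE_CSV):
        print(f"line {lineno}: {problem}")
```

Running this before the import catches rejected or colliding rows up front, rather than having to reconstruct them afterwards from the per-line audit records.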

5.4 Replicating Settings Across Client Orgs

PAM360 allows MSP admins to replicate resource/user group structure and the settings across all managed client organizations.

To set this up, follow the steps:

  1. Navigate to Admin >> Organizations >> Replicate Settings Across Client Orgs.
  2. Select the required options using the checkboxes.
  3. Click Save to save changes.

Listed below are some group structure and/or settings that can be applied to all client orgs as they are present in the MSP org.

  1. User groups across all client orgs.
  2. User group settings across all client orgs.
  3. Resource groups across all client orgs.
  4. Resource group to user group share settings across all client orgs.
  5. Replicate the resource/account level additional fields across all client orgs.
  6. User roles across all client orgs Overwrite/Rename (Append - MSP at the last).
  7. Resource types across all client orgs.
  8. Password policies across all client orgs.
  9. Audit operation type settings across all client orgs.
  10. Audit purge settings across all client orgs.


6. Granting Privilege to Manage Organizations

  • Apart from designating an administrator as Account Manager, you have the option to grant Manage Organization privilege to any other member of your MSP org. When you grant this permission to an administrator, he will have admin privileges on the client org. Similarly, if the permission is granted to a password administrator or to a password user, they will have the respective privileges.
  • For security reasons, PAM360 enforces an approval process for managing an organization. That means, while any administrator at the MSP can initiate a manage permission request for a user, it has to be approved by some other administrator at the MSP org. The one who initiates the request and the one for whom the request is being initiated cannot approve. A third administrator has to approve. This is to ensure that no administrator is able to acquire manage permission for himself or grant that privilege to anyone else without the approval of another admin. This essentially means that the MSP org should have a minimum of three administrators to carry out this process.
  • For example, assume the scenario when Admin A wants to provide manage permission to Admin B for the organization ABC. In this case, both Admin A (the proposer) and Admin B (the admin designate) cannot approve. Another admin, say, Admin will have to approve.

To grant manage permission for an organization,

  1. Log in to your MSP account and navigate to the Users tab.
  2. Click the User Actions icon against the desired user and select Manage Organization from the dropdown.

  3. In the pop-up form that opens,
    1. Select the required client organization and move it to right using the arrows.
    2. Select the name of the approver and click Save.

The user will gain manage privilege once the approval is done. Alternatively, you can also grant manage permission from Organizations page by clicking the Actions icon against the desired organization and selecting Manage Organization from the dropdown.

7. MSPOrg (The default org)

By default, one organization named MSPOrg will be available. This default org is basically your organization (MSP's organization). The passwords that you add here will pertain to your own organization and not that of your clients.

7.1 Frequently Asked Questions

7.1.1 How to Manage Password for Client Organizations?

Once the organization is added, you will see the list of organizations being managed by you (i.e., those for which you have manage permission or for which you are the account manager) on the top band of the PAM360 GUI.

Select the required organization and proceed with resource addition. You can then share the passwords with your clients. On the other hand, if you are providing Password Management Service, you will ask your client to add passwords themselves.

7.1.2 How to access any specific client org?

You can access your MSP org as usual by accessing the URL https://<PAM360-Host-Name>:8282/. You can select the required client organization from the top band of the PAM360 GUI.

7.1.3 How do your clients access PAM360?

After creating an organization, your clients can connect to their organization and view/manage passwords by typing the URL as explained below:

https://<Host Name>:<port>/<Name of the org>

For instance, assume that the name of the organization of your client is abc and PAM360 is running on the host pam360host, then the URL to connect to an organization will be: https://pam360host:8282/abc.

For information on how to perform various password management features, refer to the respective sections of the help documentation.

7.1.4 How to delete a client organization?

You can delete a client organization in PAM360 only if you are an MSPOrg administrator. Additionally, you should also have any of the following privileges:

  1. Be the Account Manager of the client organization you want to delete.
  2. Hold Manage Organization permission for the client organization you want to delete.

To delete an organization,

  1. Navigate to Admin >> Organizations.

  2. Locate the client organization that you want to delete, click the Actions icon beside it, and select Delete Organization from the drop-down menu.

  3. Click Ok to confirm deletion. Note that deleting a client organization will also delete all resources and users added under it.