User Groups

Users can be grouped in PAM360 for easier management. User grouping helps to carry out operations in bulk for all the resources of the group. The resources added to PAM360 can be quickly assigned to a user group instead of choosing each user individually.

  1. Adding User Groups

    1.1 Importing User Groups from Active Directory (AD)

  2. User Group Privileges

    2.1 Exporting Passwords for Offline Access

  3. Managing User Groups

    3.1 Editing a User Group

    3.2 Adding Users to an Existing User Group

    3.3 Deleting a User Group

1. Adding User Groups

To create a new user group and add users to it, follow the below steps:

  1. Navigate to Users >> User Groups tab.
  2. Click Add Group.
  3. In the pop-up form that appears, enter a name and description for the user group.
  4. Click Save & Proceed.
  5. Once the user group is added, the Add Users window opens. Here, click Add to Group beside the required users. The changes take effect as and when you add users.

1.1 Importing User Groups from Active Directory (AD)

  1. You can import specific user groups and organizational units (OUs) from AD and retain the same user group structure in PAM360. See the documentation on importing users from AD for more.
  2. You can choose to synchronize the user group structure in PAM360 with that of AD at periodic intervals. See the documentation on AD synchronization schedules for more.

2. User Group Privileges

Configure user group privileges for groups by following the below steps:

  1. Navigate to Users >> User Groups.
  2. Click the Actions icon beside the required user group and click User Group Privileges.

Note: The setting changes made in the User Group Privileges window are applicable only to the users who are part of the selected user group.

  3. The User Group Privileges in PAM360 are as explained below:
  1. Manage personal passwords: Individual users can manage their personal passwords, such as credit card PINs and bank account credentials, in the Personal tab. Unselect this option if you do not wish to allow personal password management for a selected group of PAM360 users. Once disabled, the Personal tab will no longer appear in the PAM360 interface for any member of the selected group.
  2. Export personal passwords: Enable this option to allow users of the group to export the personal passwords that they store in the Personal tab. Unselect this option if you do not wish to allow password export for a particular user group.
  3. Allow plain text view of passwords, if auto logon is configured: Enable this option to allow the user group members to view the passwords of shared resources in plain text when auto logon is configured. If this option is disabled, user group members cannot retrieve the password; however, they can still launch remote sessions through auto logon. This restriction applies only to Password Users, Password Auditors and custom user type roles with the same privileges as Password Users and Auditors.
  4. Enforce users to provide reason for password retrieval: Enable this option to prompt users to provide a reason while retrieving a password. This restriction applies only to Password Users, Password Auditors and custom user type roles with the same privileges as Password Users and Auditors.
  5. Allow users to retrieve password without ticket ID: Enable this option to allow users to retrieve a password by clicking the 'password' field without the need to raise a ticket request for the same. This restriction applies only to Password Users, Password Auditors and custom user type roles with the same privileges as Password Users and Auditors. This option is applicable only if ticketing system integration is done in your environment.
  6. To disable options 3, 4 and 5 for a selection of users, follow the below steps:

    i. Create a new user group.

    ii. Add the selection of users to it.

    iii. Enable or disable the settings for that group alone.

    1. Note: For options 3, 4 and 5 to be enforced for a user group, the settings must be enabled both locally, i.e., at the user group level (as explained above), and globally, i.e., in the General Settings.

    Case 1: If options are enabled globally under General Settings, then the settings will be applied to all user groups by default. However, you can disable the settings for a particular group via the User Group Privileges window.

    Case 2: If the options are disabled globally under General Settings, then the settings will not be applied to the user groups even if they are enabled locally under User Group Privileges for a particular user group.

    2. Note: These conditions apply only to Password Users, Password Auditors and custom user type roles with the same privileges as Password Users and Auditors.


  7. Mandate ticket ID for password retrieval: Enable this option to prompt users to provide a valid ticket ID to retrieve a password. This option is applicable only if ticketing system integration is done in your environment.
  8. Permit group members to share the Dynamic Resource Groups owned by them with others granting Full Access permission: By default, permission to grant Full Access for dynamic resource groups will be disabled in the User Group Settings window.

    Why is the setting disabled by default?

    1. The option is disabled by default for security reasons as there is a possibility that Administrators can use this setting to gain access to resources that are not owned by them.
    2. If a user is granted access to a dynamic resource group with Full Access permission, then that user will get Full Access to all the resources currently under the group and also any resources that are added in the future based on matching the specified criteria (for example, conditions such as "Resource name contains").
    3. It is recommended that you create a user group containing only Administrators/Password Administrators/Privileged Administrators who require the authorization to grant Full Access permission for their dynamic resource groups with other users.
    4. After creating the group, enable the option Permit group members to share the Dynamic Resource Groups owned by them with others granting Full Access permission under User Group Privileges.
  9. Allow password caching for offline access via mobile: Enable this option to allow saving password cache in the PAM360 mobile application so that users can access the passwords offline.
  10. Enable login to mobile apps with fingerprint authentication: Enable this option to allow users to login to their PAM360 mobile applications using their device's fingerprint authentication.
  11. Allow website auto-fill actions using browser extensions: Enable this option to allow auto filling of login credentials for saved website accounts through the PAM360 browser extensions.
  12. Allow website auto-logon actions using browser extensions: Enable this option to allow users to connect to a remote resource through the auto logon feature using the PAM360 browser extensions.
  13. Disable accounts addition via browser extensions: Disable this option to prevent users from adding accounts to resources through the PAM360 browser extensions. The option to add accounts through browser extension is available only for the Chrome browser. Click here for more on PAM360 browser extensions.
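
The global/local rule from the notes above (Case 1 and Case 2), as an added example that is not PAM360 code and does not use its API: it models the rule for list items 3, 4 and 5 and flags groups whose local switch does not match what is actually applied. The setting keys and the sample configuration are constructed for illustration.

```python
# Added illustration of the rule described above; not PAM360 code or its API.
# The setting keys below are hypothetical names for list items 3, 4 and 5.
GATED = (
    "plain_text_view_with_auto_logon",  # list item 3
    "enforce_reason_for_retrieval",     # list item 4
    "retrieve_without_ticket_id",       # list item 5
)

def effective(global_settings, group_privileges):
    """A gated option applies to a group only if enabled globally AND locally.
    A group with no local value inherits "enabled", per Case 1."""
    return {opt: bool(global_settings[opt]) and bool(group_privileges.get(opt, True))
            for opt in GATED}

def audit(global_settings, groups):
    """Return (group, option, finding) rows where local and global differ."""
    findings = []
    for name, privs in sorted(groups.items()):
        for opt in GATED:
            g = bool(global_settings[opt])
            l = bool(privs.get(opt, True))
            if l and not g:
                # Case 2: the local switch is on but has no effect.
                findings.append((name, opt, "enabled locally, disabled globally: not applied"))
            elif g and not l:
                # Case 1: the group is opted out of a globally enabled setting.
                findings.append((name, opt, "enabled globally, disabled for this group"))
    return findings

# Constructed sample configuration.
GLOBAL = {"plain_text_view_with_auto_logon": True,
          "enforce_reason_for_retrieval": False,
          "retrieve_without_ticket_id": True}
GROUPS = {
    "helpdesk": {"plain_text_view_with_auto_logon": False,
                 "enforce_reason_for_retrieval": True,
                 "retrieve_without_ticket_id": True},
    "dba": {"plain_text_view_with_auto_logon": True,
            "enforce_reason_for_retrieval": False,
            "retrieve_without_ticket_id": True},
}

if __name__ == "__main__":
    for row in audit(GLOBAL, GROUPS):
        print(*row, sep=" | ")
```

The Case 2 finding is the one worth reviewing first: a group where "Enforce users to provide reason for password retrieval" is ticked locally but the global setting is off is not prompting anyone for a reason.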

2.1 Exporting Passwords for Offline Access

When a user exports PAM360 resources to a CSV file, the passwords of the accounts are included in plain text by default. You can disable password export for members of a specific user group by following the below steps:

  1. Navigate to Users >> Groups tab.
  2. Click the Actions icon beside the required group and click Change Offline Access Settings from the drop down.
  3. In the pop-up form that appears, unselect the option Include passwords in plain text in the exported file.
  4. Click Save.

3. Managing User Groups

3.1 Editing a User Group

Follow the below steps to edit an existing user group to add more users or to remove existing users.

  1. Navigate to the User Groups tab.
  2. Click the Actions icon beside the required group and click Edit Group Attributes.
  3. In the pop-up form that opens, you can change the group name and description.

3.2 Adding Users to an Existing User Group

  1. To add new users to the group or remove previously added users from the group, click the Associate Users icon beside the required group.
  2. Click Add to Group to add a non-member to the group.
  3. Click Remove to remove previously added users from the group.
  4. The changes will take effect as and when you make them.

3.3 Deleting a User Group

When a user group is deleted, the group-level settings configured for that group will no longer apply to the users who were members of that group. Deleting a user group will not affect the resources stored in PAM360. However, the resource shares made to the group will no longer apply. Follow the below steps to delete an existing user group in PAM360:

  1. Navigate to the User Groups tab and select the required user group.
  2. Click the Delete Groups button at the top.
  3. In the pop-up form that appears, click OK to confirm.

©2019, ZOHO Corp. All Rights Reserved.
