Thank you for choosing ManageEngine's Password Manager Pro to manage your organization's privileged identities. This guide will provide you with the basic information necessary to help you get started.
If you haven’t yet installed Password Manager Pro, follow the steps detailed in the user manual and install it. This guide will help you start the server and connect to the web interface.
After installation, you need to configure certain basic settings. First, configure the mail server so that Password Manager Pro can send emails directly from within the application, without an external mail client. You also need to configure the SMTP server details here. Password Manager Pro users are notified of their account details and password actions only through email, so it’s important that this is set up correctly.
Enter all details including server name, port, sender email id, access URL, and type of authentication. Then save the configuration.
Next, specify how you will connect to the Internet: directly or over a proxy. Configure this setting by going to Admin tab, under Settings > Proxy Server.
You will see two options here:
If your internet connection is over a proxy, configure proxy server settings, such as HTTP proxy server name, proxy port, type of authentication, and the username and password used for the connection.
If you want to replace Password Manager Pro’s logo in the GUI with your company logo, you can do so with a simple setting change. The recommended logo size is 210 x 50 pixels. To effect the change, navigate to the Admin tab and click Rebrand under the Customize section.
After configuring the basic settings, the next step is to create accounts for your users in Password Manager Pro.
There are several ways in which you can add users to Password Manager Pro. Password Manager Pro offers the provision to import users from corporate identity stores such as AD, LDAP or Azure AD through integration. You can also import users in bulk from a CSV or add users manually. For detailed information on adding users, check out the documents listed below:
Since Password Manager Pro serves as the vault for sensitive passwords, it is essential to have a strong authentication mechanism to grant access to the software. Password Manager Pro provides various authentication options and users can choose the ones that suit their environment better. Apart from Password Manager Pro's local authentication, there is provision for leveraging the authentication of external identity stores such as Active Directory/LDAP.
To allow users to login to Password Manager Pro using their AD domain passwords, navigate to Admin > Authentication > Active Directory and enable the active directory authentication option.
Note: This authentication scheme will work only for users who have already been imported to the local database from Active Directory.
To allow users to login to Password Manager Pro using their LDAP directory passwords, navigate to Admin > Authentication > LDAP and enable the LDAP authentication option.
Note: This authentication scheme will work only for users who have already been imported to the local database from LDAP.
To allow users to login to Password Manager Pro using their Azure AD domain passwords, navigate to Admin > Authentication > Azure AD and enable the Azure AD authentication option.
Note: This authentication scheme will work only for users who have already been imported to the local database from Azure AD.
In addition to this, Password Manager Pro also offers the following first level authentication mechanisms:
If you have a smart card authentication system in your environment, you can configure Password Manager Pro to authenticate users with their smart cards and their personal identification number (PIN), bypassing other first factor authentication methods like AD, LDAP or Local Authentication. To turn this setting on, navigate to Admin tab > Authentication > select Smart card / PKI / Certificate in the web interface. For detailed instructions to set up Smart Card authentication, refer to this section of the help documentation.
You can integrate Password Manager Pro with RADIUS server in your environment and leverage the RADIUS authentication for user access, bypassing the local authentication provided by PMP.To turn this setting on, navigate to Admin tab > Authentication > select RADIUS in the web interface. For detailed instructions on RADIUS server integration, refer to this section of the help documentation. documentation.
Password Manager Pro offers support for SAML 2.0, which facilitates integration with Federated Identity Management Solutions for Single Sign-On. PMP acts as the Service Provider (SP) and it integrates with Identity Providers (IdP) using SAML 2.0. The integration involves supplying details about SP to IdP and vice-versa. Once you integrate PMP with an IdP, the users just need to login to the IdP and then, they can automatically login to PMP from the respective identity provider's GUI without having to provide credentials again. To turn this setting on, navigate to Admin tab > Authentication > select SAML Single Sign On in the web interface. For detailed instructions on SAML Single Sign On authentication, refer to this section of the help documentation.
If your organization requires an additional layer of security, you can configure two-factor authentication (TFA) and mandate users to go through two successive stages of authentication before login. Once configured, your users will have to go through two steps:
To turn this setting on, navigate to Admin tab > Authentication > Two-factor Authentication in the web interface
After adding users, you can group them to carry out operations in bulk. For example, you can create a user group for all Windows administrators and then allot passwords in bulk to this particular user group. To create a user group, navigate to the Users tab > User Groups and click on 'Add Group.' You will find detailed information on creating user groups in this section of our help documentation.
Password Manager Pro helps enforce strong password policies at all levels—be it the users’ local authentication passwords or the passwords for managed IT resources. Password Manager Pro comes with a built-in password generator that can generate passwords based on the level of complexity defined in the password policies.
You can specify various conditions including minimum length, mixed characters, numerals, and more, and the generator will create the passwords as required. By default, Password Manager Pro provides three types of policies: low, medium, and strong. You can choose from one of these or create your own custom policy. You can create new password policies from the Admin > Customize > Password Policies section.
You can find detailed instructions on configuring password policies in this section of our help documentation.
The term “resource” refers to all devices and applications whose privileged accounts are to be managed by Password Manager Pro. There are various ways to add your resources to Password Manager Pro:
When uploading resource information via a CSV/Tab separated file, it can be shared in two ways
Normal File: This option can be used to upload a plain text CSV/Tab separated file directly in which the data is saved as either comma or tab separated values.
Password Protected ZIP File: This option can be used if you wish to upload a password protected ZIP folder containing the CSV/Tab separated file. If you choose this file format, you must also provide the password and specify the name of the target CSV/Tab separated file in the 'File Name' field. In case the 'File Name' field is left empty, PMP will automatically import information from the first CSV/Tab separated file that it accessed in the unzipped folder.
You can find detailed information on the above options in the following sections of our help documentation.
After adding resources, you can group them for better organization and easier management. Resources can be grouped either by specifying a set of criteria or by selecting individual resources.
For static groups, resources are to be added and removed manually, as needed. Whereas in case of a dynamic group, i.e. criteria-based, whenever a newly added resource matches the criteria of an existing group, it automatically becomes a part of that group. When a resource is added or deleted from a group, it affects the password access shared through the group. That is, when a particular resource group is shared with users, they can see passwords of only the resources that are part of the group at the time of sharing. To create a resource group(s), navigate to the Groups, click Add Group and then select Dynamic Group or Static Group. You will find detailed instructions for creating resource groups in this section of our documentation.
In a single click, you can share an individual account or all accounts within a resource or a group of resources with any users or user groups. While sharing resources with other users, you can also set varying access privileges:
View Passwords: Users and User groups can only access the passwords.
Modify Passwords: Users and User groups can view and edit passwords of the shared resources. However, this privilege does not allow them access to the 'Resource Actions' section, which restricts users from changing any other attribute of the resource.
Full Access: Users and User groups have complete management of resource / resource group. They can even re-share the resource or password with other users.
You can find detailed information on sharing resources in this section of our documentation.
Note: Password Manager Pro allows users to share passwords without revealing them in plaintext in the GUI. This can be done from Admin > General Settings > Password Retrieval. The checkbox for the option "Allow plain text view of passwords, if auto logon is configured" should not be selected to exercise this option.
After a successful login to Password Manager Pro, users get instant access to the passwords that are owned by them or shared with them. If needed, you can add an extra layer of security by requiring your users to go through request-release approvals. This mechanism follows a well-defined workflow—users get access only upon administrative approval. The password can be released for a limited period of time, at the end of which it will automatically be reset.
To configure access controls, navigate to the Resource tab, select the resources for which you want to configure access controls, and click on Configure Access Control from the Resource Actions drop-down menu.
You can find detailed instructions and use cases for configuring access control workflows in this section of our documentation.
Password Manager Pro helps you reset passwords for a wide range of target systems on demand at any time or automatically at periodic intervals on multiple platforms across physical, virtual, and cloud infrastructures. Password reset can be done in two ways:
|With agents||Agent-based resets come in handy when you have to reset passwords for resources without direct connectivity, such as those in DMZ locations or with firewall restrictions. To accomplish these password resets, Password Manager Pro deploys an agent to the remote host to execute the task. All communication between the agent and the application server is one way and over HTTPS.|
|Without agents||Password Manager Pro directly connects to the target system and changes the password.|
Notifications can be sent to users before and after the remote password reset process. The basic configuration required for remote password reset can be carried out as a part of the resource addition. For already added resources, this can also be carried out by editing the resources. This configuration depends on the type of resource being added. Detailed instructions for configuring remote password reset for different types of resources can be found in this section of our documentation.
You can periodically reset the passwords of remote resources by creating reset schedules. This can be done at the resource group level. Password Manager Pro will assign a strong, unique password to each account belonging to the resource group. To configure periodic password reset, navigate to the Groups tab, Click the "Actions" icon against the required resource group and select Periodic Password Reset from the drop-down.
Detailed information on configuring password reset schedules is available in this section of our documentation.
When any action is performed on a password—be it a password access, modification, or changing the share permission when the password expires or when password policy is violated—notifications are sent to the password owners, those who have access to the passwords, and/or to any other users as desired by the administrators. The Password Action Notification feature helps you achieve this.
These settings can be configured at the resource group level. Navigate to the Groups tab, click on the "Actions" icon against the group for which you need to enable action notifications and select "Configure Notifications" from the drop-down list.
Detailed information on configuring password actions notifications can be found in this section of our documentation.
By configuring automatic login, you can launch a direct connection to websites and applications from within Password Manager Pro’s web interface. This can be done by using native browser extensions.
You can find detailed information for Chrome, Firefox, and IE browser extensions in the following sections of our documentation.
Password Manager Pro allows you to automatically log in to remote target systems directly from its web interface with the Auto-logon gateway option. Auto-logon gateway is useful for launching Windows RDP, VNC, SSH, and SQL sessions. Detailed information on how to use this feature is available in this section of our help documentation.
Various applications require access to databases and other applications frequently to query business-related information. This communication process is usually automated by embedding the application credentials in plain text within configuration files and scripts. While hard-coding credentials makes a technician’s job easier, it’s also an easy launch point for hackers
Password Manager Pro eliminates hard-coded passwords with secure APIs for application-to-application (A-to-A) password management. Password Manager Pro provides password management APIs, through which any business application or script can query and retrieve passwords to connect with other applications or databases. This way, the A-to-A passwords are also subject to security best practices such as periodic password rotation, without needing to make manual updates in multiple places.To configure the APIs, navigate to Admin > Configuration > Password Management API. For detailed instructions on configuring the password management API, refer to this section of our documentation.
The most widely-used API in Password Manager Pro is the REpresentational State Transfer (REST) or the RESTful API.The APIs that belong to this category allow you to add resources, accounts, retrieve passwords, resource/account details and update passwords programmatically.The first step in the process of configuring password management APIs involves creation of API user accounts in Password Manager Pro. For detailed instructions on this, refer to this section of the help documentation.
Password Manager Pro lets you integrate a range of ticketing systems to automatically validate service requests related to privileged access. The integration ensures that users can access authorized privileged passwords only with a valid ticket ID. This integration also extends to the Password Manager Pro workflow, which helps you grant approvals to access requests with automatic validation of corresponding service requests in the ticketing system.
To configure this setting, navigate to Admin tab > Integration > Ticketing System Integration. Detailed instructions on the help desk integration are available in this section of our help documentation.
For uninterrupted password access, Password Manager Pro offers a high-availability architecture that uses redundant Password Manager Pro server and database instances. The high-availability configuration varies according to the back-end database used. The following sections of our help documentation will guide you through the process of establishing high availability.
You can also configure a backup of Password Manager Pro’s database to recover in the event of disasters. Password Manager Pro provides two options to configure database backup:
To configure a data backup, navigate to Admin > Configuration > Database Backup.
You can refer to this section of our documentation for more information.
Password Manager Pro comes with an effective auditing mechanism to record trails for every single action performed by each user. All operations performed by users on the GUI are audited with the timestamp for each operation and the IP address from which the user accessed the application. Auditing in Password Manager Pro can be classified into three types:
The Password Manager Pro audits are quite comprehensive—almost every action is audited. If you only want to audit specific operations, you can specify them based on audit type operation. You can also send notifications to the required recipients whenever a chosen event (audit trail of your choice) occurs.
You can configure each of these audits in the Audit tab on the web interface. More instructions on configuring audits can be found in this section of our documentation.
Information on the entire privileged account management process in your enterprise is presented in the form of comprehensive reports in Password Manager Pro. The status and summaries of different activities such as password inventory, policy compliance, password expiry, user activity, and more are provided in the form of tables and graphs that help IT administrators make well-informed decisions on password management. Password Manager Pro provides reports under several categories and also lets you create your own reports.
To view and configure reports, navigate to the Reports tab in the web interface. You can find detailed instructions in this section of our documentation.
Password Manager Pro provides multiple options for secure offline access and safekeeping of password information.
Typical use case scenarios for this option include:
More information on exporting passwords can be found in this section of our documentation.
The native mobile app is helpful to securely retrieve passwords on the go. The list of supported mobile platforms and detailed instructions for each platform is given below.
To smooth out the process of password management and auto-logon, Password Manager Pro gives you the option of securely synchronizing passwords across browsers through native browser extensions. The extensions will be able to auto fill passwords for websites and web applications and also launch RDP and SSH sessions. In addition, the extensions allow you to view all passwords, resource groups, favorites, and recently used, and provides a search option. Once you deploy an extension, you will be able to perform most password management operations directly from the browser extension, while Password Manager Pro runs in the background. Currently, extensions are available for Chrome, Firefox. and IE.
Password Manager Pro lets you selectively enable or disable various settings based on the specific needs of your organization. You can choose to enforce or disable various policies through these settings. Navigate to Admin > Settings > General Settings to customize your options.
Password Manager Pro has been designed to offer maximum security from the installation of the application to user authentication, data transmission, storage, and throughout the usage workflow. You can review Password Manager Pro’s security specifications here and decide on the appropriate security configurations for your organization.
You can follow certain best practices at all stages—product installation, configuration, setup, and deployment—with a special focus on data security. Refer to the best practices guide for details.
If you face problems getting started with the product or if you are in need of any further assistance, our tech support team is just an email or a phone call away.
Toll-free number: +1-408-454-4014