Adding New Users
Note: Only administrators can add users.
From the Users tab, administrators can:
- View all the existing PMP users
- Create new users
- Edit the access role of the user
- Enable two-factor authentication
- When RSA SecurID is used as the second authentication factor, the user name in RSA Authentication Manager and the corresponding user name in PMP must be the same. If an existing RSA user has different user names in PMP and in RSA Authentication Manager, you can map the names in PMP instead of editing the name in RSA. This can be done from here through "RSA SecurID UserName". For example, suppose a user imported into PMP from Active Directory has the user name ADVENTNET\rob in PMP, while RSA Authentication Manager records the user name as 'rob'. Normally, the user names in PMP and RSA Authentication Manager would then not match. To avoid the mismatch, create a mapping in PMP so that ADVENTNET\rob is mapped to rob.
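The mapping described in the last item can be planned before SecurID is enabled by comparing the two user lists. The following is an added example, not code from PMP or RSA: the user lists are constructed sample data, the function names are hypothetical, and case-insensitive comparison is an assumption. It flags the case where two PMP accounts would reduce to the same RSA name, which should be reviewed by hand rather than mapped automatically.

```python
# Added example. PMP_USERS and RSA_USERS are constructed sample data;
# in practice they would come from each product's own user listing.
PMP_USERS = ["ADVENTNET\\rob", "alice", "ADVENTNET\\carol", "LAB\\carol", "dave"]
RSA_USERS = ["rob", "alice", "carol"]


def bare_name(pmp_user):
    # Drop a leading DOMAIN\ prefix, as carried by users imported from Active Directory.
    return pmp_user.split("\\", 1)[1] if "\\" in pmp_user else pmp_user


def plan_rsa_mappings(pmp_users, rsa_users):
    # Returns {pmp_user: (status, rsa_name)} where status is one of:
    #   "match"     - names already agree, no mapping needed
    #   "map"       - set "RSA SecurID UserName" to rsa_name for this user
    #   "ambiguous" - several PMP accounts resolve to one RSA name; review by hand
    #   "missing"   - no corresponding RSA user found
    # Assumption: names compare case-insensitively.
    rsa_by_key = {name.lower(): name for name in rsa_users}

    def resolve(user):
        # Prefer an exact match; otherwise fall back to the name without its domain.
        key = user.lower()
        return key if key in rsa_by_key else bare_name(user).lower()

    claimants = {}
    for user in pmp_users:
        claimants.setdefault(resolve(user), []).append(user)

    plan = {}
    for user in pmp_users:
        key = resolve(user)
        if key not in rsa_by_key:
            plan[user] = ("missing", None)
        elif len(claimants[key]) > 1:
            plan[user] = ("ambiguous", rsa_by_key[key])
        elif user.lower() == key:
            plan[user] = ("match", rsa_by_key[key])
        else:
            plan[user] = ("map", rsa_by_key[key])
    return plan


if __name__ == "__main__":
    for user, (status, rsa_name) in plan_rsa_mappings(PMP_USERS, RSA_USERS).items():
        print(f"{user:20} {status:10} {rsa_name or '-'}")
```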
New users can be added in five ways:
- Adding users manually
- Importing users from Active Directory
- Importing users from LDAP
- Importing from AzureID
- Importing users list from a CSV file
By default, PMP stores all user data in the MySQL database and performs authentication using database lookups. When you integrate AD/LDAP as the authentication system, AD or LDAP replaces PMP's default authentication for verifying a user's identity. Only one mode of authentication can be in use in PMP at any point in time.
Adding Users Manually
- Click the "Add User" button in the "Admin >> Users" tab
- In the "Add User" UI that opens up, enter the 'First Name' and 'Last Name' of the user to be added in the respective text fields. These entries are mandatory
- Enter the desired login name in the "User Name" text field. This entry is also mandatory and it must be unique
- Enter the e-mail ID of the user. The login password for that user will be mailed to this ID
- Select an appropriate access level - Administrator/Password Administrator/Password Auditor/Password User/Custom Roles
- If you are adding a user as "Administrator" or "Password Administrator" or any of your custom roles that are permitted to possess Super-Administrator privileges, you can specify the 'Access Scope'. If you select the option "Passwords Owned and Shared", the user with any of the above-mentioned roles will be able to view the passwords owned by them and those shared with them by others. You can choose to make any of these roles a Super-Administrator by selecting the option "All passwords in the system." When you do so, this user will be able to access all passwords in PMP without any restriction.
- Select the required password policy. Based on this policy, login password will be generated and sent to the user
- Enter the department to which the user belongs (optional)
- Enter the location of the user. This would be helpful for future reference (optional)
- Click "Save". The required user with desired access restriction has been created
Denying Super-Administrator Creation by Administrators
Super-Administrators in PMP get the privilege to view all the passwords stored in the system. Organizations generally wish to keep the super-administrator role as a break-glass account for emergency access to passwords. At present, any administrator can change the role of another administrator (but not their own) to super-administrator.
PMP now provides the option to prevent administrators from creating super-administrators. This can be done by any super-administrator from Admin >> Super Administrator >> Deny Administrators from Creating Super Administrators.
The Best Practice Approach
If your organization requires super-administrator only as a break-glass account, the following would be the best practice approach:
- Create a new administrator account in PMP
- Designate the new account as the Super-Administrator
- The new super-administrator will log in and enforce the above option of denying other administrators from creating super-administrators
- The login credentials of this super-administrator will be sealed and kept in a safe to be opened only for emergency access
- Once you enforce this option, no more super-administrators can be created by administrators
- The existing super-administrators (other than the break-glass account), if any, will not be affected. They will continue to have super-admin access as usual
- The existing super-administrators and the break-glass super-admin accounts will have the privilege to create new super-admins