Configure User Groups

To combine users with similar attributes, define a user group. User groups allow for more manageable changes. Each user can be a member of one or more user groups. User group settings override the same individual user setting.
To combine users with similar attributes, define a user group. User groups allow for more manageable changes. Each user can be a member of one or more user groups. User group settings override the same individual user setting.
The following sections describe user group types and how to configure groups:
User Group Types
  • Access User Groups
    Access User Groups are static collections of Users. Some User attributes, such as (Access) Roles and Access Time, can be assigned at the group level.
  • Credential Manager Credential Groups
    Credential Manager credential groups are dynamically determined. User groups are based on a Credential Manager role and a Target or Request Group of the current set of users. Create these credential groups by navigating to 
    Manage Credential Groups
    Credential Groups
  • Local Groups
    Local groups are a collection of local users.
Do not confuse Access user groups with Credential Manager credential groups. User groups and roles are specified in two distinct locations, one for general use and one specifically for Credential Manager.
Use the UI Template to Create a Group
To create a user group consisting of local users, use the UI template. The instructions for each part of the template are explained.
Basic Info Configuration
Follow these steps:
  1. Log in as an appropriate administrator.
  2. Select 
    Manage User Groups
    A User Group is necessarily restricted to a single Authentication scheme.
  3. Select 
     to create a local or SAML group.
    For RADIUS, TACACS+, and LDAP groups, see the relevant instructions.
  4. Complete the fields in the
     Basic Info
     tab. Note the following information:
    • Group Name: 
      Double-byte characters are allowed.
    • Applet Recording Warning:
       Set this option to 
       to display a notification that an applet (such as SSH or RDP) session is being recorded. (This option is ignored for TCP/UDP and RDP service sessions.) For example, when a user who is a member of the group opens an SSH applet console, the following warning appears in the title bar of the window and in the first line of console: "
      Warning you are being monitored
      The related 
      Show Recording Warning
       setting on the 
      Global Settings
       tab is ignored for applet sessions that are made by users who are a member of any group for which 
      Applet Recording Warning
       is enabled. The global 
      Show Recording Warning 
      setting applies for all applet sessions that are made by users who are not members of any group and for 
       TCP/UDP and RDP service sessions.
If a user group is imported from an LDAP directory, the Group Name has the following format:
  • From Active Directory: 
     + "@" + 
    LDAP_domain. The LDAP_Domain 
    is the base DN in the 
    Bind Credentials
     field of the LDAP Domain configuration (
  • From other LDAP directory servers, such as OpenLDAP: 
Also, the 
 field has the format: "LDAP Group" + 
 + "from" + 
Administration Configuration
The Administration section is where you specify the user authentication method
Follow these steps
  1. Select Administration.
  2. In the Authentication field, select an option from the drop-down list. The available options depend on which type of group is being created (Local, RADIUS, or imported LDAP).
    If you select SAML as an authentication method, the user authenticates by a SAML assertion. The SAML attribute depends on the user provisioning source:
    For Active Directory:
    •  Distinguished Name 
    • User Principal Name 
    • SAM Account Name 
    LDAP directory like OpenLDAP or other: 
    • Distinguished Name 
    • Unique Attribute 
    If Authentication method is Local, RADIUS, or PKI:  
    • User Name
  3. If the user is accessing the server from the CA PAM Client, enter a range of IP addresses that are permitted to log in. Delimit each address with either a space, comma, semicolon, or newline. Example:,
    IP address formats permitted include:
    • Single IP:
    • CIDR:
    • Range:
    If this field is empty, no IP address restrictions are applied. The user definition overrides the User Group definition. If no user policy is defined but that User is a member of multiple groups with different rules, the group permissions are additive (less restrictive).
    If your 
    CA PAM
     server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
Define Roles for a User Group
Multiple roles can be assigned per group. The standard user is the default role.
To assign the roles of Global Administrator, Operational Administrator, or Password Manager, apply these roles to the individual user record for each user in the group.
Follow these steps:
  1. From the 
    Add User
     screen, select 
  2. Expand the 
     list using the plus sign.
    The Standard User is the default preassigned role. This role allows device access.
  3. Select the plus sign to the right and a new line displays prompting you to specify a role.
  4. Select in the field 
    Please specify a role
     and an arrow for a pull-down list becomes available.
    The list shows all currently defined roles and a set of predefined roles. Note the following information:
    • Privileged Access Manager
       administrator specifies one or more roles using the Available Roles drop-down list. The user can also inherit roles from Groups in which the user is a member.
    • If an access role has the Password Manager permission, this role can access the Credential Manager controls from the 
      You must specify a Credential Manager credential group to determine the scope of menu access.
Do not assign any user solely the role Password Manager. That role does not contain sufficient privileges for access. Keep the Standard User role and then add the Password Manager role so the user has password management privileges.
Specify Time Periods for Group Login
To configure time-based access restrictions when users in a group can log in to the server, select the 
Access Times
Follow these steps:
  1. Add an entry to the
     access times table.
  2. Specify the days and times for the access entry. the 
     table cells to display a drop-down list of times.
  3. Select 
     to save your entries.
Add Users to Groups
After the group is configured, add users.
Follow these steps:
  1. Select the check box next to any user you want to add to the group.
  2. Select the right arrow to move the groups to the Selected Users list.
    For Imported LDAP groups, users cannot be added or removed. Modify user records in the source LDAP directory.
  3. Select 
User groups are not available for Active Directory or other directory users. Instead, users should be grouped in the directory and the attribute that is read by 
Privileged Access Manager
. Setting policies for directory users is done at the group level.
Temporarily Elevate User Privileges
To elevate the privileges of a user temporarily, add them to a user group that has the additional privileges for as long as necessary. When the user no longer needs the elevated, simply remove them from that user group.
Create a RADIUS or TACACS+ Group
You can create a user group that is imported from a RADIUS or TACACS+ server.  For the RADIUS or TACACS+ buttons to become active, first configure the RADIUS or TACACS+ server for access to 
Privileged Access Manager
. See RADIUS or TACACS+ for instructions on configuring RADIUS connectivity. 
 Follow these steps:
  1. Open a template by clicking the relevant button:
    • Create RADIUS Group
    • Create TACACS+ Group
  2. Complete each section of the template. The instructions are similar to creating a local user group.
    To locate users in a RADIUS or TACACS+ group, each
    group name you specify must match a corresponding group name or ID on the RADIUS or TACACS+ server. 
    Privileged Access Manager
     uses the configured grouping to manage users.
     must match a corresponding group on the RADIUS or TACACS+ server. All the privileges that users maintain are derived from their group. Only users with a local account or whose group matches the group name in the UI is granted access. Contact the RADIUS or TACACS+ server administrator for the group name.
    If a RADIUS group is provisioned but the user does not exist, a shadow RADIUS user is created. The shadow user is not visible in the user management screen or the user list.
Import an LDAP Group
For information about importing an LDAP Group, see Import LDAP User Groups.
Edit from the Manage Policies Page
An administrator can edit a user group record by invoking it directly from the Manage Policies page.
  1. Open the Policy, 
    Manage Policies
  2. Populate the 
    User (Group)
     field with a record name.
  3. Double-click the name to display its editing template in a shadow box window.
  4. When finished, select  
     (or Cancel) to return to the 
    Manage Policies
SAML SSO with Juniper SA Using RADIUS Authentication
See Network Configuration, SSO, Juniper Networks, Configure 
Privileged Access Manager
 for SAML SSO with Juniper SA using RADIUS Authentication.
For information about importing an LDAP Group, see Import LDAP User Groups