Configure Policies to Provision User Access to Devices and Applications

To configure the product to provision privileged access to devices and applications, you configure the following objects:
  • Devices
     – Represent physical devices and IP-addressable applications.
  • Users
     – Represent individuals who can log in to Privileged Access Manager.
  • Policies
     – Define the relationships between users (or user groups) and devices (or device groups), specifying what actions each user is permitted to do with each device.
In simplest terms, policies determine which Device access options appear on the Access screen of each logged-in user and whether their sessions are recorded.
This article describes these objects in more detail.
Devices
A Device object is a Privileged Access Manager-managed, IP-addressable network node that is the potential access target of a user, for example, a Windows or Linux system. You manage Devices from the Manage Devices screen in the UI.
When creating or importing devices, verify that the Access Device Type option is selected; otherwise the device is not available in access policy selection lists.
Password Management device types are related to credential management. For more information, see Protect Privileged Account Credentials.
Access Types
For each device, you specify one or more of the following access types to determine the ways in which it can be accessed:
  • Access Methods: Prepackaged applets that provide standard connectivity.
  • Services: Configure services to extend the types of access beyond the predefined Access Methods and provide custom access to:
    • TCP/UDP Services
    • RDP Applications
Access types that are configured at the device level determine all the possible access options available when configuring a policy involving that device. The access type or types that are presented to a user are specified in the corresponding access policy.
Access Methods
Access Methods are standard prepackaged Java communications applets that run in the CA PAM Client or a supported browser. Access Methods are available for VNC, TELNET, SSH, RDP, and serial connections. Access Methods are predefined with standard ports and are available to assign to devices out of the box. To modify the default ports or disable Access Methods, go to Global Settings, Access Methods.
TCP/UDP Services
Configure TCP/UDP Services to define custom access to known ports and to specific applications. These services may include fat client applications such as SQL query frontends, mainframe clients, or any proprietary application that uses a TCP or UDP connection. Web portals and web applications are also configured as Services.
Privileged Access Manager includes several preconfigured SFTP/FTP Services that support common SFTP/FTP servers, including OpenSSH-derived Linux, AIX, Solaris SFTP, and Microsoft IIS implementations.
Configure other TCP/UDP Services (from TCP/UDP Services) before configuring device definitions that require them.
RDP Applications
Define RDP Applications to provide access to RemoteApps, single target-hosted applications that are published through the RDP protocol, instead of allowing access to the entire desktop.
Configure RDP Applications (from RDP Applications) before configuring device definitions that require them.
Device Groups
For ease of administration, devices can be added and managed in groups. Devices in a device group are those which share common access methods and functionality, such as IIS Web Servers or UNIX and Linux variants. When using device groups, the concept of least privilege takes precedence: when selecting the access types available to a group, access types that are unavailable at the device level are not available at the group level. In other words, the most restrictive policy is used when a conflict arises.
When choosing Access Methods and Services for device groups, include all possible access methods and services for all devices in the group.
Users
A User is a person who can log in to Privileged Access Manager. To simplify management, organize users in user groups. Use roles to determine the permissions that a user has within Privileged Access Manager. User groups follow an inheritance model, and roles can be assigned to groups and users.
Credential Manager has its own set of roles and user groups, separate from the roles and user groups defined for access.
User Groups
User groups allow common sets of users to inherit the same role, authentication method, and other variables. User groups thus simplify management: a modification to the role for the group changes the role of all members. Groups can also be used when creating access policies instead of creating a policy for each individual user.
Roles
A role is a predefined set of privileges in a functional area. Privileged Access Manager has many predefined roles that satisfy most requirements. You can also create custom roles using built-in granular privileges. Standard user is the common role that is assigned to general users accessing devices. For a complete list of user roles, see User Roles.
User Configuration Methods
You can create local user accounts manually or you can import them from CSV files. Users can also be imported from and synchronized with an LDAP user store such as Active Directory. When configured for RADIUS or PKI, users are added when they first log in. Production deployments use LDAP or RADIUS for authentication.
Policies
A policy is a set of permissions that is granted to a user or user group to access the interface of a device or device group. For connections using the SSH and RDP access methods, you can even configure transparent (automated) login. Simply put, a policy defines the relationship between a user and a device, which results in an access link or links appearing on the Access page of that user.
For example, the following screenshot shows the Access page for a user for whom a policy assigns the SSH Access Method to a device named UNIX-AUX.
A policy also optionally specifies whether to record all or some of the actions a user performs while accessing a device. Recording can be enabled based on the specified Access Type. Command line recordings apply to SSH/Telnet and Mainframe sessions. Graphical recording is available for RDP connections and web portal types.
You can create policies manually or can import them from a CSV file.
Use Credential Manager to configure Policies with automated login.
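The following is an added illustrative model of how the objects described above combine: device-level access types bound what a policy may grant, a device group only offers what each member device offers (the most restrictive set wins), a user inherits policies assigned to its user groups, and the resulting access links are what the user's Access page would list, with a recording flag per link. It is not Privileged Access Manager code and does not use its API or CSV formats; the class names, the device-type strings, the inventory, the user memberships and the policies are all constructed for the example.

```python
from dataclasses import dataclass

# Prepackaged Access Methods named on the page; anything else in a
# device's access_types is treated as a custom Service in this model.
ACCESS_METHODS = frozenset({"VNC", "TELNET", "SSH", "RDP", "SERIAL"})

# Which kind of session recording applies to which access type
# (assumed names for the custom services MAINFRAME and WEB_PORTAL).
RECORDING_KIND = {
    "SSH": "command-line",
    "TELNET": "command-line",
    "MAINFRAME": "command-line",
    "RDP": "graphical",
    "WEB_PORTAL": "graphical",
}


@dataclass(frozen=True)
class Device:
    name: str
    address: str
    device_type: str          # "Access" or "Password Management" (simplified to one per device)
    access_types: frozenset   # Access Methods and Services enabled at the device level


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    members: tuple            # Device objects
    access_types: frozenset   # access types selected for the whole group

    def offered(self, device):
        """Least privilege: the group cannot offer what the device itself lacks."""
        return self.access_types & device.access_types


@dataclass(frozen=True)
class Policy:
    subject: str              # user name or user-group name
    target: str               # device name or device-group name
    access_types: frozenset   # access types granted by this policy
    recorded: frozenset = frozenset()   # subset of access_types whose sessions are recorded


def recording_kind(access_type):
    """Return 'command-line', 'graphical', or None if the type is not recordable."""
    return RECORDING_KIND.get(access_type)


def check_policy(policy, devices, groups):
    """Return the access types a policy grants that its target cannot offer (empty set = valid)."""
    if policy.target in groups:
        offered = groups[policy.target].access_types
    elif policy.target in devices:
        offered = devices[policy.target].access_types
    else:
        raise KeyError(f"unknown policy target {policy.target!r}")
    return policy.access_types - offered


def access_links(user, memberships, policies, devices, groups):
    """Compute the (device, access type, recorded) links a user's Access page would show."""
    subjects = {user} | set(memberships.get(user, ()))   # user plus inherited group memberships
    links = set()
    for pol in policies:
        if pol.subject not in subjects:
            continue
        if pol.target in groups:
            grp = groups[pol.target]
            targets = [(dev, grp.offered(dev)) for dev in grp.members]
        else:
            dev = devices[pol.target]
            targets = [(dev, dev.access_types)]
        for dev, offered in targets:
            if dev.device_type != "Access":
                continue   # Password Management-only devices are not access targets
            for access_type in pol.access_types & offered:
                links.add((dev.name, access_type, access_type in pol.recorded))
    return sorted(links)


# Constructed sample inventory (names and addresses are made up).
DEVICES = {d.name: d for d in [
    Device("UNIX-AUX", "10.0.0.11", "Access", frozenset({"SSH", "TELNET"})),
    Device("LINUX-02", "10.0.0.12", "Access", frozenset({"SSH"})),
    Device("WIN-JUMP", "10.0.0.20", "Access", frozenset({"RDP"})),
    Device("VAULT-DB", "10.0.0.30", "Password Management", frozenset({"SSH"})),
]}
GROUPS = {"Linux hosts": DeviceGroup(
    "Linux hosts",
    (DEVICES["UNIX-AUX"], DEVICES["LINUX-02"], DEVICES["VAULT-DB"]),
    frozenset({"SSH", "RDP"}),
)}
MEMBERSHIPS = {"alice": ("admins",), "bob": ()}
POLICIES = [
    Policy("admins", "Linux hosts", frozenset({"SSH", "RDP"}), recorded=frozenset({"SSH"})),
    Policy("bob", "WIN-JUMP", frozenset({"RDP"}), recorded=frozenset({"RDP"})),
    Policy("alice", "UNIX-AUX", frozenset({"TELNET"})),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, access_links(user, MEMBERSHIPS, POLICIES, DEVICES, GROUPS))
```

Running it shows that alice's group policy grants RDP on "Linux hosts", but no RDP link appears because none of the member devices has RDP enabled at the device level, and the Password Management-only VAULT-DB never yields a link; check_policy is the pre-save validation a practitioner would want, so that a policy granting an access type its target cannot offer is caught before it silently produces no link.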
More Information
To configure policies to provision user access to devices and applications, do the following procedures in the order shown: