Create or Edit Users that Can Log in to the Server

As an Administrator, follow these procedures to create or edit Users. Create and modify user records using a template or a CSV file. For LDAP or RADIUS groups, you can only modify existing user records.
Review the following ways to manage users:
Add a User Account Using the Template
Create a user account using a template in the UI. The configurable characteristics for each user include:
  • Basic profile information
  • User authentication methods and the status of the user account
  • Roles that define user privileges
  • Time restrictions for user login
  • User group membership
  • API Keys
If you are updating an existing user account, a Manage Policy button is available. Select this button to navigate to the Policy page, but changes already made to the user record are lost. Populate the User(Group) field there with the current user name.
Specify Basic Information
Provide user name and contact information in the
Basic Info
Follow these steps:
  1. Log in to the UI.
  2. Select
    Manage Users
  3. Select
    to create a user.
    A user account template appears in the list window.
  4. Complete the fields in the
    Basic Info
    section. Required settings are indicated by a red asterisk. Note the following information about some of the fields:
    • User Name - Accepts alphanumeric characters, a dash, an underscore, and spaces. For AWS users, a user name can be from 2 through 32 characters long because of restrictions on federated users within AWS.
    • Password - The user password
    • RDP User Name - The RDP applet uses this name as credentials for access to a remote Windows device.
    • Mainframe Display Name - The AS/400 applets TN5250 and TN5250SSL use this name.
Configure Administration Settings for the User Record
The Administration tab contains information indicating how a user authenticates and the status of that user account.
Follow these steps:
  1. Select an authentication method for the user from the menu in the Authentication field:
    • Local:
      Local user accounts are hosted in the
    • RADIUS:
      User authenticates to a RADIUS server. The user enters credentials that are provisioned by the RADIUS server. This option is available only if a RADIUS server is configured (see
      3rd party
      ). If a RADIUS User is provisioned through LDAP, that user authenticates against a RADIUS server.
    • RSA:
      Authentication with an RSA SecurID. Users log in with a name and passcode.
      The passcode is a combination of the personal identification number and the current readout from the SecurID device. For example, if your PIN is 3425 and the current readout from your SecurID device is 866329, the passcode is: 3425866329
    • Smartcard/PKI
      - User authenticates with a Smartcard.
      checks the user certificate against an OCSP server, or a Certificate Revocation List (CRL). The first time that a Smartcard user accesses the server, the Designated Name, and User account is registered. The User name appears in the
      Approve CAC User
      tab. This user must be approved before device access can be assigned.
      To use Smartcard authentication, set the Smartcard parameters in the
      Security, Access, PKI Options
  2. Configure the deactivation and termination settings for the user account.
  3. If you select the
    Terminate Session on Account Expiration
    check box, a user login and all current sessions are terminated at the expiration date/time or when the account violation limit is exceeded. If a user account is deactivated while that user is logged in, the session is terminated.
  4. Specify email accounts to receive notices when the configured user logs in. The
    Email on Login
    field triggers an email to a specific administrator. The
    Email Self on Login
    field triggers an email to the address in the Basic Info section of the user record.
  5. If the user is accessing
    Privileged Access Manager
    from the
    Client, enter a range of IP addresses permitted to log in. Permitted delimiters include the space, comma, semicolon, and newline. Example:,
    IP address formats permitted include:
    • Single IP:
    • CIDR:
    • Range:
    If this field is empty, no IP address restrictions are applied. The user definition overrides the User Group definition. If no user policy is defined but that User is a member of multiple groups with different rules, the group permissions are additive (less restrictive).
    If your
    server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents IP spoofing through the X-Forwarded-For HTTP header.
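The following Python code is an added example, not product code: it models how an entry in the IP address field could be evaluated, covering the three address formats, the four delimiters, the empty-field case, and the user-over-group precedence described above. The range syntax `first-last`, the function names, the sample addresses, and the treatment of a group whose field is empty (it contributes no entries) are assumptions.

```python
import ipaddress
import re

def parse_allowlist(field):
    """Turn the field text into (first, last) address pairs; empty field -> []."""
    entries = []
    # Delimiters named in the documentation: space, comma, semicolon, newline.
    for token in re.split(r"[ ,;\n]+", field.strip()):
        if not token:
            continue
        if "-" in token:  # ASSUMED range syntax "first-last"
            lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {token!r}")
        elif "/" in token:  # CIDR block
            net = ipaddress.ip_network(token, strict=False)
            lo, hi = net[0], net[-1]
        else:  # single address
            lo = hi = ipaddress.ip_address(token)
        entries.append((lo, hi))
    return entries

def login_permitted(client_ip, user_field, group_fields):
    """Apply the documented precedence to one login attempt."""
    ip = ipaddress.ip_address(client_ip)
    rules = parse_allowlist(user_field)
    if not rules:
        # No user-level definition: group entries are additive (union).
        # ASSUMPTION: a group with an empty field adds nothing to the union.
        for field in group_fields:
            rules.extend(parse_allowlist(field))
    if not rules:
        return True  # nothing defined anywhere: no IP restriction applies
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in rules)

# Constructed sample values (private and documentation ranges only).
USER_FIELD = "10.1.2.3, 192.168.0.0/24; 172.16.0.10-172.16.0.20\n10.9.9.9"
GROUP_FIELDS = ["198.51.100.0/24", "203.0.113.5"]

if __name__ == "__main__":
    for addr in ("192.168.0.77", "172.16.0.21", "198.51.100.7"):
        print(addr,
              "user rule:", login_permitted(addr, USER_FIELD, GROUP_FIELDS),
              "groups only:", login_permitted(addr, "", GROUP_FIELDS))
```

When the address being checked is taken from the X-Forwarded-For header, a client-supplied value that the front-end device passes through unchanged is what gets matched against these rules.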
Assign Access Roles to the User
An access role is a collection of access-defined privileges. To perform access operations, each user must be assigned one or more roles.
Before you can assign roles to a user, the roles must be defined in the
Manage Roles
list. To define roles, see User Roles.
Follow these steps:
  1. On the
    user screen, select the
  2. If necessary, expand the Roles list by selecting the plus sign to the left of the Roles table.
    "Standard User" is the default preassigned role. This role allows device access.
    The user can also inherit roles from Groups of which they are a member.
  3. Do the following steps for each role that you want to assign:
    1. Select the plus sign to the right, as highlighted in the following screenshot:
    2. Select the
      Please specify a role
      field that appears, then select the caret symbol (highlighted in the following screenshot) to open a pull-down list of available roles.
    3. Select a role from the list to assign it.
      If a role (for example Device/Group Manager or Policy Manager) requires you to specify the User Groups, Device Groups, or both, over which the role has control, corresponding entries appear below the role, as shown in the following screen capture:
      Screen capture of a user role with User Groups and Device Groups entries
      To specify such groups, use one of the following options:
      • Select the plus (
        ) icon to the right of the entry to specify a required group.
      • Select the
        [Please specify a group]
        entry that appears to open the
        User Groups
        Device Groups
        selection dialog (as appropriate), as shown in the following screen capture:
        Screen capture of the User Groups selector dialog
      • Select
        All Users
        to include all user groups, start typing in the
        User Groups
        field, or select the magnifying glass icon to open a dialog with comprehensive search options.
        You can only select one user or device group at a time. To specify additional groups, use the
        option to the right of
        User Groups
        Device Groups
        entry, as required.
      After you have selected a group using any method, select
      to save it.
To provide a user with access to Credential Manager functions, add the
Password Manager
role (or any role with the Manage Credentials privilege).
Each user with Credential Manager access must also be assigned one or more predefined
Credential Manager groups
to determine the credential management functions they can access. For more information, see Add Credential Manager Roles and Groups.
Specify Login Time Periods
You can configure time-based access restrictions that determine when a user can log in to the server. Select the
Access Times
Follow these steps:
  1. From the UI, select
    Users, Manage Users
  2. Add or modify an existing user entry.
  3. Select the
    Access Times
  4. Select the plus sign, then specify the days on which to allow access.
  5. In the
    table columns, select the drop-down list to display a list of times. Access times are specified in UTC.
  6. Select
    to save your entries.
Add Users to Groups Including Credential Manager Groups
Before a user can become a member of a user group, that group must be set up. Set up user groups by selecting
Manage Users, Manage User Groups.
After the group is configured, add users.
Follow these steps:
  1. Open the User record.
  2. Select one of the appropriate Group tabs:
    • Groups
      for any role except those roles with credential manager privileges
    • Credential Manager Groups
      for any role with password manager privileges. If the user role does not have password manager privileges, the Credential Manager Groups window is unavailable.
  3. To add the user to one or more groups, select the checkbox for each group.
  4. Select the right arrow to move the groups to the Selected Groups list.
  5. Select
User groups are not available for Active Directory or other directory users. Instead, users should be grouped in the directory and the attribute that is read by Privileged Access Manager. Setting policies for directory users is done at the group level.
Permit Access to the ExternalAPI
The ExternalAPI is a REST API that provides programmatic control over most functions that are related to provisioning and managing access. The ExternalAPI uses HTTP basic authentication with API keys for user authentication. The keys are secured using HTTPS. Authorization is provided by associating API keys with the same roles that restrict what can be accessed using the standard web interface.
Follow these steps:
  1. Select
    API Keys
  2. Assign a name for the key. The name is also available to this user. This option allows you to store keys continuously for this user, but activate or deactivate the keys as desired.
  3. To make a key the active key, select the
  4. Select one or more roles whose privileges determine functions this user and credentials can control. Only assign a role if you are using the key.
    If the user has inherited roles from a user group, clicking Inherited Roles identifies them.
Edit User Records in LDAP or RADIUS Groups
These user records are created through features in the
Manage Groups
page. However, portions of their records can be edited on the
Manage Users
Note these characteristics:
  • The user is already assigned (the copy of) the LDAP group it was imported from (see
  • No fields that are imported from LDAP or RADIUS can be edited.
  • You can edit certain assigned fields, including:
    • Keyboard Layout
    • RDP Username
    • Mainframe Display Name
    • Account Status
    • Terminate Session Upon Deactivation
    • Email on Login
    • Email Self on Login
    • Available Roles
    • The Access Time fields
    • Available Groups (the associated LDAP group cannot be removed).
Edit User Records from a Policy
An administrator can edit a user record directly from the Manage Policies page.
  1. Open the
    Manage Policies
  2. Select
  3. Populate the User (or Group) field with a record name.
  4. Select
    Manage User
    to open the User record.
  5. Open the User record.
  6. When finished, select
    Manage Policy
    to return to the Manage Policies page.