Identify Users that Can Log in to the Server

As an Administrator, follow these procedures to create or edit Users. Create and modify user records using a template or a CSV file. For LDAP or RADIUS groups, you can only modify existing user records.
As an Administrator, follow these procedures to create or edit Users. Create and modify user records using a template or a CSV file. For LDAP or RADIUS groups, you can only modify existing user records.
Review the following ways to managing users:
Add a User Account Using the Template
Create a user account using a template in the UI. The configurable characteristics for each user include:
  • Basic profile information
  • User authentication methods and the status of the user account
  • Roles that define user privileges
  • Time restrictions for user login
  • User group membership
  • API Keys
If you are updating an existing user account, a
 Manage Policy
 button is available. Select this button to navigate to the Policy page, but changes already made to the user record are lost. Populate the User(Group) field there with the current user name. 
Specify Basic Information
Provide user name and contact information in the 
Basic Info
Follow these steps:
  1. Log in to the UI.
  2. Select 
    Manage Users
  3. Select 
     to create a user.
    A user account template appears in the list window. 
  4. Complete the fields in the 
    Basic Info
     section. Required settings are indicated by a red asterisk. Note the following information about some of the fields:
    • User Name - Accepts alphanumeric characters, a dash, an underscore, and spaces. For AWS users, a user name can be from 2 through 32 characters long because of restrictions on federated users within AWS.
    • Password - The user password
    • RDP User Name - The RDP applet uses this name as credentials for access to a remote Windows device.
    • Mainframe Display Name - The AS/400 applets TN5250 and TN5250SSL use this name. 
Configure Administration Settings for the User Record
The Administration tab contains information indicating how a user authenticates and the status of that user account.
Follow these steps:
  1. Select an authentication method for the user from the menu in the Authentication field:
    • Local:
       Local user accounts are hosted in the 
    • RADIUS:
       User authenticates to a RADIUS server. The user enters credentials that are provisioned by the RADIUS server. This option is available only if a RADIUS server is configured (see 
       3rd party
      ). If a RADIUS User is provisioned through LDAP, that user authenticates against a RADIUS server.
    • RSA:
       Authentication with an RSA SecurID. Users log in with a name and passcode
      The passcode is a combination of the personal identification number and the current readout from the SecurID device. For example, if your PIN is 3425 and the current readout from your SecurID device is 866329, the passcode is: 3425866329
    • Smartcard/PKI
       - User authenticates with a Smartcard. 
       checks the user certificate against an OCSP server, or a Certificate Revocation List (CRL). The first time that a Smartcard user accesses the server, the Designated Name, and User account is registered. The User name appears in the 
      Approve CAC User
       tab. This user must be approved before device access can be assigned.
      To use Smartcard authentication, set the Smartcard parameters in the 
      Security, Access, PKI Options
  2. Configure the deactivation and termination settings for the user account.
  3. If you select the
     Terminate Session on Account Expiration
     check box, a user login and all current sessions are terminated at the expiration date/time or the account violation limit is exceeded. If a user account is deactivated while that user is logged in, the session is terminated.
  4. Specify email accounts to receive notices when the configured user logs in. The 
    Email on Login
     field triggers an email to a specific administrator. The 
    Email Self on Login
     field triggers an email to the address in the Basic Info section of the user record.
  5. If the user is accessing 
    Privileged Access Manager
     from the 
    Client, enter a range of IP addresses permitted to log in. Delimiters that are permitted include the space, comma, semicolon, newline. Example:,
    IP address formats permitted include:
    • Single IP:
    • CIDR:
    • Range:
    If this field is empty, no IP address restrictions are applied. The user definition overrides the User Group definition. If no user policy is defined but that User is a member of multiple groups with different rules, the group permissions are additive (less restrictive).
    If your
    server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
Assign Access Roles to the User
An access role is a collection of access-defined privileges. To perform access operations, each user must be assigned one or more roles.
Before you can assign roles to a user, the roles must be defined in the 
Manage Roles
 list. To define roles, see User Roles.
Follow these steps:
  1. On the 
    user screen, select the
  2. If necessary, expand the Roles list by selecting the plus sign to the left of the Roles table.
    "Standard User" is the default preassigned role. This role allows device access.
    The user can also inherit roles from Groups of which they are a member.
  3. Do the following steps for each role that you want to assign:
    1. Select the plus sign to the right, as highlighted in the following screen shot:
    2. Select the 
      Please specify a role
       field that appears, then select the caret symbol (highlighted in the following screen shot) to open a pull-down list of available roles.
    3. Select a role from the list to assign it. 
To provide a user with access to Credential Manager functions, add the 
Password Manager
 role (or any role with the Manage Credentials privilege).
Do not assign any user 
 the Password Manager role. That role does not contain sufficient privileges for access. Keep the Standard User role and then add the Password Manager role so the user has Credential Manager privileges.
Each user with Credential Manager access must also be assigned one or more predefined 
Credential Manager groups
 to determine the credential management functions they can access. For more information, see Add Credential Manager Roles and Groups.
Specify Login Time Periods
You can configure time-based access restrictions that determine when a user can log in to the server, select the 
Access Times
Follow these steps:
  1. From the UI, select 
    Users, Mange Users
  2. Add or modify an existing user entry.
  3. Select the 
    Access Times
  4. Select the plus sign then specify the days when to allow access. 
  5. In the 
     table columns, select the drop-down list to display a list of times. Access times are specified in UTC.
  6. Select 
     to save your entries.
Add Users to Groups Including Credential Manager Groups
Before a user can become a member of a user group, that group must be set up. Set up user groups by selecting 
Manage Users, Manage User Groups.
 After the group is configured, add users. 
Follow these steps:
  1. Open the User record.
  2. Select one of the appropriate Group tabs:
    • Groups
       for any role except those roles with credential manager privileges
    • Credential Manager Groups
       for any role with password manager privileges. If the user role does not have password manager privileges, the Credential Manager Groups window is unavailable.
  3. To add the user to one or more groups, select the check box for each group.
  4. Select the right arrow to move the groups to the Selected Groups list.
  5. Select 
User groups are not available for Active Directory or other directory users. Instead, users should be grouped in the directory and the attribute that is read by 
Privileged Access Manager
. Setting policies for directory users is done at the group level.
Permit Access to the ExternalAPI
The ExternalAPI is a REST API that provides programmatic control over most functions that are related to provisioning and managing access. The ExternalAPI uses HTTP basic authentication with API keys for user authentication. The keys are secured using HTTPS. Authorization is provided by associating API keys with the same roles that restrict what can be accessed using the standard web interface.
Follow these steps:
  1. Select 
    API Keys
  2. Assign a name for the key. The name is also available to this user. This option allows you to store keys continuously for this user, but activate or deactivate the keys as desired.
  3. To make a key the active key, select the 
     check box.
  4. Select one or more roles whose privileges determine functions this user and credentials can control. Only assign a role if your are using the key.
    If the user has inherited roles from a user group, clicking Inherited Roles identifies them.
Edit User Records in LDAP or RADIUS Groups
These user records are created through features in the 
Manage Groups
 page. However, portions of their records can be edited on the 
Manage Users
Note these characteristics:
  • The user is already assigned (the copy of) the LDAP group it was imported from (see 
  • No fields that are imported from LDAP or RADIUS can be edited.
  • You can edit certain assigned fields, including:
    • Keyboard Layout
    • RDP Username
    • Mainframe Display Name
    • Account Status
    • Terminate Session Upon Deactivation
    • Email on Login
    • Email Self on Login
    • Available Roles
    • The Access Time fields
    • Available Groups (the associated LDAP group cannot be removed).
Edit User Records from a Policy
An administrator can edit a user record directly from the Manage Policies page.
  1. Open the 
    Manage Policies
  2. Select 
  3. Populate the User (or Group) field with a record name.
  4. Select 
    Manage User
     to open the User record.
  5. Open the User record.
  6. When finished, select 
    Manage Policy 
    to return to the Manage Policies page.