Configure Users

Each person accessing resources through 
PAM
 must have a user account.
capam32
Each person accessing resources through 
PAM
 must have a user account.
user 
represents a login account with a specific set of privileges to perform actions on the appliance. Every login account constitutes a user. Users are displayed, defined, and managed through the 
Users
 menu in the UI.
When referring to users managed by the appliance, the user is a managed object or account. This user is distinct from the actual person ("user") who uses the managed account.
 
 
2
 
 
Privileges and Roles
Each user must be represented by at least one 
role
 attribute. A role is a set of access privileges. Each privilege allows the user to perform certain functions on the appliance.
A set of predefined roles is provided with the basic installation. These user types include:
  •  
    End Users
     
    An end user is a managed user who primarily accesses managed devices and views a password of a managed target account. This user has a predefined role of Standard User, which is assigned by default when the User template is used to create an account. All end-user activity is performed on the Access page (which is unlabeled). These Users have no access to the Admin menu.
    The privileges of a Standard User are 
    not
     a subset of all other predefined roles. There are administrator roles that do not allow access or password viewing.
  •  
    Administrators
     
    An 
    administrator
     is a user who can exercise privileges beyond Standard User privileges. As a result, an administrator sees a full or partial Admin menu, or has access to the Config menu.
  •  
    super 
    and
     config administrators
     
    Two administrator accounts, 
    config 
    and 
    super
    ,
     
    are predefined on the appliance. These two administrators have certain special privileges and characteristics to perform initial configuration and other operations:
    •  
      super
       has a predefined role of Global Administrator. This role appears in the Users list on the Manage Users page.
    •  
      config
       has access only to the Configuration menu, including the Change Password menu. The config user does not appear on the Users list on the Manage Users page.
      The privileges of the config account differ from the privileges that are assigned to the Configuration Administrator role. The config user gains access solely through the /config/ directory. The config user is also the only account with access to the Change Password menu.
    Though you can change the names of the super and config users, we recommend that you leave the names as is. If you do change the names, these two accounts always constitute the two baseline user accounts.
User Groups
 
User Groups 
let you apply user attributes to all members belonging to a group.
 
Privileged Access Manager
 user groups are distinct from Credential Manager user groups.
Configuring User Accounts
User accounts can be created in two ways:
  • Individually using the UI
  • Imported from a CSV file, which contains a set of user records. When users are imported from a CSV file, these users are automatically established as a group.
More Information
For more information, see the following articles: