Configure User Groups

To combine users with similar attributes, define a user group. User groups allow for more manageable changes. Each user can be a member of one or more user groups. User group settings override the same individual user setting.
To combine users with similar attributes, define a user group. User groups allow for more manageable changes. Each user can be a member of one or more user groups. User group settings override the same individual user setting.
The following sections describe user group types and how to configure groups:
User Group Types
  • Access User Groups
    Access User Groups are static collections of Users. Some User attributes, such as (Access) Roles and Access Time, can be assigned at the group level.
  • Credential Manager User Groups
    Credential Manager user groups are dynamically determined. User groups are based on a Credential Manager role and a Target or Request Group of the current set of users. Create these User Groups by navigating to
    Manage Passwords
    User Groups.
  • Local Groups
    Local groups are a collection of local users.
Do not confuse Access user groups with Credential Manager user groups. User groups and roles are specified in two distinct locations, one for general use and one specifically for Credential Managers
Use the UI Template to Create a Group
To create a user group consisting of local users, use the UI template. The instructions for each part of the template are explained.
Basic Info Configuration
Follow these steps:
  1. Log in as an appropriate administrator.
  2. Select
    Manage User Groups
    A User Group is necessarily restricted to a single Authentication scheme.
  3. Select 
    to create a local or SAML group.
    For RADIUS, TACACS+, and LDAP groups, see the relevant instructions.
  4. Complete the fields in the
    Basic Info
    tab. Note the following information:
    • Group Name:
      Double-byte characters are allowed.
    • Applet Recording Warning:
      Set this option to
      to display a notification that an applet (such as SSH or RDP) session is being recorded. (This option is ignored for TCP/UDP and RDP service sessions.) For example, when a user who is a member of the group opens an SSH applet console, the following warning appears in the title bar of the window and in the first line of console: "
      Warning you are being monitored
      The related
      Show Recording Warning
      setting on the
      Global Settings
      tab is ignored for applet sessions that are made by users who are a member of any group for which
      Applet Recording Warning
      is enabled. The global
      Show Recording Warning
      setting applies for all applet sessions that are made by users who are not members of any group and for
      TCP/UDP and RDP service sessions.
If a user group is imported from an LDAP directory, the Group Name has the following format:
  • From Active Directory: LDAPsourceGroupName + "@" +
    LDAP_domain. The LDAP_Domain
    is the base DN in the
    Bind Credentials
    field of the LDAP Domain configuration (
  • From other LDAP directory servers, such as OpenLDAP: LDAPsourceGroupName
Also, the
field has the format: "LDAP Group" + LDAPsourceGroupName + "from" + LDAPsourceDistinUIshedName
Administration Configuration
The Administration section is where you specify the user authentication method
Follow these steps
  1. Select the
  2. In the
    field, select an option from the drop-down list. The available options depend on which type of group is being created (Local, RADIUS, or imported LDAP).
    If you select SAML as an authentication method, the user authenticates by a SAML assertion. The SAML attribute depends on the user provisioning source:
    For Active Directory:
    • Distinguished Name
    • User Principal Name
    • SAM Account Name
    LDAP directory like OpenLDAP or other:
    • Distinguished Name
    • Unique Attribute
    If Authentication method is Local, RADIUS, or PKI:
    • User Name
  3. If the user is accessing the server from the PAM Client, enter a range of IP addresses that are permitted to log in. Delimit each address with either a space, comma, semicolon, or newline. Example:,
    IP address formats permitted include:
    • Single IP:
    • CIDR:
    • Range:
    If this field is empty, no IP address restrictions are applied. The user definition overrides the User Group definition. If no user policy is defined but that User is a member of multiple groups with different rules, the group permissions are additive (less restrictive).
    If your
    server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
Define Roles for a User Group
Multiple roles can be assigned per group. The standard user is the default role.
Follow these steps:
  1. From the
    Add Group
    screen, select
  2. Expand the
    list using the plus sign.
    The Standard User is the default preassigned role. This role allows device access.
  3. Select the plus sign to the right and a new line displays prompting you to specify a role.
  4. Select the
    Please specify a role
    field. Select the arrow for a pull-down list that becomes available.
    The list shows all currently defined roles and a set of predefined roles.
    • Specify a role using the
      Available Roles
      drop-down list.
    • If an access role has the Credential Manager permission, this role can provide access to the Credential Manager menu from the Policy, Manage Passwords selection. You must specify a Credential Manager user group to determine the scope of menu access. Use the expansion pane Credential Manager Groups.
    • If a role (for example Device/Group Manager or Policy Manager) requires you to specify the User Groups, Device Groups, or both, over which the role has control, corresponding entries appear below the role, as shown in the following screen capture:
      Select the plus (
      ) icon to the right of the entry to specify a required group. Select the
      [Please specify a group]
      entry that appears to open the
      User Groups
      Device Groups
      selection dialog (as appropriate), as shown in the following screen capture:
      Screen capture of the User Groups selector dialog
      All Users
      to include all user groups, start typing In the
      User Groups
      field, or select the magnifying glass icon to open a dialog with comprehensive search options.
      You can only select one user or device group at a time. To specify additional groups, use the
      option to the right of
      User Groups
      Device Groups
      entry, as required.
      After you have selected a group using any method, select
      to save it.
Credential Manager Role Inheritance
The ability to map Credential Manager User Groups to Access Manager User groups enables role inheritance rather than assigning a Credential Manager Role for each user.
Follow these steps:
  1. Go to
    Manage User Groups.
  2. Select
    Update User Groups.
  3. Select the
    Credential Manager Groups
Assign a Credential Manager group to an Access Manager group that has a role with the 'Manage Credentials' privilege. You are not limited to the set of preconfigured roles in PAM for either Credential Manager or Device Manager. You can customize the permissions for a role to ensure the lease privilege is maintained (a user can view credentials but not make changes to the account in firecall users)Three roles included with PAM that contain the Manage Password Privilege are Global Administrator, Operational Administrator, and Password Manager.
If you attempt to do a Save and select OK without adding a Credential Manager group, an error occurs with the following message:
"Roles with the Manage Credential privilege must have at least one Password Authority group to manage."
When upgrading to PAM 3.4 from an earlier version, no changes are mode to Access Manager users, usergroups, role, or Credential Manager groups or roles.
PAM users not explicitly assigned any assigned
Credential Manager Group
always become default members of the
Credential Manager Group
(CMGroup) named
Standard Users
. The
Standard Users CMGroup
has the
role with the
View Account Password
privilege. So, any member of
Standard Users
can view all target account passwords. This remains true even when the user might have inherited a CMGroup other than
Standard Users
, such as by means of a
Session Manager User Group (SMGroup)
The only way to prevent the user from viewing the target account password in this case is to explicitly assign the user the
Session Manager Role
with the
Manage Passwords
privilege; for example, assign the
Password Manager
role, and then add the user to a CMGroup (such as
Base Users
) that does not have
View Account Password
privilege. This removes the user from the
Standard Users
CM group. The user, therefore, no longer has the
View Account Password
Specify Time Periods for Group Login
To configure time-based access restrictions when users in a group can log in to the server, select the
Access Times
Follow these steps:
  1. Add an entry to the
    access times table.
  2. Specify the days and times for the access entry. the
    table cells to display a drop-down list of times.
  3. Select
    to save your entries.
Add Users to Groups
After the group is configured, add users.
Follow these steps:
  1. Select the check box next to any user you want to add to the group.
  2. Select the right arrow to move the groups to the Selected Users list.
    For Imported LDAP groups, users cannot be added or removed. Modify user records in the source LDAP directory.
  3. Select
User groups are not available for Active Directory or other directory users. Instead, users should be grouped in the directory and the attribute that is read by
Privileged Access Manager
. Setting policies for directory users is done at the group level.
Elevate User Privileges Temporarily
To elevate the privileges of a user temporarily, add them to a user group that has the additional privileges for as long as necessary. When the user no longer needs the elevated, simply remove them from that user group.
Create a RADIUS or TACACS+ Group
You can create a user group that is imported from a RADIUS or TACACS+ server.  For the RADIUS or TACACS+ buttons to become active, first configure the RADIUS or TACACS+ server for access to
Privileged Access Manager
. See RADIUS or TACACS+ for instructions on configuring RADIUS connectivity.
Follow these steps:
  1. Open a template by clicking the relevant button:
    • Create RADIUS Group
    • Create TACACS+ Group
  2. Complete each section of the template. The instructions are similar to creating a local user group.
    To locate users in a RADIUS or TACACS+ group, each
    group name you specify must match a corresponding group name or ID on the RADIUS or TACACS+ server.
    Privileged Access Manager
    uses the configured grouping to manage users.
    The GroupID must match a corresponding group on the RADIUS or TACACS+ server. All the privileges that users maintain are derived from their group. Only users with a local account or whose group matches the group name in the UI is granted access. Contact the RADIUS or TACACS+ server administrator for the group name.
    If a RADIUS group is provisioned but the user does not exist, a shadow RADIUS user is created. The shadow user is not visible in the user management screen or the user list.
Import an LDAP Group
For information about importing an LDAP Group, see Import LDAP User Groups.
Edit from the Manage Policies Page
An administrator can edit a user group record by invoking it directly from the Manage Policies page.
  1. Open the Policy,
    Manage Policies
  2. Populate the
    User (Group)
    field with a record name.
  3. Double-click the name to display its editing template in a shadow box window.
  4. When finished, select 
    (or Cancel) to return to the
    Manage Policies
SAML SSO with Juniper SA Using RADIUS Authentication
See Network Configuration, SSO, Juniper Networks, Configure
Privileged Access Manager
for SAML SSO with Juniper SA using RADIUS Authentication.
For information about importing an LDAP Group, see Import LDAP User Groups.