Device Group Setup
Create Device Groups to group devices that share common access methods and functionality.
Create Device Groups to group devices that share common access methods and functionality. Though any devices can be member of a device group, group functionally similar devices. Before you can add a device to a group, you must first configure a device with Password Management as its device type.
When using device groups, the actiontakes precedence, unless otherwise specified. The service is available at the group level only if it is available at the device level. The most restrictive policy is used when a conflict arises.
The following topics apply to device groups:
Credential Sources for Device Groups
credential sourceis a particular target device or set of devices that stores user credentials. An Active Directory Server is an example of a credential source. If you specify a credential source for a device group,
PAMcan find the credentials that are applicable to devices in that device group.
PAMuses these credentials to enable a user to log in to any device in the group.
Using Multiple Credential Sources
You can assign more than one credential source for a particular device group. If you configure multiple credential sources,
PAMgathers all available credentials from all sources. The appliance then creates a combined list of target accounts for a specific set of users or many users and applications.
A device group does not have to include the credential source device. If you exclude the credential source from the group, you can avoid creating a policy that provides direct access to the credential source. Instead, the group contains only the devices that rely on the credential source for authentication.
Credentials from any target account that is associated with any credential source can be used to access any device group member.
Using Credential Sources in a Policy
When you configure a policy for a device group, all accounts from the multiple credential sources are available for selection. When a user initiates a connection, these administrator-selected options are presented so that the user can select one. You can use all access methods and services that are configured for the devices in a device group with one or more credential sources.
Add or Modify a Device Group
- On theDevices,Manage Device Groupspage, selectAdd.TheAdd Device Groupwindow opens.
- Enter aNameandDescriptionfor the group. Double-byte characters are supported.
- Leave the defaultProvision Type(Local) for all device groups unless you are setting up the group for AWS or Server Control Utility Appliances.
- For AWS, select theAWSProvision Type.AWS groups are actually determined by settings on theConfiguration,3rd Party,AWSpage. AWS device groups act as a container for devices that are created as a result of importing AWS devices. Each device should have a tag Key of "PamGroups" and a Value of "[PAMGroup Name]". Following import, the group cannot be deleted unless the AWS configuration is cleared fromConfiguration,3rd Party,AWSor the group becomes empty. The group is updated according to the schedule in the AWS Configuration.
- For Server Control Utility Appliances, select theUtility Groupprovision type. For more information, see Add Utility Appliance Devices to Utility Groups.
- Optionally, select one or moreCredential Sourcesfrom the available device list.
- Optionally apply tags on theTagstab, if available.
- On theAccess MethodsandServices(to Access Type members) tabs, select Access Methods and Services to enable them for group members.
- On theEnabletab, you can:
- Provide Credentials for 'Always Prompt For Password': If a Windows device has this setting, you can automatically provide obfuscated credentials. See Enable a Password Push for RDP Password Enforcement for details.
- Handle 'Legal Notice' on Logon Screen:Select this option to handle the "Legal Notice" during login. This option only works whenProvide Credentials for 'Always Prompt for Password'is enabled.
- TheServer Controltab only appears for PAM SC devices. This tab has two sections:
When assigning a server control policy on the server control device, it takes some time for the server control device to get this deployment information. All the assigned (queued) polices appear in the assigned table. Once the server control receives this deployment information, the policies appear the Policies Deployed list.
- Policies Assigned: Contains the list of policies assigned on the device.
- Policies Deployed: Contains the list of policies deployed on the device.
- TheUNABtab only appears for UNAB devices. Use this tab to add a UNAB Configuration Token to a device group. See Add a UNAB Config Token to a Device Groupfor more information.
Create an AWS Device Group for Linux/UNIX Devices
In AWS, Linux and UNIX instances use AWS Key Pairs. If all instances in a planned Device Group use the same key pair, group policy can be provisioned to use that key pair for auto-connection.
- Create an AWS Type Device Group.
- Assign AWS instance imported Devices to it, all of which use the same key pair.
- Create a policy with that Device Group.
- From the SSH applet credential pop-up box, select the key pair that is held in common.
This key pair is used for auto-connection for any Device in the group.
Edit a Device Group from the Manage Policies Page
An administrator can edit a Device Group record by invoking it directly from the Manage Policies page.
Follow these steps:
- Open the Policy, Manage Policies page.
- Populate the Device (Group) field with a record name.
- Double-click the name to display its editing template in a shadow box window.
- When finished, select Save (or Cancel) to return to the Manage Policies page.
View the Utility Group Status
Statusbutton provides the specific status on the Utility Groups and the services running within that group. The
Statusbutton is available if you open a Device group whose Provision type is Utility Group, and you have permissions to view its status.
See View Utility Group Status for more information.