Import LDAP User Groups for JIT Provisioning

Learn how to import LDAP user groups that contain the MSSQL users and groups that require Just in Time (JIT) provisioning.
Follow these steps:
  1. Connect to PAM using the PAM client.
  2. Navigate to Users, Manage User Groups, Import LDAP Groups. The LDAP Browser opens.
  3. Select File, Connect.
  4. In the Connect to LDAP Domain dialog that opens, select the LDAP domain that you configured to communicate with your LDAP domain server, and then select OK.
  5. Locate and expand the Users folder in the LDAP tree in the left pane.
  6. Select the checkbox beside each user group that you want to import.
  7. (Optional) Review the groups that are selected for import:
     1. Select PAM Groups, Manage selected groups to register with the PAM appliance. The list of Distinguished Names (DNs) for all selected groups is displayed.
     2. Select and edit any group DN, or remove it from the staging list.
  8. Select PAM Groups, Register selected groups with the PAM appliance. A window opens that lists the staged groups; from this window you can monitor progress and view any messages associated with the registration actions.
     Note: When you import a group, all users that are members of that group are imported into PAM automatically.
  9. Select Register Groups in the lower-left corner. PAM imports the groups in the order in which they are listed. The browser provides feedback and cancellation options throughout the process.
  10. When the import is complete and verified, close the LDAP Browser.
  11. In the PAM UI, navigate to Users, Manage User Groups, and confirm that the imported user groups appear.
  12. Navigate to Users, Manage Users, and confirm that the users in the imported user groups appear on the page.
  13. Update the definition of each imported user to define an RDP User Name that specifies the LDAP domain name and the user name from the user information, in the following format:
      LDAP_Domain\SAM_Account_Name
      For example: JITDOMAIN\joe
      Note: If you have imported a large number of users, we recommend that you use the External API to automate the RDP User Name update for those users.
  14. Assign appropriate PAM roles to each user and group based on your organizational requirements.