PAM360 MSP Edition - Getting Started
ManageEngine PAM360 is also available in MSP edition, which has been specially designed taking into consideration the requirements of the Managed Service Providers. If you are an MSP wishing to manage the administrative passwords of your clients separately from a single management console or offer password management services to them, you can leverage the MSP edition. Passwords can be securely shared between MSP administrators and their respective customers, making sure that users only get access to the passwords they own or ones that are shared with them. The solution offers the flexibility to entrust the control of the password vault to the MSP administrator, the end user or both, as desired.
The MSP edition also follows the basic password entitlement model of PAM360 which means, at any time, one will be able to view only the passwords that are owned and shared. As MSP admin, while you will be able to view the names of the organizations you manage, you will be able to view the data pertaining to all your customers only if you add their resources or if they share the resources with you. Your customers will be able to view the data belonging to their organization only.
Note: As of now, PAM360 is equipped to support up to 900 client organizations.
This document walks you through the following topics:
1. Prerequisites
2. Installation Steps
Click here for detailed steps.
3. Silent Install
A silent install is used to install an application without the need to interact with the UI. This type of installation is helpful for applications with limited installation steps. Before commencing the silent install, certain parameters such as Name, EmailId, Path, etc., are automatically set or manually entered. Execute the commands as instructed below to install the application automatically.
3.1 Steps to Silent Install PAM360 in Windows Server
3.1.1 Primary Server
PAM360 will get installed, and the service will start automatically.
3.1.2 Secondary Server
PAM360 will get installed, and the service will start automatically.
3.1.3 Steps to Uninstall PAM360 in Windows Server
Upon execution, PAM360 will be uninstalled.
3.2 Steps to Silent Install PAM360 in Linux Server
3.2.1 Primary Server
Upon execution, PAM360 will be installed.
3.2.2 Secondary Server
Upon execution, PAM360 will be installed.
4. Adding Users (MSP org)
The MSP administration process starts with User Management. The first step is to add users to your MSP organization. You should designate one administrator as Account Manager for each of your clients. Proceed with adding users.
5. Adding Organizations
5.1 Adding Client Organizations
After adding users, you need to add your client organizations. Navigate to the Admin >> Organizations section and you will find an icon named Organizations. The organizations to be managed by the MSP should be registered with PAM360 here. You can manually add the client organizations one by one or import all the organizations in bulk from a file.
5.2 Adding Organizations Manually
(For example, if you assign xyz as the display name, the login URL for the organization will be https://:/xyz).
5.3 Importing Organizations from a File
You can import multiple organizations from a file using the import wizard. Click here to view sample files and learn more about file formats supported for importing. Ensure that the entry for each organization is in a new line.
Note: Earlier, it was possible to import a .txt file containing comma-separated data, and in step 2, the data would be listed as expected. However, from build 6400 onwards, if the entries are comma-separated, the file format must be .csv. Files with tab-separated values should be saved as .txt or .tsv for importing.
To import organizations,
The result of every line imported will be logged as an audit record.
5.4 Replicating Settings Across Client Orgs
PAM360 allows MSP admins to replicate resource/user group structure and the settings across all managed client organizations. To set this up, follow the steps:
Listed below are a few replication settings that can be applied to all the client organizations from the MSP organization.
6. Granting Privilege to Manage Organization Access
In addition to designating an administrator as Account Manager, you can grant access privileges to the client organization to any other member of your MSP organization. An administrator with this permission will be granted admin privileges within the client organization. Similarly, if permission is granted to a password administrator or a password user, they will have their respective privileges.
PAM360 requires approval before managing a client organization to ensure greater security. An administrator at the MSP can initiate organization access for a client organization, but the request needs to be approved by some other administrator at the MSP. The request cannot be approved by the one who initiates it or by the one for whom it is being initiated. This is to ensure that no administrator can acquire manage permission for themselves or grant that privilege to anyone else without the approval of another administrator. This essentially means that the MSP organization should have a minimum of three administrators to carry out this process.
For example, assume the scenario when Admin A wants to provide access to Admin B for organization ABC. In this case, both Admin A (the proposer) and Admin B (the admin designate) cannot approve the access permission. Another admin, say Admin C, will have to approve the client organization request.
To manage client organizations at user/user group level, do the steps that follow:
The administrator approves the request by navigating to Admin >> Access Review and selecting User Organization Requests or User Group Organization Requests. Note: The administrator can also perform the approval directly from the notification list at the top pane of the user interface.
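The approval rule from this section, sketched as an added example (it is not PAM360 code and does not use a PAM360 API). The record fields, admin names and sample history are constructed; the logic mirrors the Admin A / Admin B / Admin C scenario and shows why two administrators are not enough.

```python
from __future__ import annotations
from dataclasses import dataclass


class ApprovalError(Exception):
    """Raised when an approval would break the separation-of-duties rule."""


@dataclass
class AccessRequest:
    # Hypothetical record; field names are illustrative, not PAM360's schema.
    org: str
    proposer: str            # admin who initiates the request
    designate: str           # user who would gain access to the client org
    status: str = "PENDING"
    approved_by: str | None = None


def eligible_approvers(admins: set[str], req: AccessRequest) -> set[str]:
    """Admins allowed to approve: everyone except proposer and designate."""
    return set(admins) - {req.proposer, req.designate}


def approve(admins: set[str], req: AccessRequest, approver: str) -> AccessRequest:
    """Approve a pending request, enforcing the rule at decision time."""
    if req.status != "PENDING":
        raise ApprovalError(f"request is already {req.status}")
    if approver not in admins:
        raise ApprovalError(f"{approver} is not an MSP administrator")
    if approver not in eligible_approvers(admins, req):
        raise ApprovalError(f"{approver} is the proposer or the designate")
    req.status, req.approved_by = "APPROVED", approver
    return req


def audit(admins: set[str], history: list[AccessRequest]) -> list[AccessRequest]:
    """Flag approved records whose approver was not eligible to approve."""
    return [r for r in history
            if r.status == "APPROVED"
            and r.approved_by not in eligible_approvers(admins, r)]


# Constructed sample data matching the Admin A / B / C scenario in the text.
ADMINS = {"adminA", "adminB", "adminC"}
HISTORY = [
    AccessRequest("ABC", "adminA", "adminB", "APPROVED", "adminC"),  # valid
    AccessRequest("ABC", "adminA", "adminB", "APPROVED", "adminA"),  # proposer approved
    AccessRequest("XYZ", "adminB", "adminC", "APPROVED", "adminC"),  # designate approved
]

if __name__ == "__main__":
    for bad in audit(ADMINS, HISTORY):
        print("violation:", bad)
```

The same `audit` check can be applied to any exported approval history once its columns are mapped onto the three roles.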
You can also generate a report for a client organization to know more about the users and user groups managed in it. To do this, navigate to Admin >> Organizations >> Organizations and click the report icon beside the desired client organization. In the window that opens, you will get the list of users and user groups managed at different levels.
7. MSPOrg (The default org)
By default, one organization named MSPOrg will be available. This default org is basically your organization (MSP's organization). The passwords that you add here will pertain to your own organization and not that of your clients.
7.1 Frequently Asked Questions
7.1.1 How to Manage Password for Client Organizations?
Once the organization is added, you will see the list of organizations being managed by you (i.e. for which you have access permission or for which you are the account manager) on the top band of the PAM360 GUI. Select the required organization and proceed with resource addition. You can then share the passwords with your clients. On the other hand, if you are providing Password Management Service, you will ask your client to add passwords themselves.
7.1.2 How to access any specific client org?
You can access your MSP org as usual by accessing the URL https://<PAM360-Host-Name>:8282/. You can select the required client organization from the top band of the PAM360 GUI.
7.1.3 How do your clients access PAM360?
After creating an organization, your clients can connect to their organization and view/manage passwords by typing the URL as explained below:
https://<Host Name>:<port>/<Name of the org>
For instance, assume that the name of the organization of your client is abc and PAM360 is running on the host pam360host, then the URL to connect to an organization will be: https://pam360host:8282/abc. For information on how to perform various password management features, refer to the respective sections of the help documentation.
7.1.4 How to delete a client organization?
You are eligible to delete a client organization in PAM360 only if you are an MSPOrg administrator. Additionally, you should also have any of the following privileges:
To delete an organization,