Organizing Resource Groups with Nested Grouping


PAM360 provides a structured approach to managing resource groups through hierarchical organization, commonly referred to as nested grouping. This feature lets administrators categorize and structure resource groups so that they are easier to navigate and manage. In an enterprise environment with multiple departments, domains, or functional sections, resource groups can be structured logically to improve accessibility. Administrators can either arrange resource groups in a hierarchical node-based format, or create subgroups under existing resource groups to refine the categorization further.

Once the desired nested grouping type is enabled in general settings, the nested groups can be accessed as follows:

  1. Navigate to the Resources tab.
  2. On the left panel, the Password Explorer tree displays the resource groups in PAM360.
  3. Select any resource group to view its corresponding resources.
  4. From here, the nested grouping of resource groups can be performed.

At the end of this document, you will understand the following topics in detail:

  1. Guidelines for Nested Grouping
  2. Nested Groups
  3. Node-Based Nested Grouping
  4. Inheritance-Based Nested Grouping

1. Guidelines for Nested Grouping

Nested grouping for resource groups in PAM360 is primarily designed for navigational convenience and ease of management. However, when structured effectively, it offers significant benefits, including improved usability and streamlined resource group access management.

1.1 Nested Grouping Available in PAM360

Node-Based Nested Grouping: If your primary goal is to establish a hierarchical arrangement of resource groups in the Password Explorer tree for improved navigation, then node-based nested grouping is the ideal choice.

Inheritance-Based Nested Grouping: If your requirement extends beyond hierarchical structuring, including direct creation and inheritance-based sharing of resource groups and subgroups from the Password Explorer tree, then inheritance-based nested grouping is the optimal choice.

Note: Inheritance-based nested grouping is applicable from build 7410 and above only.


1.2 Enabling Nested Grouping for Resource Group Management

PAM360 empowers administrators to create, manage, and customize nested groupings for efficient resource organization. To utilize this feature, the desired nested grouping type must be enabled or verified within the General Settings. To do so, navigate to Admin >> Settings >> General Settings >> Password Retrieval and enable the required nested group setting as follows:

  1. Manage nested groups using hierarchical nodes: When enabled, a default root node is created within the Password Explorer tree. Administrators can create sub-nodes as required and manage resource groups within these nodes. This method ensures a well-structured, hierarchical organization for easier navigation and resource management.
    1. Display unshared resource groups to users: Once enabled, all resource groups managed by all administrators of PAM360 will be visible in the Password Explorer tree. However, individual administrators or users will only have access to resources they own or those explicitly shared with them.
    Notes:

      • For builds before 7410, the above settings are named Allow all admin users to manipulate the entire explorer tree and Show unshared resource groups to all admins.
      • The Manage resource groups using inheritance-based grouping and Automatically share sub-groups of corresponding resource groups settings are available only from build 7410 and above.
  2. Manage nested groups using inheritance-based grouping: Enables administrators to create, edit, or delete subgroups directly from the Password Explorer tree. It also facilitates resource sharing with specific users or user groups.
    1. Automatically share sub-groups of corresponding resource groups: When enabled, the shared resource group will automatically extend its sharing permissions to all associated sub-groups via inheritance. If disabled, only the selected resource group will be shared, excluding its sub-groups.
    Notes:

      1. Users with the required administrative privilege can create and manage their own hierarchical nested group structures.
      2. Nested groups created using node-based grouping are solely for navigational ease and do not inherit any PAM360 settings such as password sharing, scheduled password resets, action notifications, etc. from their parent groups.
      3. Nested groups created using inheritance-based grouping can inherit only the password sharing configurations from their parent resource groups, and only when Automatically share sub-groups of corresponding resource groups is enabled in general settings.

By enabling the appropriate nested grouping method, administrators can streamline resource group organization, improve accessibility, and enhance permission management within PAM360.

2. Nested Groups in the Password Explorer Tree

The Password Explorer tree in PAM360 organizes nested groups into two primary components:

2.1 Resource Groups Owned by You

This section displays all nodes, resource groups, and subgroups that you have created and currently manage. You can click on any resource group or subgroup within the tree to view its associated resources and stored passwords.

2.2 Resource Groups Shared with You

When another administrator shares resource groups with you, only the explicitly shared groups will be visible under their respective tree structure. For instance, if an administrator has created ten resource groups but has shared only three, you will see only those three groups in your resource tree.

However, if the Display unshared resource groups to users option is enabled under Manage resource groups using hierarchical nodes in general settings, all resource groups created by administrators in PAM360 will be listed. In this case:

  • Unshared resource groups will appear in the tree without any associated resources.
  • Shared resource groups will display their corresponding resources and stored passwords.

Notes:

  1. Super Administrators have access to view the entire tree structure of all administrators under the Password Explorer tree in the Resources tab.
  2. Low-privileged users cannot create nested groups but can view groups that have been explicitly shared with them.

This structured approach ensures clear visibility and efficient management of nested groups within PAM360.

3. Node-Based Nested Grouping

Node-based nested grouping allows you to organize resource groups into structured hierarchical nodes, making resource management more intuitive. If your primary goal is to establish a hierarchical arrangement of resource groups for improved navigation and management, then node-based nested grouping is the ideal choice. For node-based nested grouping, perform the following steps:

  1. Enable the Manage resource groups using hierarchical nodes setting in general settings as mentioned in the earlier section.
  2. Navigate to the Password Explorer tree in the Resources tab. Resource groups owned and managed within PAM360 will be listed under the Resource Groups section.
  3. Right-click over the Resource Groups section, click Add subnode and enter the desired name for the subnode. Similarly, you can also create subnodes for the newly created nodes as required.
  4. Utilize the drag-and-drop feature to move the existing resource groups into their respective nodes for nested grouping.
  5. When adding new resource groups in the future, simply select the desired subnode from the Subgroup Of dropdown menu to ensure that the new resource group is placed under the correct hierarchical node.

To rename a node, right-click the node name and click Edit node. To delete a subnode, right-click the node name and click Delete node.

4. Inheritance-Based Nested Grouping

Inheritance-based nested grouping provides a hierarchical method for organizing resource groups, where share permissions for the subgroups can be inherited from the main resource groups. If your requirement extends beyond hierarchical structuring, including direct subgroup creation and inheritance-based sharing of resource groups and subgroups, then inheritance-based nested grouping is the optimal choice. This method facilitates direct management within the Password Explorer Tree, allowing seamless sharing with users and user groups based on:

  • Regular Sharing: Share a specific resource group to individual users or user groups.
  • Inheritance-Based Sharing: Share a resource group and allow subgroups to inherit access permissions from their parent group.

For inheritance-based nested grouping, perform the following steps:

  1. Enable the Manage resource groups using inheritance-based grouping and Automatically share sub-groups of corresponding resource groups settings in general settings as mentioned in the earlier section.
  2. Navigate to the Password Explorer tree in the Resources tab. Resource groups owned and managed within PAM360 will be listed under the Resource Groups section.
  3. Right-click the Resource Groups section or any of the available resource groups, hover over Add Group, and create the required resource group. Similarly, you can create numerous resource groups or subgroups as required directly from the Password Explorer tree.
  4. To restructure or reposition resource groups, either as main groups or subgroups within existing groups, modify the Subgroup Of field of the resource group using the Edit Group option.
  5. Use the Share option and share the required resource groups or subgroups with users or user groups as needed. Use the toggle button on the share page to allow inheritance-based sharing, where permissions flow down from parent resource groups to subgroups.

    Note: A share conflict arises when a subgroup is shared with a user or user group at a higher permission level, and its parent resource group is later shared at a lower permission level with Inherited Group Share enabled. To resolve this conflict, choose one of the following: overwrite the subgroup’s permissions to match the parent resource group, or ignore the conflicted subgroup’s permissions, maintaining its existing access level.

  6. When creating new resource groups in the future, leave the Subgroup Of field empty to create it as a main group within the nested structure, or select an existing resource group from the Subgroup Of dropdown menu to add it as a subgroup. This ensures proper placement within the hierarchy, maintaining an organized and structured nested grouping.

To edit the resource group or subgroup, simply right-click over the group and click Edit Group. To delete a resource group or subgroup, right-click over the group name and click Delete Group.
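
The share-conflict note under step 5, modelled as an added example (not PAM360 code and not part of the product documentation). It assumes three permission levels named view, modify and full, and that a non-conflicting subgroup takes the parent's level when inheritance is on; `exceeds_parent` lists subgroups left with more access than their parent after the ignore option.

```python
# Added illustration, not PAM360 code. Level names and ordering are assumed.
LEVELS = {"view": 1, "modify": 2, "full": 3}

class Group:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.children = []
        self.shares = {}  # user -> level granted on this group
        if parent is not None:
            parent.children.append(self)

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

def share(group, user, level, inherit=False, on_conflict="ignore"):
    """Share group with user; with inherit=True, push the level to subgroups.
    Returns the subgroups where the user already held a higher level."""
    group.shares[user] = level
    conflicts = []
    if not inherit:
        return conflicts  # regular sharing: subgroups untouched
    for sub in group.descendants():
        held = sub.shares.get(user)
        if held is not None and LEVELS[held] > LEVELS[level]:
            conflicts.append(sub.name)
            if on_conflict == "ignore":
                continue  # keep the subgroup's existing, higher level
        sub.shares[user] = level  # inherit (assumed for non-conflicting subgroups)
    return conflicts

def exceeds_parent(root, user):
    """Review helper: subgroups where user holds more than on the parent group."""
    return [(g.name, g.shares[user], g.parent.shares[user])
            for g in root.descendants()
            if user in g.shares and user in g.parent.shares
            and LEVELS[g.shares[user]] > LEVELS[g.parent.shares[user]]]

def demo():
    # Constructed tree: Infra > Linux > DB; "alice" is a made-up user.
    infra = Group("Infra"); linux = Group("Linux", infra); db = Group("DB", linux)
    share(db, "alice", "full")
    kept = share(infra, "alice", "view", inherit=True, on_conflict="ignore")
    leftover = exceeds_parent(infra, "alice")
    share(infra, "alice", "view", inherit=True, on_conflict="overwrite")
    return kept, leftover, db.shares["alice"]

if __name__ == "__main__":
    print(demo())
```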






