Managing PAM360 User Accounts

This document provides a comprehensive guidance on managing the user accounts within your PAM360 environment.

Roles Required to Perform this Operation

• Privileged Administrator
• Administrator
• Any custom role with 'Edit', 'Change User Roles', and 'Delete' enabled operations accordingly

You will learn the following with respect to managing users in this document:

1. Editing the PAM360 User Account
2. Modifying REST API and SDK Access
3. Modifying Mobile Application and Browser Extension Access
4. Deleting the PAM360 User Account
   

   4.1 Restoring Users from Trash

   4.2 Deleting an Administrator User Account

   4.3 Handling User Accounts Deleted from Active Directory/Microsoft Entra ID/LDAP Directories

5. Managing Notification Email Addresses in PAM360

1. Editing the PAM360 User Account

User with the provided privilege can modify various details for existing users such as their role, email address, access level, password policy, department, and Two Factor Authentication (2FA), etc. To do so,

1. Navigate to the Users tab.
2. Click on the User Actions icon next to the desired user and select Edit User from the drop-down menu.
3. In the window that appears, edit the desired fields as required and click Save to imply the changes.

To know more about each user field, refer to the add user help documentation for details. Add Users Manually - Builds Preceding 6700 | Builds Following 6700

2. Modifying REST API and SDK Access

You can also modify the REST API and SDK user access from the Users tab, instead editing into a user account.

1. From the Users tab, select the REST and Application Access option under User Actions beside the relevant user. In the dialogue-box that opens, enable/disable the relevant access, regenerate the Authentication Token, update the Access Validity, etc, as required.
2. To enable or disable the REST API access in bulk, navigate to More Actions >> Configure >> REST API Access. Select the required usernames and click on Disable at the top of the user list. Similarly, you can also Enable REST API access from here.
3. To enable or disable the SDK access in bulk, navigate to More Actions >> Configure >> SDK Access. Select the required usernames and click on Disable at the top of the user list. Similarly, you can also Enable SDK access from here.
4. You can also invalidate an Authentication Token of a user by selecting Invalidate Authentication Token under the User Actions beside the relevant user.

3. Modifying Mobile Application and Browser Extension Access

To modify the mobile application access for the users,

1. Navigate to the Users >> More Actions >> Mobile Application Access.
2. In the dialog box that opens, use the toggle button beside the respective user to modify the access permissions.
3. To enable or disable the mobile application access in bulk, select the required usernames and click the Disable or Enable button at the top pane accordingly.

To modify the browser extension access for the users,

1. Navigate to Users >> More Actions >> Browser Extension Access.
2. In the dialog box that opens, use the toggle button beside the respective user to modify the access permissions.
3. To enable or disable the browser extension access in bulk, select the required usernames and click on the Disable or Enable button at the top pane accordingly.

4. Deleting the PAM360 User Account

Users with the provided operation can delete users from PAM360 who are no longer necessary for the organization. To remove a user from PAM360,

1. Navigate to the Users tab.
2. To delete an individual user, click the User Actions icon against the desired user and select Delete User from the drop-down list. To delete the users in bulk, select the users and click the Delete Users button from the top pane.
3. In the pop-up window that opens, you will have two options:
1. Delete: Select this option to delete the user permanently from the PAM360.
2. Move To Trash: Use this option to transfer users to Trash without permanent deletion. Users in the Trash can be restored until PAM360 encryption keys are rotated. After key rotation, users in Trash and associated credentials will be permanently removed from the PAM360 repository.

Note: Users imported from AD, Microsoft Entra ID, and LDAP directories cannot be moved to Trash.

Notes: The below notes apply for both permanent deletion and deletion from trash.

• PAM360 will allow users to be deleted only if the user/users do not own any resource. If the user owns any resource, then you need to transfer the ownership of all the resources to some other user with an administrator-type role.
• The currently logged in user will not be allowed to delete themselves.

4.1 Restoring Users from Trash

To restore a user account that has been moved to Trash, go to the Users tab and click on the Trash icon located at the top right corner. A list of users in the Trash will appear in a pop-up box, allowing you to select and restore the desired users.

Since PAM360 requires that the resources owned by a user be transferred to another user before deletion, there will be no loss of enterprise data. However, all personal data stored by the user will be permanently deleted. The audit trails will comprehensively record all such changes and deletions. The audit trails documenting the user's activities will remain intact in the database even after the user is deleted. Audit trails relevant to the deleted users will not be erased.

4.2 Deleting an Administrator User Account

Before proceeding to delete an administrator user account, check for any resources owned by the user. If exist, the resources should be transferred to another user with an administrator-type role by the resource owner by following the below steps,

1. Navigate to the Users tab.
2. Select all the resources and click Transfer Ownership by navigating to Resource Actions >> Manage.
3. In the pop-up that opens, select the user with the administrator-type role for whom the resources to be transferred and click Save.

Note: The logged in administrator cannot delete their own user account from PAM360.

Upon successful ownership transfer, the administrator user account can be deleted from the PAM360 by another administrator.

4.3 Handling User Accounts Deleted from Active Directory/Microsoft Entra ID/LDAP Directories

Whenever a user account is deleted directly at the user directory from which it was imported to PAM360 i.e. from Active Directory, Microsoft Entra ID or LDAP directory, PAM360 identifies those deleted user accounts at the time of next synchronization schedule. The identified user accounts are then subsequently disabled in PAM360 and held as locked accounts.

After disabling the user accounts, PAM360 informs the administrators or users with user management privileges via email as well as an alert notification within the product. Clicking the alert notification will open a dialog box as shown below:

The administrator can review the locked accounts and then choose to delete those user accounts permanently from PAM360 by clicking the Delete button. Further, the administrator can also review the locked accounts directly using the user filter provided in the Users page and can delete the disabled accounts individually or in bulk.

On the other hand, to activate the accounts,

1. Navigate to Users >> More Actions >> Lock Users.
2. In the dialog box that opens, use the toggle button beside the respective user to unlock the user accounts.
   
3. To unlock the user accounts in bulk, select the required usernames and click on the Unlock button at the top pane to restore the disabled user accounts.

5. Managing Notification Email Addresses in PAM360

PAM360 allows you to configure generic email addresses as recipients of notification emails for scheduled tasks' completion statuses and license expiry alerts. You can keep track of all such external email addresses being used in PAM360 and also delete them if needed. Additionally, the email addresses of users captured in the User Sessions audit can also be managed using this provision, in the event of those users being removed from PAM360.

To view the list of notification email addresses,

1. Navigate to Admin >> Manage >> Notification Email IDs.
2. In the dialog box that opens, you will find the email addresses listed under four different sections - Schedules, License Expiry Notifications, SSH/SSL Notifications, and User Sessions Audit, if there are any.
3. Review the listed email addresses under each section, select the one that you want to delete, and click Delete.