Nested Resource Groups

PAM360 provides an option to maintain resource groups in hierarchical structure, i.e. tree view. For example, assume that your organization contains some departments/sections in the following hierarchy. You can group the resources belonging to the respective sections and create sub-groups as required.

This document discusses the following topics:

  1. View Nested Resource Groups
  2. Components of Nested Resource Group
  3. Constructing Nested Resource Groups
  4. Guidelines on Nested Resource Group Construction for Admins and Password Admins

1. View Nested Resource Group

To view the hierarchical order of the resource groups as well as the resources that are part of the respective group,

  1. Navigate to the Resources tab.
  2. On the left hand side, the resource groups are displayed in tree view. Select the required resource group.
  3. All the resources belonging to that group will also be displayed.

Important Notes:

      1. Every administrator and password administrator can create their own tree with the resource groups they own and manage.
      2. When you create a nested resource group, by default, the name of the root node of the tree will have your login name. For example, if you are logging into PAM360 as "admin", the name of the root node will be Admin's Group. If you want to have a different name for the root node, you can edit it.
      3. Nested Resource Groups are purely for navigational convenience. They let you view the passwords belonging to the respective resource groups directly. A sub-group created under an already existing group will not inherit sharing or other configurations, such as scheduled password reset, password action notification and other events, from its parent.

2. Components of Nested Resource Group

Nested Group Tree, depicted on the left-hand side of the Resources tab under the title, Password Explorer, has the following components:

  1. All My Passwords
  2. Owned and Managed
  3. Favorites
  4. Recently Accessed
  5. Nested Resource Group Tree

2.1 All My Passwords

All the passwords that you own and the ones shared with you are displayed here, along with the resources you own and the resources that have been shared with you.

To view this,

  • Navigate to Resources >> Password Explorer >> All My Passwords.

Important Note: The resources and passwords that are individually shared and not through groups, which are also not part of any of the shared resource groups, will not be found under the tree. They will be listed only under All My Passwords.

2.2 Owned and Managed

All the passwords that are owned by you and the ones shared with you with 'Full Access' permission will be displayed. Passwords shared with you without 'Full Access' permission (that is, with view passwords or modify passwords permission) will not be displayed.

To view this,

  • Navigate to Resources >> Password Explorer >> Owned and Managed.

2.3 Favorites

PAM360 provides the option to retrieve your favorite passwords with ease, so you do not have to search for the resources to locate them. Next to the name of every account, you will find a greyed-out 'star' icon. When you click the star, it will be highlighted and the respective password will be marked as your favorite password. At any time, you may remove a password from the 'Favorites' list by unmarking the star icon.

To view this,

  • Navigate to Resources >> Password Explorer >> Favorites.

Important Note: Assume that you have marked as a favorite a password that an admin shared with you. Later, the admin revokes the share permission for that particular password. Now, when you click the 'My Favorite Passwords' link, you will see the resource still listed there. However, if you try to retrieve the password, you will not be permitted to view it, and the resource will then be removed from 'Favorites'. By default, you will land in the 'Favorites' section.

2.4 Recently Accessed

The passwords that were accessed by you most recently will be displayed under this section to facilitate easy access to a recently used password. The recently accessed passwords will be shown on top of other available passwords.

To view this,

  • Navigate to Resources >> Password Explorer >> Recently Accessed.

2.5 Nested Resource Group Tree

This tree consists of the following components:

  1. Resource group tree created by you. In this tree, all the resource groups and sub-groups owned by you will be depicted. As mentioned above, by default, the root node of your tree will be named after your login name (for example, Admin's Group). If you want, you can edit the name of the root node to make it more meaningful or to make it reflect your organizational structure. For example, if you are a Database Administrator, you can name the root node "Database Passwords". You can click on any desired group or sub-group to view the resources and passwords therein.
  2. Resource group trees shared with you by other admins. Only the groups that another admin has shared with you will appear in the tree under that admin's root node. For example, if an admin has created a tree with 10 groups but has shared only 3 groups with you, you will see only those 3 groups under that admin's tree.

Notes:

  • The resources and passwords that are individually shared and not through groups, which are also not part of any of the shared resource groups, will not be found under the tree. They will be listed under All My Passwords only.
  • Super administrators will see the entire tree of all other administrators and password administrators under their 'Password Explorer' in the 'Resources' tab.
  • Password users will not be able to create nested resource groups, but they can see the groups that have been shared with them in tree form.

3. Constructing Nested Resource Groups

3.1 Add Dynamic Group

  1. Navigate to the Groups tab.
  2. Click Add Group and select Dynamic Group.
  3. In the pop-up form that opens,
    1. Enter the Group Name.
    2. Provide a Description for the group. It will be helpful for future reference.
    3. Select a Password Policy for the group.
    4. Nested Groups: If you want to make the resource group being added as the sub-group of an already existing resource group, select the required group from the drop-down against the field Sub Group of. The group selected by you will become the parent group for the resource group being added.
    5. Specify the exact criteria, based on which you want to create the group. Here, you have many options to choose from:
    6. You can search for resources based on resource name, resource type, resource description and user accounts.
    7. Also, you can filter the search in a fine-grained manner using conditions such as contains, does not contain, equals, not equal, starts with and ends with.
    8. Once you specify the criteria, click Search if you want to view the list of resources that will become part of this group.
    9. Click Add to add your resource group.
  4. A dynamic group has been created successfully.

3.2 Add Static Group

  1. Navigate to the Groups tab.
  2. Click Add Group and select Static Group.
  3. In the pop-up form that appears,
    1. Enter the Group Name.
    2. Provide a Description for the group. It will be helpful for future reference.
    3. Select a Password Policy for the group. If you select 'Strong' (say), it would be applicable to all the members of this resource group.
    4. Nested Groups: If you want to make the new resource group a sub-group, i.e. add it under an already existing resource group, select the required group from the drop-down against the field Sub Group of. The group selected by you will become the parent group for the resource group being added.
    5. Click Save & Proceed.
    6. In the pop-up form that opens, locate desired resources and click Add to group against them.
    7. Click OK.
  4. A static group has been created successfully.

4. Guidelines on Nested Resource Group Construction for Admins and Password Admins

Though the nested resource groups are mainly intended for navigational convenience, by properly creating the tree, you can leverage a lot of benefits, mainly ease of use.

Assume that you are a Database Administrator responsible for managing the passwords of various databases. In this case, you can construct the resource group tree as explained below:

  • By default, the root node of your resource group tree will have your login name.
  • Rename it as Database Passwords.
  • Create a resource group for each database that you own - say, My SQL Passwords, MS SQL Passwords, Oracle Passwords, Sybase Passwords etc.
  • All these resource groups can be made sub-groups of the root node, Database Passwords.

Once you do this, you will see your resource group tree in the Resources tab of the PAM360 web interface.

4.1 Allowing administrators to manipulate the nested resource group explorer tree

PAM360 can allow admin users to manipulate the entire explorer tree structure as they wish. A PAM360 administrator can enable this option through a configuration setting in "General Settings". Once it is enabled, PAM360 creates an organization-wide, global explorer tree structure containing the names of resource groups under a root node. Any administrator in PAM360 will be able to create or edit the explorer tree structure of resource groups. The tree structure will be accessible to all admins, password admins and end users. Admins and password admins can add their resource groups anywhere in the global tree, and the whole structure will be visible to all the end users.

This feature allows depicting resource groups of your organization in the form of a global tree for easy access, identification and navigation. Users can view the resource groups in the same structure as that of the internal grouping structure in your organization. Externally the tree structure depiction will be the same for all the members of the organization (that means all the users will see the entire structure). But, the users will be allowed to view only the resources that are owned by them and the ones shared with them. The resource groups that are not related to them will be shown as empty sub-nodes (without any resources inside) in the explorer tree.
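
The two access rules stated on this page, that a sub-group does not inherit sharing from its parent and that the global explorer tree shows every group name while listing resources only for groups the user owns or has been shared, can be checked with a small model. This is an added example, not PAM360 code or its API; the Group class, the function names, the "Oracle Prod" sub-group and the sample users and resources are assumptions constructed for illustration.

```python
# Added illustration: a model of the rules described on this page,
# not PAM360 code or its API. All names and data below are constructed.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    owner: str
    resources: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)  # shares set on this group only
    children: list = field(default_factory=list)

def can_view(group, user):
    # Sharing is evaluated per group; nothing is inherited from the parent.
    return user == group.owner or user in group.shared_with

def global_tree_view(group, user):
    """What `user` sees with the global explorer tree enabled: every node
    name, but resources only for groups owned by or shared with them."""
    return {
        "name": group.name,
        "resources": list(group.resources) if can_view(group, user) else [],
        "children": [global_tree_view(c, user) for c in group.children],
    }

def inheritance_gaps(group, path=""):
    """Sub-groups missing a share that their parent has: the places where
    someone assuming inheritance would expect access that does not exist."""
    here = f"{path}/{group.name}"
    gaps = []
    for child in group.children:
        missing = group.shared_with - child.shared_with - {child.owner}
        if missing:
            gaps.append((f"{here}/{child.name}", sorted(missing)))
        gaps.extend(inheritance_gaps(child, here))
    return gaps

# Constructed sample tree, following the Database Passwords example above.
oracle_prod = Group("Oracle Prod", "dba", ["ora-prod-01"])
oracle = Group("Oracle Passwords", "dba", ["ora-dev-01"], {"alice"}, [oracle_prod])
mssql = Group("MS SQL Passwords", "dba", ["mssql-fin-02"])
root = Group("Database Passwords", "dba", [], set(), [oracle, mssql])

if __name__ == "__main__":
    print(global_tree_view(root, "alice"))
    print(inheritance_gaps(root))
```

In the sample data, alice sees all four node names but resources only under Oracle Passwords, and the gap report flags Oracle Prod as a sub-group that must be shared explicitly if she is meant to reach it.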

4.1.1 How to enable this option?

  1. Navigate to Admin >> Settings >> General Settings.
  2. Select the option Password Retrieval.
  3. Select the checkbox Allow all admin users to manipulate the entire explorer tree.
  4. Click Save.

4.1.2 How to manipulate the tree structure?

  1. Navigate to the Resources or Connections tab.
  2. You will see the resource groups of your organization as a tree structure under a root node.
  3. Just right-click the name of any node or sub-node to edit, modify or delete. You can manipulate the structure in any manner you want. The delete operation here just deletes the particular structure in the tree. It does not delete the resource.