Adding API User Accounts in PAM360
(This procedure is applicable from build 6700)

PAM360 allows you to add API users manually, depending on which of the available PAM360 APIs they need to access. The API user account types available in PAM360 are:

i. SSH CLI User - API user account for password management APIs in Application-to-Application or Application-to-Database password management.

ii. REST and Application User - API user account for generic PAM360 operations based on the provided user role and access.

While creating an API user account, you can bind it to a single endpoint using the hostname (typically a server or a desktop from which the API is used), so that user accounts are uniquely identified - for example, as user@hostname.

Roles Required to Add Users to PAM360

Any one of the following roles is required to add an API user manually in PAM360:

  • Privileged Administrator
  • Administrator
  • Any custom role with the 'Manage API Users' operation enabled

1. Creating an API User Account with SSH CLI Access

To create an API user account for accessing PAM360 password management APIs in Application-to-Application or Application-to-Database password management, follow these steps:

  1. Navigate to Users >> Users >> Add API User >> SSH CLI User.
  2. Username: Enter a unique name. This name identifies the API user.
  3. Hostname Validation: Enable this validation to verify the machines from which API calls are invoked. Enabling this feature restricts API invocation from machines that are not pre-defined in the Hostname field.
  4. Hostname: If you have enabled Hostname Validation, enter the hostname of the machine from which the user is allowed to perform the password management operations.
  5. Full Name: The name by which the API user is identified externally, such as in reports, audit trails, and other places where user activities are traced.
  6. Email: Enter the email address at which the user will be notified of updates.
  7. Role: Select an appropriate Role for the API user being added - Administrator/Password Administrator/Privileged Administrator/Password User/Custom Roles.
  8. Public Key for SSH CLI Access: Upload the public key generated on the machine from which the user accesses the SSH CLI APIs. This public key acts as the preliminary layer of user verification, in addition to hostname validation.
  9. Department | Location: Enter the department and the location to which the user belongs. These fields are not mandatory. However, populating them with correct values helps when searching for or grouping users.
  10. Click Save to create the user account with the above-provided details.
  11. Important Note:
    API user creation is specific to the host from where an application contacts PAM360 for passwords. To use Password Management APIs from more than one host, you need to create as many API users as the number of hosts. Conversely, if you wish to have many users on a single host, then again, you need to create as many API users as needed.

2. Creating an API User Account with REST and SDK Access

To create an API user account for accessing PAM360 REST APIs or the SDK via services or applications, follow these steps:

Note: A PAM360 user granted web access can later be given REST and SDK access as needed. However, users created via REST and Application User will have no web access to PAM360 permanently. Therefore, we always recommend creating a standard user with REST or SDK access, allowing for future modifications to include web access if necessary.

  1. Navigate to Users >> Users >> Add API User >> REST and Application User.
  2. First Name | Last Name: Enter the user's first name and last name.
  3. Username: Enter a unique name. This name identifies the API user.
  4. Email: Enter the email address at which the user will be notified of any modifications to the account, access, or role.
  5. Role: Select an appropriate role for the user from the drop-down; this determines the role and privileges this user will have in PAM360. Refer to this section to learn more about the user roles available in PAM360.
  6. Scope: By default, users created in PAM360 are assigned the scope of Passwords Owned and Shared. This means they can access passwords owned by them or shared with them by other PAM360 users.
  7. Department | Location: Enter the department and the location to which the user belongs. These fields are not mandatory. However, populating them with correct values helps when searching for or grouping users.
  8. REST API Access: Enable this option if the user account requires access to the PAM360 REST API.
  9. SDK Access: Enable this option if the user account requires access to the PAM360 API via the PAM360 SDK.
  10. Authentication Token: Generate an Authentication Token here if you are granting either of the above access types. This token serves as a user validation key for API calls received from other applications or services.
  11. Note: After creating a user account, the user must regenerate their authentication token before accessing PAM360 APIs. This can be done using the authentication token regeneration API or from the User Settings under the My Profile dropdown in the PAM360 user interface. Additionally, whenever the authentication token is regenerated by an administrator, the user is required to regenerate it again before making any API requests in PAM360.

  12. Access Validity: Select the date until which the Authentication Token will remain valid. Once this date has passed, the Authentication Token becomes invalid, and a new token must be generated to continue using the PAM360 REST APIs.

    Note: Starting from build 7200, access validity for authentication tokens must be specified in terms of days. For instance, if the administrator sets the validity period to 90 days, users are required to regenerate their authentication tokens periodically every 90 days to maintain access. Failure to do so will result in token expiration, after which only the administrator can regenerate the tokens on behalf of the user.

  13. Hostname Validation: Enable this validation to verify user machines from which API calls are invoked. Enabling this feature restricts API invocation from the machines that are not pre-defined in the Hostname field.
  14. Hostname: Enter the Hostname of the machine from which the user is allowed to perform REST and Application operations.
  15. Allow Resource Addition for Other Users: Enabling this option permits users to create resources via the API and assign them to other users.

Click Save to add the user account to the PAM360 repository.
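
The settings above (one account per user@hostname, Hostname Validation, and Access Validity in days) can be reviewed periodically across existing API users. The following is an added example, not ManageEngine code: the CSV inventory and its column names are hypothetical (not a PAM360 export format), the rows are constructed, and expiry is assumed to be the token generation date plus the validity period.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory; column names are hypothetical, not a PAM360 export format.
SAMPLE = """username,hostname,hostname_validation,token_generated,validity_days
svc-backup,app01.example.internal,yes,2024-01-10,90
svc-deploy,,no,2024-03-01,90
svc-report,bi01.example.internal,yes,2024-03-20,30
svc-backup,app01.example.internal,yes,2024-02-01,90
"""

def load(text):
    """Parse the inventory CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(rows, today, warn_days=14):
    """Return (identity, finding) pairs, in input order, for accounts needing attention."""
    findings, seen = [], set()
    for r in rows:
        ident = f"{r['username']}@{r['hostname'] or '*'}"
        # API users are identified as user@hostname, so each pair should occur once.
        if ident in seen:
            findings.append((ident, "duplicate user@hostname"))
        seen.add(ident)
        # With Hostname Validation off, API calls are not tied to a pre-defined machine.
        if r["hostname_validation"] != "yes" or not r["hostname"]:
            findings.append((ident, "hostname validation off"))
        # Assumption: the token expires validity_days after it was generated.
        expires = date.fromisoformat(r["token_generated"]) + timedelta(days=int(r["validity_days"]))
        left = (expires - today).days
        if left < 0:
            # After expiry only the administrator can regenerate the token.
            findings.append((ident, "token expired, administrator must regenerate"))
        elif left <= warn_days:
            findings.append((ident, f"token expires in {left} days"))
    return findings

if __name__ == "__main__":
    for ident, finding in audit(load(SAMPLE), date(2024, 4, 15)):
        print(f"{ident}: {finding}")
```
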


