Automating Privileged Tasks via PAM360

After the Bridge server has been installed and registered, users with a sufficient user role in PAM360 can create privileged processes for executing tasks on remote machines. These tasks can be initiated on demand or scheduled for automated execution as needed. Users with the necessary privileges manage privileged processes through the PAM360 web interface, which includes creating and executing processes, scheduling automated tasks, transferring ownership, and performing other administrative actions.

By the end of this document, you will gain a detailed understanding of the following key areas:

  1. Creating a Privileged Process via PTA
  2. Managing Privileged Process
  3. Privileged Task Automation Using Schedules
  4. Bridge Servers and Bridge Management
  5. Privileged Process Audits and Logs
  6. Troubleshooting Tips

1. Creating a Privileged Process via PTA

1.1 Creating a Privileged Process

Privileged processes created in PTA are structured workflows consisting of user-defined privileged tasks. When executed, these workflows ensure that privileged tasks are completed in a sequential and secure manner. Follow these steps to create a privileged process:

  1. Navigate to Admin >> Workflow Orchestration >> Privileged Task Automation >> Privileged Process.
  2. In the Processes tab, click Add at the top menu.
  3. In the dialog box that opens, enter a Process Name and Description, then click Next to open the workflow automation interface.
  4. In the Circuit Builder UI, use the left panel to select privileged tasks (states). Drag and drop the tasks into the workflow chart to define the process flow.
  5. Configure the necessary settings for each privileged task using the right-side panel, then click Save. Here, you can associate the relevant resource on which the privileged task will be executed, enabling passwordless login directly from the PAM360 interface to seamlessly execute the privileged process.

1.2 Scripts for Privileged Process

PAM360 enables users to create and integrate custom scripts into privileged processes for enhanced automation and control. To create a script, follow these steps:

  1. Navigate to Scripts and Bridges >> Scripts and click Add to initiate script creation.
  2. In the pop-up window, enter a Name and Description for the script.
  3. Choose the appropriate Script Type from the drop-down menu.
  4. Upload the custom script file by clicking the Upload icon, or manually enter the script in the Content section.
  5. Click Save to store the script and make it available for integration into privileged processes.

Refer to this document to know more about the PAM360-supported states and flow controls for automating a privileged task.

2. Managing Privileged Process

Privileged processes created within PAM360 can be effectively managed through the Processes tab. The Actions menu, located beside each privileged process, provides several management options:

  1. Preview Process: View the privileged process within the Circuit Builder by selecting this option. While it allows you to examine the process workflow, modifications to tasks or circuit states are not permitted.
  2. Edit Process: Modify an existing privileged process by selecting Edit Process from the Actions menu. This option enables you to update circuit states and incorporate new privileged tasks as needed.
  3. Edit Process Name: Rename a privileged process and update its description as required.
  4. Share Process: Grant access to other users within the organization for executing a privileged process. To do so, select Share Process from the Actions menu, then click Grant under Actions for the designated user.

    Note: To revoke access to a privileged process, select Revoke for the user. This action will also remove the logs of the process from the Audit section.

  5. Process Snapshot: View a comprehensive list of accounts and resources associated with the privileged process.
  6. Delete Process: Permanently remove a privileged process from PAM360. Note that once deleted, a process cannot be restored.

2.1 Transferring Ownership of a Privileged Process

In scenarios where a user leaves the organization or transitions roles, ownership of a privileged process can be reassigned to another user with equivalent privileges, thus ensuring seamless workflow continuity. Follow these steps to transfer the privileged process ownership:

  1. Select the privileged process you own and click Transfer Process Ownership from the top menu.
  2. In the dialog box that opens, select the new owner and click Transfer to confirm the ownership change.

In addition to the management options mentioned above, users with the Manage Privileged Process privilege assigned to their user role can enable or disable all configured privileged processes as needed. This can be done by toggling the Privileged Task Automation switch located at the bottom-left corner of the interface.

This functionality provides administrators with greater control over privileged task automation, allowing for temporary halts and effortless reactivation when necessary.

Caution: Disabling this option will pause all configured privileged processes and scheduled tasks, preventing further execution. Once re-enabled, all paused processes and scheduled tasks will automatically resume based on their predefined configurations, ensuring seamless continuity of operations.

With all these capabilities, PAM360 ensures the efficient and secure management of privileged processes within the organization.

3. Privileged Task Automation Using Schedules

PAM360 allows users to schedule privileged processes for automated execution at predefined intervals. Ensure that the privileged process is fully configured before scheduling. Follow the steps below to create a schedule for a privileged process:

  1. Navigate to Admin >> Workflow Orchestration >> Privileged Task Automation >> Privileged Process.
  2. Go to the Schedules tab and click Add.
  3. In the window that appears, select a process from the Process Name drop-down and, if necessary, click Add Inputs next to Process Inputs and specify the input data.
  4. Choose a scheduling option: Days or Monthly.
  5. Set the required duration and click Enable to activate the schedule.

To modify or delete a schedule, click Edit Schedule or Delete Schedule as required from the Actions menu.

4. Bridge Servers and Bridge Management

A Bridge Server is essential for establishing seamless communication between PAM360, Qntrl, and target endpoints, ensuring the smooth creation and execution of privileged tasks. All Bridge Servers deployed for Privileged Task Automation (PTA) are listed under Scripts and Bridges >> Bridges within the Privileged Task Automation section.

The primary Bridge server, which is installed during the initial PTA registration, will be displayed here by default. If certain endpoints are not directly connected to the PAM360 server, additional supplementary Bridges should be installed on servers with stable network connectivity to ensure uninterrupted automation. These additional Bridges will also be listed in the same section.

To install a new Bridge Server, navigate to the Bridges section, click Download Bridge, and install it on a suitable server within the required domain or network that does not have a direct connection to PAM360.

4.1 Managing Bridges in PAM360

PAM360 allows administrators to configure and manage Bridge Servers for high availability and process continuity within the organization. The following actions can be performed from the Bridges page:

  1. Update PAM360 URL: Modify the registered PAM360 URL in all the Bridge Servers by clicking Update PAM360 URL from the top menu. In the dialog box that opens, enter the new URL.
  2. Download Bridge: Download and register a Bridge for PTA by selecting Download Bridge. You will be redirected to the Bridge Download page, where installers for Windows and Linux are available.
  3. Regenerate API Key: Generate a new API key for retrieving credentials of privileged resources or accounts by selecting Regenerate API Key from the Actions menu next to the Bridge hostname.
  4. Upgrade Bridge: Update an existing Bridge to the latest supported version by selecting Upgrade Bridge from the Actions menu. PAM360 currently supports version 2.15.
  5. Set as Primary: Designate an active Bridge as the primary server for connecting PAM360 and Qntrl Circuits by selecting Set as Primary from the Actions menu.
  6. Allowed Hosts: PAM360 allows Bridge to retrieve passwords only from the host where it is installed. The Allowed Hosts option enables adding additional values, such as IP addresses, DNS names, or fully qualified domain names, to be used if the primary validation fails. To add allowed hosts, go to the Bridges page, select Allowed Hosts from the Actions menu next to the required bridge, enter the necessary hostnames, fully qualified domain names, or IP addresses as comma-separated values in the Hosts field, and click Update.
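
A pre-change review of the Hosts field value described under Allowed Hosts, as an added example that is not part of PAM360 or its documentation: it parses the comma-separated value, keeps single IP addresses, hostnames and FQDNs, and flags everything else. The function names, the sample value, and the decision to flag ranges, wildcards, loopback and unspecified addresses are assumptions of this example, not documented PAM360 behaviour.

```python
import ipaddress
import re
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of a Hosts field value (not taken from any real system).
SAMPLE = ("bridge01, bridge01.corp.example, 10.20.30.40, 10.20.30.0/24, "
          "*.corp.example, 0.0.0.0, BRIDGE01, 10.0.0.300,")

def classify(entry):
    """Return 'ip', 'fqdn', 'hostname' or 'invalid' for a single entry."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    name = entry[:-1] if entry.endswith(".") else entry
    labels = name.split(".")
    if not name or len(name) > 253 or not all(_LABEL.match(l) for l in labels):
        return "invalid"  # empty items, CIDR ranges, wildcards, stray characters
    if labels[-1].isdigit():
        return "invalid"  # malformed IP such as 10.0.0.300, not a DNS name
    return "fqdn" if len(labels) > 1 else "hostname"

def review_allowed_hosts(value):
    """Split a comma-separated Hosts value into (accepted, findings)."""
    accepted, findings, seen = [], [], set()
    for raw in value.split(","):
        entry = raw.strip()
        kind = classify(entry)
        if kind == "invalid":
            findings.append(("invalid", entry))
            continue
        key = entry.lower().rstrip(".")  # names compare case-insensitively
        if key in seen:
            findings.append(("duplicate", entry))
            continue
        seen.add(key)
        if kind == "ip":
            addr = ipaddress.ip_address(entry)
            # Assumption of this example: these never identify one Bridge host.
            if addr.is_unspecified or addr.is_loopback:
                findings.append(("non-specific-address", entry))
                continue
        accepted.append((kind, entry))
    return accepted, findings

if __name__ == "__main__":
    print(review_allowed_hosts(SAMPLE))
```

Because every accepted entry is an additional identity from which the Bridge may retrieve passwords, only the accepted list should be entered, and each finding resolved to a specific host first.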

Caution: If the Primary Bridge Server is down or disabled, communication between PAM360 and Qntrl Circuits may be disrupted, preventing privileged processes from running.

By effectively managing Bridge Servers, PAM360 ensures the uninterrupted execution of privileged tasks across various network environments.

5. Privileged Process Audits and Logs

PAM360 offers comprehensive auditing and tracking of all privileged processes executed across various resources and accounts, ensuring transparency, security, and compliance. This includes processes initiated directly from PAM360 as well as those triggered via Qntrl Circuits. With real-time logging and detailed execution insights, administrators can effectively monitor privileged activities and enforce security policies.

Viewing PTA Audits: Administrators and auditors can track privileged process activities through dedicated audit logs.

  1. Navigate to Audit >> Resources to monitor privileged process executions performed on specific resources and accounts.
  2. Access Audit >> Privileged Task Automation to review processes initiated via Qntrl Circuits and executed on target endpoints through the Bridge Server.

    Notes:

    • Password Auditors cannot view the audits of executed privileged processes. However, they can trace the changes that occurred to resources and accounts in PAM360 from the Resources tab under Audits.
    • Super Administrators can only view the owned and shared privileged processes.

Detailed Process Insights: For a more in-depth analysis of privileged process execution, users can perform the following actions from the Audit >> Privileged Task Automation tab:

  • View Graph: Displays a graphical representation of the process flow, detailing the execution sequence and dependencies between privileged tasks.
  • View Logs: Provides an in-depth log analysis, including the execution timeline, event details, payload data, and parameter values used during the privileged process execution.

By leveraging these audit and logging capabilities, organizations can ensure accountability, security, and compliance in managing privileged tasks across their IT infrastructure.

6. Troubleshooting Tips

The following troubleshooting steps can help resolve common issues encountered while using Privileged Task Automation (PTA) and Bridge Servers in PAM360.

1. How to fix the Bridge installer failure during the installation process in Windows?

If the Bridge installer fails in Windows, you can perform the installation manually by following these steps:

  1. Navigate to the C:\Users\<User Profile Name>\AppData\Local\Bridge\bin folder.
  2. Open the Command Prompt from this file path.
  3. Run the following command to install the Bridge manually: bridge.bat install
  4. After installation, start the Bridge using the command: bridge.bat start

2. What to do when the primary Bridge server is down?

If the primary Bridge Server becomes unavailable, users will be unable to access the Circuit Builder of Qntrl Circuits or create new privileged processes via PAM360. To restore functionality, follow these steps:

  1. If a secondary Bridge server is available, designate it as the new primary Bridge within PAM360.
  2. If no secondary Bridge has been configured, download and install a Bridge on a new server as detailed here.

Configuring a secondary Bridge ensures seamless failover and business continuity, preventing disruptions in privileged task automation.



