Managing Resource Groups
In PAM360, resources can be efficiently managed by organizing them into groups. These groups can be created by either defining specific criteria, such as for Dynamic Resource Groups, or by manually selecting individual resources, as in Static Resource Groups. For dynamic groups, any newly added resource that meets the specified criteria is automatically included.
Administrators can share the resource groups they create with other users or user groups. Changes to the group, such as adding or removing resources, directly affect password access shared through the group. Users with access to a shared resource group can only view the passwords of resources that are currently part of that group.
This document discusses the following topics:
- Adding a Dynamic Resource Group
- Adding a Static Resource Group
- Managing Resource Groups
  - 3.1 Viewing Resource Group
  - 3.2 Checking Password Consistency
  - 3.3 Deleting a Resource Group
  - 3.4 Generating Reports
1. Adding a Dynamic Resource Group
To add a dynamic resource group in PAM360, navigate to Groups >> Add Group >> Dynamic Group. In the window that opens,
- Enter a unique name in the Group Name field.
- Provide a clear description in the Description field for future reference.
- Choose an appropriate Password Policy for the group. The selected password policy will be applied for password allocation during periodic password reset of the accounts in the resource group.
- To make the new resource group a subgroup of an existing one, select the parent group from the Subgroup Of dropdown. The selected group will become the parent of the new group.
- If needed, tick the Allow password retrieval and other operations without the ticket ID checkbox. This allows access to or retrieval of passwords for accounts within this resource group without requiring a ticket ID. Ensure that the ticketing system configuration is enabled before selecting this option.
(For builds prior to 7200)
- Use the available filters to specify the criteria for the group.
- Upon specifying the required criteria, click Search to view the list of available resources that will become part of this group.
- Click Save to create the resource group with the defined criteria.
(For builds from 7200)
- Click Save & Proceed to define the criteria for the dynamic group.
- In the next window, create criteria using the available conditions/subsets and the AND | OR operators for dynamic resource management within the group. If you have existing criteria templates, you can apply them by selecting from the template field and clicking Apply.
- After specifying the criteria, click Search to view the resources that will be included in the group based on the defined conditions.
- Click Save to finalize the creation of the resource group with the specified criteria.
Whenever a resource is added to PAM360 or modified, and it meets the criteria of the dynamic group, it is automatically added to that resource group.
For builds from 7200, the following scenarios show how to create criteria that associate the required resources:
Scenario 1
A system administrator in an organization needs to create a resource group that includes only the Windows resources from the Marketing department and the Linux resources from the Development department. This will enable the administrator to efficiently manage and execute operations across these resources with a single click.
However, the challenge lies in the fact that both departments manage both Windows and Linux resources, and the resources are subject to frequent changes—being added or removed monthly due to departmental policies and restrictions.
To streamline this process and minimize the manual effort required each month, the dynamic resource group feature in PAM360 can be leveraged. By creating a dynamic group with specific criteria as shown below, the system administrator can automatically include the relevant resources, ensuring the group remains up-to-date with minimal intervention.
Scenario 2
An IT administrator in an organization needs to perform maintenance, apply security policies, or audit configurations on a specific set of Linux resources whose DNS names start with "pc01" and "dc23" and end with ".abccorp.com".
The challenge is to efficiently locate and group these resources, as they may serve different functions and need to be managed accordingly. However, the administrator finds that the Linux resources that need to be grouped are created with a resource name "CV-1" in mixed order. Instead of manually searching for and organizing the Linux resources that meet these criteria, the administrator can use the dynamic resource group feature to automate the process.
By creating a dynamic group with the criteria specified in the image below, the administrator can automatically include the relevant Linux resources. This approach ensures that the resource group remains accurate and up-to-date, simplifying ongoing management tasks and reducing the need for periodic manual intervention.
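The nested AND/OR criteria from Scenario 1 and Scenario 2, modelled in Python as an added example (this is not PAM360 code or its criteria format). The field names, the sample inventory, and the reading of Scenario 2 as "Linux AND (DNS starts with pc01 OR dc23) AND DNS ends with .abccorp.com" are assumptions, and the "CV-1" resource name detail is not modelled. The mis-grouped variant shows how a wrongly nested expression over-includes resources, which matters because shared password access follows group membership.

```python
# Added illustration: a model of AND/OR criteria, not PAM360 code.
# Field names (os, department, dns) and the inventory are constructed.
OPS = {
    "equals": lambda a, b: a == b,
    "starts_with": lambda a, b: a.startswith(b),
    "ends_with": lambda a, b: a.endswith(b),
}

def cond(field, op, value):
    """Leaf condition on one resource attribute (exact, case-sensitive)."""
    return lambda r: OPS[op](r.get(field, ""), value)

def all_of(*subs):  # subset joined with AND
    return lambda r: all(s(r) for s in subs)

def any_of(*subs):  # subset joined with OR
    return lambda r: any(s(r) for s in subs)

def members(criteria, inventory):
    return sorted(r["name"] for r in inventory if criteria(r))

def over_included(intended, actual, inventory):
    """Resources the actual criteria admit but the intended ones do not."""
    return sorted(set(members(actual, inventory)) - set(members(intended, inventory)))

INVENTORY = [  # constructed sample resources
    {"name": "mkt-win-01", "os": "Windows", "department": "Marketing", "dns": "pc01-a.abccorp.com"},
    {"name": "mkt-lnx-01", "os": "Linux", "department": "Marketing", "dns": "pc01-b.abccorp.com"},
    {"name": "dev-win-01", "os": "Windows", "department": "Development", "dns": "dc23-a.abccorp.com"},
    {"name": "dev-lnx-01", "os": "Linux", "department": "Development", "dns": "dc23-b.abccorp.com"},
    {"name": "dev-lnx-02", "os": "Linux", "department": "Development", "dns": "dc23-c.example.net"},
]

is_win, is_lnx = cond("os", "equals", "Windows"), cond("os", "equals", "Linux")
is_mkt, is_dev = cond("department", "equals", "Marketing"), cond("department", "equals", "Development")

# Scenario 1: (Windows AND Marketing) OR (Linux AND Development)
SCENARIO_1 = any_of(all_of(is_win, is_mkt), all_of(is_lnx, is_dev))
# Mis-grouped variant: (Windows OR Linux) AND (Marketing OR Development)
SCENARIO_1_LOOSE = all_of(any_of(is_win, is_lnx), any_of(is_mkt, is_dev))
# Scenario 2 (assumed reading): Linux AND (DNS starts pc01 OR dc23) AND DNS ends .abccorp.com
SCENARIO_2 = all_of(
    is_lnx,
    any_of(cond("dns", "starts_with", "pc01"), cond("dns", "starts_with", "dc23")),
    cond("dns", "ends_with", ".abccorp.com"),
)

if __name__ == "__main__":
    print("Scenario 1:", members(SCENARIO_1, INVENTORY))
    print("Over-included by loose form:", over_included(SCENARIO_1, SCENARIO_1_LOOSE, INVENTORY))
    print("Scenario 2:", members(SCENARIO_2, INVENTORY))
```

Running the same comparison against an export of the real inventory before saving a criteria change shows which resources, and therefore which passwords, the change would newly expose to users the group is shared with.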
2. Adding a Static Resource Group
To add a static resource group in PAM360, navigate to Groups >> Add Group >> Static Group. In the window that opens,
- Enter a unique name in the Group Name field.
- Provide a clear description in the Description field for future reference.
- Choose an appropriate Password Policy for the static resource group.
- Choose an Access Policy for the static group.
- To make the new resource group a subgroup of an existing one, select the parent group from the Subgroup Of dropdown. The selected resource group will become the parent of the new static resource group.
- If needed, tick the Allow password retrieval and other operations without ticket ID checkbox. This allows access to or retrieval of passwords for accounts within this resource group without requiring a ticket ID. Ensure that the ticketing system configuration is enabled before selecting this option.
- Click Save & Proceed.
- In the dialog box that opens, add the desired resources to the created static resource group.
3. Managing Resource Groups
3.1 Viewing Resource Group
Navigate to the Resources tab. The resource groups will be displayed in a tree view on the left pane. Here, you will be able to view the resources and their passwords belonging to a particular resource group by clicking on the group's name.
Navigate to the Groups tab and click Show Tree View to view the resource groups in a hierarchical order.
3.2 Checking Password Consistency
To verify if all passwords within a resource group are synchronized with the target devices, click the Actions dropdown next to the desired group name. You will see two options:
- Find Out-of-Sync Passwords
- Periodic Integrity Check
3.2.1 Finding Out-of-Sync Passwords
Select this option to immediately check if the passwords stored in PAM360 match those on the target devices. This is a one-time operation. To initiate the check, click the Start Now button.
3.2.2 Periodic Integrity Check
In the Periodic Integrity Check window, you can set how often the check should be performed:
- Once: Perform the integrity check without scheduling further checks.
- Day(s)/Monthly: Specify the interval in days or months between scheduled integrity checks.
Select the date from which the schedule should start and the start time for each periodic check. To remove any previously saved schedules, choose Never.
Once your preferences are set, click Schedule to create the periodic integrity check schedule.
3.3 Deleting a Resource Group
To delete a resource group, go to the Groups tab, select the desired group, and click Delete Groups at the top of the list view.
3.4 Generating Reports
To generate reports such as Password Inventory, Policy Compliance, Password Expiry, or Password Out of Sync for a resource group:
- Navigate to the Groups tab and select the resource group from the list.
- Click the Generate Report button at the top of the list view.
- Choose the required report from the drop-down list to generate it.