Iraje PAM ACM manual version 8

Introduction

Iraje PAM provides the Access Control Manager (ACM) as a module that holds all the key settings which allow the PAM admin to manage datacenter operations through PAM.

This module is used to perform the key functions of onboarding a user, onboarding a device, mapping a user to a device, granting role-based access, enabling second-factor authentication, performing password rotation, and many other tasks.

This functionality is accessible only to Group Admins or Super Admins, who use it to manage day-to-day operations in PAM.

Purpose

Managing and auditing access is essential to information security. Access can and should be granted on a need-to-know basis. With a few hundred admins, security is more easily maintained by limiting unnecessary access to sensitive information according to each user's established role within the organization.

When using Access Control Manager, users see only the groups they are mapped to and only the connections they have been given access to.

This manual will help users get familiar with the Iraje PAM application and how to use it effectively in their environment.

Target Audience

Admins Using Iraje PAM.

Getting started with Access Control Manager

To access ACM, the user needs to log in to PAM.

Click on ACM (Access Control Manager).

The main purposes of ACM are as follows:

  • User Configuration

  • Group Mapping

  • Connection Configuration

  • Access Control to connections

  • Admin options configuration

  • Logs

Main Menu

The main menu of Access Control Manager is divided into 4 sections, as shown below:

  • Directory Access

  • Configuration

  • Maintenance

  • Logs

Directory Access

Click the Directory Access button to select the group you want to enter. Groups are created based on connection type or on the department the connections fall under. These groups contain connections as well as the users mapped to those connections.

Configuration

There are 5 buttons in the Configuration section:

  • Connect

  • Disconnect

  • Refresh

  • Initial Access Control Manager

  • Configure ACM

Connect

When the credentials entered by the user are valid, the user receives an OTP via email, SMS or both. The user then needs to enter the PIN/OTP in the popup window. The OTP is sent to the mobile number or email ID registered for that particular user in Iraje PAM.

Disconnect

The Disconnect button is the logout button for the Iraje PAM database. Clicking it logs you out of the session.

Refresh

The Refresh button refreshes all the settings you applied during the session. Clicking it refreshes your connection.

Configure ACM

The Configure ACM module is used to configure connections. Various types of connections can be created, updated and deleted here. These tasks are performed only by Iraje PAM Admins, through the maker-checker process, which requires a minimum of two admins.

The buttons at the bottom of the Configure ACM console are used for connection configuration tasks such as creation, modification and deletion:

  • Load Tags

  • New Connection Manager

  • Search

  • New Connection

  • DB Link Manager

  • ACM Password Security Manager

  • Exit

Creating Domain-Child Connection

Steps to create a Domain-child connection:

Domain-child connections are connections where one connection acts as the domain (parent) connection for other child connections. The child connections under a particular domain inherit its nature: the configuration of the domain connection, including its credentials, is used by the child connections.

To create a new Domain-child connection, follow the same steps as above, then tick Domain Access and select the domain connection from the dropdown.

Creating Database Connection

Steps to create a Database Connection:
  • Click on Configure Access Control Manager

  • In Type, select ORACLE/SQL SERVER

  • In Connection, type username@servicename:hostname (for example vijay@sqlplus:dba)

  • Enter the password and reconfirm it

  • Give domain access, if needed, from Domain Access

  • Give a privilege (if another user already has the same privilege, use “Create As” to apply the same privileges to this connection)

  • Select Department and Location details

  • Click on Add

Creating Thick Client

Steps to add a Thick Client:
  • Click on Configure Access Control Manager

  • In Type, select TERMINAL-CMD

  • In Connection, type ipaddress@username:jobdesc (for example 192.100.5.98@sanjay:Tester)

  • Enter the password and reconfirm it

  • Give a privilege (if another user already has the same privilege, use “Create As” to apply the same privileges to this connection)

  • Select Department and Location details

  • Click on Add

Creation of URL Connection

Steps to add an HTTP/HTTPS (application) connection:
  • Click on Configure Access Control Manager

  • In Type, select URL(HTTP) or URL(HTTPS)

  • In Connection, type ipaddress@username:jobdesc (for example 192.100.5.98:80@ajay:EmailRecever; the port number is 80 for HTTP and 443 for HTTPS by default)

  • Enter the password and reconfirm it

  • Give a privilege (if another user already has the same privilege, use “Create As” to apply the same privileges to this connection)

  • Select Department and Location details

  • Enter the full URL of the site in the URL column

  • Click on Add

Creating UNIXSSH-KEY Connection

Steps to create a UNIXSSH-KEY Connection:

For an admin connection, tick the Admin check box. An admin connection is used as the IBK user for the auto-sync password functionality. For a domain connection, tick the Domain check box. The domain connection's credentials can then be used to create new child connections, which are accessed with the same domain credentials.

  • Click on the New Connection button below

  • Select the type, for example TERMINAL-UNIXSSHKEY (for key-based UNIX connections)

  • Enter the connection details in the Connection text box in the following format: “ipaddress@username:jobdescription” (for example 192.100.5.79@karan:tester)

    This format is mandatory: after Single Sign-On, this is the URL through which the authorized user accesses the target device.

  • Enter the passphrase in the Passphrase and Confirm Passphrase text boxes

  • Press the SSH-KEY button, enter the key in the text box and save

  • Give a Domain name

  • Give a privilege (if another user already has the same privilege, use “Create As” to apply the same privileges to this connection)

  • Select Department and Location details

  • Click on Add

Various Scenarios for Adding Devices in PAM

Scenario I: To enable/disable OS Access of Devices

In Scenario I, when OS Access is checked, the user can double-click the connection in ACD and get OS access to that server, where tags are added.

When OS Access is unchecked, the user gets the error ‘OS access is not authorized’. This feature is useful when access must be given to particular applications installed on a server while access to the OS itself is denied.

Scenario II: To add New Connection with same credentials as existing one

A connection with the same IP address and username must not be allowed to be created in any group.

However, a connection with the same IP address and a different username is allowed, since connections are unique based on the target device username.

Description:

Connections with the same IP and username cannot be added in the latest release. For example, in the snapshot an attempt is made to add the connection (1.1.1.1@abc:test), which already exists with the same IP and username. The user gets the error shown below. The same connection can instead be created as (1.1.1.1@abc:dev) for a different user.
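The connection-string format used in the Thick Client, URL and UNIXSSH-KEY steps above, together with the Scenario II uniqueness rule, as an added illustration in Python (this is not Iraje's code; the ACM console performs this check itself, and the default-port handling for URL types follows the manual's stated defaults):

```python
"""Parse Iraje PAM ACM device connection strings and apply the Scenario II
uniqueness rule: the same IP address plus the same target username may not
be added again in any group, while the same IP with a different username may.
Added illustration, not Iraje's code; the ACM console performs this check itself."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Device connection format from the manual: ipaddress[:port]@username:jobdesc
# (e.g. 192.100.5.98@sanjay:Tester, 192.100.5.98:80@ajay:EmailRecever).
# IPv4 is assumed, as in the manual's examples.
_DEVICE_RE = re.compile(
    r"^(?P<ip>[0-9.]+)(?::(?P<port>\d{1,5}))?@(?P<user>[^:@]+):(?P<job>[^@]+)$"
)


@dataclass(frozen=True)
class Connection:
    ip: str
    user: str
    job: str
    group: str
    port: Optional[int] = None

    def identity(self) -> Tuple[str, str]:
        """The key ACM treats as unique: target IP plus target username.
        Job description, port and group deliberately take no part."""
        return (self.ip, self.user)


def parse_device_connection(text: str, conn_type: str, group: str) -> Connection:
    """Validate a TERMINAL-CMD, TERMINAL-UNIXSSHKEY or URL(HTTP)/URL(HTTPS)
    connection string and fill in the manual's default ports for URL types."""
    m = _DEVICE_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected ipaddress[:port]@username:jobdesc, got {text!r}")
    ip = str(ipaddress.IPv4Address(m["ip"]))  # rejects e.g. 192.100.5.300
    port = int(m["port"]) if m["port"] else None
    if port is None and conn_type in ("URL(HTTP)", "URL(HTTPS)"):
        port = 443 if conn_type == "URL(HTTPS)" else 80  # defaults per the manual
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Connection(ip, m["user"], m["job"], group, port)


class ConnectionRegistry:
    """One registry for all groups, because the rule applies across groups."""

    def __init__(self) -> None:
        self._by_identity: Dict[Tuple[str, str], Connection] = {}

    def is_taken(self, text: str, conn_type: str = "TERMINAL-CMD") -> bool:
        """True if a connection with the same IP and username already exists."""
        probe = parse_device_connection(text, conn_type, group="probe")
        return probe.identity() in self._by_identity

    def add(self, text: str, conn_type: str = "TERMINAL-CMD",
            group: str = "DEFAULT") -> Connection:
        conn = parse_device_connection(text, conn_type, group)
        clash = self._by_identity.get(conn.identity())
        if clash is not None:
            raise ValueError(f"{text!r} rejected: {clash.ip}@{clash.user} "
                             f"already exists in group {clash.group!r}")
        self._by_identity[conn.identity()] = conn
        return conn
```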

Scenario III: To provide same privileges as existing connection

Selecting a device under ‘Create As (Privileges)’ grants the new connection the same rights as the existing selected one. That is, the rights of the existing connection chosen under Create As (Privileges) are applied to the new connection. This reduces both effort and time.

Description:

In Connection details, ‘None’ can be selected in the ‘Create As (Privileges)’ drop-down.

Scenario IV: To provide specific application access on a device remotely

Tags define the only applications that users may access on the target device. This acts as a thick-client connection to the target device.

ACM Password Security Manager

  • Discover ACM

  • Auto Change Password

  • Password Console

  • Configure Password

  • Option

  • Authorize Change Password

  • Report

  • Refresh

  • Close

Discover ACM

The Discover ACM tab shows the various groups configured in Iraje PAM. Select a group (for example the LTFS_SYSADMIN group) and click on Select Connection(s) to retrieve all the connections in that group. Admin Discovery scans can also be performed on multiple groups: just select the groups you want scanned.

Once all connections are retrieved, either click Go to perform Admin Discovery on all connections in the selected group, or select a specific connection and click Go.

When you click Go, the PSEXESVC service is invoked and runs on the selected IP address(es).

PsExec lets the user execute processes on remote systems without any client software being present on the remote computers. PsExec provides full interactivity for console applications, so it can launch command prompts and run tools such as ipconfig that otherwise cannot display information about a remote system. PsExec.exe is present on the PAM server and runs from the PAM server to the remote server.

It runs the following command from the PAM server to the remote server:

PsExec.exe -u [domain]\[username] -p [password] \\[Machine Name] cmd

Once the PsExec.exe prompt closes, a progress bar appears in Admin Discovery for the connection. When the progress bar reaches 100%, a prompt is shown as below. After you click OK, you can fetch the results under Admin Discovery in the Dashboard: go to Admin Discovery in the Dashboard.

There you will see the scan result from Access Control Manager. Below we can see the result: there are 47 non-configured admins on the IP address we scanned. More details about the admins are available by clicking on View Details.

Below we can see the admins configured in PAM and those who are not configured in PAM.

Auto Change Password

The Auto Change Password button invokes the automatic password change for all devices in the group. It is performed only with the approval of the maker-checker admins. It is explained in detail in the Auto Change Password Manual.

Password Console

The Password Console button leads to a tab displaying the status of Auto Change Password for each device: a green flag indicates success and a red flag indicates failure of the password change.

Configure Password

Configure Password leads to a window where the password policy for target devices is defined. This includes the password length and the minimum and maximum numbers of numeric and special characters required in the password. The policy is applied by the algorithm that sets passwords on target devices: after the policy setting is saved, the algorithm sets passwords according to the defined policy at the next password change. The policy can be defined per group.
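How a generation routine can honour such a policy (length plus minimum and maximum numeric and special-character counts), as an added Python illustration rather than Iraje's own algorithm; the special-character set and the letter alphabet are assumptions, since the manual does not list them:

```python
"""Apply a Configure Password style policy (password length plus minimum and
maximum counts of numeric and special characters) when generating a target
device password. Added illustration, not Iraje's algorithm; the special
character set and the letter alphabet are assumptions the manual does not state."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    length: int
    min_digits: int
    max_digits: int
    min_special: int
    max_special: int
    special_chars: str = "!@#$%^&*()-_=+"  # assumed set; not from the manual

    def check_consistency(self) -> None:
        """Reject a policy that no password could ever satisfy."""
        if not 0 <= self.min_digits <= self.max_digits <= self.length:
            raise ValueError("numeric bounds are inconsistent with the length")
        if not 0 <= self.min_special <= self.max_special <= self.length:
            raise ValueError("special-character bounds are inconsistent with the length")
        if self.min_digits + self.min_special > self.length:
            raise ValueError("the minimums together exceed the password length")


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if the password meets every bound in the policy (the check the
    algorithm must pass before pushing the new password to the device)."""
    digits = sum(c in string.digits for c in password)
    special = sum(c in policy.special_chars for c in password)
    return (len(password) == policy.length
            and policy.min_digits <= digits <= policy.max_digits
            and policy.min_special <= special <= policy.max_special)


def generate_password(policy: PasswordPolicy) -> str:
    """Build a compliant password from the OS CSPRNG (secrets), never from the
    seedable random module."""
    policy.check_consistency()
    rng = secrets.SystemRandom()
    # Choose the digit count so that at least min_special positions stay free.
    n_digits = rng.randint(policy.min_digits,
                           min(policy.max_digits, policy.length - policy.min_special))
    n_special = rng.randint(policy.min_special,
                            min(policy.max_special, policy.length - n_digits))
    n_letters = policy.length - n_digits - n_special
    chars = ([secrets.choice(string.digits) for _ in range(n_digits)]
             + [secrets.choice(policy.special_chars) for _ in range(n_special)]
             + [secrets.choice(string.ascii_letters) for _ in range(n_letters)])
    rng.shuffle(chars)  # so the character classes are not in a fixed order
    return "".join(chars)
```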

Option

This tab selects the shell used for setting passwords on Linux devices. Bash and ksh methods are provided.

Authorize Change Password

Authorizes the password change for the group. The password change applies only to the group in which this tab is opened.

Report

The Report button produces a Word file containing a report of all device password logs. It lists the date and time of the last password change on each device, the password's expiration date and its sealed/open status.

Refresh

The Refresh button refreshes all actions performed on the tab. Most importantly, it refreshes the sealed/open status of passwords.

Close

The Close button closes the ACM Password Security Manager window.

Maintenance

Maintenance is used to create organizations, groups and users. Users are added to groups through these tabs as well. Alerts, ACP, 2-factor authentication, Email and SMS gateways etc. are also configured from these tabs.

There are 6 options in the Maintenance menu:

  • Maintain Organization

  • Maintain Group

  • Maintain User

  • Maintain Group/User

  • Access Control Master

  • Admin Option

Maintain Organization

Here organizations are created to differentiate target devices belonging to different organizations. Multiple groups can be created under an organization. For example, a data analysis organization may work as a service provider for a product-based company; in Iraje PAM, an Organization can then be defined separately for each organization and its target devices.

Maintain Group

Groups in Iraje PAM Solution can be created under organizations or as independent groups without an organization. A group plays a vital role in separating target devices as well as the users working under these groups. Groups include the connections of target devices as well as the users having access to them.

Maintain User

Maintain User leads to a window where new users are created in Iraje PAM. Users are created here with maker-checker admin approval. Their details, such as full name, email, contact number and company name, are entered and recorded here.

Right-click on any user and you will see options such as Create, Reset, Reset Multiple, Drop, etc.

  • Create User: Create will help to create a new user.

    After creating a user, the maker-checker process must be completed. The creation shown in the window above is the maker step for the test user; the checker step must then be performed for this user. In short, that particular user has to be approved.

  • Reset User: Reset will help to modify the user.

  • Reset Multiple: Reset Multiple will help to reset multiple users at a time. The maker-checker process is needed here as well.

  • Group based Append as: If a user is added in PAM and needs access to the devices of one group, the admin can select that group and a group user, and append the new user to that group user; all privileges of the group user are then assigned to the new user.

  • Drop: Drop will delete the user, via maker-checker.

  • Approve: Approve is a function available to the super user for approving a user.

  • Biometrics: Biometrics works only if 2FA is activated for the user being approved.

A user can be searched for by alias name.

If only the maker step has been done for a user, the user cannot be appended:

Description:

If a user has been created by the maker and approval by the checker is still pending, an attempt to append that user fails because the user is not yet approved.

There are various permissions for users which are granted from here with maker-checker admin approval. The permissions are as follows:

  • DLP

  • AD authentication

  • Certificate authentication

  • Lock

  • Google authentication

  • Login start and end date/time

  • Alert

  • IP access

  • 2FA

Maintain User/Group

By clicking on Maintain Group/User, the admin can give a privilege to a user and also map the user to a specific group.

After right-clicking on any username, the admin gets 3 options:

  • Create

  • Remove

  • Approve/Reject

Maker-checker functionality is used to approve or reject any modification done in the console.

Access Control Master

Access Control Master helps in providing connection access to users. It shows the user-connection matrix of the particular group. Clicking this button shows the screen below. Click on Retrieve Connection(s) to retrieve all the connections in the group.

Select the specific connection to which you want to map the user and click on OK.

After clicking on OK, you can see the connection details:

  • Connection

  • Type

  • Group

  • Notify SMS/Email/Voice

  • Access Reason

  • Monitoring

Select the users who should have access to the connection by clicking once. This step is called Maker. The action then has to be approved from another account; that step is called Checker.

After the Checker approves it, the user will have a green tick as below.

On right-clicking any connection, the admin gets the following options:

  • Command Controller

  • Manage Script (Group)

  • Approve/Reject

Admin Options

Admin Options are the most critical settings for Iraje PAM. Every feature in Iraje PAM Solution is enabled or disabled from here.

This module covers Authentication Mode, 2-Factor Authentication, Connection Access method, Warn Password Expiry, Enable Backup User, settings for time-based access and the Show Password workflow, Password Expiry days, ACP scheduling period, Email and SMS gateways for alerts, Version path, PAM server definition, Number Validation Enforced, Access level, Auto Log Cleanup period, and various other tabs that are configured here.

The main functions in Admin Options are as follows:

Authentication Mode:

This mode defines the first level of authentication for a user logging in to the Iraje PAM Dashboard. Active Directory is for login using AD IDs; the Database option is for login using database passwords in special cases where the client does not have AD servers.

2-Factor:

This option enables the second level of authentication, which includes OTP (one-time password), Biometrics, RSA tokens, Smartcard, Digi-pass OTP and Google Authenticator.

The second level of authentication can be defined at various levels. On clicking the ‘Level’ button, you will see the following screen.

Connection Access:

This enables the third level of authentication when accessing connections. It includes RSA tokens and iRSA (Iraje Robust Secure Architecture), which can also be enforced on specific groups.

Alerts

This module is used for configuring gateways for Email and SMS alerts.

Alerts send notifications in 3 ways:

  • SMS: PAM will send alert/OTP on registered mobile number

  • Email: PAM will send alert/OTP on registered email ID

  • Voice: a phone call will be made to the registered number for configured alerts

The check-boxes for Warn Password Expiry, Enable Backup User, Allow Password and Connection Request, Password Expiry days and ACP scheduling period are enabled and disabled from here.

Warn Password Expiry:

It warns the users about connection password expiry as per the days specified in Password Expiry text box.

Enable Backup User:

A checkbox to enable or disable the Backup User on the target device, which is used to keep passwords in sync using Sync Centre.

Allow Password and Connection Request:

Enables or disables the Password and Connection access request tab on ACD (Access Control Directory). The ACD tab is used by all admins to access their target devices. If these options are enabled, admins can request password and connection access from the ACD tab.

Password Expiry days

Password Expiry days are configured by Iraje PAM Admins and decide when passwords expire in the Iraje PAM solution. After the defined period the passwords can be changed for security.

ACP scheduling

The ACP scheduling period can be configured here. When this period is reached, ACP (Auto Change Password) is invoked for groups with target devices. ACP is invoked only for groups selected for ACP.

BCP

In Iraje, BCP stands for Business Continuity Passwords, presumably because this module provides the passwords for target devices needed to continue business. If a disaster or natural calamity makes the PAM solution unavailable and admins need the target device passwords, this module gives the organization the latest set of passwords, which are used to decrypt the device passwords stored in PAM. As this is a critical module, it can only be accessed using time-based validation codes provided by Iraje PAM Solution.

Department & Location

Here the Department/Location entries are created, modified and deleted for target devices in PAM. While configuring connections, the department/location of the device is chosen from this list.

Alerts

The Alert button in Admin Options customizes alerts. The Alert tab has various alert types, which are enabled simply by checking the check-boxes of the alerts that are needed. These alerts are sent to the Iraje PAM Solution admins whose email and contact details are stored.

Alerts are explained in detail in the Alerts Manual.

The following options are in Admin Options:

AD Integration

This is for LDAP settings.

iDLP

iDLP stands for Iraje Data Leak Prevention. This module manages the copy-paste rights of users on devices accessed from PAM.

Schedule Reports

Iraje provides system-generated reports that are scheduled for admins on a particular period. These reports can be scheduled for selected users.

Dashboard Access Control

Dashboard Access Control allows Admins to define user control over dashboard tabs.

OK Button

The OK button saves the settings on the Admin Options tab. The settings are saved only after approval by the maker-checker admins.

Cancel Button

The Cancel button closes the Admin Options tab. It also disables Admin Options settings that have not been approved by an admin through the maker-checker process.