PIAM Admin Guide

This document serves as a comprehensive resource for administrators and IT personnel responsible for implementing and managing CI Privileged Access Management solutions within their organizations.

CI PAM Administration

Below is the login screen of the CI PAM solution.

The connection history screen displays a table of the most recent connections, including the user that used that connection, the time the connection began, how long the connection was used, and whether a corresponding recording is available for viewing:

You can also Download the connection history in a CSV file if required. Click on ‘View’ to view the recorded session of the corresponding connection.

Click Users within the list of settings sections to navigate to the user management screen. Here you can add new users, edit the properties and privileges of existing users, and view the times that each user last logged in.

To add a new user, click the New User button. This takes you to a screen where you are allowed to enter the details of the new user, such as the password and username. Note that, unless you specify otherwise, the new user will have no access to any existing connections, nor any administrative privileges, and you need to manually set the user’s password before they log in.

To edit a user, just click on the user you wish to edit. You will be taken to a screen which allows you to change the user’s password, expire their password (such that it must be changed at the next login), add, or remove administrative permissions, and add or remove read access to specific connections, sharing profiles, or groups.

Click Groups within the list of Settings sections. It takes you to the User Group Management screen. Here you can add new groups, and edit the properties and privileges of existing groups.

To add a new group, click the “New Group” button. This will take you to a screen where you will be allowed to enter the details of the new group, including membership and any permissions that members of the group should have.

To edit a group, click on the group you wish to edit. You will be taken to a screen which allows you to modify membership, add or remove administrative permissions, and add or remove read access to specific connections, sharing profiles, or connection groups. You can also filter the groups by specifying search terms within the “Filter” field. Connection groups will be filtered by name and connections will be filtered by name or protocol.

Managing the group membership of groups is more complex than that of users, as groups may contain both users and groups, with permissions from parent groups possibly being inherited. Parent groups, member groups, and member users can all be managed identically to the group memberships of users, with a corresponding section dedicated to each within the user group editor:

To add a new connection or connection group, click the “New Connection” or “New Group” button, or the “New Connection” or “New Group” placeholders which appear when you expand an existing connection group. These options will take you to a screen where you will be allowed to enter the details of the new object, such as its location, parameters, and name. This name should be descriptive but must also be unique concerning other objects in the same location.

Once you click “Save”, the new object will be added, but will initially only be usable by administrators and your current user. To grant another user access to the new connection or connection group, you must edit that user or a user group that the user is a member of, checking the box corresponding to the connection or connection group you created.

Editing connections, sharing profiles, and connection groups work identically to edit a user. Click on the object you wish to edit, and you will be taken to a screen which allows you to edit it. The screen will display all object properties, including its usage history, if applicable.

If you have the delete permission on the object, you will also see a “Delete” button. Clicking this button will permanently delete the object being edited.

Connection groups can be either “organizational” or “balancing”. Each group can contain any number of other connections or groups, but the semantics of the group change depending on the type.

An organizational group behaves exactly as a folder or directory in a file system. It simply contains connections and other groups but provides no other behaviour. Clicking on an organizational group within a connection list will expand the group, revealing its contents.

A balancing group behaves as a connection. It dynamically balances load across the connections it contains, choosing the connection with the few active users. Unlike organizational groups, clicking on a balancing group causes a new connection to be opened. The actual underlying connection used depends on which connection has the least load at the time the group was clicked, and whether session affinity is enabled on that group.

Enabling session affinity for a balancing group ensures that users are consistently routed to the same underlying connections until they log out of CIPAM. The load-balancing behaviour of the balancing group will apply only for the first time a particular user connects to the group. If your users may lose their desktop state if they are routed to a different underlying connection, this option should be enabled.

The ability to share a connection is governed by “sharing profiles”. Suppose a sharing profile is created for a connection. In that case, users with access to both that connection and that sharing profile will be able to share the connection with other users by generating connection-sharing links, even if those users do not otherwise have user accounts within CIPAM.

Unlike connections and groups, there is no “New Sharing Profile” button. Sharing profiles are created by clicking the “New Sharing Profile” placeholders which appear when connections are expanded. Just as expanding a connection group reveals the connections or groups therein, expanding a connection reveals the sharing profiles associated with that connection. This holds true with both the list of connections in the connection management screen and the list of connections in the user editor.

Creating or editing a sharing profile is virtually identical to creating or editing a connection, with the exception that not all connection parameters are available:

The CIPAM web application includes support for playing back recordings from the history screen in the administration interface, but that support cannot automatically know where those recordings are stored nor how they are named. The extension documented here provides exactly that missing piece, allowing the web application to find recordings on disk so long as they are named appropriately and stored in a specific location. 

If such a recording is found, it is available to any user who can view the history entry. The availability of a recording is displayed as a “View” link in the “Logs” column of the history table: