Symantec Privileged Access Management


Domain users with Devices

  • 1.  Domain users with Devices

    Posted Mar 22, 2023 10:38 AM

    Hi Team,

    I hope you are all doing well.

    How do we connect the domain users to the devices?

    The customer is asking that when any one of the domain users logs in to PAM, he should click the assigned listed device and it should open automatically,

    but here is the thing: when the user clicks any one of the devices it prompts the credentials popup list, which should not come up.

    We have created a policy for a user group to the device group, so when the user tries to open the RDP device he can see all other users' credentials.


    Could you please give me a clear document for each domain user with multiple devices and his own credentials to use to log in to the PAM client and for device sessions without choosing the credentials?



  • 2.  RE: Domain users with Devices

    Broadcom Employee
    Posted Mar 23, 2023 12:51 AM

    Hello Puru,

    I would recommend that you break this into smaller parts and then check.

    1. Assign one device to a domain under the policies and also associate only one target account for login to the target device.
    2. Login with the LDAP user credentials into CA PAM3.
    3. After login, you will be able to list the devices that are available for the LDAP user.
    4. Establish the connection to the target device. Since you have only one Target Account, the automatic login should be initiated and the connection to the Target Device should be established.

    Once this is successful, add the policy for accessing the devices that are part of the device group.

    Thanks,
    Reatesh. 




  • 3.  RE: Domain users with Devices

    Posted Mar 23, 2023 10:22 AM

    Hi Reatesh,

    Thank you for the response,

    Whatever you suggested I have completed in my environment, and it is working as expected.

    Also, I have a few questions; please suggest how to move forward.

    Assign one device to a domain under the policies and also associate only one target account for login to the target device

    In this method, if 10 users access the same devices then the target account will be the same for all 10 users, so how will the device performance be?

    ------------------------------ 

    1. The target account and user account will be the same account, or are both different?

    2. If the LDAP users are considered as both user and target accounts, then I should create a policy for each user, right?

    3. If we are importing the target accounts from AD using credentials discovery, it is asking for the password of all target accounts, so is there any way to import the target accounts with passwords?

    Thanks & Regards,

    Purushothaman. A




  • 4.  RE: Domain users with Devices

    Broadcom Employee
    Posted Mar 23, 2023 11:30 PM

    Hello Puru,

    Please look at the explanation and the sample shared by Joseph Fry, if you need further assistance, then please feel free to open a support ticket for further investigation.

    Thanks,
    Reatesh.




  • 5.  RE: Domain users with Devices

    Broadcom Employee
    Posted Mar 24, 2023 06:46 PM

    Concerning your question about importing AD target accounts with passwords, that's impossible. AD stores hashes of passwords, not the passwords themselves, and the process of converting a password to a hash is not meant to be reversible for security and privacy reasons. It would be very unsettling to have a way to get the passwords of all users out of AD. PAM by the way does the same with local user accounts, see KB 123064.




  • 6.  RE: Domain users with Devices

    Posted Mar 27, 2023 09:40 AM

    Hi Reatesh,

    Thank you for your response.

    I have tried as per your suggestion and it is working as expected.

    Also, I have a few questions; please suggest how to move forward.

    Assign one device to a domain under the policies and also associate only one target account for login to the target device

    In this method, if 10 users access the same devices then the target account will be the same for all 10 users, so how will the device performance be?

    -----------------

    1. The target account and user account will be the same, or are both different?
    2. If the LDAP users are considered as target accounts, then I should create a policy for each user, right?
    3. If we are importing the target accounts from AD using credentials discovery, it is asking for the password of all target accounts, so is there any way to import the target accounts with passwords?

    Thanks & Regards,





  • 8.  RE: Domain users with Devices

    Broadcom Employee
    Posted Mar 27, 2023 10:21 AM

    This is just a copy of questions raised last week, and we responded to them already.




  • 9.  RE: Domain users with Devices

    Broadcom Employee
    Posted Mar 23, 2023 10:16 AM

    PAM has no concept of "users' credentials".  A target account can be used by any user that has a policy that grants them access to it.

    If each user must login with a unique credential then each user must have a unique policy.

    Simply replace your User Group <> Device Group policy with individual User <> Device Group policies, one per user.

    We often suggest that our customers consider a "Role Based" approach.  For example, you may have an MSSQL cluster that needs 2 roles (database admins & system admins).  You create two Active Directory accounts, 'sqldbadmin' & 'sqlsysadmin', and create the PAM target accounts for them.  Then you can use User Group <> Device Group policies in PAM such that your "Database Admins" user group logs in using 'sqldbadmin' and your "System Admins" group logs in using 'sqlsysadmin'.  All attribution is provided by PAM logs and recordings.  This is also more secure because role-based accounts are scoped to a single system, so if sqldbadmin is compromised, it cannot be used to access any other systems; while a user's account may have access to many systems and could cause far greater damage if compromised.
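A small policy-resolution model, added here as an illustration and not PAM's own code or API, showing why the User Group <> Device Group policy above produces the credential pop-up and how both alternatives (one policy per user, or a role account per system) remove it. The user, device and group names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    subject: str          # a user name or a user group name
    target: str           # a device name or a device group name
    accounts: frozenset   # target accounts on the device(s) this binding may use

class PamModel:
    """Simplified resolution: there are no 'user credentials', only policies."""
    def __init__(self, user_groups, device_groups, policies):
        self.user_groups = user_groups      # group name -> set of user names
        self.device_groups = device_groups  # group name -> set of device names
        self.policies = policies

    def accounts_visible(self, user, device):
        """Target accounts offered to `user` when they open `device`."""
        subjects = {user} | {g for g, m in self.user_groups.items() if user in m}
        targets = {device} | {g for g, m in self.device_groups.items() if device in m}
        offered = set()
        for p in self.policies:
            if p.subject in subjects and p.target in targets:
                offered |= p.accounts
        return offered

    def auto_login(self, user, device):
        """Exactly one account -> automatic login; several -> credential pop-up."""
        offered = self.accounts_visible(user, device)
        return next(iter(offered)) if len(offered) == 1 else None

# Constructed sample directory: two DB admins, one two-node SQL cluster.
USER_GROUPS = {"DB Admins": {"alice", "bob"}}
DEVICE_GROUPS = {"SQL Cluster": {"sql01", "sql02"}}

def group_policy_model():
    # The original setup: one group policy listing every user's own account,
    # so each member sees every other member's credential in the pop-up.
    return PamModel(USER_GROUPS, DEVICE_GROUPS, [
        Policy("DB Admins", "SQL Cluster", frozenset({"alice", "bob"}))])

def per_user_policy_model():
    # Fix 1: one User <> Device Group policy per user, each with only that user's account.
    return PamModel(USER_GROUPS, DEVICE_GROUPS, [
        Policy("alice", "SQL Cluster", frozenset({"alice"})),
        Policy("bob", "SQL Cluster", frozenset({"bob"}))])

def role_based_model():
    # Fix 2: a single role account scoped to this cluster, shared by the whole group.
    return PamModel(USER_GROUPS, DEVICE_GROUPS, [
        Policy("DB Admins", "SQL Cluster", frozenset({"sqldbadmin"}))])
```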




  • 10.  RE: Domain users with Devices

    Posted Mar 30, 2023 10:13 AM

    Hi Team,

    Really thank you very much, now I got a clear picture of the PAM access method.

    Thanks & Regards,



