Deploy PAM quickly in your environment

This guide walks you through the steps to set up Devolutions PAM in your environment quickly, so you can protect privileged accounts, enforce policies, and gain control over sensitive access with minimal configuration time.

  1. Configure a PAM Domain service account.

    An optional step is to create a test account for PAM.

  2. Make sure the Scheduler service is running.

  3. Configure your PAM domain provider in Devolutions Server by going to AdministrationPrivileged accessProviders.

  4. Click Add new PAM provider.

  5. Enter the required configuration and uncheck Add PAM vault.

  6. Click Save.

  7. Set up the Scan configuration (prompted when saving the PAM provider).

  8. Select the OUs where the Privileged account (or test account) is located.

  9. Check Start scan on save under Actions.

  10. Click Save.

  11. Create a check-out policy.

  12. Create a PAM vault.

  13. Import account from the Scan.

  14. Configure an entry to use the PAM account.

Just-in-Time elevation

  1. Add the permission to create user groups to your PAM domain provider account in AD.

  2. Identify the user groups in AD you would like to be available for Just-in-Time elevation.

  3. Edit your PAM domain provider.

  4. Open the JIT privilege elevation tab.

  5. Select the user group identified earlier.

  6. If you would like to limit the JIT access to specific accounts, click Enable Privilege Sets.

  7. Add a prefix to the group name, such as DVLS-JIT-.

  8. Select a location for the temporary groups to be created.

  9. If you have multiple DC, configure a Replication latency to make sure the JIT has time to replicate between all DCs.

  10. Save.

Just-in-Time provisioning

  1. Add the permission to create and delete users to your PAM domain provider account in AD.

  2. Edit your PAM domain provider.

  3. Open the JIT privilege elevation tab.

  4. Select the user group identified earlier.

  5. Select a location for the temporary users to be created.

  6. If you have multiple Domain controllers (DCs), configure Replication latency to give JIT changes enough time to replicate across all DCs.

  7. Click Save.

  8. In your PAM vault , add a new domain user.

  9. Enter the username for the account.

  10. Check the Just-In-Time (JIT) account check box.

  11. Click Save.

See also

Devolutions Forum logo Give us Feedback