PAM vaults

PAM vaults are one of the key features of Devolutions Hub's privileged access management module. They are secure vaults that allow you to manage all your different privileged accounts.

Create a PAM vault

Creating a PAM vault in the Devolutions Hub web interface works much like creating a regular vault. In Administration – Vaults, click on Add (+), then Add PAM vault as shown in the image below.

Add a PAM vault

Alternatively, you can create a PAM vault from the Navigation pane's vault selector by clicking on the ellipsis button and selecting Add PAM vault.

Add a PAM vault via the Navigation pane

PAM vault setup

Either way, you are now presented with the setup window for your PAM vault.

PAM vault setup

Start by entering a Name for your PAM vault (mandatory) and a Description (optional). Then, set its visibility:

  • Default: Refers to the system-wide vault visibility set in Administration – Configuration & Security – System Settings – Vault.
  • Private: A private PAM vault is not visible to users who do not have access to it, so they cannot request access to it. It can only be accessed by invitation.
  • Public: A public vault is visible to all users of the data source, even to those who do not have access to it. A user can request access to the public vault.

For more information on vault access and visibility, visit Vault access in Devolutions Hub Business.

In the Password Settings, choose whether to use the provider's password template or select a custom one.

If you use a custom template, make sure it follows the provider's password policies.

Under Permissions, you can see an overview of your roles and permissions and edit them.

Make sure to give the right permissions to your users so they can use the privileged accounts you will later be adding to the PAM vault.

We recommend the Privileged operator role, as it contains the minimum permissions required to use and access privileged account entries, namely View vault, Connect (Execute), View password, and View sensitive. The Privileged operator and Operator roles differ in that the Operator role does not include the View password permission, which is necessary to use the privileged accounts.

Alternatively, you can assign a specific role at the privileged account entry level and just give access to the vault itself.

When you click Add at the bottom of the settings, the new PAM vault will be created. You can find it in Administration – Vaults. The number of PAM vaults is also displayed at the top.

Vaults list

You can access all your vaults via the vault selector in the Navigation pane.

Vault selector

The next step is to add privileged accounts to your new PAM vault. Visit Privileged accounts for more information.
