To get started with the Privileged Access Management (PAM) features in Devolutions Server, first log in to your Devolutions Server as an administrator. Then, follow the steps below.
Configure PAM settings
- In Devolutions Server, head to Administration – Licenses.
- Add your PAM license using the Add (+) button. When done, the license appears in the license list and the Privileged Access menu appears in the side panel of your Devolutions Server.
- In Administration – Privileged Access – Default settings, configure the settings for the vault visibility, checkout system, credentials brokering, sensitive information access, default checkout times, and synchronizations.
- Next, head to Administration – System Permissions – Modules.
- Configure which users and administrators can access the PAM system, and set the privileged account rights that determine who can edit the privileged entries. Then, click Save.
Add a PAM provider
In Administration – Privileged Access – Providers, add a provider. The available types are:
- Managed providers: Domain User (AD), Local User (SSH), SQL Server, Windows User, Azure AD User
- Password reset only (unmanaged) providers: MySQL User, Cisco User, Oracle User
- AnyIdentity providers: Windows Accounts, Windows Local Accounts
When adding the provider, make sure to enable the Add PAM vault and Add Scan Configuration options under Actions.
For more information, please refer to Providers.
When you click Save, the Scan Configuration appears.
Add a scan configuration
- Confirm that it is the correct provider, domain name, and domain container (where the accounts are located).
- Make sure the Start Scan on Save option is enabled under Actions.
- Click OK.
For more information, please refer to Scan configurations.
Add a PAM vault
In the PAM vaults section of Administration – Privileged Access, you need to create at least one PAM vault to contain the accounts. You can customize that particular folder's security options if you do not wish it to have the default initial configuration. You can also customize the approvers on the folder directly, which gives you a list of the administrators.
Import accounts from a scan
- In Administration – Privileged Access – Scan Configuration, click on View result next to the scan.
- Select all the accounts you wish to import. Then, click Import Selected Accounts.
- Import them into the vault of your choice. You can also choose whether to reset the password on import or on check-in (recommended). That way, the password is safe the moment the user checks it back in.
Once imported, you can click into the vault and manually check the Synchronization Status in the top right of the screen. The accounts are properly synchronized when the credentials do not have a red Out of sync warning next to them.
You are now ready to use the privileged access management portion of Devolutions Server.