Getting started

To get started with the Privileged Access Management (PAM)features in Devolutions Server, first log in as an administrator in your Devolutions Server. Then, follow the steps below.

Configure PAM settings

  1. In Devolutions Server, head to Administration – Licenses.
  2. Add your PAM license using the Add (+) button. When done, the license appears in the license list and the Privileged Access menu appears in the side panel of your Devolutions Server.
    PAM license
    PAM license
  3. In Administration – Privileged Access – Default settings, configure the settings for the vault visibility, checkout system, credentials brokering, sensitive information access, default checkout times, and synchronizations.
    Administration – Privileged Access – Default settings
    Administration – Privileged Access – Default settings
  4. Next, head to Administration – System Permissions – Modules.
  5. Configure access to the PAM system for users/admins and manage privileged accounts rights on who can edit the privileged entries. Then, click Save.
    Administration – System permissions – Modules – Privileged access
    Administration – System permissions – Modules – Privileged access

Add a PAM provider

In Administration – Privileged Access – Providers, add a provider. The available types are:

  • Managed providers: Domain User (AD), Local User (SSH), SQL Server, Windows User, Azure AD User
  • Password reset only (unmanaged) providers: MySQL User, Cisco User, Oracle User
  • AnyIdentity providers: Windows Accounts, Windows Local Accounts

Managed PAM providers
Managed PAM providers
Password reset only PAM providers
Password reset only PAM providers
AnyIdentity PAM providers
AnyIdentity PAM providers
When adding the provider, make sure to enable the Add PAM vault and Add Scan Configuration options under Actions.
PAM provider configuration
PAM provider configuration

For more information, please refer to Providers.

When you click Save, the Scan Configuration appears.

Add a scan configuration

  1. Confirm that it is the correct provider, domain name, and domain container (where the accounts are located).
  2. Make sure the Start Scan on Save option is enabled under Actions.
  3. Click OK.
    PAM Scan configuration
    PAM Scan configuration

For more information, please refer to Scan configurations.

Add a PAM vault

In the PAM vaults section of Administration – Privileged Access, you need to create at least one PAM vault to contain the accounts. You can customize that particular folder's security options if you do not wish it to have the default initial configuration. You can also customize the approvers on the folder directly, which gives you a list of the administrators.

PAM vaults
PAM vaults

Import accounts from a scan

  1. In Administration – Privileged Access – Scan Configuration, click on View result next to the scan.
    View results
    View results
  2. Select all the accounts you wish to import. Then, click Import Selected Accounts.
    Import selected accounts
    Import selected accounts
  3. Import them in the vault of your choice. You can also choose whether to reset the password on import or on check-in (recommended). That way, the password is safe the moment the user checks it back in.
    Import accounts
    Import accounts
    Once imported, you can click into the vault and manually check the Synchronization Status in the top right of the screen. You will know the accounts are well synchronized when the credentials does not have an Out of sync red warning next to them.
    PAM Account Sync Check
    PAM Account Sync Check
    You are now ready to use the privileged access management portion of Devolutions Server.
Give us Feedback