Navigating the User Interface
The Privileged Access Management (PAM) interface is divided into the following main sections:
TIP: Throughout the software you will notice many interactive Help buttons. If you are curious about what an option or function does, click its Help button for a short description or a link to an online FAQ article for more information.
Navigation menu
The navigation menu along the left side of the interface is the main navigation used for PAM. For ease of use, it is divided into several sections:
User Settings
The topmost section, which displays the currently logged-in user's name, their profile picture (displayed only if one is defined in Active Directory or the Local User account) and a dropdown menu of individual user settings.
Records
The location where all records and containers will be organized and accessible by users based on their shared permissions.
All Records
Displays all records and folders that this user has permissions to access. A user with at least the Viewer Record Control will see the object in the All Records view. If the user does not have Viewer, then the object will not appear in this or any view or search performed by them.
The All Records view is also known as the Root Folder or Default Root.
Shared With Me
Displays all records and containers that this user has permissions to access. This differs from the All Records view because it allows the user to see records in a simple flat view, without having to navigate through folders to locate records.
If a user has permission to a record, but not the folder which contains this record, then they could use this Shared With Me view to locate the record. Note that System Administrators do not have a Shared With Me option because they have access to all objects.
Personal Vault
Each user has their own Personal Vault for which they are owners. This allows them to create their own records and folders, maintain full control over each one and share or revoke permissions as needed.
Favorites
Records and Folders that are favorited by a user will appear in this personalized view. Favorites are specific to the user profile, meaning that only objects favorited by the currently logged-in user will appear in their own Favorites view.
<Favorite Folders>
When a user favorites a folder, this folder will appear in the Favorites section in addition to being shown within the Records section. This enables the favorited folder to become a quick navigation link to access its content.
Favorite folders appear on the navigation menu in this format <Folder Name>.
Administration
This section is available to System Administrators and Auditors only (see Global Roles) and is used to configure administrative and global settings of PAM. Users without this permission will not be able to see or access this section.
Global Permissions
Defines the users or groups who are granted global access via shared permissions. Users with global permissions will have access to all PAM records or containers regardless of the specific permissions that are configured on each object.
See the Global Permissions section for more information.
Global Roles
Defines the users or groups who are granted system wide access of varying roles.
See the Global Roles section for more information.
Local Users
Location where user accounts can be created and managed within the PAM system. These users are stored within PAM only and cannot be used with Active Directory, LDAP or external groups.
See the Local Users section for more information.
Local Groups
Location where groups can be created and managed within the PAM system. These groups are stored within PAM only and cannot be used with Active Directory, LDAP or external groups.
See the Local Groups section for more information.
Discovery
Location where activity based Privileged Account and System discovery queries are configured and their results can be viewed.
See the Discovery Query section for more information.
Scripts
The location of all scripts that are stored in PAM that can be used with Task execution. Scripts located in this library can be created, modified and deleted.
See the Scripts Library section for more information.
Record Types
Defines the out of the box and custom Record Types that are available for use in PAM.
See the Record Types section for more information.
Tokens
Displays a list of all generated API tokens with the options to create, disable, expire or delete existing tokens.
See the Authentication Tokens section for more information.
Workflows
The location where approval workflows are created and managed.
See the Workflows section for more information.
Command Control
Displays a list of all Command Control policies with the options to create and manage existing policies.
See the Command Control section for more information.
MFA
The location where PAM logins are configured to require a specific MFA provider for authentication. MFA providers can be assigned to individual users or groups, or a default option can be applied globally to all logins, including a none option that disables the MFA authentication requirement.
See the MFA Configuration section for more information.
Behavior Profiles
The location where PAM Behavior Profiles are created and managed by System Administrators.
See the Behavior Profiles section for more information.
Settings
The location where the PAM system is configured.
See the Settings and Configuration section for more information.
Updates
Displays the current version of PAM and provides the ability to update to the latest available version.
See the Updates section for more information.
Reports
A series of built-in reports that help to locate objects, find user activity, understand permissions and view audit events throughout the system are provided to PAM System Administrators and Auditors (see Global Roles). Users that lack this permission will not be able to access this section.
These reports have options to Sort, Filter, Search, Refresh, Export, Email and Enable / Disable Columns using their available commands.
Access
Provides a list of all users (unwound from groups) that have access to the selected object, their level of access and how they have been granted access (Group Membership, Individual ACL, Global Role or Global Permission).
Audit Log
Provides a report of audit events captured throughout the PAM solution by all users and activities. Use this report to investigate Audit Events in PAM.
Bindings
Provides a list of all users (unwound from groups) that have workflow bindings to the selected object, a summary of their binding configuration and how they are bound (group membership or by direct assignment).
Custom
Provides a location to create and view any custom reports that have been generated. These custom reports, written in the HQL querying language, are written and maintained by System Administrators.
Inventory
Provides a list of all objects (records and folders) along with their metadata and permissions. Use this report to find objects based on metadata, activity or permissions.
Job History
Provides a list of all Jobs or Tasks that have already been executed, along with their details. Use this report to find details about scheduled or previously executed tasks.
Job Summary
Provides a list of all Jobs or Tasks that have already been executed, aggregated to illustrate a summary of their results including a number of executions per task per day. The summary can be displayed in a data-table or presented in a line chart.
Requests
Provides a list of all Workflow Instances, including those that are active, approved and rejected. Use this report to find any information about Workflow instances and states.
Sessions
Provides a list of all Active and Completed remote sessions in PAM. Use this report to investigate session activity and to access video and keystroke recordings.
Session Events
Provides a list of all keystrokes, clipboard text and command sequences users entered during any remote session. Use this report to investigate session activity and search for keystroke or command entries throughout all sessions.
Statistics
Provides a graphical understanding of various categories of objects throughout the PAM system. Use these reports to understand system usage and various trends over time.
Subscriptions (Alerts)
Provides a list of alerts that the users of PAM are subscribed to, along with their alert configuration and an option to Unsubscribe them from their selected alert(s).
Subscriptions (Reports)
Provides a list of reports that the users of PAM are subscribed to, along with their report configuration and an option to Unsubscribe them from their selected report(s).
Tasks
Provides a list of all records that have at least one task associated with them, along with each task’s details.
Users
Provides a list of all users and groups that have accessed PAM. Use this report to understand user behavior, activity, permissions and IP based locations.
Workflows
Provides a list of all PAM workflows along with their templates, bindings and configuration. Use this report to understand where Workflows are deployed and how they are configured.
Custom Reports
Provides the ability for System Administrators to create custom PAM reports using the HQL language.
For an expanded list of reports, their description and available options, please read our Reports article.
Searches
The Searches menu provides quick access to all default search queries included with PAM and to any custom search queries that you have made a favorite. Custom search favorites are only available to the user who created them; they cannot be shared between multiple users or made to be a default system query.
To add a custom search query to your Searches menu:
- Navigate to any Records page, enter your Search query into the Search records… field and execute the query by clicking the Search button.
- Once the query is executed, click the Add to Favorites button.
- Your custom query will now be visible in your Searches menu.
To remove a custom search query from your Searches menu:
- Navigate to the Searches menu and click on your custom query that you would like to remove.
- This will open and execute the selected Search query.
- Once the query has executed, click the Remove from Favorites button to remove your custom query.
Management
While much of PAM is configured with Global Settings, there are several options that allow a user to configure PAM for their personal preference. These personal settings are available to each user in the following locations:
- In the upper portion of the left navigation menu activated by a dropdown menu.
- In the lower portion of the left navigation menu located within the Management section.
The following settings are available:
My Sessions
Displays a list of session activity that this user has permissions to access.
My Profile
Displays information about this user’s profile, including account parameters, subscribed notifications and custom user settings.
Profile
Displays your account information.
For PAM user accounts that exist outside of the PAM local user directory, this will be a read only view of your account information as configured in your external user directory (for example, Active Directory).
For PAM local user accounts, this will be an editable view of your account information as configured in the PAM internal user directory. You can update your account information, including profile picture, name, email and password.
Subscriptions
Displays all alerts and notifications that you are currently subscribed to and the ability to subscribe or unsubscribe from additional object notifications.
Anonymous Links
Displays all active anonymous links that you have created.
You may create new anonymous links or expire currently active anonymous links that you have authored from this page.
Preferences
Displays all current user specific profile options for your account in PAM.
Click the Help button available for each preference option for a description of the parameter.
After you update any preference setting, be sure to click its Save button before exiting the page.
My Alerts
Displays all alerts that have been sent to this user.
My Workflows
Displays all requests that a user has created (the My Requests tab) and all requests that this user must approve or reject (the Requests for Approval tab).
About
Displays the copyright information and the current version number of the PAM system.
Application Toolbar
The PAM application toolbar is located along the top of the interface. It contains these options:
- A menu option to collapse or expand the navigation menu to provide a more compact view for users with low screen resolutions.
- A Search… bar used to search for menu options in the left navigation menu or objects stored in the vault.
- An alerts indicator that displays any unread user alerts and serves as a quick link to open the user’s My Alerts view.
- A logout button used to log out of the current user’s session. After you successfully log out of PAM, be sure to exit or close your web browser.
Login and Logout
Any user will be able to log in to PAM using their account name and password. Depending on the configuration, this account may be the user’s Active Directory login or a Local User created in PAM.
To log in to PAM:
- Open your browser to the PAM login page. The default location is https://localhost:6443/xtam but may be different depending on your system. Contact your PAM System Administrator for access to your login page.
- On the login page or login prompt, enter your account name and password. Click Login to continue.
- Upon successful login, you will be directed to the PAM home page. If unsuccessful, please try again.
NOTE: If your login authentication requires the use of Multi-Factor Authentication, please refer to our online MFA article for detailed information about your first time use and device registration. If you use SSO, then click the red SSO button on the login page to be redirected to your SSO sign-in portal. Speak with your PAM System Administrator for additional assistance using your MFA or SSO options.
To log out of PAM:
- Locate and click the Logout button either in the dropdown menu beneath your login profile or in the application’s toolbar.
- Once logged out, as a security measure, it is recommended to fully close your web browser.
Record List
The Record List is a permission trimmed view of all objects (records, folders and vaults) that the currently logged in user has access to view. Vaults are displayed first, followed by Folders and finally Records in alphabetical order.
The object’s Name, Description, Linked Parent paths, Record ID, Record Type and Host are also displayed in this view.
Additional options are provided by clicking on the object’s Icon to activate its dropdown menu or by clicking the desired option in the list located on the right side of each object.
Connect
The connect option establishes a remote connection to any record that supports this feature.
Execute
The execute option opens a menu that displays a list of tasks that can be executed on this record.
Quick View
The quick view option will open a view only display of the selected record. You can use this option to view, copy or unlock record fields, but it cannot be used to manage the record.
Share
The share option opens the Grant Access dialog for quick sharing of objects. Using this share button will automatically break inheritance of this object. If you do not want to break inheritance, then open the object and use its Manage > Permission option to configure your sharing.
Actions
The action menu opens a set of options that are also available in the object’s Icon dropdown menu on the left side.
Go to Parent
The Go to Parent option will navigate you to the current object’s parent. If the current record has multiple parents (i.e. linked objects) then the Go to Parent button will generate a dropdown menu for you to choose the desired parent.
Bulk Actions
The Bulk Actions menu provides a list of operations that can be performed when one or more objects in the Record List are selected.
Based on your account permissions, the following options may be accessible from the Bulk Actions menu:
Select All
Selects all objects (vaults, folders and records) visible in the current record list view.
Select Records
Selects only the records visible in the current record list view.
Request Access
Used to submit the same Request Access workflow for the Connect action to all the selected records.
Request Unlock
Used to submit the same Request Access workflow for the Unlock action to all the selected records.
Request Execute
Used to submit the same Request Access workflow for the Execute action to all the selected records.
Execute
Used to bulk execute On-Demand tasks associated to the selected records.
Share
Used to bulk share the selected objects. Using this Share option will break permission inheritance on all selected objects.
Inherit Permissions
Used to set the permissions of the selected objects to inherit permissions from their parent.
Inherit Workflows
Used to set the bindings of the selected objects to inherit workflows from their parent.
Update
Used to assign a new Record Type or Reference Record for all selected records.
Unselect All
Unselect all the currently selected objects.
Copy
Add the selected objects to the clipboard to be copied to a new location.
Copy Folders
Add the selected folders, including their sub-folders and permissions, to the clipboard to be copied to a new location. This option does not include records.
Cut
Add the selected objects to the clipboard to be moved to a new location.
Delete
Delete the selected objects.
Manage
The Manage menu provides a list of operations that can be performed within the current container.
Import
Import an existing list of records from a third-party provider using a common CSV format.
Please read our article for additional information about importing records.
Permissions
Grant, Edit or Revoke permissions associated to your current container.
Workflows
Apply, Edit or Remove workflow bindings associated to your current container.
Local Users
Create and Manage local users that are specific to this container.
Not available in the Root Folder, Personal Vaults or if the feature has been globally disabled by a System Administrator.
Local Groups
Create and Manage local groups that are specific to this container.
Not available in the Root Folder, Personal Vaults or if the feature has been globally disabled by a System Administrator.
Tokens
Create and Manage API tokens that are generated specific to this container.
Not available in the Root Folder, Personal Vaults or if the feature has been globally disabled by a System Administrator.
Reports
Generate the selected report containing only the objects that reside within this current container.
Paste
Paste or Paste as a Link your current clipboard object(s) to your current container.
Add Container / Add Folder
Create a new Folder or Vault within your current container.
Please note that Vault containers can only be created in the root All Records view.
Add Record
Create a new Record within your current container based on the Record Type that is selected from the dropdown menu.
Refresh
Refresh the current Record List.
Subscribe to Alerts
Subscribe to alerts associated to your current container.
Add / Remove from Favorites
Creates a link in your Favorites menu to the selected record or container.
Click a second time to remove this object from your Favorites menu.