In this article, you will learn everything you need to know about the Privilege Accounts and Session Management (PASM) product.
2. How do Privilege Accounts and Session Management (PASM) work?
3. Privilege Accounts and Session Management setup
4. Privilege Accounts and Session Management portal
5. Privilege Accounts and Session Management settings
Privilege Accounts and Session Management (PASM) is a standalone product (running on-prem on an Ubuntu server) that allows IT admins to control the servers of your organization. The product facilitates the management of servers and access by delegating permissions to specific users. Users can connect via RDP or SSH to servers according to their permissions for a specific amount of time. In terms of compliance, PASM records all the connections and events that take place when a user gets access to an endpoint.
HOW DO PRIVILEGE ACCOUNTS AND SESSION MANAGEMENT (PASM) WORK?
Privilege Accounts and Session Management (PASM) needs to run on an Ubuntu endpoint (physical or virtual machine) that is set up in the same network as your servers. Once installed, you can set up an admin account that will manage everything in PASM. To access the PASM interface, type the IP address of the endpoint in a browser and log in with the admin credentials. Once logged in, you get access to the portal and can set up connections to any of the servers in the organization for any user for a specific interval. End-users also get access to the PASM portal to request permission to connect to a specific server. Requests are approved by the PASM admin, who is notified about each new request through an alert sent to his email address.
PRIVILEGE ACCOUNTS AND SESSION MANAGEMENT setup
Privilege Accounts and Session Management (PASM) is set up on an Ubuntu endpoint by running the following command lines in the Terminal:
sudo apt-get update
sudo apt install docker-compose
sudo sh install.sh
The installer will guide you to set an admin user and password, and it will require you to select a settings path (where the settings are saved) and a recordings path (where the recordings are saved). It is recommended to create a PASM folder to store your settings and recordings (in the case below, we created a PASM folder in the user folder and, inside it, a settings folder and a recordings folder). When you specify the folders, make sure you specify them with their full path (example: /home/test/PASM/settings/ or /home/test/PASM/recordings/):
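The following Python helper is an added example and not part of the PASM installer or the original article. It prepares the settings and recordings folders the installer asks for, refuses relative paths (the installer expects full paths) and restricts both folders to the owner only, since session recordings and settings are sensitive. The base folder name and the 0700 mode are assumptions chosen for this example; the installer itself is interactive and is still run separately with `sudo sh install.sh`.

```python
import os

# Subfolders the PASM installer prompts for: a settings path and a recordings path.
SUBDIRS = ("settings", "recordings")


def prepare_pasm_dirs(base_dir):
    """Create <base_dir>/settings/ and <base_dir>/recordings/ and return their full paths.

    base_dir must be an absolute path (for example /home/test/PASM), matching the
    article's guidance to always give the installer the full path.
    Returns a dict {"settings": "/.../settings/", "recordings": "/.../recordings/"}.
    """
    if not os.path.isabs(base_dir):
        raise ValueError(f"PASM base folder must be an absolute path, got {base_dir!r}")

    paths = {}
    for name in SUBDIRS:
        # Keep the trailing slash so the value matches the form shown in the article.
        path = os.path.join(base_dir, name, "")
        os.makedirs(path, mode=0o700, exist_ok=True)
        # makedirs applies the process umask, so enforce owner-only access explicitly.
        # Assumption for this example: recordings and settings should not be world-readable.
        os.chmod(path, 0o700)
        paths[name] = path
    return paths


def folder_mode(path):
    """Return the permission bits of a folder (e.g. 0o700) for verification."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Constructed example base folder; replace with your own full path.
    for name, path in prepare_pasm_dirs("/home/test/PASM").items():
        print(f"{name} path to give the installer: {path}")
```

After running it, paste the two printed paths into the installer prompts; the full path is what the installer stores, so a relative path typed at the prompt would resolve against the installer's working directory instead of the folder you intended.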
PRIVILEGE ACCOUNTS AND SESSION MANAGEMENT portal
The Privilege Accounts and Session Management (PASM) portal allows the Admin to manage the connections performed in the organization and the end-user to request permissions to connect to a specific server/endpoint to perform their tasks/operations.
To start using Privilege Accounts and Session Management (PASM), the Admin needs to configure Connections to the servers/endpoints where end-users will remote in. From the Admin user account, navigate to Resources -> Connections and click Add connection:
Specify the required details and save the new connection.
The new connection will be displayed first in the Connections list:
From the Connections list, the Admin can add up to 10 connections to his Favorites list by clicking the star icon (next to the Connect button).
In terms of Permissions, the Admin can limit the access to the connection based on a user or a role. To do so, from the Permissions menu, you can add specific users or roles to the Permissions list. For each selection, the Admin can select specific permitted actions. The available actions are:
- Use - allows the user to connect to an endpoint without asking for permission but does not allow editing or viewing the connection details;
- Request - allows the user to connect to an endpoint only upon request and receiving approval. It does not allow editing or seeing the connection details;
- View - allows the user to see the endpoint and its details but it does not allow him/her to connect or perform any changes;
- Full - allows the user to view or edit the endpoint and its permissions without being able to connect to it. To connect to the endpoint, the Use/Request options are required;
- Expiration date - allows the user to use the granted permission for a specific amount of time. Upon expiration, permissions are revoked. The expiration date uses the server time (UTC).
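To make the interaction of these actions concrete, here is an added Python model of the permission semantics described above; it is an illustration, not PASM's own code or API. Grants are tied to a user or a role, Use and Request govern connecting (Request needs approval), View and Full govern seeing details, only Full allows editing, and an expired grant is treated as revoked using an aware UTC clock, as the article says the expiration date uses server time (UTC). The rule that Use takes precedence over Request when a user holds both, and all sample users and roles, are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Permitted actions listed in the PASM Permissions menu.
USE, REQUEST, VIEW, FULL = "Use", "Request", "View", "Full"


@dataclass(frozen=True)
class Grant:
    principal: str                    # a user name or a role name
    action: str                       # USE, REQUEST, VIEW or FULL
    expires_at: Optional[datetime] = None  # server time (UTC); None means no expiry


def is_active(grant: Grant, now: datetime) -> bool:
    """A grant is active until its expiration date; afterwards it is revoked."""
    if grant.expires_at is None:
        return True
    if grant.expires_at.tzinfo is None or now.tzinfo is None:
        # Comparing naive and aware times silently mixes time zones; refuse it.
        raise ValueError("expiration dates and 'now' must be timezone-aware (UTC)")
    return now < grant.expires_at


def effective_rights(grants: Iterable[Grant], user: str, roles: Iterable[str], now: datetime) -> dict:
    """Combine the active grants for a user and their roles into concrete rights."""
    principals = {user, *roles}
    actions = {g.action for g in grants if g.principal in principals and is_active(g, now)}

    rights = {"connect": False, "approval_required": False, "view_details": False, "edit": False}
    if USE in actions:                  # connect directly, no request needed
        rights["connect"] = True
    elif REQUEST in actions:            # connect only after the Admin approves a request
        rights["connect"] = True
        rights["approval_required"] = True
    if VIEW in actions or FULL in actions:
        rights["view_details"] = True   # neither View nor Full allows connecting
    if FULL in actions:
        rights["edit"] = True           # editing the endpoint and its permissions
    return rights


# Constructed sample grants for the example (not real PASM data).
SAMPLE_GRANTS = [
    Grant("alice", USE, expires_at=datetime(2024, 6, 1, tzinfo=timezone.utc)),
    Grant("bob", REQUEST),
    Grant("auditors", VIEW),            # a role, inherited by its members
    Grant("carol", FULL),
]


def sample_rights(user: str, roles=(), now=datetime(2024, 1, 1, tzinfo=timezone.utc)) -> dict:
    return effective_rights(SAMPLE_GRANTS, user, roles, now)


if __name__ == "__main__":
    for who, roles in (("alice", ()), ("bob", ()), ("dave", ("auditors",)), ("carol", ())):
        print(who, sample_rights(who, roles))
    print("alice after expiry", sample_rights("alice", now=datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

The model shows the point a reviewer of a permission set should keep in mind: Full alone never lets someone connect, and a Use or Request grant with an expiration date stops working at the UTC instant the server reaches, not the local time the Admin may have had in mind.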
The end-user can use Privilege Accounts and Session Management (PASM) by logging into the PASM portal and by requesting approval to connect to a pre-defined device. From the Requests section, the end-user needs to click the Request button to request access.
Pending requests are listed in the same view until the Admin approves or rejects them.
PRIVILEGE ACCOUNTS AND SESSION MANAGEMENT settings
In the General tab, you can configure miscellaneous settings: view and update the license key, view and update the PASM version when a new version is available on the server, view the TLS certificate, and view the audit log retention period.
In the Active Directory tab, you can set AD credentials and the DNS Address and test the connection:
In the Recordings tab, you can configure the settings for the session recordings. You can set the retention interval, the resolution, and the bitrate of the recordings.
In the Azure tab, you can set the Azure credentials used for Azure login. You must first test the connection and get a positive response before saving the changes.