
Example: Onboard users from an Active Directory target

This example describes how to manage an Active Directory target and onboard accounts to be managed by a team.

Install the components

The following components are required for this example:

  • RefBuild.pam_team_management.

  • Scenario.pam_system_type_vault.

Manage the Corporate AD target system

  1. Click Manage the system > Resources > Target systems > Manually defined.

  2. Select the Corporate AD target system.

  3. Select Automatically create a Privileged Access Manager managed system.

  4. Click Change next to the Address field and enter the domain for your environment.

  5. Click Continue.

  6. Click Update.

  7. Click the Credentials tab.

  8. Enter your target’s credentials.

  9. Click Update.

  10. Click Maintenance > Auto discovery, then click Execute auto discovery.

  11. Click Continue.

  12. Click Privileged access > Managed system policies.

  13. Select the ONBOARDED_ACCOUNTS managed system policy.

  14. Click the Member systems tab.

  15. Click Add new….

  16. Select the Corporate AD managed system and click Select.

Create and set up a team

Create a team administrator:

  1. Click Manage the system > Policies > User classes.

  2. Select the PAM_TEAM_ADMINS user class.

  3. Click the Explicit users tab.

  4. Click Select.

  5. Search and select a user.

  6. Click Add.

This user can now log in and create, delete and manage teams.

  1. Log into Front-end (PSF) as the team administrator.

  2. Click Manage Resources.

    The Pre-defined requests page is displayed.


    The team administrator can create, delete and manage teams using these pre-defined requests.

  3. Click Team: Create.

    Bravura Security Fabric displays the team creation wizard.

  4. Enter the following information:

    • Team Name: Vault-Management-Team

    • Team Description: Team to manage system vault

    Click Next.

  5. Add six groups. Use the "More" icon to add more team name fields to the list.

    • Team Trustees: Users who can make team management requests.

    • Account Trustees: Users who can make account management requests (onboard accounts).

    • Approvers: Users who allow or disallow access requests.

    • Auto Approved: Users who can check out access to systems and accounts without making an access request.

    • Requesters: Users who can make access requests.

    • Credential_Managers: Users who can override or randomize the stored password on a checked-out account.

    • System Trustee: Users who can make system management requests (onboard systems).

  6. Click Next and add team descriptions.

    Click Next.

  7. Assign privileges to the team groups:

    • Team Trustees: Team trustees

    • Account Trustees: Account trustees

    • Approvers: Approvers

    • Auto Approved: Auto_Approved and Requesters

    • Requesters: Requesters

    • Credential Managers: Requesters and Credential_manager

    • System Trustees: System trustees

    The Credential_Manager privilege allows a user to override or randomize the stored password on a checked-out account.


    Click Next.

  8. Set the initial team trustees for the new team. There must be at least one team trustee to create a team.

  9. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

  10. Click the View request link at the top of the page to view the status of the request.

    Once the request has been approved, the team will be configured.

Add users to the additional groups in the team

  1. Log into Front-end (PSF) as a team trustee.

  2. From the home page, click Manage Resources.

  3. Click Team: Manage Group Membership.

  4. Select the Vault-Team.

    Click Next.

  5. Select the Account Trustees, Approvers, Auto Approved, Requesters, System Trustees, Vault Trustees, Credential Managers and Team Trustees groups.


    Click Next.

  6. Add members to each team group.

  7. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

  8. Click the View request link at the top of the page to view the status of the request.

Once submitted and approved, the group’s membership will be updated to include the selected users.

Onboard the Corporate AD system

  1. Log into Front-end (PSF) as a superuser.

  2. Click Manage the system > Privileged access > Managed systems.

  3. Select the Corporate AD managed system.

  4. Enter the name of the team that will manage this system.

  5. Click Update.

Onboard Corporate AD accounts to a team

  1. Log into Front-end (PSF) as the account trustee for the corporate AD team.

  2. Click Manage Resources.

  3. Click Account: Onboard.

  4. Select an account to be managed by the corporate AD team.

    Click Next.

  5. Select the standard policy as the Managed System Policy ID.

  6. Enable View and Copy Password.


    Click Next.

  7. Select the Corporate AD Accounts Team as the account team.

  8. Click Next.

  9. Click Next.

  10. Enable Allow override and randomization of password.

  11. Click Submit.

    Once the request has been approved, trustees of the AD Corporate team can manage accounts on this system.