Creating a user

Warning

Data model objects (safes, users, servers, accounts and listeners) are replicated within the cluster; do not add object instances separately on each node. If the replication mechanism fails to copy objects to the other nodes, contact the technical support department.

Warning

When creating a User object for MySQL connections, note that the MySQL server caching_sha2_password plugin isn’t supported by Fudo PAM. The MySQL plugins supported by Fudo PAM are mysql_native_password and mysql_old_password. The server plugin should be set to mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf, and the User object must be created with the mysql_native_password plugin.

  1. Click the + icon next to the Users tab in the Management sub-section,
[Image: 5-1-add-user-from-menu.png]

or

  1. Select Management > Users and then click Add.
[Image: 5-1-add-new-user.png]

Note

Fudo PAM enables creating users based on existing definitions. Click the desired user to open its configuration parameters, then click Copy user to create a new object based on the selected definition.

[Image: 5-1-copy-user.png]
  1. Enter the user login.

Note

  • While there can be more than one user with the same username, the login and domain combination must be unique.
  • The Login field is not case sensitive.
  1. Enter the Fudo domain.

Note

  • With a Fudo domain specified, the user will have to include it when logging into the administration panel or when establishing monitored connections.
  • With the default domain, the user can either include the domain or leave it out.
  1. Select the Blocked option to prevent the user from accessing servers and resources monitored by Fudo PAM.
  1. Define the account’s validity period.
  2. Select the user’s role, which determines the access rights.

Note

Access rights restrictions also apply to API interface access.

Role: user
  • Connecting to servers through assigned safes.
  • Logging in to the User Portal (requires adding the user to the portal safe).
  • Fetching servers’ passwords (requires an additional access right).

Role: service
  • Accessing SNMP information.

Role: operator
  • Logging in to the administration panel.
  • Browsing objects (servers, users, safes, accounts) to which the user has been assigned sufficient access permissions.
  • Blocking/unblocking objects (servers, users, safes, listeners, accounts) to which the user has been assigned sufficient access permissions.
  • Generating reports on demand and subscribing to periodic reports.
  • Managing email notifications.
  • Viewing live and archived sessions involving objects (user, safe, account, server) to which the user has been assigned sufficient access permissions.
  • Converting sessions and downloading converted content involving objects (user, safe, account, server) to which the user has been assigned sufficient access permissions.
  • Available dashboard widgets: concurrent sessions, suspicious sessions, account alerts, active users, cluster status, concurrent sessions chart.

Role: admin
  • Logging in to the administration panel.
  • Managing objects (servers, users, safes, listeners, accounts) to which the user has been assigned sufficient access permissions.
  • Blocking/unblocking objects (servers, users, safes, listeners, accounts) to which the user has been assigned sufficient access permissions.
  • Generating reports on demand and subscribing to periodic reports.
  • Activating/deactivating email notifications.
  • Viewing live and archived sessions involving objects (user, safe, account, server) to which the user has been assigned management privileges.
  • Converting sessions and downloading converted content involving objects (user, safe, account, server) to which the user has been assigned sufficient access permissions.
  • Managing policies.
  • Available dashboard widgets: concurrent sessions, suspicious sessions, account alerts, active users, cluster status, concurrent sessions chart.

Role: superadmin
  • Full access rights to object management.
  • Full access rights to system configuration options.
  • Available dashboard widgets: concurrent sessions, suspicious sessions, account alerts, active users, cluster status, concurrent sessions chart, license, system events log.
  1. Select the user’s preferred language for the Fudo PAM administration panel.
  2. Grant access to safes.

Note

  • Drag and drop safe objects to change the order in which safes are processed when a connection is established.
  • Click a safe to define its time access policy.
  • Click the Reveal password option to enable displaying the password on the User Portal (Access Gateway).
[Image: 5-1-time-access-policy-modal.png]
  1. Enter the user’s full name.
  2. Enter the user’s email address.
  3. Enter the user’s organizational unit.
  4. Enter the user’s phone number.
  5. Provide the user’s Active Directory domain.

Note

If there are two users with the same login, one of which has its domain set to the default domain and the other has no domain defined, Fudo PAM will report an authentication problem because it cannot determine which user is trying to connect.

[Image: 5-1-create-user-step1.png] [Image: 5-1-create-user-step2.png]
  1. Enter the LDAP service BaseDN parameter.

Note

  • The LDAP base is necessary for authenticating the user against the Active Directory service.
  • For example, for the example.com domain, the LDAP base parameter value should be dc=example,dc=com.
  1. In the Permissions section, select the users allowed to manage this user object and, in the case of operators/administrators, assign management privileges to the selected data model objects.

Note

Granting a user access to a given session requires assigning management privileges to the server, account, user and safe objects that were used in that connection.

  1. In the Authentication section, select the Authentication failures option to block the user automatically after exceeding the number of failed login attempts.

Note

The authentication failures counter is enabled only if the Authentication failures option is set in Settings > System, in the User authentication and sessions section.

[Image: 5-1-system-settings-auth.png]
[Image: 5-1-create-user-step3.png]
  1. Select the Enforce static password complexity option to force static passwords to conform to specified settings.

Note

Password complexity is defined in Settings > System in the Users authentication and sessions section.

  1. Select the authentication type.

External authentication

  • Select External authentication from the Type drop-down list.
  • Select the external authentication source from the External authentication source drop-down list.

Note

Refer to the External authentication topic for more information on external authentication sources.

Certificate

  • Provide a Subject that complies with the RFC 2253 or RFC 4514 requirements.

Note

Additionally, the CA certificate must be uploaded in the Settings > System tab. For more information about certificate authentication, refer to the Certificate-based authentication scheme topic.
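The LDAP base note above says the BaseDN for example.com is dc=example,dc=com, and the Certificate section requires a Subject in RFC 2253/RFC 4514 string form. The following added example (not Fudo PAM code) derives a BaseDN from a DNS domain and parses a Subject string with RFC 4514 escape handling, so a Subject such as CN=Doe\, John can be checked before it is typed into the form; it is simplified (single-valued RDNs only, no leading-'#' hex values).

```python
import re

# Added example, not Fudo PAM's own code: simplified RFC 4514 DN handling.
SPECIAL = set(',+"\\<>;')        # characters that must be escaped inside a value
HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")
ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")  # descriptor or OID


def domain_to_base_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com, the form the LDAP base field expects."""
    labels = [lab for lab in domain.strip().strip(".").lower().split(".") if lab]
    if not labels or any(not re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"not a DNS domain: {domain!r}")
    return ",".join(f"dc={lab}" for lab in labels)


def parse_dn(dn: str) -> list:
    """Return [(type, value), ...] for a DN with single-valued RDNs.
    Backslash escapes (\\, and \\2C style hex pairs) are decoded; an unescaped
    special character such as '+' or ';' in a value is an error."""
    rdns, buf, attr, in_value, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1] if i + 1 < len(dn) else ""
            if nxt and (nxt in SPECIAL or nxt in "=# "):
                buf.append(nxt); i += 2
            elif HEXPAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16))); i += 3
            else:
                raise ValueError(f"bad escape at offset {i}")
            continue
        if not in_value:                      # reading the attribute type
            if c == "=":
                attr, buf, in_value = "".join(buf).strip(), [], True
                if not ATTR_TYPE.match(attr):
                    raise ValueError(f"bad attribute type {attr!r}")
            elif c in SPECIAL:
                raise ValueError(f"unexpected {c!r} before '='")
            else:
                buf.append(c)
        elif c == ",":                        # end of this RDN
            rdns.append((attr, "".join(buf))); buf, in_value = [], False
        elif c in SPECIAL:
            raise ValueError(f"unescaped {c!r} in value at offset {i}")
        else:
            buf.append(c)
        i += 1
    if not in_value or not buf:
        raise ValueError("DN must end with a non-empty attribute value")
    rdns.append((attr, "".join(buf)))
    return rdns


def is_valid_subject(dn: str) -> bool:
    """True if the Subject string parses under the rules above."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```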

DUO

  • From the First factor drop-down list, choose Static password or External authentication (AD or LDAP).
  • Enter the DUO username.
  • Enter the DUO user ID.

Note

For more information about DUO authentication configuration, refer to the DUO authentication definition topic.

Password

  • Select Password from the Type drop-down list.
  • Type the password in the Password field.
  • Repeat the password in the Repeat password field.
  • Select Required password change on next login to have the user change the password on the next login attempt.

Note

If you select the Required password change on next login option, the user will not be able to access servers directly (bypassing the User Portal) using native protocol clients. The user will have to change the password using the User Portal (Access Gateway).

SSH key

  • Select SSH key from the Type drop-down list.
  • Click the i icon and browse the file system for the public SSH key used to verify the user’s identity.

One-time password

Warning

One-time passwords are used for implementing AAPM use case scenarios.

  • Select One-time password from the Type drop-down list.

SMS

  • Enter a phone number in the Phone field in the General section above.
  • From the First factor drop-down list, choose Static password or External authentication (AD or LDAP).

Note

For more information about SMS authentication configuration, refer to the SMS authentication definition topic.

OATH

Refer to the Two-factor OATH authentication with Google Authenticator page.

  1. Click Add authentication method to define more authentication methods.

Note

When processing user authentication requests, Fudo PAM verifies login credentials against the defined authentication methods in the order in which those methods were defined.

  1. In the Access gateway and AAPM permitted addresses section, click i and define the IP addresses used by the User Portal (Access Gateway) and the AAPM to communicate with Fudo PAM.
  2. Click Save.

Related topics: