Defining a new local user in PAM


Article ID: 187182


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How can I define a new user manually in PAM?

Environment

3.3.2

Resolution

Most commonly, users are imported from AD\LDAP. There may also be a need to create users manually for testing or local use.

Define a new user
Users are people who can log in to CA PAM:
*  Created users
*  Imported users from CSV file
*  LDAP Users imported from AD\LDAP
*  RADIUS or PKI Users (added to PAM at first login)
Roles assigned to the user are inherited from the group assignment.



Users can also be assigned roles individually.
In the "Groups" area you can see the groups the user is a member of and manually add group membership (seen in Groups tab above).
User groups allow for common sets of users to inherit the same roles, authentication methods, and other variables.
Modifying the roles of a group changes the roles of all its members. Groups can also be used when creating access policies, instead of creating a policy for each individual user.
A role is a predefined set of privileges in its functional area. PAM has many pre-defined roles that satisfy most requirements; however, custom roles may also be created using built-in granular privileges. Standard User is the common role assigned to general users accessing devices.
All of the members of the group are listed in the Users area of the User Group form.

Create a user and user groups
1.  Users\Manage Users\ Click ADD
2.  Add user info (TestUser)
3.  Click ROLES (the user will be a member of standard)
4.  Click OK
5.  TestUser will appear
We will now create a User Group for our team/department
6.  \Users\Manage User Groups
7.  Click ADD
8.  Enter group name (TestGroup)
Add the Global Administrator role and remove any others
9.  Click Roles tab
10.  Click the +
11.  From the dropdown of the new role, select "Global Administrator"
12.  Click the X next to Standard User to remove this other role.
13.  Click Users tab
14.  Select "TestUser" and the >> arrow to select the user.
15.  Click OK
16.  \Users\Manage Users
17.  Select "TestUser"
18.  Select Roles tab and "View Inherited roles"
19.  Notice the Global Administrator role inherited from the group role assignment.



20.  Click Groups
21.  The group membership is TestGroup
You can now launch the PAM client and log in with TestUser
22.  As TestUser, click the \Access link (top left). No access policies are available to this TestUser.


More information on this topic can be found in the PAM documentation:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3/reference/import-and-export-data-for-provisioning/user-groups-and-users.html
