Records
A record, sometimes referred to as a secret, is an asset stored within PAM that contains sensitive information shared between users and whose access and use are audited.
Records are built from Record Types that define the type of asset that is being managed.
Records can be organized by Containers (folders or vaults), which allow for easier management using inheritance and reporting.
Create a New Record
From within your desired container, click the Add Record button and select the Record Type to use from the dropdown menu list.
The chosen Record Type will contain all the relevant fields for the creation of your new Record.
If you cannot decide which to choose or one that fits your requirements is not present, talk with your System Administrator about creating a Custom Record Type.
NOTE: The ability to create new records is provided by the permissions that have been granted to your account. If you do not have the Add Record button, then you lack the permission required to create new records. Talk with your PAM System Administrator for more information.
Create New Record Page
On the new Record page, you will be presented with a list of fields to populate. These fields are generated based on the current configuration of the Record Type.
Populate all the fields as you require and click the Save or Save and Return button to complete the record creation.
Both the Name and Description fields will be visible and searchable from the Records List page, so it is recommended to use relevant, non-sensitive values.
Viewing a Record
To view any record, locate it within one of your accessible views (All Records, Shared With Me, Favorites or Search results) and either click on the Record Name or choose the View option from the record’s Action menu (…).
If a record is linked, then the path of each linked instance of this record will appear as clickable hyperlinks below its description in the Record List view.
When viewing a record, the following information and options may be available based on the level of permission that you have been granted to this record and the operations that have been enabled on it:
Breadcrumb Path | Displays the full path location of this object. If the object has multiple parents, then it will have a breadcrumb path for each linked parent. |
Go to Parent | Navigates back to the parent container. If multiple parents, select the parent to navigate back. The record’s breadcrumb will also display the path of each parent container that you may also click on to navigate to a different location. |
Connect | Creates a secure remote session to this managed asset or endpoint. |
Execute | Executes the selected task that has been configured with an on-demand policy event. |
Unlock/Lock | Unlocks the secured fields enabling you to Show or Copy to Clipboard the secured value. After unlock, this button becomes a Lock option to return the value to its locked and masked state. |
Audit Log | Displays the audit events specific to this record including Timestamps, Users, IP Addresses and Events. |
Change History | Displays the history of changes that have been made to the values of this record. |
Sessions | Displays all the secure remote sessions, both Active and Completed, that have been established with this record. Also provides access to Session Video Recordings, Events, Join, Terminate and Recording Export or Download options. |
Job History | Displays all the Jobs or Tasks that have been executed with this record, including details, timestamps and users. |
Grant | Provides the option to Grant Access to this record using an existing Workflow Template and Binding. |
Manage | Provides a menu of options to manage this record including Command Control Policies, Formula, Permissions, Tasks, Workflows and Archive state. |
Edit | Switches the record into Edit mode so that the record values can be modified. |
Subscribe to Alerts | Allows the user to subscribe to alerts for this record. |
Add/Remove Favorite | Adds or Removes this record from the user’s Favorites list. |
Anonymous Link | Generate an anonymous link associated to this record. |
Request <Name> | If you are bound by a workflow template, your Connect, Execute or Edit buttons will be shown with a Request label. You must first request and gain approval before you can access these options. |
Split View
To comply with specific security policies, maintain regulatory compliance and enforce segregation of duty, it may become a business requirement to ensure that no single user has access to the entire secret or password string within a record.
Some refer to this functionality as the “Two-person rule” because it requires one user to retrieve the first part of a password and a second user to retrieve the remainder, thus requiring two people to reconstruct the full password string.
When this Split View feature is enabled, the Unlock option will either reveal the first part of the record’s password or the second part, based on the system’s configuration.
This prevents a single user from ever being able to Unlock the complete password for a record.
If you see only half of the password when you click Unlock, then your System Administrator has enabled this feature.
Speak with your System Administrator for assistance if you need to retrieve the other half of the password.
Editing a Record
When you wish to make changes to an existing record’s values, you first need to switch the record to Edit Mode.
You can switch to Edit Mode by either first viewing the record and then clicking the record’s Edit button or you can select the Edit option from the Records List page by opening the record’s Action menu (…).
All changes made to the record values will be captured to the record’s Change History, including timestamp, user and changed values.
Additionally, an Edit event will be logged to the record’s Audit Log.
When you are finished with the modifications, click either the Save or Save and Return button to save your changes.
Sharing a Record
Records can be shared with other users that have access to the system. To share a record with another user(s) or group, click the Share button for this record on the Record List page or select the Permissions option located in the record’s Action menu (…).
Additionally, if you are already viewing the record you wish to share, click the Manage > Permissions option to open its sharing or permissions page.
Before you share a record or container, it is recommended to understand its current inheritance.
Records can either have inherited permissions or unique permissions.
NOTE: Permissions are configured by default to inherit from the object’s parent container. When sharing a record, you will either need to share the parent container so that through inheritance this record is also shared (along with all other child objects in the parent container) or you can break inheritance and create unique sharing permissions for an individual record.
Both scenarios are equally supported, but you should consult with your object Owner or PAM System Administrator for guidance and recommendations.
A record with inherited permissions (example shown below) has permissions that originate from its parent.
This means if you want to share a record with inherited permissions, then you must share its parent object.
Modifying permissions on a parent object will then affect all other objects that inherit permissions from it as well.
When viewing the permissions of an object with inherited permissions, the button Make Unique will be visible and you will see the inherited from <Parent> text in the header.
Clicking this Make Unique button will break the permission inheritance of this object to its parent and create a unique permission list that can be modified as needed.
A record with unique permissions or broken inheritance (example shown below) has permissions that do not originate from a parent and are unique to this object.
This means if you want to share a record with unique permissions, then you can do so without affecting the permissions of any other object.
When viewing the permissions of an object with unique permissions, the button Inherit from Parent will be visible.
Clicking this Inherit from Parent button will remove all unique permissions and reestablish inheritance from this object’s parent.
To Grant permissions to the selected object:
Access the object’s permissions page by using the Share button or Manage > Permissions option.
Click the Grant Permissions button to open the dialog.
In the Principal field, enter the user(s) or group(s) that you wish to share with and then click the Add button. You may also use the Search button to locate your principal.
Configure the object permissions that you wish to grant to the selected principal(s).
Finally, click the Select button to complete the sharing or granting process.
To Edit existing permissions to the selected object:
Access the object’s permissions page by using the Manage > Permissions option.
In the list, locate the Principal whose permissions you want to edit and click the Edit button in the Actions column.
In the Grant Access dialog, confirm the principal is correct and then modify their permissions as required.
Finally, click the Select button to complete the edit process.
To Revoke existing permissions to the selected object:
Access the object’s permissions page by using the Manage > Permissions option.
In the list, select the Principal whose permissions you wish to revoke by checking their box, then click the Revoke Permission button.
Confirm your action to revoke the selected permissions in the confirmation dialog.
For ongoing maintenance and auditing, the Access Report button will generate a list of all users, unwound from any group membership, as well as their Permissions to this object.
This report is helpful when determining how a user gained access to an object and with what level of permission.
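The inheritance rules and the Access Report described above can be modelled in a few lines. This is an added example, not the product's code or API: the Node class, the group membership, the permission names and the choice to seed Make Unique with a copy of the inherited list are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: group membership is an assumption, not a product export.
GROUPS = {"dba-team": {"alice", "bob"}, "helpdesk": {"carol"}}

@dataclass
class Node:
    """A container or record; acl maps principal -> set of permission names."""
    name: str
    parent: Optional["Node"] = None
    acl: Optional[dict] = None  # None means "inherit from parent"

    def source(self):
        """Return the node whose permission list actually applies here."""
        node = self
        while node.acl is None:
            if node.parent is None:
                raise ValueError(f"{node.name}: root needs its own permissions")
            node = node.parent
        return node

    def make_unique(self):
        """Break inheritance (assumed to start from a copy of the inherited list)."""
        self.acl = {p: set(perms) for p, perms in self.source().acl.items()}

    def inherit_from_parent(self):
        """Remove all unique permissions and follow the parent again."""
        self.acl = None

def access_report(node, groups=GROUPS):
    """Per-user permissions with groups unwound, plus how each was gained."""
    src = node.source()
    report = {}
    for principal, perms in src.acl.items():
        # A principal that is not a known group is treated as a single user.
        for user in sorted(groups.get(principal, {principal})):
            entry = report.setdefault(user, {"perms": set(), "via": []})
            entry["perms"] |= perms
            entry["via"].append(f"{principal} on {src.name}")
    return report

if __name__ == "__main__":
    # Constructed hierarchy: one vault holding one record that inherits.
    vault = Node("Prod Vault", acl={"dba-team": {"View", "Unlock"}, "carol": {"View"}})
    record = Node("db01 root", parent=vault)
    for user, entry in access_report(record).items():
        print(user, sorted(entry["perms"]), entry["via"])
```

The "via" column is what answers the review question: it names the principal and the object where the grant was made, so a grant on a parent container is distinguishable from one made directly on the record.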
Deleting a Record
Records can be deleted only from the Record List view. Locate the record you wish to delete from within its Parent Container, open the record’s Action menu and select the Delete option.
Confirm your operation in the confirmation dialog by clicking the Delete button (or Cancel to not delete) to complete the process.
You can delete a container using the same method as described with a record; however, a container that contains child objects cannot be deleted.
You must first delete all child objects before you can delete this parent container.
Managing a Record
The Manage menu options allow for advanced configuration of the record.
By default, these configurations inherit from their parent so in order to make changes you will either need to update the parent or break inheritance to this record and make updates as required (using the Make Unique button).
Command Controls | Defines all the command control policies that are associated to this record. |
Formula | Defines the password complexity formula that will be used when generating passwords. |
Permissions | Defines the users and groups that have permissions to this record. |
Tasks | Defines all the tasks that are associated to this record. |
Workflows | Defines all the workflow bindings that are associated to this record. |
Archive/Restore Records
A record that has been switched to the Archive state is one where some of the functionality has been limited (Tasks, Connection and Editing) but the record itself remains in its current location with its current configuration and logs.
For details, please read our Object Archiving article.
To place a record in an Archived state, choose the Archive option located in the Manage menu. Records in an archived state will appear visually different from non-archived records.
To restore a record from an Archived state, choose the Restore option located in the Manage menu.
Working with Multiple Records (Bulk Actions)
The Bulk Actions menu allows you to perform a single action against all your selected records. To use the Bulk Actions menu, first select one or more records using each one’s checkbox and then open the Bulk Actions menu and choose your intended operation.
Depending on your selection, the operation may generate a form that needs to be populated, it may generate a confirmation dialog before executing the operation, or the action may automatically be executed.
Your permissions are verified against each record before the operation itself is executed.
For example, if you select two records, one record that you have permissions to delete and a second which you do not, and choose the Bulk Actions > Delete option, the system will verify your permissions and only delete the one record for which you have permissions to delete.
At the conclusion of any Bulk Action, a status report will be generated to show the results for each selected record.
Clipboard Actions (Copy, Cut, Paste, Link)
You can rearrange or reorganize both your Records and Folders (Vaults cannot be used with Clipboard actions) using standard clipboard actions like Copy, Cut, Paste and Link.
These clipboard actions can be performed with a single record or folder or can be done in bulk using the Bulk Actions menu options.
Copy | Use Copy to add the selected object(s) to your session’s clipboard to be copied (duplicated to a new location). |
Cut | Use Cut to add the selected object(s) to your session’s clipboard to be moved to a new location (deleted from the current location). |
Paste | Use Paste to paste your clipboard object(s) to this current parent container. Paste will create a duplicate copy of the original object(s) or it will move (cut) the original object(s) to this new location. Objects created using Paste will inherit permissions from their new parent; any unique permissions will be lost. |
Link | Use Link to create a linked object of the original in this new location. Linked records allow you to have the same object appear in multiple locations. Deleting a linked record will only delete the selected instance, leaving the remaining linked records in place. Deleting the last link will trigger deletion of the object. Objects created using Link will retain the inherited permissions from their original parent or their unique permissions as configured. |
TIP: You must have permissions to the object in both the original and new locations to successfully complete clipboard actions.
Note: There is a difference between Copy/Paste and Cut/Paste:
The Cut action moves the object to a new location (it is deleted from the current location).
The Copy action just copies the object (it is duplicated to a new location).
With Copy/Paste, the object won’t inherit any properties from the previous one.
When a PAM User performs Copy/Paste actions, a new object is created.
When a PAM User performs Cut/Paste actions, the same objects are moved to a different location.
Finding Objects
All non-Personal Vault records and containers are stored in the same All Records or Root Folder within Access Manager.
Depending on which is most convenient for you, locating specific records can be done easily with any of the following methods:
You can navigate through the container hierarchy to find your record by Name or Description.
You can use the Search records… bar to find your record by Name, Description or other indexed field values. You may also save your custom search query to your Searches menu for later access by using the Add/Remove Favorites button.
You can add your most frequently used records or containers to your Favorites list to easily organize them in your left navigation menu.