UseCase4_UserAccessPolicies - sandersdHES/PAMEmergingTech GitHub Wiki
This use case demonstrates how to:
- Create and configure users in PAM360
- Share only the necessary resources securely
- Define role-based privileges
- Enforce Access Control Policies to protect sensitive credentials
In a secure environment, it's essential to give users only the access they need—nothing more. PAM360 helps organizations achieve this with fine-grained user roles, resource sharing, and approval workflows for accessing privileged data.
We will walk through the process of:
- Creating a basic user
- Assigning roles and permissions
- Sharing resources
- Enforcing approval-based password access via Access Control Policies
- Navigate to Admin > Users > Add User
- Fill in the required fields:
  - First Name, Last Name, and Username
  - Email Address (used for notifications)
- Select a Role; for this example, use Password User. This role allows:
  - Viewing shared passwords
  - No management or administrative rights

  You can also define custom roles if the default ones don't fit your use case.
- Scope: Select Passwords Owned and Shared
  - Choosing All Passwords makes the user a Super Administrator
- Under Password Setup, select Generate Password
  - This sends login credentials to the user's email
- Leave remaining fields as default and click Add User

The new user receives an email with:
- Role description
- Login credentials

By default, the user has no access to resources.
- Go to Resources
- Select the target machines (e.g., Windows and Linux)
- Choose Share > Share Resource
- Grant View Passwords permission only

- Log in as the new user
- The system prompts a password change for security

After login, the user will:
- Be directed to the Resources tab
- See only the machines that were shared

When the user opens a resource:
- Only “View” and “Verify Password” actions are available
- Options like “Change Password” are disabled (greyed out)

To go further and restrict access based on time, approval, or session, enable Access Control Policies.
- Log in as Administrator
- Go to the resource and click Resource Actions > Configure Access Control
- Define Approvers (e.g., Admin account)
  - They will review and approve access requests
- Define Exempt Users (e.g., Admins with auto-access)
- Configure advanced options as shown in the screenshot
- (Optional) Skip manual approval for specific time windows
- Click Save & Activate

- Log back in as the Password User created earlier
- Navigate to a shared resource and open it; the password is no longer visible and is replaced by a “Request” button
- Click Request to request password access

- Fill in a reason and select “Now” for access time

- Admin logs in and sees the request on the dashboard

- Go to Admin > Access Review > Password Access Requests

You will see the list of password access requests, each with a “Process Request” field.

- Click Process Request > Approve and add a reason

- The user will be notified by mail that the password is now accessible, along with approval details

- Go back to the previously created user and click “Check out”. A message tells you that you have 30 minutes, after which the password will be revoked. Click “Check out” again.

You can now access the machine and see the password.


- Once this is done, click “Check in”. If you try to log in again, it will fail, since you need a new approval to connect to the machine after checking in.

If the admin rejects the request, the user receives a denial email. The password remains inaccessible, but the user can still submit a new request later.
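
The request, approval, check-out and check-in cycle described above, modelled as an added example so the expected denials can be written down and checked when validating a policy. This is not PAM360 code or its API; the class, method and user names are hypothetical, and the 30-minute window is the value shown in the walkthrough.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Toy model, not PAM360 code: class, method and user names are hypothetical.
CHECKOUT_WINDOW = timedelta(minutes=30)  # check-out duration shown in the walkthrough

@dataclass
class ResourcePolicy:
    approvers: set
    exempt_users: set = field(default_factory=set)
    status: dict = field(default_factory=dict)  # user -> requested/approved/rejected
    expiry: dict = field(default_factory=dict)  # user -> end of current check-out

    def request(self, user):
        self.status[user] = "requested"  # also allowed after a rejection

    def process(self, approver, user, approve):
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if self.status.get(user) != "requested":
            raise PermissionError(f"no pending request from {user}")
        self.status[user] = "approved" if approve else "rejected"

    def may_check_out(self, user):
        return user in self.exempt_users or self.status.get(user) == "approved"

    def check_out(self, user, now):
        if not self.may_check_out(user):
            raise PermissionError("approval required before check-out")
        self.status.pop(user, None)  # one approval covers one check-out
        self.expiry[user] = now + CHECKOUT_WINDOW

    def can_view(self, user, now):
        return user in self.exempt_users or (user in self.expiry and now < self.expiry[user])

    def check_in(self, user):
        self.expiry.pop(user, None)  # password is hidden again immediately

def walkthrough():  # replays the page's scenario with constructed users and times
    t0 = datetime(2025, 1, 1, 9, 0)
    p = ResourcePolicy(approvers={"admin"}, exempt_users={"admin"})
    seen = {"before_request": p.can_view("pwuser", t0)}
    p.request("pwuser")
    p.process("admin", "pwuser", approve=True)
    p.check_out("pwuser", t0)
    seen["checked_out"] = p.can_view("pwuser", t0 + timedelta(minutes=29))
    seen["after_30_min"] = p.can_view("pwuser", t0 + timedelta(minutes=30))
    p.check_in("pwuser")
    seen["second_checkout_allowed"] = p.may_check_out("pwuser")
    return seen
```

The four values returned by `walkthrough()` are the checks to repeat by hand in the console after activating a policy: no access before a request, access during the check-out, no access once the window ends, and no second check-out without a new approval.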
This use case demonstrates how PAM360 allows secure, policy-driven user access by:
- Creating role-limited users
- Sharing only required resources
- Applying approval-based access policies
- Auditing password check-outs and enforcing check-ins
With PAM360, organizations ensure that users access only what they are authorized to, and admins maintain complete control and visibility over privileged operations.