
Commonly Used PAM Advanced Features

The PAM system contains many features. Some of the Advanced features are documented here.

For additional support email pamsupport@osu.edu

Available Password Changers

The following account types support automatic password changing:

  • Active Directory
  • eDirectory (LDAP)
  • Carmen Local Account (instructure.com)
  • Code42 (CrashPlan)
  • Linux account
  • Linux accounts using SSH
  • Linux SSH keys
  • AWS Redshift user
  • Security Center (Tenable)
  • SQL users
  • Windows Local user

Additional password changers are available but not active. Contact pamsupport@osu.edu to enquire about additional password changers.

Custom password changers can easily be written for many applications that expose a REST API. To create a custom password changer, see the documentation and examples at https://code.osu.edu/pam/code.

Available Dependency Scripts

Dependency Scripts run immediately after a password rotation, and are used to update the password on a client system or configuration item.

  • GitLab Environment Variable (Code.OSU.EDU)
  • IIS Application Pool
  • Remote File
  • Scheduled Task
  • SSH Key
  • Windows Service
  • Trigger Remote PowerShell Script

Account Checkout

Account Checkout ensures a secret is accessed by only one user at a time. This feature is generally referred to as break-glass access. Account Checkout can be used to protect highly privileged accounts or to prevent password sharing. Checkout is typically enforced via secret policy. The default checkout policy turns on auto-change, checkout and a required comment, and sets a default checkout duration. The checkout duration can be custom configured.

After expiration of the checkout duration, or after forced check-in, the password will be expired and a remote password change will be queued as configured in Configure Remote Password Changing.

  1. Navigate to your service’s folder on the left side of the screen and expand it.
  2. All available accounts are now shown in the middle of the screen.
     Optional: add “Checked Out” as a column so you can easily see which accounts are checked out.
     a. Click the Settings icon.
        [Screenshot: Settings icon highlighted to add Checked Out as a column]
     b. Check “Checked Out” and click Save to add it as a column.
        [Screenshot: Checked Out selected in the displayed columns menu]
  3. Click the display name of the available account you want to check out.
     [Screenshot: Display name in the third column highlighted]
  4. Click the Checkout button.
     [Screenshot: Checkout button]
  5. Click the Enter Comment button and enter a reason for the checkout.
     [Screenshot: Enter Comment window]
  6. Click the Eye icon to unmask the password.
     [Screenshot: Basic Information screen with the hide/unhide toggle highlighted]
  7. Once the customer is finished with the secret, click Check-in or allow the checkout duration to expire.
     [Screenshot: Check-in duration or Check-in option]

Comment Required on View

Users can be required to enter a comment before viewing or editing a secret. This feature is most frequently used with Account Checkout.

Secret Access Approval

Users can be required to obtain Access Approval from a manager or other user before accessing a secret.

Email Notifications

Users can receive email notifications for Secret View, Secret Change or Heartbeat failure.

These settings can be enabled for a specific secret on secret's Settings tab, or for all secrets a user has access to in User Preferences.

[Screenshot: Email notifications window; the Edit button is in the upper right corner]

Import Secrets

Secret Server discontinued support for bulk import of secrets. Instead, users can use Secret Server's REST API to create secrets in bulk. To successfully create secrets via the API, the user must have the “Edit” permission on the destination folder(s).

A sample PowerShell script is available at https://code.osu.edu/pam/code/-/blob/master/Powershell_Examples/Upload-SecretsByTemplate.ps1

To use this script:

  1. Create a secret of the same template type in the folder you plan on importing to.
  2. Use Invoke-RestMethod -Method Get -URI "URL/api/v1/secrets/SID" (URL is your Secret Server URL, SID is the sample secret's ID) to get the sample secret's data model.

  3. Edit the post body to match the secret field values.
  4. Create a CSV containing secrets to import with the columns: Name, FolderId, SiteId, and one column for each field in items.
  5. Set values for $TemplateID, $CSVPath, and $URL.
  6. Run Script.
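The steps above, carried out in an added PowerShell illustration. This is not the linked Upload-SecretsByTemplate.ps1 script; it assumes a bearer token ($Token) has already been obtained for an account with Edit on the destination folders, that the sample secret's JSON carries its fields in an "items" array (as the Secret Server REST API returns them), and that the CSV has the columns Name, FolderId, SiteId plus one column per template field.

```powershell
# Added example, not the repo's script. Assumes $URL, $TemplateID, $CSVPath (step 5),
# the ID of the sample secret created in step 1, and an already-issued bearer token.
param(
    [Parameter(Mandatory)] [string] $URL,
    [Parameter(Mandatory)] [int]    $TemplateID,
    [Parameter(Mandatory)] [string] $CSVPath,
    [Parameter(Mandatory)] [int]    $SampleSecretID,
    [Parameter(Mandatory)] [string] $Token
)

$headers = @{ Authorization = "Bearer $Token" }

# Step 2: fetch the sample secret to learn the template's data model (field names live in "items").
$sample     = Invoke-RestMethod -Method Get -Uri "$URL/api/v1/secrets/$SampleSecretID" -Headers $headers
$fieldNames = $sample.items | ForEach-Object { $_.fieldName }

# Step 4: one CSV row per secret; fail early if a required column is missing.
$rows    = Import-Csv -Path $CSVPath
$missing = (@('Name', 'FolderId', 'SiteId') + $fieldNames) |
           Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing columns: $($missing -join ', ')" }

foreach ($row in $rows) {
    # Step 3: copy the sample's field model and substitute this row's values.
    $items = foreach ($item in $sample.items) {
        @{
            fieldId   = $item.fieldId
            fieldName = $item.fieldName
            slug      = $item.slug
            itemValue = $row.($item.fieldName)
        }
    }
    $body = @{
        name             = $row.Name
        folderId         = [int]$row.FolderId
        siteId           = [int]$row.SiteId
        secretTemplateId = $TemplateID
        items            = $items
    } | ConvertTo-Json -Depth 5

    try {
        $created = Invoke-RestMethod -Method Post -Uri "$URL/api/v1/secrets" -Headers $headers `
                                     -Body $body -ContentType 'application/json'
        # Log only the new ID and name; never echo field values (passwords) to the console or a transcript.
        Write-Output "Created secret $($created.id): $($row.Name)"
    } catch {
        Write-Warning "Failed to create '$($row.Name)': $($_.Exception.Message)"
    }
}
```

The column check before the loop is what turns a malformed CSV into one clear error instead of a partial import; securely delete the CSV once the run succeeds, since it holds the cleartext field values.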

If you are not comfortable using this process, please contact pamsupport@osu.edu for assistance.

Users wanting to use a different scripting language can find the REST Documentation in the help menu at the top right of any Secret Server page.

Web Password Filler

The Web Password Filler allows access to your secrets directly from the browser extension. The extension automatically identifies credential fields on a web page and populates them from existing Secrets; it also detects manual entry of new credentials and offers to save them as a secret.

You can download the Web Password Filler directly from your browser's extension store using the links below.

  • Chrome
  • Firefox

After installing the extension, configure the following settings within the Secret Server extension:

When prompted, log in using your OSU Name.# and password, then complete two-factor authentication.

Secret Launcher

Secret Launchers allow a user to launch an RDP or SSH session without exposing the credential to the user. Custom launchers are available. Contact pamsupport@osu.edu for additional information on creating custom launchers.

Session Recording

Session Recording is an advanced feature that builds on the RDP and SSH launchers. When configured, user sessions launched through a secret launcher can be recorded.

Links to Additional Resources


Additional Vendor Documentation

Additional vendor documentation is available at https://docs.delinea.com/online-help/secret-server/start.htm. To request access to private articles, please contact PAMsupport@osu.edu.

Vendor Provided Code Examples

Thycotic provides some code examples on their GitHub: https://github.com/thycotic

OSU Provided Code Examples

OSU-specific code examples are collected at https://code.osu.edu/pam/code. Please feel free to merge your additional code examples into that repo.

Managed PAM Script Repo

Managed scripts, including password change and heartbeat scripts, can be found at https://code.osu.edu/pam/managed-scripts. To review or submit your own password changer, please use the fork/merge process in that repo.