Access to PAM may occur during the provisioning of certain accounts, such as Service Accounts, Privileged Accounts, and accounts for specific applications. For information on any of these types of accounts, see Provisioned Accounts.
There are a number of other use cases for PAM that may include shared folders for departments or teams and advanced automation. To request additional information or onboarding, please contact the PAM support team at PAMSupport@osu.edu.
Users, Departments, RMEs
User onboarding begins with the creation of a top level folder, and an access management plan. PAM is designed to allow distributed access management, so that the Department, Risk Management Entities (RME), or team, can make their own access management decisions.
To begin onboarding, contact PAMSupport@osu.edu and ask to schedule Access Manager Training. During Access Manager Training, we will discuss how to create folders, provision users, and assign user roles. Additionally, we will cover the basic functionality of using PAM, including when to leverage Secret Server or HashiCorp Vault for automated secret access.
Directories, Applications, Managed Accounts
Directories such as Active Directory or LDAP-compatible directories, and applications with local authentication stores, are onboarded with the same process.
The general process will be:
- Establish a Secret Server remote password changer.
- Create a Privileged Password Changing Account.
- Create a "Canary" monitoring account
- Enroll secrets.
For more details, contact the PAM support team at PAMSupport@osu.edu.
Account Management
PAM Account Management is the process of enrolling privileged and service accounts in PAM, and enabling password changing. Once secrets are configured, users will utilize PAM as the account's password changing portal. This process will include configuring the authentication store, configuring the password changer, and creating secrets. Additionally, the PAM team and service team will need to adjust procedures and documentation to provide a satisfactory experience for all customers.
Accounts in scope may be Service Accounts, individual (named) accounts with privileged access, or Administrator Accounts. The PAM team and Service team will collaborate to configure the desired settings and outcome for the project, and communicate these changes to the customers.
NOTE: This process is similar for any authentication store, but can be customized as necessary.
Preliminary and Planning Work
- Determine the type of secret to be created, password policy, and expiration.
- Develop a custom password changer if necessary.
- Configure the authentication source for PAM password changing.
  a. Set/update the password policy.
  b. Create a Privileged Password Changing Account.
  c. Create a "Canary" account for heartbeat and password change testing and monitoring.
  d. Configure firewalls as necessary.
- Pick the secret's final location:
  - Individual work folder
  - Managed folder
  - Shared folder
NOTE: If possible, the authentication store should enforce "user cannot change password" and should not disable or hard-lock the accounts. Once accounts are managed by PAM, passwords should not be set directly by admins or users.
Communication and Documentation
- Service team communicates new password changing procedures to customers through standard process.
- Service team updates KBs and user documentation as necessary.
- PAM team will add the account type to the Provisioned Accounts article on the PAM support site.
- Service Team creates/updates password expiration notification to users as necessary.
- Service team creates/updates new account and secret creation notification to users as necessary.
Secret Creation
- Service Team provides a report/list of existing accounts, with name, password last set date, and account owner, to the PAM team.
- PAM team compares the service account list to PAM secrets.
  - Create new secrets for accounts that do not exist.
  - Update or correct existing secrets as needed.
  - (optional) Set a future password expiration on secrets.
- PAM team moves existing secrets and creates folders as necessary for account owners.
- PAM team configures a "secret transfer" folder for creation of new Secrets.
- Service team utilizes secret transfer to create and distribute new secrets as new accounts are created.
- (optional) PAM team works with the Service Team to automate the new secret creation process.
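The comparison step above (account report versus existing PAM secrets) is the part of this procedure most worth automating. The following is an added example, not code from the PAM support site or from Secret Server or HashiCorp Vault: the record layouts, the `Managed/<owner>` folder convention, the `reconcile` function and the sample data are all assumptions constructed for illustration. It turns a service-team report into a plan of secrets to create, secrets to correct (owner, folder, missing expiration), accounts whose password is older than the policy maximum, and secrets with no matching account.

```python
"""Reconcile a service-team account report against existing PAM secrets.

Added illustration for the Secret Creation procedure; the data shapes and
the reconcile() logic are assumptions for this example, not a vendor API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class AccountRow:
    """One row of the service team's report (constructed format)."""
    name: str
    password_last_set: date
    owner: str


@dataclass
class Secret:
    """A secret as it exists in PAM (constructed format)."""
    name: str
    owner: str
    folder: str
    expires: Optional[date] = None


@dataclass
class Plan:
    create: list = field(default_factory=list)    # Secret objects to add
    update: list = field(default_factory=list)    # (secret name, changed fields)
    stale: list = field(default_factory=list)     # accounts past max password age
    orphaned: list = field(default_factory=list)  # secrets with no account in report


def owner_folder(owner: str) -> str:
    """Assumed convention: each owner gets a managed folder named after them."""
    return f"Managed/{owner}"


def reconcile(report, secrets, today: date, max_age_days: int) -> Plan:
    plan = Plan()
    expiry = today + timedelta(days=max_age_days)
    # Account names are matched case-insensitively; directory names usually are.
    by_name = {s.name.lower(): s for s in secrets}
    seen = set()

    for row in report:
        key = row.name.lower()
        seen.add(key)
        # Flag passwords older than the agreed policy, whether or not a secret exists.
        if (today - row.password_last_set).days > max_age_days:
            plan.stale.append(row.name)

        existing = by_name.get(key)
        if existing is None:
            plan.create.append(Secret(row.name, row.owner, owner_folder(row.owner), expiry))
            continue

        # Existing secret: collect only the fields that disagree with the report.
        changes = {}
        if existing.owner != row.owner:
            changes["owner"] = row.owner
        if existing.folder != owner_folder(row.owner):
            changes["folder"] = owner_folder(row.owner)
        if existing.expires is None:
            changes["expires"] = expiry
        if changes:
            plan.update.append((existing.name, changes))

    # Secrets whose account no longer appears in the report need a human decision.
    for key, secret in by_name.items():
        if key not in seen:
            plan.orphaned.append(secret.name)
    return plan


# Constructed sample data.
REPORT = [
    AccountRow("svc-backup", date(2023, 1, 15), "it-infra"),
    AccountRow("svc-web", date(2024, 3, 1), "web-team"),
    AccountRow("svc-ldapsync", date(2022, 6, 30), "identity"),
]
SECRETS = [
    Secret("svc-backup", "it-infra", "Managed/it-infra", date(2024, 7, 1)),
    Secret("SVC-WEB", "old-team", "Managed/old-team", None),
    Secret("svc-retired", "it-infra", "Managed/it-infra", date(2024, 1, 1)),
]
TODAY = date(2024, 4, 1)
MAX_AGE_DAYS = 365


def build_plan() -> Plan:
    return reconcile(REPORT, SECRETS, TODAY, MAX_AGE_DAYS)


if __name__ == "__main__":
    plan = build_plan()
    print("create:  ", [s.name for s in plan.create])
    print("update:  ", plan.update)
    print("stale:   ", plan.stale)
    print("orphaned:", plan.orphaned)
```

Orphaned secrets are only listed, never deleted: an account missing from one report may simply have been omitted, and removing its secret would lock the owner out. The stale list is the input to the optional expiration step, since those are the accounts whose first PAM-driven password change should be scheduled soonest.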