This article explains how Active Directory user groups (Security groups) are added to Osirium PAM, and how the users within each group are synchronised and created in Osirium PAM.
It also describes a number of scenarios showing how users are managed through this process.
This section provides details on how to populate the bulk import template for:
- Synchronising Active Directory users using Security Groups
- Active Directory and Osirium PAM synchronising scenarios
NOTE: It is assumed that an Active Directory service has already been provisioned in Osirium PAM. See Active Directory integration in Osirium PAM.
Synchronise Active Directory users using Security Groups
This section details how to create new Security groups in Active Directory and how to then configure Osirium PAM so that users are automatically synchronised.
NOTE: If your Active Directory already contains Security groups that you wish to synchronise in Osirium PAM, skip to step 2.
1. Create Security Group(s) in Active Directory and add users
- Open the Active Directory Users and Computers window
- Create a new Security Group
- Add required users to the new Security Group
2. Create User Group in Osirium PAM
- Navigate to User groups
- Click NEW USER GROUP
- Select the source as Active Directory, enter the Name exactly as it was entered in step 1 above and click SAVE.
- Members of the Active Directory Security Group will be automatically created in Osirium PAM and added as members of the new User group.
3. Synchronising the Osirium PAM User group
- When the Osirium PAM User group is first created it will be automatically synchronised with the corresponding Active Directory Security Group.
- By default the Osirium PAM User group will be synchronised every 15 minutes. This can be changed by navigating to System configuration > System settings tab and amending the value in the User Group Synchronisation interval (minutes) field.
- If you do not wish to wait for the next scheduled synchronisation, you can manually trigger a synchronisation by navigating to User groups, opening the required User group and clicking SYNCHRONISE.
Active Directory and Osirium PAM synchronising scenarios
Each scenario below explains what will happen to users within Osirium PAM.
NOTE: For the scenarios below, the term Security Group refers to a Security Group created in Active Directory. The term User group refers to a User group created in Osirium PAM. Unless stated otherwise, it is assumed that for each Security Group there is a corresponding User group of the same name in Osirium PAM.
NOTE: With the exception of adding a new Security Group, to see the changes described below immediately you will need to manually trigger a resync. See step 3 of the Synchronise Active Directory users using Security Groups section above.
1. New Security Group added
- The User group will be created in Osirium PAM.
- Members of the Security Group will be added to the User group.
- Any members that do not already exist in Osirium PAM will be created.
2. User added to existing Security Group
- New user will be added to the User group.
- If the user does not already exist, they will be created in Osirium PAM.
3. User removed from existing Security Group
- The user will be removed from the User group.
- The user will NOT be removed from Osirium PAM.
4. Security Group removed
- The User group will NOT be removed from Osirium PAM (but it can be removed manually if required).
- The users that were previously members of the User group will NOT be removed from Osirium PAM.
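Scenarios 3 and 4 mean that accounts and User groups stay in Osirium PAM after their Active Directory source is gone, so they need a periodic review. The following is an added example, not Osirium code: a toy model with constructed group and account names that calls no Osirium PAM or Active Directory API, replays scenarios 1 to 4 and lists what is left behind. It assumes a User group keeps its last membership once its Security Group is removed, which the page does not state.

```python
from dataclasses import dataclass, field


@dataclass
class PamState:
    """Toy model: AD-sourced accounts and User groups held in the PAM."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # User group name -> members


def synchronise(pam, ad_groups):
    """One sync pass following scenarios 1-4 on this page."""
    for name in list(pam.groups):
        if name not in ad_groups:
            continue  # scenario 4: User group and its users are kept (assumed unchanged)
        members = {m.lower() for m in ad_groups[name]}  # AD logon names are case-insensitive
        pam.users |= members        # scenarios 1-2: missing users are created
        pam.groups[name] = members  # scenario 3: removed from the group only


def audit(pam, ad_groups):
    """Return (orphaned users, stale User groups) left behind by the sync."""
    live = set()
    for name in pam.groups:
        live |= {m.lower() for m in ad_groups.get(name, ())}
    orphaned = sorted(pam.users - live)  # in PAM, but in no live Security Group
    stale = sorted(g for g in pam.groups if g not in ad_groups)
    return orphaned, stale


def demo():
    # Constructed sample data: group and account names are invented.
    ad = {"PAM-NetAdmins": {"alice", "Bob"}, "PAM-DBAs": {"carol"}}
    pam = PamState(groups={"PAM-NetAdmins": set(), "PAM-DBAs": set()})
    synchronise(pam, ad)                # initial sync creates alice, bob, carol
    ad["PAM-NetAdmins"].discard("Bob")  # scenario 3: user removed from group
    del ad["PAM-DBAs"]                  # scenario 4: Security Group removed
    synchronise(pam, ad)
    return pam, audit(pam, ad)


if __name__ == "__main__":
    pam, (orphaned, stale) = demo()
    print("orphaned accounts:", orphaned)
    print("stale User groups:", stale)
```

In a real review the two inputs would come from an Active Directory group membership export and an Osirium PAM user listing; neither format is described on this page.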