PAM Policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies, those policies can be made up of several rules. For each rule, you could select the action to perform when Soffid detects that rule is accomplished.

To use those policies you need to define how policies will be used by each folder in the password vault. For more information, you can visit the Password Vault page.

Screen overview

Standard attributes

Name: name to identify the policy.
Description: a brief description of the policy.
Days to keep recordings: number of days that recordings will be kept.
Priority: allows you to set the priority between the different PAM policies configured. When there are several policies, the policy to be applied is evaluated according to priority and expression.
Expression: this expression is evaluated to determine the priority of the policy to be applied. When there are several policies, the policy to be applied is evaluated according to priority and expression.
Temporary permissions: these permissions will be assigned to the user's account on the target system. The permissions will be maintained for the duration of the session. Once the session is over, the permissions will be revoked. The account must be a managed account.
Modified by: user who modified that rule.
Modified on: the date and time of the update.

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

Rule list: show a list of the PAM rules defined. You can check/uncheck the available options. You can choose zero, one, or several:
- Close session: when the rule is met, Soffid will close the session.
- Lock account: when the rule is met, Soffid will lock the account.
- Open issue: when the rule is met, Soffid will open a new issue (*).
- Notify: when the rule is met, Soffid will send a notification about the action.

(*) You can visit the following page for more information about the issues: https://bookstack.soffid.com/books/soffid-3-reference-guide/page/issue-policies and https://bookstack.soffid.com/link/1153#bkmrk-pam-violation

Actions

PAM rules query

Query	Allows you to query PAM policies through different search systems, Quick, Basic and Advanced.
Add or remove columns	Allows you to show and hide columns in the table.
Add new	Allows you to create a new PAM policy. You can choose that option on the hamburger menu or click the add button (+). To add a new PAM policy it will be mandatory to fill in the required fields.
Delete	Allows you to remove one or more PAM policies by selecting one or more records and next clicking the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.
Import	Allows you to upload a CSV file with the PAM policies list to add or update PAM policies to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.
Download CSV file	Allows you to download a CSV file with the PAM policies information.

PAM rules detail

Apply changes	Allows you to create a new configuration PAM policy or to update an existing one. To save the data it will be mandatory to fill in the required fields.
Undo	Allows you to quit without applying any changes made.
Delete	Allows you to delete a PAM policy. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Introduction to Self Service Portal

My tasks

My issues

My applications

My requests

Process Search

My accounts

My OTP devices

My certificates and FIDO tokens

My Profile

Tenants

Plugins

Look & feel

Soffid parameters

User Type

Group Type

Metadata

User backup configure & restore

Configuration wizard

Export settings and objects

Import settings and objects

Authorizations

Authentication

Password policies

Configure PAM session servers

PAM Rules

PAM Policies

Password recovery configuration

OTP settings

XACML Policy Management

XACML PEP configuration

Digital certificates

Recertification policies

Issue policies

Break-glass recovery configuration

Users

Groups

Accounts

Roles

Information systems

Role assignment rules

Segregation of Duties (SoD)

Networks

Hosts

Printers

Mail Domains

Mail List

Application access tree

Password vault

Custom objects

Smart engine settings

Agents

Synchronization servers

Account naming rules

Attribute translation tables

Soffid Objects

Sample scripts

Utility classes

Network discovery

Clear redundant roles

Disable inactive users

Disable inactive accounts

Role mining

Sync server monitoring

Scheduled tasks

Scheduled jobs

Audit

Access logs

Sessions

Console log

Privileged accounts dashboard

Search in PAM recordings

Issues

Search Types

Column Selector

Download CSV file & Import

Bulk actions

Issue Actions

Textual Index

Operation