Assigned Credentials
Assigning credentials maps Kron PAM users or groups to specific local or Active Directory (AD) users or groups on target systems, and the connection to the target system is set up using that mapping.
In Proxy connections, the target device’s credentials are either entered as a global username/password or retrieved from the Password Vault. In either case, all users connect to the target device as a single local user, and these credentials are defined for the whole device group.
In some cases, different users need to connect to the same devices with different user accounts. Assigning credentials lets different Kron PAM users connect to target devices with different SAPM accounts. User groups can also be retrieved from Active Directory, and credentials kept in SAPM can be assigned to AD user groups as well as to individual users.
If a specific Device or Device Group is selected in the Assigned Credentials definition, the user can use the SAPM account defined in the selected device connection. The assignment applies to the selected Device or Device Group, or to every device if you use the Apply for All Devices option.
In the example illustrated above, the users are connecting to target devices with and without assigned credentials. In the first diagram, Kron PAM users A and B and the AD user groups all use the same local/AD user accounts to connect to the target devices. In the second diagram, assigned credentials are configured between Kron PAM User A and Local/AD User A, and between Kron PAM User B and Local/AD User B. This allows Kron PAM User A to log in to target devices as Local/AD User A, and Kron PAM User B to log in as Local/AD User B.
Defining Assigned Credentials allows the defined accounts to be used in Active Directory, LDAP, WinRM, and SMB strategies to connect to different devices. Before you can use assigned credentials, you must configure the local/AD user as a Dynamic Password Controller account. See the related sections in this document for configuration details.
To configure assigned credentials:
- Navigate to Users > Assigned Credentials.
- Click the +Add button.
- Choose User or User Group in the User Selection field, then specify the user or user group accordingly.
- Choose the assigned account in the Vault Account section.
- Optionally, set the scope of the assignment: apply it to all devices if the user should connect to all devices with this account, or choose a specific device or device group.
- To use this assignment, navigate to Devices > Inventory.
- Click the Edit button of a device group that will connect to the target devices via assigned credentials and select the Edit option.
- Go to section 2 (Properties).
- Click the Additional Credentials menu and enable Add Assigned Credential to Credential Selection.
Sections 5 through 7 can also be applied to users or user groups. When editing a user or user group in the Assigned Credentials menu, accounts for the same purpose can be selected.