Kron PAM’s Role-Based Management Concept
Kron PAM’s role-based management concept (user/device/policy) is based on realms. Each kind of definition (users, devices, policies) is gathered into groups. Realms connect these groups to each other; through the realms, users can connect to devices under the applicable policies.
Each concept is summarized below. The following sections address these concepts in detail and explain them through step-by-step instructions.
User Group: User groups consist of individual users. Before creating user groups, you need to create the users. A user can be a member of more than one group.
Device Group: Device groups consist of devices. Devices can be added before or after creating device groups. However, if the device groups are created beforehand, new devices can be added directly to their respective groups. Devices that are added to the system before creating a device group are categorized under Unassigned Devices in the User Inventory pane. To assign such a device to a device group, right-click on the device in the Device Inventory and click Assign Group. Then choose the appropriate Device Group and click the Assign Group button. A device can be in more than one device group, provided its connection credentials are the same as those of every device in the group.
Device Realm: Device Realms bind User Groups and Device Groups. You can choose more than one user group or device group. All devices under a realm are reachable by all users defined in that realm.
Policy Group: Policies are only necessary for SSH connections; RDP connections don’t use policies. The most used policies are white key and black key policies. A black key policy restricts running the defined commands, while a white key policy permits running the defined commands. Policy groups can consist of more than one policy. If black and white key policies are together in the same group, black key policies have higher priority than white key policies.
Policy Realm: Policy Realms bind Policy Groups to Device Realms, which connects users and devices with the applicable policies.
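The following is an added example that models the concept described above in code; it is not Kron PAM code or its API. It assumes a simple in-memory representation of user groups, device groups, device realms, policy groups and policy realms, a shell-style pattern match for the commands a policy lists, and that an SSH session with no policy in scope is not permitted. The credential check in assign_device and the priority of black key over white key policies follow the rules stated on the page; all data in build_sample is constructed.

```python
# Illustrative model of realm-based access (added example, not Kron PAM code).
# Names, the pattern-matching rule and the "no policy means no SSH" rule are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    """A black key policy forbids the listed commands; a white key policy permits only them."""
    name: str
    kind: str                  # "black" or "white"
    patterns: tuple[str, ...]  # shell-style patterns such as "show *" (assumed matching rule)

    def matches(self, command: str) -> bool:
        return any(fnmatchcase(command, p) for p in self.patterns)


@dataclass
class AccessModel:
    device_credentials: dict[str, str] = field(default_factory=dict)   # device -> credential id
    user_groups: dict[str, set[str]] = field(default_factory=dict)     # user group -> users
    device_groups: dict[str, set[str]] = field(default_factory=dict)   # device group -> devices
    policy_groups: dict[str, list[Policy]] = field(default_factory=dict)
    # device realm -> (user groups, device groups)
    device_realms: dict[str, tuple[set[str], set[str]]] = field(default_factory=dict)
    # policy realm -> (policy groups, device realms)
    policy_realms: dict[str, tuple[set[str], set[str]]] = field(default_factory=dict)

    def assign_device(self, device: str, group: str) -> None:
        """Every device in a group must share the same connection credentials."""
        members = self.device_groups.setdefault(group, set())
        cred = self.device_credentials[device]
        if any(self.device_credentials[d] != cred for d in members):
            raise ValueError(f"{device}: credentials differ from device group {group}")
        members.add(device)

    def device_realms_for(self, user: str, device: str) -> set[str]:
        """Device realms in which both the user and the device are members."""
        ugs = {g for g, users in self.user_groups.items() if user in users}
        dgs = {g for g, devs in self.device_groups.items() if device in devs}
        return {r for r, (rug, rdg) in self.device_realms.items() if ugs & rug and dgs & rdg}

    def can_reach(self, user: str, device: str) -> bool:
        """A device is reachable by every user defined in a shared realm (enough for RDP)."""
        return bool(self.device_realms_for(user, device))

    def effective_policies(self, user: str, device: str) -> list[Policy]:
        """Policies attached, via policy realms, to any device realm shared by user and device."""
        realms = self.device_realms_for(user, device)
        found: list[Policy] = []
        for pgs, drs in self.policy_realms.values():
            if realms & drs:
                for pg in pgs:
                    found.extend(self.policy_groups.get(pg, []))
        return found

    def ssh_command_allowed(self, user: str, device: str, command: str) -> bool:
        """Black key policies take priority over white key policies.
        Assumption: an SSH session with no policy in scope is not permitted."""
        policies = self.effective_policies(user, device)
        if not policies:
            return False
        if any(p.kind == "black" and p.matches(command) for p in policies):
            return False
        whites = [p for p in policies if p.kind == "white"]
        if whites:
            return any(p.matches(command) for p in whites)
        return True  # only black key policies in scope: anything not listed is allowed


def build_sample() -> AccessModel:
    """Constructed sample data: two users, three devices, two device realms, one policy realm."""
    m = AccessModel(device_credentials={"core-sw1": "cred-net", "core-sw2": "cred-net", "db01": "cred-db"})
    m.user_groups = {"netops": {"alice"}, "dba": {"bob"}}
    for dev, grp in [("core-sw1", "switches"), ("core-sw2", "switches"), ("db01", "databases")]:
        m.assign_device(dev, grp)
    m.policy_groups = {
        "netops-cmds": [
            Policy("allow-show", "white", ("show *", "ping *")),
            Policy("deny-reload", "black", ("reload*", "show running-config")),
        ]
    }
    m.device_realms = {"net-realm": ({"netops"}, {"switches"}),
                       "db-realm": ({"dba"}, {"databases"})}
    m.policy_realms = {"net-policy-realm": ({"netops-cmds"}, {"net-realm"})}
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.can_reach("alice", "core-sw1"), m.can_reach("alice", "db01"))
    print(m.ssh_command_allowed("alice", "core-sw1", "show version"))
    print(m.ssh_command_allowed("alice", "core-sw1", "show running-config"))  # black key wins
```

In the sample, alice reaches the switches through net-realm and gets the netops-cmds policies through net-policy-realm, so "show version" is permitted by the white key policy while "show running-config" is blocked because the black key policy listing it has priority. bob reaches db01 through db-realm, but no policy realm covers that realm, so under the stated assumption no SSH command is permitted there; moving db01 into the switches group is rejected because its credentials differ.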