System Admin Guide
Imprivata Customer Privileged Access Management (CPAM) considers two initial User Types: Vendors and Customers. Vendors acquire a CPAM license and provide support services. Customers receive access to a CPAM server and receive support services from vendors.
Vendors are further divided into CPAM users and System Administrators (admins, for short). CPAM users have access to the features described in the Vendors Guide, while System Admins obtain access to the features described in this guide.
CPAM System Admins are often the main contact between a company and Imprivata, as they acquire the CPAM license and manage the CPAM server.
This guide is intended for System Admins to enable them to manage their CPAM server.
System Admin Tab
The System Admin is the only user type with access to the System Admin tab. This tab contains a top menu with the features that the System Admin can view and modify. The features in the System Admin tab are:
- My Account: View your profile.
- Users: View the users and user groups.
- History: View the server's session activity.
- Services: Manage the built-in and custom services.
- Roles: Manage the user types.
- Settings: Manage all your server's settings.
- Credentials: Manage your credentials and your customer's credentials.
- Admin Log: View all activities and events in your server.
My Account
My Account contains information about your user account, including your user information, Gatekeeper access, and preferences.
When you click Edit at the top of the User Information section, you are able to:
- Modify your User Information.
- Switch Credentials Categories. Read the Credentials Documentation for more information.
- Change your Department.
- Modify your User Preferences.
Use the following table to understand the User Preferences you can modify:
User Preference | Description |
---|---|
Amount of Favorite Hosts to remember | Sets the number of registries that appear in the Remote Support tab. |
Default screen size for RDP connections | Sets the resolution of the shared desktop when you connect to a session. Read the Sessions Documentation for more information. |
Use all monitors for RDP connections *Overrides Default screen size for RDP | Enables you to view all of your customer's monitors during a session. By checking this option, the default screen size setting is disabled. |
Enable microphone for RDP connections | Enables you to activate your microphone during a session. |
Color Depth for RDP connections *32bpp only supported from a Windows computer | Sets the color depth for the shared desktop during a session. |
Drive Sharing preference for RDP connections | Defines if you want to share your local drive during sessions. |
Remote Printing preferences for RDP connections | Defines if you want to be able to print from your user's server during a session. |
Use seamless mode for ICA connections | Sets the seamless mode for ICA connections. Read the Sessions Documentation for more information. |
Default screen size for ICA connections | Sets the resolution of the shared desktop when using ICA connections. |
Desktop Sharing Connection Quality | Sets the quality of the desktop when connecting to a Windows session. |
Connection method preference | Sets a default session type (Connection Manager or Java Web Start.) The system follows this setting only when connecting to a Windows or MacOS server. |
Only use 127.0.0.1 as a local interface | Sets 127.0.0.1 to create sessions when a Security/Antivirus Software blocks connections to local interfaces. |
IP Connect Mode | Sets the default setting for IP Connect sessions. The system follows this setting only when connecting to a Windows server. |
Disable Hostname Mapping | Disables the mapping of the hostname. |
SCM Connect Mode | Describes the connection method for the Connection Manager (SSH or Tunneling.) Only change it when your customer's privacy settings require you to use a specific connection method. |
Users
The Users menu displays the User List in your CPAM server. These are your organization users, not customers' accounts. Each registry shows the User ID, name, User Status, and User Type.
The User Status refers to the following:
User Status | Description |
---|---|
Logged In | The User is currently logged-in. |
Authorizing | The User has entered their login and password, but has not entered the Authorization Key sent to their email. Hover over status to display the Email Authorization Key. |
Registered | The User has an Active account; their email address has been confirmed. |
Deleted | The User's account has been deleted. |
Disabled | The User's account has been disabled. |
Unregistered | The User has not yet confirmed their email address. |
Your CPAM server has two built-in User Types: Standard User and System Admin. Standard User has access to all the features in the Vendors Guide, while the System Admin has access to the features in this System Admin Guide.
Additionally, you can create custom roles according to your needs. Read the Roles section of this document for more information.
As System Admin, you can add new users to your CPAM servers, and view and edit users. When you add a new User, they receive a registration email to the email address you provide. Users must follow the link in the email to verify their email address and choose their own password to complete the registration process.

To add a user to your CPAM server, click New at the top of the User List page. Complete the registration form. Use the following table to understand each attribute in the registration form:
Section | Attribute | Description | Required |
---|---|---|---|
User Information | User ID | Set a unique name for your user in your CPAM server. | Yes |
| | User is an Administrator | Check this box to give this user System Admin privileges. If you check this box, other configurations may not apply. | No |
| | Credential Category | Select the credential provider for this user. | No |
| | Name | Type the name of your user. | Yes |
| | Authentication Provider | Use this option to activate the SSO feature from an Active Directory provider. | No |
| | Email | Type your user's email. Ensure you validate their email domain. | Yes |
| | Department | Select your user's department. | No |
| | Phone | Add a phone number for your user. | No |
| | Alternate Phone | Add an additional phone number for your user. | No |
| | Account will not be disabled | Defines if the user is not included in the automatic search for expired accounts. | No |
| | User Groups (not available when you set user as Administrator) | Add your user to all the User Groups they belong to. Read the User Groups section of this document for more information. | Yes |
| | Roles (not available when you set user as Administrator) | Select the Role for your user. | Yes |
The Add New User form does not have fields for a password. After adding the user, they will receive a registration email with a link to verify their email address and instructions for setting their own password.
Once you’ve entered the user details, click Save. The errors you may receive from this form are:
Error message | Solution |
---|---|
User ID must have at least 4 characters (user) | The User ID must be between 4 and 24 characters long. |
The user ID you have entered belongs to another user | Another User Account has already defined this User ID. |
Name is required | Name cannot be blank, and can be up to 128 characters. |
Valid email address required | Email cannot be blank, and can be up to 128 characters. |
The email you have entered belongs to another user | Another User account has already defined this email address. |
At least one User Group is required | Ensure a check mark appears next to at least one User Group. |
At least one Role is required | Ensure a check mark appears next to at least one Role. |

To view a User, click View from the User list. From the View User page, you can Edit their profile.

To edit a User's details, click Edit from the View User page. From the Edit User page, Admin Users can:
- Disable a User, which resets the user's password.
- Remove Admin User access.
- Modify the Credential Category.
- Change the Authentication Provider.
- Change the Department.

System Admins have the ability to remove any User from the system. To delete a User:
- Click Delete from the Edit User page.
- Click OK to the confirmation dialog to remove the User.
To preserve historical session details, deleting a user does not completely remove the user's information from the system. Deleted accounts can't be used, and do not display by default in user lists.
System Admins have the option of viewing deleted users by using either the Show Deleted option on the User List page or by including deleted users in a search from Search Users.
When viewing a deleted account, admins can Undelete or Erase the user.
Undeleting a user marks their account as Unregistered, which requires a new password from the System Admin or the user.
Erasing a user effectively deletes the account and its connection history.
User Groups
All Users on your CPAM server must be part of at least one User Group. User Groups are groups of users that can access one or more Gatekeeper Groups. Only a System Admin may add new User Groups or edit the Gatekeeper Groups that a User Group can access.
You can open the List User Groups page in two ways:
- From the System Admin tab, hover the Users top menu, and click List User Groups.
- Click User Groups from any Admin top menu on any other tab.
The List User Groups page contains all the User Groups in your CPAM server. The list includes their:
- Name and Description: Defined when the User Group is created.
- Type: Describes the type of connections and sessions the User Group can create.
- Gatekeeper Groups: Indicates the number of Gatekeeper Groups that this User Group may access.
- Users: Indicates the number of Users in this User Group. Users may belong to more than one User Group.
- View: Opens the View User Group page.
If you are not a System Admin user, you can only access Users in your User Groups.
From the List User Groups page, you can add a new user group, view, or edit a user group.

To add a New User Group click Add New User Group. Complete the new user group form to create a new user group.
Enter Name and Description for the User Group. You can optionally select any number of Gatekeeper Groups. Users in this group have access to Gatekeepers in the selected Gatekeeper Groups.
Read the Gatekeeper Groups section of this page for more information.
The errors you may receive from this form are:
Error message | Reason |
---|---|
Gatekeeper Group Name is required | Name cannot be blank, and can be up to 128 characters. |
Description is required | Description cannot be blank, and can be up to 255 characters. |
The Gatekeeper Group name you have entered is already in use | Another Gatekeeper Group is already using this name. |

Click View from the User Groups list to open the View User Group page.
The Gatekeeper Groups accessible to Users in this group appear below the list of Users.

Only System Admins and Group Admins may edit User Groups.
- System Admins can modify the accessible Gatekeeper Groups for a User Group in addition to changing the name and description.
- Group Admins can change the name and description for a User Group.

Only System Admin Users have the ability to remove a User Group from the system. You can only delete empty User Groups. If a User Group contains Users, you must first remove the Users by editing the User Group.
To delete an empty User Group, click Delete from the Edit User Group page. A confirmation pop-up opens. Click OK to confirm the deletion.
Gatekeeper Groups
Each Customer's Gatekeeper in your CPAM server belongs to a Gatekeeper Group. User Groups are given access to any number of Gatekeeper Groups, providing the Users access to those Gatekeepers. To view the configured Gatekeeper Groups, click on Gatekeeper Groups from the Admin top menu of the Remote Support tab.
System-level Admin users see all of the Gatekeeper Groups on the system. Non-admin users see only the Gatekeeper Groups that they can access through their User Groups. The View Gatekeeper Group page contains the following information:
- Name displays the defined name for the Gatekeeper Group.
- Description displays the defined description for the Gatekeeper Group.
- Gatekeepers displays the number of Gatekeepers that are members of the Gatekeeper Group.
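The access rules described in the User Groups and Gatekeeper Groups sections can be reviewed offline by resolving each user's effective Gatekeeper Group access. The Python below is an added example, not part of the Imprivata documentation or product; this guide does not describe an export format, so the record fields, the `max_groups` review threshold, and the sample data are assumptions constructed for illustration.

```python
# Added example: record fields, threshold and sample data are constructed for
# illustration; this is not a CPAM export format or API.
from dataclasses import dataclass, field

NO_ACCESS = {"Deleted", "Disabled"}  # assumption: these statuses grant nothing


@dataclass
class User:
    user_id: str
    status: str = "Registered"
    is_admin: bool = False        # "User is an Administrator"
    never_disabled: bool = False  # "Account will not be disabled"
    user_groups: set = field(default_factory=set)


def effective_gatekeeper_groups(user, ug_to_gkg, all_gkgs):
    """Gatekeeper Groups a user can reach under the rules in this guide."""
    if user.status in NO_ACCESS:
        return set()
    if user.is_admin:             # System Admins see every Gatekeeper Group
        return set(all_gkgs)
    reach = set()
    for ug in user.user_groups:   # union across all of the user's User Groups
        reach |= ug_to_gkg.get(ug, set())
    return reach


def review_findings(users, ug_to_gkg, all_gkgs, max_groups=2):
    """Return (user_id, reason) pairs worth a manual access review."""
    findings = []
    for u in users:
        reach = effective_gatekeeper_groups(u, ug_to_gkg, all_gkgs)
        if not reach:
            continue
        if u.is_admin:
            findings.append((u.user_id, "system admin: all Gatekeeper Groups"))
        elif len(reach) > max_groups:  # max_groups is a hypothetical threshold
            findings.append((u.user_id, f"reaches {len(reach)} Gatekeeper Groups"))
        if u.never_disabled:
            findings.append((u.user_id, "exempt from expired-account search"))
    return findings


# Constructed sample data: User Group -> Gatekeeper Groups it may access.
UG_TO_GKG = {
    "Tier1 Support": {"Clinics East"},
    "Tier2 Support": {"Clinics East", "Hospitals", "Labs"},
}
ALL_GKGS = {"Clinics East", "Hospitals", "Labs", "Archive"}
USERS = [
    User("asmith", user_groups={"Tier1 Support"}),
    User("bjones", user_groups={"Tier1 Support", "Tier2 Support"}),
    User("svc_backup", never_disabled=True, user_groups={"Tier1 Support"}),
    User("root_admin", is_admin=True),
    User("old_vendor", status="Deleted", user_groups={"Tier2 Support"}),
]

if __name__ == "__main__":
    for user_id, reason in review_findings(USERS, UG_TO_GKG, ALL_GKGS):
        print(f"{user_id}: {reason}")
```
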

- Click Add New Gatekeeper Group on Gatekeeper Groups. The New Gatekeeper Group form opens.
- Enter a Name and Description for the new Gatekeeper Group. The Connection Form option opens if your CPAM server has been configured to accept data from your bug tracking system, support ticket system, or CRM server.
- Choose the Connection Form that applies to all Gatekeepers in this group, or None if no Connection Form is desired.
- Select the box next to the name of each User Group that is allowed to access the Gatekeepers in this group.
The errors you may receive from this form are:
Error message | Reason |
---|---|
Gatekeeper Group Name is required | Name cannot be blank, and can be up to 128 characters. |
Description is required | Description cannot be blank, and can be up to 255 characters. |
The Gatekeeper Group name you have entered is already in use | Another Gatekeeper Group is already using this name. |

Click View from the Gatekeeper Groups list to view the details for a single Gatekeeper Group, including the User Groups that have access to the group, and the list of member Gatekeepers.
This page enables you to see the User Groups with access to the specific Gatekeeper Group and the Gatekeepers that belong to the group. To change the User Groups that can access this group, click Edit on this page.

To edit a Gatekeeper Group's name, description, Connection Form, or to change the User Groups that can access Gatekeepers in the Gatekeeper Group, click Edit from Gatekeeper Group's View. Only System Admins can edit a Gatekeeper Group. The Edit Gatekeeper Group page opens.
In this page you can modify the group's name, description, and which User Groups have access. Click Save.
Removing user group access takes effect immediately upon save, and disconnects any users that are affected.

Only a System Admin can delete Gatekeeper Groups.
A Gatekeeper Group must be empty to be removed, so first remove or re-assign Gatekeepers in the group to be deleted to a different Gatekeeper Group.
- Click Edit for the Gatekeeper Group.
- Click Delete at the top of the page. Delete does not appear if the Gatekeeper Group contains Gatekeepers.
- Click OK on the delete confirmation pop-up to confirm the deletion.
- The Gatekeeper Groups list no longer includes the deleted group.
Services
The Services top menu opens the Service List of your CPAM server. The services in this list are considered Available Services.
Available Services enables System Admins to customize the list of Services that Users can choose from the Services drop-down when adding a service to their Gatekeeper.
From the Service List you can view, edit, add, and delete available services for your users.

To add a new Available Service, click Add New Service from the main Available Services page. Complete the new service form using the following table to define your new service:
Attribute | Description |
---|---|
Service Name | Provide a unique name to your new service. |
Description | Change the description of the service. |
Port | Modify the port that the service uses. |
Default Local Port | Specify the port that the service uses by default. |
Required Local Port | Specify if the service requires a local port on your customer's server. |
Port Type | Describe the type of port the service uses. |
Protocol | Specify the protocol for the service connection. |
Score | Determine the order of the Service in the Service list. Higher scores appear closer to the top. |
Hidden | Specify if the service is hidden for Standard Users. |
When you are done entering the Service details, click Save.

To view an Available Service, click View. The Service details open.

To modify an available service, click Edit from the service's View page. The Edit Service page opens. Modify the attributes using the following table:
Attribute | Description |
---|---|
Description | Change the description of the service. |
Port | Modify the port that the service uses. |
Default Local Port | Specify the port that the service uses by default. |
Required Local Port | Specify if the service requires a local port on your customer's server. |
Port Type | Describe the type of port the service uses. |
Protocol | Specify the protocol for the service connection. |
Score | Determine the order of the Service in the Service list. Higher scores appear closer to the top. |
Hidden | Specify if the service is hidden for Standard Users. |

To delete an Available Service, first click View next to the service from the main Available Services list, then click Edit. This displays Delete for that service. Click Delete and click OK to the confirmation pop-up.
Service Profiles
Service Profiles enables System Admins to customize the default set of Services that Gatekeepers provide. Services are applied to a Gatekeeper's configuration the moment you add a new Gatekeeper.
To view the defined service profiles, click Service Profiles from the Services top menu in the System Admin tab. A list of the Service Profiles displays.
The default Service Profile is marked with a red bullet point. This is the Service Profile that is sorted to the top of the list of Service Profiles when adding a new Customer or Gatekeeper.

To add a new Service Profile, click New. The New Service Profile form displays. Complete the form using the following list:
- Name: Required and may be up to 32 characters long.
- Description: Optional and may be up to 128 characters long.
- Copy Services From: Provides a list of previously defined Gatekeeper Service Profiles. The CPAM server ships with an initial set of Gatekeeper Service Profiles. All Gatekeeper Service Profiles start out as copies of these initial Service Profiles. Gatekeeper Service Profiles provide built-in services.
Enter a name, choose the existing Service Profile most like the one you are creating, and click Save. This opens View Service Profile for your new profile, where you can add, edit, remove, or disable services.

To view a Service Profile, click View. You'll see the details for that Service Profile.
Notice that viewing a Service Profile is almost exactly like editing a service. Notable differences from editing regular Gatekeeper services are:
- There is no Add New Host. All services are for the Gatekeeper host only.
- You cannot delete a built-in service; you can only disable it.
- There is no Host Description or Alias associated with a Service Profile.
- There is no Save & New when adding a Service to a Profile (only Save).
Apart from the above exceptions, adding services to a Service Profile is like Adding a Service.
Click Add New Service to open the Add Service form for the currently selected Service Profile.
For more information about the description of the fields in this form, see Adding a Service.
If the displayed Service Profile is not the default Service Profile, you can click Set as Default to make this Service Profile the default profile option for new Gatekeepers.

Editing a Service Profile allows you to change the Name or Description of the profile. To edit a Service Profile:
- Click Edit on View. This opens the Edit Service Profile form.
- Make the required changes to the name or description of the profile.
- Click Save.

- Click Delete from Edit.
- Click OK to the confirmation dialog. This opens the list of Service Profiles.
Roles
The Roles top menu enables you to view, edit, and define User Types and the permissions they have in your CPAM server.
To view all the available roles in your CPAM server, click the Roles top menu. The View Roles list displays. The list contains the name of the role and its description. From this page you can Add a New Role. To edit, clone, or delete roles, you must open the View a Role page. Click View to open the View a Role page.

To add a new role, click Add a New Role from the View Roles list page. This opens the New Role form. Complete the Name and Description. Read each permission carefully to provide granular permission to your new role.
When you finish adding permissions to your new role, click Save.
Some permissions enable you to add the permission only to a specific Department. By selecting the department on the permission, you grant access only to the department you select. Read the Departments section of this guide to learn more.

To avoid creating a new role from scratch, you can clone an existing role and then edit the clone to provide or remove permissions. To clone a role, open the View a Role page for the role you want to clone and click Clone.
The new role opens. Click Edit to modify the role's name, description, and permissions. Read each permission carefully to provide granular permissions to the role.

To edit a role, open the View a Role page for the role you want to edit. Modify the description and permissions. Remember to read each permission carefully to provide granular permissions to the role you are editing.

To delete a role, open the View a Role page, click Edit, and select Delete.
Departments
Departments in your CPAM server function as a way to provide access and permissions hierarchy for user groups, gatekeeper groups, and customers. Your CPAM server has the default GLOBAL department from which you can create sub-departments to organize your server as you see fit.