System Admin Guide
Imprivata Vendor Privileged Access Management (VPAM) has two high-level types of users: Server Owners and Vendors. Server Owners are the user type that obtains a VPAM license and aims to receive support from external companies. Vendors are external companies that provide support to Server Owners.
Server Owners are further divided into VPAM users and System Administrators (admins, for short). VPAM users have access to features such as the Applications admins assign to them, their Services, and the Reports feature. System Admins, on the other hand, have access to the features described in this guide.
This guide is intended for System Admins to enable them to manage their VPAM server.
Feature List
System Admins can manage the following features:
- Users: Manage the System Admin team members.
- Services: Configure built-in and custom services for your applications.
- Vault or Credentials: Manage your credentials and your vendors' credentials. From version 25.1+, the section is updated as a Vault for the server.
- Roles: Manage the user types in your server.
- Settings: Manage your server's settings.
- History: View the server's session activity.
- Admin Log: View all activities, events, and notifications of your server.
Users
Users or User Management displays the User List in your VPAM server. These are your organization's users, not vendors' accounts. Each entry shows the User ID, name, User Status, and User Type.
The User Status refers to the following:
User Status | Description |
---|---|
Logged In | The User is currently logged in. |
Authorizing | The User has entered their login and password, but has not entered the Authorization Key sent to their email. Hover over the status to display the Email Authorization Key. |
Registered | The User has an Active account; their email address has been confirmed. |
Deleted | The User's account has been deleted. |
Disabled | The User's account has been disabled. |
Unregistered | The User has not yet confirmed their email address. |
Your VPAM server has two built-in User Types: Standard User and System Admin. A Standard User has access to applications, their services, and the reports feature, while a System Admin has access to the features in this System Admin Guide.
Additionally, you can create custom roles according to your needs. Read the Roles section for more information.
As System Admin, you can add new users to your VPAM servers, and view and edit users. When you add a new User, they receive a registration email to the email address you provide. Users must follow the link in the email to verify their email address and choose their own password to complete the registration process.

To add a user to your VPAM server, click New or Add New User at the top of the User List page. Complete the registration form. Use the following table to understand each attribute in the registration form:
Section | Attribute | Description | Required |
---|---|---|---|
User Information | User ID | Set a unique name for your users in your server. | Yes |
| User is an Administrator | Check this box to give this user System Admin privileges. If you check this box, other configuration may not apply. | No |
| Credential Category | Select the credential provider for this user. | No |
| Name | Type the name of your user. | Yes |
| Authentication Provider | Use this option to activate the SSO feature from an Active Directory provider. | No |
| Email | Type your user's email. Ensure you validate their email domain. | Yes |
| Department | Select your user's department. | No |
| Phone | Add a phone number for your user. | No |
| Alternate Phone | Add an additional phone number for your user. | No |
| Account will not be disabled | Defines if the user is not included in the automatic search for expired accounts. | No |
| User Groups (not available when you set user as Administrator) | Add your user to all the User Groups they belong to. Read the User Groups section for more information. | Yes |
| Roles (not available when you set user as Administrator) | Select the Role of your user. | Yes |
The Add New User form does not have fields for a password. After you add the user, they receive a registration email with a link to verify their email address and instructions for setting their own password.
After you’ve entered the user details, click Save. The errors you may receive from this form are:
Error message | Solution |
---|---|
User ID must have at least 4 characters (user) | The User ID must be between 4 and 24 characters long. |
The user ID you have entered belongs to another user | Another User Account has already defined this User ID. |
Name is required | Name cannot be blank, and can be up to 128 characters. |
Valid email address required | Email cannot be blank, and can be up to 128 characters. |
The email you have entered belongs to another user | Another User account has already defined this email address. |
At least one User Group is required | Ensure a check mark appears next to at least one User Group. |
At least one Role is required | Ensure a check mark appears next to at least one Role. |

To view a User, click the User's name from the User List. From the View User page, you can Edit their profile.

To edit a User's details, click Edit from the View User page. From the Edit User page, Admin Users can:
- Disable a User, which resets the user's password.
- Remove Admin User access.
- Modify the Credential Category.
- Change the Authentication Provider.
- Change the Department.

System Admins have the ability to remove any User from the system. To delete a User:
- Click Delete from the Edit User page.
- Click OK to the confirmation dialog to remove the User.
To preserve historical session details, deleting a user does not completely remove the user's information from the system. Deleted accounts can't be used, and do not display by default in user lists.
System Admins have the option of viewing deleted users by using either the Show Deleted option on the User List page or by including deleted users in a search from Search Users.
When viewing a deleted account, admins can Undelete or Erase the user.
Undeleting a user marks their account as Unregistered, which requires a new password from the System Admin or the user.
Erasing a user effectively deletes the account and its connection history.
User Groups
All Users in your server must be part of at least one User Group. User Groups are groups of users that can access one or more Applications. Only a System Admin may add new User Groups or edit the Applications that a User Group can access. Open the User Group page by clicking User Groups from the User or User Management menu.
The User Groups List contains all the User Groups in your server. The list includes their:
- Name and Description: Defined when the User Group is created.
- Applications: Describes the number of applications the User Group can access.
- Users: Indicates the number of Users in this User Group.
Users may belong to more than one User Group.
As an admin, you can add new User Groups, and view or edit a User Group.
If you are not a System Admin user, you can only access Users in your User Groups.

To add a new User Group, click Add New User Group. Complete the new user group form to create the group.
Enter Name and Description for the User Group. You can optionally select the Applications that Users in this group have access to.
The errors you may receive from this form are:
Error message | Reason |
---|---|
Gatekeeper Group Name is required | Name cannot be blank, and can be up to 128 characters. |
Description is required | Description cannot be blank, and can be up to 255 characters. |
The Gatekeeper Group name you have entered is already in use | Another Gatekeeper Group is already using this name. |

To view a User Group, click its name on the User Group List.
From the User Group Details page, you can edit the User Group.

Only System Admins and Group Admins may edit User Groups.
- System Admins can modify the Applications that a User Group can access, as well as its name and description.
- Group Admins can change the name and description for a User Group.
Services
Read the Services documentation for standard users before navigating configurations available for System Admins.
The Services top menu opens the Service List of your server. The services in this list are considered Available Services.
Available Services enables System Admins to customize the list of Services that Users can choose from the Services drop-down when adding a service to an Application.
From the Service List you can view, edit, add, and delete available services for your users.

To add a new Available Service, click Add New Service from the main Available Services page. Complete the new service form using the following table to define your new service:
Attribute | Description |
---|---|
Service Name | Provide a unique name to your new service. |
Description | Change the description of the service. |
Port | Modify the port that the service uses. |
Default Local Port | Specify the port that the service uses by default. |
Required Local Port | Specify if the service requires a local port on your customer's server. |
Port Type | Describe the type of port the service uses. |
Protocol | Specify the protocol for the service connection. |
Score | Determine the order of the Service in the Service list. Higher scores appear closer to the top. |
Hidden | Specify if the service is hidden for Standard Users. |
When you are done entering the Service details, click Save.

To view an Available Service, click View. The Service details open.

To modify an available service, click Edit from the service's View page. The Edit Service page opens. Modify the attributes using the following table:
Attribute | Description |
---|---|
Description | Change the description of the service. |
Port | Modify the port that the service uses. |
Default Local Port | Specify the port that the service uses by default. |
Required Local Port | Specify if the service requires a local port on your customer's server. |
Port Type | Describe the type of port the service uses. |
Protocol | Specify the protocol for the service connection. |
Score | Determine the order of the Service in the Service list. Higher scores appear closer to the top. |
Hidden | Specify if the service is hidden for Standard Users. |

To delete an Available Service, first click View next to the service from the main Available Services list, then click Edit. This displays Delete for that service. Click Delete and click OK to the confirmation pop-up.
Service Profiles
Service Profiles enables System Admins to customize the default set of Services that Applications provide. Services are applied to an Application's configuration the moment you add a new Application.
To view the defined service profiles, click Service Profiles from the Services top menu. A list of the Service Profiles displays.
The Default Service Profile is marked with a red bullet point. This is the Service Profile that is sorted to the top of the list of Service Profiles when adding a new Application.

To add a new Service Profile, click New. The New Service Profile form displays. Complete the form using the following list:
- Name: Required and may be up to 32 characters long.
- Description: Required and may be up to 128 characters long.
- Copy Services From: Provides a list of previously defined Service Profiles. The VPAM server ships with an initial set of Service Profiles. All Service Profiles start out as copies of these initial Service Profiles. Service Profiles provide built-in services.
Enter a name, choose the existing Service Profile most like the one you are creating, and click Save. This opens View Service Profile for your new profile, where you can add, edit, remove, or disable services.

To view a Service Profile, click View. You'll see the details for that Service Profile.
Notice that viewing a Service Profile is almost exactly like editing a service. Notable differences from editing regular services are:
- There is no Add New Host. All services are for the Application host only.
- You cannot delete a built-in service; you can only disable it.
- There is no Host Description or Alias associated with a Service Profile.
- There is no Save & New when adding a Service to a Profile (only Save).
Apart from the above exceptions, adding services to a Service Profile is like Adding a Service.
Click Add New Service to open the Add Service form for the currently selected Service Profile.
If the displayed Service Profile is not the default Service Profile, you can click Set as Default to make this Service Profile the default profile option for new Applications.

Editing a Service Profile allows you to change the Name or Description of the profile. To edit a Service Profile:
- Click Edit on View. This opens the Edit Service Profile form.
- Make the required changes to the name or description of the profile.
- Click Save.

To delete an Available Service:
- Click Delete from Edit.
- Click OK to the confirmation dialog. This opens the list of Service Profiles.
Roles
The Roles menu enables you to view, edit, and define User Types and the permissions they have in your server.
To view all the available roles in your server, click the Roles top menu. The View Roles list displays. The list contains the name of the role and its description. From this page you can Add a New Role. To edit, clone, or delete roles, you must open the View a Role page. Click View to open the View a Role page.

To add a new role, click Add a New Role from the View Roles list page. This opens the New Role form. Complete the Name and Description. Read each permission carefully to provide granular permission to your new role.
When you finish adding permissions to your new role, click Save.
Some permissions enable you to add the permission only to a specific Department. By selecting the department on the permission, you grant access only to the department you select. Read the Departments section of this guide to learn more.

To avoid creating a new role from scratch, you can clone an existing role and then edit the clone to add or remove permissions. To clone a role, open the View a Role page for the role you want to clone and click Clone.
The new role opens. Click Edit to modify the role's name, description, and permissions. Read each permission carefully to provide granular permissions to the role.

To edit a role, open the View a Role page for the role you want to edit. Modify the description and permissions. Remember to read each permission carefully to provide granular permissions to the role you are editing.

To delete a role, open the View a Role page, click Edit, and select Delete.
Departments
Departments in your VPAM server function as a way to provide access and permissions hierarchy for user groups. Your VPAM server has the default GLOBAL department from which you can create sub-departments to organize your server as you see fit.