4 Starting and Using the Oracle Privileged Account Manager Console

This chapter describes how to start and work with Oracle Privileged Account Manager's web user interface, known as the Console.

Note:

You can also manage Oracle Privileged Account Manager from the command line or by using Oracle Privileged Account Manager's RESTful interface.

4.1 Before You Begin

This chapter assumes that you have finished configuring Oracle Privileged Account Manager as described in Chapter 3, "Getting Started with Managing Oracle Privileged Account Manager."

4.2 Invoking Oracle Privileged Account Manager's Web-Based Console

You can access Oracle Privileged Account Manager's Console by opening a browser window and entering the following URL:

http://managedserver_host:managedserver_port/oinav/opam

When the Oracle Privileged Account Manager page displays with the Sign In screen, log in with the appropriate administrator or end user credentials.

Note:

If you prefer using Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" (respectively) for detailed information about using those interfaces.

4.3 Navigating Oracle Privileged Account Manager's Console

When you log in to Oracle Privileged Account Manager, the Console displays.

Access to certain features in the Console is based on your administration role (Admin Role) and credentials. For example, Figure 4-1 shows all of the features available in Oracle Privileged Account Manager. However, the Administration, Reports, and Configuration accordions, described later in this section, are not available to end users or to users with the Security Administrator role.

Figure 4-1 Oracle Privileged Account Manager Console (Full Privileges View)

Figure 4-2 shows the Console when you log in as a Self-Service user with no administrator privileges.

Figure 4-2 Oracle Privileged Account Manager Console (Self-Service View)

Note:

Refer to Section 2.3, "Understanding Oracle Privileged Account Manager Authorization" for more information about Admin Roles.

This section provides a high-level overview of the Oracle Privileged Account Manager Console.

Tip:

Hover your mouse over elements in the Oracle Privileged Account Manager interface (such as parameter fields or information icons) to see helpful prompts.

4.3.1 Working with the Home Accordion

The Home accordion contains the following nodes:

  • My Accounts: Select this node to access the My Accounts page where you can search, view, open, and check out accounts where you are a grantee.

  • My Checkouts: Select this node to access the My Checkouts page where you can view your checked out accounts, view the password for those accounts, and check in your checked out accounts.

    You must check out a privileged account to use it. Oracle Privileged Account Manager enables you to check out an account as a password or as a session. Refer to Section 8.5, "Checking Out Privileged Accounts" for more information.

Clicking either node opens a new page on the right side of the Console. Use these pages to manage your accounts.

Note:

  • The My Accounts page is displayed by default when any user logs in, regardless of privileges.

  • For detailed information about working with the My Accounts page or with the My Checkouts page, refer to Section 12, "Working with Self-Service."

4.3.2 Working with the Administration Accordion

Based on your Admin Role and credentials, the Administration accordion contains some or all of the following nodes:

  • Accounts: Select to open the Accounts page, where you can search, open, add, and remove accounts.

  • Targets: Select to open the Targets page, where you can search, open, add, and remove targets.

  • Password Policies: Select to open the Password Policies page, where you can search, open, create, and delete Password Policies.

  • Usage Policies: Select to open the Usage Policies page, where you can search, open, create, and delete Usage Policies.

  • User Grantees: Select to open the User Grantees page, where you can search, open, and view information about individual user grantees.

  • Group Grantees: Select to open the Group Grantees page, where you can search, open, and view information about a group of grantees.

Clicking any of these nodes opens a new page on the right side of the Console. Use these pages to configure and manage Oracle Privileged Account Manager.

4.3.3 Working with the Reports Accordion

Based on your Admin Role and credentials, the Reports accordion contains some or all of the following nodes:

  • Deployment Reports: Select to open the Deployment Reports page, where you can view information about how targets and privileged accounts are currently deployed.

  • Usage Reports: Select to open the Usage Reports page, where you can view information about how privileged accounts are being used in your deployment.

  • Failure Reports: Select to open the Failure Reports page, where you can view information about the current state of target and account failures.

  • Checkout History: Select to open the Checkout History page, where you can search for and review information about account checkouts.

Note:

For detailed information about these Reports, refer to Chapter 13, "Working with Reports."

4.3.4 Working with the Configuration Accordion

Based on your Admin Role and credentials, the Configuration accordion contains some or all of the following nodes, which represent the common global configuration properties that apply to all Oracle Privileged Account Manager servers in a cluster:

4.3.5 Working with the Search Portlet

Use Oracle Privileged Account Manager's Search portlet to search for accounts, targets, policies, users, groups, and plug-ins.

You configure searches by using one or more of the parameters displayed in the portlet. The availability of different search parameters depends on the type of search you are going to perform. For example, Figure 4-3 shows the Search Accounts portlet that you use to search for privileged accounts.

Figure 4-3 Example Search Portlet

The following table describes the different search parameters and for which search types they are available:

Table 4-1 Search Portlet Parameters

| Parameter Name | Description | Search Type |
|---|---|---|
| Account Name | Enter one or more letters of the account name. | Accounts, My Accounts, Checkout History |
| Target Name | Enter one or more letters of the target name. | Accounts, My Accounts, Targets, Users, Groups, Checkout History |
| Target Type | Select All to search all target types or limit the search to only ldap, unix, database, or lockbox target types. | Accounts, My Accounts, Targets |
| Domain | Enter one or more letters of the domain name. | Accounts, My Accounts, Targets |
| Description | Enter one or more letters of the account, target, or plug-in description. | Accounts, My Accounts, Plug-in Configuration |
| Host Name | Enter one or more letters of the host name on which to search. | Targets |
| Policy Name | Enter one or more letters of the policy name. | Password Policies, Usage Policies |
| Policy Status | Select All to search all policies or limit the search to only Active or only Disabled policies. | Password Policies, Usage Policies |
| User Name | Enter one or more letters of the user name. | User Grantees, Checkout History |
| Group Name | Enter one or more letters of the group name. | Group Grantees |
| Start Date and End Date | Use the Calendar/Time icon to specify a date range and time in which to search. | Checkout History |
| Pattern | Enter one or more characters of a string in the recording of a checkout event. For example, sync:x:5:0:sync:/sbin:/bin/sync | Checkout History |
| Query Size | Use the counter to limit how many query results are returned. | Checkout History |
| Name | Enter one or more letters of the plug-in name. | Plug-in Configuration |
| Resource Type | Select All to search all resource types or limit the search to only account, only server, or only target resource types. | Plug-in Configuration |
| Status | Select All to search all plug-in statuses or limit the search to only Active or only Disabled plug-ins. | Plug-in Configuration |
| Timing | Select All to search all plug-in timings or limit the search to only pre timing plug-ins or only post timing plug-ins. | Plug-in Configuration |
| Operation | Select All to search all plug-in operations or limit the search to only add, autocheckin, checkin, checkout, passwordcycle, remove, resetpassword, retrieve, sessioncheckout, showpassword, showpasswordhistory, test, or update operations. | Plug-in Configuration |


The Search Portlet also supports the use of wildcards, as follows:

  • Use the percentage symbol (%) to search for character strings of any length. You can also use multiple wildcards in the same search string. For example,

    • If you enter person%, then the results might include person1, person_2, and person1234.

    • If you enter %person%, then the results might include dsperson, hrperson1, and hrperson2.

  • Use an underscore symbol (_) to search for a single character. You can also use multiple wildcards in the same search string. For example,

    • If you enter person_, then the results might include person1, person2, and persons.

    • If you enter o_m_, then the results might include oam1, oem1, oem2, oem3, and oim1.
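The wildcard rules above can be modeled offline, for example to check which names in an exported account list a given search string would return. The following Python sketch is an added illustration, not Oracle code or part of the product. It assumes that a pattern must match the whole name and that matching is case-sensitive; the function names are hypothetical, and the names svc_db and svcXdb are constructed sample data (the other names come from the examples above).

```python
import re

# Names from the examples in this section, plus two constructed entries
# (svc_db, svcXdb) that show the underscore pitfall.
NAMES = [
    "person1", "person_2", "person1234", "dsperson", "hrperson1",
    "hrperson2", "person2", "persons", "oam1", "oem1", "oem2", "oem3",
    "oim1", "svc_db", "svcXdb",
]


def portlet_pattern_to_regex(pattern, underscore_is_wildcard=True):
    """Translate a Search portlet pattern into a regular expression.

    %  matches a character string of any length (including empty)
    _  matches exactly one character
    All other characters are matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_" and underscore_is_wildcard:
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def search(pattern, names):
    """Return the names matched by the pattern (assumption: whole-name match)."""
    rx = portlet_pattern_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]


def unintended_matches(pattern, names):
    """Names returned only because '_' acted as a wildcard.

    Useful when the search string is an account name that itself contains
    an underscore: the result set can be wider than the one name intended.
    """
    literal = portlet_pattern_to_regex(pattern, underscore_is_wildcard=False)
    return [n for n in search(pattern, names) if not literal.fullmatch(n)]


if __name__ == "__main__":
    for p in ("person%", "%person%", "person_", "o_m_", "svc_db"):
        print(p, "->", search(p, NAMES))
    print("extra matches for svc_db:", unintended_matches("svc_db", NAMES))
```

Because the underscore is a wildcard, a search string that is an account name containing an underscore can return additional accounts, so review the Search Results table before acting on a selection.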

The general steps for performing a search are as follows:

  1. Select the appropriate node in the Home, Administration, Reports, or Configuration accordion.

    For example, to search for an account, select Accounts.

  2. When the Search portlet displays, configure a search as follows:

    • To search for all available results, such as all accounts, do not specify any search parameters in the portlet.

    • To refine your search, use one or more of the search parameters described in Table 4-1.

      For example, to see a list of the privileged accounts on a particular LDAP target, enter one or more letters of the target's name in the Target Name field and select ldap from the Target Type menu.

  3. Click Search.

    The results are displayed in the Search Results table.

    Note:

    You can use the View menu, located above the Search Results table, to manage how the search results are displayed in the table. Refer to Table 4-2 in Section 4.3.6, "Working with a Search Results Table" for more information.

  4. To perform another search, click Reset.

4.3.6 Working with a Search Results Table

You can use the drop-down menus and icons located along the top of the different Search Results tables to perform various tasks.

Figure 4-4 Example Search Results Table

The following table describes these menus and icons:

Note:

The availability of these features will change, based on your Admin Role (privileges) and what type of search was performed. Refer to Section 2.3.1, "Administration Role Types" for more information.

Table 4-2 Search Results Table Features

Feature Name Search Type Description

Actions

All

Click this menu and select an action to perform.

Note: The options on this menu duplicate the task icons displayed above the table.

View

All

Click this menu and select one of the following options to control how columns are displayed in the Search Results table:

  • Columns > Show All: Displays all columns in the table.

  • Columns > Column Name: Click a column name to display or hide that column in the table. The columns are displayed (checked) by default.

  • Columns > Manage Columns: Provides a dialog that enables you to display or hide columns.

  • Reorder Columns: Select this option and the Reorder Columns dialog displays. Use this dialog to select the columns and shift their order in the table.

Open

All

Click to open the selected account, target, policy, user grantee, group grantee, or plug-in configuration.

Password Check Out

My Accounts

Select a row in the Search Results table and click this option to check out the account's password.

Session Check Out

My Accounts

Select a row in the Search Results table and click this option to check out a session.

Refresh

My Accounts, My Checkouts, Accounts, Checkout History, Plug-in Configuration

Click to re-display (refresh) the Search Results.

Check In

My Checkouts only

Click to check in the selected checked-out account. Refer to Section 8.6, "Checking In Privileged Accounts" for more information.

Show Password

My Checkouts, Accounts, Targets

Click to open the Show Current Password dialog where you can view the current password information about a selected account or target service account.

  • For Accounts, this dialog lists the current Account Name and Password.

  • For Targets, this dialog lists the current Target Name, Service Account Name, Current Password, and Password Change Time.

Password History

Accounts, Targets

Click to open the Show Password History dialog where you can view the password history for an account or a target.

  • For Accounts, this dialog lists the current Account Name, Password, and Modification Time (date and time).

  • For Targets, this dialog lists the Target Name, Passwords, and Modification Time (date and time).

Status

Accounts only

Click this menu and select one of the following options to limit which account results are displayed in the table:

  • All: Lists all accounts on the target.

  • Checked-in Accounts: Lists only those accounts that are currently checked-in.

  • Checked-out Accounts: Lists only those accounts that are currently checked-out.

Add

Accounts, Targets

Click to add a new account or a new target to the Oracle Privileged Account Manager repository.

Remove

Accounts, Targets

Click to remove the selected account or target from the Oracle Privileged Account Manager repository.

Reset Password

Accounts, Targets

Click to open the Reset Password dialog where you can manually reset the password for a selected account or target service account.

  • For Accounts, this dialog lists the current Account Name and Target Name. Type a password in the New Password field to create a new password for the account.

  • For Targets, this dialog lists the current Target Name and Service Account Name. You can either type a password in the New Password field or enable the Generate password automatically checkbox to automatically generate a new password.

Force Check In

Accounts only

Click to check in privileged accounts that have been checked-out by other users.

Create Password Policy

Password Policies only

Click to create a Password Policy. Refer to Section 9.2.4, "Creating a Password Policy" for more information.

Create Usage Policy

Usage Policies only

Click to create a Usage Policy. Refer to Section 9.3.4, "Creating a Usage Policy" for more information.

Delete

Password Policies, Usage Policies, Plug-in Configuration

Click to delete a selected policy from the Oracle Privileged Account Manager repository.

Create

Plug-in Configuration

Click to create a plug-in configuration. Refer to Section 11.3, "Creating a Plug-In Configuration" for more information.

Recording

Checkout History

Click to view a recording, in transcript format, of the actions taken during an account checkout.