5.9. Displaying the privileges of users and user groups

PSM version 3.2 and later provides an interface to query the user-rights and privileges of individual users and user groups. To display the privileges of a user or usergroup, navigate to AAA > Permission Query, enter the name of the user or group into the respective field, then click Filter. Note that:

  • It is not possible to filter on both the username and the group at the same time.

  • Partial matches are also displayed.

  • Usergroups can be local usergroups, userlists, or LDAP usergroups.

Web interface permissions. For usergroups accessing the PSM web interface, a table is displayed that lists the pages of the PSM web interface that the user or usergroup can access. The following information is displayed:

  • Page: The name of the page or group of pages, for example, Basic Settings.

  • Element: If a group has access only to a section of a page, the name of the element is listed here. For example, a particular Channel Policy.

  • Group: The name of the usergroup.

  • Permission: The type of access that the user or usergroup has to the page: read or read and write/perform.

Figure 5.15. AAA > Permission Query — Displaying web interface permissions

AAA > Permission Query — Displaying web interface permissions

Connection permissions. To review which servers a user or usergroup can access, PSM collects the main information about the connections the user or group is permitted to use. The following information is displayed.

Note

To display the usergroups that can access a specific Connection Policy, open the Connection Policy, then select Show connection permissions > Show on the Connections page.

Figure 5.16. AAA > Connection permissions — Displaying connection permissions

AAA > Connection permissions — Displaying connection permissions
  • Gateway group: Lists the group memberships required to access the connection. Group memberships can be restricted at the following places:

    • Connection > Gateway authentication > Groups

    • Channel Policies > Gateway group

    • Policies > Usermapping Policies > Groups

  • Source:

    Source IP: The IP address of the client.

  • To:

    Destination IP: The IP address of the server as requested by the client.

  • To port:

    Destination port: The port number of the server as requested by the client.

  • Target:

    Server IP: The IP address of the server connected by PSM.

  • Target port:

    Server port: The port number of the server connected by PSM.

  • Remote user:

    Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Procedure 18.1, Configuring usermapping policies.

  • Remote group: The group that can access the destination server, as set in the Usermapping Policy (if any).

  • Protocol:

    Protocol: The protocol used in the connection (Citrix ICA, HTTP, RDP, SSH, Telnet, or VNC).

  • Connection:

    Connection policy ID: The identifier of the connection policy.

  • Authorizer:

    Four-eyes authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Section 18.3, Configuring 4-eyes authorization.

  • Auth type: The authentication method used in the client-side connection during gateway authentication.

  • Channel: The type of the channel, for example, session-shell.

  • Time: The name of the Time Policy used in the connection.

  • LDAP: The name of the LDAP Server used in the connection (if any).

  • Credential store: The name of the Credential Store used in the connection (if any).

  • Audit: Indicates if the connection is recorded into audit trails.

Usergroup memberships. When searching for users, the table displays the group memberships of the matching users. When searching for usergroups, the table displays the members of the matching groups. The following information is displayed:

  • User: The username of the user.

  • Group: The name of the usergroup or userlist.

  • Exception: Usernames that are denied in case of default-deny userlists managed locally on PSM.

Figure 5.17. AAA > Connection permissions — Displaying usergroup and userlist memberships

AAA > Connection permissions — Displaying usergroup and userlist memberships