This article provides answers to the most frequently asked questions about accessing and using the Privileged Access Management (PAM) software, as well as common issues that you may encounter when using PAM. Please contact IT Services if you have questions or need technical support for an issue that is not covered in this article or the PAM Operations FAQ.
Select a topic to learn more about privileged access management and its implementation at UChicago.
You will need a Secure Shell (SSH) client to connect to Unix-like hosts through PAM and a Remote Desktop Protocol (RDP) client to connect to Windows hosts through PAM.
You can download the latest copy of PuTTY, which includes an SSH binary file, get the standalone SSH file from the same website, or use the built-in SSH client in PowerShell for Windows.
Microsoft provides an RDP client for Mac if you need to connect to Windows machines from a Mac.
Fill out the PAM service request form.
Yes, although the workflow will be different. Instead of going to a bastion host such as jump.uchicago.edu, you will sign into PAM with your CNetID and password and then choose your systems from a list. Alternatively, you can use SSH or RDP direct connect, which will also ask for your CNetID and password to connect to your systems.
Visit square.uchicago.edu to log into the BeyondTrust Password Safe Portal. You will be prompted for a username and password. Please enter your CNetID and password and complete two-factor authentication if prompted.
Refresh the page or try navigating back to square.uchicago.edu in a new browser window.
Please follow the directions in the Auto-Launch PuTTY Registry File section of BeyondTrust's Configure SSH and RDP Connections help document, then restart your computer before trying again. If the issue persists, contact IT Services.
You may not have any privileged accounts assigned to you. Check with your systems administrator to see if you are assigned to the systems appropriately.
Please be sure you are connected to the University's Virtual Private Network (cVPN) before attempting to connect to systems assigned to you. If the issue persists, please contact IT Services.
You can grant a user access to PAM by adding them to the proper Grouper assignment group. If you do not have access to Grouper, please contact the Identity Access Management (IDM) team for assistance.
You can make changes using the Privileged Access Management Support form.
You may visit BeyondTrust's Password Safe Guides for technical assistance.
In most cases, this error message is due to your password containing a "plus sign" (+). If this is the case, please change your password via MyAccount (myaccount.uchicago.edu). (Note: A permanent solution is being sought.) If this is not the case, please contact IT Services for troubleshooting.
Your recorded sessions are held for one year.
No. PAM only allows specified account passwords to be managed; however, those privileged accounts may have the ability to make those changes.
No. By default, no one has access to your onboarded systems. It is only after the managed accounts are assigned that groups get access to specific systems.
You can utilize your existing access controls to see who has access to your system and devices. Alternatively, you may ask the Identity Access Management (IAM) team about what role-based accounts are in use on your systems according to groups. You may also check the Grouper group you are a member of for PAM to see which individuals have access to the systems assigned.
You will also utilize your existing system logging to monitor activity. If replays are required from PAM, they can be requested or viewed in the web portal.
This is because you did not "check out" the session in time. Sessions must be started within 30 seconds of checkout; otherwise, you will get this message. To resolve this, go back to your requests and select open session again.
PAM requires internet access to function and connect to systems. If you have direct console access, this should be utilized until your internet access is restored to the affected system.
PAM will be unavailable until the service is back up. Please contact IT Services if an unexpected outage occurs.