This Advanced screen displays a list of all administrators (Admins) with rights on this PK Endpoint Manager (PEM) site.
From this screen, you can:
- Add Admins
- Change Admin Settings
- EnableAPI or RevokeAPI
- Delete Admins
When you add an admin, you must assign a role. Each role designates a set of permissions to complete tasks on PEM.
| Role | Permissions |
|---|---|
| | Can access PK Endpoint Manager, including the Reporting and Event Logs. Cannot change settings or policy. |
| Sys Admin | Can change settings in the Basics and Advanced pages, with approval from another Sys Admin. Can create a policy and set the "scope" - the users and groups who will be ruled by that policy. |
| Security Admin | Can change the parameters in the policy except the scope. Cannot create new policies. If a Security Admin is assigned to a policy, then the Sys Admin cannot change that policy. |
| Super Sys Admin | Can change any setting, and create and change any policy. Can approve own actions. |
For more information on this API: Admin API
| Option | Description |
|---|---|
| EnableAPI | When clicked, an API key is generated and displayed once. |
| RevokeAPI | Revokes the API key currently in use for an admin. |
You can set up a separate Multi-Factor Authentication account for Admins.
Admin MFA Setup
When you are logged in with your Admin account, click MFA in the upper right corner. You'll see the MFA Setup Options page.
Click Setup MFA. You'll be asked to open your mobile device and scan a QR code with your Authenticator. You can also type the secret code directly into the Authenticator. Enter the code generated by the Authenticator into the MFA Code box, then name the device that you are pairing with. Save to confirm the TOTP setup.
Linking Admin Account to User Account
After setting up your Admin account, you may link the Admin MFA credential to a user account. Return to the MFA Setup Options page and click Link to an End User Account. Enter the username and password for the account you want to link to, and you’ll be asked to generate another Authenticator code. Click Login.
Unlinking a User Account: If you don't want your user account connected to the Admin account, go to Advanced > Admins and Edit the local user to unlink. Check Unlink MFA and click Save. This action must be approved by another admin.
Linking to a Common Admin Account
Instead of each admin linking MFA to their own user account, your admin team can choose to create an Admin account called Auth, for example, and then have each admin link to the Auth user, using the same process described in the previous section.
PK Endpoint Manager needs at least one Sys Admin to manage accounts. The first system administrator account created during the installation (described in the Installation and Setup Guide) holds the role of Super Sys Admin. We recommend creating a new, less powerful Sys Admin for day-to-day tasks. From the Advanced tab, go to Admins.
Admins can be created from:
- Domain Users: Individual Active Directory users with accounts connected to PK Protect.
- Domain Groups: You can assign an entire Active Directory Group as Admins.
- Local Users: If you want an admin that can access PEM without an Active Directory account, you can assign a username or email address with a password.
Changing an Admin's Settings
To change an existing Admin's password or role:
- Go to Advanced > Admins. The Admins page appears with the current list of Admins.
- Click Edit for the Admin's settings.
- You can replace a Domain User's email address, or the Domain Group attached to this Role. Delete the existing email address or group name. Add the new address/group.
You can also use the drop-down menu to change the Role of this Admin.
- Click Save.
Deleting an Admin
To delete an Admin from the database:
- Go to Advanced > Admins. The Admins page appears with the list of Admins.
- Click Delete for the Admin you want to remove.
- Click Confirm - Delete.
Unless you hold the Super Sys Admin role, another admin must confirm the deletion.