Skip to main content


The Admins screen under the identities tab list of all the administrators with access rights on the PEM Administrator. The PEM Administrator instance needs at least one system admin to manage all existing accounts. The system admin created during the installation is assigned a role of Super Sys Admin. For managing day-to-day task, a less powerful system administrator must be created.

The following types of Admins can be created:

  1. Domain Users – You can assign an individual Active Directory (AD) user as admin whose accounts is connected to PEM Administrator.
  2. Domain Groups – You can assign an entire Active Directory group as admins.
  3. Local Users –You want assign admin access to the PEM Administrator without an AD account, by assigning a username or email address with a password.

Admin Roles

When you define an admin, a role must be assigned. Each role designates set of permissions which helps an administrator in completing a task.



Read Only

This role has read only access. They can view information but cannot make any changes in the instance.

Sys Admin

This role can change settings in the Basics and Advanced pages, with approval from another Sys Admin. They can also create policy and set the ‘scopes’ (users and groups) for whom policies are enforced.

Security Admin

This role can change parameters in the policy except the scope. They cannot create new policies. If a security admin is assigned to a policy, then Sys Admin cannot change that policy.

Super Sys Admin

This type of users has read, write, and execute access. They can change, create, or update any settings or policies. They do not require approval of another admin for actions they perform.

Add a Domain User or Domain Group

To add a domain user or domain group in the Admins screen. Follow the below steps:


The steps defined for adding a Domain user is same for Domain Group

  1. Click Add Domain User This opens the Add Domain User screen.
  2. Enter the name or email address of the user you wish to add.
  3. Select the role of the user from the Role drop-down. To know more, refer Admin Roles.
  4. Click Save to make the changes effective else click Cancel.

Add a Local Admin

To add a local administrator, follow the below steps:

  1. Click the Add Local Admin This opens the Add Local Admin screen.
  2. Enter the username or email address of the admin in the Username/Email
  3. Enter the password in the Password Using this password an admin will login to the PEM Administrator. If you are not changing anything except password, then leave this field blank.
  4. Re-enter the same password in the Confirm Password If you are not changing anything except password, then leave this field blank.
  5. Select the role of the admin from the Role drop-down. To know more, refer Admin Roles.
  6. Click Save to make the changes effective else click Cancel.

Following is the description of the columns:




This fields displays the username or email address of the user or domain group.


This field indicates whether an admin is a domain user, local admin or belongs to a specific domain Group. The options are Domain User, Domain Group or Local Admin.


This field indicates the role of an administrator in the PEM Administrator. There are four roles Read-Only, Sys Admin, Security Admin and Super Sys Admin.


This field indicates whether a user or domain group is configured for Multi – Factor Authentication. If user or a group is configured for MFA, then value in this field is set to Yes.


If the admin has been granted access to use the PKWARE API the value for this field is set to Yes

Last API

The value of this field indicates the time the admin last used the PKWARE API. If the value is set to (never), it means an API was never used by the admin.

Last Login

The field displays the timestamp when the admin last logged into the instance.

Following actions can be performed:

  1. Edit - This option allows the admin user or group and their associated admin roles to be edited.
  2. Enable API – Selecting this generates an API Key and grant access to the admin to use the PKWARE API. For more information on this API: Admin API
  3. Revoke API – This will revoke the API key by removing admin’s ability to use the PKWARE API button. For more information on this API: Admin API
  4. Delete – This will delete an admin from the database.

Admin MFA Setup

To configure multi-factor authentication for administrators, log into your Admin account, and click MFA in the upper right corner of the PEM Administrator interface. This will display Multi-Factor Authentication page.

Click Setup MFA. You’ll be asked to open your mobile device and scan a QR code to send to your Authenticator.  You can also type the secret code directly into the Authenticator. Enter the code generated by the Authenticator into the MFA Code box. You should then name the device that you are Pairing with. Save to confirm the TOTP setup.

Linking Admin Account to User Account

After setting up your Admin account, you may link the Admin MFA credential to a user account. Return to the MFA Setup Options page and click Link to an End User Account. Enter the username and password for the account you want to link to, and you’ll be asked to generate another Authenticator code. Click Login.

Unlinking a User Account: If you don’t want your user account connected to the Admin account, Go to Advanced > Admins and Edit the local user to unlink. Check Unlink MFA and click Save. This action must be approved by another admin.

Linking to a Common Admin Account

Instead of each admin linking MFA to their own user account, your admin team can choose to create an Admin account called Auth, for example, and then have each admin link to the Auth user, using the same process described in the previous section.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.