Devolutions ForumDevolutions Forum

Allow DVLS administrators to configure PAM without assigning a PAM user license

Allow DVLS administrators to configure PAM without assigning a PAM user license

2 votes

avatar
alexeygolubev

Problem
In the current implementation, visibility and access to the PAM module (Privileged Access) in DVLS / RDM is strictly tied to user-based PAM license assignment.
As a result:

  • If a PAM license exists on the server but is not assigned to the admin user, the PAM module is completely hidden
  • Server administrators cannot configure PAM unless they consume a PAM user license
  • This is inconsistent with how other components (DVLS, RDM, Gateway) are administered

This creates unnecessary license consumption for non-consuming administrative accounts.

Current Behavior

  • PAM licenses are user-based
  • Even for configuration-only tasks, the admin must have a PAM license assigned
  • If the license is unassigned, the PAM section disappears entirely from the Administration UI


Expected / Requested Behavior
Allow server administrators to access and configure PAM without requiring a PAM user license, provided that:

  • PAM licenses exist on the server
  • The user has administrative permissions

In other words:

  • License presence enables the PAM module at the server level
  • User permissions control who can configure it
  • License assignment is required only for using PAM features (checkout, sessions), not for configuration


Rationale

  • Administrators commonly use dedicated admin accounts that do not consume services
  • Admin users can already configure:
    • Devolutions Server
    • RDM integrations
    • Devolutions Gateway
    • without holding end-user licenses

Requiring a PAM license solely to make the configuration UI visible is inconsistent and inefficient.

Suggested Implementation Options
One of the following (or similar):

  1. Admin override
    • PAM module visible to users with admin permissions regardless of license assignment
  2. Split permissions
    • “PAM Administration” (no license required)
    • “PAM Usage” (license required)
  3. Read/configure without consume
    • Allow configuration access
    • Block checkout/session actions unless license is assigned

Value

  • Eliminates wasted licenses
  • Aligns PAM behavior with other Devolutions modules
  • Improves admin experience and onboarding
  • Reduces confusion during initial PAM setup


All Comments (1)

avatar
Luc Fauvel

Hi @alexeygolubev,

Thank you for providing this feedback, we'll discuss this internally and we'll post in this thread what our plans are for this feature request soon.

Cheers,

Luc Fauvel