PAM or not to PAM


Hi there,

I don’t understand how the Devolutions PAM works, or I might be missing something.

For me, PAM involves several actions:

  1. Rotating passwords
  2. Protocol break between client/server (for example, no direct access to the RDP port)
  3. Recording sessions as video
  4. Allowing privileged sessions with a workflow/approval system
  5. Potentially being able to block certain actions or commands on systems


Which of these actions are handled by Devolutions? I believe that for points 2 and 3, it is necessary to go through Devolutions Gateway. Is that correct? My usage is internal only.

I mainly want to use PAM for actions 1 to 3 for the IT Admin team. What I don’t understand now is how to import PAM accounts for individual use. Let me explain:

  • In my Active Directory, I have T0 and T1 OUs (for a tiering model).
  • In T0 and T1, I have admin accounts (e.g., t0.jdoe, t0.bdupont, t1.jdoe, t1.bdupont).
  • These are the privileged accounts.
  • On the Devolutions Server, I therefore have a user John Doe and a user Bernard Dupont.
  • On RDM, each of them has T0 resources (AD VMs, routers, etc.) and T1 resources (business VMs, switches, etc.).


How can I ensure that John Doe can only use his own accounts (t0.jdoe on T0 resources and t1.jdoe on T1 resources) and not Bernard Dupont’s accounts?

At the moment, he can see all of them.

Jerome

All Comments (1)


Hello,

Thank you for reaching out!

You are mostly correct in your understanding of how PAM works in the Devolutions ecosystem. Let me clarify how the different capabilities map to our components.

1. Password rotation
Handled directly by the PAM module in Devolutions Server through PAM Providers (for example the Active Directory provider).

2. Protocol break (no direct RDP/SSH access)
This is achieved using Devolutions Gateway. Instead of connecting directly to the target host, the session is proxied through the Gateway.

3. Session recording
Also handled through Devolutions Gateway, which records sessions when connections are proxied through it.

4. Workflow / approval for privileged access
Handled by Devolutions Server PAM using Just-in-Time access policies and approval workflows.

5. Blocking commands or actions
This is limited. Devolutions does not act as a command-filtering PAM like some specialized security appliances. However, session control and auditing can still be enforced through Gateway and policies.

So for your use case (1–3 internally for IT administrators), the typical architecture is:

  • Devolutions Server + PAM module
  • Devolutions Gateway
  • Remote Desktop Manager (client)



About your main question: restricting admins to their own privileged accounts

Your scenario with tiered accounts (T0 / T1) is a very common one.
When PAM scans Active Directory and imports accounts, they will initially be visible to users who have access to the PAM vault. Visibility is controlled through the Devolutions Server permission model.

To ensure that:

  • John Doe can only use t0.jdoe and t1.jdoe
  • Bernard Dupont can only use t0.bdupont and t1.bdupont

you typically implement this using permissions on the PAM accounts or folders.

For example:

  • Place t0.jdoe and t1.jdoe in a folder assigned to John Doe
  • Place t0.bdupont and t1.bdupont in a folder assigned to Bernard Dupont

Then configure View / Use permissions only for the corresponding user.

Another common approach is to organize PAM accounts in folders based on ownership or tier, then apply permissions to the relevant users or groups.

This ensures each administrator can only see and use their own privileged accounts, even though all accounts exist inside the PAM vault.

If you would like, we can also schedule a short support session to review your PAM configuration and help you implement the permission model for your tiered accounts (T0/T1). Sometimes walking through the initial setup together helps ensure everything is structured correctly from the start.

Best regards,
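The folder-per-owner layout described in the reply above, worked through as an added example (not Devolutions code and not part of this thread): it does not call the Devolutions Server API; it only derives, from a list of imported account names, which folder each account belongs in and which user should get View and Use on it, then checks that no account ends up visible to more than one administrator and that a tier-1 account is never matched against a tier-0 resource. The `<tier>.<owner>` naming convention, the `PAM/<owner>` folder names, the mapping of Devolutions Server users by their AD suffix, and the extra `t0.backup` account (added to show what happens to an account with no matching owner) are all assumptions constructed for the example.

```python
"""Model of the per-owner folder/permission layout for imported PAM accounts.

Added example, not Devolutions code: it does not talk to Devolutions Server.
It builds and validates the layout you would then create in the PAM vault.
All account and user names below are constructed sample data."""
import re
from collections import defaultdict

# Assumed naming convention from the thread: <tier>.<owner>, e.g. t0.jdoe
ACCOUNT_RE = re.compile(r"^(?P<tier>t[01])\.(?P<owner>[a-z0-9-]+)$")

# Constructed: what the AD PAM provider would import from the T0/T1 OUs.
# "t0.backup" has no matching Devolutions Server user, to exercise that case.
AD_PRIVILEGED_ACCOUNTS = ["t0.jdoe", "t0.bdupont", "t1.jdoe", "t1.bdupont", "t0.backup"]

# Constructed: Devolutions Server users, keyed by the AD suffix they own (assumption).
DVLS_USERS = {"jdoe": "John Doe", "bdupont": "Bernard Dupont"}


def parse_account(name):
    """Split 't0.jdoe' into ('t0', 'jdoe'); None if it does not follow the convention."""
    m = ACCOUNT_RE.match(name)
    return (m.group("tier"), m.group("owner")) if m else None


def build_permission_plan(accounts, users):
    """Return (plan, unassigned).

    plan maps a folder name ("PAM/<owner>") to the accounts it holds and the one
    user who gets View and Use on it. Accounts whose owner has no Devolutions
    Server user, or that do not follow the convention, go to `unassigned` so
    they are not silently left visible to everyone with access to the vault."""
    plan = {}
    unassigned = []
    for acct in accounts:
        parsed = parse_account(acct)
        if parsed is None or parsed[1] not in users:
            unassigned.append(acct)
            continue
        _tier, owner = parsed
        entry = plan.setdefault(
            f"PAM/{owner}",
            {"owner": owner, "accounts": [], "permissions": {"view": [owner], "use": [owner]}},
        )
        entry["accounts"].append(acct)
    return plan, unassigned


def visible_accounts(plan, user):
    """Accounts `user` can see: every account in a folder where they hold View."""
    return {a for f in plan.values() if user in f["permissions"]["view"] for a in f["accounts"]}


def check_isolation(plan, users):
    """Return (account, [users]) pairs visible to more than one user.
    An empty list means each planned account is visible to exactly one user."""
    seen = defaultdict(list)
    for user in users:
        for acct in visible_accounts(plan, user):
            seen[acct].append(user)
    return [(a, u) for a, u in sorted(seen.items()) if len(u) != 1]


def can_use(plan, user, account, resource_tier):
    """True only if `user` holds Use on the folder containing `account` AND the
    account's tier matches the resource's tier (t1.jdoe must not touch a T0 host)."""
    parsed = parse_account(account)
    if parsed is None or parsed[0] != resource_tier.lower():
        return False
    for f in plan.values():
        if account in f["accounts"]:
            return user in f["permissions"]["use"]
    return False


if __name__ == "__main__":
    plan, unassigned = build_permission_plan(AD_PRIVILEGED_ACCOUNTS, DVLS_USERS)
    for folder, entry in plan.items():
        print(f"{folder}: {entry['accounts']} -> View/Use: {DVLS_USERS[entry['owner']]}")
    print("unassigned (needs an explicit owner or group):", unassigned)
    print("isolation problems:", check_isolation(plan, DVLS_USERS))
    print("jdoe uses t0.jdoe on a T0 host:", can_use(plan, "jdoe", "t0.jdoe", "T0"))
    print("jdoe uses t0.bdupont on a T0 host:", can_use(plan, "jdoe", "t0.bdupont", "T0"))
    print("jdoe uses t1.jdoe on a T0 host:", can_use(plan, "jdoe", "t1.jdoe", "T0"))
```

The `unassigned` list is the part worth acting on before touching the vault: anything the PAM provider imports that does not map to exactly one administrator (shared or service accounts, names that break the convention) stays in whatever folder the import put it in, and by default that is the folder every vault user can see. Give those an explicit owner or group permission rather than leaving them where the scan dropped them.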