19.1 Configuring AAPM

By using API tokens in REST API requests, users can check out the credentials of applications such as databases, LDAP, cloud services, and shared keys.

To enable a user to generate an API token:

  1. Add PAM users to the appropriate user group. For more information, see Enabling Users to Generate API Tokens.

  2. Create a resource for the required application, add credentials for check out, and add appropriate rules for application credential checkout.

    For more information about credential checkout configurations, see the following:

    For more information about how to add a credential, see Contextual Help.

    With this feature, a user can check out multiple credentials for the same application, either directly from the user console or by using API tokens. Because PAM allows multiple credentials to be checked out for an application, you must have an adequate number of credentials in PAM for simultaneous access to the application.

19.1.1 Enabling Users to Generate API Tokens

You can allow PAM users to generate API tokens from the user console by adding them to the API Users group, which is created by default.

To allow LDAP users to generate API tokens, you must first add these users to the Framework User Manager and then continue with the following procedure. For more information about how to add LDAP users to PAM, see LDAP Account Mapping.

To add a user to the API Users group:

  1. Click Framework User Manager > API Users.

  2. Click Edit in the Group Information task pane.

  3. In the Members section, select the user who should be allowed to generate API tokens from the user console.

    You can also add a user to the group by dragging and dropping the user onto the API Users group.

  4. To allow API tokens to skip secondary authentication, select Bypass Secondary Authentication in the Secondary Authentication section.

    For more information about the Framework User Group configuration, see Modifying a Framework User Group.