Administrator Manual

Introduction

This manual provides an overview of the Excalibur system from an Administrator's perspective. It covers how to configure and manage the system using the Dashboard, the main web interface.

The Registration and Login instructions are the same as for the User role. For complete details, please refer to the User Manual.

To log in as an Administrator, select the Administrator role in the Role switcher, which is located under Preferences in the top-right corner of the Dashboard.

Figure 1. Select Administrator role in Role switcher

Info

The address where the Excalibur Dashboard is available is determined by your system operator. Other web server settings and access to system components are covered in the Installation and Configuration Guide.

Dashboard - Overview

Figure 2. Dashboard overview

In the top-right corner, System Administrators will see a tenant switcher, which allows them to move between different tenants. Other users will only see the tenant they are assigned to.

Figure 3. Switching tenants

The navigation side panel provides access to the system's main functionalities. The sections available depend on your user role.

Users with the Administrator role have access to comprehensive tools for managing system operations:

  • Management
  • Network
  • SAML
  • Security
  • Insights
  • Settings

Figure 4. Navigation side panel

The system is designed to ensure that each user has the appropriate level of access, promoting both security and efficiency.

Management

Management - Users

This section allows Administrators to manage users and user groups within the Excalibur system.

Users

This section lists all users in the system, showing details like their name, account, email, groups, and last login time. From here, you can delete users. Clicking on a user shows their general details and Audit Logs.

Figure 5. Management: Users - list of users

Info

Users are sorted by Last Logged In in descending order by default.

General Details

Figure 6. User - General Details

Audit Logs

Figure 7. User - Audit Logs

Filters

Clicking Show Filters displays the filtering options for the audit logs.

Figure 8. User - Audit Logs - Filters

Administrators can filter audit logs by:

  • Action Scope

    Figure 9. Filters - Action Scope

  • Action Type

    Figure 10. Filter - Action Types

  • Resource Type

    Figure 11. Filter - Resource Types

  • Username

    Figure 12. Filter - Usernames

  • Date

    Figure 13. Filter - Date

    Figure 14. Filter - Select Date

  • Date Range

    Figure 15. Filter - Select Date Range

Export

To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.

Figure 16. User - Audit Logs - Export
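
Applying the same filters to an exported file, as an added example that is not Excalibur's own code: the Go program below parses a constructed CSV export, applies a filter built from the Dashboard's own dimensions (Action Scope, Action Type, Resource Type, Username, Date range) and writes the matches back out as CSV. The column names and the sample rows are assumptions made for this example; compare them with the header of a real export before relying on them.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
	"time"
)

// AuditRecord carries the dimensions the Dashboard lets you filter on
// (Action Scope, Action Type, Resource Type, Username, Date).
type AuditRecord struct {
	Time         time.Time
	ActionScope  string
	ActionType   string
	ResourceType string
	Username     string
}

// AuditFilter mirrors the filter panel: an empty field or zero time means
// "any value", and every field that is set must match (AND semantics).
type AuditFilter struct {
	ActionScope, ActionType, ResourceType, Username string
	From, To                                        time.Time // inclusive bounds
}

// Constructed sample export. The column layout is an assumption for this
// example, not the product's documented export format.
const sampleExport = `time,action_scope,action_type,resource_type,username
2024-03-01T09:15:00Z,tenant,create,user_group,alice
2024-03-02T11:30:00Z,tenant,update,user_group,bob
2024-03-03T16:45:00Z,system,delete,user,alice
2024-03-05T08:00:00Z,tenant,delete,user_group,carol
2024-03-09T13:20:00Z,tenant,delete,pam_target,alice
`

var header = []string{"time", "action_scope", "action_type", "resource_type", "username"}

// ParseAuditCSV reads an export in the assumed layout; a malformed row or timestamp is an error.
func ParseAuditCSV(data string) ([]AuditRecord, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []AuditRecord
	for i, row := range rows {
		if i == 0 {
			continue // header line
		}
		if len(row) != len(header) {
			return nil, fmt.Errorf("row %d: want %d columns, got %d", i, len(header), len(row))
		}
		t, err := time.Parse(time.RFC3339, row[0])
		if err != nil {
			return nil, fmt.Errorf("row %d: bad time %q: %w", i, row[0], err)
		}
		out = append(out, AuditRecord{t, row[1], row[2], row[3], row[4]})
	}
	return out, nil
}

// Matches reports whether a record satisfies every criterion that is set.
func (f AuditFilter) Matches(r AuditRecord) bool {
	switch {
	case f.ActionScope != "" && r.ActionScope != f.ActionScope,
		f.ActionType != "" && r.ActionType != f.ActionType,
		f.ResourceType != "" && r.ResourceType != f.ResourceType,
		f.Username != "" && r.Username != f.Username,
		!f.From.IsZero() && r.Time.Before(f.From),
		!f.To.IsZero() && r.Time.After(f.To):
		return false
	}
	return true
}

func FilterAudit(records []AuditRecord, f AuditFilter) []AuditRecord {
	var out []AuditRecord
	for _, r := range records {
		if f.Matches(r) {
			out = append(out, r)
		}
	}
	return out
}

// ExportCSV writes records back out in the same layout, e.g. for a ticket or SIEM import.
func ExportCSV(records []AuditRecord) string {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	w.Write(header)
	for _, r := range records {
		w.Write([]string{r.Time.Format(time.RFC3339), r.ActionScope, r.ActionType, r.ResourceType, r.Username})
	}
	w.Flush()
	return sb.String()
}

func main() {
	records, err := ParseAuditCSV(sampleExport)
	if err != nil {
		panic(err)
	}
	// Every delete in the first week of March, regardless of scope or actor.
	f := AuditFilter{ActionType: "delete",
		From: time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC),
		To:   time.Date(2024, 3, 7, 23, 59, 59, 0, time.UTC)}
	fmt.Print(ExportCSV(FilterAudit(records, f)))
}
```

Filtering the export this way answers review questions that span several users or groups at once (every delete in a given week, for instance), which would otherwise take several passes through the Dashboard filters.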

User Groups

This section is where you manage user groups, which help you organize and monitor users.

  • Built-in User Groups: The system includes three default user groups: Administrators, Auditors, and Users. These groups cannot be removed or renamed.
  • You can create as many additional groups as you need and can freely rename, duplicate, edit, or delete them.

The overview page displays key details for all user groups, such as group names and member counts.

Figure 17. User Groups overview

From here, you can duplicate, edit, delete, and create user groups.

General Details

Clicking on a user group displays detailed information, including its user list and assigned security policies.

Figure 18.1. User Groups - General information and user list

Figure 18.2. User Groups - Security policies

Figure 18. User Groups general information

Audit Logs

Select a user group and click the Audit Logs tab to view its audit history. You can filter the logs by date, user, and action (create, update, delete) and export them to a CSV file.

Figure 19. User Groups - Audit Logs

Filters

Clicking Show Filters displays the filtering options for the audit logs.

Figure 20. User Groups - Audit Logs - Filters

Administrators can filter audit logs by:

  • Action Scope

    Figure 21. Filters - Action Scope

  • Action Type

    Figure 22. Filter - Action Types

  • Resource Type

    Figure 23. Filter - Resource Types

  • Username

    Figure 24. Filter - Usernames

  • Date

    Figure 25. Filter - Date

    Figure 26. Filter - Select Date

  • Date Range

    Figure 27. Filter - Select Date Range

Export

To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.

Figure 28. User Groups - Audit Logs - Export

Create a New User Group

To create a new user group, click the plus button in the bottom-right corner. You can then enter a name and description, and assign security policies to the group.

Figure 29. Create a new user group

Figure 30. Creating a new user group - Fill in the name and description

You can search for specific users and click the plus button in the Action column to add them to the group.

Figure 31. Creating a new user group - Adding users to the user group

You can also select multiple users with the checkboxes and click the Add button to add them all at once.

Figure 32. Creating a new user group - Adding multiple users to the user group

The users you add will appear in the Selected Users section.

Figure 33. Creating a new user group - Selected users

Click the Save button to create the user group.

Edit a User Group

To edit a group, click the pencil icon in the Action column. You can update its name and description (except for built-in groups) and add or remove members.

Info

The built-in user groups (Administrators, Auditors, and Users) are created during installation and cannot be deleted. Their names and descriptions cannot be edited.

Figure 34. Edit a user group

Management - Invitations

This section lists all user invitations that have been sent.

Figure 35. Dashboard: List of invitations

Invitation Utilities

The toolbar above the list provides several options:

Figure 36. Invitation utilities

  1. Search: Show or hide the search bar.

  2. Filter: Show or hide the filter options.

  3. Columns: Choose which columns to show or hide in the list.

  4. Reinvite Selected Users: Select one or more users and click this button to resend their invitations.

  5. Delete Selected Users: Select one or more users and click this button to delete their invitations.

  6. Toggle Density: Change the row height in the list. There are three density levels.

  7. Toggle Full Screen: View the list of invitations in full-screen mode.

Invitation Status

Figure 37. Invitation status

Note

Configuring SMTP is recommended for sending invitation emails directly from the system, but it is optional. If it is not configured, you can still invite users by manually copying and sharing the invitation link.

The Status column shows the current status of an invitation:

  • Pending: Waiting to be sent.
  • Sent: The email was successfully sent to the user.
  • Failed: The email could not be delivered (e.g., due to an invalid email address).
  • Blocked: The user entered incorrect credentials three times while trying to register.

Invitation Actions

Figure 38. Invitation actions

In the Action column, you can perform the following actions:

  • Copy the invitation link to the clipboard.
  • Re-invite a user (e.g., if their invitation link has expired).
  • Delete an invitation.

Create a New Invitation

To create a new invitation, click the "+" button in the bottom-right corner. Then, select the Identity Store where the user is located.

Figure 39. Create a new invitation

Info

Users are sorted by Name in ascending order by default.

Figure 40. Select the Identity Store

On the "Invite User" page, if a user is already registered, their avatar will have a green background and a "registered" icon, making it easy to identify existing users. Users with a grey icon are not registered.

Figure 41. User already registered

Info

Hovering over the icons displays tooltips that help you quickly identify the registration status.

Invite a New User

Figure 42. Select a user and create an invitation

Figure 43. Assign role(s)/user groups to the user

After you send the invitation, a confirmation notification will appear in the bottom-left corner.

Figure 44. Successfully sent invitation

Invite an Invited User

If a user has already been invited, a warning message will appear. You can then follow the same steps as when inviting a new user.

Figure 45. User already invited

Invitation - Audit Logs

You can access a user's Audit Logs directly from the Invitations page. Clicking on the user's email or the username in the "Invited By" column will take you to their Audit Logs page.

Figure 46. Clickable field to navigate to the corresponding User Audit Logs of the invited user or the invitation creator

Management - Actions

Refer to the User Manual.

Management - Authenticators

This section allows Administrators to manage authenticators such as Passkeys and Tokens.

Passkeys

Passkeys Overview

Figure 47. Passkeys overview

You can view a list of all passkeys for users within your tenant, including their names, usage counts, and creation dates. You can also delete any of these passkeys.

Info

Users can manage their own passkeys from their user profile page in the top-right corner.

Passkeys - Audit logs

Clicking on a passkey displays its Audit Logs.

Figure 48. Passkeys - Audit Logs

Filters and Export

You can apply filters to the audit logs and export them to a CSV file. See User Groups - Audit Logs for more details.

Tokens

Tokens General Information

Refer to the User Manual for more details.

Tokens - Audit Logs

In addition to general information, Administrators can access the audit logs for Tokens. Whenever a token is created, updated, or deleted, the change is automatically recorded. To view the logs, select a token from the list.

Figure 49. Tokens - Audit logs

Filters and Export

The Token Audit Logs can be filtered and exported to a CSV file. See User Groups - Audit Logs for more details.

Management - PAM

This section allows Administrators to manage all aspects of PAM, including adding and configuring targets, managing groups, reviewing session recordings, and performing full-text searches.

Targets

PAM Targets

In addition to standard user actions (connecting to and viewing targets), Administrators can also duplicate, edit, and delete PAM targets. They can also add new targets individually or import them from a CSV file.

Figure 50. PAM Targets overview

General Information

See the User Manual for more details on general information for PAM targets.

Audit Logs

Administrators can view Audit Logs for each PAM target. To access them, click View Target details for the desired target.

Figure 51. PAM: View Target details

Figure 52. PAM: Audit logs

An audit log is also created whenever a user performs any of the following actions:

  • Downloads a file
  • Downloads a session recording
  • Uploads or downloads files within a session

Figure 53. PAM target: Audit logs

You can filter the logs by date, user, and action (create, update, or delete).

Figure 54. PAM: Audit Logs Filters

You can also export the audit logs to a CSV file by clicking the Export button.

Figure 55. PAM: Audit Logs Export

Create a PAM Target

To create a PAM target, click the plus button in the bottom-right corner.

Figure 56. Create a new PAM target

Next, select the type of PAM target. RDP, SSH, and VNC targets are supported.

Figure 57. Select the type of PAM target

After filling in the required information, click the save button to create the target.

Add an RDP Target

Fill in the necessary information.

Add an SSH Target

Add a VNC Target

Import PAM Targets via CSV

To import PAM targets from a CSV file, click the import button in the bottom-right corner.

Figure 58. Import PAM targets via CSV

You can drag and drop a CSV file or click to select one from your computer.

Figure 59. Click to select CSV file or drag and drop CSV file

For information on the required data format, click the question mark icon.

This will show you the required format and allow you to download a template.

Figure 60. Data format required for importing a CSV file

Info

The TunnelID field is supported.

Direct Application Streaming via SAM

Overview

Excalibur's Streamed Access Management (SAM) feature allows users to access a specific application on a remote server without seeing the entire desktop. The application is streamed directly to their browser in real-time.

Key benefits include:

  • Remote Hosting: Applications run on a secure server, not on the user's device.
  • No Local Installation: Users only need a web browser to access the application.
  • Real-Time Streaming: The application's interface is streamed live to the user.
  • On-Demand Execution: Applications are launched only when needed, saving resources.
  • End-to-End Protection: All communication is encrypted and secure.

Configuration

To stream an application, it must first be configured on the RDP PAM target (for example, using Microsoft RemoteApp). You can then create or edit an RDP PAM target in Excalibur and configure the Remote Application settings.

Figure 61. PAM: Remote Application configuration

  • In the Application name field, enter the executable name prefixed with ||.
    • Example: ||Notepad. In this case, connecting to the PAM target will only show the Notepad application.
  • In the Working directory field, you can specify a starting directory.
  • In the Command line arguments field, you can add arguments (e.g., a file path to open automatically).
    • Example: c:\users\administrator\Documents\demo_file.txt. In this case, connecting to the PAM target will only show the document demo_file.txt opened in Notepad (provided the file exists).

PAM Target Groups

You can group PAM targets together to make them easier to manage and assign to users via security policies. This enhances efficiency and allows for more specific access control.

Info

A default group called Default system PAM Target Group is created automatically. This group cannot be deleted or renamed.

Figure 62. PAM Target Groups - Overview

Create a PAM Target Group

Figure 63. Create a new PAM target group

Enter a name and description for the group and choose a color for its tag.

Figure 64. Create a new PAM target group - Fill in the name, description, and configure the Tag Color

You can add PAM targets to the group by clicking the plus button next to each target.

Figure 65. Add a PAM target to the PAM target group

You can also select multiple targets using the checkboxes and click the Add button.

Figure 66. Add multiple PAM targets to the PAM target group

The selected targets will be displayed in the Selected PAM Targets section.

Figure 67. List of Selected PAM targets

Click the Save button to create the group.

Edit a PAM Target Group

To edit a group, click the pencil icon in the Action column. You can update its name, description, and members.

Info

The Default system PAM Target Group is created during installation and cannot be deleted. Its name, description, and color tag cannot be edited.

PAM Target Group - Audit logs

Administrators can view the Audit Logs for PAM Target Groups to track all changes and activities.

Figure 68. PAM Target Group - Audit logs

Sessions

The PAM Sessions page includes Sessions and Full-text search functionalities. Administrators can access all sessions in the system, while users can only access their own. Tenant Administrators can access all sessions within their tenant.

Refer to the User Manual for more details.

Sessions

Figure 69. PAM Sessions overview

The PAM Sessions page is a central place to manage and review all session recordings. This provides comprehensive oversight of user interactions with critical systems, which is crucial for maintaining security and compliance.

Each entry provides details about the session, with options to play or download the recording, download the session transcript, or view associated file transfers.

The Sessions tab lists all active and past PAM sessions. By default, all PAM sessions are logged.

The Full-Text Search feature allows you to find specific text or commands within any recorded session.

Search results are displayed in a table. You can view details about each occurrence or play the corresponding session recording to see the full context. This helps you quickly find relevant information and analyze specific scenarios.

Management - Tenants

This section provides an overview of all tenants in the system and allows you to create new ones. You can use the search field to find specific tenants or switch to a different tenant directly from this menu.

This section is only available to System Administrators.

Tenant List

From this page, you can manage all tenants. System Administrators can edit or delete existing tenants as needed.

Figure 70. Tenants list

Create a New Tenant

To create a new tenant, click the "+" button in the bottom-right corner. Here you can enter the tenant's general information, such as its name, alias, description, and network addresses.

Figure 71. Create a new tenant

Tenant Details

Clicking on a tenant displays its details, which are organized into several tabs.

  • General: Basic information about the tenant, its User Group list, and Cluster Status.

    Figure 72. General information

  • Identity Store: Lists all identity stores associated with the tenant. You can create a new identity store or delete an existing one.

    Figure 73. Identity store

  • Users: Lists all users associated with the tenant. You can delete existing users from here.

    Figure 74. Users

  • Invitations: Displays all invitations sent under the tenant. You can copy an invitation link, resend an invitation, or delete it. You can also create a new invitation from this tab.

    Figure 75. Invitations

    Figure 76. Clicking the "+" button in the bottom-right corner to add a new invitation.

    Figure 77. Select identity store

    Figure 78. Clicking the invitation button

    Figure 79. Selecting the user role: User, Auditor, or Administrator

    Figure 80. Invitation successfully sent

  • Network: Lists all network addresses associated with the tenant. You can add new network addresses or import them from a file.

    Figure 81. Network

Network

Network - Tunnels

Tunnels Overview

The Excalibur Tunnel Client is a component that creates a secure connection from your company's local network to the Excalibur Cloud. This allows users to access resources on your local network (like servers or applications) through the Excalibur Dashboard, even if the Dashboard is hosted in the cloud.

It establishes a secure and reliable connection using mutual TLS (mTLS) for both authentication and encryption, ensuring your data remains protected.

  • Enhanced Security: Provides a secure, encrypted communication channel for privileged access.
  • Flexibility: Can be deployed in VMs or on local machines.
  • Simplified Management: Integrates smoothly with PAM for centralized access management.
  • Hybrid Compatibility: Bridges the gap between on-premise and cloud-based systems.
  • Cross-Platform: Available for Debian/Ubuntu, Red Hat/CentOS, other Linux distributions, and Windows.
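
What the mTLS requirement means in practice, as an added example that is not the Excalibur Tunnel Client's own code: the Go program below builds an in-memory CA, issues one server and one client certificate from it, starts a listener that accepts only clients whose certificate chains to that CA, and then shows that a client without a certificate is refused while the CA-issued one is let through. The CA name, the subject names, the port and the "ok" banner are all constructed for this example; in a real deployment the client certificate comes from the tunnel activation step and the CA is the one the Excalibur Cloud trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustIssue creates an in-memory certificate: self-signed when parent is nil (the demo
// CA), otherwise signed by parent/parentKey. It panics on entropy/encoding failures.
func mustIssue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the client verifies the server by IP
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunMTLSDemo starts a listener that requires a client certificate chaining to the demo
// CA and returns (withCert, withoutCert): whether a client holding a CA-issued
// certificate, and one holding none, receive the server's "ok" after the handshake.
func RunMTLSDemo() (bool, bool, error) {
	ca, caKey := mustIssue("demo tunnel CA", true, x509.ExtKeyUsageAny, nil, nil)
	srv, srvKey := mustIssue("tunnel endpoint", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := mustIssue("tunnel-client-01", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS requirement: no CA-issued client cert, no session
		ClientCAs:    pool,
	})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() {
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // fails unless an acceptable client cert was presented
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	// A TLS 1.3 client only learns that its certificate was rejected on its first read,
	// so the check is "did the server send ok", not "did tls.Dial return without error".
	attempt := func(cfg *tls.Config) bool {
		conn, e := tls.Dial("tcp", ln.Addr().String(), cfg)
		if e != nil {
			return false
		}
		defer conn.Close()
		buf := make([]byte, 2)
		n, e := conn.Read(buf)
		return e == nil && string(buf[:n]) == "ok"
	}
	withoutCert := attempt(&tls.Config{RootCAs: pool})
	withCert := attempt(&tls.Config{RootCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}})
	return withCert, withoutCert, nil
}

func main() {
	withCert, withoutCert, err := RunMTLSDemo()
	fmt.Println("CA-issued client cert accepted:", withCert, "| no client cert accepted:", withoutCert, "| err:", err)
}
```

The property worth checking in a deployment is the server-side one: the endpoint must require and verify the client certificate, not merely offer TLS. Encrypting the channel alone (the equivalent of a listener with ClientAuth left at its default) would let any host that can reach the endpoint open a tunnel session.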

Figure 82. Tunnel overview in Dashboard

More details about the Excalibur Tunnel Client are available on GitHub.

After installing the client, you can run the command sudo excalibur-tunnel -h to see all available commands.

Figure 83. Excalibur-tunnel client application help menu

Create a Tunnel in Dashboard

To create a new tunnel, click the plus button in the bottom-right corner.

Figure 84. Create a new tunnel

Enter a name and description for the tunnel, then click the save button.

Figure 85. Fill in new tunnel information

Establish a Tunnel Connection with the Excalibur Tunnel Client

After creating a tunnel in the Dashboard, click on its name to see the setup instructions.

Figure 86. Click a tunnel name to view the commands to establish a connection

There are four main steps:

  • Download the Tunnel Package
  • Install the excalibur-tunnel client application
  • Activate the tunnel
  • Verify the tunnel status

Figure 87. Overview of Tunnel setup

First, download and install the Excalibur Tunnel client on a machine in your local network that can access the PAM resources you want to share. Be sure to select the correct operating system.

Figure 88. Select the operating system to install the Excalibur Tunnel Client

For Debian and Red Hat-based systems, you can run the commands provided in the Tunnel Setup section.

Figure 89. Tunnel Setup for Debian-based systems

Figure 90. Tunnel Setup for Red Hat-based systems

For Windows, you can download the installer through the browser or via the command line.

Figure 91. Tunnel Setup for Windows systems - Download the installer using GUI

Figure 92. Tunnel Setup for Windows systems - Download and install the tunnel via command line

After installing the tunnel client on Windows, you can activate the tunnel using CMD or PowerShell.

Figure 93. Tunnel Setup for Windows systems - Activate the tunnel via command line

Excalibur Tunnel Client - Proxy Configuration

The Excalibur Tunnel Client supports proxy configurations, which is useful for environments where internet access is restricted. This feature routes all connections through a specified proxy server.

Run the command sudo excalibur-tunnel setup to configure the proxy settings.

Figure 94. Excalibur Tunnel Client - Proxy settings

You can also select different log levels, such as debug, info, warning, error, and fatal.

Figure 95. Excalibur Tunnel Client - Select Log Level

Click the Save button to save the settings.

Info

The Windows installer includes log rotation. Logs are compressed every 50MB, and logs older than 7 days are deleted.

Connect to a PAM Target via the Tunnel

Go to PAM targets, then create or edit a PAM target. In the Network details section, select the tunnel you created.

Figure 96. Select the tunnel name in a PAM target

Afterward, you will see the PAM target listed in the tunnel's description.

Figure 97. PAM target in the tunnel description

You can connect to SSH, RDP, and VNC PAM targets through the tunnel.

Connect to an Identity Store via the tunnel

Connection to Identity Stores via the tunnel is supported with full configuration and monitoring capabilities.

Go to Identity Stores and create or edit an existing Identity Store. Then add (or edit) a configuration of that Identity Store.

Figure 98. Add or edit a configuration of an Identity Store

In the configuration page, select the tunnel and configure the parameters such as host name, port, and protocol.

Figure 99. Configure the Identity Store settings with tunnel

Once connected, the connection status is logged.

Figure 100. Connection status of Identity Store via Tunnel

Alerts are generated for failures or timeouts.

Figure 101. Alerts for Identity Store connection issues

In the Tunnel page, you will see the Identity Store listed under the Assigned Identity Store Configurations section.

Figure 102. Identity Store in Tunnel page

Tunnel Audit Logs

To view a tunnel's audit logs, click on the tunnel and select the Audit Logs tab.

Figure 103. Tunnel Audit logs

SAML

Excalibur supports SAML integration, which allows for secure authentication through enterprise identity providers. SAML (Security Assertion Markup Language) is a standard for Single Sign-On (SSO). It lets users log in once to access multiple applications without needing to log in again for each one. It works by passing authentication information from an Identity Provider (IdP) to a Service Provider (SP).

SAML - Service Providers

Service Providers

The Service Providers screen lists all configured Service Providers (SPs) that use Excalibur for SAML-based authentication. From here, you can create, edit, and delete SPs.

Figure 104. Service Providers overview

Add a New Service Provider

Figure 105. Click the plus button to add a new Service Provider

Figure 106. Fill in new Service Provider information

General Information

  • Name: Enter a clear, descriptive name for the Service Provider (e.g., Grafana Cloud).
  • Description (Optional): Add any notes to help other admins understand its purpose.
  • Enabled Toggle: Enable the SP immediately or leave it disabled to finish setup later.
  • Initiated Login: Enable this to allow users to log in to this SP directly from the Excalibur interface.

Metadata Configuration

You have two options for configuring the SP's metadata:

  • Option 1: Fill in Metadata URL

    • Enter the Metadata URL provided by the SP. This is a direct link to the SP's metadata file (usually ending in .xml).

    Figure 107. Fill in Metadata URL

  • Option 2: Upload XML Metadata

    • Upload a metadata file (.xml) provided by the SP.

    Figure 108. Upload XML Metadata

Login to a Service Provider

Users can log in directly to service providers from the interface.

Figure 109. Click the login button to log in to a Service Provider

If login isn't available for a service provider, a message will explain why.

Figure 110. Login not available for this Service Provider

Info

Users can also authenticate to SAML applications using passkeys.

Edit Service Provider

Figure 111. Click the pencil icon to edit a Service Provider

Figure 112. Edit the Service Provider as when creating a new one

Service Provider Groups

You can organize Service Providers into groups for easier policy management. This allows you to apply settings to an entire group at once instead of configuring each SP individually.

Figure 113. Service Provider Group overview

Create Service Provider Group

Figure 114. Click the plus button to create a service provider group

Enter a name and description for the group, then select the Service Providers to add to it.

Figure 115. Add a Service Provider to the group

You can select multiple Service Providers using the checkboxes and click the Add button.

Figure 116. Add multiple Service Providers to the group

The selected SPs will appear in the Selected Service Providers section.

Figure 117. List of Selected Service Providers

Click the Save button to create the group.

Edit Service Provider Groups

To edit a group, click the pencil icon in the Actions column. You can update its name, description, and members.

Figure 118. Edit Service Provider Group

SAML - Identity Provider

Figure 119. Identity Provider overview

This section provides the URLs and certificate required to configure your service providers.

  • Entity ID: The unique identifier for the Identity Provider.
  • URL (Metadata URL): The endpoint where SPs can retrieve the IdP metadata. You can copy the URL, copy the full metadata content, or download it as an XML file.
  • Certificate: The certificate used to digitally sign SAML assertions. You can renew, copy, or download the certificate. You can also generate a new signing certificate or upload your own.

Security

This section contains settings related to system security. The options available depend on your role (System Administrator or Tenant Administrator).

Security - Geofences

A Geofence is a virtual boundary around a specific geographical area. Here, you can create new Geofences, edit existing ones, and organize them into groups.

Geofences

Overview

Figure 120. Geofences overview

Info

The radius of a geofence is measured in meters.

The Geofences page allows you to manage all geographical boundaries. If a valid Google API key is provided, a map will be displayed to help you visualize the geofences.
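
How a circular geofence is evaluated against a location, as an added example that is not Excalibur's own code: the Go program below models a geofence as a centre (latitude, longitude) plus a radius in meters, computes the great-circle distance with the haversine formula, reports which fences contain a given point, and validates the fields a manual-entry form must reject (coordinates out of range, non-positive radius). The circular model, the mean Earth radius and the sample coordinates are assumptions made for this example.

```go
package main

import (
	"fmt"
	"math"
)

const earthRadiusMeters = 6371000.0 // mean Earth radius used by the haversine formula

// Geofence is a circular boundary: a centre and a radius in meters, the unit the
// Dashboard uses for the radius field.
type Geofence struct {
	Name     string
	Lat, Lon float64 // centre, decimal degrees
	RadiusM  float64
}

// HaversineMeters returns the great-circle distance between two points.
func HaversineMeters(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusMeters * math.Asin(math.Sqrt(a))
}

// Contains reports whether the point lies inside (or exactly on) the fence.
func (g Geofence) Contains(lat, lon float64) bool {
	return HaversineMeters(g.Lat, g.Lon, lat, lon) <= g.RadiusM
}

// ValidateGeofence rejects coordinates outside the valid ranges and a
// non-positive radius, the inputs a manual-entry form needs to catch.
func ValidateGeofence(g Geofence) error {
	switch {
	case g.Name == "":
		return fmt.Errorf("geofence name is required")
	case g.Lat < -90 || g.Lat > 90:
		return fmt.Errorf("latitude %v out of range [-90, 90]", g.Lat)
	case g.Lon < -180 || g.Lon > 180:
		return fmt.Errorf("longitude %v out of range [-180, 180]", g.Lon)
	case g.RadiusM <= 0:
		return fmt.Errorf("radius must be a positive number of meters, got %v", g.RadiusM)
	}
	return nil
}

// MatchingGeofences returns the names of every fence containing the point; a
// geofence-based security rule would be evaluated from this list.
func MatchingGeofences(fences []Geofence, lat, lon float64) []string {
	var names []string
	for _, g := range fences {
		if g.Contains(lat, lon) {
			names = append(names, g.Name)
		}
	}
	return names
}

func main() {
	// Constructed sample: two fences sharing a centre and a point about 1.1 km north of it.
	fences := []Geofence{
		{Name: "HQ", Lat: 48.1486, Lon: 17.1077, RadiusM: 1000},
		{Name: "Campus", Lat: 48.1486, Lon: 17.1077, RadiusM: 5000},
	}
	fmt.Printf("distance: %.0f m\n", HaversineMeters(48.1486, 17.1077, 48.1586, 17.1077))
	fmt.Println("inside:", MatchingGeofences(fences, 48.1586, 17.1077))
}
```

A shift of 0.01 degrees of latitude is about 1112 m on this model, so the point falls outside the 1000 m fence and inside the 5000 m one; entering the radius in kilometres by mistake (5 instead of 5000) would make the fence contain almost nothing, which is the kind of input the validation step cannot catch and a quick distance check like this one can.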

Create a New Geofence

To create a new Geofence, click the plus button in the bottom-right corner.

Figure 121. Click the plus button to create a new Geofence

Figure 122. Create Geofence page

Enter a name and select the Geofence Groups it should belong to.

Figure 123. Select Geofence Groups

You can type an address in the Search address field, and the system will automatically fill in the latitude and longitude. You can also enter these values manually.

Figure 124. Search address field

On the right, you can toggle Display all Geofence to see all existing geofences on the map.

Figure 125. Display all Geofence toggle

After filling in the information, click the save button.

Edit/Delete a Geofence

You can edit or delete existing geofences from the actions menu in the list.

Figure 126. Edit or delete a geofence

Geofence Audit Logs

To view the audit logs for a geofence, click View Geofence Details in the Actions column.

Figure 127. Geofence Audit logs

Geofence Groups

From this page, you can manage all Geofence Groups. You can view, edit, remove, and create new groups.

Figure 128. Geofence Groups overview

Create Geofence Group

Figure 129. Click the plus button to create a new Geofence Group

Figure 130. Fill in the name and description of the Geofence Group

Click the save button to create the group.

Edit Geofence Group

Click the edit button to modify a group's name and description.

Figure 131. Edit Geofence Group

Geofence Group Audit Logs

Clicking on a Geofence Group displays its audit logs.

Figure 132. Geofence Group Audit logs

Security - Security Policies

This section is where you manage Security Policies and Rule Sets, which control access between User Groups and PAM Target Groups. You can define policies that specify which users are authorized to access which resources.

Security Policies

Overview

  • A Security Policy defines access rules. It includes a name, description, target type (e.g., Dashboard, PAM), action type, a list of user groups, and a list of rule sets. Depending on the action and target type, a security policy may relate to
    • Dashboard
    • SAML Service Provider Groups
    • PAM Target Groups
  • Evaluation Logic: For access to be granted, a user must meet all the conditions of at least one complete rule set within a policy.
  • Policy Management: Policies can be created, modified, copied, or deleted. System Administrators can manage all policies, while Tenant Administrators can only manage policies within their tenant.

Figure 133. Security Policies overview

The system includes four default security policies that can be modified but not deleted.

  • Default registration security policy
  • Default authentication security policy
  • Default authorization security policy
  • Default SAML authentication security policy

When you edit a default policy, a warning will appear to confirm the action.

Figure 134. Warning when editing default security policies

Registration Type

Figure 135. Security Policies: Registration type

Definition

  • A registration security policy defines the rules a user must meet during the registration process. This policy is always tied to the Dashboard as its target and includes mappings to user groups and rule sets. Every registration policy must have at least one user group assigned to it.

  • In the system scope, a default registration policy is automatically created during database initialization. It includes all three default user roles, has no time or date restrictions, uses the default rule set, and can be edited by authorized users but not deleted.

  • Administrators can also create or copy custom registration policies in the system scope. From the system-level tenant detail view, they can also manage tenant-specific registration policies—similar to how tenant Active Directories are managed.

  • In the tenant scope, a default registration policy is created when the tenant is created and removed if the tenant is deleted. It mirrors the system default but links to the tenant’s default user groups and can be deleted if needed.

Validation
  • During the registration process, the system uses the tenant ID and user ID from the QR code to select the relevant registration security policies and their associated rule sets. If at least one complete set of rules within a policy is successfully validated, the user is authorized to register. If no rule sets pass validation, registration is denied, and the system records which rules prevented it.
  • Additionally, the system keeps track of the rules that were successfully completed. The registration action details will show the policies used to validate the user and the results of those validations.
  • Note: Since rule sets with the same name may exist in both the system and tenant scope, the system clearly indicates which scope each rule set belongs to, ensuring transparency.

Authentication Type

image

Figure 136. Security Policies: Authentication type

Definition
  • An authentication security policy defines the rules users must follow during login. There are two types: one for Dashboard access and another for SAML Service Provider authentication via the Excalibur SAML IdP. Both support login using tokens (QR codes) or passkeys. Dashboard policies require at least one user group, while SAML policies require at least one user group and one SAML service provider group.
  • In the system scope, default Dashboard and SAML authentication policies are created automatically during setup. These include all default user groups, have no time restrictions, and use the default rule sets. Authorized users can edit these policies but cannot delete them.
  • Tenant-level authentication policies are managed similarly. When a tenant is created, default Dashboard and SAML policies are set up with tenant-specific groups and can be edited or deleted. Tenant Administrators can also create their own policies and use system-defined rule sets within the tenant scope.
  • For emergency access, a rescue authentication policy can be created only by System Administrators via the command line. This policy has no restrictions, is used solely for emergency logins, and deletes itself after a successful login. Tenant scopes do not have a rescue policy, but tenant policies can be managed directly by System Administrators.
Validation
  • The validation process varies depending on the target type. For SAML authentication, security policies are selected based on the tenant ID, user ID, user groups, and SAML Service Provider groups. For the Dashboard target, policies are selected based solely on user groups.
  • The system validates the selected security policies and their related rule sets. If at least one complete rule set passes validation, the user is authorized to authenticate. If no rule sets pass, access is denied, and the system records which rules prevented authentication.
  • The action details display the policies used to validate the user during authentication and the outcomes of each validation.

Authorization Type

image

Figure 137. Security Policies: Authorization type

Definition
  • An authorization security policy defines the rules a user must follow during the PAM authorization process. It targets PAM and requires at least one PAM target group, one user group, and one rule set to be assigned. Users can authorize by scanning a QR code or using their passkey.
  • In the system scope, a default authorization policy is created during system setup. This policy has no time limits and links to the three default user groups, a default PAM target group, and a default rule set. While it can be edited, it cannot be deleted.
  • System Administrators manage tenant authorization policies through the tenant’s Security Policies tab. When a tenant is created, a default authorization policy is also created for that tenant and is deleted when the tenant is removed. This tenant-specific default policy connects to the tenant’s default user groups, PAM target group, and rule set, and can be edited but not deleted.
  • Tenant Administrators can create, edit, delete, or copy their own authorization policies, which must include at least one PAM target group, one user group, and one rule set. Rule sets defined at the system level are also available within the tenant scope, allowing tenant admins to use or copy them for their policies.
Validation
  • When a user initiates access using a QR code or passkey, the system checks their identity and group membership to determine which authorization policies apply. Based on these policies, it evaluates the necessary security rules. If at least one complete set of rules is successfully validated, the user is authorized, and a PAM session is created. If no rules are fully met, access is denied, and the system logs which rules were attempted and which ones failed.
  • The system also records any rules that were successfully completed. For added efficiency, if the user already passed certain rules during the login process, those validations are reused and not repeated during authorization.
  • The user’s access details clearly show which policies were applied and the results of each validation, ensuring transparency and easier troubleshooting.
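The evaluation logic described above for registration, authentication and authorization is the same in all three cases: a policy is selected by the user's groups, every rule of at least one rule set must pass, and the rules that passed and failed are kept for the action details. The following is an added example written for this manual, not Excalibur's own code, that models that logic with the rule kinds a Rule Set can contain (time range, IP range, factors, phone status, passkey allowed) and the reuse of rules already validated at login. The Context fields, the rule identifiers and the sample policy are assumptions made for the illustration.

```python
"""Illustrative evaluator for security policies and rule sets (added example, not
Excalibur's code). Semantics follow the manual: policies are selected by user
group, access requires ALL rules of AT LEAST ONE rule set, passed and failed rules
are recorded, and rules already validated at login may be reused at authorization.
Context fields, rule ids and the sample policy are assumptions."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Optional
import ipaddress


@dataclass(frozen=True)
class Context:
    """What the server knows about the request (assumed shape)."""
    user_groups: frozenset
    method: str                   # "token" (QR code scanned by the app) or "passkey"
    factors: frozenset            # factors completed, e.g. {"pin", "biometry"}
    local_time: time
    source_ip: str
    phone_status: str             # "online" or "offline"
    already_passed: frozenset = frozenset()   # rule ids validated earlier at login


@dataclass(frozen=True)
class Rule:
    rule_id: str
    check: Callable[[Context], bool]


def time_rule(rule_id: str, start: time, end: time) -> Rule:
    """Time range rule; a range that wraps past midnight is handled too."""
    def ok(ctx: Context) -> bool:
        t = ctx.local_time
        return start <= t <= end if start <= end else (t >= start or t <= end)
    return Rule(rule_id, ok)


def ip_range_rule(rule_id: str, cidr: str) -> Rule:
    net = ipaddress.ip_network(cidr, strict=False)
    return Rule(rule_id, lambda ctx: ipaddress.ip_address(ctx.source_ip) in net)


def factors_rule(rule_id: str, required) -> Rule:
    return Rule(rule_id, lambda ctx: frozenset(required) <= ctx.factors)


def phone_status_rule(rule_id: str, expected: str) -> Rule:
    return Rule(rule_id, lambda ctx: ctx.phone_status == expected)


def passkey_rule(rule_id: str, allowed: bool) -> Rule:
    """When passkeys are not allowed, a passkey login cannot satisfy this rule set."""
    return Rule(rule_id, lambda ctx: allowed or ctx.method != "passkey")


@dataclass(frozen=True)
class RuleSet:
    name: str
    rules: tuple


@dataclass(frozen=True)
class Policy:
    name: str
    user_groups: frozenset
    rule_sets: tuple


@dataclass
class Decision:
    authorized: bool
    matched: Optional[str]        # "policy/rule set" that granted access, if any
    passed: set = field(default_factory=set)
    failed: set = field(default_factory=set)


def evaluate(policies, ctx: Context) -> Decision:
    """All rules of at least one rule set of an applicable policy must pass."""
    decision = Decision(False, None)
    for policy in policies:
        if not (policy.user_groups & ctx.user_groups):
            continue                          # policy not selected for these groups
        for rs in policy.rule_sets:
            failed_here = set()
            for rule in rs.rules:
                if rule.rule_id in ctx.already_passed or rule.check(ctx):
                    decision.passed.add(rule.rule_id)
                else:
                    failed_here.add(rule.rule_id)
            if not failed_here:
                decision.authorized = True
                decision.matched = f"{policy.name}/{rs.name}"
                return decision
            decision.failed |= failed_here    # kept for the audit record
    return decision


# Constructed sample: tenant administrators may authorize a PAM session either from
# the corporate network during office hours (token login, PIN) or from anywhere with
# a passkey plus biometry; the phone must be online in both cases.
OFFICE = RuleSet("office hours", (
    time_rule("office-time", time(8, 0), time(18, 0)),
    ip_range_rule("corp-net", "10.0.0.0/8"),
    passkey_rule("token-only", False),
    factors_rule("pin", {"pin"}),
    phone_status_rule("phone-online", "online"),
))
ANYWHERE = RuleSet("passkey anywhere", (
    passkey_rule("passkey-allowed", True),
    factors_rule("biometry", {"biometry"}),
    phone_status_rule("phone-online", "online"),
))
SAMPLE_POLICIES = (
    Policy("Tenant admin PAM authorization", frozenset({"Tenant Administrators"}),
           (OFFICE, ANYWHERE)),
)


def sample_context(method, factors, hour, source_ip, online=True,
                   groups=("Tenant Administrators",), already_passed=()) -> Context:
    return Context(frozenset(groups), method, frozenset(factors), time(hour, 0),
                   source_ip, "online" if online else "offline", frozenset(already_passed))


def decide(ctx: Context) -> Decision:
    return evaluate(SAMPLE_POLICIES, ctx)
```

A token login at 22:00 from outside the corporate network with only a PIN is denied, and the decision lists office-time, corp-net and biometry as the rules that blocked it; the same request with office-time and corp-net already validated at login is authorized through the office rule set without re-evaluating them, which is the reuse the manual describes.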

Security Policy Audit Logs

Clicking on a security policy displays its audit logs.

image

Figure 138. Security Policy Audit logs

Rule Sets

Overview

Rule Sets define a collection of authentication rules and conditions that can be assigned to Security Policies.

Each rule set includes a required name, an optional description, configuration of authentication factors such as PIN & biometry, an option to allow passkey usage, and additional conditions, including Time range, IP range, Geolocations and Geolocation Groups, Phone status, and Device integrity check.

Rule Set Management: Rule Sets can be created, modified, copied, or deleted by users with the appropriate permissions.

  • System-scope administrators can manage all rule sets.
  • Tenant-scope administrators can manage only rule sets created in their tenant.
  • System-scope Rule Sets are visible in the tenant scope in read-only mode and can be reused in tenant policies.

Default Rule Sets can be modified or copied, but not deleted:

  • Default registration rule set
  • Default authentication rule set
  • Default authorization rule set
  • Default SAML authentication rule set

image

Figure 139. Rule Sets overview

Default geofences / geofence groups are pre-configured for the global regions of Europe and the Middle East, North America, South America, Africa, Asia, and Australia. Each region's time zones are mapped to a corresponding default geofence object. When a user selects a time zone during the setup process, the appropriate default geofence or geofence group is automatically mapped to the default rule set.

Create a New Rule Set

image

Figure 140. Click the plus button to create a new Rule Set

image

Figure 141. Fill in the name and description of the Rule Set

Rule Sets can include rules for:

  • Passkey authentication
  • Time
  • Factors
  • Geofences
  • Phone Connection
  • IP Address

image

Figure 142. Rule Set list

Passkeys

Enable this to allow users to authenticate with a passkey (fingerprint, face, or device PIN) instead of the mobile app token.

image

Figure 143. Enable Passkey authentication

Time

image

Figure 144. Time rule

Factors

image

Figure 145. Factors rule

Geofences

image

Figure 146. Geofences rule

Phone Connection

image

Figure 147. Select type: Status or Integrity check

image

Figure 148. Status

image

Figure 149. Online or Offline status

image

Figure 150. Integrity check

IP Address

image

Figure 151. IP Address rule: select IP or IP range

image

Figure 152. Select IP Address

image

Figure 153. Select IP Address range

Rule Set Audit Logs

Clicking on a rule set displays its audit logs.

image

Figure 154. Rule Set Audit logs

Security - Network Policy

This section allows you to define which network addresses are allowed to connect to the system.

By default, if no network policies are defined, the system accepts connections from all networks. As soon as you create a network policy, the system accepts connections only from the networks in the list. Before you save the first policy, make sure the address or range you are administering from is included; otherwise your own Dashboard session is locked out together with everything else.

image

Figure 155. Network Policies overview

Create a New Network Policy

image

Figure 156. Click the Add button to create a new Network Policy

image

Figure 157. Fill in the Network Address, click the Save button in the Actions column, and click the Save button in the lower-right corner

Import Network Policies

image

Figure 158. Click the Import button to import Network Policies

image

Figure 159. Select the file to import Network Policies

You can import a text file with a list of network addresses, one per line.

image

Figure 160. After importing a file, the content is automatically displayed in the box below

Click Confirm to import the network addresses, then click the Save button.
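Because the list replaces "allow from everywhere" the moment it is saved, it is worth checking the import file before uploading it. The following is an added example for this manual, not part of the Excalibur import itself: it parses a file in the documented one-address-per-line form strictly, collapses duplicate and overlapping entries, flags a catch-all prefix, and reports whether the address you administer from is still covered. The sample file and the administrator address are constructed for the illustration.

```python
"""Pre-import check for a network policy file (added example, not part of the
Excalibur import). Input format: one network address per line, as the manual
describes. The sample file and the admin address below are constructed."""
import ipaddress


def parse_allowlist(text: str):
    """Return (networks, errors). Strict parsing rejects prefixes with host bits set."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    return networks, errors


def check_allowlist(text: str, admin_ip: str) -> dict:
    """Summarise what the list will allow and whether it is safe to import."""
    networks, errors = parse_allowlist(text)
    # collapse_addresses() merges duplicates, subsumed and adjacent entries but
    # refuses mixed address families, so IPv4 and IPv6 are handled separately.
    collapsed = []
    for version in (4, 6):
        collapsed += ipaddress.collapse_addresses(n for n in networks if n.version == version)
    warnings = []
    if len(collapsed) < len(networks):
        warnings.append(f"{len(networks) - len(collapsed)} entries are duplicates, "
                        "covered by a wider entry, or mergeable")
    for net in networks:
        if net.prefixlen == 0:
            warnings.append(f"{net} allows every address and makes the policy pointless")
    admin = ipaddress.ip_address(admin_ip)
    admin_covered = any(admin in net for net in networks)   # False across families
    if not admin_covered:
        warnings.append(f"{admin_ip} is not in the list: importing it would lock you out")
    return {
        "networks": [str(n) for n in collapsed],
        "errors": errors,
        "warnings": warnings,
        "admin_covered": admin_covered,
        "safe_to_import": not errors and admin_covered,
    }


# Constructed sample file: a duplicate, an entry already covered by a wider one,
# and a prefix with host bits set (line 5) that has to be corrected before import.
SAMPLE_FILE = """\
10.20.0.0/16
10.20.5.0/24
192.0.2.17
192.0.2.17
10.0.0.5/8
2001:db8::/32
"""
```

Run check_allowlist(SAMPLE_FILE, "10.20.5.40") to see the collapsed list, the error for line 5 and the lock-out check; only import when "safe_to_import" is true and the warnings have been reviewed.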

Security - Password Rotation Policy

Overview

Excalibur PAM allows you to configure automated password rotation for user accounts on PAM targets. You can schedule password changes at customizable intervals, from a minimum of 1 hour to a maximum of 1 year.

Automated password changes are currently implemented over SSH connections; thus, native support is limited to the SSH PAM protocol. For non-SSH targets such as RDP and VNC PAM, automated password rotation can be achieved by deploying an SSH server on those targets and then applying the password rotation policy accordingly.

Info

The SSH server feature is a built-in functionality in modern Windows servers and desktops that does not require any 3rd-party component:

  • Windows 10 (version 1809 and later) – Optional feature: You can install it via Settings → Apps → Optional Features or using PowerShell (Add-WindowsCapability).
  • Windows 11 – Available as an optional feature (the OpenSSH client is installed by default; the server still has to be enabled via Settings or PowerShell).
  • Windows Server 2019 – OpenSSH is included as an optional feature (but not installed by default).
  • Windows Server 2022 – Available as an optional feature.
  • Windows 8.1, 8, 7, Windows Server 2016 and earlier: Can be installed manually as a 3rd-party service.

image

Figure 161. Password Rotation Policy overview

Complexity Requirements

You can configure the following password complexity settings based on your organization's requirements:

Figure 162. Complexity requirements

  • Lowercase letters: Option to require at least one lowercase letter (a-z).
  • Uppercase letters: Option to require at least one uppercase letter (A-Z).
  • Special characters: Option to require at least one special character (e.g., !, @, #, $, etc.).
  • Numbers: Option to require at least one numeric digit (0-9).
  • Password Length: Option to enforce a minimum password length (e.g., 12 characters).

These complexity settings can be enabled or disabled individually, offering flexibility in aligning with internal policies or compliance regulations.
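The following is an added example for this manual, not the Excalibur rotation job, showing what a rotation implementation has to get right with settings like these: new passwords come from a cryptographically secure generator, every enabled character class is guaranteed to be present at the configured minimum length, and the same policy object can be used to check a password that did not come from the generator. The Complexity fields mirror the options above; the generation character set for "special characters" is an assumption, chosen to avoid characters that need quoting when the new password is passed to a change-password command over SSH (quotes, backslash, backtick, dollar sign, space), while the check accepts any punctuation.

```python
"""Generating and checking passwords against rotation complexity settings (added
example, not Excalibur's rotation job). Complexity fields mirror the Dashboard
options; the SAFE_SPECIALS generation set is an assumption made to keep the
password shell-safe when it is passed to a change-password command over SSH."""
import secrets
import string
from dataclasses import dataclass

# Subset of string.punctuation without quotes, backslash, backtick, $ and space.
SAFE_SPECIALS = "!@#%^&*()-_=+[]{}:;,.?/"

# (policy flag, characters accepted by the check, characters used when generating)
CLASS_TABLE = (
    ("lowercase", string.ascii_lowercase, string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase, string.ascii_uppercase),
    ("numbers", string.digits, string.digits),
    ("special", string.punctuation, SAFE_SPECIALS),
)


@dataclass(frozen=True)
class Complexity:
    lowercase: bool = True
    uppercase: bool = True
    numbers: bool = True
    special: bool = True
    min_length: int = 12


def _classes(policy: Complexity):
    """(accepted, generated) character sets for every class the policy enables."""
    return [(accept, gen) for flag, accept, gen in CLASS_TABLE if getattr(policy, flag)]


def meets_policy(password: str, policy: Complexity) -> bool:
    """True when the length and every enabled class requirement are satisfied."""
    if len(password) < policy.min_length:
        return False
    return all(any(c in accept for c in password) for accept, _ in _classes(policy))


def generate_password(policy: Complexity, length: int = 0) -> str:
    """Random password of max(length, min_length) characters that satisfies the policy."""
    classes = _classes(policy)
    length = max(length, policy.min_length, len(classes))
    alphabet = "".join(gen for _, gen in classes) or string.ascii_letters + string.digits
    # One guaranteed character per enabled class, the rest from the whole alphabet.
    chars = [secrets.choice(gen) for _, gen in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

With the default settings (all four classes, 12 characters) every generated password passes meets_policy, while a lowercase-only policy produces purely alphabetic output; disabling a class never weakens the length requirement.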

Password Rotation Interval

You can configure how often passwords should be rotated (e.g., every 30, 60, or 90 days).

Figure 163. Password Rotation Interval

Authentication Methods

You can choose whether users authenticate with passwords or private keys when connecting to servers.

Figure 164. Authentication methods

Selection of PAM Targets

You can select the specific PAM targets (both Linux and Windows) to which this password rotation policy should apply.

Figure 165. Selection of PAM targets

Insights

Statistics¹

The Statistics section provides tools for monitoring and analyzing system usage, user activity, and device interactions.

General

The General tab offers an overview of user-related statistics, providing insights into registration statuses, user groups, and invitation progress. You can also filter statistics by tenant.

Figure 166. General statistics overview

User Statistics
  • Registered Users: The total number of registered users in the selected tenant.
  • Invited Users: The number of users who have been invited but have not yet registered.
User Group Statistics
  • System User Groups: Groups associated with built-in system roles.
  • Non-System User Groups: Custom user groups created by administrators.
Invitation Statistics

This section provides an overview of the current status of user invitations.

PAM Target Statistics

This section shows statistics for different PAM target types (RDP, SSH, VNC).

Devices

This section provides an overview of device-related statistics, including phone tokens and their distribution across different platforms.

Figure 167. Device statistics overview

Actions

This section provides an overview of user actions, such as registrations, authentications, and authorizations. It offers visibility into different action types, their statuses, and trends over time.

Figure 168. Actions statistics overview

Settings

This section allows you to manage essential application settings for Email, System, and Maps.

Settings - E-mail

This section is where you manage your email configurations, which are essential for sending emails from the application. You can create, edit, activate, and delete configurations.

image

Figure 169. E-mail Settings overview

You can configure email using SMTP or a service like Microsoft Exchange or Gmail (using OAuth2).

image

Figure 170. Click the plus button to add a new E-mail Configuration

image

Figure 171. Two options for E-mail configuration: SMTP or Exchange Online

Info

  • The first configuration is automatically set as active.
  • Additional configurations are not automatically activated if at least one existing configuration is already active.
  • Each row displays an icon for quick configuration recognition, with a tooltip appearing on hover for additional details.

SMTP

Add an SMTP configuration

To create a new SMTP configuration, click the plus button and select Add SMTP Configuration.

image

Figure 172. Fill in the SMTP configuration details

image

Figure 173. Fill in the E-mail verification details and verify to finalize the SMTP configuration

Add Exchange Online Configuration (Microsoft Graph API)

To create a new Exchange Online configuration, click the plus button, select Add Exchange Online Configuration, and fill in the required details.

image

Figure 174. Exchange Online Configuration details overview

Then, enter an email address for verification to finalize the configuration.

image

Figure 175. Fill in the email for verification

Settings - Identity Stores

This section is the central hub for managing Identity Stores, which securely store user identities and credentials. You can add, edit, or remove Identity Stores as needed.

This section is only available to Administrators.

image

Figure 176. Identity Stores overview

The list of identity stores displays their overall connection status. You can expand each entry to see detailed information about its configuration.

image

Figure 177. Identity Store: Expanded view of one Identity Store

Create a New Identity Store

image

Figure 178. Click the plus button to create a new Identity Store

image

Figure 179. Fill in the Identity Store details

You can set up multiple configurations for a single identity store either during the initial setup or directly from the Dashboard. These configurations are checked regularly, and the system will automatically switch to a working one if another becomes unavailable.

image

Figure 180. Click ADD to add configurations

image

Figure 181. Fill in the configuration details

Manage Configurations

You can add, edit, duplicate, or delete configurations. Connection tests are performed before saving to ensure everything works correctly.

image

Figure 182. Identity Store: Multiple configurations

Settings - OAuth Clients

This section is where you manage OAuth Clients, which are used for secure delegated access to server resources for external integrations.

This section is only available to System Administrators.

Overview

image

Figure 183. OAuth Clients overview

Details

Click on an OAuth client to see its details.

image

Figure 184. OAuth Clients: Detailed information about a specific OAuth Client

Create a New OAuth Client

image

Figure 185. Click the plus button to create a new OAuth Client

General Information

image

Figure 186. Fill in the OAuth Client details

Permissions
User Permissions

image

Figure 187. User permissions

PAM Permissions

image

Figure 188. PAM permissions

Identity Store Permissions

image

Figure 189. Identity Store permissions

Tenant Permissions

image

Figure 190. Tenant permissions

Network Policy Permissions

image

Figure 191. Network Policy permissions

Settings - System

In this section, you can modify system-wide settings, including server configurations, expiration times, and map settings.

Server Settings

image

Figure 192. Server settings

Expiration Times

image

Figure 193. Configure expiration times for QR verification email code, SMTP verification email code, and Invitation email

Map Settings

In this section, you can edit map settings and manage the integration with Google Maps.

image

Figure 194. Map settings

Settings - About

This section displays all application services and their versions.

image

Figure 195. About: List of all application services and their version


This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration, and System Administrators, and may change with updates.


  1. System Administrators can view statistics across the entire system and all tenants, while Tenant Administrators can only view statistics for their own tenant.