Administrator Manual¶
Introduction¶
This manual provides an overview of the Excalibur system from an Administrator's perspective. It covers how to configure and manage the system using the Dashboard, the main web interface.
The Registration and Login instructions are the same as for the User role. For complete details, please refer to the User Manual.
To log in as an Administrator, select the Administrator role in the Role switcher, which is located under Preferences in the top-right corner of the Dashboard.
Figure 1. Select Administrator role in Role switcher
Info
The address where the Excalibur Dashboard is available is determined by your system operator. Other web server settings and access to system components are covered in the Installation and Configuration Guide.
Dashboard - Overview¶
Figure 2. Dashboard overview
In the top-right corner, System Administrators will see a tenant switcher, which allows them to move between different tenants. Other users will only see the tenant they are assigned to.
Figure 3. Switching tenants
The navigation side panel provides access to the system's main functionalities. The sections available depend on your user role.
Users with the Administrator role have access to comprehensive tools for managing system operations:
- Management
- Network
- SAML
- Security
- Insights
- Settings
Figure 4. Navigation side panel
The system is designed to ensure that each user has the appropriate level of access, promoting both security and efficiency.
Management¶
Management - Users¶
This section allows Administrators to manage users and user groups within the Excalibur system.
Users¶
This section lists all users in the system, showing details like their name, account, email, groups, and last login time. From here, you can delete users. Clicking on a user shows their general details and Audit Logs.
Figure 5. Management: Users - list of users
Info
Users are sorted by Last Logged In, in descending order, by default.
General Details¶
Figure 6. User - General Details
Audit Logs¶
Figure 7. User - Audit Logs
Filters¶
Clicking Show Filters displays the filtering options for the audit logs.
Figure 8. User - Audit Logs - Filters
Administrators can filter audit logs by:
- Action Scope
Figure 9. Filters - Action Scope
- Action Type
Figure 10. Filter - Action Types
- Resource Type
Figure 11. Filter - Resource Types
- Username
Figure 12. Filter - Usernames
- Date
Figure 13. Filter - Date
Figure 14. Filter - Select Date
- Date Range
Figure 15. Filter - Select Date Range
Export¶
To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.
Figure 16. User - Audit Logs - Export
User Groups¶
This section is where you manage user groups, which help you organize and monitor users.
- Built-in User Groups: The system includes three default user groups: Administrators, Auditors, and Users. These groups cannot be removed or renamed.
- You can create as many additional groups as you need and can freely rename, duplicate, edit, or delete them.
The overview page displays key details for all user groups, such as group names and member counts.
Figure 17. User Groups overview
From here, you can duplicate, edit, delete, and create user groups.
General Details¶
Clicking on a user group displays detailed information, including its user list and assigned security policies.
Figure 18.1. User Groups - General information and user list
Figure 18.2. User Groups - Security policies
Figure 18. User Groups general information
Audit Logs¶
Select a user group and click the Audit Logs tab to view its audit history. You can filter the logs by date, user, and action (create, update, delete) and export them to a CSV file.
Figure 19. User Groups - Audit Logs
Filters¶
Clicking Show Filters displays the filtering options for the audit logs.
Figure 20. User Groups - Audit Logs - Filters
Administrators can filter audit logs by:
- Action Scope
Figure 21. Filters - Action Scope
- Action Type
Figure 22. Filter - Action Types
- Resource Type
Figure 23. Filter - Resource Types
- Username
Figure 24. Filter - Usernames
- Date
Figure 25. Filter - Date
Figure 26. Filter - Select Date
- Date Range
Figure 27. Filter - Select Date Range
Export¶
To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.
Figure 28. User Groups - Audit Logs - Export
Create a New User Group¶
To create a new user group, click the plus button in the bottom-right corner. You can then enter a name and description, and assign security policies to the group.
Figure 29. Create a new user group
Figure 30. Creating a new user group - Fill in the name and description
You can search for specific users and click the plus button in the Action column to add them to the group.
Figure 31. Creating a new user group - Adding users to the user group
You can also select multiple users with the checkboxes and click the Add button to add them all at once.
Figure 32. Creating a new user group - Adding multiple users to the user group
The users you add will appear in the Selected Users section.
Figure 33. Creating a new user group - Selected users
Click the Save button to create the user group.
Edit a User Group¶
To edit a group, click the pencil icon in the Action column. You can update its name and description (except for built-in groups) and add or remove members.
Info
The built-in user groups (Administrators, Auditors, and Users) are created during installation and cannot be deleted. Their names and descriptions cannot be edited.
Figure 34. Edit a user group
Management - Invitations¶
This section lists all user invitations that have been sent.
Figure 35. Dashboard: List of invitations
Invitation Utilities¶
The toolbar above the list provides several options:
Figure 36. Invitation utilities
- Search: Show or hide the search bar.
- Filter: Show or hide the filter options.
- Columns: Choose which columns to show or hide in the list.
- Reinvite Selected Users: Select one or more users and click this button to resend their invitations.
- Delete Selected Users: Select one or more users and click this button to delete their invitations.
- Toggle Density: Change the row height in the list. There are three density levels.
- Toggle Full Screen: View the list of invitations in full-screen mode.
Invitation Status¶
Figure 37. Invitation status
Note
Configuring SMTP is recommended for sending invitation emails directly from the system, but it is optional. If it is not configured, you can still invite users by manually copying and sharing the invitation link.
The Status column shows the current status of an invitation:
- Pending: Waiting to be sent.
- Sent: The email was successfully sent to the user.
- Failed: The email could not be delivered (e.g., due to an invalid email address).
- Blocked: The user entered incorrect credentials three times while trying to register.
Invitation Actions¶
Figure 38. Invitation actions
In the Action column, you can perform the following actions:
- Copy the invitation link to the clipboard.
- Re-invite a user (e.g., if their invitation link has expired).
- Delete an invitation.
Create a New Invitation¶
To create a new invitation, click the "+" button in the bottom-right corner. Then, select the Identity Store where the user is located.
Figure 39. Create a new invitation
Info
Users are sorted by Name in ascending order by default.
Figure 40. Select the Identity Store
On the "Invite User" page, if a user is already registered, their avatar has a green background and a "registered" icon, making existing users easy to identify. Users with a grey icon are not registered.
Figure 41. User already registered
Info
Hovering over the icons displays tooltips that help you quickly identify the registration status.
Invite a New User¶
Figure 42. Select a user and create an invitation
Figure 43. Assign role(s)/user groups to the user
After you send the invitation, a confirmation notification will appear in the bottom-left corner.
Figure 44. Successfully sent invitation
Invite an Invited User¶
If a user has already been invited, a warning message will appear. You can then follow the same steps as when inviting a new user.
Figure 45. User already invited
Invitation - Audit Logs¶
You can access a user's Audit Logs directly from the Invitations page. Clicking on the user's email or the username in the "Invited By" column will take you to their Audit Logs page.
Figure 46. Clickable field to navigate to the corresponding User Audit Logs of the invited user or the invitation creator
Management - Actions¶
Refer to the User Manual.
Management - Authenticators¶
This section allows Administrators to manage authenticators such as Passkeys and Tokens.
Passkeys¶
Passkeys Overview¶
Figure 47. Passkeys overview
You can view a list of all passkeys for users within your tenant, including their names, usage counts, and creation dates. You can also delete any of these passkeys.
Info
Users can manage their own passkeys from their user profile page in the top-right corner.
Passkeys - Audit logs¶
Clicking on a passkey displays its Audit Logs.
Figure 48. Passkeys - Audit Logs
Filters and Export¶
You can apply filters to the audit logs and export them to a CSV file. See User Groups - Audit Logs for more details.
Tokens¶
Tokens General Information¶
Refer to the User Manual for more details.
Tokens - Audit Logs¶
In addition to general information, Administrators can access the audit logs for Tokens. Whenever a token is created, updated, or deleted, the change is automatically recorded. To view the logs, select a token from the list.
Figure 49. Tokens - Audit logs
Filters and Export¶
The Token Audit Logs can be filtered and exported to a CSV file. See User Groups - Audit Logs for more details.
Management - PAM¶
This section allows Administrators to manage all aspects of PAM, including adding and configuring targets, managing groups, reviewing session recordings, and performing full-text searches.
Targets¶
PAM Targets¶
In addition to standard user actions (connecting to and viewing targets), Administrators can also duplicate, edit, and delete PAM targets. They can also add new targets individually or import them from a CSV file.
Figure 50. PAM Targets overview
General Information¶
See the User Manual for more details on general information for PAM targets.
Audit Logs¶
Administrators can view Audit Logs for each PAM target. To access them, click View Target details for the desired target.
Figure 51. PAM: View Target details
Figure 52. PAM: Audit logs
An audit log is also created whenever a user performs any of the following actions:
- Downloads a file
- Downloads a session recording
- Uploads or downloads files within a session
Figure 53. PAM target: Audit logs
You can filter the logs by date, user, and action (create, update, or delete).
Figure 54. PAM: Audit Logs Filters
You can also export the audit logs to a CSV file by clicking the Export button.
Figure 55. PAM: Audit Logs Export
Create a PAM Target¶
To create a PAM target, click the plus button in the bottom-right corner.
Figure 56. Create a new PAM target
Next, select the type of PAM target. RDP, SSH, and VNC targets are supported.
Figure 57. Select the type of PAM target
After filling in the required information, click the save button to create the target.
Add an RDP Target¶
Fill in the necessary information.
Add an SSH Target¶
Add a VNC Target¶
Import PAM Targets via CSV¶
To import PAM targets from a CSV file, click the import button in the bottom-right corner.
Figure 58. Import PAM targets via CSV
You can drag and drop a CSV file or click to select one from your computer.
Figure 59. Click to select CSV file or drag and drop CSV file
For information on the required data format, click the question mark icon.
This will show you the required format and allow you to download a template.
Figure 60. Data format required for importing a CSV file
Info
TunnelID field is supported.
Direct Application Streaming via SAM¶
Overview¶
Excalibur's Streamed Access Management (SAM) feature allows users to access a specific application on a remote server without seeing the entire desktop. The application is streamed directly to their browser in real-time.
Key benefits include:
- Remote Hosting: Applications run on a secure server, not on the user's device.
- No Local Installation: Users only need a web browser to access the application.
- Real-Time Streaming: The application's interface is streamed live to the user.
- On-Demand Execution: Applications are launched only when needed, saving resources.
- End-to-End Protection: All communication is encrypted and secure.
Configuration¶
To stream an application, it must first be configured on the RDP PAM target (for example, using Microsoft RemoteApp). You can then create or edit an RDP PAM target in Excalibur and configure the Remote Application settings.
Figure 61. PAM: Remote Application configuration
- In the Application name field, enter the executable name prefixed with "||". Example: "||Notepad". In this case, connecting to the PAM target will only show the Notepad application.
- In the Working directory field, you can specify a starting directory.
- In the Command line arguments field, you can add arguments (e.g., a file path to open automatically). Example: c:\users\administrator\Documents\demo_file.txt. In this case, connecting to the PAM target will only show the document demo_file.txt opened in Notepad (provided the file exists).
PAM Target Groups¶
You can group PAM targets together to make them easier to manage and assign to users via security policies. This enhances efficiency and allows for more specific access control.
Info
A default group called Default system PAM Target Group is created automatically. This group cannot be deleted or renamed.
Figure 62. PAM Target Groups - Overview
Create a PAM Target Group¶
Figure 63. Create a new PAM target group
Enter a name and description for the group and choose a color for its tag.
Figure 64. Create a new PAM target group - Fill in the name, description, and configure the Tag Color
You can add PAM targets to the group by clicking the plus button next to each target.
Figure 65. Add a PAM target to the PAM target group
You can also select multiple targets using the checkboxes and click the Add button.
Figure 66. Add multiple PAM targets to the PAM target group
The selected targets will be displayed in the Selected PAM Targets section.
Figure 67. List of Selected PAM targets
Click the Save button to create the group.
Edit a PAM Target Group¶
To edit a group, click the pencil icon in the Action column. You can update its name, description, and members.
Info
The Default system PAM Target Group is created during installation and cannot be deleted. Its name, description, and color tag cannot be edited.
PAM Target Group - Audit logs¶
Administrators can view the Audit Logs for PAM Target Groups to track all changes and activities.
Figure 68. PAM Target Group - Audit logs
Sessions¶
The PAM Sessions page includes Sessions and Full-text search functionalities. Administrators can access all sessions in the system, while users can only access their own. Tenant Administrators can access all sessions within their tenant.
Refer to the User Manual for more details.
Sessions¶
Figure 69. PAM Sessions overview
The PAM Sessions page is a central place to manage and review all session recordings. This provides comprehensive oversight of user interactions with critical systems, which is crucial for maintaining security and compliance.
Each entry provides details about the session, with options to play or download the recording, download the session transcript, or view associated file transfers.
The Sessions tab lists all active and past PAM sessions. By default, all PAM sessions are logged.
Full-Text Search¶
The Full-Text Search feature allows you to find specific text or commands within any recorded session.
Search results are displayed in a table. You can view details about each occurrence or play the corresponding session recording to see the full context. This helps you quickly find relevant information and analyze specific scenarios.
Management - Tenants¶
This section provides an overview of all tenants in the system and allows you to create new ones. You can use the search field to find specific tenants or switch to a different tenant directly from this menu.
This section is only available to System Administrators.
Tenant List¶
From this page, you can manage all tenants. System Administrators can edit or delete existing tenants as needed.
Figure 70. Tenants list
Create a New Tenant¶
To create a new tenant, click the "+" button in the bottom-right corner. Here you can enter the tenant's general information, such as its name, alias, description, and network addresses.
Figure 71. Create a new tenant
Tenant Details¶
Clicking on a tenant displays its details, which are organized into several tabs.
- General: Basic information about the tenant, its User Group list, and Cluster Status.
Figure 72. General information
- Identity Store: Lists all identity stores associated with the tenant. You can create a new identity store or delete an existing one.
Figure 73. Identity store
- Users: Lists all users associated with the tenant. You can delete existing users from here.
Figure 74. Users
- Invitations: Displays all invitations sent under the tenant. You can copy an invitation link, resend an invitation, or delete it. You can also create a new invitation from this tab.
Figure 75. Invitations
Figure 76. Clicking the "+" button in the bottom-right corner to add a new invitation.
Figure 77. Select identity store
Figure 78. Clicking the invitation button
Figure 79. Selecting the user role: User, Auditor, or Administrator
Figure 80. Invitation successfully sent
- Network: Lists all network addresses associated with the tenant. You can add new network addresses or import them from a file.
Figure 81. Network
Network¶
Network - Tunnels¶
Tunnels Overview¶
The Excalibur Tunnel Client is a component that creates a secure connection from your company's local network to the Excalibur Cloud. This allows users to access resources on your local network (like servers or applications) through the Excalibur Dashboard, even if the Dashboard is hosted in the cloud.
It establishes a secure and reliable connection using mutual TLS (mTLS) for both authentication and encryption, ensuring your data remains protected.
- Enhanced Security: Provides a secure, encrypted communication channel for privileged access.
- Flexibility: Can be deployed in VMs or on local machines.
- Simplified Management: Integrates smoothly with PAM for centralized access management.
- Hybrid Compatibility: Bridges the gap between on-premise and cloud-based systems.
- Cross-Platform: Available for Debian/Ubuntu, Red Hat/CentOS, other Linux distributions, and Windows.
Figure 82. Tunnel overview in Dashboard
More details about the Excalibur Tunnel Client are available on GitHub.
After installing the client, you can run the command sudo excalibur-tunnel -h to see all available commands.
Figure 83. Excalibur-tunnel client application help menu
Create a Tunnel in Dashboard¶
To create a new tunnel, click the plus button in the bottom-right corner.
Figure 84. Create a new tunnel
Enter a name and description for the tunnel, then click the save button.
Figure 85. Fill in new tunnel information
Establish a Tunnel Connection with the Excalibur Tunnel Client¶
After creating a tunnel in the Dashboard, click on its name to see the setup instructions.
Figure 86. Click a tunnel name to view the commands to establish a connection
There are four main steps:
- Download the Tunnel Package
- Install the excalibur-tunnel client application
- Activate the tunnel
- Verify the tunnel status
Figure 87. Overview of Tunnel setup
First, download and install the Excalibur Tunnel client on a machine in your local network that can access the PAM resources you want to share. Be sure to select the correct operating system.
Figure 88. Select the operating system to install the Excalibur Tunnel Client
For Debian and Red Hat-based systems, you can run the commands provided in the Tunnel Setup section.
Figure 89. Tunnel Setup for Debian-based systems
Figure 90. Tunnel Setup for Red Hat-based systems
For Windows, you can download the installer through the browser or via the command line.
Figure 91. Tunnel Setup for Windows systems - Download the installer using GUI
Figure 92. Tunnel Setup for Windows systems - Download and install the tunnel via command line
After installing the tunnel client on Windows, you can activate the tunnel using CMD or PowerShell.
Figure 93. Tunnel Setup for Windows systems - Activate the tunnel via command line
Excalibur Tunnel Client - Proxy Configuration¶
The Excalibur Tunnel Client supports proxy configurations, which is useful for environments where internet access is restricted. This feature routes all connections through a specified proxy server.
Run the command sudo excalibur-tunnel setup to configure the proxy settings.
Figure 94. Excalibur Tunnel Client - Proxy settings
You can also select different log levels, such as debug, info, warning, error, and fatal.
Figure 95. Excalibur Tunnel Client - Select Log Level
Click the Save button to save the settings.
Info
The Windows installer includes log rotation. Logs are compressed every 50MB, and logs older than 7 days are deleted.
Connect to a PAM Target via the Tunnel¶
Go to PAM targets, then create or edit a PAM target. In the Network details section, select the tunnel you created.
Figure 96. Select the tunnel name in a PAM target
Afterward, you will see the PAM target listed in the tunnel's description.
Figure 97. PAM target in the tunnel description
You can connect to SSH, RDP, and VNC PAM targets through the tunnel.
Connect to an Identity Store via the tunnel¶
Connection to Identity Stores via the tunnel is supported with full configuration and monitoring capabilities.
Go to Identity Stores and create or edit an existing Identity Store. Then add (or edit) a configuration of that Identity Store.
Figure 98. Add or edit a configuration of an Identity Store
In the configuration page, select the tunnel and configure the parameters such as host name, port, and protocol.
Figure 99. Configure the Identity Store settings with tunnel
Once connected, the connection status is logged.
Figure 100. Connection status of Identity Store via Tunnel
Alerts are generated for failures or timeouts.
Figure 101. Alerts for Identity Store connection issues
In the Tunnel page, you will see the Identity Store listed under the Assigned Identity Store Configurations section.
Figure 102. Identity Store in Tunnel page
Tunnel Audit Logs¶
To view a tunnel's audit logs, click on the tunnel and select the Audit Logs tab.
Figure 103. Tunnel Audit logs
SAML¶
Excalibur supports SAML integration, which allows for secure authentication through enterprise identity providers. SAML (Security Assertion Markup Language) is a standard for Single Sign-On (SSO). It lets users log in once to access multiple applications without needing to log in again for each one. It works by passing authentication information from an Identity Provider (IdP) to a Service Provider (SP).
SAML - Service Providers¶
Service Providers¶
The Service Providers screen lists all configured Service Providers (SPs) that use Excalibur for SAML-based authentication. From here, you can create, edit, and delete SPs.
Figure 104. Service Providers overview
Add a New Service Provider¶
Figure 105. Click the plus button to add a new Service Provider
Figure 106. Fill in new Service Provider information
General Information
- Name: Enter a clear, descriptive name for the Service Provider (e.g., Grafana Cloud).
- Description (Optional): Add any notes to help other admins understand its purpose.
- Enabled Toggle: Enable the SP immediately or leave it disabled to finish setup later.
- Initiated Login: Enable this to allow users to log in to this SP directly from the Excalibur interface.
Metadata Configuration
You have two options for configuring the SP's metadata:
- Option 1: Fill in Metadata URL. Enter the Metadata URL provided by the SP. This is a direct link to the SP's metadata file (usually ending in .xml).
Figure 107. Fill in Metadata URL
- Option 2: Upload XML Metadata. Upload a metadata file (.xml) provided by the SP.
Figure 108. Upload XML Metadata
Login to a Service Provider¶
Users can log in directly to service providers from the interface.
Figure 109. Click the login button to log in to a Service Provider
If login isn't available for a service provider, a message will explain why.
Figure 110. Login not available for this Service Provider
Info
Users can also authenticate to SAML applications using passkeys.
Edit Service Provider¶
Figure 111. Click the pencil icon to edit a Service Provider
Figure 112. Edit the Service Provider as when creating a new one
Service Provider Groups¶
You can organize Service Providers into groups for easier policy management. This allows you to apply settings to an entire group at once instead of configuring each SP individually.
Figure 113. Service Provider Group overview
Create Service Provider Group¶
Figure 114. Click the plus button to create a service provider group
Enter a name and description for the group, then select the Service Providers to add to it.
Figure 115. Add a Service Provider to the group
You can select multiple Service Providers using the checkboxes and click the Add button.
Figure 116. Add multiple Service Providers to the group
The selected SPs will appear in the Selected Service Providers section.
Figure 117. List of Selected Service Providers
Click the Save button to create the group.
Edit Service Provider Groups¶
To edit a group, click the pencil icon in the Actions column. You can update its name, description, and members.
Figure 118. Edit Service Provider Group
SAML - Identity Provider¶
Figure 119. Identity Provider overview
This section provides the URLs and certificate required to configure your service providers.
- Entity ID: The unique identifier for the Identity Provider.
- URL (Metadata URL): The endpoint where SPs can retrieve the IdP metadata. You can copy the URL, copy the full metadata content, or download it as an XML file.
- Certificate: The certificate used to digitally sign SAML assertions. You can renew, copy, or download the certificate. You can also generate a new signing certificate or upload your own.
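As an added example (not Excalibur's own code), the following Python script shows what to verify in a SAML metadata document before uploading SP metadata (Option 2 in the Service Provider section) or handing the IdP metadata above to a Service Provider: the entity ID, the endpoints, the presence of a signing certificate, and any endpoint that is not served over HTTPS. The sample SP metadata, its hostnames and the certificate placeholder are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (hypothetical hostnames); the certificate body
# is a placeholder string, not a real X.509 certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://grafana.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://grafana.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://grafana-legacy.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_saml_metadata(xml_text):
    """Parse SP or IdP metadata and return what an admin should check before
    trusting it: entity ID, role, endpoints, signing certificate count, warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": [], "signing_certs": 0, "warnings": []}

    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        info["role"] = "SP"
        descriptor, endpoint_tag = sp, "md:AssertionConsumerService"
        # The IdP signs assertions regardless; an SP that does not demand it
        # is still worth flagging when reviewing its metadata.
        if sp.get("WantAssertionsSigned", "false").lower() != "true":
            info["warnings"].append("SP does not declare WantAssertionsSigned=true")
    elif idp is not None:
        info["role"] = "IdP"
        descriptor, endpoint_tag = idp, "md:SingleSignOnService"
    else:
        raise ValueError("neither SPSSODescriptor nor IDPSSODescriptor present")

    # Endpoints the other side will POST/redirect to: these must be HTTPS.
    for ep in descriptor.findall(endpoint_tag, NS):
        info["endpoints"].append((ep.get("Binding"), ep.get("Location")))

    # Count signing certificates. A KeyDescriptor without a 'use' attribute
    # is valid for both signing and encryption, so treat it as signing too.
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if "signing" in kd.get("use", "signing encryption"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                info["signing_certs"] += 1

    if not info["entity_id"]:
        info["warnings"].append("missing entityID")
    if info["signing_certs"] == 0:
        info["warnings"].append("no signing certificate in metadata")
    for _, location in info["endpoints"]:
        if not (location or "").lower().startswith("https://"):
            info["warnings"].append("endpoint is not https: %s" % location)
    return info


if __name__ == "__main__":
    for key, value in inspect_saml_metadata(SAMPLE_SP_METADATA).items():
        print(key, value)
```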
Security¶
This section contains settings related to system security. The options available depend on your role (System Administrator or Tenant Administrator).
Security - Geofences¶
A Geofence is a virtual boundary around a specific geographical area. Here, you can create new Geofences, edit existing ones, and organize them into groups.
Geofences¶
Overview¶
Figure 120. Geofences overview
Info
The measurement unit of radius in geofences is meters.
The Geofences page allows you to manage all geographical boundaries. If a valid Google API key is provided, a map will be displayed to help you visualize the geofences.
Create a New Geofence¶
To create a new Geofence, click the plus button in the bottom-right corner.
Figure 121. Click the plus button to create a new Geofence
Figure 122. Create Geofence page
Enter a name and select the Geofence Groups it should belong to.
Figure 123. Select Geofence Groups
You can type an address in the Search address field, and the system will automatically fill in the latitude and longitude. You can also enter these values manually.
Figure 124. Search address field
On the right, you can toggle Display all Geofence to see all existing geofences on the map.
Figure 125. Display all Geofence toggle
After filling in the information, click the save button.
Edit/Delete a Geofence¶
You can edit or delete existing geofences from the actions menu in the list.
Figure 126. Edit or delete a geofence
Geofence Audit Logs¶
To view the audit logs for a geofence, click View Geofence Details in the Actions column.
Figure 127. Geofence Audit logs
Geofence Groups¶
From this page, you can manage all Geofence Groups. You can view, edit, remove, and create new groups.
Figure 128. Geofence Groups overview
Create Geofence Group¶
Figure 129. Click the plus button to create a new Geofence Group
Figure 130. Fill in the name and description of the Geofence Group
Click the save button to create the group.
Edit Geofence Group¶
Click the edit button to modify a group's name and description.
Figure 131. Edit Geofence Group
Geofence Group Audit Logs¶
Clicking on a Geofence Group displays its audit logs.
Figure 132. Geofence Group Audit logs
Security - Security Policies¶
This section is where you manage Security Policies and Rule Sets, which control access between User Groups and PAM Target Groups. You can define policies that specify which users are authorized to access which resources.
Security Policies¶
Overview¶
- A Security Policy defines access rules. It includes a name, description, target type (e.g., Dashboard, PAM), action type, a list of user groups, and a list of rule sets. Depending on the action and target type, a security policy may relate to the Dashboard, SAML Service Provider Groups, or PAM Target Groups.
- Evaluation Logic: For access to be granted, a user must meet all the conditions of at least one complete rule set within a policy.
- Policy Management: Policies can be created, modified, copied, or deleted. System Administrators can manage all policies, while Tenant Administrators can only manage policies within their tenant.
Figure 133. Security Policies overview
The system includes four default security policies that can be modified but not deleted.
- Default registration security policy
- Default authentication security policy
- Default authorization security policy
- Default SAML authentication security policy
When you edit a default policy, a warning will appear to confirm the action.
Figure 134. Warning when editing default security policies
Registration Type¶
Figure 135. Security Policies: Registration type
Definition¶
- A registration security policy defines the rules a user must meet during the registration process. This policy is always tied to the Dashboard as its target and includes mappings to user groups and rule sets. Every registration policy must have at least one user group assigned to it.
- In the system scope, a default registration policy is automatically created during database initialization. It includes all three default user roles, has no time or date restrictions, uses the default rule set, and can be edited by authorized users but not deleted.
- Administrators can also create or copy custom registration policies in the system scope. From the system-level tenant detail view, they can also manage tenant-specific registration policies, similar to how tenant Active Directories are managed.
- In the tenant scope, a default registration policy is created when the tenant is created and removed if the tenant is deleted. It mirrors the system default but links to the tenant’s default user groups and can be deleted if needed.
Validation¶
- During the registration process, the system uses the tenant ID and user ID from the QR code to select the relevant registration security policies and their associated rule sets. If at least one complete set of rules within a policy is successfully validated, the user is authorized to register. If no rule sets pass validation, registration is denied, and the system records which rules prevented it.
- Additionally, the system keeps track of the rules that were successfully completed. The registration action details will show the policies used to validate the user and the results of those validations.
- Note: Since rule sets with the same name may exist in both the system and tenant scope, the system clearly indicates which scope each rule set belongs to, ensuring transparency.
Authentication Type¶
Figure 136. Security Policies: Authentication type
Definition¶
- An authentication security policy defines the rules users must follow during login. There are two types: one for Dashboard access and another for SAML Service Provider authentication via the Excalibur SAML IdP. Both support login using tokens (QR codes) or passkeys. Dashboard policies require at least one user group, while SAML policies require at least one user group and one SAML service provider group.
- In the system scope, default Dashboard and SAML authentication policies are created automatically during setup. These include all default user groups, have no time restrictions, and use the default rule sets. Authorized users can edit these policies but cannot delete them.
- Tenant-level authentication policies are managed similarly. When a tenant is created, default Dashboard and SAML policies are set up with tenant-specific groups and can be edited or deleted. Tenant Administrators can also create their own policies and use system-defined rule sets within the tenant scope.
- For emergency access, a rescue authentication policy can be created only by System Administrators via the command line. This policy has no restrictions, is used solely for emergency logins, and deletes itself after a successful login. Tenant scopes do not have a rescue policy, but tenant policies can be managed directly by System Administrators.
Validation¶
- The validation process varies depending on the target type. For SAML authentication, security policies are selected based on the tenant ID, user ID, user groups, and SAML Service Provider groups. For the Dashboard target, policies are selected based solely on user groups.
- The system validates the selected security policies and their related rule sets. If at least one complete rule set passes validation, the user is authorized to authenticate. If no rule sets pass, access is denied, and the system records which rules prevented authentication.
- The action details display the policies used to validate the user during registration and the outcomes of each validation.
Authorization Type¶
Figure 137. Security Policies: Authorization type
Definition¶
- An authorization security policy defines the rules a user must follow during the PAM authorization process. It targets PAM and requires at least one PAM target group, one user group, and one rule set to be assigned. Users can authorize by scanning a QR code or using their passkey.
- In the system scope, a default authorization policy is created during system setup. This policy has no time limits and links to the three default user groups, a default PAM target group, and a default rule set. While it can be edited, it cannot be deleted.
- System Administrators manage tenant authorization policies through the tenant’s Security Policies tab. When a tenant is created, a default authorization policy is also created for that tenant and is deleted when the tenant is removed. This tenant-specific default policy connects to the tenant’s default user groups, PAM target group, and rule set, and can be edited but not deleted.
- Tenant Administrators can create, edit, delete, or copy their own authorization policies, which must include at least one PAM target group, one user group, and one rule set. Rule sets defined at the system level are also available within the tenant scope, allowing tenant admins to use or copy them for their policies.
Validation¶
- When a user initiates access using a QR code or passkey, the system checks their identity and group membership to determine which authorization policies apply. Based on these policies, it evaluates the necessary security rules. If at least one complete set of rules is successfully validated, the user is authorized, and a PAM session is created. If no rules are fully met, access is denied, and the system logs which rules were attempted and which ones failed.
- The system also records any rules that were successfully completed. For added efficiency, if the user already passed certain rules during the login process, those validations are reused and not repeated during authorization.
- The user’s access details clearly show which policies were applied and the results of each validation, ensuring transparency and easier troubleshooting.
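The validation logic described for the registration, authentication and authorization types is the same shape: a rule set passes only when all of its rules pass, the user is authorized when at least one complete rule set of an applicable policy passes, every rule result is recorded, and results already obtained at login are reused at authorization. The following is an added illustration of that evaluation, not Excalibur's own code; the rule names, the context fields and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Rule = Callable[[dict], bool]  # a rule inspects the request context and passes or fails

@dataclass
class RuleSet:
    name: str
    scope: str              # "system" or "tenant"; both scopes may hold a set of the same name
    rules: Dict[str, Rule]  # every rule must pass for the set to pass

@dataclass
class Policy:
    user_groups: Set[str]   # the policy applies when the user is in any of these groups
    rule_sets: List[RuleSet]

@dataclass
class Decision:
    authorized: bool
    results: Dict[str, bool] = field(default_factory=dict)  # "scope/set/rule" -> passed
    matched_rule_set: Optional[str] = None

def evaluate(policies: List[Policy], context: dict,
             reuse: Optional[Dict[str, bool]] = None) -> Decision:
    """OR across rule sets, AND within a rule set. `reuse` carries results
    already obtained at login so the same rules are not re-validated."""
    known = dict(reuse or {})
    decision = Decision(False)
    for policy in policies:
        if not policy.user_groups & set(context["groups"]):
            continue  # policy does not apply to this user
        for rs in policy.rule_sets:
            keys = [f"{rs.scope}/{rs.name}/{r}" for r in rs.rules]
            for key, rule in zip(keys, rs.rules.values()):
                if key not in known:
                    known[key] = rule(context)
                decision.results[key] = known[key]  # record passes and failures
            if all(decision.results[k] for k in keys):
                decision.authorized = True
                decision.matched_rule_set = f"{rs.scope}/{rs.name}"
                return decision
    return decision  # no complete rule set passed; results shows what blocked it

# Constructed sample: a tenant policy with an office rule set (time + IP range)
# and the reusable system default set, which here checks only device integrity.
SAMPLE_POLICIES = [Policy({"users"}, [
    RuleSet("office", "tenant", {"time": lambda c: 8 <= c["hour"] < 18,
                                 "ip": lambda c: c["ip"].startswith("10.20.")}),
    RuleSet("default", "system", {"integrity": lambda c: c["integrity_ok"]}),
])]

def decide(context: dict, reuse: Optional[Dict[str, bool]] = None) -> Decision:
    return evaluate(SAMPLE_POLICIES, context, reuse)
```

The `results` map is what an administrator reads in the action details: it names the rules that passed and the ones that prevented access, prefixed with the scope of their rule set.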
Security Policy Audit Logs¶
Clicking on a security policy displays its audit logs.
Figure 138. Security Policy Audit logs
Rule Sets¶
Overview¶
Rule Sets define a collection of authentication rules and conditions that can be assigned to Security Policies.
Each rule set includes a required name, an optional description, configuration of authentication factors such as PIN & biometry, an option to allow passkey usage, and additional conditions, including Time range, IP range, Geolocations and Geolocation Groups, Phone status, and Device integrity check.
Rule Set Management: Rule Sets can be created, modified, copied, or deleted by users with the appropriate permissions.
- System-scope administrators can manage all rule sets.
- Tenant-scope administrators can manage only rule sets created in their tenant.
- System-scope Rule Sets are visible in the tenant scope in read-only mode and can be reused in tenant policies.
Default Rule Sets can be modified or copied, but not deleted:
- Default registration rule set
- Default authentication rule set
- Default authorization rule set
- Default SAML authentication rule set
Figure 139. Rule Sets overview
Default geofences / geofence groups are pre-configured for the global regions of Europe and the Middle East, North America, South America, Africa, Asia, and Australia. Each region's time zones are mapped to a corresponding default geofence object. When a user selects a time zone during the setup process, the appropriate default geofence or geofence group is automatically mapped to the default rule set.
Create a New Rule Set¶
Figure 140. Click the plus button to create a new Rule Set
Figure 141. Fill in the name and description of the Rule Set
Rule Sets can include rules for:
- Passkey authentication
- Time
- Factors
- Geofences
- Phone Connection
- IP Address
Figure 142. Rule Set list
Passkeys¶
Enable this to allow users to authenticate with a passkey (fingerprint, face, or device PIN) instead of the mobile app token.
Figure 143. Enable Passkey authentication
Time¶
Figure 144. Time rule
Factors¶
Figure 145. Factors rule
Geofences¶
Figure 146. Geofences rule
Phone Connection¶
Figure 147. Select type: Status or Integrity check
Figure 148. Status
Figure 149. Online or Offline status
Figure 150. Integrity check
IP Address¶
Figure 151. IP Address rule: select IP or IP range
Figure 152. Select IP Address
Figure 153. Select IP Address range
Rule Set Audit Logs¶
Clicking on a rule set displays its audit logs.
Figure 154. Rule Set Audit logs
Security - Network Policy¶
This section allows you to define which network addresses are allowed to connect to the system.
By default, if no network policies are defined, the system will allow connections from all networks. As soon as you create a network policy, the system will only allow connections from the networks specified in the list.
Figure 155. Network Policies overview
Create a New Network Policy¶
Figure 156. Click the Add button to create a new Network Policy
Figure 157. Fill in the Network Address, click the Save button in the Actions column, and click the Save button in the lower-right corner
Import Network Policies¶
Figure 158. Click the Import button to import Network Policies
Figure 159. Select the file to import Network Policies
You can import a text file with a list of network addresses, one per line.
Figure 160. After importing a file, the content is automatically displayed in the box below
Click Confirm to import the network addresses, then click the Save button.
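To see what the import format and the allow-list semantics amount to, here is an added example (not Excalibur's own code) that reads a network-policy file with one address per line, validates every entry, and checks a connecting client address against the list, allowing everything when no policy is defined. The comment syntax and the strict rejection of host bits in a prefix are assumptions of this illustration.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample import file: one network address per line.
SAMPLE_IMPORT_FILE = """\
# office LAN, a single bastion host and the IPv6 documentation prefix
10.20.0.0/16
192.0.2.10
2001:db8::/32
"""

def parse_network_policies(text: str) -> List[Network]:
    """Validate every line; a bare address becomes a /32 or /128 host network.
    Fails on the first malformed line so a typo cannot silently widen or
    narrow the allow-list (strict=True rejects e.g. 10.20.0.1/16)."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno} ({raw!r}): {exc}") from None
    return networks

def is_allowed(client_ip: str, networks: List[Network]) -> bool:
    """No network policy defined means all networks are allowed."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```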
Security - Password Rotation Policy¶
Overview¶
Excalibur PAM allows you to configure automated password rotation for user accounts on PAM targets. You can schedule password changes at customizable intervals, from a minimum of 1 hour to a maximum of 1 year.
Automated password changes are currently implemented over SSH connections; thus, native support is limited to the SSH PAM protocol. For non-SSH targets such as RDP and VNC PAM, automated password rotation can be achieved by deploying an SSH server on those targets and then applying the password rotation policy accordingly.
Info
The SSH server feature is a built-in functionality in modern Windows servers and desktops that does not require any 3rd-party component:
- Windows 10 (version 1809 and later) – Optional feature: You can install it via Settings → Apps → Optional Features or using PowerShell (Add-WindowsCapability).
- Windows 11 – Pre-installed as an optional feature (can still be enabled via Settings or PowerShell).
- Windows Server 2019 – OpenSSH is included as an optional feature (but not installed by default).
- Windows Server 2022 – Available as an optional feature.
- Windows 8.1, 8, 7, Windows Server 2016 and earlier: Can be installed manually as a 3rd-party service.
Figure 161. Password Rotation Policy overview
Complexity Requirements¶
You can configure the following password complexity settings based on your organization's requirements:
Figure 162. Complexity requirements
- Lowercase letters: Option to require at least one lowercase letter (a-z).
- Uppercase letters: Option to require at least one uppercase letter (A-Z).
- Special characters: Option to require at least one special character (e.g., !, @, #, $, etc.).
- Numbers: Option to require at least one numeric digit (0-9).
- Password Length: Option to enforce a minimum password length (e.g., 12 characters).
These complexity settings can be enabled or disabled individually, offering flexibility in aligning with internal policies or compliance regulations.
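As an added illustration (not Excalibur's own code) of what these switches mean for a rotated credential, the block below models the five settings as a policy, reports which enabled requirements a candidate password fails, and generates a password that satisfies every enabled requirement using a CSPRNG. The special-character set is an assumption.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List

SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed special-character set

@dataclass(frozen=True)
class ComplexityPolicy:
    """The complexity switches of a rotation policy; each can be toggled."""
    lowercase: bool = True
    uppercase: bool = True
    special: bool = True
    numbers: bool = True
    min_length: int = 12

def violations(password: str, policy: ComplexityPolicy) -> List[str]:
    """Names of the enabled requirements the password fails (empty = compliant)."""
    def lacks(chars: str) -> bool:
        return not any(c in chars for c in password)
    checks = {
        "lowercase": policy.lowercase and lacks(string.ascii_lowercase),
        "uppercase": policy.uppercase and lacks(string.ascii_uppercase),
        "special": policy.special and lacks(SPECIALS),
        "numbers": policy.numbers and lacks(string.digits),
        "min_length": len(password) < policy.min_length,
    }
    return [name for name, failed in checks.items() if failed]

def generate_password(policy: ComplexityPolicy, length: int = 0) -> str:
    """Draw one character from every enabled class, fill the rest from their
    union, then shuffle so required characters do not sit at fixed positions."""
    length = max(length, policy.min_length)  # never shorter than the policy minimum
    classes = [cls for enabled, cls in (
        (policy.lowercase, string.ascii_lowercase),
        (policy.uppercase, string.ascii_uppercase),
        (policy.special, SPECIALS),
        (policy.numbers, string.digits),
    ) if enabled]
    if not classes:
        raise ValueError("at least one character class must be enabled")
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```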
Password Rotation Interval¶
You can configure how often passwords should be rotated (e.g., every 30, 60, or 90 days).
Figure 163. Password Rotation Interval
Authentication Methods¶
You can choose whether users authenticate with passwords or private keys when connecting to servers.
Figure 164. Authentication methods
Selection of PAM Targets¶
You can select the specific PAM targets (both Linux and Windows) to which this password rotation policy should apply.
Figure 165. Selection of PAM targets
Insights¶
Statistics¹¶
The Statistics section provides tools for monitoring and analyzing system usage, user activity, and device interactions.
General¶
The General tab offers an overview of user-related statistics, providing insights into registration statuses, user groups, and invitation progress. You can also filter statistics by tenant.
Figure 166. General statistics overview
User Statistics¶
- Registered Users: The total number of registered users in the selected tenant.
- Invited Users: The number of users who have been invited but have not yet registered.
User Group Statistics¶
- System User Groups: Groups associated with built-in system roles.
- Non-System User Groups: Custom user groups created by administrators.
Invitation Statistics¶
This section provides an overview of the current status of user invitations.
PAM Target Statistics¶
This section shows statistics for different PAM target types (RDP, SSH, VNC).
Devices¶
This section provides an overview of device-related statistics, including phone tokens and their distribution across different platforms.
Figure 167. Device statistics overview
Actions¶
This section provides an overview of user actions, such as registrations, authentications, and authorizations. It offers visibility into different action types, their statuses, and trends over time.
Figure 168. Actions statistics overview
Settings¶
This section allows you to manage essential application settings for Email, System, and Maps.
Settings - E-mail¶
This section is where you manage your email configurations, which are essential for sending emails from the application. You can create, edit, activate, and delete configurations.
Figure 169. E-mail Settings overview
You can configure email using SMTP or a service like Microsoft Exchange or Gmail (using OAuth2).
Figure 170. Click the plus button to add a new E-mail Configuration
Figure 171. Two options for E-mail configuration: SMTP or Exchange Online
Info
- The first configuration is automatically set as active.
- Additional configurations are not automatically activated if at least one existing configuration is already active.
- Each row displays an icon for quick configuration recognition, with a tooltip appearing on hover for additional details.
SMTP¶
Add an SMTP configuration¶
To create a new SMTP configuration, click the plus button and select Add SMTP Configuration.
Figure 172. Fill in the SMTP configuration details
Figure 173. Fill in the E-mail verification details and verify to finalize the SMTP configuration
Add Exchange Online Configuration (Microsoft Graph API)¶
To create a new Exchange Online configuration, click the plus button, select Add Exchange Online Configuration, and fill in the required details.
Figure 174. Exchange Online Configuration details overview
Then, enter an email address for verification to finalize the configuration.
Figure 175. Fill in the email for verification
Settings - Identity Stores¶
This section is the central hub for managing Identity Stores, which securely store user identities and credentials. You can add, edit, or remove Identity Stores as needed.
This section is only available to Administrators.
Figure 176. Identity Stores overview
The list of identity stores displays their overall connection status. You can expand each entry to see detailed information about its configuration.
Figure 177. Identity Store: Expanded view of one Identity Store
Create a New Identity Store¶
Figure 178. Click the plus button to create a new Identity Store
Figure 179. Fill in the Identity Store details
You can set up multiple configurations for a single identity store either during the initial setup or directly from the Dashboard. These configurations are checked regularly, and the system will automatically switch to a working one if another becomes unavailable.
Figure 180. Click ADD to add configurations
Figure 181. Fill in the configuration details
Manage Configurations¶
You can add, edit, duplicate, or delete configurations. Connection tests are performed before saving to ensure everything works correctly.
Figure 182. Identity Store: Multiple configurations
Settings - OAuth Clients¶
This section is where you manage OAuth Clients, which are used for secure delegated access to server resources for external integrations.
This section is only available to System Administrators.
Overview¶
Figure 183. OAuth Clients overview
Details¶
Click on an OAuth client to see its details.
Figure 184. OAuth Clients: Detailed information about a specific OAuth Client
Create a New OAuth Client¶
Figure 185. Click the plus button to create a new OAuth Client
General Information¶
Figure 186. Fill in the OAuth Client details
Permissions¶
User Permissions¶
Figure 187. User permissions
PAM Permissions¶
Figure 188. PAM permissions
Identity Store Permissions¶
Figure 189. Identity Store permissions
Tenant Permissions¶
Figure 190. Tenant permissions
Network Policy Permissions¶
Figure 191. Network Policy permissions
Settings - System¶
In this section, you can modify system-wide settings, including server configurations, expiration times, and map settings.
Server Settings¶
Figure 192. Server settings
Expiration Times¶
Figure 193. Configure expiration times for QR verification email code, SMTP verification email code, and Invitation email
Map Settings¶
In this section, you can edit map settings and manage the integration with Google Maps.
Figure 194. Map settings
Settings - About¶
This section displays all application services and their versions.
Figure 195. About: List of all application services and their version
This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration, and System Administrators, and may change with updates.
¹ System Administrators can view statistics across the entire system and all tenants, while Tenant Administrators can only view statistics for their own tenant.