Administrator Manual¶

Introduction¶

The Administrator manual provides a brief overview of the Excalibur PAM system from an Administrator's perspective. It covers system configuration and management through the administration interface, known as the Dashboard, which is accessible as a web application in a browser.

The Registration and Login instructions are identical to those in the User role. For full details, please refer to the User Manual.

Login as an Administrator is done by selecting the Administrator role in the Role switcher. The Role switcher is located in the top right corner -> Preferences of the Excalibur System Dashboard.

Figure 1. Select Administrator role in Role switcher

Info

Publishing the Excalibur System Dashboard, as well as other web server settings and system component accesses, are at the operator's discretion and are covered in the Installation and Configuration Guide. Within these settings, the operator determines at which address the web application will be available.

Dashboard - Overview¶

In the top right corner, there is a clickable tenant switcher, a functionality exclusive to System Administrators. Other users only see their assigned tenant or organization in this area.

The navigation side panel contains a collection of tabs that provide access to the main functionalities of the system. It is available to all users, with access levels varying based on their roles.

Users with Administrator role have access to comprehensive tools for managing system operations:

Management
Network
SAML
Security
Insights
Settings

For standard users, the management functionalities may be limited to specific tasks relevant to their responsibilities, such as submitting requests or viewing other users' actions.

The system is designed to ensure that each user has the appropriate level of access, promoting both security and efficiency.

Management¶

Management - Users¶

This section allows Administrators to manage users, user groups within the Excalibur system.

Users¶

This section lists all users in the Excalibur system. with general information such as Name, Account, E-mail, Groups, Last logged, Actions. The Administrator can perform delete action on users.

Clicking on a user to see their general details and Audit Logs.

General details¶

Audit Logs¶

Filters¶

Clicking on Show Filters displays the filters for the audit logs.

Administrators can apply filters to the audit logs, including:

Action Scope

Figure 9. Filters - Action scope
Action Type

Figure 10. Filter - Action types
Resource Type

Figure 11. Filter - Resource types
Username

Figure 12. Filter - Usernames
Date

Figure 13. Filter - Date

Figure 14. Filter - Select Date
Date range

Figure 15. Filter - Select Date Range

Export¶

The administrator can export the audit logs to a CSV file by clicking on the Export button. Then, a dialog box appears, allowing the administrator to select the language (English or Slovak), and set filters as described in the Filters section above.

User groups¶

This section allows for managing user groups, providing a centralized place to organize and monitor users within the Excalibur system.

Built-in user groups: By default, the system installs three user groups: Administrators, Auditors, and Users that cannot be removed or renamed, and their descriptions are locked.
For other user groups, the Administrators can create as many additional groups as they wish and are free to rename, duplicate, edit, or delete any of these non-default user groups.

An overview of all user groups is available, displaying key details such as group names, member counts.

Key actions include duplicating, editing, deleting, and creating user groups.

General details¶

Clicking on a user group displays detailed information about the group such as user list and security policies assigned to the group.

Figure 18.1. User groups - General information and user list

Audit Logs¶

Clicking on a user groups and selecting the Audit Logs tab displays the audit logs for the user group. The administrator can filter the logs by date, user, and action (create, update, delete) and export the logs to a CSV file.

Filters¶

Clicking on Show Filters displays the filters for the audit logs.

Administrators can apply filters to the audit logs, including:

Action Scope

Figure 21. Filters - Action scope
Action Type

Figure 22. Filter - Action types
Resource Type

Figure 23. Filter - Resource types
Username

Figure 24. Filter - Usernames
Date

Figure 25. Filter - Date

Figure 26. Filter - Select Date
Date range

Figure 27. Filter - Select Date Range

Export¶

The administrator can export the audit logs to a CSV file by clicking on the Export button. Then, a dialog box appears, allowing the administrator to select the language (English or Slovak), and set filters as described in the Filters section above.

Create a new user group¶

Clicking on the plus button in the bottom right corner allows the administrator to create a new user group. The administrator can fill in the name, description, and assign security policies to the user group.

Figure 30. Creating a new user group - Fill in the name and description

The Administrator can search for specific users and click on the plus button in the Action column to add them to the user group.

Figure 31. Creating a new user group - Adding users to the user group

The administrator can also select multiple users using the checkboxes and click on the Add button to add the selected users to the user group.

Figure 32. Creating a new user group - Adding multiple users to the user group

After adding the users, the selected user will be displayed in the Selected Users section.

Figure 33. Creating a new user group - Selected users

Clicking on Save button saves the user group and adds the selected users to the group.

Edit a user group¶

Click the pencil icon in the list’s Action column to edit a group. Administrators can update its name and description - except for the built-in user groups - and add or remove user members using the same steps as when they create a new user group.

Info

The built-in user groups are Administrators, Auditors, and Users. These groups are created during the installation of the Excalibur system and cannot be deleted. It can not be edit the name and description of these groups.

Management - Invitations¶

This section list all invited users in the system.

Figure 35. Dashboard: List of invitations

Invitations ultilities¶

The administrator can perform some actions:

Show/Hide search: Click to show, hide the search function
Show/Hide filter: Click to show, hide the filter function
Show/Hide columns: Click to show options to show/hide some columns in the list
Reinvite selected users: Select one or more users, then click this button to re-invite the selected user(s)
Deleted selected user: Select one or more users, then click this button to delete the selected user(s)
Toggle density: click this button to increase or decrease the height of the rows in the invitation list. There are three levels of density
Toggle full screen: click this button to enter full screen mode for the list of invitations.

Invitation actions¶

In the Action column, the administrator can perform the following actions

Copy the invitation link to the clipboard
Re-invite a user
Delete an invitation

Create a new invitation¶

The administrator can also create a new invitation by clicking the "+" button in the bottom right corner. Then, select the Identity Store (refer to the Identity Store section for more details) where the user is located.

On the "Invite User" page, there’s an update to how user avatars are displayed. If the invited user is already registered, their avatar now appears with a green background and a "registered" icon, making it easy to visually identify existing users at a glance.

Invite a new user¶

Figure 40. Select a user and create an invitation

Figure 41. Assign role(s)/user groups to the user

After making the selection, a notification will appear in the bottom left corner confirming that the invitation has been successfully sent.

Invite an invited user¶

If a user is already invited, there will be a warning message indicating that the user is already invited.

The administrator can follow the same steps as when inviting a new user.

Management - Actions¶

Refer to the User Manual.

Management - Authenticators¶

This section allows administrators to manage authenticators such as Passkeys and Tokens.

Passkeys¶

Passkeys overview¶

The administrator can view the list of all passkeys, including their names, user accounts, count of uses, last used and creation dates of all users within their tenant. The administrator can also delete any of these passkeys.

The administrators can only view passkeys for users within their own tenant. For example, an administrator from Tenant A cannot see passkeys belonging to users from another tenant.

Info

We also have a Passkey page under user profile in the top right corner, where users manage their own passkeys.

Passkeys - Audit logs¶

Clicking on a passkey displays its Audit Logs

Filters and export¶

Administrators can apply filters to the audit logs and export the logs to a CSV file. See User groups - Audit Logs for more details on filters and export.

Tokens¶

Tokens general information¶

Refer to the User Manual for more details.

Tokens - Audit logs¶

In addition to the general information, the administrator has access to audit logs of Tokens. Whenever a token is updated, created, or deleted, the changes are automatically recorded in the audit logs. The administrator can easily verify these changes by navigating to the Tokens table, selecting a token and viewing the details.

Filters and export¶

The Token Audit Logs feature includes an Export button for downloading the logs.

See User groups - Audit Logs for more details on filters and export.

Management - PAM¶

This sections allows administrators to manage all aspects of PAM targets, including adding and configuring targets, managing PAM groups, reviewing session recordings, and performing full-text searches within sessions.

Targets¶

PAM targets¶

In addition to standard user actions like connecting to a PAM target and viewing PAM target details (refer to the User Manual), administrators have additional privileges, including duplicating, editing, and deleting a PAM target. They can also add a new PAM target or import PAM targets from a CSV file.

General information¶

See User Manual for more details on PAM targets general information.

Audit logs¶

In addition to general information of a PAM target, the administrator can view the Audit logs. PAM Target audit logs are accessible after clicking View Target details in the PAM Target list section.

Users can apply filters for date or date range, user (who made the update), and action (such as create, update, or delete).

Users can export PAM target audit logs into a .csv file by clicking the Export button in the audit log timeline. When clicked, a modal will appear, allowing users to specify filters for user, action, and date/date-range. These filters are optional. The predefined language for the exported audit logs is English.

Create a PAM target¶

To create a PAM target, click on the plus button in the bottom right corner:

After that select the type of PAM target: we support RDP, SSH and VNC targets.

Figure 53. Select the type of PAM target

After filling the necessary information, click on the save button to save the target.

Add an RDP target¶

Fill the necessary information

Add an SSH target¶

Add a VNC target¶

Import PAM targets via CSV¶

Click on the button in the lower right corner to import PAM targets via CSV

The administrator can drag and drop a csv file or click to select csv file to upload

Figure 55. Click to select csv file or drag and drop csv file

In addition, the administrator can click on the question mark line to see what data format is required for importing a csv file

After clicking, the administrator can see the list and download the template

Figure 56. Data format required for importing a csv file

Direct application streaming via SAM¶

Overview¶

Excalibur Streamed Access Management (SAM) enables users to directly, secure, real-time access to applications within an RDP PAM target without the need for local installation. It has several key benefits:

Remote hosting: Applications reside in a secure backend or in the cloud, keeping your endpoints lightweight.
No Local Installation: End-user devices do not require the application to be installed - access is entirely streamed via Excalibur Dashboard
Real-Time Streaming: The application interface is streamed live to the user’s device.
On-Demand Execution: Applications are launched only when needed, in a fully managed environment, optimizing resource usage.
End-to-End Protection: All communications and data are protected by robust cryptographic protocols enforced by SAM.

Configuration¶

To enable streaming of an application, the application must first be configured in the RDP PAM target (for example, using Microsoft RemoteApp). Only then can Excalibur connect and stream the application to the end-user. We can create/edit an RDP PAM target and configure the Remote Application configuration as in the below image:

In the Application name field, prefix the executable application name with ||.
Example: ||Notepad. In this case, when we connect to the PAM target, it will only show the Notepad application.
In the Working directory, we can specify the directory that the user will access.
In the Command line arguments field, we can add some arguments.
Example: c:\users\administrator\Documents\demo_file.txt. In this case, when we connect to the PAM target, we will see only the document demo_file.txt opened in Notepad (provided the file exists).

PAM target groups¶

Excalibur PAM allows administrators to group PAM targets into groups for easier assignment via security policies to User groups. In the PAM Groups page, PAM Target groups can be effectively managed. This functionality includes the creation of new groups, as well as the updating and deletion of existing ones. Organizing PAM Targets into groups enhances management efficiency and strengthens security by allowing for more granular access control.

Info

There is a default PAM group called Default system PAM Target Group. This group cannot be deleted, renamed or modify the description.

Create a PAM target group¶

Figure 59. Create a new PAM target group

The administrator can fill in the name and description of the PAM target group and configure the Tag Color.

Figure 60. Create a new PAM target group - Fill in the name, description and configure the Tag Color

The Administrator can add PAM targets to the group by clicking on the plus button in the Actions column corresponding to the PAM target.

Figure 61. Add a PAM target to the PAM target group

The administrator can also select multiple PAM targets using the checkboxes and click on the Add button to add the selected PAM targets to the group.

Figure 62. Add multiple PAM targets to a the PAM target group

After adding the PAM targets, the selected PAM targets will be displayed in the Selected PAM Targets section.

Clicking on the Save button saves the PAM target group.

Edit a PAM target group¶

Click the pencil icon in the list’s Action column to edit a PAM target group. Administrators can update its name and description, and add or remove PAM targets using the same steps as when they create a new PAM target group.

Info

The default PAM target group is Default system PAM Target Group. This group is created during the installation of the Excalibur system and cannot be deleted. It can not be edit the name, description and color tag configuration.

Sessions¶

The PAM Sessions page contains Sessions and Full-text search functionalities which are the same as in the User role. The administrator can access all sessions in the system, while users can only access their own sessions. Tenant administrators can access all sessions in their tenant.

Refer to the User Manual for more details.

Sessions¶

The PAM Sessions page within the application serves as a centralized interface for managing and reviewing all accessible session recordings. This functionality provides a robust framework for comprehensive oversight of recorded sessions associated with specific PAM Targets. By consolidating session management into a single location, this feature enhances the ability to monitor, analyze, and audit user interactions with critical systems.

Each entry provides both general and detailed information about the session, with options to play or download the recording, download the Typescript of the session or view the File Transfer associated with the session.

Through the PAM Sessions page, administrators can gain insights into user behavior, operational processes, and potential security incidents. This oversight is crucial for organizations aiming to maintain stringent security protocols and compliance with regulatory requirements. The ability to review session recordings not only aids in identifying anomalies or unauthorized activities but also serves as an invaluable resource for improving operational efficiencies.

The Sessions tab lists all active and in-active PAM sessions, as well as their start and end times. Each role has predefined session access rules. Users see only their own sessions, tenant admins see all tenant sessions, and system admins see all sessions in the system.

All PAM sessions are logged by default. The user can play the session, download it or click to view the session details.

Full-text search¶

The Full-Text Search feature enables users to efficiently locate specific commands within any executed session, enhancing the overall user experience by providing a streamlined method for retrieving relevant information.

Search results are displayed in a tabular format, with each entry representing a session where the searched command was found. Users can access detailed information regarding each occurrence, including the context in which the command appears. Additionally, there is an option to play the corresponding session recording, allowing for a comprehensive understanding of the context and facilitating better analysis and insights.

This functionality empowers users to quickly and effectively identify pertinent information within session recordings, thereby improving their ability to analyze and respond to specific scenarios.

Excalibur PAM enables full text searching of text that is written / entered by the user during a PAM session. Users can search only in their own sessions, tenant administrators in all tenant sessions, and System Administrators in all sessions in the system.

When we enter a term in the search bar, the sessions with the desired term will be dynamically loaded. The "Play" button on the session itself starts a preview of the session recording. The "Play" button in the search detail with the location where the desired entry was found will start a preview of the session recording from the moment the occurrence was found in the recording.

Management - Tenants¶

The Tenant Management section offers a comprehensive overview of the active Tenant, along with a list of accessible Tenants and the capability to create new ones. Detailed information about each Tenant is readily available for review.

Utilize the integrated Search field to efficiently filter the list of Tenants. Additionally, if necessary, you can switch to (or log in as) a specific Tenant directly from this menu, facilitating seamless navigation and management of your Tenants.

This section is only available to System Administrators. Tenants are always created at the system level.

Tenant List¶

Manage Tenants from this section, which provides an overview of all Tenants based on your permission. System Administrators have the ability to edit or delete existing Tenants as needed, ensuring effective management and oversight of Tenant resources.

Create a new tenant¶

Click the "+" button in the bottom right corner to create a new tenant. Here we can fill the general information of a tenant: Name, Alias, Description, Network Addresses.

Tenant details¶

Clicking on a tenant displays its details and allows editing, organized into several information tabs.

General: Basic information about the tenant, User group list, Cluster Status.

Figure 67. General information
Identity Store: Lists all identity stores associated with the tenant. Administrators can create a new identity store or delete an existing one.

Figure 68. Identity store
Users: List of all users associated with the tenant. Administrators can delete existing users.

Figure 69. Users
Invitations: Displays all invitations sent under the tenant. Administrators can copy a user's invitation link, resend the invitation, or delete it. Additionally, a new invitation can be created by clicking the "+" button in the bottom right corner.

Figure 70. Invitations

Figure 71. Clicking the "+" button in the bottom right corner to add a new invitation.

Figure 72. Select identity store

Figure 73. Clicking the invitation button

Figure 74. Selecting the user role: User, Auditor, Administrator

Figure 75. Invitation successfully sent
Network: Lists all network addresses associated with the tenant. Administrators can add new network addresses or import them from a file.

Figure 76. Network

Network¶

Network - Tunnels¶

Tunnels overview¶

The Excalibur Tunnel Client is an essential part of the Excalibur Tunnel technology, designed to securely connect your local network to the Excalibur Cloud. With this connection, you can seamlessly access SAM (Streamed Access Management) resources hosted in your local network directly from the cloud-based Excalibur environment.

It establishes a secure, reliable connection using mutual TLS (mTLS) for both authentication and encryption, ensuring your data remains protected at all times. Built with security, reliability, and ease of use in mind, the client is ideal for both developers and system administrators.

With its straightforward installation and configuration, the Excalibur Tunnel Client offers a smooth, hassle-free setup experience.

Enhanced Security: SSH tunneling provides a secure, encrypted communication channel for privileged access, reducing the risk of unauthorized access or breaches.
Flexibility: Customers can deploy the solution in VMs or locally, based on their environment and infrastructure.
Simplified Management: This solution integrates smoothly with PAM, offering centralized access management and monitoring for both on-premises and cloud resources.
Hybrid Compatibility: It bridges the gap between on-premises and cloud-based systems, allowing for consistent access control regardless of where the resources are hosted.
Cross-Platform
- Ready-to-use Debian/Ubuntu packages
- Red Hat/CentOS packages for enterprise environments
- Support for other Linux distributions
- Windows MSI installer packages for easy deployment

Create a tunnel¶

Click on the plus button in the lower right corner to create a new tunnel

After that, fill in the name and description of the tunnel then click the save button in the lower right corner.

Install the Excalibur Tunnel Client¶

After creating a tunnel with name and description, click on the tunnel name to see how to establish the tunnel with a local network.

Figure 80. Click a tunnel name to view the commands to establish a connection

Then, we need to install the Excalibur-Tunnel client on a local network machine that hosts the PAM resources you want to access using the commands provided in the Setup part. Remember to select the correct operating system.

Figure 82. Select the operating system to install the Excalibur Tunnel Client

There are 4 mains steps:

Download the Tunnel Package
Install the excalibur-tunnel client application
Activate the tunnel
Verify the tunnel status

For Debian and Red Hat based systems, you can run the commands listed in the Tunnel Setup section.

Figure 83. Tunnel Setup for Debian based systems

Figure 84. Tunnel Setup for Red Hat based systems

For Windows systems, you can Download the installer using GUI or via command line.

Figure 85. Tunnel Setup for Windows systems - Download the installer using GUI

Figure 86. Tunnel Setup for Windows systems - Download and install the tunnel via command line

After installing the tunnel client on Windows, you can activate the tunnel using cmd or power shell.

Figure 87. Tunnel Setup for Windows systems - Activate the tunnel via command line

Excalibur Tunnel Client¶

The Excalibur Tunnel Client is available at GitHub.

To see the available command, run sudo excalibur-tunnel --help

Figure 88. Excalibur-tunnel client application help menu

The Excalibur Tunnel Client can configure proxy settings and establish both control and data channels connections throught the specified proxy. This enhancement is especially userful in environments where internet access requires routing through a proxy server. Run the command sudo excalibur-tunnel setup to configure the proxy settings.

Figure 89. Excalibur Tunnel Client - Proxy settings

Figure 90. Excalibur Tunnel Client - Select Log Level

On Windows installer, log rotation was added. Each 50MB log is compressed and older logs than 7 days are deleted.

Click on the Save button to save the settings.

Connect to a PAM target via the tunnel¶

Go to PAM targets in the side panel, create or edit an existing PAM target. In the Network details, select the tunnel name.

Figure 91. Select the tunnel name in a PAM target

After that, we will see the PAM target in the tunnel description

Figure 92.PAM target in the tunnel description

We can connect to ssh, rdp and vnc PAM targets.

SAML¶

Excalibur enhances security and streamlines the login process by supporting SAML integration, allowing seamless and secure authentication through enterprise identity providers. SAML (Security Assertion Markup Language) is a standard used for Single Sign-On (SSO). It allows users to log in once and access multiple applications without needing to log in again for each one.It works by passing authentication information from an Identity Provider (IdP) to a Service Provider (SP). The IdP confirms the user’s identity and sends a secure message (called a SAML assertion) to the SP, which then grants access.

SAML - Service Providers¶

Service Providers¶

The Service Providers screen lists all configured Service Providers (SPs) integrated with the Identity Provider (IdP) for SAML-based authentication. This view allows administrators to organize, monitor, and manage the connection status of SPs. The administrator can create a new SP, edit and delete existing SPs.

Add a New Service Provider¶

Figure 95. Fill new Service Provider information

General Information

Name: Enter a clear, descriptive name for the Service Provider (e.g., Grafana Cloud, HR Portal). This name will be shown in the SP list.
Description (Optional): Add any notes or context to help other admins understand the purpose or usage of this SP.
Enabled Toggle:
- Toggle Enabled to activate the SP immediately upon creation.
- Leave it disabled if you plan to finish setup or testing later.

Metadata Configuration

Service Provider metadata defines how the SP communicates with the IdP. You have two configuration options:

Option 1: Fill in Metadata URL
- Click "FILL IN METADATA URL" to switch to this method.
- Enter the Metadata URL, which is a direct link provided by the SP to fetch metadata (usually ends in .xml).
- Recommended if the SP maintains a public metadata endpoint.
Figure 96. Fill in Metadata URL
Option 2: Upload XML Metadata
- Click "UPLOAD XML METADATA" to switch to file upload mode.
- Upload a metadata file (.xml) provided by the SP.
Figure 97. Upload XML Metadata

Edit Service Provider¶

Service Provider Groups¶

For environments with multiple integrations, you can organize Service Providers into groups.

Grouping SPs allows for easier policy management and delegation.
You can apply settings or permissions usage across an entire group instead of configuring each SP individually.
Useful for multi-tenant environments, subsidiaries, or teams with distinct SAML requirements.

Figure 100. Service Provider Group overview

Create Service Provider Group¶

Figure 101. Click plus button to create a service provider group

Then fill in the name and description of the service provider group.

The administrator can also select the Service Providers to add to the group.

Figure 102. Add a Service Provider to the group

The administrator can select multiple Service Providers using the checkboxes and click on the Add button to add the selected Service Providers to the group.

Figure 103. Add multiple Service Providers to the group

After adding the Service Providers, the selected Service Providers will be displayed in the Selected Service Providers section.

Figure 104. List of Selected Service Providers

Clicking on the Save button saves the Service Provider group.

Edit Service Provider Groups¶

Clicking on the pencil icon in the Actions column to edit a Service Provider group. Administrators can update its name and description, and add or remove Service Providers using the same steps as when they create a new Service Provider group.

SAML - Identity Provider¶

The metadata section includes URLs required for service provider configuration.

Entity ID:

This is the unique identifier for the Identity Provider

Example: https://demo-v4.xclbr.com/idp

Click the copy icon to copy the Entity ID to your clipboard.
URL (Metadata URL):

This is the endpoint to retrieve the IdP metadata in XML format, typically used for service provider setup.

Example: https://demo-v4.xclbr.com/api/v1/saml/idp/metadata

Click the copy icon to copy the URL.

Click Download Metadata to download the IdP metadata as an XML file.

Click Copy Metadata to copy the entire metadata content to your clipboard.
Certificate:

The Signing Certificate is used to digitally sign SAML assertions.

Renew: Start the renewal process if the certificate is nearing expiration.

Copy: Copies the certificate content for manual use.

Download: Saves the certificate as a file for SP distribution or backup.

Maintaining a valid certificate is critical to avoid login issues.
Certificate Options:

You can generate a signing certificate directly through the interface.

Alternatively, you may upload and use your own certificate, if preferred for alignment with enterprise policies.

Security¶

This section collects functionality related to the security administrator settings of the system. To a different extent - according to the user's role (System Administrator / tenant administrator), it is available to all administrator roles.

Security - Geofences¶

This section provides comprehensive tools for managing Geofences and Geofence Groups. A Geofence is defined as a virtual boundary established around a specific geographical area, enabling precise location-based tracking and activities.

You have the capability to create new Geofences, edit existing ones, and organize them into groups for streamlined management. This functionality allows you to customize Geofences to suit your specific requirements, whether for monitoring, alerts, or other location-based services.

Geofences¶

Overview¶

The Geofences page within the application serves as a comprehensive interface for managing all accessible Geofences. This functionality is essential for organizations that depend on location-based services, providing precise control over geographical boundaries.

To enhance usability, a Google Map is integrated into the application interface, which is activated when a valid Google API key is provided. This feature allows users to visualize Geofences accurately, facilitating more effective management. If a valid Google API key is provided, entering a street name can significantly enhance the efficiency, speed, and accuracy of geolocation retrieval.

By leveraging the capabilities available on the "Geofences" page, users can efficiently manage geographical boundaries, thereby improving location-based operations and ensuring alignment with organizational objectives.

Create a new Geofence¶

Administrators can create a new Geofence by clicking on the plus button on the lower right corner of the screen. Excalibur also provides functionality to autofill/auto complete the address/location when searched in the “Search address” field.

The administrator can fill in the name and select the Geofence Groups.

The administrator can type the address in the Search address field, select the corresponding address in the dropdown list and the system will automatically fill in the latitude and longitude fields. The administrator can also manually enter the latitude and longitude.

On the right side, the administrator can turn on the Display all Geofence toggle to see all Geofences on the map, or turn it off to see only the Geofence being created.

After filling in the necessary information, click save button in the lower right corner to save the Geofence.

Edit/Delete a geofence¶

Administrators can perform actions to edit or delete existing geofences.

Geofence Groups¶

Manage all accessible Geofence Groups. View the list of Geofence Groups, edit or remove existing groups and create new ones using available Geofences.

Create Geofence Group¶

Figure 115. Click the plus button to create a new Geofence Group

Figure 116. Fill in the name and description of the Geofence Group

Click the save button in the lower right corner to save the Geofence Group.

Edit geofence group¶

Clicking on edit button to access editing page and modify the group name and description as when creating a new Geofence Group.

Security - Security Policies¶

The Security Policies section of the application is designed for the comprehensive management of all accessible Security Policies and Rule Sets. This functionality is critical for establishing and maintaining access control between User Groups and PAM (Privileged Access Management) Target Groups.

Within this section, administrators can define Security Policies that specify access rights, clearly delineating which users have authorization to access specific PAM Targets. This ensures that access is granted based on established organizational protocols, enhancing security and compliance.

Additionally, administrators can create and define Rule Sets associated with specific Security Policies. These Rule Sets provide further granularity in access control, allowing for tailored permissions based on varying operational needs.

The interface allows administrators to view, edit, remove, or create new Security Policies and Rule Sets as necessary. This flexibility ensures that organizations can adapt to evolving security requirements and maintain effective governance over access permissions.

By leveraging the capabilities offered in the "Security Policies" section, administrators can effectively manage access rights and enforce security protocols, thereby safeguarding critical resources and ensuring adherence to best practices in access management.

Security Policies¶

Overview¶

Security Policy: an entity that includes a required name, description (optional), target type, action type, list of user groups, list of rule sets.
Depending on the action and target type, a security policy may relate to Dashboard, SAML service provider groups or PAM target groups.
- Additionaly, user can add optional description and validity period (nonstop, date-time range, or recurring intervals), assign one or more rule sets, enable / disable status (disabled policies are excluded from validation).
Evaluation Logic: an action is considered valid if the user fulfills all conditions of at least one complete rule set. Partial fulfillment across multiple rule sets is not sufficient.

Policy Management: can be created, modified, copied, or deleted by users with appropriate permissions.

System-scope administrators can manage all policies.
Tenant-scope administrators can manage only policies created within their tenant.
Default policies can be modified or copied, but not deleted.

By default, there are 4 Default Security Policies created during the installation of the Excalibur system:

Default registration security policy
Default authentication security policy
Default authorization security policy
Default SAML authentication security policy

These policies cannot be deleted, renamed, or modified. It can be edit.

When a user attempts to edit a default security policy or a default rule set, a warning dialog will appear to confirm the action, ensuring that users are aware they are modifying a system setting.

Figure 119. Warning when editing default security policies

For non-default security policies, Administrators have the ability to view existing policies, as well as edit, remove, or create new policies as required. This flexibility allows organizations to respond effectively to changing security needs and to implement best practices in access governance.

Registration type¶

Definition¶

A registration security policy defines the rules a user must meet during the registration process. This policy is always tied to the dashboard as its target and includes mappings to user groups and rule sets. Every registration policy must have at least one user group assigned to it.
In the system scope, a default registration policy is automatically created during database initialization. It includes all three default user roles and has no time or date restrictions. It uses the default rule set and can be edited by authorized users, but not deleted.
Administrators can also create or copy custom registration policies in the system scope. In addition, from the system-level tenant detail view, they can manage tenant-specific registration policies—similar to how tenant Active Directories are managed.
In the tenant scope, a default registration policy is created when the tenant is created and removed if the tenant is deleted. It mirrors the system default but links to the tenant’s default user groups and can be deleted if needed.

Validation¶

During the registration process, the system uses the tenant ID and user ID from the QR code to select the relevant registration security policies and their associated rule sets. If at least one complete set of rules within a policy is successfully validated, the user is authorized to register. If no rule sets pass validation, registration is denied. and the system records which rules prevented registration.
Additionally, the system keeps track of the rules that were successfully completed. The registration action details will show the policies used to validate the user and the results of those validations.
Note: Since rule sets with the same name may exist in both the system scope and tenant scope, the system clearly indicates which scope each rule set belongs to, ensuring transparency.

Authentication type¶

Definition¶

An authentication security policy defines the rules users must follow during login. There are two types: one for dashboard access and another for SAML service provider authentication via the Excalibur SAML IdP. Both support login using tokens (QR codes) or passkeys. Dashboard policies require at least one user group, while SAML policies require at least one user group and one SAML service provider group.
In the system scope, default dashboard and SAML authentication policies are created automatically during setup. These include all default user groups and have no time restrictions, using the default rule sets. Authorized users can edit these policies but cannot delete them.
Tenant-level authentication policies are managed similarly. When a tenant is created, default dashboard and SAML policies are set up with tenant-specific groups and can be edited or deleted. Tenant administrators can also create their own policies and use system-defined rule sets within tenant scope.
For emergency access, a rescue authentication policy can be created only by system administrators via command line. This policy has no restrictions, is used solely for emergency logins, and deletes itself after a successful login. Tenant scopes do not have a rescue policy, but tenant policies can be managed directly by system administrators.

Validation¶

The validation process varies depending on the target type. For SAML authentication, security policies are selected based on the tenant ID, user ID, user groups, and SAML service provider groups. For the Dashboard target, policies are selected based solely on user groups.
The system validates the selected security policies and their related rule sets. If at least one complete rule set passes validation, the user is authorized to authenticate. If no rule sets pass, access is denied and the system records which rules prevented authentication.
The action details display the policies used to validate the user during registration and the outcomes of each validation.

Authorization type¶

Definition¶

An authorization security policy defines the rules a user must follow during the PAM authorization process. It targets PAM and requires at least one PAM target group, one user group, and one rule set to be assigned. Users can authorize by scanning a QR code or using their passkey.
In the system scope, a default authorization policy is created during system setup. This policy has no time limits and links to the three default user groups, a default PAM target group, and a default rule set. While it can be edited, it cannot be deleted.
System administrators manage tenant authorization policies through the tenant’s Security Policies tab. When a tenant is created, a default authorization policy is also created for that tenant and deleted when the tenant is removed. This tenant-specific default policy connects to the tenant’s default user groups, PAM target group, and rule set, and can be edited but not deleted.
Tenant administrators can create, edit, delete, or copy their own authorization policies, which must include at least one PAM target group, one user group, and one rule set. Rule sets defined at the system level are also available within tenant scope, allowing tenant admins to use or copy them for their policies.

Validation¶

When a user initiates access using a QR code or passkey, the system checks their identity and group membership to determine which authorization policies apply. Based on these policies, it evaluates the necessary security rules. If at least one complete set of rules is successfully validated, the user is authorized and a PAM session is created. If no rules are fully met, access is denied, and the system logs which rules were attempted and which ones failed.
System also records any rules that were successfully completed. For added efficiency, if the user already passed certain rules during the login process, those validations are reused and not repeated during authorization.
The user’s access details clearly show which policies were applied and the results of each validation, ensuring transparency and easier troubleshooting.

Rule Sets¶

Overview¶

Rule Sets: define a collection of authentication rules and conditions, assignable to Security Policies.

Each rule set includes required name, optional description, configuration of authentication factors such as PIN & biometry, option to allow passkey usage and additional conditions, including Time range, IP range, geolocations and geolocation groups, phone status, device integrity check.

Rule Set Management: can be created, modified, copied, or deleted by users with the appropriate permissions.

System-scope administrators can manage all rule sets.
Tenant-scope administrators can manage only rule sets created in their tenant.
System-scope Rule Sets are visible in tenant scope in read-only mode and can be reused in tenant policies.

Default Rule Sets can be modified or copied, but not deleted.

Default registration rule set
Default authentication rule set
Default authorization rule set
Default SAML authentication rule set

Default geofences / geofence groups are pre-configured for global regions of Europe and the Middle East, North America, South America, Africa, Asia, Australia. Each region's time zones are mapped to a corresponding default geofence object. When a user selects a time zone during the setup process, the appropriate default geofence or geofence group is automatically mapped to the default rule set.

Create a new Rule Set¶

Figure 125. Fill in the name and description of the Rule Set

Rule Sets include: - Passkey authentication - Time - Factors - Geofences - Phone Connection - IP Address

Passkeys¶

Excalibur supports passkeys for fast, secure, and passwordless login. You can sign in using your fingerprint, face, or device PIN without needing your phone if you're on a trusted device. Once enabled, the policy will enforce passkey authentication for secure access. Passkeys can be saved on the user's device, 3^rd party apps or Yubikeys.

Figure 127. Enable Passkey authentication

Time¶

Factors¶

Geofences¶

Phone Connection¶

Figure 131. Select type: Status or Integrity check

IP Address¶

Security - Network Policy¶

This section allows users to view all network policies linked to the system tenant. It provides a comprehensive overview of the policies in place, facilitating better understanding and management of network configurations associated with the tenant.

By default, if there are no network policies, the system will allow connections from all networks. As soon as a network policy is created, the system will only allow connections from the networks specified in the list.

Create a new Network Policy¶

Figure 140. Fill in the Network Address, click the Save button in Actions column and click the Save button in the lower right corner

Import Network Policies¶

The imported file can be a text file with a list of network addresses, one per line. After selecting the file, the content of the file will be automatically displayed in the box below.

Figure 143. After importing a file, the content is automatically displayed in the box below

Click confirm to import the network addresses. Then click the Save button in the lower right corner to save the Network Policies.

Security - Password Rotation Policy¶

Overview¶

In alignment with industry best practices for privileged access management, the Excalibur Privileged Access Management (PAM) system provides configurable options for password rotation, complexity, and authentication methods for user accounts. The System Administrators can schedule periodic automated password rotations to maintain continuous credential security on PAM targets. Password changes can be scheduled at customizable intervals, ranging from a minimum of 1 hour to a maximum of 1 year.

Automated password changes are currently implemented over SSH connections, thus native support is limited to SSH PAM protocol. For non-SSH targets such as RDP and VNC PAM, automated password rotation can be achieved by deploying an SSH server on those targets and then applying the password rotation policy accordingly.

Info

SSH server feature is a built-in functionality in modern Windows servers and desktops, that does not require any 3^rd party component:

Windows 10 (version 1809 and later) – Optional feature: You can install it via Settings → Apps → Optional Features or using PowerShell (Add-WindowsCapability).
Windows 11 – Pre-installed as an optional feature (can still be enabled via Settings or PowerShell).
Windows Server 2019 – OpenSSH is included as an optional feature (but not installed by default).
Windows Server 2022 – available as an optional feature.
Windows 8.1, 8, 7, Windows Server 2016 and earlier: can be installed manually as 3^rd party service.

Figure 144. Password Rotation Policy overview

Complexity Requirements¶

To ensure flexibility in security, Excalibur allows the following password complexity settings to be enabled or disabled based on organizational requirements:

Lowercase letters: Option to require at least one lowercase letter (a-z).
Uppercase letters: Option to require at least one uppercase letter (A-Z).
Special characters: Option to require at least one special character (e.g., !, @, #, $, etc.).
Numbers: Option to require at least one numeric digit (0-9).
Password Length: Option to enforce a minimum password length (e.g., 12 characters).

These complexity settings can be enabled or disabled individually, offering flexibility in aligning with internal policies or compliance regulations.

Password Rotation Interval¶

Excalibur allows the configuration of the password rotation interval. The interval can be set based on organizational needs, such as rotating passwords every 30 days, 60 days, or as required. The start date for password rotation is recorded. The rotation period is fully configurable to meet security requirements.

Authentication Methods¶

Users may authenticate with passwords or private keys when connecting to servers. The system allows for the selection of preferred authentication methods, offering flexibility to use stronger authentication while adhering to the organization's overall security policy.

Selection of PAM Targets¶

Within Excalibur, administrators can select specific PAM targets for both Linux and Windows systems to ensure that the appropriate access control policies are applied to privileged accounts. The ability to configure PAM targets ensures that password and key management policies are enforced according to each system’s specific needs.

By configuring these settings within Excalibur, we provide a highly customizable, secure framework that aligns with both organizational and regulatory security requirements while minimizing risks associated with unauthorized access.

Insights¶

Statistics¹¶

The Statistics section provides administrators with a powerful tool for monitoring and analyzing system usage, user activity, and device interactions within the Excalibur environment. This section delivers a comprehensive view of key metrics and events. The General tab offers an overview of user-related statistics, providing insights into registration statuses, user groups, and invitation progress. The Devices tab focuses on tracking and managing the various devices interacting with the system, while the Actions tab enables the review of specific user actions and system events, giving administrators the ability to assess activity levels and ensure proper system functioning. With these detailed views, the Statistics section empowers administrators to maintain optimal security, user management, and system performance.

General¶

The General section provides administrators with detailed insights into users, system configurations, and PAM target activities across different tenants in the Excalibur environment. This section offers the ability to filter statistics by tenant and provides key metrics related to users, invitations, user groups, and PAM target types.

User Statistics¶

Registered Users: Displays the total number of users who have completed the registration process within the selected tenant.
Invited Users: Shows the number of users who have been invited but have not yet registered.

User Group Statistics¶

System User Groups: Groups associated with system configurations or built-in roles.
Non-System User Groups: Custom user groups created for specific organizational roles.

Invitation Status¶

Invitation Status: Provides an overview of the current status for user invitations, including:
- Sent: Invitations that have been dispatched.
- Accepted: Invitations that have been accepted by users.
- Failed: Invitations that could not be delivered.
- Blocked: Invitations blocked due to security policies or manual intervention.
- Dismissed: Invitations that have been dismissed.
- Pending: Invitations awaiting user action.

PAM Target Statistics¶

PAM Target Types: Statistics on different PAM target types within the system, including:
- RDP
- SSH
- VNC

By providing the flexibility to view tenant-specific data and focusing on key metrics, the Statistics section helps administrators effectively manage user access, invitation processes, user group configurations, and system integrations, enhancing overall security and compliance.

Devices¶

This section provides an overview of device-related statistics, including phone tokens, token distribution across platforms, and other operating system-specific information.

Actions¶

This section provides an overview of action-related statistics, including insights into user interactions such as registrations, authentications, and authorizations. It offers visibility into different action types, their statuses, and trends over time. Additionally, it includes the option to switch between tenants for a broader or more focused analysis

Settings¶

This section enables users to manage essential application settings, encompassing configurations for Email, System, and Map functionalities. It provides a centralized interface for adjusting these critical settings to ensure optimal application performance and alignment with organizational needs.

Settings - E-mail¶

In this section, users can configure your email settings, including the details for the SMTP server. This interface allows for easy adjustments to ensure proper email functionality and communication within your system.

SMTP¶

This section allows you to manage your SMTP configurations, which are essential for sending emails within the application. Only one verified configuration can be active at any given time. You can edit, activate, delete, or create new configurations as necessary to ensure effective email communication.

Create a new SMTP configuration¶

Figure 154. Fill in the SMTP configuration details

Figure 155. Fill in the E-mail verification details

Settings - Identity Stores¶

The Identity Store Management feature serves as the central hub for managing Identity Stores within the application. This functionality allows users to add, edit, or remove Identity Stores as needed.

Identity Stores play a critical role in the application by securely storing user identities and their associated credentials. This ensures efficient user authentication and authorization, contributing to the overall security and integrity of the system. Through effective management of Identity Stores, users can maintain a robust framework for handling user identities, enhancing both security and operational efficiency.

This section is only available to administrators. Identity sources are always configured at the tenant level.

In the list of identity stores, the overall status is displayed. Whether all configurations are connected, at least one is working, or none are available. Expanding any entry reveals detailed info about each configuration.

Figure 157. Identity Store: Expanded view of one Identity Store

Create a new Identity Store¶

Figure 159. Fill in the Identity Store details

The administrator can set up multiple configurations for a single identity store either during the initial setup or directly from the dashboard. All these configurations stay active and are regularly checked, so if any become unavailable, the UI will clearly indicate this.

Figure 160. Click ADD to add configurations

Figure 161. Fill in the configuration details

Manage Configurations¶

Managing configurations is simple and user-friendly. Can be added or edited through convenient pop-up modals where connection tests happen before saving to ensure everything works smoothly.

Configurations can be duplicated or deleted. Multiple configs at once for efficient management. A Disable button is being added soon for even better control.

The system is designed to automatically switch to another configuration if the current one becomes unreachable, such as when a firewall blocks its port, ensuring uninterrupted service.

Figure 162. Identity Store: Multiple configurations

Settings - OAuth Clients¶

This section is only available to System Administrators. OAuth clients for external integrations are set uniformly, always at the system level, because external integrations can automatically manage system tenants.

The OAuth Clients section within the application is dedicated to the management of all accessible OAuth Clients, which are essential for facilitating secure delegated access to server resources. This section provides users with comprehensive tools and information to effectively manage OAuth Clients, ensuring robust security practices are maintained.

Users can view key information related to each OAuth Client, including client identifiers, secret keys, and associated permissions. The interface allows for the editing of existing clients, enabling users to update configurations as necessary to meet evolving security requirements. Additionally, users have the option to remove clients that are no longer needed, ensuring that only relevant and secure access points remain active.

Furthermore, the application provides functionality to create new OAuth Clients, allowing organizations to expand their security framework as required. This includes specifying necessary parameters and permissions to align with specific use cases.

By utilizing the features available in the OAuth Clients section, users can effectively manage secure access to server resources, thereby enhancing the overall security posture of their application and ensuring compliance with best practices in delegated access management.

Overview¶

Details¶

Click on an OAuth client to see

Figure 164. OAuth Clients: Detailed information about a specific OAuth Client

Create a new OAuth Client¶

General Information¶

Figure 166. Fill in the OAuth Client details

Permissions¶

User permissions¶

PAM permissions¶

Identity Store permissions¶

Tenant permissions¶

Network Policy permissions¶

Settings - System¶

In this section, users can modify system settings, including server configurations, expiration times, map settings. Adjust these settings to optimize performance and ensure proper operation of your system.

Server Settings¶

Expiration Times¶

Map Settings¶

In this section, users can edit map settings and manage the integration with Google Maps. Customize these settings to enhance the mapping experience within your application.

Settings - About¶

In this section, users can view all application services along with their respective versions. This allows you to keep track of the services in use and ensure they are up to date.

Figure 175. About: List of all application services and their version

This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration and System Administrators and may change with updates.

System administrators have access to view statistics across the entire system and all tenants, while tenant administrators can only view statistics related to their own tenant. ↩