Resources
Add and manage the infrastructure targets that users connect to through OnePAM.
What Are Resources?
Resources represent the servers, databases, applications, and services your team needs to access. Each resource is associated with one or more Endpoints (agents) and optionally a Secret for credential injection. OnePAM proxies every connection through a gateway, records the session, and enforces access policies — without exposing ports or sharing credentials.
Supported Resource Types
| Type | Protocol | Default Port | Description |
|---|---|---|---|
| SSH | SSH | 22 | Terminal and SFTP access to Linux/Unix servers |
| Database | SQL / NoSQL | Varies | PostgreSQL, MySQL, MSSQL, MongoDB, Redis, Elasticsearch, CockroachDB, Snowflake, Cassandra, Neo4j, Oracle, ClickHouse, Db2, BigQuery |
| HTTP App | HTTP/HTTPS | 80 / 443 | Internal web applications published through OnePAM with SSO, MFA, and access control |
| RDP | RDP | 3389 | Remote Desktop access to Windows servers |
| VNC | VNC | 5900 | VNC remote desktop access |
| TCP | TCP | — | Generic TCP tunnel for any service |
Adding a Resource
Navigate to Resources in the sidebar and click Add Resource.
- Choose a type — select from the resource type grid (SSH, Database, HTTP App, RDP, VNC, or TCP).
- Name & host — give the resource a descriptive name and enter the target hostname or IP address. The default port is pre-filled for each type.
- Assign endpoints — select one or more enrolled agents that can reach the target host. The first endpoint is the primary.
- Assign a secret — pick a credential from the secrets vault. Required for SSH, RDP, VNC, Database, and TCP resources.
- Optional: gateway — assign a dedicated customer gateway if you use one.
- Tags — add comma-separated tags for filtering and organisation.
Database-specific fields
- Driver — select the database engine (e.g. Postgres, MySQL, MongoDB).
- Database name — the default database to connect to.
- SSL/TLS mode — connection encryption mode.
- Timeouts — connect, read, and write timeouts in seconds.
HTTP App-specific fields
- Short name — defines the published URL pattern (e.g. myapp.your-org.onepam.com).
- Custom domain — bring your own domain (Business plan and above).
- Host rewrite / path prefix — rewrite rules for the upstream request.
- Backend TLS — enable when the upstream uses HTTPS.
- Require SSO / MFA — enforce authentication on every request.
Resource Settings
Open a resource and click Settings to access the full configuration. The settings page is organised into sections:
General
Name, status (enabled/disabled), description, and tags.
Connection
Host, port, assigned endpoints (with primary promotion), and HTTP-specific routing (custom domain, host rewrite, path prefix, backend TLS).
Protocol
Type-specific options: SSH port, database driver/SSL, RDP colour depth/resolution/audio.
Authentication (HTTP)
SSO or LDAP/AD mode, session TTL, allowed emails, MFA requirement, and LDAP connection parameters.
Headers (HTTP)
Upstream header injection (username, email, display name, groups), custom request/response headers.
Access Control (HTTP)
IP allowlist, allowed HTTP methods, and approval-required mode.
Performance (HTTP)
Rate limiting, load-balance mode (single, failover, round-robin, weighted), and WebSocket support.
Session Limits
Maximum concurrent sessions, idle timeout, and maximum session duration.
Health Check
Enable automated probes with configurable path, expected status, interval, and timeout.
Security Headers (HTTP)
Choose a preset (None, Moderate, or Strict) to add standard security headers to HTTP responses.
Security (non-HTTP)
Select the credential / secret binding for SSH, RDP, VNC, Database, and TCP resources.
Data Masking (Database)
Define column-level masking rules for sensitive data. Strategies include full mask, partial mask, email mask, credit-card mask, SHA-256 hash, redact, null, and custom. Rules can target columns by exact name or pattern (glob or regex).
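To make the rule model above concrete, here is an added sketch (not OnePAM's code) of column-level masking in which the first rule whose pattern matches a column name picks the strategy. The output formats for the partial, email and credit-card masks, the rule tuple layout, the first-match behaviour and all function names are assumptions made for illustration; the custom strategy is omitted.

```python
import fnmatch
import hashlib
import re

def partial(v, keep=4):          # assumed format: keep the last 4 characters
    return "*" * max(len(v) - keep, 0) + v[-keep:]

def email_mask(v):               # assumed format: first character plus domain
    local, _, domain = v.partition("@")
    return local[:1] + "***@" + domain

def card_mask(v):                # assumed format: last 4 digits only
    digits = re.sub(r"\D", "", v)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

STRATEGIES = {
    "full": lambda v: "*" * len(v),
    "partial": partial,
    "email": email_mask,
    "credit_card": card_mask,
    "sha256": lambda v: hashlib.sha256(v.encode()).hexdigest(),
    "redact": lambda v: "[REDACTED]",
    "null": lambda v: None,
}

def column_matches(kind, pattern, column):
    if kind == "exact":
        return column == pattern
    if kind == "glob":
        return fnmatch.fnmatchcase(column, pattern)
    if kind == "regex":
        return re.fullmatch(pattern, column) is not None
    raise ValueError(f"unknown match kind: {kind}")

# Constructed sample rules: (match kind, column pattern, strategy)
RULES = [
    ("exact", "email", "email"),
    ("glob", "*_token", "sha256"),
    ("regex", r"(cc|card)_?(num|number)", "credit_card"),
    ("glob", "ssn*", "partial"),
]

def mask_row(row, rules=RULES):
    """Mask one result row (dict of column -> value); unmatched columns pass through."""
    out = {}
    for col, val in row.items():
        strategy = next((s for k, p, s in rules if column_matches(k, p, col)), None)
        unchanged = strategy is None or val is None
        out[col] = val if unchanged else STRATEGIES[strategy](str(val))
    return out
```

A column named `card_no` matches none of the sample patterns and is returned unmasked, so pattern rules should be checked against the real schema. An unsalted SHA-256 of a low-entropy value such as a phone number can be reversed by enumeration, so the hash strategy suits high-entropy columns.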
Access Rules (Business+)
Per-resource ACL rules are configured on the resource detail page under the Access Rules tab. Each rule specifies an action (Allow or Deny) and a rule type:
- CIDR — match by source IP range.
- Country — match by geo-location.
- Email Domain — match by user email domain.
- Time Window — restrict to specific times.
- Browser — match by user agent.
- HTTP Header — match by request header value.
- VPN / Proxy — detect VPN or proxy connections.
Rules are evaluated by priority (lower number = higher priority).
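The effect of priority ordering is easiest to see on a small rule set. The following is an added model, not OnePAM's implementation, covering three of the rule types listed above. It assumes the first matching rule in priority order decides and that a request matching no rule is denied; `Rule`, `matches` and `evaluate` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass
class Rule:
    priority: int    # lower number = higher priority, as stated on the page
    action: str      # "allow" or "deny"
    rule_type: str   # "cidr", "email_domain" or "time_window"
    value: object

def matches(rule, req):
    if rule.rule_type == "cidr":
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(rule.value)
    if rule.rule_type == "email_domain":
        # Compare the whole domain; a suffix test would accept look-alike domains.
        return req["email"].lower().rsplit("@", 1)[-1] == rule.value.lower()
    if rule.rule_type == "time_window":
        start, end = rule.value
        now = req["time"]
        # A window such as 22:00-06:00 wraps past midnight.
        return start <= now < end if start <= end else (now >= start or now < end)
    return False  # unknown rule types never match

def evaluate(rules, req, default="deny"):
    """Return (action, priority of the deciding rule or None). Assumed semantics."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action, rule.priority
    return default, None

# Constructed sample rule set, deliberately listed out of priority order
RULES = [
    Rule(20, "allow", "email_domain", "example.com"),
    Rule(10, "deny", "cidr", "203.0.113.0/24"),
    Rule(30, "allow", "cidr", "10.0.0.0/8"),
    Rule(5, "deny", "time_window", (time(22, 0), time(6, 0))),
]

def demo():
    office = {"ip": "10.1.2.3", "email": "ana@example.com", "time": time(9, 30)}
    blocked_net = dict(office, ip="203.0.113.7")   # same user, denied network
    night = dict(office, time=time(23, 15))        # same user, outside hours
    stranger = {"ip": "198.51.100.9", "email": "x@other.test", "time": time(9, 30)}
    return [evaluate(RULES, r) for r in (office, blocked_net, night, stranger)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same user is allowed by the priority-20 rule from the office address but denied by the priority-10 CIDR rule and by the priority-5 time window, because those rules are evaluated first.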
Bulk Operations
Select multiple resources using the checkboxes and apply bulk actions:
- Enable / Disable — toggle resource availability.
- Assign / Unassign Secret — update credential bindings in batch.
- Delete — permanently remove selected resources.
You can also Import resources from a JSON file or Export your inventory as JSON or CSV from the list header.
Connecting to a Resource
Click Connect on any resource to open an in-browser session. For SSH resources this opens a web terminal; for RDP and VNC it opens a remote desktop viewer; for databases it opens the database console. HTTP App resources open the published URL directly.
Every connection is proxied through a gateway, authenticated against your access policies, and fully recorded. Sessions can be monitored in real time from the Sessions page.