Privileged Account Manager 4.0 onwards the “roles” and the respective access to module are descriptive for intuitiveness in the new user interface- they are administrative permissions used while deploying Privileged Account Manager.
For more information on roles, see Section A.0, Appendix: Legacy Roles.
To allow access, you can define one or more permissions according to the tables below:
The following permissions can be assigned to the command control module in order to control access to the Command Control and Access Control console. Select from the following permissions when you are creating a group that you want to manage and test the rules in the command control or access control database.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on Access Control and Command Control |
Have permissions to perform all operations. This implies you have “*” permission to Access Control or Command Control console. |
|
View, Modify Objects and Transaction Permissions in Access Control and Command Control |
Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin permissions. This implies you have read permission to auth module. |
|
View Access Control or Command Control Console |
View the Access Control and Command Control console. This implies you have console permission to Access Control and Command Control console as applicable. |
|
View Access Control Objects |
View the Access Control and Command Control objects. |
|
Manage Access Control and Command Control Objects |
Configure the resources and credentials in the command control rules. This implies you have read permission to prvcrdvlt module. |
The following permissions can be assigned to the agent management module.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All permissions on Agent Management |
Have permissions to perform all operations. This implies you have “*” permission to Agent management. |
|
View the listed agents and perform administrative actions. |
View the listed agents and perform administrative actions. This implies you have administrator permission to unifi module. |
|
View Host Console |
View the Hosts console. This implies you have console permission to unifi module. |
|
Check agents status using command line utility |
Check agents status using command line utility. |
|
Allow addition of Agents and Domains directly from the command line during registration |
Allow addition of Agents and Domains directly from the command line during registration |
|
Allow creation of Agent records during registration |
Allow creation of Agent records during registration. |
|
Allow creation of Domain records during registration |
Allow creation of Domain records during registration |
The following permissions can be assigned to the auditing module to control access to the Reports console. For a group to manage auditing, the group also needs read permission to the auditing and authentication modules.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on audit reports |
Have permissions to perform all operations. This implies you have “*” permission to audit reports. |
|
View audit sessions and manage settings |
View the Compliance Auditor console. This implies you have console permission to secaudit module. |
|
View Reports Console |
View the Reports console. This implies you have the console permission for audit module. |
|
View audit sessions |
Read the audit database. You must use console along with read. This implies you have read permission for audit module. |
|
Create new audit reports and adjust filter settings in reports |
Read and update the reports defined in the Reports console. This role is only useful when used in conjunction with the report permission. |
|
View command control reports |
Read and update the reports defined in the Reports console. This role is only useful when used in conjunction with the report permission. |
|
View change log reports |
View Account Logon reports. In conjunction you must use console and read permission. This implies you have logon permission for audit module. |
|
View credential checkout reports |
View Credential Checkout Reports. In conjunction you must use console and read permission. This implies you have console permission and read permission for audit module. |
|
View shared key checkout reports |
View Shared Key Checkout Reports. In conjunction you must use console and read permission |
|
View account logon reports in reporting (old UI) |
View Account Logon reports. |
|
View Command Control reports in reporting (Old UI) |
View Command Control reports. |
|
All Permissions on Compliance Auditor Console |
Perform the console, audit, and admin permissions. This implies you have “*” permission to secaudit module. |
|
Add and Modify audit rules in Compliance Auditor |
View and edit records. This implies you have audit permission to secaudit module. |
|
View compliance auditor console |
Add compliance audit rules. |
|
View and Edit Records in Compliance Auditor |
Access the records collected by audit rules with this permission defined in the Modify Audit Rule page. This implies can choose your own name for the permission in the secaudit module. |
The following permissions can be assigned to the compliance auditing module to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read permission to the auditing and authentication modules.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on compliance auditor |
Have permissions to perform all operations. This implies you have “*” permission to audit reports. |
|
Add and modify audit rules in compliance auditor |
Access reports with the report defined permissions. This implies you have report permissions to audit module. |
|
View compliance auditor console |
View the Compliance Auditor console. This implies you have console permission to secaudit module. |
|
View and edit records in compliance auditor |
View and edit records. |
You can use these Audit Report permissions to create the following types of audit managers:
Administrator: To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following permissions for the audit module:
admin
write
read
command
console
Manager: To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following permissions for the audit module:
write
read
command
console
User: To allow the group to read and update a specific report, the group needs to be assigned the following permissions for the audit module:
command
console
report
<report defined read>
<report defined update>
If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report’s filter, its name, and its description.
Each report allows you to specify a read role and an update role. You need to remember those names and manually specify them here. The console does not provide any error checking, so you need to ensure to specify the valid name.
The following permissions can be assigned to the credential vault module in order to control access to the Credential Vault console. Select from the following permissions when you are creating a group to manage the Credential Vault.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on Credential vault |
Have permissions to perform all operations. In conjunction you have to use cmdctrl module with admin permission. Must be used in conjunction with userreqdashboard module and admin role. This implies you have “*” permission to prvcrdvlt module. |
|
View, Add and Modify Resources and Credentials in Credential Vault |
View, add, and modify the domains and credentials in Credential Vault. Must be used in conjunction with userreqdashboard module and admin role. To add, modify, delete scripts user requires module taskmanager in conjunction with the admin role. This implies you have admin permission to prvcrdvlt module. |
|
View Credential Vault Console |
View the Credential Vault console. This implies you have console permission to prvcrdvlt module. |
|
View Resources and Credentials in Credential Vault |
View the resources and credentials in Credential Vault. You must use console role along with read role to view the Credential Vault console and its content. This implies you have read permission to prvcrdvlt module. |
|
Add and Modify Resources and Credentials in Credential Vault |
Add and modify the resources and credentials in Credential Vault. Must be used in conjunction with the prvcrdvlt read role. This implies you have write permission to prvcrdvlt module. |
|
Application SSO Administration |
Add and modify the resources of Application SSO credentials in Credential Vault. |
The following permissions can be assigned to the host module in order to control access to the Package Distribution console. Select from the following permissions when creating a group to manage the packages.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
Restricts Deployment of Packages to Specified Modules |
Restricts deployment of packages to specified modules. This implies you have acl permission to distrib module. |
|
Install or patch the Command Control Agent (admin). |
This implies you have install or patch permission to admin module. |
|
Install or patch the Command Control Agent (appsso). |
This implies you have install or patch permission to appsso module. |
|
Install or patch the Command Control Agent (auth). |
This implies you have install or patch permission to auth module. |
|
Install or patch the Command Control Agent (cmdctrl). |
This implies you have install or patch permission to cmdctrl module. |
|
Install or patch the Command Control Agent (dbaudit). |
This implies you have install or patch permission to dbaudit module. |
|
Install or patch the Command Control Agent (cmdctrl). |
This implies you have install or patch permission to cmdctrl module. |
|
Install or patch the Command Control Agent (ldapagnt). |
This implies you have install or patch permission to ldapagnt module. |
|
Install or patch the Command Control Agent (msgagnt). |
This implies you have install or patch permission to msgagnt module. |
|
Install or patch the Command Control Agent (pkgman). |
This implies you have install or patch permission to pkgman module. |
|
Install or patch the Command Control Agent (prvcrdvlt). |
This implies you have install or patch permission to prvcrdvlt module. |
|
Install or patch the Command Control Agent (radiusagnt). |
This implies you have install or patch permission to radiusagnt module. |
|
Install or patch the Command Control Agent (rdprelay). |
This implies you have install or patch permission to rdprelay module. |
|
Install or patch the Command Control Agent (regclnt). |
This implies you have install or patch permission to regclnt module. |
|
Install or patch the Command Control Agent (registry). |
This implies you have install or patch permission to registry module. |
|
Install or patch the Command Control Agent (resreqagnt). |
This implies you have install or patch permission to regreqagnt module. |
|
Install or patch the Command Control Agent (Command Control) Agent (rexec). |
This implies you have install or patch permission to Command Control Agent rexec module. |
|
Install or patch the Command Control Agent (secaudit). |
This implies you have install or patch permission to secaudit module. |
|
Install or patch the Command Control Agent (sshrelay). |
This implies you have install or patch permission to sshrelay module. |
|
Install or patch the Command Control Agent (strfwd). |
This implies you have install or patch permission to strfwd module. |
|
Install or patch the Command Control Agent (sysinfo). |
This implies you have install or patch permission to sysinfo module. |
|
Install or patch the Command Control Agent (syslogemit). |
This implies you have install or patch permission to syslogemit module. |
|
Install or patch the Command Control Agent (taskmanager). |
This implies you have install or patch permission to taskmanager module. |
|
Install or patch the Command Control Agent (videoprocessor). |
This implies you have install or patch permission to videoprocessor module. |
The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged Account Manager, select the following:
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on Package Manager console |
Have permissions to perform all operations. This implies you have “*” permission to audit reports. |
|
Manager Packages in Package repository |
View the Package Manager console. This implies you have console permission to pkgman module. |
|
View Package Manager Console |
View, add, update, or remove packages. This implies you have admin permission to pkgman module. |
The following permissions can be assigned to the task manager module in order to view and modify scripts.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
View and Modify Scripts for Password Management. |
Used for password management. See, Section 7.3, Password Management. This implies you have permission to taskmanager module |
The following permissions can be assigned to the authentication module in order to control access to the User Manager console. Select from these permissions when you are setting up a group to manage users and groups.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on Framework user manager console |
Have permissions to perform all operations. This implies you have “*” permission to auth module. |
|
Manage Users and Groups in Framework |
Add or delete users and groups, and assign users to groups. This implies you have admin permission to auth module. |
|
View Users and Groups Management console |
View the Users and Groups Management console. This implies you have console permission to auth module. |
|
Modify Attributes of Framework Users and Groups |
Modify account settings. You must use admin role to view the Framework User Manager and its content. This implies you have act_settings permission to auth module. |
|
Add or Remove Permissions in Framework |
Read the auth database. You must use console role along with read role to view the Framework User Manager and its content. This must be used with all other auth permissions. This implies you have read permission to auth module. |
|
View and Modify Super Users and Groups with Super Role in Framework |
Add or remove permissions. You must use console role along with read and admin role to view the Framework User Manager and its content. This implies you have admin permission to auth module. |
|
Modify Account Settings in Framework |
Modify superusers, and view and modify groups with the super role defined. This role should also be able to add or delete users and groups, and assign users to groups. This implies you have super permission to auth module. |
|
View Framework Users and Groups |
View superusers, and view groups with the super role defined. |
|
Generate API Tokens |
Generate API tokens. This implies you have api_token permission to auth module. |
The following permissions can be assigned to control access to the Requests console. Select from the following permissions when you are creating a group to manage the Requests.
|
Descriptive Permissions |
Allows users to |
|---|---|
|
All Permissions on Requests Console |
Have permissions to perform all operations. This implies you have the “*” permission for the userreqdashboard module. You will also require read and write permissions for cmdctrl and prvcrdvlt modules. |
|
View and Update Emergency Access and Credential Checkout requests |
View and update emergency access and credential checkout requests. This implies you have the admin permission for the userreqdashboard module. |
|
View User Access Requests Console |
View the Requests console. This implies you have the console permission for the userreqdashboard module. |