Privileged Account Manager users must be assigned to one or more groups with the appropriate permissions defined before they can access any resources or perform any tasks.
The following predefined user groups and users are already created for the default * user. Not all predefined user groups contain users. The predefined user groups have default permissions. The following default groups implicitly have “*” permissions to the relevant modules:
Access Administrators: Administrators who manage privileged access to resources.
Admin: Global Administrators.
Agent Administrators: Administrators who manage agents.
API Users: Group membership that has the role which gives permission to make API calls using a secret key that the user generates. The key would be used for authentication in place of user ID and password.
Audit Administrators: Auditors who monitor user activities.
Auditors: Auditors who manage user activities.
Compliance Auditors: Auditors who review user activities.
Package Management Administrators: Administrators who manage package repository.
SSO Administrators: Application SSO Administrators.
User and Group Administrators: Administrators who manage local users, groups and their permissions.
User Requests Administrators: Administrators who manage user access requests.
Vault Administrators: Administrators who manage Credential Vaults and password management.
On the home page of the console, click Users > Users & Groups > Create Group > General.
Group Name: Specify the group name. This is a mandatory field.
(Optional) Comment: Add an explanatory text.
(Optional) Group Manager Name: Specify the name of the group manager.
(Optional) Group Manager E-mail ID: Specify the email address of the group manager.
(Optional) Group Manager Contact Number: Specify the contact number of the group manager.
(Optional) Bypass Secondary Authentication This property is inherited from the parent group. Select Bypass Secondary Authentication option if you have enabled secondary authentication for the Administration Console and want to bypass it. See Benefits of Integration with Advanced Authentication for more details.
Click Next.
In the Members page, select the members you want to add in the user group.
Click Next.
In the Sub Groups page, select the sub groups you want to add to the user group.
Click Next.
In the Advanced Settings page, select the permissions based on the assignments from the list.
In the Role(s) field, select the Module and the Role.
Click Next to select the Group Maps.
Click Create.
Modifying a user group allows you to:
Add a comment describing the group
Add users and subgroups to the group
Define administrative permissions for the group
Specify group maps for the group
Modify the advanced setting involving the module level permissions
To modify a Framework user group:
On the home page of the console, click Users > Users & Groups. Select the group from the left pane, click the edit icon. The Edit Group page is displayed.
In the General pane, select the details you want to modify. You cannot modify the Group Name field.
In the Members section, select to add or remove the users you want to be members of this group.
In the Sub Groups section, select the groups you want to be subgroups of the user group.
In the Advanced Settings section, select the Descriptive Permissions you require for this group of users according to the consoles you want them to be able to access and the tasks you want them to be able to perform. You must assign at least one role. See Section 3.1.4, Configuring Permissions for more details.
In the Group Maps section, add the LDAP users and groups.
See Assigning Permissions for LDAP Users for more details.
Click Save.
From Privileged Account Manager 4.0, "roles" and the associated access to modules have been described to improve the new user interface's readability. These "roles" refer to the administrative permissions used while deploying Privileged Account Manager.
NOTE:Every time a new permission is added the user has to log out and log in for the new permission to take effect.
When you create a user group, you must assign at least one permission to the group.
To allow access, you can define one or more permissions according to the tables below:
The following permissions can be assigned to any module if you want to delegate administrative rights.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
Super Administrator |
Have permission to access all modules and permissions. |
|
Administrator |
Have permission to view and modify superusers, and view and modify groups with the super role defined. This role should also be able to add or delete users and groups, and assign users to groups. |
The following permissions can be assigned to the command control module to control access to the Command Control and Access Control console. Select from the following permissions when you are creating a group that you want to manage and test the rules in the command control or access control database.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Access Control and Command Control |
Have permissions to perform all operations. This implies you have “*” permission to Access Control or Command Control console. |
|
View, Modify Objects and Transaction Permissions in Access Control and Command Control |
Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin permissions. This implies you have read permission to auth module. |
|
View Access Control or Command Control Console |
View the Access Control and Command Control console. This implies you have console permission to Access Control and Command Control console as applicable. |
|
View Access Control Objects |
View the Access Control and Command Control objects. |
|
Manage Access Control and Command Control Objects |
Configure the resources and credentials in the command control rules. This implies you have read permission to prvcrdvlt module. |
The following permissions can be assigned to the agent management module.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All permissions on Agent Management |
Have permissions to perform all operations. This implies you have “*” permission to Agent management. |
|
View the listed agents and perform administrative actions. |
View the listed agents and perform administrative actions. This implies you have administrator permission to unifi module. |
|
View Host Console |
View the Hosts console. This implies you have console permission to unifi module. |
|
Check agents status using command line utility |
Check agents status using command line utility. |
|
Allow addition of Agents and Domains directly from the command line during registration |
Allow addition of Agents and Domains directly from the command line during registration |
|
Allow creation of Agent records during registration |
Allow creation of Agent records during registration. |
|
Allow creation of Domain records during registration |
Allow creation of Domain records during registration |
The following permissions can be assigned to the auditing module to control access to the Reports console. For a group to manage auditing, the group also needs read permission to the auditing and authentication modules.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on audit reports |
Have permissions to perform all operations. This implies you have “*” permission to audit reports. |
|
View audit sessions and manage settings |
View the Compliance Auditor console. This implies you have console permission to secaudit module. |
|
View Reports Console |
View the Reports console. This implies you have the console permission for audit module. |
|
View audit sessions |
Read the audit database. You must use console along with read. This implies you have read permission for audit module. |
|
Create new audit reports and adjust filter settings in reports |
Read and update the reports defined in the Reports console. This role is only useful when used in conjunction with the report permission. |
|
View command control reports |
Read and update the reports defined in the Reports console. This role is only useful when used in conjunction with the report permission. |
|
View change log reports |
View Account Logon reports. In conjunction you must use console and read permission. This implies you have logon permission for audit module. |
|
View credential checkout reports |
View Credential Checkout Reports. In conjunction you must use console and read permission. This implies you have console permission and read permission for audit module. |
|
View shared key checkout reports |
View Shared Key Checkout Reports. In conjunction you must use console and read permission |
|
Access reports with the report defined roles |
You can access relevant reports based on the roles. |
|
View account logon reports in reporting (old UI) |
View Account Logon reports. |
|
View Command Control reports in reporting (Old UI) |
View Command Control reports. |
You can use these Audit Report permissions to create the following types of audit managers:
Administrator: To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following permissions for the audit module:
admin
write
read
command
console
Manager: To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following permissions for the audit module:
write
read
command
console
User: To allow the group to read and update a specific report, the group needs to be assigned the following permissions for the audit module:
command
console
report
<report defined read>
<report defined update>
If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report’s filter, its name, and its description.
Each report allows you to specify a read role and an update role. You need to remember those names and manually specify them here. The console does not provide any error checking, so you need to ensure to specify the valid name.
The following permissions can be assigned to the compliance auditing module to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read permission to the auditing and authentication modules.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Compliance Auditor |
Perform the console, audit, and admin permissions. This implies you have “*” permission to secaudit module. |
|
Add and modify audit rules in Compliance Auditor |
View and edit records. This implies you have audit permission to secaudit module. Access reports with the report defined permissions. This implies you have report permissions to audit module. |
|
View Compliance Auditor console |
View the Compliance Auditor console. This implies you have console permission to secaudit module. |
|
View and edit records in Compliance Auditor |
Access the records collected by audit rules with this permission defined in the Modify Audit Rule page. This implies can choose your own name for the permission in the secaudit module. |
The following permissions can be assigned to the credential vault module in order to control access to the Credential Vault console. Select from the following permissions when you are creating a group to manage the Credential Vault.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Credential vault |
Have permissions to perform all operations. In conjunction you have to use cmdctrl module with admin permission. Must be used in conjunction with userreqdashboard module and admin role. This implies you have “*” permission to prvcrdvlt module. |
|
View, Add and Modify Resources and Credentials in Credential Vault |
View, add, and modify the domains and credentials in Credential Vault. Must be used in conjunction with userreqdashboard module and admin role. To add, modify, delete scripts user requires module taskmanager in conjunction with the admin role. This implies you have admin permission to prvcrdvlt module. |
|
View Credential Vault Console |
View the Credential Vault console. This implies you have console permission to prvcrdvlt module. |
|
View Resources and Credentials in Credential Vault |
View the resources and credentials in Credential Vault. You must use console role along with read role to view the Credential Vault console and its content. This implies you have read permission to prvcrdvlt module. |
|
Add and Modify Resources and Credentials in Credential Vault |
Add and modify the resources and credentials in Credential Vault. Must be used in conjunction with the prvcrdvlt read role. This implies you have write permission to prvcrdvlt module. |
|
Application SSO Administration |
Add and modify the resources of Application SSO credentials in Credential Vault. |
The following permissions can be assigned to the host module in order to control access to the Package Distribution console. Select from the following permissions when creating a group to manage the packages.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
Restricts Deployment of Packages to Specified Modules |
Restricts deployment of packages to specified modules. This implies you have permission to distrib module. |
|
Install or patch the Administration Manager (admin) |
This implies you have install or patch permission to admin module. |
|
Install or patch the Application Single Sign-On Manager (appsso) |
This implies you have install or patch permission to appsso module. |
|
Install or patch the Audit Manager (audit) |
This implies you have install or patch permission to audit module. |
|
Install or patch the Authentication Manager (auth) |
This implies you have install or patch permission to auth module. |
|
Install or patch the Access Control (Command Control) Manager (cmdctrl) |
This implies you have install or patch permission to cmdctrl module. |
|
Install or patch the Database Monitoring Manager (dbaudit) |
This implies you have install or patch permission to dbaudit module. |
|
Install or patch the Package Distribution Agent (distrib) |
This implies you have install or patch permission to distrib module. |
|
Install or patch the LDAP Agent (ldapagnt) |
This implies you have install or patch permission to ldapagnt module. |
|
Install or patch the Messaging Component Agent (msgagnt) |
This implies you have install or patch permission to msgagnt module. |
|
Install or patch the Package Manager (pkgman) |
This implies you have install or patch permission to pkgman module. |
|
Install or patch the Privileged Credentials Manager (prvcrdvlt) |
This implies you have install or patch permission to prvcrdvlt module. |
|
Install or patch the RADIUS Agent (radiusagnt) |
This implies you have install or patch permission to radiusagnt module. |
|
Install or patch the RDP Relay Module (rdprelay) |
This implies you have install or patch permission to rdprelay module. |
|
Install or patch the Registry Agent (regclnt) |
This implies you have install or patch permission to regclnt module. |
|
Install or patch the Registry Manager (registry) |
This implies you have install or patch permission to registry module. |
|
Install or patch the Resource Request Agent (resreqagnt) |
This implies you have install or patch permission to resreqagnt module. |
|
Install or patch the Access Control (Command Control) Agent. (rexec) |
This implies you have install or patch permission to rexec module. |
|
Install or patch the Compliance Auditor. (secaudit) |
This implies you have install or patch permission to secaudit module. |
|
Install or patch the SSH Agent. (sshagnt) |
This implies you have install or patch permission to sshagnt Agent module. |
|
Install or patch the SSH Relay Module. (sshrelay) |
This implies you have install or patch permission to sshrelay module. |
|
Install or patch the Store and Forward Agent. (strfwd) |
This implies you have install or patch permission to strfwd module. |
|
Install or patch the System Information Agent. (sysinfo) |
This implies you have install or patch permission to sysinfo module. |
|
Install or patch the Syslog Emitter. (syslogemit) |
This implies you have install or patch permission to syslogemit module. |
|
Install or patch the Password Management Module. (taskmanager) |
This implies you have install or patch permission to taskmanager module. |
|
Install or patch the Video Offload Manager. (videoprocessor) |
This implies you have install or patch permission to videoprocessor module. |
The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged Account Manager, select the following:
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Package Manager console |
Have permissions to perform all operations. This implies you have “*” permission to audit reports. |
|
Manager Packages in Package repository |
View the Package Manager console. This implies you have console permission to pkgman module. |
|
View Package Manager Console |
View, add, update, or remove packages. This implies you have admin permission to pkgman module. |
The following permissions can be assigned to the task manager module in order to view and modify scripts.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
View and Modify Scripts for Password Management. |
Used for password management. See, Section 5.6, Password Management. This implies you have permission to taskmanager module |
The following permissions can be assigned to the authentication module in order to control access to the User Manager console. Select from these permissions when you are setting up a group to manage users and groups.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Framework user manager console |
Have permissions to perform all operations. This implies you have “*” permission to auth module. |
|
Manage Users and Groups in Framework |
Add or delete users and groups, and assign users to groups. This implies you have admin permission to auth module. |
|
View Users and Groups Management console |
View the Users and Groups Management console. This implies you have console permission to auth module. |
|
Modify Attributes of Framework Users and Groups |
Modify account settings. You must use admin role to view the Framework User Manager and its content. This implies you have act_settings permission to auth module. |
|
Add or Remove Permissions in Framework |
Read the auth database. You must use console role along with read role to view the Framework User Manager and its content. This must be used with all other auth permissions. This implies you have read permission to auth module. |
|
View and Modify Super Users and Groups with Super Role in Framework |
Add or remove permissions. You must use console role along with read and admin role to view the Framework User Manager and its content. This implies you have admin permission to auth module. |
|
Modify Account Settings in Framework |
Modify superusers, and view and modify groups with the super role defined. This role should also be able to add or delete users and groups, and assign users to groups. This implies you have super permission to auth module. |
|
View Framework Users and Groups |
View superusers, and view groups with the super role defined. |
|
Generate API Tokens |
Generate API tokens. This implies you have api_token permission to auth module. |
The following permissions can be assigned to control access to the Requests console. Select from the following permissions when you are creating a group to manage the Requests.
|
Descriptive Permissions |
Allows users to... |
|---|---|
|
All Permissions on Requests Console |
Have permissions to perform all operations. This implies you have the “*” permission for the userreqdashboard module. You will also require read and write permissions for cmdctrl and prvcrdvlt modules. |
|
View and Update Emergency Access and Credential Checkout requests |
View and update emergency access and credential checkout requests. This implies you have the admin permission for the userreqdashboard module. |
|
View User Access Requests Console |
View the Requests console. This implies you have the console permission for the userreqdashboard module. |
On the home page of the console, click Users > Users & Groups and select the group you want to delete from the left pane.
Click delete icon.
Click Yes to confirm the deletion.