Difference between Container Types

Privileged Access Management provides containers to make the organization, sharing and management of many records easier.

For example, all managed records, endpoints or accounts that are specific to your IT department can be saved in a container named IT Dept.

Or, if you are an MSP or MSSP managing multiple customers, you can save and secure each customer's records in a container named for that customer.

These containers can be created in the form of either a Folder or a Vault.


[Image: PAM containers, Folders vs Vaults]


While both Folder and Vault containers provide a similar look, they do offer distinct uses as this article will describe.

Please read through the list of differences to help determine if your needs better fit with the use of a Folder, a Vault or a combination of both in PAM.

  • Vaults can only be created in the PAM root folder. You may create a (sub-)Folder in a Vault, but you cannot create a Vault within a Folder.
  • Vaults cannot be created inside containers.

  • Vaults can only be created and deleted by System Administrators.
  • Vaults have a different color and icon compared to Folders so they can be more easily identifiable.
  • Vaults are created with unique permissions. When a new Vault is created, it will include the permissions assigned to PAM Root Folder at the time of creation, but it will not be set to Inherit modifications made to these permissions.
  • Vaults and Folders can be used as Proximity Group Selectors: both options are available now, whereas previously this was limited to Vaults only. Proximity Groups allow remote session managers to be deployed to isolated networks, so records within these Vaults and Folders have their traffic routed to the specified network without opening standard ports that could then be found and used by threats.
    [Image: Proximity Groups]

  • Cross-vault shadow account usage is not allowed. This means if you have a task running on a record in Vault A, this task will fail when configured with a Shadow Account record from Vault B.

  • Cross-vault dynamic credentials search usage is not allowed. This means that if a user's dynamic credentials resolve to a record in another vault, the user will fail to Connect, with the audit log message Failure to activate dynamic credential to find a record from the same vault using criteria: CRITERIA.

  • You can disable this blocker by adding the following line to your $PAM_HOME/web/conf/catalina.properties file and then restarting the PAM management service:

    xtam.shadow.crossvault.disable=true
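
Because this property removes the cross-vault isolation described above, the change is worth making in a repeatable, auditable way rather than by hand. The following is an added example, not part of the PAM documentation or product: a small POSIX shell helper that sets a key in a Java-style .properties file idempotently (rewriting an existing entry instead of appending a duplicate) and reads it back so the result can be verified. The $PAM_HOME path and the property name come from the article; the helper names set_property and get_property are this example's own, and the restart of the PAM management service is left to the operator, since the article does not give the service's name.

```shell
#!/bin/sh
# Added example (not PAM's own tooling): idempotent edit of a .properties file.

# set_property FILE KEY VALUE
# Rewrites KEY=... in place if KEY already exists, otherwise appends it, so
# running this repeatedly never leaves duplicate (and conflicting) entries.
set_property() {
    file="$1"; key="$2"; value="$3"
    # Escape the dots in the key so they match literally in grep/sed patterns.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    [ -f "$file" ] || : > "$file"
    if grep -q "^${pat}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${pat}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY
# Prints the current value of KEY (empty output if the key is absent).
get_property() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^${pat}=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Usage against the live file from the article. Runs only when PAM_HOME is set;
# restart the PAM management service afterwards, as the article describes.
if [ -n "${PAM_HOME:-}" ]; then
    set_property "$PAM_HOME/web/conf/catalina.properties" \
        xtam.shadow.crossvault.disable true
    echo "xtam.shadow.crossvault.disable is now: $(get_property \
        "$PAM_HOME/web/conf/catalina.properties" xtam.shadow.crossvault.disable)"
fi
```

Reverting is the same call with the value false (or deleting the line), followed by the same service restart; either way the file keeps exactly one entry for the key, which is what you want when the change is later reviewed.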