Auditor Role

What is the Auditor Role in Privileged Access Management and what access does it provide for users?

Beginning with the October 2, 2017 release, Privileged Access Management includes an additional Global Role named “Auditor”.

The Auditor role allows a Compliance Officer or Auditor to review and monitor the Privileged Access Management system and its records without holding direct permissions on each object and without exposing secrets or compromising security.

 


"Auditor" can

A user that has been granted the “Auditor” role:

  • Can View all records and folders. This includes Name, Description as well as any other record fields (except secured fields).
  • Can review Record Properties including Type, Created By and Last Modified By parameters.
  • Can access the Audit Log associated with records as well as the PAM system.
  • Can access the Session History associated with records as well as the PAM system.
  • Can access the Job History associated with records as well as the PAM system.
  • Can access the Formulas, Tasks, Permissions and Workflows of a record or folder.
  • Can access the PAM system Reports.
  • Can access the Scripts, Tokens, Workflows and Command Control configurations throughout the PAM system (view only).

"Auditor" cannot

A user that has been granted the “Auditor” role:

  • Cannot “Unlock” or download secrets, passwords, certificates or any other object associated with a secured field.
  • Cannot Connect, Join or Terminate active sessions.
  • Cannot review a record’s Change History.
  • Cannot execute jobs, scripts or password reset tasks.
  • Cannot Create, Edit or Delete a folder or record.
  • Cannot Create, Edit or Delete a workflow, template, binding or grant approval.
  • Cannot modify Formulas, Tasks, Permissions or Workflows of a record or folder.
  • Cannot reorganize folders or records using the Cut, Copy or Paste commands.

Please note that if a user or group is assigned the Auditor role plus additional permissions to a folder or record, the privileges associated with the folder or record will take precedence over those of the global Auditor role.
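
Because object-level permissions take precedence, an account holding the Auditor role is only read-only where it has no other grants. The following is an added example, not part of the product or its documentation: a review script that lists Auditor users who also receive folder or record permissions, directly or through group membership. The data layout, principal names, paths and permission labels are all constructed for illustration and do not represent an export format of the product.

```python
from collections import defaultdict

# Constructed sample: principals (users or groups) holding the global Auditor role.
AUDITOR_PRINCIPALS = {"alice", "grp-compliance"}

# Constructed sample: group -> members (groups may nest).
GROUP_MEMBERS = {
    "grp-compliance": {"bob", "carol"},
    "grp-dba": {"carol", "dave"},
    "grp-ops": {"grp-dba", "erin"},
}

# Constructed sample: (principal, object path, hypothetical permission label).
OBJECT_GRANTS = [
    ("alice", "/Servers/db01", "Editor"),
    ("grp-ops", "/Servers", "Owner"),
    ("erin", "/Network/fw01", "Viewer"),
]


def expand(principal, groups, _seen=None):
    """Return the set of users a principal resolves to, following nested groups."""
    seen = _seen if _seen is not None else set()
    if principal in seen:          # guard against cyclic group nesting
        return set()
    seen.add(principal)
    if principal not in groups:    # not a group, so treat it as a user
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def auditors_with_object_grants(auditors, groups, grants):
    """Map each Auditor user to the object-level grants that reach them."""
    auditor_users = set()
    for p in auditors:
        auditor_users |= expand(p, groups)
    findings = defaultdict(list)
    for principal, path, permission in grants:
        for user in expand(principal, groups) & auditor_users:
            findings[user].append((path, permission, principal))
    return {u: sorted(v) for u, v in findings.items()}


if __name__ == "__main__":
    print(auditors_with_object_grants(AUDITOR_PRINCIPALS, GROUP_MEMBERS, OBJECT_GRANTS))
```

Each finding records the principal the grant was made to, so a reviewer can see whether the extra permission is direct or inherited from a group.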