Global Roles

Global Roles provide system wide access using various level of roles, as described below.

Auditor

The Auditor role grants a limited View Only role to all containers and records in the system.

It grants access to the Audit Log (record and system), Session History (record and system), Job History (record and system) as well as Administration Reports and read only configuration.

Auditors cannot modify the system or records nor can they unlock, execute or connect to any privileged systems or secrets.

System Administrator

The System Administrator role (the highest level available) grants full access to all vaults, folders, records, logs, security, script library, workflows, configuration and reports system wide.

It can be used to grant and revoke other principals to this System Administrator role and therefore it should only be given to trusted users.

Split View

The Split View role grants access to only the first or last part of a split password when the Split View Role is enabled.

The Split View Role is configured in the Parameters section of the Administration page.

Read more about the Split View feature in our article.

Service

The Service account is used for a distributed job engine deployment so an Administrator can designate certain records to be executed by specific job engine nodes.

Read more about Distributed Job Engine Deployments for additional information about this role.

Blocked

The Blocked role is used to block the user or group members’ access to objects in PAM. The blocked user can still login to PAM, but until they are unblocked, they will have no access to any objects or settings. Remove the Blocked role from the principal to restore their access.

Automation

The Automation account is used to throttle the rate of new connections for scripts to control overall system performance. For additional configuration, read the description and adjust the global parameter Throttle SSH Proxy Automation Connections as needed.