Object Permissions

Objects (folders, vaults and records) permissions provide access to objects located in the system’s vault and a user’s personal vault.

When granting or sharing permissions to an object, the following roles are available.

Record Control

Record Control provides the selected principal(s) access to the object.

Viewer	The Viewer roles grants View Only access to the object. If you want a principal to see this object in their Record List or search results, they must have at least this role.
Unlock	Viewer plus the ability to Unlock (view) secured fields like Passwords, Secrets and Certificates.
Editor	Unlock plus the ability to Edit the object as well as its associated Formula and to view its Session History, Video Recordings and Session Events.
Manager	Editor plus the ability to Create or Delete objects (folders and records). Manager cannot create (share) or modify object permissions.
Owner	Full Control of the object. This includes creating new objects, modifying or deleting existing objects, sharing access (permissions), Audit Events, History and Session Termination.

Session Control

Session Control provides the selected principal(s) access to connect to Secure Remote Sessions using the record.

None	The principal may not establish a remote session using this record.
Connect (Optionally Recording without Session Events)	The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.
Connect (Always Recording without Session Events)	The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.
Connect (Optionally Recording with Session Events)	The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
Connect (Always Recording with Session Events)	The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
Connect (No Recording with Session Events)	The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
Connect (No Recording without Session Events)	The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.

Task Control

Task Control provides the selected principal(s) access to Tasks associated to the record.

None	The principal may not execute, review or manage tasks or work with them in any manner.
Execute	The principal may execute tasks from the record’s Execute menu.
Review	The principal may execute or review task results in the Job History report.
Manage	The principal may execute or review task results as well as view the task list. To include the ability to Add/Remove tasks and edit Task Policies, the user should be assigned both Record Control: Owner and Task Control: Manage permissions.

Inheritance

Objects use inheritance from their parent container to simplify the management of objects that share or require a common configuration.

For example, all records in the same folder should have the same permissions or workflow bindings applied.

Newly created or pasted records will also inherit this configuration as well.

By default, all records created within the same container will inherit the Password and Workflow Bindings from the parent container.

Any changes that need to be made to these policies must be done on the parent container and will therefore also be applied to all other records that reside in this same container.

NOTE: While inheritance from parent container to child record is the default configuration, you can also break inheritance on a record and make the above configuration(s) unique. Once the settings are unique to a record, they can be updated as required without affecting the container configuration or any other records that continue to inherit from this parent.

Additionally, you can also choose to Inherit from Parent within the record’s configuration page(s) if you wish to return it back to its inherited state with its parent container.