Permissions

Privileged Access Management provides a robust set of permissions that can be granted to users or groups (Principals) in order to control the level of access they have to objects and areas of the software.

Note that permissions in Privileged Access Management are additive, meaning that a higher level of permission includes everything granted by the levels below it, and permissions granted on a folder are inherited by the folders and records it contains.

Below is a list of available permissions and roles in Privileged Access Management.

Global Roles

Global Roles provide system wide access to Privileged Access Management.

  • Auditor

    • The Auditor role grants View Only access to all folders and records in the system, together with access to the Audit Log (record and system), Session History (record and system), Job History (record and system) and the Administration Reports. For additional information, please see What is the Auditor Role.

  • System Administrator

    • The System Administrator role (the highest level available) grants full access to all vaults, folders, records, logs, security, script library, workflows, configuration and reports system wide. A System Administrator can also grant this role to, and revoke it from, other principals, so it should be given only to trusted users.

  • Split View

    • The Split View role grants access to only the first or the last part of a split password when Split View is enabled. Split View is configured in the Parameters section of the Administration page. See What is Split View?

  • Service

    • The Service role marks the account used by a distributed job engine deployment, so that an Administrator can designate specific records to be executed by specific job engine nodes. Read more about Distributed Job Engine Deployments.

  • Blocked

    • The Blocked role removes the user's, or the group members', access to objects in PAM. A blocked user can still log in, but until the Blocked role is removed from the principal they have no access to any objects or settings, whatever other roles or permissions they hold. Remove the Blocked role to restore their access.

  • Automation

    • The Automation role marks accounts used by scripts, so that the rate at which they open new connections can be throttled to protect overall system performance. The limit is set by the global parameter Throttle SSH Proxy Automation Connections; read its description and adjust it as needed.

See also: Grant Global Access and Permissions

Record Control

Record Control provides access to objects (Folders and Records) located in the Records area of System.

  • Viewer
    • The Viewer role grants View Only access to the object.
  • Unlock
    • Viewer plus the ability to Unlock (view) secured fields like Passwords, Secrets and Certificates.
  • Editor
    • Unlock plus the ability to Edit the object as well as its associated Formula and to view its Session History, Video Recordings and Keystroke and Clipboard Events.
  • Manager
    • Editor plus the ability to Create or Delete objects (folders and records). Manager cannot share the object (grant permissions) or modify existing object permissions.
  • Owner
    • Full Control of the object. This includes creating new objects, modifying or deleting existing objects, sharing access (permissions), workflow configuration, Audit Events, History and Session Termination.

Session Control

Session Control governs whether a principal may connect to a Remote Session using a record in System, and what is recorded when they do. Each Connect option combines a video recording setting (Optionally, Always or No recording) with whether session events are recorded (with or without). Note that the Optionally recording options leave the decision to the connecting user; choose an Always recording option wherever a video record of the session must exist.

  • None
    • The principal may not establish a remote session using this record.
  • Connect (Optionally recording without session events)
    • The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.
  • Connect (Always recording without session events)
    • The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.
  • Connect (Optionally recording with session events)
    • The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
  • Connect (Always recording with session events)
    • The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
  • Connect (No Recording with session events)
    • The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will be recorded.
  • Connect (No Recording without session events)
    • The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes including SQL traffic over tunnels, clipboard and file transfer) will not be recorded.

Task Control

Task Control provides access to the Tasks associated with Records in System.

  • None
    • The principal may not execute, review or manage tasks.
  • Execute
    • The principal may execute tasks.
  • Review
    • The principal may execute tasks and review task results.
  • Manage
    • The principal may execute tasks, review task results and view the task list. To also Add/Remove tasks and edit Task Policies, the principal must hold both Record Control: Owner and Task Control: Manage on the object.
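Taken together, the additive and inherited model described at the top of this page, the Global Roles that override it (Blocked, System Administrator, Auditor) and the Record, Session and Task Control levels listed above can be written down as a small permission resolver. The Python below is an added example for this page and is not code from Privileged Access Management or its vendor: the Directory, Node and Grant classes, the sample users, groups and folder tree, and the rule that Blocked takes precedence over every other role a principal holds are assumptions made for the illustration. It computes a user's effective Record Control and Task Control on an object by walking up the object's folder chain and taking the highest level granted to the user or any of their groups, applies the Owner plus Manage requirement for editing task policies, and decodes a Session Control label into what is enforced on the connection.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Ordered ladders: a higher level includes every lower one (additive roles).
RECORD_CONTROL = ["None", "Viewer", "Unlock", "Editor", "Manager", "Owner"]
TASK_CONTROL = ["None", "Execute", "Review", "Manage"]


def highest(ladder: List[str], levels: List[str]) -> str:
    """Return the most permissive level present, or "None" if nothing was granted."""
    return max(levels, key=ladder.index, default="None")


@dataclass
class Grant:
    principal: str              # user or group name (assumed data model)
    record_control: str = "None"
    task_control: str = "None"


@dataclass
class Node:
    """A folder or record; grants on a folder are inherited by everything below it."""
    name: str
    parent: Optional["Node"] = None
    grants: List[Grant] = field(default_factory=list)

    def chain(self):
        node = self
        while node is not None:          # the object itself, then each ancestor folder
            yield node
            node = node.parent


@dataclass
class Directory:
    groups: Dict[str, Set[str]]          # user -> groups the user belongs to
    global_roles: Dict[str, Set[str]]    # principal -> Global Roles held

    def principals(self, user: str) -> Set[str]:
        return {user} | self.groups.get(user, set())

    def roles(self, user: str) -> Set[str]:
        return set().union(*(self.global_roles.get(p, set()) for p in self.principals(user)))


def effective_permissions(d: Directory, user: str, node: Node) -> Dict[str, str]:
    roles = d.roles(user)
    # Assumption: Blocked overrides everything else the principal holds.
    if "Blocked" in roles:
        return {"record_control": "None", "task_control": "None"}
    if "System Administrator" in roles:  # full access to every object
        return {"record_control": "Owner", "task_control": "Manage"}
    mine = d.principals(user)
    record_levels, task_levels = [], []
    for n in node.chain():
        for g in n.grants:
            if g.principal in mine:      # direct grant or grant to one of the user's groups
                record_levels.append(g.record_control)
                task_levels.append(g.task_control)
    if "Auditor" in roles:               # View Only on all folders and records
        record_levels.append("Viewer")
    return {"record_control": highest(RECORD_CONTROL, record_levels),
            "task_control": highest(TASK_CONTROL, task_levels)}


def can_edit_task_policies(perms: Dict[str, str]) -> bool:
    """Add/Remove tasks and edit Task Policies need Record Control: Owner AND Task Control: Manage."""
    return perms["record_control"] == "Owner" and perms["task_control"] == "Manage"


_SESSION_RE = re.compile(
    r"Connect \((Optionally|Always|No) [Rr]ecording (with|without) session events\)")


def session_policy(level: str) -> Dict[str, object]:
    """Decode a Session Control level label into what is enforced on a connection."""
    if level == "None":
        return {"connect": False, "video": "never", "events": False}
    m = _SESSION_RE.fullmatch(level)
    if m is None:
        raise ValueError(f"unknown Session Control level: {level!r}")
    video = {"Optionally": "optional", "Always": "always", "No": "never"}[m.group(1)]
    return {"connect": True, "video": video, "events": m.group(2) == "with"}


def sample_environment():
    """Constructed sample data for the illustration, not taken from any real deployment."""
    vault = Node("Vault")
    prod = Node("Production", parent=vault, grants=[Grant("dba", "Unlock", "Execute")])
    db = Node("prod-db", parent=prod, grants=[Grant("alice", "Viewer", "Review"),
                                              Grant("erin", "Owner", "Manage"),
                                              Grant("bob", "Owner", "Manage")])
    d = Directory(groups={"alice": {"dba"}},
                  global_roles={"bob": {"Blocked"}, "carol": {"Auditor"},
                                "dave": {"System Administrator"}})
    return d, {"vault": vault, "prod": prod, "prod-db": db}


if __name__ == "__main__":
    d, nodes = sample_environment()
    for user in ("alice", "bob", "carol", "dave", "erin"):
        p = effective_permissions(d, user, nodes["prod-db"])
        print(user, p, "task policies:", can_edit_task_policies(p))
    print(session_policy("Connect (Always recording with session events)"))
```

Running the block prints each sample user's effective access on prod-db: alice ends up with Unlock and Review (Viewer granted directly on the record, Unlock inherited from the Production folder through the dba group), bob has nothing despite an Owner grant because he is Blocked, carol sees Viewer everywhere through Auditor, and only erin, who holds both Owner and Manage on the record, may edit its task policies. The example goes slightly beyond the page by combining group membership and folder inheritance in one pass; the rule it applies is the one the page states, the highest level granted wins.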

See also: Grant Object Access and Permissions

See also: Edit Object Access and Permissions