Sharing Records or Containers
When two or more users need access to a record or folder in Privileged Access Management (PAM), the Owner of this object must share access to it, meaning its permissions must be modified.
When the permissions are modified and shared with a user (or group), then the Owner also needs to specify which level of control this user (or group) should have on the object.
Before we show you how to share, let’s review the basic Permission model in PAM.
Sharing and Permissions consists of a few key concepts; Users or Groups (Principals), Record Control, Session Control, Task Control, Inheritance and Global Roles.
For an up-to-date list of permissions, please review Privileged Access Management Permissions.
- Users or Groups (Principals): These may be local users or groups, or Active Directory users or groups.
- Record Control These are the defined set of permissions that will be granted to the user or group. This includes but is not limited to view, edit and delete operations on this object.
- Session Control: If the record contains a host connection, then this will determine if the users or group can establish a secure session to this host.
- Task Control: If the record contains a task, then this will determine if the user or group can execute, review or manage these tasks.
- Inheritance: Inheritance is used throughout PAM to more quickly establish a parent/child relationship between objects. If a parent object has a specific set of permissions and a child inherits from it, then that child object will have identical permissions. If a child has unique permissions (not inherited), then the parent and child may have a different set of permissions associated to them. This concept is important when determining how you want to structure your sharing and permission model for Records and Folders.
- Global Roles: These are the user or group of users that will be granted limited or full system wide access to PAM.
To Share or Grant Permissions a Record or Folder
To Unshare or Revoke Permissions to a Record or Folder
