Setting Global Account Permissions
You can use global account permissions to define the specific permissions granted to different users when they use the accounts stored in the Privileged Access Service. The global account permissions apply to all systems, domains, or databases you add by default. You can also override the default permission for individual systems, domains, or databases, as needed.
Most of the activity in the Admin Portal involves managing systems, domains, and databases and the accounts that are specifically used to access them. For example, when you manage user permissions for an account on a particular server, those permissions only apply in the context of that particular account on that specific server.
In some cases, however, you might want to define global account permissions that apply for all systems instead of system-specific permissions. For example, you might want to define a global account permission that allows the admin1@pubs.org user to log on without a password to all target systems you add to the Privileged Access Service, then grant that user the permission to check out an account password only for a specific system and account combination. Similarly, you can grant global account permissions for domains and databases.
The Login and Checkout permissions configured in the global or set account permissions map directly to the Login and Checkout permissions of the account for most account types (for example, local accounts and domain accounts). There are two exceptions:
- For IAM User accounts:
  - Login permission maps to the Use Access Key permission.
  - Checkout permission maps to the Retrieve permission.
- For IAM Role accounts, the Login permission maps to the Assume Role permission.
To Set the Global Account Permissions
- In the Admin Portal, click Settings > Resources > Security > Global Account Permissions.
- Click Add to search for and select users, groups, roles, or computers.
  - Type a search string to search for the users, groups, or roles to which you want to grant global permissions.
  - Select the appropriate users, groups, or roles from the search results.
  - Click Add.
- Select the appropriate global account permissions for each user.
  As an administrator in the System Administrator role, your user account has all permissions by default. You can assign specific global rights to other users to allow them to work with accounts on all managed systems. Note that users must have both the Delete and Checkout permissions to delete accounts, because you must be able to display or copy the password for an account before deleting it. For more detailed information about the permissions available, see Assigning Permissions.
  If any of the permissions are temporary because a request for access has been approved, the Expires column indicates when the permission will expire.
- Click Save to save the global account permissions settings.
Viewing Temporary Permissions for Users
If you have configured a “request and approval” workflow for an account, some users might have temporary Login or Checkout permissions. If a request for login or password checkout has been temporarily approved, the permission will have an expiration date and time. Active sessions can continue past the expiration, but users will not be allowed to log on or check out a password without submitting a new request for access.
Only users who have requested and been granted temporary access by a designated approver display an expiration. The Expires column is blank for users who are explicitly granted a permission outside of the “request and approval” workflow or granted a permanent permission by a designated approver.
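The following is an added illustrative model, not code from the Privileged Access Service or its API, that composes the rules described on this page: global grants apply to every system, domain, or database; a per-resource grant overrides the global one (the assumption here is that it replaces only the permission of the same name); IAM User and IAM Role accounts rename Login and Checkout; a temporary grant from the request-and-approval workflow stops applying once its expiry passes; and Delete is only usable together with Checkout. The user, resource names, and expiry times are constructed sample values.

```python
from datetime import datetime, timezone, timedelta

# Constructed model of the page's rules; not the Privileged Access Service API.
# IAM accounts rename the two permissions that the global settings map onto.
IAM_USER_MAP = {"Login": "Use Access Key", "Checkout": "Retrieve"}
IAM_ROLE_MAP = {"Login": "Assume Role"}


def effective_permissions(user, resource, account_type, global_perms, overrides, now):
    """Return the set of permission names active for user on resource at time `now`.

    global_perms: {user: {permission: expiry_or_None}}, applied to every resource.
    overrides:    {(user, resource): {permission: expiry_or_None}}; assumption:
                  a per-resource entry replaces the global grant of the same name.
    An expiry datetime marks a temporary grant from the request-and-approval flow.
    """
    grants = dict(global_perms.get(user, {}))
    grants.update(overrides.get((user, resource), {}))
    # Drop temporary grants whose expiration has passed; permanent grants have no expiry.
    active = {p for p, exp in grants.items() if exp is None or exp > now}
    if account_type == "iam_user":
        active = {IAM_USER_MAP.get(p, p) for p in active}
    elif account_type == "iam_role":
        active = {IAM_ROLE_MAP.get(p, p) for p in active}
    return active


def can_delete_account(perms):
    """Delete requires Checkout as well, since the password must be displayable first."""
    return {"Delete", "Checkout"} <= perms


# Constructed sample: global passwordless Login (plus Delete) for admin1@pubs.org,
# and a temporary Checkout approved only for the account on db01.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GLOBAL = {"admin1@pubs.org": {"Login": None, "Delete": None}}
OVERRIDES = {("admin1@pubs.org", "db01"): {"Checkout": NOW + timedelta(hours=2)}}


def demo():
    """Evaluate the sample across resources, time, and account types."""
    u = "admin1@pubs.org"
    return {
        "web01_local": effective_permissions(u, "web01", "local", GLOBAL, OVERRIDES, NOW),
        "db01_now": effective_permissions(u, "db01", "local", GLOBAL, OVERRIDES, NOW),
        "db01_later": effective_permissions(u, "db01", "local", GLOBAL, OVERRIDES, NOW + timedelta(days=1)),
        "iam_user": effective_permissions(u, "aws-prod", "iam_user", GLOBAL, OVERRIDES, NOW),
        "iam_role": effective_permissions(u, "aws-role", "iam_role", GLOBAL, OVERRIDES, NOW),
    }
```

Running demo() shows that Delete is usable on db01 only while the temporary Checkout is active, and that the same global Login grant surfaces as Use Access Key or Assume Role on IAM accounts.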