Additional System Permissions

There are a few permissions that are unique to systems. These permissions can be set for individual systems, sets of systems, or globally for all systems.

If you are working with systems, you can set the following additional permissions:

  • Select Manage Session to allow users to watch or terminate active
    sessions on systems.

  • Select Agent Auth to allow users to authenticate and log on to systems
    where the Delinea Client is installed. The Agent Auth permission
    enables users who have an account on the Privileged Access Service to log on
    to a registered Linux or Windows computer. For example, if your organization
    uses Privileged Access Service, you might have a user account defined for each
    employee or for employees in specific roles. You can enable all employees or
    employees in the selected roles to log on to the Admin Portal using their
    Privileged Access Service user account, and to use that same account to log
    on to a registered Linux or Windows computer if they are granted the
    Agent Auth permission on that computer.

  • Select Request Zone Role to allow users to request access to a
    collection of rights for computers in a zone. The Request Zone Role
    permission allows a user to request assignment of a particular Privileged
    Access Service zone role to use the elevated privileges associated with the
    role on the computers in a domain or zone. This permission requires several
    preliminary steps to be completed. For example, you must enable the zone
    role workflow for the domain and configure the list of zone roles that can
    be requested by a user, the system must be joined to a zone, and the
    requesting user must be an Active Directory user. For more details about the
    preliminary steps for using this feature and permission, see Managing zone
    role assignment requests and related topics. For an introduction to rights
    and roles, role assignments that do not use a request and approval workflow,
    and managing privilege elevation for computers in zones, see Welcome to
    Server Suite.

  • Select Add Account to allow a user to add Privileged Access Service
    accounts to a system. If this system permission is not selected, attempting
    to add a new account to a system will fail.

  • Select Unlock Account to give accounts used to access a system
    permission to manually unlock managed local accounts. This permission
    applies only to systems with the correct policies in place for local account
    password reconciliation. See Configuring Windows Local Account
    Reconciliation.