Common Permissions
The Grant, View, Edit, and Delete permissions are the most commonly available permissions for different types of objects. All of the common permissions are supported for sets of objects as well as systems, domains, databases, and their associated accounts.
Only Grant, Edit, and Delete permissions are supported for services and multiplexed accounts.
Only Grant and View are available for applications.
Grant
Select Grant to allow users to grant any permissions to other users for applications, systems, domains, databases, services, or accounts. By default, members of the System Administrator role have Grant permissions for all objects. In addition, users who add objects to the Privileged Access Service have the Grant permission on the objects they add.
Users who are assigned the Grant permission on a set, however, can only assign permissions they have on the members of the set. For example:
- If you have the Grant permission on a set that includes two computers, you can only grant other users the Manage Session permission if you have the Manage Session permission on both computers in the set.
- If you only have the Checkout permission on the members of the set, you cannot grant other users permissions such as Login or Update Password.
- If you only have the View permission on members of an applications set, you cannot grant other members the Run permission.
View
Select View to allow users to view applications, systems, domains, databases, secrets, services, or accounts. A user, group, or role must be assigned the View permission to take any kind of action.
If you store text strings or files as secrets, however, the View permission also allows users to view stored text or download stored documents.
Edit
Select Edit to allow users to edit information for systems, domains, databases, secrets, services, or accounts.
- The specific information available to be edited depends on whether you have selected a system, domain, database, secret, service, account, or set of objects. For example, you must have the Edit permission to select the Manage this credential option or to update any optional description.
- If you store text strings or files as secrets, however, the Edit permission also allows users to edit stored text or replace stored documents.
Delete
Select Delete to allow users to delete systems, domains, databases, services, or accounts.
You should note, however, that assigning the Delete permission is not always sufficient to enable users to delete objects. For example, deleting a system from the Privileged Access Service requires you to first delete all of the accounts that have been stored for that system. A user with the Delete permission on a system but not on the accounts for the system would be prevented from deleting the system until someone with the Delete permission for the accounts removed all of the accounts stored for the system.
Users who have the Delete permission for accounts must also have the Checkout permission, because before deleting an account you must display or copy the password so that the account does not become unusable.
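The two paragraphs above describe an ordering constraint (accounts before the system) and a prerequisite pairing (Delete plus Checkout on each account). As an added example, not code from the Privileged Access Service, the block below evaluates both against a constructed inventory and constructed per-user permissions, and reports exactly what blocks a system deletion; the system, account and user names are invented.

```python
from typing import Dict, List, Set, Tuple

# Constructed inventory: each system maps to the accounts stored for it.
SYSTEMS: Dict[str, List[str]] = {
    "db-host": ["db-host/root", "db-host/backup"],
    "empty-host": [],
}

# Constructed effective permissions per user and object.
PERMS: Dict[str, Dict[str, Set[str]]] = {
    # carol: Delete on the system, but not on every stored account
    "carol": {
        "db-host": {"Delete", "View"},
        "db-host/root": {"Delete", "Checkout", "View"},
        "db-host/backup": {"View"},
    },
    # dave: Delete on everything, but Checkout missing on one account
    "dave": {
        "db-host": {"Delete", "View"},
        "db-host/root": {"Delete", "View"},
        "db-host/backup": {"Delete", "Checkout", "View"},
    },
    "erin": {"empty-host": {"Delete", "View"}},
}


def has(user: str, obj: str, perm: str) -> bool:
    return perm in PERMS.get(user, {}).get(obj, set())


def account_delete_blockers(user: str, account: str) -> List[Tuple[str, str]]:
    """Permissions `user` still needs on `account` before it can be deleted.

    Delete alone is not enough: the password must be displayed or copied first,
    which requires Checkout.
    """
    return [(account, perm) for perm in ("Delete", "Checkout") if not has(user, account, perm)]


def system_delete_blockers(user: str, system: str,
                           inventory: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Everything standing between `user` and deleting `system`, as (object, permission) pairs.

    Every account stored for the system must be removed first, so a missing
    permission on any of those accounts blocks the system deletion as well.
    """
    blockers: List[Tuple[str, str]] = []
    if not has(user, system, "Delete"):
        blockers.append((system, "Delete"))
    for account in inventory.get(system, []):
        blockers.extend(account_delete_blockers(user, account))
    return blockers


def deletion_order(system: str, inventory: Dict[str, List[str]]) -> List[str]:
    """The order in which objects must be removed: stored accounts first, then the system."""
    return list(inventory.get(system, [])) + [system]


if __name__ == "__main__":
    for user in ("carol", "dave"):
        print(user, "blocked by:", system_delete_blockers(user, "db-host", SYSTEMS))
    print("erin blocked by:", system_delete_blockers("erin", "empty-host", SYSTEMS))
    print("order for db-host:", deletion_order("db-host", SYSTEMS))
```

In the constructed data, carol holds Delete on the system but not on `db-host/backup`, so the deletion stalls until someone with Delete and Checkout on that account removes it; dave holds Delete everywhere yet is still blocked because `db-host/root` lacks Checkout. Reporting blockers per object rather than as a single yes/no is what makes the check useful when reviewing why a cleanup is stuck.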