Reference Content — Roles
You can use the reference content as supplemental information to the “How To” content.
Predefined Roles
You use roles to assign applications, permissions, and policies to separate sets of users. Your role must have the Roles Management administrative right to view, add, and modify roles. See Creating Privileged Access Service Administrators for the details.
Privileged Access Service provides the following predefined roles:
-
Everybody: By default, all Privileged Access Service users are assigned to this role. For example, all users that are added to the DelineaDirectory by using bulk import are added to the Everybody. When you add anindividual user, the default setting is to add the account to the Everybody role. To exclude a user from the Everybody role, select the Is Service User option on the user Account page.
It is best practice to assign most users to the Everybody role. However, there are users you may not want to have in the Everybody role; for example, temporary users such as service contractors.
-
Invited Users: This role is created when you use the Invite Users button and select InvitedUsers as the Role.
If you do not use the Invite users button or select the Invited Users role when you invite a user, this role is not created.
-
sysadmin: This role grants full access to all Admin Portal settings. By default, the Delinea Directory account for the user who signed up for Privileged Access Service is a sysadmin role member. You cannot delete or rename the sysadmin role.
Only sysadmin role members can add more users to the sysadmin account.
-
Read only Administrator: This role is automatically created when you enable read-only access for a support technician.
You can delete the Readonly Administrator role after the time period expires.
Creating Privileged Access Service Administrators
You use roles to create Privileged Access Service administrators. Only users in the sysadmin role and users in roles with administrative rights can open the Admin Portal.
To create a Privileged Access Service administrator, you create a role, assign one or more Admin Portal administrative rights, and then add users to the role. The administrative rights let you define roles with separate application, user, device, report, and role management permissions.
For example, you can create a role that limits the administrator to managing applications and application-to-roles assignments only. In this role, the administrators can perform all the functions on the Apps page and read-only access to the Users and Roles pages. Similarly, you can create administrative roles with just device, user, and report management permissions.
System Administrator Role Permissions
The sysadmin role members have access to all Admin Portal tabs and the Delinea Connector Configuration Program settings. They are also the only administrators who can perform the following tasks:
-
Add users to or remove them from the sysadmin role.
-
Modify the Account Customization tab on the Settings page in Admin Portal
-
Modify connector settings in the Delinea Connector tab on the Settings page in Admin Portal.
-
Modify policy sets.
-
Create a Discovery Systems profile.
-
Grant Global Account permissions.
-
Grant Global System permissions.
These rights cannot be assigned to other roles. However, you can add users to the sysadmin role. See Adding Roles.
Discovery jobs run with very high privilege as they update accounts and systems regardless of the access rights associated with the objects. As such, the sysadmin may not want all PAS administrators granted permission for discovery. As such, the sysadmin can create a system discovery profile, and if they choose, explicitly grant rights to view, edit, and run the profile (for example, they can assign all rights to a "PAS Admins" role). Other administrative functions such as Global Account Permissions and Global System Permissions are, similarly, only available to the sysadmin as not all PAS Admins may have rights to assign permissions.
Admin Portal Administrative Rights
The following table describes the administrative rights you can assign to a role. Users cannot log in to the Admin Portal unless they have at least one of the following administrative rights.
If an administrator attempts to perform a task in the Admin Portal for which they do not have the associated administrative right, the Admin Portal displays an error message. In addition, the Admin Portal does not display data if it’s not pertinent to the administrator’s rights. For example, if the administrator has the Application Management right only, that user is not allowed to change policy settings.
Some administrative rights also grant reporting rights, but only for data that the user has been granted rights to read. Additionally, see the administrative right descriptions below.
Administrative right | Description |
---|---|
Add Cloud Providers | If you also have the "Privileged Access Service User" or "Privileged Access Service Power User" right, this permission grants you the ability to add cloud providers (and their respective accounts) to the service. You have the permission to manage any cloud providers that you add. |
Add Databases | If you also have the "Privileged Access Service User" or "Privileged Access Service Power User" right, this permission grants you the ability to add databases (and their respective accounts) to the service. You have the permission to manage any databases that you add. |
Add Domains | If you also have the "Privileged Access Service User" or "Privileged Access Service Power User" right, this permission grants you the ability to add domains (and their respective accounts) to the service. You have the permission to manage any domains that you add. |
Add SSH Keys | If you also have the "Privileged Access Service User" or "Privileged Access Service Power User" right, this permission grants you the ability to add SSH keys to the service. You have the permission to manage any SSH keys that you add. |
Add Systems | If you also have the "Privileged Access Service User" or "Privileged Access Service Power User" right, this permission grants you the ability to add systems (and their respective accounts) to the service. You have the permission to manage any systems that you add. |
Admin Portal Login | Access to the Admin Portal. |
Application Management | Access to any activities that originate on the Apps page, such as the ability to add, modify, or remove applications. From the Application Settings dialog box, this right also grants the ability to change which roles are assigned to a specific application. |
Computer Login and Privilege Elevation | Logging on to Windows, Linux, or UNIX computers where a Cloud Client is installed. This administrative right is only applicable for the computers that are members of an Delinea PAS role with this right. |
Device Management | Permission to unregister or delete mobile devices |
Federation Management | Permission to create, manage, and delete federation partnerships. See How to Set Up Business Partner Federation for information on setting up partner federations. |
MFA Unlock | Suspend multi-factor authentication for 10 minutes. |
MFA Redirect Management | Permission to set MFA redirection for users. |
Privilege Elevation Management | Permission to grant privilege elevation access. |
Privileged Access Service Administrator | If you add this administrative right to a role, members of the role can add new objects—systems, domains, databases, services, or accounts—to the Delinea PAS. Members of a role with this right become the default owner of the objects that they add. If there’s more than one member of the role, each administrator is only the owner of the objects they add by default. Members of a role with this right can perform all administrative tasks on the objects they own. |
Privileged Access Service Power User | If you add this administrative right to a role, members of the role can see all objects you add to the Delinea PAS in the Admin Portal. By default, however, members of a role with this right are not granted the Login, Checkout, or Rotate permissions. The system, domain, database, service, or account owner (or a member of the System Administrator role) must explicitly grant the appropriate permissions. Members of this role cannot add new objects to the Delinea PAS. |
Privileged Access Service User | If you add this administrative right to a role, members of the role can see the objects on which they have been granted View permissions in the Admin Portal. This administrative right is primarily for users who need some administrative access to a selected set of objects. Members of a role with this right are granted the Login, Checkout, and Rotate password permissions. Members of a role with this right can only perform these tasks for the accounts or systems where they have the View permission. Members of this role cannot add new objects to the Delinea PAS. |
Query as a different user | Use this permission to run a query as a different user. |
RADIUS Management | Permission to create, manage, and delete the RADIUS server. See How to Configure Privileged Access Service for RADIUS for information on using the Delinea Connector as a RADIUS server. |
Read Only Resource Management | Provides read-only access to Resources (including secrets), Desktop Apps, Global Account Permissions, and Global System Permissions. |
Read Only System Administrator | Provides read-only access to some of the Admin Portal tabs. For instance, certain Admin Portal tabs are not available, such as Resources, Desktop Apps, Global Account Permissions, and Global System Permissions. If the user attempts to make a change, an error message is displayed when the user attempts to save the change. If you need to have read-only access to Resources (objects), see Read Only Resource Management and Privileged Access Service Power User above. |
Register and Administer connectors | Register a Delinea Connector in your Delinea PAS account. During the connector installation, the wizard prompts you to enter the account of a user that has the Register connector right. This must be a Delinea Directory account. Make sure the account you specify is a member of a role with this permission. |
Report Management | Create, delete, and run reports. |
Role Management | Access to any activities that originate on the Roles page, such as the ability to add, modify, or delete roles; this includes the ability to assign rights. |
System Enrollment | Permission for non-admin users to register Linux and Windows machines. |
User Management | Permission to use the Add User and Bulk User Import buttons to add users and modify Delinea Directory user properties. Additionally, this permission allows users to import and delete OATH tokens. |
See Adding Roles for instructions on how to add administrative rights to a role.