Security

Roles Tab

The following Privilege Manager roles are available by default, and members can be added to or removed from these roles. Privilege Manager also allows the creation of new roles if an environment requires additional roles.


Privilege Manager's role logic prevents the removal of a user account that holds an Administrator role if that account is the last member of that Administrator role. Privilege Manager also does not allow users to delete their own account.
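The two safeguards described above (no self-deletion, and no removal of the last holder of an Administrator role) are a general RBAC invariant worth checking in any console that manages its own roles. The following is an added illustration of that invariant, not Privilege Manager's own code; the `RoleDirectory` class, its method names and the in-memory role table are assumptions made for the example. It also includes an audit helper that flags Administrator roles with a single member, which is the state in which the safeguard becomes the only thing standing between an operator mistake and a locked-out console.

```python
"""Role-membership safeguards: refuse self-deletion and refuse to strand an
Administrator role without members. Added example; not Privilege Manager code."""

# The Administrator roles listed on the Roles tab (names taken from the page).
ADMIN_ROLES = {
    "Privilege Manager Administrators",
    "Privilege Manager macOS Administrators",
    "Privilege Manager Unix/Linux Administrators",
    "Privilege Manager Windows Administrators",
}


class RoleError(Exception):
    """Raised when a membership change would violate a safeguard."""


class RoleDirectory:
    """Hypothetical in-memory role table: role name -> set of account names."""

    def __init__(self, memberships):
        # Copy every set so callers cannot mutate the table behind our back.
        self.members = {role: set(users) for role, users in memberships.items()}

    def roles_of(self, user):
        """All roles the given account currently belongs to."""
        return {role for role, users in self.members.items() if user in users}

    def single_holder_admin_roles(self):
        """Audit check: Administrator roles that currently have exactly one member."""
        return sorted(
            role for role in ADMIN_ROLES if len(self.members.get(role, ())) == 1
        )

    def _would_strand_admin_role(self, user, role):
        """True if `user` is the only member of an Administrator role."""
        return role in ADMIN_ROLES and self.members.get(role) == {user}

    def remove_member(self, role, user):
        """Remove one account from one role, unless that empties an Administrator role."""
        if user not in self.members.get(role, set()):
            raise RoleError(f"{user} is not a member of {role}")
        if self._would_strand_admin_role(user, role):
            raise RoleError(f"{user} is the last member of {role}; refusing removal")
        self.members[role].discard(user)

    def delete_account(self, actor, user):
        """Delete an account entirely. `actor` is the signed-in user making the request."""
        if actor == user:
            raise RoleError("a user cannot delete their own account")
        stranded = [r for r in self.roles_of(user) if self._would_strand_admin_role(user, r)]
        if stranded:
            raise RoleError(
                f"{user} is the last member of {', '.join(sorted(stranded))}; refusing deletion"
            )
        for role in self.roles_of(user):
            self.members[role].discard(user)


if __name__ == "__main__":
    # Constructed sample membership table for the demonstration.
    directory = RoleDirectory({
        "Privilege Manager Administrators": {"alice", "bob"},
        "Privilege Manager Windows Administrators": {"bob"},
        "Privilege Manager Users": {"carol"},
    })
    print("single-holder admin roles:", directory.single_holder_admin_roles())
    for actor, target in [("alice", "bob"), ("alice", "alice"), ("alice", "carol")]:
        try:
            directory.delete_account(actor, target)
            print(f"{actor} deleted {target}")
        except RoleError as exc:
            print(f"refused: {exc}")
```

Running the audit helper periodically (or alerting when it returns a non-empty list) is the practical complement to the built-in safeguard: the safeguard stops the last administrator from being removed, while the audit tells you when you are one departure away from depending on it.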

Privilege Manager manages the roles of users accessing the console, unless Privilege Manager is connected to Secret Server. When connected to Secret Server, role membership is controlled by Secret Server.

Also refer to the following topic: User Credentials and Roles.

All these roles are considered application role permissions.

Privilege Manager Administrators

This role allows the Privilege Manager Administrator to have full administrative access to the Privilege Manager Server Console.

Privilege Manager Field Engineering

This role is reserved for future use.

Privilege Manager Helpdesk Users

This role allows the user to approve or deny escalation requests. The helpdesk role can also disclose passwords.

Privilege Manager macOS Administrators

This role allows the Privilege Manager macOS Administrator to have full administrative access to the Privilege Manager Server Console to administer local security and application control items pertaining to macOS systems. This role can view but not edit Unix/Linux and Windows policies.

Privilege Manager Unix/Linux Administrators

This role allows the Privilege Manager Unix/Linux Administrator to have full administrative access to the Privilege Manager Server Console to administer local security and application control items pertaining to Unix/Linux-based endpoints. This role can view but not edit macOS and Windows policies.

Privilege Manager Users

This role grants read access to most items, but no rights to modify security permissions. This role can disclose passwords.

Privilege Manager View Password Role

This role allows the user to have view access to passwords for managed users in Privilege Manager. They can view the current passwords and password change history.

Privilege Manager Windows Administrators

This role allows the Privilege Manager Administrator to have full administrative access to the Privilege Manager Server Console to administer local security and application control items pertaining to Windows systems. This role can view but not edit macOS and Unix/Linux policies.

Creating a Role

  1. On the top of the Roles page, click Create.

  2. Enter a Role account name and click Create.

    Although spaces are not allowed in the role account name, spaces and special characters can be used in the display name after the role is created.

  3. The new Role page opens, where you can edit the Display Name and Description. The Account Name is displayed but is read-only.

    Only the display name and description can be changed once the role is created; the account name cannot.

  4. Add users, or any other resource, to the role: click Add.

  5. In the Select Resources dialog, identify the users and groups to add to the role. Enter a name or partial name, or leave the field empty to find all, then click Search.

  6. The available users and groups are displayed. Enable the check boxes for the resources to add and click Select. Confirm your selections and click Save Changes when prompted.

    The selected resources appear in the Membership portion of the page.

Editing, Deleting, and Exporting a Role

Select an existing role on the Roles page. The Role details page displays, where you can:

  • Edit Basic Details.

  • Click x to remove a user/resource or click Add to reselect resources.

  • Select Delete at the More pull-down to delete the role.

  • Select Export at the More pull-down to download a ZIP file of the role and its child items.


Security Configuration Tab

On the Configuration tab, Privilege Manager Admins specify the Resource Security setting. The Resource Security selection controls who can view data associated with specific computers.


  • The Default option allows all Administrators, Users, and Helpdesk Users of Privilege Manager to have access.
  • The Secured Computer Groups option allows for easier customization of which Roles have access to specific computers.
  • The Active Directory Domains option allows customization of which Roles have access to associated AD Domain resources.
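To make the difference between the three Resource Security options concrete, the following added example evaluates which computers a user may view under each option. It is an illustration written for this page, not Privilege Manager's implementation: the `Computer` record, the `visible_computers` function, the mode strings and the role-to-scope mapping are all assumptions, and under the Default option it models only the three roles the page names as having access.

```python
"""Evaluate computer visibility under the three Resource Security options.
Added example; the data model and function names are assumptions."""

from dataclasses import dataclass

# Roles the page says have access under the Default option (assumption: only these).
DEFAULT_ACCESS_ROLES = {
    "Privilege Manager Administrators",
    "Privilege Manager Users",
    "Privilege Manager Helpdesk Users",
}

MODES = ("default", "secured_groups", "ad_domains")


@dataclass(frozen=True)
class Computer:
    """A managed computer: its Secured Computer Group memberships and its AD domain."""
    name: str
    groups: frozenset  # names of Secured Computer Groups this computer belongs to
    domain: str        # Active Directory domain the computer is joined to


def visible_computers(user_roles, computers, mode, role_scopes=None):
    """Return the names of computers whose data a user holding `user_roles` may view.

    mode:        one of MODES.
    role_scopes: role name -> set of group names (secured_groups mode) or
                 domain names (ad_domains mode) that the role has been granted.
                 A role with no entry is granted nothing in those modes.
    """
    if mode not in MODES:
        raise ValueError(f"unknown Resource Security mode: {mode!r}")
    user_roles = set(user_roles)
    role_scopes = role_scopes or {}

    if mode == "default":
        # Everyone in an access-granting role sees every computer.
        if user_roles & DEFAULT_ACCESS_ROLES:
            return {c.name for c in computers}
        return set()

    # Union of everything the user's roles have been scoped to.
    allowed = set()
    for role in user_roles:
        allowed |= set(role_scopes.get(role, ()))

    if mode == "secured_groups":
        return {c.name for c in computers if c.groups & allowed}
    return {c.name for c in computers if c.domain in allowed}  # ad_domains


if __name__ == "__main__":
    # Constructed sample inventory and scoping for the demonstration.
    inventory = [
        Computer("ws1", frozenset({"finance"}), "corp.example"),
        Computer("srv1", frozenset({"dc"}), "corp.example"),
        Computer("mac1", frozenset(), "lab.example"),
    ]
    helpdesk = {"Privilege Manager Helpdesk Users"}
    group_scopes = {"Privilege Manager Helpdesk Users": {"finance"}}
    domain_scopes = {"Privilege Manager Helpdesk Users": {"corp.example"}}
    print("default:       ", sorted(visible_computers(helpdesk, inventory, "default")))
    print("secured_groups:", sorted(visible_computers(helpdesk, inventory, "secured_groups", group_scopes)))
    print("ad_domains:    ", sorted(visible_computers(helpdesk, inventory, "ad_domains", domain_scopes)))
```

The point the example makes is the one behind the three options: Default is the broadest setting, and moving to Secured Computer Groups or Active Directory Domains narrows a role's view to only the computers it has explicitly been scoped to, so a helpdesk role scoped to one group no longer sees the domain controllers.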