User Management

As PMP serves as a repository for sensitive passwords, fine-grained access restrictions are critical for the secure usage of the product. PMP provides role-based access control to achieve this.

 

In practical applications, information stored in PMP will have to be shared among multiple users. By default, PMP comes with four pre-defined roles:

 

 

 

 

Roles: Administrator, Password Administrator, Password User, Password Auditor

Operations: Manage Users, Manage Resources, Manage Passwords, View Passwords, Managing Personal Passwords, View Audit & Reports

Irrespective of the role, the personal passwords remain exclusive to the individual user and other users have no control over them.

 

You can create as many users as you desire and define an appropriate role for each user. This section explains how to create users and assign roles to them.

Adding New Users

Note: User Addition can be done only by the Administrators.

From the Users tab, administrators can

New users can be added in four ways

 

By default, PMP stores all user data in the MySQL database and performs authentication using database lookups. When you integrate AD/LDAP as the authentication system, AD or LDAP replaces the default authentication of PMP to authenticate a user's identity. At any point in time, only one mode of authentication can be employed in PMP.

Denying Super-Administrator Creation by Administrators

Super-Administrators in PMP get the privilege to view all the passwords stored in the system. Organizations generally wish to keep the super-administrator role as a break-glass account for emergency access to passwords. At present, any administrator can change the role of another administrator (but not their own) to super-administrator.

 

PMP now provides the option to prevent administrators from creating super-administrators. Any super-administrator can enable this from Admin >> Super Administrator >> Deny Administrators from Creating Super Administrators.

The Best Practice Approach

If your organization requires super-administrator only as a break-glass account, the following would be the best practice approach:

 

 

The Implications


© 2014, ZOHO Corp. All Rights Reserved.