Super Administrator Role in PAM360
By default, PAM360 comes bundled with six pre-defined user roles, each offering a specific set of permission levels:
- Privileged Administrators
- Password Administrators
- Password Auditors
- Password Users
- Connection Users
Super administrator is not a user management role provided directly by PAM360; it is a privilege elevation that gives an administrator unrestricted access to all resources in PAM360. You can elevate any administrator to a super administrator, and once this is done, they will have unconditional, full-privileged access to all resources created and owned by other administrators.
Note: Super administrator privilege can be provided only to users with admin-level roles such as Privileged Administrator, Administrator, Password Administrator, and custom roles with administrator permissions.
- Steps to promote an administrator to a super administrator
- Use case scenarios for creating a super administrator role
1. Steps to Promote an Administrator to a Super Administrator
1.1 While Adding or Editing an Admin User
Follow the steps below to grant super administrator privileges to an admin, either at the time of adding the user or by editing an existing admin user's attributes.
- Navigate to the Users tab.
- Click Add User >> Add Manually or click the User Actions >> Edit User option beside an existing user.
- In the window that opens, ensure that the access level is an Administrator role and choose All passwords in the system as the access scope. Click Save.
1.2 While Creating a Custom Role
You can create a custom admin role and grant super administrator privileges to it, along with other capabilities of your choice. Follow the steps below to create a custom role:
- Navigate to Admin >> Customization >> Roles and click Add Roles.
- In the Add Role window, click the Enable Super Administrator Privileges checkbox. This option will elevate the user role to a super admin in PAM360.
- When this custom role is later assigned to a user, edit the user's attributes as explained in the previous section and change the access scope to All passwords in the system.
2. Use Case Scenarios for Creating a Super Administrator Role
You can promote a manager at the top of your organizational hierarchy, such as the Active Directory (AD) or LDAP account of the organization's CIO or CEO, to super admin in PAM360 if they need access to everything stored in the PAM360 database. In this case, it is prudent to have Two-Factor Authentication (TFA) enabled for their PAM360 account. This way, even if their AD account is compromised, it cannot be used to gain access to resources without bypassing the TFA in PAM360.
Case II: As a Precautionary Break Glass Account
We recommend creating a super administrator account as a precautionary measure for emergency situations, such as the sudden demise of an employee with admin rights, or to carry out security measures on the server when the server admin is on vacation, so that users in your organization do not lose access to their accounts. However, it is crucial that only one super administrator account is created for this purpose and that access to it is highly restricted.
You can disable the addition of more than one super administrator in PAM360 and then restrict login access to the existing super admin account. This action can be carried out only by a super admin user. Follow the steps below to disable the addition of further super admins in PAM360:
- Create a local administrator account in PAM360.
- Import your administrator account from Active Directory or LDAP and promote the local admin account to be the super admin.
- Log in using the super admin account, navigate to Admin >> Authentication >> Super Administrators and click the option Deny Creation of Super Admins by Admins.
- To restrict the usage of the super admin account, navigate to Admin >> Settings >> General Settings.
- Click User Management from the left pane and select the option Disable local authentication.
This option disables local authentication for the super admin account.
Once local authentication is disabled, it will no longer be available on the login page, and the default admin account cannot be used to log in to PAM360. To regain access to this account during an emergency, contact our support team to restore the local authentication option on the login page, then use the default admin account to recover your passwords.