Managing User Roles and Permissions
PAM360 serves as a repository for sensitive passwords, so fine-grained access restrictions are critical for protecting your data. PAM360 provides role-based access control to achieve this.
At the end of this document, you will have learned the following:
- Predefined Roles
- Custom Roles
- List of Operations that Require an Administrator License
- Frequently Asked Questions
1. Predefined Roles
By default, PAM360 has six predefined roles, each with a specific set of permissions:
- Privileged Administrators have the same privileges as an administrator. In addition, they also have the privilege to configure privacy and security controls available under Privacy Settings, IP Restrictions, and Emergency Measures.
- Administrators set up, configure, and manage the PAM360 application. Users with this role can manage all user, resource and password-related operations, as well as access audit records and reports. However, they can view only those resources and passwords that were created by them and the ones shared with them by other users.
- Password Administrators can perform resource and password-related operations. However, they can view only those resources and passwords that were created by them and the ones shared with them by other users.
- Password Auditors have the same privileges as Password Users. In addition, they have access to audit records and reports.
- Password Users can only view passwords that are shared with them by the Administrators and/or Password Administrators. In addition, users with this role can modify passwords shared with them, if the share permission gives them that privilege.
- Connection Users have the same privileges as Password Users. In addition, they can take remote connections, perform file transfers, and access Remote Apps when a resource associated with certain Remote Apps is shared to them by the administrators. Click here to learn in detail about Remote Apps.
Note: An Administrator, Password Administrator, or Privileged Administrator can be made a Super Administrator. A super administrator has the privilege to view and manage all the resources stored in PAM360, irrespective of which user added the resource. For security reasons, a user can be made a super administrator only by other PAM360 administrators. For steps on how to create a super administrator role, click here.
2. Custom Roles
In addition to the predefined roles in PAM360, an administrator can also create custom roles for your users. The role customization option allows you to create a new role from scratch by selecting the desired options from the list of 100+ operations available in PAM360. As an additional security measure, dual control is enforced for custom role creation: any new custom role added by one administrator has to be approved by another administrator.
2.1 Steps to Add Custom Roles
To add a new 'custom' role, follow the steps given below:
- Go to Admin >> Customization >> Roles.
- In the Roles window, click Add Role. A new window will open up. In it, enter a name for the new role you want to create as well as a description, based on your need.
- Next, define the scope of the role, i.e. what this role can and cannot do in PAM360, by selecting the desired options from the list of available operations. These operations are categorized under different sections such as Password, Users, Organization, and more (as shown in the column on the left side of the interface).
Choose the operations the role needs. For a better understanding, here are two custom role examples and the list of operations that should be selected for each:
1. A role for resource addition and password reset: This role is a perfect fit for a junior technician who maintains a handful of resources in your organization. With this role, the technicians can add resources/accounts from their end, modify or delete owned resources, reset passwords, and connect to the resource via PAM360. Basic operations to be selected for this type of role include the following:
- Password
  - Resource
    - View Resources tab
    - Add manually
    - Edit
    - Delete
    - Report
  - Account
    - View Accounts under resources tab
    - Add manually
    - Edit
    - Delete
    - Move
  - Password Reset
    - Password Verify for an account
    - Local password reset
    - Remote password reset
- Remote Access
  - Remote Access
    - Show Connections tab
    - Remote Connection to Machines
    - Manage Auto Logon Helper
  - File Transfer
    - Upload Files
    - Download Files
    - Transfer Files
  - RemoteApp
    - RemoteApp AutoLogon
    - Manage RemoteApp
    - Configure Connection Settings
- Custom Settings
  - Custom Settings
    - Export passwords
    - Allow users to manage their personal passwords
2. User management role: If you would like to create a role for the sole purpose of user administration, such as adding new users in PAM360, editing/deleting user profiles, changing roles, and transferring resources between users, here are the basic operations that should be selected from the list:
- Users
  - Manage web users
    - Add users manually
    - Import from AD
    - Import from LDAP
    - Import from Azure AD
    - Import from file
    - Edit
    - Delete
    - Manage API Users
    - Change user roles
    - Transfer resources owned by a user
    - User Report
  - User authentication protocols
    - Manage Active Directory
    - Manage Azure AD
    - Manage RADIUS Authentication
    - Manage Two-factor Authentication
    - Manage LDAP
    - Manage SAML Single Sign-on
    - Manage Smart Card Authentication
    - Reset Two Factor Authentication
    - Manage Browser Extension/Mobile Access for Users
    - Manage Remote Connect for Users
  - User groups
Apart from the above examples, you can customize any role according to your enterprise needs with the appropriate choice of operations.
Optional step: If you do not want to create a new role from scratch, you can select any of PAM360's predefined roles, or a custom role created earlier, as a starting template for the new role under the option Use an Existing Role as Template. Once you select a role as the template from the drop-down, the permission levels preset for that role are applied to the new role.
2.2 Steps to Enable Role Filter
The role filter option allows you to choose which roles are displayed under the Access Level field in the Add User window. Using the role filter, you can restrict the roles that can be assigned to newly added users or to users whose roles are being changed.
Following are the steps to Enable Role Filter:
- Go to Admin >> Customization >> Roles >> Role Filter. Check the Enable role filter box.
- Now, decide which roles should be enabled or disabled and sort them into the respective boxes. Only the roles in the Enabled box will be displayed during new user addition or role changes. Once you are done, click Save. The role filter will be applied.
2.3 Steps to Change Roles for Users
You can change the roles assigned to different users in bulk by following the steps given below:
- Go to Admin >> Customization >> Roles >> Change Roles.
- In the new window that opens, if you would like to first view the list of all users belonging to a specific role, use the filter above the table to choose the role. The users associated with that role will be displayed. Select the users whose role has to be changed.
- Now, choose the role which should be assigned for the selected users and click Change Role.
2.4 Steps to Edit / Delete Custom Roles
- To edit/modify any custom role, click the Edit icon beside the particular role and carry out the necessary changes. Then, click Preview and Save. Verify the edits and click Save. Edits are also queued for approval from another administrator before they are applied to the role. Edits pending approval for a role can be viewed by clicking the [Waiting for approval] option available beside the specific role. In the image below, red denotes operations that have been removed and blue denotes operations that have been added to the role.
- To delete a role, click the Delete icon. Before deletion, you will be prompted to transfer the users associated with the particular role to another role. After mapping the users to another role, click Save and Delete.
3. List of Operations that Require an Administrator License
Role Category: Password
- Resource
- Account
  - Discover
  - Customize
  - Password reset
- Resource group
  - Add
  - Delete
  - Transfer
  - Edit
  - Generate reports
- Access Control
  - Configure
  - Approve password access requests
- Share Passwords
  - Share accounts (with users and user groups)
  - Share resources (with users and user groups)
  - Share resource groups (with users and user groups)
Role Category: Users
- Users
  - Manage web users
  - Manage API users
  - Change user roles
  - Transfer resources owned by a user
  - Transfer access control privileges
  - Generate reports
- User authentication protocols
  - Manage Active Directory
  - Manage Azure AD
  - Manage RADIUS authentication
  - Manage two-factor authentication
  - Manage LDAP
  - Manage SAML single sign-on
  - Manage Smart Card authentication
  - Manage browser extension/mobile access for users
- User groups
  - Add
  - Modify an existing group
  - Delete
  - Manage user group settings
  - Generate reports
All operations specified under this category require an administrator license.
Role Category: Remote access
- Remote access
  - Remote session
    - Configure session recording
    - Join active sessions
    - Terminate active sessions
- Database backup
- Failover service
- Proxy settings
- SSL settings (Server settings)
- High availability
- Mail server settings
- Event logging settings
- PAM360 server settings (Change tab preference, rebrand, log level, general settings)
- Manage email templates
- Manage password reset listener
- Password Management API
- Manage ticketing system integration
- Manage schedules
- View support information
- Manage settings for offline access
- Manage password policies
- Manage resource types
- Manage landing server
- Manage license
- Create custom roles
- Download PAM360 agents
4. Frequently Asked Questions
1. Some operations are marked with a magic wand icon. What does that mean?
Operations followed by a magic wand are those that qualify as Administrator operations. A custom role that contains even one of these wand-marked operations is treated as equivalent to an Administrator role. You can create as many custom roles with wand-marked operations as you like, but a role counts towards your license only when it is assigned to a user in PAM360. For instance, if your license allows 10 administrators and you have a custom role with one or more wand-marked operations, assigning this role to a user consumes 1 of the 10 administrator licenses allotted to your PAM360 installation.
2. Who can create custom roles in PAM360?
Creating custom roles is an administrative operation. Among PAM360's predefined roles, only Administrators, Privileged Administrators, and the Super Administrator (if you have created one) have the privilege to create custom roles. Apart from that, you can also authorize a custom role to create future custom roles by selecting the "Create Custom Roles" option under Custom Settings (refer to the image below).
Also, if you would like this new role to be eligible for Super Administrator, check the box Enable Super Admin capabilities for this role. Enabling this option allows users who are assigned this role to be made a super administrator at the time of user creation.
After completing all the steps explained above, click Preview and Save. A preview box will open, listing the operations you have chosen for the role. Verify and click Save. The new role will be created and queued for approval from another administrator. To view roles that are pending approval, click on Role Requests.
Once the role is reviewed and approved, you can begin assigning it to desired users. To learn how to add new users and assign roles for them, click here.
3. I'm unable to delete a custom role. Why?
There are two cases when a role cannot be deleted right away:
- Consider that you want to delete a user-type role. You have 5 users associated with this role, who must be transferred to another role before deletion. The role you choose for the transfer can be either a user-type role or an administrator-type role, as long as you have enough administrator licenses. However, if you have zero administrator licenses left, you will not be able to transfer the users from a user-type role to an administrator-type role. Also, if you have no existing user-type role to transfer the associated users to, PAM360 will not allow you to delete the selected role. In such cases, you either have to create a new user-type custom role or buy additional licenses.
- The other scenario involves Role Filters. Say you have switched on the role filter settings and disabled all the existing user-type roles under the filter. Now, when you try to delete a user-type role, the filter allows you to transfer the associated users only to an administrator-type role. However, if you have zero administrator licenses remaining, you cannot complete the transfer or delete the role. In such cases, you either have to enable at least one user-type role under the role filter settings or buy additional licenses.
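To make the interplay of these rules concrete, the following Python model (an added example, not PAM360's own code or API) simulates the behaviour described in sections 2.1, 2.2, 2.4 and in FAQs 1 and 3: dual-control approval of custom roles, the "one wand-marked operation makes the role an administrator role" rule, licenses being consumed only on assignment, and the transfer constraints that block a role deletion when the role filter hides every user-type role. The `ADMIN_OPERATIONS` set is a constructed subset of the wand-marked operations listed in section 3, and all role, user and administrator names are constructed for the walkthrough.

```python
from dataclasses import dataclass, field

# Constructed subset of the wand-marked (administrator) operations from section 3.
ADMIN_OPERATIONS = {
    "Manage web users", "Change user roles", "Manage Active Directory",
    "Create custom roles", "Manage license", "Configure session recording",
}


@dataclass
class Role:
    name: str
    operations: set
    approved: bool = False
    requested_by: str = ""

    def is_admin_equivalent(self) -> bool:
        # FAQ 1: a single wand-marked operation makes the role count as an administrator role.
        return bool(self.operations & ADMIN_OPERATIONS)


@dataclass
class RoleModel:
    admin_licenses: int
    roles: dict = field(default_factory=dict)        # role name -> Role
    assignments: dict = field(default_factory=dict)  # user -> role name
    role_filter_enabled: bool = False
    enabled_roles: set = field(default_factory=set)  # roles in the filter's Enabled box

    def add_predefined(self, name, operations=()):
        self.roles[name] = Role(name, set(operations), approved=True)

    def request_custom_role(self, admin, name, operations):
        # Section 2: a new custom role is queued; the requester is recorded for dual control.
        self.roles[name] = Role(name, set(operations), approved=False, requested_by=admin)

    def approve_custom_role(self, admin, name):
        role = self.roles[name]
        if admin == role.requested_by:
            raise PermissionError("dual control: a different administrator must approve")
        role.approved = True

    def licenses_in_use(self) -> int:
        # FAQ 1: admin-equivalent roles consume a license only once assigned to a user.
        return sum(1 for r in self.assignments.values() if self.roles[r].is_admin_equivalent())

    def assignable_roles(self) -> set:
        # Section 2.2: the role filter restricts which approved roles can be assigned.
        names = {n for n, r in self.roles.items() if r.approved}
        return names & self.enabled_roles if self.role_filter_enabled else names

    def assign(self, user, role_name):
        if role_name not in self.assignable_roles():
            raise ValueError(f"{role_name} is not approved or is hidden by the role filter")
        current = self.assignments.get(user)
        holds_license = current is not None and self.roles[current].is_admin_equivalent()
        if (self.roles[role_name].is_admin_equivalent() and not holds_license
                and self.licenses_in_use() >= self.admin_licenses):
            raise RuntimeError("no administrator licenses left")
        self.assignments[user] = role_name

    def delete_role(self, name, transfer_to):
        # Section 2.4 / FAQ 3: users on the deleted role must move to another assignable role.
        if transfer_to == name or transfer_to not in self.assignable_roles():
            raise ValueError("transfer target must be another assignable role")
        affected = [u for u, r in self.assignments.items() if r == name]
        needs_licenses = (self.roles[transfer_to].is_admin_equivalent()
                          and not self.roles[name].is_admin_equivalent())
        if affected and needs_licenses and self.licenses_in_use() + len(affected) > self.admin_licenses:
            raise RuntimeError("not enough administrator licenses to transfer the users")
        for user in affected:
            self.assignments[user] = transfer_to
        del self.roles[name]


def run_scenario() -> dict:
    """Walks through the page's rules with constructed names and returns the outcomes."""
    out, m = {}, RoleModel(admin_licenses=1)
    m.add_predefined("Password User")
    m.request_custom_role("alice", "Helpdesk", {"Add manually", "Local password reset"})
    m.request_custom_role("alice", "User Admin", {"Manage web users", "Change user roles"})
    try:
        m.approve_custom_role("alice", "Helpdesk")      # requester approving her own role
        out["self_approval"] = "allowed"
    except PermissionError:
        out["self_approval"] = "rejected"
    m.approve_custom_role("bob", "Helpdesk")
    m.approve_custom_role("bob", "User Admin")
    out["helpdesk_is_admin"] = m.roles["Helpdesk"].is_admin_equivalent()
    out["useradmin_is_admin"] = m.roles["User Admin"].is_admin_equivalent()
    out["licenses_before_assign"] = m.licenses_in_use()
    m.assign("carol", "User Admin")
    out["licenses_after_assign"] = m.licenses_in_use()
    try:
        m.assign("dave", "User Admin")                   # second admin on a 1-license install
        out["second_admin"] = "allowed"
    except RuntimeError:
        out["second_admin"] = "rejected"
    m.assign("erin", "Helpdesk")
    m.assign("frank", "Helpdesk")
    m.role_filter_enabled, m.enabled_roles = True, {"User Admin"}   # FAQ 3, second case
    try:
        m.delete_role("Helpdesk", transfer_to="User Admin")
        out["delete_with_filter"] = "allowed"
    except RuntimeError:
        out["delete_with_filter"] = "rejected"
    m.enabled_roles.add("Password User")                 # re-enable a user-type role
    m.delete_role("Helpdesk", transfer_to="Password User")
    out["remaining_roles"] = sorted(m.roles)
    out["erin_role"] = m.assignments["erin"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the self-approval rejected, the second administrator assignment rejected once the single license is consumed, the deletion rejected while the role filter leaves only an administrator-type role as a transfer target, and the deletion succeeding after a user-type role is re-enabled in the filter.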