Super Administrator role in Password Manager Pro
By default, Password Manager Pro comes bundled with five pre-defined user roles, each offering a specific set of permission levels:
- Privileged Administrators
- Password Administrators
- Password Auditors
- Password Users
In addition to these roles, any administrative user can have their privileges elevated to those of a super administrator in Password Manager Pro (PMP). Super administrator is not a user management role as such; rather, it is a privilege elevation which, if provided, gives the user unrestrained access to all resources in PMP. Please note that only users with admin-level roles such as Privileged Administrator/Administrator/Password Administrator, or those with custom-made administrative roles, can be provided with the super administrator permissions. Once an administrator is made a super administrator, they'll have unconditional, full-privileged access to all resources created and owned by other administrators.
We recommend creating a super administrator role as a dedicated break glass account for emergency situations. For security reasons, it is ideal to create only one super admin role and limit it to the managers at the top of your organizational hierarchy.
Two ways to promote an administrator to the super admin role from PMP's user interface:
- Through the Users tab
- By creating a custom role from Admin >> Customization >> Roles.
1) Through the Users tab:
An existing admin user can be promoted to a super admin role from the Users tab. Here, select the required user and click on User Actions >> Edit User.
In the drop-down menu, change the Access Scope to 'All passwords in the system.' The user is now promoted to super admin and will be notified of this via email.
2) By creating a custom role:
You can create a custom user role and grant super administrator privileges to it, along with other capabilities of your choice. To do this, navigate to Admin >> Customization >> Roles and click on Add Roles. By selecting the 'Enable Super Administrator Privileges' checkbox, you will enable the option to elevate a particular role to super admin in Password Manager Pro. However, when this role is assigned to a user in the future, you would still need to grant them access to all passwords using the Edit User option (as detailed in the previous step) to provide that user with super administrator capabilities.
Two possible scenarios in which the super administrator account may be needed:
- When a top-level manager in the organization needs ultimate access to all assets
- As a precautionary break glass account for emergency scenarios
When a top-level manager in the organization needs ultimate access to all assets:
The Active Directory (AD) or LDAP account of a top-level manager, such as the organization's CIO or CEO, can be promoted to super admin in PMP in case they need access to everything that is stored in the PMP system. In this case, it is prudent to have two-factor authentication (TFA) enabled for this account. This way, even if their AD account is compromised, it cannot be used to gain access to resources without bypassing the TFA in PMP.
As a precautionary break glass account:
We recommend creating a super administrator account as a precautionary measure for emergency situations, such as the sudden demise of an employee with admin rights or the need to carry out security measures on the server while the admin is on vacation, which may lead to your users losing access to their accounts. In such cases, you might need access to all of your resources to restore access to the local accounts. However, it is crucial that only one super administrator account is created for this purpose and that access to it is highly restricted.
PMP lets you disable the addition of more than one super administrator and then restrict login access to the existing super admin account. This setting is available to prevent privilege misuse within the PMP system and can be carried out only by the super admin. To achieve this, create a new admin account in PMP. Once you import your account from Active Directory, you can promote this new admin account to be the super admin. To disable creation of further super admins, log in using the super admin account, navigate to Admin > Authentication > Super Administrators and select the option Deny Creation of Super Admins by Admins.
Now, to restrict the usage of the super admin account, you can disable its local authentication option by navigating to Admin > General Settings > User Management > Disable local authentication.
With local authentication disabled, the default admin account cannot be used to log in to PMP, as the local authentication option will no longer be available on the login page. To regain access to this account during an emergency, contact our support team to bring back the local authentication option to the login page and use the default admin account to recover your passwords.