Super Administrator in PAM360

By default, PAM360 comes bundled with six predefined user roles that offer specific set of permission levels:

• Privileged Administrators
• Administrators
• Password Administrators
• Password Auditors
• Password Users
• Connection Users

Super administrator is not a user management role directly provided by PAM360, but it is a privilege elevation that gives the administrator an unrestrained access to all resources in PAM360. You can elevate any administrator to a super administrator and once it done, they will have unconditional, full-privileged access to all resources created and owned by other administrators.

Note: Super administrator privilege can be provided only to users with admin-level roles such as Privileged Administrator, Administrator, Password Administrator, and custom roles with administrator permissions.

1. Steps to promote an administrator to a super administrator

   1.1 While adding or editing an admin user

   1.2 While creating a custom role

2. Use case scenarios for creating a super administrator role

   Case I: To gain access to all resources in PAM360

   Case II: As a precautionary break-glass account

   Case III: To transfer ownership of resource groups in bulk

1. Steps to Promote an Administrator to a Super Administrator

There are two ways to promote an administrator to the super admin role from PAM360's user interface:

1. While adding or editing an admin user
2. While creating a custom role

1.1 While Adding or Editing an Admin User

Follow the below steps to give super administrator privileges to an admin either at the time of adding the user or by editing an existing admin user's attributes.

1. Navigate to the Users tab.
2. Click Add User >> Add Manually or click the User Actions >> Edit Useroption beside an existing user.

3. In the window that opens, ensure that the access level is an Administrator role and choose All passwords in the system as the access scope. Click Save.

Now, this user will be promoted as a super administrator and they will be notified of the same via email. Click for more information on adding users and editing users.

1.2 While Creating a Custom Role

You can create a custom admin role and grant super administrator privileges to it, along with other capabilities of your choice. Follow the below steps to create a custom roles:

1. Navigate to Admin >> Customization >> Roles and click Add Roles.
2. In the Add Role window, click the Enable Super Administrator Privileges checkbox. This option will elevate the admin role to a super admin in PAM360.

3. When this custom role is assigned to a user in the future, edit the user attribute as explained in the previous step, and change access scope to All passwords in the system.

2. Use Case Scenarios for Creating a Super Administrator Role

Case I: To Gain Access to All Resources in PAM360

You can promote a manager at the top of your organizational hierarchy such as the organization's CIO/CEO's active directory (AD) or LDAP account to super admin in PAM360 in case they need access to everything that is stored in the PAM360 database. In this case, it is prudent to have Two-Factor Authentication (TFA) enabled for their PAM360 account. This way, even if their AD account is compromised, it cannot be used to gain access to resources without bypassing the TFA in PAM360.

Case II: As a Precautionary Break Glass Account

We recommend creating a super administrator account as a precautionary measure for emergency situations such as sudden demise of an employee with admin rights, or to carry out security measures in the server when the server admin is on a vacation so that users in your organization do not lose access to their accounts. However, it is crucial that only one super administrator account is created for this purpose and access to it is highly restricted.

You can disable addition of more than one super administrator in PAM360 and then restrict the login access to the existing super admin account. This action can be carried our only by a super admin user. Follow the steps to disable addition of further super admins in PAM360:

1. Create a local administrator account in PAM360.
2. Import your administrator account from active directory or LDAP and promote the local admin account to be the super admin.
3. Login using the super admin account, navigate to Admin >> Authentication >> Super Administrators and click the option Deny Creation of Super Admins by Admins.

4. To restrict the usage of the super admin account, navigate to Admin >> Settings >> General Settings.
5. Click User Management from the left pane and select the option Disable local authentication. This option will disable the local authentication of the super admin account.

Once the local authentication option is disabled, it will no longer be available on the login page and the default admin account cannot be used to login to PAM360. To regain access to this account during an emergency, contact our support team to bring back the local authentication option to the login page and use the default admin account to recover your passwords.

Case III: To Transfer Ownership of Resource Groups in Bulk

In PAM360, users with super administrator privileges can transfer ownership of resource groups in bulk. Refer step 1 to promote an administrator to super administrator. Click here to learn how to transfer resources groups in bulk using super administrator privileges.