Managing User Roles and Permissions

PAM360 serves as a repository for sensitive accounts and passwords, ensuring preliminary access control through user roles. Access to the PAM360 application is contingent upon possessing a specific role, which dictates the scope of privileged operations a user can perform. This fine-grained access control mechanism safeguards data from unauthorized access directly through the PAM360 interface, facilitated by role-based access control.

User roles within PAM360 delineate the operations permissible for each user. Regardless of the role assigned, managing personal passwords in PAM360 remains exclusive to individual users, subject to administrator-enabled settings, with other users having no authority over them.

At the end of this help document, you will learn about the following topics relevant PAM360 user roles.

1. PAM360 User Roles
2. Creating a Custom Role
3. Role Filter
4. Changing User Roles
5. Frequently Asked Questions

1. PAM360 User Roles

The various user roles in PAM360 dictate the extent of operations a user can undertake:

1. Privileged Administrator: Users with the role have the authority to configure, customize, and oversee the PAM360 application comprehensively. They can configure privacy and security controls, including settings related to IP restrictions and emergency measures. Additionally, they possess visibility into resources and accounts they create or those shared with them by other users, enabling them to conduct all operations pertaining to resources, accounts, and connections. Moreover, they can elevate other administrators to the status of Super Administrators, thereby granting them full management authority over all server resources.
2. Cloud Administrator: The Cloud Administrator role is designed specifically to manage PAM360's Cloud Entitlements feature. Users with this role have privileges similar to Privileged Administrators but are restricted from configuring privacy and security controls. Cloud Administrators can manage the supported cloud accounts, identify and remediate identity risks, and audit identity-related activities within PAM360, ensuring effective and secure management of cloud entitlements.
3. Administrator: Administrators share similar privileges with Privileged Administrators, albeit with the exception of configuring certain privacy and security controls.
4. Password Administrator: This role encompasses individuals in executing all configurations and operations related to accounts and password management. Like administrators, they possess the complete management of resources and accounts created by them or those shared with them by other users, with no access to User Management, Audits, Reports, and Dashboards.
5. Password User: Users with this role can only access accounts shared with them by Administrators, Password Administrators, or Privileged Administrators, as per the permissions granted. They can make modifications to accounts if permitted by the sharing settings.
6. Password Auditor: This role shares privileges with Password Users and additionally grants access to dashboards, audit records, and reports of all resources within PAM360.
7. Connection User: Individuals with this role have similar privileges to Password Users, with the added capability to establish HTTPS gateway connections, RemoteApp connections (for resources associated with RemoteApp), and perform secure file transfers.

The allocation of these roles to the users ensures that access to sensitive data within PAM360 is tightly controlled, minimizing the risk of unauthorized access or misuse.

2. Creating a Custom Role

Apart from the above-predefined roles in PAM360, administrators have the flexibility to create custom roles tailored to their organization's specific requirements. This customization feature empowers administrators to design roles from scratch, selecting from over 100+ available operations within PAM360. To ensure an added layer of security, the creation of custom roles follows a dual-control mechanism, mandating approval from another administrator. Follow these steps to add a new custom role:

1. Navigate to Admin >> Customization >> Roles.
2. Click Add Role in the Roles window. This prompts a new window to appear.
3. Here, provide a Name and Description for the new role as per your organizational needs.
4. Use an Existing Role as Template to base the new role on an existing template, either from PAM360's predefined roles or previously created custom roles. This facilitates to preset the permission levels for the new role.
5. Define the scope for the role under the desired PAM360 modules, such as Password, Users, Organization, etc., and by selecting the operations from the categorized list of available options under each module to meet the enterprise-specific needs. Refer to this document to know more about privileges in detail.


Caution

While creating a custom user role, ensure that you select the operations for the role as required. The operations with the magic wand icon beside is of administrator privilege. Selecting those operations for a custom role consider it in the administrator category and creating the user accounts with this user role might affect your PAM360 license counts.

For example,

1. If you like to create a role for the sole purpose of user administration, such as new user addition in PAM360, edit/delete user profiles, change roles, and transfer resources between users, here are the basic operations that should be selected from the User module:

2. If you like to create a role for a junior technicians who maintains a handful of resources in your organization, a role with the following operations is required:

Follow these steps to edit a custom role:

To edit a custom role, click the Edit icon next to the respective role, make necessary modifications, and click Preview and Save. Verify the modifications once and click Save. The edits undergo an approval process by another administrator before implementation. Edits pending for approval will be shown with the status [Waiting for approval] beside the specific role. In the below image, red denotes operations that have been removed in the edit, and blue denotes operations that have been added to the role.

Follow these steps to delete a custom role:

Click the Delete icon beside the respective role and Delete the custom role. If you have users mapped with the custom role, the dialogue-box which opens prompts to transfer associated users to another role before deletion. Once users are mapped to a new role, click Transfer users and delete role to proceed with the role deletion.

This meticulous approach to role management in PAM360 ensures tailored access control aligned with organizational needs, maintaining security and operational efficiency.

3. Role Filter

The role filter feature enables administrators to streamline role assignment by specifying which roles should be visible under the Role field in the Add User window. To enable role filtering:

1. Go to Admin >> Customization >> Roles >> Role Filter.
2. Enable the Enable Role Filter box.
   
3. Organize and enable/disable roles as needed, ensuring only enabled roles appear during user addition or role changes. Save the configured settings to apply the role filter.
   

4. Changing User Roles

Administrators can efficiently update roles for individual users or multiple users in bulk. To do so,

1. Navigate to Admin >> Customization >> Roles >> Change Roles.
2. Utilize the filter above the table to display users associated with a specific role.
3. To change the role of an individual user, click the Change Role button beside the user and assign the desired role as needed.
4. To change the role for a group of users, select the users requiring role changes and click the Change Role button from the top pane to assign them with the desired role from the available options.