Sharing and Permission Levels in PAM360

PAM360 offers a flexible and granular control mechanism for sharing accounts, resources, and resource groups with other users or user groups. When a resource or resource group is shared, all associated accounts within that resource or group are automatically included in the shared access.

To maintain strict control over privileged accounts, administrators can define diverse granular permission levels over accounts, resources, and resource groups, ensuring that users only interact with shared passwords based on their assigned permission level.

By leveraging PAM360’s sharing capabilities, organizations can:

  • Restrict and regulate access to privileged accounts based on the required permission level.
  • Enable users or user groups to access shared resources while maintaining strict control over the privileged accounts.
  • Ensure adherence to organizational policies through permission-based access management at each level.

1. Permission Level for Sharing Privileged Resources

Administrators can customize access permissions for individual users or user groups, aligning with operational requirements. PAM360 provides the following permission levels to manage privileged accounts securely:

Remote App Only: Users or user groups with this permission level can access and use the Remote Apps associated with the accounts or resources.

View Passwords: Users or user groups with this permission level can use the passwords of the shared accounts, resources, or resource groups.

Modify Passwords: Users or user groups with this permission level can view and modify the passwords of the shared accounts, resources, or resource groups. However, this privilege does not allow the users, or the users in the user groups, to change any other attribute of the shared accounts, resources, or resource groups.

Full Access: Users or user groups with this permission level have complete management of the shared accounts, resources, or resource groups. They can even re-share the shared accounts, resources, or resource groups with other users.

Note: The Default Group cannot be granted the Full Access permission.


Notes:

  1. Remote App Only permission can be provided only for individual accounts or resources.
  2. PAM360 supports RemoteApp only for Windows and Windows Domain resources. Only Connection Users and users with the Remote App privilege will be able to access Remote Apps. To know more about user roles and permissions, refer to the user roles and permissions documentation.
  3. Only two permission levels will be available while sharing individual accounts, as the Full Access permission is meant only for resources and resource groups.

2. How Does Precedence Work for Permission Levels?

PAM360 enforces a strict permission hierarchy to ensure that access to privileged accounts remains granular and secure. When permissions are assigned at more than one level (account, resource, or resource group) for the same account, certain rules determine which permission takes precedence. Below are the key principles governing PAM360’s permission hierarchy:

  1. When an account, resource, or resource group is shared with a user or user group at more than one level with differing permission levels, the following rules apply: if the user receives the Full Access permission for an account at any level, Full Access is granted. Otherwise, permission precedence follows the rules outlined below.
  2. Permissions set for an individual account override the permissions set for the resource or resource group the account belongs to. Similarly, permissions set for a resource override the permissions set for the resource group the resource belongs to; the resource-level permission applies to an account only when no permission is set for that account at the account level.

    Note: The above precedence applies only when the account, resource, and resource group are shared with users and user groups at different permission levels.

  3. A user's individual permission level takes precedence over the permissions assigned to any user group they are part of.
    For example, if an account, resource, or resource group is shared with a specific user with Modify permissions, while the same entity is shared with their user group with View permissions, the user will retain the Modify access for that particular account, resource, or resource group.
  4. When the same account, resource, or resource group is shared with multiple user groups, each with different permission levels, and a user is a member of multiple user groups, PAM360 applies a hierarchical permission evaluation to determine the user’s final access level. The permission hierarchy follows this order: Full Access → View → Modify.
    • If any of the user groups receives the Full Access permission, a user who belongs to those groups is assigned Full Access.
    • If none of the user groups receive Full Access permission, PAM360 will check for View permission followed by Modify permission.
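The precedence rules above, as an added illustrative model (this is not PAM360's own code or API). It assumes that the level check (account over resource over resource group) is applied before the user-over-group check, that a user holds at most one direct share per entity, and that Remote App Only ranks last among group shares, none of which the page states explicitly.

```python
# Illustrative model of the PAM360 precedence rules; not PAM360's code.
FULL, VIEW, MODIFY, REMOTE_APP = "Full Access", "View Passwords", "Modify Passwords", "Remote App Only"
LEVELS = ("account", "resource", "resource_group")  # most specific first

# Group-vs-group order stated on the page: Full Access -> View -> Modify.
# Remote App Only is appended last as an assumption; the page does not rank it.
GROUP_ORDER = (FULL, VIEW, MODIFY, REMOTE_APP)


def effective_permission(grants, user, groups, path):
    """Resolve the permission a user ends up with for one account.

    grants: list of (level, entity_id, principal, permission) share records,
            where principal is a user name or a user-group name.
    path:   {"account": ..., "resource": ..., "resource_group": ...} naming the
            entities the account sits in, so each level maps to one entity.
    Returns the effective permission, or None when nothing relevant is shared.
    """
    principals = {user, *groups}
    # Only shares on this account's own entities, to this user or their groups, count.
    relevant = [g for g in grants
                if g[0] in path and g[1] == path[g[0]] and g[2] in principals]
    # Rule 1: Full Access at any level wins outright.
    if any(g[3] == FULL for g in relevant):
        return FULL
    # Rule 2: walk from the most specific level outward; the first level
    # carrying a share decides (account overrides resource overrides group).
    for level in LEVELS:
        at_level = [g for g in relevant if g[0] == level]
        if not at_level:
            continue
        # Rule 3: a direct share to the user beats shares to their groups.
        direct = [g[3] for g in at_level if g[2] == user]
        if direct:
            return direct[0]
        # Rule 4: several groups -> hierarchical evaluation in GROUP_ORDER.
        return min({g[3] for g in at_level}, key=GROUP_ORDER.index)
    return None
```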
