Add or Modify Credential Manager Roles

Credential Manager roles define the privileges that a user has to perform Credential Manager functions.
When selecting available privileges for a role, Credential Manager requires the associated get and list privileges. For example, if you want a user to have addAgent or deleteAgent, you must also add the getAgent privilege.
This topic provides the following information about Credential Manager roles and how to manage them:
Preconfigured Roles
Credential Manager is preconfigured with the following roles:
  • FirecallApprover: This role provides a user with the ability to approve password view requests only. This role is assigned to users with a view type of General User.
  • FirecallAutoConnect: This role is deprecated. Do not use it.
  • FirecallUser: This role provides a user with the ability to view target account passwords only. This role is assigned to users with a view type of General User.
  • ReadOnly: This role allows read-only access to the Credential Manager pages. Users can view information but not make any changes. Users with this role can view target account passwords. This role is distinguished from a General User role, which can view only a limited subset of the Credential Manager pages.
  • RequestorAdmin: This role provides a user with the privilege to access and update only requestor information. Give this role to personnel doing requestor integration for A2A integration. Users with this role cannot add script authorizations and do not have access to any target or user information.
  • ScriptAuthorizationAdmin: This role allows a user to add script authorizations. Give this role to personnel doing requestor integration for A2A integration.
  • ServerAdmin: This role provides the user with access to all Credential Manager administrative functions, except those in the Targets, Applications; Targets, Aliases; A2A; or Groups menus.
  • System Admin: The System Admin is the default role. This role has access to all Credential Manager functionality. Do not modify this role.
  • TargetAdmin: This role allows a user to access and update only target information. Give this role to database administrators that register and manage database accounts using Credential Manager. Users with this role can add and update password policies; however, they cannot delete password policies. Users with this role do not have access to any requestor or user information.
    The TargetAdmin role includes the updateGroup privilege, which an administrator that belongs to a credential group with the TargetAdmin role can exploit to promote their own privileges. For example, say a target administrator belongs to a credential group that has the TargetAdmin role but is limited by a target group (for example, the administrator is only supposed to administer accounts that belong to applications of type Oracle). Because they have the updateGroup privilege, they can edit the target group to expand its scope (say, to cover all target servers with an IP address that contains the digit 1).
    To prevent promotion attacks on target groups, create a custom role based on the TargetAdmin role that does not include any group-related privileges (addGroup, deleteGroup, getGroup, listTargetGroup, updateGroup). Administrators with that role cannot see or manipulate target groups in any way. Alternatively, keep the privileges that allow administrators to see target groups and remove addGroup, deleteGroup, and updateGroup; administrators can then view all target groups but cannot edit them.
  • UserAdmin: This role allows a user to administer Credential Manager Roles and Credential Manager User Groups. This role does not allow access to targets or requestor information, nor to individual User accounts or (regular) User Groups.
  • ViewReports: This role allows a user to run some but not all of the available Credential Manager reports. Additional privileges are required to run the other reports. For information about which reports a user with the ViewReports role can run and which privileges are required to run the other reports, see Credential Manager Report Roles and Privileges.
  • BaseRole: This role is used internally. Do not modify this role.
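A small audit of proposed role definitions against the two rules stated above (the required get privilege for add/delete privileges, and the TargetAdmin group-privilege hardening), as an added example that is not from the Credential Manager documentation. The privilege names are the page's own; TARGET_ADMIN_BASE is a constructed stand-in for the real TargetAdmin privilege set, and REQUIRED_READ holds only the pair the page gives, so extend both from your own instance.

```python
# Added example (not Credential Manager code): audit proposed role definitions
# against the two rules this page states. Privilege names are the page's; the
# TargetAdmin base set is a constructed stand-in, not the product's definition.

# Required read privilege per write privilege. addAgent/deleteAgent -> getAgent is
# the page's own example; extend this map from your instance's privilege list.
REQUIRED_READ = {
    "addAgent": {"getAgent"},
    "deleteAgent": {"getAgent"},
}

GROUP_WRITE = {"addGroup", "deleteGroup", "updateGroup"}
GROUP_READ = {"getGroup", "listTargetGroup"}

# Constructed stand-in for a TargetAdmin-style privilege set (assumption).
TARGET_ADMIN_BASE = {
    "addTargetAccount", "deleteTargetAccount", "getTargetAccount",
    "listTargetAccounts", "updateTargetAccount", "updateTargetAccountPassword",
    "addTargetServer", "deleteTargetServer", "getTargetServer", "searchTargetServer",
    "addPasswordPolicy", "updatePasswordPolicy",
} | GROUP_WRITE | GROUP_READ

def missing_read_privileges(privileges):
    """Read privileges the page's rule requires but the role lacks."""
    privs = set(privileges)
    needed = set()
    for p in privs:
        needed |= REQUIRED_READ.get(p, set())
    return sorted(needed - privs)

def derive_target_admin(base=TARGET_ADMIN_BASE, keep_group_read=False):
    """Custom role per the page: drop all group privileges, or keep only the
    read ones so target groups are visible but cannot be edited."""
    drop = GROUP_WRITE if keep_group_read else GROUP_WRITE | GROUP_READ
    return sorted(set(base) - drop)

def audit_role(name, privileges):
    """Return findings for one role; an empty list means nothing to flag."""
    privs = set(privileges)
    findings = []
    missing = missing_read_privileges(privs)
    if missing:
        findings.append(f"{name}: missing required read privileges {missing}")
    if "updateGroup" in privs and name != "System Admin":
        findings.append(f"{name}: updateGroup lets members widen their own "
                        "target-group scope (see the TargetAdmin note)")
    return findings

if __name__ == "__main__":
    for n, p in [("TargetAdmin", TARGET_ADMIN_BASE),
                 ("proxyOps", ["addAgent", "deleteAgent"]),
                 ("TargetAdminNoGroups", derive_target_admin())]:
        print(n, audit_role(n, p) or "ok")
```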
Only the FirecallUser and System Admin roles include the privileges required to view passwords on the Access screen. For information on how to configure Credential Manager administrative users to view passwords, see Configure Users with the Manage Credentials Privilege to View Passwords on the Access Screen.
Add a Credential Manager Role
Use one of the following methods to add a Credential Manager role:
Add a Credential Manager Role Using the UI
Use the following procedure to add or modify a role in the UI.
Follow these steps:
  1. Select Credentials, Manage Credential Groups, Credential Roles.
    The Credential Manager Roles page appears.
  2. Select ADD.
    The Add Credential Manager Role page appears.
  3. Supply a role Name and Description.
  4. Add or remove privileges using the arrows.
  5. Select OK to save.
Add a Credential Manager Role Using the CLI
Use the following procedure to add a role with the Remote CLI.
Follow these steps:
  1. Add a role. For example:
    capam_command adminUserID=admin capam=mycompany.com cmdName=addRole Role.name=patchMgrRole Role.description="Manages patches" Role.privileges=activatePatch,activatePatchNow,addPatch,deletePatch,deletePatchDetail,getPatchDetail,listPatch,listPatchDetailSummary,updatePatch,updatePatchDetail,updatePatchDetailList
    For a complete list and description of the privileges available for the Role.privileges parameter, see Credential Manager CLI User Interface Actions.
  2. Enter your password at the prompt. Credential Manager returns the following XML command string:
    <CommandResult>
      <cr.itemNumber>0</cr.itemNumber>
      <cr.statusCode>400</cr.statusCode>
      <cr.statusDescription>Success.</cr.statusDescription>
      <cr.result>
        <Role>
          <ID>11</ID>
          <createDate>Tue Apr 08 10:31:28 EDT 2008</createDate>
          <updateDate>Tue Apr 08 10:31:28 EDT 2008</updateDate>
          <createUser>admin</createUser>
          <updateUser>admin</updateUser>
          <hash>SD0la6QKWvtwUPILIy5eznW7I7I=</hash>
          <name>patchMgrRole</name>
          <description>Manages patches</description>
          <privileges>[activatePatch, activatePatchNow, addPatch, deletePatch, deletePatchDetail, getPatchDetail, listPatch, listPatchDetailSummary, updatePatch, updatePatchDetail, updatePatchDetailList]</privileges>
          <readOnly>false</readOnly>
          <hidden>false</hidden>
        </Role>
      </cr.result>
    </CommandResult>
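A check of the CommandResult that addRole returns, as an added example that is not from the Credential Manager documentation: it parses the XML shown above (embedded here as a constructed sample, trimmed to the fields the check uses) and confirms that the server recorded the role with exactly the privileges requested. Because the sample pairs cr.statusCode 400 with "Success.", the success test keys off cr.statusDescription rather than the numeric code.

```python
# Added example (not Credential Manager code): verify the CommandResult that
# addRole returns, using the sample shown on this page as constructed input.
import xml.etree.ElementTree as ET

SAMPLE_RESULT = """<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success.</cr.statusDescription>
  <cr.result>
    <Role>
      <name>patchMgrRole</name>
      <description>Manages patches</description>
      <privileges>[activatePatch, activatePatchNow, addPatch, deletePatch,
        deletePatchDetail, getPatchDetail, listPatch, listPatchDetailSummary,
        updatePatch, updatePatchDetail, updatePatchDetailList]</privileges>
      <readOnly>false</readOnly>
    </Role>
  </cr.result>
</CommandResult>"""

# The Role.privileges value that was passed to addRole (page example).
REQUESTED = ("activatePatch,activatePatchNow,addPatch,deletePatch,deletePatchDetail,"
             "getPatchDetail,listPatch,listPatchDetailSummary,updatePatch,"
             "updatePatchDetail,updatePatchDetailList")

def parse_role_result(xml_text):
    """Extract status and Role fields; <privileges> is a Java-style '[a, b]' list."""
    root = ET.fromstring(xml_text)
    role = root.find("cr.result/Role")
    privs = []
    if role is not None:
        raw = (role.findtext("privileges") or "").strip().strip("[]")
        privs = [p.strip() for p in raw.split(",") if p.strip()]
    return {
        "status_code": int(root.findtext("cr.statusCode", "-1")),
        "status": (root.findtext("cr.statusDescription") or "").strip(),
        "name": role.findtext("name") if role is not None else None,
        "privileges": privs,
        "read_only": role.findtext("readOnly") == "true" if role is not None else None,
    }

def verify_add_role(xml_text, expected_name, requested_privs):
    """List discrepancies between the request and the recorded role; [] means exact."""
    r = parse_role_result(xml_text)
    want = {p.strip() for p in requested_privs.split(",") if p.strip()}
    got = set(r["privileges"])
    problems = []
    # The sample pairs statusCode 400 with "Success.", so key off the description.
    if not r["status"].startswith("Success"):
        problems.append(f"status {r['status_code']}: {r['status']}")
    if r["name"] != expected_name:
        problems.append(f"name mismatch: {r['name']!r}")
    if got - want:
        problems.append(f"unexpected privileges: {sorted(got - want)}")
    if want - got:
        problems.append(f"missing privileges: {sorted(want - got)}")
    return problems
```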
Available Privileges for Roles
Use the following table to determine the privileges you can assign when adding or modifying a Credential Manager role.
If a command is available in the CLI and the UI, the names are similar for each interface. For example, the command activatePatch is named Activate Patch in the UI. To see the complete list of UI privileges, go to Credentials, Manage Credential Groups, Credential Roles. To see the complete list of CLI commands, go to Credential Manager CLI Commands.
Command/Privilege Name | Interface | Description
activatePatch | UI | Sets the active flag for patches.
activatePatchDeployments | UI | Activates selected patches in the system.
addAgent | UI | Adds a Credential Manager Windows Proxy.
addAuthorization | UI, CLI | Adds an authorization mapping.
addFilter | UI, CLI | Adds a filter to a target group or request group.
addGroup | UI, CLI | Adds a target or request group.
addPasswordPolicy | UI, CLI | Adds password policies.
addPasswordViewPolicy | UI, CLI | Adds a password view policy.
addPatch | UI | Loads a Credential Manager client patch into the Credential Manager server.
addRequestScript | UI, CLI | Adds a request application.
addRequestServer | UI, CLI | Adds a request server.
addRequestServerDefaults | UI, CLI | Adds request server defaults.
addRole | UI, CLI | Adds a role.
addScheduleJob | UI, CLI | Schedules a target account update or verify for later execution.
addSite | UI, CLI | Adds a site to a multi-site configuration.
addSSHKeyPairPolicy | CLI | Adds an SSH Key Pair Policy to Privileged Access Manager.
addTargetAccount | UI, CLI | Adds a target account.
addTargetAlias | UI, CLI | Adds a target alias.
addTargetApplication | UI, CLI | Adds target applications.
addTargetServer | UI, CLI | Adds a target server.
addUser | UI, CLI | Adds a user.
addUserGroup | UI, CLI | Adds a user group.
archiveAuditData | CLI | Archives audit data.
archiveMetricData | CLI | Archives metric data.
autoConnectTargetAccount | UI | Allows the user to auto-connect to a target account.
batchSequence | CLI | Provides bulk registration for CLI commands.
canGetCredentials | CLI | Validates that a specified A2A request can retrieve credentials from Credential Manager.
checkConnectionStatus | UI, CLI | Checks the connection status of a client.
checkDelete | CLI (internal only) | Checks whether a target server or request server can be deleted (or was previously deleted).
checkInAccountPassword | UI, CLI | Checks in an account that was previously checked out by a user viewing the password.
deleteAgent | UI | Deletes a Credential Manager Windows Proxy.
deleteAuthorization | UI, CLI | Deletes an authorization mapping.
deleteFilter | UI, CLI | Deletes a filter from a target group or request group.
deleteGroup | UI, CLI | Deletes a target or request group.
deletePasswordPolicy | UI, CLI | Deletes a password policy.
deletePasswordViewPolicy | UI, CLI | Deletes a password view policy.
deletePasswordViewRequest | UI, CLI | Deletes either a specific password view request or all expired password view requests.
deletePatch | UI | Removes a Credential Manager client patch from the Credential Manager server.
deleteRequestScript | UI, CLI | Deletes a request application.
deleteRequestServer | UI, CLI | Deletes a request server (Credential Manager client).
deleteRequestServerDefaults | UI, CLI | Deletes request server defaults.
deleteRole | UI, CLI | Deletes a role.
deleteScheduleJob | UI | Deletes a scheduled job.
deleteSite | UI, CLI | Deletes a site from a multi-site configuration.
deleteSSHKeyPairPolicy | UI, CLI | Deletes an SSH Key Pair policy.
deleteSystemProperty | CLI | Deletes a system property (for example, sets isDeleted = 1).
deleteTargetAccount | UI, CLI | Deletes a target account.
deleteTargetAlias | UI, CLI | Deletes a target alias.
deleteTargetApplication | UI, CLI | Deletes a target application.
deleteTargetServer | UI, CLI | Deletes a target server.
deleteUser | UI, CLI | Deletes a user.
deleteUserGroup | UI, CLI | Deletes a user group.
disableCLIHostNameCheck | CLI | Disables host name verification when authenticating using the CLI.
disableFingerprinting | UI, CLI | Disables the Credential Manager client hardware fingerprinting feature.
enableCLIHostNameCheck | CLI | Forces host name checking when connecting with the CLI.
enableFingerprinting | UI, CLI | Enables the Credential Manager client hardware fingerprinting feature.
enableLicense | UI, CLI | Activates a Credential Manager license.
expirePasswordViewRequest | UI, CLI | Expires a password view request.
forceCheckInAccountPassword | UI, CLI | Checks in an account that is checked out by another user.
generateEncryptedPassword | CLI | Generates an encrypted string from the value that is passed in.
generateReport | UI | Generates Credential Manager reports.
getAgent | UI | Retrieves a Credential Manager Windows Proxy.
getAllScriptHash | UI, CLI | Refreshes the script hash for all the request applications on the specified request server (Credential Manager client).
getAuthorization | UI | Retrieves an authorization mapping.
getAwsManagementConsoleSessionUrl | CLI | Retrieves a URL to an authenticated Amazon Web Services Management Console federation session.
getErrorCodes | CLI | Retrieves the list of Credential Manager server error codes.
getEventProcessingMetrics | CLI | Gets metrics for notification event processing.
getGroup | UI | Retrieves a target group or request group.
getLocalProperty | CLI | Retrieves the property value that matches the property name.
getLogs | UI, CLI | Retrieves a ZIP file containing the logs from a siteServer or requestServer.
getMetric | UI | Retrieves metric data.
getMostRecentPasswordHistory | Internal | Retrieves the most recent password history for a target account.
getMSOLFederatedSessionCmd | CLI | Generates a federated session request for presentation to the MSOL portal. The request is returned as a web form that the browser submits automatically. Submitting the form launches a federated session with MSOL.
getNumberOfAccounts | UI, CLI | Retrieves the number of target accounts that are registered in Credential Manager.
getPasswordHistory | UI | Retrieves the password history for a target account.
getPasswordViewPolicy | UI | Retrieves a single password view policy from the database by ID or name.
getReportData | UI | Retrieves data for a named report.
getRequestServerDefaults | UI, CLI | Gets request server defaults.
getScheduleJob | UI | Gets a scheduled job.
getScript | UI | Retrieves a request application.
getScriptHashAsynchronous | UI, CLI | Refreshes the script hash for a specified request script on a request server (Credential Manager client).
getServiceStatus | CLI | Gets the status of services that are associated with a Windows Domain Service target account. This command assumes that the service information is stored in the extended attribute serviceInfo.
getSite | UI | Retrieves a site.
getSystemProperty | CLI | Retrieves the property value that matches the property name.
getTargetAccount | UI | Retrieves a target account.
getTargetAlias | UI | Retrieves a target alias.
getTargetApplication | UI | Retrieves a target application.
getTargetServer | UI | Retrieves a target server.
getUser | UI | Retrieves a user.
getUserGroup | UI | Retrieves a user group.
listAuthorization | UI | Lists authorization mappings.
listDBClusterMembers | UI, CLI | Lists database cluster members in the system.
listGroups | UI | Lists user groups.
listMetrics | UI | Retrieves metric data.
listPasswordHistory | UI | Lists the password history for target accounts.
listPasswordViewRequestByApproverSummary | UI, CLI | Returns a list of password view requests for an approver.
listPasswordViewRequestByRequestorSummary | UI, CLI | Returns a list of password view requests for a requestor.
listPasswordViewRequestSummary | UI | Returns a list of password view requests.
listPatch | UI | Lists the Credential Manager client patches loaded in the Credential Manager server.
listPatchDeploymentSummary | UI | Lists the patch deployments.
listReports | UI | Lists the available reports.
listRequestScript | UI | Lists request applications.
listRequestServerDefaults | CLI | Lists request server defaults.
listScheduleJob | UI | Lists scheduled password validations and updates.
listTargetAccounts | UI | Lists target accounts.
listTargetAliases | UI | Lists target aliases.
listTargetApplications | UI | Lists target applications.
listUsers | UI | Lists Credential Manager users.
renameUser | CLI | Creates a copy of an existing user with a new name, and deletes the old user.
resetClientCache | CLI | Informs all active clients that their caches of saved passwords should be reset. Contact CA Support before using this command.
resetDBHash | UI, CLI | Resets the database hash for an object.
resetGroupCache | CLI | Resets the group cache for all groups, or for a single group. This command is asynchronous.
searchAgent | CLI | Lists Credential Manager Windows Proxies.
searchAuditLog | UI | Lists audit log records.
searchAuthorization | CLI | Lists authorization mappings.
searchFilter | UI, CLI | Lists filters.
searchGroup | CLI | Lists target groups or request groups.
searchPasswordPolicy | CLI | Lists password composition policies.
searchPasswordViewPolicy | UI, CLI | Lists password view policies in the system.
searchPasswordViewRequest | UI, CLI | Lists the password view requests in the system.
searchPasswordViewRequestByApprover | UI, CLI | Lists the password view requests for a particular approver. The approver is the user executing the command.
searchPasswordViewRequestByRequestor | UI, CLI | Lists the password view requests for a particular requestor. The requestor is the user executing the command.
searchRequestScript | CLI | Lists request applications.
searchRequestServer | UI, CLI | Lists request servers.
searchRole | CLI | Lists roles.
searchServerKey | UI | Lists all the server keys.
searchSite | UI, CLI | Lists sites.
searchSSHKeyPairPolicy | CLI | Lists SSH Key Pair policies.
searchTargetAccount | CLI | Lists target accounts.
searchTargetAlias | CLI | Lists target aliases.
searchTargetApplication | CLI | Lists target applications.
searchTargetServer | UI, CLI | Lists target servers.
searchUser | CLI | Lists users.
searchUserGroup | CLI | Lists user groups.
setInitProperty | CLI | Sets the initialization property (database username and password) for DB2 databases.
setLocalProperty | CLI | Sets the site name in the site-local Credential Manager data store.
setPasswordViewReasons | CLI | Sets the password view reasons text for UI display.
setPasswordViewRequestDeleteInterval | UI, CLI | Sets the Password View Request Delete Interval.
setReportRowLimit | UI, CLI | Sets the maximum number of entries that reports display.
setSystemProperty | CLI | Sets a Credential Manager system property.
showGroup | UI | Retrieves the contents of a requestor or target group.
updateAgent | UI | Changes a Proxy.
updateAuthorization | UI, CLI | Changes an authorization mapping.
updateCompoundServers | UI | Changes a target compound server.
updateDBClusterMembers | UI, CLI | Updates information about a database cluster member.
updateDBPassword | CLI | Changes the Credential Manager datastore administrator password on all databases except DB2.
updateFilter | UI, CLI | Updates a filter in a target group or request group.
updateGroup | UI, CLI | Changes target and request groups.
updatePasswordHistory | UI | Changes a password history item.
updatePasswordPolicy | UI, CLI | Updates password policies.
updatePasswordViewPolicy | UI, CLI | Updates a password view policy.
updatePasswordViewRequestStatus | UI, CLI | Updates the status of a password view request to 'approved' or 'denied'.
updateRequestScript | UI, CLI | Changes a request application.
updateRequestServer | UI, CLI | Changes a request server.
updateRequestServerDefaults | UI, CLI | Updates request server defaults.
updateRequestServerKey | UI, CLI | Changes a request server (Credential Manager client) encryption key.
updateRole | UI, CLI | Changes a role.
updateServerKey | CLI | Changes the Credential Manager server encryption key.
updateSite | UI, CLI | Changes site information.
updateSSHKeyPairPolicy | CLI | Updates an existing SSH Key Pair Policy in Privileged Access Manager.
updateTargetAccount | UI, CLI | Changes a target account.
updateTargetAccountDescriptor | CLI | Changes a target account descriptor value.
updateTargetAccountPassword | UI, CLI | Changes a target account password. Note: To change passwords using the UI, this role also requires the updateTargetAccount permission. The CLI only requires the updateTargetAccountPassword permission to change passwords.
updateTargetAlias | UI, CLI | Changes target aliases.
updateTargetApplication | UI, CLI | Changes target applications.
updateTargetServer | UI, CLI | Changes target servers.
updateUser | UI, CLI | Changes user information.
updateUserGroup | UI, CLI | Changes a user group.
updateUserPassword | CLI | Changes a user password.
updateUserStatus | UI, CLI | Enables or disables a Credential Manager user's access to the system.
verifyAccountPassword | UI, CLI | Verifies a synchronized account password or all synchronized accounts in a target group (optionally excluding verified or non-verified accounts).
verifyDBHash | CLI | Verifies the hash value of most BaseModel objects that are stored in the database.
viewAccountPassword | UI, CLI | Allows the user to view an account password.