Identify User Roles and Privileges

PAM provides a preconfigured set of user roles. You can also configure your own roles from a set of available user privileges.
Predefined Roles
A predefined set of 21 roles is provided with the product. View these roles by selecting Users, Manage Roles. This set has the privileges that are required to perform various common activities.
Roles are assigned to Users and User Groups during their creation and editing. See Provisioning Users for more information.
Administrative Auditor
Allow users read-only access to administrative pages (services, users, devices, policies).
Privileges: servicesRead, usersRead, userGroupRead, socketFilterAgentRead, devicesRead, deviceGroupRead, policyRead, socketFiltersRead, commandFiltersRead, rolesRead

Auditor
Allow users to view PAM logging, session recording, and reporting data. Auditors have read-only access to Global Settings to inspect settings that have an impact on log data.
Privileges: overviewRead, loggingAll, sessionRecordingRead, globalSettingsRead

Autodiscovery
Allow users to use the autodiscovery feature to find network devices.
Privileges: autodiscovery

AWS API Proxy User
Allow the user to log in, select the access page, and remotely access the AWS API Proxy.
Privileges: accessAll, awsApiProxy, manageAll

CA TAP API User
All the privileges that are needed for CA Threat Analytics to use the external API.
Privileges: accessAll, BAPApiManage, devicesRead, usersRead, sessionManage

Configuration Manager
Allow users to set "Global Settings" and access all "Configuration" tabs.
Privileges: globalSettingsRead, globalSettingsManage, configurationManage

Delegated Administrator
A combined user role that grants users the ability to perform all User, Device, and Policy Manager tasks.
Privileges: usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage

Device and Device Group Manager
Allow users to read, create, update, and delete all types of devices.
Privileges: socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate

Global Administrator
Allow access to, and configuration of, all Privileged Access Manager functionality.
Privileges: accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, configurationManage, rolesRead, autodiscovery, credentialsManage

Global Setter
Allow users to set "Global Settings".
Privileges: globalSettingsRead, globalSettingsManage

Management Console API User
Allow users access to the CA Management Console API (internal use only).
Privileges: managementConsole

Monitor
Allow users to monitor devices.
Privileges: monitorAll

Operational Administrator
Allow access to all PAM administrative functionality, without configuration management.
Privileges: accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, rolesRead, autodiscovery, credentialsManage

Password Manager
Allow users to configure Password Management.
Privileges: credentialsManage

Policy Manager
Allow users to read, create, update, and delete all policies, socket and command filters, and agents.
Privileges: socketFilterAgentRead, socketFilterAgentDelete, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage

Service Manager
Allow users to read, create, update, and delete services.
Privileges: servicesRead, servicesManage, servicesDelete

Session Manager
Allow users to view and terminate PAM logins and remote access.
Privileges: sessionRead, sessionManage

Standard User
Allow users to access and manage remote devices.
Privileges: accessAll, manageAll

Troubleshooter
Allow users to access the "Configuration, Tools" page.
Privileges: toolsAll

Target Connector Validator
Enables users to view and use the Target Connector Framework validator. The validator examines UI definitions from a JSON file, which renders pages for custom target connectors.
Privilege: validateTargetConnectorUI

User and User Group Manager
Allow users to read, create, update, and delete all types of users.
Privileges: usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval

VMware NSX API Proxy User
Allow the user to log in, select the access page, and remotely access the VMware NSX API Proxy.
Privileges: accessAll, manageAll, nsxApiProxy
Privilege Definitions
In addition to the set of predefined roles, administrators can also create custom roles. A role is constructed by selecting from a list of Privileges, described in the following table.
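Because a role is nothing more than a set of privilege names, and a user's effective rights are the union of all roles assigned to that user and the user's groups, the composition rules can be checked offline before a custom role is created in the product. The following is an added example, not code from the product or its documentation: it loads a subset of the predefined roles listed above as Python sets and provides three checks, the effective privileges of a role assignment, the difference between two roles, and a least-privilege audit of a proposed custom role against a predefined baseline. The role and privilege names are the ones on this page; the function names and the HIGH_IMPACT grouping are this example's own assumptions.

```python
# Added example, not CA PAM product code: models PAM roles as sets of
# privilege names so that effective privileges, role composition and
# least-privilege drift in custom roles can be checked offline.
# Role and privilege names are those documented on this page; function
# names and the HIGH_IMPACT grouping are the example's own assumptions.
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Privileges of the Operational Administrator role, copied from the page.
_OPERATIONAL_ADMIN = (
    "accessAll", "manageAll", "monitorAll", "sessionRead", "sessionManage",
    "overviewRead", "toolsAll", "loggingAll", "sessionRecordingRead",
    "globalSettingsRead", "globalSettingsManage", "servicesRead",
    "servicesManage", "servicesDelete", "usersRead", "usersManage",
    "usersDelete", "usersAssign", "userGroupRead", "userGroupUpdate",
    "cacUserApproval", "socketFilterAgentRead", "socketFilterAgentDelete",
    "devicesRead", "devicesManage", "devicesDelete", "devicesAssign",
    "deviceGroupRead", "deviceGroupUpdate", "policyRead", "policyManage",
    "socketFiltersRead", "socketFiltersManage", "commandFiltersRead",
    "commandFiltersManage", "policyImport", "policyExport", "rolesRead",
    "autodiscovery", "credentialsManage",
)

# A subset of the predefined roles (constructed mapping; privilege lists
# copied from the documentation).
PREDEFINED_ROLES: Dict[str, FrozenSet[str]] = {
    "Standard User": frozenset({"accessAll", "manageAll"}),
    "Session Manager": frozenset({"sessionRead", "sessionManage"}),
    "User and User Group Manager": frozenset({
        "usersRead", "usersManage", "usersDelete", "usersAssign",
        "userGroupRead", "userGroupUpdate", "cacUserApproval"}),
    "Device and Device Group Manager": frozenset({
        "socketFilterAgentRead", "socketFilterAgentDelete", "devicesRead",
        "devicesManage", "devicesDelete", "devicesAssign", "deviceGroupRead",
        "deviceGroupUpdate"}),
    "Policy Manager": frozenset({
        "socketFilterAgentRead", "socketFilterAgentDelete", "policyRead",
        "policyManage", "socketFiltersRead", "socketFiltersManage",
        "commandFiltersRead", "commandFiltersManage"}),
    "Delegated Administrator": frozenset({
        "usersRead", "usersManage", "usersDelete", "usersAssign",
        "userGroupRead", "userGroupUpdate", "cacUserApproval",
        "socketFilterAgentRead", "socketFilterAgentDelete", "devicesRead",
        "devicesManage", "devicesDelete", "devicesAssign", "deviceGroupRead",
        "deviceGroupUpdate", "policyRead", "policyManage", "socketFiltersRead",
        "socketFiltersManage", "commandFiltersRead", "commandFiltersManage"}),
    "Operational Administrator": frozenset(_OPERATIONAL_ADMIN),
    # The page lists Global Administrator with the same privileges as the
    # Operational Administrator plus configurationManage.
    "Global Administrator": frozenset(_OPERATIONAL_ADMIN) | {"configurationManage"},
}

# Privileges that let a holder change who has access or what they can reach.
# This grouping is the example's own triage list, not a PAM classification.
HIGH_IMPACT: FrozenSet[str] = frozenset({
    "usersManage", "usersAssign", "userGroupUpdate", "cacUserApproval",
    "devicesManage", "devicesAssign", "policyManage", "policyImport",
    "globalSettingsManage", "configurationManage", "credentialsManage",
})


def effective_privileges(roles: Dict[str, FrozenSet[str]],
                         assigned: Iterable[str]) -> Set[str]:
    """Union of the privileges of every role assigned to a user or group.

    An unknown role name raises instead of silently contributing nothing,
    so a typo in an assignment list cannot hide a gap in an audit.
    """
    result: Set[str] = set()
    for name in assigned:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        result |= roles[name]
    return result


def role_difference(roles: Dict[str, FrozenSet[str]], a: str, b: str
                    ) -> Tuple[Set[str], Set[str]]:
    """Privileges only in role a, and privileges only in role b."""
    return set(roles[a] - roles[b]), set(roles[b] - roles[a])


def audit_custom_role(privileges: Iterable[str],
                      roles: Dict[str, FrozenSet[str]],
                      baseline: str = "Delegated Administrator"
                      ) -> Dict[str, List[str]]:
    """Least-privilege check for a proposed custom role.

    Reports which requested privileges exceed the chosen predefined baseline,
    which are high-impact, and which predefined roles the custom role fully
    contains (an existing role might be assigned instead of a new one).
    """
    wanted = set(privileges)
    return {
        "beyond_baseline": sorted(wanted - roles[baseline]),
        "high_impact": sorted(wanted & HIGH_IMPACT),
        "contains_roles": sorted(n for n, p in roles.items() if p <= wanted),
    }


if __name__ == "__main__":
    managers = ["User and User Group Manager",
                "Device and Device Group Manager", "Policy Manager"]
    print(effective_privileges(PREDEFINED_ROLES, managers)
          == set(PREDEFINED_ROLES["Delegated Administrator"]))
    print(role_difference(PREDEFINED_ROLES, "Global Administrator",
                          "Operational Administrator"))
    print(audit_custom_role({"sessionRead", "sessionManage", "usersRead",
                             "usersManage"}, PREDEFINED_ROLES))
```

Run as a script, the first check confirms that the three single-area manager roles together equal the Delegated Administrator role exactly, and the second that Global Administrator differs from Operational Administrator only by configurationManage, which is what the role descriptions above state. The audit call shows how a proposed help-desk role that combines user management with session termination would be flagged: the session privileges fall outside the Delegated Administrator baseline, usersManage is high-impact, and the request already contains the whole Session Manager role, so assigning that predefined role alongside a narrower custom role keeps the change reviewable.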
Role Privilege: Actions Allowed

Standard User
  accessAll: Use the access page to connect to remote machines.
  manageAll: Use the manage devices page to perform actions like power cycling remote machines.

Monitoring
  monitorAll: Use the monitor page to view the status of remote devices.

Sessions
  sessionRead: Look at the manage sessions/logins page.
  sessionManage: Use the manage sessions/logins page to kill sessions and logins.
  overviewRead: Examine devices, out-of-band devices, and connections.

Tools
  toolsAll: Use configuration tools such as ping and traceroute.
  validateTargetConnectorUI: Use the Target Connector Validator for TCF custom connectors.

Logging / Recordings
  loggingAll: Look at the log page and execute reports.
  sessionRecordingRead: Replay session recordings.

Global Settings
  globalSettingsRead: See global settings.
  globalSettingsManage: Alter global settings.

Services
  servicesRead: See details of all services, of any type (TCP, RDP Application).
  servicesManage: Add or change any existing services of any type (TCP, RDP Application).
  servicesDelete: Delete any existing services of any type.

Users
  usersRead: See details of all users. Allows export of users.
  usersManage: Create or change users, including export. Allows import of users.
  usersDelete: Delete any non-LDAP users.
  usersAssign: Assign a user to a user group or a user group to a user.
  userGroupRead: See details of user groups.
  userGroupUpdate: Change existing user groups, but not their memberships.
  cacUserApproval: Approve candidate CAC users.
  rolesRead: Read roles and privilege definitions.

Socket Filters
  socketFilterAgentRead: View socket filter agents.
  socketFilterAgentDelete: Delete socket filter agents.
  socketFiltersRead: See socket filter lists and configuration.
  socketFiltersManage: Change or remove socket filter lists and configurations.

Devices
  devicesRead: See details of all devices, including power hosts and consoles. Allows export.
  devicesManage: Create and change devices and their memberships. Allows import.
  devicesDelete: Delete any devices.
  devicesAssign: Assign a device to a device group or assign a device group to a device.
  deviceGroupRead: See details of device groups.
  deviceGroupUpdate: Change existing device groups, but not their memberships.
  autodiscovery: Find devices on the network.

Policy
  policyRead: See policies. Does not allow export.
  policyManage: Change or remove policies. Does not allow import.
  policyImport: Import all kinds of associations.
  policyExport: Export all kinds of associations.

Command Filters
  commandFiltersRead: See command recording lists and configuration.
  commandFiltersManage: Change or remove command filter lists and configurations.

Configuration
  configurationManage: Use the Access configuration tab.

Passwords
  credentialsManage: Create and update credential definitions for password chaining.

APIs
  awsApiProxy: Allow access to the AWS (Amazon Web Services) API Proxy.
  BAPApiManage: Manage the CA Threat Analytics API.
  managementConsole: Manage the Management Console API.
  nsxApiProxy: Allow access to the VMware NSX API Proxy.