To perform operations in Privileged Access Manager (PAM), each user must be assigned one or more user roles, which define sets of privileges that are related to different product functions. The many available predefined roles should satisfy most requirements. By default, new users are assigned the Standard User role, which allows them to access devices. Assign roles with more privileges to administrators. You can also create custom roles to assign privileges that match your own requirements. You manage roles from the
Manage Credentials Privilege
This content covers user roles for provisioning privileged access to devices and applications. For information about Credential Manager roles, see Add or Modify Credential Manager Roles. Note, however, that users who require Credential Manager administrative privileges must be assigned a user role with the Manage Credentials privilege. The following preconfigured user roles provide the Manage Credentials privilege:
- Global Administrator
- Operational Administrator
- Password Manager
Also, by default, users are assigned the "Standard User" role and are silently assigned to the "Standard Users" Credential Manager group. ("Standard Users" is not shown on the Credential Manager Groups tab.) Membership of the "Standard Users" Credential Manager group provides the privilege to view account passwords on the Access page. However, when a user is assigned any role with the "Manage Credentials" privilege (for example, "Password Manager"), that user is removed from the "Standard Users" Credential Manager group and can no longer view passwords on the Access page. To find out how to restore password viewing for such users, see Configure Users with the Manage Credentials Privilege to View Passwords on the Access Screen.
If a user needs to manage the Credential Manager's "System Admin Group", then add the Global Administrator role to this user or the user group to which this user belongs. Using a custom role for this scenario is not supported.
Identify User Roles and Privileges
Privileged Access Manager provides a preconfigured set of user roles, which you can view by selecting Manage Roles. This set carries the privileges that are required to perform common activities. You can also configure your own roles from the set of available user privileges. Roles are assigned to Users and User Groups when they are created or edited. See Configure Users for more information.
The following table lists the predefined roles:

| Role | Description | Privileges |
|---|---|---|
| | Allow users read-only access to administrative pages (services, users, devices, policies). | servicesRead, usersRead, userGroupRead, socketFilterAgentRead, devicesRead, deviceGroupRead, policyRead, socketFiltersRead, commandFiltersRead, rolesRead |
| Auditor | Allow users to view PAM logging, session recording, and reporting data. Auditors have read-only access to Global Settings to inspect settings that have an impact on log data. | overviewRead, loggingAll, sessionRecordingRead, globalSettingsRead |
| | Allow users to use the autodiscovery feature to find network devices. | |
| AWS API Proxy User | Allow the user to log in, select the Access page, and remotely access the AWS API Proxy. | accessAll, awsApiProxy, manageAll |
| CA TAP API User | All the privileges that CA Threat Analytics needs to use the external API. | accessAll, BAPApiManage, devicesRead, usersRead, sessionManage |
| | Allow users to set Global Settings and access all Configuration tabs. | globalSettingsRead, globalSettingsManage, configurationManage |
| Delegated Administrator | A combined user role that grants users the ability to perform all User, Device, and Policy Manager tasks. | usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage |
| Device and Device Group Manager | Allow users to read, create, update, and delete all types of devices. | socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate |
| Global Administrator | Allow access to, and configuration of, all Privileged Access Manager functionality. | accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, configurationManage, rolesRead, autodiscovery, credentialsManage |
| | Allow users to set Global Settings. | |
| Management Console API User | Allow user access to the CA Management Console API (internal use only). | |
| Monitor | Allow users to monitor devices. | |
| Operational Administrator | Allow access to all PAM administrative functionality, without configuration management. | accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, rolesRead, autodiscovery, credentialsManage |
| Password Manager | Allow users to configure Credential Manager. | |
| Policy Manager | Allow users to read, create, update, and delete all policies, socket and command filters, and agents. | socketFilterAgentRead, socketFilterAgentDelete, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage |
| | Allow users to read, create, update, and delete services. | servicesRead, servicesManage, servicesDelete |
| | Allow users to view and terminate PAM logins and remote access sessions. | |
| | Allow users to access and manage remote devices. | |
| | Allow users to access the | |
| User and User Group Manager | Allow users to read, create, update, and delete all types of users. | usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval |
| VMware NSX API Proxy User | Allow the user to log in, select the Access page, and remotely access the VMware NSX API Proxy. | accessAll, manageAll, nsxApiProxy |
In addition to the set of predefined roles, administrators can also create custom roles. Create a custom role by selecting from the list of available privileges, shown in the following table together with the privilege identifiers that the role table above uses:

| Privilege | Description |
|---|---|
| accessAll | Use the Access page to connect to remote machines. |
| manageAll | Use the Manage Devices page to perform actions such as power cycling remote machines. |
| monitorAll | Use the Monitor page to view the status of remote devices. |
| sessionRead | Look at the Manage Sessions/Logins page. |
| sessionManage | Use the Manage Sessions/Logins page to kill sessions and logins. |
| overviewRead | Examine devices, out-of-band devices, and connections. |
| toolsAll | Use configuration tools such as ping and traceroute. |
| loggingAll | Look at the log page and execute reports. |
| sessionRecordingRead | Replay session recordings. |
| globalSettingsRead | See global settings. |
| globalSettingsManage | Alter global settings. |
| servicesRead | See details of all services, of any type (TCP, RDP Application). |
| servicesManage | Add or change any existing services of any type (TCP, RDP Application). |
| servicesDelete | Delete any existing services of any type. |
| usersRead | See details of all users. Allows export of users. |
| usersManage | Create or change users, including export. Allows import of users. |
| usersDelete | Delete any non-LDAP users. |
| usersAssign | Assign a user to a user group or a user group to a user. |
| userGroupRead | See details of user groups. |
| userGroupUpdate | Change existing user groups, but not their memberships. |
| cacUserApproval | Approve candidate CAC users. |
| rolesRead | Read role and privilege definitions. |
| socketFilterAgentRead | View socket filter agents. |
| socketFilterAgentDelete | Delete socket filter agents. |
| socketFiltersRead | See socket filter lists and configuration. |
| socketFiltersManage | Change or remove socket filter lists and configurations. |
| devicesRead | See details of all devices, including power hosts and consoles. Allows export. |
| devicesManage | Create and change devices and their memberships. Allows import. |
| devicesDelete | Delete any devices. |
| devicesAssign | Assign a device to a device group or assign a device group to a device. |
| deviceGroupRead | See details of device groups. |
| deviceGroupUpdate | Change existing device groups, but not their memberships. |
| autodiscovery | Find devices on the network. |
| policyRead | See policies. Does not allow export. |
| policyManage | Change or remove policies. Does not allow import. |
| policyImport | Import all kinds of associations. |
| policyExport | Export all kinds of associations. |
| commandFiltersRead | See command filter lists and configuration. |
| commandFiltersManage | Change or remove command filter lists and configurations. |
| configurationManage | Use the Access configuration tab. |
| credentialsManage | Create and update credential definitions for password chaining. |
| awsApiProxy | Allow access to the AWS (Amazon Web Services) API Proxy. |
| BAPApiManage | Manage the CA Threat Analytics API. |
| | Manage the Management Console API. |
| nsxApiProxy | Allow access to the VMware NSX API Proxy. |
User Role Cases
Expanded User Privilege Assignment Under Restricted Administration
Privileged Access Manager administrators with less than a Global Administrator role were once restricted from creating or updating Users beyond the Standard User or Monitor roles. Administrators could therefore not update their own profile, or that of any other User, with privileges higher than their own. This feature is named "restricted administration."
Earlier implementations of restricted administration were also known as "delegated administration." However, that name is easily confused with the unrelated Delegated Administrator role, so Privileged Access Manager documentation no longer uses the term "delegated administration."
Restricted administration is now fine-tuned to allow assignment of any set of privileges that does not exceed one's own. An administrator below Global Administrator can assign preset or custom roles other than Standard User or Monitor, up to and including their own privileges. Conversely, restricted administration prevents the assignment of roles, groups, and other objects that would overstep the assigning administrator's privileges.
Privileged Access Manager Provisioning: Expanded User Privilege Assignment
Assume that your organization has a population of Devices that are maintained in two geographical or network locations or regions. For each region, you want to assign an administrator with Delegated Administrator privileges to manage only that region's Users and Devices. Meanwhile, a User Group is assigned the Device/Group Manager role to manage all Devices in both regions.
The options available to one of these two administrators when creating a User are then restricted. The Delegated Administrator role permits the required privileges within the User/Device scope. The Available Roles for this new User are therefore "Delegated Administrator", its components ("Device/Group Manager", "Policy Manager", and "User/Group Manager"), and the typical "Standard User" (assuming this administrator also performs Device or credentials access activities).
Meanwhile, the Available Groups list identifies all User Groups that exist on this Privileged Access Manager appliance. The "DeviceManagers" group, which allows management of all Devices rather than only those managed by this administrator, is dimmed: because selecting it would effectively grant elevated privileges, it cannot be selected.
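As an added example (not CA/Broadcom code and not part of the original page), the following Python script encodes the predefined roles whose privilege identifiers appear in the role table above and applies the restricted-administration rule from the two preceding sections to the two-region scenario. It models "any set of privileges less than one's own" as a subset test, which is an assumption about how the product evaluates the rule; the role names and privilege identifiers are the page's, while the function names are hypothetical. It shows that the Delegated Administrator is exactly the union of its three component roles, that an administrator holding that role can hand out only those roles (Standard User is not modelled because the page does not list its privileges), and which modelled roles carry credentialsManage, assumed here to correspond to the Manage Credentials privilege (Password Manager is omitted for the same reason).

```python
"""Restricted-administration check over the PAM predefined roles.

Added example, not CA/Broadcom code. Role names and privilege identifiers are
taken from the role table on this page; roles whose privilege list the page
does not show (Standard User, Monitor, Password Manager, ...) are omitted
rather than guessed. The function names are hypothetical.
"""
from typing import Dict, FrozenSet, Iterable, List

_DEVICE_MANAGER = frozenset({
    "socketFilterAgentRead", "socketFilterAgentDelete", "devicesRead",
    "devicesManage", "devicesDelete", "devicesAssign", "deviceGroupRead",
    "deviceGroupUpdate",
})
_POLICY_MANAGER = frozenset({
    "socketFilterAgentRead", "socketFilterAgentDelete", "policyRead",
    "policyManage", "socketFiltersRead", "socketFiltersManage",
    "commandFiltersRead", "commandFiltersManage",
})
_USER_MANAGER = frozenset({
    "usersRead", "usersManage", "usersDelete", "usersAssign",
    "userGroupRead", "userGroupUpdate", "cacUserApproval",
})
_OPERATIONAL_ADMIN = frozenset({
    "accessAll", "manageAll", "monitorAll", "sessionRead", "sessionManage",
    "overviewRead", "toolsAll", "loggingAll", "sessionRecordingRead",
    "globalSettingsRead", "globalSettingsManage", "servicesRead",
    "servicesManage", "servicesDelete", "usersRead", "usersManage",
    "usersDelete", "usersAssign", "userGroupRead", "userGroupUpdate",
    "cacUserApproval", "socketFilterAgentRead", "socketFilterAgentDelete",
    "devicesRead", "devicesManage", "devicesDelete", "devicesAssign",
    "deviceGroupRead", "deviceGroupUpdate", "policyRead", "policyManage",
    "socketFiltersRead", "socketFiltersManage", "commandFiltersRead",
    "commandFiltersManage", "policyImport", "policyExport", "rolesRead",
    "autodiscovery", "credentialsManage",
})

ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "Device and Device Group Manager": _DEVICE_MANAGER,
    "Policy Manager": _POLICY_MANAGER,
    "User and User Group Manager": _USER_MANAGER,
    # Listed explicitly (not derived) so the union check below is a real test.
    "Delegated Administrator": frozenset({
        "usersRead", "usersManage", "usersDelete", "usersAssign",
        "userGroupRead", "userGroupUpdate", "cacUserApproval",
        "socketFilterAgentRead", "socketFilterAgentDelete", "devicesRead",
        "devicesManage", "devicesDelete", "devicesAssign", "deviceGroupRead",
        "deviceGroupUpdate", "policyRead", "policyManage", "socketFiltersRead",
        "socketFiltersManage", "commandFiltersRead", "commandFiltersManage",
    }),
    "Operational Administrator": _OPERATIONAL_ADMIN,
    # The page's Global Administrator list is the Operational Administrator
    # list plus configurationManage.
    "Global Administrator": _OPERATIONAL_ADMIN | {"configurationManage"},
}


def effective_privileges(roles: Iterable[str]) -> FrozenSet[str]:
    """A user may hold several roles; their privileges are the union."""
    privs: set = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES[role]
    return frozenset(privs)


def can_assign(admin_roles: Iterable[str], target_role: str) -> bool:
    """Restricted administration modelled as a subset test (assumption):
    the target role may not carry any privilege the administrator lacks."""
    return ROLE_PRIVILEGES[target_role] <= effective_privileges(admin_roles)


def assignable_roles(admin_roles: Iterable[str]) -> List[str]:
    """The 'Available Roles' an administrator with these roles may hand out."""
    admin_roles = list(admin_roles)
    return sorted(r for r in ROLE_PRIVILEGES if can_assign(admin_roles, r))


def is_union_of(role: str, components: Iterable[str]) -> bool:
    """True if `role` carries exactly the combined privileges of `components`."""
    return ROLE_PRIVILEGES[role] == effective_privileges(components)


def roles_with(privilege: str) -> List[str]:
    """Modelled predefined roles that carry a given privilege, for example
    credentialsManage (assumed here to be the Manage Credentials privilege)."""
    return sorted(r for r, p in ROLE_PRIVILEGES.items() if privilege in p)


if __name__ == "__main__":
    # The two-region scenario: an administrator holding Delegated Administrator.
    print(assignable_roles(["Delegated Administrator"]))
    print(is_union_of("Delegated Administrator",
                      ["Device and Device Group Manager", "Policy Manager",
                       "User and User Group Manager"]))
    print(roles_with("credentialsManage"))
```

Because a user can hold several roles, the check is made against the union of the assigning administrator's privileges rather than against a single role; an administrator holding only Device and Device Group Manager plus Policy Manager, for instance, still cannot hand out Delegated Administrator, since that role also carries the user-management privileges.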