User Roles

To perform operations in Privileged Access Manager, each user must be assigned one or more user roles, which define sets of privileges that are related to different product functions. The many available predefined roles should satisfy most requirements. By default, new users are assigned the Standard User role, which allows them to access devices. Assign roles with more privileges to administrators. You can also create custom roles to assign privileges to match your own requirements. You manage roles from the Users, Roles screen.
Manage Credentials Privilege
This content covers user roles for provisioning privileged access to devices and applications. For information about Credential Manager roles, see Add or Modify Credential Manager Roles. However, users who require Credential Manager administrative privileges must be assigned a user role with the Manage Credentials privilege. The following preconfigured user roles provide the Manage Credentials privilege:
  • Global Administrator
  • Operational Administrator
  • Password Manager
Also, by default, users are assigned to the "Standard User" role and are silently assigned to the "Standard Users" Credential Manager group. ("Standard Users" is not shown on the Credential Manager Groups tab.) Membership of the "Standard Users" Credential Manager group provides privileges to view account passwords on the Access page. However, when a user is assigned any role with the "Manage Credentials" privilege (for example, "Password Manager"), that user is removed from the "Standard Users" Credential Manager group and cannot view passwords on the Access page. To find out how to provide password viewing privileges, see Configure Users with the Manage Credentials Privilege to View Passwords on the Access Screen.
If a user needs to manage the Credential Manager's "System Admin Group", then add the Global Administrator role to this user or the user group to which this user belongs. Using a custom role for this scenario is not supported.
Identify User Roles and Privileges
Privileged Access Manager provides a preconfigured set of user roles. You can also configure your own roles from a set of available user privileges.
Predefined Roles
A predefined set of roles is provided with the product. View these roles by selecting Users, Manage Roles. This set has the privileges that are required to perform various common activities. Roles are assigned to Users and User Groups during their creation and editing. See Configure Users for more information.
The following table lists the predefined roles:
Administrative Auditor
  Description: Allow users read-only access to administrative pages (services, users, devices, policies).
  Privileges: servicesRead, usersRead, userGroupRead, socketFilterAgentRead, devicesRead, deviceGroupRead, policyRead, socketFiltersRead, commandFiltersRead, rolesRead

Auditor
  Description: Allow users to view PAM logging, session recording, and reporting data. Auditors have read-only access to Global Settings to inspect settings that affect log data.
  Privileges: overviewRead, loggingAll, sessionRecordingRead, globalSettingsRead

Autodiscovery
  Description: Allow users to use the autodiscovery feature to find network devices.
  Privileges: autodiscovery

AWS API Proxy User
  Description: Allow the user to log in, select the access page, and remotely access the AWS API Proxy.
  Privileges: accessAll, awsApiProxy, manageAll

CA TAP API User
  Description: All the privileges that are needed for CA Threat Analytics to use the external API.
  Privileges: accessAll, BAPApiManage, devicesRead, usersRead, sessionManage

Configuration Manager
  Description: Allow users to set "Global Settings" and access all "Configuration" tabs.
  Privileges: globalSettingsRead, globalSettingsManage, configurationManage

Delegated Administrator
  Description: A combined user role that grants users the ability to perform all User, Device, and Policy Manager tasks.
  Privileges: usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage

Device and Device Group Manager
  Description: Allow users to read, create, update, and delete all types of devices.
  Privileges: socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate

Global Administrator
  Description: Allow access to, and configuration of, all Privileged Access Manager functionality.
  Privileges: accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, configurationManage, rolesRead, autodiscovery, credentialsManage
  Note: See the important note under Manage Credentials Privilege about roles with the credentialsManage privilege.

Global Setter
  Description: Allow users to set "Global Settings".
  Privileges: globalSettingsRead, globalSettingsManage

Management Console API User
  Description: Allow user access to the CA Management Console API (internal use only).
  Privileges: managementConsole

Monitor
  Description: Allow users to monitor devices.
  Privileges: monitorAll

Operational Administrator
  Description: Allow access to all PAM administrative functionality, without configuration management.
  Privileges: accessAll, manageAll, monitorAll, sessionRead, sessionManage, overviewRead, toolsAll, loggingAll, sessionRecordingRead, globalSettingsRead, globalSettingsManage, servicesRead, servicesManage, servicesDelete, usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval, socketFilterAgentRead, socketFilterAgentDelete, devicesRead, devicesManage, devicesDelete, devicesAssign, deviceGroupRead, deviceGroupUpdate, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage, policyImport, policyExport, rolesRead, autodiscovery, credentialsManage
  Note: See the important note under Manage Credentials Privilege about roles with the credentialsManage privilege.

Password Manager
  Description: Allow users to configure Credential Manager.
  Privileges: credentialsManage
  Note: See the important note under Manage Credentials Privilege about roles with the credentialsManage privilege.

Policy Manager
  Description: Allow users to read, create, update, and delete all policies, socket and command filters, and agents.
  Privileges: socketFilterAgentRead, socketFilterAgentDelete, policyRead, policyManage, socketFiltersRead, socketFiltersManage, commandFiltersRead, commandFiltersManage

Service Manager
  Description: Allow users to read, create, update, and delete services.
  Privileges: servicesRead, servicesManage, servicesDelete

Session Manager
  Description: Allow users to view and terminate PAM logins and remote access sessions.
  Privileges: sessionRead, sessionManage

Standard User
  Description: Allow users to access and manage remote devices.
  Privileges: accessAll, manageAll

Troubleshooter
  Description: Allow users to access the Configuration, Tools page.
  Privileges: toolsAll

User and User Group Manager
  Description: Allow users to read, create, update, and delete all types of users.
  Privileges: usersRead, usersManage, usersDelete, usersAssign, userGroupRead, userGroupUpdate, cacUserApproval

VMware NSX API Proxy User
  Description: Allow the user to log in, select the access page, and remotely access the VMware NSX API Proxy.
  Privileges: accessAll, manageAll, nsxApiProxy
Privilege Definitions
In addition to the set of predefined roles, administrators can also create custom roles. Create a custom role by selecting from a list of available privileges, as shown in the following table.
Each privilege is listed under its functional group, followed by the actions it allows.

Standard User
  accessAll: Use the access page to connect to remote machines.
  manageAll: Use the manage devices page to perform actions such as power cycling remote machines.

Monitoring
  monitorAll: Use the monitor page to view the status of remote devices.

Sessions
  sessionRead: View the manage sessions/logins page.
  sessionManage: Use the manage sessions/logins page to kill sessions and logins.
  overviewRead: Examine devices, out-of-band devices, and connections.

Tools
  toolsAll: Use configuration tools such as ping and traceroute.

Logging / Recordings
  loggingAll: View the log page and execute reports.
  sessionRecordingRead: Replay session recordings.

Global Settings
  globalSettingsRead: See global settings.
  globalSettingsManage: Alter global settings.

Services
  servicesRead: See details of all services, of any type (TCP, RDP Application).
  servicesManage: Add or change any existing services of any type (TCP, RDP Application).
  servicesDelete: Delete any existing services of any type.

Users
  usersRead: See details of all users. Allows export of users.
  usersManage: Create or change users, including export. Allows import of users.
  usersDelete: Delete any non-LDAP users.
  usersAssign: Assign a user to a user group or a user group to a user.
  userGroupRead: See details of user groups.
  userGroupUpdate: Change existing user groups, but not their memberships.
  cacUserApproval: Approve candidate CAC users.
  rolesRead: Read roles and privilege definitions.

Socket Filters
  socketFilterAgentRead: View socket filter agents.
  socketFilterAgentDelete: Delete socket filter agents.
  socketFiltersRead: See socket filter lists and configuration.
  socketFiltersManage: Change or remove socket filter lists and configurations.

Devices
  devicesRead: See details of all devices, including power hosts and consoles. Allows export.
  devicesManage: Create and change devices and their memberships. Allows import.
  devicesDelete: Delete any devices.
  devicesAssign: Assign a device to a device group or assign a device group to a device.
  deviceGroupRead: See details of device groups.
  deviceGroupUpdate: Change existing device groups, but not their memberships.
  autodiscovery: Find devices on the network.

Policy
  policyRead: See policies. Does not allow export.
  policyManage: Change or remove policies. Does not allow import.
  policyImport: Import all kinds of associations.
  policyExport: Export all kinds of associations.

Command Filters
  commandFiltersRead: See command recording lists and configuration.
  commandFiltersManage: Change or remove command filter lists and configurations.

Configuration
  configurationManage: Use the Access configuration tab.

Passwords
  credentialsManage: Create and update credential definitions for password chaining.

APIs
  awsApiProxy: Allow access to the AWS (Amazon Web Services) API Proxy.
  BAPApiManage: Manage the CA Threat Analytics API.
  managementConsole: Manage the Management Console API.
  nsxApiProxy: Allow access to the VMware NSX API Proxy.
User Role Cases
Expanded User Privilege Assignment Under Restricted Administration
Privileged Access Manager administrators with less than a Global Administrator role were once restricted from creating or updating Users beyond the Standard User or Monitor roles. Administrators could not then update their own profile, or that of any other User, with privileges higher than their own. This feature is named "restricted administration."
Earlier implementations of restricted administration have also been known as "delegated administration." However, this feature name can easily be confused with the unrelated Delegated Administrator role. Privileged Access Manager documentation no longer uses the term "delegated administration."
Restricted administration is now fine-tuned to allow full assignment of any set of privileges less than one's own. An administrator below a Global Administrator can assign preset or custom roles other than Standard User or Monitor, up to and including its own privileges. Conversely, restricted administration prevents the assignment of roles, groups, and other objects that overstep the applicable privileges.
Provisioning Expanded User Privilege Assignment
Assume that your organization has a population of Devices that are maintained in two geographical or network locations or regions. For each region, you want to assign an administrator with Delegated Administrator privileges to manage only its own Users and Devices. Meanwhile, a User Group is assigned the Device/Group Manager role to manage all Devices in both regions.
The options available to one of these two administrators when creating a User are then restricted. The Delegated Administrator role permits the required privileges within the User/Device scope. The Available Roles for this new User are therefore the "Delegated Administrator", its components ("Device/Group Manager", "Policy Manager", and "User/Group Manager"), and the typical "Standard User" (assuming this administrator also performs Device or credentials access activities).
Meanwhile, the Available Groups list identifies all User Groups that exist on this Privileged Access Manager appliance. The "DeviceManagers" group, which allows management of all Devices rather than only those managed by this administrator, is dimmed. Because choosing it would effectively result in elevated privileges, it cannot be selected.
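The two rules this page states, the Credential Manager group side effect of the credentialsManage privilege (Manage Credentials Privilege, above) and the restricted-administration check that a non-Global Administrator may only hand out privileges and group scope no larger than its own (the regional scenario just described), can be modelled as set comparisons over the privilege lists in the roles table. The following is an added example, not Privileged Access Manager code: the role privilege sets are copied from this page, while the User and UserGroup classes, the function names, the sample users, device names and the "DeviceManagers" group scope are constructed for illustration.

```python
"""Model of the role and privilege rules described on this page.

Added example, not Privileged Access Manager code. Role privilege sets are
copied from the predefined roles table; the classes, functions and sample
data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Privilege sets as listed in the predefined roles table (a subset of the rows).
ROLES: dict[str, frozenset[str]] = {
    "Standard User": frozenset({"accessAll", "manageAll"}),
    "Monitor": frozenset({"monitorAll"}),
    "Password Manager": frozenset({"credentialsManage"}),
    "User and User Group Manager": frozenset({
        "usersRead", "usersManage", "usersDelete", "usersAssign",
        "userGroupRead", "userGroupUpdate", "cacUserApproval"}),
    "Device and Device Group Manager": frozenset({
        "socketFilterAgentRead", "socketFilterAgentDelete", "devicesRead",
        "devicesManage", "devicesDelete", "devicesAssign",
        "deviceGroupRead", "deviceGroupUpdate"}),
    "Policy Manager": frozenset({
        "socketFilterAgentRead", "socketFilterAgentDelete", "policyRead",
        "policyManage", "socketFiltersRead", "socketFiltersManage",
        "commandFiltersRead", "commandFiltersManage"}),
    "Global Administrator": frozenset(
        "accessAll manageAll monitorAll sessionRead sessionManage overviewRead "
        "toolsAll loggingAll sessionRecordingRead globalSettingsRead "
        "globalSettingsManage servicesRead servicesManage servicesDelete "
        "usersRead usersManage usersDelete usersAssign userGroupRead "
        "userGroupUpdate cacUserApproval socketFilterAgentRead "
        "socketFilterAgentDelete devicesRead devicesManage devicesDelete "
        "devicesAssign deviceGroupRead deviceGroupUpdate policyRead "
        "policyManage socketFiltersRead socketFiltersManage commandFiltersRead "
        "commandFiltersManage policyImport policyExport configurationManage "
        "rolesRead autodiscovery credentialsManage".split()),
}
# Delegated Administrator is the combined role: the union of the three manager roles.
ROLES["Delegated Administrator"] = (
    ROLES["User and User Group Manager"]
    | ROLES["Device and Device Group Manager"]
    | ROLES["Policy Manager"]
)

CM_STANDARD_USERS = "Standard Users"  # hidden Credential Manager group named on the page


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=lambda: {"Standard User"})  # page default

    def privileges(self) -> frozenset[str]:
        """Effective privileges: the union over all assigned roles."""
        return frozenset().union(*(ROLES[r] for r in self.roles))

    def cm_groups(self) -> set[str]:
        """Silent 'Standard Users' membership is dropped as soon as any
        assigned role carries credentialsManage (page rule)."""
        return set() if "credentialsManage" in self.privileges() else {CM_STANDARD_USERS}

    def can_view_passwords_on_access_page(self) -> bool:
        return CM_STANDARD_USERS in self.cm_groups()


@dataclass(frozen=True)
class UserGroup:
    name: str
    roles: frozenset[str]
    device_scope: frozenset[str]  # constructed: the devices the group's members manage


def can_assign_role(assigner: User, role: str) -> bool:
    """Restricted administration: below Global Administrator, a role is
    assignable only if its privilege set does not exceed the assigner's own."""
    if "Global Administrator" in assigner.roles:
        return True
    return ROLES[role] <= assigner.privileges()


def available_roles(assigner: User) -> list[str]:
    """The Available Roles list shown to this assigner."""
    return sorted(r for r in ROLES if can_assign_role(assigner, r))


def can_assign_group(assigner: User, assigner_scope: frozenset[str], group: UserGroup) -> bool:
    """A group is selectable only if both its role privileges and its device
    scope stay within the assigner's; otherwise it is dimmed (would elevate)."""
    if "Global Administrator" in assigner.roles:
        return True
    group_privs = frozenset().union(*(ROLES[r] for r in group.roles))
    return group_privs <= assigner.privileges() and group.device_scope <= assigner_scope


if __name__ == "__main__":
    # Constructed scenario: one regional administrator, devices in two regions.
    east = frozenset({"east-db-01", "east-web-01"})
    west = frozenset({"west-db-01"})
    regional_admin = User("east-admin", {"Delegated Administrator", "Standard User"})
    device_managers = UserGroup("DeviceManagers",
                                frozenset({"Device and Device Group Manager"}), east | west)
    print("Available roles:", available_roles(regional_admin))
    print("DeviceManagers selectable:", can_assign_group(regional_admin, east, device_managers))
    alice = User("alice", {"Standard User", "Password Manager"})
    print("alice can view passwords on Access page:", alice.can_view_passwords_on_access_page())
```

Run as a script, the regional administrator's Available Roles come out as exactly the five the page names (Delegated Administrator, its three component roles, and Standard User), Monitor and the credential roles are absent because monitorAll and credentialsManage are not among the assigner's own privileges, and the all-region "DeviceManagers" group is rejected on scope even though its role privileges are a subset of the assigner's.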