UNIX Account Administrative Authority in PAM SC
Provides an overview of how you assign administrative authority for UNIX accounts in PAM SC.
When you install Privileged Access Manager, you are asked to name one or more Privileged Access Manager administrators. Administrators have the authority to modify all or part of the rules database. You should have at least one full-authority administrator. This administrator can modify or create access rules freely and can designate other levels of administrators.
Once you have defined users for your system, you can assign administrative authority to other users by assigning the ADMIN attribute to them.
A user with the ADMIN attribute possesses powerful authority. Consequently, the number of ADMIN users should be strictly limited. It is also a good policy to separate the roles of the native superuser and ADMIN, removing the ADMIN attribute from the superuser after you have set up one or more Privileged Access Manager security administrators.
Because you always need at least one user with authority to manage the database, Privileged Access Manager does not let you delete the last user that has the ADMIN attribute.
If you expect any of the Privileged Access Manager administrators to administer other hosts from this workstation, be sure that a rule in the database on that host gives them READ and WRITE access from this workstation.