Configure Role Based Access
Creating groups gives you great flexibility in delegating access to managed systems. Permissions provide access to BeyondInsight system components, while Password Safe roles determine the scope of access to managed systems.
- Group permissions: Permissions are assigned when you create a group. Permissions are system-wide and provide access to various components of the BeyondInsight infrastructure. There are permissions that are specific to accessing and using features of the Password Safe application.
- Password Safe roles: The roles define the actions that Password Safe users can take when using the Password Safe web portal for password releases or access to applications.
Group Features
The following table provides information on the Password Safe features that you can assign to your groups.

| Feature | Full Control permission assigned |
| --- | --- |
| Password Safe Account Management | Grants permissions to the following features on the Managed Accounts page: |
| Password Safe Admin Session | Allows non-ISA users access to the Admin Session feature in Password Safe. Using an Admin Session allows administrators to open ad-hoc RDP / SSH sessions without going through the request process. |
| Password Safe Bulk Password Change | Use the bulk password change feature on the Managed Accounts page. |
| Password Safe Agent Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Agents page. |
| Password Safe Configuration Management | Grant a user administrator permissions to the Configuration > Privileged Access Management page. |
| Password Safe Policy Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Policies page. |
| Password Safe Role Management | Users can manage roles, provided they hold both of the following permissions: Password Safe Role Management and User Accounts Management. |
| Password Safe System Management | Users can manage systems on the Managed Systems page, including: Password Safe Account Management is needed together with Password Safe System Management to manage Password Safe accounts. Full Control is required for both. |
| Smart Rule Management - Managed Account | Users can create and edit Managed Account Smart Rules. |
| Smart Rule Management - Managed System | Users can create and edit Managed System Smart Rules. |
| Secrets Safe | Users can access the Secrets Safe feature. |

In addition to the Password Safe feature permissions, users need the following general permissions:

| Permission | Description |
| --- | --- |
| Asset Management | Read, create, and delete assets and databases. |
| Management Console Access | Access to log on to the management console. |

Password Safe Roles
In Password Safe, a role is the connection between a Password Safe user account and a managed system. A role defines what the user or group can do with respect to that managed system.

| Role | Description |
| --- | --- |
| Requester | Users can submit a request to retrieve a managed password or file. When assigning the Requester role, you must select an access policy. |
| Approver | Users can approve requests for the release of managed passwords or files. Typically, system administrators and network engineers are assigned to this role. |
| Requester/Approver | With this cross-functional role, a user can submit or approve requests for password or file releases. However, an approver cannot approve their own request when dual control is enforced. This role is typically used in a peer approval environment. |
| Information Security Administrator | This role is responsible for setting up managed systems and accounts. The ISA role provides the functionality required for security help desk personnel, and it can delegate limited authority to those responsible for resource management. The role enables a user to bypass every workflow and security measure, such as approval workflows or checked-out accounts. So even if another user has already checked out an account and knows its password, an ISA user can still view the password. |
| Auditor | Users can: The Auditor role can be assigned together with other roles. |
| No Roles | Assign this role to remove any previously assigned roles from a user group. |
| Credentials Manager | Users can set credentials using the PUT ManagedAccounts/{accountId}/Credentials API. |
| Recorded Session Reviewer | Users can view and take action on recorded Password Safe sessions, including: |
| Active Session Reviewer | Users can view and take action on active Password Safe sessions, including: |

On all systems where a user is granted the ISA role, the user can change the following system details:
- Grant users/groups roles to the managed system.
- Review release requests.
- Add and change accounts on managed systems.
- Assign a system to a collection (provided the ISA role is granted to the user for both the system and the collection).
- Remove their ISA role from a system.
The roles that you can assign vary depending on the Smart Rule type.
- Asset Based Smart Rule: Only the ISA and Auditor roles are available.
- Managed Accounts Based Smart Rule: Most roles are available.
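The role and permission rules from the tables above (dual control, the ISA bypass, the No Roles reset, the Smart Rule restriction and the Full Control prerequisites), encoded as an added example for sanity-checking a proposed group configuration. This is a constructed model, not BeyondTrust code; the non-ISA password-view path assumes an approved request and no checkout held by another user, which the page implies but does not spell out.

```python
# Constructed model of the role and permission rules this page describes.
# It is an added illustration, not BeyondTrust code: use it to sanity-check a
# proposed group configuration before applying it in the console.
FULL = "Full Control"

# Roles from the table above; only ISA and Auditor apply to asset-based Smart Rules.
ROLES = {"Requester", "Approver", "Requester/Approver", "ISA", "Auditor",
         "Credentials Manager", "Recorded Session Reviewer", "Active Session Reviewer"}
ASSET_RULE_ROLES = {"ISA", "Auditor"}


def assign_roles(current, requested, smart_rule_type, access_policy=None):
    """Return the roles a group ends up with after an assignment."""
    requested = set(requested)
    if "No Roles" in requested:        # 'No Roles' clears every previously assigned role
        return set()
    if not requested <= ROLES:
        raise ValueError("unknown roles: %s" % sorted(requested - ROLES))
    if smart_rule_type == "asset" and not requested <= ASSET_RULE_ROLES:
        raise ValueError("asset-based Smart Rules only carry the ISA and Auditor roles")
    if "Requester" in requested and access_policy is None:
        raise ValueError("the Requester role must be assigned with an access policy")
    return set(current) | requested


def can_approve(approver_roles, approver, requester, dual_control):
    """Approver or Requester/Approver may approve; with dual control, never their own request."""
    if not set(approver_roles) & {"Approver", "Requester/Approver"}:
        return False
    return not (dual_control and approver == requester)


def can_view_password(roles, user, checked_out_by=None, approved=False):
    """ISA bypasses approval and an existing checkout. Assumption for everyone
    else: an approved request, and no checkout held by a different user."""
    if "ISA" in roles:
        return True
    if checked_out_by not in (None, user):
        return False
    return approved and bool(set(roles) & {"Requester", "Requester/Approver"})


def can_manage_accounts(perms):
    """Managing accounts needs Full Control on both Account and System Management."""
    return (perms.get("Password Safe Account Management") == FULL
            and perms.get("Password Safe System Management") == FULL)


def can_manage_roles(perms):
    """Role management needs both Password Safe Role Management and User Accounts Management."""
    return {"Password Safe Role Management", "User Accounts Management"} <= set(perms)
```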