Adding roles

Privileged Access Service provides two predefined roles by default: Everybody and System Administrator. Initially, only members of the System Administrator role have full rights to perform all administrative tasks. If you want to delegate full administrative activity to other users, you can add them to the predefined System Administrator role.

All other users are added to the Everybody role by default.

In most organizations, however, the two default roles do not provide enough granular control over who can do what or which policies should be applied to different groups of users, so additional roles are necessary. You can create as many additional roles as you need.

You can add roles before or after you add directory service users. If you plan to delegate some administrative activity to other users, you might want to create the roles with specific administrative rights before you add users to the service.

If users assigned to the role will access enrolled Linux systems, you can optionally specify the Unix Profile information. You can map a role to either a local group that already exists on the systems or a new local group.

To add a role

  1. In the Admin Portal, click Access > Roles.

  2. Click Add Role.
  3. Enter the role name and an optional description.

    Click Save to continue.

  4. Click Members > Add to add users to the role.

    You can add directory service users and external identity store users. If you are preparing a role with administrative rights before adding or inviting users, you can add the appropriate members later.

  5. Click Administrative Rights > Add.
  6. Select the check box associated with each right you want to assign to the role, then click Add.

    For a description of the administrative rights, see Admin Portal administrative rights.

  7. If you want the members of this role to be able to access Unix/Linux systems, go to the Unix Profile page and select Map role as a group on enrolled systems.

    • Unix name: This is the name of the new or existing local group. You must specify this field.

      Enter an existing local group name if you want to map this role to a group that exists already on your Linux systems.

    • GID: This field is optional. If you are mapping this role to an existing local group, be sure to enter the correct GID (otherwise the mapping won't work correctly).

  8. Click Save.
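A pre-check for step 7, added here as an example and not part of the product documentation: before entering a Unix name and GID on the Unix Profile page, compare them against the local group file on an enrolled system. The function name, the result labels, and the sample groups are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_group_mapping NAME [GID] [GROUP_FILE]
# Classifies a planned role-to-group mapping against a group database in
# /etc/group format (name:password:GID:members). GROUP_FILE defaults to
# /etc/group; pass "-" to read the database from standard input.
# Prints one of:
#   match <gid>         group exists and the GID (if given) agrees
#   gid-mismatch <gid>  group exists but has a different GID (shown)
#   gid-in-use <group>  group is new, but another group already owns the GID
#   new                 neither the name nor the GID is in use
check_group_mapping() {
    name=$1
    gid=${2:-}
    file=${3:-/etc/group}
    awk -F: -v name="$name" -v gid="$gid" '
        $1 == name { found = 1; found_gid = $3 }
        gid != "" && $3 == gid && $1 != name { owner = $1 }
        END {
            if (found && (gid == "" || found_gid == gid)) print "match " found_gid
            else if (found)        print "gid-mismatch " found_gid
            else if (owner != "")  print "gid-in-use " owner
            else                   print "new"
        }' "$file"
}

# Constructed sample group database, not taken from a real system.
sample_groups() {
    cat <<'EOF'
root:x:0:
wheel:x:10:alice
dbadmins:x:2001:bob,carol
webops:x:2002:
EOF
}

# Demo against the constructed sample.
sample_groups | check_group_mapping dbadmins 2001 -      # existing group, correct GID
sample_groups | check_group_mapping dbadmins 2010 -      # existing group, wrong GID
sample_groups | check_group_mapping pas-auditors 2002 -  # new name, GID already taken
sample_groups | check_group_mapping pas-auditors "" -    # new name, GID left blank
```

Run the function without a third argument on an enrolled system to check against its own `/etc/group`; only a `match` or `new` result corresponds to the two mappings the procedure describes.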