Additional Account Permissions

There are several additional permissions that are unique to accounts. These permissions can be set for individual accounts, sets of accounts, or globally for all accounts.

The account permissions available depend on the type of account you have selected:

  • Local accounts support all of the common and account permissions.
  • Domain and database accounts support all of the common and account permissions except the Login and Workspace Login permissions.
  • Multiplexed accounts only support the Grant, Edit, and Delete permissions and require additional permissions for systems.

Checkout

Select Checkout to allow users, groups, or roles to display or copy the password for a selected account.

If the password for the account is managed by the Privileged Access Service, this permission also results in the generation of a new password when the password is checked in manually or when the checkout period expires. If the password is not managed by the Privileged Access Service, this permission enables users, groups, or roles to display or copy a password that will remain unchanged until manually updated.

Login

Select Login to allow users, groups, or roles to log on to a target system or domain using a secure shell (ssh) session or remote desktop (rdp) connection in a web browser or with a native local client.

The Login permission enables users, groups, or roles to log on without knowing the account password. Because the password is not displayed, this permission enables secure access to remote systems and domains when using managed or unmanaged accounts.

File Transfer

Select File Transfer to allow users, groups, or roles to securely transfer files using secure copy (scp) or secure file transfer (sftp) while logged on remotely to a target computer. Users who have the File Transfer permission but don’t have Login permission for the target computer can request access if a request and approval workflow is enabled. Only users who have the File Transfer permission can use accounts in the Privileged Access Service to perform file transfer operations.

Update Password

Select Update Password to allow users, groups, or roles to update the password for a selected account. The Update Password action is available for both managed and unmanaged accounts you add to the service. In both cases, be sure you have the correct current password for the account. If you are unsure, reset the password on the target system first, then update the password stored in the privilege service.

Workspace Login

Select Workspace Login to allow users, groups, or roles to log on to a system using the selected account and stored password. The account is added to the "My System Accounts" table on the Workspace page. You do not need any particular role assignment to use this permission.

Rotate

Select Rotate to allow users, groups, or roles to change the password stored in the Privileged Access Service for a managed account immediately without waiting for the rotation period to expire.

This permission enables selected users to rotate the password “on demand” if there has been suspicious activity or a risk that the password has been compromised.
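
The support rules and permission behaviors described above can be checked mechanically when reviewing who holds which permission. The following is an added example, not code from the Privileged Access Service: the Assignment record layout, the finding labels, and the sample data are assumptions constructed for illustration, and only permissions named on this page are modelled.

```python
from dataclasses import dataclass

# Permissions named on this page; any others the service defines are ignored here.
COMMON = {"Grant", "Edit", "Delete"}
ACCOUNT = {"Checkout", "Login", "File Transfer", "Update Password",
           "Workspace Login", "Rotate"}
SUPPORTED = {
    "local": COMMON | ACCOUNT,
    "domain": (COMMON | ACCOUNT) - {"Login", "Workspace Login"},
    "database": (COMMON | ACCOUNT) - {"Login", "Workspace Login"},
    "multiplexed": set(COMMON),
}

@dataclass(frozen=True)
class Assignment:          # hypothetical record layout, not a service export format
    principal: str         # user, group, or role
    account: str
    account_type: str      # local | domain | database | multiplexed
    managed: bool          # is the password managed by the service?
    permissions: frozenset

def audit(assignments):
    """Return (principal, account, finding, permission) tuples."""
    findings = []
    for a in assignments:
        allowed = SUPPORTED[a.account_type]
        named = a.permissions & (COMMON | ACCOUNT)
        for perm in sorted(named - allowed):
            findings.append((a.principal, a.account, "unsupported", perm))
        effective = named & allowed
        # Unmanaged + Checkout: the revealed password stays valid until manually updated.
        if "Checkout" in effective and not a.managed:
            findings.append((a.principal, a.account, "static-password", "Checkout"))
        # The page describes Rotate for managed accounts only.
        if "Rotate" in effective and not a.managed:
            findings.append((a.principal, a.account, "rotate-needs-managed", "Rotate"))
        # File Transfer without Login depends on a request and approval workflow.
        if "File Transfer" in effective and "Login" in allowed and "Login" not in effective:
            findings.append((a.principal, a.account, "needs-request-workflow", "File Transfer"))
    return findings

# Constructed sample data (names are made up).
SAMPLE = [
    Assignment("ops-team", "root@web01", "local", True, frozenset({"Login", "File Transfer", "Checkout"})),
    Assignment("dba-role", "sa@sqlprod", "database", False, frozenset({"Checkout", "Workspace Login", "Rotate"})),
    Assignment("svc-admins", "mux-svc", "multiplexed", True, frozenset({"Grant", "Rotate"})),
    Assignment("auditors", "backup@web01", "local", True, frozenset({"File Transfer"})),
]
```
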