You can use global account permissions to define the specific permissions granted to different users when they use the accounts stored in the Privileged Access Service. The global account permissions apply to all systems, domains, or databases you add by default. You can also override the default permission for individual systems, domains, or databases, as needed.
Most of the activity in the Admin Portal involves managing systems, domains, and databases and the accounts that are specifically used to access them. For example, when you manage user permissions for an account on a particular server, those permissions only apply in the context of that particular account on that specific server.
In some cases, however, you might want to define global account permissions that apply for all systems instead of system-specific permissions. For example, you might want to define a global account permission that allows the firstname.lastname@example.org user to log on without a password to all target systems you add to the Privileged Access Service, then grant that user the permission to check out an account password only for a specific system and account combination. Similarly, you can grant global account permissions for domains and databases.
The Login and Checkout permissions configured in the global or sets account permissions directly map to the Login and Checkout permission for the account for most accounts (e.g. local accounts, domain accounts, etc). There are two exceptions:
- For IAM User accounts:
- Login permission maps to the Use Access Key permission
- Checkout permission maps to the Retrieve permission.
- For IAM Role accounts, the Login permission maps to the Assume Role permission.
To set the global account permissions
In the Admin Portal, click Settings > Resources > Security > Global Account Permissions.
Click Add to search for and select users, groups, roles, or computers.
- Type a search string to search for the users, groups, or roles to which you want to grant global permissions.
- Select the appropriate users, groups, or roles from the search results.
- Click Add.
Select the appropriate global account permissions for each user.
As an administrator in the System Administrator role, your user account has all permissions by default. You can assign specific global rights to other users to allow them to work with accounts on all managed systems. Note that users must have both the Delete and Checkout permission to delete accounts because you must be able to display or copy the password for an account before deleting it. For more detailed information about the permissions available, see Assigning permissions.
If any of the permissions are temporary because a request for access has been approved, the Expires column indicates when the permission will expire.
- Click Save to save the global account permissions settings.