Privileged Access Roles
Privileged access roles in CA Access Control Enterprise Management provide a basic set of roles that you can assign to administrators and users in your enterprise according to your requirements. Out-of-the-box, CA Access Control Enterprise Management comes with the following privileged access roles:
- Break Glass—A user with this role can initiate a Break Glass privileged account password check out. A Break Glass checkout lets a user gain immediate access to an endpoint to which they do not have privileged access. This role is assigned by default to all the users in CA Access Control Enterprise Management.
- Endpoint Privileged Access Role—A user with this role can perform privileged account tasks on the specified endpoint type. The first time that you define a new type of endpoint, CA Access Control creates a corresponding endpoint privileged access role. For example, the first time you create a Windows endpoint in CA Access Control Enterprise Management, CA Access Control creates the Windows Agentless Connection endpoint privileged access role.
- Privileged Account Request—A user with this role can submit or delete requests for privileged account passwords. This role is assigned by default to all the users in CA Access Control Enterprise Management.
- PUPM Approver—A user with this role can respond to privileged access requests that CA Access Control Enterprise Management users have submitted. This role is assigned by default to all the users in CA Access Control Enterprise Management.
- PUPM Audit Manager—A user with this role can audit privileged account activity and manage the CA Enterprise Log Manager audit collection parameters.
- PUPM Policy Manager—A user with this role can manage role members and member policies, assign role owners, and create and delete roles.
- PUPM Target System Manager—A user with this role can administer password policies and privileged accounts, and can execute the privileged accounts discovery wizard to discover privileged accounts on endpoints.
- PUPM User—A user with this role can check in and check out privileged account passwords that they are permitted to use. This role is assigned by default to all the users in CA Access Control Enterprise Management.
- PUPM User Manager—A user with this role can administer CA Access Control Enterprise Management users and groups and password policies, and manage the work items of users.
You should note the following when you assign privileged access roles to users:
- To respond to a privileged account request, a user must have the PUPM Approver role and be the requesting user's manager.
- If a user has the Break Glass, Privileged Account Request, or PUPM User role but does not also have an endpoint privileged access role, the user cannot access any endpoints. Effectively, the user cannot perform any tasks.
- If a user has an endpoint privileged access role but does not have any other role, the user cannot perform any tasks.
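The three notes above can be checked mechanically against a list of users and their roles. The following Python is an added example, not code from CA Access Control; the role names come from this page, while the record layout, the user names, and the caller-supplied set of endpoint role names are assumptions, and it calls no product interface.

```python
# Role names are taken from the page; the record layout and the sample
# users below are constructed for this example.
ENDPOINT_DEPENDENT = {"Break Glass", "Privileged Account Request", "PUPM User"}


def review_user(roles, endpoint_roles):
    """Return findings for one user's role set, per the assignment notes."""
    roles = set(roles)
    held_endpoint = roles & endpoint_roles
    findings = []
    if roles & ENDPOINT_DEPENDENT and not held_endpoint:
        findings.append("no endpoint privileged access role: cannot access any endpoints")
    if held_endpoint and not (roles - endpoint_roles):
        findings.append("endpoint privileged access role only: cannot perform any tasks")
    return findings


def can_respond(approver, requester, users):
    """True only if approver holds PUPM Approver and manages the requester."""
    return ("PUPM Approver" in users[approver]["roles"]
            and users[requester]["manager"] == approver)


def review_all(users, endpoint_roles):
    """Map each user with at least one finding to its findings."""
    report = {}
    for name, rec in users.items():
        found = review_user(rec["roles"], endpoint_roles)
        if found:
            report[name] = found
    return report


# Constructed sample data. "Windows Agentless Connection" is the endpoint
# role named on the page; the user names are invented.
ENDPOINT_ROLES = {"Windows Agentless Connection"}
DEFAULTS = ["Break Glass", "Privileged Account Request", "PUPM Approver", "PUPM User"]
USERS = {
    "alice": {"manager": None, "roles": DEFAULTS + ["Windows Agentless Connection"]},
    "bob": {"manager": "alice", "roles": DEFAULTS},
    "carol": {"manager": "alice", "roles": ["Windows Agentless Connection"]},
}

if __name__ == "__main__":
    for user, found in review_all(USERS, ENDPOINT_ROLES).items():
        for f in found:
            print(f"{user}: {f}")
    print("bob can respond to carol:", can_respond("bob", "carol", USERS))
```

Because PUPM Approver is assigned to all users by default, the manager relationship is what actually decides who can respond to a request, which is why `can_respond` checks both conditions.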