Privileged Access Roles
Privileged access roles in CA ControlMinder Enterprise Management provide a basic set of roles that you can assign to administrators and users in your enterprise according to your requirements. Out-of-the-box, CA ControlMinder Enterprise Management comes with the following privileged access roles:
- Break Glass—A user with this role can initiate a Break Glass privileged account password check out. A Break Glass checkout lets a user gain immediate access to an endpoint to which they do not have privileged access. This role is assigned by default to all the users in CA ControlMinder Enterprise Management.
- Endpoint Privileged Access Role—A user with this role can perform privileged account tasks on the specified endpoint type. The first time that you define a new type of endpoint, CA ControlMinder creates a corresponding endpoint privileged access role. For example, the first time you create a Windows endpoint in CA ControlMinder Enterprise Management, CA ControlMinder creates the Windows Agentless Connection endpoint privileged access role.
- Privileged Account Request—A user with this role can submit or delete requests for privileged account passwords. This role is assigned by default to all the users in CA ControlMinder Enterprise Management.
- SAM Approver—A user with this role can respond to privileged access requests that CA ControlMinder Enterprise Management users have submitted. This role is assigned by default to all the users in CA ControlMinder Enterprise Management.
- SAM Audit Manager—A user with this role can audit privileged account activity and manage the CA Enterprise Log Manager audit collection parameters.
- SAM Policy Manager—A user with this role can manage role members and member policies, assign role owners, and create and delete roles.
- SAM Target System Manager—A user with this role can administer password policies and privileged accounts, and can execute the privileged accounts discovery wizard to discover privileged accounts on endpoints.
- SAM User—A user with this role can check in and check out privileged account passwords that they are permitted to use. This role is assigned by default to all the users in CA ControlMinder Enterprise Management.
- SAM User Manager—A user with this role can administer CA ControlMinder Enterprise Management users and groups and password policies, and manage the work items of users.
You should note the following when you assign privileged access roles to users:
- To respond to a privileged account request, a user must have the SAM Approver role and be the requesting user's manager.
- If a user has the Break Glass, Privileged Account Request, or SAM User role but does not also have an endpoint privileged access role, the user cannot access any endpoints. Effectively, the user cannot perform any tasks.
- If a user has an endpoint privileged access role but does not have any other role, the user cannot perform any tasks.
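The following added example (not part of the CA documentation or product) applies the three notes above to a set of role assignments so that ineffective combinations can be found during an access review. The role names come from this page; the users, the manager links and the data layout are constructed assumptions, not a ControlMinder export format.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role names are from the page; the users and data layout are constructed.
TASK_ROLES = {"Break Glass", "Privileged Account Request", "SAM User"}
DEFAULT_ROLES = TASK_ROLES | {"SAM Approver"}  # assigned to all users by default

@dataclass
class User:
    name: str
    manager: Optional[str] = None
    roles: set = field(default_factory=lambda: set(DEFAULT_ROLES))
    endpoint_roles: set = field(default_factory=set)

def blocked_reason(u):
    """Return why the role set is ineffective per the notes, or None."""
    if u.endpoint_roles and not u.roles:
        return "endpoint role only: cannot perform any tasks"
    if u.roles & TASK_ROLES and not u.endpoint_roles:
        return "no endpoint privileged access role: cannot access any endpoints"
    return None

def can_respond(approver, requester):
    """SAM Approver role AND being the requesting user's manager are both required."""
    return "SAM Approver" in approver.roles and requester.manager == approver.name

def audit(users):
    """Map each user with an ineffective role combination to the reason."""
    return {u.name: r for u in users if (r := blocked_reason(u))}

# Constructed sample assignments.
WIN = "Windows Agentless Connection"
alice = User("alice", manager="bob", endpoint_roles={WIN})
bob = User("bob")                      # default roles, no endpoint role
carol = User("carol", manager="bob")   # default roles, no endpoint role
svc = User("svc_ops", roles=set(), endpoint_roles={WIN})
USERS = [alice, bob, carol, svc]

if __name__ == "__main__":
    for name, reason in audit(USERS).items():
        print(f"{name}: {reason}")
    print("bob can respond to alice:", can_respond(bob, alice))
    print("carol can respond to alice:", can_respond(carol, alice))
```

In the sample, carol holds the default SAM Approver role but cannot respond to alice's request because she is not alice's manager.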
Copyright © 2013 CA.
All rights reserved.