Using Privileged Access Roles
You should consider the following points before you set up SAM for your enterprise:
- We recommend that you use Active Directory as your user store and modify the member policy for each role to point to a group in Active Directory. To add or remove users from a role that you set up in this manner, you add or remove users from the Active Directory group. This reduces administrative overhead.
- If you use Active Directory as your user store, you cannot use CA ControlMinder Enterprise Management to create or delete users or groups. You can only create and delete users and groups in Active Directory.
- If a role has a member policy defined for it, and a SAM User Manager assigns that specific role to a user but the user does not fit the scope of the member policy, then CA ControlMinder does not assign the role to the user. The rules defined in the member policy override the SAM User Manager assignment.
- To respond to a privileged account request, a user must have the SAM Approver role and be the requesting user's manager. If you use the embedded user store, you can specify a user's manager in the Create User and Modify User tasks in CA ControlMinder Enterprise Management.
- Out-of-the-box, CA ControlMinder assigns the Break Glass, SAM Approver, Privileged Account Request, and SAM User roles to all users. To change this behavior, modify the member policy for each role.
- You can modify scope rules for a role to define the specific endpoints and privileged accounts that the role can access. Scope rules let you implement fine-grained access to privileged accounts across your enterprise. The scope rules are defined in the member policy of a role.
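The way member policies, direct assignment by a SAM User Manager, and the approver rule interact is easy to get wrong, so here is a small Python model of the rules listed above. It is an added illustration, not CA ControlMinder code or its API: the role names come from this page, while the group DNs, the sample users, the "Audit Reviewer" role and every function name are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ALL_USERS = "*"  # stands in for the out-of-the-box member policy that matches every user
MANAGERS_GROUP = "CN=SAM-User-Managers,OU=Groups,DC=example,DC=com"  # constructed DN
APPROVERS_GROUP = "CN=SAM-Approvers,OU=Groups,DC=example,DC=com"    # constructed DN

# Member policy per role: the AD group whose members hold the role.
# A role missing from this dict has no member policy at all.
MEMBER_POLICIES: Dict[str, str] = {
    "Break Glass": ALL_USERS,
    "SAM Approver": ALL_USERS,
    "Privileged Account Request": ALL_USERS,
    "SAM User": ALL_USERS,
    "SAM User Manager": MANAGERS_GROUP,
}

@dataclass
class User:
    name: str
    ad_groups: Set[str] = field(default_factory=set)
    manager: Optional[str] = None  # set in Create/Modify User when the embedded store is used
    assigned_roles: Set[str] = field(default_factory=set)  # direct assignments by a SAM User Manager

def fits_member_policy(user: User, role: str) -> bool:
    policy = MEMBER_POLICIES.get(role)
    return policy == ALL_USERS or policy in user.ad_groups

def effective_roles(user: User) -> Set[str]:
    """Roles granted by member policy, plus direct assignments the policy does not veto."""
    roles = {role for role in MEMBER_POLICIES if fits_member_policy(user, role)}
    for role in user.assigned_roles:
        # The member policy overrides the assignment unless the user is in its scope.
        if role not in MEMBER_POLICIES or fits_member_policy(user, role):
            roles.add(role)
    return roles

def can_approve(approver: User, requester: User) -> bool:
    """Responding to a request needs the SAM Approver role AND the manager relationship."""
    return "SAM Approver" in effective_roles(approver) and requester.manager == approver.name

def restrict_member_policy(role: str, ad_group: str) -> None:
    """Replace an out-of-the-box 'all users' policy with membership of one AD group."""
    MEMBER_POLICIES[role] = ad_group

# Constructed sample users.
ALICE = User("alice", {MANAGERS_GROUP, APPROVERS_GROUP})
BOB = User("bob", manager="alice")
CAROL = User("carol", manager="alice", assigned_roles={"SAM User Manager", "Audit Reviewer"})
```

Calling `restrict_member_policy("SAM Approver", APPROVERS_GROUP)` shows the effect of the recommendation above: users outside the group lose the default SAM Approver role, while a manager who is in the group can still respond to requests.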
More information:
Member Policies
Copyright © 2013 CA Technologies.
All rights reserved.