Permissions
There are 3 types of rights in PassMan:
1. Direct rights (adjustable)
   a. Rights DIRECTLY SET for a given element.
   b. Can be viewed: folder – right click – access settings menu.
2. Inherited rights (adjustable)
   a. Rules set for a parent element are inherited down the tree (folder structure).
   b. Inheritance can be interrupted by a ban set for a given element (a ban on all rules, or a ban on specific rules only).
3. Effective rights (evaluated)
   a. Rights ACTUALLY "FORMED" (evaluated) for a given element, taking into account both DIRECT and INHERITED rights.
   b. Can be viewed: folder – right click – access settings menu item – Aggregated permissions button.
PassMan has a central setting (in the Padmin interface) that decides which right takes effect when two opposing rights are set for the same element.
By default, if a user holds more than one right for an element and at least one of them is a Deny rule, that right is not available to the user.
This also applies to the user – group relationship: if a user has a right to an element directly, but holds a DENY for it as a member of a group, their effective right is DENY, i.e. they do not have access to the element.
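The evaluation described above (direct rules, inheritance down the folder tree, bans that interrupt inheritance, and a deny-wins default that also covers group membership) can be modelled in a few lines. The following is an added illustrative model, not PassMan's own code or API; the element names, group names, rule structure and the `deny_wins` switch standing in for the central Padmin setting are all assumptions made for the example.

```python
"""Toy model of direct / inherited / effective rights with deny-wins evaluation.

Illustrative re-implementation of the behaviour described in the text above;
it is NOT PassMan's own code. Names, data layout and the `deny_wins` switch
(standing in for the central Padmin setting) are assumptions for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    principal: str       # user or group the rule applies to
    permission: str      # e.g. "Read Entity", "Checkout Credentials"
    deny: bool = False   # True for a DENY rule, False for an ALLOW rule


@dataclass
class Element:
    name: str
    parent: Element | None = None
    direct: list[Rule] = field(default_factory=list)     # rules set DIRECTLY on this element
    block_all: bool = False                                # ban on all inherited rules
    blocked: set[str] = field(default_factory=set)         # ban on inheriting specific permissions


def inherited_rules(elem: Element) -> list[Rule]:
    """Rules that reach `elem` from its ancestors, honouring bans on the way down."""
    if elem.parent is None or elem.block_all:
        return []
    # The parent's own direct rules plus whatever the parent itself inherited.
    candidates = elem.parent.direct + inherited_rules(elem.parent)
    return [r for r in candidates if r.permission not in elem.blocked]


def effective(elem: Element, user: str, groups: dict[str, set[str]],
              permission: str, deny_wins: bool = True) -> bool:
    """Evaluate whether `user` effectively holds `permission` on `elem`.

    `groups` maps a group name to its member users. With deny_wins=True (the
    default described in the text) a single DENY from any applicable rule,
    direct or inherited, user or group, removes the right. deny_wins=False
    models the opposite central setting: any ALLOW grants the right.
    """
    principals = {user} | {g for g, members in groups.items() if user in members}
    applicable = [r for r in elem.direct + inherited_rules(elem)
                  if r.principal in principals and r.permission == permission]
    if not applicable:
        return False                         # no rule at all: no access
    if deny_wins:
        return not any(r.deny for r in applicable)
    return any(not r.deny for r in applicable)


def aggregated_permissions(elem: Element, user: str, groups: dict[str, set[str]],
                           permissions: list[str]) -> dict[str, bool]:
    """Effective rights for every listed permission, like an 'Aggregated permissions' view."""
    return {p: effective(elem, user, groups, p) for p in permissions}


# --- constructed sample tree (assumed data, not from a real installation) ---
root = Element("Root")
projects = Element("Projects", parent=root)
# The Secret folder bans inheritance of "Checkout Credentials" only.
secret = Element("Secret", parent=projects, blocked={"Checkout Credentials"})

root.direct = [Rule("staff", "Read Entity"), Rule("staff", "Checkout Credentials")]
projects.direct = [Rule("alice", "Checkout Credentials"),
                   Rule("contractors", "Checkout Credentials", deny=True)]
GROUPS = {"staff": {"alice", "bob"}, "contractors": {"bob"}}
PERMS = ["Read Entity", "Checkout Credentials"]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        for folder in (projects, secret):
            print(who, folder.name, aggregated_permissions(folder, who, GROUPS, PERMS))
```

Bob illustrates the group rule from the text: he is allowed "Checkout Credentials" on Projects through the staff group, but his contractors membership carries a DENY for the same permission, so his effective right is DENY. The Secret folder shows a per-rule ban: Alice keeps the inherited "Read Entity" but loses "Checkout Credentials" because that permission is no longer inherited.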
Read Permission list
Name of permission | Permissions |
---|---|
Read Entity | View Element |
Read Permissions | View Permissions on specific Target/Account |
Read Job | View executed jobs |
Read Revisions | Can run restore jobs (can read the different versions of the database) |
Read Vault | Can view Vault keys |
Permissions for actions performed on Folders
Operations on Folders
Name of permission | Permissions |
---|---|
Create Folder | Create new Folder |
Update Folder | Edit Folder's details |
Delete Folder | Delete Folder |
Move Folder | Move the folder under another one |
Target permissions
Operations on Targets
Name of permission | Permissions |
---|---|
Create Target | Add a new target to the database |
Update Target | Edit Target's details |
Delete Target | Delete Target from database |
Move Target | Move the target under another group |
Restore Target | Restores the whole target to the state it was in on a specified date |
Account permissions
Operations on Accounts
Name of Permission | Permissions |
---|---|
Create Account | Add a new Account to the existing Target |
Update Account | Edit Account's details |
Delete Account | Delete an Account from the database |
Checkout Credentials | Show Credentials (Password/PIN/SSH) on screen |
Secure Login | Credentials (Password/PIN/SSH) can be used with extenders (webPMSL, PMSL, Session Management), but cannot be checked out or copied. |
Check Credentials | Checking the status of the Credential |
Reset Credentials | Modify an old Credential or generate a new one (Password/PIN/SSH) |
Update Credentials | Modify credentials stored in the database (required when a credential has been changed manually on the target system, so that it can be synchronized with PassMan again) |
Checkin Credentials | Check in credentials when not needed anymore |
Permission list for actions performed on the Vault
Name of Permission | Permissions |
---|---|
Open Vault | Can open a closed Vault |
Add Vault Key | Add a new Vault key to the existing one(s) |
Delete Vault Key | Delete Vault key from the keys list |
Other Permissions
Entity operations
Name of permission | Permissions |
---|---|
Update Permissions | Change permissions |
Update Credential Policy | Edit Credentials Policy |