This section describes how Osirium PAM roles are managed within the Admin Interface, covering the following:
What are roles?
Roles are used to manage the level of access a user has to the Admin Interface. User groups are assigned to a role and members of the user group will then be granted access based upon the role.
By default Osirium PAM is configured with:
- Four pre-created user groups; PAM Owners, PAM Admins, PAM Auditors and PAM Reporters.
- Four pre-created roles; Owner, Admin, Auditor and Reporter.
- Each pre-created role has the corresponding user group assigned. For example the PAM Owners user group has been assigned the Owner role.
- A user who is a member of two or more user groups that are assigned different roles will inherit the higher role.
- A user that has not been assigned a role via user groups will be granted User access when logging into the Admin Interface.
- You can only manage roles that are hierarchically the same or lower than the role you are a member of. For example a user that is a member of the Admin role cannot add or remove users from the Owner role.
The below table provides a summary of each roles access to the Admin Interface:
|Role||Summary of Access Provided|
|Owner||Full access to the Admin Interface. Able to view, edit and perform all actions on all pages.|
|Admin||Able to view, edit and perform actions on all pages with the exceptions of:
- Generating a breakglass.
- Configuring the osirium_support account.
- Revealing credentials via the Admin Interface.
- Accessing the console Troubleshooting menu.
|Auditor||Read only access to all Manage, Reporting and System pages.|
|Reporter||Read only access to some reports.|
For further details of each role and its associated permissions see Osirium PAM access levels.
How to add a user to a role
The following steps are based upon the default Osirium PAM user groups and roles configuration.
In the left-hand menu click User groups.
Click the name of the PAM user group that you wish to add a user to.
On the User group detail page, click the
MANAGEbutton to the right of Associated users.
The Manager: users window opens, select the checkboxes for the users to be added to the user group.
SAVE CHANGES. The users are added to the user group and will be granted the associated role access.
How to add a user group to a role
In the left-hand menu click Roles.
Click the name of the role that you wish to add a user group to.
On the Role detail page, click the
MANAGEbutton to the right of Associated groups.
The Manager: user groups window opens, select the checkboxes for the user groups to be added to the role.
SAVE CHANGES. The user groups are added to the role and members of the user group will be granted the associated role access.
Editing a role
See the Common Interface functions section for inline editing.