Skip to content

Managing roles

This section describes how Osirium PAM roles are managed within the Admin Interface, covering the following:

What are roles?

Roles are primarily used to manage the level of access a user has to the Admin Interface. They are also used to manage access to the Management Interface.

User groups are assigned to a role and members of the user group will then be granted access based upon the role.

By default Osirium PAM is configured with:

  • Four pre-created user groups; PAM Owners, PAM Admins, PAM Auditors and PAM Reporters.
  • Four pre-created roles; Owner, Admin, Auditor and Reporter.
  • Each pre-created role has the corresponding user group assigned. For example the PAM Owners user group has been assigned the Owner role.

Note

  • A user who is a member of two or more user groups that are assigned different roles will inherit the higher role.
  • A user that has not been assigned a role via user groups will be granted User access when logging into the Admin Interface.
  • You can only manage roles that are hierarchically the same or lower than the role you are a member of. For example a user that is a member of the Admin role cannot add or remove users from the Owner role.

The below table provides a summary of each roles access to the Admin Interface and Management Interface:

Role Summary of Access Provided
Owner Access to the Management Interface to configure HA.

Full access to the Admin Interface. Able to view, edit and perform all actions on all pages.

Admin Able to view, edit and perform actions on all Admin Interface pages with the exceptions of:
- Generating a breakglass.
- Configuring the osirium_support account.
- Revealing credentials via the Admin Interface.
- Accessing the console Troubleshooting menu.
Auditor Read only access to all Admin Interface Manage, Reporting and System pages.
Reporter Read only access to some Admin Interface reports.

For further details of each role and its associated permissions see Osirium PAM access levels.

How to add a user to a role

The following steps are based upon the default Osirium PAM user groups and roles configuration.

  1. In the left-hand menu click User groups.

  2. Click the name of the PAM user group that you wish to add a user to.

  3. On the User group detail page, click the MANAGE button to the right of Associated users.

  4. The Manager: users window opens, select the checkboxes for the users to be added to the user group.

  5. Click SAVE CHANGES. The users are added to the user group and will be granted the associated role access.

How to add a user group to a role

  1. In the left-hand menu click Roles.

  2. Click the name of the role that you wish to add a user group to.

  3. On the Role detail page, click the MANAGE button to the right of Associated groups.

  4. The Manager: user groups window opens, select the checkboxes for the user groups to be added to the role.

  5. Click SAVE CHANGES. The user groups are added to the role and members of the user group will be granted the associated role access.

Editing a role

See the Common Interface functions section for inline editing.