Managing roles
This section describes how Osirium PAM roles are managed within the Admin Interface, covering the following:
What are roles?
Roles are primarily used to manage the level of access a user has to the Admin Interface. They are also used to manage access to the Management Interface.
User groups are assigned to a role and members of the user group will then be granted access based upon the role.
By default Osirium PAM is configured with:
- Four pre-created user groups; PAM Owners, PAM Admins, PAM Auditors and PAM Reporters.
- Four pre-created roles; Owner, Admin, Auditor and Reporter.
- Each pre-created role has the corresponding user group assigned. For example the PAM Owners user group has been assigned the Owner role.
Note
- A user who is a member of two or more user groups that are assigned different roles will inherit the higher role.
- A user that has not been assigned a role via user groups will be granted User access when logging into the Admin Interface.
- You can only manage roles that are hierarchically the same or lower than the role you are a member of. For example a user that is a member of the Admin role cannot add or remove users from the Owner role.
The below table provides a summary of each roles access to the Admin Interface and Management Interface:
Role | Summary of Access Provided |
---|---|
Owner | Access to the Management Interface to configure HA. Full access to the Admin Interface. Able to view, edit and perform all actions on all pages. |
Admin | Able to view, edit and perform actions on all Admin Interface pages with the exceptions of: - Generating a breakglass. - Configuring the osirium_support account. - Revealing credentials via the Admin Interface. - Accessing the console Troubleshooting menu. |
Auditor | Read only access to all Admin Interface Manage, Reporting and System pages. |
Reporter | Read only access to some Admin Interface reports. |
For further details of each role and its associated permissions see Osirium PAM access levels.
How to add a user to a role
The following steps are based upon the default Osirium PAM user groups and roles configuration.
-
In the left-hand menu click User groups.
-
Click the name of the PAM user group that you wish to add a user to.
-
On the User group detail page, click the
MANAGE
button to the right of Associated users. -
The Manager: users window opens, select the checkboxes for the users to be added to the user group.
-
Click
SAVE CHANGES
. The users are added to the user group and will be granted the associated role access.
How to add a user group to a role
-
In the left-hand menu click Roles.
-
Click the name of the role that you wish to add a user group to.
-
On the Role detail page, click the
MANAGE
button to the right of Associated groups. -
The Manager: user groups window opens, select the checkboxes for the user groups to be added to the role.
-
Click
SAVE CHANGES
. The user groups are added to the role and members of the user group will be granted the associated role access.
Editing a role
See the Common Interface functions section for inline editing.