Managing roles

This section describes how Osirium PAM roles are managed within the Admin Interface, covering the following:

• What are roles?
• How to add a user to a role
• How to add a user group to a role
• Editing a role

What are roles?

Roles are primarily used to manage the level of access a user has to the Admin Interface. They are also used to manage access to the Management Interface.

User groups are assigned to a role and members of the user group will then be granted access based upon the role.

By default Osirium PAM is configured with:

• Three pre-created user groups; PAM Owners, PAM Admins and PAM Auditors.
• Three pre-created roles; Owner, Admin and Auditor.
• Each pre-created role has the corresponding user group assigned. For example the PAM Owners user group has been assigned the Owner role.

Note

• A user must be a member of the Owner, Admin, or Auditor user groups to be granted access to the Admin Interface.
• A user who is a member of two or more user groups that are assigned different roles will inherit the higher role.
• You can only manage roles that are hierarchically the same or lower than the role you are a member of. For example a user that is a member of the Admin role cannot add or remove users from the Owner role.

The below table provides a summary of each roles access to the Admin Interface and Management Interface:

Role	Summary of Access Provided
Owner	Access to the Management Interface to configure HA. Full access to the Admin Interface. Able to view, edit and perform all actions on all pages.
Admin	Able to view, edit and perform actions on all Admin Interface pages with the exceptions of: - Generating a breakglass. - Configuring the osirium_support account. - Revealing credentials via the Admin Interface. - Accessing the console Troubleshooting menu.
Auditor	Read only access to all Admin Interface Manage, Reporting and System pages.

For further details of each role and its associated permissions see Osirium PAM access levels.

How to add a user to a role

The following steps are based upon the default Osirium PAM user groups and roles configuration.

1. In the left-hand menu click User groups.

2. Click the name of the PAM user group that you wish to add a user to.

3. On the User group detail page, click the MANAGE button to the right of Associated users.

4. The Manager: users window opens, select the checkboxes for the users to be added to the user group.

5. Click SAVE CHANGES. The users are added to the user group and will be granted the associated role access.

How to add a user group to a role

1. In the left-hand menu click Roles.

2. Click the name of the role that you wish to add a user group to.

3. On the Role detail page, click the MANAGE button to the right of Associated groups.

4. The Manager: user groups window opens, select the checkboxes for the user groups to be added to the role.

5. Click SAVE CHANGES. The user groups are added to the role and members of the user group will be granted the associated role access.

Editing a role

See the Common Interface functions section for inline editing.