How to configure a user in PAM so that they cannot view the target accounts' passwords?

Article ID: 104028

Updated On:

Products

  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • PAM SAFENET LUNA HSM
  • CA Privileged Access Manager (PAM)

Issue/Introduction

These steps create a Credential Manager Group that allows the user to have any permission on any target account except viewing the passwords. This article was created based on a request to deny view-password access to the Global Administrators in PAM.

Environment

Release:
Component: CAPAMX

Resolution

Steps:
  1. Copy the "System Admin" CM Role and remove the "View Account Password" privilege:
    1. Go to Credentials > Manage Credential Groups > Credential Roles.
    2. Click on the "System Admin" role and click on "Copy".
    3. Rename the new Role and click on "OK".
    4. Select the newly created role and click on "Update".
    5. Search for "View Account Password" in the right column and move the privilege to the left. Click on "OK".
  2. Create a new Credential Manager Group and assign the new role:
    1. Go to Credentials > Manage Credential Groups > Credential Groups.
    2. Click on the "Add" button.
    3. Enter a name for the Credential Manager Group.
    4. In the Role field, search for the Credential Role you created.
    5. Click on "OK".
  3. Grant the privileges to the user:
    1. Go to Users > Manage Users.
    2. Select the User and go to Credential Manager Groups.
    3. Select the newly created group and click on "OK".

Additional Information

The preconfigured Access Roles with Credential Manager privileges are:

  • Global Administrator
  • Operational Administrator
  • Password Manager

The Credential Manager Group is then assigned to a User account through the Credential Manager Groups tab. This tab has settings that are enabled when you select an Access Role with Credential Manager privileges.

CA Privileged Access Manager is preconfigured with the provisioned Credential Manager Group "System Admin Group". This might appropriately be used to provision a Global Administrator using the PM Groups setting.

Important: Credential Manager Groups are configured on a per-user basis, so the assignment must be made for each user individually.