Creating a custom delegated administrator role in PAM


Article ID: 104096

Products

  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • PAM SAFENET LUNA HSM
  • CA Privileged Access Manager (PAM)

Issue/Introduction

We have a need for a custom delegated administrator role that is somewhat different from the default delegated administrator role found in PAM. Our delegated administrators will have specific device groups and user groups assigned by a PAM global administrator and should be able to accomplish the following tasks for the assigned groups:
  • Create a new device and add it to one of the device groups
  • Create target applications and target accounts for the new device
  • Create policies between users or user groups and the new device (or the device group it’s in) and add access methods and services with auto-login using one or more of the new target accounts


Environment

The attached procedure was tested successfully with PAM 3.1.2 and PAM 3.2.

Resolution

The attached document details one procedure for configuring a role with the capabilities listed above. It covers creating the access role, creating the credential manager (CM) role, and creating the CM target group and CM user group that the delegated administrator requires.

For a discussion of the built-in access roles, their privileges, and the privilege definitions, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/master-provisioning-settings/identify-desired-user-roles.
For information on credential manager roles and groups, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/add-credential-manager-roles-and-groups.

Attachments

1558536555558RP_DelegatedAdmin_config.docx