Creating a custom delegated administrator role in PAM
Article ID: 104096
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Issue/Introduction
We have a need for a custom delegated administrator role that is somewhat different from the default delegated administrator role found in PAM. Our delegated administrators will have specific device groups and user groups assigned by a PAM global administrator and should be able to accomplish the following tasks for the assigned groups:
Create a new device and add it to one of the device groups
Create target applications and target accounts for the new device
Create policies between users or user groups and the new device (or the device group it’s in) and add access methods and services with auto-login using one or more of the new target accounts
Environment
The attached procedure was tested successfully with PAM 3.1.2 and PAM 3.2.
Resolution
The attached document details one procedure for configuring a role with the capabilities listed above. This includes creating the access role and the credential manager (CM) role, and creating the CM target and user groups required for the delegated administrator.
For a discussion of the built-in access roles, their privileges, and the privilege definitions, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/master-provisioning-settings/identify-desired-user-roles. For information on credential manager roles and groups, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/add-credential-manager-roles-and-groups.