Least privilege role/permissions for api users to check out a vaulted password.

Article ID: 268160

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We need to enable the REST API for a user and set up least-privilege access to the secrets in a single vault, in both read-only and read/write modes.

Environment

Release : 4.1

Resolution

API keys are limited to the scope of the user to which they belong, so vault access is granted to the user first and the key inherits it.

Before a user can be assigned a role in a vault, the user needs the Session Manager role "Secrets Management", or some other role that includes the privilege "Enable Secrets Management". Once that is in place, you can assign the user to a vault under the Vault Managers tab in the Vault editor.

For read-only access, assign the "SecretViewer" role. For read/write access, assign the "SecretOwner" role. Note that "SecretOwner" also includes the Add and Delete privileges, not just Update; PAM does not have a role that allows only Read and Update at this time.

The API key itself also needs the "Secrets Management" role assigned. With this role it will have access to the vaults configured for the user.