How to Create a Privileged Access Role



Article ID: 46751




Products: CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


How to set up SAM to grant access to privileged accounts based on AD groups?


Release: ACP1M005900-12.8-Privileged Identity Manager


This can be achieved by creating Privileged Access Roles on ENTM. Follow the steps below:

  1. Access ENTM with an ENTM Admin user;
  2. Navigate to “Users and Groups”/”Roles”/”Privileged Access Roles”/”Create Role”;
  3. Check the option to create a new role and click OK;
  4. Give the new role a friendly name and make sure the Enabled option is checked;
  5. Click on the “Tasks” tab. At the first drop-down list, select “Home”;
  6. At the second drop-down list, select “My Accounts”;
  7. Repeat steps 5 and 6, this time selecting “My Privileged Accounts”;
  8. Click on the “Members” tab. At “Users”, select “who are members of <group-member-rule>”;
  9. On the new list that just opened, select “group <group>”;
  10. Click on the ellipsis (…) button and select the AD group you want, by using the search filters on screen (for example, search for “SQL” and select the group “SQL Server Users”);
  11. At the “Add new scoping rule” list, select “Endpoint Type”;
  12. At the filter list, select “where <Endpoint Type-filter>”;
  13. Select “<Endpoint Type-attribute> <comparator> <value>”;
  14. Select the attribute you want to use to filter the endpoint types (for example, “Name”);
  15. Select the operator (for example, “contains”);
  16. Type in the filter value (for example, “SQL”);
  17. Repeat steps 11 to 16, this time selecting “Privileged Account” as scoping rule and “Endpoint Type” as an attribute to use to filter the accounts;
  18. Click OK;
  19. Navigate to the “Owners” tab;
  20. Click Add;
  21. Select Users and “who are members of <role-rule>”;
  22. Select “admin role”;
  23. Click on the ellipsis (…) button and select the “System Manager” Admin Role (by searching for system*);
  24. Click OK;
  25. Click Submit.

Now the members of the group you selected in step 10 will see only the accounts for the endpoint type filtered in steps 16 and 17. If those users need access to different endpoint types, they can request it via the “Privileged Account Request” task.
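The role built above is easiest to reason about as a member rule (step 10) plus two scoping rules (steps 11 to 17) that are evaluated against every privileged account. The Python model below is an added example, not CA PIM or ENTM code and not its API: the classes, account data, endpoint type names and AD group names are constructed, and the comparators are assumed to be case-insensitive. It lets you check, before clicking Submit, which accounts a member of the group would actually see, and whether a filter value such as “SQL” is narrow enough.

```python
"""Model of how a Privileged Access Role scopes what a member can see.

Added illustration, not CA PIM/ENTM code. It mimics the member rule
("who are members of group X") and the two scoping rules from the
procedure (Endpoint Type filter, then Privileged Account filter on
Endpoint Type). All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    endpoint: str
    endpoint_type: str  # e.g. "SQL Server", "Windows Agentless", "UNIX"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # AD group memberships


@dataclass(frozen=True)
class ScopingRule:
    scope: str       # "Endpoint Type" (steps 11-16) or "Privileged Account" (step 17)
    attribute: str   # "Name" on an endpoint type; "Endpoint Type" or "Name" on an account
    comparator: str  # "equals", "contains" or "starts with" (assumed set)
    value: str

    def _attribute_value(self, account):
        if self.scope == "Endpoint Type" and self.attribute == "Name":
            return account.endpoint_type
        if self.scope == "Privileged Account" and self.attribute == "Endpoint Type":
            return account.endpoint_type
        if self.scope == "Privileged Account" and self.attribute == "Name":
            return account.name
        raise ValueError(f"unsupported rule {self.scope}/{self.attribute}")

    def matches(self, account):
        # Comparison is case-insensitive by assumption.
        actual = self._attribute_value(account).lower()
        expected = self.value.lower()
        if self.comparator == "equals":
            return actual == expected
        if self.comparator == "contains":
            return expected in actual
        if self.comparator == "starts with":
            return actual.startswith(expected)
        raise ValueError(f"unknown comparator {self.comparator!r}")


@dataclass(frozen=True)
class PrivilegedAccessRole:
    name: str
    enabled: bool            # step 4: a disabled role grants nothing
    member_groups: frozenset  # step 10: AD group(s) in the member rule
    scoping_rules: tuple      # steps 11-17: every rule must match

    def is_member(self, user):
        return self.enabled and bool(user.groups & self.member_groups)

    def visible_accounts(self, user, accounts):
        if not self.is_member(user):
            return []
        return [a for a in accounts if all(r.matches(a) for r in self.scoping_rules)]

    def needs_request(self, user, account, accounts):
        """True when a member can only reach the account through the
        Privileged Account Request task (it is outside the role's scope)."""
        return self.is_member(user) and account not in self.visible_accounts(user, accounts)


# --- constructed sample data (not real endpoints or groups) ---
ACCOUNTS = (
    PrivilegedAccount("sa", "sqlprd01", "SQL Server"),
    PrivilegedAccount("sa", "sqlprd02", "SQL Server"),
    PrivilegedAccount("Administrator", "winapp01", "Windows Agentless"),
    PrivilegedAccount("root", "unixdb01", "UNIX"),
)

SQL_ROLE = PrivilegedAccessRole(
    name="SQL Server Privileged Access",
    enabled=True,
    member_groups=frozenset({"SQL Server Users"}),
    scoping_rules=(
        ScopingRule("Endpoint Type", "Name", "contains", "SQL"),
        ScopingRule("Privileged Account", "Endpoint Type", "contains", "SQL"),
    ),
)

DBA = User("alice", frozenset({"SQL Server Users", "Domain Users"}))
HELPDESK = User("bob", frozenset({"Helpdesk", "Domain Users"}))


def visible_names(role, user):
    """Sorted 'account@endpoint' strings the user would see under the role."""
    return sorted(f"{a.name}@{a.endpoint}" for a in role.visible_accounts(user, ACCOUNTS))


def overly_broad(role, accounts):
    """Pre-submit check: does the scope reach more than one endpoint type?"""
    types = {a.endpoint_type for a in accounts if all(r.matches(a) for r in role.scoping_rules)}
    return len(types) > 1


if __name__ == "__main__":
    print("DBA sees:", visible_names(SQL_ROLE, DBA))
    print("Helpdesk sees:", visible_names(SQL_ROLE, HELPDESK))
    print("Scope too broad?", overly_broad(SQL_ROLE, ACCOUNTS))
```

The `overly_broad` check is the caveat worth keeping in mind for step 16: a “contains” filter on a short string can match more endpoint types than intended, so review the filter value against the full list of endpoint types before submitting the role.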