SAPM Account Permissions
Kron PAM administrators can assign different authorization levels to different user groups or users for SAPM accounts. For example, one user group or user can have full control rights for a SAPM account, while another user group or user has list-only rights. To set permissions on SAPM accounts:
- Navigate to SAPM Management > SAPM Management.
- Open the SAPM Accounts tab.
- Select the account to set permissions for, click the Options button, and select Permissions.
- Select the user (User or User Group) and the permission types.
- Click Save.
Permission Types:
- LIST_ONLY: Can only see the SAPM account.
- READ_ONLY_FIRST_PART: Can only see the first half of the SAPM password.
- READ_ONLY_SECOND_PART: Can only see the second half of the SAPM password.
- READ_ONLY: Can only see the SAPM password.
- MANAGE_PASSWORD: Can only manage the SAPM password.
- READ_WRITE: Has full control permission, except for the edit account option.
- FULL_CONTROL: Has full control. Applies to admins of this SAPM account. These users have full authority for actions such as resetting or changing the password and giving permission to other users.
Multiple permissions can be assigned to a User Group or User. When more than one permission applies, the user accesses the account with the rights of the highest permission level.
One user can be a member of multiple user groups with different rights. In this case, the following permission order will apply:
FULL_CONTROL > READ_WRITE > MANAGE_PASSWORD > READ_ONLY > READ_ONLY_FIRST_PART > READ_ONLY_SECOND_PART > LIST_ONLY
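For an access review, the precedence above can be applied to an exported list of assignments to see which grant actually takes effect for each user and which lower grants it overrides. The following is an added example, not part of Kron PAM or its documentation; the users, groups, account name, and data layout are constructed for illustration.

```python
# Precedence exactly as listed on the page, highest first.
ORDER = ["FULL_CONTROL", "READ_WRITE", "MANAGE_PASSWORD", "READ_ONLY",
         "READ_ONLY_FIRST_PART", "READ_ONLY_SECOND_PART", "LIST_ONLY"]
RANK = {name: len(ORDER) - i for i, name in enumerate(ORDER)}

# Constructed sample data: hypothetical users, groups and account name.
GROUPS = {"dba": {"alice", "bob"}, "helpdesk": {"bob", "carol"},
          "auditors": {"carol"}}
# Rows are (account, principal kind, principal, permission type).
ASSIGNMENTS = [
    ("oracle-sys", "group", "dba", "MANAGE_PASSWORD"),
    ("oracle-sys", "group", "helpdesk", "LIST_ONLY"),
    ("oracle-sys", "group", "auditors", "READ_ONLY_FIRST_PART"),
    ("oracle-sys", "user", "carol", "READ_ONLY_SECOND_PART"),
    ("oracle-sys", "user", "alice", "FULL_CONTROL"),
]

def grants_for(user, account, assignments, groups):
    """Every (permission, source) pair that reaches the user on the account."""
    found = []
    for acct, kind, principal, perm in assignments:
        if acct != account:
            continue
        if perm not in RANK:
            raise ValueError(f"unknown permission type: {perm}")
        if kind == "user" and principal == user:
            found.append((perm, "direct"))
        elif kind == "group" and user in groups.get(principal, set()):
            found.append((perm, f"group:{principal}"))
    return found

def effective(user, account, assignments=ASSIGNMENTS, groups=GROUPS):
    """Highest-ranked grant wins; None means no grant reaches the user."""
    grants = grants_for(user, account, assignments, groups)
    return max(grants, key=lambda g: RANK[g[0]]) if grants else None

def review(account, assignments=ASSIGNMENTS, groups=GROUPS):
    """Map each user to the winning grant and the lower grants it overrides."""
    users = set().union(*groups.values())
    users |= {p for _, kind, p, _ in assignments if kind == "user"}
    report = {}
    for user in sorted(users):
        grants = grants_for(user, account, assignments, groups)
        if grants:
            top = max(grants, key=lambda g: RANK[g[0]])
            report[user] = {"effective": top[0], "via": top[1],
                            "overridden": [g for g in grants if g != top]}
    return report

if __name__ == "__main__":
    for user, row in review("oracle-sys").items():
        print(user, row)
```

The `via` field shows whether an effective right comes from a direct assignment or from a group membership, which is the detail to check when a user belongs to several groups.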
If authorized users are assigned to SAPM Management, the Kron PAM administrator must define the following parameter in the system config manager to authorize their own accounts to access other user groups:
| Parameter Name | Parameter Value |
| --- | --- |
| sapm.all.usergroup.seen.permission | true |