Password Vault Account Permissions
Kron PAM administrators can assign different authorization levels to different user groups or users for Password Vault accounts. For example, a user group or a user can get full control rights for a Password Vault account, while another user group or another user can have list-only rights. To set permissions to Password Vault accounts:
- Navigate to Vault Secrets > Vault.
- Open the Vault tab.
- Select the account to set permissions for, click the Options button, and select Permissions.
- Select the user (User or User Group) and the permission types.
Permission Types:
LIST_ONLY: To only have the authority to see the account of the Password Vault.
READ_ONLY_FIRST_PART: To only have the authority to see the first half of the Password Vault Password.
READ_ONLY_SECOND_PART: To only have the authority to see the second half of the Password Vault Password.
READ_ONLY: To only have the authority to see the Password Vault Password.
MANAGE_PASSWORD: To only have the authority to manage the Password Vault Password.
READ_WRITE: To have full control permission, except for the Permissions option.
FULL_CONTROL: To have full control. Applies to admins of this Password account. These users have full authority for actions such as resetting, changing the password, and giving permission to other users.
Multiple permissions can be assigned to a User Group or User. According to the permission levels, users will access the accounts with the highest permission, with those rights.
One user can be a member of multiple user groups with different rights. In this case, the following permission order will apply:
FULL_CONTROL > READ_WRITE > MANAGE_PASSWORD > READ_ONLY > READ_ONLY_FIRST_PART > READ_ONLY_SECOND_PART > LIST_ONLY
If authorized users are assigned to SAPM Management, the Kron PAM administrator must define the following parameter in the system configuration manager to authorize their accounts to access other user groups:
Parameter Name | Parameter Value |
sapm.all.usergroup.seen.permission | true |