Add a Safe member

This topic describes Safe member permissions, and how to add a member (user or group) to a Safe.

Add Safe member authorizations

To add a Safe member, users must have the following authorization in the Vault:

Authorization

Description

Manage Safe Members

This authorization is given at the Safe level, as part of the Safe member authorizations.

It enables the user to perform the following actions:

  • Add existing Vault users and groups as Safe members in the PVWA

  • Add users in external LDAP directories as Safe members in the PVWA

  • Specify and update Safe permissions

  • Remove a user from a Safe

Safe member permissions

Safe member permissions are grouped according to functionality. When adding a Safe member, you can assign a group of permissions to a Safe member or choose specific permissions within a group.

 

When you assign permissions to a new Safe member, you can only assign the specific permissions that your user has.

Safe member permissions are separated into the following groups:

Access permissions enable users to access accounts in the Safe, and perform the following actions:

Permission

Enables Safe Members to …

List accounts

View Account lists. Users who have this authorization can do the following:

View the Accounts or Files list

Use Accounts

Use accounts in the Safe. Users who have this authorization and the List accounts authorization can do the following:

Log on to a remote machine through a PSM connection from the Accounts List by clicking the Connect with account icon.
Log on to a remote machine through a PSM connection from the Account Details page or from the Versions tab by clicking the Connect button.

 

To log on to remote machines through a non-PSM connection, users require the Retrieve accounts authorization as well.

Retrieve accounts

Retrieve and view accounts in the Safe. Users who have this authorization can do the following:

View the account in the Account Details page and the Versions tab by clicking the Show button in the account content panel. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.
Copy the account in the Account Details page by clicking the Copy button. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.
Display the account in the Accounts list by clicking the Show/Copy password icons. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.
Log on to a remote machine through the PVWA. Platforms can be configured not to display the account value to end users, but only allow the connection.
Save files by clicking the Save As button in the Files List, File Details and File Versions pages.
Open files that are stored in the Vault through the Files List, File Details and File Versions pages.

Account Management permissions enable users to perform the following actions on accounts:

Permission

Enables Safe Members to …

Add accounts

 Add accounts in the Safe.
Users who are given this authorization in PVWA automatically receive Update account properties as well.
Add accounts in the Accounts List and Account Details page by clicking Add Account.
Manage account groups and platforms in the CPM tab of the Account Details page by clicking Add, New or Change.

Update account properties

Update existing account properties. This does not include adding new accounts or updating account values. Users who have this authorization can do the following:

Update a selected account’s properties in the Account Details page by clicking the Edit button.
Manage logon and reconcile accounts in the CPM tab of the Account Details page with the Associate, Add New, and Clear buttons.
Manage account groups and platforms in the CPM tab of the Account Details page.
Save any account property values that are specified in the Remote connection details window for connections when the user connects to a remote machine from the Accounts List, Account Details page, or the Versions tab.

Update account content

 Change account values as well as the contents of files. Users who have this authorization can do the following:
Change account values manually in the Account Details page by clicking the Edit button.
Undelete accounts in the Account Details page of the deleted account by clicking the Undelete button. This is only relevant during the file retention period.
Manage account copies that are linked to accounts and are stored in the same Safe by clicking Add or Edit in the account usage tab.
Upload files to the Vault by clicking the Upload button in the Files Details page.

Initiate CPM account management operations

Initiate account management operations through the CPM, such as changing, verifying, and reconciling account values. Users who have this authorization can initiate CPM account management operations in the Accounts List and the Search results page, as well as the Account Details page by clicking Change, Verify, or Reconcile on the toolbar. In the Change Password window, the ‘Manually selected password’ option will be enabled if the user has the ‘Specify next account content’ authorization.

Specify next account content

Specify the content that will be used when the CPM changes the account value. Users who have this authorization can do the following:

Specify the next content that will be used as the account value in the Change Password and Immediate Password Change pages.

If the user does not have this authorization, the ‘Manually selected password’ option will be disabled and the CPM will set a new randomly generated account value.

 

This authorization can only be given to users to have the Initiate CPM account management operations authorization.

Rename accounts

Rename existing accounts in the Safe in the Advanced section of the Edit Account page.

Delete accounts

Delete existing accounts in the Safe. Users who have this authorization can do the following:

Delete the account in the Account Details page by clicking the Delete button.
Delete account copies that are linked to Windows accounts and are stored in the same Safe by clicking Delete in the account usage tab.

Unlock accounts

 Unlock accounts that are locked by other users. Users who have this authorization can do the following:
Unlock accounts that are locked by other users in the Account Details page by clicking Release on the toolbar, This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
Unlock accounts that are locked by other users in the Advanced section of the Edit Account page by clicking Release. This is only relevant when the Enforce check-in/check-out exclusive access policy rule is configured.
Unlock files that are locked by other users in the File Details page by clicking Unlock on the toolbar.

Safe Management permissions enable users to perform account management tasks.

Permission

Enables Safe Members to …

Manage Safe

Edit Safe properties.

Manage Safe members

Set permissions for Safe members.

Back up Safe

Back up a Safe.

Monitor permissions enable users to perform account management tasks.

Permission

Enables Safe Members to …

View audit log

View account activity in the Safe.

View Safe members

View the permissions of Safe members.

Workflow permissions enable users to control account workflows in the Safe.

Permission

Enables Safe Members to …

Confirm requests

Confirm a request to access an account in the Safe.

With Level 1 permissions, a Safe member receives requests immediately.

With Level 2 permissions, a Safe member receives requests after the required number of Level 1 confirmations.

Users also require the ‘List accounts’ authorization to see the Request details of the account requests waiting for their confirmation.

Access Safe without confirmation

Access an account in the Safe without requesting confirmation from authorized users. This overrides the Safe properties that specify that Safe members require confirmation to access the Safe.

Advanced permissions enable users to perform the following folder-related actions in the Safe.

Permission

Enables Safe Members to …

Move accounts/
folders

Move accounts and folders in the Safe to different folders and subfolders.

Create folders

Create folders in the Safe.

Delete folders

Delete folders from the Safe.

Add a Safe member

  1. In the Safes list, locate the relevant Safe, and on the right side of the row, click Manage members.

  2. In the Members window, click Add Member.

    The Add Safe Member window appears.

    add member 1

    The default authorizations for new Safe Members are selected. These authorizations are configured in the Default Safe Authorizations in the Web Access Options in the System Configuration page. For more information, see Default Safe Authorizations.

  3. Search for a user or group:

    1. In the Search box, enter either part of the name or the whole name of the user or group to add as a Safe member. To search for all users, leave the Search box empty.

    2. In the Search In drop-down box, select the Vault or the external directory where the user or group is located, and then click Search.

    A list of users and groups whose names match the specified keyword appears.

  4. Select the user or group that you want, and then select the authorizations:

    • Click a group's title to expand or collapse a group's permissions

    • Click a check box to either select or remove a specific permission

    • Click a group's title check box to select or remove a group of permissions.

  5. To specify a date when the user's Safe membership should end, select the Membership expires on date check box, and enter a date.

  6. Click Add.

    The user or group is added to the Safe.

  7. Click Close.

    The Safe Details page appears and the new Safe member is added to the Safe members list.

For more information about managing users in external directories, see External user accounts. For more information about configuring search parameters for LDAP users and groups, see LDAP directory search parameters.