Manage Safe members

This topic describes how to add Safe members, edit Safe member permissions, and remove a Safe member from a Safe.

What are Safe members?

Users who have access to safes are called Safe members. A Safe member can be a single user or a group.

Each Safe member is given a unique set of permissions in the Safe that enable them to perform tasks on accounts and files in that Safe.

These permissions are given to each Safe member individually.

The list of system users also displays predefined users that are automatically assigned to each Safe by the system when the Safe is created. See Predefined users and groups for Privilege Cloud Standard.

Required authorizations

Users require the following authorizations to manage Safe members:

Authorization	Description
Manage Safe Members	This authorization is given at the Safe level, as part of the Safe member authorizations. It enables the user to perform the following actions: Add existing Privilege Cloud users and groups as Safe members in the Privilege Cloud Portal Add users in external LDAP directories as Safe members in the Privilege Cloud Portal Specify and update Safe permissions Remove a user from a Safe
View Safe Members	Enables the user to view the permissions of Safe members in the Privilege Cloud Portal.

Authorization

Description

Manage Safe Members

This authorization is given at the Safe level, as part of the Safe member authorizations.

It enables the user to perform the following actions:

Add existing Privilege Cloud users and groups as Safe members in the Privilege Cloud Portal
Add users in external LDAP directories as Safe members in the Privilege Cloud Portal
Specify and update Safe permissions
Remove a user from a Safe

View Safe Members

Enables the user to view the permissions of Safe members in the Privilege Cloud Portal.

Add Safe members

Add Safe members through the Privilege Cloud portal.

To add Safe members:

In the Privilege Cloud portal, click Policies> Safes.
Select a Safe from the list, and then click the Members tab.
Click Add Members.

The Add member to Safe wizard opens.

On the Select Safe members page, search and select the members that you want to add.

The maximum number of Safe members is 64, including predefined users. In the list of potential members, select up to ten users at a time, and repeat until all necessary users are assigned.

Use the following filter options.

Field	Description
Source	Narrow the search according to the origin of the users/groups: Privilege Cloud (created locally) External directories, like LDAP
Member type	User Group
Search	Search for a specific member by name. Enter an alphanumeric string of at least three characters. Member names cannot include the following characters: \ / : * < > “ \| ? % & + If you are searching for a name that is less than three characters, enter the first character followed by two spaces, or first two characters followed by a space Results display names that include the search string anywhere in the name.

Field

Description

Source

Narrow the search according to the origin of the users/groups:

Privilege Cloud (created locally)
External directories, like LDAP

Member type

User
Group

Search for a specific member by name.

Enter an alphanumeric string of at least three characters.

Member names cannot include the following characters: \ / : * < > “ | ? % & +

If you are searching for a name that is less than three characters, enter the first character followed by two spaces, or first two characters followed by a space

Results display names that include the search string anywhere in the name.

After you select all the members you want to add to the safe, you can use the Show selected only toggle to verify your selection, and then click Next.
On the Set Permissions page, set the permissions for the Safe member.
- Membership expiration is Off by default. You can click Set and define an expiration date.
- Permissions presets allow to select a preconfigured permissions profile. Select one of the default profiles. You can adjust default preset permissions according to need, in which case the preset type changes to Custom.
  
  For details about permissions and their meaning, see Permissions.
Click Add member.

Edit Safe member permissions

When you edit a Safe member's permissions, you can assign only the specific permissions that your user has.

You can only edit a Safe member's permissions who has either the same permissions that you have or less permissions.

In the Privilege Cloud portal, click Policies > Safes.
Select a Safe from the list, and then click the Members tab.
For the Safe member that you want to update, click the More options button and then select Manage Permissions.
Change the Safe permissions for this Safe member, according to the following options:
- Set membership expiration date
- Select a Permissions preset profile or select a custom group of specific permissions
- Click Show permissions to view the permissions in a group
- Click a check box to either select or remove a specific permission
- Click a group's title check box to select or remove a group of permissions.
Click Save.

Remove Safe members

In the Privilege Cloud portal, click Policies > Safes.
Select a Safe from the list, and then click the Members tab.
For the Safe member that you want to remove, click the More options button and select Remove.

Permissions

This section includes all the permissions that you can grant to Safe members, grouped by the permission's type.

Access

These permissions enable users to access accounts in the Safe, including the following tasks:

Permission	Enables Safe members to …
List accounts	View Account lists. Users who have this authorization can do the following: View the Accounts or Files list.
Use Accounts	Use accounts in the Safe. Users who have this authorization can do the following: Log on to a remote machine through the PSM from the Accounts List by clicking the Connect with account icon. Log on to a remote machine through the PSM from the Account Details page or from the Versions tab by clicking the Connect button.
Retrieve accounts	Retrieve and view accounts in the Safe. Users who have this authorization can do the following: View the account in the Account Details page and the Versions tab by clicking the Show button in the account content panel. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization. Copy the account in the Account Details page by clicking the Copy button. Display the account in the Accounts list by clicking the Show/Copy password icons. Log onto a remote machine transparently through the Privilege Cloud Portal. Platforms can be configured not to display the account value to end users, but only allow the transparent connection. Save files by clicking the Save As button in the Files List, File Details and File Versions pages. Open files that are stored in the Vault through the Files List, File Details and File Versions pages.

Permission

Enables Safe members to …

List accounts

View Account lists. Users who have this authorization can do the following:

View the Accounts or Files list.

Use Accounts

Use accounts in the Safe. Users who have this authorization can do the following:

Log on to a remote machine through the PSM from the Accounts List by clicking the Connect with account icon.
Log on to a remote machine through the PSM from the Account Details page or from the Versions tab by clicking the Connect button.

Retrieve accounts

Retrieve and view accounts in the Safe. Users who have this authorization can do the following:

View the account in the Account Details page and the Versions tab by clicking the Show button in the account content panel. If the platform attached to the account doesn’t permit users to view the account, the user requires the ‘Manage Safe’ authorization.
Copy the account in the Account Details page by clicking the Copy button.
Display the account in the Accounts list by clicking the Show/Copy password icons.
Log onto a remote machine transparently through the Privilege Cloud Portal. Platforms can be configured not to display the account value to end users, but only allow the transparent connection.
Save files by clicking the Save As button in the Files List, File Details and File Versions pages.
Open files that are stored in the Vault through the Files List, File Details and File Versions pages.

Account Management

These permissions enable users to perform account management tasks, including the following tasks:

Permission	Enables Safe members to …
Add accounts	Add accounts in the Safe. Users who are given this authorization in Privilege Cloud portal automatically receive Update account properties as well. Add accounts in the Accounts List and Account Details page by clicking Add Account.
Update account properties	Update existing account properties. This does not include adding new accounts or updating account values. Users who have this authorization can do the following: Update a selected account’s properties in the Account Details page by clicking the Edit button. Manage log on and reconcile accounts in the CPM tab of the Account Details page with the Associate, Add New, and Clear buttons. To access these options, click Additional details and actions in classic interface. Save any account property values that are specified in the Remote connection details window for transparent connections when the user connects to a remote machine from the Accounts List, Account Details page, or the Versions tab.
Update account content	Change account values as well as the contents of files. Users who have this authorization can do the following: Change account values manually in the Account Details page by clicking the Edit button. Undelete accounts in the Account Details page of the deleted account by clicking the Undelete button. This is only relevant during the file retention period. Upload files to the Vault by clicking the Upload button in the Files Details page.
Initiate CPM account management operations	Initiate account management operations through the CPM, such as changing, verifying, and reconciling account values. Users who have this authorization can initiate CPM account management operations in the Accounts List and the Search results page, as well as the Account Details page by clicking Change, Verify, or Reconcile on the toolbar. In the Change Password window, the ‘Manually selected password’ option will be enabled if the user has the ‘Specify next account content’ authorization.
Specify next account content	Specify the content that will be used when the CPM changes the account value. Users who have this authorization can do the following: Specify the next content that will be used as the account value in the Change Password and Immediate Password Change pages. If the user does not have this authorization, the ‘Manually selected password’ option will be disabled and the CPM will set a new randomly generated account value. This authorization can only be given to users to have the Initiate CPM account management operations authorization.
Rename accounts	Rename existing accounts in the Safe in the Advanced section of the Edit Account page.
Delete accounts	Delete existing accounts in the Safe. Users who have this authorization can do the following: Delete the account in the Account Details page by clicking the Delete button.
Unlock accounts	Unlock accounts that are locked by other users. Users who have this authorization can do the following: Unlock files that are locked by other users in the File Details page by clicking Unlock on the toolbar.

Safe management

These permissions enable members to perform safe management tasks, including the following tasks:

Permission	Enables members to …
Manage safe	Edit safe properties
Backup safe	Backup the safe
View audit log	View account activity in the Safe.
View safe members	View Safe members' permissions.
Manage safe members	Manage safe members and their permissions.

Workflow

These permissions enable users to control account workflows in the Safe.

Permission	Enables Safe members to …
Confirm requests (authorize account requests)	Allows to confirm a Safe member's request to enter a Safe. Users also require the ‘List accounts’ authorization to see the Request details of the account requests waiting for their confirmation. Level 1 confirmer - receives requests immediately Level 2 confirmer - receives requests after the required number of level 1 confirmations
Access Safe without confirmation	Access the Safe without confirmation from authorized users. This overrides the Safe properties that specify that Safe members require confirmation to access the Safe.

Permission

Enables Safe members to …

Confirm requests (authorize account requests)

Allows to confirm a Safe member's request to enter a Safe. Users also require the ‘List accounts’ authorization to see the Request details of the account requests waiting for their confirmation.

Level 1 confirmer - receives requests immediately

Level 2 confirmer - receives requests after the required number of level 1 confirmations

Access Safe without confirmation

Access the Safe without confirmation from authorized users. This overrides the Safe properties that specify that Safe members require confirmation to access the Safe.

Advanced

These permissions enable users to perform folder related activities in the Safe, including the following tasks:

Permission	Enables Safe members to …
Move accounts/ folders	Move accounts and folders in the Safe to different folders and subfolders.
Create folders	Create folders in the Safe.
Delete folders	Delete folders from the Safe.