The Privileged Access Security solution provides granular access control for passwords and files that are stored in the Vault. Object level access enables you to control who can retrieve and use specific passwords and files in the Safe, regardless of Safe level member authorizations. For example, an external vendor or technician can be given retrieve or use authorizations for a specific password which he will be able to use without being aware of any other passwords or files in the Safe.
When a new password or file is added to a Safe, each Safe member will have their default permissions on that new object, as set in their Safe member authorizations. However, these authorizations can be changed granularly for individual passwords or files.
You can see a general summary of each user’s access control and authorizations in the Entitlement report.
Configure the Safe
Object level access control can be configured in the PVWA. It can be set either when the Safe is created or by updating an existing Safe’s properties. Once enabled, object level access control cannot be disabled.
Configure user accounts
Any user who is a Safe member can be given object level access.
Add all users who will access passwords or files in the Safe as Safe members. The Safe member authorization that you select affects access to objects in the Safe as follows:
■ If the user has the Use accounts or Retrieve accounts authorization, you can remove these authorizations from individual passwords or files to prevent the user from accessing them.
■ If the user has neither of these authorizations, you can grant them individually on specific passwords and files to enable the user to access them.
View the Safe members list
Authorized users can view a list of users who have permission to retrieve a selected account or file in the Object Properties window. Users require the following Safe member authorization in order to view the list of Safe members who are authorized to retrieve a specific account or file:
■ View Safe Members
Users who do not have this authorization will not be able to see the Permissions tab in the Account Details window.
1. Display the Account Details window for the password for which you want to see who has access.
2. Click the Permissions tab; a list of all the Safe members for this Safe is displayed. You can see which users have the ‘Use passwords’ authorization for the current account and which have the ‘Retrieve passwords’ authorization for it.
Manage Object Level Access Control
Authorized users can give use and retrieve permissions on individual passwords or files to Safe members who do not have retrieval permissions in the Safe. These users can also revoke retrieval permissions for specific users on individual passwords or files.
Users require the following Safe member authorizations in order to manage Object Level Access Control:
■ View Safe Members
■ Manage Safe members
■ One of the following:
    ■ Retrieve passwords authorization
    ■ Use passwords authorization
    ■ Neither the ‘Retrieve passwords’ nor the ‘Use passwords’ authorization, but authorization to access the specific password or file.
Users who do not have all of the above authorizations cannot add Safe members to, or remove them from, the list of users who are authorized to use or retrieve the specified password or file.
1. In the Permissions tab, click the name of the user to whom you want to grant or deny access to the password; the Change Permissions window appears. This window enables you to change the user’s access permissions for this password or file.
2. Change the permission, then click OK; the user’s permission is changed and the current permission is displayed in the Authorized Safe member list.
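As an added illustration (not CyberArk code and not the PVWA API), the following Python model encodes the two rules from Configure user accounts, the Permissions tab view, and the three authorization requirements for managing Object Level Access Control, so an auditor can compute who effectively holds Use or Retrieve on a given object. The Safe, the users admin/auditor/vendor and the account name db-prod-sa are constructed.

```python
from dataclasses import dataclass, field

RETRIEVE, USE = "Retrieve accounts", "Use accounts"
VIEW_MEMBERS, MANAGE_MEMBERS = "View Safe Members", "Manage Safe members"
OLAC_PERMS = {RETRIEVE, USE}  # the two authorizations OLAC can override per object

@dataclass
class Safe:
    members: dict[str, set[str]]  # Safe-level authorizations per member (constructed)
    # object -> user -> Use/Retrieve set replacing that user's Safe-level default
    overrides: dict[str, dict[str, set[str]]] = field(default_factory=dict)

    def effective(self, user: str, obj: str) -> set[str]:
        """Effective Use/Retrieve authorizations of `user` on one password/file."""
        if user not in self.members:
            return set()  # only Safe members can hold object level access
        override = self.overrides.get(obj, {}).get(user)
        if override is not None:
            return override & OLAC_PERMS  # granular grant or revoke wins
        return self.members[user] & OLAC_PERMS  # Safe-level default, e.g. new objects

    def can_manage_olac(self, user: str, obj: str) -> bool:
        """View + Manage Safe members, plus Retrieve/Use or access to this object."""
        perms = self.members.get(user, set())
        if not {VIEW_MEMBERS, MANAGE_MEMBERS} <= perms:
            return False
        return bool(perms & OLAC_PERMS) or bool(self.effective(user, obj))

    def set_object_access(self, actor: str, target: str, obj: str, perms: set[str]) -> None:
        """Grant or revoke Use/Retrieve on one object, enforcing who may do so."""
        if not self.can_manage_olac(actor, obj):
            raise PermissionError(f"{actor} may not manage access to {obj}")
        if target not in self.members:
            raise ValueError(f"{target} is not a Safe member")
        self.overrides.setdefault(obj, {})[target] = set(perms) & OLAC_PERMS

    def who_can_retrieve(self, obj: str) -> set[str]:
        """What the Permissions tab lists: members with Retrieve on this object."""
        return {u for u in self.members if RETRIEVE in self.effective(u, obj)}

def demo() -> Safe:
    """Constructed scenario: admin, auditor with Safe-wide Retrieve, vendor with none."""
    safe = Safe(members={
        "admin": {VIEW_MEMBERS, MANAGE_MEMBERS, RETRIEVE, USE},
        "auditor": {RETRIEVE},
        "vendor": set(),
    })
    safe.set_object_access("admin", "vendor", "db-prod-sa", {RETRIEVE})  # granular grant
    safe.set_object_access("admin", "auditor", "db-prod-sa", set())      # granular revoke
    return safe
```

Any object without an override (for example a newly added account) falls back to the member's Safe-level authorizations, which is the default behaviour the page describes.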