Object Level Access Control

The Privileged Access Security solution provides granular access control for passwords and files that are stored in the Vault. Object level access control enables you to control who can retrieve and use specific passwords and files in the Safe, regardless of their Safe-level member authorizations. For example, an external vendor or technician can be given retrieve or use authorizations for a specific password, which they can then use without being aware of any other passwords or files in the Safe.

When a new password or file is added to a Safe, each Safe member will have their default permissions on that new object, as set in their Safe member authorizations. However, these authorizations can be changed granularly for individual passwords or files.

You can see a general summary of each user’s access control and authorizations in the Entitlement report.

Configure the Safe

Object level access control can be configured in the PVWA. It can be set either when the Safe is created or by updating an existing Safe’s properties. Once enabled, object level access control cannot be disabled.

Configure user accounts

Any user who is a Safe member can be given object level access.

View the Safe members list

Authorized users can view a list of users who have permission to retrieve a selected account or file in the Object Properties window. Users require the following Safe member authorization in order to view the list of Safe members who are authorized to retrieve a specific account or file:

View Safe Members

Users who do not have this authorization will not be able to see the Permissions tab in the Account Details window.

Manage Object Level Access Control

Authorized users can give use and retrieve permissions on individual passwords or files to Safe members who do not have retrieval permissions in the Safe. These users can also revoke retrieval permissions for specific users on individual passwords or files.
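The permission model described on this page (Safe-level defaults that apply to every new object, object-level entries that override them for one password or file, object level access control that cannot be switched off once enabled, and a retriever list that is only visible with the View Safe Members authorization) can be modeled in a few lines. This is an added illustrative example, not CyberArk code or API; the class, method and authorization names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the Safe / object permission semantics described on this page.
# Safe-level authorizations are the member defaults; an object-level entry, when
# present, overrides them for one password or file. Names are illustrative only.

@dataclass
class Safe:
    olac_enabled: bool = False
    # Safe member -> set of Safe-level authorizations, e.g. {"Retrieve", "Use", "View Safe Members"}
    members: dict = field(default_factory=dict)
    # (object name, member) -> set of object-level authorizations that override the defaults
    object_overrides: dict = field(default_factory=dict)

    def enable_olac(self) -> None:
        self.olac_enabled = True

    def disable_olac(self) -> None:
        # Once enabled, object level access control cannot be disabled.
        raise PermissionError("object level access control cannot be disabled once enabled")

    def effective(self, member: str, obj: str) -> set:
        """Authorizations a member has on one object: the override if set, else Safe defaults."""
        if member not in self.members:
            return set()
        return set(self.object_overrides.get((obj, member), self.members[member]))

    def grant_object(self, member: str, obj: str, auths: set) -> None:
        """Give Use/Retrieve on a single object to a member who lacks Safe-wide retrieval."""
        if not self.olac_enabled:
            raise PermissionError("enable object level access control on the Safe first")
        if member not in self.members:
            raise KeyError("only Safe members can be given object level access")
        self.object_overrides[(obj, member)] = set(auths)

    def revoke_object(self, member: str, obj: str) -> None:
        """Revoke Retrieve and Use on one object for one member; Safe-level defaults stay intact."""
        self.object_overrides[(obj, member)] = self.effective(member, obj) - {"Retrieve", "Use"}

    def retrievers(self, viewer: str, obj: str) -> list:
        """Members who can retrieve obj; the viewer must hold 'View Safe Members' to see it."""
        if "View Safe Members" not in self.members.get(viewer, set()):
            raise PermissionError("Permissions tab is hidden without 'View Safe Members'")
        return sorted(m for m in self.members if "Retrieve" in self.effective(m, obj))
```

Note that a grant on one object leaves the member's defaults on every other object untouched, which is the property that keeps the vendor unaware of the rest of the Safe.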

Privileged Access Security 10.10