Use Object Level Access Control in Safes

This topic describes the Object level access control feature for Safes, how to enable this feature in a Safe, and how to give users access to specific passwords and files in a Safe.

Overview

The Privileged Access Manager - Self-Hosted solution provides Object Level Access Control (OLAC). This lets you control user access to the passwords and files stored in a Safe at a granular level: you can give a user permission to retrieve and use specific passwords and files in the Safe, independently of the user's Safe-level member authorizations.

For example, an external vendor or technician can be given Retrieve or Use permission for one specific password only, without being able to view any other password or file in the Safe.

When a new password or file is added to a Safe, each Safe member's existing Safe-level permissions are applied to the new object. With Object Level Access Control enabled, you can then change the permissions on individual passwords and files.

You can view a general summary of each Safe member's access control and permissions in the Entitlement report.

Enable Object Level Access Control in a Safe

  • Once Object Level Access Control is enabled in a Safe, it cannot be disabled.

  • Enabling OLAC affects Vault performance, so enable it only in Safes that actually need per-object permissions.

When you enable Object Level Access Control, you are updating the Safe's properties. To update Safe properties, a user must have the following authorization in the Vault:

Authorization: Manage Safe

Description: Enables the user to perform the following actions:

  • View the Safes page in the PVWA

  • Manage the properties of existing Safes

  • Specify and update Safe permissions

  • Remove a user from a Safe

To enable Object Level Access Control:

  1. In the Safes list, select the relevant Safe.
  2. In the Safe properties pane, click Edit.
  3. Click Advanced details and turn on the Enable Object Level Access Control toggle.
  4. Click Save.

Set Use and Retrieve permissions for specific passwords and files

To give users Use and Retrieve permissions for specific passwords and files, the users must first be added as Safe members and then be given the permissions on the specific account.

Required authorizations

The following authorizations are required in the Vault to set permissions for specific passwords and files:

Authorization: Manage Safe Members

Description: Enables the user to perform the following actions:

  • Add existing Vault users and groups as Safe members in the PVWA

  • Add users in external LDAP directories as Safe members in the PVWA

  • Specify and update Safe permissions

  • Remove a user from a Safe

Authorization: View Safe Members

Description: Enables the user to view the permissions of Safe members in the PVWA.

Authorization: One or more of the Access permissions

Description: Enables users to access accounts in the Safe in the PVWA. The Access permissions are:

  • List accounts

  • Use accounts

  • Retrieve accounts

For more information about Access permissions, see Access permissions in Safe member permissions.

Step 1: Add users as Safe members

Only users that are Safe members can have permissions for specific passwords and files.

The Manage Safe Members authorization is required for this step.

  1. Add the relevant users as Safe members, as described in Add a Safe member.

  2. Assign the Use accounts and Retrieve accounts permissions to the new Safe member.

     These permissions can also be assigned to, or removed from, individual passwords and files. See Set permissions for a password or file, below.

Step 2: Set permissions for a password or file

The View Safe Members authorization is required for this step.

  1. Open the Account Details window for the password or file.

  2. Click the Permissions tab.

    A list of all Safe members for this Safe appears, and the permissions that each Safe member has.

  3. Click the Safe member whose permissions you want to change for this password or file.

    The Change Permissions window appears.

  4. Select or remove the permissions that you want for this Safe member, and then click OK.
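The enable procedure and Step 1 above as one scripted workflow, driven through the PVWA REST API instead of the PVWA pages. This is an added example, not CyberArk's code and not part of this page. The v2 Safes endpoint paths and JSON keys it uses (PUT /Safes/{safe}/ with olacEnabled, POST /Safes/{safe}/Members/ with memberName and permissions, membershipExpirationDate as Unix epoch seconds), the hostname, and the Safe and user names are assumptions to verify against the REST API reference for your PAM Self-Hosted version. Because the OLAC toggle is one-way, the client reads the Safe first and only sends the update while OLAC is still off; the vendor is added with Safe-level List, Use and Retrieve and an expiry date, with the administrative permissions explicitly set to False. The per-object Permissions tab of Step 2 has no counterpart in this script.

```python
"""Enable OLAC on a Safe and onboard a vendor as a least-privilege Safe member
via the PVWA REST API. Added example; endpoint paths and JSON keys are assumed
from the v2 Safes API and must be verified for your version. Names are placeholders."""
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

# A transport performs one HTTP call: (method, url, json_body, headers) -> parsed JSON.
Transport = Callable[[str, str, Optional[dict], dict], object]


def urllib_transport(method: str, url: str, body: Optional[dict], headers: dict) -> object:
    """Real HTTPS transport on the standard library; raises on HTTP 4xx/5xx."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


# Safe-level permissions for the vendor: List so the object is visible, plus the
# Use and Retrieve that Step 1 assigns. Administrative rights are spelled out as
# False rather than left to server-side defaults.
VENDOR_SAFE_PERMISSIONS = {
    "listAccounts": True, "useAccounts": True, "retrieveAccounts": True,
    "addAccounts": False, "updateAccountContent": False, "deleteAccounts": False,
    "viewAuditLog": False, "viewSafeMembers": False, "manageSafe": False,
    "manageSafeMembers": False, "accessWithoutConfirmation": False,
}


def member_payload(member_name: str, expires_at: Optional[int] = None,
                   search_in: str = "Vault") -> dict:
    """Body for POST /Safes/{safe}/Members/. expires_at: Unix epoch seconds
    (assumed format of membershipExpirationDate); always set one for vendors."""
    payload = {"memberName": member_name, "searchIn": search_in,
               "permissions": dict(VENDOR_SAFE_PERMISSIONS)}
    if expires_at is not None:
        payload["membershipExpirationDate"] = expires_at
    return payload


class PvwaClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.api = base_url.rstrip("/") + "/PasswordVault/API"
        self.transport = transport
        self.headers: dict = {}

    def _safe_url(self, safe_name: str, suffix: str = "") -> str:
        return f"{self.api}/Safes/{urllib.parse.quote(safe_name, safe='')}/{suffix}"

    def logon(self, username: str, password: str) -> None:
        token = self.transport("POST", f"{self.api}/auth/CyberArk/Logon",
                               {"username": username, "password": password}, {})
        self.headers = {"Authorization": str(token)}  # PVWA expects the raw token

    def get_safe(self, safe_name: str) -> dict:
        return self.transport("GET", self._safe_url(safe_name), None, self.headers)

    def enable_olac(self, safe_name: str) -> bool:
        """Turn OLAC on; returns False and sends nothing if it is already on.
        The toggle cannot be reverted and affects Vault performance."""
        if self.get_safe(safe_name).get("olacEnabled"):
            return False
        self.transport("PUT", self._safe_url(safe_name),
                       {"safeName": safe_name, "olacEnabled": True}, self.headers)
        return True

    def add_member(self, safe_name: str, payload: dict) -> dict:
        return self.transport("POST", self._safe_url(safe_name, "Members/"),
                              payload, self.headers)


class RecordingTransport:
    """Constructed offline stand-in for a PVWA: records calls, returns canned JSON."""
    def __init__(self, olac_enabled: bool = False):
        self.calls: List[Tuple[str, str, Optional[dict]]] = []
        self.safe = {"safeName": "Vendor-Safe", "olacEnabled": olac_enabled}

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body))
        if url.endswith("/Logon"):
            return "session-token"
        if method == "PUT":
            self.safe["olacEnabled"] = True
        return dict(body or {}) if method == "POST" else dict(self.safe)


def onboard_vendor(client: PvwaClient, safe_name: str, vendor: str,
                   expires_at: int) -> Tuple[bool, dict]:
    """Enable OLAC if needed, then add the vendor with Safe-level List/Use/Retrieve.
    Per-object trimming is still done in the PVWA Account Details > Permissions tab."""
    changed = client.enable_olac(safe_name)
    member = client.add_member(safe_name, member_payload(vendor, expires_at))
    return changed, member


if __name__ == "__main__":
    # Offline run; pass transport=urllib_transport and real credentials for a lab PVWA.
    c = PvwaClient("https://pvwa.example.internal", transport=RecordingTransport())
    c.logon("Administrator", "placeholder")
    print(onboard_vendor(c, "Vendor-Safe", "vendor-tech@external", 1_900_000_000))
```

Run it as-is to see the recorded call sequence (Logon, GET Safe, PUT Safe, POST Members); the second invocation against the same Safe sends no PUT, which is the property you want from any automation around a one-way setting.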