The Auditor administrator has read-only access to all features, and has the ability to review all access request activity:
- Monitor appliance information
- Review everything
- Export object history
- Run entitlement reports
There are two additional permission types available once the Auditor role is selected that will help provide limited auditor permissions should you prefer not to use the all-encompassing Auditor role (which incorporates both permission types):
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
Table 277: Auditor administrator: Permissions
|
Dashboard |
(View only) Access request and account automation |
|
Activity Center |
View and export activity events
Audit access request workflow |
|
Reports |
View and export reports |
|
Administrative Tools | Toolbox |
(View only) Access to all Administrative Tools views and the Tasks pane |
|
Administrative Tools | Accounts |
View only |
|
Administrative Tools | Account Groups |
View only |
|
Administrative Tools | Assets |
View only |
|
Administrative Tools | Asset Groups |
View only |
|
Administrative Tools | Discovery |
View only |
|
Administrative Tools | Entitlements |
View only |
|
Administrative Tools | Partitions |
View only |
|
Administrative Tools | Settings: |
|
|
|
View only |
|
|
View only |
|
|
View only |
|
|
View only |
|
|
View only |
|
|
View only |
|
|
View only |
|
|
Login notification: View only.
Set message of the day. |
|
|
View only |
|
|
View only |
|
|
View only |
|
Administrative Tools | Users |
View only |
|
Administrative Tools | User Groups |
View only |
Application Auditor
Application Auditor provides read-only access to features related to the functionality of Safeguard. The Application Auditor permissions correspond with the following roles, however only read-access is allowed:
System Auditor
System Auditor provides read-only access to features related to the operation of Safeguard. The System Auditor permissions correspond with the following roles, however only read-access is allowed:
-
Appliance
-
Operations
-
Help Desk
-
User
-
Global
The Authorizer Administrator is the permissions administrator and performs the following:
- Creates (or imports) Safeguard for Privileged Passwords users.
- Grants administrator permissions to users.
- Sets passwords, unlocks, and enables or disables both local and directory user accounts.
- Creates and maintains the Local Password Rule.
The Authorizer Administrator also has User Administrator and Help Desk Administrator permissions.
IMPORTANT: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in.
Table 278: Authorizer Administrator: Permissions
|
Activity Center |
View and export user activity events, including authentication events. |
|
Administrative Tools | Toolbox |
Access to the Users and User Groups view.
Access to Tasks pane. |
|
Administrative Tools | Settings |
|
- External Integration | Identity and Authentication
|
Add, update, and delete directories used for identity and authentication.
External Federation and Radius providers can be configured for authentication use. |
|
|
Login notification (view only).
Set message of the day. |
|
|
Perform access activities including:
- (View only) Login control configuration for user login settings.
- Password rules configuration including complexity rules.
- (View only) Time zone.
|
|
Administrative Tools | Users |
Perform user actions including:
|
|
Administration Tools | User Groups |
Add or delete directory groups, if a directory has been added. |
A Help Desk Administrator:
NOTE: Help Desk Administrators can only view the user object history for their own account.
Table 279: Help Desk Administrator: Permissions
| Activity Center |
View and export user activity events. |
|
Administrative Tools | Toolbox |
Access to the Users view and the Tasks pane. |
|
Administrative Tools | Settings |
|
|
|
View only: Login notification.
Set message of the day. |
|
|
View only: Login control, password rules, and time zone. |
|
Administrative Tools | Users |
Set passwords and unlock accounts for non-administrator users.
A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password. |
The Operations Administrator monitors the status of the appliance and can reboot the appliance.
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.
Table 280: Operations Administrator: Permissions
|
Activity Center |
View and export appliance activity events. |
| Administrative Tools | Toolbox |
Access to the Tasks pane. |
|
Administrative Tools | Settings | Access Request |
(View only) Enable or disable configurations for:
- Access requests
- Password and SSH key management services
- Discovery of objects
- Directory sync
- Session module password access
|
|
Administrative Tools | Settings | Appliance |
Appliance actions including:
- Appliance information and control:
- The status of the appliance, performance, and memory.
- Shut down or restart the appliance.
- (View only) Enable or disable services including the Application to Application functionality and the Audit Log Stream Service.
- (View only) Licensing to add or update the Safeguard for Privileged Passwords license.
- Enable or disable Lights Out Management (BMC).
- Network diagnostics to run diagnostic tests on your appliance.
- (View only) Networking to view and configure the network interface and, if applicable, the sessions network interface.
- (View only) Operating system licensing for the virtual appliance.
- (View only) Time to enable Network Time Protocol and set the primary and secondary NTP server.
|
|
Administrative Tools | Settings | Backup and Retention |
View only, except an Operations Administrator can take a backup. As mentioned earlier, it may appear the Operations Admin can edit data, but the operation cannot be saved.
- Archive server
- Audit log management
- Backup and restore (can take a backup)
- Backup retention
|
|
Administrative Tools | Settings | Certificates |
View only:
- Audit log signing certificate
- Certificate signing request
- SSL certificates
- Trusted certificates
|
|
Administrative Tools | Settings | Cluster |
View only:
- Cluster management and health monitoring.
- Managed networks definition for load distribution.
- Offline workflow to trigger if an appliance has lost consensus to resume offline workflow.
- Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable.
|
|
Administrative Tools | Settings | External Integration |
View only:
- Application to Application (A2A) configuration for application registrations.
- Approval Anywhere service for access request approvals.
- Email to send event notifications.
- Identity providers and authentication providers to use when logging in; can view the grid but not details.
- SNMP configuration to send SNMP traps to the SNMP console.
- Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA).
- Syslog server configuration to send event notifications.
- Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system.
|
|
Administrative Tools | Settings | Messaging |
Perform messaging activities including:
- (View only) Login notification configuration.
- Message of the day creation.
|
|
Administrative Tools | Safeguard Access |
View only:
- Login control configuration for user login settings.
- Password rules configuration including complexity rules.
- Time zone to set the time zone.
|
