The Authorizer Administrator is the permissions administrator and performs the following:
- Creates (or imports) Safeguard for Privileged Passwords users.
- Grants administrator permissions to users.
- Sets passwords, unlocks, and enables or disables both local and directory user accounts.
- Creates and maintains the Local Password Rule.
The Authorizer Administrator also has User Administrator and Help Desk Administrator permissions.
Important: Authorizer Administrators can change the permissions for their own account, which may affect their ability to grant permissions to other users. When you make changes to your own permissions, they take effect next time you log in.
Table 220: Authorizer Administrator: Permissions
|
Activity Center |
View and export user activity events, including authentication events |
|
Administrative Tools | Toolbox |
Access to the Users and User Groups view
Access to Tasks pane |
|
Administrative Tools | Settings |
|
- External Integration | Identity and Authentication
|
Add, update, and delete directories used for identity and authentication.
External Federation and Radius providers can be configured for authentication use. |
|
|
Login notification (view only)
Set message of the day |
|
|
Perform access activities including:
- (View only) Login control configuration for user login settings
- Password rules configuration including complexity rules
- (View only) Time zone
|
|
Administrative Tools | Users |
Perform user actions including:
|
|
Administration Tools | User Groups |
Add or delete directory groups, if a directory has
been added |
A Help Desk Administrator:
NOTE: Help Desk Administrators can only view the user object history for their own account.
Table 221: Help Desk Administrator: Permissions
| Activity Center |
View and export user activity events |
|
Administrative Tools | Toolbox |
Access to the Users view and the Tasks pane |
| Administrative Tools | Settings: |
|
|
|
(View only) Login notification
Set message of the day |
|
|
View only: Login control, password rules, and time zone |
|
Administrative Tools | Users |
Set passwords and unlock accounts for non-administrator users
A Help Desk Administrator can unlock another Help Desk user but cannot set that user's password. |
The Operations Administrator monitors the status of the appliance and can reboot the appliance.
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
NOTE: This user can be a non-interactive user; that is, an automated script or external monitoring system.
Table 222: Operations Administrator: Permissions
|
Activity Center |
View and export appliance activity events |
| Administrative Tools | Toolbox |
Access to the Tasks pane |
|
Administrative Tools | Settings | Access Request |
(View only) Enable or disable configurations for:
- Access requests
- Password and SSH key management services
- Discovery of objects
- Directory sync
- Session module password access
|
|
Administrative Tools | Settings | Appliance |
Appliance actions including:
- Appliance information and control:
- The status of the appliance, performance, and memory
- Shut down or restart the appliance
- (View only) Enable or disable services including the Application to Application functionality and the Audit Log Stream Service
- (View only) Licensing to add or update the Safeguard for Privileged Passwords license
- Enable or disable Lights Out Management (BMC)
- Network diagnostics to rune diagnostic tests on your appliance
- (View only) Networking to view and configure the network interface and, if applicable, the sessions network interface
- (View only) Operating system licensing for the virtual appliance
- (View only) Time to enable Network Time Protocol and set the primary and secondary NTP server
|
|
Administrative Tools | Settings | Backup and Retention |
View only, except an Operations Administrator can take a backup. As mentioned earlier, it may appear the Operations Admin can edit data, but the operation cannot be saved.
- Archive server
- Audit log management
- Backup and restore (can take a backup)
- Backup retention
|
|
Administrative Tools | Settings | Certificates |
View only:
- Audit log signing certificate
- Certificate signing request
- SSL certificates
- Trusted certificates
|
|
Administrative Tools | Settings | Cluster |
View only:
- Cluster management and health monitoring
- Managed networks definition for load distribution
- Offline workflow to trigger if an appliance has lost consensus to resume offline workflow
- Session appliance connection to Safeguard for Privileged Sessions (SPS), if applicable
|
|
Administrative Tools | Settings | External Integration |
View only:
- Application to Application (A2A) configuration for application registrations
- Approval Anywhere service for access request approvals.
- Email to send event notifications
- Identity providers and authentication providers to use when logging in; can view the grid but not details
- SNMP configuration to send SNMP traps to the SNMP console
- Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA) and Starling Identity Analytics & Risk Intelligence.
- Syslog server configuration to send event notifications
- Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system
|
|
Administrative Tools | Settings | Messaging |
Perform messaging activities including:
- (View only) Login notification configuration
- Message of the day creation
|
|
Safeguard Access |
View only:
- Login control configuration for user login settings
- Password rules configuration including complexity rules
- Time zone to set the time zone
|
The Security Policy Administrator configures the security policies that govern the access rights to accounts and assets, including the requirements for checking out passwords, such as the maximum duration, if password or SSH key reasons are required, if emergency access is allowed, and so on. This user may not know any details about the assets.
This user configures time restrictions for entitlements and who can request, approve and review access requests.
- Creates account groups, asset groups, and user groups.
- Creates entitlements.
- Configures access request policies.
- Adds users or user groups to entitlements to authorize those accounts to request passwords.
- Can assign linked accounts to users for entitlement access policy governance.
On some pages, it may appear the administrator can edit data, but the change cannot be saved. A message like the following will display: Authorization is required for this request.
Table 223: Security Policy Administrator: Permissions
|
Dashboard | Access Requests |
Full control to manage access requests. |
|
Activity Center |
Perform activities:
- View and export security-related activity events, including access request events
- Audit access request workflow
|
|
Reports |
View and export entitlement reports |
|
Administrative Tools | Toolbox |
Perform activities:
- Access to the Account Groups, Asset Groups, Entitlements, Users, and User Groups view
- Access to the Tasks pane.
|
|
Administrative Tools | Account Groups |
Perform account group activities including:
- Add, modify, or delete account groups and dynamic account groups
- Add accounts to account groups
- Add access request policies to account groups
|
| Administrative Tools | Asset Groups |
Perform asset group activities including:
- Add, modify, or delete asset groups and dynamic asset groups
- Add assets to asset groups
- Assign acces request policies to asset groups
|
|
Administrative Tools | Entitlements |
Perform entitlement activities including:
- Add, modify, or delete entitlements
- Add users or user groups to entitlements
- Define and maintain access request policies
- Assign policies to entitlements
|
|
Administrative Tools | Settings: |
|
|
|
Add, modify, or delete reason codes. |
- Cluster | Session Appliances
|
If Safeguard for Privileged Passwords (SPP) is joined to Safeguard for Privileged Sessions (SPS), view the appliance information for the join. |
|
|
Perform external integration activities including:
- Application to Application (A2) configuration for application registrations
- Approval Anywhere service for access request approvals.
- Starling join to Safeguard for Privileged Passwords to use services like Starling Two-Factor Authentication (2FA) and Starling Identity Analytics & Risk Intelligence.
- (View only) Ticketing system configuration to an external ticketing system or for generic tickets not tied to an external ticketing system
|
|
|
Messaging including:
- (View only) Login notification configuration
- Message of the day creation
|
|
|
View only: Login control, password rules, time zone |
| Administrative Tools | Users |
Perform user activities including:
- Add users to user groups including setting Personal Passwords permission to use the personal password vault
- Add users to entitlements
- Link directory accounts to a user
- View and export the history of users
|
|
Administrative Tools | User Groups |
Perform user group activities including:
- Add, modify, or delete local user groups
- Add local or directory users to user groups
- Assign entitlements to user groups
- View and export the history of users
- Set Personal Passwords permission to use the personal password vault
|
