Setting different permissions for requesting passwords and sessions. Including how to deny one and allow the other.
The Permissions tab for Systems, Collections, UserIDs and Groups has 2 separate columns with drop menus for assigning permissions for PPM/PAR and PSM/EGP. Using these drop downs you can assign the same or different permissions for both functions. It is possible to allow a user to request a session but deny them from requesting a password and vice versa.
One practical use for such a scenario is if you wanted users to be able to seemlessly log into a session without any knowledge of the account password. To do this you would:
- Configure the Proxy Connection on the EGP Details of the Account to use "Automatic Login Using Password"
- Go to the Permissions tab of the UserID in question, change the PSM/EGP Assigned Role to Requestor and the PPM/PAR Assigned Role to "Denied" for the System (or all Systems) in question.
The result of this will be that when the User logs in, they will have the option to Request a Session, but the option to Request a Password will be hidden. When they Connect to a session, the Java applet will load and they will automatically be logged into the Account they have requested. At no point in this process do they require or have knowledge of the actual login information.
This is simply one possible example of this functionality. The main point is that the privilege to Request Passwords and Request Sessions can be mutually exclusive.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center