Create a Basic Role

Document ID : KB000011671
Last Modified Date : 14/02/2018
Question:

This document describes how to create a Privileged Access Role that scopes user access to specific privileged accounts. How do I create a Privileged Access Role to scope user access to specific privileged accounts?

Answer:
Log in as the System Manager or another account that has permission to create roles.
 
Go to: 
Users and Groups > Roles > Privileged Access Roles > Create Role
Create a copy of an existing Role (pick one based on the endpoint type that you want to scope). Example: Windows Agentless Privileged Access Role
 
SS1.png
 
Change the Name and Description.
 
On the Members tab you define the Member Rule and the Scoping Rules. 
On the left side of the member policies, choose the Edit button. 
 
SS2.png
 
Modify: Which users are members of this role?
 
This could be an AD group or a specific set of users. This sets up who has access. 
 
SS3.png
 
The example above shows that anyone who is a member of the AD group Restricted Access SAM will get access. 
 
Next, we need to define the scope rules. These grant the users in the AD group defined in the Member Rule access to the matching privileged accounts. 
 
SS4.png
 
There are many ways to scope the access, but the most basic is to use the Endpoint and Privileged Account options. With the Endpoint option you can scope down to a specific endpoint, so that if the endpoint has two different types the user can get access to both. You can also use the Privileged Account option to scope by custom fields. 
 
The example shows that if the Endpoint Type is Windows Agentless and the [privileged] Account Name is OU1Group1User109, the groups defined in the Member Rule will have access. 
 
SS5.png
 
Now when a user in the AD group 'Restricted Access SAM' logs into Enterprise Manager they will ONLY see this account, based on this Role. (*Unless, of course, other roles also give this user access to accounts.)  
 
SS6.png
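To make the scoping logic described above concrete, here is an added example (not CA PAM product code) that models a role as a Member Rule (AD groups) plus scope rules (Endpoint Type and Account Name) and computes which accounts a user would see; it also shows the caveat that a user's view is the union of every role they are a member of. The inventory, endpoint names and the second "Unix Admins" role are constructed for illustration; the AD group and account name come from the article.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

@dataclass(frozen=True)
class PrivilegedAccount:
    endpoint: str
    endpoint_type: str
    account_name: str

@dataclass
class Role:
    name: str
    member_groups: frozenset                 # Member Rule: AD groups that grant membership
    endpoint_type: Optional[str] = None      # Scope rule on Endpoint Type (None = any)
    account_name: Optional[str] = None       # Scope rule on Privileged Account Name (None = any)

    def is_member(self, user_groups: Iterable[str]) -> bool:
        # A user satisfies the Member Rule if they are in any of the listed AD groups.
        return bool(self.member_groups & set(user_groups))

    def in_scope(self, acct: PrivilegedAccount) -> bool:
        # Every configured scope rule must match; unset rules do not restrict.
        if self.endpoint_type is not None and acct.endpoint_type != self.endpoint_type:
            return False
        if self.account_name is not None and acct.account_name != self.account_name:
            return False
        return True

def visible_accounts(user_groups: Iterable[str], roles: List[Role],
                     inventory: List[PrivilegedAccount]) -> Set[PrivilegedAccount]:
    # What the user sees in Enterprise Manager: the union over all roles they belong to.
    seen: Set[PrivilegedAccount] = set()
    for role in roles:
        if role.is_member(user_groups):
            seen.update(a for a in inventory if role.in_scope(a))
    return seen

# Constructed inventory (hypothetical endpoint names; OU1Group1User109 is the article's example).
INVENTORY = [
    PrivilegedAccount("win-srv-01", "Windows Agentless", "OU1Group1User109"),
    PrivilegedAccount("win-srv-01", "Windows Agentless", "LocalAdmin"),
    PrivilegedAccount("win-srv-02", "Windows Agentless", "OU1Group1User109"),
    PrivilegedAccount("lnx-db-01", "Unix", "root"),
]
# The role from the article: Restricted Access SAM members see only OU1Group1User109 on Windows Agentless.
BASIC_ROLE = Role("Windows Agentless - Restricted", frozenset({"Restricted Access SAM"}),
                  endpoint_type="Windows Agentless", account_name="OU1Group1User109")
# Hypothetical second role illustrating the caveat: additional roles widen what a user sees.
UNIX_ROLE = Role("Unix Admins", frozenset({"Unix Admins"}), endpoint_type="Unix")

if __name__ == "__main__":
    for acct in sorted(visible_accounts({"Restricted Access SAM"}, [BASIC_ROLE, UNIX_ROLE], INVENTORY), key=str):
        print(acct)
```

Running the block lists only the two OU1Group1User109 accounts for a Restricted Access SAM member; adding that user to the Unix Admins group would also expose the Unix root account through the second role.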