Limited PAM Administrator

2 votes

We would like to give a group enough access to PAM to allow them to create Providers, Scan Configurations, Propagations, and allow them to add users to specific vaults, but not allow them full PAM admin rights.

Use case:
We have a network team that we want to have manage PAM for their devices, appliances, and tools. The server team (which also manages DVLS and PAM) does not have access to network team resources and does not want to give network team access to server PAM resources. Network team should be able to manage all their own PAM needs.

Otherwise, it seems we need to stand up an entirely new DVLS instance just for them.

All Comments (2)

Our own team asked for this when we gave them our PAM initially.

We have a huge undertaking of harmonizing our PAM with the RDM architecture. We are hoping to finish the project by the end of the year. Once that is done, we can finally think of reworking the permissions. It's always been a let-down for me to only see the PAM under the Administration menu. I cannot wait to separate the functionalities per area of concern instead.

Sorry about that

Maurice

Hello Maurice,

I'm adding my voice to this thread. I would like to delegate PAM Administrator roles to allow them to create PAM Providers for customers without allowing them to create new PAM Vaults, and to prevent them from seeing our internal PAM Vault.

Actually, PAM Administrators are able to navigate inside any PAM Vault even if they don't have Read access to it.