Permissions are hierarchical (inherited), so be careful how you grant a user or group access to the resources (passwords) available in the system.
As I said previously, we migrated (imported) four (4) roles as stated here. Only users who are members of these roles will be granted access to the passwords on the server.
Let’s demonstrate two scenarios here:
- Granting Administrators Access to the entire resources on the Password Server for the Administrators Team.
- Granting Access to the User Team on the Password Server.
For the Administrators Team, we will assign the administrator’s permission to every member of this team:
- Locate and right-click on the root folder
- Since we decided to manage user assignment (permission) via User Groups (Roles), select “Roles” under Add Access For
- Under Roles, select the User Group imported from AD
- Assign the Right Access as shown above
- Ensure you select the do not expire option
- Click on Add.
We follow the same steps to add the Roles (user group) for the User Team. Pay attention to the access level too.
- The only difference here is that we are ONLY granting access to the Group (Folder) Relativity as shown in the image above.
- Also, take note of the permission assigned (This is currently set to FULL only)
This ensures that members of the team can access only these resources in the password manager. It therefore enforces secure role assignment, where teams can access only the password resources they are allowed to access.
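The two scenarios above can be checked offline with a small model of inherited folder access. This is an added example, not code from the original post or from Pleasant Password Server: the `Grant` record, the `Root/...` path notation, the `Network` folder and the sample grants are constructed, and it assumes a grant on a folder reaches every folder beneath it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    role: str
    folder: str          # folder the access entry was added on
    access_level: str

def covers(folder: str, target: str) -> bool:
    """True if a grant on `folder` reaches `target` (same folder or a descendant)."""
    return target == folder or target.startswith(folder + "/")

def effective_grants(grants, role, target):
    """Every grant that applies to `role` on `target`, direct or inherited."""
    return [g for g in grants if g.role == role and covers(g.folder, target)]

def out_of_scope(grants, folders, intended):
    """List (role, folder, access_level, granted_on) for each folder a role
    can reach that lies outside the subtrees it is meant to see."""
    findings = []
    for role, scopes in intended.items():
        for folder in folders:
            if any(covers(s, folder) for s in scopes):
                continue  # folder is inside the role's intended scope
            for g in effective_grants(grants, role, folder):
                findings.append((role, folder, g.access_level, g.folder))
    return findings

# Constructed sample data (hypothetical folder tree and grants).
FOLDERS = ["Root", "Root/Relativity", "Root/Relativity/Prod", "Root/Network"]
INTENDED = {"Administrators Team": ["Root"], "User Team": ["Root/Relativity"]}
GOOD = [Grant("Administrators Team", "Root", "Administrator"),
        Grant("User Team", "Root/Relativity", "Full")]
# Same setup, but the User Team role was also added on the root folder by mistake.
BAD = GOOD + [Grant("User Team", "Root", "Full")]

if __name__ == "__main__":
    print("scoped setup:", out_of_scope(GOOD, FOLDERS, INTENDED))
    for finding in out_of_scope(BAD, FOLDERS, INTENDED):
        print("over-broad:", finding)
```

With the grant placed on the Relativity folder the report is empty; placing the same role on the root folder exposes every other folder to the User Team through inheritance.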
Here you can create, edit and delete Access Levels. Access Levels define the operations that can be performed by a Pleasant Password user.
There are two types of permissions:
- Action (A): This allows a user to perform certain actions or functions on the system.
- Grant (G): This allows a user to assign the corresponding (A) actions to a user.
Note: We can also create a new access level as shown in the diagram above, and we have also modified the default Access Level.
Assigning Access Level to Roles (User Group)
Recall that we imported four different AD user groups to the Password Manager, which are as follows:
Also, we have the inbuilt Roles, which are:
- Administration and
- User role
Here are the steps for importing roles in the Pleasant Password Manager and assigning permissions to the various roles.
- Import the desired roles from AD by clicking on Import Roles From Active Directory / LDAP server as shown below
- Click on Actions and select import roles as shown below
After the User Groups (Roles) have been imported successfully:
- Navigate to any of the desired roles
- Click on Actions
- Click on Set permission as shown below
- Next, select the desired permissions that are needed for a specific user group as shown below.
- Finally, click on Set Permissions. These rights will be assigned automatically to all members of the User Group.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.