To initiate credential vaulting for non-computer credentials, a user needs an access assignment that includes the following Management Roles. Please note that the VIS-* and ACT-* Management Roles are scoped by location; thus a user needs only the specific roles pertaining to the location(s) for which they are responsible for vaulting credentials. Please note that the list below contains only those roles needed to vault non-computer credentials. If a person needs to manage shared credentials in other ways, such as approving check-out requests, that person would need a different set of Management Roles. For a complete list of the Management Roles associated with shared credentials, please see PAM Management Roles.

  • UI-Shared-Credential-Object-Administration — This Management Role grants access to the user interfaces and workflows for managing shared credentials. 

  • VIS-Shared-Credential-All — This Management Role grants visibility for all vaulted credentials.

  • VIS-Shared-Credential-MyLocations — This Management Role grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

  • VIS-Shared-Credential-MyOrg — This Management Role grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

  • ACT-Shared-Credential-Create-All — This Management Role grants people with the role the ability to create a shared credential anywhere.

  • ACT-Shared-Credential-Create-MyLocations — This Management Role grants people with the role the ability to create a shared credential in a person's locations. This role would be assigned if the person should be able to create a shared credential in their locations only.

  • ACT-Shared-Credential-Create-MyOrg — This Management Role grants people with the role the ability to create a shared credential in a person's organization. This role would be assigned if the person should be able to create a shared credential in their organization only.

  • ACT-Shared-Credential-Object-Administration-All — This Management Role grants people with the role the ability to create, edit and delete a shared credential anywhere.

  • ACT-Shared-Credential-Object-Administration-MyLocations — This Management Role grants people with the role the ability to create, edit and delete a shared credential in their locations. This role would be assigned if the person should be able to create, edit and delete a shared credential in their locations only.

  • ACT-Shared-Credential-Object-Administration-MyOrg — This Management Role grants people with the role the ability to create, edit and delete a shared credential in their organization. This role would be assigned if the person should be able to create, edit and delete a shared credential in their organization only.

Users who vault credentials are the owners or Access Managers for those credentials. Access Managers can approve or deny access requests for the credentials they own.
