Permissions
This section is used to search for, issue, revoke and suspend permissions.
Permission Search
Enter a user, account, resource, or description in the search string and click .
Click Extended search, select one or more filters and click Search.
Add permission
To be able to manage permissions you need the Permissions management privileges (Permission.Create, Permission.Read, Permission.Revoke, Permission.Suspend).
Go to the Permissions section.
Click Create.
Select an organizational unit and users or a group of users.
Select the permission parameter:
Resources — permission is granted to one or more selected resources.
Resource groups — permission is granted to the selected resource group.
Ad hoc resources — permission is granted to any resources with the selected connection type, including resources not registered in PAM.
Caution: A special license is required to grant permission to PostgreSQL and MSSQL resources or groups containing such resources. Before creating a permission, add an account from PostgreSQL Server to PAM. When creating a permission, specify this account.
For Ad hoc resources, there is one account for all types of connections. Local account selection is unavailable.
Select the account used for the user's connection:
- Select account in PAM — service account on behalf of which the user will open a session on the resource.
- Use user account — the permission will not specify a service account, PAM will request credentials before opening the session.
Configure Time restrictions and click Next.
Configure Permission parameters and click Next.
Enter a description and click Next.
Check the selected data and click Create.
Time restrictions
Set an access schedule according to which users can open sessions, view and modify credentials. For example, you can grant permission to work only on weekdays from 8:00 to 17:00.
Configure the parameters:
Validity period — the time period during which the permission is valid. For example, you can grant permission for one day or month.
Begin — set the date and time when the permission becomes active.
If only Begin is set, the permission will become active on the selected date, and its validity period will be unlimited.
End — set the date and time when the permission becomes inactive.
If only End is set, the permission will become active at the moment of creation, but will be suspended on the specified date.
Info: If the Begin and End parameters are not set, the permission will be valid indefinitely.
Access schedule — restrictions by days of the week taking into account the specified schedule.
Allow access only on selected days — select the days of the week when the permission will be active.
Allow access only during selected hours — select the time when the permission will be active.
Info: Access by days of the week is granted according to the management server time zone.
After the validity period expires, the permission will transition to the Restricted/Invalid state, and the user session will be terminated.
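As an added illustration (not code from the product or this page), the Python below models the validity rules described above: the Begin/End semantics, the day-of-week and hour restrictions, and the fact that the schedule is evaluated in the management server time zone. The server time zone, field names and sample permission are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional

# Assumed management server time zone (constructed: fixed UTC+3 offset).
SERVER_TZ = timezone(timedelta(hours=3))

@dataclass
class TimeRestrictions:
    created: datetime                      # when the permission was created
    begin: Optional[datetime] = None       # Begin, or None if not set
    end: Optional[datetime] = None         # End, or None if not set
    days: Optional[frozenset] = None       # allowed weekdays, 0=Mon..6=Sun; None = any day
    hours: Optional[tuple] = None          # (start, stop) in server time; None = any hour

def check_access(r: TimeRestrictions, now: datetime) -> str:
    """Return 'valid' or the reason the permission cannot be used right now.

    All datetimes must be time-zone aware. The day and hour checks are
    evaluated in the server time zone, as the page states.
    """
    # Validity period: only Begin set -> starts at Begin and never ends;
    # only End set -> starts at creation; neither set -> indefinite.
    active_from = r.begin if r.begin is not None else r.created
    if now < active_from:
        return "not yet active"
    if r.end is not None and now >= r.end:
        return "expired"
    local = now.astimezone(SERVER_TZ)
    if r.days is not None and local.weekday() not in r.days:
        return "outside allowed days"
    if r.hours is not None:
        start, stop = r.hours
        if not (start <= local.time() < stop):
            return "outside allowed hours"
    return "valid"

# Constructed sample: weekdays 08:00-17:00, valid until 1 March 2024.
WEEKDAYS = frozenset(range(5))
EXAMPLE = TimeRestrictions(
    created=datetime(2024, 1, 1, 9, 0, tzinfo=SERVER_TZ),
    end=datetime(2024, 3, 1, tzinfo=SERVER_TZ),
    days=WEEKDAYS,
    hours=(time(8, 0), time(17, 0)),
)

if __name__ == "__main__":
    # Friday 23:30 UTC is already Saturday 02:30 on the server: denied.
    late_friday_utc = datetime(2024, 1, 12, 23, 30, tzinfo=timezone.utc)
    print(check_access(EXAMPLE, late_friday_utc))
```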
Permissions parameters
Set access parameters:
Credentials — defines actions with credentials.
- Allow view account credentials — allows the user to view the password of privileged accounts used in the permission.
- Allow change account credentials — allows the user to change the password of privileged accounts used in the permission.
Connection source — allows you to specify a specific network from which connections are allowed. Select a network in the Network location sources for incoming connections field.
Info: If no network locations are added to PAM, the connection source is set to No restrictions. This means that the permission can be used from any host on the network.
Privilege elevation in SSH sessions — defines access to PamSu:
- Managed by policies — access is determined by the policy of the resource for which the permission is granted.
- Allowed — the right to use pamsu regardless of policy settings.
- Denied — prohibition on using pamsu regardless of policy settings.
Create copy
You can create a copy of any permission, while the original permission can be revoked or suspended. When copying, a creation window opens with the parameters of the original permission set. This selection can be edited: change the resource, remove users, or set restrictions.
Copying is only available from the permission profile.
If a user, resource, or service account from the original permission has been deleted or blocked, it will not be included in the copy.
To copy a permission:
- Go to the Permissions section.
- Open the profile of the desired permission.
- Click Create copy.
- Make changes or keep the original selection.
- Click Create.
- Select an action for the original permission:
- Don't touch original permission.
- Suspend original permission.
- Remove original permission.
- Click Finish.
Revoke
Click Revoke in the permission profile to revoke a permission that is no longer needed. Users lose access immediately, not after the session ends.
To revoke multiple permissions, in the Permissions section select the desired permissions and click Revoke.
Revoked permissions cannot be restored.
If you need to temporarily prohibit the use of a permission, suspend it.
Revoked permissions are no longer displayed in the Permissions section, but they can be found using search:
- Go to the Permissions section.
- Open Extended search.
- Select the Revoked status and click Find.
Suspend
Click Suspend in the permission profile to temporarily prohibit using the permission. Users lose access immediately, not after the session ends.
To suspend multiple permissions, in the Permissions section select the required permissions and click Suspend.
Reactivate
Click Reactivate in the permission profile to activate a suspended permission. The permission will change to the Valid state.
To activate multiple permissions, in the Permissions section select the required permissions and click Reactivate.