Create Custom User Roles
In addition to the predefined/default roles, you can create custom user roles based on the specific needs of the organization. You can assign features at a granular level by selecting specific features under each category.
To create custom user roles, navigate to Admin >> Customization >> Custom User Roles.
In the page that opens, click on the Create Custom Role button.
This opens up the role creation page. Each custom role can be given selected privileges from the following categories:
- Account Management
- Folder Management
- User Management
- Group Management
- Audit
- Reports
- Sessions
- Admin Operations
- Miscellaneous
To create a custom role, you need to enter the Role Name you want to create and a suitable Role Description. You may then select the privileges you would like to provide for this new role.
Users assigned with a custom role will be able to carry out select operations in PAM based on the privileges provided to them here.
Once you have selected role privileges, click on the Save button to finish role creation.
Note: A new custom role must be approved by an administrator other than the one who created it before it takes effect and becomes available in the product.
The approving administrator can review the privileges of that role and Approve or Reject & Delete this new role.
List of privilege operations for custom user roles
Securden PAM has a comprehensive set of privileges that can be modified for each custom role. All such custom role privileges have been explained in the table that follows.
Ability | Description |
Account Management | |
View Account Details | Users with this privilege will be able to view the details for all accounts to which they have access. (Accounts owned by them/shared with them) |
Add Account | Users with this privilege will be able to add accounts to the centralized repository. They will be the owners of the accounts they added. |
Edit Account | Users with this privilege will be able to edit the attributes of all accounts to which they have access. |
Import Work Accounts | Users with this privilege can import work accounts into the database. (Work accounts can be shared with other users, and can be viewed by the Superadmin) |
Discover Accounts | Users with this privilege can run an account discovery process and onboard privileged accounts from various IT assets, including servers, databases, and other devices. |
Delete Accounts | Users with this privilege can delete accounts owned by them/shared with them. |
Share Accounts | Users with this privilege will be able to share the accounts they own with other users with granular access permissions. |
Clone Account | Users with this privilege will be able to make a copy of the selected accounts with all the account details duplicated. Cloned accounts will carry the suffix 'copy'. |
Transfer Accounts | Users with this privilege will be able to transfer ownership of the accounts they own to other users added in Securden. |
Accounts Color Coding | Users with this privilege will be able to change the background display color for all accounts to which they have modify access permission. |
View Password History | Users with this privilege will be able to view all the previous passwords assigned to accounts to which they have ‘View’ permissions. |
Accounts Reports | Users with this privilege can view individual account reports for accounts present in Securden. |
Offline Access | Users with this privilege will be able to make offline copies of the accounts they have access to. The offline copy will be protected with a passphrase chosen by the user. |
Export Accounts | Users with this privilege will be able to export all the accounts they have access to in a CSV or XLSX file. |
Associate Private Keys | Users with this privilege will be able to associate private keys (SSH) with the accounts to which they have ‘Modify’ access permissions. |
Bulk Password Policy Change | Users with this privilege will be able to carry out password policy changes for multiple accounts at the same time. The user should have “Modify” access permissions to all the selected accounts in addition to this ability to be able to carry out bulk password policy change. |
Bulk Folder Change | Users with this privilege will be able to carry out a folder change for multiple accounts at the same time. The user should have “Modify” access permissions to all the selected accounts and the destination folder in addition to this ability to be able to carry out the folder change. |
Configure Approval Workflow | Users with this privilege will be able to configure approvers for request release workflows. The user will need to have ‘Manage’ access permissions for the account involved to be able to configure approvers. |
Account Dependencies | Users with this privilege will be able to fetch the dependencies of accounts they have access to. |
Add Folder from Folder Tree | Users with this privilege will be able to add a folder from the folder tree option that is available to the left of the accounts list. |
Account Settings | Users with this privilege will be able to modify the preferences available in the Account Settings section. |
Manage Personal Passwords | Users with this privilege will be able to generate and rotate passwords of their personal accounts. |
Import Personal Accounts | Users with this privilege will be able to import personal accounts (such as internet banking credentials, membership accounts, streaming service account credentials, etc.) |
Configure Autofill URLs | Users with this privilege will be able to configure auto-filling credentials on URLs to accounts they have access to. |
Configure TOTP | Users with this privilege will be able to configure TOTP generation for specific accounts for which MFA has been enabled. |
Share with Third Parties | Users with this privilege will be able to share the account with third parties and specify a time period until which they have access to the account. They can also choose to rotate the password once third party access ends. |
Add Tags in Bulk | Users with this privilege will be able to add tags to multiple accounts at the same time. |
Folder Management | |
Add Folder | Users with this privilege will be able to add folders to Securden. |
Edit Folder | Users with this privilege will be able to edit different attributes of folders to which they have access. |
Import Folders | Users with this privilege will be able to import folders and their structure from files. |
Delete Folder | Users with this privilege will be able to delete folders to which they have access. |
Transfer Folders | Users with this privilege will be able to transfer ownership of folders that they own (Along with the accounts it contains). |
Share Folders | Users with this privilege will be able to share folders with other users with a granularity they choose. |
Configure Remote Password Reset | Users with this privilege will be able to schedule remote password resets for all accounts in the folders they have access to. |
Folder Reports | Users with this privilege will be able to view the reports section of folders they have access to. |
Folder Settings | Users with this privilege will be able to view and change the preferences in the ‘Settings’ section of the folders they can access. |
Configure Approval Workflow | Users with this privilege will be able to designate approvers for accounts in a folder for request-release workflows. |
Change Folder Inheritance in Bulk | Users with this privilege will be able to modify inheritance permissions preferences for multiple folders at the same time. |
User Management | |
Add User | Users with this privilege will be able to add other users to Securden. |
Edit User | Users with this privilege will be able to edit attributes of existing users such as roles, permissions, etc. |
Import Users from File | Users with this privilege will be able to import users into Securden from a CSV or an XLSX file. |
Delete Users | Users with this privilege will be able to permanently delete existing users in Securden. |
Import Users from AD | Users with this privilege will be able to import users from AD using existing Active Directory domain credentials. |
Import Users from Azure AD | Users with this privilege will be able to import users from Azure AD using existing domain credentials. |
Import Users from LDAP | Users with this privilege will be able to import users from LDAP using existing domain credentials. |
Transfer Ownership | Users with this privilege will be able to transfer the ownership of all the accounts owned by them. |
Concurrent Logins | Users with this privilege will be able to see if any users have concurrently signed in to Securden on another device or browser, and will also be able to terminate any or all of those logins, which will forcefully log the user out of the Securden GUI. |
User Reports | Users with this privilege can view and access all the user-related details under 'Report' section in the 'Users' tab. |
Configure Temporary Access | Users with this privilege will be able to grant temporary access to the Securden web interface to selected user(s) by specifying an access expiration time. |
Change User Role | Users with this privilege will be able to change the roles of other users. |
Control Application Access | Users with this privilege can allow or deny access to other user(s) to access the Securden interface. |
Change 2FA | Users with this privilege can alter the two-factor authentication login method used by the selected user(s) to access the Securden interface. |
Change Radius Authentication in Bulk | Users with this privilege can alter RADIUS authentication for many users at once. |
Reset Passwords of Accounts Accessible to the user | Users with this privilege can reset the passwords of accounts that are owned/shared with them. |
Add Users to Groups | Users with this privilege will be able to add other users to groups. |
User Group Management | |
Add User Group | Users with this privilege will be able to create new user group(s) in Securden. |
Edit User Group | Users with this privilege will be able to edit user groups. |
Delete User Group | Users with this privilege will be able to delete user groups. Deleting user groups does not delete the users in them. |
User Group Reports | Users with this privilege will be able to view reports specific to user groups. |
Import User Groups from AD | Users with this privilege will be able to import user groups from AD using existing domain credentials. |
Import User Groups from Azure AD | Users with this privilege will be able to import user groups from Azure AD using existing domain credentials. |
Import User Groups from LDAP | Users with this privilege will be able to import user groups from LDAP using existing domain credentials. |
Change 2FA in Bulk | Users with this privilege will be able to change the 2FA method used by users in a user group to log in to the Securden interface. |
Audit | |
View Account Activity Trails | Users with this privilege will be able to view and access all the records of account-related activities. |
View User Activity Trails | Users with this privilege will be able to view and access all the records of user-related activities. |
Reports | |
Standard Reports | Users with this privilege will be able to access all the standard reports, which include the following reports: Account access, Account Activity, Password Compliance, Password Expiry, User Access, User Activity, Dependencies, Processes and Software Inventory, Processes Inventory, Software Inventory, and Securden Agents on Computers. |
Concise Reports | Users with this privilege will be able to view and access concise/micro reports pertaining to accounts and users. (Reports >> Concise Reports) |
Password Analysis Report | Users with this privilege will be able to view the password security analysis report. This includes the Work Account Analysis report and Personal Accounts Analysis report. |
Exported Report | Users with this privilege can view all the reports that were exported and downloaded by other users. |
Dashboard Reports | Users with this privilege can view the detailed summary of all the users and accounts present on the dashboard. |
Sessions | |
Playback Recorded Sessions | Users with this privilege will be able to view and play back all the recorded sessions of other users. |
Monitor Live Sessions | Users with this privilege can shadow and monitor ongoing sessions of other users. They can also terminate these sessions. |
Admin Operations | |
Manage Account Types | Account Types define the type of accounts being added under 'Work' and 'Personal' accounts in Securden. Users with this privilege will be able to add custom account types or edit and delete existing account types. |
Manage Password Policies | Password policy in Securden helps you define the strength, complexity requirements, periodicity for password resets, and other conditions. Users with this privilege will be able to add/delete a password policy and perform all actions related to it. (Under Admin >> Account Management >> Password Policy) |
Manage Event Listeners | You can trigger an action after the occurrence of any specific event or a sequence of events in Securden. For example, when the password of an account is changed, you can trigger a follow-up action automatically. This privilege lets the user add/delete and manage the listeners. |
Device Level Configurations | A user with this privilege will be able to manage all device-level configurations, which include managing remote credentials, session recording, remote gateway, and reports. |
Manage SSH Templates | You can define customized templates to carry out remote password resets on devices that can be connected through SSH. Users given this privilege will be able to add, define, delete, and manage all actions related to SSH templates. |
Approve Password Access Requests | Users with this privilege will be able to approve all the requests from other users to access certain passwords. |
Technician Access Policies for Specific Users and Specific Computers | Users with this privilege can create policies authorizing specific technicians to perform administrative tasks on specific endpoints. |
Technician Access Policies for all Users and all Computers | Users with this privilege can create policies authorizing all the users (technicians) to perform administrative tasks on all endpoints. |
Delete Technician Access Policies | You can create policies authorizing specific technicians to perform administrative tasks on specific endpoints. Users with this privilege will be able to delete all the existing technician access policies. |
Add Applications, Commands for Privilege Elevation | Users with this privilege will be able to add applications/commands for performing privilege elevation (elevating the privileges of applications in Windows, and allowing users to run specific commands with SUDO privileges in Linux). |
Configure Privilege Elevation Policies | Users with this privilege can define and manage control policies for seamless, on-demand elevation of applications for standard users (in Windows) and elevation of specific commands with SUDO privileges on Linux. |
Remove Admin Rights | Users with this privilege will be able to remove admin rights of any number of users on any number of computers. |
Manage Securden Agents | ‘Privilege Elevation and Delegation’ operates when a Securden agent is installed at all endpoints. Users with this permission will be able to manage the agent across all the endpoints. |
Manage Event Notifications | Securden can send email notifications upon the occurrence of certain events such as password retrieval, deletion, change in share permissions, and others. Users given this privilege will be able to configure the event notifications. |
Manage Expiration Notifications | You can send email notifications a certain number of days prior to the expiration date of the passwords to serve as a reminder to change the password. Users with this privilege will be able to manage the notifications sent during password expiry. |
Manage Breached Passwords Identification | Securden can periodically scan the breached passwords database and check if any of the passwords stored in the product match passwords that have been exposed in known data breaches. Users with this privilege can enable this feature and configure how often Securden should check for breached passwords. |
Manage Account Expiration Notification | You can keep track of the expiration dates of license keys and certificates stored in Securden. You can send email notifications a certain number of days prior to the expiration date to serve as a reminder. Users with this privilege will be able to configure this expiration notification for accounts. |
Manage Custom Roles | You can create custom user roles assigning specific access permissions to users based on the specific needs of your organization. Users with this privilege will be able to create customized user roles with varied features. |
Securden Agent Text Customization | You can customize the labels and messages in the Securden Agent interface. Users with this privilege will be able to modify the text of the interface. |
Manage Configuration Settings | You can customize the features of Securden in a granular manner. You can switch on and switch off certain features anytime as desired under the 'Configurations' section in the ‘Admin’ tab. Users with this privilege will be able to access it. |
Customize Logo, Text | You can replace the Securden logo that appears in the login page and also the text that appears throughout the GUI as you wish. Users with this privilege will be able to customize it. |
Change Product Language | Securden supports multiple languages, and you can carry out the desired language selection. Users with this privilege will be able to change the product language. |
Access and Manage APIs | Securden provides APIs for querying the database programmatically, retrieving credentials, and performing various other tasks. Users with this privilege will be able to create authentication tokens for carrying out various operations using APIs. |
Configure 2FA | You can enforce a second layer of authentication for your users to access their Securden account. Users with this privilege will be able to activate two-factor authentication. |
Manage Email to SMS Gateway | As part of two-factor authentication, Securden integrates with Email to SMS gateway providers to send one-time passwords as SMS to the phone numbers of the users. This privilege lets users configure this feature. |
Manage Duo Configuration | Securden integrates with Duo Security for two-factor authentication. Once configured, users will be required to authenticate through Duo to access the web interface. Users given this privilege will be able to configure this feature. |
Configure RADIUS Server Settings | You can integrate a RADIUS server or any RADIUS-compliant two-factor authentication system like OneSpan Digipass, RSA SecurID, Swivel Secure, etc. for the second factor of authentication. Users given this privilege will be able to configure these settings. |
Smart Card Authentication | If your organization uses smart cards for authenticating user logons, you can leverage the same for Securden authentication. Users given this privilege will be able to enable smart card authentication. |
Manage SIEM Integration | You can periodically share privileged access data logs with SIEM solutions. Users given this privilege will be able to manage the Syslog configuration in Securden. |
Manage SAML SSO Integration | Securden leverages SAML 2.0 to integrate with SAML-compatible federated identity management solutions like Okta, G Suite, Microsoft ADFS, OneLogin, PingIdentity, Azure AD SSO, and others for Single Sign On. Users given this privilege will be able to enable SAML SSO and configure it. |
Manage Ticketing System Integration | Securden integrates with web-based ticketing systems. The integration helps trace specific activities like password retrieval in Securden to corresponding entries in the ticketing system. This privilege lets users activate and configure ticketing system integration in Securden. |
Manage Mail Server Settings | Securden sends various email notifications to the users and to facilitate that, SMTP server details are to be configured. Users with this privilege will be able to configure the server settings. |
Manage Proxy Server Settings | If your organization makes use of a proxy server to regulate internet traffic, you should configure the proxy server details in Securden to connect to the internet. Users who are given this ability will be able to configure the proxy server settings. |
Manage Securden Server Connectivity Settings | Securden server connectivity specifies how client machines connect to the Securden web interface and the name with which client machines identify the Securden server host when deploying agents. Users who are given this privilege will be able to configure these settings. |
Manage Securden License | Users with this privilege can apply for the Securden license key and get information about the existing license from the ‘Admin’ section. Users who are given this privilege will be able to view the available information about the existing license, and also can apply for a new license. |
Manage Domain Administrator Groups | You can create a scheduled task to get notified if there is any modification in the domain administrator groups. Users with this privilege will get access to the Domain Administrator Groups and can also schedule the notifications. |
Change Encryption Key Location | Every installation of Securden is protected with a unique encryption key. Securden doesn’t allow the encryption key and the encrypted data to reside in the same location to ensure security. Hence, the key has to be moved outside the Securden installation folder. Users who are given this privilege will be able to change the location of the encryption key. |
Manage Certificate-based Authentication | To meet the demands of remote work scenarios, you can enable all or select users of your organization to securely access the Securden web interface over the internet. This access requires configuring an additional security measure by way of certificate-based client authentication. This privilege lets users enable certificate-based authentication and configure it. |
Manage IP-based Restrictions | You can control access to Securden server based on the IP addresses of users. Users with this privilege will be able to enable IP restrictions for other users. |
Manage User Access to Securden | If required, you can block access to Securden server from the browser extensions, APIs, and mobile apps. Users who are given this privilege will be able to block access, which will take effect for all users, including the super admin globally. |
Configure Remote Gateway | By default, all remote sessions launched from end user machines are tunneled through the Securden server, which acts as the gateway. There will not be any direct connectivity between the end user machines and the target device. For enhanced security, you may route all remote operations originating from Securden through a single, dedicated gateway (instead of Securden server acting as the gateway). Once configured, Securden will route all operations, including remote connections, session recording, and password resets through the gateway. Users who are given this privilege will be able to configure the remote gateway. |
Configure Session Recording | You can record the various remote privileged sessions initiated by users from Securden GUI. The recordings can then be played back as a video. Users who are given this privilege will be able to enable session recording. |
Use Advanced Session Recorder for Windows | To record the sessions on remote computers, you need to install Securden session recorder on the machines whose sessions are to be recorded. Users with this privilege will be able to deploy this advanced session recorder. |
Deploy Application Servers | If your IT assets/privileged accounts are distributed across multiple networks and if you want to manage all those devices using Securden, you should deploy Securden Application Servers in each of those networks and also associate each application server with a remote gateway. Users who are given this privilege will be able to deploy it. |
Configure Unix Connectors | You can associate the UNIX connector with the required devices. Once you associate, all remote connections and remote operations (including session initiation, session recording, remote password resets, and password verification) to the devices associated will be initiated through the connector. Users with this privilege will be able to configure it. |
Configure Database Backup | To ensure access to your data and passwords even in the unlikely scenario of something going wrong with the current installation, Securden offers disaster recovery provisions. You can take a backup of the entire database periodically. Users who are given this privilege will be able to schedule the backup. |
Configure High Availability | To ensure uninterrupted access to the web application, Securden comes with high availability architecture. You can deploy any number of additional application servers, which would serve as the secondary servers. In the event of the primary server going down, users can connect to any of the secondary servers. Securden agents will also connect to the secondary server, when the primary goes down. Users who are given this privilege will be able to set this feature on and configure the secondary application server(s). |
Maintenance and Upgrades | Users who are given this privilege will be able to access the 'Product Upgrades' section, where the latest product updates, release notes, and the steps to upgrade to the latest version are present. |
Configure Emergency Access | You can enable a designated list of users to access all passwords (work accounts) stored in Securden, breaking the usual access controls. This is to meet password access needs during certain emergencies. Users who are given this privilege will be able to configure the emergency access. |
Configure Assets and Assets Association for Remote Connections | Users who have this privilege can add their IT assets to Securden and configure the association between domain accounts and assets for launching remote connections. |
User Assets Association for Remote Connections | You can allow your users to launch remote connections to specific resources using the AD account with which they have logged in to Securden. You can associate the IT assets with the users, which will permit them to launch the connection with the assets allotted. This privilege lets the user configure the association between users and assets for launching remote connections. |
Configure Expired Password Rotation | Securden can automatically rotate passwords for accounts that support remote password reset when they expire or are about to expire. Users who have this privilege will be able to configure the password rotation upon expiration. |
Configure Custom Application Launcher | In addition to the default modes of launching web-based connections and through native clients, you can define custom application launchers to supply credentials and automatically launch any application, including thick application clients. Users who have this privilege will be able to create a profile for any such application and manage them in Securden to launch remote connections. |
Miscellaneous | |
Access Browser Extensions | Users with this privilege can access browser extensions to facilitate auto-fill of credentials on websites and web applications. |
Manage Browser Extensions | Users with this privilege will be able to manage and configure the browser extension settings. |
Use Windows Remote Launcher | Users with this privilege will be able to launch RDP and other remote connections from the Securden web interface. |
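
The following Python model of the approval note and the privilege table above is an added example, not Securden code or a Securden API. It shows what an approving administrator can check before clicking Approve: that the approver is not the role's creator, and which selected privileges reach beyond the user's own or shared accounts. The `CustomRole` record, its state names, the `BROAD_REACH` selection and the sample administrator names are assumptions made for illustration.

```python
"""Pre-approval review of a custom role. Added example, not Securden code."""
from dataclasses import dataclass

# Privileges from the table above whose descriptions reach past the user's own
# or shared accounts. The selection and wording are this example's reading of
# those descriptions (an assumption), not a Securden risk rating.
BROAD_REACH = {
    "Manage Custom Roles": "can create further custom roles",
    "Change User Role": "can change the roles of other users",
    "Configure Emergency Access": "configures access that breaks the usual access controls",
    "Manage User Access to Securden": "can block extension, API and mobile-app access for all users",
    "Change Encryption Key Location": "can relocate the installation's encryption key",
    "Access and Manage APIs": "can create API authentication tokens",
    "Playback Recorded Sessions": "can play back other users' recorded sessions",
    "Approve Password Access Requests": "can approve other users' password access requests",
}


@dataclass
class CustomRole:
    name: str
    description: str
    created_by: str
    privileges: frozenset
    state: str = "pending"  # hypothetical states: pending -> approved | deleted


def review(role):
    """Return sorted (privilege, reason) pairs the approver should read first."""
    return sorted((p, BROAD_REACH[p]) for p in role.privileges if p in BROAD_REACH)


def decide(role, approver, approve):
    """Apply Approve or Reject & Delete; the creator may not decide on the role."""
    if role.state != "pending":
        raise ValueError(f"role {role.name!r} is already {role.state}")
    # Assumption: administrator names compare case-insensitively.
    if approver.strip().lower() == role.created_by.strip().lower():
        raise PermissionError("approver must differ from the administrator who created the role")
    role.state = "approved" if approve else "deleted"
    return role.state


def effective_privileges(role):
    """A role grants nothing until a second administrator has approved it."""
    return role.privileges if role.state == "approved" else frozenset()


if __name__ == "__main__":
    # Constructed sample role; names are placeholders.
    role = CustomRole(
        name="Helpdesk Tier 2",
        description="constructed sample",
        created_by="admin.alice",
        privileges=frozenset({"View Account Details", "Change User Role",
                              "Access and Manage APIs"}),
    )
    for privilege, reason in review(role):
        print(f"review first: {privilege}: {reason}")
    try:
        decide(role, "admin.alice", True)
    except PermissionError as exc:
        print("refused:", exc)
    print(decide(role, "admin.bob", True), sorted(effective_privileges(role)))
```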