Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SAS PCE

Operators and roles

search

Please Note:

printsuggest an editpdf paneldownload

Operators and roles

A role defines what an Operator can do through the SAS console. It reflects the account's business objectives, security requirements, operational hierarchy, and workflow.

A role defines a set of access permissions for specific tabs, modules, and actions that are suitable for a particular position. Access to tabs and modules can be disabled. This level of detail allows you to personalize the security settings for each Virtual Server and role based on the operational requirement of the account.

The Operator role can be assigned to the user who is promoted to Operator on the Operators tab. If a different role is required, create the user on the Assignment tab, promote the user to Operator status from the Operators tab (optional), and select an appropriate role.

Roles are specific to the Virtual Server in which they are configured. The Operator role grants unrestricted rights to manage the Virtual Server.

copy link to clipboardRole permissions

All permissions are set at the account level. As a result, an Operator can have different permission levels for different accounts.

note

Note

Some features may not be available in your service zone.

Where access to modules is allowed, you can restrict the actions within a module through permissions, for example:

  • To remove a role's ability to assign a token, deselect the Add check box in the Assignment section > Tokens row.

  • To remove a role's ability to provision a token, deselect the Access check box in the Assignment section > Provisioning row.

  • To remove a role's access to the Operator tab and all of its modules, deselect the Operators check box in the Operators section.

copy link to clipboardAdd or edit a role

Existing roles are displayed in the roles list. All roles except the default Operator role can be edited or removed. The role access options include a check box for each tab, and for the modules and actions on the tabs. Clearing a check box removes the tab, module, or action from the role.

After you configure roles, you can assign them. You can also automate role provisioning.

  1. On the SAS console, select Policy > Role Management and then click the Role Management task.

    alt_text

  2. To add a role, click Add.

    (Optionally) To edit an existing role, click the Edit hyperlink.

    (Optionally) To add a role that is similar to an existing role, select the existing role name, click Duplicate, and then edit the copy as required.

    alt_text

  3. Type the Role Name, and then click Next.

    There is a check box for each tab, module, and action that you can set permissions for.

    alt_text

    alt_text

    alt_text

    alt_text

    caution

    Caution

    It is a best practice to limit a role with Remote Services access to a specific API user. A user whose role includes Remote Services has full access to the management API, regardless of any other limitations that are imposed on that user.

  4. Select the role's access permissions for tabs, modules, and actions:

    • Access—Enables the role to access the module. To limit the role to read-only access, select Access and deselect Edit.

    • Edit—Enables the role to access edit functions, even if Access is not selected.

      note

      Note

      If neither Access nor Edit are selected, the module does not display.

    • Delete—Enables the role to access delete or remove functions.

    • Add—Enables the role to access add functions.

    • Import—Enables the role to access import functions.

    • Export—Enables the role to access export functions.

    • View Log—Enables the role to access the View Log function.

  5. Click Save to commit the role configuration.

    After you add a role, you can assign it to Operators or create provision roles automatically.

On this page