Granting User Permissions
Overview of Roles
PrivX users gain permissions from roles. For example, roles may allow users to:
Access target hosts.
Approve/deny requests.
Manage connections.
Manage audit data.
Manage secrets.
Perform PrivX administration.
Members of a role automatically receive that role's permissions; in other words, users gain permissions by becoming role members. Users may become role members in either of the following ways:
The user is included in the role via rules (mapped users). For more information about configuring rules for roles, see Managing Roles.
The user has been approved as a member of the role (approved users). For more information about approval mechanisms, see Requesting and Approving Memberships.
Both mapped and approved memberships may be time-restricted.
All users automatically start as members of the privx-user role.
Roles are also used for granting permissions to API clients.
For active PrivX users, permission changes take effect when their access token is refreshed. The interval is specified in /opt/privx/etc/oauth-shared-config.toml, by the setting access_token_valid.
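The membership semantics above (the implicit privx-user role, mapped and approved memberships with optional time windows, and the token-refresh lag) as an added model in Python; this is illustrative code, not PrivX's own implementation, and the role and permission names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed example roles; permission names are hypothetical, not PrivX's.
ROLES = {
    "privx-user": frozenset({"request-membership"}),
    "prod-db-access": frozenset({"access:prod-db"}),
    "approvers": frozenset({"approve-requests"}),
}


@dataclass(frozen=True)
class Membership:
    role: str
    source: str                                # "mapped" (via rule) or "approved"
    valid_from: Optional[datetime] = None      # None = no lower bound
    valid_until: Optional[datetime] = None     # None = no expiry

    def active_at(self, now: datetime) -> bool:
        """A time-restricted membership only counts inside its window."""
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_until is not None and now >= self.valid_until:
            return False
        return True


def effective_permissions(memberships, now: datetime) -> frozenset:
    """Union of the permissions of every role the user is an active member of."""
    perms = set(ROLES["privx-user"])           # every user holds privx-user
    for m in memberships:
        if m.active_at(now):
            perms |= ROLES[m.role]
    return frozenset(perms)


def token_permissions(memberships, issued_at: datetime, now: datetime,
                      access_token_valid: timedelta) -> frozenset:
    """Permissions a session actually carries at `now`.

    Models the caveat in the text: role changes are picked up only when the
    access token is refreshed, so the token reflects membership state as of
    its most recent issue time, not the current state.
    """
    refreshes = (now - issued_at) // access_token_valid   # whole refresh cycles
    last_issue = issued_at + refreshes * access_token_valid
    return effective_permissions(memberships, last_issue)
```

A membership revoked or expired mid-token-lifetime therefore still grants access until the next refresh, which is why a short access_token_valid tightens the window.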
Best Practices
Identify the different user groups and usage scenarios in your environment, and then plan what roles you need for sufficiently granular access control. Create those roles, then add your users to appropriate roles.