10 Working with Grantees

This chapter describes the different tasks you can perform when working with grantees in Oracle Privileged Account Manager.

Note:

You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to add, edit, or delete grantees.

This chapter includes the following sections:

• Section 10.1, "What Are Grantees?"

• Section 10.2, "Granting Accounts to Users"

• Section 10.3, "Granting Accounts to Groups"

• Section 10.4, "Searching for Grantees"

• Section 10.5, "Opening a Grantee"

• Section 10.6, "Removing Grantees from an Account"

Note:

You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.

If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.

10.1 What Are Grantees?

Grantees are users or groups in the identity store that have been granted access to a privileged account managed by an Oracle Privileged Account Manager administrator. Users cannot check out a privileged account unless they have been granted access to that account.

Oracle Privileged Account Manager evaluates grants in the following sequence:

1. When a user tries to access and check out an account, Oracle Privileged Account Manager looks for a user grant for that user. If Oracle Privileged Account Manager finds a user grant, then the user is permitted to check out the account based on that grant and its associated Usage Policy.

2. If Oracle Privileged Account Manager does not find a user grant, it looks for group grants. A user can be a member of many groups. If Oracle Privileged Account Manager finds a group grant for any one of the user's groups, then the user is permitted to check out the account based on that group grant and its associated Usage Policy.

3. If the user is member of multiple groups, and more than one of those groups is available in group grants - then Oracle Privileged Account Manager can pick any one of the matching group grants at runtime. It is indeterministic to say exactly which matching group grant of the multiple ones Oracle Privileged Account Manager will pick at runtime.

4. If Oracle Privileged Account Manager cannot find a user grant or a group grant, then the user is denied access.

Note:

Before granting privileged accounts to users or groups, be sure to read, Section 2.4.4, "Avoiding Assignments through Multiple Paths."

10.2 Granting Accounts to Users

Use the following steps to grant access to a privileged account:

1. Locate the account where you want to grant access.

   1. Select Accounts in the Administration accordion.

   2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more the Search Accounts fields, and then click Search.

2. Select that account name in the Search Results table.

   The Account: Account Name page displays with the General, Grants, Credential Store Framework, and Checkout History tabs.

3. Select the Grants tab.

   If any users are already associated with this account, their names are listed in the table in the Users area.

4. Click Add to open the Add Users dialog.

5. In the Add Users dialog, enter all or part of a user name and then click Search.

   For example, if you want to add the jjones user, then you could type j, jj, or jon and the search results will include any user names containing those letters.

6. Select (check) one or more user names, and then click Add to make them grantees.

7. Click Close to close the dialog.

   The new user's name displays in the Users table.

Note:

At this point, the Default Usage Policy is automatically assigned to the user. However, you can use the Usage Policy menu to select a different policy for that user.

10.3 Granting Accounts to Groups

Use the following steps to grant access to a privileged account:

1. Locate the account where you want to grant access.

   1. Select Accounts in the Administration accordion.

   2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more the Search Accounts fields, and then click Search.

2. Select the account name in the Search Results table.

   The Account: Account Name page displays with the General, Grants, Credential Store Framework, and Checkout History tabs.

3. Select the Grants tab.

   If any groups are already associated with this account, their names are listed in the table in the Groups area.

4. Click Add to open the Add Groups dialog.

5. In the Add Groups dialog, enter all or part of a group name and then click Search.

   For example, if you want to add the hr_admin group, then you could type h, hr, or admin and the search results will include any group names containing those letters.

6. Select (check) one or more group names, and then click Add to make them grantees.

7. Click Close to close the dialog.

   The new group name displays in the Groups table.

Note:

At this point, the Default Usage Policy is automatically assigned to the group. However, you can use the Usage Policy menu to select a different policy for that group.

10.4 Searching for Grantees

If you have administrator privileges, you can search for grantees by using the following steps

1. Select User Grantees or Group Grantees in the Administration accordion.

2. When the User Grantees or the Group Grantees page displays, use the Search portlet to configure your search.

   • To search for a particular grantee, enter one or more letters of the name into the User Name or Group Name field.

   • To search for all available grantees, do not specify any search parameters.

3. Click Search.

   Review your search results in the Search Results table.

4. To perform another search, click Reset.

10.5 Opening a Grantee

You can open a grantee to view information about that user or group grantee.

Use one of the following methods to open a grantee from the User Grantees or the Group Grantees page:

• Click the User Name or the Group Name (an active link) in the Search Results table.

• Select the user or group Row number and then click the Open icon.

The User: UserName or the Group: GroupName page opens where you can review the information about that grantee and the privileged accounts for which they are granted access.

10.6 Removing Grantees from an Account

Note:

Removing a user or group grant from an account does not automatically cancel all existing check-outs.

When grantees check out an account, they are guaranteed access to that account until one of the following events occur:

• The user checks in the account

• Oracle Privileged Account Manager automatically checks in the account because the checkout duration has exceeded the expiration period specified by the account's Usage Policy

• An administrator forces an account check-in

However, after the account is checked in, the grantee cannot check out that account again unless an administrator re-adds them as a grantee.

To remove one or more grantees from an account

1. Open the account and select the Grants tab.

2. Select the user or group Row number in the Search Results table.

3. Click the Remove icon.

4. When you are prompted to confirm the removal, click the Remove button to continue, (or Cancel to terminate the operation).

   The prompt closes and the user or group is removed from the table.