At Devolutions, employees have permission to enter the building during work hours — a standard expectation for any organization. This permission allows employees to access their workplace and perform their duties. In contrast, family members, friends, and guests do not have this same permission. However, they can be granted temporary access (the children yearn for the pinball machines), and this would be considered a privilege.
In everyday life, the differences between "permission" and "privilege" are well understood. However, in the context of access controls, these terms are often used in such close proximity to each other that they can seem like synonyms. So, what should one think when encountering terms like "permission sets" and "privilege sets," given that both exist as features in Devolutions Server (DVLS)? This article aims to clarify their distinct functions, applications, and advantages.
Decoding privilege sets
Privilege sets were introduced in 2024.2 for Devolutions Server + Devolutions PAM. This feature enhances the flexibility and security of managing privileged accounts within an Active Directory (AD) or Microsoft Entra ID (formerly Azure Active Directory) environment by allowing more granular control over group memberships and permissions.
These privileged accounts are high-level accounts with elevated permissions, offering rights such as access to a sensitive server or business data.
Functionality
With privilege sets, administrators can now optionally add a PAM account to an Active Directory or Entra ID group upon check-out. This “elevation” action effectively changes the permissions of the PAM account by including it in the specified group. Before this update, every PAM account had access to all groups deemed available, as defined in the initial input box (e.g., "AD Domain Admins").
Customization and control
The introduction of privilege sets allows administrators to create custom sets of Active Directory or Entra ID groups. These sets can then be assigned to specific PAM accounts, ensuring that each account only has access to the groups that are relevant to its intended use.
Benefits
Prior to the 2024.2 release, DVLS displayed all available just-in-time (JIT) elevation groups to all eligible PAM entries. This broad visibility could lead to confusion and incorrect group usage, such as requesting more privilege than necessary or appropriate, as not all groups are applicable to every entry. The new privilege sets feature addresses this issue by allowing administrators to assign specific sets of privileges to entries, thereby improving organization and reducing the risk of incorrect group usage.
Decoding permission sets
Permission sets are a feature in Devolutions Server designed to simplify and streamline the process of assigning permissions to users and roles. This feature allows administrators to manage user permissions efficiently by using predefined or custom sets of permissions, ensuring consistent and appropriate access controls across the organization.
Default roles and custom permissions
Devolutions Server includes several default roles, namely Contributor, Operator, and Reader. These roles come with predefined sets of permissions tailored to typical user needs. However, there are situations in which custom permissions are required for certain users or roles. Instead of manually configuring these custom permissions each time, administrators can create a custom permission set that includes the desired permissions. Permission sets can be managed by going to Administration > System settings > Vault management > Permission sets.
Creating and assigning permission sets
A permission set is a predefined or custom collection of permissions assigned to a given user or role. Administrators can create permission sets to package the necessary permissions together for specific tasks or responsibilities, then assign the permission set to users in batches (the “grant access” button for granting batch access can be found in the properties of entries, folders, and vaults under Security > Permissions).
Benefits
Permission sets offer several advantages:
- Efficiency: Assigning a single permission set is faster and less error-prone than manually selecting individual permissions for each user.
- Consistency: Permission sets ensure that users with similar roles have consistent access levels, reducing the risk of misconfigured permissions.
- Simplified management: Administrators can easily manage and update a permission set, which is a template of permissions that can be quickly assigned to accounts as needed. Changing a permission set template will not affect previously assigned permissions.
Tell us what you think
What other terms or features in Devolutions Server or our other solutions would you like us to clarify next? Share your thoughts and help us create content that addresses your needs and questions.