docs/documentation/platform/pam/concepts/access-control.mdx
Access control in PAM happens at two levels:
Before anyone can do anything in PAM, they need to be added as a product member. This is the "entry ticket" to PAM.
There are two product roles:
| Role | What they can do |
|---|---|
| Product Admin | Create and manage templates, folders, and product-level settings |
| Product Member | Access PAM — needs folder/account memberships to connect |
Product Admins set up the governance layer — they don't automatically get access to connect to accounts. To connect, you need a membership on a folder or account.
<Note> Organization Admins can enter PAM as a Product Admin without being explicitly added — they just need to opt in. </Note>Once someone is a product member, they still need to be granted access to specific folders or accounts. You do this by assigning them a role on a folder or account.
| Role | What they can do |
|---|---|
| Admin | Full control — accounts, folders, sessions, memberships |
| Connector | Launch sessions and connect to accounts |
| Auditor | View audit logs and session recordings |
You can assign roles at two levels:
Folder memberships apply to all accounts in the folder. This is the primary way to grant access — if someone needs access to a set of accounts, grant them a role on the folder.
Account memberships apply to a single account. Use this for exceptions — a contractor who needs just one database, or temporary elevated access to a specific account.
For folders:
For accounts:
Here's a typical setup:
platform-team folderThe Product Admin sets up the governance structure. The Folder Admin manages day-to-day access within their scope. Team members connect to what they've been granted access to.