Basic User Groups, Roles, & Entitlements

Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the Administration > Identity Management feature.

Basic User Groups

  • For Basic User Groups, you can view a list of all of your organization's groups, add groups, and perform actions on individual groups.
  • In addition, administrators can modify entitlements (that is, access to features in the InsightCloudSec platform) for groups through the Actions menu. Details on those capabilities are included below under the Entitlements section.

Add a Basic User Group

  1. From Administration > Identity Management select the Basic User Groups tab.
  2. Locate and select the Add Basic User Group button on the top right corner of the page.
  3. Enter a Group Name and click Submit.
  4. Next, modify the group to add users (see Modify Basic User Group below).

Modify Basic User Group

The following actions are available to modify Basic User Groups:

| Basic User Groups Actions | Description |
|---|---|
| Rename | Renames the group. |
| Manage Basic Users | Adds and/or removes users. |
| Manage Basic User Roles | Adds and/or removes roles. |
| Manage Basic User Entitlements | Modifies Basic User role entitlements. |
| Delete | Deletes the group. |

Basic User Roles

Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From Administration > Identity Management you can select the Basic User Roles tab, where, with the appropriate permissions, you can add roles, modify existing roles, and view effective access for existing roles.

Add a Basic User Role

  1. Navigate to Administration > Identity Management in your InsightCloudSec platform.
  2. Click on the Basic User Roles tab and select the Add Basic User Role button on the top right of the page.
  3. Enter a name, description, and select the desired permissions.

Basic User Role Permissions

The following permissions are available for a Basic User Role. These are established when you Add Role, or can be accessed for existing roles by selecting the actions menu next to the target role and selecting Update Basic User Role.

| Role Permissions | Description |
|---|---|
| Global Scope | When enabled (via toggle), permission applies globally to all clouds/resources. |
| Add Cloud | An explicit permission that allows for least privileged access to add cloud accounts. This will work alongside other individual permissions given. |
| Delete Cloud | An explicit permission that allows for least privileged access to delete cloud accounts. This will work alongside other individual permissions given. |
| All Resource Permissions | Permission to execute any action within the role scope. Selecting this box will auto-select all of the items below it. |
| View | Permission to view resources within the scope. Note: Users without this permission will not be able to view resources in any feature, e.g., Layered Context, Identity Analysis, etc. |
| Manage | Permission to manage the resources in scope. |
| Delete | Permission to destroy resources. Note: Delete is not available for every resource type. |

Update Roles

The following actions are available to modify Roles:

| Modify Roles | Description |
|---|---|
| Show Role's Effective Access | Displays list of cloud accounts available to selected role. |
| Update Basic User Role | Allows the modification of name, description, and permissions for selected role. |
| Modify Basic User Group Associations | Adds and/or removes Groups. |
| Modify Badge Scope | Adds and/or removes Badges. |
| Modify Cloud Account Scope | Adds and/or removes Cloud Accounts. |
| Modify Resource Group Scope | Adds and/or removes Resource Groups. |
| Delete | Deletes selected role. |

Modify/View Cloud Role Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From Administration > Identity Management on the Basic User Roles tab, a user can select the Modify Cloud Account Scope option from the Actions menu to view the Cloud Accounts that are in scope for the target role.

Entitlements

Entitlements Behavior - Important Information

Conflicting entitlements - If a user is part of multiple groups and entitlements are applied to both groups, the user will receive the most permissive entitlements. For example, if one group gives the user viewer entitlement and another provides the user editor entitlement, the user will ultimately gain the editor entitlement.

Auditing Users - For customers looking to audit their user configurations, we recommend taking advantage of the export feature. Navigate to Identity Management > Users and then click the Download button. Use the CSV data to review possible duplicate users and associated entitlements prior to creating your new group structure.

Entitlements, through Basic User Groups, give domain users control over basic users' and organization admins' permissions to access certain parts of the InsightCloudSec platform. These are all managed at a group level through Basic User Groups. Access to these entitlements is available to administrators through Administration > Identity Management on the Basic User Groups tab.

View Resources Permission Required

Remember that many of the features associated with entitlements cannot be used unless the user has View access to at least some of your resources.

The available access entitlements are:

  • Disabled: This completely restricts access to the specified area of the tool. The disabled section (e.g., BotFactory) will not even appear in the navigation menu for this basic user.
  • Viewer: A Viewer will be able to see and navigate to the specified section of the tool but will not be able to edit or delete anything.
  • Editor: An Editor will be able to see and edit. Users will also be able to perform certain actions such as start, stop, pause, enable, etc. Editors do not have permission to delete.
  • Admin: With Admin entitlements, users will be able to see the entire section of the tool, as well as edit and perform delete actions.

Entitlements can be mixed and matched; for example, a Basic User Group might have Disabled for BotFactory but Editor entitlement for Tag Explorer. By default, Basic User Groups do not have any entitlements (everything will be Disabled).

For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.
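
The conflict rule described above (a user in several groups receives the most permissive entitlement) can be checked offline when planning a group structure. The following Python sketch is an added example, not InsightCloudSec code or its API: the group names, user names and dictionary layout are constructed assumptions, and only the four entitlement levels and the BotFactory and Tag Explorer namespaces come from this page.

```python
from collections import defaultdict

# Entitlement levels as listed on this page, least to most permissive.
LEVELS = ["Disabled", "Viewer", "Editor", "Admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data (hypothetical groups and users).
GROUP_ENTITLEMENTS = {
    "soc-analysts": {"BotFactory": "Viewer", "Tag Explorer": "Editor"},
    "automation-owners": {"BotFactory": "Editor"},
    "contractors": {},  # new group: everything Disabled by default
}
USER_GROUPS = {
    "alice": ["soc-analysts", "automation-owners"],
    "bob": ["soc-analysts"],
    "carol": ["contractors"],
}


def effective_entitlements(user_groups, group_entitlements):
    """Return {user: {namespace: (level, [groups granting that level])}}.

    Namespaces absent from the result are Disabled for that user.
    """
    result = {}
    for user, groups in user_groups.items():
        best = defaultdict(lambda: ("Disabled", []))
        for group in groups:
            for namespace, level in group_entitlements.get(group, {}).items():
                if level not in RANK:
                    raise ValueError(f"unknown level {level!r} in {group!r}")
                current, sources = best[namespace]
                if RANK[level] > RANK[current]:
                    best[namespace] = (level, [group])  # more permissive wins
                elif level == current and level != "Disabled":
                    sources.append(group)
        result[user] = dict(best)
    return result


def upward_conflicts(user_groups, group_entitlements):
    """List (user, namespace, level, sources) where groups set different levels."""
    findings = []
    effective = effective_entitlements(user_groups, group_entitlements)
    for user, namespaces in sorted(effective.items()):
        for namespace, (level, sources) in sorted(namespaces.items()):
            explicit = {group_entitlements[g][namespace] for g in user_groups[user]
                        if namespace in group_entitlements.get(g, {})}
            if len(explicit) > 1:
                findings.append((user, namespace, level, sources))
    return findings
```

Each finding names the group that supplies the winning level, which is the group to review if the user should hold the lower entitlement.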

Configuring Entitlements

  1. Navigate to Administration > Identity Management and then select the Basic User Groups tab.
  2. Select the Basic User Group in which you would like to modify entitlements and select the Actions menu to the left of the name.
  3. Select Manage Basic User Entitlements to open the dialog.
  4. Update the entitlements as necessary:
    1. Bulk edit:
      1. Select a role using the drop-down menu at the top of the list (next to Apply Bulk Update).
      2. Select the checkbox(es) next to each entitlement namespace you want to apply the role to.
      3. Click Apply Bulk Update, then click Submit.
    2. Single edit:
      1. Next to the entitlement namespace you want to apply, select a role using the drop-down menu.
      2. Click Submit.

These changes will be applied to all users who are members of this group.