Basic User Groups, Roles, & Entitlements

Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the "Administration --> Identity Management" feature.

Identity Management - Basic User Groups and Basic User Roles

Basic User Groups

  • For Basic User Groups, you can view a list of all of your organization's groups, add groups, and perform actions on individual groups.

  • In addition, administrators can modify entitlements (that is, access to features in the InsightCloudSec platform) for groups through the Actions menu. Details on those capabilities are included below under the Entitlements section.

Identity Management - Basic User Groups

Add a Basic User Group

1. From "Administration --> Identity Management" select the "Basic User Groups" tab.

2. Locate and select the "Add Basic User Group" button on the top right corner of the page.

3. Enter a "Group Name" and click "Submit".

4. Next, you'll need to modify the group to add users (read on to the next section below).

Modify Basic User Group

The following actions are available to modify Basic User Groups:

Basic User Groups Actions

  • Rename: Renames the group.
  • Manage Basic Users: Adds and/or removes users.
  • Manage Basic User Roles: Adds and/or removes roles.
  • Manage Basic User Entitlements: Modifies Basic User role entitlements.
  • Delete: Deletes the group.

Basic User Roles

Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From "Administration --> Identity Management" you can select the "Basic User Roles" tab, where, with the appropriate permissions, you can add roles, modify existing roles, and view effective access for existing roles.

Add a Basic User Role

1. Navigate to "Administration --> Identity Management" in your InsightCloudSec platform.

2. Click on the "Basic User Roles" tab and select the "Add Basic User Role" button on the top right of the page.

3. Enter a name, description, and select the desired permissions.

Create Role Example

Basic User Role Permissions

The following permissions are available for a Basic User Role. These are established when you "Add Role", or can be accessed for existing roles by selecting the actions menu next to the target role and selecting "Update Basic User Role".

Role Permissions

  • Global Scope: When enabled (via toggle), permission applies globally to all clouds/resources.
  • Add Cloud: An explicit permission that allows for least privileged access to add cloud accounts. This will work alongside other individual permissions given.
  • Delete Cloud: An explicit permission that allows for least privileged access to delete cloud accounts. This will work alongside other individual permissions given.
  • All Resource Permissions: Permission to execute any action within the role scope. Selecting this box will auto-select all of the items below it.
  • View: Permission to view resources within the scope.
  • Manage: Permission to manage the resources in scope.
  • Delete: Permission to destroy resources. Note: Delete is not available for every resource type.

Identity Management - Add or Modify a Role

Update Roles

The following actions are available to modify Roles:

Modify Roles

  • Show Role's Effective Access: Displays list of cloud accounts available to selected role.
  • Update Basic User Role: Allows the modification of name, description, and permissions for selected role.
  • Modify Basic User Group Associations: Adds and/or removes Groups.
  • Modify Badge Scope: Adds and/or removes Badges.
  • Modify Cloud Account Scope: Adds and/or removes Cloud Accounts.
  • Modify Resource Group Scope: Adds and/or removes Resource Groups.
  • Delete: Deletes selected role.

Modify/View Cloud Role Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Administration --> Identity Management" on the Basic User Roles tab, a user can select the "Modify Cloud Account Scope" option from the Actions menu to view the Cloud Accounts that are in scope for the target role.

Modify/View Cloud Accounts in Scope for a Target Role

Entitlements

Entitlements Behavior - Important Information

  • Conflicting entitlements: If a user is part of multiple groups and entitlements are applied to both groups, the user will receive the most permissive entitlements. For example, if one group gives the user "viewer" entitlement and another provides the user "editor" entitlement, the user will ultimately gain the "editor" entitlement.

  • Auditing Users: For customers looking to audit their user configurations, we recommend taking advantage of the export feature. Navigate to "Identity Management --> Users" and then click the "Download" button. Use the CSV data to review possible duplicate users and associated entitlements prior to creating your new group structure.

Entitlements, through Basic User Groups, give domain users control over basic users' and organization admins' permissions to access certain parts of the InsightCloudSec platform. As of 21.2.3 these are all managed at a group level through Basic User Groups.

Access to these entitlements is available to administrators through "Administration --> Identity Management" on the "Basic User Groups" tab, as shown in the example below.

Managing Entitlements

Supported Entitlements

Entitlements are currently supported for the following InsightCloudSec platform features:

  • BotFactory
  • Data Collections
  • Scheduled Events
  • Exemptions
  • Resource Groups
  • Infrastructure as Code
  • Insights
  • Tag Explorer
  • Access Explorer (available to customers who have purchased this add-on feature)

The available access entitlements are:

  • Disabled: Disabled completely restricts access to the specified area of the tool. The disabled section (e.g., BotFactory) will not even appear in the navigation menu for this basic user.
  • Viewer: A "viewer" will be able to see and navigate to the specified section of the tool but will not be able to edit or delete anything.
  • Editor: An "editor" will be able to see and edit. Users will also be able to perform certain actions such as start, stop, pause, enable, etc. Editors do not have permission to delete.
  • Admin: With "admin" entitlements users will be able to see the entire section of the tool, as well as edit, and perform delete actions.

Entitlements are mix-and-match, e.g., a Basic User Role or Basic User Group might have "disabled" for BotFactory, but have "editor" entitlement for Tag Explorer. By default, all basic user roles will be given "Viewer" entitlement.

For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.
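
The "most permissive entitlement wins" rule described under Entitlements Behavior can be checked offline before restructuring groups. The following Python script is an added example, not InsightCloudSec code: it computes each user's effective entitlement per feature and reports the cases where group memberships disagree. The CSV column names and sample rows are constructed assumptions, not the actual export schema, and features a group does not list are ignored.

```python
import csv
import io
from collections import defaultdict

# Least to most permissive, following the level descriptions on this page.
LEVELS = ["Disabled", "Viewer", "Editor", "Admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data; column names are assumptions, not the real export schema.
MEMBERSHIP_CSV = """user,group
alice,cloud-ops
alice,auditors
bob,auditors
carol,cloud-ops
"""
GROUP_ENTITLEMENTS_CSV = """group,feature,entitlement
cloud-ops,BotFactory,Editor
cloud-ops,Tag Explorer,Admin
auditors,BotFactory,Viewer
auditors,Tag Explorer,Disabled
auditors,Insights,Viewer
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(memberships, grants):
    """Return (effective {user: {feature: level}}, findings where groups disagree)."""
    by_group = defaultdict(dict)
    for row in grants:
        if row["entitlement"] not in RANK:
            raise ValueError(f"unknown entitlement: {row['entitlement']!r}")
        by_group[row["group"]][row["feature"]] = row["entitlement"]
    seen = defaultdict(lambda: defaultdict(dict))  # user -> feature -> {group: level}
    for row in memberships:
        for feature, level in by_group[row["group"]].items():
            seen[row["user"]][feature][row["group"]] = level
    effective, findings = {}, []
    for user, features in seen.items():
        effective[user] = {}
        for feature, per_group in features.items():
            winner = max(per_group.values(), key=RANK.__getitem__)  # most permissive
            effective[user][feature] = winner
            if len(set(per_group.values())) > 1:  # a stricter group is overridden
                findings.append((user, feature, winner, dict(per_group)))
    return effective, sorted(findings, key=lambda f: f[:2])

if __name__ == "__main__":
    _, findings = audit(load_rows(MEMBERSHIP_CSV), load_rows(GROUP_ENTITLEMENTS_CSV))
    print(*findings, sep="\n")
```

Each finding names the groups involved, so a reviewer can see which membership overrides a stricter setting such as "Disabled".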

Editing Group Entitlements

Configuring Entitlements

1. Navigate to "Administration --> Identity Management" and then select the "Basic User Groups" tab.

2. Locate the Basic User Group whose entitlements you would like to modify and select the Actions menu to the left of its name.

Manage Group Entitlements

3. Administrators have several options for managing users/roles/entitlements:

  • Select "Manage Basic Users" to add or remove users from the selected Basic User Group.

    • Individual users are visible under "Administration --> Identity Management --> Users".
  • Select "Manage Basic User Roles" to select Basic User Roles and apply them to your Basic User Group.

    • Note these roles are managed under "Administration --> Identity Management --> Basic User Roles" and apply to cloud accounts and their respective access.
  • Select "Manage Basic User Entitlements" to open the dialog that allows you to select the individual permissions for each feature available for entitlements in the InsightCloudSec platform.

4. Select the Roles you wish to apply to the individual areas of entitlements, and/or select the individual entitlements you want to apply to the Basic User Group. Once you have made the desired changes, click "Submit".

  • These changes will be applied to all users who are members of this group.
