Basic User Groups, Roles, & Entitlements

Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the "Administration --> Identity Management" feature.

Identity Management - Basic User Groups and Basic User Roles

Basic User Groups

  • For Basic User Groups, you can view a list of all of your organization's groups, add groups, and perform actions for individual groups.

  • In addition, administrators can modify entitlements (aka access to features in the InsightCloudSec platform) for groups through the Actions menu. Details on those capabilities are included below under the Entitlements section.

Identity Management - Basic User Groups

Add a Basic User Group

1. From "Administration --> Identity Management" select the "Basic User Groups" tab.

2. Locate and select the "Add Basic User Group" button on the top right corner of the page.

3. Enter a "Group Name" and click "Submit".

4. Next, you'll need to modify the group to add users (read on to the next section below).

Modify Basic User Group

The following actions are available to modify Basic User Groups:

Basic User Groups Actions
  • Rename: Renames the group.
  • Manage Basic Users: Adds and/or removes users.
  • Manage Basic User Roles: Adds and/or removes roles.
  • Manage Basic User Entitlements: Modifies Basic User role entitlements.
  • Delete: Deletes the group.

Basic User Roles

Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From "Administration --> Identity Management" you can select the "Basic User Roles" tab, where (with the appropriate permissions) you can add roles, modify existing roles, and view effective access for existing roles.

Add a Basic User Role

1. Navigate to "Administration --> Identity Management" in your InsightCloudSec platform.

2. Click on the "Basic User Roles" tab and select the "Add Basic User Role" button on the top right of the page.

3. Enter a name, description, and select the desired permissions.

Create Role Example

Basic User Role Permissions

The following permissions are available for a Basic User Role. These are established when you "Add Role", or can be accessed for existing roles by selecting the actions menu next to the target role and selecting "Update Basic User Role".

Role Permissions
  • Global Scope: When enabled (via toggle), permission applies globally to all clouds/resources.
  • Add Cloud: An explicit permission that allows for least privileged access to add cloud accounts. This will work alongside other individual permissions given.
  • Delete Cloud: An explicit permission that allows for least privileged access to delete cloud accounts. This will work alongside other individual permissions given.
  • All Resource Permissions: Permission to execute any action within the role scope. Selecting this box will auto-select all of the items below it.
  • View: Permission to view resources within the scope. Note: Users without this permission will not be able to view resources in any feature, e.g., Layered Context, Identity Analysis, etc.
  • Manage: Permission to manage the resources in scope.
  • Delete: Permission to destroy resources. Note: Delete is not available for every resource type.

Identity Management - Add or Modify a Role

Update Roles

The following actions are available to modify Roles:

Modify Roles
  • Show Role's Effective Access: Displays list of cloud accounts available to selected role.
  • Update Basic User Role: Allows the modification of name, description, and permissions for selected role.
  • Modify Basic User Group Associations: Adds and/or removes Groups.
  • Modify Badge Scope: Adds and/or removes Badges.
  • Modify Cloud Account Scope: Adds and/or removes Cloud Accounts.
  • Modify Resource Group Scope: Adds and/or removes Resource Groups.
  • Delete: Deletes selected role.

Modify/View Cloud Role Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Administration --> Identity Management" on the Basic User Roles tab, a user can select the "Modify Cloud Account Scope" option from the Actions menu to view the Cloud Accounts that are in scope for the target role.

Modify/View Cloud Accounts in Scope for a Target Role

Entitlements

Entitlements Behavior - Important Information

  • Conflicting entitlements - If a user is part of multiple groups and entitlements are applied to both groups, the user will receive the most permissive entitlements. For example, if one group gives the user “viewer” entitlement and another provides the user “editor” entitlement, the user will ultimately gain the "editor" entitlement. 

  • Auditing Users - For customers looking to audit their user configurations, we recommend taking advantage of the export feature. Navigate to "Identity Management --> Users" and then click the "Download" button. Use the CSV data to review possible duplicate users and associated entitlements prior to creating your new group structure.

Entitlements, through Basic User Groups, give domain users control over basic users' and organization admins' permissions to access certain parts of the InsightCloudSec platform. As of 21.2.3 these are all managed at a group level through Basic User Groups.

Access to these entitlements is available to administrators through "Administration --> Identity Management" on the "Basic User Groups" tab.

Supported Entitlement

Entitlements are currently supported for the following InsightCloudSec platform features:

View Resources Permission Required

Remember that many of the features associated with the entitlements above cannot be used unless the user has View access to at least some of your resources.

The available access entitlements are:

  • Disabled: Disabled completely restricts access to the specified area of the tool. The disabled section (e.g., BotFactory) will not even appear in the navigation menu for this basic user.
  • Viewer: A "Viewer" will be able to see and navigate to the specified section of the tool but will not be able to edit or delete anything.
  • Editor: An "Editor" will be able to see and edit. Users will also be able to perform certain actions such as start, stop, pause, enable, etc. Editors do not have permission to delete.
  • Admin: With "Admin" entitlements users will be able to see the entire section of the tool, as well as edit, and perform delete actions.

Entitlements are mix-and-match, e.g., a Basic User Role or Basic User Group might have "Disabled" for BotFactory, but have "Editor" entitlement for Tag Explorer. By default, all basic user roles will be given "Viewer" entitlement.
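The "most permissive wins" rule for conflicting entitlements and the CSV-based audit recommended earlier can be combined into a pre-migration check. The following is an added example, not InsightCloudSec code: the column names (`user`, `group`, `feature`, `entitlement`) and the sample rows are constructed assumptions, since the real export's layout is not shown on this page, and the least-to-most-permissive ordering is taken from the order of the list above.

```python
import csv
import io
from collections import defaultdict

# Least to most permissive, in the order the page lists the four levels.
LEVELS = ["Disabled", "Viewer", "Editor", "Admin"]
RANK = {name.lower(): i for i, name in enumerate(LEVELS)}

# Constructed sample rows; the real export's columns may differ (assumption).
SAMPLE_CSV = """user,group,feature,entitlement
alice@example.com,SecOps,BotFactory,Editor
alice@example.com,Auditors,BotFactory,Viewer
alice@example.com,Auditors,Tag Explorer,Viewer
bob@example.com,Auditors,BotFactory,Viewer
bob@example.com,Auditors,Tag Explorer,Viewer
Alice@Example.com,Contractors,BotFactory,Disabled
"""

def effective_entitlements(csv_text):
    """Return {user: {feature: (effective_level, {group: level})}}."""
    grants = defaultdict(lambda: defaultdict(dict))
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip().lower()  # fold case so duplicate users merge
        level = row["entitlement"].strip().lower()
        if level not in RANK:
            raise ValueError(f"unknown entitlement {row['entitlement']!r}")
        grants[user][row["feature"].strip()][row["group"].strip()] = level
    result = {}
    for user, features in grants.items():
        result[user] = {}
        for feature, by_group in features.items():
            top = max(by_group.values(), key=RANK.__getitem__)  # most permissive
            result[user][feature] = (LEVELS[RANK[top]], dict(by_group))
    return result

def escalations(csv_text):
    """List (user, feature, effective, group, group_level) for every group whose
    level is overridden by a more permissive level from another group."""
    findings = []
    for user, features in sorted(effective_entitlements(csv_text).items()):
        for feature, (eff, by_group) in sorted(features.items()):
            for group, level in sorted(by_group.items()):
                if RANK[level] < RANK[eff.lower()]:
                    findings.append((user, feature, eff, group, LEVELS[RANK[level]]))
    return findings

if __name__ == "__main__":
    for finding in escalations(SAMPLE_CSV):
        print("%s: %s is effectively %s although group %s sets %s" % finding)
```

Each finding marks a group whose restriction (including "Disabled") has no effect for that user because another membership grants more.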

For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.

Editing Group Entitlements

Configuring Entitlements

1. Navigate to "Administration --> Identity Management" and then select the "Basic User Groups" tab.

2. Select the Basic User Group in which you would like to modify entitlements and select the Actions menu to the left of the name.

Manage Group Entitlements

3. Administrators have several options for managing users/roles/entitlements:

  • Select "Manage Basic Users" to add or remove users from the selected Basic User Group.

    • Individual users are visible under "Administration --> Identity Management --> Users".
  • Select "Manage Basic User Roles" to select from & apply Basic User Roles to your Basic User Group.

    • Note these roles are managed under "Administration --> Identity Management --> Basic User Roles" and apply to cloud accounts and their respective access.
  • Select "Manage Basic User Entitlements" to open the dialog that allows you to select the individual permissions for each feature available for entitlements in the InsightCloudSec platform.

4. Select the Roles you wish to apply to the individual areas of entitlements, and/or select the individual entitlements you want to apply to the Basic User Group. Once you have made the desired changes, click "Submit".

  • These changes will be applied to all users who are members of this group.