Basic User Groups, Roles, & Entitlements

Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the "Administration --> Identity Management" feature.

Identity Management - Basic User Groups and Basic User Roles

Identity Management - Basic User Groups and Basic User Roles

Basic User Groups

  • For Basic User Groups, you can view a list of all of your Organizations Groups, add groups, and perform actions for individual groups.

  • In addition, administrators can modify entitlements (aka access to features in the InsightCloudSec platform) for groups through the Actions menu. Details on those capabilities are included below under the Entitlements section.

Identity Management - Basic User Groups

Identity Management - Basic User Groups

Add a Basic User Group

1. From "Administration --> Identity Management" select the "Basic User Groups" tab.

2. Locate and select the "Add Basic User Group" button on the top right corner of the page.

3. Enter a "Group Name" and click "Submit".

4. Next, you'll need to modify the group to add users (read on to the next section below).

Modify Basic User Group

The following actions are available to modify Basic User Groups:

Basic User Groups Actions
RenameRenames the group.
Manage Basic UsersAdds and/or removes users.
Manage Basic User RolesAdds and/or removes roles.
Manage Basic User EntitlementsModifies Basic User role entitlements.
DeleteDeletes the group.

Basic User Roles

Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From "Administration --> Identity Management" you can select the "Basic User Roles" tab, where you (with the appropriate permissions) will have access to: add roles, modify existing roles, and view effective access for existing roles.

Add a Basic User Role

1. Navigate to "Administration --> Identity Management" in your InsightCloudSec platform.

2. Click on the "Basic User Roles" tab and select the "Add Basic User Role" button on the top right of the page.

3. Enter a name, description, and select the desired permissions.


Create Role Example

Basic User Role Permissions

The following permissions are available for a Basic User Role. These are established when you "Add Role", or can be accessed for existing roles by selecting the actions menu next to the target role and selecting "Update Basic User Role".

Role Permissions
Global ScopeWhen enabled (via toggle), permission applies globally to all clouds/resources.
Add CloudAn explicit permission that allows for least privileged access to add cloud accounts. This will work alongside other individual permissions given.
Delete CloudAn explicit permission that allows for least privileged access to delete cloud accounts. This will work alongside other individual permissions given.
All Resource PermissionsPermission to execute any action within the role scope. Selecting this box will auto-select all of the items below it.
ViewPermission to view resources within the scope. Note: Users without this permission will not be able to view resources in any feature, e.g., Layered Context, Identity Analysis, etc.
ManagePermission to manage the resources in scope.
DeletePermission to destroy resources. Note: Delete is not available for every resource type.

Identity Management - Add or Modify a Role

Update Roles

The following actions are available to modify Roles:

Modify Roles
Show Role's Effective AccessDisplays list of cloud accounts available to selected role.
Update Basic User RoleAllows the modification of name, description, and permissions for selected role.
Modify Basic User Group AssociationsAdds and/or removes Groups.
Modify Badge ScopeAdds and/or removes Badges.
Modify Cloud Account ScopeAdds and/or removes Cloud Accounts.
Modify Resource Group ScopeAdds and/or removes Resource Groups.
DeleteDeletes selected role.

Modify/View Cloud Role Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Administration --> Identity Management" on the Basic User Roles tab, a user can select the "Modify Cloud Account Scope" option from the Actions menu to view the Cloud Accounts that are in scope for the target role.


Modify/View Cloud Accounts in Scope for a Target Role



Entitlements Behavior - Important Information

  • Conflicting entitlements - If a user is part of multiple groups and entitlements are applied to both groups, the user will receive the most permissive entitlements. For example, if one group gives the user “viewer” entitlement and another provides the user “editor” entitlement, the user will ultimately gain the "editor" entitlement. 

  • Auditing Users - For customers looking to audit their user configurations, we recommend taking advantage of the export feature. Navigate to "Identity Management --> Users" and then click the "Download" button. Use the CSV data to review possible duplicate users and associated entitlements prior to creating your new group structure.

Entitlements, through Basic User Groups, give domain users control over basic users' and organization admins' permissions to access certain parts of the InsightCloudSec platform. As of 21.2.3 these are all managed at a group level through Basic User Groups.

Access to these entitlements are available to administrators through "Administration --> Identity Management" on the "Basic User Groups" tab.

Supported Entitlement

Entitlements are currently supported for the following InsightCloudSec platform features:


View Resources Permission Required

Remember that many of the features associated with the entitlements above cannot be used unless the user has View access to at least some or your resources.

The available access entitlements are:

  • Disabled: Disabled completely restricts access to the specified area of the tool. The disabled section (e.g., BotFactory) will not even appear in the navigation menu for this basic user.
  • Viewer: A "Viewer" will be able to see and navigate to the specified section of the tool but will not be able to edit or delete anything.
  • Editor: An "Editor" will be able to see and edit. Users will also be able to perform certain actions such as start, stop, pause, enable, etc. Editors do not have permission to delete.
  • Admin: With "Admin" entitlements users will be able to see the entire section of the tool, as well as edit, and perform delete actions.

Entitlements are mix-and-match, e.g., a Basic User Role or Basic User Group might have "Disabled" for BotFactory, but have "Editor" entitlement for Tag Explorer. By default, all basic user roles will be given "Viewer" entitlement.

For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.

Editing Group Entitlements

Editing Group Entitlements

Configuring Entitlements

1. Navigate to "Administration --> Identity Management" and then select the "Basic User Groups" tab.

2. Select the Basic User Group in which you would like to modify entitlements and select the Actions menu to the left of the name.


Manage Group Entitlements

3. Administrators have several options for managing users/roles/entitlements:

  • Select "Manage Basic Users" to add or remove users from the selected Basic User Group.

    • Individual users are visible under "Administration --> Identity Management --> Users".
  • Select "Manage Basic User Roles" to select from & apply Basic User Roles to your Basic User Group.

    • Note these roles are managed under "Administration --> Identity Management --> Basic User Roles" and apply to cloud accounts and their respective access.
  • Select "Manage Basic User Entitlements" to open the dialog that allows you to select the individual permissions for each feature available for entitlements in the InsightCloudSec platform.

4. Select the Roles you wish to apply to the individual areas of entitlements, and/or select the individual entitlements you want to apply to the Basic User Group. Once you have made the desired changes, click "Submit".

  • These changes will be applied to all users who are members of this group.