DivvyCloud

Welcome to the DivvyCloud Docs!

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation reach out to us [email protected]

User, Groups, and Roles (Administration)

Overview

Access to DivvyCloud is managed through a section of the tool called Identity Management.
In DivvyCloud, under the Administration section, Identity Management enables administrators to see details about their Domain Admins, Users (at the Organization level), User Groups, Roles & Entitlements, and Authentication Servers.

Note: Access and visibility vary based on permissions. Reach out [email protected] if you have questions or issues.

Identity Management - Users Page Example

Users

Users in DivvyCloud are of two types: Organization Admins and Basic Users. These users are defined at the Organizations level.

Organization Admins have all permissions for all cloud resources within the organization. You may add these users to Groups and assign permissions to them as you would Basic Users. However, Organization Admin permission will always take precedence. At any time, a user can be converted from Organization Admin to a Basic User and likewise the reverse.

  • For a bit more information on Admin capabilities take a look at our page on Identity Management.
  • Users with domain admin or read-only admin permissions can also download a CSV report that lists domain administrators/viewers.

Download a CSV of Domain Admin and Admin Viewers

Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.

Things to Note

DivvyCloud resources such as Bots and Provisioning Templates are not restricted by permissions and are visible to all Organization Users.

A user’s aggregate permissions are the sum of permissions from all groups in which they are a member.

Add a User

1. To add a Basic User, select the "Users" tab on the Identity Management page and locate the Add User button in the top right corner.

2. Select the type of Authentication you would like to assign the user.

3. Select the type of user: Organization Admin or Basic User and then fill out the remaining details.

Modifying a User

Administrators can modify existing users through the Actions menu located to the left of each user's name.

The following actions are available to modify Users:

Modify User Actions: Result of Action
Unlock Account: Unlocks target account by removing suspension for "locked" users.
Lock Account: Suspends the user and prevents them from logging in without removing the account.
Update User: Modify name, email and password.
Promote to Domain Admin: Add domain admin privilege to the user.
Modify Group Associations: Add or remove user from Groups, which will grant/revoke privileges to a user from the Group's roles.
Require MFA for User: Require MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled.
Disable MFA Requirement: Disables MFA requirement for target user.
Delete: Delete user; the record is maintained for change history accountability, but name and email are purged.

Download Users

Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.

Download Button on Users Tab

Domain Admins

Domain admins can be managed from the first tab in the Identity Management section (under Administration on the left-side menu). Updating, deleting, and requiring ‘Two Factor Authentication’ for a domain admin are available via the actions dropdown menu. These actions are the same for Basic Users in the next tab.

Add Domain Admin

1. To add a Domain Admin, locate the Add Admin button on the top right corner of the Domain Admin Tab in the Identity Management page.

2. Select the type of Authentication you would like to assign the user and then fill out the remaining details.

Update Domain Admin

The following actions are available to modify domain admin:

Modify Domain Admin
Update: Modify name, email and password.
Revoke Domain Admin Role: Remove domain admin privileges.
Require Two Factor Authentication (TFA): Enable or disable TFA for user. User will be required to set up TFA on their next login attempt.
Delete: Delete user; the record is maintained for change history accountability, but name and email are purged.

Domain Viewer

The Domain Viewer type gives a user full read-only access to the entire installation; however, users of this type cannot perform any lifecycle operations on cloud resources, create Insights or Bots, or perform any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.

User Groups

User Groups are leveraged in conjunction with Roles to grant permissions to Basic Users. User Groups are simply a list of users linked to a list of Roles. This allows for very flexible and reusable permissions organization.

For example, take the simple use case of granting view access to security audit teams. Both users and resources under review will change over time.

Add User Group

1. To create a user group, locate the Add User Group button on the top right corner of the User Groups Tab in the Identity Management page.

2. Enter a Name; select Submit.

3. Modify the group to add users (see the next section below).

Update User Group

The following actions are available to modify User Groups:

User Groups Actions
Rename: Rename group.
Manage Users: Add and/or Remove users.
Manage Roles: Add and/or Remove roles.
Delete: Delete group.

Roles

Roles store the specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes.

Add Role

1. To create a role, locate the Add Role button on the top right corner of the Roles Tab in the Identity Management page.

2. Enter the name, description, and select the permissions.

Role Permissions
All Permissions: Permission to execute any action within the role scope
View: Permission to view resources within the scope
Provision: Permission to create new resources
Manage: Permission to manage the resources in scope
Delete: Permission to destroy resources
Add Cloud: An explicit permission that allows for least privilege access to add cloud accounts; it works alongside other individual permissions given, but will not work if 'All Permissions' is selected
Global Scope: Permission applies globally to all clouds/resources

Update Roles

The following actions are available to modify Roles:

Modify Roles
Update Role: Modify name, description and permissions for Role
Modify Group Associations: Add and/or Remove Groups
Modify Cloud Accounts Scope: Add and/or Remove Cloud Accounts
Modify Badges Scope: Add and/or Remove Badges
Modify Resource Groups Scope: Add and/or Remove Resource Groups
Delete: Delete Role

View Role Cloud Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Identity Management - Roles & Entitlements" in the DivvyCloud administration section, each Role Name is now a clickable link.

Selecting the Role Name will open a panel that displays the associated cloud accounts including the Name, Account ID, and Cloud provider (identified by logo).
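
The permission model described in the Users, User Groups, and Roles sections, as an added example that is not DivvyCloud code or its API: a small Python model of how a Basic User's aggregate permissions on one cloud account follow from group membership and role scope, with the Organization Admin override. All class, function, role, group, and account names are hypothetical, and dropping Add Cloud from a role that selects All Permissions is this example's reading of the Role Permissions table.

```python
from dataclasses import dataclass, field

ALL, ADD_CLOUD = "All Permissions", "Add Cloud"

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset                    # entries from the Role Permissions table
    cloud_accounts: frozenset = frozenset()   # Cloud Accounts scope of the role
    global_scope: bool = False                # "Global Scope" selected

    def grants(self):
        # Per the table, Add Cloud will not work if All Permissions is selected.
        if ALL in self.permissions:
            return self.permissions - {ADD_CLOUD}
        return self.permissions

@dataclass
class User:
    name: str
    org_admin: bool = False
    groups: list = field(default_factory=list)

def effective_permissions(user, group_roles, account):
    """Permissions `user` holds on `account`: the union over every group's roles."""
    if user.org_admin:            # Organization Admin permission takes precedence
        return {ALL}
    granted = set()               # Basic Users start with no access
    for group in user.groups:
        for role in group_roles.get(group, ()):
            if role.global_scope or account in role.cloud_accounts:
                granted |= role.grants()
    return granted

def role_findings(role):
    """Review notes for one role definition (checks chosen for this example)."""
    notes = []
    if ALL in role.permissions and ADD_CLOUD in role.permissions:
        notes.append("Add Cloud is ineffective alongside All Permissions")
    if ALL in role.permissions and role.global_scope:
        notes.append("All Permissions with Global Scope")
    return notes

# Constructed sample data: role, group, and account names are made up.
AUDIT_VIEW = Role("audit-view", frozenset({"View"}), global_scope=True)
PROD_OPS = Role("prod-ops", frozenset({"Manage", "Delete"}), frozenset({"acct-prod"}))
ONBOARD = Role("onboard", frozenset({ALL, ADD_CLOUD}), frozenset({"acct-dev"}))
GROUP_ROLES = {"auditors": [AUDIT_VIEW], "ops": [PROD_OPS], "dev": [ONBOARD]}
alice = User("alice", groups=["auditors", "ops"])
```

Running `effective_permissions` for every user and account pair gives a reviewable access matrix, which is useful when checking that an audit group really is view-only after roles or group memberships change.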

Passwords

Password Requirements

DivvyCloud enforces the following password requirements:

A minimum of 12 characters to include: one special character, one uppercase character, one lowercase character, and one number.

Resetting Passwords

No SMTP Configured

For users with no SMTP configuration, a password reset will require an administrator to manually reset the password with a temporary password. The email notification capability is not available.

Forgotten Password - A password reset can be requested by the user through the "forgot password" link located on the DivvyCloud sign-in form. Clicking this link triggers an email that will enable a user to reset their password. This option is available to new users as well as existing users.

In App Password Reset - A user can change their password by navigating to their profile, confirming their existing password, and then creating a new password.

Admin Password Reset Request (SMTP) - A Domain Administrator can select a specific user and generate an email that prompts the target user to reset their password.

  • From the main navigation menu, select "Identity Management", select "Users", and find the user whose password you'd like to reset.
  • Click the action icon to the left of their name and select Reset Password to generate the email.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset email, they will also be automatically redirected to the password reset function.

Email - Password Links

Any links received via email to reset a user's password are valid for 1 hour. After 1 hour a new email and link will have to be requested/generated.

Domain Administrator Password Reset (generates an email to the user)

Admin Password Reset Request (No SMTP) - A Domain Administrator can select a specific user and generate a temporary password to share with the user manually.

  • From the main navigation menu, select "Identity Management", select "Users", and find the user whose password you'd like to reset.
  • Click the action icon to the left of their name, select Reset Password, and confirm to generate the temporary credentials.
  • Share these credentials with the target user. When they log in, the system will prompt them to update their password.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset, they will also be automatically redirected to reach back out to the administrator.

Admin Password Reset with Non-SMTP Setup

Updated about a month ago
