DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

User, Groups, and Roles (Administration)

Overview

Access to DivvyCloud is managed through a section of the tool called Identity Management.
In DivvyCloud, under the Administration section, Identity Management enables administrators to see details about their Domain Admins, Users (at the Organization level), User Groups, Roles & Entitlements, and Authentication Servers.

Note: Access and visibility vary based on permissions. Reach out to [email protected] if you have questions or issues.

Identity Management - Users Page Example

Users

Users in DivvyCloud are of two main types: Organization Admins and Basic Users. These users are defined at the Organization level. In addition to Admin and Basic Users, DivvyCloud also supports API-Only users (which are also Basic Users).

Organization Admins have all permissions for all cloud resources within the organization. You may add these users to Groups and assign permissions to them as you would Basic Users. However, Organization Admin permission will always take precedence. At any time, a user can be converted from Organization Admin to a Basic User and likewise the reverse.

  • For more information on Admin capabilities, see our page on Identity Management.
  • Users with domain admin or read-only admin permissions can also download a CSV report that lists domain administrators and viewers.

Download a CSV of Domain Admin and Admin Viewers

Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.

Resource Visibility and Permissions

Note: DivvyCloud resources such as Bots and Provisioning Templates are not restricted by permissions. They are visible to all Organization Users.

A user’s aggregate permissions are the sum of permissions from all groups in which they are a member.

API-Only Users

In addition to Basic Users with access to the DivvyCloud console, Administrators can create API-only users. An API-only user is created through the API endpoints: console access is withheld and an API key is issued to the user instead.

API keys can be used in place of user credentials to log in to the system programmatically. This functionality operates through a series of API endpoints. Refer to the Users API and DivvyCloud API Keys documentation for details.

Some important things to note about this capability:

  • When an API-only user is created, a new unique API key is generated for that user. Once the key is generated, store it properly, because you will not be able to retrieve it later.
  • By default, API-only users do not have console access.
    • If console access is granted after an API-only user is created, the user is converted to local authentication (username/password) and a password reset is required to generate a password for console access.
    • If an Admin removes console access from an existing user, the user's original authentication type is kept and applies again when console access is restored.
  • An API key is presented by sending a valid 'Api-Key' request header in place of the 'X-Auth-Token' header.
  • All API-only users are Basic Users.
  • Admins cannot be API-only. They can hold API keys in addition to console access, but console access cannot be revoked for Admins.
  • Admins can revoke access and generate new keys for users.
  • When a new key is generated, any existing API keys for that user are deactivated.
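The following is an added example, not DivvyCloud code, of how a small client would present an API key (the 'Api-Key' header) or a console session token (the 'X-Auth-Token' header) as described above. The host, the endpoint path and the DIVVY_API_KEY environment variable are placeholders chosen for this illustration; the real endpoint paths are in the Users API documentation. The key is read from the environment rather than hard-coded, because the page notes that a generated key cannot be retrieved again later, and it is redacted before being logged.

```python
"""Build authenticated DivvyCloud API requests with either credential type.

Added illustration (not DivvyCloud code). Host, endpoint path and the
environment variable name are placeholders.
"""
import urllib.request

BASE_URL = "https://divvycloud.example.com"      # placeholder host
ENDPOINT = "/v2/public/PLACEHOLDER_ENDPOINT"     # placeholder path; see the Users API docs


def auth_headers(api_key=None, session_token=None):
    """Return the single header that carries the credential.

    Per the page, an API-only user sends 'Api-Key' instead of 'X-Auth-Token'.
    When both are supplied the API key is preferred (an assumption of this example).
    """
    if api_key:
        return {"Api-Key": api_key}
    if session_token:
        return {"X-Auth-Token": session_token}
    raise ValueError("no credential supplied: pass api_key or session_token")


def build_request(path, api_key=None, session_token=None, base_url=BASE_URL, method="GET"):
    """Create a urllib Request carrying the right auth header for the credential given."""
    headers = {"Content-Type": "application/json"}
    headers.update(auth_headers(api_key=api_key, session_token=session_token))
    return urllib.request.Request(base_url + path, headers=headers, method=method)


def load_api_key(environ, env_var="DIVVY_API_KEY"):
    """Fetch the stored key from a mapping such as os.environ; fail loudly if absent."""
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(
            f"{env_var} is not set; the key is only shown once at creation, "
            "so an Admin must generate a new one if it was lost")
    return key


def redact(secret, keep=4):
    """Mask a credential for log output, leaving only the last few characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    import os
    key = load_api_key(os.environ)
    req = build_request(ENDPOINT, api_key=key)
    print("sending", req.get_method(), req.full_url, "with key", redact(key))
    # urllib.request.urlopen(req) would perform the call against a real deployment.
```

Running the block sends nothing by itself; it only shows which header would be attached. Note that urllib normalises header names on storage (it keeps 'Api-key'), which is harmless on the wire because HTTP header names are case-insensitive.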

Add a User

1. To add a Basic User, select the "Users" tab on the Identity Management page and locate the Add User button in the top right corner.

2. Select the type of Authentication you would like to assign the user.

3. Select the type of user: Organization Admin or Basic User and then fill out the remaining details.

Modifying a User

Administrators can modify existing users through the Actions menu located to the left of each user's name.

The following actions are available to modify Users, with the result of each:

  • Unlock Account: Unlocks the target account by removing the suspension for "locked" users.
  • Lock Account: Suspends the user and prevents them from logging in without removing the account.
  • Update User: Modify name, email and password.
  • Promote to Domain Admin: Add domain admin privilege to the user.
  • Modify Group Associations: Add or remove the user from Groups, which grants or revokes the privileges of each Group's roles.
  • Require MFA for User: Require MFA for the target user. The user will be required to set up TFA on their next login attempt. Note: this option only displays if MFA is not already enabled.
  • Disable MFA Requirement: Disables the MFA requirement for the target user.
  • Delete: Delete the user. The record is maintained for change history accountability, but the name and email are purged.

Download Users

Administrators can also download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.

Download Button on Users Tab

Domain Admins

Domain admins are managed from the first tab in the Identity Management section (under Administration on the left-side menu). Updating, deleting, and requiring 'Two Factor Authentication' for a domain admin are available via the actions dropdown menu. The same actions are available for Basic Users in the next tab.

Add Domain Admin

1. To add a Domain Admin, locate the Add Admin button in the top right corner of the Domain Admin tab on the Identity Management page.

2. Select the type of Authentication you would like to assign the user and then fill out the remaining details.

Update Domain Admin

The following actions are available to modify Domain Admins:

  • Update: Modify name, email and password.
  • Revoke Domain Admin Role: Remove domain admin privileges.
  • Require Two Factor Authentication (TFA): Enable or disable TFA for the user. The user will be required to set up TFA on their next login attempt.
  • Delete: Delete the user. The record is maintained for change history accountability, but the name and email are purged.

Domain Viewer

Allows a user to be given full read-only access to the entire installation. Users of this type cannot perform lifecycle operations on cloud resources, create Insights or Bots, or use any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.


User Groups

User Groups are used in conjunction with Roles to grant permissions to Basic Users. A User Group is simply a list of users linked to a list of Roles, which makes the organization of permissions flexible and reusable.

For example, take the simple use case of granting view access to security audit teams. Both the users on the team and the resources under review will change over time; with a group, membership and roles can each be updated without redefining the other.

Add User Group

1. To create a user group, locate the Add User Group button in the top right corner of the User Groups tab on the Identity Management page.

2. Enter a Name and select Submit.

3. Modify the group to add users (see the next section).

Update User Group

The following actions are available to modify User Groups:

  • Rename: Rename the group.
  • Manage Users: Add and/or remove users.
  • Manage Roles: Add and/or remove roles.
  • Delete: Delete the group.

Roles

Roles store the specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes.

Add Role

1. Navigate to "Administration --> Identity Management" in your DivvyCloud platform.
2. Click on the "Roles & Entitlements" tab. Select the "Add Role" button on the top right of the content area.
3. Enter the name, description, and select the desired permissions.

Create Role Example

Role Permissions

  • Global Scope: When enabled (via toggle), the permission applies globally to all clouds/resources.
  • Add Cloud: An explicit permission that allows least-privilege access to add cloud accounts. It works alongside the other individual permissions granted, but will not work if 'All Permissions' is selected.
  • All Resource Permissions: Permission to execute any action within the role scope. Selecting this box auto-selects all of the items below it.
  • View: Permission to view resources within the scope.
  • Provision: Permission to create new resources.
  • Manage: Permission to manage the resources in scope.
  • Delete: Permission to destroy resources.

Update Roles

The following actions are available to modify Roles:

  • Show Role's Effective Access: Displays the list of cloud accounts available to the selected role.
  • Update Role: Modify the name, description and permissions for the Role.
  • Modify Group Associations: Add and/or remove Groups.
  • Modify Cloud Accounts Scope: Add and/or remove Cloud Accounts.
  • Modify Badges Scope: Add and/or remove Badges.
  • Modify Resource Groups Scope: Add and/or remove Resource Groups.
  • Delete: Delete the Role.

View Role Cloud Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Identity Management - Roles & Entitlements" in the DivvyCloud administration section, each Role Name is now a clickable link.

Selecting the Role Name will open a panel that displays the associated cloud accounts including the Name, Account ID, and Cloud provider (identified by logo).
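The chain described across the Users, User Groups and Roles sections (a user's access is the sum of all groups they belong to, Organization Admin always takes precedence, a role's Global Scope toggle covers every cloud account, 'All Resource Permissions' selects View/Provision/Manage/Delete, and 'Add Cloud' does not apply when 'All Permissions' is selected) is easiest to reason about as a small model. The following is an added example, not DivvyCloud code; the users, groups, roles and account names are constructed, Badge and Resource Group scopes are omitted, and Add Cloud is treated like any other permission for simplicity. The effective_accounts method reproduces what 'Show Role's Effective Access' and the Role Name panel list for a role.

```python
"""Worked model of the DivvyCloud permission chain: user -> group -> role -> scope.

Added illustration only (not DivvyCloud code); all names and data are constructed.
"""
from dataclasses import dataclass, field

# The per-resource checkboxes listed under Role Permissions.
RESOURCE_PERMISSIONS = frozenset({"view", "provision", "manage", "delete"})
ADD_CLOUD = "add_cloud"  # the separate, explicit Add Cloud permission


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)     # subset of RESOURCE_PERMISSIONS | {ADD_CLOUD}
    all_resource_permissions: bool = False            # the 'All Resource Permissions' box
    global_scope: bool = False                        # the Global Scope toggle
    cloud_accounts: set = field(default_factory=set)  # explicit Cloud Accounts scope

    def effective_permissions(self):
        perms = set(self.permissions)
        if self.all_resource_permissions:
            perms |= RESOURCE_PERMISSIONS   # the box auto-selects every item below it
            perms.discard(ADD_CLOUD)        # Add Cloud does not work with All Permissions
        return perms

    def effective_accounts(self, all_accounts):
        """The cloud accounts 'Show Role's Effective Access' would list for this role."""
        if self.global_scope:
            return set(all_accounts)
        return set(self.cloud_accounts) & set(all_accounts)


@dataclass
class Group:
    name: str
    users: set   # member user names
    roles: list  # Role objects linked to the group


@dataclass
class User:
    name: str
    org_admin: bool = False


def effective_access(user, groups, all_accounts):
    """Map each cloud account to the permissions the user holds on it."""
    if user.org_admin:
        # Organization Admin permission always takes precedence over group membership.
        return {acct: set(RESOURCE_PERMISSIONS) for acct in all_accounts}
    access = {acct: set() for acct in all_accounts}   # Basic Users start with nothing
    for group in groups:
        if user.name not in group.users:
            continue
        for role in group.roles:
            for acct in role.effective_accounts(all_accounts):
                access[acct] |= role.effective_permissions()   # union across all groups
    return access


# --- constructed sample data ---------------------------------------------------
ACCOUNTS = {"aws-prod", "aws-dev", "gcp-analytics"}

ROLES = {
    # read-only everywhere: the "security audit team" use case from the page
    "audit_view": Role("audit_view", {"view"}, global_scope=True),
    # change rights limited to one account
    "dev_manage": Role("dev_manage", {"view", "provision", "manage"}, cloud_accounts={"aws-dev"}),
    # All Resource Permissions ticked, so the Add Cloud tick has no effect
    "platform_all": Role("platform_all", {ADD_CLOUD}, all_resource_permissions=True, global_scope=True),
}

GROUPS = [
    Group("security-audit", {"alice", "bob"}, [ROLES["audit_view"]]),
    Group("dev-team", {"bob"}, [ROLES["dev_manage"]]),
]

USERS = {
    "alice": User("alice"),
    "bob": User("bob"),
    "carol": User("carol", org_admin=True),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, effective_access(user, GROUPS, ACCOUNTS))
```

Bob illustrates the "sum of permissions" rule: the audit group gives him view on every account, and the dev group layers provision and manage on top for aws-dev only. Removing a role from a group, or a user from a group, narrows the result immediately, which is why the page recommends groups over per-user grants.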

Passwords

Password Requirements

DivvyCloud enforces the following password requirements:

A minimum of 12 characters to include: one special character, one uppercase character, one lowercase character, and one number.
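As an added example, not DivvyCloud code, the stated requirements can be checked before a password is submitted, for instance in provisioning scripts that set temporary passwords. The page does not define which characters count as "special", so this example assumes ASCII punctuation; the function returns every failed requirement rather than the first, which is more useful when reporting back to a user.

```python
"""Check a candidate password against the requirements listed on the page.

Added illustration (not DivvyCloud code). Which characters count as
"special" is not defined on the page; ASCII punctuation is assumed here.
"""
import string

MIN_LENGTH = 12
SPECIAL_CHARACTERS = frozenset(string.punctuation)  # assumption, see docstring


def password_problems(password):
    """Return the list of requirements the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no special character")
    return problems


def is_acceptable(password):
    """True when the password meets every requirement on the page."""
    return not password_problems(password)


if __name__ == "__main__":
    # constructed samples; not real credentials
    for candidate in ["Correct-Horse-42", "correcthorse42!", "Short1!"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```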

Resetting Passwords

No SMTP Configured

Note: For users with no SMTP configuration, a password reset requires an administrator to manually reset the password with a temporary password. The email notification capability is not available in this case.

Forgotten Password - A password reset can be requested by the user through the "forgot password" link located on the DivvyCloud sign-in form. Clicking this link triggers an email that will enable a user to reset their password. This option is available to new users as well as existing users.

In-App Password Reset - A user can change their password by navigating to their profile, confirming their existing password, and then creating a new password.

Admin Password Reset Request (SMTP) - A Domain Administrator can select a specific user and generate an email that prompts the target user to reset their password.

  • From the main navigation menu, select "Identity Management", select "Users", and find the user whose password you'd like to reset.
  • Click the action icon to the left of their name and select Reset Password to generate the email.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset email, they will also be automatically redirected to the password reset function.

Email - Password Links

Note: Any links received via email to reset a user's password are valid for 1 hour. After 1 hour a new email and link will have to be requested/generated.

Domain Administrator Password Reset (generates an email to the user)

Admin Password Reset Request (No SMTP) - A Domain Administrator can select a specific user and generate a temporary password to share with the user manually.

  • From the main navigation menu, select "Identity Management", select "Users", and find the user whose password you'd like to reset.
  • Click the action icon to the left of their name, select Reset Password, and confirm to generate the temporary credentials.
  • Share these credentials with the target user; when they log in, the system will prompt them to update their password.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset, they will also be automatically redirected to reach back out to the administrator.

Admin Password Reset with Non-SMTP Setup
