DivvyCloud

Welcome to the DivvyCloud Docs!

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation, reach out to us at [email protected]


Users, Groups, and Roles (Administration)

Overview

Access to DivvyCloud is managed through a section of the tool called Identity Management. In DivvyCloud under "Administration --> Identity Management", administrators are able to see details about their Domain Admins, Users (at the Organization level), Basic User Groups, Basic User Roles, and Authentication Servers.

Note: Access and visibility vary based on permissions. Reach out to [email protected] if you have questions or issues.

Identity Management - Users Page Example

Definitions

Domain Admins refers to administrators who have all permissions for all cloud resources across the entire DivvyCloud Platform installation. These include Read-Only Admins, who have all permissions for all cloud resources throughout DivvyCloud but cannot take any actions.

Users refers to both Organization Admins and Basic Users that are defined at the Organization level:

  • Organization Admins have all permissions for all cloud resources within the organization. You may add these users to Groups and assign permissions to them as you would Basic Users. However, Organization Admin permissions will always take precedence. At any time a user can be converted from Organization Admin to a Basic User and likewise the reverse.

  • Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.

Basic User Groups refers to groups of users who can share Basic User Roles (permissions around cloud accounts) and Basic User Entitlements (access to DivvyCloud features - viewer, editor, etc.), so that each member of the group has the same access and permissions.

Basic User Roles provide administrators with granular controls to govern what Basic Users can access and do across their cloud footprint. These Roles define scope and permissions and are attached to one or more Basic User Groups.

Users

Users in DivvyCloud are of two main types: Organization Admins and Basic Users. These users are defined at the Organization level. In addition to Admin and Basic Users, DivvyCloud also supports API-Only users (which are also Basic Users).

Organization Admins

Organization Admins have all permissions for all cloud resources within the organization. You may add these users to Groups and assign permissions to them as you would Basic Users. However, Organization Admin permissions will always take precedence. At any time, a user can be converted from Organization Admin to a Basic User and likewise the reverse.

  • For a bit more information on Admin capabilities, take a look at our page on Identity Management.
  • Users with Domain Admin or Read-Only Admin permissions can also download a CSV report that lists Domain Administrators/Read-Only Admins.

Download a CSV of Domain Admin and Read-Only Admins

Basic Users

Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.

Resource Visibility and Permissions

DivvyCloud resources such as Bots and Provisioning Templates are not restricted by permissions. They are visible to all Organization Users.

A user’s aggregate permissions are the sum of permissions from all groups in which they are a member.

API-Only Users

In addition to Basic Users with access to the DivvyCloud console, Administrators have the ability to create an API-only user. API-Only users are created using API endpoints by preventing console access and granting an API Key.

API Keys can be used instead of user credentials to programmatically log into the system. This functionality operates through a series of API endpoints. Refer to the Users API and DivvyCloud API Keys documentation for details.

  • If you are looking for details on generating an API Key for a regular user, check out the details here.

Some important things to note about this new capability include:

  • When an API-Only user is created, a new unique API key is generated for that user. Once the key is generated it is important to properly store the key as you will not be able to access it at a later time.
  • By default, API-Only users will not have console access.
    • If console access is granted after an API-Only user is created, the user will be converted automatically to local authentication (username/password) and require a password reset to generate a password to access the console.
    • If an Admin removes console access for an existing user, the initial authentication type will persist when console access is restored.
  • An API key can be used to access the endpoints by sending a valid 'API-Key' in the header instead of 'X-Auth-Token'.
  • All API-Only users are Basic Users.
  • Admins cannot be API-Only. (They can however also have API keys in addition to console access; console access cannot be revoked for Admins).
  • Admins have the ability to revoke access and generate new keys for users.
  • If a new key is generated, any existing API keys will be deactivated.

User Configuration (for Users)

Just below your username is a sub-menu that provides access to view your individual profile, a link to the public DivvyCloud release notes, a link to the DivvyCloud documentation, and a toggle between organizations (with the appropriate permissions).

Dashboard Administration

My Profile

From the sub-menu, if you select "My Profile" you have the ability to make changes to your individual profile.

Individual Profile Settings

  • Update Avatar - allows you to change your system avatar (image).

  • Update Information - allows you to change your name and email address.

  • Update Theme - allows you to select between the light and dark themes.

  • Update Password - allows you to update your password.

  • API Keys - if enabled, allows you to "Generate Key" for a new API Key. If you need access to this feature your administrator can enable this capability for your user.

  • Update Notification Preferences - allows a user to self-select to opt-in for system health notifications.

User Configurations (for Admins)

Refer to the details below for the steps administrators follow to add a user, modify a user, or download a list of users.

Add a User

To create a new "Basic User" refer to the following steps.

1. From "Administration --> Identity Management" select the "Users" tab on the Identity Management page and locate the Add User button on the top right corner.

2. Fill in the "Create User" form as follows:

  • Select the type of "Authentication" you would like to assign the user.
  • From the drop-down, select the Groups in which you want this new user to be included.
  • Leave the account type set to "Basic User".
  • Complete the rest of the form details as desired.

Note: Create User fields will vary based on the authentication type selected. For example, the option to enable API Key Generation is not available until after a user has been initially created.

3. Select "Submit" when you have completed the required details.

Create New Basic User - Username and Password Authentication Example

Modifying a User

Administrators have the ability to modify existing users through the "Actions" menu located to the left of the name of each individual user.

The following actions are available to modify "Users":

Modify User Actions - Result of Action

  • Unlock Account - Unlocks target account by removing suspension for "locked" users.
  • Lock Account - Suspends the user and prevents them from logging in without removing the account.
  • Reset Password - Generates an email to the target user, asking them to set up a new password.
  • Update User - Allows modification of name, email, and password. In addition, admins can provide users with the ability to generate API keys.
  • Promote to Domain Admin - Adds domain admin privilege to the user.
  • Modify Basic User Group Associations - Adds or removes user from Groups, which will grant/revoke privileges to a user from the Group’s roles.
  • Require MFA for User - Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled.
  • Reset MFA - Resets MFA requirement for target user. (Appears only for users who have MFA enabled.)
  • Disable MFA Requirement - Disables MFA requirement for target user. (Appears only for users who have MFA enabled.)
  • Delete - Deletes user; record is maintained for change history accountability but name and email are purged.

Identity Management - Modifying Users

Download Users

Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.

Download Button on Users Tab

Domain Admins

Domain Admins can be managed from the first tab in the Identity Management section (under Administration on the left-side menu). Updating, deleting, and requiring ‘Two Factor Authentication’ for a Domain Admin are available via the actions dropdown menu. These actions are the same for Basic Users in the next tab.

Identity Management - Domain Admins

Add Domain Admin

The same steps are used to create a "Read-Only Admin"; simply select "Read Only" for the account type.

1. Navigate to "Administration --> Identity Management" and select the "Domain Admin" tab.

2. Locate and select "Add Admin" to open the "Create Admin" form.

3. Select the type of "Authentication" you would like to assign and then fill out the form as desired.

  • Form fields will vary based on the type of authentication selected.

Identity Management - Create Admin

Modify/Update Domain Admin

To update an existing Domain Admin, navigate to "Administration --> Identity Management" and select the Domain Admins tab. Click on the "Actions" menu to the left of the desired Domain Admin and select "Update Admin" to view/modify their settings.

The following actions are available to modify a Domain Admin:

Modify Domain Admin

  • Unlock Admin - Unlocks target account by removing suspension for "locked" users.
  • Lock Admin - Suspends the user and prevents them from logging in without removing the account.
  • Update Admin - Modify name, email, and password.
  • Reset Password - Generates an email to the target user, asking them to set up a new password.
  • Revoke Domain Admin Role - Removes Domain Admin privileges.
  • Require MFA for User - Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled.
  • Reset MFA - Resets MFA requirement for target user. (Appears only for users who have MFA enabled.)
  • Disable MFA - Disables MFA requirement for target user. (Appears only for users who have MFA enabled.)
  • Delete - Deletes user; record is maintained for change history accountability but name and email are purged.

Read-Only Admin

DivvyCloud includes support for a Read-Only Admin, which allows a user to be given full read-only access to the entire installation; however, users of this type cannot perform any lifecycle operations on cloud resources, create Insights or Bots, or perform any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.

You can set up a Read-Only Admin either by selecting Add Admin on the Domain Admins tab of the Administration main page and then selecting "Read Only Admin" as the "Account Type", or by modifying an existing Admin and changing the account type under the Actions menu.

Creating a Read-Only Admin

Basic User Groups

Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the "Administration --> Identity Management" feature.

  • For Basic User Groups, you can view a list of all of your Organization's Groups, add groups, and perform actions for individual groups.

  • In addition, administrators can modify entitlements (aka access to features in the DivvyCloud platform) for groups through the Actions menu. Details on those capabilities are provided on the Permissions Entitlements page.

Identity Management - Basic User Groups

Add a Basic User Group

1. From "Administration --> Identity Management" select the "Basic User Groups" tab.

2. Locate and select the "Add Basic User Group" button on the top right corner of the page.

3. Enter a "Group Name" and click "Submit".

4. Next, you'll need to modify the group to add users (read on to the next section below).

Modify Basic User Group

The following actions are available to modify Basic User Groups:

Basic User Groups Actions

  • Rename - Renames the group.
  • Manage Basic Users - Adds and/or removes users.
  • Manage Basic User Roles - Adds and/or removes roles.
  • Manage Basic User Entitlements - Modifies Basic User role entitlements.
  • Delete - Deletes the group.

Basic User Roles

Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From "Administration --> Identity Management" you can select the "Basic User Roles" tab, where you (with the appropriate permissions) will have access to: add roles, modify existing roles, and view effective access for existing roles.

Add a Basic User Role

1. Navigate to "Administration --> Identity Management" in your DivvyCloud platform.
2. Click on the "Basic User Roles" tab and select the "Add Role" button on the top right of the page.
3. Enter a name, description, and select the desired permissions.

Create Role Example

Basic User Role Permissions

The following permissions are available for a Basic User Role. These are established when you "Add Role", or can be accessed for existing roles by selecting the actions menu next to the target role and selecting "Update Basic User Role".

Role Permissions

  • Global Scope - When enabled (via toggle), permission applies globally to all clouds/resources.
  • Add Cloud - An explicit permission that allows for least privilege access to add cloud accounts. This will work alongside other individual permissions given, but will not work if "All Resource Permissions" is selected.
  • All Resource Permissions - Permission to execute any action within the role scope. Selecting this box will auto-select all of the items below it.
  • View - Permission to view resources within the scope.
  • Provision - Permission to create new resources.
  • Manage - Permission to manage the resources in scope.
  • Delete - Permission to destroy resources.

Identity Management - Add or Modify a Role
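
The following model is an added illustration, not DivvyCloud code: it combines the rule that a Basic User's aggregate permissions are the sum across all of their groups with the Role Permissions listed above, and flags roles that pair Global Scope with All Resource Permissions for least-privilege review. Account, role and group names are constructed; only Global Scope and cloud account scope are modeled (not Badges or Resource Groups), and the Add Cloud handling is this model's reading of the Add Cloud description.

```python
from dataclasses import dataclass

RESOURCE_PERMS = frozenset({"view", "provision", "manage", "delete"})

@dataclass(frozen=True)
class Role:
    name: str
    global_scope: bool = False               # "Global Scope" toggle
    cloud_accounts: frozenset = frozenset()  # cloud account scope when not global
    all_resource_permissions: bool = False   # auto-selects View/Provision/Manage/Delete
    permissions: frozenset = frozenset()     # individually selected permissions
    add_cloud: bool = False                  # explicit "Add Cloud" permission

    def resource_perms(self):
        if self.all_resource_permissions:
            return RESOURCE_PERMS
        return self.permissions & RESOURCE_PERMS

    def grants_add_cloud(self):
        # Assumed reading of the page: Add Cloud has no effect on a role
        # that also selects All Resource Permissions.
        return self.add_cloud and not self.all_resource_permissions

def effective_access(user_groups, group_roles, all_accounts, org_admin=False):
    """Map each cloud account to the permissions the user holds on it."""
    if org_admin:  # Organization Admin permissions always take precedence
        return {a: set(RESOURCE_PERMS) for a in all_accounts}
    access = {}    # Basic Users start with no access
    for group in user_groups:
        for role in group_roles.get(group, ()):
            scope = all_accounts if role.global_scope else role.cloud_accounts & all_accounts
            for account in scope:
                access.setdefault(account, set()).update(role.resource_perms())
    return {a: p for a, p in access.items() if p}

def can_add_cloud(user_groups, group_roles):
    return any(r.grants_add_cloud() for g in user_groups for r in group_roles.get(g, ()))

def broad_roles(roles):
    """Roles to review first: Global Scope combined with All Resource Permissions."""
    return sorted(r.name for r in roles if r.global_scope and r.all_resource_permissions)

# Constructed sample data (hypothetical account, role and group names).
ACCOUNTS = frozenset({"aws-prod", "aws-dev", "gcp-sandbox"})
VIEWER = Role("viewer-all", global_scope=True, permissions=frozenset({"view"}))
DEV_OPS = Role("dev-operator", cloud_accounts=frozenset({"aws-dev"}),
               permissions=frozenset({"view", "provision", "manage"}), add_cloud=True)
FULL = Role("full-access", global_scope=True, all_resource_permissions=True, add_cloud=True)
GROUP_ROLES = {"auditors": [VIEWER], "dev-team": [DEV_OPS], "platform": [FULL]}

if __name__ == "__main__":
    member_of = ["auditors", "dev-team"]
    for account, perms in sorted(effective_access(member_of, GROUP_ROLES, ACCOUNTS).items()):
        print(account, sorted(perms))
    print("review:", broad_roles([VIEWER, DEV_OPS, FULL]))
```
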

Update Roles

The following actions are available to modify Roles:

Modify Roles

  • Show Role's Effective Access - Displays list of cloud accounts available to selected role.
  • Update Basic User Role - Allows the modification of name, description, and permissions for selected role.
  • Modify Basic User Group Associations - Adds and/or removes Groups.
  • Modify Badges Scope - Adds and/or removes Badges.
  • Modify Cloud Accounts Scope - Adds and/or removes Cloud Accounts.
  • Modify Resource Groups Scope - Adds and/or removes Resource Groups.
  • Delete - Deletes selected role.

Modify/View Cloud Role Scopes

Users also have the ability to easily identify the cloud accounts that are in scope of a role. From "Administration --> Identity Management" on the Basic User Roles tab, a user can select the "Modify Cloud Account Scope" option from the Actions menu to view the Cloud Accounts that are in scope for the target role.

Modify/View Cloud Accounts in Scope for a Target Role

Passwords

Password Requirements

DivvyCloud enforces the following password requirements:

A minimum of 12 characters to include: one special character, one uppercase character, one lowercase character, and one number.

Resetting Passwords

No SMTP Configured

For users with no SMTP configuration, a password reset will require an administrator to manually reset the password with a temporary password. The email notification capability is not available.

Forgotten Password - A password reset can be requested by the user through the "forgot password" link located on the DivvyCloud sign-in form. Clicking this link triggers an email that will enable a user to reset their password. This option is available to new users as well as existing users.

In App Password Reset - A user can change their password by navigating to their profile, confirming their existing password, and then creating a new password.

Admin Password Reset Request (SMTP) - A Domain Admin can select a specific user and generate an email that prompts the target user to reset their password.

  • From the main navigation menu, select "Administration --> Identity Management" and select the Users tab. Locate the user whose password you’d like to reset.
  • Click the action icon to the left of their name and select "Reset Password" to generate a password reset email.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset email, they will also be automatically redirected to the password reset function.

Email - Password Links

Any links received via email to reset a user's password are valid for 1 hour. After 1 hour a new email and link will have to be requested/generated.

Domain Administrator Password Reset (generates an email to the user)

Admin Password Reset Request (No SMTP) - A Domain Admin can select a specific user and generate a temporary password to share with the user manually.

  • From the main navigation menu, select "Identity Management", select "Users", and find the user whose password you’d like to reset.
  • Click the action icon to the left of their name and select Reset Password; confirm to generate the temporary credentials.
  • Share these credentials with the target user; when they log in, the system will prompt them to update their password.

Note: If a user attempts to log in with expired credentials (e.g., using the previously active/correct password) after their Domain Admin has triggered the reset, they will also be automatically redirected to reach back out to the administrator.

Admin Password Reset with Non-SMTP Setup

Updated 3 months ago
