The “Users” screen lets you add, edit, delete, or view the details of SecurityCenter user accounts. Each user is assigned a role and one or more groups, which together determine the user's level of access, and may also be assigned assets where that level of access requires it. The list of users shown, and the actions available on them, are limited to the viewing user's Organization and permissions.
SecurityCenter users can be created with default or customized roles. Roles are adjustable, so user accounts can be shaped to a specific business or security model. A user account created by another user receives either the creating user's permissions or a chosen subset of them; it can never exceed the creator's access or permissions. This granular control over users enables large organizations to comply with regulations and standards that mandate separation of duties and layered control.
There are several pre-defined Organizational roles including:
- Security Manager – The Security Manager is the account within an organization that carries the broadest range of responsibilities. It is the role given to the initial user created along with a new organization. Security Managers can launch scans and configure users (except administrator-level roles), vulnerability policies, and other objects belonging to their organization.
- Auditor – The Auditor role can access summary information to perform third party audits. An Auditor can view dashboards, reports, and logs, but cannot perform scans or analyze vulnerability or event data.
- Credential Manager – The Credential Manager role can be used specifically for handling credentials. A Credential Manager can create and share credentials without revealing the contents of the credential. This can be used by someone outside the security team to keep scanning credentials up to date.
- Executive – The Executive role is intended for users who are interested in a high-level overview of their security posture and risk profile. Executives would most likely browse dashboards and review reports, but would not be concerned with monitoring running scans or managing users. Executives would also be able to assign tasks to other users using the ticketing interface.
- No Role – This role serves as a catch-all for users whose assigned role has been deleted. It has virtually no permissions.
- Security Analyst – The Security Analyst role has permissions to perform all actions at the Organizational level except managing groups and users. A Security Analyst is most likely an advanced user who can be trusted with some system related tasks such as setting blackout windows or updating plugins.
- Vulnerability Analyst – The Vulnerability Analyst role can perform basic tasks within the application. A Vulnerability Analyst is allowed to view security data, perform scans, share objects, view logs, and work with tickets.
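The rule above that a delegated account may hold a subset of, but never more than, its creator's permissions is the property that keeps tiered user management from becoming a privilege-escalation path. The following added example (not SecurityCenter's own code) models that check together with custom-role composition, using the role names from the list above. The permission identifiers and the role-to-permission mapping are constructed for illustration and do not reproduce the product's real permission flags.

```python
"""Delegated user creation that can never exceed the creator's permissions.

Added example, not SecurityCenter code. The permission names and the
role-to-permission mapping below are constructed for illustration only.
"""
from typing import Dict, FrozenSet, Iterable

# Constructed permission vocabulary (hypothetical identifiers).
BASE = {"scan", "view_data", "share", "view_logs", "tickets",
        "view_dashboards", "view_reports"}
SYSTEM = {"blackout_windows", "update_plugins", "manage_policies",
          "manage_credentials"}
ADMIN = {"manage_users", "manage_groups"}

ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "Security Manager":      frozenset(BASE | SYSTEM | ADMIN),
    "Security Analyst":      frozenset(BASE | SYSTEM),
    "Vulnerability Analyst": frozenset(BASE),
    "Auditor":               frozenset({"view_dashboards", "view_reports", "view_logs"}),
    "Credential Manager":    frozenset({"manage_credentials"}),
    "Executive":             frozenset({"view_dashboards", "view_reports", "tickets"}),
    "No Role":               frozenset(),
}
# Every permission known to this model; used to validate custom roles.
ALL_PERMS: FrozenSet[str] = frozenset().union(*ROLE_PERMS.values())


def build_custom_role(perms: Iterable[str]) -> FrozenSet[str]:
    """Compose a custom role from any combination of known permissions.
    Unknown names are rejected so a typo cannot silently grant the wrong thing."""
    requested = frozenset(perms)
    unknown = requested - ALL_PERMS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return requested


def excess_permissions(creator_role: str, target: FrozenSet[str]) -> FrozenSet[str]:
    """Permissions in `target` that the creator does not hold.
    An empty result means the new account is a subset of its creator,
    which is the only case delegation may allow."""
    return target - ROLE_PERMS[creator_role]


def create_user(creator_role: str, username: str, target: FrozenSet[str]) -> dict:
    """Return a user record only if `target` does not escalate beyond the creator;
    raise PermissionError otherwise, naming the offending permissions."""
    excess = excess_permissions(creator_role, target)
    if excess:
        raise PermissionError(
            f"{creator_role} cannot grant {sorted(excess)} to {username}")
    return {"username": username, "permissions": target}


if __name__ == "__main__":
    # A Security Analyst may create a Vulnerability Analyst (a strict subset)...
    print(create_user("Security Analyst", "va1", ROLE_PERMS["Vulnerability Analyst"]))
    # ...but not an account that can manage users, which only a Security Manager holds.
    custom = build_custom_role({"scan", "view_data", "manage_users"})
    try:
        create_user("Security Analyst", "helper", custom)
    except PermissionError as err:
        print("refused:", err)
```

The check is a plain set difference rather than a comparison of role names, so it also covers custom roles: a creator who assembles an arbitrary combination of permissions is still refused the moment that combination contains anything outside the creator's own set.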
User Access Control
Within each defined user role, granular permissions determine the specific tasks the user may perform. Custom roles can be created from any combination of these permissions to match enterprise needs.
User Groups bundle rights to objects within an Organization so they can be assigned quickly to one or more users. When a user creates objects such as reports, scan policies, dashboards, and similar items, they are automatically shared with the other members of the Group, with view or control rights as the Group's permissions allow.
When creating a new Group, the Basic tab takes the Group's name and description; the Repositories, LCEs, and Viewable IPs available to the Group are also selected there.
After a Group has been created, it may be edited, deleted, or have its details viewed from the list on the main Groups page.