Manage user roles

This topic explains how to define and assign user roles and permissions to ensure appropriate access.

Access the Roles tab

Do the following:

  1. Hover over the Settings icon at the lower left of your screen. Settings options are displayed.

  2. Click on Access Management.

    The Access Management page is displayed.

  3. Select the Roles tab.

Manage Roles

Out-of-the-box System Roles

Role-based access management lets you assign one of three out-of-the-box system roles to users. Each role is defined by a scope and privilege type (read-only, read/write).

The table below describes permitted User Roles functionality:

Note: Viewing user information and adding and editing users are available only to users assigned the Admin role.

 

Functionality                               Admin   Security manager   Auditor
User Management                             ✓
ASMS Integration                            ✓
View Accounts                               ✓       ✓                  ✓
Add and delete Accounts and Credentials     ✓       ✓
View Inventory                              ✓       ✓                  ✓
View Network Policies                       ✓       ✓                  ✓
Manage Network Policies                     ✓       ✓
View and Export Risks                       ✓       ✓                  ✓
Suppress/Activate Risks and Risk Triggers   ✓       ✓

Edit Out-of-the-box System Roles

You can map SSO groups to System Roles.

Do the following:

  1. Under Settings, click Access Management.

    The Access Management page is displayed.

  2. Click Roles.

    The Roles tab is displayed.

  3. Click on the ellipsis button to the right of the row with type System Role.

  4. Click Map SSO groups.

    The Edit Role pop-up appears.

  5. Add or remove SSO Groups as required.

  6. Click Save.

Out-of-the-box role assignments for users in AlgoSec Cloud and ObjectFlow

When a user is created and assigned a built-in role in one SaaS application, the user is created in the other application and assigned a role, as follows.

  • Admin role user created in ObjectFlow is Admin in AlgoSec Cloud and vice versa.

  • Security manager role user created in ObjectFlow is Auditor in AlgoSec Cloud and vice versa (Security manager role user created in AlgoSec Cloud has Auditor role in ObjectFlow).

  • Auditor role user created in ObjectFlow is Auditor in AlgoSec Cloud and vice versa.

When an existing user's role changes in AlgoSec Cloud:

  • From Admin to either Security Manager or Auditor, the corresponding role in ObjectFlow becomes Auditor.

  • From Security Manager to Auditor, there is no effect on the user's role in ObjectFlow.

  • From Auditor to Security Manager, there is no effect on the user's role in ObjectFlow.

When a user's role changes in ObjectFlow:

  • From Admin to either Security Manager or Auditor, the corresponding role in AlgoSec Cloud becomes Auditor.

  • From Security Manager to Auditor, there is no effect on the user's role in AlgoSec Cloud.

  • From Auditor to Security Manager, there is no effect on the user's role in AlgoSec Cloud.
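
The creation and role-change rules above, written as a small state model that an access review can use to predict a user's role in the other application (an added example, not AlgoSec code; the function names and the event tuples are assumptions made for illustration). Promotion to Admin is not described on this page, so the model refuses to guess it.

```python
# Added example: models the cross-application role rules listed on this page.
ADMIN, SEC_MGR, AUDITOR = "Admin", "Security Manager", "Auditor"
ROLES = {ADMIN, SEC_MGR, AUDITOR}
APPS = ("AlgoSec Cloud", "ObjectFlow")

def other(app):
    """Return the counterpart application."""
    if app not in APPS:
        raise ValueError(f"unknown application: {app}")
    return APPS[1] if app == APPS[0] else APPS[0]

def create_user(app, role):
    """Roles in both applications after a user is created in `app`."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    # Admin is mirrored; Security Manager and Auditor both land as Auditor.
    return {app: role, other(app): ADMIN if role == ADMIN else AUDITOR}

def change_role(state, app, new_role):
    """Roles in both applications after `app` changes the user to `new_role`."""
    if new_role not in ROLES:
        raise ValueError(f"unknown role: {new_role}")
    old, result = state[app], dict(state)
    if old == new_role:
        return result
    if new_role == ADMIN:
        # Promotion to Admin is not covered by the rules on this page.
        raise NotImplementedError("promotion to Admin is not described")
    result[app] = new_role
    if old == ADMIN:
        result[other(app)] = AUDITOR  # demoting an Admin sets the counterpart to Auditor
    return result

def replay(events):
    """Apply constructed (action, app, role) events in order; return final roles."""
    state = None
    for action, app, role in events:
        if action == "create":
            state = create_user(app, role)
        else:
            state = change_role(state, app, role)
    return state

def drift(expected, observed):
    """Applications whose observed role differs from the modelled one."""
    return sorted(a for a in APPS if observed.get(a) != expected[a])
```

Under these rules a user holds Admin in both applications or in neither, so `drift` reporting a one-sided Admin is worth investigating during a review.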

Custom Roles

While system roles apply to all accounts and vendors, custom roles define permissions limited to specified individual accounts or vendors. The same custom role can be applied to multiple users and multiple custom roles can be assigned to a single user. However, users cannot have a mixture of custom roles and system roles.

When defining a custom role, Manage permissions or Read-only permissions can be assigned to any account or vendor. Since Manage permissions always include Read-only permissions, selecting the Manage checkbox for an account or vendor automatically displays the Read-only checkbox as selected.

Only users with the system role Admin have permission to define custom roles and assign them to users.

To add a custom role

Do the following:

  1. Under Settings, click Access Management.

    The User Tab of the Access Management page is displayed.

  2. Click Roles.

    The Roles tab is displayed.

  3. Click + Add Role at the upper right of the Role tab.

  4. In the Add role dialog that is displayed, provide a Name, assign SSO Group(s), and a Description for the new custom role.

  5. In the Select Accounts section, select permission type (Read-only or Manage) on the vendor levels and account levels as needed for the role.

    Tip: To view only vendors and accounts for which permission types are selected, click the Show Selected button.

    • To apply permission types per individual accounts, select the required permission check box for each account.

    • To apply a permission type for all the accounts of the same vendor, select the required permission check box at the vendor level.

    • Do not select any checkbox to the right of accounts that should not be viewed by users on the basis of this custom role.

      See Permissions Table.

  6. Click Save at the bottom of the dialog.

    Now you can apply this custom role to users.

To edit a custom role

Do the following:

  1. Under Settings, click Access Management.

    The User Tab of the Access Management page is displayed.

  2. Click Roles.

    The Roles tab is displayed.

  3. Click more and then click edit to the right of the custom role you wish to edit.

  4. Edit the form as required.

    Note: You cannot edit the name of the role.

    Tip: To view only vendors and accounts for which permission types are selected, click the Show Selected button.

  5. Edit the Select Accounts section as required:

    • To apply permission types per individual accounts, select the required permission check box for each account.

    • To apply a permission type for all the accounts of the same vendor, select the required permission check box at the vendor level.

    • Do not select any checkbox to the right of accounts that should not be viewed by users on the basis of this custom role.

      See Permissions Table.

  6. Click Save at the bottom of the dialog.

    The custom role is updated for the users to which it has been applied and can be applied to new users.

    See Add a new user and Edit a user.