The Cloud Services Portal provides role-based access control with which you can manage user access based on roles and permissions. With the ability to define access policies, you can restrict service-related responsibilities to certain user roles and user groups. For example, you can limit BloxOne Threat Defense administrator permissions (defined in the TD Administrator Role) to the BloxOne Threat Defense admin user group (ib-td-admin), while allowing read-only access to the BloxOne Threat Defense user group (ib-td-user) for viewing configurations and reports only. Role-based access control is primarily based on service accessibility, which results in explicit permissions for users or user groups to view, start and stop, or configure service-related tasks and features based on responsibilities within your organization.

The Cloud Services Portal provides several default user roles, user groups, and access policies as a quick-start configuration, so you can assign new users to user groups and give them access to the relevant services and tasks right away. All default user groups are referenced in quick-start access policies that grant access to specific services and authorize a set of permissions, so users can perform the responsibilities that match their roles. For example, the predefined Access Control Administrators Policy applies the Access Control Administrators Role to the access control admin user group (ib-access-control-admin), which grants all users in the ib-access-control-admin group permissions to view and configure licenses, users, user groups, and access policies. The Cloud Services Portal offers a few other access policies based on your license entitlements. To onboard new users, place them in their respective user groups so they gain access to the services and can perform the corresponding tasks. For more information, see About Access Policies.

In addition to adding new users to default user groups and using predefined access policies, you can further manage user access as follows:

  1. Review the default user groups and create additional user groups (if needed) based on your business requirements and user responsibilities. For more information, see About User Groups.
  2. Create new users and assign them to their respective user group(s) based on their respective roles and responsibilities within your organization. For more information, see About Users.
  3. Review the default access policies and create additional access policies (if needed) by applying user roles to respective user groups. Note that an access policy grants all users in a user group the set of permissions defined in the user role, so the users can access the services and perform the tasks associated with the selected user role. For more information, see About Access Policies.

About Users

You must assign users to at least one user group to define their roles. When you set a user group as the default, new users are automatically assigned to this user group. Users assume all the permissions from the access policies across the user groups to which they are assigned.

To add a user, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select Users at the top Action bar, and click Create User.
  3. In the Create Users dialog, complete the following:
    • Name: Enter the name of the user you want to add.
    • Email: Enter the email address for the user.
    • From the AVAILABLE USER GROUPS table, select the user group(s) you want to assign to this user, and use the arrow to move the user group(s) to the SELECTED USER GROUPS table. To select all user groups, simply click >>. To deselect all the user groups, click <<.

      Note

      All users must belong to at least one user group. Ensure that you assign at least one user to the access control administrator user group (ib-access-control-admin). This user group has the permissions to view and configure users, user groups, and access policies when the Access Control Administrators Role is applied to it. For more information, see About User Groups.

  4. Click Save to add the user.

The Users page displays the following information for each portal user:

  • NAME: The user name.
  • EMAIL: The email address for the user.
  • USER GROUPS: The number of user groups to which the user is assigned.
  • LAST LOGIN: The timestamp when the user last logged in to the Cloud Services Portal.

You can also perform the following on this page:

  • Click the Action icon next to a user and select Edit to modify the user's information, or select Remove to delete the user. You can also select a user from the list and click Reset Password at the top of the table to reset the user's password, or click Remove to remove the user.
  • Click Export to CSV to export the user data to a CSV file. The default file name is portal_users. The file supports up to 50,000 rows of data.

About Roles

A user role defines the set of permissions, or responsibilities, that users are allowed to exercise. Depending on your subscription and license entitlements, the Cloud Services Portal provides the following default user roles, which you can apply to their respective user groups when creating access policies. For more information, see About Access Policies. Each of the following user roles supports various permissions. You can view the list of supported permissions in the detailed panel for a specific role.

  • Access Control Administrator Role: This role has access to view and configure licenses, users, user groups, and access policies.
  • Administrator Role: This is a global role that has access and the capability to administer all aspects of the system.
  • TD Administrator Role: This role has access and the capability to administer all aspects related to BloxOne Threat Defense.
  • DDI Administrator Role: This role has access and the capability to administer all aspects related to BloxOne DDI.
  • TD User Role: This role has read-only access to configurations and reports related to BloxOne Threat Defense.
  • DDI User Role: This role has read-only access to configurations and reports related to BloxOne DDI.
  • User Role: This is a global role that has read-only access to all service-related configurations and reports on the system.
  • DNS Manager: Read/Write on all DNS resource types.
  • DNS Operator: Read/Write on any zone type, record type, and child zone type. Read-Only on all other resource types.
  • DNS User: Read/Write on record types. Read-Only on all other resource types.
  • DNS Auditor: Read-Only on all DNS resource types.
  • DHCP Manager: Read/Write on all DHCP resource types.
  • DHCP User: Read/Write on fixed address and lease types. Read-Only on all other DHCP/IPAM resource types.
  • DHCP Auditor: Read-Only on all DHCP/IPAM resource types.
  • IPAM Manager: Read/Write on all IPAM resource types.
  • IPAM Operator: Read-Only on IP Space and Address Block. Read/Write on all other IPAM/DHCP resource types.
  • IPAM User: Read-Only on IP Space, Address Block, and Subnet. Read/Write on all other IPAM/DHCP resource types.
  • IPAM Auditor: Read-Only on all IPAM/DHCP resource types.

About User Groups

A user group contains a list of users that have identical access profiles. You can quickly grant access to new users or change the access profile for all the users in the same user group. You must define at least one user group as the default user group. All new users will automatically be part of the default user group.

The Cloud Services Portal provides the following predefined user groups:

| User Group Name | Respective User Group | Function |
| --- | --- | --- |
| ib-access-control-admin | Access Control Administrator Group | This user group can view and administer licenses, users, user groups, and access policies. Apply the Access Control Administrators Role to this user group to grant the set of access control permissions. |
| admin | Global Administrator Group | This is the global administrator group to which you can add admin users who can perform administrative tasks for all aspects of the Cloud Services Portal. |
| ib-ddi-admin | BloxOne DDI Administrator Group | This is the administrator group to which you add admin users you want to allow read/write access to the BloxOne DDI service and to perform administrative tasks for all aspects of BloxOne DDI. |
| ib-ddi-user | BloxOne DDI User Group | This is the user group to which you add users you want to allow read-only access to the BloxOne DDI service. These users can only view BloxOne DDI related configurations and reports. |
| ib-td-admin | BloxOne Threat Defense Administrator Group | This is the administrator group to which you add admin users you want to allow read/write access to the BloxOne Threat Defense service and to perform administrative tasks for all aspects of BloxOne Threat Defense. |
| ib-td-user | BloxOne Threat Defense User Group | This is the user group to which you add users you want to allow read-only access to the BloxOne Threat Defense service. These users can only view BloxOne Threat Defense related configurations and reports. |
| user | Global User Group | This is the global user group to which you add portal users who have read-only access and can view only Cloud Services Portal related configurations and reports. You cannot remove this user group. |

To add a user group, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select User Groups at the top Action bar, and click Create User Group.
  3. In the Create User Group dialog, complete the following:
    • Name: Enter the name of the user group you want to add. To align your user groups with the corresponding user roles, you might consider including "admin" or "user" in your user group name to differentiate one user group from the other.
    • Description: Enter a description of this user group.
    • From the AVAILABLE USERS table, select the user you want to add to this user group and use the arrow to move the user to the SELECTED USERS table. To select all users, simply click >>. To deselect all the users, click <<.

      Note

      You must have at least one user in a user group.

  4. Click Save to add the user group.

The User Groups page displays the following information for each user group:

  • USER GROUP: The name of the user group.
  • USERS: The number of users in this user group.
  • DESCRIPTION: The description of this user group.

You can also perform the following on this page:

  • Select a specific user group from the table and click MAKE DEFAULT to make it the default user group. If you do not assign a new user to a specific user group, the user will automatically be added to the default user group.
  • Click the Action icon next to a user group and select Edit to modify its information or select Remove to delete it. Note that when you delete a user group, its users are no longer members of that user group.

Note

You cannot delete the "user" group, because all users are added to this group by default.

About Access Policies

An access policy applies a specific role to a specific user group to grant the set of permissions defined in the user role to all the users in the user group, allowing the users to perform specific tasks for the granted services. For example, the Access Control Administrators Policy applies the Access Control Administrator Role to the access control administrator user group (ib-access-control-admin), so all the users in ib-access-control-admin are allowed to access the Cloud Services Portal and are able to view and configure licenses, users, user groups, and access policies.

The Cloud Services Portal provides the following default access policies and their corresponding user roles and user groups for a quick-start configuration, so all you need to do is simply add new users to the correct user groups for them to gain access to their authorized services and tasks.

| Access Policy | User Role | User Group | Policy Function |
| --- | --- | --- | --- |
| Access Control Administrators Policy | Access Control Administrators Role | ib-access-control-admin | This policy allows all users in the access control administrator group to access the system to view and administer licenses, users, user groups, and access policies. |
| Administrators Policy | Administrator Role | admin | This policy allows all admin users to perform administrative tasks for all aspects of the Cloud Services Portal. |
| DDI Administrators Policy | DDI Administrator Role | ib-ddi-admin | This policy grants all users in the ib-ddi-admin group access to the BloxOne DDI service and permission to administer all aspects of BloxOne DDI. |
| DDI Users Policy | DDI User Role | ib-ddi-user | This policy grants all users in the ib-ddi-user group read-only access to the BloxOne DDI service so they can view BloxOne DDI configurations and reports. |
| TD Administrators Policy | TD Administrator Role | ib-td-admin | This policy grants all users in the ib-td-admin group access to the BloxOne Threat Defense service and permission to administer all aspects of BloxOne Threat Defense. |
| TD Users Policy | TD User Role | ib-td-user | This policy grants all users in the ib-td-user group read-only access to the BloxOne Threat Defense service to view BloxOne Threat Defense configurations and reports. |
| Users Policy | User Role | user | This global policy allows all users access to view all the configurations and reports on the Cloud Services Portal. |
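
The model described on this page (an access policy binds one role to one user group, and a user holds the union of roles across all their groups) can be reviewed offline. The following Python sketch is an added example, not Infoblox code or a portal API: the policy table is copied from above, the users are constructed sample data, and the function names are hypothetical.

```python
# Default access policies from the table above: policy -> (user role, user group).
DEFAULT_POLICIES = {
    "Access Control Administrators Policy":
        ("Access Control Administrators Role", "ib-access-control-admin"),
    "Administrators Policy": ("Administrator Role", "admin"),
    "DDI Administrators Policy": ("DDI Administrator Role", "ib-ddi-admin"),
    "DDI Users Policy": ("DDI User Role", "ib-ddi-user"),
    "TD Administrators Policy": ("TD Administrator Role", "ib-td-admin"),
    "TD Users Policy": ("TD User Role", "ib-td-user"),
    "Users Policy": ("User Role", "user"),
}
# Roles this page describes as read-only among those bound by default policies.
READ_ONLY_ROLES = {"DDI User Role", "TD User Role", "User Role"}
ACCESS_CONTROL_ROLE = "Access Control Administrators Role"

# Constructed sample data: hypothetical users mapped to their user groups.
SAMPLE_USERS = {
    "alice@example.com": {"ib-access-control-admin", "user"},
    "bob@example.com": {"ib-td-user", "user"},
    "carol@example.com": {"ib-td-user", "ib-ddi-admin", "user"},
}


def effective_roles(groups, policies=DEFAULT_POLICIES):
    """Union of the roles from every policy bound to one of the user's groups."""
    return {role for role, group in policies.values() if group in groups}


def audit(users, policies=DEFAULT_POLICIES):
    """List users holding more than read-only roles; check an access control admin exists."""
    privileged, has_ac_admin = {}, False
    for email, groups in users.items():
        roles = effective_roles(groups, policies)
        has_ac_admin = has_ac_admin or ACCESS_CONTROL_ROLE in roles
        if roles - READ_ONLY_ROLES:
            privileged[email] = sorted(roles - READ_ONLY_ROLES)
    return {"privileged": privileged, "has_access_control_admin": has_ac_admin}


if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
    # Deleting a policy removes its role from every member of the bound group.
    trimmed = {k: v for k, v in DEFAULT_POLICIES.items() if k != "TD Users Policy"}
    print(sorted(effective_roles(SAMPLE_USERS["bob@example.com"], trimmed)))
```

The `privileged` list is the set of accounts to include in a periodic access review; a `False` value for `has_access_control_admin` means nobody in the data set can manage users, user groups, and access policies through the Access Control Administrators Policy.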

To add new access policies, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select Access Policy at the top Action bar, and click Create Access Policy.
  3. In the Create Access Policy dialog, complete the following:
    • Name: Enter the name of the access policy you want to add. If you create a new policy, ensure that you enter a name that reflects the function of this policy.
    • Description: Enter a description of this access policy.
    • Role: From the drop-down menu, select the user role you want to apply to the user group for this access policy.
    • User Group: From the drop-down menu, select the user group you want to use for this access policy. Note that all users in the user group will assume the access permissions to the applicable services and responsibilities in the selected user role. Ensure that you understand the set of permissions in the user role that you plan to grant to this user group.
  4. Click Save to add the access policy.

The Access Policy page displays the following information for each policy:

  • ACCESS POLICY: The name of the access policy.
  • ROLE: The name of the user role that is associated with this access policy.
  • USER GROUP: The name of the user group to which you apply the selected user role.
  • DESCRIPTION: The description of this access policy.

You can also perform the following on this page:

  • Click the Action icon next to an access policy and select Edit to modify its information or select Remove to delete it.

Note

When you delete a predefined access policy, you remove the permissions that you previously granted to the user group. All users in this user group lose access to that set of permissions.
