The Cloud Services Portal provides role-based access control with which you can manage user access based on roles and permissions. With the ability to define access policies, you can restrict service-related responsibilities to certain user roles and user groups. For example, you can limit BloxOne DDI administrator permissions (defined in the DDI Administrator Role) to the BloxOne DDI admin user group (ib-ddi-admin), while allowing read-only access to the BloxOne DDI user group (ib-ddi-user) for viewing configurations and reports only. Role-based access control is primarily based on service accessibility, which results in explicit permissions for users or user groups to view, start and stop, or configure service-related tasks and features based on responsibilities within your organization.

The Cloud Services Portal provides several default user roles, user groups, and access policies as a quick-start configuration, so you can quickly assign new users to user group(s) for them to gain access to relevant services and tasks. All default user groups are predefined in quick-start access policies that grant access to specific services and authorize specific users to a set of permissions, so they can perform specific responsibilities based on their roles. For example, the predefined Access Control Administrators Policy applies the Access Control Administrators Role to the access control admin user group (ib-access-control-admin), which grants all users in the ib-access-control-admin group permissions to view and configure licenses, users, user groups, and access policies. The Cloud Services Portal offers a few other access policies based on your license entitlements. You can use these quick-start configurations to quickly onboard your new users by placing them in their respective user groups, so they can gain access to the services to perform corresponding tasks. For more information, see About Access Policies.

In addition to adding new users to default user groups and using predefined access policies, you can further manage user access as follows:

  1. Review the default user groups and create additional user groups (if needed) based on your business requirements and user responsibilities. For more information, see About User Groups.
  2. Create new users and assign them to their respective user group(s) based on their respective roles and responsibilities within your organization. For more information, see About Users.
  3. Review the default access policies and create additional access policies (if needed) by applying user roles to respective user groups. Note that an access policy grants all users in a user group a set of permissions defined in the user role, so the users can access the services and perform the tasks associated with the selected user role. For more information, see About Access Policies. 

About Users

You must assign users to at least one user group to define their roles. When you set a user group as the default, new users are automatically assigned to this user group. Users assume all the permissions from the access policies across the user groups to which they are assigned.

To add a user, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select Users at the top Action bar, and click Create User.
  3. In the Create Users dialog, complete the following:
    • Name: Enter the name of the user you want to add.
    • Email: Enter the email address for the user.
    • From the AVAILABLE USER GROUPS table, select the user group(s) you want to assign to this user, and use the arrow to move the user group(s) to the SELECTED USER GROUPS table. To select all user groups, simply click >>. To deselect all the user groups, click <<.

      Note

      All users must belong to at least one user group. Ensure that you assign at least one user to the access control administrator user group (ib-access-control-admin). This user group has the permissions to view and configure users, user groups, and access policies when applied to the Access Control Administrators Role. For more information, see About User Groups.

  4. Click Save to add the user.

The Users page displays the following information for each portal user:

  • NAME: The user name.
  • EMAIL: The email address for the user.
  • USER GROUPS: The number of user groups to which the user is assigned.
  • LAST LOGIN: The timestamp when the user last logged in to the Cloud Services Portal.

You can also perform the following on this page:

  • Click the Action icon next to a user and select Edit to modify its information, or select Remove to delete it. You can also select a user from the list and click Reset Password at the top of the table to reset the user password, or click Remove to remove the user.
  • Click Export to CSV to export the user data to a CSV file. The default file name is portal_users. The file supports up to 50,000 rows of data.

About Roles

A user role defines the set of permissions or responsibilities that the users have the ability to perform. Depending on your subscription and license entitlements, the Cloud Services Portal provides the following default user roles that you can quickly apply to their respective user groups when creating access policies. For more information, see About Access Policies. Each of the following user roles supports various permissions. You can view the list of supported permissions in the detailed panel for a specific role.

  • Access Control Administrator Role: This role has access to view and configure licenses, users, user groups, and access policies.
  • Administrator Role: This is a global role that has access and the capability to administer all aspects of the system.
  • TD Administrator Role: This role has access and the capability to administer all aspects related to BloxOne Threat Defense.
  • DDI Administrator Role: This role has access and the capability to administer all aspects related to BloxOne DDI.
  • TD User Role: This role has read-only access to configurations and reports related to BloxOne Threat Defense.
  • DDI User Role: This role has read-only access to configurations and reports related to BloxOne DDI.
  • User Role: This is a global role that has read-only access to all service-related configurations and reports on the system.

About User Groups

A user group contains a list of users that have identical access profiles. You can quickly grant access to new users or change the access profile for all the users in the same user group. You must define at least one user group as the default user group. All new users will automatically be part of the default user group.

The Cloud Services Portal provides the following predefined user groups:

...

To add a user group, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select User Groups at the top Action bar, and click Create User Group.
  3. In the Create User Group dialog, complete the following:
    • Name: Enter the name of the user group you want to add. To align your user groups with the corresponding user roles, you might consider including "admin" or "user" in your user group name to differentiate one user group from the other.
    • Description: Enter a description about this user group.
    • From the AVAILABLE USERS table, select the user you want to add to this user group and use the arrow to move the user to the SELECTED USERS table. To select all users, simply click >>. To deselect all the users, click <<.

      Note

      You must have at least one user in a user group.

  4. Click Save to add the user group.

The User Groups page displays the following information for each user group:

  • USER GROUP: The name of the user group.
  • USERS: The number of users in this user group.
  • DESCRIPTION: The description of this user group.

You can also perform the following on this page:

  • Select a specific user group from the table and click MAKE DEFAULT to make it the default user group. If you do not assign a new user to a specific user group, the user will automatically be added to the default user group.
  • Click the Action icon next to a user group and select Edit to modify its information or select Remove to delete it. Note that when you delete a user group, its users are no longer part of that user group.
Note

You cannot delete the "user" group, because all users are added to this group by default.

About Access Policies

An access policy applies a specific role to a specific user group to grant the set of permissions defined in the user role to all the users in the user group, allowing the users to perform specific tasks for the granted services. For example, the Access Control Administrators Policy applies the Access Control Administrator Role to the access control administrator user group (ib-access-control-admin), so all the users in ib-access-control-admin are allowed to access the Cloud Services Portal and are able to view and configure licenses, users, user groups, and access policies.

The Cloud Services Portal provides the following default access policies and their corresponding user roles and user groups for a quick-start configuration, so all you need to do is add new users to the correct user groups for them to gain access to their authorized services and tasks.

...

To add new access policies, complete the following:

  1. From the Cloud Services Portal, click Administration -> User Access.
  2. Select Access Policy at the top Action bar, and click Create Access Policy.
  3. In the Create Access Policy dialog, complete the following:
    • Name: Enter the name of the access policy you want to add. If you create a new policy, ensure that you enter a name that reflects the function of this policy.
    • Description: Enter a description about this access policy.
    • Role: From the drop-down menu, select the user role you want to apply to the user group for this access policy.
    • User Group: From the drop-down menu, select the user group you want to use for this access policy. Note that all users in the user group will assume the access permissions to the applicable services and responsibilities in the selected user role. Ensure that you understand the set of permissions in the user role that you plan to grant to this user group.
  4. Click Save to add the access policy.

The Access Policy page displays the following information for each policy:

  • ACCESS POLICY: The name of the access policy.
  • ROLE: The name of the user role that is associated with this access policy.
  • USER GROUP: The name of the user group to which you apply the selected user role.
  • DESCRIPTION: The description of this access policy.

You can also perform the following on this page:

  • Click the Action icon next to an access policy and select Edit to modify its information or select Remove to delete it.
Note

When you delete a predefined access policy, you are removing the permissions that you have previously granted to the user group. Users in this user group will no longer have access to that set of permissions.
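The access model described in About Users and About Access Policies can be reviewed offline with a small script. The following is an added example, not Infoblox code and not a Cloud Services Portal API: it models an access policy as a (policy, role, user group) binding, computes each user's effective roles as the union across their groups, and flags the conditions the notes above warn about. The user emails and the two DDI policy names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Group names, role names and the Access Control
# Administrators Policy come from the page; emails and DDI policy names are invented.
MEMBERSHIP = {
    "alice@example.com": {"ib-access-control-admin", "ib-ddi-user"},
    "bob@example.com": {"ib-ddi-admin", "ib-ddi-user"},
    "carol@example.com": {"ib-ddi-user"},
    "dave@example.com": set(),  # violates "at least one user group"
}
ADMIN_GROUP = "ib-access-control-admin"
POLICIES = [  # (access policy, role, user group)
    ("Access Control Administrators Policy", "Access Control Administrator Role", ADMIN_GROUP),
    ("DDI Admins Policy", "DDI Administrator Role", "ib-ddi-admin"),
    ("DDI Users Policy", "DDI User Role", "ib-ddi-user"),
]


def effective_roles(membership, policies):
    """Union of the roles a user receives across every group they belong to."""
    by_group = defaultdict(set)
    for _name, role, group in policies:
        by_group[group].add(role)
    return {user: set().union(*(by_group[g] for g in groups))
            for user, groups in membership.items()}


def audit(membership, policies):
    """Return findings for the conditions the documentation's notes warn about."""
    findings = [f"{user}: not in any user group"
                for user, groups in sorted(membership.items()) if not groups]
    if not any(ADMIN_GROUP in groups for groups in membership.values()):
        findings.append(f"no user in {ADMIN_GROUP}")
    bound = {group for _name, _role, group in policies}
    for group in sorted(set().union(*membership.values()) - bound):
        findings.append(f"{group}: has members but no access policy")
    return findings


def without_policy(policies, name):
    """Policies after deleting one, to preview who loses permissions."""
    return [p for p in policies if p[0] != name]


if __name__ == "__main__":
    for user, roles in sorted(effective_roles(MEMBERSHIP, POLICIES).items()):
        print(user, sorted(roles))
    print(audit(MEMBERSHIP, POLICIES))
    print(audit(MEMBERSHIP, without_policy(POLICIES, "Access Control Administrators Policy")))
```

Running `audit` against `without_policy(...)` before removing a policy in the portal shows which groups would be left with members but no permissions.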
