Permission-based user management

Permission-Based User Management system

The Command Platform’s user management system is now powered by a role-based access control (RBAC) framework. The legacy permission-based system detailed in this article has been superseded by the RBAC model. If your customer account has not yet been migrated to the RBAC system, the information here still applies for the time being.

Administrator and user roles

The following actions are available to administrators and users depending on their role:

Admin roles

Platform Administrator

This is a global or platform-wide user. A Platform Administrator has full access to the platform administrative console and can perform any of the following organization-wide operations:

  • Changing subscriptions for Rapid7 products and services
  • Adding, deleting, and managing users
  • Changing the organization profile
  • Managing the platform-wide settings
  • Adding other platform administrators
  • Adding users to provide access to the Customer Portal

We recommend having at least 2 platform administrators so the other administrator can act as a backup.

⚠️

Platform and Product administration

Platform admins do not have product access by default and cannot complete product actions unless assigned to a product.

⚠️

SSO authentication

If you decide to use SSO authentication, platform administrators will no longer be able to add users to the Command Platform. All new users must be added through your external identity provider.

Product Administrator

This is a product-specific user. A Product Administrator can view and access all data, perform any functions within a product, and manage product settings. Product Admins have permission to add, manage, and delete other users in the same product, as well as change user roles within that product.

⚠️

Product administrators cannot add platform administrators. Instead, you can combine both admin roles for a user to complete product and platform actions.

User roles

Read/Write Users

Users with Read/Write access can view and edit all data within the product or service they are assigned. Read/Write Users cannot perform any administrative actions for the product or the Command Platform or change any product settings.

Read-Only Users

Read-Only Users can view all data within a product, but they cannot edit or manage it in any way.

Read-Only users can access the Customer Portal and see support cases submitted by other users in their company.

Product roles

A Command Platform user’s product role determines what they are able to see and do in each of the Rapid7 products they’re assigned. Here’s how product roles are defined at the Platform level.

| Product role | Capabilities |
| --- | --- |
| (Product) Administrator | A Product Administrator can view all data, perform all functions, and manage all settings for any products they’re assigned. Product Administrators can create, edit, and delete users for any products they’re assigned, though they can’t create Platform Administrator users. |
| Read Write | Users with Read Write access can view and edit all data within the product they’re assigned. Read Write users cannot perform any administrative actions or change any settings. |
| Read Only | Read Only users can view all data within any products they’re assigned, but they can’t edit or manage it in any way. |

Roles by product

Product roles sometimes vary

Many Rapid7 products use these standard product user roles. This means that the way roles are defined at the Platform level, where they’re assigned, is how they are defined and implemented at the product level. However, some products interpret or apply these product user roles a little differently based on specific product use cases.

InsightVM

Product roles assigned to InsightVM users at the Platform level are ignored in favor of the more detailed and specialized InsightVM user roles, which are assigned to users by a product admin in InsightVM. That means that Platform users who are also InsightVM users are given the InsightVM permissions associated with whatever role they’re assigned in InsightVM. Platform users who are not also InsightVM users are treated as global administrators.

InsightConnect

InsightConnect uses standard Admin, Read Write, and Read Only product roles.

InsightOps

| Product role | Capabilities |
| --- | --- |
| (Product) Administrator | This role is required to access the Agent Management page. If an account does not have the Collector or Insight Agent, a Product Administrator is the only user that can initially download them. Additionally, this role can configure settings, such as plan information, API Keys, user roles, data archiving, and collector credentials. |
| Read Write | A user with Read Write access can add data, view and edit their dashboards, manage and create alerts, and access Analytics Packs. This user cannot edit dashboards created by others. If a Product Administrator already installed an initial Collector or Insight Agent, a Read Write user can download additional ones. |
| Read Only | This user can access Log Search and Dashboards and can generate reports and view alerts. This user cannot add data. |

tCell

| Product role | Capabilities |
| --- | --- |
| (Product) Administrator | Product Administrator users have all of the same permissions as Read Write users, but they can also add, remove, and edit other users, as well as create and delete tCell apps. |
| Read Write | Read Write users can view information across all apps and make changes to app policies. Users with this role can also modify collected data and requests, and specify which client IP addresses to block. However, they can’t create or delete tCell Apps, or modify other users. |
| Read Only | Read Only users can view information across all apps in tCell. Users with this role can see all app data such as events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts. |

tCell application roles

In addition to these product roles, tCell also has the concept of application roles. With application roles, user permissions can be scoped to a specific tCell application. Application roles can only increase a user’s access to an app; they never restrict it.

Rapid7 Services

| Product role | Capabilities |
| --- | --- |
| (Product) Administrator | A Product Administrator has access to all functions within their assigned products and services, including uploading and removing documents and reports, commenting on forms and reports, completing all onboarding actions for any Managed/Consulting services on the Command Platform, viewing all assigned and unassigned services, adding existing Platform users, and managing users within the same product that they administer. |
| Read Write | A user with Read Write access can complete any onboarding actions for the team to which they are assigned, such as completing forms, uploading documents, and removing any owned documents. This user cannot add or manage users. |
| Read Only | A user with Read Only access can view the status of the onboarding process, as well as documents or reports from any assigned product or service. This user cannot modify any data, such as filling out forms or uploading documents. |

Want a user who can only see reports?

To provide view-only access to reports, create a user with the Read Only user role and without Administrator privileges.

Add users

New user accounts can be created from both the Command Platform and individual Rapid7 products. Platform Administrators can add a user to the Command Platform and can grant them both Command Platform and Rapid7 product access. Product Administrators can only add a user to a Rapid7 product they have administrative access to.

Add a user to the Command Platform

A Platform Administrator can add users to the Command Platform and grant them access to individual Rapid7 products as needed.

To add a Command Platform user:

  1. Sign in to the Command Platform.
  2. From the left menu of the Platform Home page, click User Management.
  3. Click Add User. The Add User panel appears.
  4. Enter user details.
    • Email: This must be a valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign Read Only access to the associated user account and verify that the account does not have Administrator privileges.
    • First name, last name, and time zone: These fields are editable after the account is created from the user’s Profile Settings.
  5. Click Next.
  6. Select the appropriate user role options.
    • To make this user a Platform Administrator and give them the ability to manage Command Platform users, toggle the Platform Admin option on.
    • If applicable, select the organizations within your company that you want this user to be a part of.
    • Choose a Product Role to establish the level of privilege the user will have for any Rapid7 products they are given access to. The default role is Read Only.

Organizations

An organization is a logical grouping within your company that uses one or more of your Rapid7 products. Organizations are commonly used when you have several teams that all need to access the same Rapid7 solutions, but maintain their own set of data.

  7. Click Next.
  8. Select the Rapid7 products you want this user to have access to. If your company has multiple organizations, you must select products for each organization the user is associated with.
  9. Click Submit.

The new user will receive an email invitation to activate their Command Platform account. New users also have automatic access to the Customer Portal.

Quick Add Platform Admin

If you need to add a Platform Administrator user, you can click the Quick Add Platform Admin button to expedite the process. Enter an email address and the name of the user, then click Add Platform Admin. If the new administrator later needs Rapid7 product access, you can edit their account from the User Management page.

Add a user to a Rapid7 product

A Product Administrator can add users to the Rapid7 product they have administrative access to. If you have multiple organizations associated with your Command Platform instance, note that you can only add users to the organizations you have administrative access to.

To add a Rapid7 product user:

  1. Sign in to the Command Platform.
  2. Open the Rapid7 product you want to add a user to.
  3. Go to the user management page, which varies by product.
    • InsightIDR: Settings > User Management
    • InsightOps: Settings > User Management
    • InsightVM: Administration > Users
    • InsightAppSec: Settings > User Accounts
    • Rapid7 Services: Left Menu > User Management
  4. Click the Add User button. The Add User panel appears.
  5. Enter user details.
    • Email: This must be a valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign Read Only access to the associated user account and verify that the account does not have Administrator privileges.
    • First name, last name, and time zone: These fields are editable after the account is created from the user’s Profile Settings.
  6. Click Next.
  7. Do one of the following:
    • If this is an existing Command Platform user, confirm you want to provide this user product access by clicking Add User. They will be added automatically and given the product role specified by the Platform Administrator that created their Command Platform account.
    • If this is a new Command Platform user, select a Product Role to establish the level of privilege the user will have.
  8. Click Submit.
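
The account guidance on this page (at least 2 platform administrators, distribution-list accounts limited to Read Only with no Administrator privileges, and platform admins having no product access unless assigned to a product) can be checked against a user roster. The following Python is an added example, not Rapid7 code; the CSV columns, the `distribution_list` flag, the rule names, and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample roster; column names are hypothetical, not a Rapid7 export format.
ROSTER_CSV = """\
email,platform_admin,product_role,products,distribution_list
alice@example.com,yes,Administrator,InsightIDR;InsightVM,no
bob@example.com,no,Read Write,InsightIDR,no
soc-team@example.com,no,Read Write,InsightIDR,yes
reports@example.com,no,Read Only,Rapid7 Services,yes
"""

MIN_PLATFORM_ADMINS = 2  # the page recommends at least 2

def load_roster(text):
    """Parse the roster into dicts with normalised booleans and product lists."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "email": row["email"].strip().lower(),
            "platform_admin": row["platform_admin"].strip().lower() == "yes",
            "product_role": row["product_role"].strip(),
            "products": [p.strip() for p in row["products"].split(";") if p.strip()],
            "distribution_list": row["distribution_list"].strip().lower() == "yes",
        })
    return users

def audit(users):
    """Return (rule, subject, detail) findings for the page's guidance."""
    findings = []
    admins = [u["email"] for u in users if u["platform_admin"]]
    if len(admins) < MIN_PLATFORM_ADMINS:
        findings.append(("no-backup-platform-admin", "organization",
                         f"{len(admins)} platform admin(s), want >= {MIN_PLATFORM_ADMINS}"))
    for u in users:
        # A distribution-list account must be Read Only and hold no admin privileges.
        if u["distribution_list"] and (
                u["platform_admin"] or u["product_role"] != "Read Only"):
            findings.append(("shared-mailbox-overprivileged", u["email"],
                             f"role={u['product_role']}, platform_admin={u['platform_admin']}"))
        # Platform admins have no product access unless assigned to a product.
        if u["platform_admin"] and not u["products"]:
            findings.append(("platform-admin-without-product", u["email"],
                             "cannot complete product actions"))
    return findings

if __name__ == "__main__":
    for finding in audit(load_roster(ROSTER_CSV)):
        print(*finding, sep=" | ")
```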

Edit and delete user accounts

You may need to edit an existing Command Platform user’s account details, permissions, or product access, or you may need to delete their account. You can do all of this from the User Management page of the Command Platform.

Edit account details, permissions, and product access

  1. From the User Management page, click the edit icon. A panel appears with editing options.
  2. Select User Details, Role Management, or Product Assignment.
    • User Details - Edit the user’s first name and last name, reset their multi-factor authentication, or reset their account
    • Role Management - Edit the user’s roles, and enable or disable Platform Administration access
    • Product Assignment - Add and remove product assignments
  3. When you’re done making edits, click Save.

Delete user accounts

  1. From the User Management page, click the delete icon.
  2. Click the Yes, remove user button to confirm.