Permission-based user management
Permission-Based User Management system
Depending on which Rapid7 products you use, you will have permission-based User Management and/or the new role-based access control (RBAC) for the Insight Platform.
This page walks you through managing users and permissions through the permission-based User Management system. For RBAC, see Role-based access control.
Admin and user roles
The following actions are available to admins and users depending on their role:
| Role | Action |
|---|---|
| Platform Admin | - Add and Manage Users on the Insight platform - Grant Free Trial Request |
| Product Admin | - Add Users to a Product - Request to Start a Free Trial |
| Platform and Product Admins | Grant product access Multi-product access is available for all users when a Platform administrator creates a new user on the platform. |
| All users | Request Product Access |
Admin roles
Platform Administrator
This is a global or platform-wide user. A Platform Administrator has full access to the platform administrative console and can perform any of the following organization-wide operations:
- Changing subscriptions for Rapid7 products and services
- Adding, deleting, and managing users
- Changing the organization profile
- Managing the platform-wide settings
- Add other platform administrators
- Add users to provide access to the Customer Portal
- We recommend having at least 2 platform administrators so the other administrator can act as a backup.
Platform and Product administration
Platform admins do not have product access by default and cannot complete product actions unless assigned to a product.
SSO authentication
If you decide to use SSO authentication, platform administrators will no longer be able to add users to the Insight Platform. All new users must be added through your external identity provider.
Product Administrator
This is a product specific user. A Product Administrator can view and access all data, perform any functions within a product, and manage product settings. Product Admins have permission to add, manage, and delete other users to/from the same product, as well as change user roles within a product.
Product administrators cannot add platform administrators. Instead, you can combine both admin roles for a user to complete product and platform actions.
User roles
Read/Write Users
Users with Read/Write access can view and edit all data within the product or service they are assigned. Read/Write Users cannot perform any administrative actions for the product or the Insight platform or change any product settings.
Read-Only Users
Read-Only Users can view all data within a product, but they cannot edit or manage it in any way.
Read-Only users can access the Customer Portal and see support cases submitted by other users in their company.
Product roles
An Insight Platform user’s product role determines what they are able to see and do in each of the Insight products they’re assigned. Here’s how product roles are defined at the Platform level.
Product Role | Capabilities |
|---|---|
(Product) Admin | A product admin can view all data, perform all functions, and manage all settings for any products they’re assigned. Product admins can create, edit, and delete users for any products they’re assigned, though they can’t create Platform Admin users. |
Read Write | Users with Read Write access can view and edit all data within the product they’re assigned. Read Write users cannot perform any administrative actions or change any settings. |
Read Only | Read Only users can view all data within any products they’re assigned, but they can’t edit or manage it in any way. |
Roles by product
Product roles sometimes vary
Many Insight products use these standard product user roles. This means that the way roles are defined at the Platform level, where they’re assigned, is how they are defined and implemented at the product level. However, some products interpret or apply these product user roles a little differently based on specific product use cases.
InsightVM
Product roles assigned to InsightVM users at the Platform level are ignored in favor of the more detailed and specialized InsightVM user roles, which are assigned to users by an product admin in InsightVM. That means that Platform users who are also InsightVM users are given InsightVM permissions associated with whatever role they’re assigned in InsightVM. Platform users who are not also InsightVM users are treated as global administrators.
InsightConnect
InsightConnect uses standard Admin, Read Write, and Read Only product roles.
InsightOps
Product Role | Capabilities |
|---|---|
(Product) Admin | This role is required to access the Agent Management page. If an account does not have the Collector or Insight Agent, a product admin is the only user that can initially download them. |
Read Write | A user with read write access can add data, view and edit their dashboards, manage and create alerts, and access Analytics Packs. |
Read Only | This user can access Log Search and Dashboards and can generate reports and view alerts. |
tCell
Product Role | Capabilities |
|---|---|
(Product) Admin | Product Admin users have all of the same permissions as Read Write users, but they can also add, remove, and edit other users, as well as create and delete tCell apps. |
Read Write | Read Write users can view information across all apps and make changes to app policies. Users with this role can also modify collected data and requests, and specify which client IP addresses to block. However, they can’t create or delete tCell Apps, or modify other users. |
Read Only | Read Only users can view information across all apps in tCell. Users with this role can see all app data such as events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts. |
tCell application roles
In addition to these product roles, tCell also has the concept of application roles. With application roles, user permissions can be scoped to a specific tCell application. These roles don’t restrict access to the app, only increase it.
Rapid7 Services
Product Role | Capabilities |
|---|---|
(Product) Admin | A Product Admin has access to all functions within their assigned products and services. These actions include: |
Read Write | A user with read write access can complete any onboarding actions for the team to which you are assigned, such as completing forms, uploading documents, and removing any owned documents. This user cannot add or manage users. |
Read Only | A user with read only access can view the status of the onboarding process, as well as documents or reports from any assigned product or service. This user cannot modify any data,such as filling out forms or uploading documents. |
Want a user who can only see reports?
Create a user with a Read Only user role without admin privileges if you only want to provide viewing access to reports.
Request and manage product access
The Insight Platform unites InsightVM, InsightAppSec, InsightIDR, InsightConnect, and Rapid7Services. This united location provides centralized authentication and user management, which makes it easy for platform users to request product access and for Platform Administrators to manage access requests.
Delayed access requests
To reduce the risk of access requests being delayed or missed completely, we recommend reviewing the Platform Administrators within your account to ensure you have sufficient coverage.
Request access
Request product access
As an Insight Platform User you can request access to any Platform product your company is subscribed to, regardless of your user role. From the Insight Platform home page, click the Request Access button for the product you want access to.
A Platform Administrator at your company will grant or reject access and you'll receive an email regarding the status of your request.
Request a free trial
If you're a Product Administrator, you can request a free trial of a product your organization isn't currently subscribed to. From the Insight Platform home page, click the Start trial button of the product you want to try out.
Manage product access requests
Platform Administrators manage Platform users' product access and trial requests and any requests to add a new user to you company account or to grant access to an external user (e.g. Rapid7 Support).
Grant or reject access requests
- Go to the User Management page.
- Select the User Requests tab. "New User" requests are displayed first by default. If you need to view and manage Product Access, Product Trial, or External User requests instead, you can go to the relevant tab.
Add users
New user accounts can be created from both the Insight Platform and individual Insight products. Platform Administrators can add a user to the Insight Platform and can grant them both Insight Platform and Insight product access. Product Administrators can only add a user to an Insight product they have administrative access to.
Add a user to the Insight Platform
An Insight Platform Administrator can add users to the Insight Platform and grant them access to individual Insight products as needed.
To add an Insight Platform user:
- Log in to the Insight Platform.
- From the left menu of the “Platform Home” page, click the User Management icon.
- Click the Add User button. The “Add User” panel appears.
- Enter user details.
- Email: Valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign read-only access to the associated user account, and verify that the account does not have administrative privileges.
- First and Last Name: User’s name. These fields are editable after account creation from the user’s Profile Settings.
- Time Zone: User’s time zone. This field is editable after account creation from the user’s Profile Settings.
- Click Next.
- Select the appropriate user role options.
- To make this user a Platform Administrator and give them the ability to manage Insight Platform users, toggle the Platform Admin option on.
- If applicable, select the organizations within your company that you want this user to be a part of.
- Choose a Product Role to establish the level of privilege the user will have for any Insight products they are given access to. The default role is “Read Only.”
Organizations
An organization is a logical grouping within your company that uses one or more of your Insight products. Organizations are commonly used when you have several teams that all need to access the same Insight solution, but maintain their own set of data.
- Click Next.
- Select the Insight products you want this user to have access to. If your company has multiple organizations, you must select products for each organization the user is associated with.
- Click Submit.
The new user will receive an email invitation to activate their Insight Platform account. New users also have automatic access to the Customer Portal.
Quick Add Platform Admin
If you need to add a Platform Administrator user, you can click the Quick Add Platform Admin button to expedite the process. Enter an email address and the name of the user, then click Add Platform Admin. If the new administrator later needs Insight product access, you can edit their account from the User Management page.
Add a user to an Insight product
An Insight Product Administrator can add users to the Insight product they have administrative access to. If you have multiple organizations associated with your Insight Platform instance, note that you can only add users to the organizations you have administrative access to.
To add an Insight product user:
- Log in to the Insight Platform.
- Open the Insight product you want to add a user to.
- Go to the user management page, which varies by product.
- InsightIDR: Settings > User Management
- InsightOps: Settings > User Management
- InsightVM: Administration > Users
- InsightAppSec: Settings > User Accounts
- Rapid7 Services: Left Menu > User Management
- Click Add User button. The “Add User” panel appears.
- Enter user details.
- Email: Valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign read-only rights to the associated user account and verify that the account has no administrative privileges.
- First and Last Name: User’s name. These fields are editable after account creation from the user’s Profile Settings.
- Time Zone: User’s time zone. This field is editable after account creation from the user’s Profile Settings.
- Click Next.
- Do one of the following:
- If this is an existing Insight Platform user, confirm you want to provide this user product access by clicking Add User. They will be added automatically and given the product role specified by the Platform Administrator that created their Insight Platform account.
- If this is a new Insight Platform user, select a Product Role to establish the level of privilege the user will have.
- Click Submit.
Edit and delete user accounts
You may need to edit an existing Insight Platform user’s account details, permissions, or product access, or you may need to delete their account. You can do all of this from the User Management page of the Insight Platform.
Edit account details, permissions, and product access
- From the User Management page, click the pencil icon. A panel appears with editing options.
- Select User Details, Role Management, or Product Assignment.
- User Details - Edit the user’s first name, last name, reset their multi-factor authentication, or reset their account
- Role Management - Edit the user’s roles, and enable or disable Platform Administration access
- Product Assignment - Add and remove product assignments
- When you’re done making edits, click Save.
Delete user accounts
- From the User Management page, click the trashcan icon.
- Click the Yes, remove user button to confirm.
Delete a trial account
You don’t have to contact Rapid7 to delete your company’s trial Insight Platform account. You can save time and delete it yourself.
- Delete all Insight Platform user accounts from the User Management page.
- Click the gear icon and click Company Settings.
- Click Delete this Account in the top right corner of the page.
Deleting your company’s trial Insight Platform account removes the associated customer record along with all associated organizations, and product licenses from the Insight Platform.
Need help deleting your account?
If you can’t delete your account yourself, you need to delete only a specific organization or product instead of the entire company account, or you have questions about deleting product data, submit a case through the Customer Portal for assistance.