Permission-based user management

Permission-Based User Management system

Depending on which Rapid7 products you use, you will have permission-based User Management and/or the new role-based access control (RBAC) for the Insight Platform.

This page walks you through managing users and permissions through the permission-based User Management system. For RBAC, see Role-based access control.

Admin and user roles

The following actions are available to admins and users depending on their role:

Role and available actions:

  • Platform Admin: Add and Manage Users on the Insight platform; Grant Free Trial Request
  • Product Admin: Add Users to a Product; Request to Start a Free Trial
  • Platform and Product Admins: Grant product access. Multi-product access is available for all users when a Platform administrator creates a new user on the platform.
  • All users: Request Product Access

Admin roles

Platform Administrator

This is a global or platform-wide user. A Platform Administrator has full access to the platform administrative console and can perform any of the following organization-wide operations:

  • Changing subscriptions for Rapid7 products and services
  • Adding, deleting, and managing users
  • Changing the organization profile
  • Managing the platform-wide settings
  • Adding other platform administrators
  • Adding users to provide access to the Customer Portal

We recommend having at least 2 platform administrators so the other administrator can act as a backup.

Platform and Product administration

Platform admins do not have product access by default and cannot complete product actions unless assigned to a product.

SSO authentication

If you decide to use SSO authentication, platform administrators will no longer be able to add users to the Insight Platform. All new users must be added through your external identity provider.

Product Administrator

This is a product-specific user. A Product Administrator can view and access all data, perform any functions within a product, and manage product settings. Product Admins have permission to add, manage, and delete other users in the same product, as well as change user roles within a product.

Product administrators cannot add platform administrators. Instead, you can combine both admin roles for a user to complete product and platform actions.

User roles

Read/Write Users

Users with Read/Write access can view and edit all data within the product or service they are assigned. Read/Write Users cannot perform any administrative actions for the product or the Insight platform or change any product settings.

Read-Only Users

Read-Only Users can view all data within a product, but they cannot edit or manage it in any way.

Read-Only users can access the Customer Portal and see support cases submitted by other users in their company.

Product roles

An Insight Platform user’s product role determines what they are able to see and do in each of the Insight products they’re assigned. Here’s how product roles are defined at the Platform level.

Product role and capabilities:

  • (Product) Admin: A product admin can view all data, perform all functions, and manage all settings for any products they’re assigned. Product admins can create, edit, and delete users for any products they’re assigned, though they can’t create Platform Admin users.
  • Read Write: Users with Read Write access can view and edit all data within the product they’re assigned. Read Write users cannot perform any administrative actions or change any settings.
  • Read Only: Read Only users can view all data within any products they’re assigned, but they can’t edit or manage it in any way.

Roles by product

Product roles sometimes vary

Many Insight products use these standard product user roles. This means that the way roles are defined at the Platform level, where they’re assigned, is how they are defined and implemented at the product level. However, some products interpret or apply these product user roles a little differently based on specific product use cases.

InsightVM

Product roles assigned to InsightVM users at the Platform level are ignored in favor of the more detailed and specialized InsightVM user roles, which are assigned to users by a product admin in InsightVM. That means that Platform users who are also InsightVM users are given InsightVM permissions associated with whatever role they’re assigned in InsightVM. Platform users who are not also InsightVM users are treated as global administrators.

InsightConnect

InsightConnect uses standard Admin, Read Write, and Read Only product roles.

InsightOps

Product role and capabilities:

  • (Product) Admin: This role is required to access the Agent Management page. If an account does not have the Collector or Insight Agent, a product admin is the only user that can initially download them. Additionally, this role can configure settings, such as plan information, API Keys, user roles, data archiving, and collector credentials.
  • Read Write: A user with read write access can add data, view and edit their dashboards, manage and create alerts, and access Analytics Packs. This user cannot edit dashboards created by others. If a product admin already installed an initial Collector or Insight Agent, a read write user can download additional ones.
  • Read Only: This user can access Log Search and Dashboards and can generate reports and view alerts. This user cannot add data.

tCell

Product role and capabilities:

  • (Product) Admin: Product Admin users have all of the same permissions as Read Write users, but they can also add, remove, and edit other users, as well as create and delete tCell apps.
  • Read Write: Read Write users can view information across all apps and make changes to app policies. Users with this role can also modify collected data and requests, and specify which client IP addresses to block. However, they can’t create or delete tCell Apps, or modify other users.
  • Read Only: Read Only users can view information across all apps in tCell. Users with this role can see all app data such as events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts.

tCell application roles

In addition to these product roles, tCell also has the concept of application roles. With application roles, user permissions can be scoped to a specific tCell application. These roles don’t restrict access to the app, only increase it.

Rapid7 Services

Product role and capabilities:

  • (Product) Admin: A Product Admin has access to all functions within their assigned products and services. These actions include:
    • Uploading and removing documents and reports.
    • Commenting on forms and reports.
    • Completing all onboarding actions for any Managed/Consulting services on the Insight platform.
    • Viewing all assigned and unassigned services.
    • Adding existing platform users and managing users within the same product that they administrate.
  • Read Write: A user with read write access can complete any onboarding actions for the team to which they are assigned, such as completing forms, uploading documents, and removing any owned documents. This user cannot add or manage users.
  • Read Only: A user with read only access can view the status of the onboarding process, as well as documents or reports from any assigned product or service. This user cannot modify any data, such as filling out forms or uploading documents.

Want a user who can only see reports?

Create a user with a Read Only user role without admin privileges if you only want to provide viewing access to reports.

Request and manage product access

The Insight Platform unites InsightVM, InsightAppSec, InsightIDR, InsightConnect, and Rapid7 Services. This united location provides centralized authentication and user management, which makes it easy for platform users to request product access and for Platform Administrators to manage access requests.

Delayed access requests

To reduce the risk of access requests being delayed or missed completely, we recommend reviewing the Platform Administrators within your account to ensure you have sufficient coverage.

Request access

Request product access

As an Insight Platform user, you can request access to any Platform product your company is subscribed to, regardless of your user role. From the Insight Platform home page, click the Request Access button for the product you want access to.

A Platform Administrator at your company will grant or reject access and you'll receive an email regarding the status of your request.

Request a free trial

If you're a Product Administrator, you can request a free trial of a product your organization isn't currently subscribed to. From the Insight Platform home page, click the Start trial button of the product you want to try out.

Manage product access requests

Platform Administrators manage Platform users' product access and trial requests and any requests to add a new user to your company account or to grant access to an external user (e.g. Rapid7 Support).

Grant or reject access requests
  1. Go to the User Management page.
  2. Select the User Requests tab. "New User" requests are displayed first by default. If you need to view and manage Product Access, Product Trial, or External User requests instead, you can go to the relevant tab.

Add users

New user accounts can be created from both the Insight Platform and individual Insight products. Platform Administrators can add a user to the Insight Platform and can grant them both Insight Platform and Insight product access. Product Administrators can only add a user to an Insight product they have administrative access to.

Add a user to the Insight Platform

An Insight Platform Administrator can add users to the Insight Platform and grant them access to individual Insight products as needed.

To add an Insight Platform user:

  1. Log in to the Insight Platform.
  2. From the left menu of the “Platform Home” page, click the User Management icon.
  3. Click the Add User button. The “Add User” panel appears.
  4. Enter user details.
    • Email: Valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign read-only access to the associated user account, and verify that the account does not have administrative privileges.
    • First and Last Name: User’s name. These fields are editable after account creation from the user’s Profile Settings.
    • Time Zone: User’s time zone. This field is editable after account creation from the user’s Profile Settings.
  5. Click Next.
  6. Select the appropriate user role options.
    • To make this user a Platform Administrator and give them the ability to manage Insight Platform users, toggle the Platform Admin option on.
    • If applicable, select the organizations within your company that you want this user to be a part of.
    • Choose a Product Role to establish the level of privilege the user will have for any Insight products they are given access to. The default role is “Read Only.”

Organizations

An organization is a logical grouping within your company that uses one or more of your Insight products. Organizations are commonly used when you have several teams that all need to access the same Insight solution, but maintain their own set of data.

  7. Click Next.
  8. Select the Insight products you want this user to have access to. If your company has multiple organizations, you must select products for each organization the user is associated with.
  9. Click Submit.

The new user will receive an email invitation to activate their Insight Platform account. New users also have automatic access to the Customer Portal.

Quick Add Platform Admin

If you need to add a Platform Administrator user, you can click the Quick Add Platform Admin button to expedite the process. Enter an email address and the name of the user, then click Add Platform Admin. If the new administrator later needs Insight product access, you can edit their account from the User Management page.

Add a user to an Insight product

An Insight Product Administrator can add users to the Insight product they have administrative access to. If you have multiple organizations associated with your Insight Platform instance, note that you can only add users to the organizations you have administrative access to.

To add an Insight product user:

  1. Log in to the Insight Platform.
  2. Open the Insight product you want to add a user to.
  3. Go to the user management page, which varies by product.
    • InsightIDR: Settings > User Management
    • InsightOps: Settings > User Management
    • InsightVM: Administration > Users
    • InsightAppSec: Settings > User Accounts
    • Rapid7 Services: Left Menu > User Management
  4. Click the Add User button. The “Add User” panel appears.
  5. Enter user details.
    • Email: Valid email address associated with the user. You can use a distribution list as the user email address, but if you do, assign read-only rights to the associated user account and verify that the account has no administrative privileges.
    • First and Last Name: User’s name. These fields are editable after account creation from the user’s Profile Settings.
    • Time Zone: User’s time zone. This field is editable after account creation from the user’s Profile Settings.
  6. Click Next.
  7. Do one of the following:
    • If this is an existing Insight Platform user, confirm you want to provide this user product access by clicking Add User. They will be added automatically and given the product role specified by the Platform Administrator that created their Insight Platform account.
    • If this is a new Insight Platform user, select a Product Role to establish the level of privilege the user will have.
  8. Click Submit.
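
The recommendations above (at least 2 platform administrators, and read-only, non-admin access for any account whose email is a distribution list) can be checked periodically against a list of your users. The following is an added example, not Rapid7 code: the CSV column names, the sample rows, and the `audit_users` function are assumptions made for illustration and do not correspond to an Insight Platform export format or API.

```python
import csv
import io

# Constructed sample data. The column names are assumptions made for this
# example; they are not an Insight Platform export format.
SAMPLE_USERS = """email,platform_admin,product_role
alice@example.com,true,Admin
bob@example.com,false,Read Write
soc-team@example.com,false,Read Write
reports@example.com,false,Read Only
"""

# Addresses you know to be distribution lists (constructed values).
DISTRIBUTION_LISTS = {"soc-team@example.com", "reports@example.com"}


def audit_users(csv_text, distribution_lists, min_platform_admins=2):
    """Return findings for the recommendations described on this page."""
    findings = []
    shared = {addr.lower() for addr in distribution_lists}
    platform_admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        is_admin = row["platform_admin"].strip().lower() == "true"
        # Normalize "Read-Only" / "Read Only" to one spelling.
        role = row["product_role"].strip().lower().replace("-", " ")
        if is_admin:
            platform_admins.append(email)
        if email in shared:
            # Shared mailbox: should be Read Only with no admin privileges.
            if is_admin:
                findings.append(f"{email}: distribution list is a Platform Admin")
            if role != "read only":
                findings.append(
                    f"{email}: distribution list has role '{role}', expected read only")
    if len(platform_admins) < min_platform_admins:
        findings.append(
            f"only {len(platform_admins)} platform admin(s); "
            f"at least {min_platform_admins} recommended")
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS, DISTRIBUTION_LISTS):
        print(finding)
```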

Edit and delete user accounts

You may need to edit an existing Insight Platform user’s account details, permissions, or product access, or you may need to delete their account. You can do all of this from the User Management page of the Insight Platform.

Edit account details, permissions, and product access
  1. From the User Management page, click the pencil icon. A panel appears with editing options.
  2. Select User Details, Role Management, or Product Assignment.
    • User Details - Edit the user’s first name or last name, reset their multi-factor authentication, or reset their account
    • Role Management - Edit the user’s roles, and enable or disable Platform Administration access
    • Product Assignment - Add and remove product assignments
  3. When you’re done making edits, click Save.

Delete user accounts
  1. From the User Management page, click the trashcan icon.
  2. Click the Yes, remove user button to confirm.

Delete a trial account

You don’t have to contact Rapid7 to delete your company’s trial Insight Platform account. You can save time and delete it yourself.

  1. Delete all Insight Platform user accounts from the User Management page.
  2. Click the gear icon and click Company Settings.
  3. Click Delete this Account in the top right corner of the page.

Deleting your company’s trial Insight Platform account removes the associated customer record along with all associated organizations and product licenses from the Insight Platform.

Need help deleting your account?

If you can’t delete your account yourself, you need to delete only a specific organization or product instead of the entire company account, or you have questions about deleting product data, submit a case through the Customer Portal for assistance.