Basic User Groups, Roles, & Entitlements
Basic User Groups are leveraged in conjunction with Basic User Roles to grant permissions to users. Both Basic User Groups and Basic User Roles are available under the Administration > User Management feature.
Basic User Groups
For Basic User Groups, you can view a list of all of your organization's groups, add groups, and perform actions for individual groups. In addition, administrators can modify entitlements (access to features in the InsightCloudSec platform) for groups through the Actions menu. Details on those capabilities are included in the Entitlements section.
Add a Basic User Group
- From Administration > User Management, select the Basic User Groups tab.
- Click the + Create Basic User Group button.
- Provide a Group Name and click Create.
Next, you'll need to modify the group to add users.
Modify Basic User Group
Open the Actions menu (...) for a given user group to reveal the following actions for modifying a Basic User Group:
Basic User Groups Actions | Description |
---|---|
Rename Group | Renames the group. |
Manage Users | Adds and/or removes users. |
Manage Roles | Adds and/or removes roles. |
Manage Entitlements | Modifies Basic User role entitlements. |
Delete Group | Deletes the group. |
Basic User Roles
Basic User Roles store specific permission details. Much like Groups, roles are simply a list of groups linked to a list of scopes. From Administration > User Management you can select the Basic User Roles tab, where you (with the appropriate permissions) can add roles, modify existing roles, and view effective access for existing roles.
Add a Basic User Role
- Navigate to Administration > User Management in your InsightCloudSec platform.
- Click on the Basic User Roles tab and select the Add Basic User Role button on the top right of the page.
- Enter a name and description, and select the desired permissions.
Basic User Role Permissions
The following permissions are available for a Basic User Role. These are established when you Add Role, or can be accessed for existing roles by selecting the actions menu next to the target role and selecting Update Basic User Role.
Role Permissions | Description |
---|---|
Global Scope | When enabled (via toggle), permission applies globally to all clouds/resources. |
Add Cloud | An explicit permission that allows for least privileged access to add cloud accounts. This will work alongside other individual permissions given. |
Delete Cloud | An explicit permission that allows for least privileged access to delete cloud accounts. This will work alongside other individual permissions given. |
All Resource Permissions | Permission to execute any action within the role scope. Selecting this box will auto-select all of the items below it. |
View | Permission to view resources within the scope. Note: Users without this permission will not be able to view resources in any feature, e.g., Layered Context, Identity Analysis, etc. |
Manage | Permission to manage the resources in scope. |
Delete | Permission to destroy resources. Note: Delete is not available for every resource type. |
Update Roles
The following actions are available to modify Roles:
Modify Roles | Description |
---|---|
Show Role's Effective Access | Displays list of cloud accounts available to selected role. |
Update Basic User Role | Allows the modification of name, description, and permissions for selected role. |
Modify Basic User Group Associations | Adds and/or removes Groups. |
Modify Badge Scope | Adds and/or removes Badges. |
Modify Cloud Account Scope | Adds and/or removes Cloud Accounts. |
Modify Resource Group Scope | Adds and/or removes Resource Groups. |
Delete | Deletes selected role. |
Modify/View Cloud Role Scopes
Users also have the ability to easily identify the cloud accounts that are in scope of a role. From Administration > User Management on the Basic User Roles tab, a user can select the Modify Cloud Account Scope option from the Actions menu to view the Cloud Accounts that are in scope for the target role.
Entitlements
Entitlements Behavior - Important Information
Conflicting entitlements - If a user is part of multiple groups and entitlements are applied to both groups, the user will receive the most permissive entitlements. For example, if one group gives the user viewer entitlement and another provides the user editor entitlement, the user will ultimately gain the editor entitlement.
Auditing Users - For customers looking to audit their user configurations, we recommend taking advantage of the export feature. Navigate to User Management > Users and then click the Download button. Use the CSV data to review possible duplicate users and associated entitlements prior to creating your new group structure.
Entitlements, through Basic User Groups, give domain users control over basic users' and organization admins' permissions to access certain parts of the InsightCloudSec platform. These are all managed at a group level through Basic User Groups. Access to these entitlements is available to administrators through Administration > User Management on the Basic User Groups tab.
View Resources Permission Required
Remember that many of the features associated with entitlements cannot be used unless the user has View access to at least some of your resources.
The available access entitlements are:
- Disabled: This completely restricts access to the specified area of the tool. The disabled section (e.g., BotFactory) will not even appear in the navigation menu for this basic user.
- Viewer: A Viewer will be able to see and navigate to the specified section of the tool but will not be able to edit or delete anything.
- Editor: An Editor will be able to see and edit. Users will also be able to perform certain actions such as start, stop, pause, enable, etc. Editors do not have permission to delete.
- Admin: With Admin entitlements users will be able to see the entire section of the tool, as well as edit, and perform delete actions.
Entitlements can be mixed and matched; for example, a Basic User Group might have Disabled for BotFactory but Editor entitlement for Tag Explorer. By default, basic user groups have no entitlements (everything will be Disabled).
For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.
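The most-permissive rule described under Conflicting entitlements can be checked offline when auditing group memberships. The following Python sketch is an added example, not InsightCloudSec code: the CSV column names and sample rows are constructed assumptions and do not reflect the layout of the platform's export.

```python
import csv
import io
from collections import defaultdict

# Entitlement levels from least to most permissive, as listed on this page.
RANK = {"Disabled": 0, "Viewer": 1, "Editor": 2, "Admin": 3}

# Constructed sample data. The column names are assumptions for this example,
# not the layout of the InsightCloudSec CSV export.
SAMPLE_CSV = """user,group,namespace,entitlement
alice@example.com,SecOps,BotFactory,Viewer
alice@example.com,CloudEng,BotFactory,Editor
alice@example.com,CloudEng,Tag Explorer,Editor
bob@example.com,Auditors,BotFactory,Viewer
Bob@Example.com,CloudEng,BotFactory,Admin
"""

def load_grants(text):
    """Return (grants, spellings); user names are case-folded for comparison."""
    grants = defaultdict(lambda: defaultdict(dict))
    spellings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if row["entitlement"] not in RANK:
            raise ValueError(f"unknown entitlement: {row['entitlement']!r}")
        user = row["user"].strip().casefold()
        spellings[user].add(row["user"].strip())
        grants[user][row["namespace"]][row["group"]] = row["entitlement"]
    return grants, spellings

def effective(by_group):
    """Most permissive level wins; no grant at all means Disabled."""
    return max(by_group.values(), key=RANK.__getitem__, default="Disabled")

def audit(text):
    """Report effective levels, group conflicts and possible duplicate users."""
    grants, spellings = load_grants(text)
    report = {"effective": {}, "conflicts": [], "duplicates": []}
    for user, namespaces in sorted(grants.items()):
        for ns, by_group in sorted(namespaces.items()):
            level = effective(by_group)
            report["effective"][(user, ns)] = level
            if len(set(by_group.values())) > 1:
                report["conflicts"].append((user, ns, level, dict(by_group)))
        if len(spellings[user]) > 1:
            report["duplicates"].append(sorted(spellings[user]))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CSV)["conflicts"])
```

Each conflict entry names the groups involved, so a reviewer can see which membership raises a user above the level another group intended.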
Configuring Entitlements
- Navigate to Administration > User Management and then select the Basic User Groups tab.
- Select the Basic User Group for which you would like to modify entitlements and select the Actions menu to the left of the name.
- Select Manage Basic User Entitlements to open the dialog.
- Update the entitlements as necessary:
  - Bulk edit:
    - Select a role using the drop-down menu at the top of the list (next to Apply Bulk Update).
    - Select the checkbox(es) next to each entitlement namespace to which you want to apply the role.
    - Click Apply Bulk Update, then click Submit.
  - Single edit:
    - Next to the entitlement namespace you want to apply, select a role using the drop-down menu.
    - Click Submit.
These changes will be applied to all users who are members of this group.