Users, Groups, and Roles (User Management)
In InsightCloudSec access to functionality for Users, Groups, and Roles is managed through our User Management capability. In your InsightCloudSec installation, locate the Administration cog icon (top right) and click to select User Management from the drop-drown.
Administrators are able to see details about their Domain Admins, Users (at the Organization level), API Keys, Basic User Groups, Basic User Roles, and Authentication Servers.
Access and visibility
Access and visibility vary based on permissions, check out the User Entitlements Matrix or reach out to us through the Customer Support Portal if you have questions or issues.
Hierarchy
InsightCloudSec can be deployed in a flexible manner from running entirely on a single server to scaling across multiple servers for performance and redundancy. Check out our Production Deployments section to learn more.
Domains > Organizations > Groups/Roles/Users
Domains
Domains are a collection of Organizations and allow for domain administrators to manage Organizations. Check out our documentation on Domain Admins to learn more.
Organizations
Organizations allow for complete isolation between Cloud Accounts, resources, and users within an individual organization. Cloud Accounts and their resources can only belong to one Organization and cannot be modified or viewed from another Organization. Check out documentation on our multi-tenant functionality - called Organizations section to learn more.
Users/Groups/Roles
With the exception of domain admins, users may only belong to a single Organization. Domain admins may change between organizations but within their current session cannot modify or view Cloud Accounts, or the cloud’s resources, without first changing to the correct organization.
Organization Admins may have their privileges extended to multiple organizations by a Domain Admin (review Modifying a User for more information)
Other Users are either Organization Admins or Basic Users and must be explicitly granted permissions via the Role Based Access system. The system comprises 1) Users, 2) Groups, 3) Roles, and 4) Scopes.
Groups are used to organize users together for the same set of permissions, e.g., Power Users, View Only, AWS-Development-Team, etc.
Permissions are defined by a Role. A Role consists of a name, description, and one or more permissions:
- All Permissions - Permission to execute any action within the role scope
- View - Permission to view resources within the scope
- Provision - Permission to create new resources
- Manage - Permission to manage the resources in scope
- Delete - Permission to destroy resources
A Role can then be associated with one or more Cloud Accounts or Resource Groups which is called the Scope of the Role. Many roles can be associated with a group. Likewise many Scopes can be associated with a Role.
Once a Group with Roles is created that is scoped to some resources, a user can be created and added to the group. Authenticate with this new user’s account and you will see the clouds or groups granted to the user.
Definitions
- Domain Admins - Refers to administrators that have all permissions for all cloud resources across the entire InsightCloudSec Platform installation. These include Read-Only Admins who have all permissions for all cloud resources throughout InsightCloudSec but cannot take any actions. Only Domain Admins can:
- Create/modify InsightCloudSec Organizations
- Move freely between InsightCloudSec Organizations
- Promote other users to Domain Admin
- Update Notification Preference system-wide or for individual users
- Configure Plugins
- Review and configure the System Administration
- Organization Admins have all permissions for all cloud resources within a given InsightCloudSec organization or organizations (Organization Admins may have their privileges extended to multiple organizations by a Domain Admin; review Modifying a User for more information). Domain Admins may add these Organization Admins to Basic User Groups and assign permissions to them as you would Basic Users; however, Organization Admin permissions will always take precedence. At any time, a Basic User can be converted from Organization Admin to a Basic User and vice versa.
- Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.
- Basic User Groups refers to groups of users who can share Basic User Roles (permissions around cloud accounts) and Basic User Entitlements (access to InsightCloudSec features - viewer, editor, etc.), so that each member of the group has the same access and permissions.
- Basic User Roles provide administrators with granular controls to govern what Basic Users can access and do across their cloud footprint. These Roles define scope and permissions and are attached to one or more Basic User Groups.
For more information on what the different types of entitlements can do (or not do), review the User Entitlements Matrix.
User Types
Users in InsightCloudSec are of two main types: Admins and Basic Users. These users are defined at the Organization level. In addition to Admin and Basic Users, InsightCloudSec also supports API-Only users (which are also Basic Users).
Admins
There are two types of Admin users within InsightCloudSec: Domain Admins and Organization Admins. Both Domain and Organization Admins have all permissions for all cloud resources within a given organization. Domain Admins have all permissions for all cloud resources across your entire InsightCloudSec instance (all organizations). As of InsightCloudSec version 22.3.4, Organization Admins may have their privileges extended to multiple organizations by a Domain Admin (review Modifying a User for more information). You may add these users to Groups and assign permissions to them as you would Basic Users. However, Organization Admin permissions will always take precedence. At any time, a user can be converted from Organization Admin to a Basic User and likewise the reverse.
- For a bit more information on Admin capabilities, take a look at the User Configurations (for Admins) documentation.
- For users with Domain Admin or read-only admin permissions, you also have the ability to download a CSV report that lists Domain Administrators/Read-Only Admins.
Basic Users
Basic Users start with no access to cloud resources and must be granted permissions explicitly. This is done by associating users to User Groups (one or many), which define the permissions allowed for users in the User Group.
Resource Visibility and Permissions
InsightCloudSec resources such as Bots and Provisioning Templates are not restricted by permissions. They are visible to all Organization Users.
A user’s aggregate permissions are the sum of permissions from all groups in which they are a member.
API-Only Users
In addition to Basic Users with access to the InsightCloudSec console, Administrators have the ability to create an API-only user. API-Only users are created using API endpoints by preventing console access and granting an API Key.
API Keys can be used instead of user credentials to programmatically log into the system. This functionality operates through a series of API endpoints. Refer to the Create API Only User endpoint and InsightCloudSec API documentation for details.
- If you are looking for details on generating an API Key for a regular user check out the details on API Keys.
Some important things to note about this new capability include:
- When an API-Only user is created, a new unique API key is generated for that user. Once the key is generated it is important to properly store the key as you will not be able to access it at a later time.
- By default, API-Only users will not have console access.
- If console access is granted after an API-Only user is created, the user will be converted automatically to local authentication (username/password) and require a password reset to generate a password to access the console.
- If an Admin removes console access for an existing user, the initial authentication type will persist when console access is restored.
- An API key can be used to access the endpoints by using a valid 'API-Key' in header instead of 'X-Auth-Token'.
- All API-Only users are Basic Users.
- Admins cannot be API-Only. (They can however also have API keys in addition to console access; console access cannot be revoked for Admins).
- Admins have the ability to revoke access and generate new keys for users.
- If a new key is generated, any existing API keys will be deactivated.
Authentication
User accounts can be configured to authenticate using several different authentication types:
Local Authentication - This type of user authenticates against the local database
- Via Session Token - The user is authenticated using console login
- Using API Key - The user is authenticated based on the API-Key
Check out the Configuring Authentication Servers page for links to instructions on all of the individually supported options including Active Directory, SAML, and LDAP.
In addition, InsightCloudSec includes support for authentication and sync using external tools, allowing you to create and manage users outside of the InsightCloudSec platform. You can read more about this feature under the Just In-Time User Provisioning (Authentication Server Support) documentation