Managing users and authentication

Effective use of scan information depends on how your organization analyzes and distributes it, who gets to see it, and for what reason. Managing access to information in the application involves creating asset groups and assigning roles and permissions to users. This chapter provides best practices and instructions for managing users, roles, and permissions.

Mapping roles to your organization

It is helpful to study how roles and permissions map to your organizational structure.

TIP

While a user authentication system is already included, you should integrate any supported external authentication service with the application to avoid managing multiple sets of user information. The Security Console supports integrations with the following authentication sources:

  • Microsoft Active Directory
  • Kerberos
  • SAML 2.0

See Using external sources for user authentication for instructions.

In a smaller company, one person may handle all security tasks. He or she will be a Global Administrator, initiating scans, reviewing reports, and performing remediation. Or there may be a small team of people sharing access privileges for the entire system. In either of these cases, it is unnecessary to create multiple roles, because all network assets can be included in one site, requiring a single Scan Engine.

Example, Inc. is a larger company. It has a wider, more complex network, spanning multiple physical locations and IP address segments. Each segment has its own dedicated support team managing security for that segment alone.

One or two global administrators are in charge of creating user accounts, maintaining the system, and generating high-level, executive reports on all company assets. They create sites for different segments of the network. They assign security managers, site administrators, and system administrators to run scans and distribute reports for these sites.

The Global Administrators also create various asset groups. Some will be focused on small subsets of assets. Non-administrative users in these groups will be in charge of remediating vulnerabilities and then generating reports after follow-up scans are run to verify that remediation was successful. Other asset groups will be more global, but less granular, in scope. The non-administrative users in these groups will be senior managers who view the executive reports to track progress in the company's vulnerability management program.

Configuring roles and permissions

Whether you create a custom role or assign a preset role for an account depends on several questions: What tasks do you want that account holder to perform? What data should be visible to the user? What data should not be visible to the user?

For example, a manager of a security team that supports workstations may need to run scans on occasion and then distribute reports to team members to track critical vulnerabilities and prioritize remediation tasks. This account may be a good candidate for an Asset Owner role with access to a site that only includes workstations and not other assets, such as database servers.

Keep in mind that, except for the Global Administrator role, the assigning of a custom or preset role is interdependent with access to site and asset groups.

If you want to assign roles with very specific sets of permissions you can create custom roles. The following tables list and describe all permissions that are available. Some permissions require other permissions to be granted in order to be useful. For example, in order to be able to create reports, a user must also be able to view asset data in the reported-on site or asset group, to which the user must also be granted access.

The tables also indicate which roles include each permission. You may find that certain roles are granular or inclusive enough for a given account. A list of preset roles and the permissions they include follows the permissions tables. See Give a user access to asset groups.

Permissions tables

Global permissions

These permissions automatically apply to all sites and asset groups and do not require additional, specified access.

Manage Sites
  Description: Create, delete, and configure all attributes of sites, except for user access. Implicitly have access to all sites. Manage shared scan credentials. Other affected permissions: When you select this permission, all site permissions automatically become selected. See Site permissions.
  Roles: Global Administrator

Manage Scan Templates
  Description: Create, delete, and configure all attributes of scan templates.
  Roles: Global Administrator

Manage Report Templates
  Description: Create, delete, and configure all attributes of report templates.
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Manage Scan Engines
  Description: Create, delete, and configure all attributes of Scan Engines; pair Scan Engines with the Security Console.
  Roles: Global Administrator

Manage Policies
  Description: Copy existing policies; edit and delete custom policies.
  Roles: Global Administrator

Appear on Report Lists
  Description: Appear on user lists in order to view reports.
  Prerequisite: A user with this permission must also have asset viewing permission in any relevant site or asset group: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Configure Global Settings
  Description: Configure settings that are applied throughout the entire environment, such as risk scoring and exclusion of assets from all scans.
  Roles: Global Administrator

Manage Tags
  Description: Create tags and configure their attributes. Delete tags except for built-in criticality tags. Implicitly have access to all sites.
  Roles: Global Administrator

Site permissions

These permissions only apply to sites to which a user has been granted access.

View Site Asset Data
  Description: View discovered information about all assets in accessible sites, including IP addresses, installed software, and vulnerabilities.
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Specify Site Metadata
  Description: Enter site descriptions, importance ratings, and organization data.
  Roles: Global Administrator, Security Manager and Site Owner

Specify Scan Targets
  Description: Add or remove IP addresses, address ranges, and host names for site scans.
  Roles: Global Administrator

Assign Scan Engine
  Description: Assign a Scan Engine to sites.
  Roles: Global Administrator

Assign Scan Template
  Description: Assign a scan template to sites.
  Roles: Global Administrator, Security Manager and Site Owner

Manage Scan Alerts
  Description: Create, delete, and configure all attributes of alerts to notify users about scan-related events.
  Roles: Global Administrator, Security Manager and Site Owner

Manage Site Credentials
  Description: Provide logon credentials for deeper scanning capability on password-protected assets.
  Roles: Global Administrator, Security Manager and Site Owner

Schedule Automatic Scans
  Description: Create and edit site scan schedules.
  Roles: Global Administrator, Security Manager and Site Owner

Start Unscheduled Scans
  Description: Manually start one-off scans of accessible sites (does not include the ability to configure scan settings).
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner

Purge Site Asset Data
  Description: Manually remove asset data from accessible sites.
  Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator

Manage Site Access
  Description: Grant and remove user access to sites.
  Roles: Global Administrator

Asset Group permissions

These permissions only apply to asset groups to which a user has been granted access.

Manage Dynamic Asset Groups
  Description: Create dynamic asset groups. Delete and configure all attributes of accessible dynamic asset groups except for user access. Implicitly have access to all sites.
  Note: A user with this permission has the ability to view all asset data in your organization.
  Roles: Global Administrator

Manage Static Asset Groups
  Description: Create static asset groups. Delete and configure all attributes of accessible static asset groups except for user access.
  Prerequisite: A user with this permission must also have the following permissions and access to at least one site to effectively manage static asset groups: Manage Group Assets; View Group Asset Data
  Roles: Global Administrator

View Group Asset Data
  Description: View discovered information about all assets in accessible asset groups, including IP addresses, installed software, and vulnerabilities.
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Manage Group Assets
  Description: Add and remove assets in static asset groups.
  Note: This permission does not include the ability to delete underlying asset definitions or discovered asset data.
  Prerequisite: A user with this permission must also have the following permission: View Group Asset Data
  Roles: Global Administrator

Manage Asset Group Access
  Description: Grant and remove user access to asset groups.
  Roles: Global Administrator

Report permissions

The Create Reports permission only applies to assets to which a user has been granted access. Other report permissions are not subject to any kind of access.

Create Reports
  Description: Create and own reports for accessible assets; configure all attributes of owned reports, except for user access.
  Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Use Restricted Report Sections
  Description: Create report templates with restricted sections; configure reports to use templates with restricted sections.
  Prerequisite: A user with this permission must also have the following permission: Manage Report Templates
  Roles: Global Administrator

Manage Report Access
  Description: Grant and remove user access to owned reports.
  Roles: Global Administrator

Vulnerability exception permissions

These permissions only apply to sites or asset groups to which a user has been granted access.

Submit Vulnerability Exceptions
  Description: Submit requests to exclude vulnerabilities from reports.
  Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Review Vulnerability Exceptions
  Description: Approve or reject requests to exclude vulnerabilities from reports.
  Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator

Delete Vulnerability Exceptions
  Description: Delete vulnerability exceptions and exception requests.
  Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data
  Roles: Global Administrator

Vulnerability investigation permissions

These permissions only apply to assets to which this user has been granted access.

View vulnerability investigations
  Description: View vulnerability investigations for accessible assets.
  Roles: Global Administrator, Security Manager and Site Owner, Asset Owner, User

Manage vulnerability investigations
  Description: Open, submit, and close vulnerability investigations.
  Roles: Global Administrator, Security Manager and Site Owner
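The prerequisite and "implicitly have access" notes in the tables above are what a reviewer of a custom role has to check by hand. The following Python script is an added example, not Nexpose code or its API: it transcribes those rules from the tables and checks a role's permission set against them, flagging missing prerequisites and permissions that widen data access beyond the sites and asset groups the user was explicitly given. The role definitions at the bottom are constructed for illustration.

```python
"""Check a custom role's permission set against the prerequisite and scope
rules stated in the permissions tables above.

Added example, not Nexpose code. The rule tables below are transcribed from
the documentation; the role definitions at the bottom are constructed.
"""

# Permissions that Manage Sites selects automatically ("all site permissions").
SITE_PERMISSIONS = frozenset({
    "View Site Asset Data", "Specify Site Metadata", "Specify Scan Targets",
    "Assign Scan Engine", "Assign Scan Template", "Manage Scan Alerts",
    "Manage Site Credentials", "Schedule Automatic Scans",
    "Start Unscheduled Scans", "Purge Site Asset Data", "Manage Site Access",
})

# "One of the following permissions": either alternative satisfies the rule.
ASSET_VIEW = [frozenset({"View Site Asset Data"}), frozenset({"View Group Asset Data"})]

# permission -> list of alternative sets; at least one set must be held in full.
PREREQUISITES = {
    "Appear on Report Lists": ASSET_VIEW,
    "Purge Site Asset Data": ASSET_VIEW,
    "Create Reports": ASSET_VIEW,
    "Submit Vulnerability Exceptions": ASSET_VIEW,
    "Review Vulnerability Exceptions": ASSET_VIEW,
    "Delete Vulnerability Exceptions": ASSET_VIEW,
    "Manage Group Assets": [frozenset({"View Group Asset Data"})],
    "Manage Static Asset Groups": [frozenset({"Manage Group Assets", "View Group Asset Data"})],
    "Use Restricted Report Sections": [frozenset({"Manage Report Templates"})],
}

# Permissions whose table entry says they widen data access implicitly.
BROAD_SCOPE = {
    "Manage Sites": "implicitly grants access to all sites",
    "Manage Tags": "implicitly grants access to all sites",
    "Manage Dynamic Asset Groups": "allows viewing all asset data in the organization",
}


def effective_permissions(granted):
    """Expand the granted set with what the console selects automatically."""
    perms = set(granted)
    if "Manage Sites" in perms:
        perms |= SITE_PERMISSIONS
    return perms


def check_role(granted, has_site_access=True):
    """Return (permission, finding) pairs; an empty list means the role is consistent."""
    perms = effective_permissions(granted)
    findings = []
    for perm in sorted(perms):
        alternatives = PREREQUISITES.get(perm)
        if alternatives and not any(alt <= perms for alt in alternatives):
            wanted = " or ".join(" + ".join(sorted(alt)) for alt in alternatives)
            findings.append((perm, f"missing prerequisite: {wanted}"))
        # Manage Static Asset Groups additionally needs access to at least one site.
        if perm == "Manage Static Asset Groups" and not has_site_access:
            findings.append((perm, "requires access to at least one site"))
        if perm in BROAD_SCOPE:
            findings.append((perm, f"{BROAD_SCOPE[perm]}; confirm this scope is intended"))
    return findings


# Constructed role definitions for illustration (not preset roles).
REMEDIATION_ROLE = {"Create Reports", "Submit Vulnerability Exceptions"}
WORKSTATION_ROLE = {"Create Reports", "Submit Vulnerability Exceptions",
                    "View Site Asset Data", "Start Unscheduled Scans"}

if __name__ == "__main__":
    for name, role in (("remediation", REMEDIATION_ROLE), ("workstation", WORKSTATION_ROLE)):
        print(name, check_role(role) or "OK")
```

The REMEDIATION_ROLE is the common mistake: report and exception permissions without either asset-viewing permission, so the user can neither create reports nor submit exceptions in practice. The check also surfaces that granting Manage Sites to a "site-scoped" role silently grants every site permission and access to all sites.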

List of roles

Global Administrator

The Global Administrator role differs from all other preset roles in several ways. It is not subject to site or asset group access. It includes all permissions available to any other preset or custom role. It also includes permissions that are not available to custom roles:

  • Manage all functions related to user accounts, roles, and permissions.
  • Manage Dynamic Discovery connections that allow you to pull assets from systems such as VMWare, AWS, DHCP, and Infoblox.
  • Manage configuration, maintenance, and diagnostic routines for the Security Console.
  • Manage shared scan credentials.

Security Manager and Site Owner

The Security Manager and Site Owner roles include the following permissions:

The only distinction between these two roles is the Security Manager's ability to work in accessible sites and asset groups. The Site Owner role, on the other hand, is confined to sites.

Asset Owner

The Asset Owner role includes the following permissions in accessible sites and asset groups:

User

Although “user” can refer generically to any owner of a Nexpose account, the name User, with an upper-case U, refers to one of the preset roles. It is the only role that does not include scanning permissions. It includes the following permissions in accessible sites and asset groups:

ControlsInsight User

This role provides complete access to ControlsInsight with no access to Nexpose.

Managing and creating user accounts

The Users links on the Administration page provide access to pages for creating and managing user accounts. Click manage next to Users to view the Users page. On this page, you can view a list of all accounts within your organization. The last logon date and time is displayed for each account, giving you the ability to monitor usage and delete accounts that are no longer in use.

To edit a user account:

  1. Click Edit for any listed account, and change its attributes. The application displays the User Configuration panel. The process for editing an account is the same as the process for creating a new user account. See Configure general user account attributes.

To delete an account and reassign reports:

  1. Click Delete for the account you want to remove. A dialog box appears asking you to confirm that you want to delete the account.
  2. Click Yes to delete the account. If that account has been used to create a report, the application displays a dialog box prompting you to reassign or delete the report in question. You can choose to delete a report that contains out-of-date information.
  3. Select an account from the drop-down list to reassign reports to.
  4. (Optional) Click Delete reports to remove these items from the database.
  5. Click OK to complete the reassignment or deletion.

Configure general user account attributes

You can specify attributes for general user accounts on the User Configuration panel.

To configure user account attributes:

  1. Click New User on the Users page.
  2. (Optional) Click Create next to Users on the Administration page. The Security Console displays the General page of the User Configuration panel.
  3. Enter all requested user information in the text fields.
  4. (Optional) Select the appropriate source from the drop-down list to authenticate the user with external sources. Before you can create externally authenticated user accounts you must define external authentication sources. See Using external sources for user authentication.
  5. Check the Account enabled check box. You can later disable the account without deleting it by clicking the check box again to remove the check mark.
  6. Click Save to save the new user information.

Assign a role and permissions to a user

Assigning a role and permissions to a new user allows you to control that user’s access to Security Console functions.

To assign a role and permissions to a new user:

  1. Go to the Roles page.
  2. Choose a role from the drop-down list. When you select a role, the Security Console displays a brief description of that role. If you choose one of the five default roles, the Security Console automatically selects the appropriate check boxes for that role. If you choose Custom Role, select the check box for each permission that you wish to grant the user.
  3. Click Save to save the new user information.

Give a user access to specific sites

A Global Administrator automatically has access to all sites. A security manager, site administrator, system administrator, or non-administrative user has access only to those sites granted by a global administrator.

To grant a user access to specific sites:

  1. Go to the Site Access page.
  2. (Optional) Click the appropriate radio button to give the user access to all sites.
  3. (Optional) Click the radio button for creating a custom list of accessible sites to give the user access to specific sites.
  4. Click Add Sites. The Security Console displays a box listing all sites within your organization.
  5. Click the check box for each site that you want the user to access.
  6. Click Save. The new site appears on the Site Access page.
  7. Click Save to save the new user information.

Give a user access to asset groups

A global administrator automatically has access to all asset groups. A site administrator user has no access to asset groups. A security manager, system administrator, or non-administrative user has access only to those asset groups granted by a global administrator.

To grant a user access to asset groups:

  1. Go to the Asset Group Access page.
  2. (Optional) Click the appropriate radio button to give the user access to all asset groups.
  3. (Optional) Click the radio button for creating a custom list of accessible asset groups to give the user access to specific asset groups.
  4. Click Add Groups. The Security Console displays a box listing all asset groups within your organization.
  5. Click the check box for each asset group that you want this user to access.
  6. Click Save. The new asset group appears on the Asset Group Access page.
  7. Click Save to save the new user information.

Using external sources for user authentication

You can integrate the Security Console with external authentication sources. If you use one of these sources, leveraging your existing infrastructure will make it easier for you to manage user accounts.

The application provides single-sign-on external authentication with the following sources:

  • LDAP (including Microsoft Active Directory): Active Directory (AD) is an LDAP-compatible Microsoft technology that automates centralized, secure management of an entire network's users, services, and resources. See Configuring LDAP authentication for instructions.
  • Kerberos: Kerberos is a secure authentication method that validates user credentials with encrypted keys and provides access to network services through a “ticket” system. See Configuring Kerberos authentication for instructions.
  • SAML 2.0: Security Assertion Markup Language version 2.0 is an XML-based protocol that authenticates users by way of statement packages (known as assertions) communicated between identity and service providers. See Configuring SAML 2.0 authentication for instructions.

The Security Console's Two Factor Authentication is not currently compatible with Active Directory (LDAP) and Kerberos authentication methods.

The application also continues to support its two internal user account stores:

  • XML file lists default “built-in” accounts. A Global Administrator can use a built-in account to log on to the application in maintenance mode to troubleshoot and restart the system when database failure or other issues prevent access for other users.
  • Datastore lists standard user accounts, which are created by a global administrator.

Setting a password policy

Global Administrators can customize the password policy in your Nexpose installation. One reason to do so is to configure it to correspond with your organization's particular password standards.

When you update a password policy, it will take effect for new users and when existing users change their passwords. Existing users will not be forced to change their passwords.

To customize a password policy:

  1. In the Security Console, go to the Administration page.
  2. Select password policy.
  3. Change the policy name.
  4. Select the desired parameters for the password requirements. If you do not want to enforce a maximum length, set the maximum length to 0.
  5. Click Save.

Once the password policy is set, it will be enforced on the User Configuration page.

As a new password is typed in, the items on the list of requirements turn from red to green as the password requirements are met.

If a user attempts to save a password that does not meet all the requirements, an error message will appear.
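The following Python snippet is an added example, not Nexpose code: it models the checklist behaviour described above (each requirement is reported as met or unmet, and a password saves only when all are met) and handles the one documented edge case, that a maximum length of 0 means no maximum is enforced rather than a limit of zero characters. The policy parameters other than maximum length (minimum length and the character-class requirements) are assumptions made for illustration; the product's actual parameters are set on the password policy page.

```python
"""Evaluate a candidate password against a password policy like the one
configured in the procedure above.

Added example, not Nexpose code. Parameters other than max_length are
assumed for illustration; max_length == 0 means "no maximum", as documented.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 12          # assumed parameter
    max_length: int = 0           # 0 = no maximum length enforced (documented rule)
    require_upper: bool = True    # assumed parameters follow
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True


def evaluate(policy, candidate):
    """Return an ordered {requirement: met} map, one entry per checklist item."""
    results = {f"at least {policy.min_length} characters": len(candidate) >= policy.min_length}
    # Only enforce a maximum when one is configured; a literal "<= 0" check
    # would reject every password, which is the opposite of what 0 means here.
    if policy.max_length > 0:
        results[f"at most {policy.max_length} characters"] = len(candidate) <= policy.max_length
    checks = [
        (policy.require_upper, "an upper-case letter", str.isupper),
        (policy.require_lower, "a lower-case letter", str.islower),
        (policy.require_digit, "a digit", str.isdigit),
        (policy.require_special, "a punctuation character", lambda c: c in string.punctuation),
    ]
    for enabled, label, test in checks:
        if enabled:
            results[label] = any(test(c) for c in candidate)
    return results


def unmet(policy, candidate):
    """Requirements still shown in red; an empty list means Save would succeed."""
    return [req for req, met in evaluate(policy, candidate).items() if not met]


if __name__ == "__main__":
    policy = PasswordPolicy(name="corporate")   # constructed policy
    for pw in ("short", "Tr0ub4dor&3xample"):
        print(repr(pw), unmet(policy, pw) or "all requirements met")
```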