6.2 Managing Groups

Framework users must be assigned to one or more groups with the appropriate roles defined before they can access any Framework consoles or perform any tasks.

6.2.1 Adding a Framework User Group

  1. Click Framework User Manager on the home page of the console.

  2. Click Create in the Groups task pane.

  3. Specify a name for the group in the Add New Group task pane.

  4. Click Create <group name>.

  5. To configure the group, continue with Modifying a Framework User Group.

6.2.2 Modifying a Framework User Group

Modifying a user group allows you to:

  • Add a comment describing the group

  • Add users and subgroups to the group

  • Define administrative roles for the group

  • Specify an audit manager for the group.

To modify a Framework user group:

  1. Click Framework User Manager on the home page of the console.

  2. In the Groups pane, select the group you want to modify.

  3. Click Edit in the Group Information task pane.

  4. (Optional) In the Comment field, enter a comment.

  5. In the Members section, select the users you want to be members of this group.

    You can also add a user to groups in the Groups section of the Edit User option, by dragging and dropping the user onto the group, or by dragging and dropping the group onto the user.

    You can remove users from the group by deselecting them here. See Removing a Framework User Group from a User for other methods.

  6. In the Sub Groups section, select the groups you want to be subgroups of this group.

    You can also add subgroups to groups by dragging and dropping the group onto the main group.

  7. In the Roles section, configure the roles you require for this group of users according to the consoles you want them to be able to access and the tasks you want them to be able to perform. You must assign at least one role. See Configuring Roles for more details.

  8. In the Audit Manager section, specify the details of the group’s manager.

  9. In the Secondary Authentication section, select the Bypass Secondary Authentication option if you have enabled secondary authentication for the Administration Console and want this group to bypass it. See Enabling Advanced Authentication for Administration Console for more details.

  10. In the LDAP Group Maps section, add the Microsoft Active Directory, NetIQ eDirectory, and OpenLDAP groups.

    NOTE: To configure LDAP Group Maps, first go to Account Settings and select the Authentication Domain.

    See Assigning Framework Roles for LDAP Users for more details.

  11. Click Update.

6.2.3 Configuring a Help Desk Group

The help desk role restricts the group to a predefined subset of user attributes, which you select on the Account Settings page; users assigned to the help desk group can manage only that subset of attributes.

To set up a help desk group:

  1. Configure the attributes:

    1. Click Framework User Manager on the home page of the console.

    2. Click Account Settings in the Users task pane.

    3. Configure the Helpdesk Attributes.

      For information about these attributes, see Configuring Account Settings.

    4. Click Finish.

  2. Create the group:

    1. Click Create in the Groups task pane.

    2. Specify a name for the group, then click Create <group name>.

    3. Select the group you just created, then click Edit.

    4. In the Members option, select the users that you want to belong to the help desk group.

    5. In the Roles option, click Add, then add the following roles:

      Module | Role
      -------|---------
      auth   | console
      auth   | read
      auth   | helpdesk

  3. Click Update.

6.2.4 Configuring Roles

When you create a new Framework user group, you must assign at least one role to the group to allow the users in the group to access one or more Framework modules and perform tasks.

To allow access to all modules and tasks, you can define a role with Module set to * and Role set to *. This is how the default admin group containing the default admin user is initially configured.

To allow access only to specific modules and tasks, use the Modify Group option (see Modifying a Framework User Group) and define one or more roles according to the tables below:

Access Dashboard Roles

The following roles can be assigned to control access to the Access Dashboard console. Select from the following roles when you are creating a group to manage the Access Dashboard.

Module | Role | Allows users to
-------|------|----------------
userreqdashboard | console | View the Access Dashboard console.
userreqdashboard | admin | View and update emergency access and credential checkout requests.
userreqdashboard | * | Perform all roles.

Reporting Roles

The following roles can be assigned to the auditing module in order to control access to the Reporting console. Select from these roles when you are setting up a group to manage the command control reports.

Module | Role | Allows users to
-------|------|----------------
audit | console | View the Reporting console.
audit | read | Read the audit database. You must use the console role along with the read role to view the Reporting console and its content.
audit | admin | Modify reporting settings.
audit | command | View Command Control reports.
audit | logon | View Account Logon reports.
audit | * | Perform all roles.
audit | write | Create new audit reports and adjust filter settings.
audit | report | Access reports with the report defined roles.
audit | <report defined> | Read and update the reports defined in the General tab of the Reporting console. This role is only useful when used in conjunction with the report role.

You can use these Audit Report roles to create the following types of audit managers:

  • Administrator: To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following roles for the audit module:

    • admin
    • write
    • read
    • command
    • console

  • Manager: To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following roles for the audit module:

    • write
    • read
    • command
    • console

  • User: To allow the group to read and update a specific report, the group needs to be assigned the following roles for the audit module:

    • command
    • console
    • report
    • <report defined read>
    • <report defined update>

    If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report’s filter, its name, and its description.

    Each report allows you to specify a read role and an update role. You need to remember those names and manually enter them here. The console does not provide any error checking, so you need to make sure to enter the correct name. For information on how to enable a report for a role, see Modifying General Report Information.

Command Control Roles

The following roles can be assigned to the command control module in order to control access to the Command Control console. Select from the following roles when you are creating a group that you want to manage and test the rules in the command control database.

Module | Role | Allows users to
-------|------|----------------
cmdctrl | console | View the Command Control console.
cmdctrl | read | View the Command Control console content and run test suites. You must use the console role along with the read role to view the Command Control console and its content.
cmdctrl | write | Modify the command control database. Users with this role cannot cancel other users’ transactions or modify audit or transaction settings. Must be used in conjunction with the cmdctrl read role.
cmdctrl | admin | Modify the Command Control database, including canceling other users’ transactions and modifying audit and transaction settings.
cmdctrl | * | Perform all roles.
auth | read | Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin roles.
prvcrdvlt | read | Configure the resources and credentials in the command control rules.

Compliance Auditor Roles

The following roles can be assigned to the compliance auditing module in order to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read roles to the auditing and authentication modules.

Module | Role | Allows users to
-------|------|----------------
secaudit | console | View the Compliance Auditor console.
secaudit | audit | View and edit records.
secaudit | admin | Add and modify audit rules.
secaudit | * | Perform the console, audit, and admin roles.
secaudit | <audit role name> | Access the records collected by audit rules with this role defined in the Audit Role field on the Modify Audit Rule page. You can choose your own name for the role. See Adding or Modifying an Audit Rule for details about configuring audit rules.
audit | read | View a keystroke replay.
auth | read | Extract user credentials, including name and e-mail address, from the auth database for use with reports.

Credential Vault Roles

The following roles can be assigned to the credential vault module in order to control access to the Credential Vault console. Select from the following roles when you are creating a group to manage the Credential Vault.

Module | Role | Allows users to
-------|------|----------------
prvcrdvlt | console | View the Credential Vault console.
prvcrdvlt | read | View the resources and credentials in Credential Vault. You must use the console role along with the read role to view the Credential Vault console and its content.
prvcrdvlt | write | Add and modify the resources and credentials in Credential Vault. Must be used in conjunction with the prvcrdvlt read role.
prvcrdvlt | admin | View, add, and modify the domains and credentials in Credential Vault.
prvcrdvlt | * | Perform all roles.

Framework User Manager Roles

The following roles can be assigned to the authentication module in order to control access to the Framework User Manager console. Select from these roles when you are setting up a group to manage Framework Manager users and groups.

Module | Role | Allows users to
-------|------|----------------
auth | console | View the Framework User Manager console.
auth | act_settings | Modify account settings.
auth | admin | Add or delete users and groups, and assign users to groups.
auth | helpdesk | Modify the user account settings. To change which attributes are available for modification, see Configuring Account Settings. For information on how to use this role to create a Help Desk group that can manage user passwords, see Configuring a Help Desk Group.
auth | read | Read the auth database. You must use the console role along with the read role to view the Framework User Manager and its content. This role must be used with all other auth roles.
auth | role_admin | Add or remove roles.
auth | super | View and modify superusers, and view and modify groups with the super role defined.
auth | api_token | Generate API tokens.
auth | * | Perform all roles.

Hosts Roles

The following roles can be assigned to the host module in order to control access to the Hosts console. Select from the following roles when creating a group to manage the hosts.

Module | Role | Allows users to
-------|------|----------------
unifi | console | View the Hosts console.
unifi | info | Run the host status check by using the command line interface. You must type the word info because it is not available in the drop-down list.
unifi | admin | View the Hosts console and perform administrative actions.

Package Manager Roles

The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged Account Manager, select the following:

Module | Role | Allows users to
-------|------|----------------
pkgman | console | View the Package Manager console.
pkgman | admin | View, add, update, or remove packages.

Distribution Roles

The following roles can be assigned to the distribution module in order to restrict the installation and deployment of certain packages.

Module | Role | Allows users to
-------|------|----------------
distrib | acl | Restricts deployment of packages to specified modules.
distrib | Module:rexec | Install or patch the Command Control Agent (rexec).
distrib | Module:distrib | Install or patch the Distribution Agent (distrib).
distrib | Module:regclnt | Install or patch the Registry Agent (regclnt).
distrib | Module:strfwd | Install or patch the Store and Forward Agent (strfwd).
distrib | Module:sysinfo | Install or patch the System Information Agent (sysinfo).

Any other package can be allowed in the same way, by adding a role of the form Module:<desired-package-name>.
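
Because the console does no error checking on role names, it helps to check a planned role set before saving the group. The following script is an added example, not part of Privileged Account Manager: it encodes the co-requisite rules stated in the tables above (console needs read in the audit, cmdctrl and prvcrdvlt modules; write needs read; auth read accompanies every other auth role; a <report defined> role needs report) and classifies the audit manager type a group's audit roles amount to. Module and role names are the ones listed in this section; the sample group at the bottom is constructed.

```python
# Added example: validate a group's (module, role) pairs against the
# co-requisite rules in the role tables of this section.
KNOWN_AUDIT_ROLES = {"console", "read", "admin", "command", "logon",
                     "write", "report", "*"}

# (module, role) -> roles in the same module that the tables say it needs.
COREQUISITES = {
    ("audit", "console"): {"read"},
    ("cmdctrl", "console"): {"read"},
    ("cmdctrl", "write"): {"read"},
    ("prvcrdvlt", "console"): {"read"},
    ("prvcrdvlt", "write"): {"read"},
}


def check_roles(roles):
    """roles: iterable of (module, role) pairs as entered in the Roles section.
    Returns a sorted list of violations; an empty list means the set is consistent."""
    granted = {}
    for module, role in roles:
        granted.setdefault(module, set()).add(role)
    if not granted:
        return ["at least one role must be assigned"]
    if "*" in granted.get("*", set()):
        return []  # Module * / Role *: the default admin configuration, nothing missing
    problems = []
    for module, names in granted.items():
        if "*" in names:
            continue  # a wildcard role within a module covers its co-requisites
        for role in sorted(names):
            for needed in COREQUISITES.get((module, role), ()):
                if needed not in names:
                    problems.append(f"{module} {role} requires {module} {needed}")
        if module == "auth" and "read" not in names:  # read goes with all other auth roles
            problems.append("auth read must be assigned with all other auth roles")
        if module == "audit" and "report" not in names:  # custom names are <report defined>
            for custom in sorted(names - KNOWN_AUDIT_ROLES):
                problems.append(f"audit {custom} is a report-defined role and requires audit report")
    return sorted(problems)


def audit_manager_type(roles):
    """Which of the Administrator / Manager / User audit manager types the audit roles form."""
    audit = {r for m, r in roles if m == "audit"}
    if "*" in audit or {"admin", "write", "read", "command", "console"} <= audit:
        return "Administrator"
    if {"write", "read", "command", "console"} <= audit:
        return "Manager"
    if {"command", "console", "report"} <= audit and audit - KNOWN_AUDIT_ROLES:
        return "User"
    return None


if __name__ == "__main__":
    # constructed sample: the help desk group from Configuring a Help Desk Group
    print(check_roles([("auth", "console"), ("auth", "read"), ("auth", "helpdesk")]))  # []
```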

6.2.5 Deleting a Framework User Group

  1. Click Framework User Manager on the home page of the console.

  2. In the Groups pane, select the group you want to delete.

  3. Click Delete in the Group Information task pane.

  4. Click Finish to confirm the deletion.