Framework users must be assigned to one or more groups with the appropriate roles defined before they can access any Framework consoles or perform any tasks.
1. Click Framework User Manager on the home page of the console.
2. Click Create in the Groups task pane.
3. Specify a name for the group in the Add New Group task pane.
4. Click Create <group name>.
To configure the group, continue with Modifying a Framework User Group.
Modifying a user group allows you to:

- Add a comment describing the group
- Add users and subgroups to the group
- Define administrative roles for the group
- Specify an audit manager for the group
To modify a Framework user group:

1. Click Framework User Manager on the home page of the console.
2. In the Groups pane, select the group you want to modify.
3. Click Edit in the Group Information task pane.
4. (Optional) In the Comment field, enter a comment.
5. In the Members section, select the users you want to be members of this group.
   - You can also add a user to groups in the Groups section of the Edit User option, by dragging and dropping the user onto the group, or by dragging and dropping the group onto the user.
   - You can remove users from the group by deselecting them here. See Removing a Framework User Group from a User for other methods.
6. In the Sub Groups section, select the groups you want to be subgroups of this group.
   - You can also add subgroups to groups by dragging and dropping the group onto the main group.
7. In the Roles section, configure the roles you require for this group of users according to the consoles you want them to be able to access and the tasks you want them to be able to perform. You must assign at least one role. See Configuring Roles for more details.
8. In the Audit Manager section, specify the details of the group's manager.
9. In the Secondary Authentication section, select the Bypass Secondary Authentication option if you have enabled secondary authentication for the Administration Console and want to bypass it for this group. See Enabling Advanced Authentication for Administration Console for more details.
10. In the LDAP Group Maps section, add the Microsoft Active Directory, NetIQ eDirectory, and OpenLDAP groups.

    NOTE: To configure LDAP Group Maps, first go to Account Settings and select the Authentication Domain.

    See Assigning Framework Roles for LDAP Users for more details.
11. Click Update.
The help desk role works together with a predefined set of attributes configured on the Account Settings page, so that users assigned to the help desk group can manage only that subset of user attributes.
To set up a help desk group:

1. Configure the attributes:
   1. Click Framework User Manager on the home page of the console.
   2. Click Account Settings in the Users task pane.
   3. Configure the Helpdesk Attributes. For information about these attributes, see Configuring Account Settings.
   4. Click Finish.
2. Create the group:
   1. Click Create in the Groups task pane.
   2. Specify a name for the group, then click Create <group name>.
   3. Select the group you just created, then click Edit.
   4. In the Members option, select the users that you want to belong to the help desk group.
   5. In the Roles option, click Add, then add the following roles:

      | Module | Role |
      |---|---|
      | auth | console |
      | auth | read |
      | auth | helpdesk |

   6. Click Update.
When you create a new Framework user group, you must assign at least one role to the group to allow the users in the group to access one or more Framework modules and perform tasks.
To allow access to all modules and tasks, you can define a role with Module set to * and Role set to *. This is how the default admin group containing the default admin user is initially configured.
To allow access only to specific modules and tasks, use the Modify Group option (see Modifying a Framework User Group) and define one or more roles according to the tables below:
The following roles can be assigned to control access to the Access Dashboard console. Select from the following roles when you are creating a group to manage the Access Dashboard.
| Module | Role | Allows users to |
|---|---|---|
| userreqdashboard | console | View the Access Dashboard console. |
| userreqdashboard | admin | View and update emergency access and credential checkout requests. |
| userreqdashboard | * | Perform all roles. |
The following roles can be assigned to the auditing module in order to control access to the Reporting console. Select from these roles when you are setting up a group to manage the command control reports.
| Module | Role | Allows users to |
|---|---|---|
| audit | console | View the Reporting console. |
| audit | read | Read the audit database. You must use the console role along with the read role to view the Reporting console and its content. |
| audit | admin | Modify reporting settings. |
| audit | command | View Command Control reports. |
| audit | logon | View Account Logon reports. |
| audit | * | Perform all roles. |
| audit | write | Create new audit reports and adjust filter settings. |
| audit | report | Access reports with the report-defined roles. |
| audit | <report defined> | Read and update the reports defined in the General tab of the Reporting console. This role is only useful when used in conjunction with the report role. |
You can use these Audit Report roles to create the following types of audit managers:
Administrator: To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following roles for the audit module:
Manager: To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following roles for the audit module:
User: To allow the group to read and update a specific report, the group needs to be assigned the following roles for the audit module:
If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report's filter, its name, and its description.
Each report allows you to specify a read role and an update role. You need to remember those names and manually enter them here. The console does not provide any error checking, so you need to make sure to enter the correct name. For information on how to enable a report for a role, see Modifying General Report Information.
The following roles can be assigned to the command control module in order to control access to the Command Control console. Select from the following roles when you are creating a group that you want to manage and test the rules in the command control database.
| Module | Role | Allows users to |
|---|---|---|
| cmdctrl | console | View the Command Control console. |
| cmdctrl | read | View the Command Control console content and run test suites. You must use the console role along with the read role to view the Command Control console and its content. |
| cmdctrl | write | Modify the command control database. Users with this role cannot cancel other users' transactions or modify audit or transaction settings. Must be used in conjunction with the cmdctrl read role. |
| cmdctrl | admin | Modify the Command Control database, including canceling other users' transactions and modifying audit and transaction settings. |
| cmdctrl | * | Perform all roles. |
| auth | read | Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin roles. |
| prvcrdvlt | read | Configure the resources and credentials in the command control rules. |
The following roles can be assigned to the compliance auditing module in order to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read roles to the auditing and authentication modules.
| Module | Role | Allows users to |
|---|---|---|
| secaudit | console | View the Compliance Auditor console. |
| secaudit | audit | View and edit records. |
| secaudit | admin | Add and modify audit rules. |
| secaudit | * | Perform the console, audit, and admin roles. |
| secaudit | <audit role name> | Access the records collected by audit rules that have this role defined in the Audit Role field on the Modify Audit Rule page. You can choose your own name for the role. See Adding or Modifying an Audit Rule for details about configuring audit rules. |
| audit | read | View a keystroke replay. |
| auth | read | Extract user credentials, including name and e-mail address, from the auth database for use with reports. |
The following roles can be assigned to the credential vault module in order to control access to the Credential Vault console. Select from the following roles when you are creating a group to manage the Credential Vault.
| Module | Role | Allows users to |
|---|---|---|
| prvcrdvlt | console | View the Credential Vault console. |
| prvcrdvlt | read | View the resources and credentials in Credential Vault. You must use the console role along with the read role to view the Credential Vault console and its content. |
| prvcrdvlt | write | Add and modify the resources and credentials in Credential Vault. Must be used in conjunction with the prvcrdvlt read role. |
| prvcrdvlt | admin | View, add, and modify the domains and credentials in Credential Vault. |
| prvcrdvlt | * | Perform all roles. |
The following roles can be assigned to the authentication module in order to control access to the Framework User Manager console. Select from these roles when you are setting up a group to manage Framework Manager users and groups.
| Module | Role | Allows users to |
|---|---|---|
| auth | console | View the Framework User Manager console. |
| auth | act_settings | Modify account settings. |
| auth | admin | Add or delete users and groups, and assign users to groups. |
| auth | helpdesk | Modify the user account settings. To change which attributes are available for modification, see Configuring Account Settings. For information on how to use this role to create a Help Desk group that can manage user passwords, see Configuring a Help Desk Group. |
| auth | read | Read the auth database. You must use the console role along with the read role to view the Framework User Manager and its content. This role must be used with all other auth roles. |
| auth | role_admin | Add or remove roles. |
| auth | super | View and modify superusers, and view and modify groups with the super role defined. |
| auth | api_token | Generate API tokens. |
| auth | * | Perform all roles. |
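Several rows in the tables above state dependencies between roles: the audit, cmdctrl, prvcrdvlt and auth console roles only show content together with the matching read role; cmdctrl write and prvcrdvlt write must be used with read; auth read must accompany every other auth role; compliance auditing also needs audit read and auth read; and a <report defined> role only works with the report role. The Help Desk procedure earlier on this page likewise assigns exactly three roles. Because the console does no error checking on role names, these rules can be verified mechanically before you click Update. The following Python script is an added example written for this page, not part of Privileged Account Manager: the module and role names come from the tables, the group definitions it checks are constructed, and treating any unrecognised audit role name as a <report defined> role is an assumption made here.

```python
"""Sanity-check a Framework user group's role list against the dependency rules
given in the role tables on this page. Added example, not product code."""

from __future__ import annotations

Role = tuple[str, str]  # (module, role) exactly as entered in the Roles section

# Dependencies stated in the tables. A key (module, role) is only useful when
# every (module, role) in its value set is also assigned. A key role of "*"
# means "every role of that module other than read itself".
REQUIRES: dict[Role, frozenset[Role]] = {
    ("audit", "console"): frozenset({("audit", "read")}),
    ("cmdctrl", "console"): frozenset({("cmdctrl", "read")}),
    ("cmdctrl", "write"): frozenset({("cmdctrl", "read")}),
    ("prvcrdvlt", "console"): frozenset({("prvcrdvlt", "read")}),
    ("prvcrdvlt", "write"): frozenset({("prvcrdvlt", "read")}),
    # auth table: read "must be used with all other auth roles".
    ("auth", "*"): frozenset({("auth", "read")}),
    # Compliance auditing also needs read roles on the auditing and auth modules.
    ("secaudit", "*"): frozenset({("audit", "read"), ("auth", "read")}),
}

# Fixed role names in the audit table; any other audit role name is taken to be
# a <report defined> role (assumption made for this example).
KNOWN_AUDIT_ROLES = frozenset(
    {"console", "read", "admin", "command", "logon", "*", "write", "report"}
)

# The three roles the help desk procedure on this page assigns.
HELPDESK_ROLES: frozenset[Role] = frozenset(
    {("auth", "console"), ("auth", "read"), ("auth", "helpdesk")}
)


def grants(assigned: set[Role], wanted: Role) -> bool:
    """True if the assignment covers `wanted`, honouring the * wildcards:
    ("*", "*") grants everything and (module, "*") grants all of that module."""
    module, _ = wanted
    return wanted in assigned or ("*", "*") in assigned or (module, "*") in assigned


def missing_dependencies(assigned: set[Role]) -> list[tuple[Role, Role]]:
    """Return (role, unmet prerequisite) pairs, sorted, for the whole group."""
    problems: list[tuple[Role, Role]] = []
    for module, role in sorted(assigned):
        # Collect the exact rule and the module-wide "*" rule, if either exists.
        rules = {k: REQUIRES[k] for k in {(module, role), (module, "*")} if k in REQUIRES}
        if module == "audit" and role not in KNOWN_AUDIT_ROLES:
            # <report defined> roles only work together with the report role.
            rules[(module, role)] = frozenset({("audit", "report")})
        for key, prereqs in sorted(rules.items()):
            if key[1] == "*" and role == "read":
                continue  # read is the prerequisite, not a dependant
            for prereq in sorted(prereqs):
                if not grants(assigned, prereq):
                    problems.append(((module, role), prereq))
    return problems


def helpdesk_gaps(assigned: set[Role]) -> tuple[set[Role], set[Role]]:
    """(missing, excess) relative to the documented help desk role set.

    Anything beyond the three roles, wildcards included, is reported as excess
    so that a help desk group stays limited to the Helpdesk Attributes."""
    return HELPDESK_ROLES - set(assigned), set(assigned) - HELPDESK_ROLES


if __name__ == "__main__":
    # Constructed sample groups for demonstration only.
    groups = {
        "cc-operators": {("cmdctrl", "console"), ("cmdctrl", "write")},
        "helpdesk": {("auth", "console"), ("auth", "read"), ("auth", "admin")},
        "admin": {("*", "*")},
    }
    for name, roles in groups.items():
        for (mod, role), (pmod, prole) in missing_dependencies(roles):
            print(f"{name}: {mod} {role} also needs {pmod} {prole}")
    missing, excess = helpdesk_gaps(groups["helpdesk"])
    print(f"helpdesk: missing {sorted(missing)}, excess {sorted(excess)}")
```

Run as a script, it reports that the constructed cc-operators group lacks cmdctrl read for both of its roles, that the admin group (Module * / Role *) has no unmet dependencies, and that the constructed help desk group is missing auth helpdesk while carrying auth admin, which grants user and group administration far beyond the Helpdesk Attributes.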
The following roles can be assigned to the host module in order to control access to the Hosts console. Select from the following roles when creating a group to manage the hosts.
| Module | Role | Allows users to |
|---|---|---|
| unifi | console | View the Hosts console. |
| unifi | info | Run the host status check by using the command line interface. You must type the word info because it is not available in the drop-down list. |
| unifi | admin | View the Hosts console and perform administrative actions. |
The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged Account Manager, select the following:
| Module | Role | Allows users to |
|---|---|---|
| pkgman | console | View the Package Manager console. |
| pkgman | admin | View, add, update, or remove packages. |
The following roles can be assigned to the distribution module in order to restrict the installation and deployment of certain packages.
| Module | Role | Allows users to |
|---|---|---|
| distrib | acl | Restricts deployment of packages to specified modules. |
| distrib | Module:rexec | Install or patch the Command Control Agent (rexec). |
| distrib | Module:distrib | Install or patch the Distribution Agent (distrib). |
| distrib | Module:regclnt | Install or patch the Registry Agent (regclnt). |
| distrib | Module:strfwd | Install or patch the Store and Forward Agent (strfwd). |
| distrib | Module:sysinfo | Install or patch the System Information Agent (sysinfo). |

Any other module can be allowed in the same way, by adding a role of the form Module:<desired-package-name> as shown in the rows above.
To delete a Framework user group:

1. Click Framework User Manager on the home page of the console.
2. In the Groups pane, select the group you want to delete.
3. Click Delete in the Group Information task pane.
4. Click Finish to confirm the deletion.