Manage Roles and Permissions
Basic Concepts
Roles
A role is a specific configuration of permissions that you apply to one or more user accounts. A user account is authorized to view or modify certain resources in the console depending on the role you assign to it.
A user account can have only one role assigned. However, you can assign a role to more than one user account.
A role consists of these elements:
- Role name: This is purely for identification. You assign the role name when you create the role.
- Visibility: Restricts the account to a subset of the computers on the network.
- Permission set: Determines the specific actions that the user account can take on the computers that its visibility makes accessible.
Why are Roles Necessary?
In a small SOC, all technicians typically access the console with the Full Control role and no restrictions. In mid-sized or large MSSPs/MDR vendors with large networks and many clients to manage, however, access to computers usually has to be organized or segmented under two criteria:
The Number of Computers to Manage
MSSPs/MDR vendors with a large computer infrastructure to scan might need to sort it by client and assign computers to analysts to share the workload and improve response time. In that case, each analyst researches only the computers belonging to a specific group of clients.
Another option is taking client priority into account, grouping them by importance and assigning them to teams of different sizes or skill sets.
The Knowledge or Expertise of the Technician
Analyst teams at MSSPs/MDR vendors are usually divided into three tiers, which distributes the analysis workload and prevents bottlenecks. Depending on their skills, each analyst belongs to one tier or another and has access to some console resources and not others, according to their tasks and responsibilities.
These two criteria can overlap, giving rise to a combination of settings profiles that are highly flexible and easy to set up and maintain. This also makes it easy to define the functions of the console for each analyst, depending on the user account with which they access the system.
Full Control Role
Every Cytomic Orion license includes the Full Control role. The default account has this role assigned, which enables it to take every action available in the console.
You cannot edit or delete the Full Control role. You can assign this role to any user account through the analysis console.
Permission
A permission controls access to a specific section of the management console. There are different types of permissions that provide access to many features included in the Cytomic Orion console. A specific configuration of all available permissions makes up a role, which you can assign to one or more user accounts.
Visibility
Each user account can manage the security of only a subset of the computers added to the Cytomic Orion console. That subset is the account's visibility.
Create and Configure Roles
In the top menu, select Settings. In the left panel, select Users. Select the Roles tab to perform all necessary actions to create and edit a role:
Create a Role
- In the top menu, select Settings. In the left panel, select Users. Select the Roles tab. A page opens that shows a list of all created roles.
- Click Add. The Add role page opens.
- In the Name text box, type a name for the role. In the Description text box, type a description of the role (optional).
- Enable or disable the relevant permissions.
- Click Add.
Limitations When You Create Users and Roles
To prevent privilege escalation, users with the Manage users, permissions, and clients permission have these limitations when they create new roles or assign roles to existing users:
- A user account can create only new roles with the same or lower permissions than its own.
- In existing roles, a user account can edit only the permissions that it holds itself. All other permissions remain disabled and cannot be changed.
- A user account can assign only roles with the same or lower permissions than its own.
- A user account can copy only roles with the same or lower permissions than its own.
Delete a Role
- In the top menu, select Settings. In the left panel, select Users.
- Select the Roles tab. A list appears that shows all created roles.
- Click the delete icon for the role. If the role you are trying to delete has user accounts assigned, the delete operation is canceled.
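The escalation limits described under "Limitations When You Create Users and Roles" and the delete check in this section are both simple tests on permission sets: a manager may only ever create, copy, assign or edit toward permissions it already holds, and a role still assigned to an account cannot be removed. The following Python model is an added example, not Cytomic Orion code; the permission names, the Role and User classes, the RoleStore methods and the demo walk-through are all assumptions made for illustration.

```python
"""Model of the role-management limits on this page (added illustration,
not Cytomic Orion code). Permission names, the Role/User classes and the
check functions are assumptions made for the example."""
from dataclasses import dataclass

# Constructed permission names; the real console's list is different.
MANAGE_USERS = "Manage users, permissions, and clients"
ALL_PERMISSIONS = frozenset({MANAGE_USERS, "View investigations",
                             "Run investigations", "Isolate computers"})


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # subset of ALL_PERMISSIONS


@dataclass
class User:
    name: str
    role_name: str  # a user account has exactly one role


FULL_CONTROL = Role("Full Control", ALL_PERMISSIONS)


class RoleStore:
    """In-memory stand-in for the console's role and user tables."""

    def __init__(self):
        self.roles = {FULL_CONTROL.name: FULL_CONTROL}
        self.users = {}

    def _manager_perms(self, actor):
        perms = self.roles[actor.role_name].permissions
        if MANAGE_USERS not in perms:
            raise PermissionError(f"{actor.name} cannot manage roles")
        return perms

    def create_role(self, actor, name, permissions):
        permissions = frozenset(permissions)
        # Escalation guard: never grant a permission the actor lacks.
        if not permissions <= self._manager_perms(actor):
            raise PermissionError("requested permissions exceed your own")
        self.roles[name] = Role(name, permissions)
        return self.roles[name]

    def copy_role(self, actor, source_name, new_name):
        # A copy carries the source's permissions, so the same bound applies.
        return self.create_role(actor, new_name,
                                self.roles[source_name].permissions)

    def assign_role(self, actor, user, role_name):
        if not self.roles[role_name].permissions <= self._manager_perms(actor):
            raise PermissionError("cannot assign a role above your own")
        user.role_name = role_name
        self.users[user.name] = user

    def edit_role(self, actor, role_name, enable=(), disable=()):
        if role_name == FULL_CONTROL.name:
            raise PermissionError("Full Control cannot be edited")
        # Only permissions the actor itself holds can be toggled; every other
        # permission of the role stays exactly as it was.
        touched = frozenset(enable) | frozenset(disable)
        if not touched <= self._manager_perms(actor):
            raise PermissionError("you can only change permissions you hold")
        current = self.roles[role_name].permissions
        self.roles[role_name] = Role(
            role_name, (current | frozenset(enable)) - frozenset(disable))
        return self.roles[role_name]

    def delete_role(self, actor, role_name):
        self._manager_perms(actor)
        if role_name == FULL_CONTROL.name:
            raise PermissionError("Full Control cannot be deleted")
        # Deletion is cancelled while any user account still has the role.
        if any(u.role_name == role_name for u in self.users.values()):
            return False
        del self.roles[role_name]
        return True


def demo():
    """Exercise the limits with a restricted manager; returns the outcomes."""
    store = RoleStore()
    admin = User("admin", FULL_CONTROL.name)
    store.users[admin.name] = admin
    store.create_role(admin, "Tier 1 lead", {MANAGE_USERS, "View investigations"})
    lead = User("lead", "Tier 1 lead")
    store.assign_role(admin, lead, "Tier 1 lead")
    out = {}
    # Within bounds: a role with a subset of the lead's own permissions.
    store.create_role(lead, "Tier 1 analyst", {"View investigations"})
    out["create_within"] = "Tier 1 analyst" in store.roles
    # Above bounds: the lead cannot hand out a permission it lacks.
    try:
        store.create_role(lead, "Responder", {"Isolate computers"})
        out["create_above"] = True
    except PermissionError:
        out["create_above"] = False
    store.assign_role(admin, User("alice", ""), "Tier 1 analyst")
    out["delete_in_use"] = store.delete_role(admin, "Tier 1 analyst")
    store.create_role(admin, "Scratch", set())
    out["delete_unused"] = store.delete_role(admin, "Scratch")
    return out
```

The subset test (`permissions <= actor_permissions`) is the whole guard: because every create, copy, assign and edit path runs through it, a chain of delegated managers can only ever narrow permissions, never widen them back toward Full Control.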
Copy a Role
- In the top menu, select Settings. In the left panel, select Users.
- Select the Roles tab. A list appears that shows all created roles.
- Click the copy icon for the role. The Copy role page opens. This page shows the settings of the copied role.
- Edit the role settings. Click Save.
Edit a Role
- In the top menu, select Settings. In the left panel, select Users.
- Select the Roles tab. A list appears that shows all created roles.
- Click the role you want to edit. The Edit role page opens.
- Edit the role settings. Click Save.