Document Version: 1.3

Date: 2020-07-08


Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

This document describes how to create and manage user access and user roles in the Outpost24 Portal.

IAM

To navigate to this section, 

  1. Log in to OUTSCAN / HIAB
  2. Go to Main Menu > Portal
  3. Click the Account icon in the upper right corner
  4. Select IAM

USERS

The Users view presents a high-level overview of the users, along with the roles and resource groups they have access to. To add users, refer to Create Users.

The available details are: 

Option            Description
Name              Displays the name of the user.
Tags              Displays the tags added to that user.
Roles             Displays the roles assigned to that user.
Resource groups   Displays the resource groups assigned to that user.


Select one or more users to view the possible actions on the bottom bar.

  1. Add Tags
  2. Remove Tags
  3. Assign Roles
  4. Assign Resource groups 

For more information about adding or removing Tags, refer to Common Settings.

Assign Role

To assign a role to a user, 

  1. Click on the Assign Roles icon displayed on the bottom bar. 

     

  2. Select the required roles and click ASSIGN
  3. The newly assigned roles are shown under the USERS view. 

Assign Resource Group 

To assign a resource group to a user, 

  1. Click on the Assign resource groups icon displayed on the bottom bar. 



  2. Select the required resource groups and click ASSIGN
  3. The newly assigned resource groups are shown under the USERS view. 

OUTSCAN Super Users and Sub Users in the Portal

If a Super user or Sub user is created in OUTSCAN, they cannot access configurations and other tabs in the Appsec portal. In the new UI and REST API there is no concept of superuser. If a user should have access to everything, they must be granted the default role Admin and the default resource group All Resources, or some other custom roles/resource groups giving them the equivalent access rights. By default, all users that are created have no roles or resource groups set and need IAM roles/resource groups granted to access things.

To use the portal, follow the information below:

  1. Log in to OUTSCAN / HIAB with a main user.
  2. Go to Main Menu > Portal.
  3. Click the Account icon in the upper right corner.
  4. Select IAM (Identity Access Management).
  5. Select the user who needs to be granted access.
  6. Select the role as Admin and resource group as All Resources.


ROLES 

This view presents the detailed information about the permissions to access different modules for the available roles. 


Note

Built-in indicates predefined roles in the system. These roles cannot be deleted or modified, so the Edit and Delete actions are not available for them.

Add Role

To add a role,

  1. Click on the +Add role button located on the bottom right of the window. It opens the below dialog:

  2. Provide a name for the role.
  3. Under each category, different permission levels are listed.  

    Option            Description
    Deny              Not visible to the user assigned with that role.
    View              Allows the user to only view.
    View and manage   Allows the users to view, add, edit, and delete the associated item.
    Manage            Allows the user to edit or delete the associated item.
    Submit            Allows the user to submit for scoping.
  4. Select the necessary permission level to grant for that role.
  5. After adding all permissions, click ADD.

The newly added role is shown in the ROLES view. 

The roles added by the user can be customized or deleted. Select a role and click on the respective icon to edit or delete it.

When multiple roles are assigned to a user, the user is given the highest level of capabilities granted to any role to which they are assigned. For example, if a user is assigned to the role "Admin" which has the most capabilities, and also to a role "Operator" with a different set of capabilities, the user will have the capabilities of both roles.
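
The merge rule above, modelled as an added example (not Outpost24 code): each permission level maps to the actions the Add Role table lists for it, and a user's effective capabilities are the union across assigned roles, so a Deny in one role does not cancel a grant from another. The role names, the category names "assets" and "scans", and the function names are assumptions made for illustration.

```python
# Added illustration; not Outpost24 code. Category names are assumed.
# Actions per permission level, as described in the Add Role table.
LEVEL_ACTIONS = {
    "Deny": frozenset(),
    "View": frozenset({"view"}),
    "View and manage": frozenset({"view", "add", "edit", "delete"}),
    "Manage": frozenset({"edit", "delete"}),
    "Submit": frozenset({"submit"}),
}

def effective_capabilities(roles):
    """Union of actions per category over every role assigned to a user."""
    merged = {}
    for role in roles:
        for category, level in role["permissions"].items():
            merged.setdefault(category, set()).update(LEVEL_ACTIONS[level])
    return merged

def overridden_denies(roles):
    """Return (role, category) pairs whose Deny is outweighed by another role."""
    merged = effective_capabilities(roles)
    return sorted(
        (role["name"], category)
        for role in roles
        for category, level in role["permissions"].items()
        if level == "Deny" and merged[category]
    )

# Constructed sample roles (hypothetical custom roles).
READ_ONLY = {"name": "ReadOnly", "permissions": {"assets": "View", "scans": "Deny"}}
OPERATOR = {"name": "Operator", "permissions": {"assets": "Manage", "scans": "View"}}

if __name__ == "__main__":
    roles = [READ_ONLY, OPERATOR]
    for category, actions in sorted(effective_capabilities(roles).items()):
        print(category, sorted(actions))
    print("Deny overridden:", overridden_denies(roles))
```

Running a check like this over each user's role set before assignment shows where a restrictive role is silently widened by a second one.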


Edit / Update an Existing Role

Clicking on the Edit icon opens the below dialog:



Make the necessary changes and click UPDATE to save the changes made to that role.

Delete Role

When you click on the Delete icon: 

  1. If the selected role is not assigned to any user, the below message is displayed:



  2. If the selected role is assigned to any user, the below message is displayed:



  3. Click DELETE to confirm. 

RESOURCE GROUPS

The access to the resources like assets or configurations is based on tags which can form a logical container called a resource group. The resource groups assigned to the user determine the resources the user can access.


Note

All resources is the built-in resource group that gives access to everything. Edit and Delete actions are not allowed on the built-in resource groups. 

Resources that can form a resource group:

  • Assets
  • Configurations
  • Credentials

The tags set on these resources are inherited by the resources closely associated with them:

  • Findings, compliance findings, matches, and services inherit tags from assets.

    Example

    Setting a tag "location:sydney" on an asset causes all findings associated with this asset to inherit the "location:sydney" tag.

  • Scans inherit tags from configurations.

    Note

    A user with an access restriction set on SCANCONFIGURATION is not allowed to create any scan configurations.

  • Multiple tags in a resource group are combined with AND.

    Example

    If a user has a resource group with tags "location:sydney" and "cloud:aws", the user will see only assets where BOTH of these two tags are set.

  • The asset can additionally have other tags. They do not have any impact on the RBAC rules.

    Examples

    Scenario 1: One tag in a resource group

    If the user has access to a resource group with a tag tag-a, the following assets are displayed:

    asset1 (tag-a)
    asset3 (tag-c) (tag-a) (tag-d)
    asset2 (tag-a) (tag-b)

    The user will not see:
    asset4 (tag-k) (tag-o)

    Scenario 2: Two tags in a resource group

    If the user has access to a resource group with two tags tag-a and tag-b, the following assets are displayed:

    asset5 (tag-a) (tag-b)
    asset6 (tag-b) (tag-k) (tag-p) (tag-a)

    The user will not see:
    asset7 (tag-a)
    asset8 (tag-b)
    asset9 (tag-k) (tag-a) (tag-m)
    asset10 (tag-n) (tag-d)

Add Resource Group

To add a resource group,

  1. Click on the +Add group button located on the bottom right of the window. It opens the below dialog:



  2. Provide a name for the group.

  3. Depending on the access level, select one of the available options.

    Option   Description
    None     Denies access to the respective item.
    Some     Allows the user to access that item based on the tags added.
    All      Allows the user to access that item based on any tag.
  4. Select the permission levels and add the required tags.
  5. Click ADD.

The newly added resource group is shown in the RESOURCE GROUPS view. 

The resource groups added by the user can be customized or deleted. Select a group and click on the respective icon to edit or delete it.
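
The resource-group rules described above (None / Some / All, AND-combined tags, extra tags ignored, findings inheriting asset tags), modelled as an added example that is not Outpost24 code. The asset data reproduces Scenario 2 from this page; the finding records, the dictionary layout, the function names and the reading of All as "every item" are assumptions.

```python
# Added illustration; not Outpost24 code. Data layout is assumed.

def can_access(access, group_tags, resource_tags):
    """Apply one resource-group rule to one resource's tag set."""
    if access == "None":
        return False
    if access == "All":  # read here as: every item, regardless of its tags
        return True
    if access == "Some":
        if not group_tags:
            # The page does not document this case, so refuse to guess.
            raise ValueError("'Some' needs at least one tag")
        # Every group tag must be present (AND); extra asset tags are ignored.
        return set(group_tags) <= set(resource_tags)
    raise ValueError(f"unknown access option: {access!r}")

def visible_assets(group, assets):
    rule = group["assets"]
    return sorted(name for name, tags in assets.items()
                  if can_access(rule["access"], rule["tags"], tags))

def visible_findings(group, assets, findings):
    """Findings inherit their asset's tags, so they follow the asset rule."""
    allowed = set(visible_assets(group, assets))
    return sorted(f["id"] for f in findings if f["asset"] in allowed)

# Assets from Scenario 2 on this page.
ASSETS = {
    "asset5": {"tag-a", "tag-b"},
    "asset6": {"tag-b", "tag-k", "tag-p", "tag-a"},
    "asset7": {"tag-a"},
    "asset8": {"tag-b"},
    "asset9": {"tag-k", "tag-a", "tag-m"},
    "asset10": {"tag-n", "tag-d"},
}
# Constructed findings (hypothetical ids).
FINDINGS = [{"id": "F-1", "asset": "asset6"}, {"id": "F-2", "asset": "asset7"}]
GROUP_AB = {"assets": {"access": "Some", "tags": {"tag-a", "tag-b"}}}

if __name__ == "__main__":
    print(visible_assets(GROUP_AB, ASSETS))              # assets the user sees
    print(visible_findings(GROUP_AB, ASSETS, FINDINGS))  # findings the user sees
```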

Edit / Update an Existing Resource Group

Clicking on the Edit icon opens the below dialog:



Make the necessary changes and click UPDATE to save the changes made.

Delete Resource Group

Click on the Delete icon to remove a group.



Click DELETE to confirm removal of that group.