Identity and Access Management (IAM)
Purpose
This document describes the Identity and Access Management (IAM) in the Outpost24 portal.
Introduction
IAM is a service that controls access to resources. It is used to control who is authenticated (signed in) and what they are authorized (permitted) to do with those resources.
Role-Based Access Control
IAM uses Role-Based Access Control (RBAC) to restrict access according to a user's role within the organization. A role corresponds to a level of access to resources in the system, so permissions are granted to roles rather than to individual users, and access is granted on a need-to-know basis.
User Management in IAM
To navigate to this section,
- Log in to OUTSCAN / HIAB.
- Go to Main Menu > Portal.
- Click the Account icon in the upper right corner.
- Select the IAM card to access the IAM page.
This opens the Identity Access Management page, which is divided into three tabs: Users, Roles, and Resource Groups.
Users
The Users view presents a high-level overview of the users, their Tags, Roles, and the Resource groups they have access to, along with tools to add, edit, and delete users.
The available details are:
Option | Description |
---|---|
Name | Displays the name of the user. |
Tags | Displays the tags added to that user. See the Tags document to learn more about tags. |
Roles | Displays the roles assigned to that user. See Roles on how to create roles. |
Resource groups | Displays the resource groups assigned to that user. See Resource Groups on how to configure the groups. |
Select one or more users to view the possible actions on the bottom bar:
- Edit Tags
- Assign Roles
- Assign Resource groups
For more information about adding or removing tags, refer to the Tags document.
Add a User
To add a user:
- Click the green +Add user button on the lower right corner.
- Fill in the required user details. Fields marked with an asterisk (*) are required.
- Click the blue ADD button to finish adding the user.
Edit User
To edit a user:
- Click the Edit icon on the user you want to edit.
- Update the required details.
- Click the blue Update button to save and confirm the update.
Password Recovery
To change the password of a user:
- Click the Edit icon on the user you want to edit.
- Click the Password tab.
- Click the blue Send button to send a password recovery e-mail to the user.
Delete User
To remove a user:
- Click the Bin icon on the user you want to remove.
- Click the red DELETE button to confirm.
Assign a Role to a User
To assign a role to a user:
- Click on the Assign Roles icon displayed on the bottom bar.
- Select the required roles and click ASSIGN.
- The newly assigned roles are shown under the USERS view.
Assign a Resource Group to a User
To assign a resource group to a user:
- Click on the Assign resource groups icon displayed on the bottom bar.
- Select the required resource groups and click ASSIGN.
- The newly assigned resource groups are shown under the USERS view.
OUTSCAN Super Users and Sub Users in the Portal
Super users and Sub users created in OUTSCAN cannot access configurations and other tabs in the Appsec portal. The new UI and REST API have no concept of a super user. A user who should have access to everything must be granted the built-in Admin role and the built-in All Resources resource group, or custom roles and resource groups that give equivalent rights. By default, every newly created user has no roles and no resource groups, and therefore no access, until IAM roles and resource groups are granted; grant only the roles and resource groups the user's task requires.
To use the portal, follow the information below:
- Log in to OUTSCAN / HIAB with a main user.
- Go to Main Menu > Portal.
- Click the Account icon in the upper right corner.
- Select IAM (Identity Access Management).
- Select the user who needs access granted.
- Assign the Admin role and the All Resources resource group.
Roles
Technical Preview
This section is a technical preview of a feature that is currently under development. Some features are hidden behind a feature flag.
A role defines what a user may do with the resources they have been granted access to. A role consists of one or more permissions; for example, the Analyst role would have the Findings permission set to View. When a user holds several roles, the effective permission on each resource is the highest level granted by any of those roles: a user assigned both the Admin role, which has the most capabilities, and an Operator role with a different set of capabilities has the combined capabilities of both. A user with no roles has no access at all.
The Roles function in the Portal does not correspond to groups in Vulnerability View (Netsec).
This view presents the detailed information about the permissions to access different modules for the available roles.
Available Resources
Available resources | Actions to perform |
---|---|
AppStaksTM | Deny, View, View and manage |
Asset groups | Deny, View, View and manage |
Assets | Deny, View, View and manage |
Configurations | Deny, View, View and manage |
Scans | Deny, View, View and manage |
Scan policies | Deny, View, View and manage |
Schedules | Deny, View, View and manage |
Findings | Deny, View, View and manage. With View and manage, the additional actions the user can perform are selected by checking boxes. |
Compliance | Deny, View, View and manage |
Tags | Deny, Manage |
Reports | Deny, View and manage |
Users | Deny, View, View and manage |
Scoping | Deny, Submit |
Audits | Deny, View |
Accounts | Deny, View, View and manage |
Scheduled reports | Deny, View, View and manage |
Managed reports | Deny, View, View and manage |
Dashboards | Deny, View, View and manage |
View templates | Deny, View, View and manage |
Credentials | Deny, View, View and manage |
Integrations | Deny, View, View and manage |
Events | Deny, View, View and manage |
Subscriptions | Deny, View |
CORE | Deny, View |
Built-in indicates predefined roles in the system. These roles cannot be deleted or modified, so the Edit and Delete actions are not available for them.
Hovering over the column header or the icons in the table, a tooltip is displayed after a short while.
Add Roles
To add a role:
- Click on the +Add role button located on the bottom right of the window. It opens the Add role dialog.
- Provide a name for the role.
Under each category, the available permission levels are listed:
Option | Description |
---|---|
Deny | The item is not visible to a user assigned that role. |
View | Allows the user to only view the associated item. |
View and manage | Allows the user to view, add, edit, and delete the associated item. |
Manage | Allows the user to edit or delete the associated item. |
Submit | Allows the user to submit for scoping. |
View and manage and Manage can sometimes contain more granular choices.
- Select the necessary permission level to grant for that role.
- After adding all permissions, click ADD.
The newly added role is shown in the ROLES view.
The roles added by the user can be customized or deleted. Select a role and click on the respective icon to edit or delete.
When multiple roles are assigned to a user, the user is given, per resource, the highest level of capabilities granted by any of those roles. For example, a user assigned both the "Admin" role, which has the most capabilities, and an "Operator" role with a different set of capabilities has the capabilities of both roles.
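The merging rule above, as an added example in Python (not Outpost24 code, and not the portal's implementation). The permission levels and the built-in Admin role follow the Roles section of this page; the contents of the "Analyst" and "Operator" roles, and the reduced resource list, are assumptions made for illustration.

```python
"""Effective permissions when a user holds several roles.

Added example, not Outpost24 code. Levels and the built-in Admin role follow
this page; the "Analyst" and "Operator" role contents are constructed, and
RESOURCES is a subset of the page's Available Resources table.
"""
from typing import Dict, Iterable

# Capability order used to pick the "highest level" across roles. Levels are
# only ever compared within the same resource, so Manage (Tags) and Submit
# (Scoping) only compete with Deny.
LEVEL_RANK = {
    "Deny": 0,
    "View": 1,
    "Submit": 1,
    "Manage": 2,
    "View and manage": 2,
}

RESOURCES = ["Assets", "Configurations", "Scans", "Findings", "Tags", "Scoping"]

# Highest level each resource supports (Tags: Deny/Manage, Scoping: Deny/Submit).
TOP_LEVEL = {r: "View and manage" for r in RESOURCES}
TOP_LEVEL.update({"Tags": "Manage", "Scoping": "Submit"})

ROLES: Dict[str, Dict[str, str]] = {
    # Built-in role: the most capabilities on every resource.
    "Admin": dict(TOP_LEVEL),
    # Constructed roles; any resource not listed is Deny, the default.
    "Analyst": {"Findings": "View", "Assets": "View"},
    "Operator": {"Configurations": "View and manage",
                 "Scans": "View and manage",
                 "Assets": "View"},
}


def effective_permissions(assigned_roles: Iterable[str]) -> Dict[str, str]:
    """Per resource, the highest level granted by any assigned role.

    A user with no roles gets Deny on everything, matching the page's
    statement that new users have no access until roles are granted.
    """
    effective = {r: "Deny" for r in RESOURCES}
    for role_name in assigned_roles:
        for resource, level in ROLES[role_name].items():
            if LEVEL_RANK[level] > LEVEL_RANK[effective[resource]]:
                effective[resource] = level
    return effective


def is_allowed(assigned_roles: Iterable[str], resource: str, needed: str) -> bool:
    """True if the merged permission on `resource` is at least `needed`."""
    granted = effective_permissions(assigned_roles)[resource]
    return LEVEL_RANK[granted] >= LEVEL_RANK[needed]


if __name__ == "__main__":
    for roles in ([], ["Analyst"], ["Analyst", "Operator"], ["Admin"]):
        print(roles, effective_permissions(roles))
```

Because the merge takes the maximum per resource, adding a second role can only widen a user's access; when reviewing a user, look at the merged result rather than at any single role.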
Edit / Update an Existing Role
Clicking on the Edit icon opens the edit dialog for that role.
Make the necessary changes and click UPDATE to save the changes made to that role.
Delete Role
When you click on the Delete icon:
- If the selected role is not assigned to any user, a confirmation message is displayed.
- If the selected role is assigned to one or more users, a message is displayed noting that the role is currently in use.
- Click DELETE to confirm.
Resource Groups
A resource group defines the resources a user can access. Access to resources such as assets or configurations is based on tags: tags are set on resources, and a resource group is a logical container of tags. The resource groups assigned to a user determine which resources that user can access. All resources that can be restricted have settable tags, and each tag can be used in one or many resource groups. A resource group can be assigned to multiple users, and a user can be assigned one or more resource groups. Within one resource group, multiple tags are combined with AND: a resource group with the tags location:sydney and cloud:aws gives access only to assets that carry both tags (see the examples below).
All resources is the built-in resource group that gives access to everything. Edit and Delete actions are not allowed on the built-in resource groups.
Resources that can form a resource group:
- AppStakTM
- Asset groups
- Assets
- Configurations
- Credentials
- Scheduled reports
- Managed reports
- Dashboards
- View templates
- Events
The tags set on these resources are inherited by the resources closely associated with them:
Findings, compliance findings, matches, and services inherit tags from assets.
Example
Setting the tag "location:sydney" on an asset makes all findings associated with that asset inherit the "location:sydney" tag.
Scans inherit tags from configurations.
A user with an access restriction set on SCANCONFIGURATION is not allowed to create any scan configurations.
Combination of multiple tags in a resource group is treated with AND combination.
Example
If a user has a resource group with tags "location:sydney" and "cloud:aws", the user will see only assets where BOTH of these two tags are set.
The asset can additionally have other tags; they have no impact on the RBAC decision.
Examples
Scenario 1: One tag in a resource group
If the user has access to a resource group with the tag tag-a, the following assets are displayed:
- asset1 (tag-a)
- asset3 (tag-c) (tag-a) (tag-d)
- asset2 (tag-a) (tag-b)
The user will not see:
- asset4 (tag-k) (tag-o)
Scenario 2: Two tags in a resource group
If the user has access to a resource group with the two tags tag-a and tag-b, the following assets are displayed:
- asset5 (tag-a) (tag-b)
- asset6 (tag-b) (tag-k) (tag-p) (tag-a)
The user will not see:
- asset7 (tag-a)
- asset8 (tag-b)
- asset9 (tag-k) (tag-a) (tag-m)
- asset10 (tag-n) (tag-d)
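The tag matching from the Resource Groups section and the two scenarios above, as an added example in Python (not Outpost24 code, and not the portal's implementation). The asset data reproduces Scenario 1 and Scenario 2; the findings, the None/Some/All handling, and the treatment of a Some entry with no tags are assumptions made for illustration.

```python
"""Tag-based resource-group filtering: AND within a group, extra tags ignored,
findings inherit their asset's tags.

Added example, not Outpost24 code. The asset/tag data is the page's Scenario 1
and 2; the findings are constructed, and the None/Some/All levels are modelled
from the page's table (the page does not define a Some entry with no tags,
which is treated here as granting nothing).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    name: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    name: str
    asset: Asset

    @property
    def tags(self) -> FrozenSet[str]:
        # Findings carry no tags of their own; they inherit the asset's tags.
        return self.asset.tags


def asset(name: str, *tags: str) -> Asset:
    return Asset(name, frozenset(tags))


# The page's scenarios, in the order the page lists the assets.
SCENARIO_1 = [asset("asset1", "tag-a"),
              asset("asset3", "tag-c", "tag-a", "tag-d"),
              asset("asset2", "tag-a", "tag-b"),
              asset("asset4", "tag-k", "tag-o")]
SCENARIO_2 = [asset("asset5", "tag-a", "tag-b"),
              asset("asset6", "tag-b", "tag-k", "tag-p", "tag-a"),
              asset("asset7", "tag-a"),
              asset("asset8", "tag-b"),
              asset("asset9", "tag-k", "tag-a", "tag-m"),
              asset("asset10", "tag-n", "tag-d")]


def grants_access(level: str, group_tags: Set[str], resource_tags: FrozenSet[str]) -> bool:
    """One resource-group entry: None, Some (by tags) or All."""
    if level == "None":
        return False
    if level == "All":
        # Modelled as matching every instance, like the built-in All Resources group.
        return True
    if level == "Some":
        if not group_tags:
            return False  # assumption: an empty Some entry grants nothing
        # AND combination: every tag of the group must be set on the resource;
        # tags the resource has beyond those are irrelevant.
        return frozenset(group_tags) <= resource_tags
    raise ValueError(f"unknown level {level!r}")


def visible(level: str, group_tags: Set[str], resources: Iterable) -> List[str]:
    """Names of the assets or findings the resource-group entry lets a user see."""
    return [r.name for r in resources if grants_access(level, group_tags, r.tags)]


if __name__ == "__main__":
    print(visible("Some", {"tag-a"}, SCENARIO_1))            # Scenario 1
    print(visible("Some", {"tag-a", "tag-b"}, SCENARIO_2))   # Scenario 2
```

Note that adding a tag to a resource group narrows what it matches, while assigning a user a further resource group can only add to what they see; to restrict a user, remove groups or add tags, never the other way round.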
Add Resource Group
To add a resource group:
- Click on the +Add group button located on the bottom right of the window. It opens the Add resource group dialog.
- In the Name field, provide a name for the new group.
- Select the permission level for each resource and add the required tags. For more information about tags, see the Tags document.
Option | Description |
---|---|
None | Denies access to the respective item. |
Some | Allows the user to access that item based on the tags added. |
All | Allows the user to access that item based on any tag. |
- Click the blue ADD button to finish the new group.
The newly added resource group is shown in the RESOURCE GROUPS view.
Resource groups added by the user can be customized or deleted.
Edit / Update an Existing Resource Group
To edit a resource group:
- Click on the Edit icon on the right hand side of the row of the resource group you want to edit.
- Make the necessary changes and click UPDATE to save the changes made.
Delete a Resource Group
To remove a resource group:
- Click on the Delete icon on the right hand side of the row of the resource group you want to remove.
- Click DELETE to confirm removal of that group.
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.