Purpose

This document describes the Identity and Access Management (IAM) in the Unified View.

Introduction

IAM is a service that control access to resources. IAM is used to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Role-Based Access Control

IAM uses Role-Based Access Control (RBAC) to restrict access depending on a user's role within the system. The roles in RBAC refer to the levels of access that users have to resources on the network. RBAC is a method of regulating access to system resources based on the roles of individual users within the organization. Access is granted on a need-to-know basis. The use of RBAC to manage user privileges within a single system or application is widely accepted as a best practice.

Configure IAM

Clicking the IAM icon displays the Identity Access Management page which is divided in three tabs, Users, Roles, and Resource Groups.

Users

The Users view in Unified View presents a high level overview of the users along with their Tags, Roles, and Resource Groups they have access to.

To add users, refer to Create Users in Vulnerability Management.

The available details are:

Option	Description
Name	Displays the name of the user.
Tags	Displays the tags added to that user.
Roles	Displays the roles assigned to that user.
Groups	Displays the resource groups assigned to that user.

Roles

A user role is a role by which the user is able to operate the resources they have been granted access to. Roles consist of one or more permission, for example, the Analyst role would have Findings permission set to View. For multiple roles, the user is given the highest level of capabilities granted to any role to which they are assigned. For example, if a user is assigned to the role Admin which has the most capabilities, and also to a role Operator with a different set of capabilities, the user will have the capabilities of both roles. A user with no roles would not have any access at all.

The Roles function in the Unified View IAM does not correspond to roles in Vulnerability View (Netsec).

Add Roles

Users can compose their own roles but there are also a few default roles such as Admin, User Admin, Operator, Analyst Executive, Read-only, and Compliance Officer to choose from.

To add Roles:

Select the Roles tab.
Click on the Add Role button in the upper right corner.
In the Add Role view, name the new role and select the appropriate access rights to the role and press add.
The new role is now created and can be tied to a user.

Many of the permissions are the same as for the Portal with some additions for the Unified View such as:

Unified View
AppStaks
Tags

Resource Groups

A Resource Group is a group containing all the relevant tags for an entity and it defines the resources the user can access. The access to the resources (like assets or configurations) is based on a tag system. Tags can be set on resources and form a Resource group. The resource groups assigned to a user determines the users access to the resources with that tag. All resources that can be restricted have settable tags, and each tag can be assigned to one or multiple resource groups. A resource group can be assigned to multiple users, and one user can be assigned to one or more resource groups. A combination of multiple tags is treated as an OR combination, for example if a user has tags location:sydney and cloud:aws, the user will see all assets where any of these two tags is set.

The Resource Groups function in the Unified View IAM does not correspond to groups in Vulnerability View (Netsec).

Add Resource Groups

To add a resource group:

Select the Resource Group tab.
Click on the Add Group button in the upper right corner.
In the Add resource group view, name the new group and add the appropriate tags to the group and press add.
For more information about tags, see Unified View Filters document.
The new Resource Group is now done.