4.2 Managing Groups

Framework users must be assigned to one or more groups with the appropriate roles defined before they can access any Framework consoles or perform any tasks.

4.2.1 Adding a Framework User Group

  1. Click Framework User Manager on the home page of the console.

  2. Click Groups in the navigation pane.

  3. Click Add Group in the task pane.

  4. Specify a name for the group in the Group name field.

  5. Click Finish.

  6. To configure the group, continue with Section 4.2.2, Modifying a Framework User Group.

4.2.2 Modifying a Framework User Group

The Modify Group option allows you to:

  • Add a comment describing the group

  • Add users and subgroups to the group

  • Define administrative roles for the group

  • Specify an audit manager for the group

To modify a Framework user group:

  1. Click Framework User Manager on the home page of the console.

  2. Click Groups in the navigation pane.

  3. In the left pane, select the group you want to modify.

  4. Click Modify Group in the task pane.

  5. (Optional) In the Comment field, enter a comment.

  6. In the Members section, select the users you want to be members of this group.

    You can also add a user to groups in the Groups section of the Modify User option, by dragging the user onto the group, or by dragging the group onto the user.

    You can remove users from the group by deselecting them here. See Section 4.1.4, Removing a Framework User Group from a User for other methods.

  7. In the Sub Groups section, select the groups you want to be subgroups of this group.

    You can also add subgroups to groups by dragging the group onto the main group.

  8. In the Roles section, configure the roles you require for this group of users according to the consoles you want them to be able to access and the tasks you want them to be able to perform. You must assign at least one role. See Section 4.2.4, Configuring Roles for more details.

  9. In the Audit Manager section, specify the details of the group’s manager.

  10. Click Finish.

4.2.3 Configuring a Help Desk Group

The help desk role allows a predefined set of attributes to be set on the Account Settings page so that users assigned to the help desk group can only manage the subset of user attributes.

To set up a help desk group:

  1. Configure the attributes:

    1. Click Framework User Manager on the home page of the console.

    2. Click Users > Account Settings.

    3. Configure the Helpdesk Attributes.

      For information about these attributes, see Section 4.1.1, Configuring Account Settings.

    4. Click Finish.

  2. Create the group:

    1. Click Groups > Add Group.

    2. Specify a name for the group, then click Finish.

    3. Select the group you just created, then click Modify Group.

    4. In the Members option, select the users that you want to belong to the help desk group.

    5. In the Roles option, click Add, then add the following roles:

      Module   Role
      auth     console
      auth     read
      auth     helpdesk

  3. Click Finish.

4.2.4 Configuring Roles

When you create a new Framework user group, you must assign at least one role to the group to allow the users in the group to access one or more Framework modules and perform tasks.

To allow access to all modules and tasks, you can define a role with Module set to * and Role set to *. This is how the default admin group containing the default admin user is initially configured.

To allow access only to specific modules and tasks, use the Modify Group option (see Section 4.2.2, Modifying a Framework User Group) and define one or more roles according to the tables below:

Framework User Roles

The following roles can be assigned to the authentication module in order to control access to the Framework User Manager console. Select from these roles when you are setting up a group to manage Framework Manager users and groups.

Module   Role           Allows users to
auth     act_settings   Modify account settings.
         admin          Add or delete users and groups, and assign users to groups.
         console        View the Framework User Manager console.
         helpdesk       Modify the user account settings. To change which attributes are available for modification, see Section 4.1.1, Configuring Account Settings.
                        For information on how to use this role to create a Help Desk group that can manage user passwords, see Section 4.2.3, Configuring a Help Desk Group.
         read           Read the auth database.
                        This role must be used with all other auth roles.
         role_admin     Add or remove roles.
         super          View and modify superusers, and view and modify groups with the super role defined.
         *              Perform all roles.

Audit Report Roles

The following roles can be assigned to the auditing module in order to control access to the Reporting console. Select from these roles when you are setting up a group to manage the command control reports.

Module   Role               Allows users to
audit    read               Read the audit database.
                            This role must be used with all other audit roles.
         console            View the Reporting console.
         admin              Modify reporting settings.
         command            View Command Control reports.
         logon              View Account Logon reports.
         *                  Perform all roles.
         write              Create new audit reports and adjust filter settings.
         report             Access reports with the report defined roles.
         <report defined>   Read and update the reports defined in the General tab of the Reporting console.
                            This role is only useful when used in conjunction with the report role.

You can use these Audit Report roles to create the following types of audit managers:

  • Administrator: To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following roles for the audit module:

    • admin
    • write
    • read
    • command
    • console
  • Manager: To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following roles for the audit module:

    • write
    • read
    • command
    • console
  • User: To allow the group to read and update a specific report, the group needs to be assigned the following roles for the audit module:

    • command
    • console
    • report
    • <report defined read>
    • <report defined update>

    If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report’s filter, its name, and its description.

    Each report allows you to specify a read role and an update role. You need to remember those names and manually enter them here. The console does not provide any error checking, so you need to make sure to enter the correct name. For information on how to enable a report for a role, see Section 6.4.4, Modifying General Report Information.

Compliance Auditor Roles

The following roles can be assigned to the compliance auditing module in order to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read roles to the auditing and authentication modules.

Module     Role                Allows users to
secaudit   console             View the Compliance Auditor console.
           audit               View and edit records.
           admin               Add and modify audit rules.
           *                   Perform the console, audit, and admin roles.
           <audit role name>   Access the records collected by audit rules with this role defined in the Audit Role field on the Modify Audit Rule page. You can choose your own name for the role.
                               See Section 7.2.1, Adding or Modifying an Audit Rule for details about configuring audit rules.
audit      read                View a keystroke replay.
auth       read                Extract user credentials, including name and e-mail address, from the auth database for use with reports.

Host Roles

The following roles can be assigned to the host module in order to control access to the Hosts console. Select from the following roles when creating a group to manage the hosts.

Module   Role    Allows users to
unifi    info    Run the host status check by using the command line interface.
                 You must type the word info because it is not available in the drop-down list.
         admin   View the Hosts console and perform administrative actions.

Package Manager Roles

The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged User Manager, select the following:

Module   Role    Allows users to
pkgman   admin   View, add, update, or remove packages.

Command Control Roles

The following roles can be assigned to the command control module in order to control access to the Command Control console. Select from the following roles when you are creating a group that you want to manage and test the rules in the command control database.

Module    Role    Allows users to
cmdctrl   read    View the Command Control console and run test suites.
          write   Modify the command control database. Users with this role cannot cancel other users’ transactions or modify audit or transaction settings.
                  Must be used in conjunction with the cmdctrl read role.
          admin   Modify the Command Control database, including canceling other users’ transactions and modifying audit and transaction settings.
          *       Perform all roles.
auth      read    Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin roles.
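The console does no error checking on role assignments, so the pairing rules stated in the tables above (every other auth or audit role needs the module's read role, cmdctrl write needs cmdctrl read, a Compliance Auditor group needs audit read and auth read, and a report-defined audit role needs the audit report role) are easy to get wrong. The following Python is an added example, not part of this documentation or the product, that checks a group's (module, role) assignments against those rules; the rule tables and the KNOWN_AUDIT_ROLES set are assumptions drawn from the tables, and the help desk group from Section 4.2.3 is included as sample input.

```python
"""Constructed example (not product code): check a Framework user group's
(module, role) assignments against the pairing rules stated in the role tables."""
from typing import Iterable, List, Set, Tuple

Role = Tuple[str, str]  # (module, role), e.g. ("auth", "read")

# Per the tables: every other auth role needs auth read, every other audit
# role needs audit read, and cmdctrl write needs cmdctrl read.
MODULE_NEEDS_READ = {"auth", "audit"}
PAIRED_WITH = {("cmdctrl", "write"): ("cmdctrl", "read")}
# A Compliance Auditor (secaudit) group also needs read on audit and auth.
CROSS_MODULE = {"secaudit": [("audit", "read"), ("auth", "read")]}
# Any audit role name not in this set is treated as a <report defined> role,
# which is only useful together with the audit "report" role (assumption).
KNOWN_AUDIT_ROLES = {"read", "console", "admin", "command", "logon",
                     "write", "report", "*"}


def has_role(roles: Set[Role], module: str, role: str) -> bool:
    """True if the group holds (module, role) directly or through a wildcard."""
    return ((module, role) in roles or (module, "*") in roles
            or ("*", "*") in roles)


def check_group_roles(assigned: Iterable[Role]) -> List[str]:
    """Return the problems found; an empty list means the assignment is consistent."""
    roles = set(assigned)
    problems: List[str] = []
    if not roles:
        problems.append("a group must be assigned at least one role")
    for module, role in sorted(roles):
        if module == "*" or role == "*":
            continue  # wildcards satisfy every rule for that module
        needs: List[Role] = []
        if module in MODULE_NEEDS_READ and role != "read":
            needs.append((module, "read"))
        if (module, role) in PAIRED_WITH:
            needs.append(PAIRED_WITH[(module, role)])
        needs.extend(CROSS_MODULE.get(module, []))
        if module == "audit" and role not in KNOWN_AUDIT_ROLES:
            needs.append(("audit", "report"))
        for need_mod, need_role in needs:
            if not has_role(roles, need_mod, need_role):
                problems.append(f"{module} {role} requires {need_mod} {need_role}")
    return problems


# The help desk group exactly as assigned in Section 4.2.3 (sample input).
HELPDESK_GROUP: List[Role] = [("auth", "console"), ("auth", "read"), ("auth", "helpdesk")]
```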

4.2.5 Deleting a Framework User Group

  1. Click Framework User Manager on the home page of the console.

  2. Click Groups in the navigation pane.

  3. In the left pane, select the group you want to delete.

  4. Click Delete Group in the task pane.

  5. Click Finish to confirm the deletion.