On This Page
Configuring and Assigning User Roles
This topic is intended for TOS Administrators. |
SecureChange and SecureApp have several predefined user roles. You can associate users and user groups to these roles, or create your own roles with specific permissions for SecureChange and SecureApp. All users or groups associated with a role gain the permissions of that role. Users that have multiple roles gain the permissions for all roles combined.
A user must have the System Administrator role to access this page.
General
The General permissions in Settings > Roles > Permissions apply to both SecureChange and SecureApp user roles. The other sections let you configure the permissions for SecureChange and SecureApp user roles:
- View Settings tab and configure Orchestration Suite settings - Configure the SecureChange settings in SecureChange > Settings.
-
Create change requests and view 'My Requests' tab - Submit a request and follow the progress in SecureChange > My Requests.
- View handlers of my requests - Lets users see all possible handlers of their ticket in SecureChange > My Requests.
SecureChange User Permissions
-
View Tickets tab and handle tickets - View and track all tickets in the Tickets page.
-
Assign or reassign tasks to participants - Reassign a task to another handler.
- Assign or reassign tasks to any SecureChange user - Reassign a task to any SecureChange user, including users that are not participants assigned to the task.
- Send tasks to other users to be redone - Send the ticket back to a previous step to be redone.
- Reject requests - Reject the ticket, Send the requester a notification and an explanation as to why the ticket is rejected.
- View tasks assigned to other users - Search the ticket database for all tickets. If not selected, only a list of tickets either assigned to you or available to you for self-assignment is shown.
- Ignore the expiration date of a closed ticket - Track and manage the expired tickets.
- Pause ticket SLA: Stop the progress of the ticket SLA in its current step.
-
- View Workflows tab and configure workflows - Create, manage, and view workflows in SecureChange > Workflows.
- View Reports tab and create reports - Create, manage, and view reports in SecureChange > Reports. This permission lets the user view any ticket in the system, in read-only mode.
- Create and handle tickets on behalf of another user (via API only) - Submit tickets through the REST API and handle tickets on behalf of another user.
Default SecureChange Role Settings
The default settings for the SecureChange roles are:
Permission |
Auditor |
Business Owner |
Requester |
Security Administrator |
System Administrator |
---|---|---|---|---|---|
View Settings tab and configure Orchestration Suite settings |
|
|
|
|
|
Create change requests and view 'My Requests' tab |
|
|
|
|
|
View handlers of my requests |
|
|
|
|
|
View Tasks tab and handle tickets |
|
|
|
|
|
Assign or reassign tasks to participants |
|
|
|
|
|
Assign or reassign tasks to any SecureChange user |
|
|
|
|
|
Send tasks to other users to be redone |
|
|
|
|
|
Reject requests |
|
|
|
|
|
View tasks assigned to other users |
|
|
|
|
|
Ignore the expiration date of a closed ticket |
|
|
|
|
|
View Workflows tab and configure workflows |
|
|
|
|
|
View Reports tab and create reports |
|
|
|
|
|
Create and handle tickets on behalf of another user (via API only) |
|
|
|
|
|
SecureApp User Permissions
Permissions to use SecureApp are given to a user based on the roles that are assigned to the user. To allow a user to use SecureApp, you must assign to them a role that has SecureApp permissions in Admin> Configuration > Users. You can change the permissions for each role in Settings > Roles.
The permissions that impact the use of SecureApp are:
-
View SecureApp and access SecureApp applications - The main SecureApp permissions: All SA permissions are dependent on this permission, except for the access portal permissions.
A user with this permission can view existing applications, configure application connections for applications that they own or for applications that they are an editor of. A user who does not have this permission cannot use SecureApp and does not see the SecureApp tab in the application bar.
Global Permissions
Permissions that do not require any specific application permissions
-
View all applications - View all applications
-
Edit all applications and change ownership - A user with this permission can edit any application and assign another user as the owner of an application. This permission also requires that the View all applications permission.
-
-
Create new applications - A user with this permission can create new applications . The new applications are owned by the user that creates them. The user can also add other users to the list of editors for the applications.
-
View cloud console - Manage cloud resources, via the Cloud Console tab
-
Search LDAP for user groups - A user with this permission can import LDAP groups into their application.
Application-Specific View Permissions
Permissions that require viewing permissions for a specific application
-
View connection status - See if the connection for a specific application is connected or blocked .
-
Run connection status analysis - A user with this permission can click on the status of a connection to create a PDF report with a detailed analysis of the routing and firewall rules that impact the connection. Requires that you also have the View connection status permission.
-
-
View security compliance violations - Run compliance analysis to check if the connection is compliant with organizational security policies in the USP, or if it might require special approval.
-
Discover application connections and resources - A user with this permission can use connection discovery to get suggested source, service and destination information based on the rule log information from your firewall devices.
Application-Specific Edit Permissions
Permissions that require edit permissions for a specific application
-
Create closed ticket - This permission lets you create a closed ticket to document previous changes. A closed ticket does not go through the workflow process, and the changes are not implemented.
Consider the following example:
-
A SecureChange ticket exists for connections that are already configured in the devices so that auditors can see the access request in the ticketing system.
-
The next ticket created from the connection does not include any previous changes.
When you create a closed ticket, revisions that match the ticket are shown in the Change browser in SecureChange as unauthorized, because they do not pass through an approval step in SecureChange.
-
-
Create and edit application interfaces - Lets you create and edit application interfaces
-
Create, edit and delete global services - Lets you create, edit, and delete services that are available for all applications
-
Create, edit and delete servers - Lets you create, edit, and delete server resources in Resources pane > Servers tab
-
A user who does not have this permission can still view all server resources and use them within the connections or interfaces for which they have edit permissions
-
If a group with the option to receive requests from the access portal is added to the application, users who do not have this permission are able to confirm requests and thus add resources to the application
-
Access Portal
Permissions for the Application Access Portal
View application access portal - A user with this permission can use the Application Access Portal to request access to an application without logging into SecureApp.
Default SecureApp Role Settings
The default settings for the SecureApp roles are:
Permission |
Auditor |
Business Owner |
Requester |
Security Administrator |
System Administrator |
---|---|---|---|---|---|
View SecureApp and access SecureApp applications |
|
|
|
|
|
View all applications |
|
|
|
|
|
Edit all applications and change ownership |
|
|
|
|
|
Create new applications |
|
|
|
|
|
View cloud console |
|
|
|
|
|
View connection status |
|
|
|
|
|
Run connection status analysis |
|
|
|
|
|
View security compliance violations |
|
|
|
|
|
Discover application connections and resources |
|
|
|
|
|
Create closed ticket |
|
|
|||
Create and edit application interfaces |
|
|
|||
Create, edit and delete global services |
|
|
|||
Create, edit and delete servers resource |
|
|
|
|
|
View application access portal |
What can I do on this page?
Add a role
-
Click +.
- Fill in the Name and Description, and select the desired permissions for that role.
- Click Save to save your work before navigating to another page.
Delete a role
-
Select a role and click .
-
Click Save to save your work before navigating to another page.
Change the permissions for a role
-
Select the role you want to edit.
-
In Permissions, change the permissions for the role.
-
Click Save to save your work before navigating to another page.
Change the user assignments for a role
-
In Users:
-
To add a user, click the user in Available users.
-
To remove a user, click the user in Selected users
-
-
Click Save to save your work before navigating to another page.
For more information on managing users and groups, see Assigning Roles to Users and Assigning Users to Roles.
How Do I Get Here?
SecureChange > Settings > Roles
SecureApp > Settings > Roles