Assign Permissions to Groups in BeyondInsight
The following permissions may be assigned to user groups in BeyondInsight for each feature and Smart Group.
Permission |
Description |
---|---|
No Access |
Users cannot access the selected feature or Smart Group. In most cases, the feature is not visible to the users. |
Read Only |
Users can view selected areas, but cannot change information. |
Full Control |
Users can view and change information for the selected feature. |
Permissions for a BeyondInsight user must be assigned cumulatively and at the group level. You must assign permissions on features and Smart Groups after creating a new group in order for users in that group to be able to access features in the product. For example, if you want a BeyondInsight administrator to manage discovery scans only, then you must assign full control for the following features:
- Management Console Access
- Asset Management
- Reports Management
- Scan – Job Management
- Scan Management
In addition to the group permissions noted, for the group to be provisioned, there must be at least one enabled Smart Group for the group. This sets the scope for the features.
Assign Features Permissions
The features listed are based upon your BeyondInsight license. Only features relevant to your licensed installation are listed.
- Navigate to Configuration > Role Based Access > User Management.
- From the Groups tab, click the vertical ellipsis for the group.
- Select View Group Details.
- Under Group Details, click Features.
- Filter the list of features displayed in the grid using the Show and Filter by dropdowns.
- Select the features you wish to assign permissions to.
- Click Assign Permissions above the grid.
- Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.
The following table provides information on the features permissions you can assign to your groups.
Feature |
Provides Permissions To: |
---|---|
Analytics & Reporting |
Log in to the console and access Analytics & Reporting to generate and subscribe to reports. |
Appliance (U-Series) Access | Grant access to manage the U-Series Appliance as a BeyondInsight user. |
Asset Management |
Create Smart Rules. Edit and delete buttons on the Asset Details window. Create Active Directory queries. Create address groups. |
Attribute Management |
Add, rename, and delete attributes when managing user groups. |
Credential Management |
Add and change credentials when running scans and deploying policies. |
Directory Credential Management | Grant access to the configuration area where directory credentials are managed. This feature must be enabled to support access to directory queries as well. |
Directory Query Management | Grant access to the configuration area where directory queries are managed. Access to Directory Credential Management must also be granted. |
Domain Management | Grants the user permission to configure mappings of bind credentials to domains for account resolution. |
Endpoint Privilege Management | Grant access to the Endpoint Privilege Management features, excluding Policy Editor and Reporting. |
Endpoint Privilege Management Policy Editor | Grant access to the Endpoint Privilege Management Policy Editor feature. |
Endpoint Privilege Management Reporting | Grant access to the Endpoint Privilege Management Reporting feature. |
Endpoint Privilege Management for Unix & Linux | Grant access to the Endpoint Privilege Management for Unix & Linux features. |
File Integrity Monitoring |
Work with File Integrity rules. |
License Reporting | View the Licensing folder in Analytics & Reporting (MSP reports, Endpoint Privilege Management for Windows, Endpoint Privilege Management for Mac true-up reports, and Assets Scanned report). |
Management Console Access | Access the BeyondInsight management console. |
Manual Range Entry |
Allow the user to manually enter ranges for scans and deployments rather than being restricted to smart groups. The specified ranges must be within the selected smart group. |
Option Management |
Change the application options settings (for example, account lockout and account password settings). |
Options - Connectors | Access the configuration area where connectors are managed. |
Options - Scan Options | Access the configuration area where scan options are managed. |
Password Safe Account Management |
Grant read or write permissions to the following features on the Managed Accounts page and through the public API:
|
Password Safe Admin Session | Password Safe web portal admin sessions. |
Password Safe Admin Session Reviewer | Grant a user admin session reviewer permissions only. |
Password Safe Global API Quarantine | Access to the Quarantine APIs. |
Password Safe Bulk Password Change | Change more than one password at a time. |
Password Safe Agent Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Agents page. |
Password Safe Configuration Management | Grant a user administrator permissions to the Configuration > Privileged Access Management page. |
Password Safe Domain Management | Check the Read and Write boxes to permit users to manage domains. |
Password Safe Policy Management | Grant a user administrator permissions to the Configuration > Privileged Access Management Policies page. |
Password Safe Role Management | Allows a user to manage roles, provided they have the following permissions: Password Safe Role Management and User Account Management. |
Password Safe System Management | Read and write managed systems through the public API. |
Password Safe Ticket System Management | This feature is not presently used. |
Reports Management |
Run scans, create reports, and create report categories. |
Scan - Job Management |
Activate Scan and Start Scan buttons. Activate Abort, Resume, Pause, and Delete on the Job Details page. |
Scan - Report Delivery |
Allow a user to set report delivery options when running a scan:
|
Scan Management |
Delete, edit, duplicate, and rename reports on the Manage Report Templates page. Activate New Report and New Report Category. Activate the Update button on the Edit Scan Settings view. |
Secrets Safe | Provides access to Secrets Safe for all members of the selected group. |
Session Monitoring |
Use the session monitoring features. |
Smart Rule Management – Asset |
Grants permission to view, create, and edit asset Smart Rules; editing is limited to Smart Rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Managed Account |
Grants permission to view, create, and edit managed account Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Managed System |
Grants permission to view, create, and edit managed system Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Smart Rule Management – Policy User |
Grants permission to view, create, and edit policy user Smart Rules; editing is limited to smart rules that are enabled for groups the user is a member of. Newly created Smart Rules created by a non-administrator are automatically enabled with full permissions for all groups where the user is a member. |
Ticket System |
View and use the ticket system. |
Ticket System Management |
Mark a ticket as inactive. The ticket no longer exists when Inactive is selected. |
User Accounts Management |
Add, delete, or change user groups and user accounts. A minimum of read access to Directory Credential Management must also be granted to enable creation of AD and LDAP Groups. |
User Audits |
View audit details for management console users on the User Audits page. |
U-Series Appliance Administrator | Provides access to manage all aspects of the U-Series Appliance. |
U-Series Appliance Backups | Provides access to manage the Backup and Restore options of the U-Series Appliance. |
U-Series Appliance High Availability | Provides access to manage the High Availability features of the U-Series Appliance. |
U-Series Appliance Login | Provides access to manage the U-Series Appliance as a BeyondInsight user. |
U-Series Appliance Manage RDP | Provides access to manage Remote Desktop Protocol to the U-Series Appliance. |
U-Series Appliance Patching | Provides access to manage updates to the U-Series Appliance. |
For more information, please see the Managed Accounts section in the BeyondInsight and Password Safe API Guide.
Features Permissions Required for Configuration Options
Configuration Option |
Feature and Permission |
---|---|
Active Directory Queries |
Asset Management - Full Control. |
Address Groups |
Asset Management - Full Control. |
Attributes |
Asset Management - Full Control. |
Connectors |
Asset Management and Management Console Access - Full Control. |
Password Safe Connections |
Member of the Built-In Administrators group. |
Endpoint Privilege Management Module |
Management Console Access and Endpoint Privilege Management - Full Control. |
Scan Options |
Scan Management - Full Control. |
Services |
Member of the Built-In Administrators group. |
User Audits |
User Audits - Full Control. |
User Management |
Everyone can access. Users without the Full Control permission to User Account Management feature can edit only their user record. |
Workgroups |
User Accounts Management - Full Control. |
Assign Smart Groups Permissions
- Navigate to Configuration > Role Based Access > User Management.
- From the Groups tab, click the vertical ellipsis for the group.
- Select View Group Details.
- Under Group Details, select Smart Groups.
- Filter the list of Smart Groups displayed in the grid using the Show and Filter by dropdowns.
- Select the Smart Groups you wish to assign permissions to.
- Click Assign Permissions above the grid.
- Select Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.