Enterprise Recon 2.0.27

User Permissions

ER2 uses a form of Role-Based Access Control (RBAC) where a user has access to resources and privileges to perform specific tasks based on the roles and permissions granted to the user.

This article covers the following topics:

  • Overview
  • Access Realms
  • Access Levels
  • Access Realm + Access Level
  • Permissions Tables

Overview

A user’s permissions are made up of two permission sub-types that must be explicitly assigned to a user:

  • Access Realms: A group of resources a user can access. Assigning users an Access Realm allows users access to the resources belonging to that group.
  • Access Levels: Set of privileges applied to the Access Realm assigned to a user.

A user’s permissions resolve as Access Realm + Access Level: the Access Realm determines which objects the user can see, and the Access Level determines what the user can do with them. When permission conflicts occur (for example, a user is assigned two Access Realms that cover the same object with different Access Levels), the most permissive set of permissions assigned to the user takes precedence.

Access Realms

Access Realms are how ER2 organizes resources for its permissions system, and can be thought of as the scope within which a given Access Level is applied. These resources are typically Target Groups, Targets, and Credentials, and are treated as individual objects when it comes to assigning permissions. The following sections describe the types of Access Realms:

Global Access Realm

The Global Access Realm is a special Access Realm. Users granted permissions under the Global Access Realm can access additional administrative functions on top of having access to all Target Groups, Targets, and Credentials in ER2.

Target Group and Target Access Realms

Target Groups and Targets are the objects ER2 scans, and each is treated as an individual object when assigning permissions. A user assigned a Target Group Access Realm has access to that Target Group and the Targets within it; a user assigned a Target Access Realm has access to that Target only.

Credentials

Credentials are credential sets saved by the user to access external resources such as Cloud-based Targets, Database Servers, and Remote Scan Targets. Credential sets are treated as independent objects from the Targets they are related to.

Access Levels

Access Level   Description
Manager        Start scans on targets and edit objects that reside within their assigned Access Realms.
Reader         Inspect in depth the objects that reside within their assigned Access Realms.
Summary        Only see object overviews and brief summaries about the objects that reside within their assigned Access Realms.

Access Realm + Access Level

Access Realms and Access Levels work together to give the user permissions on ER2. Assigning Access Realms to a user allows a user access to resources in that Realm. Assigning Access Levels to a user grants a user read or write rights for resources the user has access to (through the user’s Access Realm).

How this resolves as Access Realm + Access Level:

  1. The Access Realm determines which elements ER2 displays or hides: objects outside every Access Realm assigned to the user are not shown.
  2. The Access Level then determines whether the user has read or write access to the displayed elements: Manager grants write access, while Reader and Summary grant read access at different depths.
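To make the resolution rule concrete, the following is an added Python model of Access Realm + Access Level resolution written for this page; it is an illustration, not Ground Labs code. It assumes that a Target Group Access Realm covers the Targets in that group and that Summary < Reader < Manager is the ordering used for "most permissive"; the users alice and bob, their grants and the resources are constructed sample data.

```python
"""Added illustration of ER2-style permission resolution (not Ground Labs code).

Modelled from the page: Access Realms scope objects (Global covers every
Target Group, Target and Credential), Access Levels grant Summary/Reader/
Manager rights inside that scope, conflicts resolve to the most permissive
grant, and Credentials are objects independent of the Targets that use them.

Assumptions not stated on the page: a Target Group realm covers the Targets
in that group, and Summary < Reader < Manager is the "most permissive" order.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Access Levels; a larger value is more permissive (assumed ordering)."""
    SUMMARY = 1
    READER = 2
    MANAGER = 3


@dataclass(frozen=True)
class Realm:
    """Access Realm. kind: 'global', 'group', 'target' or 'credential'; name is None for Global."""
    kind: str
    name: Optional[str] = None


@dataclass(frozen=True)
class Resource:
    """An ER2 object: kind is 'group', 'target' or 'credential'.
    group (assumption) is the Target Group a Target belongs to."""
    kind: str
    name: str
    group: Optional[str] = None


def realm_covers(realm: Realm, res: Resource) -> bool:
    """True when the resource lies within the Access Realm's scope."""
    if realm.kind == "global":
        return True                                   # Global covers every object
    if realm.kind == "group":                         # assumption: a group realm covers its targets
        return (res.kind == "group" and res.name == realm.name) or (
            res.kind == "target" and res.group == realm.name)
    if realm.kind == "target":
        return res.kind == "target" and res.name == realm.name
    if realm.kind == "credential":                    # credential sets are independent objects
        return res.kind == "credential" and res.name == realm.name
    return False


def effective_level(grants: dict, res: Resource) -> Optional[Level]:
    """Access Realm + Access Level resolution for one user (grants: Realm -> Level).
    Objects covered by no realm resolve to None (hidden); among covering realms
    the most permissive level wins."""
    levels = [lvl for realm, lvl in grants.items() if realm_covers(realm, res)]
    return max(levels) if levels else None


def can_write(grants: dict, res: Resource) -> bool:
    return effective_level(grants, res) == Level.MANAGER


def can_read(grants: dict, res: Resource) -> bool:
    lvl = effective_level(grants, res)
    return lvl is not None and lvl >= Level.READER


def escalated_by_overlap(grants: dict, resources: list) -> list:
    """Audit helper: resources where a narrower realm raises the user's level
    above the Global grant. These overlaps are where 'most permissive wins' bites."""
    global_lvl = grants.get(Realm("global"))
    if global_lvl is None:
        return []
    return [r for r in resources if effective_level(grants, r) > global_lvl]


# Constructed sample data (not from the page).
RESOURCES = [
    Resource("group", "prod"),
    Resource("target", "db01", group="prod"),
    Resource("target", "web01", group="prod"),
    Resource("credential", "db01-creds"),
]

# alice: Global Summary plus Manager on one target -> Manager on db01, Summary elsewhere.
ALICE = {Realm("global"): Level.SUMMARY, Realm("target", "db01"): Level.MANAGER}
# bob: Manager on db01 only -> the credential set that target uses stays hidden.
BOB = {Realm("target", "db01"): Level.MANAGER}


if __name__ == "__main__":
    for name, grants in (("alice", ALICE), ("bob", BOB)):
        for res in RESOURCES:
            lvl = effective_level(grants, res)
            print(f"{name}: {res.kind}/{res.name}: {lvl.name if lvl else 'hidden'}")
    print("alice escalated on:", [r.name for r in escalated_by_overlap(ALICE, RESOURCES)])
```

Two points the model makes visible: because the most permissive grant wins, a broad low-level grant (Global Summary) combined with a narrow high-level grant yields Manager on that one object, which is what escalated_by_overlap lists when reviewing a user's Access Control List entries; and a Manager grant on a Target does not reach the Credential set that Target uses, which needs its own Credential Access Realm.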

Permissions Tables

The following table summarizes the components users can access in the Web Console based on their Access Realm + Access Level. The columns of the table are:

  • Global Manager
  • Target Group / Target Manager
  • Global Reader
  • Target Group / Target Reader
  • Global Summary
  • Target Group / Target Summary

The rows are the Web Console components:

  • DASHBOARD
  • TARGETS
  • SCANNING
      • SCHEDULE MANAGER
      • DATA TYPE PROFILES
      • TARGET CREDENTIAL MANAGER
      • GLOBAL FILTER MANAGER
  • NETWORK CONFIGURATION
      • ACTIVE DIRECTORY MANAGER
      • AGENT MANAGER
      • MAIL SETTINGS
      • NETWORK DISCOVERY
  • USERS AND SECURITY
      • USER ACCOUNTS
      • MANAGE ROLES
      • ACCESS CONTROL LIST
  • MONITORING AND ALERTS
      • NOTIFICATIONS AND ALERTS
      • ACTIVITY LOG
      • SERVER INFORMATION
  • DOWNLOADS
      • NODE AGENT DOWNLOADS
  • MY ACCOUNT
      • MY ACCOUNT DETAILS
      • LICENSE DETAILS

Legend:

  • Access allowed for the given user permission.
  • See Credentials: refer to the Credentials section under Access Realms.

How permissions resolve within these Web Console components will largely depend on the user's Access Level.

This will determine the user’s rights when it comes to:

  • Generating reports on the DASHBOARD.
  • Scanning and managing Targets in the TARGETS Page.
  • Whether the user can add or edit resources e.g. new entries in Data Type Profiles.

The following table summarizes the actions allowed based on a user’s Access Level:

Section: DASHBOARD
  Generate Reports
    Manager: Global Summary Report, Target Group Report, Target Report
    Reader:  Global Summary Report, Target Group Report, Target Report
    Summary: Global Summary Report

Section: TARGETS
  Start Search/Scan
    Manager: Start Scan
  Remediate Results
    Manager: Remediate
  Manage Target
    Manager: Add and edit Targets
    Reader:  View Targets

Section: SCANNING > SCHEDULE MANAGER
  Scheduled Scans
    Manager: Add Scheduled Scan (by starting a new scan)
    Reader:  View Scheduled Scans

Section: SCANNING > DATA TYPE PROFILES
  Manage Data Type Profiles
    Manager: Add and edit Data Type Profiles
    Reader:  View Data Type Profiles