User Management

Vulnerability ProtectionDeep Security has Users, Roles, and Contacts which are found under Administration > User Management.

A User is a Vulnerability ProtectionDeep Security account holder who can sign in to the Vulnerability ProtectionDeep Security Manager with a unique username and password. Users are assigned a Role which is a collection of permissions to view data and perform operations within Vulnerability ProtectionDeep Security Manager. Contacts do not have a User account and cannot sign in to Vulnerability ProtectionDeep Security Manager but they can be designated as the recipients of email notifications and scheduled Reports.

Although Contacts cannot sign in to Vulnerability ProtectionDeep Security Manager, they are assigned Roles that define the scope of the information that is sent to them. For example, three Contacts may each be listed as the recipients of a weekly Summary Report but the contents of the three Reports could be entirely different for each Contact depending on the computers that their Roles give them "View" permissions on.

Role-Based Access Rights and Editing Privileges

Access rights and editing privileges are attached to Roles and not to Users. To change the access rights and editing privileges of an individual User, the User must be assigned a different Role, or the Role itself must be edited.

Role-Based Access to Computers and Policies

The access that Roles have to computers and Policies can be restricted to subsets of computers and Policies. This can be controlled at a fairly granular level. For example, Users can be permitted to view all existing computers, but only permitted to modify those in a particular Group. To edit a Role, go to Administration > User Management > Roles and double-click a Role (or click the New... button) to display the Roles Properties window.

Role-Based Editing Privileges

Within those access restrictions, Roles can have limitations placed on their editing privileges.

User rights

A Role can give Users delegated rights over other Users. That is, the Users with that Role can create and modify the properties of Users only with equal or less access than themselves.

Default Settings for Full Access, Auditor, and New Roles

The following table identifies the default rights settings for the Full Access Role and the Auditor Role. Also listed are the rights settings that are in place when creating a new Role by clicking New in the toolbar on the Roles page.

RIGHTS	SETTINGS BY ROLE
General	Full Access Role	Auditor Role	New Role Defaults
Access to DSMVPM User Interface	Allowed	Allowed	Allowed
Access to Web Service API	Allowed	Allowed	Not allowed
Computer Rights	Full Access Role	Auditor Role	New Role Defaults
View	Allowed, All Computers	Allowed, All Computers	Allowed, All Computers
Edit	Allowed, All Computers	Not allowed, All Computers	Not allowed, All Computers
Delete	Allowed, All Computers	Not allowed, All Computers	Not allowed, All Computers
Dismiss Alerts for	Allowed, All Computers	Not allowed, All Computers	Not allowed, All Computers
Tag Items for	Allowed, All Computers	Not allowed, All Computers	Not allowed, All Computers
Allow viewing of non-selected computers and data (e.g. events, reports)	Allowed	Allowed	Allowed, All Computers
Allow viewing of events and alerts not related to computers	Allowed	Allowed	Allowed, All Computers
Allow new computers to be created in selected Groups	Allowed	Not allowed	Not allowed
Allow sub-groups to be added or removed in selected Groups	Allowed	Not allowed	Not allowed
Allow computer file imports	Allowed	Not allowed	Not allowed
Allow Directories to be added, removed and synchronized	Allowed	Not allowed	Not allowed
Allow VMware vCenters to be added, removed and synchronized	Allowed	Not allowed	Not allowed
Allow Cloud Accounts to be added, removed and synchronized	Allowed	Not allowed	Not allowed
Policy Rights	Full Access Role	Auditor Role	New Role Defaults
View	Allowed, All Policies	Allowed, All Policies	Allowed, All Policies
Edit	Allowed, All Policies	Not allowed, All Policies	Not allowed, All Policies
Delete	Allowed, All Policies	Not allowed, All Policies	Not allowed, All Policies
View non-selected Policies	Allowed	Allowed	Allowed
Create new Policies	Allowed	Not allowed	Not allowed
Import Policies	Allowed	Not allowed	Not allowed
User Rights (See note on User rights below)	Full Access Role	Auditor Role	New Role Defaults
View Users	Allowed	Allowed	Not allowed
Create Users	Allowed	Not allowed	Not allowed
Edit User Properties	Allowed	Not allowed	Not allowed
Delete Users	Allowed	Not allowed	Not allowed
View Roles	Allowed	Allowed	Not allowed
Create Roles	Allowed	Not allowed	Not allowed
Edit Role Properties	Allowed	Not allowed	Not allowed
Delete Roles	Allowed	Not allowed	Not allowed
Delegate Authority	Allowed	Not allowed	Not allowed
Other Rights	Full Access Role	Auditor Role	New Role Defaults
Alerts	Full (Can Dismiss Global Alerts)	View-Only	View-Only
Alert Configuration	Full (Can Edit Alert Configurations)	View-Only	View-Only
IP Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
Port Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
Schedules	Full (Can Create, Edit, Delete)	View-Only	View-Only
System Settings (Global)	Full (Can View, Edit System Settings (Global))	View-Only	Hide
System Information	Full (Can View System Information, Can Edit and Decommission Manager Nodes, Can Manage System Extensions)	View-Only	Hide
Diagnostics	Full (Can Create Diagnostic Packages)	View-Only	View-Only
Tagging	Full (Can Tag (Items not belonging to Computers), Can Delete Tags, Can Update Non-Owned Auto-Tag Rules, Can Run Non-Owned Auto-Tag Rules, Can Delete Non-Owned Auto-Tag Rules)	View-Only	View-Only
Tasks	Full (Can View, Add, Edit, Delete Tasks, Execute Tasks)	View-Only	Hide
Multi-Tenant Administration	Full	Hide	View-Only
Scan Cache Configuration Administration	Full	View-Only	View-Only
Contacts	Full (Can View, Create, Edit, Delete Contacts)	View-Only	Hide
Licenses	Full (Can View, Change License)	View-Only	Hide
Updates	Full (Can Add, Edit, Delete Software; Can View Update For Components; Can Download, Import, Apply Update Components; Can Delete Vulnerability ProtectionDeep Security Rule Updates)	View-Only	Hide
Asset Values	Full (Can Create, Edit, Delete Asset Values)	View-Only	View-Only
Certificates	Full (Can Create, Delete SSL Certificates)	View-Only	View-Only
Relay Groups	Full	View-Only	View-Only
Proxy	Full	View-Only	View-Only
Malware Scan Configuration	Full (Can Create, Edit, Delete Malware Scan Configuration)	View-Only	View-Only
Quarantined File	Full (Can Delete, Download Quarantined File)	View-Only	View-Only
Web Reputation Configuration	Full	View-Only	View-Only
Directory Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
File Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
File Extension Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
Firewall Rules	Full (Can Create, Edit, Delete Firewall Rules)	View-Only	View-Only
Firewall Stateful Configurations	Full (Can Create, Edit, Delete Firewall Stateful Configurations)	View-Only	View-Only
Intrusion Prevention Rules	Full (Can Create, Edit, Delete)	View-Only	View-Only
Application Types	Full (Can Create, Edit, Delete)	View-Only	View-Only
MAC Lists	Full (Can Create, Edit, Delete)	View-Only	View-Only
Contexts	Full (Can Create, Edit, Delete)	View-Only	View-Only
Integrity Monitoring Rules	Full (Can Create, Edit, Delete)	View-Only	View-Only
Log Inspection Rules	Full (Can Create, Edit, Delete)	View-Only	View-Only
Log Inspection Decoders	Full (Can Create, Edit, Delete)	View-Only	View-Only

Note on User Rights

The User Rights area on the User Rights tab of the Role Properties window has three general User rights options (Change own password and contact information only, Create and manage users with equal or less access, and Have full control over all Roles and users) and a Custom option.

The custom settings corresponding to the Change own password and contact information only option are listed in the following table:

Custom settings corresponding to "Change own password and contact information only" option
Users
Can View Users	Not allowed
Can Create New Users	Not allowed
Can Edit User Properties (User can always edit select properties of own account)	Not allowed
Can Delete Users	Not allowed
Roles
Can View Roles	Not allowed
Can Create New Roles	Not allowed
Can Edit Role Properties (Warning: conferring this right will let users with this Role edit their own rights)	Not allowed
Can Delete Roles	Not allowed
Delegate Authority
Can only manipulate users with equal or lesser rights	Not allowed

The custom settings corresponding to the Create and manage users with equal or less access option are listed in the following table:

Custom settings corresponding to "Create and manage users with equal or less access" option
Users
Can View Users	Allowed
Can Create New Users	Allowed
Can Edit User Properties (User can always edit select properties of own account)	Allowed
Can Delete Users	Allowed
Roles
Can View Roles	Not allowed
Can Create New Roles	Not allowed
Can Edit Role Properties (Warning: conferring this right will let users with this Role edit their own rights)	Not allowed
Can Delete Roles	Not allowed
Delegate Authority
Can only manipulate users with equal or lesser rights	Allowed

The custom settings corresponding to the Have full control over all Roles and users option are listed in the following table:

Custom settings corresponding to "Have full control over all Roles and users" option
Users
Can View Users	Allowed
Can Create New Users	Allowed
Can Edit User Properties (User can always edit select properties of own account)	Allowed
Can Delete Users	Allowed
Roles
Can View Roles	Allowed
Can Create New Roles	Allowed
Can Edit Role Properties (Warning: conferring this right will let users with this Role edit their own rights)	Allowed
Can Delete Roles	Allowed
Delegate Authority
Can only manipulate users with equal or lesser rights	N/A