Roles
Deep Security uses role-based access control to restrict Users' access to the various parts of the Deep Security system. Once you have installed the Deep Security Manager, create an individual account for each User and assign each User a Role that restricts their activities to those necessary for the completion of their duties.
Deep Security comes pre-configured with two Roles:
- Full Access: The Full Access Role grants the User all possible privileges for managing the Deep Security system, including creating, editing, and deleting computers, computer groups, Policies, Rules, Malware Scan Configurations, and others.
- Auditor: The Auditor Role gives the User the ability to view all the information in the Deep Security system but without the ability to make any modifications, except to their own personal settings such as password, contact information, dashboard layout preferences, and others.
Depending on the level of access granted, controls in the Manager interface will be either visible and changeable, visible but disabled, or hidden. For a list of the rights granted in the pre-configured Roles, as well as the default rights settings when creating a new Role, see User Management.
You can create new Roles that restrict Users from editing or even seeing Deep Security objects such as specific computers, the properties of security Rules, or the System Settings.
Before creating User accounts, identify the Roles that your Users will take and itemize which Deep Security objects those Roles will require access to and what the nature of that access will be (viewing, editing, creating, etc.). Once you have created your Roles, you can begin creating User accounts and assigning them specific Roles.
Do not create a new Role by duplicating and then modifying the Full Access Role. To ensure that a new Role only grants the rights you intend, create the new Role by clicking New in the toolbar. The rights for a new Role are set to the most restrictive settings by default, so you can then grant only the rights that are required. If you instead duplicate the Full Access Role and then apply restrictions, you risk leaving in place rights that you did not intend to grant.
From the main page you can:
- Create New Roles
- Examine or modify the Properties of an existing Role
- Duplicate (and then modify) existing Roles
- Delete a Role
Clicking New or Properties displays the Role properties window with six tabs (General, Computer Rights, Policy Rights, User Rights, Other Rights, and Assigned To).
General
General Information
The name and description of this Role.
Access Type
Select whether Users with this Role will have access to the Deep Security Manager's Web-based user interface, to the Deep Security Manager's Web service API, or to both.
To enable the Web service API, go to Administration > System Settings > Advanced > SOAP Web Service API.
Computer Rights
Computer and Group Rights
Use the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event-tagging rights on Users in a Role. These rights can apply to all computers and computer groups, or they can be restricted to only certain computers. If you wish to restrict access, select the Selected Computers radio button and put a check next to the computer groups and computers that Users in this Role will have access to.
These rights restrictions affect not only the User's access to computers in Deep Security Manager but also what information is visible, including Events and Alerts. Likewise, email notifications are only sent if they relate to data that the User has access rights to.
Four basic options are available:
- Allow viewing of non-selected computers and data: If Users in this Role have restricted edit/delete/dismiss-Alerts rights, you can still allow them to view (but not change) information about other computers by checking this box.
- Allow viewing of events and alerts not related to computers: Set this option to allow Users in this Role to view non-computer-related information (for example, System Events, like Users being locked out, new Firewall Rules being created, IP Lists being deleted, etc.)
The previous two settings affect what data Users can see. Even when Users' ability to change computers has been restricted, these two settings control whether they can see information about computers they do not otherwise have access to, including email notifications about those computers.
- Allow new computers to be created in selected Groups: Set this option to allow Users in this Role to create new computers in the computer groups they have access to.
- Allow sub-groups to be added/removed in selected Groups: Set this option to allow Users in this Role to create and delete sub-groups within the computer groups they have access to.
Advanced Rights
- Allow computer file imports: Allow Users in this Role to import computers using files created with the Deep Security Manager's Computer Export option.
- Allow Directories to be added, removed and synchronized: Allow Users in this Role to add, remove, and synchronize computers that are managed through an LDAP-based directory such as Microsoft Active Directory.
- Allow VMware vCenters to be added, removed and synchronized: Allow Users in this Role to add, remove, and synchronize VMware vCenters.
- Allow Cloud Providers to be added, removed, and synchronized: Allow Users in this Role to add, remove, and synchronize Cloud Providers.
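The following Python model is added here as an illustration and is not code from Deep Security. It shows how the Computer and Group Rights settings above combine: edit, delete and Alert-dismissal rights apply only to the selected computers, while "Allow viewing of non-selected computers and data" and "Allow viewing of events and alerts not related to computers" widen what the User can see, and email notifications follow the same visibility rule. The group tree, computer names, right names and sample events are constructed for the example, and it assumes that selecting a group also covers its sub-groups and the computers in them.

```python
"""Model of computer-scoped Role rights (added example, not Trend Micro code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed group tree: child -> parent (None = top-level group).
GROUP_PARENT = {
    "Datacenter": None,
    "Datacenter/Web": "Datacenter",
    "Datacenter/DB": "Datacenter",
    "Office": None,
}

# Constructed computers and the group each belongs to.
COMPUTER_GROUP = {
    "web-01": "Datacenter/Web",
    "web-02": "Datacenter/Web",
    "db-01": "Datacenter/DB",
    "hr-laptop": "Office",
}


def ancestors(group: str) -> list[str]:
    """Return the group itself and every group above it in the tree."""
    chain = []
    cur: Optional[str] = group
    while cur is not None:
        chain.append(cur)
        cur = GROUP_PARENT[cur]
    return chain


@dataclass(frozen=True)
class ComputerRights:
    all_computers: bool = False                 # "All Computers" radio button
    selected_groups: frozenset = frozenset()    # checked groups (assumed to include sub-groups)
    selected_computers: frozenset = frozenset() # individually checked computers
    view_non_selected: bool = False             # Allow viewing of non-selected computers and data
    view_non_computer_events: bool = False      # Allow viewing of events and alerts not related to computers

    def can_edit(self, computer: str) -> bool:
        """Edit/delete/dismiss-Alert rights exist only for selected computers."""
        if self.all_computers or computer in self.selected_computers:
            return True
        return any(g in self.selected_groups for g in ancestors(COMPUTER_GROUP[computer]))

    def can_view(self, computer: Optional[str]) -> bool:
        """Viewing is wider than editing only when the matching checkbox is set.

        computer=None means an Event or Alert not tied to any computer,
        for example a System Event such as a User being locked out."""
        if computer is None:
            return self.view_non_computer_events
        return self.can_edit(computer) or self.view_non_selected


@dataclass(frozen=True)
class Event:
    computer: Optional[str]
    message: str


def visible_events(rights: ComputerRights, events: list[Event]) -> list[Event]:
    """Hide Events/Alerts outside the Role's scope, as the Manager interface does."""
    return [e for e in events if rights.can_view(e.computer)]


def should_notify(rights: ComputerRights, event: Event) -> bool:
    """Email notifications are gated by the same visibility rule as the interface."""
    return rights.can_view(event.computer)


# Constructed sample Events.
EVENTS = [
    Event("web-01", "Intrusion Prevention rule triggered"),
    Event("db-01", "Anti-Malware scan found a threat"),
    Event("hr-laptop", "Agent offline"),
    Event(None, "User 'alice' locked out"),
]

# Role that may change only the Datacenter/Web group and sees nothing else.
WEB_ADMIN = ComputerRights(selected_groups=frozenset({"Datacenter/Web"}))

# Same change scope, but allowed to view other computers and non-computer events.
WEB_ADMIN_READ_ALL = ComputerRights(
    selected_groups=frozenset({"Datacenter/Web"}),
    view_non_selected=True,
    view_non_computer_events=True,
)

# Selecting the parent group covers its sub-groups (assumption stated above).
DATACENTER_ADMIN = ComputerRights(selected_groups=frozenset({"Datacenter"}))

if __name__ == "__main__":
    for name, r in (("WEB_ADMIN", WEB_ADMIN), ("WEB_ADMIN_READ_ALL", WEB_ADMIN_READ_ALL)):
        print(name, [e.message for e in visible_events(r, EVENTS)])
```

The point to notice is that the two "Allow viewing" checkboxes never add change rights: WEB_ADMIN_READ_ALL can see the database and laptop events and will receive notifications about them, but still cannot edit or dismiss Alerts on those computers.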
Policy Rights
Determines the rights a User in a particular Role has to create, delete, modify, or import Policies.
Policy Rights
Use the Policy Rights panel to confer viewing, editing, and deleting rights on Users in a Role. These rights can apply to all policies, or they can be restricted to only certain policies. If you wish to restrict access, select the Selected Policies radio button and put a check next to the policies that Users in this Role will have access to.
When you allow rights to a policy that has "child" policies, Users automatically get rights to the child policies as well.
Two basic options are available:
- Allow viewing of non-selected Policies: If Users in this Role have restricted edit/delete rights, you can still allow them to view (but not change) information about other policies by checking this box.
- Allow new Policies to be created: Set this option to allow Users in this Role to create new policies.
Advanced Rights
- Allow Policy imports: Allow Users in this Role to import policies using files created with the Deep Security Manager's Export option on the Policies tab.
User Rights
User Rights
The options on the User Rights tab allow you to set what kind of authority Users in this Role have over other Users.
Custom Rights
You can further restrict Users' ability to view, create, edit, and delete Users and Roles by selecting Custom and using the options in the Custom Rights panel. Some options are further restricted if the Can only manipulate Users with equal or lesser rights option is selected (see below).
Delegate Authority
Selecting the Can only manipulate Users with equal or lesser rights option limits the authority of Users in this Role: they can only make changes to Users whose rights are equal to or less than their own. This prevents a delegated administrator from creating or editing a User into a more powerful Role than the administrator's own.
When this option is selected, Users in this Role cannot create, edit, or delete Roles.
Selecting this option also places restrictions on some of the options in the Custom Rights area:
- Can Create New Users: Can only create Users with equal or lesser rights.
- Can Edit User Properties: Can only edit a User (or set/reset password) with equal or lesser rights.
- Can Delete Users: Can only delete Users with equal or lesser rights.
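The following Python model is added here as an illustration and is not code from Deep Security. It expresses the delegation rule above as a subset check: a target Role's rights are "equal or lesser" when they are a subset of the acting User's rights. The right names, Roles and Users are constructed for the example; new Roles start with no rights, matching the restrictive default described earlier.

```python
"""Model of "Can only manipulate Users with equal or lesser rights" (added example, not Trend Micro code)."""
from dataclasses import dataclass

# Constructed right names for illustration; not the Manager's internal identifiers.
FULL_ACCESS = frozenset({
    "computers.view", "computers.edit", "computers.delete",
    "policies.view", "policies.edit", "policies.delete",
    "users.create", "users.edit", "users.delete",
    "roles.create", "roles.edit", "roles.delete",
    "system_settings.edit",
})


@dataclass(frozen=True)
class Role:
    name: str
    rights: frozenset = frozenset()  # a new Role grants nothing until rights are added
    delegate_only: bool = False      # Can only manipulate Users with equal or lesser rights


@dataclass(frozen=True)
class User:
    name: str
    role: Role


class PermissionDenied(Exception):
    pass


def has_equal_or_lesser_rights(target: Role, actor: Role) -> bool:
    """The target Role must not hold any right the actor's Role lacks."""
    return target.rights <= actor.rights


def check_user_action(actor: User, action: str, target_role: Role) -> None:
    """Raise unless `actor` may create/edit/delete a User who holds `target_role`."""
    needed = f"users.{action}"
    if needed not in actor.role.rights:
        raise PermissionDenied(f"{actor.name} lacks {needed}")
    if actor.role.delegate_only and not has_equal_or_lesser_rights(target_role, actor.role):
        extra = sorted(target_role.rights - actor.role.rights)
        raise PermissionDenied(f"{actor.name} cannot {action} a User with rights they lack: {extra}")


def check_role_action(actor: User, action: str) -> None:
    """Roles cannot be created, edited or deleted at all when the delegate option is set."""
    if actor.role.delegate_only:
        raise PermissionDenied(f"{actor.name} may not {action} Roles (delegated authority only)")
    if f"roles.{action}" not in actor.role.rights:
        raise PermissionDenied(f"{actor.name} lacks roles.{action}")


def allowed(check, *args) -> bool:
    """Convenience wrapper: True if the check passes, False if it raises PermissionDenied."""
    try:
        check(*args)
        return True
    except PermissionDenied:
        return False


# Constructed Roles and Users.
FULL = Role("Full Access", FULL_ACCESS)
AUDITOR = Role("Auditor", frozenset({"computers.view", "policies.view"}))
HELPDESK = Role(
    "Helpdesk",
    frozenset({"computers.view", "policies.view", "users.create", "users.edit"}),
    delegate_only=True,
)
ADMIN_USER = User("alice", FULL)
HELPDESK_USER = User("bob", HELPDESK)

if __name__ == "__main__":
    for action, role in (("create", AUDITOR), ("create", FULL), ("edit", HELPDESK), ("delete", AUDITOR)):
        print(f"bob {action} user in {role.name}:", allowed(check_user_action, HELPDESK_USER, action, role))
    print("bob create role:", allowed(check_role_action, HELPDESK_USER, "create"))
```

With the delegate option set, bob can create Auditor Users and edit other Helpdesk Users, but cannot create a Full Access User or touch Roles; without the option, the same Custom Rights would let him grant a new User more than he holds himself.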
Other Rights
Roles can be restricted with respect to the Deep Security objects they can manipulate. The default setting for a new Role is "View Only" or "Hide" for each element, but these rights can be expanded to "Full Control", or customized by choosing "Custom" from the drop-down list.
Assigned To
The Assigned To tab displays a list of the Users who have been assigned this Role.