Access control layer

The senhasegura Access Control Layer is based on permission roles.

senhasegura provides roles that make it easy to grant superpowers to administrators and the technical functions for different user types.

When the user has access to a module or has permission to act, the senhasegura has validated that this user is associated with a role that grants him these powers.

A role can give the user the following powers:

• Which modules it can access

• Run procedures related to the module

• Which module features the user can list

• View details of a record related to the module

Imagine that a user can query all credentials and devices registered in the senhasegura but cannot register new ones or delete existing ones. You will need to watch and assign the user the correct permissions to avoid abuse of privileges.

Since some operations apply to particular user profiles, which makes direct assignment difficult, the senhasegura provides a list of pre-registered roles with access models that enforce the principle of least privilege.

That is, each role will receive only the permissions that match its responsibility.

Each Role is named as a position of responsibility that a person has.

By assigning permissions to the Role and later assigning these roles to a user, we can easily manage the operations of the senhasegura using only the 25 Roles that senhasegura provides in its default installation.

The administrator links users to the desired roles so that the user has access to the relevant modules, screens, and operations.

Default Roles

Now that you are aware of how the entities that make up the senhasegura access control layers work and are related, let's introduce the 25 standard senhasegura roles.

• System Administrator: Administrative access to all modules and Orbit

• System User: Basic user with access to all modules

• System Auditor: Access for auditors to all modules

• Read only: Read-only access to all modules

• DSM Administrator: Manages all the features of the DSM module

• Cloud Administrator: Manages all the resources of the Cloud module

• Information Administrator: Manages all information resources

• Behavior Administrator: Manages all User Behavior parameters

• Domum Administrator: Manages all Domum parameters, groups and suppliers

• Domum Operator: Responsible role for requesting access for employees and third-party users

• Domum Operator - Third-party: Responsible role for requesting access for third-party users.

• Domum Basic internal user: basic access for internal users in Domum. With this role, users can start sessions, view passwords and create credentials.

• Domum Third-party user: Third-party workspace

• Task Manager Administrator: Manage all features of the Task Manager module

• Executions Administrator: Manage all resources of the Execution system

• go Administrator: Manage all senhasegura.go system resources

• go Auditor: Auditor's access to the senhasegura.go system

• Scan Discovery Administrator: Manage all Discovery features

• Certificates Administrator: Manage all features of the Certificate Manager module

• Certificates Approver: Role responsible for approving a request related to the Certificate Manager module

• Certificates Operator: Responsible role for requesting actions related to the Certificate Manager module

• PAM Administrator: Manages all PAM resources

• PAM Operator: Manage PAM resources such as devices, credentials, session and access control parameters

• PAM User: Default PAM user, able to see credentials and start sessions

• PAM Auditor: Auditors' access to PAM

• PAM Approver: Role responsible for credential and session approval

Permissions

Access the menu Settings ➔ User Management ➔ Permissions to view the existing permissions in the system and their respective functions:

A2A

User Behavior

Certificate Manager

Change Audit

Cloud IAM

Discovery

Domum Remote Access

DevOps Secret Manager

Executions

GO Endpoint Manager

Personal Vault

PAM Core

Provisioning

senhasegura platform - Settings

Task Manager

senhasegura platform - Access Control

Settings

Access Control

System Settings

Cloud

Creating new roles

The roles delivered by senhasegura roles are adequate for the administrator to distribute them to users. But sometimes, it may be necessary that a user receives less access than the registered roles offer.

An appropriate division of responsibilities is reflected in the access privileges granted to users becomes necessary for the proper, efficient, and secure execution of the activities of the senhasegura . For this, we use the concept of Segregation of Duties (SoD).

Let's use as an example a consultant who needs to look only at the operational reports of the module Certificate Manager without being able to perform actions.

In this case, we do not recommend that the roles System Administrator, Certificates Administrator and PAM Auditor be assigned. This would be a great risk for the company, as it would grant you more access than necessary.

We will then create a new Role for this user.

1. Go to the menu Settings ➔ User Management ➔ Roles to list the registered roles;

2. Using the report action, go to the registration form and register a new role called Certificate Audit.;

3. Describe the purpose of this role;

4. Go to the Permissions tab;

5. Add the permissions that this role can perform.
   You can filter permissions by: Type, Module and even Description.
   In the case of this example, the permissions that will be added are:

   • CertificateManager.Dashboards.View: View Certificate Manager dashboards

   • CertificateManager.Reports.List: Lists all reports and events related to certificates

   • CertificateManager.Reports.View: View all certificate-related reports and events

   • For permissions to be granted correctly, pay attention to the type of each:
   • List: Permissions to listing in reports
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   • 
     
   
   

   • View: Permissions to displaying operation details

   • Write: Permissions for configuring, registering, and changing system records

   • Delete: Permissions for inactivating system records

   • Action: This type concentrates actions of administrative operations specific to each module

6. On the Users tab, add the users that should be associated with this role.
   If the user you want to associate is not yet created you can skip this step.

7. Click Save

Cloning existing Roles

You can also create a new Role based on an existing one. At the Roles report, every record has a Clone action. Clicking on it, senhasegura will create a new Role record based on the choosed record. This new Role can be edited by the administrator adding or removing permissions and users.

User Registration

To create a user, click on the quick action button User, and on the screen will appear the following steps:

1. Set a username. This name is the user representation on the other screens

2. Set the username

3. Into the password field:

4. Leave password field blank if the email service was defined; or

5. Manually enter the password while the email service is not defined

6. The field Ignore two factor authentication? indicates if this user have no obligation to register and use 2FA OTP token when using the senhasegura 

   Caution

   This field is not available if the current user is trying to change their own account and it only appears in the edition mode.

7. Confirm that user status is active in the Status field;

8. Confirm that administrator user has access to Orbit through the Access to Orbit field;

   Caution

   Be careful about accounts in charge to manage the Orbit Portal. Do not grant without concern a user to do this. Orbit Portal has many services control's. See the Orbit documentation for more details.

9. On the Roles tab, select the roles that should be assigned to this user.
   As an example, suppose this user should only consult credentials and perform remote sessions, in this screen, the role PAM User should be added.;

   Caution

   It is possible to add more than one role to a user. However, the administrator must be careful that the roles added do not conflict with the user's activities, giving them higher powers than their responsibilities.

10. On the Access Groups tab, select the access group the user will be part of, that is, the limit of credentials the user will be able to interact with.

11. Save user with Save button;

It is now necessary to perform this user validation. Ask the user who owns this account to access senhasegura and log in first. They will be prompted to change the temporary password in compliance with the default security criteria.

Forgetting a user

senhasegura provides a mechanism to guarantee the right to be forgotten, by being notified by a user that he wishes his data to be removed from the application.

Besides if requested by the user senhasegura can provide a complete report of the data that has been collected from him like:

• Name

• Telephone

• E-mail

• List of accesses with IP, browser, location and time.

This report can be extracted as an action from the user's screen.

Whenever a report is issued or a user is forgotten alerts are sent to Syslog and e-mail notifications can also be registered.

To forget a user go to Settings ➔User management ➔ Users in the line of the user you wish to forget, go to the Action column and choose Forget user.

Users form

 

Import Users

To import users to senhasegura , go to the menu: Settings ➔ System users ➔ Batch import.

Click the Choose File button to select the file to import and select the desired file and click the Open button.

Click the Import Users button to complete the import.

Tokens

Any user can configure his own account to use two steps authentication. You can also force all users to use it at specific actions.

You can see how many users is using two steps authentication, and either cancel tokens, under the report Settings ➔ Authentication ➔ Multi-factor authentication.

Inactivating a user

To inactivate a user, see the following steps:

1. Go to the user's report on: Settings ➔ System users ➔ Users;

2. Filter the report with the desired filtered and locate the registry of the user you wish to inactivate;

3. Click on the action button Change;

4. In the user's form, change the key State to Inactive;

5. Save changes by clicking on the Save button

Auditing

The permission system audit reports are divided into reports that help identify the permissions that a user has, and reports that help identify changes that have occurred in the permission system.

So the administrator will be able to identify security holes that have occurred or are still vulnerable.

Through the module Reports, you will have access to several audit reports of senhasegura . At this book, we will focus only on the reports pertinent to the The Access Control Layer.

In the Permissions menu you have access to the following reports:

• Roles by user:

  • Check which roles have been assigned to each user

  • Even inactive users are considered

  • The filter can be user-based, role-based, or both

• Permissions by user

  • Check which permissions have been granted to each user

  • The filter can be based on user, permission or both

• Audit logs

  • View history of changes made to roles

  • You can identify which users made the change when they made it and what was changed

  • Filter by period, user, and operation

• Permissions migration

  • See which roles compared to the permission system of previous versions of the senhasegura were added, kept, or removed

  • The filter can be based on user code, permission or status