User access can be controlled at several levels to limit what users can see and do.

Role Level

Within an account, access to data (and functionality) is controlled by user roles. There are three user roles: Administrator, Analyst and Member.

Administrator

Administrators Can

  • See all data
  • Scan any node and run any policy
  • Add, remove or edit any nodes
  • Add, change access for, or remove, all users
  • Schedule jobs
  • Change appliance settings (Enterprise only)

Member

Members Can

  • Only see data for node groups they are members of
  • Scan and run policies only for nodes in groups they are members of

Members Cannot

  • Access node data for nodes in groups they are not members of
  • Scan or run policies for nodes in groups they are not members of
  • Schedule jobs
  • Manage user access
  • Change appliance settings (Enterprise)

Analyst

Analysts Can

  • See all data

Analysts Cannot

  • Scan nodes or run policies
  • Schedule jobs
  • Manage user access
  • Change appliance settings (Enterprise)

Account Level

For Enterprise users (appliance), increased separation of access can be attained by splitting nodes between accounts. When additional accounts are added to an appliance, only users who are explicitly granted access to the new account will have access to nodes and data within that account. Full role-based access also applies within additional accounts.

Appliance Level

For complete separation of both access and data, nodes can be split between appliances. In these instances, not only is user access completely segmented, but data storage is also separated.

Member Users and Node Group Membership

The main purpose for assigning Member status to a user is to restrict their access to a subset of the nodes in your account. That is, Member users can view, scan and run policies on all nodes that belong to node groups they have been assigned to.

Adding a Member User to a Node Group

Navigate to Discover > Monitored and locate the node group you want to assign a user membership to. Hovering your mouse over the node count for a particular node group should reveal a gear icon. Here, we are hovering our mouse over the All Nodes node group’s gear icon.

Clicking the gear icon will reveal options associated with the node group. To manage user membership, click on the Users option.

To add a new user to the group, click the Add User to Group button.

Locate the user or users you want to assign to the group and click Select next to each user. Close the Select users window when finished.

Example Use Case

You are the Engineering and Operations manager and you have the following nodes installed and monitored with UpGuard Core.

| Environment | Web Server Node | Database Node |
|-------------|-----------------|---------------|
| development | web-dev         | db-dev        |
| production  | web-prod        | db-prod       |

As an Administrator user, you can see, scan and run policies on all nodes. However, you manage a few teams of people who should each be restricted to only see and manage the nodes they are responsible for.

| Team            | Nodes they manage                                        |
|-----------------|----------------------------------------------------------|
| Developers      | Only nodes in the development environment.               |
| Production Team | Only nodes in the production environment.                |
| Database Admins | Only the database nodes across dev and prod environments. |

To properly restrict access, you would first create a node group for each team so that you can assign users accordingly. Note that a node can be in as few or as many node groups as you desire.

| Node Group       | Nodes we would include in the group |
|------------------|-------------------------------------|
| Development Team | web-dev, db-dev                     |
| Production Team  | web-prod, db-prod                   |
| Database Team    | db-dev, db-prod                     |

You would next invite your teams to UpGuard Core as Member users. When they first register, they should not be able to see any nodes, because they are Member users who have not yet been assigned membership in any node group.

As users register, you can then assign them to the appropriate node group. If you happen to have an Engineer who works in both the Production and Database Teams, assign them as members of both the Production Team and Database Team node groups.
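
The role rules and node groups from this use case can be modelled to check who ends up with access to what before you assign memberships. The following is an added example, not UpGuard code and not a call to any UpGuard API; the user names and function names are hypothetical, and a Member's access is taken to be the union of the node groups they belong to.

```python
# Added illustration: models the role and node-group rules described on this
# page. It is not UpGuard code and does not call any UpGuard API.
ROLE_RULES = {                      # role -> (sees all nodes, may scan / run policies)
    "Administrator": (True, True),
    "Analyst": (True, False),
    "Member": (False, True),        # limited to nodes in the user's node groups
}

# Node groups from the example use case (every node is in at least one group).
NODE_GROUPS = {
    "Development Team": {"web-dev", "db-dev"},
    "Production Team": {"web-prod", "db-prod"},
    "Database Team": {"db-dev", "db-prod"},
}
ALL_NODES = set().union(*NODE_GROUPS.values())

# Constructed sample users (hypothetical names): role plus group memberships.
USERS = {
    "manager": ("Administrator", set()),
    "auditor": ("Analyst", set()),
    "dev1": ("Member", {"Development Team"}),
    "dba1": ("Member", {"Database Team"}),
    "eng1": ("Member", {"Production Team", "Database Team"}),
    "new-hire": ("Member", set()),  # registered, not yet in any node group
}

def visible_nodes(user):
    """Nodes whose data the user can see."""
    role, groups = USERS[user]
    sees_all, _ = ROLE_RULES[role]
    if sees_all:
        return set(ALL_NODES)
    return set().union(*(NODE_GROUPS[g] for g in groups))

def scannable_nodes(user):
    """Nodes the user can scan or run policies on."""
    role, _ = USERS[user]
    _, may_scan = ROLE_RULES[role]
    return visible_nodes(user) if may_scan else set()

def over_exposed(user, intended):
    """Nodes the user can see beyond the intended set (least-privilege check)."""
    return visible_nodes(user) - set(intended)

if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(visible_nodes(name)), sorted(scannable_nodes(name)))
```

Note that eng1, who belongs to both the Production Team and Database Team groups, also gains access to db-dev through the Database Team group; `over_exposed` makes that kind of overlap visible when group contents cut across environments.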

What Next?

To enable Two Factor Authentication for users, please view our guide on Two Factor Authentication.
