With the release of the New Alert Logic Console Universal Navigation comes role-based access controls, which provide a unified way to manage authorization of and access controls for users. The addition of role-based access controls simplifies the management of user permissions in the Alert Logic® console.
This article provides you detailed information on the five user roles available, as well as how these roles map to the user permissions, so that you can knowledgeably choose the appropriate user roles for your team.
Note: The phrase "assigned account" below refers to your own Alert Logic account. This is the default account that you will land on after you log in with your Alert Logic credentials.
Note: The phrase "managed account" below refers to any accounts that may be attached to your assigned account. These are like 'child' accounts that you can switch into. Managed accounts are used by decentralized organizations that want clear segregation between business units or by service providers with multiple customers.
In This Article
User Roles
The following are the user roles available within the Alert Logic console:
Note: Checking the Notification Target Only box when creating or editing a user will allow the user to receive notifications but not access the products.
- Administrator. The Administrator role allows you full management and read access on your assigned and managed accounts. This role is the only one that can create or delete users for both assigned and managed accounts. It also allows you to control features for your assigned and managed accounts.
- Use this role primarily for user management and sparingly for your master and super-user account.
- Owner. The Owner role allows full management and read access for the user account they are assigned, but do not have the ability to edit other user accounts. Owners also have full read and modify permissions to any managed accounts, including the ability to edit users on the managed accounts. Owner accounts cannot create or delete users in managed accounts.
- Use this role to delegate daily configuration management activities on your assigned and managed accounts that do not include user management.
- Power User. The Power User role is similar to the Owner role, but with view-only access to your managed accounts. You can do configuration management on your assigned account but can only view the information on your managed accounts - not change it. You cannot do any user management.
- Use this role to delegate configuration management activities on your assigned account, but not to delegate management of managed accounts or of users.
- Support/Care. The Support/Care role provides read access to your assigned and managed accounts.
- Use this role to delegate read access to your assigned and managed accounts for individuals that need to be able to support and troubleshoot on these accounts.
- Read Only. The Read Only user has read-only access to your assigned account and cannot view information on your managed accounts.
- Use this role if you want to delegate visibility to your assigned account but do not want any visibility on your managed accounts.
The table below gives you a visualized understanding of the privileges of each role. It is important to note while reviewing the privileges that you only have downstream access to your accounts. If your account is managed, none of these roles allow you to see within the accounts above yours.
| Administrator | Owner | Power User | Support/Care | Read Only | |
| Full Access & User Management | X | ||||
| Modify Managed Accounts | X | X | |||
| Modify Assigned Accounts | X | X | X | ||
| Read Managed Accounts | X | X | X | X | |
| Read Assigned Accounts | X | X | X | X | X |
Mapping of Roles to User Permissions
The roles outlined above map directly to the deprecated permissions. Utilize this information to choose the appropriate user roles for your team:
| Administrator | Owner | Power User | Support/Care | Read Only | |
| Create new users | X | ||||
| Create new managed account users | X | ||||
| Delete users | X | ||||
| Delete managed account users | X | ||||
| Lock users out of console | X | ||||
| Lock managed account users out of console | X | ||||
| Modify users | X | ||||
| Modify managed account users | X | X | |||
| Run reports | X | X | X | X | X |
| Run reports on managed accounts | X | X | X | X | |
| Configure filters | X | X | X | ||
| Configure managed account filters | X | X | |||
| View managed account events | X | X | X | X | |
| Create managed accounts | X | ||||
| Modify incidents | X | X | X | ||
| Issue containment requests | X | X | X | ||
| Modify signature details | X | X | |||
| Modify global configuration | X | ||||
| Modify managed account global configuration | X | X | |||
| View event packet payload | X | X | X | X | X |
| Modify scan settings | X | X | X | ||
| Modify managed account scan settings | X | X | X | ||
| Modify tags | X | X | X | ||
| Modify managed account tags | X | X | |||
| Manage custom reports | X | ||||
| Modify log policy | X | X | X | ||
| Modify managed account log policy | X | X | |||
| Modify log correlation policy | X | X | X | ||
| Modify managed account log correlation policy | X | X | |||
| Access public API | X | X | X | X | X |
| Impersonate other users via API | X | X | |||
| View log credentials | X | X | X | X | X |
| View log collection statuses | X | X | X | X | X |
| View managed account log collection statuses | X | X | X | X | |
| Modify security options | X | X | X | ||
| Modify managed account security options | X | X | |||
| Hide vulnerabilities | X | X | X | ||
| View Management tab | X | X | X | X | |
| Create and edit cases | X | X | X | X | |
| Modify hosts | X | X | X | ||
| Create and edit custom cases | X | X | X | X | |
| Close cases | X | X | X | X | |
| View Web Security Manager (WSM) configuration | X | X | X | X | X |
| View managed account WSM configuration | X | X | X | X | |
| Modify WSM configuration | X | X | X | ||
| Modify managed account WSM configuration | X | X | |||
| View certificates configuration | X | X | X | X | X |
| View managed account certificates configuration | X | X | X | X | |
| View IDS whitelist configuration | X | X | X | X | X |
| View managed account IDS whitelist configuration | X | X | X | X | |
| View notification contacts | X | X | X | X | X |
| Update, create, and delete notification contacts | X | X | X | ||
| View notification policies | X | X | X | X | X |
| Update, create, and delete notification policies | X | X | X | ||
| View notification contact groups | X | X | X | X | X |
| Update, create, and delete notification contact groups | X | X | X | ||
| View notification WebHooks | X | X | X | X | X |
| Update, create, and delete notification WebHooks | X | X | X | ||
| View notification history | X | X | X | X | X |
| Update, create, and delete notification history | X | X | X | ||
| Manage notifications | X | X | X | ||
| Notification target only | X |
Additional Support
If none of the user roles laid out above seem to fit your needs, contact Alert Logic Support for additional guidance.
Comments
0 comments
Please sign in to leave a comment.