Pular para o conteúdo principal
Version: 3.23

senhasegura Access Control Layer

The senhasegura Access Control Layer is based on permission roles.

senhasegura provides roles that make it easy to grant superpowers to administrators and the technical functions for different user types.

When the user has access to a module or has permission to act, the senhasegura has validated that this user is associated with a role that grants him these powers.

A role can give the user the following powers:

  • Which modules it can access;

  • Run procedures related to the module;

  • Which module features the user can list;

  • View details of a record related to the module.

Imagine that a user can query all credentials and devices registered in the senhasegura but cannot register new ones or delete existing ones. You will need to watch and assign the user the correct permissions to avoid abuse of privileges.

Since some operations apply to particular user profiles, which makes direct assignment difficult, the senhasegura provides a list of pre-registered roles with access models that enforce the principle of least privilege.

That is, each role will receive only the permissions that match its responsibility, as in the image usr-sistema-00151

Roles and permissions

Each Role is named as a position of responsibility that a person has.

By assigning permissions to the Role and later assigning these roles to a user, we can easily manage the operations of the senhasegura using only the 25 Roles that senhasegura provides in its default installation.

The administrator links users to the desired roles so that the user has access to the relevant modules, screens, and operations.

Users and Roles relationship

Default Roles

Now that you are aware of how the entities that make up the senhasegura access control layers work and are related, let's introduce the 25 standard senhasegura roles.

info

Go to the Settings ➔ User Management ➔ Roles menu and click the Details action button to check which permissions each role has.

  • System Administrator: Administrative access to all modules and Orbit;

  • System User: Basic user with access to all modules;

  • System Auditor: Access for auditors to all modules;

  • Read only: Read-only access to all modules;

  • DSM Administrator: Manages all the features of the DSM module;

  • Cloud Administrator: Manages all the resources of the Cloud module;

  • Information Administrator: Manages all information resources;

  • Behavior Administrator: Manages all User Behavior parameters;

  • Domum Administrator: Manages all Domum parameters, groups and suppliers;

  • Domum Operator: Responsible role for requesting access for employees and third-party users;

  • Domum Operator - Third: Responsible role for requesting access for third-party users;

  • Domum Third-party user: Third-party workspace;

  • Task Manager Administrator: Manage all features of the Task Manager module;

  • Executions Administrator: Manage all resources of the Execution system;

  • go Administrator: Manage all senhasegura.go system resources;

  • go Auditor: Auditor's access to the senhasegura.go system;

  • Scan Discovery Administrator: Manage all Discovery features;

  • Certificates Administrator: Manage all features of the Certificate Manager module;

  • Certificates Approver: Role responsible for approving a request related to the Certificate Manager module;

  • Certificates Operator: Responsible role for requesting actions related to the Certificate Manager module;

  • PAM Administrator: Manages all PAM resources;

  • PAM Operator: Manage PAM resources such as devices, credentials, session and access control parameters;

  • PAM User: Default PAM user, able to see credentials and start sessions;

  • PAM Auditor: Auditors' access to PAM;

  • PAM Approver: Role responsible for credential and session approval;

Permissions

Access the menu Settings ➔ User Management ➔ Permissions to view the existing permissions in the system and their respective functions:

A2A

IDTypePermissionDescription
1DeleteA2A.DeleteDelete A2A resources
2ListA2A.ListList all A2A resources
3ViewA2A.ViewView A2A resources details
4WriteA2A.WriteCreate and update A2A resources

Behavior

IDTypePermissionDescription
5ListBehavior.ListList all Behavior resources
6WriteBehavior.Settings.WriteUpdate Behavior parameters
7ViewBehavior.ViewView Behavior resources details

Certificates

IDTypePermissionDescription
8DeleteCertificateManager.Certificates.DeleteDelete certificates
9ActionCertificateManager.Certificates.LinkLink certificates to devices
10ListCertificateManager.Certificates.ListList all certificates
11ActionCertificateManager.Certificates.PublishPublish certificates
12ActionCertificateManager.Certificates.Revocation.CheckVerifies the revocation of all certificates on OCSP
13ViewCertificateManager.Certificates.ViewShow certificate details
14WriteCertificateManager.Certificates.WriteCreate and update certificates
15ViewCertificateManager.Dashboards.ViewView Certificate Manager dashboards
16ListCertificateManager.Publishing.ListList certificates publishing
17ViewCertificateManager.Publishing.ViewView certificates publishing details
18ListCertificateManager.Reports.ListList all certificate reports and events
19ViewCertificateManager.Reports.ViewView all certificate reports and events
20ListCertificateManager.Requests.Approval.ListList all personal requests pending approval
21ViewCertificateManager.Requests.Approval.ViewList all requests pending approval
22ActionCertificateManager.Requests.ApproveApprove requests
23DeleteCertificateManager.Requests.DeleteDelete certificate requests
24ListCertificateManager.Requests.ListList all requests
25ViewCertificateManager.Requests.ViewShow requests details
26WriteCertificateManager.Requests.WriteEdit certificates requests
27DeleteCertificateManager.Settings.DeleteDelete settings
28ListCertificateManager.Settings.ListList all settings
29ViewCertificateManager.Settings.ViewView all settings details
30WriteCertificateManager.Settings.WriteCreate and update settings

Change Audit

IDTypePermissionDescription
31ViewChangeAudit.Dashboards.ViewView Change Audit dashboards
32DeleteChangeAudit.DeleteDelete Change Audit resources
33ListChangeAudit.ListList all Change Audit resources
34ViewChangeAudit.ViewView Change Audit resources details
35WriteChangeAudit.WriteCreate and update Change Audit resources

Cloud

IDTypePermissionDescription
36ViewCloud.Dashboards.ViewView all Cloud dashboards
37DeleteCloud.Iam.DeleteDelete Cloud IAM resources
38ListCloud.Iam.ListList all Cloud IAM resources
39ViewCloud.Iam.ViewView Cloud IAM resources details
40WriteCloud.Iam.WriteCreate and update Cloud IAM resources
41DeleteCloud.Settings.DeleteDelete Cloud module Settings
42ListCloud.Settings.ListList all Cloud module Settings
43ViewCloud.Settings.ViewView Cloud module Settings details
44WriteCloud.Settings.WriteCreate and update Cloud module Settings
45ListCloud.VirtualMachines.ListList all Virutal Machines resources
46ActionCloud.VirtualMachines.Session.StartStart Virtual Machines sessions
47ViewCloud.VirtualMachines.ViewView Virutal Machines resources details
48ActionCloud.VirtualMachines.SyncRequest Virtual Machines resources syncronization

Discovery

IDTypePermissionDescription
49DeleteScanDiscovery.Discovery.DeleteDelete Discovery resources
50ListScanDiscovery.Discovery.ListList Discovery resources
51ViewScanDiscovery.Discovery.ViewView Discovery resources details
52WriteScanDiscovery.Discovery.WriteCreate and update Discovery resources
53ListScanDiscovery.Reports.ListList all executions audit and logs reports
54ViewScanDiscovery.Reports.ViewView all executions audit and logs reports
55DeleteScanDiscovery.Settings.DeleteDelete Discovery settings
56ListScanDiscovery.Settings.ListList all Discovery settings
57ViewScanDiscovery.Settings.ViewView all Discovery settings details
58WriteScanDiscovery.Settings.WriteCreate and update Discovery settings

Domum

IDTypePermissionDescription
59DeleteDomum.Access.Employees.DeleteDelete employee's access request
60ListDomum.Access.Employees.ListList access requests for employees
61ViewDomum.Access.Employees.ViewView employees access details
62WriteDomum.Access.Employees.WriteCreate and update employee access
63ListDomum.Access.Requests.ListList own requests and approvals
64ViewDomum.Access.Requests.ViewView all details of your requests and approvals
65DeleteDomum.Access.ThirdPartyUsers.DeleteDelete a third-party user access request
66ListDomum.Access.ThirdPartyUsers.ListList access requests for third-party users
67ViewDomum.Access.ThirdPartyUsers.ViewDetail third-party users access details
68WriteDomum.Access.ThirdPartyUsers.WriteCreate and update third-party user access
69ViewDomum.Dashboards.ViewView all Domum's dashboards
70ListDomum.Reports.ListList all Domum's reports
71ListDomum.Settings.ListList all Domum settings and parameters
72ActionDomum.Settings.PanicButtonDrop all access from a group or vendor
73ListDomum.Settings.ThirdPartyUsers.ListList third-party users
74WriteDomum.Settings.ThirdPartyUsers.WriteCreate and update third-party users
75DeleteDomum.Settings.ThirdPartyUsers.DeleteDelete third-party users
76WriteDomum.Settings.WriteCreate and update Domum settings
77DeleteDomum.Settings.DeleteDelete Domum settings
78ViewDomum.ThirdPartyUsers.Desktop.ViewView third-party user desktop

DSM

IDTypePermissionDescription
79DeleteDSM.Applications.DeleteDelete applications authorizations and CI/CD resources
80ListDSM.Applications.ListList all applications authorizations and CI/CD resources
81ViewDSM.Applications.ViewView applications authorizations and CI/CD resources details
82WriteDSM.Applications.WriteCreate and update applications authorizations and CI/CD
83DeleteDSM.Automations.DeleteDelete DSM module Automations
84ListDSM.Automations.ListList all DSM module Automations
85ViewDSM.Automations.ViewView DSM module Automations details
86WriteDSM.Automations.WriteCreate and update DSM module Automations
87ViewDSM.Dashboards.ViewView all DSM dashboards
88DeleteDSM.Secrets.DeleteDelete DSM module Secrets
89ListDSM.Secrets.ListList all DSM module Secrets
90ViewDSM.Secrets.ViewView DSM module Secrets details
91WriteDSM.Secrets.WriteCreate and update DSM module Secrets

Executions

IDTypePermissionDescription
92ListExecutions.Reports.ListList all Executions reports
93ViewExecutions.Reports.ViewView Executions reports details
94DeleteExecutions.Operations.DeleteDelete Executions operations resources
95WriteExecutions.Operations.WriteCreate and Update Executions operations resources
96ListExecutions.Operations.ListList all Executions operations resources
97ViewExecutions.Operations.ViewView Executions operations resources
98ListExecutions.Settings.ListList all Executions settings
99ViewExecutions.Settings.ViewView Executions settings
100WriteExecutions.Settings.WriteCreate and Update Executions settings
101ViewExecutions.Settings.DeleteDelete Executions settings

go

IDTypePermissionDescription
102ViewGo.Dashboards.ViewView go dashboards
103DeleteGo.Linux.DeleteDelete Linux resources
104ListGo.Linux.ListList all Linux resources
105ViewGo.Linux.ViewView all Linux resources details
106WriteGo.Linux.WriteCreate and update Linux resources
107ListGo.Reports.ListList all reports and events
108ViewGo.Reports.ViewView all reports and events details
109DeleteGo.Settings.DeleteDelete go settings
110ActionGo.Settings.InstallationKey.ViewView installation key
111ListGo.Settings.ListList all go settings
112ViewGo.Settings.ViewView all go module settings
113WriteGo.Settings.WriteCreate and update go settings
114DeleteGo.Users.DeleteDelete and disapprove users
115ListGo.Users.ListList all users
116ViewGo.Users.ViewView all users
117WriteGo.Users.WriteWrite and approve users
118DeleteGo.Windows.DeleteDelete go Windows resources
119ListGo.Windows.ListList go Windows resources
120ViewGo.Windows.ViewView go Windows resources details
121WriteGo.Windows.WriteCreate and update go Windows resources
122DeleteGo.Workstations.DeleteDelete workstations resources
123ListGo.Workstations.ListList all workstations resources
124ViewGo.Workstations.ViewView all workstations resources details
125WriteGo.Workstations.WriteCreate and update workstations resources

Information

IDTypePermissionDescription
126ViewPersonalVault.Dashboards.ViewView information Dashboard
127DeletePersonalVault.Information.DeleteDelete information resources
128ListPersonalVault.Information.ListList all information resource
129ViewPersonalVault.Information.ReadShow information resources details
130WritePersonalVault.Information.WriteCreate and update information resources
131ListPersonalVault.Reports.ListList all reports
132DeletePersonalVault.Settings.DeleteDelete settings resources
133ListPersonalVault.Settings.ListList all settings resources
134ViewPersonalVault.Settings.ReadShow settings resources details
135WritePersonalVault.Settings.WriteCreate and update settings resources

PAM

IDTypePermissionDescription
136ViewPAM.Dashboards.ViewView all PAM Dashboards
137ListPAM.PrivilegedAccounts.Custody.ListList all credentials under user's custody
138DeletePAM.PrivilegedAccounts.Credentials.DeleteDelete credentials
139ListPAM.PrivilegedAccounts.Credentials.ListList all credentials
140ViewPAM.PrivilegedAccounts.Credentials.ViewShow all credential details
141ViewPAM.PrivilegedAccounts.Credentials.Password.ViewGet credential or SSH Key value or part
142WritePAM.PrivilegedAccounts.Credentials.WriteCreate and update credentials
143ViewPAM.PrivilegedAccounts.PasswordChange.ViewShow all password changes details
144ListPAM.PrivilegedAccounts.PasswordChange.ListList all password changes
145ActionPAM.PrivilegedAccounts.PasswordChange.RequestCreate a request for password rotation
146ListPAM.SessionManagement.ListList all session information
147ActionPAM.SessionManagement.StartStart a session
148ActionPAM.SessionManagement.DropDrop a session
149ViewPAM.SessionManagement.ViewShow all sessions details
150ActionPAM.SessionManagement.WriteCreate and update Session Management resources
151ViewPAM.SessionManagement.DeleteDelete Session Management resources
152ActionPAM.SessionManagement.AuditList and execute auditing actions
153DeletePAM.Devices.DeleteDelete devices
154ListPAM.Devices.ListList all device information
155ViewPAM.Devices.ViewShow device details
156WritePAM.Devices.WriteCreate and update devices
157ListPAM.Reports.ListList all PAM reports
158DeletePAM.Settings.DeleteDelete PAM settings
159ListPAM.Settings.ListList all PAM settings
160ViewPAM.Settings.ViewShow all PAM settings details
161WritePAM.Settings.WriteCreate and update PAM settings

Provisioning

IDTypePermissionDescription
162DeleteProvisioning.DeleteDelete provisioning resources
163ListProvisioning.ListList access to all Provisioning module resources
164ViewProvisioning.ReadShow Provisioning resources details
165WriteProvisioning.WriteCreate and update to all provisioning resrouces

Reports

IDTypePermissionDescription
166ActionReports.ScheduleAction to schedule the send of reports periodically

Settings

IDTypePermissionDescription
167DeleteSettings.Authentication.DeleteDelete Authentication resources
168ListSettings.Authentication.ListList all Authentication resources
169ViewSettings.Authentication.ViewView Authentication resources details
170WriteSettings.Authentication.WriteCreate and Update Authentication resources
171DeleteSettings.Backup.DeleteDelete Backup resources
172ListSettings.Backup.ListList all Backup resources
173ViewSettings.Backup.ViewView Backup resources details
174WriteSettings.Backup.WriteCreate and Update Backup resources
175ListSettings.Eula.ListList all Eula resources
176ViewSettings.Eula.ViewView Eula resources details
177DeleteSettings.Notification.DeleteDelete Notification resources
178ListSettings.Notification.ListList all Notification resources
179ViewSettings.Notification.ViewView Notification resources details
180WriteSettings.Notification.WriteCreate and Update Notification resources
181DeleteSettings.Services.DeleteDelete services and execution processes resources
182ListSettings.Services.ListList all services and execution processes resources
183ViewSettings.Services.ViewView services and execution processes resources details
184WriteSettings.Services.WriteCreate and Update services and execution processes resources
185DeleteSettings.SystemParameters.DeleteDelete System Parameteres resources
186ListSettings.SystemParameters.ListList all System Parameteres resources
187ViewSettings.SystemParameters.ViewView System Parameteres resources details
188WriteSettings.SystemParameters.WriteCreate and Update System Parameteres resources
189DeleteSettings.UserManagement.DeleteDelete User Management resources
190ListSettings.UserManagement.ListList all User Management resources
191ViewSettings.UserManagement.ViewView User Management resources details
192WriteSettings.UserManagement.WriteCreate and Update User Management resources
193ListUser.Desktop.ListList user Desktop reports
194ViewUser.Desktop.ViewView user Desktop and dashboards
195WriteUser.Settings.WriteEdit user settings

Task Manager

IDTypePermissionDescription
196ViewTaskManager.Dashboards.ViewView all Task Manager module dashboards
197ListTaskManager.Executions.ListList Task Manager executions and operations
198ViewTaskManager.Executions.ViewView Task Manager executions and operations details
199DeleteTaskManager.Settings.DeleteDelete Task Manager module Settings resources
200ListTaskManager.Settings.ListList all Task Manager module Settings resources
201ViewTaskManager.Settings.ViewShow Task Manager module Settings resources details
202WriteTaskManager.Settings.WriteCreate and update Task Manager module Settings resources.
203DeleteTaskManager.Tasks.DeleteDelete Task Manager tasks
204ListTaskManager.Tasks.ListList all Task Manager tasks
205ViewTaskManager.Tasks.ViewView all Task Manager tasks details
206ActionTaskManager.Tasks.ExecuteAllow user to execute a task
207WriteTaskManager.Tasks.WriteCreate and update Task Manager tasks

Access Control

IDTypePermissionDescription
208DeleteAccessControl.DeleteDelete Access Control resources from all modules
209ListAccessControl.ListList all Access Control resources from all modules
210ViewAccessControl.ViewView Access Control resources details from all modules
211WriteAccessControl.WriteCreate and update Access Control resources from all modules
212ActionAccessControl.ApprovalApprove and disapprove requests

Settings

IDTypePermissionDescription
213ViewSystem.AuditTracking.ViewView system audit trail
214WriteSystem.Settings.WriteWrite system settings

Access Control

IDTypePermissionDescription
215ListAccessControl.AuditWrite system settings
216ListAccessControl.CurrentUser.ListList all Access Control requests for current user

Settings

IDTypePermissionDescription
217ListSystem.Common.ListList system commons settings
218WriteSystem.Common.WriteWrite system commons settings
219ListSettings.Tenants.ListList Tenants settings
220WriteSettings.Tenants.WriteWrite Tenants settings
221WriteSystem.Settings.OrbitOrbit Accesses system settings
222WriteSystem.Settings.EulaEula accepts and manage settings

Cloud

IDTypePermissionDescription
223ViewCloud.Operations.ViewView all Cloud IAM operations

Creating new roles

caution

Attention! The senhasegura update process will automatically update the roles and permissions set in the default installation. The upgrade will not alter the Roles that the administrator has created! It's up to the administrator to constantly review the user and custom roles to ensure the correct assignment of powers.

info

Creating new roles can increase the risk surface since a small error, such as one too many permissions, can give a user more power than they might otherwise have. That's why senhasegura provides roles according to the most common user types. If possible, use one of the 25 pre-registered roles and avoid creating new ones.

The roles delivered by senhasegura roles are adequate for the administrator to distribute them to users. But sometimes, it may be necessary that a user receives less access than the registered roles offer.

An appropriate division of responsibilities is reflected in the access privileges granted to users becomes necessary for the proper, efficient, and secure execution of the activities of the senhasegura . For this, we use the concept of Segregation of Duties (SoD).

Let's use as an example a consultant who needs to look only at the operational reports of the module Certificate Manager without being able to perform actions.

In this case, we do not recommend that the roles System Administrator, Certificates Administrator and PAM Auditor be assigned. This would be a great risk for the company, as it would grant you more access than necessary.

We will then create a new Role for this user.

  1. Go to the menu Settings ➔ User Management ➔ Roles to list the registered roles;

  2. Using the report action, go to the registration form and register a new role called Certificate Audit.;

  3. Describe the purpose of this role;

  4. Go to the Permissions tab;

  5. Add the permissions that this role can perform. You can filter permissions by: Type, Module and even description. In the case of this example, the permissions that will be added are:

    • CertificateManager.Dashboards.View: View Certificate Manager dashboards;

    • CertificateManager.Reports.List: Lists all reports and events related to certificates;

    • CertificateManager.Reports.View: View all certificate-related reports and events;

    For permissions to be granted correctly, pay attention to the type of each:

    • List: Permissions to listing in reports;

    • View: Permissions to displaying operation details;

    • Write: Permissions for configuring, registering, and changing system records;

    • Delete: Permissions for inactivating system records;

    • Action: This type concentrates actions of administrative operations specific to each module.

  6. On the Users tab, add the users that should be associated with this role. If the user you want to associate is not yet created you can skip this step.

  7. Click Save

Cloning existing Roles

You can also create a new Role based on an existing one. At the Roles report, every record has a Clone action. Clicking on it, senhasegura will create a new Role record based on the choosed record. This new Role can be edited by the administrator adding or removing permissions and users.

caution

A cloned role will not inherit users linked to the originating role.

User Registration

To create a user, click on the quick action button User, and on the screen will appear the following steps:

  1. Set a username. This name is the user representation on the other screens;

  2. Set the username;

  3. Into the password field:

  4. Leave password field blank if the email service was defined; or

  5. Manually enter the password while the email service is not defined;

  6. The field Ignore two factor authentication? indicates if this user have no obligation to register and use 2FA OTP token when using the senhasegura .

    caution

    This field is not available if the current user is trying to change their own account and it only appears in the edition mode.

  7. Confirm that user status is active in the Status field;

  8. Confirm that administrator user has access to Orbit through the Access to Orbit field;

    caution

    Be careful about accounts in charge to manage the Orbit Portal. Do not grant without concern a user to do this. Orbit Portal has many services control's. See the Orbit documentation for more details.

  9. On the Roles tab, select the roles that should be assigned to this user. As an example, suppose this user should only consult credentials and perform remote sessions, in this screen, the role PAM User should be added.;

    caution

    It is possible to add more than one role to a user. However, the administrator must be careful that the roles added do not conflict with the user's activities, giving them higher powers than their responsibilities.

  10. On the Access Groups tab, select the access group the user will be part of, that is, the limit of credentials the user will be able to interact with.

  11. Save user with Save button;

It is now necessary to perform this user validation. Ask the user who owns this account to access senhasegura and log in first. They will be prompted to change the temporary password in compliance with the default security criteria.

Forgetting a user

senhasegura provides a mechanism to guarantee the right to be forgotten, by being notified by a user that he wishes his data to be removed from the application.

Besides if requested by the user senhasegura can provide a complete report of the data that has been collected from him like:

  • Name

  • Telephone

  • E-mail

  • List of accesses with IP, browser, location and time.

This report can be extracted as an action from the user's screen.

Whenever a report is issued or a user is forgotten alerts are sent to Syslog and e-mail notifications can also be registered.

To forget a user go to Settings ➔ System users ➔ Users in the line of the user you wish to forget, go to the Action column and choose Forget user.

Forget User button on user's list

Import Users

To import users to senhasegura , go to the menu: Settings ➔ System users ➔ Batch import.

Click the Choose File button to select the file to import and select the desired file and click the Open button.

Click the Import Users button to complete the import.

info

Import spreadsheet templates can be obtained by clicking on the With Users buttons, for a template with example users and Empty, for an unfilled template file.

Tokens

Any user can configure his own account to use two steps authentication. You can also force all users to use it at specific actions.

You can see how many users is using two steps authentication, and either cancel tokens, under the report Settings ➔ Authentication ➔ Multi-factor authentication.

Inactivating a user

To inactivate a user, see the following steps:

  1. Go to the user's report on: Settings ➔ System users ➔ Users;

  2. Filter the report with the desired filtered and locate the registry of the user you wish to inactivate;

  3. Click on the action button Change;

  4. In the user's form, change the key State to Inactive;

  5. Save changes by clicking on the Save button

caution

When inactivating a user, he will be disconnected from his Web session, as well as all the other proxy sessions in execution. For the senhasegura.go , it will be necessary to wait for application records update time.

Only the senhasegura user account will be inactivated. In case senhasegura is configured to use a external authenticator provider, the provider will not be informed of the inactivation

Auditing

The permission system audit reports are divided into reports that help identify the permissions that a user has, and reports that help identify changes that have occurred in the permission system.

So the administrator will be able to identify security holes that have occurred or are still vulnerable.

Through the module Reports, you will have access to several audit reports of senhasegura . At this book, we will focus only on the reports pertinent to the The Access Control Layer.

In the Permissions menu you have access to the following reports:

  • Roles by user:

    • Check which roles have been assigned to each user;

    • Even inactive users are considered;

    • The filter can be user-based, role-based, or both;

  • Permissions by user

    • Check which permissions have been granted to each user;

    • The filter can be based on user, permission or both;

  • Audit logs

    • View history of changes made to roles;

    • You can identify which users made the change when they made it and what was changed;

    • Filter by period, user, and operation;

  • Permissions migration

    • See which roles compared to the permission system of previous versions of the senhasegura were added, kept, or removed.;

    • The filter can be based on user code, permission or status;