LogMeOnce Enterprise Edition provides creation of custom roles and granular access permissions, and enables a user to perform a specific action, or access a feature.
LogMeOnce role based administration feature comes preconfigured with administrator's roles to simplify administration of your organizational policies. Each role is a combination of granular permissions or entitlement. Please see table at the end of this article with details about permissions and resources. The preconfigured administrator roles are;
- Super Administrator
This administrator role has "full" access to all roles, permissions, and policies. Super Administrator can manage security policies for the entire organization. - Group Administrator
This administrator role has access to all roles, permissions, and policies within a "specific" group(s). Group Administrator can manage security policies for the assigned groups (example: marketing group and its assigned users and apps). - Users Administrator
This administrator has full access to user management, groups, and its assigned applications. - Sites Administrator
This administrator has full access to Apps management. This will help to carry out routine tasks to manage and assign Apps to users and groups. - Auditor
This role has read-only access to all system logs to perform audit and security investigations. - Secure Drive
This role has full access to secure drive and all files in the organization. - Sites Personal
This role allows users to create and add their own personal Apps.
Custom roles and permissions types
Permissions are used to grant system privileges. This allows you to build organizational-specific roles to match your requirements and restrict system administrators from accessing user data. Additionally, LogMeOnce enables you to create granular level permissions.
LogMeOnce granular permissions enable you to set the least privilege policy which requires all administrators should be granted as few privileges as possible in order to do their job while enforcing separation of duties. LogMeOnce supports the following permissions types. All permission types are not relevant for all resources.
| Permission Types | Permission Type Description |
|---|---|
| Create | This permission type enables creation of an object within a resource. |
| View | This permission type enables the viewing of an object within a resource. |
| Update | This permission type enables updating of an object within a resource. |
| Delete | This permission type enables deleting of an object within a resource. |
| Full Visibility | This permission type full organization-wide visibility of an object within a resource. |
| Export | This permission type enables the export of objects from a resource. |
| Import | This permission type enables the import of objects to a resource. |
| Note | This permission type enables the managing of notes objects within a resource. |
| Storage | This permission type enables the managing of storage objects within a resource. |
LogMeOnce manages 15 Resources and 55 Permissions that can be controlled by you to build custom "Admin roles" and enforce security controls for your organization. This enables your organization to setup roles and granular permission for your users and administrators. The following shows "resource" and "allowable permission types" for each resource.
| Resource | Resource Description | Allowable Permission Types |
|---|---|---|
| Authentication | This resource manages adaptive authentication policies. | Create, View, Update, Delete |
| Branding | This resource manages your organization branding look and feel. | View, Update |
| Device | This resource manages device management policies. | View, Update, Delete, Full Visibility, Export |
| Directory | This resource manages directory services policies | Create, View, Update, Delete |
| Event | This resource manages activity and event log page and policy. | Export |
| Group | This resource manages group management policies. | Create, View, Update, Delete, Full Visibility, Export |
| Mugshot | This resource manages Mugshot feature to detect and collect details of attempted hacks. | View |
| Policy | This resource manages password policies. | Create, View, Update, Delete |
| Report | This resource manages reporting feature. | View |
| Role | This resource manages role management policies and permission and entitlement configuration. | Create, View, Update, Delete, Full Visibility |
| SAML | This resource manages SAML page. | View |
| Site | This resource manages application or site setup. | Create, View, Update, Delete, Full Visibility, Note, Storage, Export, Import |
| Storage | This resource manages encrypted storage feature and policies. | Create, View, Delete, Full Visibility |
| Subscription | This resource manages the subscription feature. | Full Visibility |
| User | This resource manages user management policies. | Create, View, Update, Delete, Full Visibility, Export, Import |
Permissions
The following table shows granular permissions granted for each "Resource". As an Administrator you can create custom roles using a combination of "Permissions" listed below;
| Permission | Super Admin |
Group Admin |
User Admin |
Site Admin |
Description |
|---|---|---|---|---|---|
| Authentication: Create | Yes | Yes | Allows admin to create adaptive authentication policies. | ||
| Authentication: View | Yes | Yes | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to view Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to view "2FA Settings" policy. | ||
| Authentication: Update | Yes | Yes | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to modify Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to modify "2FA Settings" policy. | ||
| Authentication: Delete | Yes | Yes | Allows admin to delete adaptive authentication policies. | ||
| Branding: View | Yes | Yes | Allows admin to view organization branding page. | ||
| Branding: Update | Yes | Yes | Allows admin to modify organization branding, upload company logo and change website colors. | ||
| Device: View | Yes | Yes | Allows user/admin to view list of devices and information. | ||
| Device: Update | Yes | Yes | Allows user/admin to perform "Remote Logout" on a device, and to turn on/off passwordless login. | ||
| Device: Delete | Yes | Yes | Allows user/admin to delete devices in Device Management. | ||
| Device: Full Visibility | Yes | Allows admin to manage all company devices. | |||
| Device: Export | Yes | Yes | Allows user/admin to export devices. If Device: Full Visibility permission is not granted only user own devices can be exported. | ||
| Directory: Create | Yes | Yes | Allows admin to create and configure new directory agent, such as Active Directory (AD) Agent. | ||
| Directory: View | Yes | Yes | Allows admin to view Directories page. Allows admin to view filters and additional data in User/Group Management and Activity Report page. | ||
| Directory: Update | Yes | Yes | Allows admin to update directory agent configurations. | ||
| Directory: Delete | Yes | Yes | Allows admin to delete directory agent. | ||
| Event: Export | Yes | Yes | Allows user/admin to export event and audit logs in Activity Report. | ||
| Group: Create | Yes | Yes | Yes | Allows admin to create a group in Group Management. | |
| Group: View | Yes | Yes | Yes | Yes | Allows admin to view group settings and memberships. |
| Group: Update | Yes | Yes | Yes | Allows admin to modify group settings and memberships. | |
| Group: Delete | Yes | Yes | Yes | Allows admin to delete groups in Groups Management. | |
| Group: Full Visibility | Yes | Yes | Yes | Allows admin to manage all company groups. | |
| Group: Export | Yes | Yes | Yes | Allows admin to export groups from Group Management. | |
| Mugshot: View | Yes | Yes | Allows user/admin to view Mugshot details and related logs. | ||
| Policy: Create | Yes | Yes | Allows admin to create password policy. | ||
| Policy: View | Yes | Yes | Allows admin to view password policy page. | ||
| Policy: Update | Yes | Yes | Allows admin to modify password policy settings. | ||
| Policy: Delete | Yes | Yes | Allows admin to delete password policy. | ||
| Report: View | Yes | Yes | |||
| Role: Create | Yes | Allows admin to create custom roles. | |||
| Role: View | Yes | Yes | Allows admin to view custom roles, role assignment in User/Group Management. | ||
| Role: Update | Yes | Allows admin to update custom roles. | |||
| Role: Delete | Yes | Allows admin to delete custom roles. | |||
| Role: Full Visibility | Yes | Allows admin to manage all company roles. | |||
| SAML: View | Yes | Yes | Allows admin to view SAML setting page. | ||
| Site: Create | Yes | Yes | Yes | Allows user/admin to create an application, and assign to users/groups. | |
| Site: View | Yes | Yes | Yes | Allows user/admin to view credentials (username/password). | |
| Site: Update | Yes | Yes | Yes | Allows user/admin to modify application settings. | |
| Site: Delete | Yes | Yes | Yes | Allows user/admin to delete applications. | |
| Site: Full Visibility | Yes | Yes | Yes | Allows admin to manage all company applications. | |
| Site: Note | Yes | Yes | Yes | Allows user/admin to view/update note of a application. | |
| Site: Storage | Yes | Yes | Yes | Allows user/admin to view/update storage of a application. | |
| Site: Export | Yes | Yes | Yes | Allows user/admin to export application settings. | |
| Site: Import | Yes | Yes | Yes | Allows user/admin to import applications from a generic CSV file. | |
| Storage: Create | Yes | Yes | Allows user/admin to upload a file or create a folder. | ||
| Storage: View | Yes | Yes | Allows user/admin to view Secure Drive page. Allows user/admin to view Secure Drive page. Allows user/admin to view Secure Drive page. | ||
| Storage: Delete | Yes | Yes | Allows user/admin to delete files/folders. | ||
| Storage: Full Visibility | Yes | Allows admin to create/update/delete storage services configuration. | |||
| Subscription : Full Visibility | Yes | Allows admin to change and update subscription and manage payment details for your account. | |||
| User: Create | Yes | Yes | Allows admin to create a user in User Management. | ||
| User: View | Yes | Yes | Yes | Yes | Allows admin to view users information and settings. |
| User: Update | Yes | Yes | Yes | Allows admin to update users information and settings. | |
| User: Delete | Yes | Yes | Yes | Allows admin to delete user in User Management. | |
| User: Full Visibility | Yes | Yes | Yes | Allows admin to manage all company users. | |
| User: Export | Yes | Yes | Yes | Allows admin to export users from User Management. | |
| User: Import | Yes | Yes | Yes | Allows admin to import users into User Management. |
How to create custom roles
Custom Roles can be created for Users and Groups. You can access Roles using the Smart Menu option by section Smart Menu->Under Security Section->User Management or Group Management.
Then select a user or group and go to the Role Assignment Tab. Click on Create New Role.
Click on Create New Role.
- Enter a name for the new role
- Enter a description
- Select if this permission is applied to Administrators or Users. When User is selected this option is displayed on the user dashboard and when Admin is selected, it is displayed on the Admin section.
- Select permissions from a list of assigned permissions
- Move selected unassigned permission to assigned permission.
- Save changes
Examples of custom roles
1. Command Line Interface (CLI) or API Role
This role enables access to use Command Line Interface (CLI) or API which can be used form other scripts or programming languages such as C/C++, C#, Java, Python, etc.
By assigning this Role to a user or a group, it will have access to use CLI from external programs.
Name: CLI Role
Permissions:
2. SAML Administration Role
This role enables SAML Administrations. You may remove or update some of the permissions as shown below based on your organization policy.
By assigning this Role to a user or a group, it will have access to perform SAML administration.
Name: SAML Administration
Permissions:
Comments
Article is closed for comments.