Granular Permissions Levels (Enterprise Edition)

Support Team
February 11, 2019 03:15

LogMeOnce Enterprise Edition supports custom roles with granular access permissions, each of which enables a user to perform a specific action or access a specific feature.

The LogMeOnce role-based administration feature comes preconfigured with administrator roles to simplify administration of your organizational policies. Each role is a combination of granular permissions, or entitlements. Please see the tables at the end of this article for details about permissions and resources. The preconfigured administrator roles are:

  • Super Administrator
    This administrator role has "full" access to all roles, permissions, and policies. Super Administrator can manage security policies for the entire organization.
  • Group Administrator
    This administrator role has access to all roles, permissions, and policies within one or more "specific" groups. Group Administrator can manage security policies for the assigned groups (example: the marketing group and its assigned users and apps).
  • Users Administrator
    This administrator has full access to user management, groups, and their assigned applications.
  • Sites Administrator
    This administrator has full access to Apps management. This helps with routine tasks such as managing Apps and assigning them to users and groups.
  • Auditor
    This role has read-only access to all system logs to perform audit and security investigations.
  • Secure Drive
    This role has full access to secure drive and all files in the organization.
  • Sites Personal
    This role allows users to create and add their own personal Apps.

Custom roles and permissions types

Permissions are used to grant system privileges. This allows you to build organization-specific roles that match your requirements and restrict system administrators from accessing user data. Additionally, LogMeOnce enables you to create granular-level permissions.

LogMeOnce granular permissions enable you to set a least-privilege policy, under which every administrator is granted as few privileges as possible to do their job, while enforcing separation of duties. LogMeOnce supports the following permission types. Not all permission types are relevant to every resource.

Permission Types

| Permission Type | Description |
|---|---|
| Create | This permission type enables creation of an object within a resource. |
| View | This permission type enables the viewing of an object within a resource. |
| Update | This permission type enables updating of an object within a resource. |
| Delete | This permission type enables deleting of an object within a resource. |
| Full Visibility | This permission type enables full organization-wide visibility of an object within a resource. |
| Export | This permission type enables the export of objects from a resource. |
| Import | This permission type enables the import of objects to a resource. |
| Note | This permission type enables the managing of notes objects within a resource. |
| Storage | This permission type enables the managing of storage objects within a resource. |

 

LogMeOnce manages 15 Resources and 55 Permissions that you can control to build custom "Admin roles" and enforce security controls for your organization. This enables your organization to set up roles and granular permissions for your users and administrators. The following table shows each "resource" and the "allowable permission types" for that resource.

| Resource | Resource Description | Allowable Permission Types |
|---|---|---|
| Authentication | This resource manages adaptive authentication policies. | Create, View, Update, Delete |
| Branding | This resource manages your organization branding look and feel. | View, Update |
| Device | This resource manages device management policies. | View, Update, Delete, Full Visibility, Export |
| Directory | This resource manages directory services policies. | Create, View, Update, Delete |
| Event | This resource manages activity and event log page and policy. | Export |
| Group | This resource manages group management policies. | Create, View, Update, Delete, Full Visibility, Export |
| Mugshot | This resource manages Mugshot feature to detect and collect details of attempted hacks. | View |
| Policy | This resource manages password policies. | Create, View, Update, Delete |
| Report | This resource manages reporting feature. | View |
| Role | This resource manages role management policies and permission and entitlement configuration. | Create, View, Update, Delete, Full Visibility |
| SAML | This resource manages SAML page. | View |
| Site | This resource manages application or site setup. | Create, View, Update, Delete, Full Visibility, Note, Storage, Export, Import |
| Storage | This resource manages encrypted storage feature and policies. | Create, View, Delete, Full Visibility |
| Subscription | This resource manages the subscription feature. | Full Visibility |
| User | This resource manages user management policies. | Create, View, Update, Delete, Full Visibility, Export, Import |
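As an added example (not LogMeOnce code and not an API of the product), the following Python check reviews a proposed custom role against the resource table above before the role is created in the console. The function names, the sample help-desk role and the separation-of-duties rule are all constructed for illustration.

```python
# Allowable permission types per resource, transcribed from the table above.
_CRUD = "Create, View, Update, Delete"
_TABLE = {
    "Authentication": _CRUD,
    "Branding": "View, Update",
    "Device": "View, Update, Delete, Full Visibility, Export",
    "Directory": _CRUD,
    "Event": "Export",
    "Group": _CRUD + ", Full Visibility, Export",
    "Mugshot": "View",
    "Policy": _CRUD,
    "Report": "View",
    "Role": _CRUD + ", Full Visibility",
    "SAML": "View",
    "Site": _CRUD + ", Full Visibility, Note, Storage, Export, Import",
    "Storage": "Create, View, Delete, Full Visibility",
    "Subscription": "Full Visibility",
    "User": _CRUD + ", Full Visibility, Export, Import",
}
ALLOWED = {res: {t.strip() for t in types.split(",")} for res, types in _TABLE.items()}

def parse(perm):
    """Split 'Resource: Type', tolerating stray spaces around the colon."""
    resource, _, ptype = perm.partition(":")
    return resource.strip(), ptype.strip()

def review_role(permissions, sod_rules=()):
    """Review a proposed custom role (hypothetical helper, run before creating it)."""
    granted = {parse(p) for p in permissions}
    valid = {(r, t) for r, t in granted if t in ALLOWED.get(r, ())}
    return {
        # Pairs the table does not define: a typo, or a type the resource lacks.
        "invalid": sorted(f"{r}: {t}" for r, t in granted - valid),
        # Full Visibility gives organization-wide visibility of the resource.
        "org_wide": sorted(r for r, t in valid if t == "Full Visibility"),
        # Export and Import move objects out of or into a resource.
        "transfer": sorted(f"{r}: {t}" for r, t in valid if t in ("Export", "Import")),
        # Caller-supplied pairs that one role should not hold together.
        "sod_conflicts": [(a, b) for a, b in sod_rules
                          if parse(a) in valid and parse(b) in valid],
    }

# Constructed help-desk proposal; the SoD rule is an example policy, not LogMeOnce's.
HELPDESK = ["User: View", "User: Update", "Device: Update", "SAML: Update",
            "Role: Update", "User : Full Visibility", "Event: Export"]
SOD = [("Role: Update", "User: Update")]

if __name__ == "__main__":
    print(review_role(HELPDESK, SOD))
```

The table transcribed in `ALLOWED` adds up to the 15 resources and 55 permissions stated above, which makes it a quick consistency check when the list is copied into a review tool.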

 

Permissions

The following table shows the granular permissions granted for each "Resource". As an Administrator, you can create custom roles using a combination of the "Permissions" listed below:

| Permission | Super Admin | Group Admin | User Admin | Site Admin | Description |
|---|---|---|---|---|---|
| Authentication: Create | Yes | Yes | | | Allows admin to create adaptive authentication policies. |
| Authentication: View | Yes | Yes | | | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to view Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to view "2FA Settings" policy. |
| Authentication: Update | Yes | Yes | | | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to modify Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to modify "2FA Settings" policy. |
| Authentication: Delete | Yes | Yes | | | Allows admin to delete adaptive authentication policies. |
| Branding: View | Yes | Yes | | | Allows admin to view organization branding page. |
| Branding: Update | Yes | Yes | | | Allows admin to modify organization branding, upload company logo and change website colors. |
| Device: View | Yes | Yes | | | Allows user/admin to view list of devices and information. |
| Device: Update | Yes | Yes | | | Allows user/admin to perform "Remote Logout" on a device, and to turn on/off passwordless login. |
| Device: Delete | Yes | Yes | | | Allows user/admin to delete devices in Device Management. |
| Device: Full Visibility | Yes | | | | Allows admin to manage all company devices. |
| Device: Export | Yes | Yes | | | Allows user/admin to export devices. If the Device: Full Visibility permission is not granted, only the user's own devices can be exported. |
| Directory: Create | Yes | Yes | | | Allows admin to create and configure new directory agent, such as Active Directory (AD) Agent. |
| Directory: View | Yes | Yes | | | Allows admin to view Directories page. Allows admin to view filters and additional data in User/Group Management and Activity Report page. |
| Directory: Update | Yes | Yes | | | Allows admin to update directory agent configurations. |
| Directory: Delete | Yes | Yes | | | Allows admin to delete directory agent. |
| Event: Export | Yes | Yes | | | Allows user/admin to export event and audit logs in Activity Report. |
| Group: Create | Yes | Yes | Yes | | Allows admin to create a group in Group Management. |
| Group: View | Yes | Yes | Yes | Yes | Allows admin to view group settings and memberships. |
| Group: Update | Yes | Yes | Yes | | Allows admin to modify group settings and memberships. |
| Group: Delete | Yes | Yes | Yes | | Allows admin to delete groups in Groups Management. |
| Group: Full Visibility | Yes | | Yes | Yes | Allows admin to manage all company groups. |
| Group: Export | Yes | Yes | Yes | | Allows admin to export groups from Group Management. |
| Mugshot: View | Yes | Yes | | | Allows user/admin to view Mugshot details and related logs. |
| Policy: Create | Yes | Yes | | | Allows admin to create password policy. |
| Policy: View | Yes | Yes | | | Allows admin to view password policy page. |
| Policy: Update | Yes | Yes | | | Allows admin to modify password policy settings. |
| Policy: Delete | Yes | Yes | | | Allows admin to delete password policy. |
| Report: View | Yes | Yes | | | |
| Role: Create | Yes | | | | Allows admin to create custom roles. |
| Role: View | Yes | Yes | | | Allows admin to view custom roles, role assignment in User/Group Management. |
| Role: Update | Yes | | | | Allows admin to update custom roles. |
| Role: Delete | Yes | | | | Allows admin to delete custom roles. |
| Role: Full Visibility | Yes | | | | Allows admin to manage all company roles. |
| SAML: View | Yes | Yes | | | Allows admin to view SAML setting page. |
| Site: Create | Yes | Yes | | Yes | Allows user/admin to create an application, and assign to users/groups. |
| Site: View | Yes | Yes | | Yes | Allows user/admin to view credentials (username/password). |
| Site: Update | Yes | Yes | | Yes | Allows user/admin to modify application settings. |
| Site: Delete | Yes | Yes | | Yes | Allows user/admin to delete applications. |
| Site: Full Visibility | Yes | Yes | | Yes | Allows admin to manage all company applications. |
| Site: Note | Yes | Yes | | Yes | Allows user/admin to view/update note of an application. |
| Site: Storage | Yes | Yes | | Yes | Allows user/admin to view/update storage of an application. |
| Site: Export | Yes | Yes | | Yes | Allows user/admin to export application settings. |
| Site: Import | Yes | Yes | | Yes | Allows user/admin to import applications from a generic CSV file. |
| Storage: Create | Yes | Yes | | | Allows user/admin to upload a file or create a folder. |
| Storage: View | Yes | Yes | | | Allows user/admin to view Secure Drive page. |
| Storage: Delete | Yes | Yes | | | Allows user/admin to delete files/folders. |
| Storage: Full Visibility | Yes | | | | Allows admin to create/update/delete storage services configuration. |
| Subscription: Full Visibility | Yes | | | | Allows admin to change and update subscription and manage payment details for your account. |
| User: Create | Yes | | Yes | | Allows admin to create a user in User Management. |
| User: View | Yes | Yes | Yes | Yes | Allows admin to view users' information and settings. |
| User: Update | Yes | Yes | Yes | | Allows admin to update users' information and settings. |
| User: Delete | Yes | Yes | Yes | | Allows admin to delete a user in User Management. |
| User: Full Visibility | Yes | | Yes | Yes | Allows admin to manage all company users. |
| User: Export | Yes | Yes | Yes | | Allows admin to export users from User Management. |
| User: Import | Yes | Yes | Yes | | Allows admin to import users into User Management. |

 

How to create custom roles

Custom Roles can be created for Users and Groups. You can access Roles from the Smart Menu: Smart Menu -> Security section -> User Management or Group Management.

Then select a user or group and go to the Role Assignment tab.

[Screenshot: role1.png]

Click on Create New Role.

[Screenshot: role2.png]

  1. Enter a name for the new role
  2. Enter a description
  3. Select if this permission is applied to Administrators or Users. When User is selected this option is displayed on the user dashboard and when Admin is selected, it is displayed on the Admin section.
  4. Select permissions from a list of assigned permissions
  5. Move selected unassigned permission to assigned permission.
  6. Save changes

 

Examples of custom roles

1. Command Line Interface (CLI) or API Role

This role enables access to the Command Line Interface (CLI) or API, which can be used from other scripts or programming languages such as C/C++, C#, Java, Python, etc.

A user or group that is assigned this Role will have access to use the CLI from external programs.

Name: CLI Role

Permissions: 

[Screenshot: CLI.PNG]

2. SAML Administration Role

This role enables SAML administration. You may remove or update some of the permissions as shown below based on your organization policy.

A user or group that is assigned this Role will have access to perform SAML administration.

Name: SAML Administration

Permissions: 

[Screenshot: SAML-Admin.PNG]

 

 

 

 

 
