
Granular Permissions Levels (Enterprise Edition)

LogMeOnce Enterprise Edition lets you create custom roles with granular access permissions, each of which enables a user to perform a specific action or access a feature.

The LogMeOnce role-based administration feature comes preconfigured with administrator roles to simplify administration of your organizational policies. Each role is a combination of granular permissions or entitlements. Please see the table at the end of this article for details about permissions and resources. The preconfigured administrator roles are:

  • Super Administrator
    This administrator role has "full" access to all roles, permissions, and policies. Super Administrator can manage security policies for the entire organization.
  • Group Administrator
    This administrator role has access to all roles, permissions, and policies within a "specific" group(s). Group Administrator can manage security policies for the assigned groups (example: marketing group and its assigned users and apps).
  • Users Administrator
    This administrator has full access to user management, groups, and its assigned applications.
  • Sites Administrator
    This administrator has full access to Apps management. This will help to carry out routine tasks to manage and assign Apps to users and groups.
  • Auditor
    This role has read only access to all system logs to perform audit and security investigations.
  • Secure Drive
    This role has full access to secure drive and all files in the organization.
  • Sites Personal
    This role allows users to create and add their own personal Apps.

 

Custom Roles and Permissions Types

Permissions are used to grant system privileges. This allows you to build organization-specific roles that match your requirements, and to restrict system administrators from accessing user data. Additionally, LogMeOnce enables you to create granular-level permissions.

LogMeOnce granular permissions enable you to set a least-privilege policy, which requires that all administrators be granted as few privileges as possible to do their job, while enforcing separation of duties. LogMeOnce supports the following permission types. Not all permission types are relevant for all resources.

Permission Types

| Permission Type | Description |
|---|---|
| Create | This permission type enables creation of an object within a resource. |
| View | This permission type enables viewing of an object within a resource. |
| Update | This permission type enables updating of an object within a resource. |
| Delete | This permission type enables deleting of an object within a resource. |
| Full Visibility | This permission type enables full organization-wide visibility of an object within a resource. |
| Export | This permission type enables export of objects from a resource. |
| Import | This permission type enables import of objects to a resource. |
| Note | This permission type enables managing of a notes object within a resource. |
| Storage | This permission type enables managing of a storage object within a resource. |

 

LogMeOnce manages 15 Resources and 55 Permissions that you can control to build custom "Admin roles" and enforce security controls for your organization. This enables your organization to set up roles and granular permissions for your users and administrators. The following table shows each "resource" and the "allowable permission types" for that resource.

| Resource | Resource Description | Allowable Permission Types |
|---|---|---|
| Authentication | This resource manages adaptive authentication policies. | Create, View, Update, Delete |
| Branding | This resource manages your organization branding look and feel. | View, Update |
| Device | This resource manages device management policies. | View, Update, Delete, Full Visibility, Export |
| Directory | This resource manages directory services policies. | Create, View, Update, Delete |
| Event | This resource manages activity and event log page and policy. | Export |
| Group | This resource manages group management policies. | Create, View, Update, Delete, Full Visibility, Export |
| Mugshot | This resource manages Mugshot feature to detect and collect details of attempted hacks. | View |
| Policy | This resource manages password policies. | Create, View, Update, Delete |
| Report | This resource manages reporting feature. | View |
| Role | This resource manages role management policies and permission and entitlement configuration. | Create, View, Update, Delete, Full Visibility |
| SAML | This resource manages SAML page. | View |
| Site | This resource manages application or site setup. | Create, View, Update, Delete, Full Visibility, Note, Storage, Export, Import |
| Storage | This resource manages encrypted storage feature and policies. | Create, View, Delete, Full Visibility |
| Subscription | This resource manages subscription feature. | Full Visibility |
| User | This resource manages user management policies. | Create, View, Update, Delete, Full Visibility, Export, Import |
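
Added example (not LogMeOnce code): a Python check that lints a proposed custom role against the resource table above and the least-privilege rule stated earlier. The sample role, the "needed" list and all function names are assumptions made for illustration; the SENSITIVE set is drawn from the permission descriptions in this article.

```python
# Added example, not LogMeOnce code. Role contents and "needed" are constructed.

# Allowable permission types per resource, transcribed from the table above.
_TABLE = {
    "Authentication": "Create, View, Update, Delete",
    "Branding": "View, Update",
    "Device": "View, Update, Delete, Full Visibility, Export",
    "Directory": "Create, View, Update, Delete",
    "Event": "Export",
    "Group": "Create, View, Update, Delete, Full Visibility, Export",
    "Mugshot": "View",
    "Policy": "Create, View, Update, Delete",
    "Report": "View",
    "Role": "Create, View, Update, Delete, Full Visibility",
    "SAML": "View",
    "Site": "Create, View, Update, Delete, Full Visibility, Note, Storage, Export, Import",
    "Storage": "Create, View, Delete, Full Visibility",
    "Subscription": "Full Visibility",
    "User": "Create, View, Update, Delete, Full Visibility, Export, Import",
}
ALLOWED = {r: set(t.split(", ")) for r, t in _TABLE.items()}

# Grants worth a second reviewer: Site: View exposes stored credentials, and the
# non-View Role permissions are held only by Super Admin in the page's matrix.
SENSITIVE = {("Site", "View")} | {("Role", t) for t in ALLOWED["Role"] - {"View"}}

def parse(entry):
    """Split 'Resource: Type' into a normalized (resource, type) pair."""
    resource, _, ptype = entry.partition(":")
    return resource.strip(), ptype.strip()

def lint_role(granted, needed):
    """Compare a role's grants with what the job needs (least privilege)."""
    granted, needed = set(map(parse, granted)), set(map(parse, needed))
    invalid = {p for p in granted if p[1] not in ALLOWED.get(p[0], set())}
    valid = granted - invalid
    return {
        "invalid": sorted(invalid),        # type not allowable for that resource
        "excess": sorted(valid - needed),  # granted but not required for the job
        "missing": sorted(needed - valid), # required but not granted
        "org_wide": sorted(r for r, t in valid if t == "Full Visibility"),
        "sensitive": sorted(valid & SENSITIVE),
    }

# Constructed sample: a hypothetical help-desk role.
HELPDESK = ["User: View", "User: Update", "User: Full Visibility",
            "Site: View", "Event: View", "Device: Export"]
REPORT = lint_role(HELPDESK, needed=["User: View", "User: Update", "Device: Export"])
```

For this sample, REPORT lists Event: View as invalid (Event only allows Export) and Site: View and User: Full Visibility as excess grants to remove before the role is saved.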

 

 

Permissions

The following table shows the granular permissions granted for each "Resource". As an Administrator, you can create custom roles using a combination of the "Permissions" listed below:

| Permission | Super Admin | Group Admin | User Admin | Site Admin | Description |
|---|---|---|---|---|---|
| Authentication: Create | Yes | Yes | | | Allows admin to create adaptive authentication policies. |
| Authentication: View | Yes | Yes | | | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to view Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to view "2FA Settings" policy. |
| Authentication: Update | Yes | Yes | | | If “Adaptive Authentication” add-on is purchased, LogMeOnce will allow Admin to modify Adaptive Authentication policy. Otherwise, LogMeOnce will allow Admin to modify "2FA Settings" policy. |
| Authentication: Delete | Yes | Yes | | | Allows admin to delete adaptive authentication policies. |
| Branding: View | Yes | Yes | | | Allows admin to view organization branding page. |
| Branding: Update | Yes | Yes | | | Allows admin to modify organization branding, upload company logo and change website colors. |
| Device: View | Yes | Yes | | | Allows user/admin to view list of devices and information. |
| Device: Update | Yes | Yes | | | Allows user/admin to perform "Remote Logout" on a device, and to turn on/off passwordless login. |
| Device: Delete | Yes | Yes | | | Allows user/admin to delete devices in Device Management. |
| Device: Full Visibility | Yes | | | | Allows admin to manage all company devices. |
| Device: Export | Yes | Yes | | | Allows user/admin to export devices. If the Device: Full Visibility permission is not granted, only the user's own devices can be exported. |
| Directory: Create | Yes | Yes | | | Allows admin to create and configure new directory agent, such as Active Directory (AD) Agent. |
| Directory: View | Yes | Yes | | | Allows admin to view Directories page. Allows admin to view filters and additional data in User/Group Management and Activity Report page. |
| Directory: Update | Yes | Yes | | | Allows admin to update directory agent configurations. |
| Directory: Delete | Yes | Yes | | | Allows admin to delete directory agent. |
| Event: Export | Yes | Yes | | | Allows user/admin to export event and audit logs in Activity Report. |
| Group: Create | Yes | Yes | Yes | | Allows admin to create a group in Group Management. |
| Group: View | Yes | Yes | Yes | Yes | Allows admin to view group settings and memberships. |
| Group: Update | Yes | Yes | Yes | | Allows admin to modify group settings and memberships. |
| Group: Delete | Yes | Yes | Yes | | Allows admin to delete groups in Groups Management. |
| Group: Full Visibility | Yes | | Yes | Yes | Allows admin to manage all company groups. |
| Group: Export | Yes | Yes | Yes | | Allows admin to export groups from Group Management. |
| Mugshot: View | Yes | Yes | | | Allows user/admin to view Mugshot details and related logs. |
| Policy: Create | Yes | Yes | | | Allows admin to create password policy. |
| Policy: View | Yes | Yes | | | Allows admin to view password policy page. |
| Policy: Update | Yes | Yes | | | Allows admin to modify password policy settings. |
| Policy: Delete | Yes | Yes | | | Allows admin to delete password policy. |
| Report: View | Yes | Yes | | | |
| Role: Create | Yes | | | | Allows admin to create custom roles. |
| Role: View | Yes | Yes | | | Allows admin to view custom roles, role assignment in User/Group Management. |
| Role: Update | Yes | | | | Allows admin to update custom roles. |
| Role: Delete | Yes | | | | Allows admin to delete custom roles. |
| Role: Full Visibility | Yes | | | | Allows admin to manage all company roles. |
| SAML: View | Yes | Yes | | | Allows admin to view SAML setting page. |
| Site: Create | Yes | Yes | | Yes | Allows user/admin to create an application, and assign to users/groups. |
| Site: View | Yes | Yes | | Yes | Allows user/admin to view credentials (username/password). |
| Site: Update | Yes | Yes | | Yes | Allows user/admin to modify application settings. |
| Site: Delete | Yes | Yes | | Yes | Allows user/admin to delete applications. |
| Site: Full Visibility | Yes | Yes | | Yes | Allows admin to manage all company applications. |
| Site: Note | Yes | Yes | | Yes | Allows user/admin to view/update note of an application. |
| Site: Storage | Yes | Yes | | Yes | Allows user/admin to view/update storage of an application. |
| Site: Export | Yes | Yes | | Yes | Allows user/admin to export application settings. |
| Site: Import | Yes | Yes | | Yes | Allows user/admin to import applications from a generic CSV file. |
| Storage: Create | Yes | Yes | | | Allows user/admin to upload a file or create a folder. |
| Storage: View | Yes | Yes | | | Allows user/admin to view Secure Drive page. |
| Storage: Delete | Yes | Yes | | | Allows user/admin to delete files/folders. |
| Storage: Full Visibility | Yes | | | | Allows admin to create/update/delete storage services configuration. |
| Subscription: Full Visibility | Yes | | | | Allows admin to change and update subscription and manage payment details for your account. |
| User: Create | Yes | | Yes | | Allows admin to create a user in User Management. |
| User: View | Yes | Yes | Yes | Yes | Allows admin to view users information and settings. |
| User: Update | Yes | Yes | Yes | | Allows admin to update users information and settings. |
| User: Delete | Yes | Yes | Yes | | Allows admin to delete user in User Management. |
| User: Full Visibility | Yes | | Yes | Yes | Allows admin to manage all company users. |
| User: Export | Yes | Yes | Yes | | Allows admin to export users from User Management. |
| User: Import | Yes | Yes | Yes | | Allows admin to import users into User Management. |

 

How to create custom roles

Custom Roles can be created for Users and Groups. To access Roles, open the Smart Menu and, under the Security section, select User Management or Group Management.


Then select a user or group and go to the Role Assignment tab. Click on Create New Role.


  1. Enter a name for the new role.
  2. Enter a description.
  3. Select if this permission is applied to Administrator or Users.
  4. Select permissions from a list of assigned permissions.
  5. Move selected unassigned permission to assigned permission.
  6. Save changes.

 

 

 
