Users & Roles

Users

The Users page of the Settings menu shows the users of the current CloudGuard account.

The user that creates the account is the Account Owner. This user manages CloudGuard Account-related issues, such as billing and subscription plan and has the privileges of a Super User. Only one Account Owner exists for each account. An Account Owner can assign a different user as the Account Owner. In this case, the previous Account Owner receives the role of Super User.

CloudGuard identifies its users with an email address. You cannot create more than one user for each email. If you need a user which is not bound to an email address, create a Service Account.

Caution - Make sure to delete unnecessary SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. users when they are deactivated or no longer need access to CloudGuard (see Deleting users for more information).

Users interact with CloudGuard with:

Service Accounts

You can create a Service Account to work with CloudGuard through the API. A service account interaction with CloudGuard using the web interface is not possible. You identify the service account with an API Key ID and API Key Secret. Unlike a regular user, this account is not bound to a specific email address. You can use the service account for administration, maintenance, and all other automation tasks, regardless of the person who does these tasks.

You can assign service accounts the same Roles as regular users. To create a service account, see Adding a New Service Account.

Roles

You can configure roles and assign them to users and service accounts. Then you assign permissions to a role. When you assign a role to a user, the permissions of the role are granted to the user, so it is not necessary to assign these permissions to the user explicitly.

You can configure any number of roles to include all the different types of users necessary for your CloudGuard account, each with the permissions applicable to it.

The preconfigured CloudGuard roles include:

You cannot change or delete the preconfigured roles. You cannot delete a role that contains members.

Switch User Roles

On the top bar, use the menu next to your User name to select a different role in your CloudGuard account. The role must be configured and assigned to you.

Permissions

You can grant permissions that appear in the table below to users or roles to do actions in CloudGuard. Some permissions can be set separately or as part of other permissions. Some other permissions inherently have View permissions for dependent resources (for example, the permission for managing Policies also grants permissions to view Rulesets and Notifications).

Permission

Description

Applicable Resources

Dynamic Access

Use Dynamic Access Leases for secure access to your Security Groups (see Dynamic Access Leasing)

Dynamic Access Leases (AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.)

  • Organizational Units

  • AWS cloud accounts

Create Security Groups

Create Security Groups in your environments

Security Groups in your environments

Manage Resources

Create and manage access for all or specific assets, CloudGuard resources, and system configurations.

Select one or more groups of resources.

All System Resources or

View Resources

See all or part of CloudGuard system resources without changing them.

Select one or more groups of resources.

All System Resources or

Cross Account Access

Get access to all environments or selected environments, with all roles or selected roles

All CloudGuard system resources

Rulesets & Rules

Create and manage Rules and Rulesets

Rulesets, rules

Alerts Notifications

Create, edit, and delete Notifications for CloudGuard policies and Integrations (Integration Hub).

Notifications, integrations

Policies

Create and manage CloudGuard policies:

  • Create a new policy, edit an existing policy, delete/unassociate a policy

  • Includes the View permission for Rulesets and Notifications

CloudGuard policies, rulesets, rules, notifications

Manage Alerts

Acknowledge, assign, comment, or delete findings. Create, edit, and delete exclusions and remediations. Includes the View permission for Rulesets & Rules.

CloudGuard Events, Exclusions, Remediations, Rules, Rulesets

Onboarding

Onboard and delete environments in your CloudGuard account.

CloudGuard Environments

All System Resources

The All System Resources permission affects permissions to all resources in the system.

All resources

Resource Name

Includes

Impact

 

 

 

 

 

 

 

 

 

All System Resources

System configurations - Set only as part of the All System Resources

  • Accounts

  • Users and roles

  • Network security (can be set separately with the Create Security Groups permission)

  • Leases (can be set separately with the Dynamic Access permission)

  • Onboarding (can be set separately with the Onboarding permission)

 

CloudGuard resources - Can be set separately from the All System Resources

  • Notifications and integrations (can be set separately with the Notifications permission)

  • Rules & rulesets (can be set separately with the Rules & Ruleset permission)

  • Policies (can be set separately with the Policies permission)

  • Alerts, exclusion, and remediation (can be set separately with the Manage Alerts permission)

Affects permissions to all of these resources:

  • Policy, Rules and Rulesets, Notifications & Integrations

  • Account, users, and roles

  • Settings

Code Security resources

Select the permission level to which assign a Code Security role (Admin Access, Member Access, or Read-Only Access). If two permissions are assigned, the higher permission is granted.

 

All or specific assets - Can be set separately from the All System Resources.

  • Create / manage or view access to an Organizational Unit or any of the nested Organizational Units.

  • Select environments to give access to

    • all environments of a specific vendor

    • specific environments for a specific vendor

Affect the specified assets

Actions

You can manage users, service accounts, and roles in the Users & Roles menu. In the users or roles table, click the menu in the first column to see and select available actions.