Users & Roles

Users

The Users page of the Settings menu shows the users of the current CloudGuard account.

The user that creates the account is the Account Owner. This user manages CloudGuard Account-related issues, such as billing and the subscription plan, and has the privileges of a Super User. Only one Account Owner exists for each account. An Account Owner can assign a different user as the Account Owner. In this case, the previous Account Owner receives the role of Super User.

CloudGuard identifies its users with an email address. You cannot create more than one user for each email. If you need a user that is not bound to an email address, create a Service Account.

Caution - Make sure to delete unnecessary SSO (Single Sign-On) users when they are deactivated or no longer need access to CloudGuard (see Deleting SSO users for more information).

Users interact with CloudGuard with:

Service Accounts

You can create a Service Account to work with CloudGuard through the API. A service account cannot interact with CloudGuard through the web interface. You identify the service account with an API Key ID and API Key Secret. Unlike a regular user, this account is not bound to a specific email address. You can use the service account for administration, maintenance, and all other automation tasks, regardless of the person that does these tasks.

You can assign service accounts the same Roles as regular users. To create a service account, see Adding a New Service Account.

Roles

You can configure roles and assign them to users and service accounts. Then you assign permissions to a role. When you assign a role to a user, the permissions of the role are granted to the user, so it is not necessary to assign these permissions to the user explicitly.

You can configure any number of roles to include all the different types of users necessary for your CloudGuard account, each with the permissions applicable to it.

The preconfigured CloudGuard roles include:

You cannot change or delete the preconfigured roles. You cannot delete a role that contains members.

Switch User Roles

On the top bar, use the menu next to your User name to select a different role in your CloudGuard account. The role must be configured and assigned to you.

Permissions

You can grant the permissions that appear in the table below to users or roles to do actions in CloudGuard.

| Permission | Description | Applicable Resources |
|---|---|---|
| Dynamic Access | Use Dynamic Access Leases for secure access to your Security Groups (see Dynamic Access Leasing) | Dynamic Access Leases (AWS) |
| Create Security Groups | Create Security Groups in your environments | Security Groups in your environments |
| Manage Resources | Create and manage CloudGuard system resources, such as accounts, leases, settings, users, roles, and network security entities such as Security Groups, in selected environments. You can select all environments, specific environments, or environments in specific Organizational Units. | All CloudGuard system resources |
| View Resources | See all CloudGuard system resources, but cannot change them. The resources can be for all environments, selected environments, or environments in selected Organizational Units. | All CloudGuard system resources |
| Cross Account Access | Get access to all environments or selected environments, with all roles or selected roles | All CloudGuard system resources |
| Rulesets and Rules | Create and manage Rulesets - Shows your rulesets and rules, preconfigured rulesets, and custom ones that you define. | Rulesets, rules |
| Alerts Notifications | Configure Notifications for the Compliance Engine | Notifications |
| Policies | Create and manage Continuous Posture Policies | CloudGuard Continuous Posture |
| Manage Alerts | Acknowledge, assign, comment, or delete alerts; create exclusions and remediations | CloudGuard Events, Exclusions, and Remediations |
| Onboarding | Onboard new environments | CloudGuard Environments |
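For a periodic access review of the roles and permissions described above, the following added example (not CloudGuard code and not from this page) resolves what each user or service account can reach through its roles and flags deactivated SSO users, account-wide grants, and roles without members. The inventory format, the field names, the `*` scope marker, and the choice of which permissions count as broad are assumptions, and the union across a principal's assigned roles is treated as the most that principal can reach.

```python
# Constructed inventory: field names and layout are hypothetical, not a CloudGuard export.
ROLES = {
    "net-ops":    [("Manage Resources", "env:prod-aws")],
    "auditors":   [("View Resources", "*")],            # "*" = all environments (assumed marker)
    "automation": [("Manage Resources", "*"), ("Cross Account Access", "*")],
    "legacy":     [("Onboarding", "*")],
}
PRINCIPALS = [
    {"name": "alice@example.com", "kind": "user", "sso": False, "active": True,
     "roles": ["net-ops", "auditors"]},
    {"name": "bob@example.com", "kind": "user", "sso": True, "active": False,
     "roles": ["auditors"]},
    {"name": "ci-deploy", "kind": "service_account", "sso": False, "active": True,
     "roles": ["automation"]},
]
# Assumption for this review: permissions treated as high impact when granted everywhere.
BROAD = {"Manage Resources", "Cross Account Access"}


def effective_permissions(principal, roles=ROLES):
    """Union of (permission, scope) grants over every role assigned to the principal."""
    grants = set()
    for role in principal["roles"]:
        grants.update(roles.get(role, []))
    return grants


def empty_roles(principals=PRINCIPALS, roles=ROLES):
    """Roles with no members; per the page, only these can be deleted."""
    used = {r for p in principals for r in p["roles"]}
    return sorted(set(roles) - used)


def review(principals=PRINCIPALS, roles=ROLES):
    """Return (principal, finding) pairs for the access review."""
    findings = []
    for p in principals:
        if p["sso"] and not p["active"]:
            findings.append((p["name"], "deactivated SSO user still present; delete it"))
        for perm, scope in sorted(effective_permissions(p, roles)):
            if perm in BROAD and scope == "*":
                findings.append((p["name"], f"{perm} on all environments; narrow the scope"))
    return findings


if __name__ == "__main__":
    for name, finding in review():
        print(f"{name}: {finding}")
    print("roles without members:", empty_roles())
```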

Actions

You can manage users, service accounts, and roles in the Users & Roles menu. In the users or roles table, click the menu in the first column to see and select available actions.