Users & Roles

Users

The Users page of the Settings menu shows the users of the current CloudGuard account.

The user that creates the account is the Account Owner. This user manages CloudGuard Account-related issues, such as billing and subscription plan and has the privileges of a Super User. Only one Account Owner exists for each account. An Account Owner can assign a different user as the Account Owner. In this case, the previous Account Owner receives the role of Super User.

CloudGuard identifies its users with an email address. You cannot create more than one user for each email. If you need a user which is not bound to an email address, create a Service Account.

Caution - Make sure to delete unnecessary SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. users when they are deactivated or no longer need access to CloudGuard (see Deleting users for more information).

Users interact with CloudGuard with:

Service Accounts

You can create a Service Account to work with CloudGuard through the API. A service account interaction with CloudGuard using the web interface is not possible. You identify the service account with an API Key ID and API Key Secret. Unlike a regular user, this account is not bound to a specific email address. You can use the service account for administration, maintenance, and all other automation tasks, regardless of the person who does these tasks.

You can assign service accounts the same Roles as regular users. To create a service account, see Adding a New Service Account.

Roles

You can configure roles and assign them to users and service accounts. Then you assign permissions to a role. When you assign a role to a user, the permissions of the role are granted to the user, so it is not necessary to assign these permissions to the user explicitly.

You can configure any number of roles to include all the different types of users necessary for your CloudGuard account, each with the permissions applicable to it.

The preconfigured CloudGuard roles include:

You cannot change or delete the preconfigured roles. You cannot delete a role that contains members.

Switch User Roles

On the top bar, use the menu next to your User name to select a different role in your CloudGuard account. The role must be configured and assigned to you.

Permissions

You can grant permissions that appear in the table below to users or roles to do actions in CloudGuard. Some permissions can be set separately or as part of other permissions. Some other permissions inherently have View permissions for dependent resources (for example, the permission for managing Policies also grants permissions to view Rulesets and Notifications).

Permission

Description

Applicable Resources

Dynamic Access

Use Dynamic Access Leases for secure access to your Security Groups (see Dynamic Access Leasing)

Dynamic Access Leases (AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.)

  • Organizational Units

  • AWS cloud accounts

Create Security Groups

Create Security Groups in your environments

Security Groups in your environments

Manage Resources

Create and manage access for all or specific assets, CloudGuard resources, and system configurations.

Select one or more groups of resources.

All System Resources or

View Resources

See all or part of CloudGuard system resources without changing them.

Select one or more groups of resources.

All System Resources or

Cross Account Access

Get access to all environments or selected environments, with all roles or selected roles

All CloudGuard system resources

Rulesets & Rules

Create and manage Rules and Rulesets

Rulesets, rules

Alerts Notifications

Create, edit, and delete Notifications for CloudGuard policies and Integrations (Integration Hub).

Notifications, integrations

Policies

Create and manage CloudGuard policies:

  • Create a new policy, edit an existing policy, delete/unassociate a policy

  • Includes the View permission for Rulesets and Notifications

CloudGuard policies, rulesets, rules, notifications

Manage Alerts

Acknowledge, assign, comment, or delete findings. Create, edit, and delete exclusions and remediations. Includes the View permission for Rulesets & Rules.

CloudGuard Events, Exclusions, Remediations, Rules, Rulesets

Onboarding

Onboard and delete environments in your CloudGuard account.

CloudGuard Environments

All System Resources

The All System Resources permission affects permissions to all resources in the system.

All resources

Resource Name

Includes

Impact

 

 

 

 

 

 

 

 

 

All System Resources

System configurations - Set only as part of the All System Resources

  • Accounts

  • Users and roles

  • Network security (can be set separately with the Create Security Groups permission)

  • Leases (can be set separately with the Dynamic Access permission)

  • Onboarding (can be set separately with the Onboarding permission)

 

CloudGuard resources - Can be set separately from the All System Resources

  • Notifications and integrations (can be set separately with the Notifications permission)

  • Rules & rulesets (can be set separately with the Rules & Ruleset permission)

  • Policies (can be set separately with the Policies permission)

  • Alerts, exclusion, and remediation (can be set separately with the Manage Alerts permission)

Affects permissions to all of these resources:

  • Policy, Rules and Rulesets, Notifications & Integrations

  • Account, users, and roles

  • Settings

Code Security resources

Select the permission level to which assign a Code Security role (Admin Access, Member Access, or Read-Only Access). If two permissions are assigned, the higher permission is granted.

 

All or specific assets - Can be set separately from the All System Resources.

  • Create / manage or view access to an Organizational Unit or any of the nested Organizational Units.

  • Select environments to give access to

    • all environments of a specific vendor

    • specific environments for a specific vendor

Affect the specified assets

Actions

You can manage users, service accounts, and roles in the Users & Roles menu. In the users or roles table, click the menu in the first column to see and select available actions.

Super Users and Account Owners can add new CloudGuard users to the account.

  1. Open the Users page in the Settings > Users & Roles menu.

  2. Click Add User.

  3. Enter details for the user. The user is identified by the email address. If the user signs in with Single Sign-On, see Single Sign-On.

  4. Select Roles or Permissions for the user. The user receives the permissions corresponding with the role automatically, so no need to assign these explicitly in the Permissions section. If you do not assign a role, you must explicitly assign permissions to the user in this section. Users with direct permissions have the Direct tag in their Roles list.

  5. Click Close. An email is sent to the new user, based on the email address entered for the user.

Super Users and Account Owner can add new CloudGuard Service Accounts.

  1. From the Settings menu, select the Users & Roles > Service Accounts page.

  2. Click Add Account.

  3. In the Add Service Account dialog box, enter the account name.

  4. Select a Role for the service account. You can select more than one role when you click each Role one by one.

  5. Click Add. The New Service Account Details dialog box displays the API Key ID and API Key Secret values.

  6. Click the Copy icon to copy the details of each value and save them for future use.

  7. Click Close.

You can configure roles with specific permissions and assign them to users and service accounts. The roles you configure are specific to your CloudGuard account.

  1. Open the Roles page in the Settings > Users & Roles menu.

  2. Click Add Role.

  3. Enter a name for the role and select permissions for it.

  4. Optionally, select users and service accounts for the role. These users and accounts receive the permissions corresponding with the role.

You can change details for a user or a service account, including their permissions.

  1. Select the user or service account from the list.

  2. On the menu bar, click Edit to make changes to the role(s) or permissions related to the user.

  3. Click Close.

A Super User can configure a user to use Single Sign-On (SSO). To do this, first enable Single Sign-On for the account.

  1. With a Super User account, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.

  2. Select the user that is necessary to connect to SSO and click Connect to SSO on the menu bar.

  1. With Super User credentials, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.

  2. Select the user that is necessary to disconnect from SSO and click Disconnect from SSO on the menu bar.

As a best practice, delete all unnecessary SSO and non-SSO users from the user list.

  1. With a Super User account, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.

  2. Select a user to delete and click Delete on the menu bar.

A Super User can disable MFA for other users.

To disable MFA for a different user:

  1. In CloudGuard, navigate to Settings > Users & Roles > Users to see the list of all users in the CloudGuard account.

  2. Select the user with enabled MFA.

  3. On the menu bar, click Disable MFA.

    A confirmation window opens.

  4. Click OK.

The Account Owner can assign a different user to be the Account Owner. Then, the former Account Owner is automatically assigned the Super User role.

  1. With the Account Owner credentials, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.

  2. Select the user that is necessary to set as the Account Owner and click Set as account owner on the menu bar.

Users who enter an incorrect password more than a set number of times when logging in are locked out of their account. Their account can be unlocked by a Super User, on the Users page.

  • To unlock the user, select the user and click Reset password on the menu bar.