Users & Roles
Accounts created in the Dome9 portal and in the Infinity Portal handle users and roles slightly differently. Dome9 users are created in the Dome9 portal. In the Infinity Portal, users are created for the entire portal and then imported to the CloudGuard CNAPP (Cloud-Native Application Protection Platform) integrated into it.
Users
Users interact with CloudGuard with:
- Web interface (through the portal)
Infinity Portal
If you do not see the Users page in the Settings menu, the users on your CloudGuard account are fully managed by the Infinity Portal. For more information, see the Infinity Portal Administration Guide.
If you see the Users page in the Settings menu, then it is necessary to import users created in the Infinity Portal to CloudGuard. For more information, see Adding a New User in the Infinity Portal.
Dome9 Portal
The Users page under the Settings menu shows the users of the current CloudGuard account.
The user that creates the account is the Account Owner. This user manages CloudGuard Account-related issues, such as billing and subscription plan and has the privileges of a Super User. Only one Account Owner exists for each account. An Account Owner can assign a different user as the Account Owner. In this case, the previous Account Owner receives the role of Super User.
CloudGuard uniquely identifies a user with an email address. You cannot create more than one user for each email. If you need a user which is not bound to an email address, create a Service Account.
Caution - Make sure to delete unnecessary SSO
Service Accounts
You can create a Service Account to work with CloudGuard through the API. A service account cannot interact with CloudGuard through the web interface. You identify the service account with an API Key ID and API Key Secret. Unlike a regular user, this account is not bound to a specific email address. You can use the service account for administration, maintenance, and all other automation tasks, regardless of the person who does these tasks.
You can assign service accounts the same Roles as regular users. To create a service account, see Adding a New Service Account.
Roles
You can configure roles and assign them to users and service accounts. Then you assign permissions to a role. When you assign a role to a user, the permissions of the role are granted to the user, so it is not necessary to assign these permissions to the user explicitly.
In the Infinity Portal only, these roles are synchronized with Specific Service Roles in your Infinity Portal account. You can assign the roles to users in the Infinity Portal. For more information, see Adding and Editing User Accounts.
You can configure any number of custom roles to include all the different types of users necessary for your CloudGuard account, each with the permissions applicable to it.
The preconfigured CloudGuard roles include:
- Super User for Dome9 or Primary Admin / Admin for Infinity Portal - Can access and manage all system resources, add new users, and change their privileges. There can be multiple Super Users in the system.
- Auditor for Dome9 or User Admin / Read-Only for Infinity Portal - Can see all system resources, but cannot create, change, or delete them.
- Kubernetes Agent - Internal role used by Kubernetes agents.
You cannot change or delete the preconfigured roles. You cannot delete a role that contains members.
Switch User Roles
In the Dome9 portal, use the menu on the top bar next to your username to select a different role in your CloudGuard account. The role must be configured and assigned to you.
Direct Permissions
You can grant direct permissions to users or roles to perform various actions in CloudGuard. Some permissions can be set separately or as part of other permissions. Some other permissions can only be granted collectively, such as View permissions given by inheritance. For example, the permission for managing Policies also grants permission to view Rulesets and Notifications.
To set direct permissions, select where to apply them (Scope & Controls, Network Security, or Code Security) and then drill down to set the required level of granularity. At each level, you can grant permissions to View or Manage.
To see permissions that you have already set, toggle the Show Selected button.

Scope
The All System Resources permission affects permissions to all resources in the system.
| Resource Name | Includes | Impact |
|---|---|---|
| System configurations | Set only as part of the All System Resources permission | |
| CloudGuard resources | Can be set separately from the All System Resources permission | Affects permissions to all of the CloudGuard resources |
| Code Security resources | Select the permission level to assign to a Code Security role (Admin Access, Member Access, or Read-Only Access). If two permissions are assigned, the higher permission is granted. | |
| All or specific assets | Can be set separately from the All System Resources permission | Affects the specified assets |
Controls
Use these permissions to view all CloudGuard resources or manage them at the required granularity.
| Controls | Resource Name | Description | Applicable Resources |
|---|---|---|---|
| All CloudGuard Resources | Alerts, exclusions, and remediations | Create and manage findings, exclusions, and remediations. Includes the View permission for Rules and Rulesets. | CloudGuard events, exclusions, remediations, rules, and rulesets |
| | Notifications and integrations | Create and manage Notifications for CloudGuard policies and integrations (see Integration Hub). | Notifications, integrations |
| | Policy | Create and manage CloudGuard policies. | CloudGuard policies, rulesets, rules, notifications |
| | Rules and Rulesets | Create and manage Rules and Rulesets. | Rulesets, rules |
| Onboarding | | Onboard and offboard environments from your CloudGuard account. | CloudGuard environments |

Dynamic Access
Use Dynamic Access Leases for secure access to your Security Groups (see Dynamic Access Leasing) for:
- AWS cloud accounts
- Organizational Units
Controls
Use controls to enable permissions to:
- Create security groups
- Create CloudGuard agents

Access Level
Select the permission level to assign to a Code Security role:
- Read-Only Access
- Member Access
- Admin Access
If two permissions are assigned, the higher permission is granted.
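The Direct Permissions, Controls and Access Level sections describe three rules for how a user's effective permissions are resolved: permissions come from assigned roles or are granted directly (the "Direct" tag), a Manage permission on one resource can carry an inherited View permission on others (managing Policies grants View on Rulesets and Notifications; managing alerts, exclusions and remediations includes View on Rules and Rulesets), and when two Code Security access levels apply, the higher one wins. The following Python model is an added example that is not CloudGuard's own code or API; the permission and level names are taken from this page, while the data structures, function names and the assumption that Manage on a resource also implies View on that same resource are mine.

```python
"""Illustrative model of CloudGuard-style role, direct and inherited permissions.

Added example, not CloudGuard code. Permission names, the inherited-View rules
and the access-level ordering follow the page; everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Code Security access levels in ascending order; if two apply, the higher wins (page rule).
LEVELS = ["Read-Only Access", "Member Access", "Admin Access"]

# Manage permissions that grant View on other resources by inheritance (from the page).
IMPLIED_VIEW = {
    "Policy": {"Rulesets", "Notifications"},
    "Alerts, exclusions, and remediations": {"Rules", "Rulesets"},
}


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str  # "View" or "Manage"


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    code_security_level: Optional[str] = None


@dataclass
class User:
    email: str                      # CloudGuard identifies a user by email address
    roles: List[Role] = field(default_factory=list)
    direct: Set[Permission] = field(default_factory=set)  # shown with the "Direct" tag
    direct_code_security_level: Optional[str] = None


def effective_permissions(user: User) -> Set[Permission]:
    """Union of role and direct permissions, expanded with inherited View permissions."""
    granted = set(user.direct)
    for role in user.roles:
        granted |= role.permissions
    for perm in list(granted):
        if perm.action == "Manage":
            # Assumption: Manage on a resource also lets the holder view that resource.
            granted.add(Permission(perm.resource, "View"))
            # Documented inheritance: e.g. managing Policies grants View on Rulesets.
            for inherited in IMPLIED_VIEW.get(perm.resource, ()):
                granted.add(Permission(inherited, "View"))
    return granted


def effective_code_security_level(user: User) -> Optional[str]:
    """Highest Code Security level among the user's roles and direct assignment."""
    levels = [r.code_security_level for r in user.roles if r.code_security_level]
    if user.direct_code_security_level:
        levels.append(user.direct_code_security_level)
    return max(levels, key=LEVELS.index) if levels else None


def can(user: User, resource: str, action: str) -> bool:
    return Permission(resource, action) in effective_permissions(user)


def users_with_direct_permissions(users: List[User]) -> List[str]:
    """Review helper: users carrying direct grants instead of (or on top of) roles."""
    return sorted(u.email for u in users if u.direct or u.direct_code_security_level)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    policy_manager = Role("policy-manager", {Permission("Policy", "Manage")})
    alice = User("alice@example.com", roles=[policy_manager])
    print("alice can view rulesets:", can(alice, "Rulesets", "View"))     # True, inherited
    print("alice can manage rulesets:", can(alice, "Rulesets", "Manage"))  # False
    bob = User("bob@example.com", roles=[Role("cs-member", code_security_level="Member Access")],
               direct_code_security_level="Read-Only Access")
    print("bob code security level:", effective_code_security_level(bob))  # Member Access
    print("direct grants:", users_with_direct_permissions([alice, bob]))
```

The review helper reflects the page's preference for role-based assignment: a user whose Roles list carries the Direct tag is one whose access is not captured by a role definition, which is worth checking during periodic access reviews.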
Configurations
You can manage users, service accounts, and roles in the Users & Roles menu. In the users or roles table, click the menu in the first column to see and select available actions.

Super Users (Admins) and Account Owner (Primary Admin) can add new CloudGuard users to the account:
- Step 1 - Invite users to the Infinity Portal. To invite users to the Infinity Portal, refer to the instructions in the Infinity Portal Admin Guide and see Configuring Users > To add Users to the Infinity Portal account.
- Step 2 - Import the users to CloudGuard. This step is only applicable if you have imported users into the existing account before. In this case, you have the Users page in the Settings menu. If you create a new CloudGuard account, this step is not applicable.
- Step 3 - Assign roles or permissions to the users. For more, see Adding a Role.
To import users to CloudGuard:
- Select the Users page in the Settings > Roles menu.
- Click Import User. A new window opens.
- Select the user from the list. You can select only a user who accepted your invitation to the Infinity Portal and authenticated with the email address and password.
- Select a Role for the user. The permissions corresponding to the role are automatically granted to the user.
- Click Add. The user appears in the users list with the assigned role.

Super Users and Account Owners can add new CloudGuard users to the account.
- Open the Users page in the Settings > Users & Roles menu.
- Click Add User.
- Enter details for the user. The user is identified by the email address. If the user signs in with Single Sign-On, see Single Sign-On.
- Select Roles or Permissions for the user. The user automatically receives the permissions corresponding to the role, so there is no need to assign these explicitly in the Permissions section. If you do not assign a role, you must explicitly assign permissions to the user in this section. Users with direct permissions have the Direct tag in their Roles list.
- Click Close. An email is sent to the new user, based on the email address entered for the user.

Super Users (Admins) and Account Owner (Primary Administrator) can add new CloudGuard Service Accounts.
- From the Settings menu, select the Users & Roles > Service Accounts page.
- Click Add Account.
- In the Add Service Account dialog box, enter the account name.
- Select a Role for the service account. You can select more than one role by clicking each role in turn.
- Click Add. The New Service Account Details dialog box displays the API Key ID and API Key Secret values.
- Click the Copy icon to copy each value and save them for future use.
- Click Close.
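The Service Accounts section above says a service account is used only through the API and is identified by its API Key ID and API Key Secret, and the procedure just described is the only moment the secret is shown. The following Python helper is an added example, not CloudGuard's own client or documented API: it assumes the key ID and secret are supplied as environment variables (the names DOME9_API_KEY_ID and DOME9_API_KEY_SECRET are my choice), that the API accepts them as HTTP Basic authentication, and a placeholder base URL, so a practitioner can keep the saved values out of source code and out of logs.

```python
"""Minimal service-account client skeleton for a CloudGuard-style REST API.

Added example, not CloudGuard code. Assumptions (not from the page): the
environment variable names, HTTP Basic auth with key ID as the user name and
key secret as the password, and the base URL placeholder below.
"""
import base64
import json
import os
import urllib.request
from typing import Optional, Tuple

# Placeholder; replace with the API base URL from your CloudGuard documentation.
BASE_URL = "https://api.example.invalid/v2"


def load_credentials(env: Optional[dict] = None) -> Tuple[str, str]:
    """Read the API Key ID and Secret from the environment, never from source code."""
    env = os.environ if env is None else env
    key_id = env.get("DOME9_API_KEY_ID", "")
    secret = env.get("DOME9_API_KEY_SECRET", "")
    if not key_id or not secret:
        raise RuntimeError("DOME9_API_KEY_ID and DOME9_API_KEY_SECRET must be set")
    return key_id, secret


def basic_auth_header(key_id: str, secret: str) -> str:
    """Build the Authorization value: Basic base64('<key id>:<key secret>')."""
    token = base64.b64encode(f"{key_id}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def redact_key_id(key_id: str, visible: int = 4) -> str:
    """Log-safe form of the key ID: keep a short prefix for correlation, mask the rest."""
    return key_id[:visible] + "*" * max(len(key_id) - visible, 0)


def api_get(path: str, key_id: str, secret: str, timeout: float = 10.0):
    """GET a JSON resource under BASE_URL using the service-account credentials."""
    req = urllib.request.Request(
        f"{BASE_URL}/{path.lstrip('/')}",
        headers={"Authorization": basic_auth_header(key_id, secret),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key_id, secret = load_credentials()
    # Only the redacted key ID ever reaches logs; the secret is never printed.
    print("using service account key", redact_key_id(key_id))
    print(api_get("user", key_id, secret))
```

Keeping the secret in the environment (or a secrets manager that populates it) matches the page's model of a service account as a credential for automation rather than a person: rotating it means creating a new service account with the same roles and retiring the old one, without changing any code.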

You can configure roles with specific permissions and assign them to users and service accounts. The roles you configure are specific to your CloudGuard account. In the Infinity Portal, the roles are synchronized with Specific Service Roles in your Infinity Portal account. You can assign roles to the users in the Infinity Portal.
- Open the Roles page in the Settings > Users & Roles menu.
- Click Add Role.
- Enter a name for the role and select permissions for it.
- Optionally, select users and service accounts for the role. These users and accounts receive the permissions corresponding to the role.

You can change details for a user or a service account, including their permissions.
- Select the user or service account from the list.
- On the menu bar, click Edit to make changes to the role(s) or permissions related to the user.
- Click Close.

A Super User can configure a user to use Single Sign-On (SSO). To do this, first enable Single Sign-On for the account.
- With a Super User account, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.
- Select the user to connect to SSO and click Connect to SSO on the menu bar.

- With Super User credentials, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.
- Select the user to disconnect from SSO and click Disconnect from SSO on the menu bar.

As a best practice, delete all unnecessary SSO and non-SSO users from the user list.
- With a Super User account, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.
- Select a user to delete and click Delete on the menu bar.

A Super User can disable MFA for other users.
To disable MFA for a different user:
- In CloudGuard, navigate to Settings > Users & Roles > Users to see the list of all users in the CloudGuard account.
- Select the user with enabled MFA.
- On the menu bar, click Disable MFA. A confirmation window opens.
- Click OK.

The Account Owner (Primary Administrator) can assign a different user to be the Account Owner. Then, the former Account Owner is automatically assigned the Super User role.
- With the Account Owner credentials, log in to the CloudGuard portal and navigate to the Users page in the Settings > Users & Roles menu.
- Select the user to set as the Account Owner and click Set as account owner on the menu bar.

Users who enter an incorrect password more than a set number of times when logging in are locked out of their account. Their account can be unlocked by a Super User, on the Users page.
- To unlock the user, select the user and click Reset password on the menu bar.