Roles

Users

If you do not see the Users page in the Settings menu, the users on your CloudGuard account are fully managed by the Infinity Portal. For more information, see Infinity Portal Administration Guide.

If you see the Users page in the Settings menu, then it is necessary to import users created in the Infinity Portal to CloudGuard. For more information, see Adding a New User.

Users interact with CloudGuard with:

Service Accounts

You can create a Service Account to work with CloudGuard through the API. A service account cannot interact with CloudGuard through the web interface. You identify the service account with an API Key ID and API Key Secret. Unlike a regular user, this account is not bound to a specific email address. You can use the service account for administration, maintenance, and all other automation tasks, regardless of the person who performs these tasks.

You can assign service accounts the same Roles as regular users. To create a service account, see Adding a New Service Account.

Roles

You can configure roles and assign them to users and service accounts. Then you assign permissions to a role. When you assign a role to a user, the permissions of the role are granted to the user, so it is not necessary to assign these permissions to the user explicitly. The roles are synchronized with Specific Service Roles in your Infinity Portal account. You can assign the roles to users in the Infinity Portal. For more, see Configuring Users > To edit Users.

You can configure any number of roles to include all the different types of users necessary for your CloudGuard account, each with the permissions applicable to it.

The preconfigured CloudGuard roles include:

You cannot change or delete the preconfigured roles. You cannot delete a role that contains members.

Permissions

You can grant the permissions that appear in the table below to users or roles to perform actions in CloudGuard. The Global Roles assigned in the Infinity Portal account affect user permissions. Some permissions can be set separately or as part of other permissions. Some other permissions inherently include View permissions for dependent resources (for example, the permission for managing Policies also grants permission to view Rulesets and Notifications).

| Permission | Description | Applicable Resources |
|---|---|---|
| Dynamic Access | Use Dynamic Access Leases for secure access to your Security Groups (see Dynamic Access Leasing) | Dynamic Access Leases (AWS): Organizational Units; AWS cloud accounts |
| Create Security Groups | Create Security Groups in your environments | Security Groups in your environments |
| Manage Resources | Create and manage access for all or specific assets, CloudGuard resources, and system configurations. Select one or more groups of resources. | All System Resources or |
| View Resources | See all or part of CloudGuard system resources without changing them. Select one or more groups of resources. | All System Resources or |
| Cross Account Access | Get access to all environments or selected environments, with all roles or selected roles | All CloudGuard system resources |
| Rulesets & Rules | Create and manage Rules and Rulesets | Rulesets, rules |
| Alerts Notifications | Create, edit, and delete Notifications for CloudGuard policies and Integrations (Integration Hub). | Notifications, integrations |
| Policies | Create and manage CloudGuard policies: create a new policy, edit an existing policy, delete/unassociate a policy. Includes the View permission for Rulesets and Notifications. | CloudGuard policies, rulesets, rules, notifications |
| Manage Alerts | Acknowledge, assign, comment, or delete findings. Create, edit, and delete exclusions and remediations. Includes the View permission for Rulesets & Rules. | CloudGuard Events, Exclusions, Remediations, Rules, Rulesets |
| Onboarding | Onboard and delete environments in your CloudGuard account. | CloudGuard Environments |
| All System Resources | The All System Resources permission affects permissions to all resources in the system. | All resources |

| Resource Name | Includes | Impact |
|---|---|---|
| All System Resources | System configurations (set only as part of All System Resources): Accounts; Users and roles; Network security (can be set separately with the Create Security Groups permission); Leases (can be set separately with the Dynamic Access permission); Onboarding (can be set separately with the Onboarding permission). CloudGuard resources (can be set separately from All System Resources): Notifications and integrations (can be set separately with the Notifications permission); Rules & rulesets (can be set separately with the Rulesets & Rules permission); Policies (can be set separately with the Policies permission); Alerts, exclusions, and remediations (can be set separately with the Manage Alerts permission) | Affects permissions to all of these resources: Policy, Rules and Rulesets, Notifications & Integrations; Account, users, and roles; Settings |
| Code Security resources | Select the permission level to assign to a Code Security role (Admin Access, Member Access, or Read-Only Access). If two permissions are assigned, the higher permission is granted. | |
| All or specific assets (can be set separately from All System Resources) | Create / manage or view access to an Organizational Unit or any of its nested Organizational Units. Select environments to give access to: all environments of a specific vendor, or specific environments of a specific vendor. | Affects the specified assets |
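As an added illustration (constructed for this page; not CloudGuard's own code and not a call to its API), the following Python model applies the permission rules described above when reviewing what a user or service account can actually do: the roles assigned to a principal are combined, All System Resources covers the permissions that the table says can also be set separately, Policies and Manage Alerts carry implied View grants, and when two Code Security levels are assigned the higher one wins. The Role class, the dictionaries, the role names, and the least-privilege check are assumptions made for the example; the product may resolve permissions differently.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the permission semantics described on this page.
# It is not CloudGuard code and does not call the CloudGuard API.

# Permissions that the page says inherently carry View on dependent resources.
IMPLIED_VIEW: Dict[str, Set[str]] = {
    "Policies": {"Rulesets & Rules", "Alerts Notifications"},
    "Manage Alerts": {"Rulesets & Rules"},
}

# Permissions the page lists as settable separately but also covered by
# All System Resources (the "can be set separately with ..." notes).
COVERED_BY_ALL_SYSTEM: Set[str] = {
    "Create Security Groups", "Dynamic Access", "Onboarding",
    "Alerts Notifications", "Rulesets & Rules", "Policies", "Manage Alerts",
}

# Code Security levels ranked so that the higher one wins when two are assigned.
CODE_SECURITY_RANK: Dict[str, int] = {
    "Read-Only Access": 1, "Member Access": 2, "Admin Access": 3,
}


@dataclass
class Role:
    """Assumed shape of a role for this example: a name, manage/create
    permissions, explicit view-only permissions, and a Code Security level."""
    name: str
    manage: Set[str] = field(default_factory=set)
    view: Set[str] = field(default_factory=set)
    code_security: Optional[str] = None


def effective_permissions(roles: List[Role]) -> Dict[str, object]:
    """Combine the roles assigned to one user or service account into one
    effective set, expanding All System Resources and implied View grants."""
    manage: Set[str] = set()
    view: Set[str] = set()
    levels: List[str] = []
    for role in roles:
        manage |= role.manage
        view |= role.view
        if role.code_security is not None:
            levels.append(role.code_security)
    # All System Resources affects every resource, so it also grants the
    # permissions that could have been set individually.
    if "All System Resources" in manage:
        manage |= COVERED_BY_ALL_SYSTEM
    # Managing Policies or Alerts implies View on their dependent resources.
    for perm in list(manage):
        view |= IMPLIED_VIEW.get(perm, set())
    # Higher Code Security level wins when several roles set one.
    code = max(levels, key=CODE_SECURITY_RANK.__getitem__) if levels else None
    return {"manage": manage, "view": view, "code_security": code}


def excess_manage_permissions(roles: List[Role], needed: Set[str]) -> Set[str]:
    """Least-privilege check: manage permissions the principal holds beyond
    the set it actually needs (useful when reviewing a service account)."""
    return set(effective_permissions(roles)["manage"]) - needed


if __name__ == "__main__":
    # Constructed roles; the names and contents are illustrative and are
    # not the preconfigured CloudGuard roles.
    policy_editor = Role("policy-editor", manage={"Policies"}, code_security="Member Access")
    auditor = Role("auditor", view={"Onboarding"}, code_security="Read-Only Access")
    eff = effective_permissions([policy_editor, auditor])
    print("manage:", sorted(eff["manage"]))
    print("view:", sorted(eff["view"]))
    print("code security:", eff["code_security"])
    # A service account that only needs Rulesets & Rules but holds a role
    # granting All System Resources: report everything beyond that need.
    automation = Role("automation", manage={"All System Resources"})
    print("excess:", sorted(excess_manage_permissions([automation], {"Rulesets & Rules"})))
```

Running the module prints the combined manage and view sets for the two constructed roles and then lists the permissions the automation service account holds beyond the single one it needs, which is the kind of check worth running before handing an API Key ID and Secret to a pipeline.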

Actions

You can manage service accounts and roles in the Roles menu. In the roles table, click the menu in the first column to see and select the available actions.