Users and Access Control

Domains

The domain is the basic object collection on Infinity NDR (Network Detection and Response) Indicator Management. All objects are connected to a domain. This includes sensors, logs, packet captures, indicators, views, insights, reports, etc.

Authorizations

Each domain defines a set of user authorizations that you can view and edit in MANAGEMENT > Users. A user's authorization on the domain defines a Role for the user's access to the domain.

Users

The first time a user authorizes to a domain, it creates a user object with the user's email address. The user is independent of any domain. The user's email address is used both for the user's unique identity and to communicate with the user, for example, for reports and notifications.

The user receives an email with a link. Clicking on the link provisions the user object and generates a certificate with the user's email address as the CN. This certificate is downloaded to the user's endpoint and installed with a user-defined security level.

When the user logs in with his certificate, the Infinity NDR application verifies the user's certificate, retrieves the user's domain authorizations, and matches them to the requested domain and service. Requests that are not approved are rejected. Both authorized and unauthorized requests are audited, and you can see them on the MANAGEMENT > System Events tab.

Note - Deleting a user record from MANAGEMENT > Users does not revoke the user's certificate – only the user's authorizations to the domain. If a user is left with no authorizations to any domain, the user account is eventually deleted by automated cleanup services, and the user certificate is revoked.

Note - A user with Write authorizations can invoke the MANAGEMENT > Users > Actions > REISSUE CREDENTIALS action for a user. This sends an email with a reissue link to the target user's email address. If the user receives the email and clicks the link, a new certificate is generated for the user to download.

Roles

A Role defines a set of permissions to use Infinity NDR Indicator Management services. The MANAGEMENT > Roles tab shows the currently supported permissions:

  • Administrator – User authorizations, monitored domains, and input feed management.

  • Write – Modify objects on the domain.

  • Management – Access the MANAGEMENT tab and its services.

  • Analytics – Access the VIEWS and INSIGHTS tabs and their services.

  • Intelligence – Access the INTEL tab and its services.

  • Logs – Can see logs on the domain.

By default, each domain includes the Read Only, Read Write, and Domain Administrator roles. You can configure additional roles as needed.

For example, the Read Only role can access all tabs but cannot manage user authorizations or change any objects. The Intel role shows only the MANAGEMENT and INTEL tabs and can therefore only view and change indicators, not logs.

Monitored Domains

The monitored domain can be accessed by all approved users. The Domain Administrator can create a new domain from the MANAGEMENT > Monitored Domains tab. This creates a monitored subdomain that all the users approved to the monitored domain can access. The new domain is added to the domain drop-down menu.

The monitored domain defines the permissions that users approved to the monitoring domain receive on the monitored domain's objects. Effective permissions are the intersection (the minimum) of the user's permissions on the two domains.

For example, suppose domain X monitors domain Y with the Read Only role. If a user is approved as a Domain Administrator on X, he now has permissions to access Y's objects and services as a Read Only Domain Administrator. If the user is approved to both X and Y, access to Y's objects and services is controlled through the more specific role assignment, which means the approval on the Y domain.

When the monitoring relationship is created in the context of the creation of a subdomain, the Domain Administrator role is used for the relationship.
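The X/Y example above, worked through as a small model that also records every decision the way System Events does. This is an added example, not Check Point code: the permission sets assigned to the three default roles, the sample users, and the handling of several monitoring relationships at once are assumptions.

```python
# Permission names come from the Roles list on this page.
ALL = frozenset({"Administrator", "Write", "Management",
                 "Analytics", "Intelligence", "Logs"})

# Assumed permission sets for the three default roles.
ROLES = {
    "Read Only": ALL - {"Administrator", "Write"},
    "Read Write": ALL - {"Administrator"},
    "Domain Administrator": ALL,
}

# Constructed sample data: AUTHORIZATIONS[domain][email] = role name.
AUTHORIZATIONS = {
    "X": {"alice@example.com": "Domain Administrator",
          "bob@example.com": "Domain Administrator"},
    "Y": {"bob@example.com": "Read Write"},
}
# (monitoring domain, monitored domain) -> role granted by the relationship.
MONITORING = {("X", "Y"): "Read Only"}

AUDIT_LOG = []  # every decision is recorded, allowed or not


def effective_permissions(email, domain):
    """Permissions the user holds on `domain`."""
    direct = AUTHORIZATIONS.get(domain, {}).get(email)
    if direct is not None:
        # A direct approval on the domain is the more specific assignment.
        return ROLES[direct]
    perms = frozenset()
    for (monitoring, monitored), rel_role in MONITORING.items():
        role = AUTHORIZATIONS.get(monitoring, {}).get(email)
        if monitored == domain and role is not None:
            # Intersection of the role on the monitoring domain and the
            # relationship role. Union over several relationships is assumed.
            perms |= ROLES[role] & ROLES[rel_role]
    return perms


def authorize(email, domain, permission):
    """Decide one request; `email` is assumed to be the CN of a verified certificate."""
    allowed = permission in effective_permissions(email, domain)
    AUDIT_LOG.append({"user": email, "domain": domain,
                      "permission": permission, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user, "Write on Y:", authorize(user, "Y", "Write"))
```

Alice, a Domain Administrator on X only, is denied Write on Y. Bob is allowed because his direct Read Write approval on Y takes precedence over the relationship role.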

Establishing a Monitoring Relationship between two Domains

You can create the monitoring relationship between any two domains even if the two domains were originally created independently. To do this:

  1. Log in with a user that has Domain Administrator authorizations.

  2. Click * New on the MANAGEMENT > Monitored Domains tab.

  3. Specify a Monitoring Domain Name. It must match the monitoring domain's name fully.

  4. Provide an Email, First Name, and Last Name for the contact person at the monitoring domain.

  5. Select a Role for the monitoring relationship – this restricts the actions the monitoring domain's users can do on the current domain.

  6. Click SAVE.

  7. The request shows up on the monitoring domain. A Domain Administrator for that domain must click Approve on the request before it takes effect.

For example, to allow the Check Point Managed Detection and Response (MDR) service to monitor your domain, enter Check_Point_MDR as the Monitoring Domain Name. When the MDR team approves the monitoring request, the MDR service automatically starts using Infinity NDR APIs to pull insights and logs from Infinity NDR to MDR, and to supply threat indicators to enforcement points for prevention.

A Domain Administrator on either the monitoring or monitored domain can delete the relationship.