Enterprise Recon 2.6.1

User Permissions

ER2 uses a form of Role-Based Access Control (RBAC) where a user has access to resources and privileges to perform specific tasks based on the roles and permissions granted to the user.

This article covers the following topics:

Overview

A user is granted access to ER2 resources according to the roles and permissions that are explicitly assigned to the user. Permissions can be assigned via:

  • Global Permissions: Determines the global settings and resources that a user can manage and access.
  • Resource Permissions: Determines the resources that a user can access, and the actions that can be taken on those resources.
  • Roles: Contain pre-set combinations of Global Permissions and Resource Permissions that determine the resources that a user can access, and the actions that can be taken on those resources.

Global Permissions

A Global Admin or Permissions Manager can manage the Global Permissions that are assigned to a user.

  1. Log in to the ER2 Web Console.
  2. Go to the Users > User Accounts page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions > Global Permissions tab.
    Setting Description for <Setting> = On
    Global Admin

    Superuser with global administrative rights to manage all resources. User can access and edit all pages on the ER2 Web Console.

    The following settings are automatically set to On for a Global Admin:

    • System Manager
    • Permissions Manager
    • Data Type Author PII PRO
    • Allow API Access PII PRO
    • Risk Admin PRO
    • Classification Admin PRO

    System Manager

    User is granted administrative rights to manage the settings in the following Web Console pages:

    • Scans
      • Data Type Profile
    • System
      • Activity Log
      • Server Information
    • Users
      • User Accounts
        • Add edit or delete user accounts
      • Active Directory
    • Settings > Agents
      • Agent Admin
    • Settings > Remediation
      • Tombstone Text Editor
      • PRO Settings PRO
        • Data Access Management
        • Delegated Remediation Email
    • Settings > Security
      • Login Policy
      • Access Control List
    • Settings > Notifications
      • Notification Policy
      • Mail Settings

    Permissions Manager

    User can manage User Roles and also assign Target and Target Group permissions to user accounts.

    See Resource Permissions and Roles for more information.

    Data Type Author User can create and share custom data types PII PRO.
    Allow API Access PII PRO User is granted access to the Enterprise Recon API. User is only able to access resources to which they have explicit permissions to.
    Risk Admin PRO User can create, update, remove or define the priority of Risk Profiles in the Settings > Analysis > Risk Profile page. User is able view all resources when setting up Risk Profile rules, and is not limited by the resource to which they have explicit permissions to. See Risk Scoring and Labeling for more information.
    Classification Admin PRO User can enable the Data Classification with Microsoft Information Protection (MIP) feature, and manage the MIP credentials in the Settings > Analysis > Classification page. User is able to perform manual classification on all Targets or locations which they have permissions to view in the Investigate page. See Data Classification with MIP for more information.

See Permissions Table for a detailed list of components that are accessible for each Global Permissions setting.

Resource Permissions

A Global Admin or Permissions Manager can assign and manage the resources that a user has permissions to. Granular permissions can be assigned for Target Groups, Targets and credentials using the Resource Permissions Manager.

To manage the resources that a user has permissions to:

  1. Log in to the ER2 Web Console.
  2. Go to the Users > User Accounts page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions > Resource tab.
  4. Click on + Add permissions to open the Resource Permissions Manager to add or remove permissions for the user.

Resource Permissions Manager

Target Group

Target Groups are a means of managing Targets as a group, and for the purposes of permission setting, are treated like an individual Target.

Use the Resource Permissions Manager to set user permissions for all or specific Target Groups. Add multiple Target Groups by pressing the Ctrl key and clicking the selected Target Groups.

Resource Permission Permission Details
Scan User can schedule and manage scans for the selected Target Group.
Remediate - Mark Location for Report User can only perform remedial actions that mark locations for compliance reports (e.g. Confirmed, Remediated Manually, Test Data, False match, Remove Mark). Remediate resource permissions grants the user permissions to view the match details for the applicable match locations.
Remediate - Act Directly on Location User can only perform remedial actions that act directly on selected locations (e.g. Mask all sensitive data, Quarantine, Delete Permanently, Encrypt file). Remediate resource permissions grants the user permissions to view the match details for the applicable match locations.
Report - Summary Reporting

User can view or download only high-level summary information about a Target Group.

In the reports, user can view the total and breakdown of matches by:

  • Match severity (e.g. prohibited data, match data, test data)
  • Data type (e.g. American Express, Australian Phone Number)
  • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
  • Target type (e.g. MySQL, all local files)
  • File format (e.g. XML files, ZIP archives)

Report - Detailed Reporting

User can view or download detailed information about a Target Group.

In the reports, user can view:

  • The total and breakdown of matches by:
    • Match severity (e.g. prohibited data, match data, test data)
    • Data type (e.g. American Express, Australian Phone Number)
    • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
    • Target type (e.g. MySQL, all local files)
    • File format (e.g. XML files, ZIP archives)
  • Details on match locations
  • Match data samples and contextual information. See Reports for more information.

Access Control PRO User can take access control actions for match locations on the Target Group with the Data Access Management feature.
Classification PRO User can manually assign classification and sensitivity labels to match locations on the Target Group with Data Classification with MIP.

Target

Targets must belong to one (and are allowed only one) Target Group.

Use the Resource Permissions Manager to set user permissions for all or specific Targets. Add multiple Target by pressing the Ctrl key and clicking the selected Targets.

Access to Targets can be limited to specific paths by defining a Path value. If no Accessible Path is specified, user will be allowed to access all resources on the Target. See Restrict Accessible Path by Target for more information.

Resource Permission Permission Details
Scan User can schedule and manage scans for the selected Target.
Remediate - Mark Location for Report User can only perform remedial actions that mark locations for compliance reports (e.g. Confirmed, Remediated Manually, Test Data, False match, Remove Mark). Remediate resource permissions grants the user permissions to view the match details for the applicable match locations.
Remediate - Act Directly on Location User can only perform remedial actions that act directly on selected locations (e.g. Mask all sensitive data, Quarantine, Delete Permanently, Encrypt file). Remediate resource permissions grants the user permissions to view the match details for the applicable match locations.
Report - Summary Reporting

User can view or download only high-level summary information about a Target.

In the reports, user can view the total and breakdown of matches by:

  • Match severity (e.g. prohibited data, match data, test data)
  • Data type (e.g. American Express, Australian Phone Number)
  • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
  • Target type (e.g. MySQL, all local files)
  • File format (e.g. XML files, ZIP archives)

Report - Detailed Reporting

User can view or download detailed information about a Target.

In the reports, user can view:

  • The total and breakdown of matches by:
    • Match severity (e.g. prohibited data, match data, test data)
    • Data type (e.g. American Express, Australian Phone Number)
    • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
    • Target type (e.g. MySQL, all local files)
    • File format (e.g. XML files, ZIP archives)
  • Details on match locations
  • Match data samples and contextual information. See Reports for more information.

Access Control PRO User can take access control actions for match locations on the Target with the Data Access Management feature.
Classification PRO User can manually assign classification and sensitivity labels to match locations on the Target with Data Classification with MIP.

Credentials

Credentials are credential sets saved by the user to access external resources such as Cloud-based Targets, Database Servers, and Remote Scan Targets. Credential sets are treated as independent objects from the Targets they are related to.

Use the Resource Permissions Manager to select the credential sets that will be available to the user.

Resource Permission Permission Details
Credential - Use User can use the selected credential set when scheduling scans.
Credential - Edit User can modify the selected credential set.

Restrict Accessible Path by Target

Granular permissions can be assigned by defining specific paths that a user can access for a Target.

To restrict user access to a specific path on a Target:

  1. Open the Resource Permission Manager > Choose Resource and select Targets.
  2. Click on your selected Target to add it to the right panel.
  3. Click on + Add path to restrict access to target to add a new path.
  4. In the dropdown list, select the correct Target type.
  5. Fill in the Accessible Path value to allow user access only to the specified path.
    Resource Permission Manager dialog box with Scan, Remediate and Report permissions enabled for specific paths on WIN10-AC.
  6. (Optional) Click on + Add line to add more accessible paths.
  7. Click Add to save the changes.

Example

Target A is a MySQL database. Credential Set X contains the user name and password to access Target A.

User B is a System Manager who has the following resource permissions:

Resource Granted Permissions
Target A Scan, Remediate - Mark Location for Report, Report - Detailed Reporting
Credential Set X Use, Edit

User B can scan Target A using Credential Set X. User B has the rights to edit Credential Set X when necessary.

If matches are found on Target A, User B can mark these locations for compliance reports but is not allowed to perform any remedial action that acts directly on these match locations.

Permissions Table

Resource permissions and Global Permissions that are assigned to a user grants access to specific components in ER2.

ER2 Components

Global Permissions

Resource Permissions
Dashboard   Target / Target Group: Scan, Report or Remediate
Investigate PII PRO   Target / Target Group: Report - Detailed Reporting, Access Control, Remediate, or Classification
Tracker PRO All users.
Targets
  • Add Targets
  Target / Target Group: Scan
  • View Targets
  Target / Target Group: Scan, Report or Remediate
  • Scan Targets
  Target / Target Group: Scan
  • Edit Targets
System Manager and Target / Target Group: Scan, Report or Remediate [1]
  • High level summary reports
  Target / Target Group: Report - Summary Reporting
  • Detailed reports
  Target / Target Group: Report - Detailed Reporting
  • View inaccessible locations
  Target / Target Group: Scan, Report - Detailed Reporting or Remediate
Scans
New Scans   Target / Target Group: Scan
Schedule Manager   Target / Target Group: Scan
Data Type Profile
  • View data type profiles

Data Type Author Target / Target Group: Scan
  • Add or edit data type profiles

Data Type Author  
Data Type Author  
Global Filters
  • Add, edit or delete global filters

System Manager [2] Target / Target Group: Scan, Remediate - Mark Location for Report
  • Import or export global filters

System Manager  
System
Activity Log

System Manager [3]

Target / Target Group: Scan, Report or Remediate or Credentials: Edit, Use [3]

Server Information System Manager  
License Details System Manager  
Users
User Accounts
  • Add, edit or delete user accounts
System Manager  
  • Manage Global Permissions
Resource Permissions Manager  
  • Manage Resource Permissions
Resource Permissions Manager  
Roles
  • Add, edit or delete roles
Resource Permissions Manager  
  • Assign roles to user accounts
Resource Permissions Manager  
Active Directory System Manager  
Settings > Targets
Network Discovery System Manager  
Target Credentials
  • Add new credential sets
  Target / Target Group: Scan
  • Edit credential sets
  Credentials: Edit
  • Use credential sets
  Credentials: Use
Settings > Agents
Agent Admin System Manager  
Node Agent Downloads All users.
Settings > Security
Login Policy System Manager  
Access Control List System Manager  
Settings > Notifications
Notification Policy System Manager [4] Target / Target Group: Scan [4]
Mail Settings System Manager  
Settings > Remediation
Tombstone Text Editor System Manager  
PRO Settings PRO
  • Data Access Management
System Manager  
  • Delegated Remediation Email
System Manager  
Settings > Analysis > ODBC Driver Downloads PRO
ODBC Driver Downloads All users.
Access ER2 data via ODBC Reporting feature   Target / Target Group: Report - Detailed Reporting
Settings > Analysis > Risk Profile PRO
Manage Risk Profiles Risk Admin  
Settings > Analysis > Classification PRO
Enable and manage Microsoft Information Protection (MIP) credentials Classification Admin  
Username
My Account All users.
API Access Allow API Access [5] PII PRO  

Note:

  • [1] System Managers can edit Targets they have visibility to via Scan, Report or Remediation permissions.
  • [2] System Managers can add Global Filters that apply to all Targets / Target Groups, or add Global Filters that apply only to Targets / Target Groups to which they have visibility to.
  • [3] Activity Log only contains events that the user has visibility or permissions to.
  • [4] Notification and Alerts are only for Targets and events that the user has permissions to.
  • [5] User is able to use the API to access resources to which they have explicit permissions to.

Roles

A Global Admin or Permissions Manager can assign and manage roles that are associated with a user account.

  1. Log in to the ER2 Web Console.
  2. Go to the Users > Roles page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions tab to see the roles assigned to a user.
  4. Click on + Add Roles or remove to add or delete roles assigned to the user.

See User Roles for more information.


PII PRO This feature is only available in Enterprise Recon PII and Enterprise Recon Pro Editions. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.