Enterprise Recon Cloud 2.12.0

How To Grant User Permissions

ER Cloud uses a form of Role-Based Access Control (RBAC) where a user has access to resources and privileges to perform specific tasks based on the roles and permissions granted to the user.

Overview

A user is granted access to ER Cloud resources according to the roles and permissions that are explicitly assigned to the user. Permissions can be assigned via:

  • Global Permissions: Determines the global settings and resources that a user can manage and access.
  • Resource Permissions: Determines the resources that a user can access, and the actions that can be taken on those resources.
  • Roles: Contain pre-set combinations of Global Permissions and Resource Permissions that determine the resources that a user can access, and the actions that can be taken on those resources.

To view the summary table of Resource Permissions and Global Permissions that grant access to specific components in ER Cloud, refer to the Access and Permissions - Permissions by ER Components section.

Assign Global Permissions

A Global Admin or Permissions Manager can manage the Global Permissions that are assigned to a user.

  1. Log in to the ER Cloud Web Console.
  2. Go to the Users > User Accounts page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions > Global Permissions tab.
    Setting Description for <Setting> = On
    Global Admin

    Superuser with global administrative rights to manage all resources. User can access and edit all pages on the ER Cloud Web Console.

    The following settings are automatically set to On for a Global Admin:

    • System Manager
    • Permissions Manager
    • Data Type Author PII PRO
    • Allow API Access PII PRO
    • Risk Admin PRO
    • Classification Admin PRO

    System Manager

    User is granted administrative rights to manage the settings in the following Web Console pages:

    • Scans
      • Data Type Profile
    • System
      • Activity Log
      • Server Information
    • Users
      • User Accounts
        • Add, edit or delete user accounts
      • Active Directory
    • Settings > Agents
      • Agent Admin
    • Settings > Remediation
      • Tombstone Text Editor
      • PRO Settings PRO
        • Data Access Management
        • Delegated Remediation Email
    • Settings > Security
      • Login Policy
      • Access Control List
    • Settings > Notifications
      • Notification Policy
      • Mail Settings

    Permissions Manager

    User can manage user roles and also assign Target and Target Group permissions to user accounts.

    Refer to Assign Resource Permissions and Assign Roles below.

    Data Type Author PII PRO User can create and share custom data types.
    Allow API Access PII PRO User is granted access to the Enterprise Recon API. User is only able to access resources to which they have explicit permissions.
    Risk Admin PRO User can create, update, remove or define the priority of Risk Profiles in the Settings > Analysis > Risk Profile page. User is able to view all resources when setting up Risk Profile rules, and is not limited to the resources to which they have explicit permissions. For more information, refer to the Use Risk Scoring and Labeling section.
    Classification Admin PRO User can enable the Data Classification with Microsoft Information Protection (MIP) feature, and manage the MIP credentials in the Settings > Analysis > Classification page. User is able to perform manual classification on all Targets or locations that they have permission to view in the Investigate page. For more information, refer to the Data Classification with MIP section.

For a detailed list of components that are accessible for each Global Permissions setting, refer to the Access and Permissions - Permissions by ER Components section.

Assign Resource Permissions

A Global Admin or Permissions Manager can assign and manage the resources that a user has permissions to.

To manage the resources that a user has permissions to:

  1. Log in to the ER Cloud Web Console.
  2. Go to the Users > User Accounts page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions > Resource tab.
  4. Click on + Add permissions to open the Resource Permissions Manager page to add or remove permissions for the user.

Resource Permissions Manager

Granular permissions can be assigned for Target Groups, Targets and credentials using the Resource Permissions Manager.

Target Group

Target Groups are a means of managing Targets as a group, and for the purposes of permission setting, are treated like an individual Target.

Use the Resource Permissions Manager to set user permissions for all or specific Target Groups. Add multiple Target Groups by pressing the Ctrl key and clicking the selected Target Groups.

Resource Permission Permission Details
Scan User can schedule and manage scans for the selected Target Group.
Remediate - Mark Location for Report User can only perform remedial actions that mark locations for compliance reports (e.g. Confirmed, Remediated Manually, Test Data, False match, Remove Mark). Either Remediate resource permission also grants the user permission to view the match details for the applicable match locations.
Remediate - Act Directly on Location User can only perform remedial actions that act directly on selected locations (e.g. Mask all sensitive data, Quarantine, Delete Permanently, Encrypt file). Either Remediate resource permission also grants the user permission to view the match details for the applicable match locations.
Report - Summary Reporting

User can view or download only high-level summary information about a Target Group.

In the reports, user can view the total and breakdown of matches by:

  • Match severity (e.g. prohibited data, match data, test data)
  • Data type (e.g. American Express, Australian Phone Number)
  • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
  • Target type (e.g. MySQL, all local files)
  • File format (e.g. XML files, ZIP archives)

Report - Detailed Reporting

User can view or download detailed information about a Target Group.

In the reports, user can view:

  • The total and breakdown of matches by:
    • Match severity (e.g. prohibited data, match data, test data)
    • Data type (e.g. American Express, Australian Phone Number)
    • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
    • Target type (e.g. MySQL, all local files)
    • File format (e.g. XML files, ZIP archives)
  • Details on match locations
  • Match data samples and contextual information. For more information, refer to the Generate Reports section.

Access Control PRO User can take access control actions for match locations on the Target Group with the Data Access Management feature.
Classification PRO User can manually assign classification and sensitivity labels to match locations on the Target Group with the Data Classification with MIP feature.

Target

Targets must belong to one (and are allowed only one) Target Group.

Use the Resource Permissions Manager to set user permissions for all or specific Targets. Add multiple Targets by pressing the Ctrl key and clicking the selected Targets.

Access to Targets can be limited to specific paths by defining a Path value. If no Accessible Path is specified, the user is allowed to access all resources on the Target. For more information, refer to the Restrict Accessible Path by Target section below.

Resource Permission Permission Details
Scan User can schedule and manage scans for the selected Target.
Remediate - Mark Location for Report User can only perform remedial actions that mark locations for compliance reports (e.g. Confirmed, Remediated Manually, Test Data, False match, Remove Mark). Either Remediate resource permission also grants the user permission to view the match details for the applicable match locations.
Remediate - Act Directly on Location User can only perform remedial actions that act directly on selected locations (e.g. Mask all sensitive data, Quarantine, Delete Permanently, Encrypt file). Either Remediate resource permission also grants the user permission to view the match details for the applicable match locations.
Report - Summary Reporting

User can view or download only high-level summary information about a Target.

In the reports, user can view the total and breakdown of matches by:

  • Match severity (e.g. prohibited data, match data, test data)
  • Data type (e.g. American Express, Australian Phone Number)
  • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
  • Target type (e.g. MySQL, all local files)
  • File format (e.g. XML files, ZIP archives)

Report - Detailed Reporting

User can view or download detailed information about a Target.

In the reports, user can view:

  • The total and breakdown of matches by:
    • Match severity (e.g. prohibited data, match data, test data)
    • Data type (e.g. American Express, Australian Phone Number)
    • Target platform (e.g. Linux 2.6 64 bit, Windows 10 64bit)
    • Target type (e.g. MySQL, all local files)
    • File format (e.g. XML files, ZIP archives)
  • Details on match locations
  • Match data samples and contextual information. For more information, refer to the Generate Reports section.

Access Control PRO User can take access control actions for match locations on the Target with the Data Access Management feature.
Classification PRO User can manually assign classification and sensitivity labels to match locations on the Target with the Data Classification with MIP feature.

Credentials

Credentials are credential sets saved by the user to access external resources such as Cloud-based Targets, Database Servers, and Remote Scan Targets. Credential sets are treated as independent objects from the Targets they are related to.

Use the Resource Permissions Manager to select the credential sets that will be available to the user.

Resource Permission Permission Details
Credential - Use User can use the selected credential set when scheduling scans.
Credential - Edit User can modify the selected credential set.

Restrict Accessible Path by Target

Granular permissions can be assigned by defining specific paths that a user can access for a Target.

To restrict user access to a specific path on a Target:

  1. Open the Resource Permission Manager > Choose Resource and select Targets.
  2. Click on your selected Target to add it to the panel below.
  3. Click on + Add path to restrict access to target to add a new path.
  4. In the dropdown list, select the correct Target type.
  5. Fill in the Accessible Path value to allow user access only to the specified path.
    Resource Permission Manager dialog box with Scan, Remediate and Report permissions enabled for specific paths on WIN10-AC.
  6. (Optional) Click on + Add line to add more accessible paths.
  7. Click Add to save the changes.

Example

Target A is a MySQL database. Credential Set X contains the user name and password to access Target A.

User B is a System Manager who has the following resource permissions:

Resource Granted Permissions
Target A Scan, Remediate - Mark Location for Report, Report - Detailed Reporting
Credential Set X Use, Edit

User B can scan Target A using Credential Set X. User B has the rights to edit Credential Set X when necessary.

If matches are found on Target A, User B can mark these locations for compliance reports but is not allowed to perform any remedial action that acts directly on these match locations.
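As an added illustration that is not Ground Labs code or the ER Cloud API, the following Python model ties together the checks this page describes: the settings a Global Admin switches On automatically, resource permissions on a Target with an optional Accessible Path, the rule that either Remediate permission also lets a user view match details, and the User B / Target A / Credential Set X example above. The data structures, function names, the second user (User C) with a path-restricted grant on the WIN10-AC Target, and the rule that an Accessible Path covers everything beneath it are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Global Permission settings the page lists as switched On automatically for a Global Admin.
GLOBAL_ADMIN_IMPLIES = frozenset({
    "System Manager",
    "Permissions Manager",
    "Data Type Author",
    "Allow API Access",
    "Risk Admin",
    "Classification Admin",
})

# The two Remediate resource permissions; either one also grants viewing of match details.
REMEDIATE_PERMISSIONS = frozenset({
    "Remediate - Mark Location for Report",
    "Remediate - Act Directly on Location",
})


@dataclass
class ResourceGrant:
    """Permissions on one Target; an empty accessible_paths means the whole Target."""
    permissions: frozenset
    accessible_paths: tuple = ()


@dataclass
class User:
    name: str
    global_permissions: frozenset = frozenset()
    targets: dict = field(default_factory=dict)      # Target name -> ResourceGrant
    credentials: dict = field(default_factory=dict)  # credential set name -> {"Use", "Edit"}


def effective_global_permissions(user):
    """Expand the Global Admin switch into the settings it turns On."""
    perms = set(user.global_permissions)
    if "Global Admin" in perms:
        perms |= GLOBAL_ADMIN_IMPLIES
    return perms


def _norm(path):
    # Assumption: compare paths case-insensitively with one separator style.
    return path.replace("\\", "/").rstrip("/").lower()


def path_in_scope(grant, path):
    """Assumption: an Accessible Path covers that path and everything beneath it."""
    if not grant.accessible_paths:
        return True  # no Accessible Path specified: the whole Target is accessible
    p = _norm(path)
    return any(p == _norm(a) or p.startswith(_norm(a) + "/") for a in grant.accessible_paths)


def can(user, permission, target, path=""):
    """Decide whether `user` may exercise `permission` on `target` at `path`."""
    if "Global Admin" in user.global_permissions:
        return True  # superuser with rights to manage all resources
    grant = user.targets.get(target)
    if grant is None or permission not in grant.permissions:
        return False
    return path_in_scope(grant, path)


def can_view_match_details(user, target, path=""):
    """Either Remediate permission grants viewing of match details for the location."""
    return any(can(user, p, target, path) for p in REMEDIATE_PERMISSIONS)


def can_use_credential(user, credential_set, action):
    """`action` is "Use" or "Edit"; credential sets are independent of Targets."""
    if "Global Admin" in user.global_permissions:
        return True
    return action in user.credentials.get(credential_set, set())


# The page's example: User B is a System Manager with these resource permissions.
USER_B = User(
    name="User B",
    global_permissions=frozenset({"System Manager"}),
    targets={
        "Target A": ResourceGrant(frozenset({
            "Scan",
            "Remediate - Mark Location for Report",
            "Report - Detailed Reporting",
        })),
    },
    credentials={"Credential Set X": {"Use", "Edit"}},
)

# Constructed example: a grant restricted to one Accessible Path on the WIN10-AC Target.
USER_C = User(
    name="User C",
    targets={
        "WIN10-AC": ResourceGrant(
            frozenset({"Scan", "Report - Summary Reporting"}),
            accessible_paths=(r"C:\Finance",),
        ),
    },
)

if __name__ == "__main__":
    print(can(USER_B, "Scan", "Target A"))                                  # True
    print(can(USER_B, "Remediate - Act Directly on Location", "Target A"))  # False
    print(can(USER_C, "Scan", "WIN10-AC", r"C:\Finance\2023\ledger.xlsx"))  # True
    print(can(USER_C, "Scan", "WIN10-AC", r"C:\HR\payroll.xlsx"))           # False
```

The prefix check appends a separator before comparing, so a grant on C:\Finance does not spill over into a sibling such as C:\FinanceOld; whether the real product matches Accessible Paths this way is not stated on this page, so treat that rule as the example's own assumption.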

Assign Roles

A Global Admin or Permissions Manager can assign and manage roles that are associated with a user account.

  1. Log in to the ER Cloud Web Console.
  2. Go to the Users > Roles page.
  3. Hover over a user, click Edit and navigate to the Roles and Permissions tab to see the roles assigned to a user.
  4. Click on + Add Roles or remove to add or delete roles assigned to the user.

For more information, refer to the Assign User Roles section.


PII PRO This feature is only available in Enterprise Recon Cloud PII and Enterprise Recon Pro Editions. To find out more about upgrading your ER Cloud license, please contact Ground Labs Licensing. See Subscription License for more information.


PRO This feature is only available in Enterprise Recon Cloud PRO Edition. To find out more about upgrading your ER Cloud license, please contact Ground Labs Licensing. See Subscription License for more information.