Organizations, Users and Roles
With the introduction of Role-Based Access Controls, the ThreatSTOP platform adds the ability to grant access to multiple users to an account.
Organizations accounts are the contains for the configuration - policies, devices, user-defined lists, reports, SIEM settings. Features available to an organization are managed through its subscriptions. Users are now independent from organizations. A user can have access (via a role) into any number of organizations. Users can be granted multiple roles and roles can be revoked from a user by an organization’s administrators. Roles are a set of permissions that grant access to product features using the ThreatSTOP Admin Portal. If a user has multiple roles within an organization, the permissions are combined (added).
Note that the permissions managed through RBAC are independent from the permissions granting access to API services by API tokens.
Predefined and custom roles
- Every ThreatSTOP organizations have 5 predefined roles that can’t be changed.
- The creation of custom roles in an organization requires the organization to have an active subscription that includes the Advanced RBAC feature.
The predefined roles are:
| Role | Description |
|---|---|
| Owner | Full administrator (All permissions) |
| Reporter | View reports and create, edit or delete email reports |
| Report Viewer | Read-only access to reports |
| Report and Policy Manager | Reporter plus edit policies, including list of targets and user-defined lists |
| Help Desk Manager | Reporter plus edit contents of user-defined lists |
Note that multiple users can have the owner role. However, the must be at least one owner. If there is only one user with the Owner role, the role can’t be unassigned from that user.
Permissions
If a user is assigned a role within an organization, the permissions to view the list of devices, the list of policies and the list of user-defined lists are implied. All users are also given access to the Portal dashboard.
The following permissions can be assigned to a role:
System Configuration
| Permissions | Description |
|---|---|
| Manage Devices | Add, edit and delete device entries |
| Manage Device Configuration | Edit settings of existing device entries |
| View Devices | Read-only access to device configuration settings |
| Manage Policies | Add, edit and delete policies |
| Manage Policy Configuration | Edit policy configuration settings |
| View Policies | Read-only access to policy configuration settings |
| Manage User-Defined Lists | Add, edit and delete user-defined lists and their contents |
| View UDLs | Read-only access to user-defined list configurations |
| Manage API Keys | Add, edit and delete API keys |
| View API Keys | View API key tokens and settings |
Analysis features
| Permissions | Description |
|---|---|
| View Check IOC | Access to the Check IOC feature |
| Manage Log Upload | User can upload log files for devices |
| View Reports | Acccess reporting features |
| Manage Reports | Create email reports and triggers |
| Manage SIEM Integration | Configure export to SIEM systems |
Account settings
| Permissions | Description |
|---|---|
| Manage Users | Assign/unassign roles from users |
| Manage Roles | Customize roles (requires subscription) |
| Manage Company Settings | Change organization settings (e.g. company name) |
| View Company Settings | Read-only view of organization settings |
RBAC API Services
There are five API services related to the configuration of the RBAC features.
- /access_objects is used to retrieve the list of permissions supported by the system.
- /roles/ is used to create and retrieve roles
- /roles/<organization identifier>/permissions is used to retrieve or update the permissions for the selected role
- /accounts/ to retrieve the list users that a role in the organization identified by the API Token.
- /accounts/<user identifier>/roles is used to grant or remove a role from the selected user, for the organization identified by the API Token.