Administrative Users
Introduction
LUCY offers role-based access control (RBAC), which restricts system access to authorized users. Permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff are assigned particular roles, which grant them the necessary permissions to perform specific LUCY functions.

Add New User
Select "New User"


Roles
There are four types of admin accounts in LUCY:
Permissions: Full access and highest privileges.
Capabilities: Can create and delete campaigns, manage all custom data (recipients, clients, templates, etc.), and manage other administrative users' account data.
Administrators have access to all clients. If you want an admin-level user that is restricted to one client only, create a User instead.
Permissions: Can only view campaign statistics without the ability to start/stop campaigns or change settings.
Permissions: Limited to content related to specific clients and branches.
Capabilities: Can access content (campaigns, custom templates, recipient groups) attributed to their assigned clients and branches.
Supervisors maintain oversight with access to campaign specifications, communicate directly with campaign creators, suggest changes, and approve/reject campaigns.
Supervisors cannot supervise Administrators.
Password
You can set password policies in the advanced system settings.
Import Users
You can import users via LDAP or Azure (Entra ID).

Select your pre-defined server from the server list:

Add the relevant LDAP search syntax to query your Administrative Users.

Here is an example for locating an Administrative User in the following directory structure:
Base DN -> Beck.ai OU -> Admin Users OU -> Distribution Groups Group -> IntuneLucy-DevOps
(&(objectClass=user)(memberOf=cn=IntuneLucy-DevOps,ou=Distribution Groups,ou=Admin Users,dc=beck,dc=ai))
For more information on search syntax, consult Microsoft's documentation.
Select your user(s) and import:

Once "Import" is selected, a pop-up will appear to define the Role.

Import Role
Define the Role of the imported user group.
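Because the role chosen here applies to every user the LDAP search returns, the filter should match exactly the intended group. The following added example (not part of LUCY or its documentation) builds the memberOf filter shown earlier with RFC 4514 and RFC 4515 escaping and can exclude disabled accounts. It assumes Active Directory, a base DN that is already a valid DN, and hypothetical function names; the bitwise matching rule is an Active Directory feature that this page does not mention.

```python
# Added example, not LUCY code. Assumes Active Directory; names are hypothetical.
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
ACCOUNT_DISABLED = 2                 # userAccountControl flag for disabled accounts


def escape_filter_value(value):
    """RFC 4515: hex-escape characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_rdn_value(value):
    """RFC 4514: backslash-escape characters that have meaning inside a DN."""
    chars = ["\\" + c if c in '"+,;<>\\' else c for c in value]
    if chars and chars[0] in (" ", "#"):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)


def admin_import_filter(group_cn, parent_ous, base_dn, skip_disabled=True):
    """Return a filter matching users who are direct members of one group."""
    rdns = ["cn=" + escape_rdn_value(group_cn)]
    rdns += ["ou=" + escape_rdn_value(ou) for ou in parent_ous]
    group_dn = ",".join(rdns + [base_dn])
    # The DN is a filter *value*, so it is escaped a second time for RFC 4515.
    clauses = ["(objectClass=user)", "(memberOf=%s)" % escape_filter_value(group_dn)]
    if skip_disabled:
        clauses.append("(!(userAccountControl:%s:=%d))" % (BIT_AND, ACCOUNT_DISABLED))
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    ous = ["Distribution Groups", "Admin Users"]
    print(admin_import_filter("IntuneLucy-DevOps", ous, "dc=beck,dc=ai"))
    # Constructed group name with characters that must be escaped.
    print(admin_import_filter("Ops, EU (prod)", ous, "dc=beck,dc=ai"))
```

With skip_disabled=False and the page's group, the function returns the same filter as the example above.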

Azure Application
Select the specific Azure Entra ID tenant.

Filter Azure Groups
Select the desired group to import from the drop-down.

Filter
Filter by Search Parameters -> Enter Microsoft search filters
Scenario 1: Filter by Email Domain
To import only recipients whose email domain ends with "@lucysecurity.company", use the endswith function:
endswith(mail, '@lucysecurity.company')
This filter ensures that only users with emails ending in "@lucysecurity.company" are included in the import.
Scenario 2: Filter by Name Prefix
To import recipients whose names begin with "User", utilize the startswith function:
startswith(displayName, 'User')
This filter will match and import users whose display names start with "User".
Scenario 3: Filter by Location
To find all users located in 'Ext1', you can directly match the officeLocation attribute:
officeLocation eq 'Ext1'
This query ensures that only users with 'Ext1' listed as their office location are selected.
Scenario 4: Filter by Phone Number Exclusion
To exclude recipients whose phone number is '911', apply the ne (not equal) operator:
mobilePhone ne '911'
This filter imports users whose mobile phone number is not '911'.
SAML Users
If you use SAML-based SSO you can create and manage your login links under the SAML tab.

Links can be exported, generated, or deleted by user type.

Administrative Permission List
Access All Campaigns
Right to access all campaigns, overriding Clients and Branches policy.
Create/Delete Campaigns
Right to create and delete campaigns.
Save Campaign As Template
Right to save a campaign as a template.
Attack Templates
Access to predefined attack templates.
Campaign Templates
Access to campaign templates.
Awareness Templates
Access to awareness training templates.
File Templates
Access to file-based attack templates.
Report Templates
Access to report templates.
Download Templates
Access to download templates.
Clients
Access to clients menu.
Recipients
Access to the list of recipients.
End Users
Access to the list of end users.
User Management
Access to user management.
Reputation Levels
Access to reputation levels.
SSH Access
Access to SSH menu.
SSH Password
Right to reset SSH password.
Benchmark Sectors
Access to benchmark sectors.
License
Access to license menu.
Update
Right to update LUCY.
Reboot
Right to reboot LUCY.
Domains
Access to domains menu.
Register Domains
Right to register a domain.
Dynamic DNS
Access to dynamic DNS feature.
Automated Response Detection
Access to automated response detection menu.
Settings
Access to advanced settings, including customization of the 404 page.
SMS Settings
Ability to set up SMS systems for text message delivery.
Performance Test
Access to performance tests.
Test Email
Right to send a test email.
Spam Test
Access to spam test.
System Monitoring
Access to system monitoring.
System Status Page
Access to system status page.
Incident Management
Access to incident management.
Plugin Configuration
Right to configure the Outlook plugin.
Incident Management Configuration
Right to configure incident management.
Manual
Access to the LUCY manual.
Exports
Access to exports.
Invoices
Access to invoices.
Send Logs
Access to send logs menu.
Service Logs
Access to service logs.
Changelog
Access to changelog.
Mail Manager
Access to mail manager.
Tickets
Access to the ticket system.