Administrative Users
Last updated
LUCY offers role-based access control (RBAC), which restricts system access to authorized users. Permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff are assigned particular roles, which grant them the necessary permissions to perform specific LUCY functions.
Navigate to Users -> Administrative Users
Select "New User"
There are four types of admin accounts in LUCY:
Administrator
Permissions: Full access and highest privileges.
Capabilities: Can create and delete campaigns, manage all custom data (recipients, clients, templates, etc.), and manage other administrative users' account data.
Notes: Administrators cannot be segregated by client visibility.
Please note that there are also End User accounts in LUCY that come as part of the End User Portal functionality and have no admin rights. These accounts are automatically created for recipients assigned to awareness training.
Password Policy -> Adjustable in the advanced settings.
SSO Authentication -> Possible via SAML 2.0 or OAuth 2.0 (Entra ID) for automatic user authentication.
Administrative users can be imported directly from your company directory via LDAP or Azure (Entra ID).
Navigate to Users -> Administrative Users
Select "Import"
Select your pre-defined server from the server list:
Add the relevant LDAP search syntax to query your Administrative Users.
For example, locating an Administrative User in the following directory structure:
Base DN beck.ai -> Admin Users OU -> Distribution Groups OU -> IntuneLucy-DevOps group
A well-formed Active Directory search filter that returns the administrative users who are members of the group IntuneLucy-DevOps:
(&(objectClass=user)(memberOf=cn=IntuneLucy-DevOps,ou=Distribution Groups,ou=Admin Users,dc=beck,dc=ai))
& : The logical operator "AND". All conditions enclosed within the outer parentheses must be true for an entry to be returned; this operator combines multiple search filters.
(objectClass=user) : Restricts the search to objects of type "user". The objectClass attribute in LDAP defines the schema or type of an object in the directory.
(memberOf=cn=IntuneLucy-DevOps,ou=Distribution Groups,ou=Admin Users,dc=beck,dc=ai) : Matches users that are members of the specified group. The group's distinguished name (DN) breaks down as follows:
cn=IntuneLucy-DevOps : "cn" stands for Common Name; here it is the name of the group.
ou=Distribution Groups : "ou" stands for Organizational Unit.
ou=Admin Users : Another Organizational Unit, indicating a higher-level grouping within the directory.
dc=beck,dc=ai : "dc" stands for Domain Component. These components form the LDAP naming context and represent the levels of the domain.
This query ensures that only objects that are users (objectClass=user) and are members of the specified group (memberOf=...) are returned.
Select your user(s) and import:
Once "Import" is selected, a pop-up will appear to define the Role.
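The filter above is usually typed by hand, but when the group name or OU path comes from a form field or a configuration file it should be assembled with proper escaping, so that commas, parentheses or asterisks in a name produce a valid, narrowly scoped filter rather than a malformed or over-broad one. The following Python helper is an added example, not part of LUCY or of this page; it applies the escaping rules of RFC 4514 (distinguished names) and RFC 4515 (search filters) and reproduces the filter from the example above. The function names and the sample group data are the example's own.

```python
"""Build and sanity-check the LDAP search filter used to import administrative users.

Added example (not LUCY code). Escaping follows RFC 4514 for DN values and
RFC 4515 for filter assertion values.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a distinguished name.

    Special characters, a leading '#' or space, and a trailing space are
    prefixed with a backslash.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def group_dn(group_cn: str, ous: list[str], dcs: list[str]) -> str:
    """Assemble a group DN: cn first, then OUs (most specific first), then domain components."""
    parts = [f"cn={escape_dn_value(group_cn)}"]
    parts += [f"ou={escape_dn_value(ou)}" for ou in ous]
    parts += [f"dc={escape_dn_value(dc)}" for dc in dcs]
    return ",".join(parts)


def build_admin_user_filter(group_cn: str, ous: list[str], dcs: list[str]) -> str:
    """Return the AND filter: objects of class user that are members of the given group.

    The DN is built with DN escaping first, then the whole DN is escaped again as a
    filter value, because the two layers have different reserved characters.
    """
    dn = group_dn(group_cn, ous, dcs)
    return f"(&(objectClass=user)(memberOf={escape_filter_value(dn)}))"


def filter_is_balanced(flt: str) -> bool:
    """Cheap structural check: every '(' has a matching ')' and none closes early."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample data matching the directory structure described on this page.
    flt = build_admin_user_filter(
        "IntuneLucy-DevOps", ["Distribution Groups", "Admin Users"], ["beck", "ai"]
    )
    print(flt)
    print("balanced:", filter_is_balanced(flt))
```

Run as a script it prints the same filter shown above. Calling build_admin_user_filter with a group name such as "Ops)(cn=*" shows the second escaping layer at work: the parentheses and asterisk become \29, \28 and \2a, so the memberOf clause stays a single literal DN comparison instead of being reinterpreted as additional filter terms.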
Scenario: You create a campaign for your customer and want to give them access to view the statistics without allowing them to change the campaign configuration.
Create View-Only Account
Navigate to Users -> Administrative Users
Create a new user account with "view-only" status. This account will only have permission to view campaign statistics.
Assign Campaign to Client
When creating a campaign, you will be prompted to enter the Client for the campaign. This client can be yourself, an organizational unit, or a third party.
Add User to Campaign
Add the view-only user account to the campaign: navigate to the created campaign and select Advanced Settings -> User Settings.
Assign Viewing Rights
Assign the necessary permissions to the view-only user to allow them to view the campaign statistics.
Scenario: A customer wants to create their own campaigns, but should only have access to their own campaign data and not see data from other customers.
Create a Limited User Account
Navigate to Users -> Administrative Users
Create a new user account with the role of "user".
Assign Create/Delete Campaign Rights
Give the user the "Create/delete campaign" permission. This allows the user to create and delete their own campaigns.
Customer Access
When the customer logs in, they can create their own campaigns and will only see data related to the campaigns they created.
The user will not have access to other menu items or data from other customers.
Permission | Description |
---|---|
Access All Campaigns | Right to access all campaigns, overriding Clients and Branches policy. |
Create/Delete Campaigns | Right to create and delete campaigns. |
Save Campaign As Template | Right to save a campaign as a template. |
Attack Templates | Access to predefined attack templates. |
Campaign Templates | Access to campaign templates. |
Awareness Templates | Access to awareness training templates. |
File Templates | Access to file-based attack templates. |
Report Templates | Access to report templates. |
Download Templates | Access to download templates. |
Clients | Access to clients menu. |
Recipients | Access to the list of recipients. |
End Users | Access to the list of end users. |
User Management | Access to user management. |
Reputation Levels | Access to reputation levels. |
SSH Access | Access to SSH menu. |
SSH Password | Right to reset SSH password. |
Benchmark Sectors | Access to benchmark sectors. |
License | Access to license menu. |
Update | Right to update LUCY. |
Reboot | Right to reboot LUCY. |
Domains | Access to domains menu. |
Register Domains | Right to register a domain. |
Dynamic DNS | Access to dynamic DNS feature. |
Automated Response Detection | Access to automated response detection menu. |
Settings | Access to advanced settings, including customization of the 404 page. |
SMS Settings | Ability to set up SMS systems for text message delivery. |
Performance Test | Access to performance tests. |
Test Email | Right to send a test email. |
Spam Test | Access to spam test. |
System Monitoring | Access to system monitoring. |
System Status Page | Access to system status page. |
Incident Management | Access to incident management. |
Plugin Configuration | Right to configure the Outlook plugin. |
Incident Management Configuration | Right to configure incident management. |
Manual | Access to the LUCY manual. |
Exports | Access to exports. |
Invoices | Access to invoices. |
Send Logs | Access to send logs menu. |
Service Logs | Access to service logs. |
Changelog | Access to changelog. |
Mail Manager | Access to mail manager. |
Tickets | Access to the ticket system. |