user_management

Differences

This shows you the differences between two versions of the page.

user_management [2019/07/01 15:46] – [How to set up a multitenant capable administration] lucy
user_management [2019/10/02 11:07] – [List of permissions and its description] lucy
Line 1: Line 1:
-===== Introduction =====+====== Introduction ======
  
-LUCY offers a role-based access control (RBAC), restricting system access to authorized users. The permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff (or other system users) are assigned particular roles, and through that role, assignments acquire the computer permissions to perform particular LUCY functions.  
  
- ===== Where can you configure the user settings? =====+LUCY offers a role-based access control (RBAC), restricting system access to authorized users. The permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff (or other system users) are assigned particular roles, and through that role, assignments acquire the computer permissions to perform particular LUCY functions. 
  
 +===== Where can you configure the user settings? =====
  
 In LUCY  you will find the user settings under "Settings/Users": In LUCY  you will find the user settings under "Settings/Users":
Line 12: Line 12:
  
 ===== Is there a limitation on how many users can access LUCY? ===== ===== Is there a limitation on how many users can access LUCY? =====
 +
  
 No. You have the ability to create as many LUCY users that can access the web console as you want.  No. You have the ability to create as many LUCY users that can access the web console as you want. 
Line 19: Line 20:
  
  
-  * **User**: this user role created by the admin user can be given individual rights for each LUCY feature. The user can later be added to a specific campaign.+==== User ====
  
-{{ usr_mng_1.png?600 }}+This user role created by the admin user can be given individual rights for each LUCY feature. The user can later be added to a specific campaign.
  
 +{{ usr_mng_1.png?600 }}
 +{{ usr_mng1_2.png?400 }}
 {{ usr_mng_2.png?600 }} {{ usr_mng_2.png?600 }}
  
-  * **Supervisor**: Maintain the overview with access to the campaign specifications.  Communicate directly with the campaign creator (user) to suggest changes and give approval to green light the campaign. The supervisor is in the hierarchy above the user. Therefore it is not possible to supervise a system admin. The Supervisor is technically the same as the user account, but you may assign users to the supervisor account and approve/reject their campaigns. Within the settings you can select which users you want to supervise:+==== Supervisor ==== 
 + 
 +Maintain the overview with access to the campaign specifications.  Communicate directly with the campaign creator (user) to suggest changes and give approval to green light the campaign. The supervisor is in the hierarchy above the user. Therefore it is not possible to supervise a system admin. The Supervisor is technically the same as the user account, but you may assign users to the supervisor account and approve/reject their campaigns. Within the settings you can select which users you want to supervise:
  
 {{ usr_mng_4.png?600 }} {{ usr_mng_4.png?600 }}
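Review bot: The Supervisor body now opens with the fragment "Maintain the overview with access to the campaign specifications.", which worked as a bullet continuation but has no subject as a section paragraph; start it with "The supervisor maintains ...". The same paragraph calls the Supervisor "technically the same as the user account" without saying which rights a supervisor holds beyond approving or rejecting campaigns, so state that explicitly. The added image usr_mng1_2.png also departs from the usr_mng_N naming of its neighbours.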
Line 31: Line 36:
 You have the ability to define a supervisor who is able to START/STOP the campaign which was created by a user. To do so add a user to a campaign with all permissions selected, add his supervisor to the same campaign with "Campaign start/stop" permission selected. As a result, the supervisor will only be able to go into the campaign and approve or reject the start. You have the ability to define a supervisor who is able to START/STOP the campaign which was created by a user. To do so add a user to a campaign with all permissions selected, add his supervisor to the same campaign with "Campaign start/stop" permission selected. As a result, the supervisor will only be able to go into the campaign and approve or reject the start.
  
-  * **Administrators**: The LUCY admin can save all settings within LUCY and run the campaign. This is the user that you need to perform your awareness campaigns. You cannot segregate administrators in a way, that an admin A doesn't see the clients from an admin B. This can only be done in the LUCY SaaS edition. +==== Administrators ==== 
-  * **View Only Users**: The View Only User can only see certain statistics of the campaign. This user cannot start/stop a campaign. The user also has no rights in viewing or changing any of the campaign settings. First, you need to create a client name. The client name is always associated with a campaign. Then you can associate that user with the client. As a result, the View Only User will only see all the campaigns which belong to that specific client.+ 
 +The LUCY admin can save all settings within LUCY and run the campaign. This is the user that you need to perform your awareness campaigns. You cannot segregate administrators in a way, that an admin A doesn't see the clients from an admin B. This can only be done in the LUCY SaaS edition. 
 + 
 + 
 +==== View Only Users ==== 
 + 
 +The View Only User can only see certain statistics of the campaign. This user cannot start/stop a campaign. The user also has no rights in viewing or changing any of the campaign settings. First, you need to create a client name. The client name is always associated with a campaign. Then you can associate that user with the client. As a result, the View Only User will only see all the campaigns which belong to that specific client.
  
 {{ usr_mng_5.png?600 }} {{ usr_mng_5.png?600 }}
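Review bot: In the Administrators section, "You cannot segregate administrators in a way, that an admin A doesn't see the clients from an admin B" is the key isolation limit for installs serving several clients, and it sits mid-paragraph; set it apart as its own note and reference it from the multitenant section. The View Only Users paragraph describes a procedure (create the client name, associate it with a campaign, associate the user with the client) in running prose, which would read better as a numbered list. There are also two empty added lines before the View Only Users heading where the other new headings have one.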
Line 39: Line 50:
  
 {{ usr_mng_6.png?600 }} {{ usr_mng_6.png?600 }}
 +===== List of permissions and its description =====
 +|Access All Campaigns|Right to access campaigns. If you activate this checkbox, the user can access all campaigns, regardless of who created them.|
 +|Create/Delete Campaigns|Right to Create or Delete campaigns. The user can create and delete campaigns and later access only the campaigns he created himself. Campaigns of other users are not displayed.|
 +|Save Campaign As Template|Right to save a campaign as a template. A campaign template can be used in the setup process when generating new campaigns.|
 +|Attack Templates|Access to the list of Attack Templates. Attack templates are predefined emails or websites which can be used for phishing simulations.|
 +|Campaign Templates|Access to the list of Campaign templates|
 +|Awareness Templates|Access to the list of Awareness Templates. Awareness templates are used in training campaigns.|
 +|File Templates|Access to the list of File Templates. File Templates are used for [[create_a_phishing_campaign_with_malware_simulations|file based attacks]].|
 +|Not Found Template|Access to the LUCY [[not_found_pages_404|404]] page|
 +|Report Templates|Access to the [[create_campaign_reports|Report Templates]]|
 +|Download Templates|Access to the menu of [[download_templates|Templates Downloading]]|
 +|Clients|Access to the [[client_setup|Clients]] menu|
 +|Recipients|Access to the list of [[add_mail_recipients|Recipients]]. Recipients are the users that get attacked or trained.|
 +|End Users|Access to the list of [[end_user_e-learning_portal|End Users]]|
 +|User Management|Access to the [[user_management|User Management]]|
 +|Reputation Levels|Access to the [[assign_multiple_e-learning_templates_based_on_user_reputation_level|Reputation Levels]]|
 +|SSH Access|Access to the [[remote_ssh_support|SSH Access]] menu|
 +|SSH Password|Right to reset SSH Password|
 +|Benchmark Sectors|Access to the [[benchmark|Benchmark Sectors]]|
 +|License|Right to access License menu|
 +|Update|Right to [[update_lucy|Update]] LUCY|
 +|Reboot|Right to [[reboot_lucy|Reboot]] LUCY|
 +|Domains|Right to access [[domain_configuration|Domains menu]]|
 +|Register Domains|Right to register a [[domain_configuration|domain]]|
 +|Dynamic DNS|Access to Dynamic DNS feature.|
 +|Automated Response Detection|Access to the [[response_detection|Automated Responce Detection]] menu|
 +|Advanced Settings|Access to the [[advanced_settings|Advanced Settings]]|
 +|Performance Test|Access to the [[performance_tests|Performance Tests]]|
 +|Test email|Right to send a [[test_mail|test email]]|
 +|Spam Test|Access to the [[spam_check|Spam Test]]|
 +|System Monitoring|Access to the [[system_performance_monitoring|System Monitoring]]|
 +|System Status Page|Access to the System Status Page. The status page gives a user access to certain [[log_files_in_lucy|logs]]|
 +|Incident Management|Access to the [[outlook_plugin_phishing_incidents|Incident Management]]|
 +|Plugin configuration|Right to configure Outlook plugin|
 +|Incident Management Configuration|Right to configure Incident Management|
 +|Manual|Access to LUCY manual. This is the WIKI page hosted on th LUCY server|
 +|Exports|Access to the [[export_campaign_data|exports]]|
 +|Invoices|Access to the Invoices. Invoices can be created inside LUCY as a receipt for purchases like domains, sms credits etc.|
 +|Send Logs|Access to "[[send_us_logs_through_lucy|Send Logs" menu]]. |
 +|Service Logs|Access to the [[log_files_in_lucy|Service logs]]|
 +|Changelog|Access to the Changelog|
 +|Mail Manager|Access to the [[mail_manager|Mail Manager]]|
  
 ===== How to convert users to LDAP-based? ===== ===== How to convert users to LDAP-based? =====
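Review bot: The new table puts system-wide rights ("SSH Access", "SSH Password", "User Management", "Update", "Reboot", "Advanced Settings") in the same flat list as template and campaign rights, with nothing to tell a reader which ones reach beyond a single campaign; group the rows or add a column for scope so that someone delegating to a limited user can tell them apart. The table has no header row. The "Create/Delete Campaigns" row says "Campaigns of other users are not displayed", while the use case 2 text on this page says custom templates and all recipient groups stay visible to such a user, so the row should mention that. Typos: "Responce" in the Automated Response Detection row and "th LUCY" in the Manual row; in the Send Logs row the opening quote is outside the link and the closing quote inside it.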
Line 73: Line 126:
 **Use case 2:** You have a customer who wants to create their own campaigns. However, the customer should only have access to his statistics and not see other customers. **Use case 2:** You have a customer who wants to create their own campaigns. However, the customer should only have access to his statistics and not see other customers.
  
-**Solution use case 2:** You create an account with the status "user" in "settings/users". Give the user only the right "Create/delete campaign" and the right to retrieve the statistics of the campaign (1). As soon as the customer logs in, he can then create his campaign and see only the data of the campaigns he created himself (regardless of the assignment of the customer). However, there are areas where this limited administrator has access to possibly sensitive data of other customers. Examples are custom created templates that may contain customer-related information. But also all recipient groups created on the system can be seen by this customer when assigning recipients.+{{ rolebased_acces_view2.png?600 }} 
 + 
 +**Solution use case 2:** You create an account with the status "user" in "settings/users". Give the user only the right "Create/delete campaign" (1). As soon as the customer logs in, he can then create his campaign and see only the data of the campaigns he created himself (regardless of the assignment of the customer). He wont have acccess to any other menu item (2). However, there are areas where this limited administrator has access to possibly sensitive data of other customers. Examples are custom created templates that may contain customer-related information. But also all recipient groups created on the system can be seen by this customer when assigning recipients.
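Review bot: The added sentence "He wont have acccess to any other menu item (2)." is followed directly by the statement that this user can see custom templates and all recipient groups of other customers, so the two read as contradictory; qualify the new sentence to say which data remains reachable through the campaign setup. The revision also drops "and the right to retrieve the statistics of the campaign" while use case 2 still requires that the customer has access to his statistics; say whether "Create/delete campaign" alone covers statistics. Typos in the added sentence: "wont" and "acccess".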
user_management.txt · Last modified: 2021/09/07 12:57 by lucysecurity