Excalibur Enterprise Roles Description
Introduction
This document describes the roles in Excalibur Enterprise and the relations between them. The User and Manager roles are set up in Active Directory; the Administrator, Auditor and Service desk roles are set up in the Excalibur Dashboard.
Regardless of how many roles a User has, everyone is logged into the Dashboard under the User role by default. A regular User sees only his/her own Actions and Sessions. A deployed Excalibur instance always has at least one User with the Administrator role assigned.
In the Dashboard User Interface (UI), a drop-down menu in the top left corner lets the User choose among the Roles assigned to him/her. Each Role implies its own range of capabilities available in the Dashboard.
Roles in Excalibur are created in two ways. The first is through Active Directory (AD), where the user is defined with his/her level in the company's hierarchy. By default, each account created in Active Directory has the User role in Excalibur. The Manager role and the relation between peers are defined there too. The second way is to assign roles such as Administrator, Service desk and Auditor to users in the Excalibur Dashboard.
Info
If the User, Manager, Auditor or Service desk role is combined with the Administrator role, the user is able to edit fields on the non-admin role page, or is redirected to the Administrator role page.
Summary
Role | Description |
---|---|
User | Person who is registered in Excalibur. User has access to own resources only. |
Manager | Role based on hierarchy in AD structure. Manager has access to own and subordinates' resources. |
Administrator | Highly privileged person who has access to all sections and can configure Excalibur. Administrator sees the activity of all users. The Superadministrator is the first person registered in Excalibur, and the Administrator role cannot be disabled for this person. For this reason we recommend using a universal account for the first registration. |
Auditor | Read only role. Auditor has access to all sections but cannot change the setup. |
Service desk | Read only role. Service desk has limited access to sections and cannot see the current PAM activity of another user, nor recorded sessions and files. |
Peer | Role based on hierarchy in AD structure. Peers are people under the same manager. |
Available sections for specific role
Screen \ Role | User | Manager | Administrator | Auditor | Service desk |
---|---|---|---|---|---|
Overview | ✗ | ✓ | ✓ | ✓ | ✓ |
Me | ✓ | ✓ | ✓ | ✓ | ✓ |
Users | ✗ | ✓ | ✓ | ✓ | ✓ |
Timeline | ✗ | ✓ | ✓ | ✓ | ✓ |
Actions | ✓ | ✓ | ✓ | ✓ | ✓ |
Sessions | ✓ | ✓ | ✓ | ✓ | ✓ |
Computers | ✓ | ✓ | ✓ | ✓ | ✓ |
Components | ✗ | ✗ | ✓ | ✓ | ✓ |
PAM | ✓ | ✓ | ✓ | ✓ | ✓ |
SAML | ✗ | ✗ | ✓ | ✗ | ✗ |
Groups users | ✗ | ✗ | ✓ | ✓ | ✓ |
Groups computers | ✗ | ✗ | ✓ | ✓ | ✓ |
Groups geofences | ✗ | ✗ | ✓ | ✓ | ✓ |
Roles | ✗ | ✗ | ✓ | ✓ | ✓ |
Security policies | ✓ | ✓ | ✓ | ✓ | ✓ |
Incidents | ✓ | ✓ | ✓ | ✓ | ✓ |
Verifications | ✗ | ✓ | ✓ | ✓ | ✓ |
Geofences | ✗ | ✗ | ✓ | ✓ | ✓ |
Audit | ✗ | ✗ | ✓ | ✓ | ✗ |
Logger | ✗ | ✗ | ✓ | ✓ | ✓ |
Versions | ✗ | ✓ | ✓ | ✓ | ✓ |
API access tokens | ✗ | ✗ | ✓ | ✗ | ✗ |
Syslog | ✗ | ✗ | ✓ | ✗ | ✗ |
Roles that can edit Excalibur
Action \ Role | User | Manager | Administrator | Auditor | Service desk |
---|---|---|---|---|---|
Create policy | ✗ | ✗ | ✓ | ✗ | ✗ |
Edit policy | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove policy | ✗ | ✗ | ✓ | ✗ | ✗ |
Add group to policy | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove group from policy | ✗ | ✗ | ✓ | ✗ | ✗ |
Create user location | ✓ | ✓ | ✓ | ✓ | ✓ |
Edit user location | ✓ | ✓ | ✓ | ✓ | ✓ |
Remove user location | ✓ | ✓ | ✓ | ✓ | ✓ |
Create component | ✗ | ✗ | ✓ | ✗ | ✗ |
Edit component | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove component | ✗ | ✗ | ✓ | ✗ | ✗ |
Create user group | ✗ | ✗ | ✓ | ✗ | ✗ |
Edit user group | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove user group | ✗ | ✗ | ✓ | ✗ | ✗ |
Add policies to group | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove policies from group | ✗ | ✗ | ✓ | ✗ | ✗ |
Create geofence group | ✗ | ✗ | ✓ | ✗ | ✗ |
Edit geofence group | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove geofence group | ✗ | ✗ | ✓ | ✗ | ✗ |
Create computer group | ✗ | ✗ | ✓ | ✗ | ✗ |
Edit computer group | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove computer group | ✗ | ✗ | ✓ | ✗ | ✗ |
Add groups to role | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove groups from role | ✗ | ✗ | ✓ | ✗ | ✗ |
Create geofence | ✗ | ✗ | ✓ | ✓ | ✓ |
Edit geofence | ✗ | ✗ | ✓ | ✓ | ✓ |
Remove geofence | ✗ | ✗ | ✓ | ✓ | ✓ |
Lock User sessions | ✓ | ✓ | ✓ | ✓ | ✓ |
Logout User sessions | ✓ | ✓ | ✓ | ✓ | ✓ |
Restart server | ✗ | ✗ | ✓ | ✗ | ✗ |
Update server | ✗ | ✗ | ✓ | ✗ | ✗ |
Enable/Disable Client | ✗ | ✗ | ✓ | ✗ | ✗ |
Create PAM | ✗ | ✗ | ✓ | ✗ | ✗ |
Update PAM | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove PAM | ✗ | ✗ | ✓ | ✗ | ✗ |
Attach to another PAM | ✗ | ✓ | ✓ | ✓ | ✗ |
See another user's transferred files | ✗ | ✓ | ✓ | ✓ | ✗ |
Create SAML | ✗ | ✗ | ✓ | ✗ | ✗ |
Update SAML | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove SAML | ✗ | ✗ | ✓ | ✗ | ✗ |
Create API access tokens | ✗ | ✗ | ✓ | ✗ | ✗ |
Update API access tokens | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove API access tokens | ✗ | ✗ | ✓ | ✗ | ✗ |
Create Syslog | ✗ | ✗ | ✓ | ✗ | ✗ |
Update Syslog | ✗ | ✗ | ✓ | ✗ | ✗ |
Remove Syslog | ✗ | ✗ | ✓ | ✗ | ✗ |
How to assign a Manager role in Active Directory
- Log in to your AD server
- Open Server Manager and select Tools > Active Directory Administrative Center
- Select the user from the list and open the user details
- Add a manager role by selecting another user account
- If you want to assign a manager for this user, click the Edit button in the Manager part of the Organization tab. Fill in the name of the manager and confirm it.
  If users have the same manager, then the users are peers.
- If you want to assign subordinates to a manager, click the Add button next to Direct reports, fill in the names of the subordinates and save
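The same relations can be set and reviewed from PowerShell. This is an added example, not part of the Excalibur documentation: it uses the ActiveDirectory module's `Set-ADUser`, `Get-ADUser` and `Get-ADObject`, and the account names `jdoe` and `asmith` and the functions `Resolve-UserDn` and `Get-HierarchyRelations` are hypothetical. It assumes the hierarchy is read from the standard `manager` attribute and its back-link `directReports`, which are the fields the Administrative Center edits.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: turn DNs from 'directReports' into account names,
# skipping non-user objects (contacts can also carry a 'manager' value).
function Resolve-UserDn {
    param([string[]]$Dn)
    foreach ($d in $Dn) {
        $obj = Get-ADObject -Identity $d -Properties sAMAccountName
        if ($obj.ObjectClass -eq 'user') { $obj.sAMAccountName }
    }
}

# Hypothetical helper: manager, peers and subordinates of one account, read
# from the 'manager' attribute and its back-link 'directReports'.
function Get-HierarchyRelations {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)

    $user    = Get-ADUser -Identity $Identity -Properties Manager, DirectReports
    $manager = $null
    $peers   = @()
    if ($user.Manager) {
        $manager = Get-ADUser -Identity $user.Manager -Properties DirectReports
        # Peers: everyone else who reports to the same manager.
        $others = @($manager.DirectReports |
            Where-Object { $_ -ne $user.DistinguishedName })
        $peers  = @(Resolve-UserDn $others)
    }

    [pscustomobject]@{
        User         = $user.SamAccountName
        Manager      = if ($manager) { $manager.SamAccountName } else { $null }
        Peers        = $peers
        Subordinates = @(Resolve-UserDn $user.DirectReports)
    }
}

# Assign asmith as manager of jdoe (placeholder names), then check the result.
Set-ADUser -Identity 'jdoe' -Manager 'asmith'
Get-HierarchyRelations -Identity 'jdoe'
Get-HierarchyRelations -Identity 'asmith'

# Accounts that have direct reports, i.e. candidates for the Manager role
# (assumption: the role follows from a non-empty 'directReports').
Get-ADUser -LDAPFilter '(directReports=*)' -Properties DirectReports |
    Select-Object SamAccountName, @{ n = 'Reports'; e = { $_.DirectReports.Count } }
```

Reviewing the output of the last query periodically shows which accounts have gained visibility over subordinates' sessions and PAM activity through an AD change alone.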
How to assign role in Excalibur Dashboard
Only an Excalibur Administrator can assign roles in the Excalibur Dashboard. The procedure for assigning a role to a user is as follows:
- First, the User has to be assigned to a User group. The procedure for assigning a user to a group is described in the Excalibur Administrators Dashboard Manual
- Go to the Security section and click on Roles
- Select the role which you want to assign to the User group
- By clicking the + or - button on the right side, you can add user groups to or remove them from the list.
- Select the group from the list and confirm with the Add or Remove button.
Roles description
User
By default, each account created in Active Directory has the User role. A User is an end user who uses Excalibur to Authenticate and Authorize against the Company’s Client(s) and integrations, utilizing his/her personal Token, and, if available on a given Client, to manage his/her sessions. A User might also Verify his/her colleagues (if allowed and required) and Reset his/her own authentication factors, as well as an expired password on a Client (if applicable). Every User can also log into the Dashboard, where a regular User sees only his/her own Actions and Sessions. A detailed description of the User Dashboard interface is in the Excalibur User’s Dashboard Manual document.
User: Section Summary
Overview
Section | Description |
---|---|
Own Overview | Contains user’s Sessions, Actions, Incidents, Tokens, Computers, Accounts, Policies, Groups, Roles and Subordinates organized in tabs. |
Actions | List of all Actions taken by a user, such as Authentication, Authorization, Verification, Registration, Factor reset and Tokenless Authentication. |
Sessions | List of all Logged, Active, and Manual sessions, as well as their History. |
PAM | List of PAM resources which are assigned to the user. User can see only his/her own activity and transferred files, and can search words in his/her own PAM sessions. |
Manager
A Manager is a person who uses Excalibur to Authenticate and Authorize against the Company’s Client(s) and integrations, utilizing his/her personal Token, and, if available on a given Client, to manage his/her sessions. A Manager might also Verify his/her colleagues or subordinates (if allowed and required) and Reset his/her own authentication factors, as well as an expired password on a Client (if applicable). Every Manager can also log into the Dashboard, where a regular Manager can see his/her own Actions and Sessions. A Manager can see and manage the settings of his/her subordinates. The Manager role is set up in Active Directory by adding subordinates to the User account.
Manager: Sections summary
Overview
Section | Description |
---|---|
Overview | Page with statistics tabs which provide information about Actions, Devices, Sessions and incidents. They can be shown by date interval. |
Users | List of all subordinates who are assigned to the manager. Manager sees the name of the geofence from which the user is logged in. |
Timeline | Summary view of subordinates' activity during a given day. |
Actions | List of all actions taken by subordinates. |
Sessions | List of all the manager's and subordinates' logged, active, and manual sessions, as well as their history. |
Computers | List of all computers in the manager group, with their names, Excalibur version, OS and current status information. |
PAM | List of PAM resources which are assigned to the user. Manager sees own and subordinates' activities and transferred files, and can search words in own and subordinates' PAM sessions. |
Security
Section | Description |
---|---|
Incidents | List of all incidents registered by the manager group in Excalibur. |
Verifications | List of all verifications that happened or are currently happening in the manager group in Excalibur. |
Status
Section | Description |
---|---|
Versions | List of all Operating System (OS) versions, Statuses and Excalibur versions (version of a respective component) of every device in the manager group, as well as a summary of all versions currently used. |
Errors | Lists of all errors that happened in the manager group under every component. |
Administrator
An Administrator is a person in the company who has access to all settings in the Excalibur Dashboard and who is responsible for the administration of the Excalibur system. Administrator can manage all settings in the Excalibur Dashboard. A detailed description of the Administrator Dashboard interface is in the Excalibur Administrator’s Dashboard Manual document. The Super administrator is the first person registered in Excalibur.
Administrator: Sections summary
Overview
Section | Description |
---|---|
Overview | Page with statistics, which provides information about Actions, Devices, Sessions and Incidents. They can be shown by date interval. There is a tab with server information too. From here the server can be rebooted and Logs from the Active Directory Facade can be shown. |
Users | List of all Active Directory users with their registered Tokens. Administrator sees the name of the geofence from which the user is logged in. |
Timeline | Summary view of users' activity during a given day. |
Actions | List of all actions taken by every user. |
Sessions | List of all logged, active, and manual sessions, as well as their history. |
Computers | List of all computers with their names, Excalibur version, OS and current status information. |
Components | Lists of all currently deployed Excalibur components and their versions. |
PAM | List of all PAM resources. Administrator can create PAM resources, sees all transferred files and can search words in all PAM sessions as well as preview recorded PAM sessions. |
SAML | Page for SAML setup |
Groups
Section | Description |
---|---|
Users | List of all groups of users created in Excalibur. |
Computers | List of all computer groups created in Excalibur. |
Geofences | List of all groups of geofences created in Excalibur. |
Security
Section | Description |
---|---|
Roles | List of all roles from the company's Active Directory. |
Security policies | Page to view, edit, add or remove individual policies. |
Incidents | Lists of all registered incidents in Excalibur. |
Verifications | List of all verifications that happened or are currently happening in Excalibur. |
Geofences | Page which serves to manage existing and create new geofences in Excalibur. |
Audit | Page which provides information about changes in a list. |
Logger | Logger tab provides information about each action of the user's token as well as statistics of login performance and logins. |
Status
Section | Description |
---|---|
Versions | List of all Operating System (OS) versions, Statuses and Excalibur versions (version of a respective component) of every device in Excalibur ecosystem, as well as a summary of all versions currently used. |
API Access tokens | Setting page for API tokens |
Syslog | Lists of all errors that happened in Excalibur under every component. |
Auditor
Some companies may require a role for a person who will review the settings of Excalibur. The Auditor role in Excalibur serves this purpose. This person has the same access to the Excalibur Dashboard as an Administrator, but the Auditor cannot change settings. Auditor sees the location from which the user executes an action.
Auditor: Sections summary
Overview
Section | Description |
---|---|
Overview | Page with statistics tabs which provide information about Actions, Devices, Sessions and incidents. They can be shown by date interval. There is a table with server information. |
Users | List of all Active Directory users with their registered Tokens. Auditor sees the name of the geofence from which the user is logged in. |
Timeline | Summary view of users' activity during a given day. |
Actions | List of all actions taken by every user. |
Sessions | List of all logged, active, and manual sessions, as well as their history. |
Computers | List of all computers with their names, Excalibur version, OS and current status information. |
Components | Lists of all currently deployed Excalibur components and their versions. |
PAM | List of all PAM resources. Auditor sees PAM detail and all transferred files, and can search words in PAM sessions as well as preview recorded PAM sessions. |
Groups
Section | Description |
---|---|
Users | List of all groups of users created in Excalibur. |
Computers | List of all computer groups created in Excalibur. |
Geofences | List of all groups of geofences created in Excalibur. |
Security
Section | Description |
---|---|
Roles | List of all roles from the company's Active Directory. |
Security policies | Page to view, edit, add or remove individual policies. |
Incidents | Lists of all registered incidents in Excalibur. |
Verifications | List of all verifications that happened or are currently happening in Excalibur. |
Geofences | Page which serves to manage existing and create new geofences in Excalibur. |
Audit | Page which provides information about changes in a list. |
Logger | Logger tab provides information about each action of the user's token as well as statistics of login performance and logins. |
Status
Section | Description |
---|---|
Versions | List of all Operating System (OS) versions, Statuses and Excalibur versions (version of a respective component) of every device in Excalibur ecosystem, as well as a summary of all versions currently used. |
Service desk
Service desk is a role for technical support of Users. Service desk has the same access to the Excalibur Dashboard as Administrator, but it has restricted access to edit data in accounts and fields such as Policies, Groups, etc. Service desk is also denied access to view recorded PAM sessions and to attach to them.
Service desk: Sections summary
Overview
Section | Description |
---|---|
Overview | Page with statistics tabs which provide information about Actions, Devices, Sessions, Incidents and Report. They can be shown by date interval. |
Users | List of all Active Directory users with the Excalibur app installed and registered into Excalibur. Service desk sees that the geofence from which the user is logged in is checked. |
Timeline | Summary view of users' activity during a given day. |
Actions | List of all actions taken by every user. |
Sessions | List of all logged, active, and manual sessions, as well as their history. |
Computers | List of all computers with their names, Excalibur version, OS and current status information. |
Components | Lists of all currently deployed Excalibur components and their versions. |
PAM | List of all PAM resources. Service desk sees PAM detail and can search words in PAM sessions. In File transfer, the Service desk sees only own files. |
Groups
Section | Description |
---|---|
Users | List of all groups of users created in Excalibur. |
Computers | List of all computer groups created in Excalibur. |
Geofences | List of all groups of geofences created in Excalibur. |
Security
Section | Description |
---|---|
Roles | List of all roles from the company's Active Directory. |
Security policies | Page to view, edit, add or remove individual policies. |
Incidents | Lists of all registered incidents in Excalibur. |
Verifications | List of all verifications that happened or are currently happening in Excalibur. |
Geofences | Page which serves to manage existing and create new geofences in Excalibur. |
Logger | Logger tab provides information about each action of the user's token as well as statistics of login performance and logins. |
Status
Section | Description |
---|---|
Versions | List of all Operating System (OS) versions, Statuses and Excalibur versions (version of a respective component) of every device in Excalibur ecosystem, as well as a summary of all versions currently used. |
Peer
Peer is a special term which is used in policies for verification of users. Peer is not a real role; it means that the users' accounts created in Active Directory are at the same level of the hierarchy and have the same manager. Users without the same assigned manager are not peers.