
Getting started

Introduction

Excalibur is an enterprise solution that provides passwordless multi-factor authentication (MFA), privileged access management (PAM) and access to PAM targets. Excalibur currently recognizes three user roles: User, Auditor and Administrator. This user guide describes how to register and use the Excalibur system in the User role.

The Excalibur mobile app serves as a security token for password-free authentication. It uses your mobile phone to verify authentication factors such as location, PIN code, fingerprint, Face ID, etc.

In order to use Excalibur, you must first install the Excalibur mobile app. The application is available for free in the Play Store and App Store. Store links are available on https://getexcalibur.com, as well as on the registration screen. On request, the application is also available for individual distribution to end users.

User roles

A user is an end user who relies on Excalibur to authenticate to, and be authorized for, the supported systems in the organization, such as the Dashboard (see the Dashboard section) and PAM resources (see the PAM section). Users authenticate with their personal token, typically the mobile application, and manage their sessions on the designated client where that is possible.

User roles define the scope of authorizations within the system. Every user, including administrators, is assigned a basic user role in addition to any advanced roles they may hold.

Description of roles

Excalibur currently recognizes three user roles:

Administrator (System Administrator) is the role with the highest privileges in an Excalibur deployment. It is also the role of the first user created and registered, and there must always be at least one System Administrator in the system. The System Administrator has access to the general settings of the entire deployment, to the creation and management of individual tenants, and to all roles. It has access to all tenants, including the System Tenant.

The System Administrator is also the role that sends invitations to new users, allowing them to join the system and use its features; this is how user access and the growth of the user base are controlled. These privileges make the System Administrator the central authority for managing and maintaining an Excalibur deployment.

Auditor is a read-only oversight role. Auditors have full visibility of all information in the system, including user activities and system actions, so that compliance and operational integrity can be reviewed, but they cannot modify system settings or user configurations. The role is intended for organizations that need an independent review process without granting the reviewer the ability to change the system.

User is the Excalibur end-user role. A user has access only to the tenant environment they belong to and to the PAM resources assigned to them directly or through a user group. The role is intended for people who need to reach specific resources and perform tasks in a controlled environment without administrative privileges.

Table of roles and authorizations

Permission / role | System Administrator | Auditor | User
User profile (custom) | | |
User management | ✔ (all) | |
PAM: sources, sessions, full-text search | ✔ (all) | ✔ (in own tenant) | ✔ (resources assigned to the user in own tenant)
Identity resource management | ✔ (all) | ✔ (in own tenant) |
Tenant management | | |
List and manage geofences | ✔ (all) | ✔ (in own tenant) |
Security: OAuth clients | | |
Security: security policies | ✔ (all) | ✔ (in own tenant) |
Settings: Email | | |
Settings: SMTP | | |

Multi-tenancy

Excalibur supports multi-tenancy: several organizations or organizational units can share one deployment. Each tenant (organization) has its own environment: its own users, administrators, identity store, security policies and some system settings.

All tenants, although they have separate environments, are managed by System Administrators within the single deployment, on behalf of a superior organization or component.

During the initial system setup, a special type of tenant for System Administrators, Tenant 0 (System Tenant), is created. This system tenant is superior to all other tenants.

The system and tenant environments can be automatically managed by an external management system through integration. For more details, refer to the Administrator manual.

Dashboard

The Dashboard is the primary web interface of the Excalibur PAM system and is accessible to all users. It is used to manage users, groups, security policies, detailed reports, auditing and system settings, and it provides both administration of and access to PAM resources. Each user role sees the functionality that applies to it.

For more details, refer to the Administrator, Auditor, and User manuals.

Info

Each list in the dashboard allows filtering, sorting and searching in the displayed items.

Info

The registration process is the same for all users of the Excalibur system. It is implemented as self-registration: the System Administrator sends an email invitation containing a unique link with limited time validity, which points to the registration form of the Excalibur dashboard. The form asks the user to enter their login data for the identity source chosen by the organization and, after verification, issues a unique registration QR code, which the user scans with the Excalibur mobile application (the token) to complete registration. After successful registration the user is logged into the system automatically.
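The page describes the invitation link only as unique and time-limited. The following Go program is an added illustration of how such a link is commonly built and checked; it is not Excalibur's code, and the token layout, field names, secret and URL are assumptions for the example. The identity-source login and QR step that follow the link are not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Invitation is what the link carries: who it is for, which tenant, when it
// stops being valid, and a random nonce that makes it unique and single-use.
// This layout is an assumption for the example, not Excalibur's format.
type Invitation struct {
	Email   string
	Tenant  string
	Expires time.Time
	Nonce   string
}

var errInvalid = errors.New("invitation invalid, expired or already used")

var enc = base64.RawURLEncoding

func payload(inv Invitation) string {
	return strings.Join([]string{inv.Email, inv.Tenant,
		strconv.FormatInt(inv.Expires.Unix(), 10), inv.Nonce}, "|")
}

// tag computes HMAC-SHA256 over the payload with the server-side secret.
func tag(secret []byte, msg string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// NewInvitation issues a token for one email and tenant, valid for ttl from now.
// The token is payload.mac, both base64url, so it can sit in a URL query string.
func NewInvitation(secret []byte, email, tenant string, ttl time.Duration, now time.Time) (string, error) {
	if strings.ContainsAny(email+tenant, "|") {
		return "", errors.New("email and tenant must not contain the field separator")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	inv := Invitation{Email: email, Tenant: tenant, Expires: now.Add(ttl), Nonce: hex.EncodeToString(nonce)}
	p := payload(inv)
	return enc.EncodeToString([]byte(p)) + "." + enc.EncodeToString(tag(secret, p)), nil
}

// Redeem checks the MAC first (constant time), then expiry, then single use,
// and marks the nonce as consumed. One generic error covers every failure so
// the caller learns nothing about which check tripped.
func Redeem(secret []byte, token string, now time.Time, used map[string]bool) (Invitation, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Invitation{}, errInvalid
	}
	p, err1 := enc.DecodeString(parts[0])
	m, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(m, tag(secret, string(p))) {
		return Invitation{}, errInvalid
	}
	f := strings.Split(string(p), "|")
	if len(f) != 4 {
		return Invitation{}, errInvalid
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return Invitation{}, errInvalid
	}
	inv := Invitation{Email: f[0], Tenant: f[1], Expires: time.Unix(exp, 0).UTC(), Nonce: f[3]}
	if !now.Before(inv.Expires) || used[inv.Nonce] {
		return Invitation{}, errInvalid
	}
	used[inv.Nonce] = true
	return inv, nil
}

func main() {
	secret := []byte("constructed example secret; use a random key in practice")
	now := time.Now()
	tok, err := NewInvitation(secret, "alice@example.com", "acme", 24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("link: https://dashboard.example.com/register?invite=" + tok) // hypothetical URL
	used := map[string]bool{}
	inv, err := Redeem(secret, tok, now.Add(time.Hour), used)
	fmt.Println("first redeem:", inv.Email, err)
	_, err = Redeem(secret, tok, now.Add(2*time.Hour), used)
	fmt.Println("second redeem:", err)
	_, err = Redeem(secret, tok, now.Add(25*time.Hour), map[string]bool{})
	fmt.Println("after expiry:", err)
}
```

The `used` map stands in for whatever persistent store records consumed nonces; without that store a link that has already been redeemed would remain valid until it expires.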

PAM (Privileged Access Management)

Excalibur PAM provides access to enterprise resources (PAM Targets) through a web browser, in one of two ways: directly in the browser, with a proxy server translating the target protocol (RDP, SSH) to HTML5, or through dynamic port forwarding, which lets native clients (for example an RDP client) reach resources on the internal network via a port forwarded to Excalibur PAM.

Excalibur PAM treats all sessions as privileged and records them by default. Every action performed by the user is cryptographically signed, confirming that it was performed by an authenticated user. The result is a continuous binding of every user action to a strongly, multi-factor authenticated identity, because every action and every PAM session is both recorded and signed: access cannot be delegated, and a user cannot claim that someone else performed an action.
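The page does not say which signature scheme Excalibur uses or how the token's key is stored, so the following Go program is an added illustration of the property described above, not Excalibur's code: each user's token holds a private key generated at registration, the server keeps only the public key, and every recorded session action is signed by the token. The record layout, user names and sample actions are constructed for the example. Verification shows why a signed record cannot be altered after the fact or re-attributed to another user, and a per-session sequence check catches a dropped or replayed record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// SessionAction is one action inside a PAM session, as it would be written to
// the session record. The field layout is an assumption for this example.
type SessionAction struct {
	User      string `json:"user"`
	SessionID string `json:"session_id"`
	Seq       uint64 `json:"seq"` // 1-based and contiguous within a session
	Timestamp string `json:"ts"`
	Action    string `json:"action"`
}

// SignedRecord is the action plus the signature produced by the user's token.
type SignedRecord struct {
	Action    SessionAction
	Signature []byte
}

// Token stands in for the mobile app: the private key is generated at
// registration and never leaves the device.
type Token struct{ priv ed25519.PrivateKey }

// NewToken generates the key pair; the public key is what the server stores.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// canonical serialises an action deterministically so that signer and
// verifier sign exactly the same bytes (json.Marshal keeps struct field order).
func canonical(a SessionAction) ([]byte, error) {
	return json.Marshal(a)
}

// Sign produces the signed record for one action.
func (t *Token) Sign(a SessionAction) (SignedRecord, error) {
	msg, err := canonical(a)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Action: a, Signature: ed25519.Sign(t.priv, msg)}, nil
}

// Registry holds the public key stored for each registered user.
type Registry map[string]ed25519.PublicKey

// Verify checks that the record was signed by the key registered for the user
// named in it; any change to the action, including a swapped user name, fails.
func (r Registry) Verify(rec SignedRecord) error {
	pub, ok := r[rec.Action.User]
	if !ok {
		return fmt.Errorf("unknown user %q", rec.Action.User)
	}
	msg, err := canonical(rec.Action)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, rec.Signature) {
		return fmt.Errorf("invalid signature on seq %d of session %s", rec.Action.Seq, rec.Action.SessionID)
	}
	return nil
}

// VerifyLog verifies every record and requires sequence numbers to be
// contiguous per session, so a dropped or replayed record is noticed.
func (r Registry) VerifyLog(records []SignedRecord) error {
	last := map[string]uint64{}
	for _, rec := range records {
		if err := r.Verify(rec); err != nil {
			return err
		}
		sid := rec.Action.SessionID
		if rec.Action.Seq != last[sid]+1 {
			return fmt.Errorf("session %s: expected seq %d, got %d", sid, last[sid]+1, rec.Action.Seq)
		}
		last[sid] = rec.Action.Seq
	}
	return nil
}

func main() {
	alice, alicePub, err := NewToken()
	if err != nil {
		panic(err)
	}
	reg := Registry{"alice": alicePub}
	now := time.Now().UTC().Format(time.RFC3339)
	var records []SignedRecord
	for i, act := range []string{"ssh:connect", "ssh:exec sudo -i"} { // constructed sample actions
		rec, err := alice.Sign(SessionAction{User: "alice", SessionID: "s-1", Seq: uint64(i + 1), Timestamp: now, Action: act})
		if err != nil {
			panic(err)
		}
		records = append(records, rec)
	}
	fmt.Println("intact log:", reg.VerifyLog(records))
	records[1].Action.Action = "ssh:exec ls" // tamper with the stored record
	fmt.Println("tampered log:", reg.VerifyLog(records))
}
```

The guarantee only holds as long as the private key stays on the user's device; if it can be extracted, the signature still proves that the token's key was used, but no longer who used it.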

Refer to the PAM manual for detailed instructions on connecting to and working with a PAM target. For role-specific functionalities, consult the corresponding user role manual: Administrator manual, Auditor manual, or User manual.


This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration and system administrators and may change with updates.