Create and manage users

Deep Security has users, roles, and contacts which can be created and managed under Administration > User Management.

  • Users are Deep Security account holders who can sign in to the Deep Security Manager with a unique user name and password.
  • Roles are a collection of permissions to view data and perform operations within Deep Security Manager. Each user is assigned a role.
  • Contacts do not have a user account and cannot sign in to Deep Security Manager but they can be designated as the recipients of email notifications and scheduled Reports.

Although contacts cannot sign in to Deep Security Manager, they are assigned roles that define the scope of the information that is sent to them.

For example, three contacts may each be listed as the recipients of a weekly summary report but the contents of the three reports could be entirely different for each contact depending on their computer rights.

In this topic:

Create new users

  • In the Deep Security Manager go to Administration > User Management > Users.

Role-based access to computers and policies

Access rights and editing privileges are attached to Roles and not to users. To change the access rights and editing privileges of an individual user, the user must be assigned a different role, or the role itself must be edited.

The access that roles have to computers and policies can be restricted to subsets of computers and policies. This can be controlled at a fairly granular level. For example, users can be permitted to view all existing computers, but only permitted to modify those in a particular group. To edit a role, go to Administration > User Management > Roles and double-click a Role (or click New) to display the Roles Properties window.


Role-based editing privileges

Within those access restrictions, Roles can have limitations placed on their editing privileges.

User rights

The User rights area on the User Rights tab of the Role Properties window has the following options:

  • Change own password and contact information only
  • Create and manage users with equal or less access
  • Have full control over all roles and users
  • Custom

A role can give users delegated rights over other users. That is, the users with that role can create and modify the properties of users only with equal or less access than themselves.

Default settings for full access, auditor, and new roles

The following table identifies the default rights settings for the full access role and the auditor role. Also listed are the rights settings that are in place when creating a new role by clicking New in the toolbar on the Roles page.

RIGHTSSETTINGS BY ROLE
GeneralFull Access RoleAuditor RoleNew Role Defaults
Access to DSM User InterfaceAllowedAllowedAllowed
Access to Web Service APIAllowedAllowedNot allowed
Computer RightsFull Access RoleAuditor RoleNew Role Defaults
ViewAllowed, All ComputersAllowed, All ComputersAllowed, All Computers
EditAllowed, All ComputersNot allowed, All ComputersNot allowed, All Computers
DeleteAllowed, All ComputersNot allowed, All ComputersNot allowed, All Computers
Dismiss Alerts forAllowed, All ComputersNot allowed, All ComputersNot allowed, All Computers
Tag Items forAllowed, All ComputersNot allowed, All ComputersNot allowed, All Computers
Allow viewing of non-selected computers and data (e.g. events, reports)AllowedAllowedAllowed, All Computers
Allow viewing of events and alerts not related to computersAllowedAllowedAllowed, All Computers
Allow new computers to be created in selected GroupsAllowedNot allowedNot allowed
Allow sub-groups to be added or removed in selected GroupsAllowedNot allowedNot allowed
Allow computer file importsAllowedNot allowedNot allowed
Allow Cloud Accounts to be added, removed and synchronizedAllowedNot allowedNot allowed
Policy RightsFull Access RoleAuditor RoleNew Role Defaults
ViewAllowed, All PoliciesAllowed, All PoliciesAllowed, All Policies
EditAllowed, All PoliciesNot allowed, All PoliciesNot allowed, All Policies
DeleteAllowed, All PoliciesNot allowed, All PoliciesNot allowed, All Policies
View non-selected PoliciesAllowedAllowedAllowed
Create new PoliciesAllowedNot allowedNot allowed
Import PoliciesAllowedNot allowedNot allowed
User Rights (See note on User rights below)Full Access RoleAuditor RoleNew Role Defaults
View UsersAllowedAllowedNot allowed
Create UsersAllowedNot allowedNot allowed
Edit User PropertiesAllowedNot allowedNot allowed
Delete UsersAllowedNot allowedNot allowed
View RolesAllowedAllowedNot allowed
Create RolesAllowedNot allowedNot allowed
Edit Role PropertiesAllowedNot allowedNot allowed
Delete RolesAllowedNot allowedNot allowed
Delegate AuthorityAllowedNot allowedNot allowed
Other RightsFull Access RoleAuditor RoleNew Role Defaults
AlertsFull (Can Dismiss Global Alerts)View-OnlyView-Only
Alert ConfigurationFull (Can Edit Alert Configurations)View-OnlyView-Only
IP ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
Port ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
SchedulesFull (Can Create, Edit, Delete)View-OnlyView-Only
System Settings (Global)Full (Can View, Edit System Settings (Global))View-OnlyHide
DiagnosticsFull (Can Create Diagnostic Packages)View-OnlyView-Only
TaggingFull (Can Tag (Items not belonging to Computers), Can Delete Tags, Can Update Non-Owned Auto-Tag Rules, Can Run Non-Owned Auto-Tag Rules, Can Delete Non-Owned Auto-Tag Rules)View-OnlyView-Only
TasksFull (Can View, Add, Edit, Delete Tasks, Execute Tasks)View-OnlyHide
Multi-Tenant AdministrationFullHideView-Only
Scan Cache Configuration AdministrationFullView-OnlyView-Only
ContactsFull (Can View, Create, Edit, Delete Contacts)View-OnlyHide
LicensesFull (Can View, Change License)View-OnlyHide
UpdatesFull (Can Add, Edit, Delete Software; Can View Update For Components; Can Download, Import, Apply Update Components; Can Delete Deep Security Rule Updates)View-OnlyHide
Asset ValuesFull (Can Create, Edit, Delete Asset Values)View-OnlyView-Only
CertificatesFull (Can Create, Delete SSL Certificates)View-OnlyView-Only
Relay GroupsFullView-OnlyView-Only
ProxyFullView-OnlyView-Only
SAML Identity ProvidersFullHideHide
Malware Scan ConfigurationFull (Can Create, Edit, Delete Malware Scan Configuration)View-OnlyView-Only
Quarantined FileFull (Can Delete, Download Quarantined File)View-OnlyView-Only
Web Reputation ConfigurationFullView-OnlyView-Only
Directory ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
File ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
File Extension ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
Firewall RulesFull (Can Create, Edit, Delete Firewall Rules)View-OnlyView-Only
Firewall Stateful ConfigurationsFull (Can Create, Edit, Delete Firewall Stateful Configurations)View-OnlyView-Only
Intrusion Prevention RulesFull (Can Create, Edit, Delete)View-OnlyView-Only
Application TypesFull (Can Create, Edit, Delete)View-OnlyView-Only
MAC ListsFull (Can Create, Edit, Delete)View-OnlyView-Only
ContextsFull (Can Create, Edit, Delete)View-OnlyView-Only
Integrity Monitoring RulesFull (Can Create, Edit, Delete)View-OnlyView-Only
Log Inspection RulesFull (Can Create, Edit, Delete)View-OnlyView-Only
Log Inspection DecodersFull (Can Create, Edit, Delete)View-OnlyView-Only

The custom settings corresponding to the Change own password and contact information only option are listed in the following table:

Custom settings corresponding to "Change own password and contact information only" option
Users
Can View UsersNot allowed
Can Create New UsersNot allowed
Can Edit User Properties (User can always edit select properties of own account)Not allowed
Can Delete UsersNot allowed
Roles
Can View RolesNot allowed
Can Create New RolesNot allowed
Can Edit Role Properties (Warning: conferring this right will let Users with this Role edit their own rights)Not allowed
Can Delete RolesNot allowed
Delegate Authority
Can only manipulate Users with equal or lesser rightsNot allowed


The custom settings corresponding to the Create and manage Users with equal or less access option are listed in the following table:

Custom settings corresponding to "Create and manage Users with equal or less access" option
Users
Can View UsersAllowed
Can Create New UsersAllowed
Can Edit User Properties (User can always edit select properties of own account)Allowed
Can Delete UsersAllowed
Roles
Can View RolesNot allowed
Can Create New RolesNot allowed
Can Edit Role Properties (Warning: conferring this right will let Users with this Role edit their own rights)Not allowed
Can Delete RolesNot allowed
Delegate Authority
Can only manipulate Users with equal or lesser rightsAllowed


The custom settings corresponding to the Have full control over all Roles and Users option are listed in the following table:

Custom settings corresponding to "Have full control over all Roles and Users" option
Users
Can View UsersAllowed
Can Create New UsersAllowed
Can Edit User Properties (User can always edit select properties of own account)Allowed
Can Delete UsersAllowed
Roles
Can View RolesAllowed
Can Create New RolesAllowed
Can Edit Role Properties (Warning: conferring this right will let Users with this Role edit their own rights)Allowed
Can Delete RolesAllowed
Delegate Authority
Can only manipulate Users with equal or lesser rightsNot applicable