👨💼Role-based Access (RBAC) and Tenant Access Logs
12/2024
Overview
The Cisco Identity Intelligence security platform provides several different roles with different permissions for access your Identity Intelligence tenant dashboard.
Full administrator (admin)
Read only
Help desk
Application manager
User manager
Security analyst
This article describes the permissions associated with each role. Role Based Access (RBAC) is fully configured within the Duo Admin Panel. Please refer to their documentation for instructions on how to configure roles for the different permitted groups that have been granted access to Identity Intelligence.
The article also discusses how to use the Tenant Access page to review recent administrator or user access to the Identity Intelligence console.
Roles and Permissions
Full Administrator
As the name suggests, full administrator (admin) can take all actions within your Identity Intelligence tenant, including:
adding or deleting integrations
changing tenant settings
configuring Checks settings
excluding users from Checks
configuring notification targets like Slack or Teams channels
opening tickets with ITSM platforms like ServiceNOW or Jira
all actions available within the Remediation Actions article
Read-only Role
Read-only Identity Intelligence users can view all of the data and users within the console, but cannot make any changes to the configuration of the platform or take any actions related to User objects, such as opening tickets or sending notifications.
Help Desk role
Help desk users can view all data and perform a subset of actions within the console. These actions include user-related actions, such as:
Opening tickets for investigation or remediation
Resetting a users MFA
Modifying specific user attributes, such as User Type
Logging a user out of active sessions in one or more IDPs
Refreshing user events for troubleshooting
Application Manager
The Application manager role's primary purpose is for creating and maintaining the various integrations available within Identity Intelligence. These include IdP systems like Duo, Entra ID, Okta, Google, etc., as well as other notification systems like Webex, Teams, and Slack.
The Application Manager role can:
perform any action on the Integrations page
only access the Integrations and Profile pages
view System Logs for analyzing integration logs
User Manager
The User Manager role:
can perform any operation on Users
cannot triage failed checks ( mark as suspicious/normal, exclude user from check)
cannot access Integrations or Dashboard page
can view System Logs for purposes of analyzing end user logs
Security Analyst Role
The Security Analyst role
can perform operations on the Users table page and individual user objects page - create and modify Saved filters, create tickets, trigger End User Refresh, trigger remediation actions
can perform operations on Checks – modify check settings and check tags, provide feedback, enable/disable checks, triage failed checks for users, (e.g. exclude/include in checks, mark as suspicious/normal)
can update the protected population
cannot access Integrations page
can view System Logs for analyzing end user logs
The full list of Remediation Actions and their associated details is available in this article.
Refresh user data
All read-only actions
All actions
Mark as suspicious
Open ticket (to ITSM platform)
Mark as normal behavior
Remediation actions
Failed Checks triage actions (mark as suspicious/normal, exclude from check)
Send notification (to user, manager, or notification channel in Teams, Slack)
Send push notification (Duo, Okta)
Viewing Recent Dashboard Users and Roles
Within Identity Intelligence, you can view your current role, as well as the users of the platform and their associated roles.
Login to Identity Intelligence
Your current role will be displayed under your profile name in the top right corner Note: if an account is a member of multiple groups associated with roles in the Identity Intelligence console, such as both full admin and read-only admin, then the least privilege group and role with take precedence.
In the left menu bar, there will be an option for Tenant Access
Select that option to view the Identity Intelligence users, their role, and last login timestamp. Note: Tenant access logs displays historical logs. This means there may be users visible in the logs that no longer have access to Identity Intelligence. Because these are audit logs, Identity Intelligence cannot "remove" user records from this page. If you have concerns about who currently has access to Identity Intelligence, review the configuration of the Identity Intelligence Duo SSO App within the Duo Admin Panel as access to Identity Intelligence is fully managed via Duo SSO.
If needed, you can change the time range of the results displayed and also download the currently displayed list to a file using the down arrow.
Last updated