# Role-based Access (RBAC) and Tenant Access Logs

## Overview <a href="#overview" id="overview"></a>

The Cisco Identity Intelligence security platform provides several roles, each with different permissions for accessing your Identity Intelligence tenant dashboard.

This article describes the permissions associated with each role (listed below), as well as how to use the [Tenant Access page](#viewing-recent-dashboard-users-and-roles) to review recent access to the Identity Intelligence console.

{% hint style="warning" %}
**Role-based access (RBAC) is fully configured and managed within the Duo Admin Panel.** Refer to the Duo [documentation](https://duo.com/docs/identity-security#provision-your-cisco-identity-intelligence-tenant) for instructions on how to configure roles for the different permitted groups that have been granted access to Identity Intelligence.
{% endhint %}

**Roles**

* Full administrator (admin)
* Read only
* Help desk
* Application manager - *not currently supported*
* User manager - *not currently supported*
* Security analyst - *not currently supported*

## Roles and Permissions <a href="#roles" id="roles"></a>

### Full Administrator

As the name suggests, **full administrator (admin)** can take all actions within your Identity Intelligence tenant, including:

* adding or deleting integrations
* changing tenant settings
* configuring Checks settings
* excluding users from Checks
* configuring notification targets like Slack or Teams channels
* opening tickets with ITSM platforms like ServiceNow or Jira
* all actions available within the [Remediation Actions](https://docs.oort.io/understanding-your-users/remediation-actions) article

### Read-only Role

**Read-only** Identity Intelligence users can view all of the data and users within the console, but cannot make any changes to the configuration of the platform or take any actions related to User objects, such as opening tickets or sending notifications.

### Help Desk Role

**Help desk** users can view all data and perform a subset of actions within the console. These actions include user-related actions, such as:

* Opening tickets for investigation or remediation
* Resetting a user's MFA
* Modifying specific user attributes, such as User Type
* Logging a user out of active sessions in one or more IDPs
* Refreshing user events for troubleshooting

A full list of detailed Remediation Actions and their associated details is available in [this article](https://docs.oort.io/understanding-your-users/remediation-actions).

<table><thead><tr><th>Read-only role</th><th width="308.3333333333333">Help desk role</th><th>Admin role</th></tr></thead><tbody><tr><td>Refresh user data</td><td>All read-only actions</td><td>All actions</td></tr><tr><td>Mark as suspicious</td><td>Open ticket (to ITSM platform)</td><td></td></tr><tr><td>Mark as normal behavior</td><td>Remediation actions</td><td></td></tr><tr><td></td><td>Failed Checks triage actions (mark as suspicious/normal, exclude from check)</td><td></td></tr><tr><td></td><td>Send notification (to user, manager, or notification channel in Teams, Slack)</td><td></td></tr><tr><td></td><td>Send push notification (Duo, Okta)</td><td></td></tr></tbody></table>

### Other Role Types

#### Application Manager

(*Not currently supported*)

The Application Manager role's primary purpose is to create and maintain the various integrations available within Identity Intelligence. These include IdP systems like Duo, Entra ID, Okta, Google, etc., as well as other notification systems like Webex, Teams, and Slack.

The Application Manager role can:

* perform any action on the Integrations page
* only access the Integrations and Profile pages
* view System Logs for analyzing integration logs

#### User Manager

(*Not currently supported*)

The User Manager role:

* can perform any operation on Users
* cannot triage failed checks (mark as suspicious/normal, exclude user from check)
* cannot access the Integrations or Dashboard pages
* can view System Logs for purposes of analyzing end user logs

#### Security Analyst Role

(*Not currently supported*)

The Security Analyst role:

* can perform operations on the Users table page and individual user objects page: create and modify Saved filters, create tickets, trigger End User Refresh, trigger remediation actions
* can perform operations on Checks: modify check settings and check tags, provide feedback, enable/disable checks, triage failed checks for users (e.g. exclude/include in checks, mark as suspicious/normal)
* can update the protected population
* cannot access Integrations page
* can view System Logs for analyzing end user logs

## Viewing Recent Dashboard Users and Roles <a href="#viewing-recent-dashboard-users-and-roles" id="viewing-recent-dashboard-users-and-roles"></a>

Within Identity Intelligence, you can view your current role, as well as the users of the platform and their associated roles.

1. Log in to Identity Intelligence.
2. Your current role is displayed under your profile name in the top-right corner.\
   <mark style="color:red;">**Note:**</mark> If an account is a member of multiple groups associated with roles in the Identity Intelligence console, such as both full admin and read-only admin, then the least-privilege group and role will take precedence.

   <figure><img src="https://oort-docs-site.netlify.app/static/c589f5960b9a39acbd4b8318c07ad492/9f82e/2023-02-06_14-43-49.png" alt=""><figcaption></figcaption></figure>
3. In the left menu bar, there will be an option for **Tenant Access**
4. Select that option to view the Identity Intelligence users, their roles, and last login timestamps.\
   <mark style="color:$danger;">**Note:**</mark> The Tenant Access log displays **historical** logs. This means there may be users visible in the logs who no longer have access to Identity Intelligence. Because these are audit logs, Identity Intelligence cannot "remove" user records from this page. If you have concerns about who currently has access to Identity Intelligence, review the configuration of the Identity Intelligence Duo SSO App within the Duo Admin Panel, as access to Identity Intelligence is fully managed via Duo SSO.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FIuQQJmFVlGaVl5N4X1gx%2Fimage.png?alt=media&#x26;token=dc8237f6-1351-4b57-bee6-0560cde04b04" alt="" width="563"><figcaption></figcaption></figure>

If needed, you can change the time range of the results displayed and also download the currently displayed list to a file using the down arrow.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FGzklv2id5T0dTS1SMAV7%2Fimage.png?alt=media&#x26;token=05760a90-39c6-427a-aeb5-f8ed6c76b4c8" alt="" width="539"><figcaption></figcaption></figure>
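
Because the Tenant Access page is historical and a multi-group account resolves to its least-privileged role, a downloaded list is worth reconciling against current group assignments. The script below is an added example, not Cisco's code: the CSV column names (`user`, `role`, `last_login`), the role labels, and the `current_groups` mapping (roles you derive yourself from the group assignments in the Duo Admin Panel) are assumptions, since the export format is not documented on this page.

```python
import csv
import io

# Privilege order from the permissions table above: read-only < help desk < admin.
# The label strings themselves are hypothetical.
RANK = {"read_only": 0, "help_desk": 1, "admin": 2}

def effective_role(roles):
    """Return the least-privileged known role, per the precedence note above."""
    known = [r for r in roles if r in RANK]
    return min(known, key=RANK.get) if known else None

def reconcile(export_csv, current_groups):
    """Flag export rows that no longer match current group-derived access."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, logged = row["user"].strip().lower(), row["role"].strip()
        expected = effective_role(current_groups.get(user, []))
        if expected is None:
            # Historical entry: user appears in the log but has no role today.
            findings.append((user, "no_current_access"))
        elif expected != logged:
            # Role at last login differs from what group membership grants now.
            findings.append((user, f"role_changed:{logged}->{expected}"))
    return findings

# Constructed sample data (not real output from the product).
SAMPLE_EXPORT = """user,role,last_login
alice@example.com,admin,2024-05-01T09:12:00Z
bob@example.com,read_only,2024-05-02T10:00:00Z
carol@example.com,help_desk,2024-03-15T08:30:00Z
dave@example.com,admin,2024-05-03T11:45:00Z
"""
SAMPLE_GROUPS = {
    "alice@example.com": ["admin"],
    "bob@example.com": ["admin", "read_only"],  # multi-group: read_only wins
    "dave@example.com": ["help_desk"],          # downgraded since last login
}

if __name__ == "__main__":
    for user, finding in reconcile(SAMPLE_EXPORT, SAMPLE_GROUPS):
        print(f"{user}: {finding}")
```

A `no_current_access` finding is expected for offboarded users; a `role_changed` finding where the logged role is higher than the current one is the case to confirm against the Duo Admin Panel change history.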
