Roles

An overview of roles in Policy Management.

A Role is a grouping of users that interacts with data in Protegrity Data Security Platform. A Role can consist of users, groups, or a combination of both. It can be configured for Manual, Automatic, or Semi-Automatic retrieval of its members. Each Role is associated with specific data access privileges in the policy.

You can create, view, and manage Roles by navigating to Policy Management from the main menu, and choosing Roles & Member Sources.

Creating Roles

To create a role:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Roles.

  2. Click Add New Role.

    The New Role screen appears.

  3. Enter a unique name for the role in the Name textbox.

    Note: Ensure that the length of the role name does not exceed 55 characters.

  4. Enter the required description for the role in the Description textbox.

  5. In the Mode drop-down, select a refresh mode.

    For more information about the mode types for a role, refer to the section Role Refresh Modes.

  6. If you want to apply this role to all members in all the member sources, click Applicable to all members. If enabled, the role is applied to all members in users or groups that do not belong to any other role.

    Note: It is recommended to enable the Applicable to all members option only for unauthorized user roles. Enabling it for an authorized role may unintentionally grant every member that is not in any other role that role's access level to sensitive data.

  7. Click Save.

Managing Roles

Roles can be fully modified after they have been created.

Deleting Roles

To remove a Role:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Sources.

    The Roles tab appears by default.

  2. Select the name of the role from the list, and click the Delete action.

    A confirmation dialog box appears.

  3. Click OK.

    A message Role has been deleted successfully appears.

1 - Role Refresh Modes

Role refresh modes define how Roles are synchronized and updated in the security policy.

The Member Sources that you have configured will change over time, as users and groups are added and removed. You can control how those changes are deployed to the Policy by choosing your preferred Refresh Mode.

The following three refresh modes are supported for the Roles:

  1. Manual Mode
    In Manual Mode, you manually synchronize the Role members and manually deploy the Policy. For more information on synchronizing members, please refer to the section Managing Members in a Role.

    After the synchronization is done, you must set the Policies linked to the Role as Ready to Deploy, followed by deploying the Policy manually.

    The Manual Mode accepts both groups and users.

  2. Semi-Automatic Mode
    In Semi-Automatic Mode, you manually synchronize the Role members, whilst the Policy deployment is automatic. For more information on synchronizing members, please refer to the section Managing Members in a Role.

    The updated Policy is deployed automatically after the synchronization.

    The Semi-Automatic Mode accepts groups only.

  3. Automatic Mode
    In Automatic Mode, both the Role member synchronization and the Policy deployment are automatic. The updated Policy is deployed automatically after the synchronization.

    The Automatic Mode accepts groups only.

Automatic Synchronization and Deployment

Synchronization is performed by the Member Source component. Every hour it pulls the latest changes made in the external Member Sources such as LDAP, AD, file, or database. HubController communicates with the Member Source to update the policy with any changes detected in Roles.

Role Conflicts

The HubController checks for conflicts in user name capitalization. If users with the same name but different capitalization are configured within different roles, an error is generated in the HubController logs.

This error appears in the Notifications section of the ESA dashboard to inform you that such conflicting users have been found. The error specifies the correlation ID of the HubController audit log that has been generated. To identify the conflicting users, navigate to the Discover page in the Audit Store Dashboards and search for the specified correlation ID.
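As an added illustration of the check described above (example code, not Protegrity's own): given the member lists you intend to assign to each Role (constructed sample data here), this Python routine reports user names that differ only in capitalization across different Roles, so the conflict can be fixed in the member sources before a synchronization raises it.

```python
from collections import defaultdict

# Constructed sample data (not from the product): Role name -> member
# user names as they would be retrieved from the member sources.
ROLE_MEMBERS = {
    "Role1": ["alice", "Bob", "carol"],
    "Role2": ["ALICE", "dave", "Dave"],
    "Role3": ["bob", "carol"],
}


def find_case_conflicts(role_members):
    """Return user names that occur with different capitalization in
    different Roles, as {lowercased name: {spelling: [roles]}}.

    Assumptions taken from the text above: only spellings that differ in
    capitalization conflict, and only when they are spread across
    different Roles; one spelling used in several Roles is no conflict.
    """
    spellings = defaultdict(lambda: defaultdict(set))
    for role, members in role_members.items():
        for name in members:
            spellings[name.lower()][name].add(role)

    conflicts = {}
    for key, by_spelling in spellings.items():
        if len(by_spelling) < 2:
            continue  # a single spelling everywhere
        roles = set().union(*by_spelling.values())
        if len(roles) > 1:
            conflicts[key] = {s: sorted(r) for s, r in by_spelling.items()}
    return conflicts


if __name__ == "__main__":
    for key, by_spelling in sorted(find_case_conflicts(ROLE_MEMBERS).items()):
        print(f"conflict on '{key}':")
        for spelling, roles in by_spelling.items():
            print(f"  {spelling!r} in {', '.join(roles)}")
```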

2 - Adding Members to a Role

This section describes the steps required to add Members to a Role.

To add Members to a Role:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Roles.

  2. Click the name link of the role to which you want to add members.

    The selected role screen appears.

  3. In the Members tab, click Add.

    The Add Members screen appears.

  4. In the Choose Member Source drop-down, select the Member Source.

  5. In the Display Member Type drop-down, select the member type.

    If the role is in Automatic or Semi-Automatic mode, members of type User are removed from the role, and the Display Member Type drop-down is disabled with Group as the fixed member type.

  6. Enter the filter parameter in the Filter Members text box.

    Enter * to display all results, or a word to display the members whose names contain that word.

    For more information about filtering members from AD and LDAP member sources, refer to the sections Filtering Members from AD and LDAP Member Sources and Filtering Members from Azure AD Member Source.

  7. Select the number of display results in the Display Number of Results spin box.

  8. Click Next.

    Step 2 of the Add Members dialog box appears.

  9. Select the check box next to each member you want to add.

  10. Click Add.

    The selected members are added to the role.

    Note: The ID column displays the unique identifier for the Azure AD, Posix LDAP and Active Directory member sources.

  11. Click Save to save the role.

2.1 - Filtering Members in a Role

This section describes the steps required to filter Members in a Role.

By using filtering, you can add specific members to a Role. The filtering mechanism uses search filters based on user-provided criteria for filtering the Member Sources.

2.1.1 - Filtering Members from AD and LDAP Member Sources

When adding members to a role, you can filter members from the member sources, such as AD, LDAP, or POSIX LDAP. The filtering mechanism uses search filters based on the criteria you provide for filtering the members from AD or LDAP. The search filters let you query the member sources to fetch exactly the results that you are looking for.

You can filter members from Active Directory, LDAP, and POSIX LDAP using the following search convention.

Search Criteria, followed by its Description:

  *
    Retrieves all users and groups
  Character or word search
    Retrieves the results that contain the specified character or word
  (cn=*protegrity*)
    Retrieves all common names that contain the term protegrity
  (sn=abc*)
    Retrieves all surnames that start with abc
  (objectClass=*)
    Retrieves all the results
  (&(objectClass=user)(!(cn=protegrity)))
    Retrieves all users whose common name is not protegrity
  (&(cn=protegrity)(objectClass=user)(email=*))
    Retrieves all users that have an email attribute and the common name protegrity
  (!(email=*))
    Retrieves all users without an email attribute
  (&(objectClass=user)(|(cn=protegrity*)(cn=admin*)))
    Retrieves all users with a common name that starts with protegrity or admin

If the input in the search filter includes special characters, then you must use the escape sequence in place of the special character to make it a valid input in the search filters.

The following table lists the escape sequence for each of the special characters.

  ASCII Character    Escape Sequence
  (                  \28
  )                  \29
  *                  \2A
  \                  \5C

The following table lists some examples of search filters with the usage of escape sequences to include special characters in the search input.

  Input with special character: (cn=protegrity*))
  Input with escape sequence: (cn=protegrity\2A\29)
    The search filter retrieves the values that contain protegrity*). In this case, the parenthesis requires an escape sequence because it is unmatched.

  Input with special character: (cn= abc (xyz) abc)
  Input with escape sequence: none required
    The search filter retrieves the values that contain abc (xyz) abc. In this case, the escape sequence is not required because the parentheses are matched.
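As an added example (not Protegrity's own code, and independent of the ESA UI), a Python helper that applies the escape table above to a literal value before placing it in a search filter, and composes the filter forms listed in the search convention table. It escapes every special character, which is always a valid input, even where the text notes that only an unmatched parenthesis strictly requires it.

```python
# Escape sequences from the table above, applied to literal values
# before they are placed inside a search filter.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5C",  # backslash first, so escapes added later are not re-escaped
    "(": r"\28",
    ")": r"\29",
    "*": r"\2A",
}


def escape_filter_value(value: str) -> str:
    """Return value with every special character replaced by its escape sequence."""
    out = value.replace("\\", LDAP_FILTER_ESCAPES["\\"])
    for ch in "()*":
        out = out.replace(ch, LDAP_FILTER_ESCAPES[ch])
    return out


def equals(attribute: str, value: str) -> str:
    """(attr=value) with the value taken literally, e.g. a name containing '*'."""
    return f"({attribute}={escape_filter_value(value)})"


def starts_with(attribute: str, prefix: str) -> str:
    """(attr=prefix*): the trailing '*' is the wildcard, only the prefix is escaped."""
    return f"({attribute}={escape_filter_value(prefix)}*)"


def present(attribute: str) -> str:
    """(attr=*): matches entries that have the attribute at all."""
    return f"({attribute}=*)"


def all_of(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def any_of(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def none_of(filter_: str) -> str:
    return f"(!{filter_})"


if __name__ == "__main__":
    # First row of the escape-sequence examples: the literal value
    # "protegrity*)" becomes (cn=protegrity\2A\29).
    print(equals("cn", "protegrity*)"))
    # Last row of the search-convention table, built from parts.
    print(all_of(equals("objectClass", "user"),
                 any_of(starts_with("cn", "protegrity"), starts_with("cn", "admin"))))
```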

2.1.2 - Filtering Members from Azure AD Member Source

When adding members to a role, you can filter members from the Azure AD member source. The filtering mechanism uses search filters based on the criteria for filtering the members from the Azure AD. The search filters help you to query the member source to fetch the exact results that are required.

You can filter members from Azure Active Directory using the following search convention.

Search Criteria, followed by its Description:

  startsWith(displayname,'xyz')
    Retrieves all groups and users whose display name starts with xyz
Note: For more information and examples about the filter criteria for the Azure AD member source, search for the text Advanced query capabilities on Azure AD on Microsoft’s Technical Documentation site at:
https://learn.microsoft.com/en-us/docs/

3 - Managing Members in a Role

This section provides more information on synchronizing, listing, and removing members in Roles.

Note: The ID column in the Members tab displays the unique identifier for the Azure AD, Posix LDAP and Active Directory member sources.

The following actions are available within the Members section of a Role.

Synchronize Members

  1. Select the role you want to update by clicking on it in the ESA Web UI, under Policy Management > Roles & Member Sources > Roles.

    The selected role screen appears.

  2. In the Members tab, click the Synchronize Members icon in the Action column.

    A status message appears.

List Group Members

  1. Select the role you want to update by clicking on it in the ESA Web UI, under Policy Management > Roles & Member Sources > Roles.

    The selected role screen appears.

  2. In the Members tab, click the List Group Members icon in the Action column.

    A dialog box appears with the list of all members in the group.

Remove Members

  1. Select the role you want to update by clicking on it in the ESA Web UI, under Policy Management > Roles & Member Sources > Roles.

    The selected role screen appears.

  2. In the Members tab, click the Remove icon in the Action column.

    A confirmation dialog box appears.

  3. Click Ok.

4 - Searching Members

This section provides information on how to search for a user.

The Search Member tab from the Roles & Member Sources screen enables you to search for members within configured Roles. It provides additional information about the users, such as their added time, member source, and associated roles.

To search a member:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Search Member.

  2. Enter the search criteria in the Member Name textbox.

    For more on valid search criteria, refer to Search Criteria.

  3. Click the Search icon.

The search results appear.

Search Criteria
Consider the following scenario:
  1. You have created a file member source named MemberSource1 which includes:
    • Group File named examplegroups with users examplegroupuser1 and examplegroupuser2.
    • User File named exampleusers with users exampleuser1 and exampleuser2.
  2. You have created a role named Role1.
  3. You have added all users from MemberSource1 to Role1.

For the given example, the following table lists the search results with different search criteria.

Table: Search Criteria

  Search Criteria     Description          Output
  Wild card           Search with *.       Displays all the members.
  Character search    Search with 1.       Displays examplegroupuser1 and exampleuser1.
  Word search         Search with group.   Displays examplegroupuser1 and examplegroupuser2.

You can perform additional actions on the search results such as:

  • Clicking on the Role or Source column values redirects you to the Roles or Member Sources page respectively.
  • Members can be sorted based on Name, Added Time, Role or Source columns.
  • Search results also can be filtered with another search option, which is provided in the search results.