Managing Roles

Describes the instructions to manage roles

Roles are templates that include permissions and users can be assigned to one or more roles. Users in the appliance must be attached to a role.

The default roles packaged with ESA are as follows:

RolesDescriptionPermissions
Policy Proxy UserAllows a user to connect to DSG via SOAP/REST and access web services using Application Protector (AP).Proxy-User
Policy UserAllows user to connect to DSG via SOAP/REST and perform security operations using Application Protector (AP).Policy-User
Security Administrator ViewerRole that can view the ESA Web UI, CLI, and reports.Security Viewer, Appliance CLI Viewer, Appliance web viewer, Reports Viewer
Shell AccountsRole who has direct SSH access to Appliance OS shell.
Note: It is recommended that careful consideration is taken when assigning the Shell Accounts role and permission to a user.
Ensure that if a user is assigned to the Shell Account role, no other role is linked to the same user. The user has no access to the Web UI or CLI, except when the user has password policy enabled and is required to change password through Web UI.		Shell (non-CLI) Access
Note: The user can access SSH directly if the permission is tied to this role.
Security AdministratorRole who is responsible for setting up data security using ESA policy management, which includes but is not limited to creating policy, managing policy, and deploying policy.Security Officer, Reports Manager, Appliance Web Manager, Appliance CLI Administrator, Export Certificates, DPS Admin, Directory Manager, Export Keys, RLP Manager

The capabilities of a role are defined by the permissions attached to the role. Though roles can be created, modified, or deleted from the appliance, permissions cannot be edited. The permissions that are available to map with a user and packaged with ESA as default permissions are as follows:

PermissionsDescription
Appliance CLI AdministratorAllows users to perform all operations available as part of ESA CLI Manager.
Appliance Web ManagerAllows user to perform all operations available as part of the ESA Web UI.
Audit Store AdminAllows user to manage the Audit Store.
Can Create JWT TokenAllows user to create JWT token for communication.
Customer Business managerAllows users to retrieve metering reports.
DPS AdminAllows user to use the DPS admin tool on the protector node.
Export CertificatesAllows user to use download certificates from ESA.
Key ManagerAllows user to access the Key Management Web UI, rotate ERK or DSK, and modify ERK states.
Policy-UserAllows user to connect to Data Security Gateway (DSG) via REST and perform security operations using Application Protector (AP).
RLP ManagerAllows user to manage rules stored on Row-Level Security Administrator (ROLESA). Manage includes accessing, viewing, creating, etc.
Reports ViewerAllows user to only view reports.
Security ViewerAllows user to have read only access to policy management in the Appliance.
Appliance CLI ViewerAllows user to login to the Appliance CLI as a viewer and view the appliance setup and configuration.
Appliance web viewerAllows user to login to the Appliance web-interface as a viewer.
AWS AdminAllows user to configure and access AWS tools if the AWS Cloud Utility product is installed.
Directory ManagerAllows user to manage the Appliance LDAP Directory Service.
Export KeysAllows user to export keys from ESA.
Reports ManagerAllows user to manage reports and do functions related to reports. Manage includes accessing, viewing, creating, scheduling, etc.
Security Officer Allows user to manage policy, keys, and do functions related to policy and key management. Manage includes accessing, viewing, creating, deploying, etc.
Shell (non-CLI) AccessAllows user to get direct access to the Appliance OS shell via SSH. It is recommended that careful consideration is taken when assigning the Shell Accounts role and permission to a user. Ensure that if a user is assigned to the Shell Account role, no other role is linked to the same user.
Export Resilient PackageAllows user to export package from the ESA by using the RPS API.
Can Create JWT TokenAllows user to create a Java Web Token (JWT) for user authentication.
ESA AdminAllows user to perform operations on Audit Store Cluster Management.
Insight AdminAllows to perform operations on Discover Web UI.
Proxy-UserAllows user to connect to DSG via REST and perform security operations using Application Protector (AP).
SSO LoginAllows user to login to the system using the Single Sign-On (SSO) mechanism.

The ESA Roles web UI is as seen in the following image.

Managing Roles

CalloutColumnDescription
1Role NameName of the role available on ESA. Note: If you want to edit an existing role, click the role name from the displayed list. After making required edits, click Save to save the changes.
2DescriptionBrief description about the role and its capabilities.
3PermissionsPermission mapped to the role. The tasks that a user mapped to a role can perform is based on the permissions enabled.
4ActionThe following Actions are available.
  • - Click to duplicate the role with mapped permissions.
  • Delete Icon - Click to delete a role.
    Note: If the number of unsuccessful password attempts exceed the defined value in the password policy, the account gets locked.
5Add RoleAdd a custom role to ESA.

Duplicating and deleting roles

Keep the following in mind when duplicating and deleting roles.

  • It is recommended to delete a role from the Web UI only. This ensures that the updates are reflected correctly across all the users that were associated with the role.
  • When you duplicate or delete a role, the Enter your password prompt appears. Enter the password and click Ok to complete the task.

Adding a Role

You can create a custom business role with permissions and privileges that you want to map with that role. Custom templates provide the flexibility to create additional roles with ease.

Perform the following steps to add a role. In those steps we will use an example role named “Security Viewer”.

  1. In the Web UI, navigate to Settings > Users > Roles.

    If you want to edit an existing role, click the role name from the displayed list. After making required edits, click Save to save the changes.

  2. Click Add Role to add a business role.

  3. Enter Security Viewer as the Name.

  4. Enter a brief description in the Description text box.

  5. Select custom as the template from the Templates drop-down.

  6. Under Role Permissions and Privileges area, select the permissions you want to grant to the role.
    Click Uncheck All to clear all the check boxes. Ensure that you do not select the Shell (non-CLI) Access permission for users who require Web UI and CLI access.

  7. Click Save to save the role.

  8. Enter your password prompt appears. Enter the password and click Ok.


Last modified : October 31, 2025