Assigning Permissions to Console Users

Console users can be granted permissions to view recorded sessions on one or more endpoints (on which the ITM On-Prem (ObserveIT) Agent is installed), endpoint groups, individual users (domain\user), or Active Directory groups. These permissions are given to users based on their defined role.

Permissions can also be scoped to Active Directory groups, so that a Console User sees session data only for members of those groups on specific endpoints or endpoint groups. When configured, only session data for members of the listed Active Directory groups will be available to that Console User.

Active Directory group-based permissions enable security analysts to manage risk at department level. By enforcing permissions and the segregation of duties at department level, security analysts can view risky users under their responsibility only, without being exposed to risky users in other departments. The User Risk Dashboard displays only the data that the currently logged-in Web Console user is permitted to monitor. When allowing a user to view the User Risk Dashboard, you can configure a title text for a department or group that will be displayed in the dashboard header providing some context for the scope of risky users being monitored.

Users can view and access recorded data only for sessions on endpoints that they are permitted to view. This applies throughout the Web Console and in the User Risk Dashboard. If a risky user has activity in a session that the Console User is not permitted to view, a lock icon appears in the User Risk Dashboard with a tooltip explaining that there was at least one risky activity in a session that they do not have permission to view. The following screenshot provides an example of this:

In addition to the User Risk Dashboard, Active Directory group permissions are reflected in session recordings throughout the following areas of the Web Console, showing only data that the user has permission to view:

  • Endpoint Diary, User Diary, and DBA Activity

  • Alerts

  • Search

  • Reports

To assign permissions for Console Users

  1. In the Configuration > User Management > Console Users tab, click the Permissions link next to the Console User name whose permissions you want to modify. The following dialog box opens.

  2. If required, select the check box Console user will be able to view Insider Threat Intelligence Dashboard data to enable this feature. This check box will appear checked by default if the Insider Threat Intelligence Dashboard is configured as the default page to appear upon user login to the Web Console. If you want to define a title that will be displayed in the User Risk Dashboard header providing context for the scope of risky users being monitored, enter the title in the text box provided.

  3. In the Endpoints area, you can assign the console user permissions to view recordings made on specific endpoints or groups of endpoints.

    By default, new Console Users have permissions to the All Endpoints group, which means that they can access activity data of all the deployed ITM On-Prem (ObserveIT) endpoints. If required, you can clear the All Endpoints check box, and then manually grant the user the appropriate access rights to either single ITM On-Prem (ObserveIT) endpoints, or to endpoint groups. For example, you might want to configure a specific Console User to view only recorded sessions on five individual SharePoint servers, and to restrict a different Console User to view recorded sessions on only three different SQL servers.

    • If you do not want the Console User to be able to monitor all the installed endpoints, in the Endpoints section, click the check box next to the All Endpoints group, and click Remove.

      If you do not add at least one endpoint to this list, the Console User will not be able to view any endpoints, so the account is effectively unusable. The Web Console will not let you save the settings while no endpoint or endpoint group exists in the list.

    • After you have removed the All Endpoints group from the list of permissions, you must add at least one valid endpoint to the list of permissions for that Console User. Click the button, select an endpoint, and click Add. The endpoint is added to the list.

    • To grant permissions for the Console User to view entire groups of machines, click the Endpoint Groups drop-down list, select the endpoint group, and click Add. The endpoint group is added to the list.

    • To remove an endpoint from the list, in the permissions screen for the Console User, in the Endpoints area, select the endpoint you want to remove, and click Remove.

  4. To assign permissions for Console Users to view the activity of individual users:

    1. In the Users area, select User from the drop-down list, enter the user login (in the format Domain\Username) of the specific user, and click Add. Note that you can select the domain from the drop-down list or type free text. The user is added to the list.

    2. Repeat the above step for each user whose recordings you want to allow the Console User to view.

      You can also add users who do not yet have any recorded sessions; their sessions become visible to the Console User as soon as they are recorded. If you do not list any user, no user-level restriction is applied, and the Console User will be able to view the activity of all users on the endpoints they are permitted to view.

    3. To remove a specific user from the permission list of the Console User, select the check box next to the user name, and click Remove.

  5. To assign permissions for Console Users to view the activity of specific groups:

    1. In the Users area, select Group from the drop-down list, enter the group login details (in the format Domain\Groupname), and click Add. Note that you can select the domain from the drop-down list or type free text. The group is added to the list.

      If you enter a non-existent AD group, an error is displayed when you click Add: Specified AD Group: MyDomain\NonExistentGroup, cannot be found.

    2. Repeat the above step for each group whose activity you want to allow the Console User to view.

      You can also add groups whose members do not yet have any recorded sessions; their sessions become visible to the Console User as soon as they are recorded. If you do not list any group (or user), no user-level restriction is applied, and the Console User will be able to view the activity of all users on the endpoints they are permitted to view.

    3. To remove a group from the permission list of the Console User, select the check box next to the group name, and click Remove.

  6. Click Save to save your settings when you have finished assigning permissions on specific endpoints, groups of endpoints, individual users and/or groups.
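The scoping rules in the procedure above, written out as a small reference model so that the edge cases can be checked: the default All Endpoints group, the refusal to save with no endpoint scope, the "cannot be found" error for an unknown AD group, the empty Users list meaning no user-level restriction, and the lock-icon count on the User Risk Dashboard. This is an added example, not ObserveIT / ITM On-Prem code. It assumes that the endpoint filter and the Users filter are combined with AND (the page describes them separately without stating how they combine), and the endpoint groups, AD group memberships, sample sessions and the FINANCE_ANALYST permission set are constructed data.

```python
"""Reference model of the Console User scoping rules described on this page.

This is an added illustration, not ObserveIT / ITM On-Prem code. Points the
page does not state explicitly are marked ASSUMPTION in the comments; the
endpoint groups and AD group memberships below are constructed sample data.
"""
from dataclasses import dataclass, field

ALL_ENDPOINTS = "All Endpoints"


def _norm(name: str) -> str:
    """Windows account and group names (DOMAIN\\name) are case-insensitive."""
    return name.casefold()


@dataclass
class ConsoleUserPermissions:
    endpoints: set[str] = field(default_factory=set)       # individual endpoints
    # A new Console User starts with the All Endpoints group.
    endpoint_groups: set[str] = field(default_factory=lambda: {ALL_ENDPOINTS})
    users: set[str] = field(default_factory=set)           # "DOMAIN\\user"
    ad_groups: set[str] = field(default_factory=set)       # "DOMAIN\\group"


@dataclass
class Session:
    endpoint: str
    user: str          # "DOMAIN\\user" of the recorded user
    risky: bool = False


# Constructed stand-ins for the endpoint group configuration and for
# Active Directory group membership; a real deployment resolves both live.
ENDPOINT_GROUP_MEMBERS = {
    "SharePoint Servers": {"SP01", "SP02", "SP03"},
    "SQL Servers": {"SQL01", "SQL02"},
}
AD_GROUP_MEMBERS = {
    r"corp\finance": {r"corp\alice", r"corp\bob"},
    r"corp\dba": {r"corp\carol"},
}


def validate_for_save(perms: ConsoleUserPermissions) -> list[str]:
    """Errors the Web Console raises before it lets the permissions be saved."""
    errors = []
    if not perms.endpoints and not perms.endpoint_groups:
        # No endpoint scope at all: the Console User could see nothing, so saving is refused.
        errors.append("At least one endpoint or endpoint group is required.")
    known_groups = {_norm(g) for g in AD_GROUP_MEMBERS}
    for group in perms.ad_groups:
        if _norm(group) not in known_groups:
            errors.append(f"Specified AD Group: {group}, cannot be found.")
    return errors


def endpoint_in_scope(perms: ConsoleUserPermissions, endpoint: str) -> bool:
    """Endpoint scope: All Endpoints, a listed endpoint, or a member of a listed endpoint group."""
    if ALL_ENDPOINTS in perms.endpoint_groups or endpoint in perms.endpoints:
        return True
    return any(endpoint in ENDPOINT_GROUP_MEMBERS.get(g, ()) for g in perms.endpoint_groups)


def user_in_scope(perms: ConsoleUserPermissions, user: str) -> bool:
    """User scope: an empty Users list means no user-level restriction at all."""
    if not perms.users and not perms.ad_groups:
        return True
    if _norm(user) in {_norm(u) for u in perms.users}:
        return True
    return any(_norm(user) in AD_GROUP_MEMBERS.get(_norm(g), set())
               for g in perms.ad_groups)


def can_view_session(perms: ConsoleUserPermissions, session: Session) -> bool:
    # ASSUMPTION: a session must pass both filters (endpoint AND user). The page
    # describes the two filters separately without stating how they combine.
    return endpoint_in_scope(perms, session.endpoint) and user_in_scope(perms, session.user)


def dashboard_view(perms: ConsoleUserPermissions, sessions: list[Session]) -> tuple[list[Session], int]:
    """Risky sessions the Console User may open, and the count it only sees as a lock icon."""
    risky = [s for s in sessions if s.risky]
    visible = [s for s in risky if can_view_session(perms, s)]
    return visible, len(risky) - len(visible)


# Constructed sample sessions.
SAMPLE_SESSIONS = [
    Session("SP01", r"CORP\Alice", risky=True),   # finance user on a SharePoint server
    Session("SQL01", r"corp\bob", risky=True),    # finance user on a SQL server
    Session("SP02", r"corp\carol", risky=True),   # DBA on a SharePoint server
    Session("SP03", r"corp\alice", risky=False),
]

# A finance analyst: SharePoint servers only, and only members of corp\finance.
FINANCE_ANALYST = ConsoleUserPermissions(
    endpoint_groups={"SharePoint Servers"}, ad_groups={r"corp\finance"})

if __name__ == "__main__":
    print("errors:", validate_for_save(FINANCE_ANALYST))
    visible, locked = dashboard_view(FINANCE_ANALYST, SAMPLE_SESSIONS)
    print("visible:", [(s.endpoint, s.user) for s in visible], "locked:", locked)
```

Running the model for FINANCE_ANALYST shows the point of department-level scoping: only the finance user's session on a SharePoint server is openable, while the finance user's SQL server session and the DBA's SharePoint session both count towards the lock icon. A permission set with the endpoint list emptied and a mistyped group fails validate_for_save with both errors at once, which is what you want to catch before Save rather than after.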