Managing users and authentication

Effective use of scan information depends on how your organization analyzes and distributes it, who gets to see it, and for what reason. Managing access to information in the application involves creating asset groups and assigning roles and permissions to users. This chapter provides best practices and instructions for managing users, roles, and permissions.

Mapping roles to your organization

It is helpful to study how roles and permissions map to your organizational structure.

TIP

While a user authentication system is already included, you should integrate any supported external authentication service with the application to avoid managing multiple sets of user information. The Security Console supports integrations with the following authentication sources:

  • Microsoft Active Directory
  • Kerberos
  • SAML 2.0

See Using external sources for user authentication for instructions.

In a smaller company, one person may handle all security tasks. He or she will be a Global Administrator, initiating scans, reviewing reports, and performing remediation. Or there may be a small team of people sharing access privileges for the entire system. In either of these cases, it is unnecessary to create multiple roles, because all network assets can be included in one site, requiring a single Scan Engine.

Example, Inc. is a larger company. It has a wider, more complex network, spanning multiple physical locations and IP address segments. Each segment has its own dedicated support team managing security for that segment alone.

One or two global administrators are in charge of creating user accounts, maintaining the system, and generating high-level, executive reports on all company assets. They create sites for different segments of the network. They assign security managers, site administrators, and system administrators to run scans and distribute reports for these sites.

The Global Administrators also create various asset groups. Some will be focused on small subsets of assets. Non-administrative users in these groups will be in charge of remediating vulnerabilities and then generating reports after follow-up scans are run to verify that remediation was successful. Other asset groups will be more global, but less granular, in scope. The non-administrative users in these groups will be senior managers who view the executive reports to track progress in the company's vulnerability management program.

Configuring roles and permissions

Whether you create a custom role or assign a preset role for an account depends on several questions: What tasks do you want that account holder to perform? What data should be visible to the user? What data should not be visible to the user?

For example, a manager of a security team that supports workstations may need to run scans on occasion and then distribute reports to team members to track critical vulnerabilities and prioritize remediation tasks. This account may be a good candidate for an Asset Owner role with access to a site that only includes workstations and not other assets, such as database servers.

Keep in mind that, except for the Global Administrator role, the assigning of a custom or preset role is interdependent with access to site and asset groups.

If you want to assign roles with very specific sets of permissions you can create custom roles. The following tables list and describe all permissions that are available. Some permissions require other permissions to be granted in order to be useful. For example, in order to be able to create reports, a user must also be able to view asset data in the reported-on site or asset group, to which the user must also be granted access.

The tables also indicate which roles include each permission. You may find that certain roles are granular or inclusive enough for a given account. A list of preset roles and the permissions they include follows the permissions tables. See Give a user access to asset groups.
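The interdependence of roles, prerequisites, and site or asset group access is easier to reason about as a small model. The following is an added example, not Nexpose code: it encodes the prerequisite relationships and scopes stated in the permissions tables on this page, validates a custom role before it is assigned, and decides whether a user may exercise a permission on a given site or asset group. The site names, user names, and sample roles are constructed for illustration, and the Manage Dynamic Asset Groups and Manage Tags "implicitly have access to all sites" wording is taken to mean access for site-scoped checks.

```python
"""Role, permission and access model for a Nexpose-style console.

Added example (not Nexpose code). Permission names and prerequisites are
those stated in the permissions tables; roles, users and sites are constructed.
"""
from dataclasses import dataclass, field

# Site-scoped and asset-group-scoped permissions, as listed in the tables.
SITE_PERMISSIONS = frozenset({
    "View Site Asset Data", "Specify Site Metadata", "Specify Scan Targets",
    "Assign Scan Engine", "Assign Scan Template", "Manage Scan Alerts",
    "Manage Site Credentials", "Schedule Automatic Scans",
    "Start Unscheduled Scans", "Purge Site Asset Data", "Manage Site Access",
})
GROUP_PERMISSIONS = frozenset({
    "Manage Dynamic Asset Groups", "Manage Static Asset Groups",
    "View Group Asset Data", "Manage Group Assets", "Manage Asset Group Access",
})
# Permissions usable on any accessible site *or* asset group.
SITE_OR_GROUP_PERMISSIONS = frozenset({
    "Create Reports", "Submit Vulnerability Exceptions",
    "Review Vulnerability Exceptions", "Delete Vulnerability Exceptions",
})
# Permissions whose description says "Implicitly have access to all sites".
IMPLIES_ALL_SITES = frozenset({"Manage Sites", "Manage Tags", "Manage Dynamic Asset Groups"})

# Prerequisites from the tables: permission -> alternatives; each alternative
# is a set of permissions that must all be held for the permission to be useful.
VIEW_EITHER = ({"View Site Asset Data"}, {"View Group Asset Data"})
PREREQUISITES = {
    "Appear on Report Lists": VIEW_EITHER,
    "Purge Site Asset Data": VIEW_EITHER,
    "Create Reports": VIEW_EITHER,
    "Submit Vulnerability Exceptions": VIEW_EITHER,
    "Review Vulnerability Exceptions": VIEW_EITHER,
    "Delete Vulnerability Exceptions": VIEW_EITHER,
    "Use Restricted Report Sections": ({"Manage Report Templates"},),
    "Manage Group Assets": ({"View Group Asset Data"},),
    "Manage Static Asset Groups": ({"Manage Group Assets", "View Group Asset Data"},),
}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    global_admin: bool = False  # Global Administrator ignores site/group access


@dataclass
class User:
    name: str
    role: Role
    sites: set = field(default_factory=set)         # granted on the Site Permissions page
    asset_groups: set = field(default_factory=set)  # granted on the Asset Group Permissions page


def effective_permissions(role):
    """Expand implied permissions: Manage Sites selects every site permission."""
    perms = set(role.permissions)
    if "Manage Sites" in perms:
        perms |= SITE_PERMISSIONS
    return perms


def missing_prerequisites(role):
    """Map each granted permission with unmet prerequisites to its alternatives.

    Run this when building a custom role: an empty result means every granted
    permission can actually be exercised.
    """
    perms = effective_permissions(role)
    return {p: alts for p, alts in PREREQUISITES.items()
            if p in perms and not any(alt <= perms for alt in alts)}


def can(user, permission, site=None, asset_group=None):
    """Decide whether user may exercise permission on the given site / asset group."""
    if user.role.global_admin:
        return True  # not subject to site or asset group access
    perms = effective_permissions(user.role)
    if permission not in perms or permission in missing_prerequisites(user.role):
        return False
    has_site = site is not None and (site in user.sites or bool(perms & IMPLIES_ALL_SITES))
    has_group = asset_group is not None and asset_group in user.asset_groups
    if permission in SITE_PERMISSIONS:
        return has_site
    if permission in GROUP_PERMISSIONS:
        return has_group
    if permission in SITE_OR_GROUP_PERMISSIONS:
        return has_site or has_group
    return True  # global, report template and platform permissions need no access grant


# Constructed sample: the workstation team manager from the text, given a
# custom role resembling Asset Owner and access to one site only.
WORKSTATION_ROLE = Role("Workstation Asset Owner", frozenset({
    "View Site Asset Data", "View Group Asset Data", "Create Reports",
    "Start Unscheduled Scans", "Manage Report Templates", "Appear on Report Lists",
}))
BROKEN_ROLE = Role("Reports Only", frozenset({"Create Reports"}))  # no view permission
MANAGER = User("ws-manager", WORKSTATION_ROLE, sites={"Workstations"})

if __name__ == "__main__":
    print(missing_prerequisites(BROKEN_ROLE))                       # Create Reports flagged
    print(can(MANAGER, "Create Reports", site="Workstations"))      # True
    print(can(MANAGER, "Create Reports", site="Database Servers"))  # False
```

The point of `missing_prerequisites` is to catch a custom role such as `BROKEN_ROLE`, which grants Create Reports without either asset-viewing permission, before the role is assigned; `can` then shows that the workstation manager can report on the Workstations site but not on a site outside the access grant, even though the role itself is identical.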

Permissions tables

Global permissions

These permissions automatically apply to all sites and asset groups and do not require additional, specified access.

Permission

Description

Role

Manage Sites

Create, delete, and configure all attributes of sites, except for user access. Implicitly have access to all sites. Manage shared scan credentials. Other affected permissions: When you select this permission, all site permissions automatically become selected. See Site permissions.

Global Administrator

Manage Scan Templates

Create, delete, and configure all attributes of scan templates.

Global Administrator

Manage Report Templates

Create, delete, and configure all attributes of report templates.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Manage Scan Engines

Create, delete, and configure all attributes of Scan Engines; pair Scan Engines with the Security Console.

Global Administrator

Manage Policies

Copy existing policies; edit and delete custom policies.

Global Administrator

Appear on Report Lists

Appear on user lists in order to view reports.

Prerequisite: A user with this permission must also have asset viewing permission in any relevant site or asset group: View Site Asset Data; View Group Asset Data

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Configure Global Settings

Configure settings that are applied throughout the entire environment, such as risk scoring and exclusion of assets from all scans.

Global Administrator

Manage Tags

Create tags and configure their attributes. Delete tags except for built-in criticality tags. Implicitly have access to all sites.

Global Administrator

Site permissions

These permissions only apply to sites to which a user has been granted access.

Permission

Description

Role

View Site Asset Data

View discovered information about all assets in accessible sites, including IP addresses, installed software, and vulnerabilities.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Specify Site Metadata

Enter site descriptions, importance ratings, and organization data.

Global Administrator,
Security Manager and Site Owner

Specify Scan Targets

Add or remove IP addresses, address ranges, and host names for site scans.

Global Administrator

Assign Scan Engine

Assign a Scan Engine to sites.

Global Administrator

Assign Scan Template

Assign a scan template to sites.

Global Administrator,
Security Manager and Site Owner

Manage Scan Alerts

Create, delete, and configure all attributes of alerts to notify users about scan-related events.

Global Administrator,
Security Manager and Site Owner

Manage Site Credentials

Provide logon credentials for deeper scanning capability on password-protected assets.

Global Administrator,
Security Manager and Site Owner

Schedule Automatic Scans

Create and edit site scan schedules.

Global Administrator,
Security Manager and Site Owner

Start Unscheduled Scans

Manually start one-off scans of accessible sites (does not include ability to configure scan settings).

Global Administrator,
Security Manager and Site Owner,
Asset Owner

Purge Site Asset Data

Manually remove asset data from accessible sites.

Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data

Global Administrator

Manage Site Access

Grant and remove user access to sites.

Global Administrator

Asset Group permissions

These permissions only apply to asset groups to which a user has been granted access.

Permission

Description

Role

Manage Dynamic Asset Groups

Create dynamic asset groups. Delete and configure all attributes of accessible dynamic asset groups except for user access. Implicitly have access to all sites.

Note: A user with this permission has the ability to view all asset data in your organization.

Global Administrator

Manage Static Asset Groups

Create static asset groups. Delete and configure all attributes of accessible static asset groups except for user access.

Prerequisite: A user with this permission must also have the following permissions and access to at least one site to effectively manage static asset groups: Manage Group Assets; View Group Asset Data

Global Administrator

View Group Asset Data

View discovered information about all assets in accessible asset groups, including IP addresses, installed software, and vulnerabilities.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Manage Group Assets

Add and remove assets in static asset groups.

Note: This permission does not include the ability to delete underlying asset definitions or discovered asset data. Prerequisite: A user with this permission must also have the following permission: View Group Asset Data

Global Administrator

Manage Asset Group Access

Grant and remove user access to asset groups.

Global Administrator

Report permissions

The Create Reports permission only applies to assets to which a user has been granted access. Other report permissions are not subject to any kind of access.

Permission

Description

Role

Create Reports

Create and own reports for accessible assets; configure all attributes of owned reports, except for user access.

Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Use Restricted Report Sections

Create report templates with restricted sections; configure reports to use templates with restricted sections.

Prerequisites: A user with this permission must also have one of the following permissions: Manage Report Templates

Global Administrator

Manage Report Access

Grant and remove user access to owned reports.

Global Administrator

Platform permissions

These permissions only apply to items the user created.

Permission

Description

Role

Remediation Projects, Goals, and SLAs

Create, delete, and configure this user's Remediation Projects, Goals, and SLAs.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Automation and Notifications

Create, delete, and configure this user's Automation workflows and Notifications.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Vulnerability exception permissions

These permissions only apply to sites or asset groups to which a user has been granted access.

Permission

Description

Role

Submit Vulnerability Exceptions

Submit requests to exclude vulnerabilities from reports.

Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Review Vulnerability Exceptions

Approve or reject requests to exclude vulnerabilities from reports.

Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data

Global Administrator

Delete Vulnerability Exceptions

Delete vulnerability exceptions and exception requests.

Prerequisites: A user with this permission must also have one of the following permissions: View Site Asset Data; View Group Asset Data

Global Administrator

Vulnerability investigation permissions

These permissions only apply to assets to which this user has been granted access.

Permission

Description

Role

View vulnerability investigations

View vulnerability investigations for accessible assets.

Global Administrator,
Security Manager and Site Owner,
Asset Owner,
User

Manage vulnerability investigations

Open, submit and close vulnerability investigations.

Global Administrator,
Security Manager and Site Owner

List of roles

Global Administrator

The Global Administrator role differs from all other preset roles in several ways. It is not subject to site or asset group access. It includes all permissions available to any other preset or custom role. It also includes permissions that are not available to custom roles:

  • Manage all functions related to user accounts, roles, and permissions.
  • Manage Dynamic Discovery connections that allow you to pull assets from systems such as VMWare, AWS, DHCP, and Infoblox.
  • Manage configuration, maintenance, and diagnostic routines for the Security Console.
  • Manage shared scan credentials.
  • Create, manage, view, and delete projects.

Security Manager and Site Owner

The Security Manager and Site Owner roles include the following permissions:

The only distinction between these two roles is the Security Manager's ability to work in accessible sites and asset groups. The Site Owner role, on the other hand, is confined to sites.

Asset Owner

The Asset Owner role includes the following permissions in accessible sites and asset groups:

User

Although user can refer generically to any owner of a Nexpose account, the name User, with an upper-case U, refers to one of the preset roles. It is the only role that does not include scanning permissions. It includes the following permissions in accessible sites and asset groups:

Managing and creating user accounts

The Users links on the Administration page provide access to pages for creating and managing user accounts. Click Manage users under the Users section. On the Users page, you can view a list of all accounts within your organization. The last logon date and time is displayed for each account, giving you the ability to monitor usage and delete accounts that are no longer in use.

To manage a user account:

  1. Click the Administration tab.
  2. Under the Users section, click Manage users.
  3. Hover to the right side of the user role that you want to manage.
  4. Click the blue ellipsis button.
  5. Select Edit, Delete or Deactivate.

Deleting and reassigning reports

If a user does not own any reports, you can delete the account. If the user owns reports, a pop-up appears to warn you and show the reports the user owns. Reassigning the reports is the default choice. You must select a new owner from the dropdown. Click the Reassign Reports & Delete User button to complete the reassignment and deletion.

If you do not want to reassign the reports, select the Delete reports radio button. Click the Delete Reports & Delete User button to complete deletion of the user, and the reports they owned.

The process for editing an account is the same as the process for creating a new user account. See Configure general user account attributes.

Adding a new user

To add a new user you must complete the following pages with the required information: User Info, User Role, Site Permissions, and Asset Group Permissions.

Complete the User Info section

  1. On the Administration page click Users > User Management.
  2. Click Add User.
  3. Enter all required user information in the text fields.
  4. (Optional) Select the appropriate source from the drop-down list to authenticate the user with external sources. Before you can create externally authenticated user accounts you must define external authentication sources. See Using external sources for user authentication.
  5. Click Next.
Complete the User Role section

  1. Select Predefined Role, Existing Custom Role or New Custom Role.
  2. (Optional) To view permissions click See Permissions.
  3. Click Next.

If you choose New Custom Role you must create a name, description and select the permissions you want to apply.

Complete the Site Permissions section

  1. Select the sites the user can access with the role assigned in User Role.
  2. Click Next.
Complete the Asset Group Permissions section

  1. Select the asset groups that the user can access.
  2. Click Add User.

Using external sources for user authentication

You can integrate the Security Console with external authentication sources. Using one of these sources lets you leverage your existing infrastructure, which makes it easier to manage user accounts.

The application provides single-sign-on external authentication with the following sources:

  • LDAP (including Microsoft Active Directory): Active Directory (AD) is an LDAP-based Microsoft technology that automates centralized, secure management of an entire network's users, services, and resources. See Configuring LDAP authentication for instructions.
  • Kerberos: Kerberos is a secure authentication method that validates user credentials with encrypted keys and provides access to network services through a ticket system. See Configuring Kerberos authentication for instructions.
  • SAML 2.0: Security Assertion Markup Language version 2.0 is an XML-based protocol that authenticates users by way of statement packages (known as assertions) communicated between identity and service providers. See Configuring SAML 2.0 authentication for instructions.

The Security Console's Two Factor Authentication is not currently compatible with Active Directory (LDAP) and Kerberos authentication methods.

The application also continues to support its two internal user account stores:

  • An XML file lists the default built-in accounts. A Global Administrator can use a built-in account to log on to the application in maintenance mode to troubleshoot and restart the system when database failure or other issues prevent access for other users.
  • The datastore lists standard user accounts, which are created by a Global Administrator.

Setting a password policy

Global Administrators can customize the password policy in your Nexpose installation. One reason to do so is to configure it to correspond with your organization's particular password standards.

Updating a password policy

When you update a password policy, it will take effect for new users and when existing users change their passwords. Existing users will not be forced to change their passwords.

To customize a password policy:

  1. In the Security Console, go to the Administration page, and click Users > Password Policy.
  2. Change the policy name.
  3. Select the desired parameters for the password requirements.
  4. Click Save Password Policy.

Once the password policy is set, it is reflected on the User Configuration page. As a new password is typed in, the items on the list of requirements turn from red to green as the password requirements are met. If a user attempts to save a password that does not meet all the requirements, an error message appears.
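The per-requirement feedback described above (each item on the requirements list turning from unmet to met as the password is typed) needs the policy to be evaluated one rule at a time rather than as a single pass/fail. The following is an added example, not Nexpose code: the policy parameters it uses (minimum length, required character classes, and no user name inside the password) are assumptions for illustration, since the page does not list the Security Console's actual policy options.

```python
"""Per-requirement password policy evaluation.

Added example, not Nexpose code. The policy fields below are assumed for
illustration; the page does not list the console's real policy options.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str = "Default policy"   # assumed field names and defaults
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username: bool = True


def evaluate(policy, password, username=""):
    """Return an ordered mapping of requirement text -> whether it is met.

    One entry per enabled rule, so a UI can colour each list item separately.
    """
    results = {f"At least {policy.min_length} characters": len(password) >= policy.min_length}
    if policy.require_upper:
        results["At least one upper-case letter"] = any(c.isupper() for c in password)
    if policy.require_lower:
        results["At least one lower-case letter"] = any(c.islower() for c in password)
    if policy.require_digit:
        results["At least one digit"] = any(c.isdigit() for c in password)
    if policy.require_special:
        results["At least one non-alphanumeric character"] = any(not c.isalnum() for c in password)
    if policy.forbid_username and username:
        results["Does not contain the user name"] = username.lower() not in password.lower()
    return results


def unmet_requirements(policy, password, username=""):
    """Requirements still shown as unmet; an empty list means the password can be saved."""
    return [req for req, ok in evaluate(policy, password, username).items() if not ok]


def is_acceptable(policy, password, username=""):
    """Mirror the save check: refuse the password while any requirement is unmet."""
    return not unmet_requirements(policy, password, username)


# Constructed sample: a stricter policy than the defaults above.
STRICT = PasswordPolicy(name="Corporate standard", min_length=16)

if __name__ == "__main__":
    for req, ok in evaluate(STRICT, "alice2024", "alice").items():
        print("met  " if ok else "UNMET", req)
```

Because existing users are not forced to change their passwords when the policy is updated, `is_acceptable` only needs to run at account creation and at password change, which is exactly where the requirements list is shown.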

Changes to the users page

Before 6.6.199                                Current
Manage users > New User                       Manage users > Add User
Manage users > Disable Users                  Manage users > Deactivate Users
Manage users > Enable Users                   Manage users > Activate Users
Manage profile roles > New Custom User Role   Manage profile roles > Create Custom Role