Users and Roles
User Management and Roles
RegScale provides robust features for managing users, their groups, and their roles. In aggregate, these features provide our customers with multiple options to optimize user management based on their unique customer requirements. A view of user and role management features is shown below:
User Management Concepts
There are multiple concepts for user management within RegScale that are important to understand prior to configuring the system. These concepts include:
- AD/LDAP - the ability to sign in using existing customer AD/LDAP authentication which is external to RegScale (NOTE: This is an Enterprise feature and not available in the Community Edition). See the AD/LDAP documentation for more information.
- Users - the ability to provision users (whether internally or externally authenticated), activate/deactivate accounts, edit metadata, and reset passwords
- Groups - the ability to organize users into logical groups to facilitate workflows, email distributions, or access control
- Roles - the ability to apply preset roles to users that limit their access within RegScale based on least privilege
RegScale User Security
The RegScale platform provides multiple security controls around managing local user accounts (NOTE: EE customers may also delegate user management to AD/LDAP if desired). The first set of controls revolves around password complexity which includes:
- Minimum of 12 characters in length
- Must contain upper and lower case letters
- Must contain one or more numbers
- Must contain one or more special characters
These controls are enforced when creating a default password during account creation and when changing passwords. In addition, RegScale enforces account lockout based on:
- 5 invalid login attempts (incorrect passwords for a given account)
- Accounts lock for 8 hours after 5 failed attempts and then the user may attempt to login again
- Administrators may manually unlock a user from the Admin panel under Setup
These controls ensure that passwords are robust and that accounts are protected from brute force hacking schemes. If more robust requirements are necessary, account management can be delegated to Active Directory (AD) for enforcing password change frequency, Multi-Factor Authentication (MFA), and other related security controls.
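The following Python snippet is an added illustration, not RegScale's own code: it encodes the four complexity rules and the lockout values stated above (12 characters, mixed case, a number, a special character; 5 failed attempts, 8-hour lock, manual administrator unlock) as a checker and a small per-account state machine. The exact character class RegScale counts as "special", and how its counter behaves once a lock expires, are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values as stated in the RegScale documentation above.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(hours=8)

# Assumption: any non-alphanumeric character counts as "special".
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def password_policy_violations(password: str) -> List[str]:
    """Return the documented complexity rules this password fails (empty list if compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        violations.append("missing upper- or lower-case letters")
    if not re.search(r"[0-9]", password):
        violations.append("missing a number")
    if not SPECIAL_RE.search(password):
        violations.append("missing a special character")
    return violations


@dataclass
class AccountLockoutState:
    """Per-account lockout bookkeeping (illustrative model, not RegScale's implementation)."""
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_attempt(self, password_ok: bool, now: datetime) -> str:
        """Apply one login attempt and return 'locked', 'success' or 'failure'."""
        if self.is_locked(now):
            # Attempts during the lock window are rejected even with the right password.
            return "locked"
        if self.locked_until is not None and now >= self.locked_until:
            # Assumption: the counter restarts once the 8-hour window has elapsed.
            self.failed_attempts = 0
            self.locked_until = None
        if password_ok:
            self.failed_attempts = 0
            return "success"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failure"

    def admin_unlock(self) -> None:
        """Manual unlock from the Admin panel: clear the lock and the counter."""
        self.failed_attempts = 0
        self.locked_until = None
```

The checker is useful when seeding passwords from an onboarding script, so that a default password that would be rejected by the UI is never written; the lockout model is a convenient reference when writing detection logic that expects a given account to stop authenticating after the fifth failure.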
Common User Related Tasks
To manage users, you must be an Administrator or GlobalAdmin. To access the User Management page, do the following:
- Click "Setup"
- Click the "Identity & Access Management" tab on the left side of the screen
- Click the "Manage" button underneath Users
You should now see the options for managing users as shown in the screenshot below:
The basic operations are shown by the numbers in the figure above:
- Add New User - create a new RegScale user
- Search - search for a given user or set of users
- Filters - toggle between active and inactive users (NOTE: Active users are the default)
- Activation - activate or de-activate a given user account
- Edit User - edit user metadata, view their activity, and view emails sent to the user
- Reset Password - generates a one-time token that allows a user to reset their password.
These abilities in aggregate provide a useful set of mechanisms for managing user accounts within RegScale. The overall flow of user management is shown below:
WARNING: While email setup is not required to provision users, it is highly desired. RegScale sends emails allowing users to register and reset passwords in a self-service model. If email is not configured for a tenant, the Administrator will need to manually perform these steps for each user.
Managing Groups
RegScale allows customers to logically group their users for ease of management. Each user can be assigned to zero or many groups within the system. To assign groups:
- Click "Setup"
- Click the "Identity & Access Management" tab on the left side of the screen
- Click the green "Manage" button underneath Groups
- The list of existing groups will be shown in the grid and can be searched/filtered
- Click the "Add New Group" button to create a new group
- Give the group a name and click the green "+" button
- The new group is now added to the list
- Click the "View Users" button to see who is in a given group
- Click the "Add User" button to add new users to the group
- Click the red "x" to de-activate a group (NOTE: Groups are not deleted to avoid data integrity issues)
Groups are currently used to assign workflow steps within RegScale.
COMING SOON: In the future, groups will be used to apply access control to individual records and for email distributions.
Global Admin v/s Administrator Role
There are two types of administrator accounts within RegScale. They are described below:
- Global Admin - a "break glass" account, `admin`, that is used for initial login, setup of Tenants within the enterprise edition, and provisioning of the user account for the first system administrator. Once the first system administrator account is created, this account should not be used for any other administrative tasks. It is only intended for initial setup and for managing tenants. This account should never be deleted or de-activated. IMPORTANT - once you set your `admin` password, please secure it in a safe place as this password is not retrievable by RegScale. The customer is solely responsible for securely managing this password.
- Administrator - god-mode account within a given tenant. It should be used for creating all additional users and configuring tenant settings.
The key differences between these accounts are shown below:
- The `admin` account has god-mode across multiple tenants and can create new tenants.
- The `admin` account will not show in the user list like other administrator roles (which is a privilege assigned to individual accounts).
- There is only one `admin` account per RegScale install. The administrator role can be applied to many users in each tenant based on business need.
- The `admin` role has limited access within the RegScale application that is primarily centered on creating tenants and the first administrator account.
Resetting the Global Admin Account
RegScale will not have access to the Global Admin account and cannot recover the password. In some cases, customers have lost this password, mistyped it, or otherwise become locked out of the account. For this reason, we have built in a reset system to restore the password to the default. The following steps will allow you to reset the Global Admin password:
- Add a new Environment Variable as follows: `AtlasityReset='true'`
- Stop the RegScale container
- Apply the new environment variable (locally or in the config files)
- Restart the RegScale container
- When the app restarts, it will reset the Global Admin password to the default `51mpl3Compliance$` password (NOTE: Copy and paste this password to be precise as numbers and letters can be easily confused)
- Login as `admin` with the password in the previous step
- Change the password to something secure and store it in a safe place
- Stop the RegScale container
- Remove the `AtlasityReset` environment variable or set the flag to `false` (NOTE: If already set, manually remove it from memory on the server/laptop or reapply with the `false` setting)
- Restart the container without the reset flag set
The app is now secure again and the `admin` password is reset. Customers must ensure that only trusted administrators have access to the server or infrastructure where RegScale is hosted. Access to the Global Admin account applies god mode permissions to the given user (including the ability to create other system administrators). Customers should NEVER leave the Global Admin account in a configuration where it leverages the default password. The default should always be changed immediately.
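Because the procedure above only ends safely once the reset flag is gone, a post-reset check is worth automating. The Python below is an added example, not part of RegScale or its tooling: it parses a container env file (constructed sample, not a real RegScale file), strips the quotes that appear in the `AtlasityReset='true'` form shown above, and reports every configuration source in which the flag would still trigger a password reset on the next restart. The env-file syntax and the rule that any value other than `false` counts as set are assumptions made for this example.

```python
from typing import Dict, List

RESET_FLAG = "AtlasityReset"

# Constructed sample of an env file left behind after a reset (not a real RegScale file).
SAMPLE_ENV_FILE = """\
# regscale.env (constructed example)
EXAMPLE_SETTING=value
AtlasityReset='true'
"""


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping comments and blank lines and stripping matching quotes.

    Assumption: a simple .env syntax; quoted values keep their inner text so that
    AtlasityReset='true' is read as true, not as the five-character string 'true'.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def reset_flag_active(env: Dict[str, str]) -> bool:
    """True if the reset flag would still reset the Global Admin password on restart.

    Assumption: the flag is inactive only when absent or explicitly 'false'.
    """
    value = env.get(RESET_FLAG)
    if value is None:
        return False
    return value.strip().lower() != "false"


def audit_reset_flag(sources: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the names of configuration sources in which the flag is still active."""
    return [name for name, env in sources.items() if reset_flag_active(env)]


if __name__ == "__main__":
    import os

    # Check both the constructed env file and the live process environment.
    findings = audit_reset_flag({
        "regscale.env": parse_env_file(SAMPLE_ENV_FILE),
        "process environment": dict(os.environ),
    })
    for name in findings:
        print(f"{RESET_FLAG} is still active in: {name}")
```

Run it on the host after the final container restart; any finding means the server would reset the Global Admin password to the default again on the next restart and the flag must be removed before the host is considered secure.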
Role Based Access Control
RegScale provides a number of preset roles that provide limited access to certain functionality within the system. Roles should be applied to each user to ensure least privilege access to only the role(s) necessary to perform their job functions. These roles are shown below:
Role Name | Access Type | Module Access |
---|---|---|
Administrator | Create, Read, Update, Delete | Full access to all modules, Setup for their tenant, Catalogues Management |
AssessmentUser | Create, Read, Update, Delete | Assessment Module, Questionnaire Module |
AssetUser | Create, Read, Update, Delete | Asset Module |
DataCallUser | Create, Read, Update, Delete | Data Call Module |
ExceptionUser | Create, Read, Update, Delete | Exception Module |
GeneralUser | Create, Read, Update, Delete | All Modules, no access to setup or Admin functions |
GlobalAdmin | Create, Read, Update, Delete | Tenant Configuration |
IncidentUser | Create, Read, Update, Delete | Incident Module |
InterconnectUser | Create, Read, Update, Delete | Interconnect Module |
IssueUser | Create, Read, Update, Delete | Issue Module, Causal Analysis Module |
Maintainer | Create, Read, Update, Delete | Catalogs, Security Controls, and Importer Tools |
Manager | Create, Read, Update, Delete | Same as general user + ability to impersonate users on the workbench |
PolicyUser | Create, Read, Update, Delete | Policy Module |
ProjectUser | Create, Read, Update, Delete | Project Module |
ReadOnly | Read | All Modules |
RiskUser | Create, Read, Update, Delete | Risk Module |
SecurityPlanUser | Create, Read, Update, Delete | Security Plan Module, Security Profiles, Control Implementations |
SupplyChainUser | Create, Read, Update, Delete | Supply Chain Module |
ThreatUser | Create, Read, Update, Delete | Threat Module |
Assign Roles
To set a role, navigate to Setup, Identity and Access Management, then click the Roles button on the far right. The steps to set a role are as follows:
- Pick the appropriate role from the drop down list
- Select the user you want to assign to the role
- Click the blue "Add User to Role" button
- Green alert should notify you that the user was added successfully
- If the user is currently logged in, they will need to log out and back in to reset their permissions and have the new roles applied