Adding Function Groups
Menu permissions and privilege definitions in Kron DAM are configured per user group. Kron DAM ships with default portal function groups, and users can be granted rights through those defaults; new function groups can also be created from any combination of portal functions for different authorization purposes. Because some functions are very broad (for example, the SAPM admin function grants management of all SAPM accounts and visibility of all logs), scope a custom group to the functions a role actually needs rather than reusing a broad default group.

To create a new function group:

1. Navigate to Policy > Portal Functions.
2. Open the Function Group Definition tab.
3. Click the + Add button.
4. Fill in the Function Group Name and Description fields.
5. Select the functions and module views to be assigned to the users.
6. Click Save.

To edit an existing function group:

1. Navigate to Policy > Portal Functions.
2. Open the Realm Definition tab.
3. Click the Action button and choose Edit Realm.
4. Select the functions and module views to be assigned to the users.
5. Click Save.

The available portal functions and the rights each one grants are listed below.

| Function | Description |
| --- | --- |
| `aioc device group modulevisibility` | Grants rights to view the Device Groups screen in the Device Management menu. Device groups are created here, and device realms are created to determine which user groups are authorized on which device groups. |
| `aioc device group show secrets` | Grants rights to view the "Show Secrets" button in the device group Properties tab. Device group secrets, such as passwords, can be revealed with this button. |
| `aioc discovery add device` | Grants access to the Inventory, Discovery, Auto Discovery Log and Auto Discovery Dashboard tabs under the Devices section, and the right to add devices. |
| `aioc discovery delete device` | Grants access to the Inventory tab under the Devices section and the right to delete devices. |
| `aioc discovery manage unassigned` | Grants rights to manage devices in unassigned device groups under the Device Inventory section. |
| `aioc element type modulevisibility` | Grants rights to view the Element Type screen in the Device Management menu. This menu is used to create, delete or edit devices manually; the properties of an element type are assigned here. |
| `aioc help manager modulevisibility` | Grants rights to view the Help Manager screen in the Device Administration menu, which is used to create, edit or delete help menu content. |
| `aioc platform activity logs modulevisibility` | Grants rights to view the Activity Logs screen in the Logging menu. System events and all transactions made in the web interface are logged and can be reviewed here. |
| `aioc platform sysconfig modulevisibility` | Grants rights to view the System Config Management screen in the Administration menu. From here, if authorized, users can add, edit or delete system configuration parameters. |
| `aioc users approve all user` | Grants rights to approve new user requests, even if the approver is not an admin. |
| `aioc users approve finalapproval` | Grants rights to approve pre-approved user requests. |
| `aioc users manage user` | Grants rights to manage users. |
| `aioc users manage user group` | Grants rights to manage user groups. |
| `netright discovery modulevisibility` | Grants rights to view the Device Inventory screen in the Device Management menu. This section enables adding, deleting or editing devices. |
| `netright log modulevisibility` | Grants rights to view the System Log Viewer screen in the Administration menu. System logs can be monitored here. |
| `netright realms modulevisibility` | Grants rights to view the Portal Functions screen in the Policy Control menu. The authorization of user groups is determined here. |
| `netright user approval modulevisibility` | Grants rights to view User Approval in the User Management menu. The User Approval section lists all users who have sent a "new user" request from the main page and is used to confirm their requests. |
| `netright users modulevisibility` | Grants rights to view the User Accounts screen in the User Management menu. Users and user groups are defined here. |
| `sc reservation manager request on behalf of group users` | Grants the group manager the right to enter a connection reservation request on behalf of any group member. When granted, the "For User" selection field appears on the Connection Reservation screen for the group manager. |
| `sc sensitive data discovery modulevisibility` | Grants rights to view the Sensitive Data Discovery screen in the Sensitive Data Discovery menu. The module scans databases to locate sensitive fields and supports compliance requirements. |
| `single connect assigned credential modulevisibility` | Grants rights to view the Assigned Credentials menu and to add or edit assigned credentials in the Users menu. |
| `single connect dashboard modulevisibility` | Grants rights to view the Statistics screen in the Dashboard menu. The activities and commands run by users are viewed here. |
| `single connect policy enforcement modulevisibility` | Grants rights to view the Session Policy screen in the Policy Control section. System policies are created and edited in Policy Control; the "Policy Key", "Time Restriction", "Policy Group", "Policy Realm", "Permit Zone" and "User Location" tabs are managed here. |
| `single connect sapm admin` | Makes the user a SAPM admin. Admins have rights to manage all SAPM accounts and view all logs. |
| `single connect sapm approval requirement` | Restricts the user from viewing passwords without approval. When the user wants to retrieve a SAPM password, an approval e-mail is sent to the admin; after the admin approves, the user can view the password. |
| `single connect sapm auditor` | Grants rights to list all SAPM accounts without seeing their details. |
| `single connect sapm configuration admin` | Grants rights to access the Configuration section in the SAPM Management menu. SAPM configurations can be edited here. |
| `single connect sapm historical password viewer` | Grants rights to view the old passwords of SAPM accounts. |
| `single connect sapm log viewer` | Grants rights to see the "Password Change", "New Users" and "Password Check" logs on the SAPM page. |
| `single connect sapm modulevisibility` | Grants rights to view the SAPM Management menu. |
| `single connect sapm network admin` | Grants rights to manage and view all device accounts associated with a user. |
| `single connect sapm network auditor` | Grants rights to list all device accounts defined in the user's device group realms, without seeing their details. |
| `single connect sapm secondlevel admin` | Grants rights to give second-level approval for all SAPM accounts and to view all logs. |
| `single connect secondlevel approval requirement` | Restricts viewing the password until two-level approval has been given. |
| `single connect sapm secondlevel network admin` | Grants rights to give second-level approval for all device accounts defined in the user's device group realms. |
| `single connect session active logs modulevisibility` | Grants rights to view the Active Sessions screens in the Policy Control menu. Administrators can manage active proxy sessions here, such as connecting to a session or killing it. |
| `single connect sessionmanager ui modulevisibility` | Grants rights to view the Session Manager screen in the Administration menu. User activities can be viewed here. |
| `single connect sql proxy modulevisibility` | Grants rights to view the SQL Proxy Policy screen in the Policy Control menu. The SQL proxy module logs SQL sessions and enforces policies such as blocking queries and masking data; dynamic masking policies and masking methods are defined and managed here. |
| `single connect tenant admin` | Kron PAM's multi-tenancy function provides multiple independent applications and functions from a single instance that serves multiple customers; each customer is called a tenant, and tenants may be given the ability to customize parts of the application. This function only works if the "multitenancy enabled" parameter is set to "true" in System Configuration Management. Tenant admins can only manage the devices and users they are allowed to access and can only see the logs related to those devices and users. |
| `single connect twofactor hardwaretoken management` | Grants rights to access the Hardware Token Management and Hardware Token Bulk Import tabs under the 2FA Provisioning section. |
| `single connect twofactor acc modulevisibility` | Grants rights to view the Two Factor Provisioning section in the Administration menu. Kron PAM provides two-factor authentication by mobile application or SMS verification. |
| `single connect twofactor assign hardware token` | Grants the right to assign hardware tokens in the 2FA Provisioning section. |
| `single connect twofactor barcode viewer` | Grants rights to see a token's QR code or written code in the 2FA Provisioning section. |
| `threat analytics dashboard visibility` | Grants rights to view statistics regarding threat analytics. |
| `aioc database object explorer modulevisibility` | Shows the DAM Object Explorer, which displays the hierarchical structure of connected databases after metadata sync. |
| `aioc database management visible` | Provides visibility of the Database/Device Management page, where administrators configure database connections and device properties. |
| `aioc database session log modulevisibility` | Grants rights to view the Database Session Log screen in the Database Activity Monitoring menu. Database session logs can be monitored here. |
| `aioc database session log kill session visible` | Allows administrators to kill an active database session from the session log interface. |
| `single connect database audit report modulevisibility` | Makes the Database Audit Report module visible. The module checks the security status of database users and generates audit reports. |
| `single connect database audit report viewer` | Grants permission to view generated database audit reports. |
| `single connect database audit configuration viewer` | Allows viewing audit report configuration settings (e.g., scheduling report jobs). |
| `single connect database audit dashboard viewer` | Provides access to an audit dashboard summarizing audit results and compliance status. |
| `single connect vulnerability scanner report modulevisibility` | Makes the Vulnerability Scanner Report module available for scanning database devices for vulnerabilities. |
| `single connect vulnerability scanner report viewer` | Allows users to view vulnerability scanner reports and findings. |
| `single connect vulnerability scanner configuration viewer` | Provides visibility to configure vulnerability scanning (e.g., scanning frequency, credentials). |
| `alarm manager viewer visible` (historic id) | Historic identifier that duplicates the `alarm manager viewer visible` function listed below. |
| `dam threat analytics modulevisibility` | Displays the Threat Analytics module, which analyses queries and behaviours to detect threats and anomalies. |
| `dam threat analytics lock user visible` | Allows locking a user account directly from the Threat Analytics interface when suspicious behaviour is detected. |
| `dam threat analytics suspend user visible` | Enables suspending a user's access via the Threat Analytics dashboard. |
| `dam threat analytics kill session visible` | Provides a control to kill a malicious or suspicious database session from the Threat Analytics screen. |
| `alarm manager viewer visible` | Shows the Alarm Manager viewer, which lists triggered database alarms, their details and acknowledgement options. |
| `alarm manager policy visible` | Displays existing alarm policies and rule sets in the Alarm Manager. |
| `alarm manager policy management visible` | Allows creating, editing and deleting alarm policies that define triggers and notification actions. |
| `alarm manager notification visible` | Shows the list of notification targets (e-mail/SMS addresses) used by alarms. |
| `alarm manager notification management visible` | Enables adding, editing or retiring notification targets for alarm delivery. |
| `alarm manager event management visible` | Allows management of alarm events, such as reviewing details, acknowledging or deleting alarm records. |