Adding Function Groups
Menu permissions and privilege definitions in Kron PAM are configured per user group. Kron PAM ships with default portal function groups, and users can be granted rights through those defaults. New function groups can also be created from any combination of the portal functions listed below, for whatever authorization purpose is needed.

A practical caveat when composing a group: several functions are realm-scoped (for example, sc log search network admin and single connect sapm network admin act only on device groups the user shares a realm with), while others deliberately bypass realm scoping (sc log search skip realm, single connect sapm admin, aioc users approve all user). Keep the realm-bypassing functions in separate, tightly held groups so that a single group assignment does not silently widen a user's reach.

To create a new function group:

1. Navigate to Policy > Portal Functions.
2. Open the Function Group Definition tab.
3. Click the + Add button.
4. Fill in the Function Group Name and Description fields.
5. Select the functions and module views to be assigned to the users.
6. Click Save.

To edit an existing function group:

1. Navigate to Policy > Portal Functions.
2. Open the definition of the group to change, click the Action button and choose Edit.
3. Select the functions and module views to be assigned to the users.
4. Click Save.

The functions that can be assigned to a function group are described below.

| Function | Description |
| --- | --- |
| aioc command player modulevisibility | Grants the right to view the Quick Commands screen in the Utility menu. The Quick Commands section is used to run pre/post-check commands. |
| aioc cp script builder ui modulevisibility | Grants the right to view the Script Builder screen in the Script Designer menu. The Script Builder is used to design new scripts and manage existing scripts. |
| aioc cp script player ui modulevisibility | Grants the right to view the Script Player screen in the Script Designer menu. Users can run pre-defined scripts from the Script Player. |
| aioc cp workflow_history modulevisibility | Grants the right to view the Workflow History screen in the Workflow Designer menu. When a defined workflow is run, its records are available in the Workflow History screen. |
| aioc cp workflow_manager modulevisibility | Grants the right to view the Workflow Designer screen in the Workflow Designer menu. Workflows are created here; user groups require permission to use a workflow. |
| aioc device group modulevisibility | Grants the right to view the Device Groups screen in the Inventory menu. Device groups are created in this menu, and device realms are created to determine the authorizations of user groups in the device groups. |
| aioc device group show_secrets | Grants the right to view device group secrets such as passwords. |
| aioc discovery discover device | Grants the right to access the New Device Discovery, Auto Device Discovery, Auto Discovery Log and Auto Discovery Dashboard tabs under the Inventory section. |
| aioc discovery add device | Grants access to the Inventory, Discovery, Auto Discovery Log and Auto Discovery Dashboard tabs under the Devices section, and grants the right to add devices. |
| aioc discovery delete device | Grants access to the Inventory under the Devices section, and the right to delete devices. |
| aioc discovery manage operationmode | Grants the right to schedule maintenance times for devices in the Devices tab under the Inventory section. |
| aioc discovery manage unassigned | Grants the right to manage devices in unassigned device groups under the Inventory section. |
| aioc element type modulevisibility | Grants the right to view the Element Type screen under the Inventory menu. This menu is used to create, delete or edit element types (and their properties) manually. |
| aioc help manager modulevisibility | Grants the right to view the Help Manager screen in the Device Administration menu. This is used to create, edit or delete the help menu content. |
| aioc platform activity logs modulevisibility | Grants the right to view the Activity Logs screen in the Logging menu. System events and all transactions made on Kron PAM are logged and can be viewed from here. |
| aioc platform sysconfig modulevisibility | Grants the right to view the System Configuration Manager screen in the Administration menu. From here, authorized users can add, edit or delete system configuration parameters. |
| aioc system backup modulevisibility | Grants the right to view the Backup Management page under the Administration menu. This page allows users to take backups after setting the relevant parameters in the system configuration. |
| aioc users approve all user | Grants the right to approve new user requests, even if the grantee is not an admin. |
| aioc users approve finalapproval | Grants the right to approve pre-approved user requests. |
| aioc users manage user | Grants the right to manage users. |
| aioc users manage user group | Grants the right to manage user groups. |
| statistics dashboard visibility | Grants the right to view statistics regarding connections, devices, users and the vault. |
| netright admin datasource manager modulevisibility | Grants the right to view the Datasource Manager screen in the Administration menu. This section allows the definition of a datasource for Kron PAM. |
| netright bulkimport modulevisibility | Grants the right to view the Bulk Import screen in the Inventory menu. Devices can be added in bulk from this section. |
| netright commands modulevisibility | Grants the right to view the Command Template screen in the Utility menu. Defined commands that are used in scripts or pre/post checks are managed from here. |
| netright components modulevisibility | Grants the right to view the Components screen in the Administration menu. |
| netright discovery modulevisibility | Grants the right to view the Inventory screen in the Devices menu. This section enables adding, deleting or editing devices. |
| netright jobs modulevisibility | Grants the right to view the Job Scheduler screen in the Administration menu. This section allows managing automated and/or manually triggered jobs. |
| netright log modulevisibility | Grants the right to view the System Log Viewer screen in the Administration menu. System logs can be monitored from this section. |
| netright mailsender modulevisibility | Grants the right to view the Mail Management screen in the Administration menu. You can send emails through the Kron PAM GUI from this section. |
| netright memory modulevisibility | Grants the right to view the Memory Manager screen in the Administration menu. You can check the memory status from this section. |
| netright realms modulevisibility | Grants the right to view the Portal Functions screen in the Policy menu. The screens available to user groups are determined in this section. |
| netright siem configuration modulevisibility | Grants the right to view the SIEM Configuration screen in the System Configuration Manager menu. Kron PAM can send logs to SIEM systems. |
| netright user approval modulevisibility | Grants the right to view User Approval in the User Management menu. The User Approval section displays all users who have sent the "New User" request from the main page and is used to confirm their requests. |
| netright user auth log modulevisibility | Grants the right to view the User Authentication Logs screen in the Logging menu. This page shows when and where users log in and which authentication method they are using. |
| netright users modulevisibility | Grants the right to view the User Accounts screen in the User Management menu. You can define users and user groups in this section. |
| sc aaa remote db modulevisibility | Grants the right to view the AAA Remote Database screen in the RADIUS menu. In this section, you can define and edit databases. |
| sc cloud integration modulevisibility | Grants the right to view the Cloud Integration screen in the Administration menu. In this section, the configuration required to add or discover devices from Amazon Web Services, Google Cloud Platform and Microsoft Azure can be set. |
| sc devops modulevisibility | Grants the right to view the DevOps Management screen in the DevOps menu. You can define new DevOps teams or edit existing ones in this section. |
| sc log duplicator | Provides the "Duplicate Log" option for logs in the Command Log tab of the Session Log section, under the Logging menu. |
| sc log search network admin | Grants the right to access the logs of device groups the user shares a realm with. The user can view the logs of these device groups from the Command Log tab of the Session Log section, under the Logging menu. |
| sc log search skip realm | Grants the right to view all logs of all devices in the Command Log tab of the Session Log section, under the Logging menu. Regardless of the device realms the user is part of, a user with this function can view logs for all devices. |
| sc log session auditor | Grants the right to access the Audit Logs tab in the Session Log section, under the Logging menu. In this tab, audit users can sign sessions as "Passed Audit", "Failed" or "N/A". |
| sc reservation manager request on behalf of group users | Grants a group manager the right to enter a connection reservation request on behalf of any group member. When granted, the "For User" selection field appears in the Connection Reservation screen for the group manager. |
| sc script builder super user | Grants the right to access the Script Realm tab in the Script Builder section under the Script Designer menu. In this tab, you can grant user groups permission to play scripts. |
| sc sensitive data discovery modulevisibility | Grants the right to view the Sensitive Data Discovery screen in the Sensitive Data Discovery menu. This section is used to discover sensitive data in databases. |
| sc ssh keys provisioning viewer | Defined for admins, to give them access to the User Key Management tab on the SSH Key Manager page under the Users menu. |
| sc tacacs management modulevisibility | Grants the right to view the TACACS Management screen under the Administration menu. Kron PAM uses its own TACACS+ server to authenticate users; TACACS+ configuration is done from this section. |
| single connect aapm modulevisibility | Grants the right to view the screens related to Application Token Management under Vault. |
| single connect assigned credential modulevisibility | Grants the right to use the Assigned Credentials menu. |
| single connect cli modulevisibility | Grants the right to establish an SSH/Telnet connection by clicking the "Open Terminal" option for a device. The option is presented in the Device Inventory section under the Device Management menu, or on the dashboard. |
| single connect dashboard modulevisibility | Grants the right to view the Statistics screen in the Dashboard menu. The activities and commands run by users are viewed in this section. |
| single connect diagnostic modulevisibility | Grants the right to view the Policy Tracking screen in the Policy Control menu. You can search any user's authentication/authorization details and vault account permissions in this section. |
| single connect freeradius 802dot1x modulevisibility | Grants the right to view the RADIUS 802.1X Configurations screen in the Administration menu. Kron PAM can act as an 802.1X authentication server; after the required configuration, users can access Wi-Fi with their username and password. |
| single connect freeradius acc modulevisibility | Grants the right to view the RADIUS Account Logs screen in the Logging menu. |
| single connect httpproxy ui modulevisibility | Grants the right to view the HTTP Proxy Logs screen in the Logging menu. You can view the transactions of HTTP proxy sessions in this section. |
| single connect instancecontroller modulevisibility | Grants the right to access the Kron PAM Controller configuration section. You can configure all instances from this section. |
| single connect linux audit report modulevisibility | Grants the right to view the Linux Audit Report screen in the Audit Report menu. This section is used to report the current security status of local Linux accounts. |
| single connect macfiltering modulevisibility | Grants the right to view the MAC Filtering screen in the Administration menu. This section is used to manage users' MAC addresses; allowed MAC addresses can be defined, edited or deleted. |
| single connect policy enforcement modulevisibility | Grants the right to view the Policy screen. |
| single connect rdp client modulevisibility | Grants the right to establish a remote desktop session by clicking the "Open Remote Desktop" option for a device. The option is presented in the Inventory section under the Device Management menu, or on the dashboard. |
| single connect rdp disallow_hiding keys | Used to disable the key-log hiding feature for certain user groups. |
| single connect remote desktop app modulevisibility | Grants the right to view the Remote Desktop App screen in the Administration menu. Kron PAM allows you to limit the applications that can be accessed on Windows servers from this section. After the application name and path are defined here, permissions are set from the Device Management menu. |
| single connect remote desktop modulevisibility | Grants the right to play sessions in the Command Logs tab of the Session Log section, under the Logging menu. |
| single connect reports ui modulevisibility | Grants the right to view the Reports screen. |
| single connect reservation management modulevisibility | Grants the right to view the Reservation Management screen in the Policy Control menu. Users make connection reservations here for devices that require managerial approval; after a manager approves, the user can connect within the time frame specified in the reservation. |
| single connect sapm admin | Makes the user a vault admin. Vault admins have the right to manage all vault accounts and view all logs. |
| single connect sapm approval requirement | Restricts the user from viewing passwords without approval. When the user wants to retrieve a vault password, an approval email is sent to the vault admin; after the vault admin approves, the user can view the password. |
| single connect sapm auditor | Grants the right to list all vault accounts, without seeing their details. |
| single connect sapm configuration admin | Grants the right to access the Configuration section in the Vault menu. Vault configurations can be edited in this section. |
| single connect sapm historical password viewer | Grants the right to view the old passwords of vault accounts. |
| single connect sapm log viewer | Grants the right to see the "Password Change", "New Users" and "Password Check" logs on the Vault page. |
| single connect sapm modulevisibility | Grants the right to view the Vault menu. |
| single connect sapm network admin | Grants the right to manage and view all accounts on any device the user shares a realm with. |
| single connect sapm network auditor | Grants the right to list all device accounts defined in the user's policy realms, without seeing their details. |
| single connect sapm secondlevel admin | Grants the right to give second-level approval for all vault accounts and to view all logs. |
| single connect secondlevel approval requirement | Restricts the user from viewing a password without two-level approval. |
| single connect sapm secondlevel network admin | Grants the right to give second-level approval for all device accounts defined in the user's policy realms. |
| single connect session active logs modulevisibility | Grants the right to view the Active Sessions screen in the Policy menu. Administrators can manage active proxy sessions from here, for example attaching to a session or killing it. |
| single connect sessionmanager ui modulevisibility | Grants the right to view the Session Manager screen in the Administration menu. User activities can be viewed in this section. |
| single connect setup wizard modulevisibility | Grants the right to view the Kron PAM Setup Wizard screen in the Setup Wizard menu. |
| single connect sql proxy modulevisibility | Grants the right to view the SQL Proxy Policy screen in the Policy Control menu. The dynamic masking policy and masking methods are defined and managed in this section. |
| single connect sshkeys modulevisibility | Grants the right to view the SSH Keys Manager screen in the User Management menu. SSH keys can be generated and managed here and used to log in to the Kron PAM proxy instead of the user's password. |
| single connect tacacs acc modulevisibility | Grants the right to view the TACACS Account Logs screen in the Logging menu. All commands executed during a TACACS+ session can be viewed there. |
| single connect tenant admin | Kron PAM's multitenancy feature provides multiple independent applications and functions: a single instance serves multiple customers, each of which is called a tenant, and tenants may be given the ability to customize some parts of the application. This function works only if the licensing requirements are met. Tenant admins can manage only the devices and users they are allowed to access, and can see only the logs related to those devices and users. |
| single connect twofactor hardwaretoken management | Grants the right to access the Hardware Token Management and Hardware Token Bulk Import tabs under the Multi-Factor Authentication section. |
| single connect twofactor acc modulevisibility | Grants the right to view the Multi-Factor Authentication section in the Administration menu. Kron PAM provides multi-factor authentication by mobile application or SMS verification. |
| single connect twofactor assign hardware token | Grants the right to assign hardware tokens in the Multi-Factor Authentication section. |
| single connect twofactor barcode viewer | Grants the right to see the MFA token's QR code or written code in the User Information section, in the upper right corner of the Kron PAM interface. |
| single connect user logs modulevisibility | Grants the right to view the Session Log screen in the Logging section. |
| single connect warp configuration viewer | Grants the right to access the Report Configuration tab in the Windows Audit Report section. In this tab, you can create a report configuration to check the security of Windows accounts. |
| single connect warp dashboard viewer | Grants the right to access the Dashboard tab in the Windows Audit Report section. In this tab, you can view the reports as graphs. |
| single connect warp report viewer | Grants the right to access the Report tab in the Windows Audit Report section. In this tab, you can search for reports and view them with their details. |
| single connect windows audit report modulevisibility | Grants the right to view the Windows Audit Report screen in the Audit Report section. The Windows Audit Report is used to report the current security status of local Windows accounts. |
| tfaprovisioningviewer | Grants the right to see the "User Token Management" and "User Group Management" tabs in the Multi-Factor Authentication section under the Administration menu. You can manage user and user group tokens and OTPs (one-time passwords) for user groups there. |
| threat analytics dashboard visibility | Grants the right to view statistics regarding threat analytics. |
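Because a function group is just a set of the names above, it is worth checking a proposed group against the descriptions before saving it. The following Python script is an added example written by the editor; it is not Kron PAM code, and the product exposes function groups only through the UI steps described earlier, not through an API like this. It models groups as plain objects and flags functions whose descriptions say they bypass realm scoping or grant global vault or log rights, suggesting the realm-scoped counterpart the table names where one exists. The classification of functions, the separation-of-duty pairs (a group that is both subject to an approval requirement and able to grant that approval) and the sample groups are the editor's assumptions derived from the descriptions, not product settings.

```python
"""Least-privilege review of Kron PAM function group definitions.

Editor's example, not Kron PAM code: groups are modelled as plain Python
objects holding the function names from the table above. Which functions
count as realm-bypassing or global, and which pairs violate separation of
duty, is the editor's reading of the published descriptions.
"""
from dataclasses import dataclass, field
from typing import Iterable

# Realm-bypassing function -> realm-scoped counterpart named in the table.
REALM_SCOPED_ALTERNATIVE = {
    "sc log search skip realm": "sc log search network admin",
    "single connect sapm admin": "single connect sapm network admin",
    "single connect sapm auditor": "single connect sapm network auditor",
    "single connect sapm secondlevel admin": "single connect sapm secondlevel network admin",
}

# Functions with global reach and no realm-scoped counterpart in the table.
GLOBAL_FUNCTIONS = {
    "aioc users approve all user": "approves new user requests even when the grantee is not an admin",
    "aioc device group show_secrets": "reveals device group secrets such as passwords",
    "single connect sapm historical password viewer": "exposes historical vault passwords",
    "single connect instancecontroller modulevisibility": "configures every Kron PAM instance",
}

# (approver function, approval-requirement function): a group holding both can
# approve its own password retrievals. Editor's assumption from the descriptions.
SEPARATION_OF_DUTY = [
    ("single connect sapm admin", "single connect sapm approval requirement"),
    ("single connect sapm secondlevel admin", "single connect secondlevel approval requirement"),
]


@dataclass
class FunctionGroup:
    name: str
    description: str
    functions: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    group: str
    function: str
    severity: str  # "high" or "medium"
    message: str


def review_group(group: FunctionGroup) -> list[Finding]:
    """Return findings for one group; an empty list means nothing to flag."""
    findings: list[Finding] = []
    for fn in sorted(group.functions):
        if fn in REALM_SCOPED_ALTERNATIVE:
            findings.append(Finding(group.name, fn, "high",
                f"bypasses realm scope; use '{REALM_SCOPED_ALTERNATIVE[fn]}' "
                "unless access to all realms is intended"))
        elif fn in GLOBAL_FUNCTIONS:
            findings.append(Finding(group.name, fn, "high", GLOBAL_FUNCTIONS[fn]))
    for approver, requirement in SEPARATION_OF_DUTY:
        if approver in group.functions and requirement in group.functions:
            findings.append(Finding(group.name, approver, "medium",
                f"group is both subject to '{requirement}' and able to grant that approval"))
    return findings


def review_all(groups: Iterable[FunctionGroup]) -> dict[str, list[Finding]]:
    """Review every group and key the findings by group name."""
    return {g.name: review_group(g) for g in groups}


# Constructed sample groups (hypothetical; not from any real deployment).
SAMPLE_GROUPS = [
    FunctionGroup("L1 Helpdesk", "Read-only session visibility within own realms", {
        "single connect dashboard modulevisibility",
        "single connect user logs modulevisibility",
        "sc log search network admin",
    }),
    FunctionGroup("Vault Operators", "Vault account management", {
        "single connect sapm modulevisibility",
        "single connect sapm admin",
        "single connect sapm approval requirement",
        "sc log search skip realm",
    }),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_GROUPS).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.function}: {f.message}")
```

Run as a script, the helpdesk group passes clean, while the vault group is flagged twice for realm bypass (the log search and vault admin functions) and once for holding both the approval requirement and the admin role that grants approvals; the fix in the UI is to swap in the realm-scoped counterparts and move the approver function to a separate group.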