Role Based Access (RBAC)

The Role Based Access (RBAC) button under "Security" in the Admin Dashboard gives administrators granular control over permissions within PlexTrac: the actions allowed for a specific user, permissions for customers, access to client data, and report access that restricts who can view sensitive data.
PlexTrac applies roles at two levels, the tenant (instance) and the client. This lets teams grant users the privileges required to accomplish tasks for specific clients and nothing more.
A user's tenant role governs which portions of the platform the user can reach, including the modules, tools and UI elements presented for use. A user's permissions can then be narrowed further in the context of individual clients; a user must hold a role for each client they are expected to access.
PlexTrac has three default roles: Administrator, Standard User, and Analyst.
The Security: Role Based Access page includes permission settings on the following topics, each of which has additional subtopics for further refinement:
  • Administration Access
  • Account Information
  • Custom Templates
  • Email Settings
  • General Settings
  • Integration Settings
  • Parser Actions
  • License Management
  • Security
  • Tags Management
  • Analytics Permissions
  • Assessments Permissions
  • Client Permissions
  • Reports Permissions
  • Runbooks Permissions
  • Content Library Permissions
  • Initiatives Permissions

Tenant Permissions

Platform-wide permissions include access to specific modules (WriteupsDB, Assessments, etc.), the Account Admin section, platform settings, and user management.
These permissions are specific to platform access and are assigned in the Role Based Access area of the Admin Dashboard. If a user is assigned multiple roles, the user's effective permissions are the union of the permissions of every assigned role.
In the context of a tenancy, the following business rules apply:
  • Administrator: A tenant administrator has access to all tools, modules and UI elements in the platform. This includes all elements of the Admin Dashboard.
  • Standard User: A standard user has access to all modules and UI elements that exist outside of the Admin Dashboard.
  • Analyst: An analyst user does not have access to the Content Library or Runbooks modules. Additionally, most UI elements that provide create or edit capabilities are not available.
Users may be assigned to more than one role. Tenant permissions are additive: adding a user to a less-privileged role does not remove other roles or restrict permissions. To reduce a user's access, the higher-privileged role must be removed, not merely supplemented.

Administrator

Admin user permissions can be viewed by clicking the Administrator box on the Security: Role Based Access page.
An administrator is PlexTrac's highest permission role, and admins have full control and access over every part of the application. Click the PDF file below for the entire list.
List of all PlexTrac permissions.pdf

Standard User

Standard User permissions can be viewed by clicking the Standard User box on the Security: Role Based Access page.
Compared with the Administrator role, a Standard User has:
  • No access to Administration Access
  • No access to Account information
  • No access to Custom Templates
  • No access to Email Settings
  • No access to General Settings
  • No access to Integration Settings
  • No access to Parser Actions
  • No access to License Management
  • No access to Security
  • No access to Tags Management
  • View only permissions for client users (cannot create or delete users)
  • Cannot delete reports
  • Cannot manage repositories in Content Library
  • View only ability on initiatives (cannot create, delete or edit)

Analyst User

Analyst user permissions can be viewed by clicking the Analyst box on the Security: Role Based Access page.
Analysts have the same restrictions as Standard Users, plus the following:
  • View only permissions for assessment questionnaires
  • Cannot delete assessments
  • Cannot add or remove reviewers from assessments
  • Cannot create or delete clients
  • Can only view client assets (cannot create, import, delete or edit assets)
  • Cannot manage client users
  • Can only view or export reports
  • Can only update or view report findings
  • Cannot access report procedures
  • Can only view runbook engagements (no access to other sections of runbooks)
  • No access to Content Library
  • Can only view initiatives

Client Permissions

Client-level permissions govern use of and access to Clients, Reports, and Findings. They are assigned per client; see Add User to Client for the procedure.
The role assigned to a user at the client level sets that user's client, report, and finding permissions for that client only.
In the context of a client, the following business rules apply:
  • Administrator: A client administrator can edit any data associated with the client, such as the client record, assets and reports, as well as manage access of client users.
  • Standard User: A standard user can edit any data associated with the client, such as the client record, assets and reports.
  • Analyst: An analyst user can view client assets and associated data, view reports in published status, upload and delete artifacts in reports, and change the remediation status of findings.

Creating a Role

Step 1: From the Role Based Access page under "Security" in the Admin Dashboard, click Create Role.
Step 2: Select a template as baseline, if applicable. Enter a role name and description.
  • Templates as Baseline: Choose a baseline of permissions for this role with the drop-down.
  • Role Name: Name of role (required).
  • Enabled: When toggled on, the role's permissions take effect for every user assigned to it; toggling it off withdraws those permissions from all of them at once.
  • Description: A brief description of the role (required).
  • Users Assigned: The list of users assigned to this role. Added users appear on the screen; to remove one, hover over the name and click the red trash can icon.
All users must be assigned to at least one role at all times. You will receive an error if you attempt to disable a role that contains a user with no other roles assigned.
Step 3: Select permissions for the role by clicking the individual permission buttons. Purple means the permission is granted to the role; grey means it is not. Clicking a purple button again greys it out and withdraws that permission from the role.
Step 4: Click Save.

Recommendations

PlexTrac has the following recommendations on this topic:
  • Create a role with no permissions and assign inactive or intermittent-access users to it. Because every user must hold a role, this is how access is parked without deleting the account; because permissions are additive, the empty role only restricts a user when it is the user's sole role.
  • Use the Principle of Least Privilege when assessing role permissions.
  • Conduct periodic user and role audits for an accurate user access posture.
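The following Python is an added example, not PlexTrac's own code or API. It models the rules stated on this page (effective tenant permissions are the union of the user's enabled roles, a role cannot be disabled while a user holds no other role, and a low-privilege role cannot restrict a user who also holds a higher one) and runs the kind of audit the recommendations call for: it flags roles that are fully shadowed by a user's other roles, which is where "downgrades by adding a role" silently fail. The role contents, permission strings and user assignments are constructed for the example and do not match PlexTrac's internal identifiers.

```python
"""Model of additive tenant RBAC and a role-shadowing audit (added example).

Assumptions: permission names and the three default-role contents below are
constructed to mirror this page's descriptions, not PlexTrac's real identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed permission sets, nested the way the page describes the roles:
# Analyst is a subset of Standard User, which is a subset of Administrator.
ANALYST = frozenset({
    "reports.view", "reports.export", "findings.update", "assets.view",
    "assessments.view", "runbooks.engagements.view", "initiatives.view",
})
STANDARD = ANALYST | {
    "reports.create", "reports.edit", "findings.create", "assets.edit",
    "assets.import", "clients.create", "clients.delete", "assessments.edit",
    "assessments.delete", "runbooks.all", "content_library.view", "client_users.view",
}
ADMIN = STANDARD | {
    "admin.dashboard", "account_info", "custom_templates", "email_settings",
    "general_settings", "integration_settings", "parser_actions",
    "license_management", "security", "tags_management", "reports.delete",
    "content_library.repos.manage", "initiatives.edit", "client_users.manage",
}


@dataclass
class Role:
    name: str
    permissions: frozenset[str]
    enabled: bool = True


def default_roles() -> dict[str, Role]:
    """Fresh role table; 'No Access' is the empty parking role from the recommendations."""
    return {
        "Administrator": Role("Administrator", ADMIN),
        "Standard User": Role("Standard User", STANDARD),
        "Analyst": Role("Analyst", ANALYST),
        "No Access": Role("No Access", frozenset()),
    }


def effective_permissions(user_roles: list[str], roles: dict[str, Role]) -> frozenset[str]:
    """Tenant permissions are additive: the union over the user's *enabled* roles."""
    granted: set[str] = set()
    for name in user_roles:
        role = roles[name]
        if role.enabled:
            granted |= role.permissions
    return frozenset(granted)


def disable_role(role_name: str, assignments: dict[str, list[str]], roles: dict[str, Role]) -> None:
    """Disable a role, refusing if any user would be left with no other assigned role."""
    stranded = sorted(user for user, assigned in assignments.items()
                      if role_name in assigned and not (set(assigned) - {role_name}))
    if stranded:
        raise ValueError(f"cannot disable {role_name!r}: users with no other role: {stranded}")
    roles[role_name].enabled = False


def shadowed_roles(user_roles: list[str], roles: dict[str, Role]) -> list[str]:
    """Roles whose permissions are already covered by the user's other roles.

    Only meaningful for users with two or more roles. A shadowed role grants
    nothing extra and, because permissions are additive, restricts nothing either.
    """
    if len(user_roles) < 2:
        return []
    shadowed = []
    for name in user_roles:
        others = effective_permissions([r for r in user_roles if r != name], roles)
        if roles[name].permissions <= others:
            shadowed.append(name)
    return shadowed


def audit(assignments: dict[str, list[str]], roles: dict[str, Role]) -> dict[str, dict]:
    """Per-user access posture: size of the effective set plus any shadowed roles."""
    return {
        user: {
            "effective": len(effective_permissions(assigned, roles)),
            "shadowed": shadowed_roles(assigned, roles),
        }
        for user, assigned in assignments.items()
    }


# Constructed user-to-role assignments for the demonstration.
ASSIGNMENTS = {
    "alice": ["Administrator", "Analyst"],  # Analyst is shadowed: it cannot demote alice
    "bob": ["Standard User"],
    "carol": ["Analyst"],
    "dave": ["No Access"],                  # parked account: zero effective permissions
}

if __name__ == "__main__":
    for user, finding in audit(ASSIGNMENTS, default_roles()).items():
        print(f"{user}: {finding}")
```

The audit's "shadowed" column is the actionable output: a user whose Analyst role is shadowed by Administrator was not restricted by being added to Analyst, and the only remediation is removing the Administrator role.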
© 2022 PlexTrac, Inc. All rights reserved.