Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
In Security, admins can manage authentication methods, configure MFA, authorize users for specific roles, and create classification tiers to enforce additional layers of access to reports.
The Security section contains the following sections:
In Security & User Management, admins manage authentication, multi-factor prompts, user groups, access permissions, report access, and user account settings.
Security & User Management contains the following sections:
An audit log records events or activities within PlexTrac. Its primary purpose is to provide a chronological and detailed account of actions taken by users and processes, along with relevant information such as timestamps, user IDs, and specific event details.
The audit log is found under the Audit log button of the Admin Dashboard under "Security & User Management."
The following key actions are recorded in the audit log:
Logins (successful, failed, lockouts, etc.)
Password changes
User creation/deletion/updates
RBAC changes (e.g., a user is assigned to a client)
The audit log displays events for 120 days, updating on the first day of each month.
The page defaults to the most recent events and lists the user, event, and time of the action. Use the filters above to narrow the dates of the events or search for a specific event.
For example, to find users who changed their password in the past month, click the box for "Start date" and select the past 30 days, then type "password" into the search box.
The list of events presented on the page dynamically updates.
OAuth and SAML are protocols in identity and access management. OAuth is used for authorization, allowing third-party apps to access user resources securely. SAML is designed for authentication and single sign-on, facilitating user identity data exchange. OAuth is common in consumer and enterprise apps, while SAML is often used in government and enterprise environments. Both protocols can be used together for a comprehensive authentication and authorization solution.
PlexTrac supports multiple authentication methods for single-sign-on (SSO):
OAuth: OAuth is an open standard for authorization that grants access via access tokens. OAuth authorizes an application to access your data without giving it access to your credentials.
OpenID: OpenID Connect provides an authentication layer on top of OAuth 2.0. It addresses the lack of an authentication mechanism in OAuth and is thus a more secure solution.
SAML: Security Assertion Markup Language (SAML) is an open standard that attempts to bridge the divide between authentication and authorization.
OAuth is used in access authorization, while SAML and OpenID Connect are used in user authentication.
To or reset the token, go to Profile (Personal Settings) and click the Two-Factor Authentication tab.
Users need an account with PlexTrac before being authorized to use an alternative sign-on method. The users' email in PlexTrac must be identical to the email address used to authenticate through the third-party tool.
OAuth (Open Authorization) is a standard token-based authorization framework. OAuth enables account information to be used by a third party without exposing the user's account credentials to the third party.
It provides the third-party service with an access token that authorizes the sharing of specific account information.
OpenID Connect is an identity layer built on the OAuth 2.0 protocol that permits a third-party application to obtain a user's identity information managed by a service. This functionality makes it easier for developers to authenticate users.
Clicking the card below will open further documentation for integrating PlexTrac with the following OAuth/OpenID solutions.
The Authorization button under "Security" in the Admin Dashboard allows user group membership and roles to be managed.
This page lists all users (first and last name), email/username, role, classification level, and if they belong to the default group.
Users in the list can be found via search, filtered by client, or sorted by first name, last name, or email/username.
The Default Group is the collection of users granted access to all clients by default. Adding users to this group automatically grants them access to all existing and new clients as they are created.
Removing a user from the Default Group does not remove previously granted client access and only removes the automatic assignment to new clients.
This task is for existing users. This is not the process for adding users to PlexTrac. Users can also be added to clients directly from the Clients module.
Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.
Step 2: A new button for adding users appears. Click Add/Authorize User.
Step 3: Select the user from the "User" pulldown menu or begin typing to filter the provided list.
Step 4: Assign the appropriate role from the "Role" pulldown menu, and, if applicable, assign a classification level.
Repeat as needed by clicking Add User.
Step 4: Click Save.
Roles can also be managed directly from the Authorization page.
Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.
Step 2: Click the pulldown menu under the "Role" column for the user to be changed and select the new role.
When classification tiers have been enabled (configured in Admin Dashboard>Security>Classification Tiers), a column will appear on the Authorization page, allowing further security restriction configuration for each user by the client.
If not enabled, the column will not appear.
Google OAuth (Open Authorization) is a secure authorization protocol that allows users to grant third-party applications access to their Google accounts without sharing their usernames and passwords. It is a standard authentication mechanism used by Google to provide secure, delegated access to resources on its platform, including Google Drive, Gmail, Google Calendar, and other services.
OAuth provides a token-based authentication system where users can grant access to their account data without disclosing their credentials to that service. The user first logs in to their Google account and then permits the third-party application to access specific resources using an access token. The application then uses this token to access the authorized resources on the user's behalf without needing the user to provide their login credentials again.
Step 1: Log into the APIs & Services page on the Google Cloud platform: https://console.developers.google.com/apis/credentials
Step 2: Click the project pulldown menu.
Step 3: Click NEW PROJECT.
Step 4: Enter a project name and click Create.
Step 5: Click the OAuth consent screen in the left nav bar.
Step 6: Validate that the user type is "internal" and click EDIT APP.
Step 7: Enter a value for the App name, select a value for the User Support email from the pulldown menu, and enter an email address for the Developer contact information. Click SAVE AND CONTINUE.
Step 8: Click ADD OR REMOVE SCOPES.
Step 9: Add the following scopes: email, profile, and openid. Click Update.
Step 10: Click Credentials from the left main menu.
Step 11: Click CREATE CREDENTIALS and then select OAuth client ID.
Step 12: Select Web application as the Application Type.
Step 13: Click ADD URI under the "Authorized JavaScript origins" header and enter the PlexTrac UI URL (i.e., http://app.plextrac.com).
Step 14: Click ADD URI from "Authorized redirect URIs," insert the PlexTrac URL, and add "/api/v2/authenticate/google
" at the end of the url used in Step 10. Click CREATE.
Step 15: Copy the values provided for Your Client ID and Your Client Secret. Click Ok.
Step 16: Log in to PlexTrac as an admin.
Step 17: Navigate to the Account Admin page. Click Security under "Security & User Management."
Step 18: Click Authentication Methods under "Authentication."
Step 19: From the OAuth Providers tab, select "Google" from the dropdown menu under "Authentication Providers.
Step 20: For the Provider URL, enter https://accounts.google.com. Enter the Client ID value into the "Identifier" field and the Client Secret value obtained earlier from previous steps into the "Secret" field. Toggle on the Enabled button. Click Save.
Step 21: Return to "Security & User Management" and click Users.
Step 22: Under the column header "Authentication Provider," select the desired user and change the value to "Google."
Each user has to be configured individually.
Okta OAuth is a secure authorization protocol that Okta, a cloud-based identity and access management service, allows users to grant third-party applications access to their Okta resources without sharing their username and password.
OAuth provides a token-based authentication system where users can grant access to their Okta resources without disclosing their credentials to that service. The user first logs in to their Okta account and then permits the third-party application to access specific resources using an access token. The application then uses this token to access the authorized resources on the user's behalf without needing the user to provide their login credentials again.
PlexTrac only supports IDP-initiated integration through SAML. If using IDP Okta outside of a SAML-based authentication, PlexTrac does not support but recommends SP-initiated SSO.
Step 1: Log in to Okta.
Step 2: Click Applications in the admin panel.
Step 3: Click Add Application.
Step 4: Click Create New App and fill out the form. For Platform, choose "Web." For the Sign-on method, select "OpenID Connect." Click Create.
Step 5: Enter a value for the Application name and add {{ your_domain }}/api/v2/authenticate/okta
to Login redirect URIs. Click Save.
Step 6: On the next page, copy values for Client ID and Client secret for later use.
Step 7: Click the Sign On tab, copy the value for Issuer, and save for later. This will be later used in PlexTrac as the Provider URL.
Step 8: Log in to PlexTrac as an admin.
Step 9: Navigate to the Account Admin page. Click Security under "Security & User Management."
Step 10: Click Authentication Methods under "Authentication."
Step 11: From the OAuth Providers tab, elect "Okta" from the dropdown menu under "Authentication Providers."
Step 12: Enter values for the fields Provider URL, Identifier, and Secret obtained from earlier steps.
Step 13: Toggle on the Enabled button. Click Save.
Step 14: Return to "Security & User Management" and click Users.
Step 15: Under the column header "Authentication Provider," select the desired user and change the value to "Okta."
Each user has to be set individually.
The General Authentication Settings page is used to turn on or off the settings that require Multi-factor Authentication for all users.
Administrators can tailor roles and permissions within the PlexTrac platform according to their specific requirements. This customization allows for efficient management of user access and privileges, ensuring a secure and organized environment.
If custom roles are required, create them before adding users. Otherwise, new users will need to be assigned to an existing role, and adding the custom role later will be an additional step.
When creating custom roles, PlexTrac provides the following recommendations:
Create a role without any permissions to assign unused or intermittent access users. By implementing this practice, administrators can prevent unnecessary access to sensitive information or critical functionalities, mitigating potential risks of granting unnecessary permissions.
Use the Principle of Least Privilege when assessing role permissions. This principle advocates granting users the minimum access required to perform their designated tasks effectively. By adhering to this principle, administrators can significantly reduce the attack surface and the potential impact of security breaches, enhancing the overall security posture of the system.
Conduct periodic user and role audits for an accurate user access posture. Regular user and role audits are essential to maintaining a secure user access environment. Periodic audits allow administrators to review and verify the permissions assigned to each user, ensuring that access rights align with individuals' current roles and responsibilities. This process helps identify deviations or discrepancies, providing the user access posture remains accurate and up-to-date.
When assigning roles to a user, giving each role a unique name is essential. Although PlexTrac generates a unique ID for each role in the backend, the user interface may display seemingly identical values, leading to confusion, as shown below.
Step 1: From the Role Based Access page under "Security" in the Admin Dashboard, click Create Role.
Step 2: Enter the fields provided on the page. Role Name and Role Description are required.
Templates as Baseline: Select the desired baseline template from the drop-down menu when creating a new role.
Role Name: This required field is the role's name and will appear on the Role Based Access page.
Enabled: This feature displays if the role is activated and provides a simple way to disable access temporarily.
Description: A brief description of the role (required).
Users Assigned: Place the cursor in the box and type a user to find and associate users to this role. If a user already belongs to another role, additional screens will appear to disable the previous role or inherit an additional role to existing permissions.
User List: Assigned users will appear in a list under the User Assigned box. They can be deleted by hovering over the name with the cursor and clicking the red trash can icon.
All users MUST be assigned to at least one role, and the platform will provide an error message if an attempt is made to disable a role that contains a user with no other assigned roles.
Step 3: Scroll down the page to select/deselect permissions for the role by clicking the provided tasks to define permissions. A purple button means permission has been given for the role, while a grey button means no permission has been enabled. Clicking a purple button again greys it out and disables authorization.
In this example, all permissions except the ability to manage style guides and access to the admin dashboard where the style guides are managed were removed.
Step 4: Click Save.
A summary page appears to review the list of users and permissions. Click Edit to adjust.
The new role is listed, along with the number of users assigned and configured permissions.
Every role will have at least five permissions displayed on this page, even if no tasks are enabled due to permissions that cannot be configured. For example, if two task buttons were enabled, a number of "7" will show as the total enabled permissions.
The Role Based Access (RBAC) button under "Security" in the Admin Dashboard gives administrators granular control over permissions within PlexTrac, such as actions allowed for a specific user, permissions for customers, access to client data, and report access that restricts viewing sensitive data.
PlexTrac applies roles that consider the tenant (instance) and client. This enables teams to grant users the privileges required to accomplish tasks for specific clients.
A user’s tenant role governs what portions of the platform they can access, including the modules, tools, and UI elements presented for use. A user’s permissions can be further scoped in the context of individual clients. Users must have a role in the context of each client.
PlexTrac has three default roles: Administrator, Standard User, and Analyst.
An icon within the RBAC list identifies permissions that require a license.
For a tenancy, a license can be in different states:
A valid key: In this scenario, no banner message will appear.
An invalid license key: In this scenario, a banner appears (when adding users or viewing a role within the Admin Dashboard), and the admin needs to contact licensing@plextrac.com.
More licenses needed: This scenario applies to situations where the number of licenses remaining is three or fewer, and the admin should contact licensing@plextrac.com. A banner appears when adding users or viewing a role within the Admin Dashboard.
No license key: This scenario could apply to a new instance, and the admin needs to contact licensing@plextrac.com. No banner message is provided.
Platform-wide permissions include access to specific modules (WriteupsDB, Assessments, etc.), the Account Admin section, platform settings, and user management. These permissions are specific to platform access and assigned in the Role Based Access area of the Admin Dashboard.
Users may be assigned to more than one role. Tenant permissions are additive. Adding users to a less-privileged role does not remove other roles or restrict permissions.
Within a tenancy, the following business rules apply:
Administrator: A tenant administrator can access all tools, modules, and UI elements on the platform (all aspects of the Admin Dashboard).
Standard User: A standard user can access all modules and UI elements outside the Admin Dashboard.
Analyst: An analyst user cannot access the Content Library or Runbooks modules. Additionally, most UI elements that provide create or edit capabilities are unavailable.
Admin user permissions can be viewed by clicking the Administrator box on the Security: Role Based Access page.
An administrator is PlexTrac's highest permission role, and admins have complete control and access over every application part.
Click the Standard User box on the Security: Role Based Access page to view standard user permissions.