The Security & User Management section allows admins to manage authentication, multi-factor prompts, user groups, access permissions, report access, and user account settings.
Security & User Management contains the following sections:
The Authentication section under "Security" in the Admin Dashboard has two subsections: Authentication Methods and General Authentication Settings. This section enables admins to configure OAuth/OpenID and SAML providers.
The Authentication Methods page integrates PlexTrac with a third-party tool like Duo or Azure to authenticate and authorize access to PlexTrac.
Visit the Authentication Methods section for detailed instructions on configuration and setup.
The General Authentication Settings page is used to turn on or off the settings that require Multi-factor Authentication for all users.
Administrators can tailor roles and permissions according to their specific requirements within the PlexTrac platform. This customization allows them to manage user access and privileges efficiently, ensuring a secure and organized environment.
If custom roles are required, create these before adding users. Otherwise, new users will need an assignment to an existing role, and adding the custom role later will be an additional step.
When creating custom roles, PlexTrac provides the following recommendations:
Create a role without any permissions and assign it to users whose access is unused or intermittent. By implementing this practice, administrators can prevent unnecessary access to sensitive information or critical functionalities, mitigating the risks of granting permissions that are not needed.
Use the Principle of Least Privilege when assessing role permissions. This principle advocates granting users the minimum access required to perform their designated tasks effectively. By adhering to this principle, administrators can significantly reduce the attack surface and the potential impact of security breaches, enhancing the overall security posture of the system.
Conduct periodic user and role audits for an accurate user access posture. Regular user and role audits are essential to maintaining a consistently secure user access environment. Periodic audits allow administrators to review and verify the permissions assigned to each user, ensuring that access rights align with individuals' current roles and responsibilities. This process helps identify deviations or discrepancies, ensuring the user access posture remains accurate and up-to-date.
When assigning roles to a user, it is essential to give each role a unique name. Although PlexTrac generates a unique ID for each role in the backend, the user interface may display seemingly identical values, leading to confusion: if two roles are created with the same name, they cannot be differentiated in the pulldown menu, which is why it is best practice to use unique role names.
Step 1: From the Role Based Access page under "Security" in the Admin Dashboard, click Create Role.
Step 2: Enter the fields provided on the page. Role Name and Role Description are required.
Templates as Baseline: Select the desired baseline template from the drop-down menu when creating a new role.
Role Name: This required field is the role's name and will appear on the Role Based Access page.
Enabled: This feature displays if the role is activated and provides a simple way to disable access temporarily.
Description: A brief description of the role (required).
Users Assigned: Place the cursor in the box and type a user name to find and associate users with this role. If a user already belongs to another role, additional screens appear offering to disable the previous role or to add this role alongside the user's existing permissions.
User List: Assigned users appear in a list under the Users Assigned box. They can be removed by hovering over the name with the cursor and clicking the red trash can icon.
All users MUST be assigned to at least one role, and the platform will provide an error message if an attempt is made to disable a role that contains a user with no other assigned roles.
Step 3: Scroll down the page to select/deselect permissions for the role by clicking the provided tasks to define permissions. A purple button means permission has been given for the role, while a grey button means no permission has been enabled. Clicking a purple button again greys it out and disables authorization.
In this example, all permissions except the ability to manage style guides and access to the admin dashboard where the style guides are managed were removed.
Step 4: Click Save.
A summary page appears to review the list of users and permissions. Click Edit if necessary to adjust.
The new role is listed with the number of users assigned and permissions.
Every role shows at least five permissions on this page, even when no tasks are enabled, because some permissions cannot be configured. For example, if two task buttons are enabled, the total enabled permissions shows as "7".
The Authorization button under "Security" in the Admin Dashboard allows user group membership and roles to be managed.
This page lists all users (first and last name), email/username, role, classification level, and if they belong to the default group.
Users in the list can be found via search, filtered by client, or sorted by first name, last name, or email/username.
The Default Group is the collection of users granted access to all clients by default. Adding users to this group automatically grants them access to all existing and new clients as they are created.
Removing a user from the Default Group does not remove previously granted client access and only removes the automatic assignment to new clients.
This task is for existing users. This is not the process for adding users to PlexTrac. Users can also be added to clients directly from the Clients module.
Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.
Step 2: A new button for adding users appears. Click Add/Authorize User.
Step 3: Select the user from the "User" pulldown menu or begin typing to filter the provided list.
Step 4: Assign the appropriate role from the "Role" pulldown menu, and, if applicable, assign a classification level.
Repeat as needed by clicking Add User.
Step 5: Click Save.
Roles can also be managed directly from the Authorization page.
Step 1: From the Authorization page in the Admin Dashboard, select a client from the pulldown menu.
Step 2: Click the pulldown menu under the "Role" column for the user to be changed and select the new role.
When classification tiers have been enabled (configured in Admin Dashboard > Security > Classification Tiers), a "Classification Level" column appears on the Authorization page, allowing a tier to be set for each user per client, which further restricts what that user can see for that client.
If the feature is not enabled, the column does not appear.
The Users button under "Security & User Management" in the Admin Dashboard allows an admin to view user information and last login date, add users, change passwords, manage authentication providers, lock users, manage MFA per user, disable users, and delete users.
First Name: The user's first name.
Last Name: The user's last name.
Email: The user's email address, used to send notifications and account-related emails.
Uses License: Identifies if the person is considered a licensed user.
Tenant ID: The ID of the tenant that the user belongs to.
User ID: The unique ID of the user.
Last Login: The date stamp that the user last logged in.
Authentication Provider: The provider used to authenticate the user.
Change Password: Clicking this will send a password reset email to the email address provided. A warning message will appear to confirm the action.
Account Locked: PlexTrac locks a user out after multiple failed login attempts to protect against brute-force attacks. When a user is locked out, this field is no longer greyed out and the toggle switches on to show the lockout. An admin can then use the toggle to unlock the user.
MFA Enabled: Shows whether MFA is enabled for the user, whether it was enabled by an admin at the global level or by the user individually. An admin can disable MFA here if a user loses a token and needs to reset MFA.
User Disabled: This prevents a user from logging in when access needs to be temporarily restricted.
Delete: This removes a user from PlexTrac and is used when access needs to be removed permanently.
Each user added to a licensed role is considered a paid user. When a role is licensed, an icon will appear at the end of the role title (regardless of the number of licenses available).
Roles that use a license are also identified on the RBAC page.
Visit the RBAC page for information on the various messaging related to licensed users and their relationship to permissions.
If a user is added to a role that requires a license but no more seats exist, an error message appears.
Disabled paid users count towards the total user license. To remove a user from the count, a user must be disabled and removed from any assigned paid roles.
Users can be added via the platform or a CSV file template.
If custom roles are required, create these before adding users. Otherwise, new users will need an assignment to an existing role, and adding the custom role later will be an additional step.
Step 1: From the Users page of the Admin Dashboard, under "Security & User Management," click Add Users.
Step 2: Enter the user's email, first name, last name, role, and classification level (if applicable), as well as identify whether the user should belong to the Default Group.
The Default Group is a collection of users who, by default, have access to all clients in PlexTrac. When a user is added to the Default Group, they are granted access to all existing clients, and when a new one is created, they are automatically assigned access.
Removing a user from the Default Group does not remove previously granted client access but only removes the automatic assignment to new clients.
Step 3: Click Add User to repeat the process and add more users. When finished, click Create user.
A message will appear confirming the addition, and the new user will appear on the Users page.
Users also can be created in bulk using a CSV template.
To download the template with four sample values, click the file here:
The CSV file has five fields to collect user information to be imported:
Step 1: Download the PlexTrac Users CSV Template.csv file, delete the sample values, and enter the user information to import.
If any custom roles exist in the CSV file not currently in PlexTrac, add them now before continuing to reduce rework.
Step 2: From the Users page of the Admin Dashboard, under "Security & User Management," click Add Users.
Step 3: A modal appears. Click Import users from CSV.
Step 4: A window opens to select the CSV file from the computer. Select the file to import.
Step 5: The information in the CSV file is imported into the "Add New Users" window for review.
Step 6 (optional): If standard roles were used, no changes are needed. If a custom role was assigned to an imported user, manually select it by clicking the "Role" pulldown menu for the impacted user and selecting the desired custom role value.
Step 7: The tool may retain a blank row at the top that must be removed before importing. Click Delete for that row.
Step 8: Click Create X users.
A message will appear confirming users were added (the time required depends on the number of users). The users will appear on the page.
Password reset emails can be sent to users by clicking the green circle icon under the "Change Password" column for the desired user.
A dialog box will appear asking for confirmation. Click Send Password Email.
The Role Based Access (RBAC) button under "Security" in the Admin Dashboard gives administrators granular control over permissions within PlexTrac, such as actions allowed for a specific user, permissions for customers, access to client data, and report access that restricts viewing sensitive data.
PlexTrac applies roles considering the tenant (instance) and client. This enables teams to grant users the privileges required to accomplish tasks for specific clients.
A user’s tenant role governs what portions of the platform they can access, including the modules, tools, and UI elements presented for use. A user’s permissions can be further scoped in the context of individual clients. Users must have a role in the context of each client.
PlexTrac has three default roles: Administrator, Standard User, and Analyst.
The Security: Role Based Access page includes permission settings on the following topics, which themselves may have additional subtopics allowing for further refinement:
- Administration Permissions
  - Administration Access
  - Account Information
  - Custom Templates
  - Email Settings
  - General Settings
  - Integration Settings
  - Parser Actions
  - License Management
  - Security
  - Style Guides
  - Tags Management
- Analytics Permissions
  - Analytics Access
- Assessments Permissions
  - Assessment Questionnaires Management
  - Assessments Access
  - Assessment Reviewers
- Client Permissions
  - Client Access
  - Client Asset Management
  - Client Management
- Reports Permissions
  - Report Access
  - Report Artifacts
  - Report Findings
  - Report Procedures
- Runbooks Permissions
  - Runbooks Access
  - Runbooks Methodologies
  - Runbooks Procedures
  - Runbooks Tactics
  - Runbooks Techniques
  - Runbooks Engagements
  - Runbooks Testplans
- Customizations
  - Customizations Access
- Content Library Permissions
  - NarrativesDB
  - WriteupsDB
  - RunbooksDB
- Priorities Permissions
  - Priorities
An icon within the RBAC list identifies permissions that require a license.
For a tenancy, a license can be in different states:
A valid key: In this scenario, no banner message will appear.
An invalid license key: In this scenario, a banner appears (when adding users or viewing a role within the Admin Dashboard), and the admin needs to contact licensing@plextrac.com.
More licenses needed: This scenario applies to situations where the number of licenses remaining is three or fewer, and the admin should contact licensing@plextrac.com. A banner appears when adding users or viewing a role within the Admin Dashboard.
No license key: This scenario could apply to a new instance, and the admin needs to contact licensing@plextrac.com. No banner message is provided.
Platform-wide permissions include access to specific modules (WriteupsDB, Assessments, etc.), the Account Admin section, platform settings, and user management. These permissions are specific to platform access and assigned in the Role Based Access area of the Admin Dashboard.
Users may be assigned to more than one role. Tenant permissions are additive. Adding users to a less-privileged role does not remove other roles or restrict permissions.
Within a tenancy, the following business rules apply:
Administrator: A tenant administrator can access all tools, modules, and UI elements on the platform (all aspects of the Admin Dashboard).
Standard User: A standard user can access all modules and UI elements outside the Admin Dashboard.
Analyst: An analyst user cannot access the Content Library or Runbooks modules. Additionally, most UI elements that provide create or edit capabilities are unavailable.
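The two rules that trip up role audits most often are that tenant permissions are additive (a second, less-privileged role never takes anything away) and that a disabled user still consumes a license until removed from paid roles. The following Python script is an added example, not PlexTrac code or API: it runs the periodic user-and-role review recommended earlier on this page over a constructed tenant snapshot. Permission names come from the RBAC list above; the roles, users, and which custom roles are licensed are assumptions made for the example.

```python
# Constructed tenant snapshot for the audit. Permission names are taken from the
# RBAC permission list on this page; roles, users and licensing are made up.
ROLES = {
    "Administrator": {"licensed": True, "enabled": True, "permissions": {
        "Administration Access", "Security", "License Management",
        "Client Access", "Report Access", "Report Findings", "Runbooks Access"}},
    "Standard User": {"licensed": True, "enabled": True, "permissions": {
        "Client Access", "Report Access", "Report Findings", "Runbooks Access"}},
    "Analyst": {"licensed": True, "enabled": True, "permissions": {
        "Client Access", "Report Access"}},
    # Custom role like the style-guide example earlier on this page: admin
    # dashboard access only as far as needed for style guides. Licensing assumed.
    "Style Guide Editor": {"licensed": False, "enabled": True, "permissions": {
        "Administration Access", "Style Guides"}},
    # Zero-permission parking role for intermittent-access users.
    "Parked": {"licensed": False, "enabled": True, "permissions": set()},
}

USERS = {
    "alice": {"roles": ["Administrator"], "disabled": False},
    "bob":   {"roles": ["Analyst", "Style Guide Editor"], "disabled": False},
    "carol": {"roles": ["Parked"], "disabled": False},
    "dave":  {"roles": ["Standard User"], "disabled": True},
    "erin":  {"roles": [], "disabled": False},
}

# Permissions an auditor would want to see listed explicitly (assumption).
ADMIN_PERMS = {"Administration Access", "Security", "License Management"}


def effective_permissions(user, roles=ROLES, users=USERS):
    """Union of the permissions of the user's enabled roles: additive, never subtractive."""
    perms = set()
    for name in users[user]["roles"]:
        if roles[name]["enabled"]:
            perms |= roles[name]["permissions"]
    return perms


def licensed_seats_in_use(roles=ROLES, users=USERS):
    """Distinct users holding any licensed role. A disabled user still counts
    until they are also removed from their paid roles."""
    return sorted(u for u, rec in users.items()
                  if any(roles[r]["licensed"] for r in rec["roles"]))


def role_disable_blockers(role, roles=ROLES, users=USERS):
    """Users who would be left with no role if `role` were disabled; the
    platform refuses the toggle while such users exist."""
    return sorted(u for u, rec in users.items()
                  if role in rec["roles"] and len(rec["roles"]) == 1)


def audit(roles=ROLES, users=USERS):
    """Periodic user/role review: the findings an admin would put on a checklist."""
    findings = {"no_role": [], "parked_only": [], "admin_access": [],
                "disabled_but_licensed": []}
    for u, rec in sorted(users.items()):
        perms = effective_permissions(u, roles, users)
        if not rec["roles"]:
            findings["no_role"].append(u)          # violates "at least one role"
        elif not perms:
            findings["parked_only"].append(u)      # candidate for removal or re-enablement
        if perms & ADMIN_PERMS:
            findings["admin_access"].append(u)     # review against least privilege
        if rec["disabled"] and any(roles[r]["licensed"] for r in rec["roles"]):
            findings["disabled_but_licensed"].append(u)  # still burning a seat
    return findings


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:<6} effective: {sorted(effective_permissions(user))}")
    print("licensed seats in use:", licensed_seats_in_use())
    print("audit findings:", audit())
```

Note that bob picks up "Administration Access" through the custom role even though his other role is Analyst; that is the additive behaviour the text describes, and it is why the audit lists him under admin access.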
Admin user permissions can be viewed by clicking the Administrator box on the Security: Role Based Access page.
An administrator is PlexTrac's highest permission role, and admins have complete control and access over every part of the application.
Click the Standard User box on the Security: Role Based Access page to view standard user permissions.
The differences between Standard User and Administrator roles:
- No access to Administration Access
- No access to Account Information
- No access to Custom Templates
- No access to Email Settings
- No access to General Settings
- No access to Integration Settings
- No access to Parser Actions
- No access to License Management
- No access to Security
- No access to Style Guides
- No access to Tags Management
- View-only permissions for client users (cannot create or delete client users)
- View-only permissions on Customizations (cannot create, edit, or remove)
- Cannot manage repositories in the Content Library
- View-only ability on Priorities (cannot create, delete, or edit)
- View-only ability on priority scoring equations (cannot create, delete, or edit)
Analyst user permissions can be viewed by clicking the Analyst box on the Security: Role Based Access page.
Analysts have the same restrictions as Standard Users, plus the following:
- View-only permissions for assessment questionnaires
- Cannot delete assessments
- Cannot add or remove reviewers from assessments
- Cannot create or delete clients
- Can only view client assets (cannot create, import, delete, or edit assets)
- Cannot manage client users
- Can only view or export reports
- Can only update or view report findings
- Cannot access report procedures
- Can only view runbook engagements (no access to other sections of runbooks)
- Cannot access the Content Library
Client-based permissions are specific to using and accessing Clients, Reports, and Findings. These permissions are assigned on a client level, and more information can be found by visiting Add User to Client.
The role assigned to a user at the client level sets the client, reports, and findings permissions for that client.
In the context of a client, the following business rules apply:
Administrator: A client administrator can edit any data associated with the client, such as the client record, assets, and reports, and manage access of client users.
Standard User: A standard user can edit any data associated with the client, such as the client record, assets and reports.
Analyst: An analyst user can view client assets and related data, reports in published status, upload and delete artifacts in reports, and change the remediation status of findings.
An audit log records events or activities within PlexTrac. Its primary purpose is to provide a chronological and detailed account of actions taken by users and processes, along with relevant information such as timestamps, user IDs, and specific event details.
The audit log is found under the Audit log button of the Admin Dashboard under "Security & User Management."
The following key actions are recorded in the audit log:
- Logins (successful, failed, lockouts, etc.)
- Password changes
- User creation/deletion/updates
- Unauthorized access attempts (e.g., someone tried to view a report that they were not allowed to see)
- RBAC changes (e.g., a user is assigned to a client)
The page defaults to the most recent events and lists the user, event, and time of the action. Use the filters above to narrow the dates of the events or search for a specific event.
For example, to find users who changed their password in the past month, click the box for "Start date" and select the past 30 days, then type "password" into the search box.
The list of events presented on the page dynamically updates.
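The filter-and-search workflow above is what an admin does by hand; an exported log can be reviewed the same way in code. The following Python script is an added example, not PlexTrac code, and the entries it runs over are constructed. The event names (`login.failed`, `password.changed`, and so on) are this example's own labels for the action categories the page lists, not PlexTrac's event strings, and the fixed reference time exists only to make the example reproducible.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit entries. Event names are this example's own labels for the
# categories the page lists; they are not PlexTrac's event strings.
AUDIT_LOG = [
    {"time": "2024-06-01T08:00:00+00:00", "user": "alice", "event": "login.success", "detail": ""},
    {"time": "2024-06-02T09:15:00+00:00", "user": "bob", "event": "login.failed", "detail": "invalid credentials"},
    {"time": "2024-06-02T09:15:30+00:00", "user": "bob", "event": "login.failed", "detail": "invalid credentials"},
    {"time": "2024-06-02T09:16:00+00:00", "user": "bob", "event": "login.failed", "detail": "invalid credentials"},
    {"time": "2024-06-02T09:16:05+00:00", "user": "bob", "event": "login.lockout", "detail": "too many failed attempts"},
    {"time": "2024-05-15T12:00:00+00:00", "user": "dave", "event": "password.changed", "detail": ""},
    {"time": "2024-06-10T14:30:00+00:00", "user": "carol", "event": "password.changed", "detail": ""},
    {"time": "2024-06-20T16:45:00+00:00", "user": "bob", "event": "access.denied", "detail": "view report 'Q2 Pentest' (client Acme)"},
    {"time": "2024-06-25T10:00:00+00:00", "user": "alice", "event": "rbac.user_assigned", "detail": "bob -> client Acme as Analyst"},
    {"time": "2024-06-26T10:00:00+00:00", "user": "alice", "event": "user.created", "detail": "erin"},
]

# Fixed "now" so the 30-day window is reproducible (constructed).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def parse(entry):
    return datetime.fromisoformat(entry["time"])


def search_events(log, text, days=None, now=NOW):
    """The page's workflow: restrict to the last `days` (start-date filter),
    then keep entries whose event or detail contains `text`, newest first."""
    text = text.lower()
    cutoff = now - timedelta(days=days) if days is not None else None
    hits = [e for e in log
            if (cutoff is None or parse(e) >= cutoff)
            and (text in e["event"].lower() or text in e["detail"].lower())]
    return sorted(hits, key=parse, reverse=True)


def failed_login_summary(log, window=timedelta(minutes=10)):
    """Per-user failed-login and lockout counts, flagging tight bursts of
    failures (the pattern the lockout protection exists for)."""
    fails, lockouts = defaultdict(list), defaultdict(int)
    for e in log:
        if e["event"] == "login.failed":
            fails[e["user"]].append(parse(e))
        elif e["event"] == "login.lockout":
            lockouts[e["user"]] += 1
    summary = {}
    for user in set(fails) | set(lockouts):
        times = sorted(fails[user])
        burst = len(times) >= 3 and (times[-1] - times[0]) <= window
        summary[user] = {"failed": len(times), "lockouts": lockouts[user], "burst": burst}
    return summary


def unauthorized_access(log):
    """Users who tried to reach something their role does not permit."""
    return sorted({e["user"] for e in log if e["event"] == "access.denied"})


def rbac_changes(log):
    """Who changed role assignments, and what they changed."""
    return [(e["user"], e["detail"]) for e in log if e["event"].startswith("rbac.")]


if __name__ == "__main__":
    # The page's own example: password changes in the past 30 days.
    for e in search_events(AUDIT_LOG, "password", days=30):
        print(e["time"], e["user"], e["event"])
    print(failed_login_summary(AUDIT_LOG))
    print(unauthorized_access(AUDIT_LOG))
    print(rbac_changes(AUDIT_LOG))
```

A practical point the code makes explicit: the search is a substring match over both the event name and its detail, so the wording of the detail text decides what a search for "password" returns. Cross-checking the unauthorized-access entries against the RBAC changes (here, bob's denied report view precedes his assignment to the client) is the kind of correlation the audit log is meant to support.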
The fields of the PlexTrac Users CSV Template (referenced in the bulk import steps above):

CSV header | Required field? | Notes
---|---|---
email | yes | A valid email format is required.
first name | yes |
last name | yes |
role | no (defaults to "Standard User" if left blank or if a custom role is used) | Accepted values are the default PlexTrac roles: admin, standard user, and analyst. The values are not case-sensitive. NOTE: The backend value of STD_USER for the role of "standard user" is also valid. Custom role names can be used and will not break the import, but at this time any value beyond the standard values listed here maps to "Standard User" when the import is first loaded and requires manual intervention before completing the import (see the bulk import instructions above).
default group | no | Accepted values are TRUE (user belongs to the default group) and FALSE (user does not belong to the default group).
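Checking a CSV against these rules before uploading it avoids the manual fix-ups in the "Add New Users" window. The following Python script is an added example, not PlexTrac code or its import logic: it validates email shape, the required name fields, the role values (including the STD_USER backend value), and the TRUE/FALSE default-group flag, and it flags rows whose custom role will load as Standard User. The sample rows are constructed; the email regex is a simple shape check, not PlexTrac's validation; and treating the default-group flag case-insensitively is an assumption.

```python
import csv
import io
import re

# Constructed sample in the layout of the PlexTrac Users CSV Template
# (headers from the field table above; every row is made up for this example).
SAMPLE_CSV = """email,first name,last name,role,default group
alice@example.com,Alice,Anders,Admin,TRUE
bob@example.com,Bob,Baker,STD_USER,FALSE
carol@example,Carol,Chen,analyst,TRUE
dave@example.com,,Davis,Pentest Lead,FALSE
erin@example.com,Erin,Evans,,maybe
"""

EXPECTED_HEADER = ["email", "first name", "last name", "role", "default group"]

# Accepted built-in spellings (matched case-insensitively) and the role each maps to.
BUILTIN_ROLES = {
    "admin": "Administrator",
    "standard user": "Standard User",
    "std_user": "Standard User",   # backend value, also accepted by the import
    "analyst": "Analyst",
}

# Assumption: a simple shape check, not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_role(value):
    """Map a CSV role value to the role the import will load.

    Returns (role, needs_manual_review). Blank and unknown (custom) values both
    load as Standard User; custom names are flagged so the admin picks the
    real custom role from the Role pulldown before clicking Create.
    """
    key = value.strip().lower()
    if key == "":
        return "Standard User", False
    if key in BUILTIN_ROLES:
        return BUILTIN_ROLES[key], False
    return "Standard User", True


def validate_users_csv(text):
    """Validate every data row; return one result dict per row."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_HEADER:
        raise ValueError(f"unexpected header row: {reader.fieldnames}")

    results = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        cell = lambda k: (row.get(k) or "").strip()
        if not any(cell(k) for k in EXPECTED_HEADER):
            continue  # an all-blank row is the stray top row the UI asks you to delete
        errors, warnings = [], []

        email = cell("email")
        if not EMAIL_RE.match(email):
            errors.append("invalid email format")

        for field in ("first name", "last name"):
            if not cell(field):
                errors.append(f"missing required field '{field}'")

        role, manual = normalise_role(cell("role"))
        if manual:
            warnings.append(f"custom role '{cell('role')}' loads as Standard User; "
                            "reassign it in the Role pulldown before import")

        flag = cell("default group").upper()   # assumption: case-insensitive
        default_group = None
        if flag in ("TRUE", "FALSE"):
            default_group = flag == "TRUE"
        elif flag:
            errors.append(f"default group must be TRUE or FALSE, got '{cell('default group')}'")

        results.append({"line": line_no, "email": email, "role": role,
                        "default_group": default_group,
                        "errors": errors, "warnings": warnings})
    return results


def import_ready(results):
    """True only when no row carries a hard error (warnings still need a human)."""
    return all(not r["errors"] for r in results)


if __name__ == "__main__":
    rows = validate_users_csv(SAMPLE_CSV)
    for r in rows:
        status = "ERROR" if r["errors"] else ("REVIEW" if r["warnings"] else "ok")
        print(f"line {r['line']:>2} {r['email']:<20} {r['role']:<14} {status} {r['errors'] + r['warnings']}")
    print("ready to import:", import_ready(rows))
```

Rows with errors should be fixed in the file; rows with only a warning will import, but the custom role has to be selected by hand in step 6 of the bulk procedure, so the script lists them separately.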
The Classification Tiers button under "Security" in the Admin Dashboard is where the functionality for classification tiers is turned on or off.
Classification tiers functionality is turned off by default.
Classification tiers enable control for specific users to view and modify particular reports for a specific client. For example, most users may have access to a client and most reports, but a few users may require a higher classification tier to work on a report with more sensitive data.
Once turned on, PlexTrac provides three tiers by default (Tier 1, Tier 2, and Tier 3). The higher the classification level, the more restrictive it is (i.e., Tier 1 is the lowest). For example, everyone in Tier 2 has access to Tier 1, but Tier 2 users do not have access to Tier 3 reports.
Once enabled by toggling on, the default classification tier values and descriptions can be edited, and new ones can be created and managed.
Step 1: After enabling classification tiers, click Create Classification.
Step 2: Enter a classification tier name and description in the provided boxes. If ready to implement, toggle on the "Enabled" button.
Step 3: Click Save.
A message appears briefly confirming the addition of the new tier, which is placed at the top of the list by default as the most restrictive tier.
Step 4: If the new value's default placement at the top is inaccurate and needs adjustment, select and move the value's bar on the page to reflect its appropriate classification level in the existing tier structure.
Once a row is moved, the tiers dynamically reorder and display their new classification level (the bottom of the list will always be the least restrictive Level 1).
Step 5: Exit this page by clicking the breadcrumb Admin Dashboard.
Step 6: Click Security under "Security & User Management."
Step 7: Click Authorization.
Step 8: Select the desired client from the "Client" pulldown menu.
Step 9: Identify the user to configure, click the pulldown menu of the column "Classification Level," and select the appropriate value.
Step 10: Click the Reports module, select a report, and click the Details tab.
Step 11: Click the pulldown menu of "Report Classification" and select the appropriate tier value. Click Save.
Step 1: From the Classification Tiers page, click the value to edit.
Step 2: Make any edits and click Update Classification.
Classification tiers cannot be deleted. This is to protect against existing protected reports being unintentionally exposed. If a specific tier is no longer needed, however, it can be disabled (if to be used again in the future) or edited to reflect a new tier classification.
If classification tiers are disabled at the feature level, any previously classified reports will be exposed, as tier protection will no longer apply.
To disable the value from appearing as an option elsewhere in PlexTrac, toggle off the "Enabled" button and click Update Classification.
If disabling a classification tier, it may be necessary to refresh the browser for the value to disappear.
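The ordering rules in this section (top of the list is most restrictive, the bottom row is always Level 1, a new tier lands at the top, reordering renumbers the levels, tiers can be disabled but not deleted, and switching the feature off exposes every classified report) are easy to get wrong when reasoning about who can see what. The following Python class is an added example, not PlexTrac code, that models exactly those rules so an admin can check an intended tier layout before applying it. The tier names are the page's defaults; treating an unassigned user or an unclassified report as level 0, and continuing to enforce a disabled tier on reports that already carry it, are assumptions.

```python
class ClassificationTiers:
    """Model of the tier list as this page describes it (added example, not
    PlexTrac code): ordered top-to-bottom from most to least restrictive,
    bottom row is Level 1, and a new tier is inserted at the top."""

    def __init__(self, names, feature_enabled=True):
        self.feature_enabled = feature_enabled
        self.tiers = [{"name": n, "enabled": True} for n in names]

    def order(self):
        return [t["name"] for t in self.tiers]

    def level(self, name):
        """Bottom of the list is 1, each row above is one higher.
        None (no tier assigned / unclassified) is level 0 (assumption)."""
        if name is None:
            return 0
        return len(self.tiers) - self.order().index(name)

    def can_access(self, user_tier, report_tier):
        """A user sees a report when their level is at least the report's
        level (Tier 2 sees Tier 1 but not Tier 3). With the feature switched
        off entirely, tier protection no longer applies to any report."""
        if not self.feature_enabled:
            return True
        return self.level(user_tier) >= self.level(report_tier)

    def create(self, name):
        """New tiers land at the top as the most restrictive."""
        self.tiers.insert(0, {"name": name, "enabled": True})

    def move(self, name, new_index):
        """Drag a row to a new position; levels follow from the new order."""
        t = self.tiers.pop(self.order().index(name))
        self.tiers.insert(new_index, t)

    def set_enabled(self, name, enabled):
        """Tiers cannot be deleted; disabling only hides the tier from the
        pulldowns. Reports already at that tier keep their level (assumption)."""
        self.tiers[self.order().index(name)]["enabled"] = enabled

    def assignable(self):
        """Values offered in the Classification Level / Report Classification pulldowns."""
        return [t["name"] for t in self.tiers if t["enabled"]]


if __name__ == "__main__":
    ct = ClassificationTiers(["Tier 3", "Tier 2", "Tier 1"])
    print("Tier 2 user, Tier 1 report:", ct.can_access("Tier 2", "Tier 1"))  # True
    print("Tier 2 user, Tier 3 report:", ct.can_access("Tier 2", "Tier 3"))  # False
    ct.create("Tier 4")                 # arrives at the top as level 4
    ct.move("Tier 4", 2)                # dragged down: now level 2, Tier 2 becomes level 3
    print(ct.order(), {n: ct.level(n) for n in ct.order()})
    ct.feature_enabled = False
    print("feature off, Tier 1 user, Tier 3 report:", ct.can_access("Tier 1", "Tier 3"))  # True
```

The last line is the caveat from this section made concrete: turning the feature off does not lower any report's tier, it simply stops the check, so every previously classified report becomes readable by anyone with access to the client.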