Creating and Managing Roles

Roles #

Roles allow you to finely control access to the Lucidum system. A role combines:

• a set of Rights for tasks in Lucidum

• a set of Field Permissions to view data that is ingested by Lucidum

Lucidum includes default roles.

You can also create custom roles to meet your needs.

Default Roles #

Lucidum includes default roles.

NOTE: Although you cannot delete or edit these default roles, you can use them as a template for new roles.

• Admin. This role allows access to all rights and all data in Lucidum and is appropriate for the users who administer Lucidum.

• API Users. This role allows access to the Lucidum API and all data in Lucidum.

• IT Operations. This role is for IT and security operations staff and includes rights that an operations user would need and access to all data in Luciudm.

• Lucidum Support (Lucidum internal role only). This is a role assigned to Lucidum support staff and includes the rights a support user would need to maintain a Lucidum system and access to all data in Lucidum.

How Do Roles Affect User Experience? #

• Rights define the actions you can perform in Lucidum.

• Field Permissions define what you can see in Lucidum.

The following sections describe how Rights and Field Permissions affect what a user can see and do in Lucidum.

Dashboards #

To view dashboards, a user must have at least one of the following Rights:

• Manage Dashboards and Charts. Grants access to create, update, and delete Dashboards and Charts

• View Dashboards. Grants access to view Dashboards.

NOTE: Unless you have the Administrator role, you cannot edit dashboards created by other users.

If a user does not have Field Permissions for all fields displayed in a chart, the user will see the message “You do not have permissions required to view this chart”.

Queries #

To view dashboards, a user must have at least one of the following Rights:

• Manage Query Builder API. Grants access to create, update, or delete Queries.

If a user does not have Field Permissions for all fields, the Query Builder displays grayed-out fields.

Actions #

To view actions, a user must have at least one of the following Rights:

• Start Runner. Grants access to the Actions page and allows you to create and edit actions.

NOTE: Unless you have the Administrator role, you cannot edit actions created by other users.

If a user does not have Field Permissions for all fields in the base query, the existing action is grayed-out.

When creating an action, in Details page, in the Output Fields, users can select only fields they have Field Permissions for.

If a user does not have Field Permissions for all fields in the base query, the existing action is grayed-out.

Data Sources #

To view dashboards, a user must have at least one of the following Rights:

• Manage Dashboards and Charts. Grants access to create, update, and delete Dashboards and Charts

• View Dashboards. Grants access to view Dashboards.

When drilling down into the links in the Data Source page, if a user does not have Field Permissions for all fields displayed in the page, lock icons appear in place of the data.

Viewing Roles #

To view the list of existing roles:

1. Navigate to Settings > User Roles.

2. The User Roles page appears:

   

3. The User Roles page displays the following about each role:

   • Name. Name of the role.

   • Occupants. Number of users using the role.

   • Rights. Permissions to perform different actions in Lucidum There are a total of 36 rights.

   • Asset. The number of asset fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.

   • Asset IP.  The number of asset-IP mapping fields the role allows you to view. The total number of asset fields is usually six (6), but differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.

   • User. The number of users fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.

   • User IP. The number of user-IP mapping fields the role allows you to view. The total number of asset fields is usually six (6), but differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.

   • Vulnerability. The number of vulnerability fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.

   • Edit (pencil icon). Edit the role.

   • Delete (trashcan icon). Delete the role. You can delete only roles that are not in use by users.

4. To see details about a role, click the expand (down-arrow) icon.

   

5. To see details about Occupants, Rights, Asset data, Asset IP data, User data, User IP data or Vulnerability data for the role, click the expand (down arrow) icon again.

   

Adding a Custom Role #

To add a custom role:

1. Navigate to Settings > User Roles.

2. In the User Roles page, click the plus-sign (+) in the upper right corner.

3. The Add User Role page appears.

   

4. In the Add User Role page, enter the following:

   • Role Name. Enter a name for the custom role.

   • Select Existing Role to Compare. Optionally, you can select a role to use as a template. The Rights pane and Permissions panes display an additional column of checkboxes so you can see what is selected and unselected for the existing role.

   • Rights. Assign permissions to the custom role.

     • To assign a right, click on its checkbox .

     • To remove a right, un-click on its checkbox.

• • Permissions. You can limit the data sources that a role can access.

    • To assign a field permission to a role, click on its checkbox.

    • To remove a field permission from a role, un-click its checkbox.

NOTE: All existing roles and new roles have Data Source Details and Data Sources selected by default. These permissions cannot be removed from a role.

5. Click Add to save the new role.

Editing a Role #

You cannot edit the name of an existing role. But you can edit the permissions and the data sources associated with an existing role.

1. Navigate to Settings > User Roles.

2. In the User Roles page, find the role you want to edit. Click its edit (pencil) icon.

3. The Edit Role page appears.

   

4. In the Edit Role page, you can edit one or more of the following:

   • Rights. Expand the Rights pane to add or remove rights for the role.

     • To assign a right, click on its checkbox .

     • To remove a right, un-click on its checkbox.

   • Permissions. Expand a Permissions pane to add or remove field Permissions for the role. You can edit the field Permissions for Asset, Asset-IP, User, User-IP, and Vulnerability.

     • To assign a permission, click on its checkbox.

     • To remove a permission, un-click on its checkbox.

5. Click Save (disc icon) to save changes to the role.

Deleting a Role #

To delete a role:

1. Navigate to Settings > User Roles.

2. In the User Roles page, find the role you want to delete.

   

3. Click its delete (trash can) icon.

Default Roles #

Admin #

This role allows access to all rights in Lucidum and is appropriate for the users who administer Lucidum.

This role includes all rights.

This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.

Right	Description
API Operator	Grants access to interact with the API
Manage Actions	Deprecated (no longer in use)
Manage Customized Queries	Deprecated (no longer in use)
Manage Dashboards and Charts	Grants access to create, update, and delete Dashboards and Charts
Manage Data Mapping	Deprecated (no longer in use)
Manage DataQC API	Grants access to create, update, or delete DataQCs
Manage License API	Grants access to create or update a License
Manage Permissions API	Grants access to create, update, or delete Permissions
Manage Query Builder API	Grants access to create, update, or delete Queries
Manage Roles	Grants access to create, update, or delete Roles
Manage System Settings API	Grants access to modify System Settings
Manage Users API	Grants access to create, update, and delete Users
Schedule	Deprecated (no longer in use)
Search	Deprecated (no longer in use)
Start Runner	Grants access to start a Runner
Stop Runner	Deprecated (no longer in use)
View Actions	Deprecated (no longer in use)
View Chart Information	Deprecated (no longer in use)
View Connections	Deprecated (no longer in use)
View Customized Queries	Deprecated (no longer in use)
View Dashboards	Grants access to view Dashboards
View Data Mapping	Deprecated (no longer in use)
View Data Mapping	Deprecated (no longer in use)
View Data QCs	Deprecated (no longer in use)
View Field Display	Deprecated (no longer in use)
View Homepage	Grants access to view the Homepage
View License	Grants access to view License information
View License Settings	Grants access to view the License Settings tab
View Python Runner	Deprecated (no longer in use)
View Settings	Grants access to view the Settings page
View System Log	Deprecated (no longer in use)
View System Settings	Grants access to view System Settings
View System Settings	Grants access to view System Settings and Tunnel Proxy Settings tabs
View System Stats	Deprecated (no longer in use)
View System Usage	Deprecated (no longer in use)
View User Management	Grants access to view the User Management Settings tab

API Users #

This role allows access to the Lucidum API.

This role allows access to the following rights in Lucidum and is appropriate for the users who implement APIs.

This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.

IT Operations #

This role is for IT and security operations staff.

This role allows access to the following rights in Lucidum and is appropriate for the users who implement APIs.

This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.

This is a role assigned to Lucidum support staff, to maintain customer systems.

This role allows access to the following rights in Lucidum and is appropriate for Lucidum employees who maintain customer systems.

This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.

All Rights #

The following table describes all the permissions you can assign to a role.