Roles #
Roles allow you to finely control access to the Lucidum system. A role combines:
-
a set of Rights for tasks in Lucidum
-
a set of Field Permissions to view data that is ingested by Lucidum
Lucidum includes default roles.
You can also create custom roles to meet your needs.
Default Roles #
Lucidum includes default roles.
NOTE: Although you cannot delete or edit these default roles, you can use them as a template for new roles.
-
Admin. This role allows access to all rights and all data in Lucidum and is appropriate for the users who administer Lucidum.
-
API Users. This role allows access to the Lucidum API and all data in Lucidum.
-
IT Operations. This role is for IT and security operations staff and includes rights that an operations user would need and access to all data in Luciudm.
-
Lucidum Support (Lucidum internal role only). This is a role assigned to Lucidum support staff and includes the rights a support user would need to maintain a Lucidum system and access to all data in Lucidum.
How Do Roles Affect User Experience? #
-
Rights define the actions you can perform in Lucidum.
-
Field Permissions define what you can see in Lucidum.
The following sections describe how Rights and Field Permissions affect what a user can see and do in Lucidum.
Dashboards #
To view dashboards, a user must have at least one of the following Rights:
-
Manage Dashboards and Charts. Grants access to create, update, and delete Dashboards and Charts
-
View Dashboards. Grants access to view Dashboards.
NOTE: Unless you have the Administrator role, you cannot edit dashboards created by other users.
If a user does not have Field Permissions for all fields displayed in a chart, the user will see the message “You do not have permissions required to view this chart”.
Queries #
To view dashboards, a user must have at least one of the following Rights:
-
Manage Query Builder API. Grants access to create, update, or delete Queries.
If a user does not have Field Permissions for all fields, the Query Builder displays grayed-out fields.
Actions #
To view actions, a user must have at least one of the following Rights:
-
Start Runner. Grants access to the Actions page and allows you to create and edit actions.
NOTE: Unless you have the Administrator role, you cannot edit actions created by other users.
If a user does not have Field Permissions for all fields in the base query, the existing action is grayed-out.
When creating an action, in Details page, in the Output Fields, users can select only fields they have Field Permissions for.
If a user does not have Field Permissions for all fields in the base query, the existing action is grayed-out.
Data Sources #
To view dashboards, a user must have at least one of the following Rights:
-
Manage Dashboards and Charts. Grants access to create, update, and delete Dashboards and Charts
-
View Dashboards. Grants access to view Dashboards.
When drilling down into the links in the Data Source page, if a user does not have Field Permissions for all fields displayed in the page, lock icons appear in place of the data.
Viewing Roles #
To view the list of existing roles:
-
Navigate to Settings > User Roles.
-
The User Roles page appears:
-
The User Roles page displays the following about each role:
-
Name. Name of the role.
-
Occupants. Number of users using the role.
-
Rights. Permissions to perform different actions in Lucidum There are a total of 36 rights.
-
Asset. The number of asset fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.
-
Asset IP. The number of asset-IP mapping fields the role allows you to view. The total number of asset fields is usually six (6), but differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.
-
User. The number of users fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.
-
User IP. The number of user-IP mapping fields the role allows you to view. The total number of asset fields is usually six (6), but differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.
-
Vulnerability. The number of vulnerability fields the role allows you to view. The total number of asset fields differs depending on the data you have collected with Lucidum data connector and any Tags and Smart Labels you have created.
-
Edit (pencil icon). Edit the role.
-
Delete (trashcan icon). Delete the role. You can delete only roles that are not in use by users.
-
-
To see details about a role, click the expand (down-arrow) icon.
-
To see details about Occupants, Rights, Asset data, Asset IP data, User data, User IP data or Vulnerability data for the role, click the expand (down arrow) icon again.
Adding a Custom Role #
To add a custom role:
-
Navigate to Settings > User Roles.
-
In the User Roles page, click the plus-sign (+) in the upper right corner.
-
The Add User Role page appears.
-
In the Add User Role page, enter the following:
-
Role Name. Enter a name for the custom role.
- Select Existing Role to Compare. Optionally, you can select a role to use as a template. The Rights pane and Permissions panes display an additional column of checkboxes so you can see what is selected and unselected for the existing role.
-
Rights. Assign permissions to the custom role.
-
To assign a right, click on its checkbox .
-
To remove a right, un-click on its checkbox.
-
-
-
-
Permissions. You can limit the data sources that a role can access.
- To assign a field permission to a role, click on its checkbox.
-
To remove a field permission from a role, un-click its checkbox.
-
NOTE: All existing roles and new roles have Data Source Details and Data Sources selected by default. These permissions cannot be removed from a role.
-
Click Add to save the new role.
Editing a Role #
You cannot edit the name of an existing role. But you can edit the permissions and the data sources associated with an existing role.
-
Navigate to Settings > User Roles.
-
In the User Roles page, find the role you want to edit. Click its edit (pencil) icon.
-
The Edit Role page appears.
-
In the Edit Role page, you can edit one or more of the following:
-
Rights. Expand the Rights pane to add or remove rights for the role.
-
To assign a right, click on its checkbox .
-
To remove a right, un-click on its checkbox.
-
-
Permissions. Expand a Permissions pane to add or remove field Permissions for the role. You can edit the field Permissions for Asset, Asset-IP, User, User-IP, and Vulnerability.
-
To assign a permission, click on its checkbox.
-
To remove a permission, un-click on its checkbox.
-
-
-
Click Save (disc icon) to save changes to the role.
Deleting a Role #
To delete a role:
-
Navigate to Settings > User Roles.
-
In the User Roles page, find the role you want to delete.
-
Click its delete (trash can) icon.
Default Roles #
Admin #
This role allows access to all rights in Lucidum and is appropriate for the users who administer Lucidum.
This role includes all rights.
This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.
Right | Description |
API Operator | Grants access to interact with the API |
Manage Actions | Deprecated (no longer in use) |
Manage Customized Queries | Deprecated (no longer in use) |
Manage Dashboards and Charts | Grants access to create, update, and delete Dashboards and Charts |
Manage Data Mapping | Deprecated (no longer in use) |
Manage DataQC API | Grants access to create, update, or delete DataQCs |
Manage License API | Grants access to create or update a License |
Manage Permissions API | Grants access to create, update, or delete Permissions |
Manage Query Builder API | Grants access to create, update, or delete Queries |
Manage Roles | Grants access to create, update, or delete Roles |
Manage System Settings API | Grants access to modify System Settings |
Manage Users API | Grants access to create, update, and delete Users |
Schedule | Deprecated (no longer in use) |
Search | Deprecated (no longer in use) |
Start Runner | Grants access to start a Runner |
Stop Runner | Deprecated (no longer in use) |
View Actions | Deprecated (no longer in use) |
View Chart Information | Deprecated (no longer in use) |
View Connections | Deprecated (no longer in use) |
View Customized Queries | Deprecated (no longer in use) |
View Dashboards | Grants access to view Dashboards |
View Data Mapping | Deprecated (no longer in use) |
View Data Mapping | Deprecated (no longer in use) |
View Data QCs | Deprecated (no longer in use) |
View Field Display | Deprecated (no longer in use) |
View Homepage | Grants access to view the Homepage |
View License | Grants access to view License information |
View License Settings | Grants access to view the License Settings tab |
View Python Runner | Deprecated (no longer in use) |
View Settings | Grants access to view the Settings page |
View System Log | Deprecated (no longer in use) |
View System Settings | Grants access to view System Settings |
View System Settings | Grants access to view System Settings and Tunnel Proxy Settings tabs |
View System Stats | Deprecated (no longer in use) |
View System Usage | Deprecated (no longer in use) |
View User Management | Grants access to view the User Management Settings tab |
API Users #
This role allows access to the Lucidum API.
This role allows access to the following rights in Lucidum and is appropriate for the users who implement APIs.
This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.
Name |
Description |
---|---|
API Operator |
Access to the Lucidum API |
IT Operations #
This role is for IT and security operations staff.
This role allows access to the following rights in Lucidum and is appropriate for the users who implement APIs.
This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.
Name | Description |
Manage Actions | Deprecated (no longer in use) |
Manage DataQC API | Grants access to create, update, or delete DataQCs |
Manage Permissions API | Grants access to create, update, or delete Permissions |
Manage Query Builder API | Grants access to create, update, or delete Queries |
Manage Roles | Grants access to create, update, or delete Roles |
Manage System Settings API | Grants access to modify System Settings |
Manage Users API | Grants access to create, update, and delete Users |
Search | Deprecated (no longer in use) |
Start Runner | Grants access to start a Runner |
Stop Runner | Deprecated (no longer in use) |
View Actions | Deprecated (no longer in use) |
View Chart Information | Deprecated (no longer in use) |
View Connections | Deprecated (no longer in use) |
View Dashboards | Grants access to view Dashboards |
View Data Mapping | Deprecated (no longer in use) |
View Data QCs | Deprecated (no longer in use) |
View Field Display | Deprecated (no longer in use) |
View Homepage | Grants access to view the Homepage |
View License | Grants access to view License information |
View License Settings | Grants access to view the License Settings tab |
View Python Runner | Deprecated (no longer in use) |
View Settings | Grants access to view the Settings page |
View System Log | Deprecated (no longer in use) |
View System Settings | Grants access to view System Settings |
View System Settings | Grants access to view System Settings and Tunnel Proxy Settings tabs |
View System Stats | Deprecated (no longer in use) |
View System Usage | Deprecated (no longer in use) |
View User Management | Grants access to view the User Management Settings tab |
Lucidum Support (Lucidum internal role only) #
This is a role assigned to Lucidum support staff, to maintain customer systems.
This role allows access to the following rights in Lucidum and is appropriate for Lucidum employees who maintain customer systems.
This role also can view all Lucidum data for assets, assets-IPs, users, users-IPs, and vulnerabilities.
Name | Description |
Manage Actions | Deprecated (no longer in use) |
Manage Customized Queries | Deprecated (no longer in use) |
Manage DataQC API | Grants access to create, update, or delete DataQCs |
Manage Query Builder API | Grants access to create, update, or delete Queries |
Manage Roles | Grants access to create, update, or delete Roles |
Manage System Settings API | Grants access to modify System Settings |
Manage Users API | Grants access to create, update, and delete Users |
Schedule | Deprecated (no longer in use) |
Search | Deprecated (no longer in use) |
Start Runner | Grants access to start a Runner |
Stop Runner | Deprecated (no longer in use) |
View Actions | Deprecated (no longer in use) |
View Chart Information | Deprecated (no longer in use) |
View Connections | Deprecated (no longer in use) |
View Customized Queries | Deprecated (no longer in use) |
View Dashboards | Grants access to view Dashboards |
View Data Mapping | Deprecated (no longer in use) |
View Data QCs | Deprecated (no longer in use) |
View Field Display | Deprecated (no longer in use) |
View Homepage | Grants access to view the Homepage |
View License | Grants access to view License information |
View License Settings | Grants access to view the License Settings tab |
View Python Runner | Deprecated (no longer in use) |
View Settings | Grants access to view the Settings page |
View System Log | Deprecated (no longer in use) |
View System Settings | Grants access to view System Settings |
View System Settings | Grants access to view System Settings and Tunnel Proxy Settings tabs |
View System Stats | Deprecated (no longer in use) |
View System Usage | Deprecated (no longer in use) |
View User Management | Grants access to view the User Management Settings tab |
All Rights #
The following table describes all the permissions you can assign to a role.
Name |
Description |
---|---|
PermissionManage |
Read/Write access to assign permissions to roles |
RoleManage |
Read/Write access to Settings > User Roles |
UserManage |
Read/Write access to the Settings > User Management (users can only change their own user settings) |
Read System Usage |
Deprecated |
Read System Log |
Deprecated |
Read System Setting |
Deprecated |
Write System Setting |
Deprecated |
Read License |
Read access to the License page |
Start Runner |
Deprecated |
Stop Runner |
Deprecated |
Read DataQC |
Deprecated |
Read DataMapping |
Deprecated |
Write DataMapping |
Deprecated |
Read Action |
Read access to the Action page |
Write Actions |
Read/Write access to the Action page (user can add or change action) |
Customized Query |
Read/Write Access to the Lucidum support page for updating the UI back-end queries (not for normal users) |
Read Chart |
Read access to the Home page |
Query Builder |
Access to the Query page (user can manage saved queries) |
Search |
Access to the Query page (user can submit and run queries) |
Modify License |
Write access to the License page (user can upload and modify license) |
Front_Dashboard |
Can access the Dashboard page and dashboards |
Front_Home |
Can access the Home page |
Front_DataMapping |
Deprecated |
Front_Dataqc |
Deprecated |
Front_PythonRunner |
Deprecated |
Front_License |
Can access Settings > License page and the Settings > Query Run History page. |
Front_CustomizedQuery |
DeprecatedQuery |
Front_SystemStats |
Deprecated |
Front_Settings |
Can access the sub-menus under the Settings menu. |
Front_Usermanagement |
Can access Settings > User Management and Settings > User Roles |
API_Operator |
Access to the Lucidum API |
Front_SystemSetting |
Can access Settings > Data Settings, Settings > Query Settings, and Settings > Tunnel Proxy Settings |
Schedule |
Read/Write access to the query scheduling |
Front_FieldDisplay |
Deprecated |
Front_Connection |
Deprecated |
TeamChannelAdmin |
Create and manage the Team channel for Dashboards |