User Management Best Practices
Overview
To promote the best application security and to simplify user management, we recommend the following key principles for managing users and their privileges:
- Describe fine-grained, persona-based user groups inside Resolve Actions Pro that correspond to a user's typical work responsibilities.
- Use a centralized, external user authentication and authorization system (such as LDAP) to manage user credentials and authorization through groups.
Describe Fine-grained User Groups inside Actions Pro
Many users will interact with Actions Pro to perform different functions. Users can be segregated by their job functions, such as Administrator, Developer, L1 agents, etc.
- Users can also be segregated by their organizations. For example, L1 agents may be working for different divisions and will have distinct responsibilities (e.g. Customer Support or Network Operation).
- Customers should create enough user groups to accurately capture the job and organizational differences among the possible users.
- Fine-grained, persona-based user groups provide the foundation for accurate permission mapping.
After a user group has been created, it can contain roles, and each role can be configured with the proper privileges, such as View, Edit, Execute, and Admin. Customers can define their own roles or use the pre-built roles in Actions Pro. It is important that all the roles associated with a user group do not grant more rights than necessary. For example, if a user group has both the less restrictive "admin" role and the more restrictive "resolve_user" role, the "admin" role supersedes the "resolve_user" role, resulting in a less restrictive user group.
With properly defined user groups that carry only the necessary permissions, Actions Pro users can be restricted to performing only the functions for which they are authorized. Furthermore, access to Runbooks can be restricted based on users' team assignments, for example, when certain runbooks contain sensitive information.
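The superseding behaviour described above can be audited before group definitions are put in place. The following check is an added example, not Resolve's code or an Actions Pro API: the role-to-privilege sets, the group names, the `runbook_dev` role and the intended privilege ceilings are constructed assumptions; only the `admin` and `resolve_user` role names and the four privileges come from this page.

```python
# Constructed sample data. Role names "admin" and "resolve_user" appear on the
# page; the privilege sets assigned to them here are assumptions.
ROLE_PRIVS = {
    "admin": {"View", "Edit", "Execute", "Admin"},
    "resolve_user": {"View", "Execute"},
    "runbook_dev": {"View", "Edit", "Execute"},  # hypothetical custom role
}

# Constructed: user group -> roles attached to it.
GROUP_ROLES = {
    "L1-CustomerSupport": ["resolve_user"],
    "L1-NetworkOps": ["resolve_user", "admin"],  # the misconfiguration to catch
    "Developers": ["runbook_dev"],
}

# Constructed: the most each persona is supposed to be able to do.
INTENDED = {
    "L1-CustomerSupport": {"View", "Execute"},
    "L1-NetworkOps": {"View", "Execute"},
    "Developers": {"View", "Edit", "Execute"},
}


def effective_privileges(roles):
    """Union of all role privileges: the least restrictive role wins."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVS[role]
    return privs


def superseded_roles(roles):
    """Roles whose privileges are a strict subset of another role in the group."""
    return sorted(
        r for r in roles
        if any(ROLE_PRIVS[r] < ROLE_PRIVS[other] for other in roles if other != r)
    )


def audit_groups():
    """Return groups that exceed their intended ceiling or contain superseded roles."""
    findings = {}
    for group, roles in GROUP_ROLES.items():
        excess = effective_privileges(roles) - INTENDED[group]
        shadowed = superseded_roles(roles)
        if excess or shadowed:
            findings[group] = {"excess": sorted(excess), "superseded": shadowed}
    return findings


if __name__ == "__main__":
    for group, finding in audit_groups().items():
        print(group, finding)
```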
Centralized User Authentication and Authorization System Utilization
Although Actions Pro is fully capable of creating and managing users internally, we recommend customers utilize a centralized user authentication and authorization system, such as LDAP, to manage users. Using a central user management system simplifies the process of managing users on multiple systems, and provides an authoritative source for all users' credentials and privileges.
- As long as a user is configured with a group that has the same name as the desired group in Actions Pro, after each login, Actions Pro will set the proper roles and permissions for each user.
- If a user's roles and user group change, that change will be reflected immediately after the next login.