Role-Based Access Control (RBAC) for Accounts
Who can make admin changes to a subgroup's settings, host settings or trust profiles ?
No account, (NOT EVEN System Admins), can edit or modify any Security Group settings, host settings or policy profile without being trusted as a Admin by the Inheritance Tree owner or admins.
Master Admins can access other login accounts but leave an audit trail of when they enter or exit that login account. Only administrators who can be trusted with Database access should be trusted as a Master Admin. They have "sudo" privileges in the Dashboard.
What is a Malware Advisor?
A "Malware Advisor" is NOT an "access role" but a system wide application of an Advisor's malware Block Policies for any matching App Handprints or Code-Signing Certificates (CERTs). A Malware Advisor can have any "access role" level. or even be just a Trust-Profile instead of an actual administrator's account. The purpose of Malware Advisors is to simplify which Profiles contribute to the process for blocking Known Malware and Unwanted Apps.
Role-Based Access Control Levels
Each of the following "role access" levels can perform the functions of a lower "role access" level.
- Master Admins
- Master Admins have the ability to "sudo" into an account, but this will leave an audit trail in the security log.
Who are the Master Admins for my White Cloud Security Data Center Appliance?
- With a Data Center Appliance the Master Admin is assigned during the setup process.
Role-Based Access Control Privileges
| Role | Access |
|---|---|
| Master Admin | Can "View As" any account |
| "View As" creates an audit trail in the security log | |
| The first Master Admin is assigned during the setup process | |
| Only a Master Admin can make another admin a Master Admin | |
| System Admin | View all system logs |
| Account Admin | Purge a Login Account after it has been disabled by the account owner |
| System Agent | View all accounts across the platform |
| Account Agent | Create Login Accounts, Organizations and resend activation emails |
| Advisor | Standard Enterprise functional as Trust-Listing Admin |
| Can be added to Admin Groups to allow configuration and policy management | |
| Can be assigned as an Org Admin to add or remove members of an organization | |
| Can be assigned as an Viewer with read only access to status and reports | |
| Basic Account | Limited functionality for Dashboard Interface simplicity |
| --------------- | ----------------------------------------------------------------------------- |
| End User | End Users have no access or visibility into Trust Lockdown |