Role Management

Overview

Roles provide a set of permissions that grant various levels of access and control over the IQ Server as well as the connected suite of tools. To grant permissions, you assign a user to either a system-wide administrator role or an organizational role at one of the levels in the system hierarchy: root organization, organization, or application. Which role and level you choose for a user determines what permissions that user receives.

You can assign roles to individual users or groups of users. IQ Server has a built-in group called Authenticated Users that contains any authenticated user. In addition, LDAP groups may be available, if you configured IQ Server to use an LDAP server with users mapped to specific groups.

Role Hierarchy

The scope of permissions granted to a role is governed by where that role is assigned in the system hierarchy. A role assigned to:

  • Root organization - Grants permissions to all organizations, applications, and repositories.
  • Organization - Grants permissions to that individual organization and any applications attached to it.
  • Application - Grants permissions only to the individual application.

Firewall solution users have an additional entity for which roles can be assigned:

  • Repositories - Grants permissions to repositories.

Built-in Roles

IQ Server has several built-in roles, which are shown below. If one does not suit your needs, you can create a custom role.

Administrator Roles:

  • System Administrator - Manages system configuration and users, which includes LDAP and product license management as well as the ability to assign other users to the System Administrator role.
  • Policy Administrator - Provides full control over organizations, applications, policies, policy violations and custom roles. Only the Policy Administrator has the ability to create organizations.

Organizational Roles:

  • Owner - Manages assigned organizations, applications, policies, and policy violations.
  • Developer - Views all information for their assigned organization or application.
  • Application Evaluator - Evaluates applications and views policy violation summary results.
  • Component Evaluator - Evaluates individual components and views policy violation results for a specified application.

To view roles in IQ Server:

  1. Click the System Preferences icon on the IQ Server toolbar.
  2. Click Roles on the System Preferences submenu. A list of built-in roles is displayed.

Only a user assigned to an administrator role can see the information below. If you are using the built-in Admin user account, it is assigned to all administrator roles. It is highly recommended that you change the Admin password.

Built-in Role Permissions

To view permissions assigned to built-in roles:

  1. Click the System Preferences icon on the IQ Server toolbar.
  2. Click Roles on the System Preferences submenu. A list of roles is displayed.
  3. Click the arrow next to a specific role to view its details and permissions.
  4. The built-in roles have the permissions shown below.

Administrator Roles

Permissions

System Administrator Policy Administrator
Administrator Permissions
Edit System Configuration and Users (thumbs up)

Edit Custom Roles

(thumbs up)
View All Roles (thumbs up) (thumbs up)
IQ Permissions
Edit Proprietary Components

(thumbs up)
Claim Components

(thumbs up)
Edit IQ Elements

(thumbs up)
View IQ Elements

(thumbs up)
Evaluate Applications

(thumbs up)

Evaluate Individual Components

(thumbs up)
Add Applications

(thumbs up)
Manage Automatic Application Creation

(thumbs up)

Organizational Roles

Permissions

Owner Developer Application Evaluator Component Evaluator
Administrator Permissions
Edit System Configuration and Users

Edit Custom Roles

View All Roles (thumbs up)

IQ Permissions
Edit Proprietary Components (thumbs up)

Claim Components

Edit IQ Elements (thumbs up)

View IQ Elements (thumbs up) (thumbs up)

Evaluate Applications (thumbs up)

(thumbs up)

Evaluate Individual Components (thumbs up) (thumbs up)

(thumbs up)
Add Applications (thumbs up)

Manage Automatic Application Creation


IQ Elements includes organizations, applications, policies, component labels, license threat groups, application categories, policy violations and waivers.

Managing Administrator Roles

To manage administrator roles, you must log into IQ Server as a user assigned to the System Administrator role. By default, the built-in Admin user account is assigned to the System Administrator role.

Viewing Administrator Roles

  1. Click the System Preferences icon  on the IQ Server toolbar.
  2. Click Administrators. A list of administrator roles and assigned members is displayed.

Assigning Users to Administrator Roles

  1. Click the System Preferences icon  on the IQ Server toolbar.
  2. Click Administrators. The Administrators view is displayed.
  3. Click the Edit Role button (looks like a pencil) for the role to which you want to add users. The Administrators view is updated to display the role and its members
  4. Search for a user you want to add to the role by entering a full name or part of a name with an asterisk into the search box, then click Search. You can use an asterisk as a wildcard at the beginning or end of a character string. For example, isa*, *mov, and *asi* will all match the name, "Isaac Asimov." Any matching names are displayed in the Available list.
  5. To add a user to the role, click a user’s name in the Available list and use the right arrow to move the name to the Associated list. To remove a user from a role, click a user’s name in the Associated list and use the left arrow to move the name to the Available list.
  6. Click Save to save the role assignment(s).

Managing Organizational Roles

To manage organizational roles, you must log into IQ Server as a user assigned to the Policy Administrator role or Owner role. By default, the built-in Admin user account is assigned to the Policy Administrator role.

Viewing Organizational Role Assignments

To view organizational role assignments:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. Select an entity (organization, application, or Repositories) in the sidebar.
  3. Click Access in the menu bar at the top of the page to scroll to the Access section. Assigned roles are grouped as follows:
    1. Local - Role assignments with a scope that’s specific to the selected organization or application.
    2. Inherited - Role assignments derived from an organization that’s higher in the system hierarchy than the currently selected organization or application.

Assigning Users to Organizational Roles

To assign a user to an organizational role:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. Select an entity (organization, application, or Repositories) in the sidebar.
  3. Click Access in the menu bar at the top of the page to scroll to the Access section.
  4. Click the Add Role button. The Access editor is displayed.
  5. In the Role box, select a user role.
  6. In the Search Users box, search for a user by entering a full name or part of name with an asterisk, then click Search. You can use an asterisk as a wildcard at the beginning or end of a character string. For example, isa*, *mov, and *asi* will all match the name, "Isaac Asimov." Any matching names are displayed below in the Associated Users list.
  7. In the Associated Users list, select a user in the Available column on the left, then click the right arrow button to move the user to the Associated column on the right. If you accidentally add a wrong user, select the user in the Associated column, then click the left arrow to return the user to the Available column.
  8. Click Add.

If you integrated an LDAP server with IQ Server, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.

If you want to continue adding role assignments for the selected organization, application or Repositories, click Add Role in the sidebar.

Editing Organizational Role Assignments

To edit an organizational role assignment:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. In the sidebar, select the entity (organization, application or Repositories) in which the role is assigned.
  3. Click Access in the menu bar at the top of the page to scroll to the Access section.
  4. Click a listed role (or the chevron next to its name) to display the Access editor.
  5. In the Search Users box, search for a user by entering a full name or part of name with an asterisk, then click Search. You can use an asterisk as a wildcard at the beginning or end of a character string. For example, isa*, *mov, and *asi* will all match the name, "Isaac Asimov." Any matching names are displayed below in the Associated Users list.
  6. In the Associated Users list, you can add a user to a role by selecting the user in the Available column on the left and clicking the right arrow button to move the user to the Associated column. To remove a user from a role, select the user in the Associated column, then click the left arrow to return the user to the Available column.
  7. Click Update.


If you integrated an LDAP server with IQ Server, the LDAP users and groups are also displayed in the search results. If you hover over a list item, the LDAP realm and email address are displayed when available.

If you want to continue adding role assignments for the selected organization, application or Repositories, click Add Role in the sidebar.

Removing Organizational Role Assignments

To remove organizational role assignments:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. In the sidebar, select the entity (organization, application or Repositories) in which the role is assigned.
  3. Click Access in the menu bar at the top of the page to scroll to the Access section.
  4. Click a listed role (or the chevron next to its name) to display the Access editor.
  5. Click the Remove Role button, then click Continue to remove the role or click Cancel to keep the role.

This is the equivalent of removing or disassociating all users from a role.

Custom Roles

You must have permission to Edit Custom Roles if you want create a custom role. The default Admin account and the built-in Policy Administrator role have this permission.

Custom roles allow you to fine tune IQ security permissions for different users. The following permissions are available for custom roles:

Administrator Roles:

  • View All Roles
  • Edit Proprietary Components

Organizational Roles:

  • Claim Components
  • Edit IQ Elements
  • View IQ Elements
  • Evaluate Applications
  • Evaluate Individual Components
  • Add Applications
  • Manage Automatic Application Creation

To achieve desired behavior in the IQ user interface, you may need to assign View IQ Elements along with other permissions. For example, to allow a user to create applications in an organization but not edit the organization, you should add View IQ Elements and Add Applications to the role.oh sh

To create a custom role:

  1. Click the System Preferences icon  on the IQ Server toolbar and then click Roles.
  2. Click the Create Role button.
  3. Enter a name and description for the role.
  4. Click the Can/Cannot slider to enable or disable a permission as desired.
  5. Click the Save button.

Whenever a user assigned to a custom role with Add Applications permission creates an application, that user is automatically assigned to the Owner role for that application.

Assigning Groups to Roles without Searching

If you have an LDAP configuration that prohibits searching for groups, then the Access editor will have an additional section called Associate Group. You can use this section to enter manually a group name and add it to a role.

To assign groups to roles without searching:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. In the sidebar, select an entity (organization, application or Repositories).
  3. Click Access in the menu bar at the top of the page to scroll to the Access section.
  4. Open the Access editor by clicking Add Role or the chevron next to an existing role.
  5. In the Associate Group box, enter the group name. The text must be an exact match.
  6. Click Add. The group name is added to the Associated column without performing a search of users and groups.

Role Assignments

To view role assignments:

  1. Click the Organization & Policies icon  on the IQ Server toolbar.
  2. Select an organization or application in the sidebar. A page of customizable settings is displayed.
  3. Click Access in the menu bar at the top of the page to scroll to the Access section. Users are displayed by their assigned roles for the selected entity (i.e. organization or application). The information is grouped by where the role assignments were made: locally in the current entity or inherited from an entity higher in the system hierarchy.