Managing access for Comply users
Comply integrates with Puppet Enterprise (PE) for role-based access control (RBAC). You can create or import new Comply users and assign them to roles in the PE console. There are three default roles provided for Comply users: comply-admin, comply-operator, and comply-viewer. Users must be assigned to one of these roles to log in to Comply.
Adding new Comply users and roles
To add a new local user in Comply, log in to the Puppet Enterprise (PE) console associated with your Comply instance. Your PE user must have permission to create and edit user roles. Follow the instructions in the PE documentation at https://www.puppet.com/docs/pe/2023.2/rbac_user_roles_intro.html#create_a_new_user to add a new user and assign them to one of the three default Comply roles.
For more information on configuring Comply with PE, see "Add your PE credentials to Comply".
Importing existing users to Comply
RBAC integrates with LDAP for easy import of existing remote users. You can find instructions on how to connect to LDAP, import users, and assign them to roles at https://www.puppet.com/docs/pe/2023.2/rbac-ldap.html.
Default Comply roles
There are three default roles provided for Comply users. Each role is assigned different permissions and has a different view of the Comply console, meaning that some options in Comply are greyed out or unavailable for users with certain roles.
The following table explains the permissions included by default for each role:
| Category | Action | comply-admin | comply-operator | comply-viewer |
| --- | --- | --- | --- | --- |
| Dashboard | View compliance dashboard | ✔ | ✔ | ✔ |
| Node Results | View node results list | ✔ | ✔ | ✔ |
| | Export node results data to CSV | ✔ | ✔ | |
| | View node detail | ✔ | ✔ | ✔ |
| Rule Detail | View rule detail | ✔ | ✔ | ✔ |
| | Create an exception | ✔ | ✔ | |
| Scan Reports | View scans list | ✔ | ✔ | ✔ |
| | View scan report | ✔ | ✔ | ✔ |
| | View scan report: rule performance | ✔ | ✔ | ✔ |
| | View scan report: node performance | ✔ | ✔ | ✔ |
| | Run an ad hoc scan | ✔ | ✔ | |
| Generated Reports | View the list of exported data | ✔ | ✔ | ✔ |
| | Download exported data | ✔ | ✔ | ✔ |
| Inventory | View inventory list | ✔ | ✔ | ✔ |
| | Update desired compliance (in bulk and individually) | ✔ | ✔ | |
| Scan Schedules | View scan schedules list | ✔ | ✔ | ✔ |
| | Create a scan schedule | ✔ | ✔ | |
| | View a scan schedule detail | ✔ | ✔ | ✔ |
| | Edit a scan schedule | ✔ | ✔ | |
| | Manage the nodes linked to a scan schedule | ✔ | ✔ | |
| | Pause, end, restart a scan schedule | ✔ | ✔ | |
| | Delete a scan schedule | ✔ | ✔ | |
| Custom Profiles | Create a custom profile | ✔ | ✔ | |
| | View custom profiles list | ✔ | ✔ | ✔ |
| | View custom profile details | ✔ | ✔ | ✔ |
| | Create a custom profile | ✔ | ✔ | |
| | Edit a custom profile | ✔ | ✔ | |
| | Delete a custom profile | ✔ | ✔ | |
| | Export custom profiles to csv | ✔ | ✔ | |
| Exceptions | View exceptions list | ✔ | ✔ | ✔ |
| | View exceptions detail | ✔ | ✔ | ✔ |
| | Create an exception | ✔ | ✔ | |
| | Edit an exception | ✔ | ✔ | |
| | Resolve an exception (one, many, all nodes) | ✔ | ✔ | |
| | Delete an exception | ✔ | ✔ | |
| Activity Feed | View activity feed scans tab | ✔ | ✔ | |
| | View activity feed assessor upgrade tab | ✔ | ✔ | |
| | View activity feed assessor upgrade summary page | ✔ | ✔ | |
| License | View license page | ✔ | | |
| | Sync license | ✔ | | |
| Settings | View settings page | ✔ | | |
| | Edit settings page (refresh data, remove/add PE) | ✔ | | |
| Upgrade | See alert advising there is an upgrade available | ✔ | | |
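Because only comply-admin can edit settings and sync the license, a periodic review of who holds each of the three roles supports least privilege. The following is an added example, not code from Puppet or from this page: it audits Comply role membership from JSON shaped like PE RBAC API v1 roles and users listings, run here on constructed sample data. The field names `display_name`, `user_ids`, `login` and `is_revoked`, and the assumption that role display names match the three names above, should be verified against your PE version.

```python
import json

COMPLY_ROLES = ("comply-admin", "comply-operator", "comply-viewer")

# Constructed sample data (not real accounts). The field names are assumed
# to follow PE RBAC API v1 role and user objects.
ROLES_JSON = """[
 {"id": 1,  "display_name": "Administrators",  "user_ids": ["u1"]},
 {"id": 10, "display_name": "comply-admin",    "user_ids": ["u1", "u2"]},
 {"id": 11, "display_name": "comply-operator", "user_ids": ["u2", "u3"]},
 {"id": 12, "display_name": "comply-viewer",   "user_ids": ["u4"]}
]"""
USERS_JSON = """[
 {"id": "u1", "login": "alice", "is_revoked": false},
 {"id": "u2", "login": "bob",   "is_revoked": false},
 {"id": "u3", "login": "carol", "is_revoked": true},
 {"id": "u4", "login": "dave",  "is_revoked": false},
 {"id": "u5", "login": "erin",  "is_revoked": false}
]"""

def audit(roles, users):
    """Return access-review findings for the three default Comply roles."""
    # Only direct user_ids are checked; roles granted through LDAP groups
    # are not resolved here.
    held = {u["id"]: [] for u in users}
    for role in roles:
        if role["display_name"] in COMPLY_ROLES:
            for uid in role.get("user_ids", []):
                held.setdefault(uid, []).append(role["display_name"])
    by_id = {u["id"]: u for u in users}
    findings = {"admins": [], "multiple_roles": [],
                "revoked_with_role": [], "no_comply_role": []}
    for uid, names in sorted(held.items()):
        user = by_id.get(uid, {"login": uid, "is_revoked": False})
        if "comply-admin" in names:          # can edit settings and sync license
            findings["admins"].append(user["login"])
        if len(names) > 1:                   # redundant lower role to clean up
            findings["multiple_roles"].append(user["login"])
        if names and user.get("is_revoked"): # stale assignment on a revoked account
            findings["revoked_with_role"].append(user["login"])
        if not names:                        # cannot log in to Comply
            findings["no_comply_role"].append(user["login"])
    return findings

if __name__ == "__main__":
    for finding, logins in audit(json.loads(ROLES_JSON), json.loads(USERS_JSON)).items():
        print(f"{finding}: {', '.join(logins) or '-'}")
```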