Managing access for Security Compliance Management users
Security Compliance Management integrates with Puppet Enterprise (PE) for role-based access control (RBAC). You can create or import new Security Compliance Management users and assign them to roles in the Puppet Enterprise console. There are three default roles provided for Security Compliance Management users: comply-admin, comply-operator, and comply-viewer. Users must be assigned to one of these roles to log in to Security Compliance Management.
Adding new Security Compliance Management users and roles
To add a new local user in Security Compliance Management, log in to the Puppet Enterprise (PE) console associated with your Security Compliance Management instance. Your Puppet Enterprise user must be able to create and edit user roles. Follow the instructions in the Puppet Enterprise documentation to add a new user and assign them to one of the three default Security Compliance Management roles.
For more information on configuring Security Compliance Management with Puppet Enterprise, visit Add your Puppet Enterprise credentials to Security Compliance Management.
Importing existing users to Security Compliance Management
RBAC integrates with LDAP for easy import of existing remote users. Follow these instructions on how to connect to LDAP, import users, and assign them to roles.
Default Security Compliance Management roles
There are three default roles provided for Security Compliance Management users. Each role is assigned different permissions and has a different view of the Security Compliance Management console, meaning that some options in Security Compliance Management are greyed out or unavailable for users with certain roles.
The following table explains the permissions included by default for each role:
| Category | Action | comply-admin | comply-operator | comply-viewer |
| --- | --- | --- | --- | --- |
| Dashboard | View compliance dashboard | ✔ | ✔ | ✔ |
| Node Results | View node results list | ✔ | ✔ | ✔ |
| Node Results | Export node results data to CSV | ✔ | ✔ | |
| Node Results | View node detail | ✔ | ✔ | ✔ |
| Rule Detail | View rule detail | ✔ | ✔ | ✔ |
| Rule Detail | Create an exception | ✔ | ✔ | |
| Scan Reports | View scans list | ✔ | ✔ | ✔ |
| Scan Reports | View scan report | ✔ | ✔ | ✔ |
| Scan Reports | View scan report: rule performance | ✔ | ✔ | ✔ |
| Scan Reports | View scan report: node performance | ✔ | ✔ | ✔ |
| Scan Reports | Run an ad hoc scan | ✔ | ✔ | |
| Generated Reports | View the list of exported data | ✔ | ✔ | ✔ |
| Generated Reports | Download exported data | ✔ | ✔ | ✔ |
| Inventory | View inventory list | ✔ | ✔ | ✔ |
| Inventory | Update desired compliance (in bulk and individually) | ✔ | ✔ | |
| Scan Schedules | View scan schedules list | ✔ | ✔ | ✔ |
| Scan Schedules | Create a scan schedule | ✔ | ✔ | |
| Scan Schedules | View a scan schedule detail | ✔ | ✔ | ✔ |
| Scan Schedules | Edit a scan schedule | ✔ | ✔ | |
| Scan Schedules | Manage the nodes linked to a scan schedule | ✔ | ✔ | |
| Scan Schedules | Pause, end, restart a scan schedule | ✔ | ✔ | |
| Scan Schedules | Delete a scan schedule | ✔ | ✔ | |
| Custom Profiles | Create a custom profile | ✔ | ✔ | |
| Custom Profiles | View custom profiles list | ✔ | ✔ | ✔ |
| Custom Profiles | View custom profile details | ✔ | ✔ | ✔ |
| Custom Profiles | Create a custom profile | ✔ | ✔ | |
| Custom Profiles | Edit a custom profile | ✔ | ✔ | |
| Custom Profiles | Delete a custom profile | ✔ | ✔ | |
| Custom Profiles | Export custom profiles to CSV | ✔ | ✔ | |
| Exceptions | View exceptions list | ✔ | ✔ | ✔ |
| Exceptions | View exceptions detail | ✔ | ✔ | ✔ |
| Exceptions | Create an exception | ✔ | ✔ | |
| Exceptions | Edit an exception | ✔ | ✔ | |
| Exceptions | Resolve an exception (one, many, all nodes) | ✔ | ✔ | |
| Exceptions | Delete an exception | ✔ | ✔ | |
| Activity Feed | View activity feed scans tab | ✔ | ✔ | |
| Activity Feed | View activity feed assessor upgrade tab | ✔ | ✔ | |
| Activity Feed | View activity feed assessor upgrade summary page | ✔ | ✔ | |
| License | View license page | ✔ | | |
| License | Sync license | ✔ | | |
| Settings | View settings page | ✔ | | |
| Settings | Edit settings page (refresh data, remove/add PE) | ✔ | | |
| Upgrade | See alert advising there is an upgrade available | ✔ | | |