Access Management

This topic describes management for user, API access keys, user roles, Single Sign-On (SSO), and user activity for CloudFlow.

Open access management

To reach CloudFlow Access Management:

  1. Hover over the Settings icon at the lower left of your screen. Settings options are displayed.

  2. Click on Access Management.

    The Access Management page is displayed.

    Access Management has five tabs: Users, API Access, Roles, SSO Setup, and User Activity.

Manage Users

From the Users tab you can:

Note: Click on the ellipsis button to the right of each user to:

Add a new user

When SSO is disabled, Administrators can add a user, assigning any of the CloudFlowManage Roles to the new user.

When SSO is enabled, the +Add User button is disabled.

  1. Click +Add user above the Actions column.

  2. Fill out the Add user form that is displayed according to the Add user fields table.

Note: Usernames must be unique.

After completing the fields, click the Add button at the bottom right of the Add user dialog.
The user is added to the list of users and is automatically sent a welcome email that enables a guided, seamless entrance into CloudFlow. See Inside the invitation email.

Add user fields table

Field Description
Username The identifier of the user in CloudFlow.
The username must be unique in your CloudFlow system, i.e. no two users can have the same username.
Note: The username is permanent.
To give a user a different username, the user must be deleted and a new user must be created for the user.
Email The email at which the user wishes or is authorized to receive messages from CloudFlowand the System Admin.
First name The user's first name.
Last name The user's family name.
Roles

From the left drop down select System Role or Custom Role.

If System Role is selected from the left drop down, select at least one system role from the right drop down:

  • Admin -Read/write permission to User Management, ASMS Integration, Accounts and all resources (Risks, Inventory and Network Policies).

  • Security manager - Read/write permission for Accounts and all resources (Risks, Inventory and Network Policies).

  • Auditor - Read-only permissions for Accounts and all resources (Risks, Inventory and Network Policies).

If Custom role is selected from the left drop down, select at least one name of a defined custom role from the right drop down.
MFA enforced If yes is selected, user will need to authenticate after entering password, using an authenticator application.

Note: The first time that a user enters after MFA enforced is set to yes, the user performs a one-time Authenticator setup.

For more details on setting up Multiple Factor Authentication and logging into CloudFlow using it, refer to First login as MFA user and Subsequent MFA logins.

Edit a user

Note: When SSO is enabled, user’s appear in the Access Management page USERS tab only after first login. They are assigned a default system role Auditor, which can be edited later.

To edit a user:

1. Click on the vertical ellipsis to the right of the user whose information needs editing.

2. On the options pop-up menu that is displayed, click Edit.

3. Modify the fields as required and then click Save to keep your changes or Cancel to discard them.

4. If required, change the MFA functionality for the user here.

Edit user fields

Field Description
Username In edit mode, this field is read-only.
Email The email at which the user wishes or is authorized to receive messages from CloudFlow and the System Admin.
First name The user's first name.
Last name The user's family name.
Roles

From the left drop down select System Role or Custom Role.

If System Role is selected in the left drop down, select at least one system roles from the right drop down:


  • Admin -Read/write permission to User Management, ASMS Integration, Accounts and all resources (Risks, Inventory and Network Policies).

  • Security manager - Read/write permission for Accounts and all resources (Risks, Inventory and Network Policies).

  • Auditor - Read-only permissions for Accounts and all resources (Risks, Inventory and Network Policies).

If custom role is selected from the left drop down, select the name of a defined custom role from the right drop down.
MFA If yes is selected, user will need to authenticate after entering password.

Note: First time user enters after MFA is set to yes, the user performs a one-time Authenticator setup.

Delete user

There are many reasons for deleting users including when a user leaves your organization. Deleting unauthorized users is an important security feature that should be undertaken in a timely manner.

To delete a user:

  1. Click on the ellipsis to the right of the user's row in the user table.

  2. On the options pop-up menu that is displayed, click Delete.
    A confirmation message asks if you are sure you want to delete this specific user:

  3. If you do not want to delete this user, click the x in the upper right corner of the message or click No.
    To proceed with deleting the user, click the Yes button.
    Upon clicking Yes, the User tab is refreshes and the deleted user is no longer in the list of users.

Reset MFA device

An Admin can cause a user to reset their MFA device.

Note: Reset MFA Device is only available if MFA authentication for the user is enabled.

  1. Click on the vertical ellipsis to the right of the user requiring MFA device reset.

  2. On the options pop-up menu that is displayed, click Reset MFA device.

  3. On the confirmation message that is displayed, click Yes to continue.


    As a result, the relevant user will be required to reset their MFA device during their next login to CloudFlow.

Reset Password

An Admin user can reset the user password.

  1. Click on the vertical ellipsis to the right of the user requiring a new password.

  2. On the options pop-up menu that is displayed, click Reset Password.

  3. On the confirmation message that is displayed, click Yes to continue.

    As a result, the relevant user receives an email that provides:

    • a link for resetting the password

    • a verification code.

    When users follow the email instructions and click on the link, they are connected with the relevant tenant and presented with a form for entering the verification code and creating their new password:

Resend invitation

Note: Resend invitation is available for users who have not logged into CloudFlow for the first time.

  1. Click on the vertical ellipsis to the right of the user requiring a new password.

  2. On the options pop-up menu that is displayed, click Resend invitation.

  3. On the confirmation message that is displayed, click OK to continue.

    Tip: Before clicking OK, double-check that the email address of the user is correct!

    The invitation email is sent to the relevant user again. See Inside the invitation email.

Inside the invitation email

The invitation email is a templated email from AlgoSec CloudFlow to a new AlgoSec CloudFlow user in your organization. It provides the new user with:

  • All credentials required for login and a button for first-time login

  • One-click links to product resources and CloudFlow online help and more

A new user's first steps

Typically, the AlgoSec administrator in your organization registers qualified users in AlgoSec CloudFlow as described in these sections.

Each newly added user receives an email invitation. This is an automatic action of CloudFlow.

  • The email invitation includes all credentials needed by the user for logging into CloudFlow for the first time, a direct link to the AlgoSec CloudFlow SaaS URL and much useful information.
    The email explicitly states that credentials will expire in 30 days.

  • Typically, a new user will receive the email, follow the directions and begin using CloudFlow. In such cases, the Send invitation option is not displayed in the per-user actions menu . New users that don't start promptly can be reminded using the Send invitation action.

Filter and Search for Users

In large enterprises, it's important to be able to find specific users quickly. On the Users tab, users can be located quickly by entering text into the search field.

To filter for or find users:

  • Simply enter characters into the search field.
    Users with no fields containing the entered text disappear temporarily from the list.

  • Removing the characters from the filter restores the user list.

Instant User Count

To the right of the search field, the total number of users or the number of filtered users found in the search - filtering is displayed.

Manage API Access Keys

The ability to generate Access Keys is an important security feature, allowing authorized users to access, examine and use relevant AlgoSec APIs.


From the API Access tab you can:

  • View an Access Key

  • Add a new API Access Key

  • Edit an Access Key

  • Delete an Access Key

    View an Access Key

    When you view an access key you can copy the Client ID and the Client secret but you cannot edit any fields.

    1. Click on the vertical ellipsis to the right of the access key to view.

    2. On the options pop-up menu that is displayed, click view.

    3. To get the API Token required for CloudFlow authorization, copy the Client ID and Client Secret to use in the Log in to the Tenant endpoint .

    4. When you finish with the Access key view, click Done to close it.


Add a new API Access Key

  1. From Settings > Access Management > API Access tab, click +Add key.
    The Add Access Key dialog is displayed:

  2. Fill in the fields as indicated in this table, and then click Add in the lower right corner:

    Field Description
    Access key name Any meaningful text
    Role

    Select one or more roles from the Role drop down:


    Admin - Read/write permission to User Management, ASMS Integration, Accounts and all resources (Risks, Inventory and Network Policies).


    Security manager - Read/write permission for Accounts and all resources (Risks, Inventory and Network Policies).


    Auditor - Read-only permissions for Accounts and all resources (Risks, Inventory and Network Policies).
    API access session timeout

    Minutes. Current value is 60 minutes and is editable.

Edit an Access Key

To edit an access key:

  1. Click on the vertical ellipsis to the right of the access key that needs editing.

  2. On the options pop-up menu that is displayed, click Edit. The Edit access key dialog is displayed.

  3. Optionally edit or use fields as follows:

    4. Field Description
    Access key name Edit freely.
    Roles Select one or more roles from the Roles dropdown list.
    Client ID Copy this to a safe place. You cannot edit the Client ID.
    Client secret Copy this to a safe place. You cannot edit the Client secret.
    API access timeout. You can edit the number of minutes.

  4. Click Save to keep your changes or Cancel to discard them.

Delete an Access Key

Deleting an access key is very simple.:

  1. Click on the vertical ellipsis to the right of the access key you wish to delete.

  2. On the options pop-up menu that is displayed, click delete.
    A confirmation Delete access key dialog is displayed, showing the name of the API access key to be deleted.

  3. Click Yes to delete the key.

    Note: You can click No to close the dialog without deleting the API access key.

Manage Roles

Out-of-the-box User Roles

Role-based access management lets you assign one of three out-of-the-box roles to users. Each role is defined by a scope and privilege type (read-only, read/write) as reflected in Manage Roles and the Roles field descriptor.

The table below describes permitted User Roles functionality:

Note: Viewing user information, adding and editing users is only available to users assigned the Admin role.

 

 Admin Security manager Auditor
User Management ü    
ASMS Integration ü    
View Accounts ü ü ü
Add and delete Accounts and Credentials ü ü  
View Inventory ü ü ü
View Network Policies ü ü ü
Manage Network Policies ü ü  
View and Export Risks ü ü ü
Suppress/Activate Risks and Risk Triggers ü ü  

Out-of-the-box role assignments for users in CloudFlow and ObjectFlow

When a user is created and assigned a built-in role in one SaaS application, the user is created in the other application and assigned a role, as follows.

  • Admin role user created in ObjectFlow is Admin in CloudFlow and vice versa.

  • Security manager role user created in ObjectFlow is Auditor in CloudFlow and vice versa (Security manager role user created in CloudFlow has Auditor role in ObjectFlow ).

  • Auditor role user created in ObjectFlow is Auditor of CloudFlow and vice versa.

When an existing user's role changes in CloudFlow :

  • From Admin to either Security Manager or Auditor, the corresponding role in ObjectFlow becomes Auditor.

  • From Security Manager to Auditor, there is no effect on the user's role in ObjectFlow.

  • From Auditor to Security Manager, there is no effect on the user's role in ObjectFlow.

When a user's role changes in ObjectFlow:

  • From Admin to either Security Manager or Auditor, the corresponding role in CloudFlow becomes Auditor.

  • From Security Manager to Auditor, there is no effect on the user's role in CloudFlow.

  • From Auditor to Security Manager, there is no effect on the user's role in CloudFlow.

Custom Roles

While system roles apply to all accounts and vendors, custom roles define permissions limited to specified individual accounts or vendors. The same custom role can be applied to multiple users and multiple custom roles can be assigned to a single user. However, users cannot have a mixture of custom roles and system roles.

When defining a custom role, Manage permissions or Read-only permissions can be assigned to any account or vendor. Since Manage permissions always include Read-only permissions, selecting the Manage checkbox for an account or vendor automatically displays the Read-only checkbox as selected.

Only users with the system role Admin have permission to define custom roles and assign them to users.

To add a custom role:

  1. Under Settings, click Access Management.

    The User Tab of the Access Management page is displayed.

  2. Click Roles.

    The Roles tab is displayed.

  3. Click + Add Role at the upper right of the Role tab.

  4. In the Add role dialog that is displayed, provide a Name and Description for the new custom role.

    Tip: To view only vendors and accounts for which permission types are selected, click the Show Selected button.

  5. In the Select Accounts section, select permission type (Manage or Read-only) on the vendor levels and account levels as needed for the role.

    • To apply permission types per individual accounts, select the required permission check box for each account.

    • To apply a permission type for all the accounts of the same vendor, select the required permission check box at the vendor level.

    • Do not select any checkbox to the right of accounts that should not be viewed by users on the basis of this custom role.

      See Permissions Table.

      Note The table below describes the capabilities granted regarding an account or vendor depending on whether the Read-only permission is selected or the Manage permission is selected.

      Capability

      		 Read-only Manage
      View Accounts ü ü
      Delete or Update Account Credentials   ü
      View Inventory ü ü
      View Network Policies ü ü
      Manage Network Policies   ü
      View and Export Risks ü ü
      Suppress/Activate Risks and Risk Triggers   ü

  6. Click Save. at the bottom of the dialog.

    Now you can apply the this custom role to users.

To edit a custom role:

  1. Under Settings, click Access Management.

    The User Tab of the Access Management page is displayed.

  2. Click Roles.

    The Roles tab is displayed.

  3. Click more and then click edit to the right of the custom role you wish to edit.

  4. Edit the form as required.

    Note: You cannot edit the name of the role.

    Tip: To view only vendors and accounts for which permission types are selected, click the Show Selected button.

  5. Edit the Select Accounts section as required:

    • To apply permission types per individual accounts, select the required permission check box for each account.

    • To apply a permission type for all the accounts of the same vendor, select the required permission check box at the vendor level.

    • Do not select any checkbox to the right of accounts that should not be viewed by users on the basis of this custom role.

      See Permissions Table.

      Note The table below describes the capabilities granted regarding an account or vendor depending on whether the Read-only permission is selected or the Manage permission is selected.

      Capability

      		 Read-only Manage
      View Accounts ü ü
      Delete or Update Account Credentials   ü
      View Inventory ü ü
      View Network Policies ü ü
      Manage Network Policies   ü
      View and Export Risks ü ü
      Suppress/Activate Risks and Risk Triggers   ü
  6. Click Save. at the bottom of the dialog.
    The updated custom role is updated for the users to which it has been applied and can be applied to new users.
    See Add a new user and Edit a user.

Manage Single Sign-On (SSO)

Enable SSO login on your tenant to give users access to multiple services with a single authentication, reducing password fatigue and providing an easier sign up and log in experience.

Note: AlgoSec SaaS applications officially support Azure Active Directory and Okta as SSO providers. Other SAML2 SSO providers may also work. Try to enable following the instructions below. If you encounter difficulties contact AlgoSec support for assistance.

Note: When SSO is enabled, users appear on the Access Management page USERS tab only after first login. They are assigned a default system role Auditor, which can be edited later.

Important: Users must have a valid email address, surname (last name), given name (first name), and name identifier in the relevant fields of the Identity Provider.

Set SAML attributes as specified by your identity provider.

  • For Active Directory, use:

    • Attribute Name= http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  Value=user.email

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Value= user.surname

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Value= user.givenname

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and Value= user.principalname

  • Similarly for Okta, use recommended attribute statements:

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and Name Format=URI reference format and Value=user.email)

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Name Format=URI reference format and Value= user.lastName

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Name Format=URI reference format and Value= user.firstName

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifyer and Name Format=URI reference format and Value= user.login

To configure SSO user authentication

  1. In Access Management, click the SSO SETUP tab.

  2. Enter the email of the IT admin associated with your account and click Send Parameters.

    The application parameters are sent to that email address.

    Note: Using the details sent by CloudFlow, the IT admin generates the XML metadata file needed for the next step.

    Tip for IT department: For more information about Federation Metadata XML, refer to Identity provider documentation.

  3. Upload the XML metadata file provided by the IT admin and then click Activate SSO.

    Once activated, all users in the Users tab can log in with SSO.

    Note:

    • A check appears on the Users tab in the SSO Authenticated column after a user logs in at least one time using SSO.

    • +Add User is disabled for SSO-enabled tenants. Contact your IT department to add additional users.

Deactivate / Reactivate SSO

To deactivate SSO: Administrators can deactivate SSO on a tenant by clicking Deactivate SSO.

To reactivate SSO: Administrators can reactivate SSO using the previously stored XML metadata file by clicking Reactivate SSO.

Track User Activity

The User Activity tab lists user activities detected by the system, including who initiated the activity and when. This makes it easy to check that users are following established protocols, and assists in preventing and tracking down fraud.

Note: User activity is based on the last three months of recorded data.

The following is a list of the user activity tracked by CloudFlow:

Category Event Description
User management User creation A new user was added to the system.
SSO user creation A new user was added to the system using an SSO login session.
User deletion A user was removed from the system.
User modification User information or role was updated.
API management API creation A new access key was created.
Role management Role creation A new role was added to the system.
Role deletion A role was removed in the system.
Role modification An existing role in the system was updated.
Access management SSO Activated Single Sign-On (SSO) was enabled.
SSO Deactivated Single Sign-On (SSO) was disabled.
User Activity User login User login-related activity was detected.
API Activity API connection Access key logged in.
API management API deleted Access key was deleted.
API updated Access key was renamed or configuration changed.

The following details are displayed for each recognized activity:

Column Name Description
Category The category type of the activity detected.
Event Event name as identified in the system.
Initiator Username or access key name (of the API) that initiated the activity.
Time stamp The date and time (UTC) the action took place.
Description Easy-to-understand description of the event.

Search and filtering options

Use the search and filters to see a targeted selection of user activities.

Search Search activities by any of the fields (except for time stamp).
Time range Display activities occurring within the specified dates.
Category Filter activities by category type.
Event Filter activities by event type.
Initiator Filter activities by the username(s) or access key name(s) that initiated the activity.

Export user activites

Export a list of user activities to a CSV file for easy sharing and further analysis.

Do the following:

  1. (Optional) Customize the list of user activites displayed by using the Search and filtering options as needed.

  2. Click .

    The Confirm export popup window appears.

  3. In the Confirm export popup, click Yes.

    A CSV file of the user activites is saved in the browser's download folder.