Groups

The Groups page shows all the user groups in your organization, and lets you create and configure groups.

Figure 1. Groups page

Groups page

Group membership

The access that Vantage grants to a user depends on the group that the user is a member of.

Your identity provider (IdP) normally manages group membership. When a user logs in to Vantage, the group membership details are read from the IdP, and the user is updated in Vantage. The user will be added to, or removed from, groups as necessary. When changes to group membership are made in your IdP, they will be applied the next time the user logs in to Vantage.

A security assertion markup language (SAML) user must belong to a group that is defined in both Vantage, and the IdP. If this is not the case, the user will be denied access in Vantage. Groups are not synchronized between Vantage and your IdP. This can result in situations where groups in your IdP do not exist in Vantage, or groups in Vantage do not exist in your IdP. If a SAML user definition changes in the IdP, and none of its SAML groups now exist in Vantage, access will be denied.

Role assignments

The role assignments of a group determine the access granted to its users. This controls both access rights, and the scope where they apply.

Predefined roles set the combination of rights that the users of the group are granted. For example, the role of Admin has complete access, whereas, the role of Assets Operator has a much more limited set of permissions.

You can also select an organization in order to define access. If no organization is specified, the permissions for the role assignment will apply to your entire Vantage instance.

You can also further limit scope to a specific tag, or site, that has been defined in the organization. For more details, see Role assignment scope.

Nozomi Networks recommends that you assign the most restrictive permissions that still allow your users to perform their tasks. Combine roles that apply to differing tags, sites, and organizations to create an access control policy that protects your Vantage instance, but does not hinder your users.

Note: You should try to create the simplest, highest-level, most restrictive, access control policy that still permits your users to protect your assets.

Role assignment scope

If you do not specify an organization when you create a role assignment, access is granted for all objects in Vantage. For example, you could create an Alerts Operator role that grants access to all alerts in every organization.

To create a more granular access control policy, you can create multiple role assignments and restrict each one to a specific organization.

When you limit the scope of a role assignment to a specific organization, you can further limit the scope to an individual site, or tag, within that organization.

By defining different role assignments for various combinations of organization, tag, and site, you can create an access control policy that correctly grants, and denies, access to each Vantage user.

When you create multiple role assignments for a group, their scopes can overlap. For example, you can create two role assignments for a single organization, tag, or site. This might seem to be a permissions conflict, but in Vantage, granted permissions are cumulative. When multiple roles apply, the most lenient permission is granted.

If you were to assign to a group the role of both:
  • Alerts Operator: Grants all access to alerts
  • Assets Operator: Denies all access to alerts

In this scenario, the user will be granted all access to alerts.

Add

This button lets you add a group.

Columns

The Columns button lets you select which of the available columns for the current page will show.

Refresh

The Refresh icon lets you immediately refresh the current view.

Live

The Live toggle lets you change live view on, or off. When live mode is on, the page will refresh periodically.