
Managing multiple user accounts using Access Permissions

Use this method to enable dynamic access through access permission rules. This method requires an Active Directory domain integration. For more information on AD integration, refer to this topic.

Create access rules to grant GravityZone Control Center access to Active Directory users, based on security groups.

Prerequisites

AD domain is integrated with GravityZone. To integrate and synchronize AD domains, refer to the Active Directory Integration section.

Dependencies

Access permission rules are tied to AD domains and user accounts. If one of these changes, the others are likely to be affected. This is what you need to know about the relation between rules, users and AD domains:

  • Access rules become read-only once an associated AD domain is no longer integrated with GravityZone. Users associated with these rules become inactive.

  • An access rule adds a user account only if the email is not already associated with an existing account.

  • For duplicate email addresses within a security group, the access rule creates a GravityZone user account only for the first AD user that logs in to Control Center.

  • User accounts created through access rules become inactive if they are removed from their associated AD security group. The same users can become active if they are associated with a new access rule.

  • User accounts created through access rules cannot delete locally created users.

  • User accounts created through access rules cannot delete similar accounts that have the Company Administrator role.

Creating multiple user accounts

To add multiple user accounts, you create access permission rules. The access permission rules are associated with Active Directory security groups.

To add an access permission rule:

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration > Active Directory > Access permissions page from the left side menu.

  3. If you have multiple integrations, select a domain at the upper-left side of the table.

  4. Click Add at the left side of the table.

  5. Configure the following access permission settings:

    • Priority. Rules are processed in priority order. The lower the number, the higher the priority.

    • Name. The name of the access rule.

    • Domain. The domain from which to add security groups.

    • Security groups. The security groups that contain your future GravityZone users. You can use the autocomplete box. Security groups added in this list are not subject to change, addition or deletion after you save the access rule.

    • Timezone. The timezone of the user.

    • Language. The console display language.

    • Role. Predefined user roles. For more details, refer to the User roles section.

      Note

      You can grant and revoke privileges for other users whose privileges are equal to or fewer than those of your account.

    • Rights. Each predefined user role has a certain configuration of rights. For more details, refer to the User rights section.

    • Select targets. Select the network groups the user will have access to for each available security service. You can restrict the user access to a certain GravityZone security service or to specific areas of the network.

      Note

      The target selection options are not displayed for users with the Manage Solution right, who, by default, have privileges over the entire network and security services.

  6. Click Save.

    The access rule is saved if there is no user impact. Otherwise, you are prompted to specify user exclusions. For example, when you add a rule with a higher priority, impacted users associated with other rules are tied to the former rule.

  7. If needed, select the users you want to exclude.

  8. Click Confirm. The rule is displayed in the Access permissions page.

Users within the security groups specified by the access rules can now access GravityZone Control Center with their domain credentials. Control Center automatically creates new user accounts when they log in for the first time, using their Active Directory email address and password.

User accounts created through an access rule have the name of the access rule displayed in the Accounts page, under the Access rule column.
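To preview the user impact described in step 6 before saving a rule, you can model the priority order offline from an AD group export. The following is an added example, not Bitdefender code or a GravityZone API; it assumes a user is tied to the matching rule with the lowest priority number, and all names, groups and accounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number = higher priority (as stated on this page)
    name: str
    groups: frozenset  # AD security groups attached to the rule
    role: str

def effective_rule(user_groups, rules):
    """Assumed model: the matching rule with the lowest priority number wins."""
    matches = [r for r in rules if r.groups & set(user_groups)]
    return min(matches, key=lambda r: r.priority, default=None)

def impact(ad_users, before, after):
    """Accounts whose effective rule changes: account -> (old rule, new rule, new role)."""
    changed = {}
    for account, _email, groups in ad_users:
        old, new = effective_rule(groups, before), effective_rule(groups, after)
        if old != new:
            changed[account] = (old.name if old else None,
                                new.name if new else None,
                                new.role if new else None)
    return changed

def duplicate_emails(ad_users):
    """Emails shared by several accounts in one group; only the first to log in gets an account."""
    seen = defaultdict(list)
    for account, email, groups in ad_users:
        for group in groups:
            seen[(group, email.lower())].append(account)
    return {key: accts for key, accts in seen.items() if len(accts) > 1}

# Constructed sample data: (account, email, security groups)
AD_USERS = [
    ("alice", "alice@example.test", {"SOC-Analysts"}),
    ("bob", "bob@example.test", {"SOC-Analysts", "GZ-Admins"}),
    ("bob-adm", "bob@example.test", {"GZ-Admins"}),
    ("carol", "carol@example.test", {"Helpdesk"}),
]
RULES = [Rule(10, "Analysts", frozenset({"SOC-Analysts"}), "Security Analyst")]
NEW = Rule(5, "Admins", frozenset({"GZ-Admins"}), "Company Administrator")

if __name__ == "__main__":
    for account, change in impact(AD_USERS, RULES, RULES + [NEW]).items():
        print(account, change)  # review role changes before clicking Save
    print(duplicate_emails(AD_USERS))
```

Accounts that move to a rule with a more privileged role are the ones to review or exclude when Control Center prompts for user exclusions.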

Editing multiple user accounts

Edit accounts to keep account details up to date or to change account settings.

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration > Active Directory > Access Permissions page from the left side menu.

  3. Select the name of your access rule to open the configuration window.

  4. Edit access permission settings.

  5. Click Save. The rule is saved if there is no user impact. Otherwise, you are prompted to specify user account exclusions. For example, if you update a rule priority, impacted users can switch to a different rule.

  6. If needed, select the users you want to exclude.

  7. Click Confirm to save changes.

    Note

    You can unlink user accounts created through an access rule by modifying their rights in Control Center. The user account cannot be linked back to the access rule.

Deleting multiple user accounts

To delete an access rule:

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration > Active Directory > Access permissions page from the left side menu.

  3. Select the access rule that you want to delete and click Delete. A window prompts you to confirm your action. The access rule is deleted if there is no user impact. Otherwise, you are prompted to specify user exclusions. For example, you may want to specify user exclusions for users impacted by rule deletion.

  4. If needed, select the users you want to exclude.

  5. Click Confirm.

User account exclusions

When you add, edit or delete access rules that result in user impact, you may want to specify user exclusions. You can also view the reason and the effects for the impacted users.

Specify user exclusions as follows:

  1. Select the users you want to exclude. Or, select the checkbox at the top of the table to add all users to the list.

  2. Click X within a username box to remove it from the list.