A reference overview of role-based user access control to manage access to the Intelligence Center and its resources.
EclecticIQ Intelligence Center manages and controls resource access and consumption by defining access profiles at different access tiers with the following characteristics:
Users: individual Intelligence Center consumers.
They can access the Intelligence Center by signing in with their designated account credentials, such as user name and password.
Example: mhamilton / Apollo11
Groups: multiple users brought together under a common umbrella.
They share the same access rights to selected allowed data sources, such as specific datasets, feeds, enrichers, and other groups.
Example: Threat analysts
User groups control their members' access to specific Intelligence Center data, assets, and resources through the following mechanisms:
Allowed sources: data origins of content stored in the Intelligence Center.
Selecting an allowed data source for a group means that all group members can access the Intelligence Center content produced by that data source.
Data sources can be existing incoming feeds, enrichers, and other user groups.
Example: Entities from Feed A
TLP: TLP stands for Traffic Light Protocol.
TLP color codes flag information to provide handling and sharing guidelines.
You can assign a TLP color value to restrict access to the following Intelligence Center items:
Data you receive via incoming feeds and send out via outgoing feeds.
Data created by users belonging to the groups associated with allowed data sources.
Roles: the expected functions assigned to an individual user or to a group of users.
Roles represent sets of actions users can be tasked with.
Roles group permissions to define the read and modify behaviors appropriate to the functions they represent.
Example: Team lead
Permissions: rules and policies constraining user scope.
Permissions delimit scope by defining the types of action users are authorized to carry out.
For example: read; modify (that is, create, edit, and delete).
Role-based permissions define:
The type of actions users are allowed to perform.
The type of objects users are allowed to interact with.
Group-based allowed sources and TLP define:
Specific Intelligence Center data, assets, and resources users are allowed to access.
Write access to user profiles depends on the permissions assigned to a user role.
Usually, admin roles include the modify users permission, and they have read and write access to user profiles.
Non-admin roles should not require this permission: they should be able to edit their own user profiles, and they should access other user profiles in read-only mode.
If you want to configure Intelligence Center users so that they can view their own user profile, but they are not allowed to view any details about other users' profiles, assign them to a role that does not include the read users permission.
If a user has a role that includes the read users permission, that user can access the profile of other Intelligence Center users to view their details.
About user access
The following sections outline the user profile fields that admin and non-admin users can and cannot change, whether they attempt the change through the web-based GUI or by sending API requests.
Any non-editable fields displayed to users on the web-based GUI are grayed out.
API requests use basic authentication and an API Bearer token. Unauthorized API requests always return a 401 HTTP error status code.
Admins can change
Admin users can change the following externally managed/LDAP-controlled profile fields:
Admins cannot change
Admin users cannot change externally managed/LDAP-controlled profile fields because LDAP manages and provides the corresponding values:
Non-admins can change
Non-admin users can change only the following fields in their user profile:
Non-admins cannot change
Non-admin users cannot change externally managed/LDAP-controlled profile fields because LDAP manages and provides the corresponding values:
Non-admin users can modify their profile, but they cannot:
Grant themselves admin rights.
Change group and role settings.
Modify other user profiles in any way, including by sending requests directly to the API endpoints.
Inactive users, that is, users whose is_active field is set to False, cannot make API calls even if they hold a Bearer token that is still valid because it was issued before their status changed to inactive.
In this case, an API request returns a 401 HTTP status code, along with a User is inactive notification message.
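The access model described above (role permissions deciding the action and object type, group allowed sources and TLP deciding which data is reachable) and the inactive-user rule in the previous two sentences can be illustrated with a single authorization decision. The following is an added example written for this page, not EclecticIQ's own code; the TLP ordering, the data classes and the sample roles and groups are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed TLP ordering for this example: a group's tlp_limit is the most sensitive colour its members may still access.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

@dataclass(frozen=True)
class Role:          # permissions are (action, object type) pairs
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class Group:         # allowed_sources: feeds, enrichers or other groups
    name: str
    allowed_sources: frozenset
    tlp_limit: str

@dataclass(frozen=True)
class User:
    name: str
    is_active: bool
    roles: tuple
    groups: tuple

@dataclass(frozen=True)
class Entity:        # source is the producer of the content
    source: str
    tlp: str

def authorize(user, action, entity):
    """Return (allowed, reason); every check must pass, a single denial wins."""
    # Inactive users are refused before any permission check, even if
    # they present a token issued while they were still active.
    if not user.is_active:
        return False, "User is inactive"
    # Role-based: the action on this object type must be granted by a role.
    if not any((action, "entities") in r.permissions for r in user.roles):
        return False, f"no role grants '{action}' on entities"
    # Group-based: the producer must be an allowed source of one of the
    # user's groups, and the entity's TLP must not exceed that group's limit.
    groups = [g for g in user.groups if entity.source in g.allowed_sources]
    if not groups:
        return False, f"source '{entity.source}' is not an allowed source"
    if all(TLP_ORDER[entity.tlp] > TLP_ORDER[g.tlp_limit] for g in groups):
        return False, f"TLP:{entity.tlp} exceeds the group's TLP limit"
    return True, "ok"

# Constructed sample roles and group, not taken from any real deployment.
ANALYST = Role("Threat analyst", frozenset({("read", "entities")}))
LEAD = Role("Team lead", frozenset({("read", "entities"), ("modify", "entities")}))
TEAM = Group("Threat analysts", frozenset({"Feed A"}), "AMBER")
```

Note that the checks are independent: a user may hold a role that permits modifying entities and still be denied because the entity comes from a feed that is not an allowed source of any of their groups, or because its TLP colour is above the group's limit.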