Manage groups

Intelligence Center administrators can configure and manage user groups to control access rights to EclecticIQ Intelligence Center data sources at team or department level.

Access to data sources delimits the territory users can explore: entities in EclecticIQ Intelligence Center belong to one or more sources.

By allowing access to a specific subset of data sources in EclecticIQ Intelligence Center, you make sure you compartment your intelligence, distribute information to the appropriate recipients, and avoid sharing sensitive information with an unintended audience.

Note

To edit user groups, users require:

• The checkbox Administrator to be checked in the Edit user view.

• Or a non-admin access level that includes the modify groups permission.

EclecticIQ Intelligence Center manages and controls resource access and consumption by defining access profiles at different access tiers with the following characteristics:

• Users: individual Intelligence Center consumers.

  They can access EclecticIQ Intelligence Center by signing in with their designated account credentials, such as user name and password.

  Example: mhamilton / Apollo11

• Groups: multiple users brought together under a common umbrella.

  They share the same access rights to selected allowed data sources, such as specific datasets, feeds, enrichers, as well as other groups.

  Example: Threat analysts

  User groups enable controlling user group members’ access to specific Intelligence Center data, assets, and resources through the following mechanisms:

  • Allowed sources: data origins of content stored in EclecticIQ Intelligence Center.

    Selecting an allowed data source for a group means that all group members can access Intelligence Center content that the data source in question is the producer of.

    Data sources can be existing incoming feeds, enrichers, as well as other user groups.

    Example: Entities from Feed A

  • TLP: TLP stands for Traffic Light Protocol.

    TLP color codes flag information to provide handling and sharing guidelines.

    You can assign a TLP color value to restrict access to the following Intelligence Center items:

    • Entities.

    • Data you receive via incoming and send out via outgoing feeds.

    • Data created by users belonging to the groups associated with allowed data sources.

• Roles: the expected functions assigned to an individual user or to a group of users.

  Roles represent sets of actions users can be tasked with.

  Roles group sets of permissions to define the allowed read and modify behaviors that are appropriate to the functions they are related to.

  Example: Team lead

• Permissions: rules and policies constraining user scope.

  Permissions delimit scope by defining the types of action users are authorized to carry out.

  For example: read; modify (that is, create, edit, and delete.)

Note

• Role-based permissions define:

  • The type of actions users are allowed to perform.

  • The type of objects users are allowed to interact with.

• Group-based Allowed sources and TLP define:

  • Specific Intelligence Center data, assets, and resources users are allowed to access.

When you assign permissions to a role, either to modify an existing role or to define a new role, make sure you understand what permissions are and how they work in EclecticIQ Intelligence Center.

For more information, see:

• Intelligence Center permissions

• Default Intelligence Center roles

• Permissions to access settings

• Permissions to access data

For all the procedures explained in this topic, go first to the Groups view:

• In the side navigation bar click , select User management, and then click the Groups tab.

Note

Required fields are marked with an asterisk (*).

View groups

1. In the Groups view, click anywhere in the row of the group you want to view.

   The Group detail pane is displayed.

2. Click the Overview tab to see a list of the allowed sources the group, and therefore the users that belong to it, have access to.

   Besides the name of the data source you can see if it is an enricher, a feed, or a group, and a TLP color code providing the level of allowed access.

3. Click the Users tab to view a list of the users belonging to the group.

   You can sort the items on the view by column header. To do so, click the column header you want to base the data sorting on.

   An upward-pointing or a downward-pointing arrow in the header indicates ascending and descending sort order, respectively.

4. Click the History tab to display an overview in reverse chronological order of the actions performed on the user group since its creation.

   This reference view enables you to inspect what happened to the user group (the action), who did it (the user who carried out the action), and when it happened (the date and time).

Create groups

1. In the Groups view, go to the top-left corner, and click .

   The Create group view is displayed.

2. In the Name field, enter a descriptive name for the group.

   Example: Fraud analysts

3. In the Description field, enter a short description of the automation group and its purpose.

   Example: Groups fraud analysts from the Black, Red, and Pale Fuchsia teams.

4. Under Allowed sources, click Add or More to add new rows and to assign the group as many allowed data sources they can access as needed.

   Allowed sources are tied to Groups.

   They define what Intelligence Center data, assets, and resources users are allowed to access.

5. From the Source drop-down menu, select one or more data sources the user group and its members can access to fetch data from.

   Data sources can be existing incoming feeds, enrichers, as well as other user groups.

   Note

   If you do not specify any data source, the current group becomes the default allowed data source

6. From the TLP drop-down menu, select a Traffic Light Protocol color to filter data accordingly.

   Default value: red.

7. Click + Add or + More to add new rows and to assign the group as many allowed data sources they can access as needed.

8. From the Source reliability drop-down menu, select a source reliability that entities created with the source of this group can inherit.

9. From the Allowed roles drop-down menu, select one or more roles that group admins can assign to member users of the groups they are admin of.

   Alternatively:

   • Start typing a role name in the autocomplete text input field.

   • Select one or more filtered roles from the matching result list.

   To remove a selection, go to the item(s) you want to remove, and click the cross icon X.

   To remove all selections at once, click the cross icon X next to the drop-down menu arrow in the input field.

   Alternatively, click Unselect all options.

   This setting protects from unwanted privilege escalation by limiting the set of role-based permissions group admins can grant to their group members: they are allowed to assign to the users belonging to the groups they manage only the role subset you define here.

10. To store your changes, click Save; to discard them, click Cancel.

    To access additional save options, click the down arrow on the Save button:

    • Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.

      For example, a new dataset, feed, policy, rule, task, or workspace.

    • Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.

Edit groups

1. In the Groups view, go to the row of the user group you want to modify, click and select Edit.

   Alternatively: click anywhere in the row of the user group you want to modify, go to the top-right corner of the Group detail pane, click , and select Edit.

   The Edit group view is displayed.

2. Change the user group details as necessary.

3. To store your changes, click Save; to discard them, click Cancel.

Manage the users of a group

Intelligence Center administrators, group administrators, or users with the modify users and modify user-groups can edit, remove, or add group users.

Group admins can only manage the users of the group they are admins of. If they are admins of two or more groups, they will be able to add from one of their groups to another.

Filter group users

1. In the Groups view, click anywhere in the row of the group you want to view.

   The Group detail pane is displayed.

2. Click the Users tab.

3. Click , and click Roles.

4. Select one or more checkboxes to display only group users with the selected role(s).

5. To remove the filter, deselect the checkboxes.

Add one or more users to a group

1. In the Groups view, click anywhere in the row corresponding to the group you want to add users to.

   The Group detail pane is displayed.

2. Click the Users tab.

3. Click +.

4. From the drop-down menu select Add existing user.

   1. Select one or more users from the list to add to the group.

   2. You can also search for a user by starting typing a user name in the autocomplete search input field .

   3. Click Assign to add the selected existing user(s) to the group, or Cancel to abort the operation.

5. Alternatively:

   1. From the drop-down menu select Create user.

   2. Create a new user.

   3. Click Save to add the newly created user to the group, or Cancel to abort the operation.

This is a handy option to add users to a group on the fly.

To add a user to multiple groups, you can go to their user profile, where you can select groups and roles.

Remove users from a group

1. In the Groups overview, click anywhere in the row of the group you want to remove users from. The Group detail pane is displayed.

2. Click the Users tab.

3. Go to the row of the user you want to remove, click , and select Remove from group.

4. In the confirmation dialog, click Remove to confirm the action.

   This is a handy option to remove users from a group on the fly.

To remove a user from multiple groups at once, do the following:

1. In the Groups overview, click anywhere in the row of the group you want to remove users from.

   The Group detail pane opens.

2. Click the Users tab.

3. Go to the row of the user you want to remove, click , and select Edit.

   The Edit user view is displayed.

4. Go to the Groups section, where you find an overview of all the groups the user belongs to.

5. Go to the row of the group you want to remove the user from, and click the X in the top-right corner.

   Repeat this for each group you want to remove the user from.

6. To store your changes, click Save; to discard them, click Cancel.

   The user is removed from the group(s).

Edit users in a group

1. In the Groups view, click anywhere in the row of the group whose users you want to edit.

   The Group detail pane is displayed.

2. Click the Users tab.

3. Go to the row of the user you want to modify, and click , and select Edit.

   The Edit user view is displayed.

4. Modify the user profile as necessary.

5. To store your changes, click Save; to discard them, click Cancel.

This is a handy option to edit users in a group on the fly.

Promote to and demote users from group admin

Intelligence Center administrators and group administrators can promote and demote users to and from group admin:

• Intelligence Center administrators can promote and demote to and from group admin any active Intelligence Center users.

• Group administrators can promote and demote to and from group admin only users belonging to the groups they are admins of.

When you promote a user to group admin, you grant them user permissions to perform the following actions:

• Create and edit the profiles of any users belonging to the current group.

• Activate and deactivate the accounts of any users belonging to the current group.

• Promote to and demote from group admin any users belonging to the current group.

Promote a user to group admin

1. In the Groups view, click anywhere in the row of the group whose user you want to promote to group admin.

   The Group detail pane is displayed.

2. Click the Users tab.

3. Go to the row of the user you want to promote to group admin, and click .

4. From the drop-down menu, select Promote to group admin.

   A pop-up dialog informs you about the effects of the action, and about the broader set of permissions you are granting to the specified user.

   Click Proceed to confirm the action and to promote the selected user to group admin, or Cancel to abort the operation.

After promoting a user to group admin, their avatar displays a star badge: .

Demote a user from group admin

1. In the Groups overview, click anywhere in the row of the group whose user you want to demote from group admin.

2. The Group detail pane is displayed.

3. Click the Users tab.

4. Go to the row of the user you want to demote from group admin, and click .

5. From the drop-down menu, select Demote from group admin.

   The selected user has no longer any group admin permissions.

After demoting a user from group admin, their avatar does not display the badge any longer.

Delete groups

1. In the Groups view, go to the row of the user group you want to delete, click , and select Delete.

   Alternatively: click anywhere in the row of the user group you want to modify, go to the top-right corner of the Group detail pane, click and select Delete.

2. In the confirmation dialog, click Delete to confirm the action.

   The user group is deleted from EclecticIQ Intelligence Center.

Caution

Before deleting a group, check that is not an authorized group in an incoming or an outgoing feed configuration.

Deleting a group that is currently selected as an authorized group to access an incoming or an outgoing feed content breaks feed functionality.

If remove such a group:

1. Remove it from the Authorized groups selection in the relevant incoming and/or outgoing feed(s).

2. Proceed to delete the group.