User group management is the process of organizing users into coherent groups or roles within a CSPM tool. Grouping users gives organizations a streamlined approach to access management (AM): permissions are assigned to the group once and every member inherits them, instead of being granted to each user individually. Administrators create groups, allocate users to them, and manage group membership over time. This is the preferred method for assigning the same permissions to many users. Creating a user group consists of the following steps:
- Creating a new group: The group acts as a container for adding users with a single set of permissions.
- Setting group permissions: Choose what permissions you would like the group to have.
- Adding users to the group: When users are added to the group, they all receive the same permissions and the same cloud account access.
Most CSPM tools ship with built-in user roles that cover the distinct sets of permissions an organization most commonly needs. Let us look at some built-in roles.
Built-in user roles
As with other Software-as-a-Service (SaaS) tools, built-in user roles in CSPM are predefined roles that come with the tool’s default configuration. These roles are designed to provide distinct levels of access and permissions to users based on their responsibilities and tasks within the CSPM environment. The following are common built-in user roles you may find in CSPM tools:
- Super-admin/administrator/owner: The administrator or owner role typically has the highest level of access and control over the CSPM tool. Administrators have complete administrative privileges, allowing them to configure settings, manage user accounts, define permissions, and access all features and functionalities of the tool. They have the authority to make changes, create and modify policies, and oversee the overall operation of the CSPM tool. Because this role can alter who else has access and which policies are enforced, its membership should be kept to a minimum and protected with strong authentication.
- Auditor/viewer/read-only: The auditor, viewer, or read-only role is for users who need read access to the CSPM tool without making any modifications. Users with this role can view security findings, reports, dashboards, and other relevant information but do not have the authority to change settings, configure policies, or modify user permissions. This role is suitable for stakeholders who need visibility into the security posture and compliance status of the cloud environment. Note that read-only is not the same as harmless: findings describe exploitable misconfigurations in the environment, so this role should still be granted deliberately.
- Security analyst/operator: Security analysts or operators play an active role in investigating security findings, triaging alerts, and taking appropriate actions within the CSPM tool. They have permissions to interact with security data, manage remediation workflows, communicate with other team members, and access specific features related to security analysis and incident response (IR). However, they may not have administrative capabilities or access to sensitive configuration settings.
- Compliance manager: Compliance managers have specialized roles focused on ensuring adherence to regulatory requirements and internal policies. They have access to compliance-related features within the CSPM tool, such as defining compliance rules, benchmarks, and requirements. Compliance managers can generate compliance reports, track the organization’s compliance posture, and oversee remediation activities related to compliance violations.
- Cloud account/resource owner: Some CSPM tools offer roles specific to individual cloud accounts or resource owners. These roles provide users with permissions to view and manage security findings, configurations, and compliance posture for their owned cloud resources. Resource owners can monitor and take actions related to the security of their specific cloud accounts or resources while maintaining segregation from other areas of the organization. For example, in the Orca CSPM tool, you can group the onboarded cloud accounts into business units (BUs) and provision access to the responsible team.
- Custom roles: Most CSPM tools also offer custom roles and additional permissions to cater to specific requirements or to provide more granular access control within the tool.
These built-in user roles provide a foundation for managing access and permissions in CSPM tools. They offer predefined levels of access and authority, aligning with common organizational roles and responsibilities. However, the specific roles available vary from one CSPM tool to another. Organizations should assign these built-in user roles based on each user’s responsibilities and the principle of least privilege (PoLP), ensuring that users have only the access they need to perform their tasks while minimizing the risk of unauthorized actions or data breaches.
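To make the group-and-role scheme above concrete, the following is an added example (not code from the original text or from any CSPM vendor) that models the three group-creation steps, the built-in roles just listed, and the account-scoped "resource owner" pattern in plain Python. The permission names, role names, group names, user names and AWS account IDs are all constructed for illustration and do not correspond to any real product's API; the `unused_grants` method shows the kind of least-privilege check you would run by comparing effective grants against the actions actually observed in the tool's audit log.

```python
"""Group-based access control for a hypothetical CSPM tool (added example).

The permission vocabulary, role names and account IDs below are constructed
for illustration and do not match any vendor's real API.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

ALL_ACCOUNTS = "*"  # wildcard: the group's roles apply to every onboarded cloud account

# Constructed permission vocabulary for the toy tool.
ALL_PERMISSIONS: FrozenSet[str] = frozenset({
    "findings:read", "findings:triage", "remediation:run",
    "reports:read", "dashboards:read",
    "compliance:rules:write", "compliance:reports:read",
    "policies:write", "settings:write", "users:manage",
})

# Built-in roles modelled on the list in the text; the administrator role gets everything.
BUILT_IN_ROLES: Dict[str, FrozenSet[str]] = {
    "administrator": ALL_PERMISSIONS,
    "read_only": frozenset({"findings:read", "reports:read", "dashboards:read",
                            "compliance:reports:read"}),
    "security_analyst": frozenset({"findings:read", "findings:triage", "remediation:run",
                                   "reports:read", "dashboards:read"}),
    "compliance_manager": frozenset({"findings:read", "reports:read", "dashboards:read",
                                     "compliance:rules:write", "compliance:reports:read"}),
}


@dataclass(frozen=True)
class Group:
    """A container of users that carries one set of roles, scoped to some cloud accounts."""
    name: str
    roles: FrozenSet[str]
    accounts: FrozenSet[str]


@dataclass
class Directory:
    groups: Dict[str, Group] = field(default_factory=dict)
    membership: Dict[str, Set[str]] = field(default_factory=dict)  # user -> group names

    # Steps 1 and 2: create the group and set its permissions (expressed as built-in roles).
    def create_group(self, name: str, roles: Iterable[str],
                     accounts: Iterable[str] = (ALL_ACCOUNTS,)) -> Group:
        role_set = frozenset(roles)
        unknown = role_set - BUILT_IN_ROLES.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        group = Group(name, role_set, frozenset(accounts))
        self.groups[name] = group
        return group

    # Step 3: add users; every member receives the group's permissions.
    def add_user(self, user: str, group_name: str) -> None:
        if group_name not in self.groups:
            raise KeyError(group_name)
        self.membership.setdefault(user, set()).add(group_name)

    def effective_permissions(self, user: str, account: str) -> FrozenSet[str]:
        """Union of the roles of every group the user belongs to that covers `account`."""
        perms: Set[str] = set()
        for group_name in self.membership.get(user, ()):
            group = self.groups[group_name]
            if ALL_ACCOUNTS in group.accounts or account in group.accounts:
                for role in group.roles:
                    perms |= BUILT_IN_ROLES[role]
        return frozenset(perms)

    def is_allowed(self, user: str, permission: str, account: str) -> bool:
        return permission in self.effective_permissions(user, account)

    def unused_grants(self, user: str, account: str, used: Set[str]) -> FrozenSet[str]:
        """Least-privilege check: permissions granted on `account` that never appear in
        `used` (for example, the actions seen for that user in the tool's audit log)."""
        return self.effective_permissions(user, account) - used


def build_demo() -> Directory:
    """Constructed directory: four groups, four users, two (fake) AWS account IDs."""
    d = Directory()
    d.create_group("platform-admins", ["administrator"])
    d.create_group("soc-analysts", ["security_analyst"])
    d.create_group("auditors", ["read_only"])
    # Cloud account/resource owner pattern: analyst rights limited to one business unit's account.
    d.create_group("bu-payments-owners", ["security_analyst"], accounts=["aws-111111111111"])
    d.add_user("alice", "platform-admins")
    d.add_user("bob", "soc-analysts")
    d.add_user("carol", "bu-payments-owners")
    d.add_user("dave", "auditors")
    return d


if __name__ == "__main__":
    d = build_demo()
    for user, perm, acct in [("alice", "settings:write", "aws-222222222222"),
                             ("bob", "settings:write", "aws-222222222222"),
                             ("carol", "findings:triage", "aws-111111111111"),
                             ("carol", "findings:triage", "aws-222222222222")]:
        print(f"{user:6} {perm:18} on {acct}: {d.is_allowed(user, perm, acct)}")
    print("dave's unused grants:",
          sorted(d.unused_grants("dave", "aws-111111111111", {"findings:read"})))
```

Two design points carry over to real tools: permissions are resolved as the union of everything a user's groups grant, so adding someone to a second group only ever widens their access, and account scoping is evaluated per request, which is what keeps a business-unit owner from triaging findings in accounts they do not own.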
Let us now understand another important topic: managing API tokens.