1. Installation

Introduction

Visual Guard is a robust application security system that helps safeguard your data and systems from unauthorized access and potential breaches. It integrates seamlessly with your existing software applications and provides granular control over security, user permissions, and access rights.

Visual Guard provides two consoles for managing security settings:

  • WinConsole: A Windows application that needs to be installed on your system.
  • WebConsole: A web-based application that can be accessed from any web browser.

Additionally, Visual Guard incorporates a notion of groups, allowing you to manage multiple roles and users under one group for easier management of permissions.

Visual Guard also includes the VGIdentityServer component that supports the OAuth 2.0 and OpenID protocols. This component allows client applications to perform user authentication and authorization operations.

Getting Started

Installation

To install Visual Guard, WinConsole, and VGIdentityServer, follow the steps below:

  1. Download the Visual Guard installation package.
  2. Run the installer and follow the on-screen prompts.
  3. Restart your system after installation completes.

The WebConsole does not need to be installed and can be accessed directly from your web browser.

Configuration

After installation, you will need to configure Visual Guard to suit your application needs. This involves setting up a VGRepository, defining user roles, assigning permissions to these roles, and setting up groups.

Creating a VGRepository

A VGRepository (Visual Guard Repository) is a centralized database for Visual Guard that stores all security-related information for your application, including user roles, permissions, groups, and other security data.

Here is a basic guide on how to create a VGRepository:

  1. Launch Visual Guard WinConsole or WebConsole.
  2. Navigate to the configuration settings.
  3. Create a new VGRepository that will store all your configurations.
  4. Save your settings and exit.

Setting User Roles, Permissions and Groups

Once the VGRepository is set up, you can proceed with setting up user roles, assigning permissions to these roles, and creating groups to manage multiple roles and users:

  1. Open Visual Guard WinConsole or WebConsole.
  2. Navigate to the user roles section.
  3. Click on ‘Add new role’ and name the role.
  4. Navigate to the permissions section and assign the relevant permissions to the role.
  5. Navigate to the groups section and create a new group. Assign roles and users to the group as needed.
  6. Save your changes.

User Roles, Permissions, and Groups

With Visual Guard, you can create and manage different user roles, each with its own set of permissions. You can also create groups to manage multiple roles and users simultaneously.

2. Repository

The Visual Guard Repository (VGRepository) is a key component of Visual Guard’s security infrastructure. It stores all relevant security data for the system.

The VGRepository serves as a centralized database for all security information. This includes details about users, roles, permissions, groups, and other related security information. By consolidating this information in one place, the VGRepository facilitates the management, access, and updating of security information.

Each application secured by Visual Guard can access the VGRepository to verify permissions, authenticate users, and perform other security-related tasks.

It is important to note that managing the VGRepository should be done by an administrator or a user with appropriate permissions due to the sensitive nature of the information it contains.


Licensing

Usage of the VGRepository requires a specific license. This license ensures legal access to and use of the VGRepository and its features. Please contact the Visual Guard team or consult the official Visual Guard documentation for more information about acquiring and managing this license.


All information is encrypted inside the VGRepository, and you can select the type of encryption you want.

2.1 Password Policy

The Password Policy feature in Visual Guard is a crucial tool for maintaining the security of your applications. It allows administrators to establish rules for password creation, ensuring that all user passwords meet certain standards of complexity and security.

These rules can include requirements such as minimum length, the inclusion of uppercase and lowercase letters, numbers, and special characters. By enforcing a strong password policy, you can significantly reduce the risk of unauthorized access to your applications.

An important aspect of the Password Policy is its dynamic nature. If the policy has changed since a user’s last login and their current password does not comply with the new policy, the user will be prompted to change their password. This ensures that all existing passwords meet the current policy standards, maintaining a high level of security even when policy requirements are updated.

For instance, if the policy is updated to require a minimum of 10 characters and a user’s password is only 8 characters long, they will be asked to update their password to meet the new requirements. This proactive approach to password management helps to keep your applications secure and your users’ data protected.

In summary, the Password Policy feature in Visual Guard is a powerful tool for enhancing the security of your applications. By defining password rules and ensuring compliance with these rules, you can effectively safeguard your applications against unauthorized access.


Benefits

  1. Improved Security: A strong password policy helps to protect against unauthorized access and potential data breaches. By enforcing rules such as minimum length, use of special characters, and a mix of uppercase and lowercase letters, you make it more difficult for malicious actors to guess or crack passwords.
  2. Consistency: A password policy ensures that all users adhere to the same standards for password creation. This consistency makes it easier to manage user accounts and reduces the risk of weak passwords being exploited.
  3. User Awareness: Implementing a password policy helps to educate users about the importance of strong passwords. It encourages them to think more carefully about their password choices, which can lead to better security habits overall.
  4. Compliance: Many industries have regulations that require certain security measures, including strong passwords. A password policy can help your organization to meet these compliance requirements.
  5. Proactive Protection: With a password policy in place, you’re not just reacting to security issues – you’re proactively taking steps to prevent them. This proactive approach can save your organization time and resources in the long run.

In summary, a password policy is a critical component of a robust security strategy. It not only enhances the protection of your applications and data but also promotes better security practices among your users.

2.2 Custom Events

Overview

In addition to providing robust security features, Visual Guard allows secured applications to log custom events within Visual Guard. These custom events provide a way to track and monitor specific activities or occurrences within the application for auditing and analysis purposes.

Adding Custom Events

To add custom events in a Visual Guard-secured application, follow these steps:

  1. Identify the specific activities or occurrences that you want to log as custom events.
  2. Integrate the Visual Guard logging functionality into your application’s code.
  3. Determine the appropriate triggers or conditions for capturing the custom events.
  4. When a trigger or condition is met, use the Visual Guard API or logging mechanisms to log the custom event.
  5. Include the following metadata in the custom event log:
    • Identification Number: A unique identifier for the event.
    • Title: A concise title or summary of the event.
    • Message: Detailed information or description of the event.
    • Date and Time of Creation: The timestamp when the event was logged.

Supervising Custom Events with VGMonitoring

Visual Guard offers VGMonitoring, a monitoring component that allows you to supervise and analyze custom events logged within Visual Guard. VGMonitoring provides features such as real-time event monitoring, customizable dashboards, and reporting capabilities to gain insights into the logged custom events.

By leveraging VGMonitoring, you can effectively monitor and analyze the custom events for various purposes, including security auditing, performance analysis, and compliance monitoring.

Benefits of Custom Events

By logging custom events within Visual Guard and supervising them with VGMonitoring, you gain several benefits:

  • Audit Trail: Custom events provide an audit trail that allows you to track specific actions or occurrences within your application.
  • Compliance: Logging custom events can help meet regulatory and compliance requirements by providing a comprehensive record of relevant activities.
  • Analysis and Monitoring: VGMonitoring enables you to monitor and analyze the logged custom events in real-time, generate reports, and gain insights into application usage, user behavior, and system performance.

Retrieving and Analyzing Custom Event Logs

Once custom events are logged in Visual Guard and supervised with VGMonitoring, you can retrieve and analyze the event logs using the provided tools and features. This allows you to perform various analysis tasks, such as generating reports, identifying patterns, and detecting anomalies.

Considerations and Best Practices

When working with custom events in Visual Guard and VGMonitoring, keep the following considerations and best practices in mind:

  • Event Relevance: Log only the events that are relevant to your application’s security and monitoring needs.
  • Data Sensitivity: Ensure that any sensitive data logged in custom events is properly protected and handled in accordance with security and privacy guidelines.
  • Log Retention: Define a log retention policy to determine how long custom event logs should be retained for auditing and compliance purposes.
  • Integration Testing: Test the custom event logging functionality and VGMonitoring features thoroughly to ensure proper integration and functionality within your application.

How to create a new log in Visual-Guard?

You need to insert your own VGEntryLog in Visual-Guard. This log entry can have multiple parameters; all logging operations are reviewed later on.


How to audit the Visual-Guard log?

2.3 Storing your repository in a database

  • For Oracle Database Installation:
    Visual Guard will create database objects in the schema associated with the specified user account (we recommend that you create a specific schema for the Visual Guard repository). If your DBA wants to create the database manually, the database creation script is in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\Oracle. The DBA can use the script “Install.sql” and adapt it to create the database objects. The script must be modified to replace the value <VISUAL_GUARD_SCHEMA> with the name of the schema that will contain the Visual Guard database objects.
  • For SQLServer database Installation:
    Visual Guard will create the database objects in the specified database. The default database name is “visualguarddb”. If your DBA wants to create the database manually, the database creation script is in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\SQLServer. The DBA can use the script “Install.sql” and adapt it to create the database objects.

    If the repository creation wizard does not detect the database, Visual Guard will create it.


How to grant access to the Visual Guard repository

  • vg_BasicAccess: This role must be granted to a user account that will need to be authenticated by Visual Guard in your application.
  • vg_UserAdminAccess: This role must be granted to a user account that will need to access the Visual Guard console as User Administrator. This role allows you to create or edit user accounts and to grant roles to this user.
  • vg_DeveloperAccess: This role must be granted to a user account that will need to access the Visual Guard console as Developer. This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.
  • vg_FullAccess: This role must be granted to a user account that will need to access the Visual Guard console as Master administrator. This role allows you to create or edit all Visual Guard entities and to drop the repository.
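
A periodic review of who holds these roles keeps the repository on least privilege. The following T-SQL is an added example, not a script shipped with Visual Guard; it assumes a SQL Server repository in which the four vg_* roles exist as database roles, and the account name app_runtime is hypothetical.

```sql
-- Added example, not Visual Guard's own script. Assumes SQL Server and that the
-- four vg_* roles listed above exist as database roles in the repository database.
USE [visualguarddb];   -- default repository database name; change if yours differs
GO

-- 1. Direct members of each Visual Guard role, most privileged role first.
--    Membership inherited through nested roles is not expanded here.
SELECT  r.name        AS vg_role,
        m.name        AS member_name,
        m.type_desc   AS member_type,
        m.create_date AS member_created
FROM    sys.database_principals AS r
LEFT JOIN sys.database_role_members AS rm ON rm.role_principal_id = r.principal_id
LEFT JOIN sys.database_principals   AS m  ON m.principal_id = rm.member_principal_id
WHERE   r.type = 'R'
  AND   r.name IN (N'vg_FullAccess', N'vg_DeveloperAccess',
                   N'vg_UserAdminAccess', N'vg_BasicAccess')
ORDER BY CASE r.name
             WHEN N'vg_FullAccess'      THEN 1
             WHEN N'vg_DeveloperAccess' THEN 2
             WHEN N'vg_UserAdminAccess' THEN 3
             ELSE 4
         END,
         m.name;
GO

-- 2. Accounts to review by hand: anything holding vg_FullAccess (it can drop the
--    repository) and anything holding more than one vg_* role, for example an
--    application runtime account that was also given a console role.
SELECT  m.name   AS member_name,
        COUNT(*) AS vg_role_count,
        MAX(CASE WHEN r.name = N'vg_FullAccess' THEN 1 ELSE 0 END) AS has_full_access
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN (N'vg_FullAccess', N'vg_DeveloperAccess',
                   N'vg_UserAdminAccess', N'vg_BasicAccess')
GROUP BY m.name
HAVING  COUNT(*) > 1
     OR MAX(CASE WHEN r.name = N'vg_FullAccess' THEN 1 ELSE 0 END) = 1;
GO

-- 3. Members of db_owner can read and change every table in the repository
--    database regardless of the vg_* roles, so they belong in the same review.
SELECT  m.name AS member_name, m.type_desc AS member_type
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'db_owner'
  AND   m.name <> N'dbo';
GO

-- 4. Granting only what an application needs: the runtime account gets
--    vg_BasicAccess and nothing else. 'app_runtime' is a hypothetical login
--    that must already exist on the server.
IF SUSER_ID(N'app_runtime') IS NOT NULL
   AND DATABASE_PRINCIPAL_ID(N'app_runtime') IS NULL
BEGIN
    CREATE USER [app_runtime] FOR LOGIN [app_runtime];
    ALTER ROLE [vg_BasicAccess] ADD MEMBER [app_runtime];
END;
GO
```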

2.4 How to use offline mode

Introduction


Requirements


Scenario

  1. The user connects to the application with the offline mode activated. Visual-Guard will automatically save the role or roles that the user has selected in the OfflineStore.
  2. When Visual-Guard detects that the VGRepository is no longer available and that the offline mode is activated, it will load the security settings from the saved copy found in the OfflineStore.
  3. When Visual-Guard detects that the VGRepository is available again, it will synchronize the Event Viewer.


Usage


Implementation

  1. Connect to a VGRepository,
  2. Select an Application,
  3. Select the action “Regenerate the VG configuration file”, (a window will open),
  4. Select “User” or “Machine” for the Offline property,
  5. Generate the new configuration files for your application,
  6. Launch your application with the accessible repository,
  7. Sign in as a user and select a role or roles,
  8. Close your application.


Using the application

  1. Launch your application,
  2. Sign in as the same user,
  3. Your application will open (without being connected to the repository),
  4. Close your application.


Synchronizing the application with the VGRepository

  1. Connect your computer to the network (a connection to the VGRepository will be made automatically)
  2. Launch your application,
  3. Sign in as any user, Visual-Guard will synchronize the Event Viewers.


Interacting with applications in offline mode

  • CheckForOnlineStatus: Allows the repository detection method to be overridden.
  • AcceptOfflineMode: Allows rejection of the offline mode even if it has been activated.
  • UnableToSaveOffline: This event is launched when there has been a problem saving user data for offline mode. The following errors start this event:

    • The OfflineStore is currently being used by the same application,
    • The OfflineStore is full,
    • There is a connection problem while saving user data.

Note
Using the offline mode for ASP applications is not recommended.


Restrictions:

  • Offline mode cannot be used with the Visual-Guard API
  • Offline mode is not supported with the console
  • It is not possible to change a person’s Credentials.


OfflineStore Property:

  • None: offline mode is not active,
  • User: data will be saved in the current Windows user’s profile,
  • Machine: data will be saved to the computer

2.5 How to deploy a Visual Guard repository or an application

  • Copy the Visual Guard tables and data from the source database to the target database. This solution is simple, but you can only copy the full content of the repository and not a part of it, because Visual Guard stores its data in a binary format.
  • Use the Visual Guard Console. The Visual Guard console provides a Wizard that will help you to deploy the full content of your repository or the data corresponding to an application. To do that, you must be connected to your source repository, then right-click this repository and select the option “Deploy repository…”. This wizard enables you to directly deploy your repository into another one or export data as a deployment configuration file.
  • Use the deployment tool. This tool uses the deployment configuration file exported by the console and can be launched as a command line tool. This utility can be used to automate your deployment.
  • Use the deployment API. You can use this API to integrate your deployment in a custom program. The classes used by the deployment are located in the namespace Novalys.VisualGuard.Security.Deployment (assembly: vg_deployment.exe). You can contact the Visual Guard support if you need more information about this API.


How to use the deployment tool

Option                  Description
-?                      Prints the vg_deployment.exe tool Help text in the command window.
-w                      Runs the tool in Wizard mode. This is the default if no command line arguments are specified.
-t repository type      Specifies the type of the repository (Oracle, SQLServer, File). This option is not required; if it is omitted, the type of the repository is SQLServer.
-s schema name          The Oracle schema name containing the Visual Guard tables. This option is required if the type of the repository is Oracle and the user specified in the connection string is not the owner of the Visual Guard tables. This value is case sensitive.
-c connection string    The connection string to the computer running the database where the repository will be deployed. This option is required if you do not use the option -W. The user specified in the connection string must have the permissions to update and delete data in the Visual Guard tables. When the type of the repository is File, the value must contain the path of the directory where the repository will be deployed.
-f path                 The path of the deployment configuration file used by the tool. This option is not required. By default the tool uses the file “deployment.config” located in its directory.


Deploying the repository for the first time


Deployment and license key


Deployment of the parameters of the repository

Introduction

What are the parameters of the repository?

  • Password Policy,
  • Membership setting (“require unique email”, “requires password question and answer”, etc.),
  • Misc (“Supported authentication mode”, “Allow to rename user”, etc.).

Export in a configuration file

  1. Open Visual Guard,
  2. Right click on the repository,
  3. Select “Deploy repository…”,
  4. Click on next button,
  5. Select “Export data in a deployment configuration file”,
  6. Click on “Next” button,
  7. Select “Deploy parameter of the repository”,
  8. Click on “Next” button,
  9. Click on “Finish” button,
  10. Save the configuration file.
  11. Open the tool “vg_deployment.exe”,
  12. Select the configuration file,
  13. Select the type of the repository,
  14. Enter the complementary information for the repository,
  15. Click on “Ok” to begin the deployment.

Export directly in a repository

  1. Open Visual Guard,
  2. Right click on the repository,
  3. Select “Deploy repository…”,
  4. Click on next button,
  5. Select “Deploy in an existing repository”,
  6. Select the repository in the list,
  7. Click on “Next” button,
  8. Select “Deploy parameter of the repository”,
  9. Click on “Next” button,
  10. Click on “Finish” button.

Requirements

  • To use deployment of the parameters of the repository you must have version 2.8 or higher of Visual-Guard.


Restrictions

  • If you want to deploy the properties “Requires unique email” and “requires Password, question and answer”, all the users of the directory must have an email address and a question / response. If one of the users does not have this information, the deployment will be canceled and an exception will be generated.

2.6 Generating Application Configuration Files

Overview

Visual Guard provides a convenient way to generate application configuration files for securing your applications. These configuration files contain the necessary settings and information required to integrate Visual Guard’s security features into your application, including the information to connect to the VGRepository.

Using the WinConsole or WebConsole

To generate the application configuration files using Visual Guard, follow these steps:

  1. Open the Visual Guard WinConsole or WebConsole.
  2. Select the specific application for which you want to generate the configuration files.
  3. Locate the “Generate Configuration File” operation within the console interface.
  4. Execute the “Generate Configuration File” operation.

Purpose of Configuration Files

The generated configuration files serve the following purposes:

  • Security Integration: The configuration files contain the necessary settings and information to integrate Visual Guard’s security features into your application. This includes details such as authentication methods, role and permission mappings, and other security-related configurations.
  • VGRepository Connection: The configuration files also include the necessary information to connect your application to the VGRepository. This includes the connection details, such as the database server address, credentials, and other relevant information.

Configuration File Output

When you execute the “Generate Configuration File” operation, Visual Guard will generate one or more configuration files specific to your application. These files are typically in XML or other structured formats and may include information such as:

  • Security settings, including authentication methods and user management configurations.
  • Role and permission mappings for different application functionalities.
  • VGRepository connection details, including server address, credentials, and other relevant information.

Integrating Configuration Files

Once you have the generated configuration files, you need to integrate them into your application. The exact integration process may vary depending on your application’s technology stack and development environment. Typically, you would include the configuration files in your application’s build or deployment process and ensure that the application reads and applies the configurations at runtime.

Please consult your application’s documentation or development team for specific instructions on integrating the Visual Guard configuration files into your application and establishing the connection to the VGRepository.

2.7 VGRepository in SQL Server Mode for Visual-Guard

  • Overview: VGRepository in SQL Server mode refers to the configuration of Visual-Guard where the repository for storing security data, such as user credentials, permissions, roles, and audit logs, is hosted in a Microsoft SQL Server database.
  • Advantages:
    • Scalability: SQL Server provides robust scalability options, making it suitable for handling large volumes of data and high numbers of concurrent users.
    • Performance: SQL Server is known for its high performance, especially in handling complex queries and large datasets, which is essential for efficient security management.
    • Reliability: SQL Server offers strong reliability and data integrity features, ensuring that the security data is consistently managed and maintained.
  • Security Management: In this mode, Visual-Guard leverages SQL Server’s capabilities to manage security-related data. This includes user authentication, role-based access control, permission assignments, and audit logging.
  • Integration: VGRepository in SQL Server mode seamlessly integrates with the Visual-Guard framework, providing a centralized and secure way to manage security across various applications.
  • Maintenance and Backup: Utilizing SQL Server for the repository also simplifies maintenance tasks like backups, restorations, and data migration, thanks to the comprehensive tools and features provided by SQL Server.
  • Customization and Extensibility: The SQL Server mode allows for customizations and extensions to the security model, such as defining custom roles, permissions, and security policies tailored to specific organizational needs.

This configuration is particularly beneficial for organizations using Visual-Guard in environments where SQL Server is already an integral part of the IT infrastructure, offering a unified approach to security management and data handling.

2.7.1 Database CleanUp

Introduction

As databases grow over time, especially those used for logging activities like in Visual-Guard, it becomes crucial to manage and maintain them efficiently. The vg_Log table, which stores log entries, can become quite large and may lead to increased storage demands and potential performance degradation. Regularly cleaning up old data from this table is an essential maintenance task.

The DatabaseCleanUp stored procedure is specifically designed for this purpose. It targets the vg_Log table in a SQL Server database and removes entries that are older than 12 months, based on the DBTimeStamp field. This periodic cleanup helps in managing the database size and ensures that it remains performant and efficient.

This procedure is particularly useful for administrators and database managers who need to keep their SQL Server databases lean and prevent them from becoming bloated with outdated log data. It strikes a balance between retaining necessary log information for a sufficient period and removing outdated data that is no longer useful.

Below is the SQL script for creating the DatabaseCleanUp stored procedure. It’s important to test this script in a controlled environment before deploying it to a production database. Regular backups and careful planning of the cleanup schedule are also recommended to ensure data safety and minimal disruption.


SQL Script

USE [YourDatabaseName]; -- Replace with your actual database name
GO

-- Backup the database before performing cleanup
BACKUP DATABASE [YourDatabaseName] 
TO DISK = 'D:\Backups\YourDatabaseName_Backup.bak' -- Specify your backup path
WITH FORMAT, 
MEDIANAME = 'SQLServerBackups', 
NAME = 'Full Backup of YourDatabaseName';

-- Check if the DatabaseCleanUp procedure already exists and drop it if it does
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[DatabaseCleanUp]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[DatabaseCleanUp]
GO

-- Create the DatabaseCleanUp stored procedure
CREATE PROCEDURE [dbo].[DatabaseCleanUp] -- Same schema-qualified name as the existence check above
AS
BEGIN
    SET NOCOUNT ON;

    -- Delete log entries older than 12 months
    DELETE FROM vg_Log
    WHERE DBTimeStamp < DATEADD(MONTH, -12, GETDATE());

    -- Optional: shrink the database to release the freed space to the operating system.
    -- Use with caution: shrinking does not reorganize indexes and can fragment them.
    DBCC SHRINKDATABASE(YourDatabaseName);
END
GO

Important Notes:

  1. Backup Location: Replace 'D:\Backups\YourDatabaseName_Backup.bak' with the actual path where you want the backup to be stored.
  2. Backup Frequency: This script performs a full backup. Depending on your database size and backup strategy, you might want to consider differential or transaction log backups.
  3. Scheduling: Automate this script to run at regular intervals, preferably during low-traffic periods, to minimize impact on database performance.
  4. Testing: Always test backup and cleanup scripts in a non-production environment before implementing them in your live system.
  5. Monitoring: Regularly monitor the backup process and verify backup files to ensure data integrity.
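
On a large vg_Log table a single DELETE holds locks and grows the transaction log for the whole run, and the 12-month window may not match your log retention policy. The following batched variant is an added example, not part of Visual Guard; the procedure name DatabaseCleanUpBatched and its parameters are hypothetical, and it assumes vg_Log lives in the dbo schema and SQL Server 2016 SP1 or later (for CREATE OR ALTER).

```sql
-- Added example, not Visual Guard's own script. Procedure name and parameters
-- are hypothetical; assumes dbo.vg_Log with the DBTimeStamp column used above.
USE [YourDatabaseName]; -- Replace with your actual database name
GO

CREATE OR ALTER PROCEDURE [dbo].[DatabaseCleanUpBatched]
    @RetentionMonths int = 12,    -- keep this in line with your log retention policy
    @BatchSize       int = 5000,  -- rows removed per DELETE statement
    @DryRun          bit = 1      -- 1 = report only, 0 = actually delete
AS
BEGIN
    SET NOCOUNT ON;

    -- Refuse values that would wipe recent audit data or loop without progress.
    IF @RetentionMonths < 1 OR @BatchSize < 1
    BEGIN
        RAISERROR(N'@RetentionMonths and @BatchSize must both be at least 1.', 16, 1);
        RETURN;
    END;

    DECLARE @Cutoff  datetime = DATEADD(MONTH, -@RetentionMonths, GETDATE());
    DECLARE @Deleted bigint   = 0;
    DECLARE @Rows    int      = 1;

    -- Dry run: show what would be removed so the result can be reviewed first.
    IF @DryRun = 1
    BEGIN
        SELECT  COUNT_BIG(*)     AS rows_that_would_be_deleted,
                MIN(DBTimeStamp) AS oldest_entry,
                @Cutoff          AS cutoff
        FROM    dbo.vg_Log
        WHERE   DBTimeStamp < @Cutoff;
        RETURN;
    END;

    -- Each DELETE is its own short transaction, so locks are released and the
    -- transaction log can be reused between batches.
    WHILE @Rows > 0
    BEGIN
        DELETE TOP (@BatchSize)
        FROM   dbo.vg_Log
        WHERE  DBTimeStamp < @Cutoff;

        SET @Rows    = @@ROWCOUNT;
        SET @Deleted = @Deleted + @Rows;
    END;

    -- Return the outcome so the scheduled job keeps a record of each purge.
    SELECT @Deleted AS rows_deleted, @Cutoff AS cutoff;
END
GO

-- Review first, then purge:
EXEC [dbo].[DatabaseCleanUpBatched] @DryRun = 1;
-- EXEC [dbo].[DatabaseCleanUpBatched] @RetentionMonths = 12, @DryRun = 0;
```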

2.8 License

A license key is a unique code provided by software vendors to legally authorize and activate a copy of a software product. It helps in preventing unauthorized use and ensures that the software is used in compliance with the licensing terms set by the vendor.

We have 2 types of Visual Guard licenses that we generate for the customer.

  • Product License: This is the primary license that activates the comprehensive features of Visual-Guard, including user management, advanced SQL features, auditing, reporting, dynamic permissions, deployment capabilities, and more. It also specifies the number of users, the duration of use, and the number of installations and distributions. Each VGRepository requires its own Visual-Guard License Key to access the full suite of features.
  • MFA License: This secondary license specifically enables the Multi-Factor Authentication (MFA) service within Visual-Guard. The terms of this license, including its duration and the extent of its use across multiple VGRepositories, are determined by the subscription details outlined in your contract. This allows for flexibility and scalability in implementing robust MFA security measures across different repositories within the organization. The MFA license is an annual or monthly subscription. It can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

Below are the quick links to the process of requesting a license.

2.9 MFA License

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone).

What is Visual Guard MFA? Visual Guard has integrated a security framework that enhances the application by adding a verification method beyond just passwords. The user is asked to provide an OTP or a link that is sent by SMS or email. The MFA license is an annual or monthly subscription. It can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

We have 2 types of MFA policies:

  • Global MFA Policy: A Global MFA Policy in Visual Guard is a centralized set of rules and settings that define how MFA is applied across all applications and users within an organization.
  • Application MFA Policy: An Application MFA Policy is a specific set of rules and settings that govern the implementation of MFA for a particular application.

3. Authentication

Securing Application Access with Visual-Guard: A Global Approach

In today’s IT security environment, where threats are constantly evolving, it is imperative to adopt a robust and flexible authentication strategy. Visual-Guard is positioned as a forward-looking security solution, offering a global approach to authentication that encompasses both traditional methods and multi-factor authentication (MFA) solutions. This page presents an overview of our global vision of authentication, paving the way for a more in-depth exploration of our authentication and MFA solutions.


Authentication with Visual-Guard

Visual-Guard offers a complete authentication platform, designed to integrate seamlessly with a variety of applications, whether web-based, desktop or mobile. Our aim is to provide uncompromising security while maintaining a seamless user experience. Key features include:

  • Standard and Advanced Authentication: Supports a wide range of authentication methods, from basic username and password authentication to more sophisticated methods such as Windows authentication and database authentication.
  • Easy integration: Designed for easy integration with various tools and platforms, making it easy to set up secure authentication without disrupting application development.
  • Centralized User Management: Enables centralized administration and management of authentication policies and access rights across the VGRepository.

Multi-Factor Authentication (MFA) with Visual-Guard

Recognizing the crucial importance of MFA in strengthening security, Visual-Guard extends its authentication capabilities to include robust multi-factor authentication. MFA adds an extra layer of security by requiring users to provide two or more verification factors before accessing an application, significantly reducing the risk of account compromise.


Why choose Visual-Guard for your authentication?

  • Enhanced security: With multi-factor authentication, Visual-Guard provides enhanced protection against unauthorized access and hacking attempts.
  • Flexibility and compatibility: Our solution adapts to your specific needs, offering extensive compatibility with various technologies and platforms.
  • Optimized User Experience: Visual-Guard maintains a balance between rigorous security and ease of use, ensuring that security measures do not impede the user experience.


Explore Further

We invite you to explore our dedicated pages for an in-depth understanding of Visual-Guard authentication and our multi-factor authentication solution. Discover how our platform can transform the security of your applications while delivering a seamless user experience.

3.1 Authentication

In today’s digital landscape, securing access to applications and data is more crucial than ever. Visual-Guard offers a complete authentication solution to protect your applications from unauthorized access, ensuring that only authenticated users can access critical resources. This documentation guides you through the basic principles of Visual-Guard authentication, its benefits, and how it can be integrated into your applications.


Principles of Visual-Guard authentication

Visual-Guard enables flexible, secure management of user identities through a variety of authentication methods. Whether you’re developing a web, desktop or mobile application, Visual-Guard integrates seamlessly to deliver a secure and transparent user experience.


Supported authentication methods

  • Visual-Guard authentication: Uses credentials such as username and password.
  • Windows authentication: Allows users to authenticate via their Windows credentials, integrating authentication within the Microsoft ecosystem.
  • Database authentication: Authenticates users by verifying credentials stored in a database.
  • External authentication: Integrates third-party identity providers such as OAuth, OpenID Connect, etc.

Benefits of Visual-Guard Authentication

  • Enhanced security: Protect your applications by ensuring that only authenticated users have access to sensitive resources.
  • Flexibility: Offers a variety of authentication methods to meet the specific needs of each application.
  • Easy integration: Couples easily with a wide range of technologies and application platforms.
  • Centralized management: Enables centralized management of users and authentication policies through the VGRepository.

Visual-Guard authentication integration

Integrating Visual-Guard into your applications is designed to be simple and straightforward, with specific guides for each type of application, whether developed with .NET, Angular, WinForms, WPF, or other frameworks. Visual-Guard provides APIs, libraries and management tools to facilitate this integration, enabling rapid and efficient implementation of authentication.


Conclusion

Visual-Guard authentication is the key to securing your applications and protecting sensitive data. By offering a flexible and robust platform for identity and access management, Visual-Guard ensures that your applications remain secure, while providing an optimal user experience. For more information on integrating Visual-Guard and implementing specific authentication methods, please consult our detailed integration guides.

3.2 Multi-Factor Authentication (MFA)

Visual-Guard’s Multi-Factor Authentication (MFA) represents an essential security solution for companies seeking to strengthen the protection of their applications and data in an increasingly threatened digital environment. This detailed presentation first explores the importance and benefits of implementing MFA, before diving into an understanding of Visual-Guard’s MFA policies, including global and application-specific policies.


Introduction to Multi-Factor Authentication

In today’s environment, where cyber-attacks are becoming more sophisticated, multi-factor authentication is an essential barrier against unauthorized access. By requiring multiple proofs of identity before granting access, MFA minimizes the risk of accounts being compromised, even if credentials are leaked.

Visual-Guard MFA enhances this approach by offering unprecedented flexibility and integration across a multitude of platforms and technologies, ensuring uniform, robust protection for all enterprise applications.


MFA Policy: Global Vision

The VGMFAGlobal Policy is the foundation of Visual-Guard’s MFA strategy, establishing the authentication methods available within a VGRepository. This policy includes options such as sending secure links and OTPs by email or SMS, enabling administrators to configure an authentication method tailored to the sensitivity and specific requirements of each application.


Key features of VGMFAGlobal Policy include:

  • Authentication Method Flexibility: Choice between secure links and OTP via email or SMS, offering adaptability to user preferences and security constraints.
  • Session Scope Information: Defines whether Grace Login applies globally or by application, enabling fine-grained access management.
  • Session Duration: Allows you to specify a period during which MFA re-authentication is not required, enhancing the user experience without compromising security.

MFAApplicationPolicy enables application-level customization of globally established MFA policies, offering flexibility to meet the unique security needs of each application. Administrators can:

  • Select Specific MFA Types: Prioritize an authentication type, such as SMS authentication, suited to the application.
  • Customize Grace Login: Define or disable Grace Login to adjust the balance between security and ease of access.
  • Adjust MFA Session Duration: Modify the period after which a new MFA authentication is required, offering customized security.
  • Manage Access without MFA for Unregistered Users: Allow limited access to users not registered with MFA, easing the transition to enhanced security policies.
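
The interaction between the two policy levels can be modelled in a few lines. The following is an added example, not Visual Guard code: the class names, method labels such as `sms_otp`, and the reading of Grace Login as a window after a successful MFA during which no new challenge is required are assumptions made for illustration.

```python
# Added example: a hypothetical model of MFA policy resolution.
# Class, field and method names are assumptions, not the Visual Guard API.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class GlobalPolicy:
    methods: Tuple[str, ...]        # methods enabled for the whole repository
    grace_scope: str                # "global" or "application"
    session_minutes: int            # window in which no new MFA is required
    grace_login: bool = True


@dataclass(frozen=True)
class AppPolicy:
    methods: Optional[Tuple[str, ...]] = None   # None means "inherit"
    grace_login: Optional[bool] = None
    session_minutes: Optional[int] = None
    allow_unenrolled: bool = False              # limited access without MFA


def effective_policy(g, a):
    """Merge an application policy over the global one."""
    methods = g.methods if a.methods is None else tuple(
        m for m in a.methods if m in g.methods)
    if not methods:
        # Fail closed: an application cannot enable a method the
        # repository-wide policy does not offer.
        raise ValueError("application policy selects no globally enabled method")
    return {
        "methods": methods,
        "grace_login": g.grace_login if a.grace_login is None else a.grace_login,
        "session_minutes": (g.session_minutes if a.session_minutes is None
                            else a.session_minutes),
    }


def decide(g, a, app, enrolled, last_mfa, now):
    """Return 'challenge:<method>', 'skip', 'limited-access' or 'deny'.

    enrolled: methods the user has registered for.
    last_mfa: {application name: datetime of last successful MFA}.
    """
    eff = effective_policy(g, a)
    usable = [m for m in eff["methods"] if m in enrolled]
    if not usable:
        return "limited-access" if a.allow_unenrolled else "deny"
    if eff["grace_login"]:
        # Scope decides whether MFA passed in another application counts here.
        stamps = (list(last_mfa.values()) if g.grace_scope == "global"
                  else [last_mfa.get(app)])
        window = timedelta(minutes=eff["session_minutes"])
        if any(t is not None and timedelta(0) <= now - t < window
               for t in stamps):
            return "skip"
    return "challenge:" + usable[0]


def weakenings(g, a):
    """List the ways an application policy is looser than the global one."""
    found = []
    if a.session_minutes is not None and a.session_minutes > g.session_minutes:
        found.append("longer MFA session")
    if a.grace_login and not g.grace_login:
        found.append("grace login re-enabled")
    if a.allow_unenrolled:
        found.append("unenrolled users admitted")
    return found


# Constructed sample policies and state.
GLOBAL = GlobalPolicy(("email_otp", "sms_otp", "email_link"), "application", 60)
PAYROLL = AppPolicy(methods=("sms_otp",), session_minutes=15)
WIKI = AppPolicy(session_minutes=480, allow_unenrolled=True)
NOW = datetime(2024, 1, 1, 12, 0)
LAST = {"wiki": NOW - timedelta(minutes=10)}

if __name__ == "__main__":
    print(decide(GLOBAL, PAYROLL, "payroll", {"sms_otp"}, LAST, NOW))
    print(decide(replace(GLOBAL, grace_scope="global"), PAYROLL, "payroll",
                 {"sms_otp"}, LAST, NOW))
    print(weakenings(GLOBAL, WIKI))
```

Running `weakenings` over every application policy gives a quick review list of the applications whose overrides relax the repository-wide settings.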

Conclusion

Visual-Guard’s multi-factor authentication offers a complete, customizable security solution, capable of adapting to the specific requirements of each company and application. Thanks to the VGMFAGlobal Policy and the MFAApplicationPolicy, Visual-Guard enables detailed and flexible management of MFA authentication, ensuring optimum protection against unauthorized access while maintaining a fluid and secure user experience. By integrating Visual-Guard MFA, companies can confidently navigate today’s complex digital landscape, protecting their data and applications from growing threats.

3.2.1 Configure MFA with Active Directory

Below are the steps to configure Active Directory with MFA (Multi-Factor Authentication):

Step 1: Go to Settings –> Domains and click Edit. Change the setting of Email Address and Mobile to “Both” so that the user can enroll with any of the verification methods.


Step 2: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the domain.


Step 3: Go to Modules –> VGWindows –> Configure and change the synchronization between Visual Guard and Active Directory to “Both”.


Step 4: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the module.


4. Authorization

Overview of Authorization Loading after Authentication with Visual-Guard

Authorization management is a crucial aspect of security and personalization of the user experience in applications. Visual-Guard offers a sophisticated solution for loading authorizations after authentication, enabling fine-grained access management based on user roles. This presentation explores how Visual-Guard manages authorizations, from assigning roles to loading specific permissions.


Assigning and managing roles

In Visual-Guard, a user can be assigned one or more roles, depending on the application’s configuration. These roles can be determined in several ways:

  • Roles Assigned Directly to the User: Specific roles can be assigned directly to a user, reflecting their responsibilities and access rights within the application.
  • Roles via VGGroups: Users can also inherit roles through their membership of one or more VGGroups. These groups, designed to group users by department, function or other organizational criteria, can have their own roles assigned to them.

Role selection by the user

During authentication, Visual-Guard can offer the user the option of selecting a preferred group, an optional step that further customizes the user experience. Following this selection, the user is presented with a list of available roles, both from the chosen group and from roles directly assigned to him/her. Depending on the application’s configuration, the user can then choose one or more roles for their session.

Loading authorizations

Once the user’s roles have been determined, Visual-Guard loads the authorizations associated with these roles. This process involves:

  • Loading role permissions: Visual-Guard retrieves all the permissions associated with the roles selected by the user. These permissions define the actions the user can perform within the application, ensuring that access is strictly limited to authorized functionalities.
  • Fine-grained access management: By assigning specific permissions to each role, Visual-Guard enables granular management of access rights, offering optimum flexibility and security.

Benefits of Authorization Management with Visual-Guard

  • Enhanced security: By limiting access to application functionalities to authorized users only, Visual-Guard reinforces overall application security.
  • User Experience Customization: The ability for users to choose their roles (and, by extension, their authorizations) enables user experience customization, aligning the interface and available functionalities with each user’s needs and preferences.
  • Centralized management of roles and authorizations: Visual-Guard facilitates the management of roles and authorizations through a centralized interface, simplifying security administration and compliance with access policies.

Conclusion

Visual-Guard’s post-authentication authorization management system offers a powerful and flexible solution for controlling application access. By dynamically assigning roles and precisely loading the associated permissions, Visual-Guard ensures that each user accesses only the functionality they are allowed, while delivering a secure, personalized user experience.

5. Monitoring

All user actions are logged in the Visual-Guard system.

Overview

Visual Guard offers a comprehensive monitoring solution that allows you to supervise and monitor the security aspects of your applications. This monitoring functionality provides real-time insights, customizable dashboards, and reporting capabilities to help you effectively monitor the security activities within Visual Guard.

Choosing the Scope of Supervision

The monitoring feature allows you to select the scope of your supervision based on your specific needs:

  • All Applications: To supervise all applications secured by Visual Guard within your environment, open the VGRepository and navigate to the “Monitoring” section. This provides a comprehensive overview of the security activities across your entire system.
  • Specific Application: To supervise a specific application or subset of applications, open the section of that particular application in the VGRepository. Then, navigate to the “Monitoring” section within that application. This allows you to monitor the security activities of the selected application in detail.

Selecting Specific Events

Within the Monitoring feature, you have the ability to select specific events for supervision. This allows you to focus on monitoring and analyzing the events that are most relevant to your security objectives. By selecting specific events, you can streamline your supervision efforts and gain targeted insights into potential security issues.

Time-Based Monitoring

The monitoring functionality offers time-based monitoring capabilities to help you track security activities over specific time periods. You can choose to monitor events over the course of a day, week, month, or any custom time range. This allows you to identify patterns and trends in security events during the specified timeframe.

Event History

One of the key features of the Monitoring functionality is the ability to access and review the event history. The event history provides a log of past security events and activities recorded within Visual Guard. You can retrieve and analyze this history to gain insights into past security incidents, user activities, and system behavior.

The event history allows you to search and filter events based on various criteria such as event type, date range, users, and more. This enables you to perform detailed analysis, generate reports, and identify trends or anomalies in the security events over time.

Key Features of Monitoring

The Monitoring feature offers a range of features to enhance your supervision capabilities:

  • Real-Time Monitoring: The monitoring functionality provides real-time monitoring of security events and activities within Visual Guard. You can view events as they occur and gain immediate visibility into potential security issues.
  • Customizable Dashboards: You can create customized dashboards within the Monitoring feature to display the security metrics and information that are most relevant to your specific needs. These dashboards can include charts, graphs, and other visualizations for easy interpretation.
  • Reporting and Analysis: The Monitoring feature enables you to generate reports and perform analysis on the security data collected by Visual Guard. This helps you identify trends, patterns, and potential vulnerabilities in your applications.
  • Alerts and Notifications: You can set up alerts and notifications for specific security events or conditions within the Monitoring feature. This helps you proactively identify and respond to potential security incidents.

Utilizing Monitoring

To start utilizing the Monitoring feature for supervision, follow these steps:

  • For supervising all applications:
    1. Access the Visual Guard WinConsole or WebConsole.
    2. Open the VGRepository and navigate to the “Monitoring” section.
    3. Select the desired scope of supervision (all applications).
    4. Configure the monitoring settings, including the selection of specific events, time range, metrics to track, thresholds for alerts, and dashboard customization.
    5. Monitor the real-time security events and activities through the Monitoring interface.
  • For supervising a specific application:
    1. Access the Visual Guard WinConsole or WebConsole.
    2. Open the section of the specific application in the VGRepository.
    3. Navigate to the “Monitoring” section within that application.
    4. Configure the monitoring settings, including the selection of specific events, time range, metrics to track, thresholds for alerts, and dashboard customization.
    5. Monitor the real-time security events and activities through the Monitoring interface.

Considerations and Best Practices

When utilizing the Monitoring feature for supervision, keep the following considerations and best practices in mind:

  • Scope Definition: Clearly define the scope of your supervision based on your specific requirements and security objectives.
  • Relevant Metrics and Events: Focus on monitoring and tracking the security metrics and events that are most relevant to your applications and align with your security goals.
  • Time-Based Analysis: Utilize the time-based monitoring capabilities to identify patterns and trends in security events over specific time periods.
  • Event History Analysis: Review the event history to gain insights into past security incidents, user activities, and system behavior.
  • Thresholds and Alerts: Set appropriate thresholds and alerts to ensure timely notification of potential security issues.
  • Regular Review: Regularly review the monitoring data, event history, and reports to identify trends, patterns, and areas for improvement in your application security.


6. Groups

Group Hierarchy and Role Inheritance

Overview

Visual Guard allows you to create group hierarchies, which provide a structured way to organize and manage groups. Group hierarchies enable you to establish parent-child relationships between groups, allowing for more flexible and granular control over permissions and user management. In addition to group hierarchy, Visual Guard also supports role inheritance, where child groups can inherit roles from their parent group.

Creating Group Hierarchies

To create a group hierarchy in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the Groups section.
  3. Create the parent group by clicking on the “Create Group” button.
  4. Provide a name and description for the parent group.
  5. Optionally, assign users and roles to the parent group.
  6. Save the parent group configuration.
  7. Create child groups within the parent group by following the same steps.
  8. Assign users and roles to the child groups as needed.
  9. Save the child group configurations.

Role Inheritance in Group Hierarchy

When configuring the role-to-group relationship, Visual Guard allows you to enable role propagation for child groups. This means that child groups can inherit roles from their parent group, simplifying role assignment and ensuring consistent access rights across the group hierarchy.

To enable role inheritance for child groups in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the Groups section.
  3. Select the parent group that has the desired roles assigned.
  4. Enable the role propagation option for the relationship between the parent group and child groups.
  5. Save the changes to apply the role inheritance to the child groups.

Utilizing Group Hierarchies and Role Inheritance in Security Configuration

Once group hierarchies are created and configured in Visual Guard, and role inheritance is enabled, you can leverage them in the security configuration of your applications. Permissions assigned to roles in the parent group will be automatically propagated to the child groups that inherit those roles. This ensures a consistent security policy and access rights across the entire hierarchy.

By utilizing group hierarchies and role inheritance, you can streamline the security configuration process, maintain a structured approach to user management, and ensure consistent role assignments within the group hierarchy.


Benefits of using group hierarchies and role inheritance

  1. Simplified Role Assignment: Group hierarchies and role inheritance allow for a more streamlined and efficient process of assigning roles to users. Instead of manually assigning roles to each user individually, you can assign roles at the group level and have them automatically propagated to child groups and their members. This reduces administrative effort and ensures consistent role assignments.
  2. Consistent Access Rights: With role inheritance, you can ensure consistent access rights across the group hierarchy. When a role is assigned to a parent group, all child groups and their members inherit the same role. This helps maintain a consistent security policy and eliminates inconsistencies or discrepancies in access rights.
  3. Flexibility and Scalability: Group hierarchies provide a flexible and scalable approach to user management. As your application grows and security requirements evolve, you can easily add new child groups to the hierarchy and configure role inheritance for them. This allows for a hierarchical structure that can accommodate complex user management scenarios.
  4. Efficient Updates: When a role needs to be updated or modified, you can make the changes at the parent group level, and the updates will automatically propagate to all child groups and their members. This ensures that any modifications to roles are applied consistently throughout the hierarchy, saving time and effort in managing individual role assignments.
  5. Granular Control over Permissions: Group hierarchies allow for granular control over permissions. You can assign specific roles to parent groups and fine-tune the permissions assigned to child groups. This enables you to provide different levels of access and control to different segments of users within the hierarchy based on their roles and responsibilities.
  6. Simplified Auditing and Reporting: Group hierarchies and role inheritance simplify auditing and reporting processes. With role assignments centralized at the group level, it becomes easier to track and report on access rights and permissions within the hierarchy. This can help in compliance efforts, security audits, and generating comprehensive reports on user access and permissions.

By utilizing group hierarchies and role inheritance in Visual Guard, you can streamline user management, ensure consistent access rights, and maintain a scalable and efficient security configuration for your applications.

Please note that this documentation provides an overview of the benefits of group hierarchies and role inheritance in Visual Guard. The exact implementation and features may vary depending on your specific configuration and requirements.


7. Users

Introduction

Users play a vital role in the security management of applications with Visual Guard. This documentation provides information on creating, managing, and utilizing users in Visual Guard.

Creating Users

To create a user in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the “Users” section.
  3. Click on the “Create User” button.
  4. Provide the required information for the user, such as name, email address, and password.
  5. Assign appropriate roles to the user based on their responsibilities and access rights.
  6. Save the user configuration.

Managing Users

Visual Guard facilitates the management of users registered in the VGRepository. Here are some common operations you can perform on users:

  • Modifying User Information: You can update user information, such as name, email address, or password, by accessing the user profile in the Visual Guard Administration Console.
  • Disabling a User: If a user no longer needs access to the Visual Guard-secured application, you can disable them to revoke their access rights. This can be done by modifying the user’s status in the Visual Guard Administration Console.
  • Locking a User: In certain situations, you may want to lock a user for security reasons. Locking a user prevents their access to the secured application until the lock is lifted.
  • Deleting a User: If a user no longer needs to be registered in the VGRepository, you can remove them from the database. This can be done by accessing the user profile in the Visual Guard Administration Console and selecting the delete option.

Assigning Roles and Groups

When registering a user in Visual Guard, you can assign them appropriate roles and groups. Roles define the user’s access rights, while groups provide a way to organize users and simplify permission assignment. By assigning the user to relevant groups and roles, you ensure that they have the necessary permissions to perform their tasks.

Audit and User Supervision

Visual Guard offers advanced audit and supervision features to track and supervise user actions. You can audit every action performed by a user, recording a detailed history of activities in the secured application. Additionally, you can monitor user actions in real-time to detect suspicious or unauthorized behavior.


Please note that this documentation provides an overview of managing users in Visual Guard. The exact steps and features may vary depending on your specific configuration and requirements. For more detailed information and specific instructions, please refer to the official Visual Guard documentation available at docs.visual-guard.com or contact the Visual Guard support team.


Users operations

7.1 User Types

Introduction

Visual Guard supports various user types to cater to different authentication needs. This documentation provides an overview of the different user types available in Visual Guard.

VGUser

VGUser is the standard user type in Visual Guard. They can be assigned specific roles and permissions to control their access to secured applications.

Windows User

Visual Guard integrates with Windows user accounts for authentication. This allows the application to utilize existing Windows accounts for user management.

Windows By Credential User

Windows By Credential User is a method that allows Visual Guard to authenticate users using specific Windows credentials. This can be useful when you need to verify users based on their Windows account credentials.

Database User

Visual Guard can authenticate users from a database where user information is stored. This is useful when user management is handled through a separate database system.

Okta User

Okta is a popular Identity and Access Management (IAM) service. Visual Guard supports authentication for users who use Okta as their identity provider.

MFA (Multi Factor Authentication) User

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone).

Using User Types

By leveraging these user types in Visual Guard, you can tailor the authentication process to meet your specific requirements. Whether you need to authenticate users through Windows accounts, database systems, or Okta, Visual Guard provides the necessary flexibility to accommodate different user authentication scenarios.

Conclusion

This documentation provides an overview of the user types available in Visual Guard. By leveraging these user types, you can enhance the authentication process and ensure secure access to your applications. For more detailed information on user types and their configuration, please refer to the official Visual Guard documentation available at docs.visual-guard.com or contact the Visual Guard support team.

8. Roles

Introduction

Roles play a crucial role in the security management of applications with Visual Guard. This documentation provides information on creating, managing, and utilizing roles in Visual Guard.

Creating Roles

To create a role in Visual Guard, follow these steps within the context of an application:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Select an Application.
  3. Within the application context, navigate to the “Roles” section.
  4. Click on the “Create Role” button.
  5. Provide a name and description for the role.
  6. Define the permissions associated with the role by either:
    • Adding individual permissions: Select and add specific permissions that define the access rights for the role.
    • Adding permission sets: Select and add pre-defined permission sets that contain collections of permissions and permission sets.

Managing Roles

Visual Guard simplifies the management of roles registered in the VGRepository within the context of an application. Here are some common operations you can perform on roles:

  • Modifying Role Information: You can update the name, description, and permissions of a role by accessing the role profile in the Visual Guard Administration Console within the application context.
  • Assigning Users to Roles: Assign users to roles within the application context to grant them the associated access rights and permissions. This can be done by accessing the user profile in the Visual Guard Administration Console within the application context and selecting the appropriate role for the user.
  • Assigning Roles to Groups: Assign roles to groups within the application context to grant the associated access rights and permissions to all users within the group. This can be done by accessing the group profile in the Visual Guard Administration Console within the application context and selecting the appropriate role for the group.
  • Revoking Role Assignments: If a user or group no longer requires the access rights and permissions associated with a role within the application context, you can remove the role assignment from their profile.
  • Deleting Roles: If a role within the application context is no longer needed, you can delete it from the VGRepository. This action removes the role and any associated permissions from the system within the application context.

Role Properties

Roles in Visual Guard have two important properties:

  • Name: The name of the role, which helps identify it within the system.
  • Description: An optional description that provides additional information about the role.
  • Permissions: The permissions associated with the role, which define the access rights and actions that users assigned to this role can perform.
  • PermissionSets: The list of permission sets granted to the role.
  • Assignable to Users: This property indicates whether the role can be assigned to individual users. When set to true, the role can be assigned to users, granting them the associated access rights and permissions.
  • Assignable to Groups: This property indicates whether the role can be assigned to groups. When set to true, the role can be assigned to groups, granting all users within the group the associated access rights and permissions.

By configuring these properties for each role, you can have fine-grained control over the assignment of roles to users and groups.

Utilizing Roles

Once roles are created and assigned to users or groups within the application context, you can utilize them in the security configuration of your application. Roles define the access rights and permissions that users have within the secured application. By assigning users or groups to specific roles within the application context, you ensure that they have the appropriate permissions to perform their tasks.
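
When reviewing who can do what, it helps to compute a user's effective permissions from direct roles, group roles, roles propagated from parent groups and nested permission sets, as described in the Authorization, Groups and Roles sections. The following is an added example, not Visual Guard code: all class and field names are hypothetical, and propagation through every ancestor group is an assumption.

```python
# Added example: a hypothetical model of role and permission resolution.
# Class and field names are assumptions, not the Visual Guard API.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PermissionSet:
    name: str
    permissions: Set[str] = field(default_factory=set)
    children: List["PermissionSet"] = field(default_factory=list)  # nested sets


@dataclass
class Role:
    name: str
    permissions: Set[str] = field(default_factory=set)
    permission_sets: List[PermissionSet] = field(default_factory=list)


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    roles: Dict[str, bool] = field(default_factory=dict)  # role -> propagate?


@dataclass
class User:
    name: str
    direct_roles: Set[str] = field(default_factory=set)
    groups: List[Group] = field(default_factory=list)


def flatten(pset, seen=None):
    """Permissions of a set and its nested sets; each set is visited once."""
    seen = set() if seen is None else seen
    if pset.name in seen:          # guards against a set that contains itself
        return set()
    seen.add(pset.name)
    perms = set(pset.permissions)
    for child in pset.children:
        perms |= flatten(child, seen)
    return perms


def group_roles(group):
    """{role: source group}: own roles plus propagated ancestor roles."""
    found = {role: group.name for role in group.roles}
    node, visited = group.parent, {group.name}
    while node is not None and node.name not in visited:
        visited.add(node.name)
        for role, propagate in node.roles.items():
            if propagate:          # only roles flagged for propagation descend
                found.setdefault(role, node.name)
        node = node.parent
    return found


def effective_access(user, roles, selected_group=None):
    """{permission: ['Role (origin)', ...]} for one session."""
    origin = {r: "direct" for r in user.direct_roles}
    groups = user.groups if selected_group is None else [selected_group]
    for g in groups:
        for role, source in group_roles(g).items():
            origin.setdefault(role, "group " + source)
    access = {}
    for role_name, src in origin.items():
        role = roles[role_name]
        perms = set(role.permissions)
        for pset in role.permission_sets:
            perms |= flatten(pset)
        for p in perms:
            access.setdefault(p, []).append(f"{role_name} ({src})")
    return {p: sorted(v) for p, v in sorted(access.items())}


# Constructed sample repository.
READ = PermissionSet("Invoices.Read", {"invoice.view"})
MANAGE = PermissionSet("Invoices.Manage", {"invoice.edit"}, [READ])
ROLES = {
    "Accountant": Role("Accountant", permission_sets=[MANAGE]),
    "Auditor": Role("Auditor", {"audit.view"}, [READ]),
    "Admin": Role("Admin", {"user.manage"}),
}
FINANCE = Group("Finance", roles={"Auditor": True, "Admin": False})
PARIS = Group("Finance/Paris", parent=FINANCE, roles={"Accountant": False})
ALICE = User("alice", groups=[PARIS])
BOB = User("bob", direct_roles={"Admin"}, groups=[FINANCE])

if __name__ == "__main__":
    for perm, via in effective_access(ALICE, ROLES).items():
        print(perm, "<-", ", ".join(via))
```

The origin recorded for each permission shows which group or direct assignment to change when an access right has to be revoked.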

9. Application

In Visual Guard, an “Application” refers to a software system that has been integrated with Visual Guard for security management purposes. This integration allows the application to utilize Visual Guard’s robust features for authentication, authorization, user management, and access control. Essentially, an application in Visual Guard is a client that leverages the framework to secure access to its resources, manage user roles and permissions, and enforce security policies, ensuring that only authorized users can access sensitive functionalities and data.


10. Permissions

Understanding Permissions in Visual Guard for Effective Access Control

Introduction

Access control is a crucial aspect of application security, ensuring that users have the appropriate permissions to perform their designated tasks while safeguarding sensitive data. Visual Guard, a comprehensive security framework, provides robust permission management capabilities. In this article, we will explore the concept of permissions in Visual Guard, their role in access control, and how they can be effectively managed to enhance application security.


What are Permissions?

Permissions in Visual Guard refer to the privileges granted to users or user groups to perform specific actions within an application. These actions can range from viewing, creating, modifying, or deleting data to executing certain functionalities or accessing specific features. By assigning permissions, administrators can control the level of access granted to different users, ensuring that they can perform their intended tasks while maintaining data integrity and security.


Permission Hierarchy

Visual Guard implements a hierarchical structure for permissions, providing granular control over user access. The hierarchy typically consists of the following elements:

  1. Applications: At the top level of the hierarchy, permissions can be assigned to entire applications. This allows administrators to grant or restrict access to specific applications based on user roles or groups.
  2. Permissions folder: Within an application, permissions can be further defined at the folder level. Permission folders represent distinct functional components or sections of an application. By assigning folder-level permissions, administrators can control access to specific features or functionalities within the application.
  3. Operations: At the lowest level, permissions are assigned to operations, which represent specific actions that users can perform within a module. These actions can include read, write, create, delete, or execute operations. By granting or revoking permission for specific operations, administrators can fine-tune user access based on their requirements.

Managing Permissions in Visual Guard

Visual Guard provides a user-friendly interface for managing permissions, making it easy for administrators to define and control access rights. Here are the key steps involved in managing permissions:

  1. Define Roles: Before assigning permissions, it is recommended to define user roles based on job responsibilities or access requirements. Roles help streamline permission management by grouping users with similar access needs together.
  2. Assign Permissions: Once roles are defined, permissions can be assigned to each role at the application, module, or operation level. Visual Guard offers a visual interface to facilitate the assignment process, allowing administrators to easily select and configure permissions for each role.
  3. Role Mapping: After assigning permissions to roles, the next step is to map individual users or user groups to these roles. This mapping ensures that users inherit the permissions associated with their assigned roles.
  4. Fine-tuning Permissions: In some cases, specific users may require exceptions or additional permissions beyond their assigned roles. Visual Guard allows administrators to override role-based permissions for individual users, granting or restricting access as needed.
  5. Regular Review and Updates: It is crucial to regularly review and update permissions as application requirements evolve or user roles change. By periodically auditing and adjusting permissions, administrators can ensure that access control remains aligned with the organization’s security policies and compliance regulations.

Best Practices for Effective Permission Management

To optimize access control and enhance application security using Visual Guard, consider the following best practices:

  1. Principle of Least Privilege: Follow the principle of least privilege, granting users only the permissions necessary to perform their tasks. Avoid assigning excessive or unnecessary permissions, as this can increase the risk of unauthorized access or data breaches.
  2. Regular Audits: Conduct regular audits of permissions to identify and rectify any inconsistencies or vulnerabilities. Remove any outdated or unnecessary permissions to minimize the attack surface and maintain a secure environment.
  3. Role-Based Access: Leverage role-based access control (RBAC) to streamline permission management. By assigning permissions at the role level and mapping users to roles, you can ensure consistent access control across the application.
  4. Segregation of Duties: Implement segregation of duties (SoD) by assigning permissions in a way that prevents conflicts of interest or unauthorized access. Restrict sensitive operations by separating them among different roles or requiring multiple approvals.
  5. Collaboration with Stakeholders: Work closely with application owners, system administrators, and business stakeholders to define and validate permission requirements. Collaboration ensures that permissions are aligned with business needs and comply with regulatory guidelines.

Conclusion

Effective permission management is vital for maintaining application security and data integrity. Visual Guard offers a robust framework for managing permissions, enabling administrators to control user access at various levels within an application. By following best practices and regularly reviewing and adjusting permissions, organizations can enhance access control, reduce the risk of unauthorized activities, and maintain a secure application environment.

11. PermissionSets

Understanding Permission Sets in Visual Guard for Efficient Access Control

Introduction

Access control plays a crucial role in ensuring the security and integrity of applications and data. Visual Guard, a comprehensive security framework, provides powerful permission management capabilities through the use of permission sets. In this article, we will explore the concept of permission sets in Visual Guard, their significance in access control, and how they can be effectively utilized to streamline security administration.

What are Permission Sets?

Permission sets in Visual Guard are predefined collections of permissions that represent a specific level of access within an application. They provide a convenient way to group related permissions together, simplifying the task of assigning access rights to users or roles. By assigning permission sets, administrators can quickly grant or revoke a set of permissions to multiple users, ensuring consistent access control across the application.


Role of Permission Sets in Access Control

Permission sets serve as building blocks for access control in Visual Guard. They offer the following advantages:

  1. Simplified Permission Assignment: Permission sets enable administrators to assign multiple permissions at once, reducing the time and effort required for individual permission assignment. By associating users or roles with relevant permission sets, administrators can efficiently manage access rights.
  2. Granular Control: Visual Guard provides a range of preconfigured permission sets that cover common access requirements. These sets can be further customized or combined to create more granular permission sets that align with specific business needs. This flexibility allows for precise control over user access at different levels of an application.
  3. Ease of Maintenance: Permission sets streamline the administration of access control by providing a centralized and organized approach. When there are changes in access requirements or security policies, modifying a permission set automatically updates the permissions associated with all users or roles assigned to that set. This simplifies maintenance and ensures consistency in access control across the application.

Utilizing Permission Sets in Visual Guard

To effectively utilize permission sets in Visual Guard, consider the following steps:

  1. Identify Access Requirements: Understand the access requirements of different user roles or groups within the application. Determine the specific actions or functionalities they need to perform.
  2. Define Custom Permission Sets: Visual Guard offers a range of predefined permission sets to cover common access scenarios. Evaluate these sets and create custom permission sets by combining or modifying existing ones to match your application’s unique access requirements.
  3. Assign Permission Sets: Associate the appropriate permission sets with user roles or groups. This can be done through the Visual Guard Console, which provides a user-friendly interface for permission management. Assigning permission sets to roles ensures that users assigned to those roles inherit the corresponding access rights.
  4. Regular Review and Updates: Regularly review and update permission sets to align with changing business needs, application requirements, and security policies. Add or remove permissions from sets as necessary, ensuring that access control remains up to date and consistent with evolving circumstances.

Best Practices for Permission Set Management

To optimize access control and streamline security administration using permission sets in Visual Guard, consider the following best practices:

  1. Role-Based Access Control (RBAC): Leverage RBAC principles when assigning permission sets. Assign sets based on job responsibilities or functional roles within the application to ensure appropriate access levels for each user.
  2. Minimize Permission Set Proliferation: Keep the number of permission sets manageable by avoiding unnecessary duplication. Review and consolidate sets regularly to maintain a streamlined and efficient permission management process.
  3. Principle of Least Privilege: Apply the principle of least privilege when defining permission sets. Grant only the necessary permissions required for users to perform their designated tasks, limiting potential security vulnerabilities.
  4. Regular Audits: Conduct periodic audits of permission sets to identify any discrepancies, inconsistencies, or potential security risks. Remove any unused or obsolete permission sets to maintain an organized and secure access control structure.
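
The assignment chain described in the Permissions and PermissionSets sections (permission sets granted to roles, roles granted to users directly or through groups, per-user exceptions) can be audited offline. The following is an added example, not Visual Guard code: a toy Python model in which every application, set, role, group and user name is constructed, and which assumes that a per-user restriction takes precedence over any grant.

```python
# Added example: toy model of the assignment chain, for audit purposes only.
# All names are constructed; this is not Visual Guard's API or repository schema.

# Permission paths follow the hierarchy: application/permission folder/operation.
PERMISSION_SETS = {
    "InvoiceEntry":    {"Billing/Invoices/Create", "Billing/Invoices/Read"},
    "InvoiceApproval": {"Billing/Invoices/Read", "Billing/Invoices/Approve"},
    "Reporting":       {"Billing/Reports/Read"},
    "LegacyExport":    {"Billing/Export/Execute"},  # granted to no role
}
ROLE_SETS = {"Clerk": ["InvoiceEntry"], "Approver": ["InvoiceApproval", "Reporting"]}
GROUP_ROLES = {"Accounting": ["Clerk"]}


def user(groups=(), roles=(), grants=(), denies=()):
    """Build one user record: group membership, direct roles, per-user overrides."""
    return {"groups": list(groups), "roles": list(roles),
            "grants": set(grants), "denies": set(denies)}


USERS = {
    "alice": user(groups=["Accounting"]),
    "bob":   user(groups=["Accounting"], roles=["Approver"]),
    "carol": user(roles=["Approver"], denies=["Billing/Reports/Read"]),
    "dave":  user(groups=["Accounting"], grants=["Billing/Invoices/Approve"]),
}

# Pairs of operations that one person should not hold together (SoD).
SOD_RULES = [("Billing/Invoices/Create", "Billing/Invoices/Approve")]


def roles_of(name):
    """Roles granted directly plus roles inherited through groups."""
    record = USERS[name]
    inherited = [r for g in record["groups"] for r in GROUP_ROLES.get(g, [])]
    return sorted(set(record["roles"]) | set(inherited))


def effective_permissions(name):
    """Union of all permission sets reachable through the user's roles,
    adjusted by per-user overrides."""
    record = USERS[name]
    perms = set()
    for role in roles_of(name):
        for set_name in ROLE_SETS.get(role, []):
            perms |= PERMISSION_SETS[set_name]
    # Assumption: a per-user restriction wins over any role or per-user grant.
    return (perms | record["grants"]) - record["denies"]


def sod_violations():
    """Users whose effective permissions contain both halves of an SoD rule."""
    found = {}
    for name in USERS:
        perms = effective_permissions(name)
        hits = [pair for pair in SOD_RULES if set(pair) <= perms]
        if hits:
            found[name] = hits
    return found


def unused_permission_sets():
    """Permission sets that no role references: candidates for removal."""
    used = {s for sets in ROLE_SETS.values() for s in sets}
    return sorted(set(PERMISSION_SETS) - used)


def users_with_overrides():
    """Users carrying per-user exceptions, which a periodic review should revisit."""
    return sorted(n for n, u in USERS.items() if u["grants"] or u["denies"])


if __name__ == "__main__":
    for name in USERS:
        print(name, roles_of(name), sorted(effective_permissions(name)))
    print("SoD violations:", sod_violations())
    print("Unused permission sets:", unused_permission_sets())
    print("Per-user overrides to review:", users_with_overrides())
```

Note that dave violates the SoD rule only because of a per-user grant, which a review of roles alone would miss.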

Conclusion

Permission sets in Visual Guard provide a powerful mechanism for managing access control within applications. By grouping related permissions together, administrators can efficiently assign and maintain access rights for users or roles. By following best practices and regularly reviewing and updating permission sets, organizations can ensure streamlined security administration and maintain a secure application environment. Leveraging the flexibility and capabilities of permission sets in Visual Guard enhances access control and contributes to overall application security.

12. Permission Matrix

The Permission Matrix feature of Visual Guard is an essential tool for managing permissions and roles in applications. It provides a detailed and organized view of the permissions assigned to each user and role within the system. What makes it even more powerful is its ability to generate an Excel document that presents this information in a clear and structured manner.

In the generated Excel document, users are listed in the rows and roles and permissions are presented in the columns. This allows administrators to quickly and easily see which permissions are assigned to which users. In addition, they can see which roles are assigned to each user, which facilitates the management of roles and permissions.

The Permission Matrix feature also offers several options for customizing the display and management of permissions and roles:

  1. “Show Permissions”: This option allows all permissions in the matrix to be displayed.
  2. “Show Roles”: This option allows all roles in the matrix to be displayed.
  3. “Show Global Sheet”: This option creates a global matrix that includes all applications.
  4. “Show Application Specific Sheet”: This option creates a specific sheet for each application.
  5. “Show items only when relation exists”: This option allows only elements that have an existing relation to be displayed.
  6. “Show entities count per matrix item”: This option displays the number of entities per matrix item.
  7. “Select application”: This option allows a specific application to be selected to display its permission and role matrix.

These options offer great flexibility in managing permissions and roles in Visual Guard. They allow administrators to customize the display and management of permissions and roles according to their specific needs.

In summary, the Permission Matrix feature of Visual Guard is a valuable tool for any organization that wants to effectively manage the permissions and roles of its users. Its ability to generate a detailed Excel document provides unmatched visibility and control over the permissions and roles in the system.

13. System Roles

The Visual Guard System Role page provides a comprehensive overview of the nine predefined roles offered by Visual Guard. Each role comes with specific access and permissions, allowing for a granular control over the system’s security.

Here’s a brief overview of each role:

| Roles | Description |
| --- | --- |
| Master Administrator | This user has access to all the available features on the console. The user can create, delete, manage and update the applications, permissions, permission sets, roles, users, and groups of the repository. |
| Developer | This user can edit, update and remove permissions and permission sets. The user can only create application roles and grant or revoke them to groups/users. |
| Restricted Developer | This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role. |
| Developer Deployer | This type of user can edit applications, permissions, roles and users but not the repository. They cannot grant the Visual Guard built-in roles to users. |
| Restricted Developer Deployer | This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role. |
| User Administrator | This user can create new users and view the users that belong to the groups that have been assigned to the user. The user can create groups and read only those groups that are assigned to the user. The user can grant or revoke the Application, Shared & System roles to Groups/Users. |
| Restricted User Administrator | This user can manage users and roles in a given application. |
| Auditor | This user can access the repository in read-only mode; he can also read the log and print the report. |
| Restricted Auditor | This user has the same privileges as the Auditor except that his access is limited to a single application. |

13.1 Permission Matrix

The Visual Guard System Role Permission Matrix page provides a detailed breakdown of the permissions associated with each of the nine predefined roles offered by Visual Guard.

The matrix is a comprehensive guide that outlines the level of access each role has to applications, groups, roles, and users. It covers a wide range of permissions, from creating and deleting applications, groups, and roles, to reading and updating permissions, permission sets, and users.


Visual Guard offers 9 predefined roles. The role granted to a user determines that user's level of access to applications, groups, roles and users.
The matrix below defines the permissions associated with each role.

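| Permission | Master Admin | Developer | Restricted Developer | Developer Deployer | Restricted Developer Deployer | User Admin | Restricted User Admin | Auditor | Restricted Auditor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Applications | ø | | | | | | | | |
| \Applications\CanCreateApplication | ø | | | | | | | | |
| \Applications\CanDeleteApplication | ø | | | | | | | | |
| \Applications\CanDeployApplication | ø | | | ø | ø | | | | |
| \Applications\CanReadAllApplications | ø | ø | | ø | | ø | | ø | |
| \Applications\CanReadApplication | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Applications\CanUpdateApplication | ø | ø | ø | ø | ø | | | | |
| AuditAndReporting | | | | | | | | | |
| \AuditAndReporting\CanGenerateDocumentation | ø | | | | | ø | ø | ø | ø |
| \AuditAndReporting\CanEditEventLogCategory | ø | | | | | | | | |
| \AuditAndReporting\CanReadEventLog | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| Groups | | | | | | | | | |
| \Groups\CanCreateGroup | ø | | | | | ø | ø | | |
| \Groups\CanReadGroup | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Groups\CanUpdateGroup | ø | | | | | ø | ø | | |
| \Groups\CanDeleteGroup | ø | | | | | ø | ø | | |
| \Groups\CanReadAllGroups | ø | | | | | | | ø | |
| Permissions | | | | | | | | | |
| \Permissions\CanCreatePermission | ø | ø | ø | ø | ø | | | | |
| \Permissions\CanDeletePermission | ø | ø | ø | ø | ø | | | | |
| \Permissions\CanReadPermission | ø | ø | ø | ø | ø | | | ø | ø |
| \Permissions\CanUpdatePermission | ø | ø | ø | ø | ø | | | | |
| Permission Sets | | | | | | | | | |
| \PermissionSets\CanCreatePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanDeletePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanReadPermissionSet | ø | ø | ø | ø | ø | | | ø | ø |
| \PermissionSets\CanUpdatePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanGrantRevokePermissionSetsToSharedRoles | ø | ø | ø | ø | ø | | | | |
| Repository | | | | | | | | | |
| \Repository\CanDeleteRepository | ø | | | | | | | | |
| \Repository\CanDeployRepository | ø | | | | | | | | |
| \Repository\CanUpdatePasswordPolicy | ø | | | | | | | | |
| \Repository\CanUpdateRepository | ø | | | | | | | | |
| Roles | | | | | | | | | |
| \Roles\CanCreateApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanCreateSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanCreateSystemRole | ø | | | | | | | | |
| \Roles\CanDeleteApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanDeleteSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanDeleteSystemRole | ø | | | | | | | | |
| \Roles\CanGrantRevokeApplicationRolesToGroups | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanGrantRevokeApplicationRolesToUsers | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanGrantRevokeSharedRolesToGroups | ø | | | | | ø | ø | | |
| \Roles\CanGrantRevokeSharedRolesToUsers | ø | | | | | ø | ø | | |
| \Roles\CanGrantRevokeSystemRolesToGroups | ø | | | | | | | | |
| \Roles\CanGrantRevokeSystemRolesToUsers | ø | | | | | | | | |
| \Roles\CanReadApplicationRole | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Roles\CanReadSharedRole | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Roles\CanReadSystemRole | ø | | | | | ø | ø | ø | ø |
| \Roles\CanUpdateApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanUpdateSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanUpdateSystemRole | ø | | | | | | | | |
| Users | | | | | | | | | |
| \Users\CanApprovePendingUsers | ø | | | | | ø | ø | | |
| \Users\CanAssignRemoveUsersToGroups | ø | | | | | ø | ø | | |
| \Users\CanCreateUser | ø | | | | | ø | ø | | |
| \Users\CanDeleteUser | ø | | | | | ø | ø | | |
| \Users\CanLockUnlockUser | ø | | | | | ø | ø | | |
| \Users\CanReadAllUsers | ø | | | | | | ø | | |
| \Users\CanReadUser | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Users\CanUpdateUser | ø | | | | | ø | ø | | |
| ADFS | | | | | | | | | |
| \ADFS\CanCreateADFSServer | ø | | | | | | | | |
| \ADFS\CanDeleteADFSServer | ø | | | | | | | | |
| \ADFS\CanUpdateADFSServer | ø | | | | | | | | |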
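
A matrix like this is easier to review when it is queried rather than read by eye. The following is an added example, not part of Visual Guard: a Python script over a subset of rows transcribed from the matrix above (`x` marks a granted permission, `.` an empty cell), with a constructed account-to-role assignment list.

```python
# Added example: queries over rows transcribed from the system role matrix.
# The ASSIGNMENTS data is constructed; nothing here calls a Visual Guard API.
ROLES = ["Master Admin", "Developer", "Restricted Developer",
         "Developer Deployer", "Restricted Developer Deployer",
         "User Admin", "Restricted User Admin", "Auditor", "Restricted Auditor"]

# One row per permission: path, then one mark per role in ROLES order.
MATRIX = r"""
\Applications\CanCreateApplication x........
\Applications\CanDeployApplication x..xx....
\Applications\CanReadAllApplications xx.x.x.x.
\Applications\CanReadApplication xxxxxxxxx
\Applications\CanUpdateApplication xxxxx....
\AuditAndReporting\CanGenerateDocumentation x....xxxx
\AuditAndReporting\CanReadEventLog xxxxxxxxx
\Groups\CanCreateGroup x....xx..
\Groups\CanReadAllGroups x......x.
\Permissions\CanCreatePermission xxxxx....
\Permissions\CanReadPermission xxxxx..xx
\PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles xxxxx....
\Repository\CanUpdatePasswordPolicy x........
\Roles\CanCreateApplicationRole xxxxxxx..
\Roles\CanGrantRevokeApplicationRolesToUsers xxxxxxx..
\Roles\CanGrantRevokeSharedRolesToUsers x....xx..
\Roles\CanGrantRevokeSystemRolesToUsers x........
\Roles\CanReadSystemRole x....xxxx
\Users\CanCreateUser x....xx..
\Users\CanReadUser xxxxxxxxx
"""


def load_matrix(text):
    """Return {role: set(permission)}; reject rows with a wrong cell count."""
    granted = {role: set() for role in ROLES}
    for line in text.strip().splitlines():
        permission, marks = line.split()
        if len(marks) != len(ROLES):
            raise ValueError(f"expected {len(ROLES)} marks: {line!r}")
        for role, mark in zip(ROLES, marks):
            if mark == "x":
                granted[role].add(permission)
    return granted


GRANTED = load_matrix(MATRIX)


def leaf(permission):
    """Last path component, e.g. 'CanCreateUser'."""
    return permission.rsplit("\\", 1)[-1]


def roles_holding(granted, permission):
    """System roles that carry the given permission, in matrix column order."""
    return [r for r in ROLES if permission in granted[r]]


def is_read_only(granted, role):
    """True when the role holds nothing but read and reporting permissions."""
    return all(leaf(p).startswith("CanRead") or leaf(p) == "CanGenerateDocumentation"
               for p in granted[role])


def restricted_excess(granted):
    """For each 'Restricted X' role, permissions it holds that 'X' does not."""
    prefix = "Restricted "
    return {r: sorted(granted[r] - granted[r[len(prefix):]])
            for r in ROLES if r.startswith(prefix)}


def grant_rights(granted, assignments):
    """Per account, the grant/revoke permissions its system roles confer."""
    report = {}
    for account, roles in assignments.items():
        held = set().union(*(granted[r] for r in roles))
        report[account] = sorted(p for p in held
                                 if leaf(p).startswith("CanGrantRevoke"))
    return report


# Constructed sample: console accounts and the system roles granted to them.
ASSIGNMENTS = {"root1": ["Master Admin"], "dev7": ["Developer"],
               "helpdesk1": ["Restricted User Admin"], "audit2": ["Auditor"]}

if __name__ == "__main__":
    target = r"\Roles\CanGrantRevokeSystemRolesToUsers"
    print("Can grant system roles:", roles_holding(GRANTED, target))
    print("Read-only roles:", [r for r in ROLES if is_read_only(GRANTED, r)])
    print("Restricted-role excess:", restricted_excess(GRANTED))
    for account, rights in grant_rights(GRANTED, ASSIGNMENTS).items():
        print(account, rights)
```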

13.2 Master Administrator

If you have been granted the Master Administrator role, you will have full access to all the resources of the Visual Guard tools.

  • The Master Administrator will be assigned the following permission sets by default:

| Description | Remarks |
| --- | --- |
| Auditor permissions | This option allows access to the repository in read-only mode and consulting the event log. |
| Deployer permissions | This option allows deploying the application. |
| Developer Deployer permissions | This option allows deploying and editing applications, permissions, users and roles, but not the repositories. |
| Developer Permissions | This option allows creating applications and defining roles, permissions and permission sets. |

  • The Master Administrator will be assigned the following permissions by default:

| Description | Remarks |
| --- | --- |
| Applications\Can Create Applications | This permission allows creating a new application. |
| Applications\Can Delete Applications | This permission allows deleting an application. |
| Applications\Can Deploy Application | This permission allows deploying an application. |
| Applications\Can Read All Application | This permission gives you the right to read all applications. |
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Applications\Can Update Application | This permission gives you the right to update an application. |
| Audit and Reporting\Can Edit Event Log Category | This permission gives you the right to edit an event log category. |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Create Group | This permission gives you the right to create a group. |
| Groups\Can Delete Group | This permission gives you the right to delete a group. |
| Groups\Can Read All Groups | This permission gives you the right to read all groups. |
| Groups\Can Read Group | This permission gives you the right to read groups that have been assigned to you. |
| Permissions\Can Create Permission | This permission gives you the right to create a permission. |
| Permissions\Can Delete Permission | This permission gives you the right to delete a permission. |
| Permissions\Can Read Permission | This permission gives you the right to read a permission. |
| Permissions\Can Update Permission | This permission gives you the right to update a permission. |
| Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set. |
| Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set. |
| Repository\Can Delete Repository | This permission gives you the right to delete a repository. |
| Repository\Can Deploy Repository | This permission gives you the right to deploy a repository. |
| Repository\Can Update Password Policy | This permission gives you the right to update a password policy. |
| Repository\Can Update Repository | This permission gives you the right to update a repository. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Create Shared Role | This permission gives you the right to create a shared role. |
| Roles\Can Create System Role | This permission gives you the right to create a system role. |
| Roles\Can Delete Application Role | This permission gives you the right to delete an application role. |
| Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Roles\Can Delete System Role | This permission gives you the right to delete a system role. |
| Roles\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Roles\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Roles\Can Grant Revoke System Roles To Groups | This permission gives you the right to grant or revoke system roles to groups. |
| Roles\Can Grant Revoke System Roles To Users | This permission gives you the right to grant or revoke system roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Update Shared Role | This permission gives you the right to update a shared role. |
| Roles\Can Update System Role | This permission gives you the right to update a system role. |
| Users\Can Approve Pending Users | This permission gives you the right to approve or deny users. |
| Users\Can Assign Remove Users To Groups | This permission gives you the right to assign or remove users to the group. |
| Users\Can Create User | This permission gives you the right to create a user. |
| Users\Can Delete User | This permission gives you the right to delete a user. |
| Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Users\Can Read All Users | This permission gives you the right to read all users. |
| Users\Can Read User | This permission gives you the right to read a user. |
| Users\Can Update User | This permission gives you the right to update a user. |
| ADFS\Can Create ADFS Server | This permission allows creating a new ADFS Server. |
| ADFS\Can Delete ADFS Server | This permission gives you the right to delete an ADFS Server. |
| ADFS\Can Update ADFS Server | This permission gives you the right to update an ADFS Server. |

13.3 User Administrator

This user can create new users and read only those users who belong to the groups assigned to the user. Additionally, the user can create groups and read only those groups that are assigned to the logged-in user.

The user can grant or revoke the Application, Shared & System roles to Groups/Users.

  • The User Administrator will be assigned the User Administrator and Restricted User Administrator permission sets by default.
  • The User Administrator will be assigned the following permissions by default:

| Description | Remarks |
| --- | --- |
| User Administrator Permissions | |
| Applications\Can Read All Applications | This permission gives you the right to read all the applications. |
| Restricted User Administrator Permissions | |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate the documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Create Group | This permission gives you the right to create a group. |
| Groups\Can Delete Group | This permission gives you the right to delete a group. |
| Groups\Can Read Group | This permission gives you the right to read a group. |
| Groups\Can Update Group | This permission gives you the right to update a group. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Create Shared Role | This permission gives you the right to create a shared role. |
| Roles\Can Delete Application Role | This permission gives you the right to delete an application role. |
| Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users. |
| Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to the groups. |
| Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to the users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Update Shared Role | This permission gives you the right to update a shared role. |
| Users\Can Approve Pending Users | This permission gives you the right to approve or deny users. |
| Users\Can Assign Remove Users To Groups | This permission gives you the right to assign or remove users to the group. |
| Users\Can Create User | This permission gives you the right to create a user. |
| Users\Can Delete User | This permission gives you the right to delete a user. |
| Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Users\Can Read User | This permission gives you the right to read a user. |
| Users\Can Update User | This permission gives you the right to update a user. |

  • The impact of these permissions on each area of the console is described in the sections below.

Please Note: The sections on which the role has no impact have not been listed.

Impact of user administrator role on applications

This module explains the impact on the applications if the user has been granted the User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Read All Application | This permission gives you the right to read all applications. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read All Applications permission, the user will be able to view the details of all the applications.
  • The user can click on the Application name to view the application information as shown below:
  • The application information will be available in read-only mode.

Impact of User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| CanGenerateDocumentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).

Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation of each entity in the Visual Guard console.

  • The Can Read Event Log permission allows viewing the event log as shown below:

Impact of User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted the User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Group | This permission gives you the right to create a group. |
| Can Delete Group | This permission gives you the right to delete a group. |
| Can Read Group | This permission gives you the right to read a group. |
| Can Update Group | This permission gives you the right to update a group. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Groups permission, the user will be able to view the group that has been assigned to him.
  • The parent groups of the assigned group will also be displayed.
  • Depending on the user privileges and assigned group privileges, the list of privileges will be decided automatically.
  • The Can Create Group privilege allows the user to create a group. This option will be available only if a group has been assigned to the user.
  • The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.
  • Since the user has the Can Delete Group and Can Update Group privileges, he can remove or update group-related details.

Impact of User Administrator Role on Role

This module explains the impact on the roles if the user has been granted the User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Create Shared Role | This permission gives you the right to create a shared role. |
| Can Delete Application Role | This permission gives you the right to delete an application role. |
| Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users. |
| Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to the groups. |
| Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to the users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Read System Role | This permission gives you the right to read a system role. |
| Can Update Application Role | This permission gives you the right to update an application role. |
| Can Update Shared Role | This permission gives you the right to update a shared role. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application since he has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update role details by clicking on Application>Role>Rolename.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant/revoke the roles of users through the Users> Username> Roles> Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “yes”, the role will be successfully revoked and the message below will appear:

  • The user can also grant/revoke the role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • The user can delete the application role since he has the Can Delete Application Role privilege.
  • Additionally, the User Administrator has access to manage the Shared Roles.
  • The Can Create Shared Role privilege allows the user to create a new Shared Role.
  • The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:
  • The user has the privilege to read and update the shared roles information, since he has been granted the Can Read Shared Role and Can Update Shared Role privileges.
  • Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege, the user can edit the granted users option.
  • The user can select and edit the members for the selected role.
  • The user can also grant the shared role to the groups, since the user has the Can Grant Revoke Shared Roles To Groups privilege.
  • The user can assign the shared role to the group.
  • The user can delete the shared role, since he has the Can Delete Shared Role privilege.
  • The User Administrator can only view the System Roles related information, since he has the Can Read System Role privilege.
  • The user can view and update the role details by clicking on Application>Role>Rolename.

Impact of User Administrator Role on Users

This module explains the impact on the user related permissions if the user has been granted a User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create User | This permission gives you the right to create a user. |
| Can Delete User | This permission gives you the right to delete a user. |
| Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Can Read User | This permission gives you the right to read a user. |
| Can Update User | This permission gives you the right to update a user. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new user, since he has the Can Create User privilege.
  • The user can create a user only under the groups assigned to him.
  • When the user clicks on the new user option, the following screen will be displayed:
  • Click “OK” to complete the user creation.
  • The new user account will be created and displayed in the grid on the right side.
  • The user can view the user details by clicking on the user name as shown below:
  • Since the user has the Can Read User and Can Update User privileges, the user will be able to update the user details.
  • The user administrator has the privilege to delete the user, since he has the Can Delete User privilege.
  • Additionally, the user administrator can lock or unlock user accounts since he has the Can Lock Unlock User permission.

13.4 Restricted User Administrator

This user can manage users and roles in a given application.
This user type is also allowed to manage users and roles of the applications for which the user is a member of the ‘Membership Manager’ role.

  • The Restricted User Administrator will be assigned the restricted user administrator permission set by default.
  • The Restricted User Administrator will be assigned the following permissions by default:

| Description | Remarks |
| --- | --- |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Create Group | This permission gives you the right to create a group. |
| Groups\Can Delete Group | This permission gives you the right to delete a group. |
| Groups\Can Read Group | This permission gives you the right to read a group. |
| Groups\Can Update Group | This permission gives you the right to update a group. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Create Shared Role | This permission gives you the right to create a shared role. |
| Roles\Can Delete Application Role | This permission gives you the right to delete an application role. |
| Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Update Shared Role | This permission gives you the right to update a shared role. |
| Users\Can Approve Pending Users | This permission gives you the right to approve or deny users. |
| Users\Can Assign Remove Users To Groups | This permission gives you the right to assign or remove users to the group. |
| Users\Can Create User | This permission gives you the right to create a user. |
| Users\Can Delete User | This permission gives you the right to delete a user. |
| Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Users\Can Read User | This permission gives you the right to read a user. |
| Users\Can Update User | This permission gives you the right to update a user. |

  • To explore the impact of permissions please click on the relevant link below:

 

Impact of Restricted User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Generate Documentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation for the available entities.
  • The Can Read Event Log permission allows access to the event log as shown below:

Impact of Restricted User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Group | This permission gives you the right to create a group. |
| Can Delete Group | This permission gives you the right to delete a group. |
| Can Read Group | This permission gives you the right to read a group. |
| Can Update Group | This permission gives you the right to update a group. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Groups permission, the user will be able to view the group that has been assigned to him.
  • The parent groups of the assigned group will also be displayed.
  • The list of available privileges is determined automatically from the user privileges and the assigned group privileges.
  • The Can Create Group privilege allows the user to create a group. This option will be available only if the user has been assigned to a group.
  • The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.
  • Since the user has the Can Delete Group and Can Update Group privileges, he can remove or update group-related details.

Impact of Restricted User Administrator Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted User Administrator Role.

The users will be allowed to manage only those applications for which the user is a member of the ‘Membership Manager’ role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Create Shared Role | This permission gives you the right to create a shared role. |
| Can Delete Application Role | This permission gives you the right to delete an application role. |
| Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Update Application Role | This permission gives you the right to update an application role. |
| Can Update Shared Role | This permission gives you the right to update a shared role. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application (for which he has the “Membership Manager” role), since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update role details by clicking on Application>Role>Rolename.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant/revoke the roles of users through the Users> Username> Roles> Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “Yes”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • The user can delete the application role since he has the Can Delete Application Role privilege.
  • Additionally, the Restricted User Administrator has access to manage the Shared Roles.
  • The Can Create Shared Role privilege allows the user to create a new Shared Role.
  • The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:
  • The user can read shared roles because of the Can Read Shared Role privilege and update their information because of the Can Update Shared Role privilege, so the role details will be displayed in an editable mode.
  • Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege, the user can edit the granted users option.
  • The user can select and edit the members for the selected role.
  • The user can grant the shared role to the groups, since he has the Can Grant Revoke Shared Roles To Groups privilege.
  • The user can assign the shared role to the group.
  • The user can delete the shared role since he has the Can Delete Shared Role privilege.
  • The Restricted User Administrator also has the privilege to view the system roles in read-only mode because of the Can Read System Role privilege.

Impact of Restricted User Administrator Role on Users

This module explains the impact on the users if the user has been granted a Restricted User Administrator Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create User | This permission gives you the right to create a user. |
| Can Delete User | This permission gives you the right to delete a user. |
| Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Can Read User | This permission gives you the right to read a user. |
| Can Update User | This permission gives you the right to update a user. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new user because of the Can Create User privilege.
  • The user can create a user only under the groups assigned to him.
  • When the user clicks on the new user option, the following screen will be displayed.
  • When the user clicks “OK”, the new user account will be created and displayed in the grid on the right side.
  • The user can view the user details by clicking on the user name as shown below:
  • Since the user has the Can Read User and Can Update User privileges, the user will be able to update the user details.
  • The restricted user administrator will have the privilege to delete the user, since he has the Can Delete User privilege.
  • Additionally, the restricted user administrator can lock or unlock user accounts because of the Can Lock Unlock User permission assigned to him.

13.5 Developer

This user type has the rights to edit, update and remove permissions and permission sets. These users can only create application roles and grant/revoke them to groups or users.

  • The Developer will be assigned the Developer and Restricted Developer permission sets by default.
  • Depending on the permission sets, the Developer will be assigned the following permissions by default.

| Description | Remarks |
| --- | --- |
| Developer | |
| Applications\Can Read All Applications | This permission gives you the right to read all applications. |
| Restricted Developer | This user type has permissions to edit the applications, permissions, users and roles of the applications for which the user is a member of the ‘Membership Manager’ role. |
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Applications\Can Update Application | This permission gives you the right to update an application. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Audit and Reporting\Can Read Group | This permission gives you the right to read a group. |
| Permissions\Can Create Permission | This permission gives you the right to create a permission. |
| Permissions\Can Delete Permission | This permission gives you the right to delete a permission. |
| Permissions\Can Read Permission | This permission gives you the right to read a permission. |
| Permissions\Can Update Permission | This permission gives you the right to update a permission. |
| Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set. |
| Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set. |
| Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |

  • To explore the impact of permissions please click on the relevant link below:

Impact of Developer Role on Applications

This module explains the impact on the applications if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Read All Applications | This permission gives access to read all applications. |
| Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Can Update Application | This permission gives you the right to update an application. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the Application name to view the application information as shown below:
  • The application information will be available in an editable mode since the user has Can Update Application privilege.
  • The user can update information related to all the applications.

Impact of Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Read Event Log | This permission gives you the right to read an Event Log. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The Can Read Event Log permission allows access to view the event log as shown below:

Impact of Developer Role on Groups

This module explains the impact on the groups if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Groups\Can Read Group | This permission gives access to read a group for which you have the role “Membership Manager”. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Groups permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • The privileges that are available to the user will depend on the user and the group privileges.

Impact of Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Permission | This permission gives you the right to create a permission. |
| Can Delete Permission | This permission gives you the right to delete a permission. |
| Can Read Permission | This permission gives you the right to read a permission. |
| Can Update Permission | This permission gives you the right to update a permission. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the permissions to create, delete, read and update permissions, the user will be able to update existing permissions in addition to creating new ones.
  • Additionally, the user can manage the other permission-related properties using the available options.

Impact of Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Permission Set | This permission gives you the right to create a permission set. |
| Can Delete Permission Set | This permission gives you the right to delete a permission set. |
| Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Can Read Permission Set | This permission gives you the right to read a permission set. |
| Can Update Permission Set | This permission gives you the right to update a permission set. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the permissions to create, delete, read and update permission sets, the user will be able to update existing permission sets in addition to creating new ones.
  • Additionally, the user can manage the other permission set related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets To Application Roles privilege, the user can grant permission sets to the selected role as shown below.
  • The user can also grant the permission set to the shared roles, since the user has the Can Grant Revoke Permission Sets To Shared Roles privilege.

Impact of Developer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Update Application Role | This permission gives you the right to update an application role. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant/revoke the roles of users through the Users> Username> Roles> Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “YES”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application under which it has been created. The user can select and grant this new role.
  • Since the user has the Can Read System Role privilege, the system role information will be displayed in read-only mode.
  • Since the user has the Can Read Shared Role privilege, the shared role information will be displayed in read-only mode.
  • Additionally, the Can Read Special Role privilege will allow the special role information to be displayed in read-only mode.
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update the details of existing application roles.
  • To update the role information, click on the role name under Applications> Role.

13.6 Restricted Developer

This type of user can create or edit the application, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role.

  • The Restricted Developer will be assigned the restricted developer permission set by default.
  • The Restricted Developer will be assigned the following permissions by default for the applications for which he has been granted the role:

| Description | Remarks |
| --- | --- |
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the “Membership Manager” role. |
| Applications\Can Update Application | This permission gives you the right to update an application. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Read Group | This permission gives you the right to read a group. |
| Permissions\Can Create Permission | This permission gives you the right to create a permission. |
| Permissions\Can Delete Permission | This permission gives you the right to delete a permission. |
| Permissions\Can Read Permission | This permission gives you the right to read a permission. |
| Permissions\Can Update Permission | This permission gives you the right to update a permission. |
| Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set. |
| Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set. |
| Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |

  • To explore the impact of permission please click on the relevant link below:

Please Note: The sections on which the role has no impact have not been listed.

Impact of Restricted Developer Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Deploy Application | This permission gives you the right to deploy the applications for which you have the “Membership Manager” role. |
| Can Read Application | This permission gives you the right to read applications for which you have the “Membership Manager” role. |
| Can Update Application | This permission gives you the right to update an application. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The applications for which the user has Membership Manager role will be displayed.
  • The user can deploy the application, since the user has the Can Deploy Application permission.
  • Since the user has the Can Read Application permission, the application details (A) will be displayed when the user clicks on the application name.
  • The application information will be available in an editable mode since the user has the Can Update Application privilege.
  • The user can update information related to the applications.
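
The scoping rule described for the Developer and Restricted Developer roles, modelled in Python as an added example (not Visual Guard code or its API): Can Read All Applications overrides Can Read Application, which is limited to applications where the account holds the Membership Manager role. The `Account` type, the function names, the sample applications and the rule that an action requires an application in scope are assumptions of this example.

```python
"""Model of the application-scoping rule; not Visual Guard code or its API."""
from dataclasses import dataclass

# Permission names as they appear in the tables on this page.
READ_ALL = "Can Read All Applications"
READ_SCOPED = "Can Read Application"
UPDATE_APP = "Can Update Application"
CREATE_APP_ROLE = "Can Create Application Role"

# Only the permissions this example needs, taken from the default sets above.
DEVELOPER = frozenset({READ_ALL, READ_SCOPED, UPDATE_APP, CREATE_APP_ROLE})
RESTRICTED_DEVELOPER = frozenset({READ_SCOPED, UPDATE_APP, CREATE_APP_ROLE})


@dataclass(frozen=True)
class Account:
    """Hypothetical account record used only by this example."""
    name: str
    permissions: frozenset
    # Applications in which the account holds the 'Membership Manager' role.
    membership_manager_of: frozenset = frozenset()


def visible_applications(account, all_apps):
    """Return the sorted list of applications the account can see."""
    if READ_ALL in account.permissions:
        # 'Can Read All Applications' overrides the scoped read permission.
        return sorted(all_apps)
    if READ_SCOPED in account.permissions:
        # Scoped read: only applications with a Membership Manager membership
        # that still exist in the repository.
        return sorted(set(all_apps) & account.membership_manager_of)
    return []


def is_allowed(account, permission, app, all_apps):
    """Assumption: an action needs the permission AND an application in scope."""
    return (permission in account.permissions
            and app in visible_applications(account, all_apps))


def review(accounts, all_apps, permission):
    """Map each account name to the applications where `permission` applies."""
    return {
        acct.name: [app for app in sorted(all_apps)
                    if is_allowed(acct, permission, app, all_apps)]
        for acct in accounts
    }


# Constructed sample data for the example.
APPS = {"CRM", "Inventory", "Payroll"}
ACCOUNTS = [
    Account("dev", DEVELOPER),
    Account("restricted_dev", RESTRICTED_DEVELOPER, frozenset({"CRM"})),
    # Holds the permission set but no Membership Manager role anywhere.
    Account("unscoped", RESTRICTED_DEVELOPER),
    # Membership refers to an application that is no longer in the repository.
    Account("stale", RESTRICTED_DEVELOPER, frozenset({"Legacy"})),
]

if __name__ == "__main__":
    for name, apps in review(ACCOUNTS, APPS, UPDATE_APP).items():
        print(f"{name:15} can update: {', '.join(apps) or 'nothing'}")
```

Running `review` over an export of real accounts gives a quick least-privilege check: any account whose list covers every application holds the unrestricted read permission.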

Impact of Restricted Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer Role.

  • The User will be assigned the following permissions:

| Description | Remarks |
| --- | --- |
| Can Read Event Log | This permission gives you the right to read an Event Log. |

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has the Membership Manager role.
  • The Can Read Event Log permission allows access to view the event log as shown below:

Impact of Restricted Developer Role on Groups

This module explains the impact on the groups if the user has been granted Restricted Developer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Group | This permission gives you the right to read a group.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • The list of privileges will be decided automatically, depending on the user privileges and the assigned group privileges.

Impact of Restricted Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted Restricted Developer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Create, Delete, Read and Update permissions, the user will be able to update an existing permission as well as create a permission.
  • Additionally, the user can manage the other permission-related properties using the available options.

Impact of Restricted Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted Restricted Developer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission set.
Can Delete Permission Set | This permission gives you the right to delete a permission set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read a permission set.
Can Update Permission Set | This permission gives you the right to update a permission set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager role.
  • Since the user has the Create, Delete, Read and Update permission set permissions, the user will be able to update an existing permission set as well as create permission sets.
  • Additionally, the user can manage the other permission-set-related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets To Application Roles privilege, the user can grant permission sets to the selected role, as shown below.
  • The user can also grant the permission set to the shared roles, since the user has the Can Grant Revoke Permission Sets To Shared Roles privilege.

Impact of Restricted Developer Role on Roles

This module explains the impact on the roles if the user has been granted Restricted Developer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privilege, the user can view and update role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant new roles to users or revoke them using the “Grant role to users” and “Revoke role from users” options available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users using the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking the “YES” option, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application, the user can select and grant role.
  • Although the user can create an application role, the user can only read system roles, since the user has the Can Read Shared Role privilege.
  • Since the user has the Can Read Shared Role privilege, the shared role information will be displayed in read-only mode.
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

13.7 Developer Deployer

This type of user can edit applications, permissions, roles and users but not the repository. The user can also deploy the applications.

  • The Developer Deployer will be assigned both the Deployer and Developer permission sets by default.
  • The Developer permission set comprises both the Developer and Restricted Developer permission sets.
  • Depending on the permission sets, the Developer Deployer will be assigned the following permissions by default:
Description | Remarks
Deployer
Applications\Can Deploy Application | This permission gives you the right to deploy applications.
Developer Permissions
Applications\Can Read All Applications | This permission gives you the right to read all applications.
Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Read Group | This permission gives you the right to read a group.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
  • To explore the impact of permission please click on the relevant link below:

Please Note: The sections on which the role has no impact have not been listed.

Impact of Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Deploy Applications | This permission gives you the right to deploy the applications.
Can Read All Applications | This permission gives you the right to read all the applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can deploy the applications since he has the Can Deploy Applications permission.
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user can click on the Application name to view the application information as shown below:
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.

Impact of Developer Deployer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The Can Read Event Log permission allows the user to view the event log, as shown below:

Impact of Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
\Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view a list of all the applications (A).
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • The list of privileges will be decided automatically, depending on the user privileges and the assigned group privileges.

Impact of Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Create, Delete, Read and Update permissions, the user will be able to update an existing permission as well as create a permission.
  • Additionally, the user can manage the other permission-related properties using the available options.

Impact of Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission set.
Can Delete Permission Set | This permission gives you the right to delete a permission set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read a permission set.
Can Update Permission Set | This permission gives you the right to update a permission set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Create, Delete, Read and Update permission set permissions, the user will be able to update an existing permission set as well as create permission sets.
  • Additionally, the user can manage the other permission-set-related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets To Application Roles privilege, the user can grant permission sets to the selected role, as shown below.
  • The user can also grant the permission set to the shared roles, since the user has the Can Grant Revoke Permission Sets To Shared Roles privilege.

Impact of Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Update Application Role | This permission gives you the right to update an application role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application because he has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant new roles to users or revoke them using the “Grant role to users” and “Revoke role from users” options available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users using the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:
  • Once confirmed by clicking the “YES” option, the role will be successfully revoked and the message below will appear:
  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application, the user can select and grant role.
  • Although the user can create an application role, the user can only read the system roles, because of the Can Read Shared Role privilege.
  • Since the user has the Can Read Shared Role privilege, the shared role information will be displayed in read-only mode (A).
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can edit the Granted users option.
  • To update the role information, click on the role name under Applications>Role.

13.8 Restricted Developer Deployer

This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role.

  • The Restricted Developer Deployer will be assigned both the Deployer and Restricted Developer permission sets by default.
  • The Restricted Developer Deployer will be assigned the following permissions by default:
Description | Remarks
Applications\Can Deploy Application | This permission allows deploying an application.
Applications\Can Read Application | This permission gives you the right to read an application.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
  • To explore the impact of each permission please click on the relevant link below:

Please Note: The sections on which the role has no impact have not been listed.

Impact of Restricted Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Deploy Application | This permission gives you the right to deploy applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The applications for which the user has Membership Manager role will be displayed.
  • The user can deploy the application, since the user has the Can Deploy Application permission.
  • Since the user has the Can Read Application permission, the application details (A) will be displayed when the user clicks on the application name.
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.
  • The user can update information related to the applications.

Impact of Restricted Developer Deployer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager role.
  • The Can Read Event Log permission allows the user to view the event log, as shown below:

Impact of Restricted Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Group | This permission gives you the right to read the group.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager role.
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • The list of privileges will be decided automatically, depending on the user privileges and the assigned group privileges.

Impact of Restricted Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Create, Delete, Read and Update permissions, the user will be able to update an existing permission as well as create a permission.
  • Additionally, the user can manage the other permission-related properties using the available options.

Impact of Restricted Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission set.
Can Delete Permission Set | This permission gives you the right to delete a permission set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read a permission set.
Can Update Permission Set | This permission gives you the right to update a permission set.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager role.
  • Since the user has the Create, Delete, Read and Update permission set permissions, the user will be able to update an existing permission set as well as create permission sets.
  • Additionally, the user can manage the other permission-set-related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets To Application Roles privilege, the user can grant permission sets to the selected role, as shown below.
  • The user can also grant the permission set to the shared roles, since the user has the Can Grant Revoke Permission Sets To Shared Roles privilege.

Impact of Restricted Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer Deployer Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant new roles to users or revoke them using the “Grant role to users” and “Revoke role from users” options available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users using the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking the “YES” option, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application, the user can select and grant role.
  • Since the user has the Can Read Shared Role privilege the shared role information will be displayed in the read only mode.
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

13.9 Auditor

This user can access the repository in read-only mode, and can also read the log and print the report.

  • The Auditor will be granted the Auditor and Restricted Auditor permission sets by default.
  • Depending on the permission sets, the Auditor will be assigned the following permissions by default:
Description | Remarks
Auditor Permissions
Applications\Can Read All Applications | This permission gives you the right to read all applications.
Users\Can Read All Users | This permission gives you the right to read all users.
Groups\Can Read All Groups | This permission gives you the right to read all groups.
Restricted Auditor Permissions: The restricted auditor role will have access to applications for which he has been granted the “Membership Manager” role.
Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Read Group | This permission gives you the right to read a group.
Users\Can Read User | This permission gives you the right to read a user.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
Roles\Can Read System Role | This permission gives you the right to read a system role.

Impact of Auditor Role on Applications

This module explains the impact on the applications if the user has been granted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read All Applications | This permission gives access to read all applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the Application name to view the application information as shown below:
  • Other application related options will be disabled as shown below:

Impact of Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
CanGenerateDocumentation | This permission gives you the right to generate documentation.
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate documentation of each entity in the Visual Guard console.
  • The Can Read Event Log permission allows the user to view the event log as shown below:

Impact of Auditor Role on Groups

This module explains the impact on the groups if the user has been granted an Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
\Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”.
\Groups\CanReadAllGroups | This permission gives you the right to read all the groups.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has both the Can Read All Groups and Can Read Group permissions, Can Read All Groups will override.
  • The user will be able to view the list of all the groups.
  • The user cannot rename, remove or add a new group; these options will be disabled as shown below:

Impact of Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted an Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Permission | This permission gives you the right to read a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has permission to read permissions, all permission details will be displayed in read-only mode. (A)
  • Additionally, the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted an Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Permission Sets | This permission gives you the right to read a permission set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has permission to read permission sets, all permission set details will be displayed in read-only mode. (A)
  • Additionally, the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Auditor Role on Roles

This module explains the impact on the roles if the user has been granted an Auditor Role.

The user will be assigned the following permissions:

Description | Remarks
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Read System Role | This permission gives you the right to read a system role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Application Role privilege, he can view only the role details.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly, the Can Read Shared Role privilege will allow the user to view the shared role information in read-only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly, the Can Read Special Role privilege will allow the user to view the special role information in read-only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Auditor Role on Users

This module explains the impact on the users if the user has been granted an Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read All Users | This permission gives you the right to read all users.
Can Read User | This permission gives you the right to read a user.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has both the Can Read All Users and Can Read User permissions, the Can Read All Users permission will override.
  • The Can Read All Users permission will allow the user to view the list of all users.
  • The user can view the user details by clicking on the username.
  • All details will be displayed in read-only mode.

13.10 Restricted Auditor

This user has the same privileges as the auditor, except that his access is limited to a single application.

The permission allows auditing applications for which the user is a member of the ‘Membership Manager’ role.

  • The Restricted Auditor will be assigned the following permission set by default:
Description | Remarks
Restricted Auditor permissions | This permission gives you the right to audit applications for which you have the role “Membership Manager”.
  • The Restricted Auditor will be assigned the following permissions by default:
Description | Remarks
Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate the documentation.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Read Group | This permission gives you the right to read a group.
Groups\Can Read Permission | This permission gives you the right to read a permission.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
Roles\Can Read System Role | This permission gives you the right to read a system role.
Users\Can Read User | This permission gives you the right to read a user.

Impact of Restricted Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has the Can Read Application permission, the user will be able to view the application details in read-only format.
  • Once the user clicks on the application name, the application details will be displayed as below:
  • Other application-related options will be disabled as shown below:

Impact of Restricted Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
CanGenerateDocumentation | This permission gives you the right to generate documentation.
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The Restricted Auditor role does not have permission to view the application list; hence, as soon as the user logs in, the screen below is displayed.
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation.
  • The Can Read Event Log permission allows the user to view the event log as shown below:

Impact of Restricted Auditor Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
\Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Group permission, he will be able to view the list of groups that are assigned to him.
  • If a child group is assigned to the user, the parent group will automatically be displayed as well.
  • The user will be able to view the list of all the groups. (B)
  • Depending on the roles assigned to the user and the group, the role with maximum privileges will take effect.
  • For example, if the user has the Restricted Auditor role and the assigned group has the Master Administrator role, the user will be granted the Master Administrator role.

Impact of Restricted Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted a Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Permission | This permission gives you the right to read a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has permission to read permissions, all permission details will be displayed in read-only mode. (A)
  • Additionally, the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Restricted Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted a Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Permission Sets | This permission gives you the right to read a permission set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view a list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has permission to read permission sets, all permission set details will be displayed in read-only mode. (A)
  • Additionally, the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Restricted Auditor Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Read System Role | This permission gives you the right to read a system role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has the Can Read Application Role privilege, the user can view only the role details of the application for which the user has the Membership Manager role.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly, the Can Read Shared Role privilege will allow the user to view the shared role information in read-only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly, the Can Read Special Role privilege will allow the user to view the special role information in read-only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Restricted Auditor Role on Users

This module explains the impact on the users if the user has been granted a Restricted Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read User | This permission gives you the right to read a user.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has the Can Read User permission, the user can view the list of all users that belong to the same group as the user.
  • Additionally, depending on the group permissions, the list of users that are displayed might vary.
  • For example, the current user has the Restricted Auditor permission, but if the user's group has the Master Administrator role, then the list of all the users will be displayed.
  • The user can view the user details by clicking on the username.

13.11 MemberShipRole

Visual Guard allows you to manage the membership role and the users and groups assigned to the role.

To view role-related details, follow the steps below:

  • The Membership Manager Role is displayed under Repository> Application> Roles.
  • For the Membership Manager role to take effect, you need to change the Membership Access Level available in the application.

13.12 Multiple role assignment

Visual Guard offers 9 predefined roles to the user. A user can be assigned one or more roles simultaneously.

Depending on the assignment, the system will automatically decide the level of access.

For example, create a user and grant him two special roles, namely Restricted Developer and Auditor.

The list of privileges assigned to the user will be as below:

Restricted Developer | Auditor
Applicationsø
\Applications\CanReadAllApplicationsø
\Applications\CanReadApplicationø
\Applications\CanUpdateApplicationø
Audit and Reporting
\AuditAndReporting\CanGenerateDocumentationø
\AuditAndReporting\CanReadEventLogøø
Groups
\Groups\CanReadGroupøø
\Groups\CanReadAllGroupsø
Permissions
\Permissions\CanCreatePermissionø
\Permissions\CanDeletePermissionø
\Permissions\CanReadPermissionøø
\Permissions\CanUpdatePermissionø
Permission Sets
\PermissionSets\CanCreatePermissionSetø
\PermissionSets\CanDeletePermissionSetø
\PermissionSets\CanReadPermissionSetøø
\PermissionSets\CanUpdatePermissionSetø
\PermissionSets\CanGrantRevokePermissionSetsToApplicationRolesø
\PermissionSets\CanGrantRevokePermissionSetsToSharedRolesø
Roles
\Roles\CanCreateApplicationRoleø
\Roles\CanUpdateApplicationRoleø
\Roles\CanGrantRevokeApplicationRolesToGroupsø
\Roles\CanGrantRevokeApplicationRolesToUsersø
\Roles\CanReadApplicationRoleøø
\Roles\CanReadSharedRoleøø
\Roles\CanReadSystemRoleø
Users
\Users\CanReadAllUsersø
\Users\CanReadUserø
Domains
\Domains\CanReadDomainø

Impact of Restricted Developer and Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read All Applications | This permission gives access to read all the applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the application name to view the application information as shown below:
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.
  • The user can update information related to all the applications.
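
The role combination from 13.12, as an added example that is not Visual Guard code: it unions the two roles' permission sets from the matrix, applies the "Can Read All … will override" rule, and reports where a write permission from one role meets an unscoped read permission from the other. The Auditor set follows the Impact of Auditor Role sections; the Restricted Developer column and the names `ROLES`, `OVERRIDES` and `review()` are assumptions, because the matrix as printed does not show which column a single mark belongs to.

```python
# Added example, not Visual Guard code. Permission paths are the rows of the
# matrix in section 13.12.

# Auditor column: the permissions listed by the "Impact of Auditor Role" sections.
AUDITOR = {
    r"\Applications\CanReadAllApplications",
    r"\Applications\CanReadApplication",
    r"\AuditAndReporting\CanGenerateDocumentation",
    r"\AuditAndReporting\CanReadEventLog",
    r"\Groups\CanReadGroup",
    r"\Groups\CanReadAllGroups",
    r"\Permissions\CanReadPermission",
    r"\PermissionSets\CanReadPermissionSet",
    r"\Roles\CanReadApplicationRole",
    r"\Roles\CanReadSharedRole",
    r"\Roles\CanReadSystemRole",
    r"\Users\CanReadAllUsers",
    r"\Users\CanReadUser",
}

# Restricted Developer column. ASSUMPTION: the rows carrying two marks plus the
# single-mark rows that the Auditor sections do not list.
RESTRICTED_DEVELOPER = {
    r"\Applications\CanUpdateApplication",
    r"\AuditAndReporting\CanReadEventLog",
    r"\Groups\CanReadGroup",
    r"\Permissions\CanCreatePermission",
    r"\Permissions\CanDeletePermission",
    r"\Permissions\CanReadPermission",
    r"\Permissions\CanUpdatePermission",
    r"\PermissionSets\CanCreatePermissionSet",
    r"\PermissionSets\CanDeletePermissionSet",
    r"\PermissionSets\CanReadPermissionSet",
    r"\PermissionSets\CanUpdatePermissionSet",
    r"\PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles",
    r"\PermissionSets\CanGrantRevokePermissionSetsToSharedRoles",
    r"\Roles\CanCreateApplicationRole",
    r"\Roles\CanUpdateApplicationRole",
    r"\Roles\CanGrantRevokeApplicationRolesToGroups",
    r"\Roles\CanGrantRevokeApplicationRolesToUsers",
    r"\Roles\CanReadApplicationRole",
    r"\Roles\CanReadSharedRole",
    r"\Domains\CanReadDomain",
}

ROLES = {"Auditor": AUDITOR, "Restricted Developer": RESTRICTED_DEVELOPER}

# Unscoped permission -> scoped permission it overrides, as stated on the page.
OVERRIDES = {
    r"\Applications\CanReadAllApplications": r"\Applications\CanReadApplication",
    r"\Groups\CanReadAllGroups": r"\Groups\CanReadGroup",
    r"\Users\CanReadAllUsers": r"\Users\CanReadUser",
}

WRITE_PREFIXES = ("CanCreate", "CanUpdate", "CanDelete", "CanGrantRevoke")


def category(perm):
    return perm.split("\\")[1]


def effective_permissions(role_names):
    """Union of the permission sets of every role the account holds."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms


def superseded(perms):
    """Scoped read permissions that an unscoped 'All' permission overrides."""
    return {scoped for unscoped, scoped in OVERRIDES.items()
            if unscoped in perms and scoped in perms}


def write_permissions(perms):
    return sorted(p for p in perms if p.split("\\")[2].startswith(WRITE_PREFIXES))


def widened_categories(role_names):
    """Categories where a role's write permission gains another role's unscoped read."""
    effective = effective_permissions(role_names)
    found = set()
    for name in role_names:
        own = ROLES[name]
        own_write_categories = {category(p) for p in write_permissions(own)}
        for unscoped in OVERRIDES:
            if unscoped in effective and unscoped not in own:
                if category(unscoped) in own_write_categories:
                    found.add(category(unscoped))
    return sorted(found)


def review(role_names):
    perms = effective_permissions(role_names)
    return {
        "effective": perms,
        "superseded": superseded(perms),
        # A read-only Auditor account that also holds write permissions is a
        # separation-of-duties finding worth flagging in an access review.
        "write_with_auditor": write_permissions(perms) if "Auditor" in role_names else [],
        "widened": widened_categories(role_names),
    }


if __name__ == "__main__":
    report = review(["Restricted Developer", "Auditor"])
    print(len(report["effective"]), "effective permissions")
    print("write permissions held alongside Auditor:", len(report["write_with_auditor"]))
    print("scope widened in:", report["widened"])
```
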

Impact of Restricted Developer and Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
CanGenerateDocumentation | This permission gives you the right to generate documentation.
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate documentation of each entity in the Visual Guard console.
  • The Can Read Event Log permission allows the user to view the event log as shown below:

Impact of Restricted Developer and Auditor Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
\Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”.
\Groups\CanReadAllGroups | This permission gives you the right to read all the groups.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has both the Can Read All Groups and Can Read Group permissions, Can Read All Groups will override.
  • The user will be able to view the list of all the groups.
  • The user cannot rename, remove or add a new group; these options will be disabled as shown below:

Impact of Restricted Developer and Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user has the Can Create Permission permission; as a result, the New Permission option will be enabled.
  • The user has also been assigned the Update and Delete permission privileges; these allow access to the Rename, Remove, and Duplicate options as shown below.
  • The Can Read Permission permission allows the user to view the permission information when the user clicks on the permission name.

Impact of Restricted Developer and Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission set.
Can Delete Permission Set | This permission gives you the right to delete a permission set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read a permission set.
Can Update Permission Set | This permission gives you the right to update a permission set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user has the Can Create Permission Set permission; as a result, the New Permission Set option will be enabled.
  • The user has also been assigned the Update and Delete permission set privileges; these allow access to the Rename, Remove, and Duplicate options as shown below.
  • The Can Read Permission Set permission allows the user to view the permission set information when the user clicks on the permission name.
  • Additionally, the user will also have the Can Grant Revoke Permission Sets To Application Roles permission, which allows the user to modify the permission sets belonging to the application role.
  • The Can Grant Revoke Permission Sets To Application Roles permission allows access to the Edit Permission Set option as shown below:
  • When the user clicks on Edit Permission Sets, he will be able to grant or revoke the permission sets.
  • The Can Grant Revoke Permission Sets To Shared Roles permission allows the user to grant or revoke the permission sets listed under the shared role.
  • The Edit Permission Set option will be available.
  • When the user clicks on Edit Permission Sets, he will be able to grant or revoke the permission sets.

Impact of Restricted Developer and Auditor Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read System Role | This permission gives you the right to read a system role.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update the role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the tab “Granted User”.

Please Note: You can also grant/revoke roles of users using the Users> Username> Roles> Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select option   you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “Yes”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • Since the user has the Can Read System Role privilege, the system role information will be displayed in read-only mode.
  • Since the user has the Can Read Shared Role privilege, the shared role information will be displayed in read-only mode.
  • Additionally, the Can Read Special Role privilege will allow the special role information to be displayed in read-only mode.

Impact of Restricted Developer and Auditor Role on Users

This module explains the impact on the users if the user has been granted the Restricted Developer and Auditor Role.

  • The user will be assigned the following permissions:
Description | Remarks
Can Read All Users | This permission gives you the right to read all users.
Can Read User | This permission gives you the right to read a user.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has both the Can Read All Users and Can Read User permissions, the Can Read All Users permission will override.
  • The Can Read All Users permission will allow the user to view the list of all users.
  • The user can view the user details by clicking on the username.
  • All details will be displayed in read-only mode.

14. Database roles

When Visual Guard needs to authenticate a database user, it must be connected to the database.

The database account used to connect to the database must have access to the Visual Guard database objects. This account is specified in the configuration file or provided by the user for Database authentication mode.

Visual Guard offers 4 database roles to the users.

Role | Description
vg_BasicAccess | This role can be granted to the users that will need to be authenticated by Visual Guard in your application.
vg_UserAdminAccess | This role must be granted to a user account that will need to access the Visual Guard console as User Administrator. This role allows you to create or edit user accounts and to grant roles to this user.
vg_DeveloperAccess | This role must be granted to a user account that will need to access the Visual Guard console as Developer. This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.
vg_FullAccess | This role must be granted to a user account that will need to access the Visual Guard console as Master administrator. This role allows you to create or edit all Visual Guard entities and to drop the repository.

14.1 vg_BasicAccess

This role restricts the user account from editing the Visual Guard application.

  • The user with the Auditor role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • The user with the Developer role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • The user with the Master Administrator role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | No
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • The user with the Restricted Auditor role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • The user with the Restricted User Administrator role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes
  • The user with the User Administrator role and the vg_BasicAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes

14.2 vg_UserAdminAccess

This role allows you to create or edit user accounts and to grant roles to this user.

  • The user with the Auditor role and the vg_UserAdminAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • The user with the Developer role and the vg_UserAdminAccess database role will have the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | Yes
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Master Administrator role and the vg_UserAdminAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | No
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | Yes
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | No
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • A user with the Restricted Auditor role and the vg_UserAdminAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Restricted User Administrator role and the vg_UserAdminAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes
  • A user with the User Administrator role and the vg_UserAdminAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes

14.3 vg_DeveloperAccess

This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.

  • A user with the Auditor role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • A user with the Developer role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | Yes
Allow to edit Password Policy | Yes
Allow to edit role | Yes
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | No
Disallow to edit permission set | No
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Master Administrator role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | No
Allow to edit application | Yes
Allow to edit Password Policy | Yes
Allow to edit role | Yes
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | No
Disallow to edit permission set | No
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | No
Disallow to grant Visual Guard role | No
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • A user with the Restricted Auditor role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Restricted User Administrator role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes
  • A user with the User Administrator role and the vg_DeveloperAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes

14.4 vg_FullAccess

This role allows you to create or edit all Visual Guard entities and to drop the repository.

  • A user with the Auditor role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | Yes
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • A user with the Developer role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | Yes
Allow to edit Password Policy | Yes
Allow to edit role | Yes
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | No
Disallow to edit permission set | No
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Master Administrator role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | No
Allow to edit application | Yes
Allow to edit Password Policy | Yes
Allow to edit role | Yes
Allow to read event log | Yes
Allow to remove repository | Yes
Disallow to edit permission | No
Disallow to edit permission set | No
Disallow to edit Shared role | No
Disallow to grant permission set to a role | No
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | No
Disallow to grant Visual Guard role | No
Hide application for which the user is not member | No
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | No
  • A user with the Restricted Auditor role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | No
Hide Permissions | No
Hide Visual Guard Items | Yes
  • A user with the Restricted User Administrator role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | No
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | Yes
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes
  • A user with the User Administrator role and the vg_FullAccess database role has the following access:
Description | Remarks (Yes or No)
Access to repository in read only mode | Yes
Allow to edit application | No
Allow to edit Password Policy | No
Allow to edit role | No
Allow to read event log | No
Allow to remove repository | No
Disallow to edit permission | Yes
Disallow to edit permission set | Yes
Disallow to edit Shared role | Yes
Disallow to grant permission set to a role | Yes
Disallow to grant role to a user | Yes
Disallow to grant Visual Guard Permission Set | Yes
Disallow to grant Visual Guard role | Yes
Hide application for which the user is not member | No
Hide Permission Sets | Yes
Hide Permissions | Yes
Hide Visual Guard Items | Yes

15. Deployment

Visual Guard offers three types of deployment options to facilitate the transfer and configuration of data and settings between repositories. These options are:

  1. VGRepository to another VGRepository: This type of deployment allows you to transfer an entire VGRepository, including its data, configuration, and security settings, to another VGRepository. It enables you to replicate the repository or specific components within a different environment, such as Dev, QA, Pre-Prod, or Prod.
  2. VGApplication deployment: With this deployment option, you can deploy a specific VGApplication from one VGRepository to another. This process involves exporting the application’s data, settings, and security configurations from the source repository and importing them into the target repository. It provides flexibility in deploying individual applications across different environments.
  3. VGRepository Settings to another VGRepository: This deployment type involves transferring the settings of a VGRepository to another repository. It allows you to export and import repository parameters, configurations, and security policies from one VGRepository to another. This ensures consistency in repository settings across multiple environments.

These deployment options in Visual Guard provide flexibility and convenience for managing and transferring repositories, applications, and settings across different environments, enabling efficient replication of configurations and security measures within the Visual Guard framework.

When deploying to a production environment, it is crucial to follow proper procedures and precautions. Here are some recommended steps:

  1. Backup Your Production Repository: Before making any changes to your production environment, create a backup of your repository. This ensures a fallback option in case any issues occur during the deployment process.
  2. Export Security Data from Development Repository: In Visual Guard Console, export the security data (users, roles, permissions) from your development repository. This will create a file containing your security data.
  3. Import Security Data to Production Repository: Switch to your production repository in Visual Guard Console and use the “Import” option to import the file created in the previous step. This will update your production repository with the latest security data from the development repository.
  4. Verify Your Changes: After the import process is complete, carefully review your production repository to ensure that all the changes are correct and complete. Verify that the users, roles, and permissions align with your expectations.
  5. Test Your Production Application: Thoroughly test your production application to ensure that the security features function as expected with the new data.

It is important to note that these steps provide a simplified guide, and the actual deployment process may vary based on your specific environment and requirements. Always refer to the official Visual Guard documentation or consult their support for detailed instructions tailored to your situation.

Additionally, ensure that you adhere to your company’s deployment policies and procedures to maintain the integrity and security of your production environment.

Visual Guard also provides the option to deploy directly to other VGRepositories or create a deploy file for importing into another repository. This allows for convenient deployment across multiple environments.

Directly to another repository

16. Migration

16.1 Migrate to Visual-Guard 2024.X

Migration is a crucial process when upgrading to a newer version of Visual-Guard, a robust Identity and Access Management (IAM) solution. This process involves transferring all security configurations, user data, and settings from the old version to the new one. It requires careful planning and execution to ensure a smooth transition. It’s highly recommended to schedule sessions with Visual-Guard’s technical support team for guidance throughout the migration process.


Requirements

Before starting the migration process, ensure that your system meets the following requirements:

  1. Identity Server: Ensure that you comply with the installation and setup requirements for the Identity Server. You can check the requirements here. .NET 6 and Hosting Bundle 6 should be installed before the session.
  2. WinConsole: Make sure that your system meets the installation requirements for the WinConsole. You can check the requirements here.
  3. WebConsole: Ensure that your system meets the setup requirements for the WebConsole. You can check the requirements here.
  4. .NET Framework: Your system should have the .NET framework 4.7.2 or higher installed.
  5. Application Migration: Migrate all applications (App1, App2, App3) with the .NET framework 4.7.2.
  6. Backups: Take backups of your VG 2020.X repositories.
  7. DBA Attendance: Ensure that a Database Administrator (DBA) attends the session.
  8. Download VG 2024.X: Download the VG 2024.X version.

Migration Steps

  1. Backup: Before starting the migration process, please take a backup of all VG repository databases.
  2. Environment Setup: Set up a parallel environment on a virtual machine and duplicate the environment (Windows Server 2022 Build 20348 or later).
  3. VG Installation: Install VG 2024.X in the new environment (VG WinConsole, VG WebConsole, VG Identity Server).
  4. Repository Addition: Add the existing repository that was created in VG 2020.X.
  5. Migration and Licensing: Migrate and request a new license.
  6. Upgrade VG Assemblies: Once migration is done, upgrade all VG assemblies in all applications of a repository.
  7. Build Application: Once upgraded, build the application to make sure everything is fine.
  8. Generate VG Configuration File: Then generate the VG configuration file for each application from the WinConsole.
  9. Decommission VG 2020.X: Once the migration is done for all repositories and environments, decommission the VG 2020.X environments.

16.2 Migrate to Visual-Guard 2020.X

Migration is a crucial process when upgrading to a newer version of Visual-Guard, a robust Identity and Access Management (IAM) solution. This process involves transferring all security configurations, user data, and settings from the old version to the new one. It requires careful planning and execution to ensure a smooth transition. It’s highly recommended to schedule sessions with Visual-Guard’s technical support team for guidance throughout the migration process.


Requirements

Before starting the migration process, ensure that your system meets the following requirements:

  1. Identity Server: Ensure that you comply with the installation and setup requirements for the Identity Server.
    • Ensure that .NET Framework 4.7.2 is installed on the machine. If not, download it here.
    • Ensure that the .NET Core hosting bundle 2.1 (including the .NET Core runtime and IIS support) is installed on the machine. If not, download it here.
    • Install the VGIdentityServerSetup. [Link available in the table above]
      1. Doing so will create a ‘VisualGuardIdentityServer’ website.
      2. It will also create an application pool ‘AspNetCore’ with .NET CLR Version set to “No Managed Code”.
        (If it is not created, please create it manually.)
    • In the list of websites, select ‘VisualGuardIdentityServer’.
      Go to ‘Advanced Settings’ and select the application pool ‘AspNetCore’.
    • Check ‘Permissions’ and assign full permissions to ‘IIS_IUSRS’.
  2. WinConsole: Make sure that your system meets the installation requirements for the WinConsole.
  3. WebConsole: Ensure that your system meets the setup requirements for the WebConsole.
    • Ensure that the .NET Core hosting bundle 3.1 (including the .NET Core runtime and IIS support) is installed on the machine. If not, download it here.
  4. .NET Framework: Your system should have the .NET framework 4.7.2 or higher installed.
  5. Application Migration: Migrate all applications (App1, App2, App3) with the .NET framework 4.7.2.
  6. Backups: Take backups of your VG 2019 repositories.
  7. DBA Attendance: Ensure that a Database Administrator (DBA) attends the session.
  8. Download VG 2020.3: Download the VG 2020.3 version.
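
The Identity Server prerequisites above can be checked before the migration session with a read-only script. This is an added example, not part of the Visual Guard documentation; it assumes an elevated Windows PowerShell 5.1 session on the IIS host with the WebAdministration module available, and it uses the site and pool names given in the requirements.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the Identity Server prerequisites listed above.
Import-Module WebAdministration

$SiteName = 'VisualGuardIdentityServer'   # website name from the requirements
$PoolName = 'AspNetCore'                  # application pool name from the requirements
$results  = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# .NET Framework 4.7.2 or higher: Microsoft documents Release >= 461808 for 4.7.2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework 4.7.2 or higher' ($release -ge 461808) "Release=$release"

# Hosting bundle "IIS Support": the ASP.NET Core Module is registered as a global IIS module.
$ancm = Get-WebGlobalModule | Where-Object { $_.Name -like 'AspNetCoreModule*' }
Add-Check 'ASP.NET Core Module registered in IIS' ([bool]$ancm) (($ancm.Name) -join ', ')

# Application pool: "No Managed Code" is stored as an empty managedRuntimeVersion.
if (Test-Path "IIS:\AppPools\$PoolName") {
    $clr = (Get-Item "IIS:\AppPools\$PoolName").managedRuntimeVersion
    Add-Check "Pool '$PoolName' uses No Managed Code" ([string]::IsNullOrEmpty($clr)) "managedRuntimeVersion='$clr'"
} else {
    Add-Check "Pool '$PoolName' exists" $false 'create it manually, as the requirements say'
}

# Website exists and is bound to that pool.
$site = Get-Website | Where-Object { $_.Name -eq $SiteName }
if ($site) {
    Add-Check "Site '$SiteName' uses pool '$PoolName'" ($site.applicationPool -eq $PoolName) "applicationPool=$($site.applicationPool)"

    # Report what IIS_IUSRS is allowed on the site folder so the grant can be reviewed.
    $path  = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $rules = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -like '*\IIS_IUSRS' -and $_.AccessControlType -eq 'Allow'
    }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hasFull = [bool]($rules | Where-Object { $_.FileSystemRights.HasFlag($full) })
    $granted = ($rules.FileSystemRights | ForEach-Object { "$_" }) -join '; '
    Add-Check 'IIS_IUSRS has full permissions on site folder' $hasFull $granted
} else {
    Add-Check "Site '$SiteName' exists" $false 'run VGIdentityServerSetup first'
}

$results | Format-Table -AutoSize -Wrap
```

The script changes nothing on the host; the Detail column shows the value found for each check, including the exact rights held by IIS_IUSRS.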

Migration Steps

  1. Backup: Before starting the migration process, please take a backup of all VG repository databases.
  2. Environment Setup: Set up a parallel environment on a virtual machine and duplicate the environment (Windows Server 2022 Build 20348 or later).
  3. VG Installation: Install VG 2020.X in the new environment (VG WinConsole, VG WebConsole, VG Identity Server).
  4. Repository Addition: Add the existing repository that was created in VG 2019.
  5. Migration and Licensing: Migrate and request a new license.
  6. Upgrade VG Assemblies: Once migration is done, upgrade all VG assemblies in all applications of a repository.
  7. Build Application: Once upgraded, build the application to make sure everything is fine.
  8. Generate VG Configuration File: Then generate the VG configuration file for each application from the WinConsole.
  9. Decommission VG 2019: Once the migration is done for all repositories and environments, decommission the VG 2019 environments.

16.3 Update Visual-Guard

Procedure to Update Visual-Guard

  1. Backup the Database: Start by creating a backup of your database. This is a crucial step to ensure that you have a recovery point in case anything goes wrong during the update process.
  2. Uninstall the Current Version of Visual-Guard: Before installing the new version, it’s important to uninstall the current version of Visual-Guard from your system. This ensures a clean installation of the new version and prevents potential conflicts.
  3. Install the Minor Version of Visual-Guard: Download and install the minor version of Visual-Guard in your development environment. It’s always safer to test the new version in a development environment before deploying it to production.
  4. Open the Repository via VGWinconsole: After the installation, open the VGWinconsole, which is a part of Visual-Guard and allows you to manage your security system. Use it to open the repository that you want to update.
  5. Enter the Migration Code: When opening the repository with the new version of Visual-Guard, you will be asked for a migration code. This code is required to migrate your repository to the new version. The default migration code is ‘0000’.
  6. Update Visual-Guard Components: Once the repository is open, you can start updating all the Visual-Guard components. This includes the VGWebConsole, VGServer, and VGIdentityServer. Follow the instructions provided by Visual-Guard for each component to ensure a smooth update process.
  7. Update Visual-Guard Assemblies: After updating the components, proceed to update the Visual-Guard assemblies. These are the building blocks of .NET applications, and updating them ensures that your application can leverage the latest features and security updates provided by Visual-Guard.

Remember to thoroughly test the updated system in the development environment before deploying it to the production environment. This will help you identify and fix any potential issues before they can affect your production environment.