1. Installation

Introduction

Visual Guard is a robust application security system that helps safeguard your data and systems from unauthorized access and potential breaches. It integrates seamlessly with your existing software applications and provides granular control over security, user permissions, and access rights.

Visual Guard provides two consoles for managing security settings:

  • WinConsole: A Windows application that needs to be installed on your system.
  • WebConsole: A web-based application that can be accessed from any web browser.

Additionally, Visual Guard incorporates a notion of groups, allowing you to manage multiple roles and users under one group for easier management of permissions.

Visual Guard also includes the VGIdentityServer component that supports the OAuth 2.0 and OpenID protocols. This component allows client applications to perform user authentication and authorization operations.

Getting Started

Installation

To install Visual Guard, WinConsole, and VGIdentityServer, follow the steps below:

  1. Download the Visual Guard installation package.
  2. Run the installer and follow the on-screen prompts.
  3. Restart your system after installation completes.

The WebConsole does not need to be installed and can be accessed directly from your web browser.

Configuration

After installation, you will need to configure Visual Guard to suit your application needs. This involves setting up a VGRepository, defining user roles, assigning permissions to these roles, and setting up groups.

Creating a VGRepository

A VGRepository (Visual Guard Repository) is a centralized database for Visual Guard that stores all security-related information for your application, including user roles, permissions, groups, and other security data.

Here is a basic guide on how to create a VGRepository:

  1. Launch Visual Guard WinConsole or WebConsole.
  2. Navigate to the configuration settings.
  3. Create a new VGRepository that will store all your configurations.
  4. Save your settings and exit.

Setting User Roles, Permissions and Groups

Once the VGRepository is set up, you can proceed with setting up user roles, assigning permissions to these roles, and creating groups to manage multiple roles and users:

  1. Open Visual Guard WinConsole or WebConsole.
  2. Navigate to the user roles section.
  3. Click on ‘Add new role’ and name the role.
  4. Navigate to the permissions section and assign the relevant permissions to the role.
  5. Navigate to the groups section and create a new group. Assign roles and users to the group as needed.
  6. Save your changes.

User Roles, Permissions, and Groups

With Visual Guard, you can create and manage different user roles, each with its own set of permissions. You can also create groups to manage multiple roles and users simultaneously.

Creating a User Role, Assigning Permissions, and Setting up Groups

  1. Open Visual Guard WinConsole or WebConsole.
  2. Navigate to the user roles section.
  3. Click on ‘Add new role’ and name the role.
  4. Navigate to the permissions section and assign the relevant permissions to the role.
  5. Navigate to the groups section and create a new group. Assign roles and users to the group as needed.
  6. Save your changes.

2. Repository

The Visual Guard Repository (VGRepository) is a key component of Visual Guard’s security infrastructure. It stores all relevant security data for the system.

The VGRepository serves as a centralized database for all security information. This includes details about users, roles, permissions, groups, and other related security information. By consolidating this information in one place, the VGRepository facilitates the management, access, and updating of security information.

Each application secured by Visual Guard can access the VGRepository to verify permissions, authenticate users, and perform other security-related tasks.

It is important to note that managing the VGRepository should be done by an administrator or a user with appropriate permissions due to the sensitive nature of the information it contains.


Licensing

Usage of the VGRepository requires a specific license. This license ensures legal access to and use of the VGRepository and its features. Please contact the Visual Guard team or consult the official Visual Guard documentation for more information about acquiring and managing this license.


All information is encrypted inside the VGRepository; you can select the type of encryption you want.

2.1 Password Policy

The Password Policy feature in Visual Guard is a crucial tool for maintaining the security of your applications. It allows administrators to establish rules for password creation, ensuring that all user passwords meet certain standards of complexity and security.

These rules can include requirements such as minimum length, the inclusion of uppercase and lowercase letters, numbers, and special characters. By enforcing a strong password policy, you can significantly reduce the risk of unauthorized access to your applications.

An important aspect of the Password Policy is its dynamic nature. If the policy is changed since a user’s last login and their current password does not comply with the new policy, the user will be prompted to change their password. This ensures that all existing passwords meet the current policy standards, maintaining a high level of security even when policy requirements are updated.

For instance, if the policy is updated to require a minimum of 10 characters and a user’s password is only 8 characters long, they will be asked to update their password to meet the new requirements. This proactive approach to password management helps to keep your applications secure and your users’ data protected.

In summary, the Password Policy feature in Visual Guard is a powerful tool for enhancing the security of your applications. By defining password rules and ensuring compliance with these rules, you can effectively safeguard your applications against unauthorized access.


Benefits

  1. Improved Security: A strong password policy helps to protect against unauthorized access and potential data breaches. By enforcing rules such as minimum length, use of special characters, and a mix of uppercase and lowercase letters, you make it more difficult for malicious actors to guess or crack passwords.
  2. Consistency: A password policy ensures that all users adhere to the same standards for password creation. This consistency makes it easier to manage user accounts and reduces the risk of weak passwords being exploited.
  3. User Awareness: Implementing a password policy helps to educate users about the importance of strong passwords. It encourages them to think more carefully about their password choices, which can lead to better security habits overall.
  4. Compliance: Many industries have regulations that require certain security measures, including strong passwords. A password policy can help your organization to meet these compliance requirements.
  5. Proactive Protection: With a password policy in place, you’re not just reacting to security issues – you’re proactively taking steps to prevent them. This proactive approach can save your organization time and resources in the long run.

In summary, a password policy is a critical component of a robust security strategy. It not only enhances the protection of your applications and data but also promotes better security practices among your users.

2.2 Custom Events

Overview

In addition to providing robust security features, Visual Guard allows secured applications to log custom events within Visual Guard. These custom events provide a way to track and monitor specific activities or occurrences within the application for auditing and analysis purposes.

Adding Custom Events

To add custom events in a Visual Guard-secured application, follow these steps:

  1. Identify the specific activities or occurrences that you want to log as custom events.
  2. Integrate the Visual Guard logging functionality into your application’s code.
  3. Determine the appropriate triggers or conditions for capturing the custom events.
  4. When a trigger or condition is met, use the Visual Guard API or logging mechanisms to log the custom event.
  5. Include the following metadata in the custom event log:
    • Identification Number: A unique identifier for the event.
    • Title: A concise title or summary of the event.
    • Message: Detailed information or description of the event.
    • Date and Time of Creation: The timestamp when the event was logged.

Supervising Custom Events with VGMonitoring

Visual Guard offers VGMonitoring, a monitoring component that allows you to supervise and analyze custom events logged within Visual Guard. VGMonitoring provides features such as real-time event monitoring, customizable dashboards, and reporting capabilities to gain insights into the logged custom events.

By leveraging VGMonitoring, you can effectively monitor and analyze the custom events for various purposes, including security auditing, performance analysis, and compliance monitoring.

Benefits of Custom Events

By logging custom events within Visual Guard and supervising them with VGMonitoring, you gain several benefits:

  • Audit Trail: Custom events provide an audit trail that allows you to track specific actions or occurrences within your application.
  • Compliance: Logging custom events can help meet regulatory and compliance requirements by providing a comprehensive record of relevant activities.
  • Analysis and Monitoring: VGMonitoring enables you to monitor and analyze the logged custom events in real-time, generate reports, and gain insights into application usage, user behavior, and system performance.

Retrieving and Analyzing Custom Event Logs

Once custom events are logged in Visual Guard and supervised with VGMonitoring, you can retrieve and analyze the event logs using the provided tools and features. This allows you to perform various analysis tasks, such as generating reports, identifying patterns, and detecting anomalies.

Considerations and Best Practices

When working with custom events in Visual Guard and VGMonitoring, keep the following considerations and best practices in mind:

  • Event Relevance: Log only the events that are relevant to your application’s security and monitoring needs.
  • Data Sensitivity: Ensure that any sensitive data logged in custom events is properly protected and handled in accordance with security and privacy guidelines.
  • Log Retention: Define a log retention policy to determine how long custom event logs should be retained for auditing and compliance purposes.
  • Integration Testing: Test the custom event logging functionality and VGMonitoring features thoroughly to ensure proper integration and functionality within your application.

How to create a new log in Visual-Guard?

To create a new log, insert your own VGEntryLog into Visual-Guard. This log entry can have multiple parameters; all logging operations are reviewed later on.


How to audit the Visual-Guard log?

2.3 Deployment

Repository deployment in Visual Guard refers to the process of deploying security configurations, such as roles, permissions, and user profiles, from a central repository to target environments. This deployment ensures consistency and synchronicity of security settings across different environments, such as development, testing, and production.

What is the VGDeploy of VGRepository?

Several customers maintain multiple VGRepositories for various environments such as Dev, Test, PreProd, and Prod. Whenever a developer creates a new User Attribute, it must be deployed to Test, PreProd, and Prod environments. For each attribute, the VGRepository Deploy parameter needs to be checked.


Key Aspects

  1. Centralized Management: Security configurations are managed and stored centrally in a repository within Visual Guard, allowing administrators to define and maintain security settings in one location.
  2. Version Control: Visual Guard supports versioning of security configurations, enabling administrators to track changes over time and roll back to previous versions if needed.
  3. Environment Consistency: By deploying security configurations from a central repository, Visual Guard ensures consistency of security settings across different environments, reducing the risk of configuration drift and ensuring reliable access control.
  4. Scalability: Deployment processes are designed to scale effectively as the number of applications, environments, or users grows, ensuring that security configurations remain manageable and consistent across the enterprise.
  5. Reliability: By ensuring the timely and accurate deployment of security configurations, Visual Guard facilitates reliable access control, enabling organizations to enforce security policies effectively and mitigate security risks.

Overall, repository deployment in Visual Guard facilitates efficient management and deployment of security configurations, promoting security best practices and ensuring consistent access control across enterprise applications and environments.

Once we deploy a repository, we can also import the deployment configuration files. Importing deployment configuration files refers to the process of loading external files containing predefined settings and configurations related to the deployment of software or applications. These files typically include details such as environment-specific configurations, deployment targets, versioning information, and other parameters necessary for deploying the software effectively. Importing deployment configuration files streamlines the deployment process by providing a standardized way to configure deployment settings, ensuring consistency and accuracy across different environments and deployment scenarios.

2.4 License

A license key is a unique code provided by software vendors to legally authorize and activate a copy of a software product. It helps in preventing unauthorized use and ensures that the software is used in compliance with the licensing terms set by the vendor.

We generate two types of Visual Guard licenses for the customer.

  • Product License: This is the primary license that activates the comprehensive features of Visual-Guard, including user management, advanced SQL features, auditing, reporting, dynamic permissions, deployment capabilities, and more. It also specifies the number of users, the duration of use, number of installations, distributions. Each VGRepository requires its own Visual-Guard License Key to access the full suite of features.
  • MFA License: This secondary license specifically enables the Multi-Factor Authentication (MFA) service within Visual-Guard. The terms of this license, including its duration and the extent of its use across multiple VGRepositories, are determined by the subscription details outlined in your contract. This allows for flexibility and scalability in implementing robust MFA security measures across different repositories within the organization. The MFA license is an annual or monthly subscription, it can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

Below are the quick links to the process of requesting a license.

2.5 MFA License

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone).

What is a Visual Guard MFA? VG has integrated a security framework to enhance the application by adding an additional verification method beyond just passwords. Here a user would be asked to provide an OTP or link that would be sent over an SMS or email. This MFA license is an annual or monthly subscription, it can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

There are two types of MFA policies:

  • Global MFA Policy: A Global MFA Policy in Visual Guard is a centralized set of rules and settings that define how MFA is applied across all applications and users within an organization.
  • Application MFA Policy: A specific set of rules and settings that govern the implementation of MFA for a particular application.

2.6 Storing your repository in a database

  • For Oracle Database Installation:
    Visual Guard will create database objects in the schema associated with the specified user account (we recommend that you create a specific schema for the Visual Guard repository). If your DBA wants to create the database manually, you can find the database creation script in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\Oracle. The DBA can use the script “Install.sql” and adapt it to create the database objects. It is necessary to modify the script to replace the value <VISUAL_GUARD_SCHEMA> with the name of the schema that will contain the Visual Guard database objects.
  • For SQLServer Database Installation:
    Visual Guard will create the database objects in the specified database. The default database name is “visualguarddb”. If your DBA wants to create the database manually, you can find the database creation script in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\SQLServer. The DBA can use the script “Install.sql” and adapt it to create the database objects.

    If the repository creation wizard does not detect the database, Visual Guard will create it.


How to grant access to the Visual Guard repository

  • vg_BasicAccess: This role must be granted to a user account that will need to be authenticated by Visual Guard in your application.
  • vg_UserAdminAccess: This role must be granted to a user account that will need to access the Visual Guard console as User Administrator. This role allows you to create or edit user accounts and to grant roles to this user.
  • vg_DeveloperAccess: This role must be granted to a user account that will need to access the Visual Guard console as Developer. This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.
  • vg_FullAccess: This role must be granted to a user account that will need to access the Visual Guard console as Master administrator. This role allows you to create or edit all Visual Guard entities and to drop the repository.
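
The four roles above lend themselves to a least-privilege grant and a periodic membership review. The following T-SQL is an added example, not part of the Visual Guard scripts; it assumes a SQL Server repository in which the vg_* roles exist as database roles, and [svc_orders_app] is a constructed placeholder for an existing database user.

```sql
-- Added example, not taken from the Visual Guard installation scripts.
-- Assumption: the four vg_* roles exist as database roles in the repository database.
USE [visualguarddb];  -- default repository database name given on this page
GO

-- Runtime account of a secured application: it only needs to be authenticated
-- by Visual Guard, so it gets vg_BasicAccess and nothing else.
-- [svc_orders_app] is a constructed placeholder for an existing database user.
ALTER ROLE [vg_BasicAccess] ADD MEMBER [svc_orders_app];
GO

-- Review 1: direct members of each Visual Guard role, most powerful role first.
-- vg_FullAccess can drop the repository, so that list should be very short.
-- Members that are themselves roles show up with member_type = DATABASE_ROLE
-- and need to be expanded separately.
SELECT r.name      AS vg_role,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'vg_BasicAccess', N'vg_UserAdminAccess',
                 N'vg_DeveloperAccess', N'vg_FullAccess')
ORDER BY CASE r.name
             WHEN N'vg_FullAccess'      THEN 1
             WHEN N'vg_DeveloperAccess' THEN 2
             WHEN N'vg_UserAdminAccess' THEN 3
             ELSE 4
         END,
         m.name;

-- Review 2: accounts holding more than one Visual Guard role. An application
-- account that also holds a console role is a candidate for being split into
-- two accounts.
SELECT m.name   AS member_name,
       COUNT(*) AS vg_role_count
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'vg_BasicAccess', N'vg_UserAdminAccess',
                 N'vg_DeveloperAccess', N'vg_FullAccess')
GROUP BY m.name
HAVING COUNT(*) > 1;
```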

2.7 Generating Application Configuration Files

Overview

Visual Guard provides a convenient way to generate application configuration files for securing your applications. These configuration files contain the necessary settings and information required to integrate Visual Guard’s security features into your application, including the information to connect to the VGRepository.

Using the WinConsole or WebConsole

To generate the application configuration files using Visual Guard, follow these steps:

  1. Open the Visual Guard WinConsole or WebConsole.
  2. Select the specific application for which you want to generate the configuration files.
  3. Locate the “Generate Configuration File” operation within the console interface.
  4. Execute the “Generate Configuration File” operation.

Purpose of Configuration Files

The generated configuration files serve the following purposes:

  • Security Integration: The configuration files contain the necessary settings and information to integrate Visual Guard’s security features into your application. This includes details such as authentication methods, role and permission mappings, and other security-related configurations.
  • VGRepository Connection: The configuration files also include the necessary information to connect your application to the VGRepository. This includes the connection details, such as the database server address, credentials, and other relevant information.

Configuration File Output

When you execute the “Generate Configuration File” operation, Visual Guard will generate one or more configuration files specific to your application. These files are typically in XML or other structured formats and may include information such as:

  • Security settings, including authentication methods and user management configurations.
  • Role and permission mappings for different application functionalities.
  • VGRepository connection details, including server address, credentials, and other relevant information.

Integrating Configuration Files

Once you have the generated configuration files, you need to integrate them into your application. The exact integration process may vary depending on your application’s technology stack and development environment. Typically, you would include the configuration files in your application’s build or deployment process and ensure that the application reads and applies the configurations at runtime.

Please consult your application’s documentation or development team for specific instructions on integrating the Visual Guard configuration files into your application and establishing the connection to the VGRepository.

2.8 VGRepository in SQL Server Mode for Visual-Guard

  • Overview: VGRepository in SQL Server mode refers to the configuration of Visual-Guard where the repository for storing security data, such as user credentials, permissions, roles, and audit logs, is hosted in a Microsoft SQL Server database.
  • Advantages:
    • Scalability: SQL Server provides robust scalability options, making it suitable for handling large volumes of data and high numbers of concurrent users.
    • Performance: SQL Server is known for its high performance, especially in handling complex queries and large datasets, which is essential for efficient security management.
    • Reliability: SQL Server offers strong reliability and data integrity features, ensuring that the security data is consistently managed and maintained.
  • Security Management: In this mode, Visual-Guard leverages SQL Server’s capabilities to manage security-related data. This includes user authentication, role-based access control, permission assignments, and audit logging.
  • Integration: VGRepository in SQL Server mode seamlessly integrates with the Visual-Guard framework, providing a centralized and secure way to manage security across various applications.
  • Maintenance and Backup: Utilizing SQL Server for the repository also simplifies maintenance tasks like backups, restorations, and data migration, thanks to the comprehensive tools and features provided by SQL Server.
  • Customization and Extensibility: The SQL Server mode allows for customizations and extensions to the security model, such as defining custom roles, permissions, and security policies tailored to specific organizational needs.

This configuration is particularly beneficial for organizations using Visual-Guard in environments where SQL Server is already an integral part of the IT infrastructure, offering a unified approach to security management and data handling.

2.8.1 Database CleanUp

Introduction

As databases grow over time, especially those used for logging activities like in Visual-Guard, it becomes crucial to manage and maintain them efficiently. The vg_Log table, which stores log entries, can become quite large and may lead to increased storage demands and potential performance degradation. Regularly cleaning up old data from this table is an essential maintenance task.

The DatabaseCleanUp stored procedure is specifically designed for this purpose. It targets the vg_Log table in a SQL Server database and removes entries that are older than 12 months, based on the DBTimeStamp field. This periodic cleanup helps in managing the database size and ensures that it remains performant and efficient.

This procedure is particularly useful for administrators and database managers who need to keep their SQL Server databases lean and prevent them from becoming bloated with outdated log data. It strikes a balance between retaining necessary log information for a sufficient period and removing outdated data that is no longer useful.

Below is the SQL script for creating the DatabaseCleanUp stored procedure. It’s important to test this script in a controlled environment before deploying it to a production database. Regular backups and careful planning of the cleanup schedule are also recommended to ensure data safety and minimal disruption.


SQL Script

USE [YourDatabaseName]; -- Replace with your actual database name
GO

-- Backup the database before performing cleanup
BACKUP DATABASE [YourDatabaseName] 
TO DISK = 'D:\Backups\YourDatabaseName_Backup.bak' -- Specify your backup path
WITH FORMAT, 
MEDIANAME = 'SQLServerBackups', 
NAME = 'Full Backup of YourDatabaseName';

-- Check if the DatabaseCleanUp procedure already exists and drop it if it does
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[DatabaseCleanUp]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[DatabaseCleanUp]
GO

-- Create the DatabaseCleanUp stored procedure
CREATE PROCEDURE DatabaseCleanUp
AS
BEGIN
    SET NOCOUNT ON;

    -- Delete log entries older than 12 months
    DELETE FROM vg_Log
    WHERE DBTimeStamp < DATEADD(MONTH, -12, GETDATE());

    -- Optional: Shrink the database files to release the freed space (shrinking can fragment indexes)
    DBCC SHRINKDATABASE(YourDatabaseName); -- Use with caution
END
GO

Important Notes:

  1. Backup Location: Replace 'D:\Backups\YourDatabaseName_Backup.bak' with the actual path where you want the backup to be stored.
  2. Backup Frequency: This script performs a full backup. Depending on your database size and backup strategy, you might want to consider differential or transaction log backups.
  3. Scheduling: Automate this script to run at regular intervals, preferably during low-traffic periods, to minimize impact on database performance.
  4. Testing: Always test backup and cleanup scripts in a non-production environment before implementing them in your live system.
  5. Monitoring: Regularly monitor the backup process and verify backup files to ensure data integrity.
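
A single DELETE over a large vg_Log runs as one transaction, which grows the transaction log and holds locks for the whole run. The variant below is an added example, not a Visual Guard script: it generalizes the procedure above with a configurable retention period, a preview mode and batched deletes. The procedure name DatabaseCleanUpBatched and its parameters are hypothetical; vg_Log and DBTimeStamp are the names used on this page.

```sql
-- Added example, not a Visual Guard script.
USE [YourDatabaseName]; -- Replace with your actual database name
GO

IF OBJECT_ID(N'[dbo].[DatabaseCleanUpBatched]', N'P') IS NOT NULL
    DROP PROCEDURE [dbo].[DatabaseCleanUpBatched];
GO

CREATE PROCEDURE [dbo].[DatabaseCleanUpBatched]   -- hypothetical name
    @RetentionMonths int = 12,    -- keep this many months of log entries
    @BatchSize       int = 5000,  -- rows removed per transaction
    @PreviewOnly     bit = 1      -- 1 = report only, 0 = delete
AS
BEGIN
    SET NOCOUNT ON;

    -- vg_Log is the audit trail: refuse arguments that would wipe it entirely
    -- (retention of 0 months or less) or that make no sense for batching.
    IF @RetentionMonths < 1 OR @BatchSize < 1
    BEGIN
        RAISERROR(N'@RetentionMonths and @BatchSize must be at least 1.', 16, 1);
        RETURN -1;
    END;

    -- Compute the cutoff once so every batch uses the same boundary.
    DECLARE @Cutoff datetime = DATEADD(MONTH, -@RetentionMonths, GETDATE());

    IF @PreviewOnly = 1
    BEGIN
        -- Show what a real run would remove, without touching any row.
        SELECT COUNT(*)         AS rows_to_delete,
               MIN(DBTimeStamp) AS oldest_entry,
               @Cutoff          AS cutoff
        FROM vg_Log
        WHERE DBTimeStamp < @Cutoff;
        RETURN 0;
    END;

    DECLARE @Deleted int = 1, @Total int = 0;

    -- Each DELETE is its own autocommit transaction, so locks are released
    -- between batches and the transaction log can be reused or backed up.
    WHILE @Deleted > 0
    BEGIN
        DELETE TOP (@BatchSize) FROM vg_Log
        WHERE DBTimeStamp < @Cutoff;

        SET @Deleted = @@ROWCOUNT;
        SET @Total  += @Deleted;
    END;

    -- No DBCC SHRINKDATABASE here: the freed pages are reused by new log rows.
    SELECT @Total AS rows_deleted, @Cutoff AS cutoff;
    RETURN 0;
END
GO

-- Typical use: preview first, then delete with the same retention value.
EXEC [dbo].[DatabaseCleanUpBatched] @RetentionMonths = 12, @PreviewOnly = 1;
EXEC [dbo].[DatabaseCleanUpBatched] @RetentionMonths = 12, @PreviewOnly = 0;
```

Set @RetentionMonths from the log retention policy discussed under Custom Events rather than from storage pressure, since the deleted rows cannot be audited afterwards except from a backup.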

2.9 How to use offline mode

Introduction


Requirements


Scenario

  1. The user connects to the application with the offline mode activated. Visual-Guard will automatically save the role or roles that the user has selected in the OfflineStore.
  2. When Visual-Guard detects that the VGRepository is no longer available and that the offline mode is activated, it will load the security settings from the saved copy found in the OfflineStore.
  3. When Visual-Guard detects that the VGRepository is available again, it will synchronize the Event Viewer.


Usage


Implementation

  1. Connect to a VGRepository,
  2. Select an Application,
  3. Select the action “Regenerate the VG configuration file”, (a window will open),
  4. Select “User” or “Machine” for the Offline property,
  5. Generate the new configuration files for your application,
  6. Launch your application with the accessible repository,
  7. Sign in as a user and select a role or roles,
  8. Close your application.


Using the application

  1. Using the application
  2. Launch your application,
  3. Sign in as the same user,
  4. Your application will open (without being connected to the repository),
  5. Close your application.


Synchronizing the application with the VGRepository

  1. Connect your computer to the network (a connection to the VGRepository will be made automatically)
  2. Launch your application,
  3. Sign in as any user, Visual-Guard will synchronize the Event Viewers.


Interacting with applications in offline mode

  • CheckForOnlineStatus: Allows the repository detection method to be overridden.
  • AcceptOfflineMode: Allows rejection of the offline mode even if it has been activated.
  • UnableToSaveOffline: This event is launched when there has been a problem saving user data for offline mode. The following errors start this event:

    • The OfflineStore is currently being used by the same application,
    • The OfflineStore is full,
    • There is a connection problem while saving user data.

Note
Using the offline mode for ASP applications is not recommended.


Restrictions:

  • Offline mode cannot be used with the Visual-Guard API
  • Offline mode is not supported with the console
  • It is not possible to change a person’s Credentials.


OfflineStore Property:

  • None: offline mode is not active,
  • User: data will be saved in the current Windows user’s profile,
  • Machine: data will be saved to the computer

2.10 How to deploy a Visual Guard repository or an application

  • Copy the Visual Guard tables and data from the source database to the target database. This solution is simple, but you can only copy the full content of the repository and not a part of it, because Visual Guard stores its data in a binary format.
  • Use the Visual Guard Console. The Visual Guard console provides a Wizard that will help you to deploy the full content of your repository or the data corresponding to an application. To do that, you must be connected to your source repository, then right-click this repository and select the option “Deploy repository…”. This wizard enables you to directly deploy your repository into another one or export data as a deployment configuration file.
  • Use the deployment tool. This tool uses the deployment configuration file exported by the console and can be launched as a command line tool. This utility can be used to automate your deployment.
  • Use the deployment API. You can use this API to integrate your deployment in a custom program. The classes used by the deployment are located in the namespace Novalys.VisualGuard.Security.Deployment (assembly: vg_deployment.exe). You can contact Visual Guard support if you need more information about this API.


How to use the deployment tool

Option: Description

  • -?: Prints the vg_deployment.exe tool Help text in the command window.
  • -w: Runs the tool in Wizard mode. This is the default if no command line arguments are specified.
  • -t repository type: Specifies the type of the repository (Oracle, SQLServer, File). This option is not necessary. If this option is omitted, the type of the repository is SQLServer.
  • -s schema name: The Oracle schema name containing the Visual Guard tables. This option is necessary if the type of the repository is Oracle and when the user specified in the connection string is not the owner of the Visual Guard tables. This value is case sensitive.
  • -c connection string: The connection string to the computer running the database where the repository will be deployed. This option is necessary if you do not use the option -W. The user specified in the connection string must have the permissions to update and delete data in the Visual Guard tables. When the type of the repository is File, the value must contain the path of the directory where the repository will be deployed.
  • -f path: The path of the deployment configuration file used by the tool. This option is not necessary. By default the tool will use the file “deployment.config” located in its directory.


Deploying the repository for the first time


Deployment and license key


Deployment of the parameters of the repository

Introduction

What are the parameters of the repository?

  • Password Policy,
  • Membership setting (“require unique email”, “requires password question and answer”, etc),
  • Misc (“Supported authentication mode”, “Allow to rename user”, etc).

Export in a configuration file

  1. Open Visual Guard,
  2. Right click on the repository,
  3. Select “Deploy repository…”,
  4. Click on the “Next” button,
  5. Select “Export data in a deployment configuration file”,
  6. Click on the “Next” button,
  7. Select “Deploy parameter of the repository”,
  8. Click on the “Next” button,
  9. Click on the “Finish” button,
  10. Save the configuration file,
  11. Open the tool “vg_deployment.exe”,
  12. Select the configuration file,
  13. Select the type of the repository,
  14. Enter the complementary information for the repository,
  15. Click on “Ok” to begin the deployment.

Export directly in a repository

  1. Open Visual Guard,
  2. Right click on the repository,
  3. Select “Deploy repository…”,
  4. Click on the “Next” button,
  5. Select “Deploy in an existing repository”,
  6. Select the repository in the list,
  7. Click on the “Next” button,
  8. Select “Deploy parameter of the repository”,
  9. Click on the “Next” button,
  10. Click on the “Finish” button.

Requirements

  • To use deployment of the parameters of the repository you must have version 2.8 or higher of Visual-Guard.


Restrictions

  • If you want to deploy the properties “Requires unique email” and “requires Password, question and answer”,
    all the users of the directory must have an email address and a
    question / response. If one of the users does not have
    this information, the deployment will be cancelled and an exception will be
    generated.

3. Authentication

Securing Application Access with Visual-Guard: A Global Approach

In today’s IT security environment, where threats are constantly evolving, it is imperative to adopt a robust and flexible authentication strategy. Visual-Guard is positioned as a forward-looking security solution, offering a global approach to authentication that encompasses both traditional methods and multi-factor authentication (MFA) solutions. This page presents an overview of our global vision of authentication, paving the way for a more in-depth exploration of our authentication and MFA solutions.


Authentication with Visual-Guard

Visual-Guard offers a complete authentication platform, designed to integrate seamlessly with a variety of applications, whether web-based, desktop or mobile. Our aim is to provide uncompromising security while maintaining a seamless user experience. Key features include:

  • Standard and Advanced Authentication: Supports a wide range of authentication methods, from basic username and password authentication to more sophisticated methods such as Windows authentication and database authentication.
  • Easy integration: Designed for easy integration with various tools and platforms, making it easy to set up secure authentication without disrupting application development.
  • Centralized User Management: Enables centralized administration and management of authentication policies and access rights across the VGRepository.

Multi-Factor Authentication (MFA) with Visual-Guard

Recognizing the crucial importance of MFA in strengthening security, Visual-Guard extends its authentication capabilities to include robust multi-factor authentication. MFA adds an extra layer of security by requiring users to provide two or more verification factors before accessing an application, significantly reducing the risk of account compromise.


Why choose Visual-Guard for your authentication?

  • Enhanced security: With multi-factor authentication, Visual-Guard provides enhanced protection against unauthorized access and hacking attempts.
  • Flexibility and compatibility: Our solution adapts to your specific needs, offering extensive compatibility with various technologies and platforms.
  • Optimized User Experience: Visual-Guard maintains a balance between rigorous security and ease of use, ensuring that security measures do not impede the user experience.


Explore Further

We invite you to explore our dedicated pages for an in-depth understanding of Visual-Guard authentication and our multi-factor authentication solution. Discover how our platform can transform the security of your applications while delivering a seamless user experience.

3.1 Authentication

In today’s digital landscape, securing access to applications and data is more crucial than ever. Visual-Guard offers a complete authentication solution to protect your applications from unauthorized access, ensuring that only authenticated users can access critical resources. This documentation guides you through the basic principles of Visual-Guard authentication, its benefits, and how it can be integrated into your applications.


Principles of Visual-Guard authentication

Visual-Guard enables flexible, secure management of user identities through a variety of authentication methods. Whether you’re developing a web, desktop or mobile application, Visual-Guard integrates seamlessly to deliver a secure and transparent user experience.


Supported authentication methods

  • Visual-Guard authentication: Uses credentials such as username and password.
  • Windows authentication: Allows users to authenticate via their Windows credentials, integrating authentication within the Microsoft ecosystem.
  • Database authentication: Authenticates users by verifying credentials stored in a database.
  • External authentication: Integrates third-party identity providers such as OAuth, OpenID Connect, etc.

Benefits of Visual-Guard Authentication

  • Enhanced security: Protect your applications by ensuring that only authenticated users have access to sensitive resources.
  • Flexibility: Offers a variety of authentication methods to meet the specific needs of each application.
  • Easy integration: Couples easily with a wide range of technologies and application platforms.
  • Centralized management: Enables centralized management of users and authentication policies through the VGRepository.

Visual-Guard authentication integration

Integrating Visual-Guard into your applications is designed to be simple and straightforward, with specific guides for each type of application, whether developed with .NET, Angular, WinForms, WPF, or other frameworks. Visual-Guard provides APIs, libraries and management tools to facilitate this integration, enabling rapid and efficient implementation of authentication.


Conclusion

Visual-Guard authentication is the key to securing your applications and protecting sensitive data. By offering a flexible and robust platform for identity and access management, Visual-Guard ensures that your applications remain secure, while providing an optimal user experience. For more information on integrating Visual-Guard and implementing specific authentication methods, please consult our detailed integration guides.

3.2 Multi-Factor Authentication (MFA)

Visual-Guard’s Multi-Factor Authentication (MFA) represents an essential security solution for companies seeking to strengthen the protection of their applications and data in an increasingly threatened digital environment. This detailed presentation first explores the importance and benefits of implementing MFA, before diving into an understanding of Visual-Guard’s MFA policies, including global and application-specific policies.


Introduction to Multi-Factor Authentication

In today’s environment, where cyber-attacks are becoming more sophisticated, multi-factor authentication is an essential barrier against unauthorized access. By requiring multiple proofs of identity before granting access, MFA minimizes the risk of accounts being compromised, even if credentials are leaked.

Visual-Guard MFA enhances this approach by offering unprecedented flexibility and integration across a multitude of platforms and technologies, ensuring uniform, robust protection for all enterprise applications.


Multiple Authentication Methods:

  • SMS/Email OTP: One-time passwords sent via SMS or email.
  • Authenticator Apps: Time-based one-time passwords (TOTP) generated by apps like Google Authenticator or Microsoft Authenticator.
  • VGMagicLink: VGMagicLink allows for real-time authentication, enabling users to gain access to secured applications immediately after validating a unique link.

Benefits of Using VG MFA

  1. Enhanced Security: Significantly reduces the risk of unauthorized access by requiring multiple verification factors.
  2. Compliance: Helps meet regulatory requirements for strong authentication (e.g., GDPR, HIPAA).
  3. User Assurance: Increases user confidence in the security of their accounts and sensitive data.
  4. Flexibility: Adaptable to various user needs and organizational policies, offering multiple authentication options.

By implementing Visual Guard MFA, organizations can strengthen their security posture, protect sensitive information, and comply with industry regulations.

3.2.1 OTP (One-Time Password)

The OTP (One-Time Password) feature in Visual Guard enhances security by providing a dynamic, time-sensitive password that can be used only once for authentication purposes. This method significantly reduces the risk of unauthorized access and is especially useful for protecting sensitive operations and transactions.

Key Aspects:

  1. Delivery Methods:
    • SMS: OTPs can be sent to the user’s registered mobile phone via SMS.
    • Email: OTPs can be emailed to the user’s registered email address.
  2. Security Enhancements:
    • OTPs provide an additional layer of security beyond traditional passwords.
    • They are particularly effective against phishing attacks, keyloggers, and other forms of credential theft.
  3. Compliance and Auditing:
    • Using OTPs can help organizations meet regulatory requirements for multi-factor authentication (MFA).
    • Visual Guard logs all OTP authentication attempts, providing an audit trail for security reviews and compliance purposes.

Benefits of OTP in Visual Guard:

  • Increased Security: Reduces the risk of unauthorized access by ensuring that each password can only be used once and is valid for a short period.
  • User Convenience: Multiple delivery methods offer flexibility and convenience for users.
  • Regulatory Compliance: Helps organizations comply with industry standards and regulations that require strong authentication mechanisms.
  • Ease of Integration: Can be easily integrated into existing authentication processes without significant changes to the infrastructure.

3.2.3 TOTP (Time-Based One-Time Password)

The TOTP (Time-Based One-Time Password) feature in Visual Guard provides a secure, time-sensitive authentication method that generates unique passwords which are valid only for a short period. This method leverages mobile apps like Google Authenticator and Microsoft Authenticator to enhance security for user logins and sensitive transactions.


Key Aspects:

  1. TOTP Generation:
    • Visual Guard generates TOTPs based on a shared secret and the current time.
    • The TOTP changes at regular intervals (typically every 30 seconds), ensuring that each password is only valid for a brief window.
  2. Authenticator Apps:
    • Users can use popular authenticator apps like Google Authenticator and Microsoft Authenticator to generate TOTPs.
    • These apps do not require internet connectivity to generate TOTPs, as they use the device’s internal clock.
  3. User Enrollment:
    • During the enrollment process, users scan a QR code provided by Visual Guard with their authenticator app.
    • The app stores the shared secret and starts generating TOTPs that can be used for authentication.
  4. Integration with Existing Systems:
    • Visual Guard’s TOTP feature integrates seamlessly into existing authentication workflows, providing an additional layer of security without disrupting user experience.
    • It supports various applications and systems, ensuring broad compatibility and ease of use.
  5. Security Enhancements:
    • TOTPs significantly reduce the risk of unauthorized access by ensuring that passwords are valid only for a short period.
    • This method is particularly effective against phishing attacks, replay attacks, and other forms of credential theft.
  6. Compliance and Auditing:
    • Using TOTPs can help organizations meet regulatory requirements for multi-factor authentication (MFA).
    • Visual Guard logs all TOTP authentication attempts, providing an audit trail for security reviews and compliance purposes.
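
The generation, enrollment and verification steps listed above, as an added Python sketch of standard TOTP (RFC 6238); it is not Visual Guard code or its API. The 6-digit length, HMAC-SHA1, the one-step drift window, the names `TotpVerifier` and `provisioning_uri`, the issuer and account values, and the sample secret (the RFC test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

STEP_SECONDS = 30  # the interval the text calls "typically every 30 seconds"
DIGITS = 6         # assumption: the usual authenticator-app default
SAMPLE_SECRET = b"12345678901234567890"  # constructed sample: RFC 4226/6238 test key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP_SECONDS, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that an enrollment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "period": STEP_SECONDS,
        "digits": DIGITS,
    })
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Server-side check for one user: drift window plus single-use enforcement."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_used_step = -1  # highest time step already accepted

    def verify(self, candidate: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        first = max(0, current - self.drift_steps)
        matched = None
        # Check every step in the window, without an early exit, using a
        # constant-time comparison so timing does not reveal partial matches.
        for step in range(first, current + self.drift_steps + 1):
            expected = hotp(self.secret, step).encode()
            if hmac.compare_digest(expected, candidate.encode()):
                matched = step
        # Reject a code from a step that was already accepted: without this,
        # a captured code could be replayed until its window closes.
        if matched is None or matched <= self.last_used_step:
            return False
        self.last_used_step = matched
        return True


if __name__ == "__main__":
    import time

    print(provisioning_uri(SAMPLE_SECRET, "alice@example.test", "ExampleApp"))
    verifier = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, time.time())
    print(code, verifier.verify(code, time.time()), verifier.verify(code, time.time()))
```

The second `verify` call with the same code returns False: replay resistance comes from the server remembering the last accepted time step, not from the short validity period alone.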

Benefits of TOTP in Visual Guard:

  • Enhanced Security: Provides a robust authentication mechanism that is resistant to common attacks like phishing and keylogging.
  • User Convenience: Easily integrates with widely-used authenticator apps, offering a familiar and convenient method for users.
  • Regulatory Compliance: Assists organizations in meeting industry standards and regulations requiring strong authentication methods.
  • Seamless Integration: Integrates smoothly into existing authentication processes, enhancing security without complicating the user experience.

3.2.4 MFA Policy

MFA Policy: Global Vision

The VGMFAGlobal Policy is the foundation of Visual-Guard’s MFA strategy, establishing the authentication methods available within a VGRepository. This policy includes options such as sending secure links and OTPs by email or SMS, enabling administrators to configure an authentication method tailored to the sensitivity and specific requirements of each application.


Key features of VGMFAGlobal Policy include:

  • Authentication Method Flexibility: Choice between secure links and OTP via email or SMS, offering adaptability to user preferences and security constraints.
  • Session Scope Information: Defines whether Grace Login applies globally or by application, enabling fine-grained access management.
  • Session Duration: Allows you to specify a period during which MFA re-authentication is not required, enhancing the user experience without compromising security.

MFAApplicationPolicy enables application-level customization of globally established MFA policies, offering flexibility to meet the unique security needs of each application. Administrators can:

  • Select Specific MFA Types: Prioritize an authentication type, such as SMS authentication, suited to the application.
  • Customize Grace Login: Define or disable Grace Login to adjust the balance between security and ease of access.
  • Adjust MFA Session Duration: Modify the period after which a new MFA authentication is required, offering customized security.
  • Manage Access without MFA for Unregistered Users: Allow limited access to users not registered with MFA, easing the transition to enhanced security policies.

Conclusion

Visual-Guard’s multi-factor authentication offers a complete, customizable security solution, capable of adapting to the specific requirements of each company and application. Thanks to the VGMFAGlobal Policy and the MFAApplicationPolicy, Visual-Guard enables detailed and flexible management of MFA authentication, ensuring optimum protection against unauthorized access while maintaining a fluid and secure user experience. By integrating Visual-Guard MFA, companies can confidently navigate today’s complex digital landscape, protecting their data and applications from growing threats.

3.2.5 Configure MFA with Active Directory

Preparing Active Directory & VG for MFA

  1. Update User Information: Ensure that user accounts in Active Directory are up-to-date with current email addresses and cellphone numbers. This information is essential for MFA mechanisms like OTP (One-Time Password) via email or SMS.
  2. Organizational Units and Groups: Organize users within Active Directory into appropriate Organizational Units (OUs) and groups based on their roles and access needs. This organization aids in managing MFA policies more effectively.
  3. Security Permissions: Verify that Visual-Guard has the necessary permissions to read user information from Active Directory. This may involve configuring service accounts with specific read privileges.

Below are the steps to configure Active Directory with MFA (Multifactor Authentication):

Step 1: Go to Settings –> Domains –> click on Edit, then change the setting of Email Address and Mobile to “Both” so that the user can enroll on any of the verification methods.


Step 2: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the domain.


Step 3: Go to Modules –> VGWindows –> Configure –> change the synchronization between Visual Guard and Active Directory to “Both”.


Step 4: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the module.


4. Authorization

Overview of Authorization Loading after Authentication with Visual-Guard

Authorization management is a crucial aspect of security and personalization of the user experience in applications. Visual-Guard offers a sophisticated solution for loading authorizations after authentication, enabling fine-grained access management based on user roles. This presentation explores how Visual-Guard manages authorizations, from assigning roles to loading specific permissions.


Assigning and managing roles

In Visual-Guard, a user can be assigned one or more roles, depending on the application’s configuration. These roles can be determined in several ways:

  • Roles Assigned Directly to the User: Specific roles can be assigned directly to a user, reflecting their responsibilities and access rights within the application.
  • Roles via VGGroups: Users can also inherit roles through their membership of one or more VGGroups. These groups, designed to group users by department, function or other organizational criteria, can have their own roles assigned to them.

Role selection by the user

During authentication, Visual-Guard can offer the user the option of selecting a preferred group, an optional step that further customizes the user experience. Following this selection, the user is presented with a list of available roles, both from the chosen group and from roles directly assigned to him/her. Depending on the application’s configuration, the user can then choose one or more roles for their session.

Loading authorizations

Once the user’s roles have been determined, Visual-Guard loads the authorizations associated with these roles. This process involves:

  • Loading role permissions: Visual-Guard retrieves all the permissions associated with the roles selected by the user. These permissions define the actions the user can perform within the application, ensuring that access is strictly limited to authorized functionalities.
  • Fine-grained access management: By assigning specific permissions to each role, Visual-Guard enables granular management of access rights, offering optimum flexibility and security.

Benefits of Authorization Management with Visual-Guard

  • Enhanced security: By limiting access to application functionalities to authorized users only, Visual-Guard reinforces overall application security.
  • User Experience Customization: The ability for users to choose their roles (and, by extension, their authorizations) enables user experience customization, aligning the interface and available functionalities with each user’s needs and preferences.
  • Centralized management of roles and authorizations: Visual-Guard facilitates the management of roles and authorizations through a centralized interface, simplifying security administration and compliance with access policies.

Conclusion

Visual-Guard’s post-authentication authorization management system offers a powerful and flexible solution for controlling application access. By dynamically assigning roles and precisely loading the associated permissions, Visual-Guard ensures that each user accesses only the functionality they are allowed, while delivering a secure, personalized user experience.

5. Monitoring

All user actions are logged in the Visual-Guard system.

Overview

Visual Guard offers a comprehensive monitoring solution that allows you to supervise and monitor the security aspects of your applications. This monitoring functionality provides real-time insights, customizable dashboards, and reporting capabilities to help you effectively monitor the security activities within Visual Guard.

Choosing the Scope of Supervision

The monitoring feature allows you to select the scope of your supervision based on your specific needs:

  • All Applications: To supervise all applications secured by Visual Guard within your environment, open the VGRepository and navigate to the “Monitoring” section. This provides a comprehensive overview of the security activities across your entire system.
  • Specific Application: To supervise a specific application or subset of applications, open the section of that particular application in the VGRepository. Then, navigate to the “Monitoring” section within that application. This allows you to monitor the security activities of the selected application in detail.

Selecting Specific Events

Within the Monitoring feature, you have the ability to select specific events for supervision. This allows you to focus on monitoring and analyzing the events that are most relevant to your security objectives. By selecting specific events, you can streamline your supervision efforts and gain targeted insights into potential security issues.

Time-Based Monitoring

The monitoring functionality offers time-based monitoring capabilities to help you track security activities over specific time periods. You can choose to monitor events over the course of a day, week, month, or any custom time range. This allows you to identify patterns and trends in security events during the specified timeframe.

Event History

One of the key features of the Monitoring functionality is the ability to access and review the event history. The event history provides a log of past security events and activities recorded within Visual Guard. You can retrieve and analyze this history to gain insights into past security incidents, user activities, and system behavior.

The event history allows you to search and filter events based on various criteria such as event type, date range, users, and more. This enables you to perform detailed analysis, generate reports, and identify trends or anomalies in the security events over time.

Key Features of Monitoring

The Monitoring feature offers a range of features to enhance your supervision capabilities:

  • Real-Time Monitoring: The monitoring functionality provides real-time monitoring of security events and activities within Visual Guard. You can view events as they occur and gain immediate visibility into potential security issues.
  • Customizable Dashboards: You can create customized dashboards within the Monitoring feature to display the security metrics and information that are most relevant to your specific needs. These dashboards can include charts, graphs, and other visualizations for easy interpretation.
  • Reporting and Analysis: The Monitoring feature enables you to generate reports and perform analysis on the security data collected by Visual Guard. This helps you identify trends, patterns, and potential vulnerabilities in your applications.
  • Alerts and Notifications: You can set up alerts and notifications for specific security events or conditions within the Monitoring feature. This helps you proactively identify and respond to potential security incidents.

Utilizing Monitoring

To start utilizing the Monitoring feature for supervision, follow these steps:

  • For supervising all applications:
    1. Access the Visual Guard WinConsole or WebConsole.
    2. Open the VGRepository and navigate to the “Monitoring” section.
    3. Select the desired scope of supervision (all applications).
    4. Configure the monitoring settings, including the selection of specific events, time range, metrics to track, thresholds for alerts, and dashboard customization.
    5. Monitor the real-time security events and activities through the Monitoring interface.
  • For supervising a specific application:
    1. Access the Visual Guard WinConsole or WebConsole.
    2. Open the section of the specific application in the VGRepository.
    3. Navigate to the “Monitoring” section within that application.
    4. Configure the monitoring settings, including the selection of specific events, time range, metrics to track, thresholds for alerts, and dashboard customization.
    5. Monitor the real-time security events and activities through the Monitoring interface.

Considerations and Best Practices

When utilizing the Monitoring feature for supervision, keep the following considerations and best practices in mind:

  • Scope Definition: Clearly define the scope of your supervision based on your specific requirements and security objectives.
  • Relevant Metrics and Events: Focus on monitoring and tracking the security metrics and events that are most relevant to your applications and align with your security goals.
  • Time-Based Analysis: Utilize the time-based monitoring capabilities to identify patterns and trends in security events over specific time periods.
  • Event History Analysis: Review the event history to gain insights into past security incidents, user activities, and system behavior.
  • Thresholds and Alerts: Set appropriate thresholds and alerts to ensure timely notification of potential security issues.
  • Regular Review: Regularly review the monitoring data, event history, and reports to identify trends, patterns, and areas for improvement in your application security.


6. Groups

Group Hierarchy and Role Inheritance

Overview

Visual Guard allows you to create group hierarchies, which provide a structured way to organize and manage groups. Group hierarchies enable you to establish parent-child relationships between groups, allowing for more flexible and granular control over permissions and user management. In addition to group hierarchy, Visual Guard also supports role inheritance, where child groups can inherit roles from their parent group.

Creating Group Hierarchies

To create a group hierarchy in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the Groups section.
  3. Create the parent group by clicking on the “Create Group” button.
  4. Provide a name and description for the parent group.
  5. Optionally, assign users and roles to the parent group.
  6. Save the parent group configuration.
  7. Create child groups within the parent group by following the same steps.
  8. Assign users and roles to the child groups as needed.
  9. Save the child group configurations.

Role Inheritance in Group Hierarchy

When configuring the role-to-group relationship, Visual Guard allows you to enable role propagation for child groups. This means that child groups can inherit roles from their parent group, simplifying role assignment and ensuring consistent access rights across the group hierarchy.

To enable role inheritance for child groups in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the Groups section.
  3. Select the parent group that has the desired roles assigned.
  4. Enable the role propagation option for the relationship between the parent group and child groups.
  5. Save the changes to apply the role inheritance to the child groups.

Utilizing Group Hierarchies and Role Inheritance in Security Configuration

Once group hierarchies are created and configured in Visual Guard, and role inheritance is enabled, you can leverage them in the security configuration of your applications. Permissions assigned to roles in the parent group will be automatically propagated to the child groups that inherit those roles. This ensures a consistent security policy and access rights across the entire hierarchy.

By utilizing group hierarchies and role inheritance, you can streamline the security configuration process, maintain a structured approach to user management, and ensure consistent role assignments within the group hierarchy.
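
The role selection and permission loading described under “4. Authorization” and the role propagation described here, as an added Python model that an access review can use to trace where each role comes from. It is not Visual Guard code or its API: the class and function names, the sample groups, roles and permissions, transitive propagation through several levels, and using all of a user's groups when none is selected are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parent: str | None = None
    # role name -> True when the role-to-group relationship propagates to child groups
    roles: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    direct_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def group_roles(groups: dict, group_name: str) -> dict:
    """Return {role: source}: the group's own roles plus roles propagated by ancestors."""
    result, seen = {}, set()
    current, own = group_name, True
    while current is not None:
        if current in seen:
            # A parent loop would otherwise make inheritance unbounded.
            raise ValueError(f"cycle in group hierarchy at {current!r}")
        seen.add(current)
        for role, propagates in groups[current].roles.items():
            if own or propagates:
                source = ("group:" if own else "inherited:") + current
                result.setdefault(role, source)  # nearest source wins
        current, own = groups[current].parent, False
    return result


def available_roles(user: User, groups: dict, selected_group: str | None = None) -> dict:
    """Roles offered at login: direct roles plus those of the chosen group."""
    roles = {role: "direct" for role in user.direct_roles}
    if selected_group is None:
        candidates = sorted(user.groups)  # assumption: no choice means all groups
    elif selected_group in user.groups:
        candidates = [selected_group]
    else:
        raise PermissionError(f"{user.name} is not a member of {selected_group}")
    for name in candidates:
        for role, source in group_roles(groups, name).items():
            roles.setdefault(role, source)
    return roles


def load_permissions(selected_roles, available: dict, role_permissions: dict) -> set:
    """Union of permissions for the roles chosen for the session."""
    not_offered = set(selected_roles) - set(available)
    if not_offered:
        raise PermissionError(f"roles not available to this user: {sorted(not_offered)}")
    permissions = set()
    for role in selected_roles:
        permissions |= role_permissions.get(role, set())
    return permissions


# Constructed sample data, not taken from any real repository.
GROUPS = {
    "Sales": Group("Sales", None, {"OrderViewer": True, "SalesAdmin": False}),
    "Sales-EMEA": Group("Sales-EMEA", "Sales", {"EmeaReporter": False}),
}
ROLE_PERMISSIONS = {
    "OrderViewer": {"orders.read"},
    "SalesAdmin": {"orders.read", "orders.delete"},
    "EmeaReporter": {"reports.emea"},
    "Auditor": {"audit.read"},
}
ALICE = User("alice", {"Auditor"}, {"Sales-EMEA"})

if __name__ == "__main__":
    offered = available_roles(ALICE, GROUPS, "Sales-EMEA")
    for role, source in sorted(offered.items()):
        print(f"{role:13} via {source}")
    print(sorted(load_permissions(["OrderViewer", "Auditor"], offered, ROLE_PERMISSIONS)))
```

In the sample, SalesAdmin is assigned to the parent without propagation, so the child group's member is never offered it; the source column is what makes an unexpectedly inherited role visible in a review.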


Benefits of using group hierarchies and role inheritance

  1. Simplified Role Assignment: Group hierarchies and role inheritance allow for a more streamlined and efficient process of assigning roles to users. Instead of manually assigning roles to each user individually, you can assign roles at the group level and have them automatically propagated to child groups and their members. This reduces administrative effort and ensures consistent role assignments.
  2. Consistent Access Rights: With role inheritance, you can ensure consistent access rights across the group hierarchy. When a role is assigned to a parent group, all child groups and their members inherit the same role. This helps maintain a consistent security policy and eliminates inconsistencies or discrepancies in access rights.
  3. Flexibility and Scalability: Group hierarchies provide a flexible and scalable approach to user management. As your application grows and security requirements evolve, you can easily add new child groups to the hierarchy and configure role inheritance for them. This allows for a hierarchical structure that can accommodate complex user management scenarios.
  4. Efficient Updates: When a role needs to be updated or modified, you can make the changes at the parent group level, and the updates will automatically propagate to all child groups and their members. This ensures that any modifications to roles are applied consistently throughout the hierarchy, saving time and effort in managing individual role assignments.
  5. Granular Control over Permissions: Group hierarchies allow for granular control over permissions. You can assign specific roles to parent groups and fine-tune the permissions assigned to child groups. This enables you to provide different levels of access and control to different segments of users within the hierarchy based on their roles and responsibilities.
  6. Simplified Auditing and Reporting: Group hierarchies and role inheritance simplify auditing and reporting processes. With role assignments centralized at the group level, it becomes easier to track and report on access rights and permissions within the hierarchy. This can help in compliance efforts, security audits, and generating comprehensive reports on user access and permissions.

By utilizing group hierarchies and role inheritance in Visual Guard, you can streamline user management, ensure consistent access rights, and maintain a scalable and efficient security configuration for your applications.

Please note that this documentation provides an overview of the benefits of group hierarchies and role inheritance in Visual Guard. The exact implementation and features may vary depending on your specific configuration and requirements.


6.1 Group Attribute

In Visual Guard the Group Attribute refers to the capability to define and manage additional properties or characteristics associated with user groups or categories beyond basic membership. These attributes provide additional context and flexibility for group management, allowing administrators to capture and store diverse information about groups.


Key Aspects

  1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their group definitions. This customization ensures that group profiles align with the organization’s structure, policies, and requirements.
  2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
  3. Visibility and Editability: Administrators can control the visibility and editability of group profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
  4. Integration: Group profile attributes can integrate with other systems or applications to synchronize group data across different platforms, streamlining group management processes and ensuring data consistency.
  5. Enhanced Group Definition: Group profile attributes enhance group definitions by providing additional context and information about groups, such as departmental affiliations, project assignments, or team roles. This helps administrators better understand and manage groups within the organization.

Structure of the Group Attribute

  1. Primary Information, which includes:
  • Property Name: Identifier for a specific attribute or characteristic of an entity.
  • Display Name: Human-readable label used to represent a property or attribute.
  • Data type value: Specification defining the type of data stored in a property or attribute, i.e.:
    • String
    • Integer
    • Double
    • Date Time
    • Boolean
    • DropDown List
  • Description: Brief explanation or summary providing additional context or details.
  • ID: ID, short for “identifier,” is a unique alphanumeric code or label assigned to a specific entity within a system or database.

2. Other Information details include:

  • Attribute Group Name: Categorization label for grouping related attributes together.
  • Is Visible: Indicator specifying whether an attribute is visible or hidden in the role interface. For example, if you select Is Visible for PhoneNumber, you will be able to see the phone number details under the shared role profile.

Result: Group –> Click on the group –> under profile you will see the Company Name.

If you uncheck the Is Visible icon, the details will not be visible to you.

  • Is Required: Flag indicating whether an attribute must be populated with data. For example, if you select the Is Required icon, the attribute becomes a mandatory parameter.

Result: Group –> Click on the group –> under profile you will see the default ‘company name’. If you leave the parameter blank, you will be prompted to enter the details. The page will not be saved until you have entered the details.

If you uncheck the Is Required icon, the page will be saved without any details for that parameter.

  • Is Search Allowed: Permission setting determining whether an attribute can be used for searching or filtering.
  • Is ReadOnly for API: Setting that specifies whether an attribute associated with a group profile can be modified via an API (Application Programming Interface). When this setting is enabled (set to “readonly”), it restricts the ability to modify the attribute’s value programmatically through API calls. This setting ensures data integrity and security by controlling access to attribute modification functionalities, particularly when changes need to be tightly regulated or restricted to specific user roles or permissions.
  • Is ReadOnly for UI: Setting that determines whether an attribute associated with a group profile can be modified through the user interface (UI). When this setting is enabled (set to “ReadOnly”), it restricts users from modifying the attribute’s value directly via the Visual Guard interface. This setting is useful for ensuring data integrity and security by controlling access to attribute modification functionalities through the UI, particularly when certain attributes should only be modified by administrators or authorized personnel. For example, if you choose the phone number to be ReadOnly for UI, that parameter will be read-only.

Result: Group –> Click on the group –> under profile you will see that the company name portion is ReadOnly and not editable.

If you uncheck the Is ReadOnly for UI icon, the parameter will be editable.

  • Need to save in Log: Specification indicating whether changes to an attribute should be logged for auditing purposes.

Overall, the group profile attribute feature enhances the flexibility, granularity, and usability of group management within a user management system, empowering administrators to define and manage groups effectively to meet the organization’s needs and requirements.


7. Users

Introduction

Users play a vital role in the security management of applications with Visual Guard. This documentation provides information on creating, managing, and utilizing users in Visual Guard.

Creating Users

To create a user in Visual Guard, follow these steps:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Navigate to the “Users” section.
  3. Click on the “Create User” button.
  4. Provide the required information for the user, such as name, email address, and password.
  5. Assign appropriate roles to the user based on their responsibilities and access rights.
  6. Save the user configuration.

Managing Users

Visual Guard facilitates the management of users registered in the VGRepository. Here are some common operations you can perform on users:

  • Modifying User Information: You can update user information, such as name, email address, or password, by accessing the user profile in the Visual Guard Administration Console.
  • Disabling a User: If a user no longer needs access to the Visual Guard-secured application, you can disable them to revoke their access rights. This can be done by modifying the user’s status in the Visual Guard Administration Console.
  • Locking a User: In certain situations, you may want to lock a user for security reasons. Locking a user prevents their access to the secured application until the lock is lifted.
  • Deleting a User: If a user no longer needs to be registered in the VGRepository, you can remove them from the database. This can be done by accessing the user profile in the Visual Guard Administration Console and selecting the delete option.

Assigning Roles and Groups

When registering a user in Visual Guard, you can assign them appropriate roles and groups. Roles define the user’s access rights, while groups provide a way to organize users and simplify permission assignment. By assigning the user to relevant groups and roles, you ensure that they have the necessary permissions to perform their tasks.

Audit and User Supervision

Visual Guard offers advanced audit and supervision features to track and supervise user actions. You can audit every action performed by a user, recording a detailed history of activities in the secured application. Additionally, you can monitor user actions in real-time to detect suspicious or unauthorized behavior.


Please note that this documentation provides an overview of managing users in Visual Guard. The exact steps and features may vary depending on your specific configuration and requirements. For more detailed information and specific instructions, please refer to the official Visual Guard documentation available at docs.visual-guard.com or contact the Visual Guard support team.


Users operations

7.1 User Attribute

In Visual Guard, user attributes refer to the properties or characteristics associated with individual user accounts within the security management system. These attributes provide essential information about users and play a crucial role in defining and managing user profiles.

This feature refers to the capability to define and manage additional properties or characteristics associated with user accounts beyond basic login credentials. These attributes provide additional context and flexibility for user management, allowing administrators to capture and store diverse information about users. Examples of user profile attributes include department, job title, email address, phone number, employee ID, and custom fields.

Key aspects of the user profile attribute feature include:

  1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their user population.
  2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
  3. Visibility and Editability: Administrators can control the visibility and editability of user profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
  4. Integration: User profile attributes can integrate with other systems or applications to synchronize user data across different platforms, streamlining user management processes and ensuring data consistency.
  5. Personalization: User profile attributes enable personalized user experiences by allowing applications to tailor content, features, and functionality based on user attributes, preferences, or roles.

Overall, the user profile attribute feature enhances the flexibility, granularity, and usability of user management systems, empowering administrators to capture and leverage additional user information to support various business processes and enhance user experiences.

7.2 User Types

Introduction

Visual Guard supports various user types to cater to different authentication needs. This documentation provides an overview of the different user types available in Visual Guard.

VGUser

VGUser is the standard user type in Visual Guard. They can be assigned specific roles and permissions to control their access to secured applications.

Windows User

Visual Guard integrates with Windows user accounts for authentication. This allows the application to utilize existing Windows accounts for user management.

Windows By Credential User

Windows By Credential User is a method that allows Visual Guard to authenticate users using specific Windows credentials. This can be useful when you need to verify users based on their Windows account credentials.

Database User

Visual Guard can authenticate users from a database where user information is stored. This is useful when user management is handled through a separate database system.

Okta User

Okta is a popular Identity and Access Management (IAM) service. Visual Guard supports authentication for users who use Okta as their identity provider.

MFA (Multi Factor Authentication) User

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone).

Using User Types

By leveraging these user types in Visual Guard, you can tailor the authentication process to meet your specific requirements. Whether you need to authenticate users through Windows accounts, database systems, or Okta, Visual Guard provides the necessary flexibility to accommodate different user authentication scenarios.

Conclusion

This documentation provides an overview of the user types available in Visual Guard. By leveraging these user types, you can enhance the authentication process and ensure secure access to your applications. For more detailed information on user types and their configuration, please refer to the official Visual Guard documentation available at docs.visual-guard.com or contact the Visual Guard support team.

8. Roles

VGRole is a fundamental entity in Visual Guard, playing a crucial role in managing permissions and defining access within an application. Stored within VGApplication, VGRole allows grouping permissions or sets of permissions, thereby facilitating the coherent assignment of access rights to users and groups.

Roles play a crucial role in the security management of applications with Visual Guard. This documentation provides information on creating, managing, and utilizing roles in Visual Guard.


Structure of VGRole

  • Permissions: Individual permissions represent specific access rights within the application. They can be as granular as needed, ranging from accessing a specific feature to viewing a particular UI element.
  • PermissionSets: A PermissionSet is a collection of permissions grouped together to simplify access rights management. It allows for a logical structuring of permissions, often based on business roles or application features.

Properties of VGRole

  • Can Grant to User: This property determines whether the role can be assigned directly to users. If enabled, administrators can assign the role to individual users, granting them the associated permissions.
  • Can Grant to VGGroup: Similar to the above property, but for groups. If this option is selected, the role can be assigned to user groups, enabling access rights management at the group level.
  • Name: The name of the role, which must be unique within the application. It serves as an identifier and should be descriptive enough to be easily recognized and understood by administrators.
  • Description: A detailed description of the role, explaining its purpose, the permissions it encompasses, and possibly the target users or groups.

Advantages of Using VGRole

  • Simplified Permission Management: Grouping permissions into roles simplifies the management of access rights, allowing administrators to handle authorizations more intuitively and systematically.
  • Consistent Access: Using roles ensures that permissions are granted consistently, reducing the risk of errors or omissions in access rights assignment.
  • Flexibility: The ability to assign roles to users or groups offers significant flexibility, allowing for precise customization of access levels based on organizational needs.

Creating VGRoles

To create a role in Visual Guard, follow these steps within the context of an application:

  1. Access the Visual Guard Administration Console (WinConsole or WebConsole).
  2. Select an Application.
  3. Within the application context, navigate to the “Roles” section.
  4. Click on the “Create Role” button.
  5. Provide a name and description for the role.
  6. Define the permissions associated with the role by either:
    • Adding individual permissions: Select and add specific permissions that define the access rights for the role.
    • Adding permission sets: Select and add pre-defined permission sets that contain collections of permissions and permission sets.

Managing VGRoles

Visual Guard simplifies the management of roles registered in the VGRepository within the context of an application. Here are some common operations you can perform on roles:

  • Modifying Role Information: You can update the name, description, and permissions of a role by accessing the role profile in the Visual Guard Administration Console within the application context.
  • Assigning Users to Roles: Assign users to roles within the application context to grant them the associated access rights and permissions. This can be done by accessing the user profile in the Visual Guard Administration Console within the application context and selecting the appropriate role for the user.
  • Assigning Roles to Groups: Assign roles to groups within the application context to grant the associated access rights and permissions to all users within the group. This can be done by accessing the group profile in the Visual Guard Administration Console within the application context and selecting the appropriate role for the group.
  • Revoking Role Assignments: If a user or group no longer requires the access rights and permissions associated with a role within the application context, you can remove the role assignment from their profile.
  • Deleting Roles: If a role within the application context is no longer needed, you can delete it from the VGRepository. This action removes the role and any associated permissions from the system within the application context.

Utilizing Roles

  • Once roles are created and assigned to users or groups within the application context, you can utilize them in the security configuration of your application. Roles define the access rights and permissions that users have within the secured application. By assigning users or groups to specific roles within the application context, you ensure that they have the appropriate permissions to perform their tasks.
  • By configuring these properties for each role, you can have fine-grained control over the assignment of roles to users and groups.

8.1 Role Attribute

In Visual Guard, a role attribute refers to a property or characteristic associated with a specific role within the security management system. Role attributes provide additional context or information about roles, enabling administrators to define and manage roles effectively.

The feature refers to the capability to define and manage additional properties or characteristics associated with user roles beyond basic permissions. These attributes provide additional context and flexibility for role management, allowing administrators to capture and store diverse information about roles.


Key Aspects

  1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their role definitions. This customization ensures that role profiles align with the organization’s structure, policies, and requirements.
  2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
  3. Visibility and Editability: Administrators can control the visibility and editability of role profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
  4. Integration: Role profile attributes can integrate with other systems or applications to synchronize role data across different platforms, streamlining role management processes and ensuring data consistency.
  5. Role Definition Enhancement: Role profile attributes enhance role definitions by providing additional context and information about roles, such as departmental affiliations, job responsibilities, or skill requirements. This helps administrators better understand and manage roles within the organization.

Structure of the Role Attribute

  1. Primary Information, which includes:
  • Property Name: Identifier for a specific attribute or characteristic of an entity.
  • Display Name: Human-readable label used to represent a property or attribute.
  • Data type value: Specification defining the type of data stored in a property or attribute, i.e.:
    • String
    • Integer
    • Double
    • Date Time
    • Boolean
    • DropDown List
  • Description: Brief explanation or summary providing additional context or details.
  • ID: ID, short for “identifier,” is a unique alphanumeric code or label assigned to a specific entity within a system or database.

2. Other Information details include:

  • Attribute Group Name: Categorization label for grouping related attributes together.
  • Is Visible: Indicator specifying whether an attribute is visible or hidden in the role interface. For example, if you select Is Visible for PhoneNumber, you will be able to see the phone number details under the shared role profile.

Result: Shared Role or Role –> Click on the role –> under profile you will see the phone number.

If you uncheck the Is Visible icon, the details will not be visible to you.

  • Is Required: Flag indicating whether an attribute must be populated with data. For example, if you select the Is Required icon, the attribute becomes a mandatory parameter.

Result: Shared Role / Role –> Click on the role –> under profile you will see the default phone number. If you leave the parameter blank, you will be prompted to enter the details. The page will not be saved until you have entered the details.

If you uncheck the Is Required icon, the page will be saved without any details for that parameter.

  • Is Search Allowed: Permission setting determining whether an attribute can be used for searching or filtering.
  • Is ReadOnly for API: Setting determining whether an attribute can be modified via an API (Application Programming Interface). When this setting is enabled (set to “readonly”), it restricts the ability to modify the attribute’s value programmatically through API calls. This setting ensures data integrity and security by controlling access to attribute modification functionalities, particularly when changes need to be tightly regulated or restricted to specific user roles or permissions.
  • Is ReadOnly for UI: Setting determining whether an attribute is editable in the user interface (UI). When this setting is enabled (set to “ReadOnly”), it restricts users from modifying the attribute’s value directly via the Visual Guard interface. This setting is useful for ensuring data integrity and security by controlling access to attribute modification functionalities through the UI, particularly when certain attributes should only be modified by administrators or authorized personnel. For example, if you choose the phone number to be ReadOnly for UI, that parameter will be read-only.

Result: Shared Role / Role –> Click on the role –> under profile you will see that the phone number portion is ReadOnly and not editable.

If you uncheck the Is ReadOnly for UI icon, the parameter will be editable.

  • Need to save in Log: Specification indicating whether changes to an attribute should be logged for auditing purposes.

Overall, the role profile attribute feature enhances the flexibility, granularity, and usability of role management within a user management system, empowering administrators to define and manage roles effectively to meet the organization’s needs and requirements.
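How the attribute flags described in sections 6.1 and 8.1 interact when a profile is saved, as an added example that is not Visual Guard code or its API. `AttributeDef`, `apply_update`, the channel names and the sample attributes are hypothetical; the flag and data type names follow the lists above.

```python
from dataclasses import dataclass
from datetime import datetime

# Type checks for the data types listed under "Data type value".
TYPE_CHECKS = {
    "String": lambda v: isinstance(v, str),
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "Double": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "Date Time": lambda v: isinstance(v, datetime),
    "Boolean": lambda v: isinstance(v, bool),
}


@dataclass(frozen=True)
class AttributeDef:
    """Hypothetical model of one attribute definition and its flags."""
    property_name: str
    data_type: str
    choices: tuple = ()            # only used by "DropDown List"
    is_required: bool = False      # "Is Required"
    readonly_for_api: bool = False  # "Is ReadOnly for API"
    readonly_for_ui: bool = False   # "Is ReadOnly for UI"
    save_in_log: bool = False      # "Need to save in Log"


def value_ok(attr, value):
    if attr.data_type == "DropDown List":
        return value in attr.choices
    return TYPE_CHECKS[attr.data_type](value)


def apply_update(defs, profile, changes, channel, actor):
    """Validate `changes` arriving over `channel` ("api" or "ui").

    Returns (profile, errors, audit). The save is all-or-nothing: with any
    error the original profile comes back unchanged and nothing is logged.
    """
    if channel not in ("api", "ui"):
        raise ValueError("channel must be 'api' or 'ui'")
    errors, audit, merged = [], [], dict(profile)
    for name, value in changes.items():
        attr = defs.get(name)
        if attr is None:
            errors.append(f"{name}: unknown attribute")
            continue
        # The two read-only flags are independent: each guards one channel.
        read_only = attr.readonly_for_api if channel == "api" else attr.readonly_for_ui
        if read_only:
            errors.append(f"{name}: read-only for {channel}")
            continue
        empty = value is None or value == ""
        if not empty and not value_ok(attr, value):
            errors.append(f"{name}: not a valid {attr.data_type}")
            continue
        old = merged.pop(name, None)
        new = None if empty else value
        if not empty:
            merged[name] = value
        if attr.save_in_log and old != new:
            audit.append({"actor": actor, "channel": channel,
                          "attribute": name, "old": old, "new": new})
    # Required attributes must be populated in the profile that would be saved.
    for attr in defs.values():
        if attr.is_required and merged.get(attr.property_name) in (None, ""):
            errors.append(f"{attr.property_name}: required")
    if errors:
        return profile, errors, []
    return merged, [], audit


# Constructed sample definitions, using the page's Company Name / phone number cases.
DEFS = {d.property_name: d for d in (
    AttributeDef("CompanyName", "String", is_required=True,
                 readonly_for_api=True, save_in_log=True),
    AttributeDef("PhoneNumber", "String", readonly_for_ui=True),
    AttributeDef("Region", "DropDown List", choices=("EMEA", "APAC")),
    AttributeDef("HeadCount", "Integer"),
)}

if __name__ == "__main__":
    current = {"CompanyName": "Acme", "PhoneNumber": "555-0100"}
    print(apply_update(DEFS, current, {"CompanyName": "Acme Ltd"}, "api", "svc-sync"))
    print(apply_update(DEFS, current, {"CompanyName": "Acme Ltd"}, "ui", "admin1"))
```

An attribute that is read-only for only one channel can still be changed through the other, so both flags need to be set when a value must not change at all.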


9. Application

In Visual Guard, an “Application” refers to a software system that has been integrated with Visual Guard for security management purposes. This integration allows the application to utilize Visual Guard’s robust features for authentication, authorization, user management, and access control. Essentially, an application in Visual Guard is a client that leverages the framework to secure access to its resources, manage user roles and permissions, and enforce security policies, ensuring that only authorized users can access sensitive functionalities and data.

Key Characteristics of Applications in Visual Guard:

  1. Diverse Platforms: Visual Guard is designed to support applications built on various platforms, including .NET, SQL, Oracle, making it versatile for securing a wide range of software environments.
  2. Security Control: Visual Guard allows administrators to implement security controls within applications, defining access rights, permissions, and user roles at a fine-grained level to ensure that sensitive resources are protected adequately.
  3. Centralized Management: With Visual Guard, administrators can centrally manage security policies and user access across multiple applications from a single administration console. This centralized approach streamlines security administration and ensures consistency across the organization’s software ecosystem.
  4. Integration Capabilities: Visual Guard offers robust integration capabilities, allowing seamless integration with existing application architectures and identity management systems. This enables organizations to leverage Visual Guard’s security features without requiring significant changes to their existing infrastructure.
  5. Auditing and Compliance: Visual Guard provides auditing and logging functionalities to track user activities, access attempts, and security events within applications. This audit trail helps organizations maintain compliance with regulatory requirements and enables forensic analysis in the event of security incidents.

Below are the details you will be able to configure for your Application:

  • Application Security:
    • Anonymous Role: This setting defines the permissions that unauthenticated users will have when accessing the application. This role is crucial for applications that allow partial access to users without requiring them to log in.
    • Anonymous System Role: Similar to the Anonymous Role, the Anonymous System Role specifies a set of permissions for unauthenticated users but at a system-wide level. This role is applied across all applications managed by Visual Guard.
    • Default Role: This is assigned to users upon successful authentication, provided no other specific roles are assigned to them. This role acts as a baseline access level for authenticated users.
    • Membership Access Level: This setting determines the extent to which users can interact with the application. It can range from full access to read-only access, depending on the level of interaction you wish to allow for general users.
  • Contextual Settings:
    • Group Selection Display Mode: This configuration controls how groups are displayed to the user during the login or role assignment process. It can be set to show all groups, none, or only those that are relevant to the user, enhancing the user experience and streamlining access management.
    • Group Selection Mode: This dictates how users can be associated with groups within the application. It can allow users to be part of multiple groups, restrict them to a single group, or provide a hybrid approach based on the application’s security requirements.
    • Role Selection Display Mode: This setting determines how roles are presented to users or administrators within the application. It can be configured to display all available roles, only assigned roles, or roles based on specific criteria, ensuring that users are granted appropriate access levels.
  • Misc: This covers the name of the application, its ID, version, and more.
    • Description: This field allows administrators to provide a detailed explanation of the application’s purpose, its security requirements, or any other relevant information that can assist in identifying and managing the application within Visual Guard.
    • Version: This attribute helps in maintaining different iterations of the application’s security configurations. As applications evolve, their security needs might change, and keeping track of these changes through versioning ensures that the right configurations are applied to the correct version of the application.
    • VGApplication Name: This is the identifier for the application within Visual Guard. It’s crucial to choose a unique and descriptive name, as it will be used to reference the application across the Visual Guard administration console and API.
  • Manage Application Attributes: Here you can administer various characteristics and properties of an application.
  • Configure Identity Client for Application: This is used to set up authentication and authorization mechanisms specific to an application, enabling secure access control and user management within the application’s environment.
  • Edit MFA Policy: This lets you modify multi-factor authentication policies to enhance security by requiring additional verification steps beyond passwords.


9.1 Deployment

Application deployment in Visual Guard refers to the process of deploying security configurations, such as roles, permissions, and user profiles, to specific applications or systems within an environment. This deployment ensures that security settings are applied effectively to the target applications, enabling consistent access control and enforcing security policies.

Key aspects of application deployment in Visual Guard include:

  1. Targeted Application Configuration: Security configurations are deployed selectively to specific applications or systems within the environment, ensuring that each application receives the appropriate security settings tailored to its requirements.
  2. Version Control and Management: Application deployment may involve versioning of security configurations, allowing administrators to track changes over time, revert to previous versions if necessary, and maintain an audit trail of configuration modifications.
  3. Integration with Development Lifecycle: Application deployment integrates with the development lifecycle, enabling security configurations to be deployed seamlessly across different stages, such as development, testing, and production.
  4. Scalability: Application deployment processes are designed to scale effectively with the organization’s growth and increasing complexity, ensuring that security configurations remain manageable and consistent across a diverse range of applications and systems.
  5. Reliable Access Control: By ensuring the timely and accurate deployment of security configurations to target applications, Visual Guard facilitates reliable access control, enabling organizations to enforce security policies effectively and mitigate security risks.

Overall, application deployment in Visual Guard plays a crucial role in ensuring that security configurations are effectively applied to target applications, promoting consistency, reliability, and scalability in access control across enterprise environments.

9.2 Identity Client

In Visual Guard, the Identity Client is a component responsible for interacting with the VGIdentity Server to handle user authentication and authorization within applications. It acts as a client-side library or module integrated into the application code to facilitate user authentication, obtain security tokens, and enforce access control policies.

Overall, the Identity Client plays a crucial role in enabling secure and seamless user authentication and access control within Visual Guard-protected applications. It helps enforce authentication and authorization policies, manage user sessions, and provide a smooth user experience while maintaining robust security measures.

Below are the different functionalities that fall under Identity Client configuration:

  1. Primary Information: Essential data or key details that are fundamental to understanding the application.
  • Name: A unique identifier or label assigned to the application
  • Platform types: VisualGuard Identity Client configuration supports various platform types for integration with applications, each catering to different use cases and environments. Here’s an explanation of the different platform types:
    • Web Applications (Java, Asp.Net, etc): Software programs or platforms accessed through web browsers, allowing users to interact with services, data, and functionalities over the internet.
    • SPAs (Single Page Application) (Javascript Front end apps, Angular.js, Node.js, etc): Web applications that dynamically update content without reloading the entire page, offering a seamless and responsive user experience similar to desktop applications
    • Native Applications (Mobile/Desktop, Powerbuilder, PowerServer etc): Software programs developed specifically for a particular platform or device, leveraging its native features and capabilities to deliver optimized performance and user experience.
    • Service Applications (Machine to Machine – On behalf of the client, no interactive user is present): Software programs designed to run in the background, providing specific functionalities or performing tasks independently of user interaction, often used to automate processes or manage system resources
  • Description: A brief explanation or summary providing additional context or details about the application
  • Application type: Classification specifying the nature or purpose of a software application such PowerBuilder, PowerBuilder + PowerServer

2. Identity Resources/Scope: The client specifies the scope of the access requested, which defines the resources and operations the client is allowed to access on behalf of the user. The scope is included in the authorization request.

  • VG Activity Date: Requests access to the VGActivityDate information.
  • VGApplications: Requests access to the list of accessible applications.
  • VGDeveloper: Requests access to the information used by API operations for developers (vgPermissionInfo, vgRoleInfo, vgAppInfo).
  • VGIsApproved: Requests access to whether the user is an approved user or not.
  • VGIsLocked: Requests access to whether the user is a locked user or not.
  • VGPermissions: Requests access to the list of accessible permissions.
  • VGProfile: Requests access to the user profile information (firstname, lastname, email, etc.).
  • VGRoles: Requests access to the list of accessible roles.
  • VGToken: Requests access to the VGToken.

3. Redirect URIs Information – Uniform Resource Identifiers (URIs): The client specifies one or more redirect URIs where the Identity server will redirect the user after authentication. The redirect URI must be registered with the VisualGuard Identity server during client registration to prevent certain types of attacks, such as authorization code interception.

  • Allowed Redirect URIs
  • Post Logout URIs
  • Is Overwrite URI Information when deployed
  • CORS: Refers to Cross-Origin Resource Sharing (CORS), which is a mechanism that allows resources on a web page to be requested from another domain outside the domain from which the resource originated.
    • Allowed cors origin

4. Grant Types: The client specifies the type of authorization grant it will use to obtain access tokens. Common grant types include Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.

  • Client credentials: Used on behalf of a client; no interactive user is present.
  • Implicit: Normally used for JavaScript applications, where all tokens are transmitted via the browser. The access token is returned immediately, without an extra authorization code exchange step, and advanced features such as refresh tokens are therefore not allowed.
  • Authorization Code: Provides a way to retrieve tokens on a back-channel as opposed to the browser front-channel.
  • ResourceOwner Password: Allows tokens to be requested on behalf of a user by sending the user’s name and password to the token endpoint. This is so-called “non-interactive” authentication and is generally not recommended.
  • Hybrid: A combination of the implicit and authorization code flows. It uses combinations of multiple grant types, most typically code id_token. In the hybrid flow, the identity token is transmitted via the browser channel and contains the signed protocol response along with signatures for other artifacts such as the authorization code. This mitigates a number of attacks that apply to the browser channel.

5. Secret Keys: This is a piece of confidential information, typically a long string of characters, used for cryptographic purposes, such as encrypting and decrypting data, or for authenticating communication between parties.

  • Secret: A confidential string used for cryptographic operations, such as encrypting and decrypting data
  • Description: A brief explanation or summary providing additional context or details about the application
  • Expiry: The date on which the secret becomes invalid or no longer usable
  • Is override when deployed: Indicating whether a configuration should be replaced with a new value when deployed
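The settings in items 1 to 5 above can be reviewed mechanically before a client is deployed. The following is an added Python example, not Visual Guard code or its API: the record layout, key names and grant identifiers are assumptions, and the rules are general OAuth 2.0 practice (exact https redirect URIs, no wildcard CORS origin, no implicit or password grant, no secret on a browser or device client, secrets that expire).

```python
from datetime import date
from urllib.parse import urlsplit

# Scope names as listed on this page. Every key name in the client records
# below is hypothetical; it is not Visual Guard's storage or export format.
KNOWN_SCOPES = {"VGActivityDate", "VGApplications", "VGDeveloper", "VGIsApproved",
                "VGIsLocked", "VGPermissions", "VGProfile", "VGRoles", "VGToken"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
PUBLIC_PLATFORMS = {"spa", "native"}  # code runs on the user's device


def uri_problem(uri, allow_loopback_http=False):
    """Return why a registered redirect or post-logout URI is unsafe, else None."""
    if "*" in uri:
        return "contains a wildcard"
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        return "is not an absolute URI"
    if parts.fragment:
        return "contains a fragment"
    loopback_ok = (allow_loopback_http and parts.scheme == "http"
                   and parts.hostname in LOOPBACK_HOSTS)
    return None if parts.scheme == "https" or loopback_ok else "does not use https"


def origin_problem(origin):
    """Return why an allowed CORS origin is too broad or malformed, else None."""
    if origin == "*":
        return "allows every origin"
    parts = urlsplit(origin)
    if "*" in origin or parts.scheme != "https" or not parts.hostname:
        return "is not an exact https origin"
    if parts.path or parts.query or parts.fragment:
        return "is not a bare scheme://host[:port] origin"
    return None


def audit_identity_client(cfg, today):
    """Return a list of findings for one identity client record."""
    findings = []
    platform = cfg["platform"]  # "web", "spa", "native" or "service"
    grants = set(cfg.get("grant_types", []))
    redirects = cfg.get("redirect_uris", [])
    for uri in redirects + cfg.get("post_logout_uris", []):
        problem = uri_problem(uri, allow_loopback_http=(platform == "native"))
        if problem:
            findings.append(f"URI {uri!r} {problem}")
    for origin in cfg.get("cors_origins", []):
        problem = origin_problem(origin)
        if problem:
            findings.append(f"CORS origin {origin!r} {problem}")
    if "implicit" in grants:
        findings.append("implicit grant returns tokens through the browser")
    if "resource_owner_password" in grants:
        findings.append("password grant hands the user's password to the client")
    if platform == "service":  # machine to machine, no interactive user
        if grants != {"client_credentials"}:
            findings.append("service client should use only client_credentials")
        if redirects:
            findings.append("service client has redirect URIs but no interactive user")
    secrets = cfg.get("secrets", [])
    if secrets and platform in PUBLIC_PLATFORMS:
        findings.append("secret configured on a public client")
    for secret in secrets:
        expiry = secret.get("expiry")
        if expiry is None:
            findings.append(f"secret {secret['description']!r} has no expiry")
        elif expiry < today:
            findings.append(f"secret {secret['description']!r} expired on {expiry}")
    findings += [f"unknown scope {s!r}" for s in cfg.get("scopes", [])
                 if s not in KNOWN_SCOPES]
    return findings


def redirect_uri_allowed(cfg, requested):
    """Exact string match against the registered list: no prefix or pattern match."""
    return requested in cfg.get("redirect_uris", [])


# Constructed sample records (not taken from a real repository).
WEAK = {"name": "orders-spa", "platform": "spa",
        "scopes": ["VGProfile", "VGRoles", "VGAdmin"],
        "redirect_uris": ["http://orders.example.com/callback", "https://*.example.com/cb"],
        "post_logout_uris": ["https://orders.example.com/bye"],
        "cors_origins": ["*"],
        "grant_types": ["implicit", "resource_owner_password"],
        "secrets": [{"description": "initial", "expiry": None}]}
HARDENED = dict(WEAK, scopes=["VGProfile", "VGRoles"],
                redirect_uris=["https://orders.example.com/callback"],
                cors_origins=["https://orders.example.com"],
                grant_types=["authorization_code"], secrets=[])
SERVICE = {"name": "nightly-sync", "platform": "service", "scopes": ["VGRoles"],
           "grant_types": ["client_credentials"],
           "secrets": [{"description": "2024 key", "expiry": date(2024, 1, 31)}]}

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED, SERVICE):
        print(cfg["name"], audit_identity_client(cfg, date(2025, 1, 1)) or "no findings")
```

The WEAK record produces eight findings, HARDENED produces none, and SERVICE is flagged only for its expired secret.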

Please click on the respective links to create your identity clients


9.3 Application Attribute

The “Manage Application Attribute” feature is the capability to define and manage additional properties or characteristics associated with applications or software systems within the user management platform. These attributes provide additional context and flexibility for application management, allowing administrators to capture and store diverse information about applications.

Key aspects of the application profile attribute feature include:

  1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their applications. This customization may include attributes such as application name, description, version, platform compatibility, or metadata relevant to application configuration and management.
  2. Visibility and Editability: Administrators can control the visibility and editability of application profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
  3. Integration: Application profile attributes can integrate with other systems or applications to synchronize application data across different platforms, streamlining application management processes and ensuring data consistency.
  4. Metadata Management: Application profile attributes enable administrators to manage metadata associated with applications, such as release notes, installation instructions, licensing information, or third-party dependencies, facilitating comprehensive application lifecycle management.

Overall, the application profile attribute feature enhances the flexibility, granularity, and usability of user management systems, empowering administrators to capture and leverage additional application information to support various business processes and enhance application management practices.

Features:

  • Name: Identifier or label assigned to the application profile attribute
  • Is Encrypted: Flag indicating whether the attribute value is encrypted for security purposes or not
  • Is Overwrite when Deployed: Setting determining whether the attribute should be replaced with a new value during deployment
  • Edit: Action allowing modification of the application profile attribute
  • Delete: Action allowing removal of the application profile attribute

10. Permissions

Understanding Permissions in Visual Guard for Effective Access Control

Introduction

Access control is a crucial aspect of application security, ensuring that users have the appropriate permissions to perform their designated tasks while safeguarding sensitive data. Visual Guard, a comprehensive security framework, provides robust permission management capabilities. In this article, we will explore the concept of permissions in Visual Guard, their role in access control, and how they can be effectively managed to enhance application security.


What are Permissions?

Permissions in Visual Guard refer to the privileges granted to users or user groups to perform specific actions within an application. These actions can range from viewing, creating, modifying, or deleting data to executing certain functionalities or accessing specific features. By assigning permissions, administrators can control the level of access granted to different users, ensuring that they can perform their intended tasks while maintaining data integrity and security.


Permission Hierarchy

Visual Guard implements a hierarchical structure for permissions, providing granular control over user access. The hierarchy typically consists of the following elements:

  1. Applications: At the top level of the hierarchy, permissions can be assigned to entire applications. This allows administrators to grant or restrict access to specific applications based on user roles or groups.
  2. Permissions folder: Within an application, permissions can be further defined at the folder level. Permission folders represent distinct functional components or sections of an application. By assigning folder-level permissions, administrators can control access to specific features or functionalities within the application.
  3. Operations: At the lowest level, permissions are assigned to operations, which represent specific actions that users can perform within a module. These actions can include read, write, create, delete, or execute operations. By granting or revoking permission for specific operations, administrators can fine-tune user access based on their requirements.

Managing Permissions in Visual Guard

Visual Guard provides a user-friendly interface for managing permissions, making it easy for administrators to define and control access rights. Here are the key steps involved in managing permissions:

  1. Define Roles: Before assigning permissions, it is recommended to define user roles based on job responsibilities or access requirements. Roles help streamline permission management by grouping users with similar access needs together.
  2. Assign Permissions: Once roles are defined, permissions can be assigned to each role at the application, module, or operation level. Visual Guard offers a visual interface to facilitate the assignment process, allowing administrators to easily select and configure permissions for each role.
  3. Role Mapping: After assigning permissions to roles, the next step is to map individual users or user groups to these roles. This mapping ensures that users inherit the permissions associated with their assigned roles.
  4. Fine-tuning Permissions: In some cases, specific users may require exceptions or additional permissions beyond their assigned roles. Visual Guard allows administrators to override role-based permissions for individual users, granting or restricting access as needed.
  5. Regular Review and Updates: It is crucial to regularly review and update permissions as application requirements evolve or user roles change. By periodically auditing and adjusting permissions, administrators can ensure that access control remains aligned with the organization’s security policies and compliance regulations.

Best Practices for Effective Permission Management

To optimize access control and enhance application security using Visual Guard, consider the following best practices:

  1. Principle of Least Privilege: Follow the principle of least privilege, granting users only the permissions necessary to perform their tasks. Avoid assigning excessive or unnecessary permissions, as this can increase the risk of unauthorized access or data breaches.
  2. Regular Audits: Conduct regular audits of permissions to identify and rectify any inconsistencies or vulnerabilities. Remove any outdated or unnecessary permissions to minimize the attack surface and maintain a secure environment.
  3. Role-Based Access: Leverage role-based access control (RBAC) to streamline permission management. By assigning permissions at the role level and mapping users to roles, you can ensure consistent access control across the application.
  4. Segregation of Duties: Implement segregation of duties (SoD) by assigning permissions in a way that prevents conflicts of interest or unauthorized access. Restrict sensitive operations by separating them among different roles or requiring multiple approvals.
  5. Collaboration with Stakeholders: Work closely with application owners, system administrators, and business stakeholders to define and validate permission requirements. Collaboration ensures that permissions are aligned with business needs and comply with regulatory guidelines.

Conclusion

Effective permission management is vital for maintaining application security and data integrity. Visual Guard offers a robust framework for managing permissions, enabling administrators to control user access at various levels within an application. By following best practices and regularly reviewing and adjusting permissions, organizations can enhance access control, reduce the risk of unauthorized activities, and maintain a secure application environment.

11. PermissionSets

Understanding Permission Sets in Visual Guard for Efficient Access Control

Introduction

Access control plays a crucial role in ensuring the security and integrity of applications and data. Visual Guard, a comprehensive security framework, provides powerful permission management capabilities through the use of permission sets. In this article, we will explore the concept of permission sets in Visual Guard, their significance in access control, and how they can be effectively utilized to streamline security administration.

What are Permission Sets?

Permission sets in Visual Guard are predefined collections of permissions that represent a specific level of access within an application. They provide a convenient way to group related permissions together, simplifying the task of assigning access rights to users or roles. By assigning permission sets, administrators can quickly grant or revoke a set of permissions to multiple users, ensuring consistent access control across the application.


Role of Permission Sets in Access Control

Permission sets serve as building blocks for access control in Visual Guard. They offer the following advantages:

  1. Simplified Permission Assignment: Permission sets enable administrators to assign multiple permissions at once, reducing the time and effort required for individual permission assignment. By associating users or roles with relevant permission sets, administrators can efficiently manage access rights.
  2. Granular Control: Visual Guard provides a range of preconfigured permission sets that cover common access requirements. These sets can be further customized or combined to create more granular permission sets that align with specific business needs. This flexibility allows for precise control over user access at different levels of an application.
  3. Ease of Maintenance: Permission sets streamline the administration of access control by providing a centralized and organized approach. When there are changes in access requirements or security policies, modifying a permission set automatically updates the permissions associated with all users or roles assigned to that set. This simplifies maintenance and ensures consistency in access control across the application.

Utilizing Permission Sets in Visual Guard

To effectively utilize permission sets in Visual Guard, consider the following steps:

  1. Identify Access Requirements: Understand the access requirements of different user roles or groups within the application. Determine the specific actions or functionalities they need to perform.
  2. Define Custom Permission Sets: Visual Guard offers a range of predefined permission sets to cover common access scenarios. Evaluate these sets and create custom permission sets by combining or modifying existing ones to match your application’s unique access requirements.
  3. Assign Permission Sets: Associate the appropriate permission sets with user roles or groups. This can be done through the Visual Guard Console, which provides a user-friendly interface for permission management. Assigning permission sets to roles ensures that users assigned to those roles inherit the corresponding access rights.
  4. Regular Review and Updates: Regularly review and update permission sets to align with changing business needs, application requirements, and security policies. Add or remove permissions from sets as necessary, ensuring that access control remains up to date and consistent with evolving circumstances.

Best Practices for Permission Set Management

To optimize access control and streamline security administration using permission sets in Visual Guard, consider the following best practices:

  1. Role-Based Access Control (RBAC): Leverage RBAC principles when assigning permission sets. Assign sets based on job responsibilities or functional roles within the application to ensure appropriate access levels for each user.
  2. Minimize Permission Set Proliferation: Keep the number of permission sets manageable by avoiding unnecessary duplication. Review and consolidate sets regularly to maintain a streamlined and efficient permission management process.
  3. Principle of Least Privilege: Apply the principle of least privilege when defining permission sets. Grant only the necessary permissions required for users to perform their designated tasks, limiting potential security vulnerabilities.
  4. Regular Audits: Conduct periodic audits of permission sets to identify any discrepancies, inconsistencies, or potential security risks. Remove any unused or obsolete permission sets to maintain an organized and secure access control structure.

Conclusion

Permission sets in Visual Guard provide a powerful mechanism for managing access control within applications. By grouping related permissions together, administrators can efficiently assign and maintain access rights for users or roles. By following best practices and regularly reviewing and updating permission sets, organizations can ensure streamlined security administration and maintain a secure application environment. Leveraging the flexibility and capabilities of permission sets in Visual Guard enhances access control and contributes to overall application security.

12. Permission Matrix

The Permission Matrix feature of Visual Guard is an essential tool for managing permissions and roles in applications. It provides a detailed and organized view of the permissions assigned to each user and role within the system. What makes it even more powerful is its ability to generate an Excel document that presents this information in a clear and structured manner.

In the generated Excel document, users are listed in the rows and roles and permissions are presented in the columns. This allows administrators to quickly and easily see which permissions are assigned to which users. In addition, they can see which roles are assigned to each user, which facilitates the management of roles and permissions.

The Permission Matrix feature also offers several options for customizing the display and management of permissions and roles:

  1. “Show Permissions”: This option allows all permissions in the matrix to be displayed.
  2. “Show Roles”: This option allows all roles in the matrix to be displayed.
  3. “Show Global Sheet”: This option creates a global matrix that includes all applications.
  4. “Show Application Specific Sheet”: This option creates a specific sheet for each application.
  5. “Show items only when relation exists”: This option allows only elements that have an existing relation to be displayed.
  6. “Show entities count per matrix item”: This option displays the number of entities per matrix item.
  7. “Select application”: This option allows a specific application to be selected to display its permission and role matrix.

These options offer great flexibility in managing permissions and roles in Visual Guard. They allow administrators to customize the display and management of permissions and roles according to their specific needs.

In summary, the Permission Matrix feature of Visual Guard is a valuable tool for any organization that wants to effectively manage the permissions and roles of its users. Its ability to generate a detailed Excel document provides unmatched visibility and control over the permissions and roles in the system.

13. System Roles

The Visual Guard System Role page provides a comprehensive overview of the nine predefined roles offered by Visual Guard. Each role comes with specific access and permissions, allowing granular control over the system’s security.

Here’s a brief overview of each role:

| Roles | Description |
|---|---|
| Master Administrator | This user has access to all the available features of the console. The user can create, delete, manage, and update the applications, permissions, permission sets, roles, users, and groups of the repository. |
| Developer | This user can edit, update, and remove permissions and permission sets. The user can only create application roles and grant or revoke them to groups/users. |
| Restricted Developer | This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role. |
| Developer Deployer | This type of user can edit applications, permissions, roles and users but not the repository. They cannot grant the Visual Guard built-in roles to users. |
| Restricted Developer Deployer | This type of user can create or edit the application, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role. |
| User Administrator | This user can create new users and view the users that belong to the groups that have been assigned to the user. The user can create groups and read only those group(s) that are assigned to the user. The user can grant or revoke the Application, Shared & System roles to Groups/Users. |
| Restricted User Administrator | This user can manage users and roles in a given application. |
| Auditor | This user can access the repository in read-only mode, and can also read the log and print the report. |
| Restricted Auditor | This user has the same privileges as the Auditor, except that access is limited to a single application. |


13.1 Permission Matrix

The Visual Guard System Role Permission Matrix page provides a detailed breakdown of the permissions associated with each of the nine predefined roles offered by Visual Guard.

The matrix is a comprehensive guide that outlines the level of access each role has to applications, groups, roles, and users. It covers a wide range of permissions, from creating and deleting applications, groups, and roles, to reading and updating permissions, permission sets, and users.


Visual Guard offers 9 predefined roles. The role assigned to a user determines the amount of access that user has to applications, groups, roles and users.
The matrix below defines the permissions associated with each role.

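| Permission | Master Admin | Developer | Restricted Developer | Developer Deployer | Restricted Developer Deployer | User Admin | Restricted User Admin | Auditor | Restricted Auditor |
|---|---|---|---|---|---|---|---|---|---|
| Applications | ø | | | | | | | | |
| \Applications\CanCreateApplication | ø | | | | | | | | |
| \Applications\CanDeleteApplication | ø | | | | | | | | |
| \Applications\CanDeployApplication | ø | | | ø | ø | | | | |
| \Applications\CanReadAllApplications | ø | ø | | ø | | ø | | ø | |
| \Applications\CanReadApplication | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Applications\CanUpdateApplication | ø | ø | ø | ø | ø | | | | |
| AuditAndReporting | | | | | | | | | |
| \AuditAndReporting\CanGenerateDocumentation | ø | | | | | ø | ø | ø | ø |
| \AuditAndReporting\CanEditEventLogCategory | ø | | | | | | | | |
| \AuditAndReporting\CanReadEventLog | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| Groups | | | | | | | | | |
| \Groups\CanCreateGroup | ø | | | | | ø | ø | | |
| \Groups\CanReadGroup | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Groups\CanUpdateGroup | ø | | | | | ø | ø | | |
| \Groups\CanDeleteGroup | ø | | | | | ø | ø | | |
| \Groups\CanReadAllGroups | ø | | | | | | | ø | |
| Permissions | | | | | | | | | |
| \Permissions\CanCreatePermission | ø | ø | ø | ø | ø | | | | |
| \Permissions\CanDeletePermission | ø | ø | ø | ø | ø | | | | |
| \Permissions\CanReadPermission | ø | ø | ø | ø | ø | | | ø | ø |
| \Permissions\CanUpdatePermission | ø | ø | ø | ø | ø | | | | |
| Permission Sets | | | | | | | | | |
| \PermissionSets\CanCreatePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanDeletePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanReadPermissionSet | ø | ø | ø | ø | ø | | | ø | ø |
| \PermissionSets\CanUpdatePermissionSet | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles | ø | ø | ø | ø | ø | | | | |
| \PermissionSets\CanGrantRevokePermissionSetsToSharedRoles | ø | ø | ø | ø | ø | | | | |
| Repository | | | | | | | | | |
| \Repository\CanDeleteRepository | ø | | | | | | | | |
| \Repository\CanDeployRepository | ø | | | | | | | | |
| \Repository\CanUpdatePasswordPolicy | ø | | | | | | | | |
| \Repository\CanUpdateRepository | ø | | | | | | | | |
| Roles | | | | | | | | | |
| \Roles\CanCreateApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanCreateSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanCreateSystemRole | ø | | | | | | | | |
| \Roles\CanDeleteApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanDeleteSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanDeleteSystemRole | ø | | | | | | | | |
| \Roles\CanGrantRevokeApplicationRolesToGroups | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanGrantRevokeApplicationRolesToUsers | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanGrantRevokeSharedRolesToGroups | ø | | | | | ø | ø | | |
| \Roles\CanGrantRevokeSharedRolesToUsers | ø | | | | | ø | ø | | |
| \Roles\CanGrantRevokeSystemRolesToGroups | ø | | | | | | | | |
| \Roles\CanGrantRevokeSystemRolesToUsers | ø | | | | | | | | |
| \Roles\CanReadApplicationRole | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Roles\CanReadSharedRole | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Roles\CanReadSystemRole | ø | | | | | ø | ø | ø | ø |
| \Roles\CanUpdateApplicationRole | ø | ø | ø | ø | ø | ø | ø | | |
| \Roles\CanUpdateSharedRole | ø | | | | | ø | ø | | |
| \Roles\CanUpdateSystemRole | ø | | | | | | | | |
| Users | | | | | | | | | |
| \Users\CanApprovePendingUsers | ø | | | | | ø | ø | | |
| \Users\CanAssignRemoveUsersToGroups | ø | | | | | ø | ø | | |
| \Users\CanCreateUser | ø | | | | | ø | ø | | |
| \Users\CanDeleteUser | ø | | | | | ø | ø | | |
| \Users\CanLockUnlockUser | ø | | | | | ø | ø | | |
| \Users\CanReadAllUsers | ø | | | | | | | ø | |
| \Users\CanReadUser | ø | ø | ø | ø | ø | ø | ø | ø | ø |
| \Users\CanUpdateUser | ø | | | | | ø | ø | | |
| ADFS | | | | | | | | | |
| \ADFS\CanCreateADFSServer | ø | | | | | | | | |
| \ADFS\CanDeleteADFSServer | ø | | | | | | | | |
| \ADFS\CanUpdateADFSServer | ø | | | | | | | | |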

13.2 Master Administrator

If you have been granted the Master Administrator role, you will have full access to all the resources of the Visual Guard tools.

  • The Master Administrator will be assigned the following permission sets by default:

| Description | Remarks |
|---|---|
| Auditor permissions | This option allows read-only access to the repository and consulting the event log. |
| Deployer permissions | This option allows deploying the application. |
| Developer Deployer permissions | This option allows deploying and editing applications, permissions, users and roles, but not the repositories. |
| Developer Permissions | This option allows creating applications and defining roles, permissions, and permission sets. |

  • The Master Administrator will be assigned the following permissions by default:

| Description | Remarks |
|---|---|
| Applications\Can Create Applications | This permission allows creating a new application. |
| Applications\Can Delete Applications | This permission allows deleting an application. |
| Applications\Can Deploy Application | This permission allows deploying an application. |
| Applications\Can Read All Application | This permission gives you the right to read all applications. |
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Applications\Can Update Application | This permission gives you the right to update an application. |
| Audit and Reporting\Can Edit Event Log Category | This permission gives you the right to edit an event log category. |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Create Group | This permission gives you the right to create a group. |
| Groups\Can Delete Group | This permission gives you the right to delete a group. |
| Groups\Can Read All Groups | This permission gives you the right to read all groups. |
| Groups\Can Read Group | This permission gives you the right to read groups that have been assigned to you. |
| Permissions\Can Create Permission | This permission gives you the right to create a permission. |
| Permissions\Can Delete Permission | This permission gives you the right to delete a permission. |
| Permissions\Can Read Permission | This permission gives you the right to read a permission. |
| Permissions\Can Update Permission | This permission gives you the right to update a permission. |
| Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set. |
| Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set. |
| Repository\Can Delete Repository | This permission gives you the right to delete a repository. |
| Repository\Can Deploy Repository | This permission gives you the right to deploy a repository. |
| Repository\Can Update Password Policy | This permission gives you the right to update a password policy. |
| Repository\Can Update Repository | This permission gives you the right to update a repository. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Create Shared Role | This permission gives you the right to create a shared role. |
| Roles\Can Create System Role | This permission gives you the right to create a system role. |
| Roles\Can Delete Application Role | This permission gives you the right to delete an application role. |
| Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Roles\Can Delete System Role | This permission gives you the right to delete a system role. |
| Roles\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Roles\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Roles\Can Grant Revoke System Roles To Groups | This permission gives you the right to grant or revoke system roles to groups. |
| Roles\Can Grant Revoke System Roles To Users | This permission gives you the right to grant or revoke system roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Update Shared Role | This permission gives you the right to update a shared role. |
| Roles\Can Update System Role | This permission gives you the right to update a system role. |
| Users\Can Approve Pending Users | This permission gives you the right to approve or deny users. |
| Users\Can Assign Remove Users To Groups | This permission gives you the right to assign or remove users to the group. |
| Users\Can Create User | This permission gives you the right to create a user. |
| Users\Can Delete User | This permission gives you the right to delete a user. |
| Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Users\Can Read All Users | This permission gives you the right to read all users. |
| Users\Can Read User | This permission gives you the right to read a user. |
| Users\Can Update User | This permission gives you the right to update a user. |
| ADFS\Can Create ADFS Server | This permission allows creating a new ADFS Server. |
| ADFS\Can Delete ADFS Server | This permission gives you the right to delete an ADFS Server. |
| ADFS\Can Update ADFS Server | This permission gives you the right to update an ADFS Server. |


13.3 User Administrator

This user can create new users and can read only those users that belong to the groups assigned to the user. Additionally, the user can create groups and can read only the group(s) assigned to the logged-in user.

The user can grant or revoke the Application, Shared & System roles to Groups/Users.

  • The User Administrator will be assigned the User Administrator and Restricted User Administrator permission sets by default.
  • The User Administrator will be assigned the following permissions by default:

Description | Remarks
User Administrator Permissions
Applications\Can Read All Applications | This permission gives you the right to read all the applications.
Restricted User Administrator Permissions
Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate the documentation.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Create Group | This permission gives you the right to create a group.
Groups\Can Delete Group | This permission gives you the right to delete a group.
Groups\Can Read Group | This permission gives you the right to read a group.
Groups\Can Update Group | This permission gives you the right to update a group.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Create Shared Role | This permission gives you the right to create a shared role.
Roles\Can Delete Application Role | This permission gives you the right to delete an application role.
Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users.
Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to the groups.
Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to the users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
Roles\Can Read System Role | This permission gives you the right to read a system role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Update Shared Role | This permission gives you the right to update a shared role.
Users\Can Approve Pending Users | This permission gives you the right to approve or deny users.
Users\Can Assign Remove Users To Groups | This permission gives you the right to assign users to or remove users from the group.
Users\Can Create User | This permission gives you the right to create a user.
Users\Can Delete User | This permission gives you the right to delete a user.
Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user.
Users\Can Read User | This permission gives you the right to read a user.
Users\Can Update User | This permission gives you the right to update a user.

  • The impact of these permissions is described in the sections below.

Please Note: The sections on which the role has no impact have not been listed.

Impact of User Administrator Role on Applications

This module explains the impact on the applications if the user has been granted the User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Read All Applications | This permission gives you the right to read all applications.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read All Applications permission, the user will be able to view the details of all the applications.
  • The user can click on the application name to view the application information as shown below:
  • The application information will be available in read-only mode.

Impact of User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Generate Documentation | This permission gives you the right to generate documentation.
Can Read Event Log | This permission gives you the right to read an Event Log.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation of each entity in the Visual Guard console.
  • The Can Read Event Log permission allows the user to view the event log as shown below:

Impact of User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted the User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Group | This permission gives you the right to create a group.
Can Delete Group | This permission gives you the right to delete a group.
Can Read Group | This permission gives you the right to read a group.
Can Update Group | This permission gives you the right to update a group.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to him.
  • The parent groups of the assigned group will also be displayed.
  • The list of available privileges is determined automatically from the user's privileges and the privileges of the assigned group.
  • The Can Create Group privilege allows the user to create a group. This option will be available only if a group has been assigned to the user.
  • The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.
  • Since the user has the Can Delete Group and Can Update Group privileges, he can remove or update group-related details.

Impact of User Administrator Role on Roles

This module explains the impact on the roles if the user has been granted the User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Create Shared Role | This permission gives you the right to create a shared role.
Can Delete Application Role | This permission gives you the right to delete an application role.
Can Delete Shared Role | This permission gives you the right to delete a shared role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users.
Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to the groups.
Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to the users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Read System Role | This permission gives you the right to read a system role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Update Shared Role | This permission gives you the right to update a shared role.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application since he has the Can Create Application Role privilege.
  • The new role will be listed under the Application > Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update role details by clicking on Application > Role > Rolename.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant or revoke roles for users using the “Grant role to users” and “Revoke role from users” options available under the “Granted User” tab.

Please Note: You can also grant or revoke a user's roles through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the “Grant role to users” option, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the “Revoke role from users” option, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the “Yes” option, the role will be successfully revoked and the message below will appear:

  • The user can also grant or revoke the role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • The user can delete the application role since he has the Can Delete Application Role privilege.
  • Additionally, the User Administrator has access to manage the Shared Roles.
  • The Can Create Shared Role privilege allows the user to create a new Shared Role.
  • The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:
  • The user has the privilege to read and update the shared role information, since he has been granted the Can Read Shared Role and Can Update Shared Role privileges.
  • Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege, the user can edit the granted users option.
  • The user can select and edit the members for the selected role.
  • The user can also grant the shared role to the groups, since the user has the Can Grant Revoke Shared Roles To Groups privilege.
  • The user can assign the shared role to the group.
  • The user can delete the shared role, since he has the Can Delete Shared Role privilege.
  • The User Administrator can only view the System Roles information, since he has the Can Read System Role privilege.
  • The user can view and update the role details by clicking on Application > Role > Rolename.

 
Impact of User Administrator Role on Users

This module explains the impact on the user related permissions if the user has been granted a User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create User | This permission gives you the right to create a user.
Can Delete User | This permission gives you the right to delete a user.
Can Lock Unlock User | This permission gives you the right to lock or unlock a user.
Can Read User | This permission gives you the right to read a user.
Can Update User | This permission gives you the right to update a user.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new user, since he has the Can Create User privilege.
  • The user can create a user only under the groups assigned to him.
  • When the user clicks on the new user option, the following screen will be displayed:
  • Click “OK” to complete the user creation.
  • The new user account will be created and will be displayed in the grid on the right side.
  • The user can view the user details by clicking on the user name as shown below:
  • Since the user has the Can Read User and Can Update User privileges, the user will be able to update the user details.
  • The User Administrator can delete the user, since he has the Can Delete User privilege.
  • Additionally, the User Administrator can lock or unlock user accounts since he has the Can Lock Unlock User permission.


13.4 Restricted User Administrator

This user can manage users and roles in a given application.
This user type is also allowed to manage users and roles of the applications for which the user is a member of the ‘Membership Manager’ role.

  • The Restricted User Administrator will be assigned the Restricted User Administrator permission set by default.
  • The Restricted User Administrator will be assigned the following permissions by default:

Description | Remarks
Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Create Group | This permission gives you the right to create a group.
Groups\Can Delete Group | This permission gives you the right to delete a group.
Groups\Can Read Group | This permission gives you the right to read a group.
Groups\Can Update Group | This permission gives you the right to update a group.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Create Shared Role | This permission gives you the right to create a shared role.
Roles\Can Delete Application Role | This permission gives you the right to delete an application role.
Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups.
Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
Roles\Can Read System Role | This permission gives you the right to read a system role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Update Shared Role | This permission gives you the right to update a shared role.
Users\Can Approve Pending Users | This permission gives you the right to approve or deny users.
Users\Can Assign Remove Users To Groups | This permission gives you the right to assign users to or remove users from the group.
Users\Can Create User | This permission gives you the right to create a user.
Users\Can Delete User | This permission gives you the right to delete a user.
Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user.
Users\Can Read User | This permission gives you the right to read a user.
Users\Can Update User | This permission gives you the right to update a user.

  • The impact of these permissions is described in the sections below.

 

Impact of Restricted User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Generate Documentation | This permission gives you the right to generate documentation.
Can Read Event Log | This permission gives you the right to read an Event Log.

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation for the available entities.
  • The Can Read Event Log permission allows access to the event log as shown below:

Impact of Restricted User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Group | This permission gives you the right to create a group.
Can Delete Group | This permission gives you the right to delete a group.
Can Read Group | This permission gives you the right to read a group.
Can Update Group | This permission gives you the right to update a group.

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to him.
  • The parent groups of the assigned group will also be displayed.
  • The list of available privileges is determined automatically from the user's privileges and the privileges of the assigned group.
  • The Can Create Group privilege allows the user to create a group. This option will be available only if the user has been assigned to a group.
  • The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.
  • Since the user has the Can Delete Group and Can Update Group privileges, he can remove or update group-related details.

Impact of Restricted User Administrator Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted User Administrator Role.

The user will be allowed to manage only those applications for which the user is a member of the ‘Membership Manager’ role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Create Shared Role | This permission gives you the right to create a shared role.
Can Delete Application Role | This permission gives you the right to delete an application role.
Can Delete Shared Role | This permission gives you the right to delete a shared role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups.
Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Update Shared Role | This permission gives you the right to update a shared role.

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application (for which he has the “Membership Manager” role), since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application > Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update role details by clicking on Application > Role > Rolename.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant or revoke roles for users using the “Grant role to users” and “Revoke role from users” options available under the “Granted User” tab.

Please Note: You can also grant or revoke a user's roles through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the “Grant role to users” option, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the “Revoke role from users” option, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the “Yes” option, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • The user can delete the application role since he has the Can Delete Application Role privilege.
  • Additionally, the Restricted User Administrator has access to manage the Shared Roles.
  • The Can Create Shared Role privilege allows the user to create a new Shared Role.
  • The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:
  • Because of the Can Read Shared Role and Can Update Shared Role privileges, the user can read and update shared roles; the role details will be displayed in editable mode.
  • Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege, the user can edit the granted users option.
  • The user can select and edit the members for the selected role.
  • The user can grant the shared role to the groups, since he has the Can Grant Revoke Shared Roles To Groups privilege.
  • The user can assign the shared role to the group.
  • The user can delete the shared role since he has the Can Delete Shared Role privilege.
  • The Restricted User Administrator can also view the system roles in read-only mode because of the Can Read System Role privilege.

 
Impact of Restricted User Administrator Role on Users

This module explains the impact on the users if the user has been granted a Restricted User Administrator Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create User | This permission gives you the right to create a user.
Can Delete User | This permission gives you the right to delete a user.
Can Lock Unlock User | This permission gives you the right to lock or unlock a user.
Can Read User | This permission gives you the right to read a user.
Can Update User | This permission gives you the right to update a user.

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new user because of the Can Create User privilege.
  • The user can create a user only under the groups assigned to him.
  • When the user clicks on the new user option, the following screen will be displayed.
  • When the user clicks “OK”, the new user account will be created and will be displayed in the grid on the right side.
  • The user can view the user details by clicking on the user name as shown below:
  • Since the user has the Can Read User and Can Update User privileges, the user will be able to update the user details.
  • The Restricted User Administrator will have the privilege to delete the user, since he has the Can Delete User privilege.
  • Additionally, the Restricted User Administrator can lock or unlock user accounts because of the Can Lock Unlock User permission assigned to him.


13.5 Developer

This user type has the right to edit, update and remove permissions and permission sets. The users can only create application roles and grant or revoke them to groups and users.

  • The Developer will be assigned the Developer and Restricted Developer permission sets by default.
  • Depending on the permission sets, the Developer will be assigned the following permissions by default:

Description | Remarks
Developer
Applications\Can Read All Applications | This permission gives you the right to read all applications.
Restricted Developer | This user type has permission to edit the applications, permissions, users and roles of the applications for which the user is a member of the ‘Membership Manager’ role.
Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Audit and Reporting\Can Read Group | This permission gives you the right to read a group.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.

  • The impact of these permissions is described in the sections below.

Impact of Developer Role on Applications

This module explains the impact on the applications if the user has been granted the Developer Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Read All Applications | This permission gives access to read all applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications takes precedence.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the application name to view the application information as shown below:
  • The application information will be available in editable mode since the user has the Can Update Application privilege.
  • The user can update information related to all the applications.
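
The scoping rule described above (Can Read All Applications takes precedence over Can Read Application, which is limited to applications where the user holds the ‘Membership Manager’ role) can be modelled to review who ends up with repository-wide rights. This is an added example, not Visual Guard code or API: the permission names come from the tables on this page, while the function names, the sample accounts and applications, and the assumption that Can Update Application follows the read scope are hypothetical.

```python
"""Added example: a model of the application-scope rule, not Visual Guard code.

Permission names are copied from the tables on this page. Function names,
sample accounts and sample applications are hypothetical.
"""
from dataclasses import dataclass, field

READ_ALL = r"Applications\Can Read All Applications"
READ_SCOPED = r"Applications\Can Read Application"
UPDATE = r"Applications\Can Update Application"

# Applications\ entries of the permission sets as listed on this page.
PERMISSION_SETS = {
    "Developer": {READ_ALL},
    "Restricted Developer": {READ_SCOPED, UPDATE},
    "User Administrator": {READ_ALL},
}


@dataclass
class Account:
    name: str
    permission_sets: list
    # Applications in which the account holds the 'Membership Manager' role.
    membership_manager_of: set = field(default_factory=set)

    def permissions(self):
        """Union of the permissions of every assigned permission set."""
        granted = set()
        for set_name in self.permission_sets:
            granted |= PERMISSION_SETS[set_name]
        return granted


def readable_apps(account, all_apps):
    """Applications the account can read under the precedence rule."""
    granted = account.permissions()
    if READ_ALL in granted:
        # Can Read All Applications takes precedence over the scoped permission.
        return set(all_apps)
    if READ_SCOPED in granted:
        # Scoped read: only applications where the account is Membership Manager.
        return set(all_apps) & account.membership_manager_of
    return set()


def updatable_apps(account, all_apps):
    """Assumption: Can Update Application applies to whatever is readable."""
    if UPDATE not in account.permissions():
        return set()
    return readable_apps(account, all_apps)


def scope_widening(accounts, all_apps):
    """Accounts whose update rights exceed their Membership Manager scope."""
    findings = {}
    for account in accounts:
        extra = updatable_apps(account, all_apps) - account.membership_manager_of
        if extra:
            findings[account.name] = sorted(extra)
    return findings


# Constructed sample data.
ALL_APPS = {"HR", "Payroll", "CRM"}
ACCOUNTS = [
    Account("dev_default", ["Developer", "Restricted Developer"], {"HR"}),
    Account("dev_restricted", ["Restricted Developer"], {"HR"}),
    Account("user_admin", ["User Administrator"]),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.name,
              "reads", sorted(readable_apps(acct, ALL_APPS)),
              "updates", sorted(updatable_apps(acct, ALL_APPS)))
    print("wider than Membership Manager scope:",
          scope_widening(ACCOUNTS, ALL_APPS))
```

The default Developer assignment carries both permission sets, so the precedence rule gives update rights on every application; in this model, assigning only the Restricted Developer set keeps the account inside its ‘Membership Manager’ applications.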

Impact of Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Developer Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The Can Read Event Log permission allows the user to view the event log as shown below:

 
Impact of Developer Role on Groups

This module explains the impact on the groups if the user has been granted the Developer Role.

  • The user will be assigned the following permissions:

Description | Remarks
Groups\Can Read Group | This permission gives access to read a group for which you have the role “Membership Manager”.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • The privileges that are available to the user will depend on the user and the group privileges.

Impact of Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted the Developer Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the permissions to create, delete, read and update permissions, the user will be able to update existing permissions in addition to creating new ones.
  • Additionally, the user can manage the other permission-related properties using the available options.

Impact of Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Developer Role.

  • The user will be assigned the following permissions:

Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission set.
Can Delete Permission Set | This permission gives you the right to delete a permission set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read a permission set.
Can Update Permission Set | This permission gives you the right to update a permission set.

  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the permissions to create, delete, read and update permission sets, the user will be able to update existing permission sets in addition to creating new ones.
  • Additionally, the user can manage the other permission-set-related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets To Application Roles privilege, the user can grant permission sets to the selected role as shown below.
  • The user can also grant the permission set to the shared roles, since the user has the Can Grant Revoke Permission Sets To Shared Roles privilege.

 

Impact of Developer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Update Application Role | This permission gives you the right to update an application role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • The user can create a new role under an application, since the user has Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant or revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear.

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “YES”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application under which it has been created. The user can select and grant this new role.
  • Since the user has Can Read System Role privilege the system role information will be displayed in read only mode.
  • Since the user has Can Read Shared Role privilege the shared role information will be displayed in read only mode.
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update existing application role details.
  • To update the role information click on the role name under Applications> Role.

13.6 Restricted Developer

This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role.

  • The Restricted Developer will be assigned the restricted developer permission set by default.
  • The Restricted Developer will be assigned following permissions by default for the applications for which he has been granted role:
Description | Remarks
Applications\Can Read Application | This permission gives you the right to read applications for which you have the “Membership Manager” role.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Read Group | This permission gives you the right to read group.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission Set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission Set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Permission Sets\Can Read Permission Set | This permission gives you the right to read permission Set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission Set.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
  • The impact of these permissions is explained in the sections below.

Please Note: The sections on which the role has no impact have not been listed.

Impact of Restricted Developer Role on Applications

This module explains the impact on the applications if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Deploy Application | This permission gives you the right to deploy the applications for which you have the “Membership Manager” role.
Can Read Application | This permission gives you the right to read applications for which you have the “Membership Manager” role.
Can Update Application | This permission gives you the right to update an application.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The applications for which the user has Membership Manager role will be displayed.
  • The user can deploy the application, since the user has the Can Deploy Application permission.
  • Since the user has the Can Read Application permission, when the user clicks on the application name the application details (A) will be displayed.
  • The application information will be available in an editable mode since the user has the Can Update Application privilege.
  • The user can update information related to the applications.

Impact of Restricted Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A) for which he has the Membership Manager role.
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer Role on Groups

This module explains the impact on the groups if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Read Group | This permission gives you the right to read group.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A) for which he has the Membership Manager role. 
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Restricted Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
  • Additionally the user can manage the other permission related properties using the available options.

Impact of Restricted Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission Set.
Can Delete Permission Set | This permission gives you the right to delete a permission Set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read permission Set.
Can Update Permission Set | This permission gives you the right to update a permission Set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager Role.
  • Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update existing permission set besides having the privilege to create the permission sets.
  • Additionally the user can manage the other permission set related properties using the available options. 
  • Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.
  • The user can also grant the permission set to the Shared roles, since the user has the Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Restricted Developer Role on Roles

This module explains the impact on the roles if the user has been granted Restricted Developer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Update Application Role | This permission gives you the right to update an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privilege, the user can view and update role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant or revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear.

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking on the option “YES”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • Although the user can create an application role, the user can only read system roles, since the user has the Can Read Shared Role privilege.
  • Since the user has the Can Read Shared Role privilege the shared role information will be displayed in read only mode.
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

13.7 Developer Deployer

This type of user can edit applications, permissions, roles and users but not the repository. The user can also deploy the applications.

  • The Developer Deployer will be assigned both the Deployer and Developer permission sets by default.
  • The developer permission set will comprise both the developer and restricted developer permission sets.
  • Depending on the permission sets the Developer Deployer will be assigned the following permissions by default:
Description | Remarks
Deployer
Applications\Can Deploy Application | This permission gives you the right to deploy applications.
Developer Permissions
Applications\Can Read All Applications | This permission gives you the right to read all applications.
Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Groups\Can Read Group | This permission gives you the right to read group.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission Set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission Set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Permission Sets\Can Read Permission Set | This permission gives you the right to read permission Set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission Set.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
  • The impact of these permissions is explained in the sections below.

Please Note: The sections on which the role has no impact have not been listed.

Impact of Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Developer Deployer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Deploy Applications | This permission gives you the right to deploy the applications.
Can Read All Applications | This permission gives you the right to read all the applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • The user can deploy the applications since he has the Can Deploy Applications permission.
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override Can Read Application.
  • The user can click on the Application name to view the application information as shown below:
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.

Impact of Developer Deployer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Developer Deployer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
\Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view a list of all the applications (A).
  • Since the user has the Can Read Groups permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted Developer Deployer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
  • Additionally the user can manage the other permission related properties using the available options.

Impact of Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission Set.
Can Delete Permission Set | This permission gives you the right to delete a permission Set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read permission Set.
Can Update Permission Set | This permission gives you the right to update a permission Set.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update existing permission set besides having the privilege to create the permission sets.
  • Additionally the user can manage the other permission set related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.
  • The user can also grant the permission set to the Shared roles, since the user has the Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Deployer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Create Application Role | This permission gives you the right to create an application role.
Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to the groups.
Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to the users.
Can Read Application Role | This permission gives you the right to read an application role.
Can Read Shared Role | This permission gives you the right to read a shared role.
Can Update Application Role | This permission gives you the right to update an application role.
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • The user can create a new role under an application because he has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant or revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant or revoke the roles of users through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear.

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:
  • Once confirmed by clicking on the option “YES”, the role will be successfully revoked and the message below will appear:
  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select and grant the role.
  • Although the user can create an application role, the user can only read the system roles because of the Can Read Shared Role privilege.
  • Since the user has the Can Read Shared Role privilege, the shared role information will be displayed in read only mode (A).
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can edit Granted users option.
  • To update the role information click on the role name under the Applications>Role.

13.8 Restricted Developer Deployer

This type of user can create or edit the applications, permissions, users and roles of the applications for which the user has been granted the ‘Membership Manager’ role.

  • The Restricted Developer Deployer will be assigned both the Deployer and Restricted Developer permission sets by default.
  • The Restricted Developer Deployer will be assigned the following permissions by default:
Description | Remarks
Applications\Can Deploy Application | This permission allows deploying application.
Applications\Can Read Application | This permission gives you the right to read an application.
Applications\Can Update Application | This permission gives you the right to update an application.
Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log.
Permissions\Can Create Permission | This permission gives you the right to create a permission.
Permissions\Can Delete Permission | This permission gives you the right to delete a permission.
Permissions\Can Read Permission | This permission gives you the right to read a permission.
Permissions\Can Update Permission | This permission gives you the right to update a permission.
Permission Sets\Can Create Permission Set | This permission gives you the right to create a permission Set.
Permission Sets\Can Delete Permission Set | This permission gives you the right to delete a permission set.
Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set.
Permission Sets\Can Update Permission Set | This permission gives you the right to update a permission set.
Permission Sets\Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Permission Sets\Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Roles\Can Create Application Role | This permission gives you the right to create an application role.
Roles\Can Update Application Role | This permission gives you the right to update an application role.
Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups.
Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users.
Roles\Can Read Application Role | This permission gives you the right to read an application role.
Roles\Can Read Shared Role | This permission gives you the right to read a shared role.
  • The impact of each permission is explained in the sections below.

Please Note: The sections on which the role has no impact have not been listed.

Impact of Restricted Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
Can Deploy Application | This permission gives you the right to deploy applications.
Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application | This permission gives you the right to update an application.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The applications for which the user has Membership Manager role will be displayed.
  • The user can deploy the application, since the user has the Can Deploy Application permission.
  • Since the user has the Can Read Application permission, when the user clicks on the application name the application details (A) will be displayed.
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.
  • The user can update information related to the applications.
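The two Applications sections above (Developer Deployer and Restricted Developer Deployer) differ only in read scope. The following sketch is an added example, not Visual Guard code: it models the permission sets with a constructed data model and assumes, as the page describes, that displayed applications are editable when Can Update Application is held. The user and application names are constructed.

```python
"""Added example: which applications a console user can read and edit under the
Developer Deployer and Restricted Developer Deployer roles described above.
The data model is constructed for illustration; it is not Visual Guard's API."""
from dataclasses import dataclass, field

# Permission names taken from the "Applications" tables on this page.
DEPLOY = "Can Deploy Application"
READ_ALL = "Can Read All Applications"
READ_SCOPED = "Can Read Application"  # only "Membership Manager" applications
UPDATE = "Can Update Application"

# Applications permissions carried by each permission set, as listed on the page.
PERMISSION_SETS = {
    "Deployer": {DEPLOY},
    "Developer": {READ_ALL, READ_SCOPED, UPDATE},
    "Restricted Developer": {READ_SCOPED, UPDATE},
}

# Permission sets each composite role receives by default.
ROLE_PERMISSION_SETS = {
    "Developer Deployer": ("Deployer", "Developer"),
    "Restricted Developer Deployer": ("Deployer", "Restricted Developer"),
}


@dataclass
class ConsoleUser:
    name: str
    role: str
    # Applications on which this user holds the "Membership Manager" role.
    membership_manager_of: frozenset = field(default_factory=frozenset)


def effective_permissions(role):
    """Union of the permissions in every permission set assigned to the role."""
    perms = set()
    for set_name in ROLE_PERMISSION_SETS[role]:
        perms |= PERMISSION_SETS[set_name]
    return perms


def readable_applications(user, all_apps):
    """Can Read All Applications overrides the scoped Can Read Application."""
    perms = effective_permissions(user.role)
    if READ_ALL in perms:
        return set(all_apps)
    if READ_SCOPED in perms:
        return set(all_apps) & set(user.membership_manager_of)
    return set()


def editable_applications(user, all_apps):
    """Assumption: a displayed application is editable if Can Update Application is held."""
    if UPDATE not in effective_permissions(user.role):
        return set()
    return readable_applications(user, all_apps)


def out_of_scope_readers(users, all_apps):
    """Map each user to the applications they can read without being Membership Manager."""
    report = {}
    for user in users:
        extra = readable_applications(user, all_apps) - set(user.membership_manager_of)
        if extra:
            report[user.name] = sorted(extra)
    return report


# Constructed sample data for the demonstration.
APPS = ["Billing", "HR", "Inventory"]
USERS = [
    ConsoleUser("alice", "Developer Deployer", frozenset({"Billing"})),
    ConsoleUser("bob", "Restricted Developer Deployer", frozenset({"HR"})),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, "reads", sorted(readable_applications(u, APPS)))
    print("out of scope:", out_of_scope_readers(USERS, APPS))
```

Running an audit like `out_of_scope_readers` over an export of console accounts shows which ones hold repository-wide read access where the restricted variant of the role would suffice.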

Impact of Restricted Developer Deployer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
Can Read Event Log | This permission gives you the right to read an Event Log.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager Role.
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned following permissions:
Description | Remarks
Can Read Group | This permission gives you the right to read the group.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager Role.
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to the user.
  • The parent groups of the assigned group will also be displayed.
  • Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Restricted Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
Can Create Permission | This permission gives you the right to create a permission.
Can Delete Permission | This permission gives you the right to delete a permission.
Can Read Permission | This permission gives you the right to read a permission.
Can Update Permission | This permission gives you the right to update a permission.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
  • Additionally the user can manage the other permission related properties using the available options.

Impact of Restricted Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned the following permissions:
Description | Remarks
Can Create Permission Set | This permission gives you the right to create a permission Set.
Can Delete Permission Set | This permission gives you the right to delete a permission Set.
Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set | This permission gives you the right to read permission Set.
Can Update Permission Set | This permission gives you the right to update a permission Set.
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A) for which he has been granted the Membership Manager Role.
  • Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update an existing permission set besides having the privilege to create the permission sets.
  • Additionally the user can manage the other permission set related properties using the available options.
  • Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.
  • The user can also grant the permission set to the Shared roles, since the user has Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Restricted Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer Deployer Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Update Application Role | This permission gives you the right to update an application role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant/revoke roles of users through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking “YES”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application, the user can select and grant role.
  • Since the user has the Can Read Shared Role privilege the shared role information will be displayed in the read only mode.
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

13.9 Auditor

This user can access the repository in read-only mode and can also read the log and print the report.

  • The Auditor will be granted the Auditor and Restricted Auditor permission sets by default.
  • Depending on the permission sets the Auditor will be assigned following permissions by default:
Auditor Permissions

| Description | Remarks |
|---|---|
| Applications\Can Read All Applications | This permission gives you the right to read all applications. |
| Users\Can Read All Users | This permission gives you the right to read all users. |
| Groups\Can Read All Groups | This permission gives you the right to read all groups. |

Restricted Auditor Permissions: The restricted auditor role will have access to applications for which he has been granted “Membership Manager” role.

| Description | Remarks |
|---|---|
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager” |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Read Group | This permission gives you the right to read group. |
| Users\Can Read User | This permission gives you the right to read user. |
| Permissions\Can Read Permission | This permission gives you the right to read a permission. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |

Impact of Auditor Role on Applications

This module explains the impact on the applications if the user has been granted Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read All Applications | This permission gives access to read all applications. |
| Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the Application name to view the application information as shown below:
  • Other application related options will be disabled as shown below:

Impact of Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| CanGenerateDocumentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate documentation of each entity in the Visual Guard console.
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Auditor Role on Groups

This module explains the impact on the groups if the user has been granted an Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| \Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”. |
| \Groups\CanReadAllGroups | This permission gives you the right to read all the groups. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has both the Can Read All Groups and Can Read Group permissions, Can Read All Groups will override.
  • The user will be able to view the list of all the groups.
  • The user cannot rename, remove or add a new group; the options will be disabled as shown below:

Impact of Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted an Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read Permission | This permission gives you the right to read a permission. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has the Can Read Permission permission, all permission details will be displayed in read-only mode. (A)
  • Additionally the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted an Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read Permission Sets | This permission gives you the right to read a permission set. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has the permission to read permission sets, all permission set details will be displayed in read-only mode. (A)
  • Additionally the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Auditor Role on Roles

This module explains the impact on the roles if the user has been granted an Auditor Role.

The User will be assigned following permissions:

| Description | Remarks |
|---|---|
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Read System Role | This permission gives you the right to read a system role. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has Can Read Application Role privilege he can view just the role details.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly the Can Read Shared Role privilege will allow the user to view the shared role information in read only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly the Can Read Special Role privilege will allow the user to view the special role information in read only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Auditor Role on Users

This module explains the impact on the users if the user has been granted an Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read All Users | This permission gives you the right to read all users |
| Can Read User | This permission gives you the right to read user |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has both the Can Read All Users and Can Read User permissions, Can Read All Users will override.
  • Can Read All Users permission will allow the user to view the list of all users.
  • The user can view the user details by clicking on username.
  • All details will be displayed in read only mode.

13.10 Restricted Auditor

This user has the same privileges as the auditor except that his access is limited to a single application.

The permission allows auditing applications for which the user is a member of the ‘Membership Manager’ role.

  • The Restricted Auditor will be assigned the following permission set by default:

| Description | Remarks |
|---|---|
| Restricted Auditor permissions | This permission gives you the right to audit applications for which you have the role “Membership Manager”. |

  • The Restricted Auditor will be assigned the following permissions by default:

| Description | Remarks |
|---|---|
| Applications\Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate the documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Read Group | This permission gives you the right to read a group. |
| Groups\Can Read Permission | This permission gives you the right to read a permission. |
| Permission Sets\Can Read Permission Set | This permission gives you the right to read a permission set. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Users\Can Read User | This permission gives you the right to read a user. |

Impact of Restricted Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • Since the user has permissions to Can Read Application, the user will be able to view the application details in read only format.
  • Once the user clicks on the Application name the application details will be displayed as below:
  • Other application related options will be disabled as shown below:

Impact of Restricted Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| CanGenerateDocumentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The Restricted Auditor Role does not have permission to view the application list; hence, as soon as the user logs in, the screen below is displayed.
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation.
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Auditor Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| \Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has the Can Read Group permission, he will be able to view the list of groups that are assigned to him.
  • If a child group is assigned to the user, the parent group will automatically be displayed as well.
  • The user will be able to view list of all the groups. (B)
  • Depending on the roles assigned to the user and to the group, the role with maximum privileges will take effect.
  • For example, if the user has the Restricted Auditor role and the assigned group has the Master Administrator role, the user will be granted the Master Administrator role.

Impact of Restricted Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted a Restricted Auditor Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Read Permission | This permission gives you the right to read a permission. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has permissions to Read permissions all permission details will be displayed in read only mode. (A)
  • Additionally the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Restricted Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted a Restricted Auditor Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Read Permission Sets | This permission gives you the right to read a permission set. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view a list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has permissions to Read permission sets all permission set details will be displayed in read only mode. (A)
  • Additionally the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Restricted Auditor Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted Auditor Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Read System Role | This permission gives you the right to read a system role. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has Can Read Application Role privilege the user can view only the role details of the application for which the user has Membership Manager role.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly the Can Read Shared Role privilege will allow the user to view the shared role information in read only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:
  • Similarly the Can Read Special Role privilege will allow the user to view the special role information in read only mode.
  • Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Restricted Auditor Role on Users

This module explains the impact on the users if the user has been granted a Restricted Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read User | This permission gives you the right to read user |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A) for which he has the Membership Manager role.
  • Since the user has the Can Read User permission, the user can view the list of all users that belong to the same group as the user.
  • Additionally, depending on the group permissions, the list of users that are listed might vary.
  • For example, the current user has the restricted auditor permission, but if the user's group has the Master Administrator role then the list of all the users will be displayed.
  • The user can view the user details by clicking on the username.

13.11 MemberShipRole

Visual Guard allows you to manage the membership role and to manage the users and groups assigned to the role.

To view role-related details, follow the steps below:

  • The Membership Manager Role is displayed under Repository > Application > Roles.
  • For the Membership Manager role to take effect, you need to change the Membership Access Level available in the application.

13.12 Multiple role assignment

Visual Guard offers 9 predefined roles to the user. The users can be assigned one or more roles simultaneously.

Depending on the assignment, the system will automatically decide the level of access.

For example, create a user and grant him two special roles, namely Restricted Developer and Auditor.

The list of privileges assigned to the user will be as below:

Restricted DeveloperAuditor
Applicationsø
\Applications\CanReadAllApplicationsø
\Applications\CanReadApplicationø
\Applications\CanUpdateApplicationø
Audit and Reporting
\AuditAndReporting\CanGenerateDocumentationø
\AuditAndReporting\CanReadEventLogøø
Groups
\Groups\CanReadGroupøø
\Groups\CanReadAllGroupsø
Permissions
\Permissions\CanCreatePermissionø
\Permissions\CanDeletePermissionø
\Permissions\CanReadPermissionøø
\Permissions\CanUpdatePermissionø
Permission Sets
\PermissionSets\CanCreatePermissionSetø
\PermissionSets\CanDeletePermissionSetø
\PermissionSets\CanReadPermissionSetøø
\PermissionSets\CanUpdatePermissionSetø
\PermissionSets\CanGrantRevokePermissionSetsToApplicationRolesø
\PermissionSets\CanGrantRevokePermissionSetsToSharedRolesø
Roles
\Roles\CanCreateApplicationRoleø
\Roles\CanUpdateApplicationRoleø
\Roles\CanGrantRevokeApplicationRolesToGroupsø
\Roles\CanGrantRevokeApplicationRolesToUsersø
\Roles\CanReadApplicationRoleøø
\Roles\CanReadSharedRoleøø
\Roles\CanReadSystemRoleø
Users
\Users\CanReadAllUsersø
\Users\CanReadUserø
Domains
\Domains\CanReadDomainø
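
The combination rules described in this chapter (the privileges of all granted roles add up, a "Can Read All …" right overrides its Membership-Manager-scoped counterpart, and roles held by the user's group apply as well) can be modelled for an access review. The Python below is an added example, not Visual Guard code: the role tables are abridged from the permission lists on this page, and the user names, group roles and function names are constructed assumptions.

```python
"""Access-review model of the role-combination rules described on this page.

Added example. Role tables are abridged from the page's permission lists;
users, group roles and function names are constructed for illustration and
are not part of any Visual Guard API.
"""

ROLE_PERMISSIONS = {
    "Auditor": {
        r"\Applications\CanReadAllApplications",
        r"\Applications\CanReadApplication",
        r"\AuditAndReporting\CanGenerateDocumentation",
        r"\AuditAndReporting\CanReadEventLog",
        r"\Groups\CanReadAllGroups",
        r"\Groups\CanReadGroup",
        r"\Permissions\CanReadPermission",
        r"\PermissionSets\CanReadPermissionSet",
        r"\Roles\CanReadApplicationRole",
        r"\Roles\CanReadSharedRole",
        r"\Roles\CanReadSystemRole",
        r"\Users\CanReadAllUsers",
        r"\Users\CanReadUser",
    },
    "Restricted Auditor": {
        r"\Applications\CanReadApplication",
        r"\AuditAndReporting\CanGenerateDocumentation",
        r"\AuditAndReporting\CanReadEventLog",
        r"\Groups\CanReadGroup",
        r"\Permissions\CanReadPermission",
        r"\PermissionSets\CanReadPermissionSet",
        r"\Roles\CanReadApplicationRole",
        r"\Roles\CanReadSharedRole",
        r"\Roles\CanReadSystemRole",
        r"\Users\CanReadUser",
    },
    # Abridged (assumption): a subset of the change rights listed on the page.
    "Restricted Developer": {
        r"\Applications\CanUpdateApplication",
        r"\Permissions\CanCreatePermission",
        r"\Permissions\CanUpdatePermission",
        r"\Permissions\CanDeletePermission",
        r"\PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles",
        r"\Roles\CanCreateApplicationRole",
        r"\Roles\CanGrantRevokeApplicationRolesToUsers",
        r"\Roles\CanReadApplicationRole",
    },
}

# category -> (repository-wide right, Membership-Manager-scoped right)
READ_SCOPES = {
    "Applications": ("CanReadAllApplications", "CanReadApplication"),
    "Groups": ("CanReadAllGroups", "CanReadGroup"),
    "Users": ("CanReadAllUsers", "CanReadUser"),
}
CHANGE_PREFIXES = ("CanCreate", "CanUpdate", "CanDelete", "CanGrantRevoke")
EVENT_LOG = r"\AuditAndReporting\CanReadEventLog"


def permissions_for(roles):
    """Union of all role permissions; an unknown role raises instead of
    silently counting as 'no permissions'."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"no permission table for role {role!r}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def read_scope(perms, category):
    """'all' wins over the scoped right when both are present."""
    all_name, scoped_name = READ_SCOPES[category]
    if f"\\{category}\\{all_name}" in perms:
        return "all"
    if f"\\{category}\\{scoped_name}" in perms:
        return "membership-manager"
    return "none"


def change_rights(perms):
    """Permissions whose leaf name creates, updates, deletes or grants."""
    return sorted(p for p in perms
                  if p.rsplit("\\", 1)[-1].startswith(CHANGE_PREFIXES))


def review(user, direct_roles, group_roles):
    """Effective rights of one user, split by where they come from."""
    direct = permissions_for(direct_roles)
    effective = direct | permissions_for(group_roles)
    changes = change_rights(effective)
    return {
        "user": user,
        "scopes": {c: read_scope(effective, c) for c in READ_SCOPES},
        "change_rights": changes,
        "gained_via_groups": sorted(effective - direct),
        "audit_plus_change": bool(changes) and EVENT_LOG in effective,
    }


# Constructed sample: (user, direct roles, roles held by the user's groups).
ASSIGNMENTS = [
    ("alice", ["Restricted Developer", "Auditor"], []),
    ("bob", ["Restricted Auditor"], []),
    ("carol", ["Restricted Auditor"], ["Restricted Developer"]),
]

if __name__ == "__main__":
    for user, direct, via_groups in ASSIGNMENTS:
        print(review(user, direct, via_groups))
```

In the sample, carol's direct role is read-only, yet every change right she holds arrives through her group, which is the case a review of direct role grants alone would miss.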

Impact of Restricted Developer and Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read All Applications | This permission gives access to read all the applications. |
| Can Read Application | This permission gives you the right to read applications for which you have the role “Membership Manager”. |
| Can Update Application | This permission gives you the right to update an application. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • Since the user has both the Can Read All Applications and Can Read Application permissions, Can Read All Applications will override.
  • The user will be able to view the list of all the applications (A).
  • The user can click on the Application name to view the application information as shown below:
  • The application information will be available in an editable mode, since the user has the Can Update Application privilege.
  • The user can update information related to all the applications.

Impact of Restricted Developer and Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| CanGenerateDocumentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate documentation of each entity in the Visual Guard console.
  • Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer and Auditor Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| \Groups\CanReadGroup | This permission gives access to read a group for which you have the role “Membership Manager”. |
| \Groups\CanReadAllGroups | This permission gives you the right to read all the groups. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • Since the user has both the Can Read All Groups and Can Read Group permissions, Can Read All Groups will override.
  • The user will be able to view the list of all the groups.
  • The user cannot rename, remove or add a new group; the options will be disabled as shown below:

Impact of Restricted Developer and Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Create Permission | This permission gives you the right to create a permission. |
| Can Delete Permission | This permission gives you the right to delete a permission. |
| Can Read Permission | This permission gives you the right to read a permission. |
| Can Update Permission | This permission gives you the right to update a permission. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • The user has the Can Create Permission permission; as a result, the New Permission option will be enabled.
  • The user has also been assigned the Update and Delete permissions; these privileges give the user access to the Rename, Remove, and Duplicate options as shown below.
  • The Can Read Permission permission allows the user to view the permission information when the user clicks on the permission name.

Impact of Restricted Developer and Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned the following permissions:
| Description | Remarks |
|---|---|
| Can Create Permission Set | This permission gives you the right to create a permission Set. |
| Can Delete Permission Set | This permission gives you the right to delete a permission Set. |
| Can Grant Revoke Permission Sets To Application Roles | This permission gives you the right to grant or revoke the permission sets of the application roles. |
| Can Grant Revoke Permission Sets To Shared Roles | This permission gives you the right to grant or revoke the permission sets of the shared roles. |
| Can Read Permission Set | This permission gives you the right to read permission Set. |
| Can Update Permission Set | This permission gives you the right to update a permission Set. |
  • Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • The user has the Can Create Permission Set permission; as a result, the New Permission Set option will be enabled.
  • The user has also been assigned the Update and Delete permissions for permission sets; these privileges give the user access to the Rename, Remove, and Duplicate options as shown below.
  • The Can Read Permission Set permission allows the user to view the permission set information when the user clicks on the permission name.
  • Additionally, the user will also have the Can Grant Revoke Permission Sets To Application Roles permission, which allows the user to modify the permission sets belonging to the application role.
  • The Can Grant Revoke Permission Sets To Application Roles permission allows access to the Edit Permission Set option as shown below:
  • When the user clicks on Edit Permission Sets, he will be able to grant or revoke the permission sets.
  • The Can Grant Revoke Permission Sets To Shared Roles permission allows the user to grant or revoke the permission sets listed under the shared role.
  • The Edit Permission Set will be available.
  • When the user clicks on Edit Permission Sets he will be able to grant or revoke the permission sets.

Impact of Restricted Developer and Auditor Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Update Application Role | This permission gives you the right to update an application role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read System Role | This permission gives you the right to read a system role. |
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view list of all the applications (A).
  • The user can create a new role under an application, since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant/revoke new roles to users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please Note: You can also grant/revoke roles of users through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the option “Grant role to users”, you are provided with a screen to select the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the option “Revoke role from users”, you will be asked for confirmation, as shown below:

Once confirmed by clicking “Yes”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application, the user can select and grant role.
  • Since the user has the Can Read System Role privilege the system role information will be displayed in read only mode.
  • Since the user has the Can Read Shared Role privilege the shared role information will be displayed in read only mode. 
  • Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

Impact of Restricted Developer and Auditor Role on Users

This module explains the impact on the users if the user has been granted the Restricted Developer and Auditor Role.

  • The User will be assigned following permissions:
| Description | Remarks |
|---|---|
| Can Read All Users | This permission gives you the right to read all users |
| Can Read User | This permission gives you the right to read a user |
  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has both the Can Read All Users and Can Read User permissions, the Can Read All Users permission will override.
  • The Can Read All Users permission will allow the user to view the list of all users.
  • The user can view the details of a user by clicking on the username.
  • All details will be displayed in read-only mode.


14. Database roles

When Visual Guard needs to authenticate a database user, it must be connected to the database.

The database account used to connect to the database must have access to the Visual Guard database objects. This account is specified in the configuration file or provided by the user for Database authentication mode.

Visual Guard offers 4 database roles to the users.

| Role | Description |
| --- | --- |
| vg_BasicAccess | This role can be granted to the users that will need to be authenticated by Visual Guard in your application. |
| vg_UserAdminAccess | This role must be granted to a user account that will need to access the Visual Guard console as User Administrator. This role allows you to create or edit user accounts and to grant roles to this user. |
| vg_DeveloperAccess | This role must be granted to a user account that will need to access the Visual Guard console as Developer. This role allows you to create or edit user accounts, roles, applications, permissions and permission sets. |
| vg_FullAccess | This role must be granted to a user account that will need to access the Visual Guard console as Master administrator. This role allows you to create or edit all Visual Guard entities and to drop the repository. |
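
One way to review which accounts hold each of these database roles, as an added example that is not part of the Visual Guard documentation. It assumes the VGRepository is hosted on Microsoft SQL Server; the account name vg_app_runtime is hypothetical, and the privilege ranking is inferred from the role descriptions above.

```sql
-- Added example (not Visual Guard's own script).
-- Assumption: the VGRepository lives in a Microsoft SQL Server database and the
-- four roles described above exist there as database roles.
-- Run this in the repository database with an account allowed to read role metadata.

-- Hypothetical name of the account that the application's configuration file
-- uses to connect for authentication. Replace with your own.
DECLARE @runtime_account sysname = N'vg_app_runtime';

WITH vg_roles AS (
    -- Rank the roles from least to most privileged. The ordering is inferred
    -- from the descriptions on this page (vg_FullAccess can drop the repository).
    SELECT principal_id,
           name,
           CASE name
               WHEN N'vg_BasicAccess'     THEN 1
               WHEN N'vg_UserAdminAccess' THEN 2
               WHEN N'vg_DeveloperAccess' THEN 3
               WHEN N'vg_FullAccess'      THEN 4
           END AS privilege_rank
    FROM sys.database_principals
    WHERE type = 'R'  -- database roles only
      AND name IN (N'vg_BasicAccess', N'vg_UserAdminAccess',
                   N'vg_DeveloperAccess', N'vg_FullAccess')
)
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       r.name      AS vg_database_role,
       CASE
           -- The account used only to authenticate application users
           -- should not hold anything above vg_BasicAccess.
           WHEN m.name = @runtime_account AND r.privilege_rank > 1
               THEN 'REVIEW: runtime account holds more than vg_BasicAccess'
           -- Every holder of vg_FullAccess can drop the repository.
           WHEN r.name = N'vg_FullAccess'
               THEN 'REVIEW: member can drop the repository'
           -- A role listed as a member means its own members inherit this role;
           -- this query does not expand nested membership.
           WHEN m.type = 'R'
               THEN 'REVIEW: nested role, expand its members manually'
           ELSE 'ok'
       END AS finding
FROM vg_roles AS r
JOIN sys.database_role_members AS rm
     ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m
     ON m.principal_id = rm.member_principal_id
ORDER BY r.privilege_rank DESC, m.name;
```

Rows marked REVIEW are candidates for moving to a lower role; the tables in sections 14.1 to 14.4 show what each console role can still do under each database role.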

14.1 vg_BasicAccess

This role restricts the user account from editing the Visual Guard application.

  • A user with the Auditor role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Developer role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Master Administrator role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | No |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Restricted Auditor role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Restricted User Administrator role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

  • A user with the User Administrator role and the vg_BasicAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

14.2 vg_UserAdminAccess

This role allows you to create or edit user accounts and to grant roles to this user.

  • A user with the Auditor role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Developer role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | Yes |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Master Administrator role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | No |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | Yes |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | No |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Restricted Auditor role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Restricted User Administrator role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

  • A user with the User Administrator role and the vg_UserAdminAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

14.3 vg_DeveloperAccess

This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.

  • A user with the Auditor role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Developer role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | Yes |
| Allow to edit Password Policy | Yes |
| Allow to edit role | Yes |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | No |
| Disallow to edit permission set | No |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Master Administrator role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | No |
| Allow to edit application | Yes |
| Allow to edit Password Policy | Yes |
| Allow to edit role | Yes |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | No |
| Disallow to edit permission set | No |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | No |
| Disallow to grant Visual Guard role | No |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Restricted Auditor role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Restricted User Administrator role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

  • A user with the User Administrator role and the vg_DeveloperAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

14.4 vg_FullAccess

This role allows you to create or edit all Visual Guard entities and to drop the repository.

  • A user with the Auditor role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | Yes |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Developer role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | Yes |
| Allow to edit Password Policy | Yes |
| Allow to edit role | Yes |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | No |
| Disallow to edit permission set | No |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Master Administrator role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | No |
| Allow to edit application | Yes |
| Allow to edit Password Policy | Yes |
| Allow to edit role | Yes |
| Allow to read event log | Yes |
| Allow to remove repository | Yes |
| Disallow to edit permission | No |
| Disallow to edit permission set | No |
| Disallow to edit Shared role | No |
| Disallow to grant permission set to a role | No |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | No |
| Disallow to grant Visual Guard role | No |
| Hide application for which the user is not member | No |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | No |

  • A user with the Restricted Auditor role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | No |
| Hide Permissions | No |
| Hide Visual Guard Items | Yes |

  • A user with the Restricted User Administrator role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | No |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | Yes |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

  • A user with the User Administrator role and the vg_FullAccess database role has the following access:

| Description | Remarks (Yes or No) |
| --- | --- |
| Access to repository in read only mode | Yes |
| Allow to edit application | No |
| Allow to edit Password Policy | No |
| Allow to edit role | No |
| Allow to read event log | No |
| Allow to remove repository | No |
| Disallow to edit permission | Yes |
| Disallow to edit permission set | Yes |
| Disallow to edit Shared role | Yes |
| Disallow to grant permission set to a role | Yes |
| Disallow to grant role to a user | Yes |
| Disallow to grant Visual Guard Permission Set | Yes |
| Disallow to grant Visual Guard role | Yes |
| Hide application for which the user is not member | No |
| Hide Permission Sets | Yes |
| Hide Permissions | Yes |
| Hide Visual Guard Items | Yes |

15. Deployment

Visual Guard offers three types of deployment options to facilitate the transfer and configuration of data and settings between repositories. These options are:

  1. VGRepository to another VGRepository: This type of deployment allows you to transfer an entire VGRepository, including its data, configuration, and security settings, to another VGRepository. It enables you to replicate the repository or specific components within a different environment, such as Dev, QA, Pre-Prod, or Prod.
  2. VGApplication deployment: With this deployment option, you can deploy a specific VGApplication from one VGRepository to another. This process involves exporting the application’s data, settings, and security configurations from the source repository and importing them into the target repository. It provides flexibility in deploying individual applications across different environments.
  3. VGRepository Settings to another VGRepository: This deployment type involves transferring the settings of a VGRepository to another repository. It allows you to export and import repository parameters, configurations, and security policies from one VGRepository to another. This ensures consistency in repository settings across multiple environments.

These deployment options in Visual Guard provide flexibility and convenience for managing and transferring repositories, applications, and settings across different environments, enabling efficient replication of configurations and security measures within the Visual Guard framework.

When deploying to a production environment, it is crucial to follow proper procedures and precautions. Here are some recommended steps:

  1. Backup Your Production Repository: Before making any changes to your production environment, create a backup of your repository. This ensures a fallback option in case any issues occur during the deployment process.
  2. Export Security Data from Development Repository: In Visual Guard Console, export the security data (users, roles, permissions) from your development repository. This will create a file containing your security data.
  3. Import Security Data to Production Repository: Switch to your production repository in Visual Guard Console and use the “Import” option to import the file created in the previous step. This will update your production repository with the latest security data from the development repository.
  4. Verify Your Changes: After the import process is complete, carefully review your production repository to ensure that all the changes are correct and complete. Verify that the users, roles, and permissions align with your expectations.
  5. Test Your Production Application: Thoroughly test your production application to ensure that the security features function as expected with the new data.

It is important to note that these steps provide a simplified guide, and the actual deployment process may vary based on your specific environment and requirements. Always refer to the official Visual Guard documentation or consult their support for detailed instructions tailored to your situation.

Additionally, ensure that you adhere to your company’s deployment policies and procedures to maintain the integrity and security of your production environment.

Visual Guard also provides the option to deploy directly to other VGRepositories or create a deploy file for importing into another repository. This allows for convenient deployment across multiple environments.

Directly to another repository

16. Migration

16.1 Migrate to Visual-Guard 2024.X

Migration is a crucial process when upgrading to a newer version of Visual-Guard, a robust Identity and Access Management (IAM) solution. This process involves transferring all security configurations, user data, and settings from the old version to the new one. It requires careful planning and execution to ensure a smooth transition. It’s highly recommended to schedule sessions with Visual-Guard’s technical support team for guidance throughout the migration process.


Requirements

Before starting the migration process, ensure that your system meets the following requirements:

  1. Identity Server: Ensure that you comply with the installation and setup requirements for the Identity Server. You can check the requirements here. .NET 6 and Hosting Bundle 6 should be installed before the session.
  2. WinConsole: Make sure that your system meets the installation requirements for the WinConsole. You can check the requirements here.
  3. WebConsole: Ensure that your system meets the setup requirements for the WebConsole. You can check the requirements here.
  4. .NET Framework: Your system should have the .NET framework 4.7.2 or higher installed.
  5. Application Migration: Migrate all applications (App1, App2, App3) with the .NET framework 4.7.2.
  6. Backups: Take backups of your VG 2020.X repositories.
  7. DBA Attendance: Ensure that a Database Administrator (DBA) attends the session.
  8. Download VG 2024.X: Download the VG 2024.X version.

Migration Steps

  1. Backup: Before starting the migration process, please take a backup of all VG repository databases.
  2. Environment Setup: Set up a parallel environment on a virtual machine, duplicating the existing environment on Windows Server 2022 Build 20348 or later.
  3. VG Installation: Install VG 2024.X in the new environment (VG WinConsole, VG WebConsole, VG Identity Server).
  4. Repository Addition: Add the existing repository that was created in VG 2020.X.
  5. Migration and Licensing: Migrate and request a new license.
  6. Upgrade VG Assemblies: Once the migration is done, upgrade all VG assemblies in all applications of a repository.
  7. Build Application: Once upgraded, build the application to make sure everything works.
  8. Generate VG Configuration File: Then generate a VG configuration file for each application from the WinConsole.
  9. Decommission VG 2020.X: Once the migration is done for all repositories and environments, decommission the VG 2019 environments.

16.2 Migrate to Visual-Guard 2020.X

Migration is a crucial process when upgrading to a newer version of Visual-Guard, a robust Identity and Access Management (IAM) solution. This process involves transferring all security configurations, user data, and settings from the old version to the new one. It requires careful planning and execution to ensure a smooth transition. It’s highly recommended to schedule sessions with Visual-Guard’s technical support team for guidance throughout the migration process.


Requirements

Before starting the migration process, ensure that your system meets the following requirements:

  1. Identity Server: Ensure that you comply with the installation and setup requirements for the Identity Server.
    • Ensure that .NET Framework 4.7.2 is installed on the machine. If not, download it here.
    • Ensure that the .NET Core Hosting Bundle 2.1 (including the .NET Core runtime and IIS support) is installed on the machine. If not, download it here.
    • Install the VGIdentityServerSetup. [Link available in the table above]
      1. Doing so will create a ‘VisualGuardIdentityServer’ website.
      2. It will also create an application pool ‘AspNetCore’ with .NET CLR Version set to “No Managed Code”.
        (If it is not created, please create it manually.)
    • In the list of websites, select ‘VisualGuardIdentityServer’.
      Go to ‘Advanced Settings’ and select the application pool ‘AspNetCore’.
    • Check ‘permissions’, and assign full permissions to ‘IIS_IUSRS’.
  2. WinConsole: Make sure that your system meets the installation requirements for the WinConsole.
  3. WebConsole: Ensure that your system meets the setup requirements for the WebConsole.
    • Ensure that the .NET Core Hosting Bundle 3.1 (including the .NET Core runtime and IIS support) is installed on the machine. If not, download it here.
  4. .NET Framework: Your system should have the .NET framework 4.7.2 or higher installed.
  5. Application Migration: Migrate all applications (App1, App2, App3) with the .NET framework 4.7.2.
  6. Backups: Take backups of your VG 2019 repositories.
  7. DBA Attendance: Ensure that a Database Administrator (DBA) attends the session.
  8. Download VG 2020.3: Download the VG 2020.3 version.

Migration Steps

  1. Backup: Before starting the migration process, please take a backup of all VG repository databases.
  2. Environment Setup: Set up a parallel environment on a virtual machine, duplicating the existing environment on Windows Server 2022 Build 20348 or later.
  3. VG Installation: Install VG 2020.X in the new environment (VG WinConsole, VG WebConsole, VG Identity Server).
  4. Repository Addition: Add the existing repository that was created in VG 2019.
  5. Migration and Licensing: Migrate and request a new license.
  6. Upgrade VG Assemblies: Once the migration is done, upgrade all VG assemblies in all applications of a repository.
  7. Build Application: Once upgraded, build the application to make sure everything works.
  8. Generate VG Configuration File: Then generate a VG configuration file for each application from the WinConsole.
  9. Decommission VG 2019: Once the migration is done for all repositories and environments, decommission the VG 2019 environments.

16.3 Update Visual-Guard

Procedure to Update Visual-Guard

  1. Backup the Database: Start by creating a backup of your database. This is a crucial step to ensure that you have a recovery point in case anything goes wrong during the update process.
  2. Uninstall the Current Version of Visual-Guard: Before installing the new version, it’s important to uninstall the current version of Visual-Guard from your system. This ensures a clean installation of the new version and prevents potential conflicts.
  3. Install the Minor Version of Visual-Guard: Download and install the minor version of Visual-Guard in your development environment. It’s always safer to test the new version in a development environment before deploying it to production.
  4. Open the Repository via VGWinconsole: After the installation, open the VGWinconsole, which is a part of Visual-Guard and allows you to manage your security system. Use it to open the repository that you want to update.
  5. Enter the Migration Code: When opening the repository with the new version of Visual-Guard, you will be asked for a migration code. This code is required to migrate your repository to the new version. The default migration code is ‘0000’.
  6. Update Visual-Guard Components: Once the repository is open, you can start updating all the Visual-Guard components. This includes the VGWebConsole, VGServer, and VGIdentityServer. Follow the instructions provided by Visual-Guard for each component to ensure a smooth update process.
  7. Update Visual-Guard Assemblies: After updating the components, proceed to update the Visual-Guard assemblies. These are the building blocks of .NET applications, and updating them ensures that your application can leverage the latest features and security updates provided by Visual-Guard.

Remember to thoroughly test the updated system in the development environment before deploying it to the production environment. This will help you identify and fix any potential issues before they can affect your production environment.