The Password Policy feature in Visual Guard is a crucial tool for maintaining the security of your applications. It allows administrators to establish rules for password creation, ensuring that all user passwords meet certain standards of complexity and security.

These rules can include requirements such as minimum length, the inclusion of uppercase and lowercase letters, numbers, and special characters. By enforcing a strong password policy, you can significantly reduce the risk of unauthorized access to your applications.

An important aspect of the Password Policy is its dynamic nature. If the policy is changed since a user’s last login and their current password does not comply with the new policy, the user will be prompted to change their password. This ensures that all existing passwords meet the current policy standards, maintaining a high level of security even when policy requirements are updated.

For instance, if the policy is updated to require a minimum of 10 characters and a user’s password is only 8 characters long, they will be asked to update their password to meet the new requirements. This proactive approach to password management helps to keep your applications secure and your users’ data protected.

In summary, the Password Policy feature in Visual Guard is a powerful tool for enhancing the security of your applications. By defining password rules and ensuring compliance with these rules, you can effectively safeguard your applications against unauthorized access.

Benefits

1. Improved Security: A strong password policy helps to protect against unauthorized access and potential data breaches. By enforcing rules such as minimum length, use of special characters, and a mix of uppercase and lowercase letters, you make it more difficult for malicious actors to guess or crack passwords.
2. Consistency: A password policy ensures that all users adhere to the same standards for password creation. This consistency makes it easier to manage user accounts and reduces the risk of weak passwords being exploited.
3. User Awareness: Implementing a password policy helps to educate users about the importance of strong passwords. It encourages them to think more carefully about their password choices, which can lead to better security habits overall.
4. Compliance: Many industries have regulations that require certain security measures, including strong passwords. A password policy can help your organization to meet these compliance requirements.
5. Proactive Protection: With a password policy in place, you’re not just reacting to security issues – you’re proactively taking steps to prevent them. This proactive approach can save your organization time and resources in the long run.

In summary, a password policy is a critical component of a robust security strategy. It not only enhances the protection of your applications and data but also promotes better security practices among your users.

Overview

In addition to providing robust security features, Visual Guard allows secured applications to log custom events within Visual Guard. These custom events provide a way to track and monitor specific activities or occurrences within the application for auditing and analysis purposes.

Adding Custom Events

To add custom events in a Visual Guard-secured application, follow these steps:

1. Identify the specific activities or occurrences that you want to log as custom events.
2. Integrate the Visual Guard logging functionality into your application’s code.
3. Determine the appropriate triggers or conditions for capturing the custom events.
4. When a trigger or condition is met, use the Visual Guard API or logging mechanisms to log the custom event.
5. Include the following metadata in the custom event log:
   • Identification Number: A unique identifier for the event.
   • Title: A concise title or summary of the event.
   • Message: Detailed information or description of the event.
   • Date and Time of Creation: The timestamp when the event was logged.

Supervising Custom Events with VGMonitoring

Visual Guard offers VGMonitoring, a monitoring component that allows you to supervise and analyze custom events logged within Visual Guard. VGMonitoring provides features such as real-time event monitoring, customizable dashboards, and reporting capabilities to gain insights into the logged custom events.

By leveraging VGMonitoring, you can effectively monitor and analyze the custom events for various purposes, including security auditing, performance analysis, and compliance monitoring.

Benefits of Custom Events

By logging custom events within Visual Guard and supervising them with VGMonitoring, you gain several benefits:

• Audit Trail: Custom events provide an audit trail that allows you to track specific actions or occurrences within your application.
• Compliance: Logging custom events can help meet regulatory and compliance requirements by providing a comprehensive record of relevant activities.
• Analysis and Monitoring: VGMonitoring enables you to monitor and analyze the logged custom events in real-time, generate reports, and gain insights into application usage, user behavior, and system performance.

Retrieving and Analyzing Custom Event Logs

Once custom events are logged in Visual Guard and supervised with VGMonitoring, you can retrieve and analyze the event logs using the provided tools and features. This allows you to perform various analysis tasks, such as generating reports, identifying patterns, and detecting anomalies.

Considerations and Best Practices

When working with custom events in Visual Guard and VGMonitoring, keep the following considerations and best practices in mind:

• Event Relevance: Log only the events that are relevant to your application’s security and monitoring needs.
• Data Sensitivity: Ensure that any sensitive data logged in custom events is properly protected and handled in accordance with security and privacy guidelines.
• Log Retention: Define a log retention policy to determine how long custom event logs should be retained for auditing and compliance purposes.
• Integration Testing: Test the custom event logging functionality and VGMonitoring features thoroughly to ensure proper integration and functionality within your application.

How create a new log in Visual-Guard ?

We need to insert own VGEntryLog in Visual-Guard, this log entry can have multiple parameters, later on we will review all operations logging.

How to audit the visual-guard log ?

Repository deployment in Visual Guard refers to the process of deploying security configurations, such as roles, permissions, and user profiles, from a central repository to target environments. This deployment ensures consistency and synchronicity of security settings across different environments, such as development, testing, and production.

What is the the VGDeploy of VGrepository ?

Several customers maintain multiple VGRepositories for various environments such as Dev, Test, PreProd, and Prod. Whenever a developer creates a new User Attribute, it must be deployed to Test, PreProd, and Prod environments. For each attribute, the VGRepository Deploy parameter needs to be checked.

Key Aspects

1. Centralized Management: Security configurations are managed and stored centrally in a repository within Visual Guard, allowing administrators to define and maintain security settings in one location.
2. Version Control: Visual Guard supports versioning of security configurations, enabling administrators to track changes over time and rollback to previous versions if needed.
3. Environment Consistency: By deploying security configurations from a central repository, Visual Guard ensures consistency of security settings across different environments, reducing the risk of configuration drift and ensuring reliable access control.
4. Scalability: Deployment processes are designed to scale effectively as the number of applications, environments, or users grows, ensuring that security configurations remain manageable and consistent across the enterprise.
5. Reliability: By ensuring the timely and accurate deployment of security configurations, Visual Guard facilitates reliable access control, enabling organizations to enforce security policies effectively and mitigate security risks.

Overall, repository deployment in Visual Guard facilitates efficient management and deployment of security configurations, promoting security best practices and ensuring consistent access control across enterprise applications and environments.

Once we deploy a repository, we can also import the deployment configuration files. Importing deployment configuration files refers to the process of loading external files containing predefined settings and configurations related to the deployment of software or applications. These files typically include details such as environment-specific configurations, deployment targets, versioning information, and other parameters necessary for deploying the software effectively. Importing deployment configuration files streamlines the deployment process by providing a standardized way to configure deployment settings, ensuring consistency and accuracy across different environments and deployment scenarios.

A license key is a unique code provided by software vendors to legally authorize and activate a copy of a software product. It helps in preventing unauthorized use and ensures that the software is used in compliance with the licensing terms set by the vendor.

We have 2 type of Visual Guard licenses that we generate for the customer.

• Product License: This is the primary license that activates the comprehensive features of Visual-Guard, including user management, advanced SQL features, auditing, reporting, dynamic permissions, deployment capabilities, and more. It also specifies the number of users, the duration of use, number of installations, distributions. Each VGRepository requires its own Visual-Guard License Key to access the full suite of features.
• MFA License: This secondary license specifically enables the Multi-Factor Authentication (MFA) service within Visual-Guard. The terms of this license, including its duration and the extent of its use across multiple VGRepositories, are determined by the subscription details outlined in your contract. This allows for flexibility and scalability in implementing robust MFA security measures across different repositories within the organization. The MFA license is an annual or monthly subscription, it can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

Below are the quick links to the process of requesting for a license.

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone).

What is a Visual Guard MFA? VG has integrated a security framework to enhance the application by adding an additional verification method beyond just passwords. Here a user would be asked to provide an OTP or link that would be sent over an SMS or email. This MFA license is an annual or monthly subscription, it can be used by one or multiple VGRepositories and is positioned at the same level as the Visual-Guard license, ensuring integrated and comprehensive security management across your systems.

We have 2 type of MFA policies:

• Global MFA Policy:  A Global MFA Policy in Visual Guard is a centralized set of rules and settings that define how MFA is applied across all applications and users within an organization.
• Application MFA Policy: Is a specific set of rules and settings that govern the implementation of MFA for a particular application.

• For Oracle Database Installation:
  Visual Guard will create database objects in the schema associated to the specified user account (we recommend
  that you create a specific schema for Visual Guard repository). If your database
  DBA wants to create the database manually, you can find the database creation script
  in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\Oracle. The DBA can use the script “Install.sql” and adapt it to create the database objects. It is necessary to modify the script to change the value <VISUAL_GUARD_SCHEMA>
  by the name of the schema that will contain Visual Guard database objects.
• For SQLServer database Installation:
  Visual Guard will create the database objects in the specified database. The default database name is “visualguarddb”. If The DBA of your database want to create manually the database, you can find the script of database creation in the directory <Visual Guard installation directory>\VisualGuardConsole\Database\SQLServer. The DBA can use the script “Install.sql” and adapt it to create the database objects.

  If the repository creation wizard does not detect the database, Visual Guard will create it.

How to grant access to the Visual Guard repository

• vg_BasicAccess: This role must be granted to a user account that will need to be authenticated by Visual Guard in your application.
• vg_UserAdminAccess: This role must be granted to a user account
  that will need to access the Visual Guard console as User Administrator. This role allows you to create or edit user accounts and to grant roles to this user.
• vg_DeveloperAccess: this role must be granted to a user account
  that will need to access the Visual Guard console as Developer. This role allows you to create or edit user accounts, roles, applications, permissions and permission sets.
• vg_FullAccess: this role must be granted to user account that will need to access the Visual Guard console as Master administrator. This role allows you to create or edit all Visual Guard entities and to drop the repository.

Overview

Visual Guard provides a convenient way to generate application configuration files for securing your applications. These configuration files contain the necessary settings and information required to integrate Visual Guard’s security features into your application, including the information to connect to the VGRepository.

Using the WinConsole or WebConsole

To generate the application configuration files using Visual Guard, follow these steps:

1. Open the Visual Guard WinConsole or WebConsole.
2. Select the specific application for which you want to generate the configuration files.
3. Locate the “Generate Configuration File” operation within the console interface.
4. Execute the “Generate Configuration File” operation.

Purpose of Configuration Files

The generated configuration files serve the following purposes:

• Security Integration: The configuration files contain the necessary settings and information to integrate Visual Guard’s security features into your application. This includes details such as authentication methods, role and permission mappings, and other security-related configurations.
• VGRepository Connection: The configuration files also include the necessary information to connect your application to the VGRepository. This includes the connection details, such as the database server address, credentials, and other relevant information.

Configuration File Output

When you execute the “Generate Configuration File” operation, Visual Guard will generate one or more configuration files specific to your application. These files are typically in XML or other structured formats and may include information such as:

• Security settings, including authentication methods and user management configurations.
• Role and permission mappings for different application functionalities.
• VGRepository connection details, including server address, credentials, and other relevant information.

Integrating Configuration Files

Once you have the generated configuration files, you need to integrate them into your application. The exact integration process may vary depending on your application’s technology stack and development environment. Typically, you would include the configuration files in your application’s build or deployment process and ensure that the application reads and applies the configurations at runtime.

Please consult your application’s documentation or development team for specific instructions on integrating the Visual Guard configuration files into your application and establishing the connection to the VGRepository.

• Overview: VGRepository in SQL Server mode refers to the configuration of Visual-Guard where the repository for storing security data, such as user credentials, permissions, roles, and audit logs, is hosted in a Microsoft SQL Server database.
• Advantages:
  • Scalability: SQL Server provides robust scalability options, making it suitable for handling large volumes of data and high numbers of concurrent users.
  • Performance: SQL Server is known for its high performance, especially in handling complex queries and large datasets, which is essential for efficient security management.
  • Reliability: SQL Server offers strong reliability and data integrity features, ensuring that the security data is consistently managed and maintained.
• Security Management: In this mode, Visual-Guard leverages SQL Server’s capabilities to manage security-related data. This includes user authentication, role-based access control, permission assignments, and audit logging.
• Integration: VGRepository in SQL Server mode seamlessly integrates with the Visual-Guard framework, providing a centralized and secure way to manage security across various applications.
• Maintenance and Backup: Utilizing SQL Server for the repository also simplifies maintenance tasks like backups, restorations, and data migration, thanks to the comprehensive tools and features provided by SQL Server.
• Customization and Extensibility: The SQL Server mode allows for customizations and extensions to the security model, such as defining custom roles, permissions, and security policies tailored to specific organizational needs.

This configuration is particularly beneficial for organizations using Visual-Guard in environments where SQL Server is already an integral part of the IT infrastructure, offering a unified approach to security management and data handling.

Introduction

As databases grow over time, especially those used for logging activities like in Visual-Guard, it becomes crucial to manage and maintain them efficiently. The vg_Log table, which stores log entries, can become quite large and may lead to increased storage demands and potential performance degradation. Regularly cleaning up old data from this table is an essential maintenance task.

The DatabaseCleanUp stored procedure is specifically designed for this purpose. It targets the vg_Log table in a SQL Server database and removes entries that are older than 12 months, based on the DBTimeStamp field. This periodic cleanup helps in managing the database size and ensures that it remains performant and efficient.

This procedure is particularly useful for administrators and database managers who need to keep their SQL Server databases lean and prevent them from becoming bloated with outdated log data. It strikes a balance between retaining necessary log information for a sufficient period and removing outdated data that is no longer useful.

Below is the SQL script for creating the DatabaseCleanUp stored procedure. It’s important to test this script in a controlled environment before deploying it to a production database. Regular backups and careful planning of the cleanup schedule are also recommended to ensure data safety and minimal disruption.

SQL Script

USE [YourDatabaseName]; -- Replace with your actual database name
GO

-- Backup the database before performing cleanup
BACKUP DATABASE [YourDatabaseName] 
TO DISK = 'D:\Backups\YourDatabaseName_Backup.bak' -- Specify your backup path
WITH FORMAT, 
MEDIANAME = 'SQLServerBackups', 
NAME = 'Full Backup of YourDatabaseName';

-- Check if the DatabaseCleanUp procedure already exists and drop it if it does
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[DatabaseCleanUp]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[DatabaseCleanUp]
GO

-- Create the DatabaseCleanUp stored procedure
CREATE PROCEDURE DatabaseCleanUp
AS
BEGIN
    SET NOCOUNT ON;

    -- Delete log entries older than 12 months
    DELETE FROM vg_Log
    WHERE DBTimeStamp < DATEADD(MONTH, -12, GETDATE());

    -- Optional: Reorganize the table and its indexes to reclaim space
    DBCC SHRINKDATABASE(YourDatabaseName); -- Use with caution
END
GO

Important Notes:

1. Backup Location: Replace 'D:\Backups\YourDatabaseName_Backup.bak' with the actual path where you want the backup to be stored.
2. Backup Frequency: This script performs a full backup. Depending on your database size and backup strategy, you might want to consider differential or transaction log backups.
3. Scheduling: Automate this script to run at regular intervals, preferably during low-traffic periods, to minimize impact on database performance.
4. Testing: Always test backup and cleanup scripts in a non-production environment before implementing them in your live system.
5. Monitoring: Regularly monitor the backup process and verify backup files to ensure data integrity.

Introduction

Requirements

Scenario

1. The user connects to the application with the offline mode activated. Visual-Guard will
   automatically save the role or roles that the user has selected in the OfflineStore
2. When Visual-Guard detects that the VGRepository is no longer available and that the offline mode is
   activated, it will load the security settings from the saved copy found in the OfflineStore
3. When Visual-Guard detects that the VGRepository is available again, it will synchronize the Event
   Viewer.

Usage

Implementation

1. Connect to a VGRepository,
2. Select an Application,
3. Select the action “Regenerate the VG configuration file”, (a window will open),
4. Select “User” or “Machine” for the Offline property,
5. Generate the new configuration files for your application,
6. Launch your application with the accessible repository,
7. Sign in as a user and select a role or roles,
8. Close your application.

Using the application

1. Using the application
2. Launch your application,
3. Sign in as the same user,
4. Your application will open (without being connected to the repository),
5. Close your application.

Synchronizing the application with the VGRepository

1. Connect your computer to the network (a connection to the VGRepository will be made automatically)
2. Launch your application,
3. Sign in as any user, Visual-Guard will synchronize the Event Viewers.

Interacting with applications in offline mode

• CheckForOnlineStatus: Allows the repository detection method to be overridden.
• AcceptOfflineMode: Allows rejection of the offline mode even if it has been activated.
• UnableToSaveOffline: This event is launched when there has been a problem saving user data for
  offline mode. The following errors start this event:
  • The OfflineStore is
    currently being used by the same application,
  • The OfflineStore is
    full,
  • There is a connection
    problem while saving user data.

Note
Using the offline mode for ASP applications is not recommended.

Restrictions:

• Offline mode cannot be used with the Visual-Guard API
• Offline mode is not supported with the console
• It is not possible to change a person’s Credentials.

OfflineStore Property:

• None: offline mode is not active,
• User: data will be saved in the current Windows user’s profile,
• Machine: data will be saved to the computer

• Copy the Visual Guard tables and data from the source database to the target database.
  This solution is simple but you can only copy the full content of the repository
  and not a part of this repository because Visual Guard stores its data in a binary format.
• Use the Visual Guard Console. The Visual Guard console provides a Wizard that will
  help you to deploy the full content of your repository or the data corresponding to an application.
  To do that, you must be connected to your source repository then right-click this repository and select the option “Deploy repository…”. This wizard
  enables you to directly deploy your repository into another one or export data
  as a deployment configuration file.
• Use the deployment tool. This tool uses the deployment configuration file exported
  by the console and can be launched as a command line tool. This utility can be used
  to automate your deployment.
• Use the deployment API. You can use this API to integrate your deployment in a custom
  program. The classes used by the deployment are located in the namespace
  Novalys.VisualGuard.Security.Deployment
  (assembly: vg_deployment.exe). You can contact the Visual Guard support, if you need
  more information about this API.

How to use the deployment tool

Deploying the repository for the first time

Deployment and license key

Deployment of the parameters of the repository

Introduction

What are the parameters of the repository?

• Password Policy,
• Membership setting (?require unique email?, ?requires
  password question and answer?, etc),
• Misc (?Supported authentication mode?, ?Allow to
  rename user?, etc).

Export in a configuration file

1. Open Visual Guard,
2. Right click on the repository,
3. Select ?Deploy repository??,
4. Click on next button,
5. Select ?Export data in a deployment configuration file?,
6. Click on ?Next? button,
7. Select ?Deploy parameter of the repository,
8. Click on ?Next? button,
9. Click on ?Finish? button,
10. Save the configuration file.
11. Open the tool ?vg_deployment.exe?,
12. Select the configuration file,
13. Select the type of the repository,
14. Enter the complementary information for the repository,
15. Click on ?Ok? to begin the deployment.

Export directly in a repository

1. Open Visual Guard,
2. Right click on the repository,
3. Select ?Deploy repository??,
4. Click on next button,
5. Select ?Deploy in an existing repository?,
6. Select the repository in the list,
7. Click on ?Next? button,
8. Select ?Deploy parameter of the repository,
9. Click on ?Next? button,
10. Click on ?Finish? button,

Requirements

• To use deployment of the parameters of the repository you must have version 2.8 or higher of Visual-Guard.

Restrictions

• If you want to deploy the properties ? Requires
  unique email? and ?requires Password, question and answer?,
  all the users of the directory have to have an email address and a
  question / response. If one the user don?t have one
  if this information, the deployment will be cancel and a exception will be
  generate.

What is a Global MFA Policy? A Global MFA Policy in Visual Guard is a centralized set of rules and settings that define how MFA is applied across all applications and users within an organization.

Benefits of an MFA Global Policy:

• Enhanced Security: Provides an additional layer of security by requiring multiple forms of verification, reducing the risk of unauthorized access.
• Consistent Enforcement: Ensures that MFA rules are applied uniformly across all users and applications, preventing gaps in security.
• Regulatory Compliance: Helps organizations meet legal and regulatory requirements for strong authentication practices.
• Simplified Management: Centralizes the management of MFA settings, making it easier for administrators to implement and maintain security policies.
• User Assurance: Increases confidence among users that their accounts and data are protected with robust security measures.
• Adaptability: The ability to adjust MFA requirements based on risk and other factors ensures that security measures are both effective and user-friendly.

Detailed Aspects of MFA Global Policy in Visual Guard:

1. Universal Application:
   • Scope: The policy applies across all user accounts and applications managed by Visual Guard, ensuring that every interaction requiring authentication adheres to the MFA requirements.
   • Consistency: It ensures a consistent user experience and security level across different departments and applications within the organization.
2. Authentication Methods:
   • SMS OTP (One-Time Password): Sends a one-time code via SMS to the user’s registered mobile number, which the user must enter to complete the authentication process.
   • TOTP (Time-Based One-Time Password): Uses authenticator apps like Google Authenticator or Microsoft Authenticator to generate a time-based one-time password that refreshes every 30 seconds.
   • Email OTP: Sends a one-time code via email to the user’s registered email address.
3. User Enrollment:
   • Initial Setup: During the first login or account creation, users are guided through the process of setting up their MFA methods.
   • Self-Service Portal: Users can access a self-service portal to manage their MFA settings, such as enrolling in new methods or updating existing ones.
   • Mandatory Enrollment: Ensures all users complete the MFA setup process as a requirement for accessing the system.
4. Compliance and Security:
   • Data Protection: Protects sensitive data by ensuring only authenticated and authorized users can access it.
   • Audit Trails: Maintains detailed logs of all MFA-related activities to support compliance audits and investigations.
5. Configuration Management:
   • Centralized Control: Administrators can manage MFA settings and policies from a central console, making it easier to apply changes across the organization.
   • Policy Updates: Provides tools for updating MFA policies and distributing those updates to all users and applications seamlessly.
   • Customization: Allows customization of MFA settings to meet specific organizational needs.

In summary, the MFA Global Policy in Visual Guard is a critical component for securing access to systems and data, providing robust and consistent multi-factor authentication across the entire organization.

Please refer to the below links to know more about how to use the Global MFA policy.

In today’s digital landscape, securing access to applications and data is more crucial than ever. Visual-Guard offers a complete authentication solution to protect your applications from unauthorized access, ensuring that only authenticated users can access critical resources. This documentation guides you through the basic principles of Visual-Guard authentication, its benefits, and how it can be integrated into your applications.

Principles of Visual-Guard authentication

Visual-Guard enables flexible, secure management of user identities through a variety of authentication methods. Whether you’re developing a web, desktop or mobile application, Visual-Guard integrates seamlessly to deliver a secure and transparent user experience.

Supported authentication methods

• Visual-Guard authentication: Uses credentials such as username and password.
• Windows authentication: Allows users to authenticate via their Windows credentials, integrating authentication within the Microsoft ecosystem.
• Database authentication: Authenticates users by verifying credentials stored in a database.
• External authentication: Integrates third-party identity providers such as OAuth, OpenID Connect, etc.

Benefits of Visual-Guard Authentication

• Enhanced security: Protect your applications by ensuring that only authenticated users have access to sensitive resources.
• Flexibility: Offers a variety of authentication methods to meet the specific needs of each application.
• Easy integration: couples easily with a wide range of technologies and application platforms.
• Centralized management: Enables centralized management of users and authentication policies through the VGRepository.

Visual-Guard authentication integration

Integrating Visual-Guard into your applications is designed to be simple and straightforward, with specific guides for each type of application, whether developed with .NET, Angular, WinForms, WPF, or other frameworks. Visual-Guard provides APIs, libraries and management tools to facilitate this integration, enabling rapid and efficient implementation of authentication.

Conclusion

Visual-Guard authentication is the key to securing your applications and protecting sensitive data. By offering a flexible and robust platform for identity and access management, Visual-Guard ensures that your applications remain secure, while providing an optimal user experience. For more information on integrating Visual-Guard and implementing specific authentication methods, please consult our detailed integration guides.

Visual-Guard’s Multi-Factor Authentication (MFA) represents an essential security solution for companies seeking to strengthen the protection of their applications and data in an increasingly threatened digital environment. This detailed presentation first explores the importance and benefits of implementing MFA, before diving into an understanding of Visual-Guard’s MFA policies, including global and application-specific policies.

Introduction to Multi-Factor Authentication

In today’s environment, where cyber-attacks are becoming more sophisticated, multi-factor authentication is an essential barrier against unauthorized access. By requiring multiple proofs of identity before granting access, MFA minimizes the risk of accounts being compromised, even if credentials are leaked.

Visual-Guard MFA enhances this approach by offering unprecedented flexibility and integration across a multitude of platforms and technologies, ensuring uniform, robust protection for all enterprise applications.

Multiple Authentication Methods:

• SMS/Email OTP: One-time passwords sent via SMS or email.
• Authenticator Apps: Time-based one-time passwords (TOTP) generated by apps like Google Authenticator or Microsoft Authenticator.
• VGMagicLink: VGMagicLink allows for real-time authentication, enabling users to gain access to secured applications immediately after validating a unique link

Benefits of Using VG MFA

1. Enhanced Security: Significantly reduces the risk of unauthorized access by requiring multiple verification factors.
2. Compliance: Helps meet regulatory requirements for strong authentication (e.g., GDPR, HIPAA).
3. User Assurance: Increases user confidence in the security of their accounts and sensitive data.
4. Flexibility: Adaptable to various user needs and organizational policies, offering multiple authentication options.

MFA Policy: Global Vision

The VGMFAGlobal Policy is the foundation of Visual-Guard’s MFA strategy, establishing the authentication methods available within a VGRepository. This policy includes options such as sending secure links and OTPs by email or SMS, enabling administrators to configure an authentication method tailored to the sensitivity and specific requirements of each application.

Key features of VGMFAGlobal Policy include :

Authentication Method Flexibility: Choice between secure links and OTP via email or SMS, offering adaptability to user preferences and security constraints.
Session Scope Information: Defines whether Grace Login applies globally or by application, enabling fine-grained access management.
Session Duration: Allows you to specify a period during which MFA re-authentication is not required, enhancing the user experience without compromising security.

MFAApplicationPolicy enables application-level customization of globally established MFA policies, offering flexibility to meet the unique security needs of each application. Administrators can :

• Select Specific MFA Types: Prioritize an authentication type, such as SMS authentication, suited to the application.
• Customize Grace Login: Define or disable Grace Login to adjust the balance between security and ease of access.
• Adjust MFA Session Duration: Modify the period after which a new MFA authentication is required, offering customized security.
• Manage Access without MFA for Unregistered Users: Allow limited access to users not registered with MFA, easing the transition to enhanced security policies.

By implementing Visual Guard MFA, organizations can strengthen their security posture, protect sensitive information, and comply with industry regulations.

Introducing VGMagicLink

A standout feature of Visual Guard 2024.0 is the introduction of VGMagicLink, a revolutionary technology that enhances the MFA experience. VGMagicLink allows for real-time authentication, enabling users to gain access to secured applications immediately after validating a unique link. This technology offers an alternative to traditional OTP and email link methods, providing a seamless and efficient way to ensure security without compromising on user convenience.

VGMagicLink exemplifies Visual Guard’s commitment to innovation in security, offering users a quick and secure authentication method that aligns with the modern need for immediate and reliable access to applications.

Visual Guard’s Login Flow with Magic Links

The OTP (One-Time Password) feature in Visual Guard enhances security by providing a dynamic, time-sensitive password that can be used only once for authentication purposes. This method significantly reduces the risk of unauthorized access and is especially useful for protecting sensitive operations and transactions.

Key Aspects:

1. Delivery Methods:
   • SMS: OTPs can be sent to the user’s registered mobile phone via SMS.
   • Email: OTPs can be emailed to the user’s registered email address.
2. Security Enhancements:
   • OTPs provide an additional layer of security beyond traditional passwords.
   • They are particularly effective against phishing attacks, keyloggers, and other forms of credential theft.
3. Compliance and Auditing:
   • Using OTPs can help organizations meet regulatory requirements for multi-factor authentication (MFA).
   • Visual Guard logs all OTP authentication attempts, providing an audit trail for security reviews and compliance purposes.

Benefits of OTP in Visual Guard:

• Increased Security: Reduces the risk of unauthorized access by ensuring that each password can only be used once and is valid for a short period.
• User Convenience: Multiple delivery methods offer flexibility and convenience for users.
• Regulatory Compliance: Helps organizations comply with industry standards and regulations that require strong authentication mechanisms.
• Ease of Integration: Can be easily integrated into existing authentication processes without significant changes to the infrastructure.

The TOTP (Time-Based One-Time Password) feature in Visual Guard provides a secure, time-sensitive authentication method that generates unique passwords which are valid only for a short period. This method leverages mobile apps like Google Authenticator and Microsoft Authenticator to enhance security for user logins and sensitive transactions.

Key Aspects:

1. TOTP Generation:
   • Visual Guard generates TOTPs based on a shared secret and the current time.
   • The TOTP changes at regular intervals (typically every 30 seconds), ensuring that each password is only valid for a brief window.
2. Authenticator Apps:
   • Users can use popular authenticator apps like Google Authenticator and Microsoft Authenticator to generate TOTPs.
   • These apps do not require internet connectivity to generate TOTPs, as they use the device’s internal clock.
3. User Enrollment:
   • During the enrollment process, users scan a QR code provided by Visual Guard with their authenticator app.
   • The app stores the shared secret and starts generating TOTPs that can be used for authentication.
4. Integration with Existing Systems:
   • Visual Guard’s TOTP feature integrates seamlessly into existing authentication workflows, providing an additional layer of security without disrupting user experience.
   • It supports various applications and systems, ensuring broad compatibility and ease of use.
5. Security Enhancements:
   • TOTPs significantly reduce the risk of unauthorized access by ensuring that passwords are valid only for a short period.
   • This method is particularly effective against phishing attacks, replay attacks, and other forms of credential theft.
6. Compliance and Auditing:
   • Using TOTPs can help organizations meet regulatory requirements for multi-factor authentication (MFA).
   • Visual Guard logs all TOTP authentication attempts, providing an audit trail for security reviews and compliance purposes.

Benefits of TOTP in Visual Guard:

• Enhanced Security: Provides a robust authentication mechanism that is resistant to common attacks like phishing and keylogging.
• User Convenience: Easily integrates with widely-used authenticator apps, offering a familiar and convenient method for users.
• Regulatory Compliance: Assists organizations in meeting industry standards and regulations requiring strong authentication methods.
• Seamless Integration: Integrates smoothly into existing authentication processes, enhancing security without complicating the user experience.

Minimum Version: VG 2024.1

Configuring Multi-Factor Authentication (MFA) with Active Directory (AD) is a crucial step for organizations looking to enhance their security posture by adding an additional layer of authentication beyond just usernames and passwords. Visual-Guard, with its robust security framework, leverages information synchronized from Active Directory, such as email addresses and cellphone numbers, to facilitate MFA processes. This introduction outlines the essential steps and considerations for integrating MFA with Active Directory using Visual-Guard, ensuring a seamless and secure authentication experience.

Preparing Active Directory & VG for MFA

1. Update User Information: Ensure that user accounts in Active Directory are up-to-date with current email addresses and cellphone numbers. This information is essential for MFA mechanisms like OTP (One-Time Password) via email or SMS.
2. Organizational Units and Groups: Organize users within Active Directory into appropriate Organizational Units (OUs) and groups based on their roles and access needs. This organization aids in managing MFA policies more effectively.
3. Security Permissions: Verify that Visual-Guard has the necessary permissions to read user information from Active Directory. This may involve configuring service accounts with specific read privileges.

Below are the steps to configure Active Directory with MFA (Multifactor Authentication)

Step 1: Go to Settings –> Domains –> Click on Edit, Change the setting of Email Address and Mobile to “Both” so that the user can enroll on any of the verification methods

Step 2: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the domain.

Step 3: Go to Modules –> VGWindows –> Configure –> Change the synchronization between Visual Guard and Active Directory to Both

Step 4: Once you click Ok, you will get a notification to restart the product so that your changes are reflected for the module.

In Visual Guard the Group Attribute refers to the capability to define and manage additional properties or characteristics associated with user groups or categories beyond basic membership. These attributes provide additional context and flexibility for group management, allowing administrators to capture and store diverse information about groups.

Key Aspects

1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their group definitions. This customization ensures that group profiles align with the organization’s structure, policies, and requirements.
2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
3. Visibility and Editability: Administrators can control the visibility and editability of group profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
4. Integration: Group profile attributes can integrate with other systems or applications to synchronize group data across different platforms, streamlining group management processes and ensuring data consistency.
5. Enhanced Group Definition: Group profile attributes enhance group definitions by providing additional context and information about groups, such as departmental affiliations, project assignments, or team roles. This helps administrators better understand and manage groups within the organization.

Structure of the Group Attribute

1. Primary Information which includes;

• Property Name: Identifier for a specific attribute or characteristic of an entity.
• Display Name: Human-readable label used to represent a property or attribute.
• Data type value: Specification defining the type of data stored in a property or attribute i.e
  • String
  • Integer
  • Double
  • Date Time
  • Boolean
  • DropDown List
• Description: Brief explanation or summary providing additional context or details.
• ID: ID, short for “identifier,” is a unique alphanumeric code or label assigned to a specific entity within a system or database.

2. Other Infromation details include;

• Attribute Group Name: Categorization label for grouping related attributes together
• Is Visible: Indicator specifying whether an attribute is visible or hidden in the role interface for e.g if we select PhoneNumber is visible then you will be able to see the phone number details under the shared role profile

Result: Group –> Click on the group –> under profile you will see the Company Name

If you uncheck the Is visible icon the the details will not be visible to you

• Is Required: Flag indicating whether an attribute must be populated with data. e.g if you select the Is required icon then the feature will become a mandatory parameter.

Result: Group -> Click on the group –> under profile you will see the default ‘company name’, if you leave the parameter blank then it will prompt you to enter the details. The page will not be saved unless and until you entered the details.

If you uncheck the Is Required icon the the details will be saved with out any details on the specific parameter.

• Is Search Allowed: Permission setting determining whether an attribute can be used for searching or filtering
• Is ReadOnly for API: Setting determining whether an attribute can be modified via an API or not. is a setting within Visual Guard that specifies whether an attribute associated with a group profile can be modified via an API (Application Programming Interface) or not. When this setting is enabled (set to “readonly”), it restricts the ability to modify the attribute’s value programmatically through API calls. This setting ensures data integrity and security by controlling access to attribute modification functionalities, particularly when changes need to be tightly regulated or restricted to specific user roles or permissions.
• IS ReadOnly for UI: Setting determining whether an attribute is editable in the user interface. is a setting within Visual Guard that determines whether an attribute associated with a group profile can be modified through the user interface (UI) or not. When this setting is enabled (set to “ReadOnly”), it restricts users from modifying the attribute’s value directly via the Visual Guard interface. This setting is useful for ensuring data integrity and security by controlling access to attribute modification functionalities through the UI, particularly when certain attributes should only be modified by administrators or authorized personnel. e.g if we choose the phone number to be ReadOnly for UI then that parameter will be a read only.

Result: Group –> Click on the group –> under profile you will see the company name portion will be ReadOnly and will not be editable.

If you uncheck the Is ReadOnly for UI icon the the parameter will be editable

• Need to save in Log: Specification indicating whether changes to an attribute should be logged for auditing purposes

Overall, the group profile attribute feature enhances the flexibility, granularity, and usability of group management within a user management system, empowering administrators to define and manage groups effectively to meet the organization’s needs and requirements.

In Visual Guard, user attribute refer to the properties or characteristics associated with individual user accounts within the security management system. These attributes provide essential information about users and play a crucial role in defining and managing user profiles

This feature refers to the capability to define and manage additional properties or characteristics associated with user accounts beyond basic login credentials. These attributes provide additional context and flexibility for user management, allowing administrators to capture and store diverse information about users. Examples of user profile attributes include department, job title, email address, phone number, employee ID, and custom fields.

Key aspects of the user profile attribute feature include:

1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their user population.
2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
3. Visibility and Editability: Administrators can control the visibility and editability of user profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
4. Integration: User profile attributes can integrate with other systems or applications to synchronize user data across different platforms, streamlining user management processes and ensuring data consistency.
5. Personalization: User profile attributes enable personalized user experiences by allowing applications to tailor content, features, and functionality based on user attributes, preferences, or roles.

Overall, the user profile attribute feature enhances the flexibility, granularity, and usability of user management systems, empowering administrators to capture and leverage additional user information to support various business processes and enhance user experiences.

Introduction

Visual Guard supports various user types to cater to different authentication needs. This documentation provides an overview of the different user types available in Visual Guard.

VGUser

VGUser is the standard user type in Visual Guard. They can be assigned specific roles and permissions to control their access to secured applications.

Windows User

Visual Guard integrates with Windows user accounts for authentication. This allows the application to utilize existing Windows accounts for user management.

Windows By Credential User

Windows By Credential User is a method that allows Visual Guard to authenticate users using specific Windows credentials. This can be useful when you need to verify users based on their Windows account credentials.

Database User

Visual Guard can authenticate users from a database where user information is stored. This is useful when user management is handled through a separate database system.

Okta User

Okta is a popular Identity and Access Management (IAM) service. Visual Guard supports authentication for users who use Okta as their identity provider.

MFA (Multi Factor Authentication) User

MFA (Multi-Factor Authentication) is a security protocol that enhances protection by requiring users to provide multiple forms of verification before accessing a system or application. It significantly reduces the risk of unauthorized access by combining something the user knows (like a password) with something the user has (like a smartphone)

Using User Types

By leveraging these user types in Visual Guard, you can tailor the authentication process to meet your specific requirements. Whether you need to authenticate users through Windows accounts, database systems, or Okta, Visual Guard provides the necessary flexibility to accommodate different user authentication scenarios.

Conclusion

This documentation provides an overview of the user types available in Visual Guard. By leveraging these user types, you can enhance the authentication process and ensure secure access to your applications. For more detailed information on user types and their configuration, please refer to the official Visual Guard documentation available at docs.visual-guard.com or contact the Visual Guard support team.

In Visual Guard, a role attribute refers to a property or characteristic associated with a specific role within the security management system. Role attributes provide additional context or information about roles, enabling administrators to define and manage roles effectively.

The feature refers to the capability to define and manage additional properties or characteristics associated with user roles beyond basic permissions. These attributes provide additional context and flexibility for role management, allowing administrators to capture and store diverse information about roles.

Key Aspects

1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their role definitions. This customization ensures that role profiles align with the organization’s structure, policies, and requirements.
2. Flexibility: Administrators can configure various types of attributes, such as text fields, dropdown lists, checkboxes, or date fields, to accommodate different types of data and ensure data integrity.
3. Visibility and Editability: Administrators can control the visibility and editability of role profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
4. Integration: Role profile attributes can integrate with other systems or applications to synchronize role data across different platforms, streamlining role management processes and ensuring data consistency.
5. Role Definition Enhancement: Role profile attributes enhance role definitions by providing additional context and information about roles, such as departmental affiliations, job responsibilities, or skill requirements. This helps administrators better understand and manage roles within the organization.

Structure of the Role Attribute

1. Primary Information which includes;

• Property Name: Identifier for a specific attribute or characteristic of an entity.
• Display Name: Human-readable label used to represent a property or attribute.
• Data type value: Specification defining the type of data stored in a property or attribute i.e
  • String
  • Integer
  • Double
  • Date Time
  • Boolean
  • DropDown List
• Description: Brief explanation or summary providing additional context or details.
• ID: ID, short for “identifier,” is a unique alphanumeric code or label assigned to a specific entity within a system or database.

2. Other Infromation details include;

• Attribute Group Name: Categorization label for grouping related attributes together
• Is Visible: Indicator specifying whether an attribute is visible or hidden in the role interface for e.g if we select PhoneNumber is visible then you will be able to see the phone number details under the shared role profile

Result: Shared Role or Role –> Click on the role –> under profile you will see the phone number

If you uncheck the Is visible icon the the details will not be visible to you

• Is Required: Flag indicating whether an attribute must be populated with data. e.g if you select the Is required icon then the feature will become a mandatory parameter.

Result: Shared Role / Role –> Click on the role –> under profile you will see the default phone number, if you leave the parameter blank then it will prompt you to enter the details. The page will not be saved unless and until you entered the details.

If you uncheck the Is Required icon the the details will be saved with out any details on the specific parameter

• Is Search Allowed: Permission setting determining whether an attribute can be used for searching or filtering
• Is ReadOnly for API: Setting determining whether an attribute can be modified via an API or not. is a setting within Visual Guard that specifies whether an attribute associated with a group profile can be modified via an API (Application Programming Interface) or not. When this setting is enabled (set to “readonly”), it restricts the ability to modify the attribute’s value programmatically through API calls. This setting ensures data integrity and security by controlling access to attribute modification functionalities, particularly when changes need to be tightly regulated or restricted to specific user roles or permissions.
• IS ReadOnly for UI: Setting determining whether an attribute is editable in the user interface. is a setting within Visual Guard that determines whether an attribute associated with a group profile can be modified through the user interface (UI) or not. When this setting is enabled (set to “ReadOnly”), it restricts users from modifying the attribute’s value directly via the Visual Guard interface. This setting is useful for ensuring data integrity and security by controlling access to attribute modification functionalities through the UI, particularly when certain attributes should only be modified by administrators or authorized personnel. e.g if we choose the phone number to be ReadOnly for UI then that parameter will be a read only.

Result: Shared Role / Role –> Click on the role –> under profile you will see the phone number portion will be ReadOnly and will not be editable.

If you uncheck the Is ReadOnly for UI icon the the parameter will be editable

• Need to save in Log: Specification indicating whether changes to an attribute should be logged for auditing purposes

Overall, the role profile attribute feature enhances the flexibility, granularity, and usability of role management within a user management system, empowering administrators to define and manage roles effectively to meet the organization’s needs and requirements.

An application MFA (Multi-Factor Authentication) policy refers to the set of rules and configurations applied to an application to enforce multi-factor authentication for enhanced security. This policy dictates how and when additional authentication factors, beyond the standard username and password, are required to verify the identity of users accessing the application.

Benefits of an Application MFA Policy:

• Enhanced Security: By requiring multiple forms of verification, MFA significantly reduces the risk of unauthorized access due to compromised credentials.
• Compliance: Helps organizations meet regulatory requirements for strong authentication measures.
• User Assurance: Increases user confidence in the security of their accounts and sensitive data.
• Risk Management: Allows for adaptive authentication based on risk, ensuring that higher-risk actions are better protected.

Key Aspects of MFA Application Policy in Visual Guard:

1. Application-Specific Configuration:
   • Customization: Tailor MFA settings to the unique requirements of each application.
   • Flexibility: Adjust the level and methods of authentication based on the sensitivity and usage patterns of the application.
2. Authentication Methods:
   • SMS OTP (One-Time Password): Sends a one-time code via SMS to the user’s registered mobile number.
   • TOTP (Time-Based One-Time Password): Utilizes authenticator apps like Google Authenticator or Microsoft Authenticator.
   • Email OTP: Sends a one-time code to the user’s registered email address.
3. User Enrollment:
   • Initial Setup: Guides users through the MFA setup process when they first access the application.
   • Self-Service Management: Allows users to manage their MFA settings through a self-service portal within the application.
4. Compliance and Security:
   • Regulatory Compliance: Ensures the application meets regulatory requirements for secure authentication.
   • Audit Trails: Maintains logs of all MFA events specific to the application for compliance and security reviews.
5. Monitoring and Reporting:
   • Real-Time Monitoring: Tracks MFA activities in real-time, providing insights into usage patterns and potential security issues.
   • Detailed Reports: Generates reports on MFA usage, including successful and failed authentication attempts, for security analysis and compliance checks.

Please refer to the below links to know more about how to use the MFA policy.

Application deployment in Visual Guard refers to the process of deploying security configurations, such as roles, permissions, and user profiles, to specific applications or systems within an environment. This deployment ensures that security settings are applied effectively to the target applications, enabling consistent access control and enforcing security policies.

Key aspects of application deployment in Visual Guard include:

1. Targeted Application Configuration: Security configurations are deployed selectively to specific applications or systems within the environment, ensuring that each application receives the appropriate security settings tailored to its requirements.
2. Version Control and Management: Application deployment may involve versioning of security configurations, allowing administrators to track changes over time, revert to previous versions if necessary, and maintain an audit trail of configuration modifications.
3. Integration with Development Lifecycle: Application deployment integrates with the development lifecycle, enabling security configurations to be deployed seamlessly across different stages, such as development, testing, and production.
4. Scalability: Application deployment processes are designed to scale effectively with the organization’s growth and increasing complexity, ensuring that security configurations remain manageable and consistent across a diverse range of applications and systems.
5. Reliable Access Control: By ensuring the timely and accurate deployment of security configurations to target applications, Visual Guard facilitates reliable access control, enabling organizations to enforce security policies effectively and mitigate security risks.

Overall, application deployment in Visual Guard plays a crucial role in ensuring that security configurations are effectively applied to target applications, promoting consistency, reliability, and scalability in access control across enterprise environments.

In Visual Guard, the Identity Client is a component responsible for interacting with the VGIdentity Server to handle user authentication and authorization within applications. It acts as a client-side library or module integrated into the application code to facilitate user authentication, obtain security tokens, and enforce access control policies.

Overall, the Identity Client plays a crucial role in enabling secure and seamless user authentication and access control within Visual Guard-protected applications. It helps enforce authentication and authorization policies, manage user sessions, and provide a smooth user experience while maintaining robust security measures.

Below are the different functionalities that fall under Identity Client configuration

1. Primary Information: Essential data or key details that are fundamental to understanding the application.

• Name: A unique identifier or label assigned to the application
• Platform types: VisualGuard Identity Client configuration supports various platform types for integration with applications, each catering to different use cases and environments. Here’s an explanation of the different platform types:
  • Web Applications (Java, Asp.Net, etc): Software programs or platforms accessed through web browsers, allowing users to interact with services, data, and functionalities over the internet.
  • SPAs (Single Page Application) (Javascript Front end apps, Angular.js, Node.js, etc): Web applications that dynamically update content without reloading the entire page, offering a seamless and responsive user experience similar to desktop applications
  • Native Applications (Mobile/Desktop, Powerbuilder, PowerServer etc): Software programs developed specifically for a particular platform or device, leveraging its native features and capabilities to deliver optimized performance and user experience.
  • Service Applications (Machine to Machine – On behalf of the client, no interactive user is present): Software programs designed to run in the background, providing specific functionalities or performing tasks independently of user interaction, often used to automate processes or manage system resources
• Description: A brief explanation or summary providing additional context or details about the application
• Application type: Classification specifying the nature or purpose of a software application such PowerBuilder, PowerBuilder + PowerServer

2. Identity Resources/Scope: The client specifies the scope of the access requested, which defines the resources and operations the client is allowed to access on behalf of the user. The scope is included in the authorization request.

• VG Activity Date: It requests access for the VGActivityDate information
• VGApplications: It requests access for the list of accessible applications
• VGDeveloper: It requests access for the information for api operations for developers (vgPermissionInfo, vgRoleInfo, vgAppInfo)
• VGIsApproved: It requests access for whether a user is approved user or not
• VGIsLocked: It requests access for whether a user is locked user or not
• VGPermissions: It requests access for the list of accessible permissions
• VGProfile: It requests access for the user profile information (firstname, lastname, email etc.)
• VGRoles: It requests access for the list of accessible roles
• VGToken: It requests access for the VGToken

3. Redirect URIs Information – Uniform Resource Identifiers (URIs): The client specifies one or more redirect URIs where the Identity server will redirect the user after authentication. The redirect URI must be registered with the VisualGuard Identity server during client registration to prevent certain types of attacks, such as authorization code interception.

• Allowed Redirect URIs
• Post Logout URIs
• Is Overwrite URI Information when deployed

• CORS: Refers to Cross-Origin Resource Sharing (CORS), which is a mechanism that allows resources on a web page to be requested from another domain outside the domain from which the resource originated.
  • Allowed cors origin

4. Grant Types: The client specifies the type of authorization grant it will use to obtain access tokens. Common grant types include Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.

• Client credentials: On behalf of a client, no interactive user is present
• Implicit: Normally used for JavaScript applications, where all tokens are transmitted via browser, access token is returned immediately without an extra authorization code exchange step and advanced features like refresh tokens are thus not allowed
• Authorization Code: Provides a way to retrieve tokens on a back-channel as opposed to the browser front-channel
• ResourceOwner Password: It allows to request tokens on behalf of a user by sending the user’s name and password to the token endpoint. This is so called “non-interactive” authentication and is generally not recommended
• Hybrid: It is a combination of the implicit and authorization code flow – it uses combinations of multiple grant types, most typically code id_token. In hybrid flow the identity token is transmitted via the browser channel and contains the signed protocol response along with signatures for other artifacts like the authorization code. This mitigates a number of attacks that apply to the browser channel

5. Secret Keys: This is a piece of confidential information, typically a long string of characters, used for cryptographic purposes, such as encrypting and decrypting data, or for authenticating communication between parties.

• Secret: A confidential string used for cryptographic operations, such as encrypting and decrypting data
• Description: A brief explanation or summary providing additional context or details about the application
• Expiry: The date becomes invalid or no longer usable
• Is override when deployed: Indicating whether a configuration should be replaced with a new value when deployed

Please click on the respective links to create your identity clients

The “Manage Application Attribute” refers to the capability to define and manage additional properties or characteristics associated with applications or software systems within the user management platform. These attributes provide additional context and flexibility for application management, allowing administrators to capture and store diverse information about applications.

Key aspects of the application profile attribute feature include:

1. Customization: Users can define custom attributes tailored to their organization’s specific needs, enabling them to capture relevant information unique to their applications. This customization may include attributes such as application name, description, version, platform compatibility, or metadata relevant to application configuration and management.
2. Visibility and Editability: Administrators can control the visibility and editability of application profile attributes based on user roles or permissions, ensuring that sensitive information is appropriately secured and only accessible to authorized personnel.
3. Integration: Application profile attributes can integrate with other systems or applications to synchronize application data across different platforms, streamlining application management processes and ensuring data consistency.
4. Metadata Management: Application profile attributes enable administrators to manage metadata associated with applications, such as release notes, installation instructions, licensing information, or third-party dependencies, facilitating comprehensive application lifecycle management.

Overall, the application profile attribute feature enhances the flexibility, granularity, and usability of user management systems, empowering administrators to capture and leverage additional application information to support various business processes and enhance application management practices.

Features:

• Name: Identifier or label assigned to the application profile attribute
• Is Encrypted: Flag indicating whether the attribute value is encrypted for security purposes or not
• Is Overwrite when Deployed: Setting determining whether the attribute should be replaced with a new value during deployment
• Edit: Action allowing modification of the application profile attribute
• Delete: Action allowing removal of the application profile attribute

The Visual Guard System Role Permission Matrix page provides a detailed breakdown of the permissions associated with each of the nine predefined roles offered by Visual Guard.

The matrix is a comprehensive guide that outlines the level of access each role has to applications, groups, roles, and users. It covers a wide range of permissions, from creating and deleting applications, groups, and roles, to reading and updating permissions, permission sets, and users.

Visual Guard offers 9 predefined roles to the user. Depending on the user role the amount of access to applications, groups, roles and users will be defined.
The matrix defined below defines the permissions associated with each role.

If you have been granted the Master Administrator role you will have full access to all the resources of the Visual Guard tools

• The Master Administrator will be assigned the following permission sets by default:

• The Master Administrator will be assigned following permissions by default:

See Also:

• Special Roles
• Impact of granting multiple roles (missing mink)
• Special Roles & Permission Matrix

This user can create new user and read only those users which are assigned to the groups assigned to the user. Additionally the user can create group and read only those group(s) which are assigned to logged in user.

The user can grant or revoke the Application, Shared & System roles to Groups/Users.

• The User Administrator will be assigned the User Administrator and Restricted User Administrator permission set by default.
• The User Administrator will be assigned the following permissions by default:

• To explore the impact of permissions please click on the relevant link below:

Please Note: The sections on which the role has no impact has not been listed

Impact of user administrator role on applications

This module explains the impact on the applications if the user has been granted the User Administrator Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.

• The user will be able to view list of all the applications (A).
• Since the user has permissions to Can Read All Applications the user will be able to view the details of all the applications.
• The user can click on the Application name to view the application information as shown below:

• The application information will be available in read only mode.

Impact of User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the User Administrator Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

Since the user has permissions to Can Generate Documentation he can use the Generate Documentation option to generate the documentation of each entity in the Visual Guard console.

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted the User Administrator Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read Groups, the user will be able to view the group that has been assigned to him.
• The parent groups of the assigned group will also be displayed.

• Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.
• The Can Create Group privilege allows the user to create a group. This option will be available only if a group has been assigned to the user.

• The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.

• Since the user has the Can Delete Group and Can Update Group privileges he can remove or update group related details.

Impact of User Administrator Role on Role

This module explains the impact on the roles if the user has been granted the User Administrator Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application since he has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has the Can Read Application Role and Can Update Application Role privilege, the user can view and update role details by clicking on the Application>Role> Rolename.
• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users”  & “Revoke role from users”  available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more.

• Grant role to users: When you select option “Grand role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “yes” , the role will be successfully revoked and below message will appear:

• The user can also grant/Revoke the role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant the role.

• The user can delete the application role since he has the Can Delete Application Role privilege.
• Additionally the User Administrator has access to manage the Shared Roles.
• The Can Create Shared Role privilege allows the user to create a new Shared Role.

• The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:

• The user has the privilege to read and update the shared roles information, since he has been granted the Can Read Shared Role and Can Update Shared Role privileges.
• Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege the user can edit the granted users option.

• The user can select and edit the members for the selected role. Click here to know more.
• The user can also grant the shared role to the groups, since the user has the Can Grant Revoke Shared Roles To Groups privilege.

• The user can assign the shared role to the group.

• The user can delete the shared role, since he has the Can Delete Shared Role privilege.
• The User administrator can just view the System Roles related information, since he has the Can Read System Role privilege.
• The user can view and update the role details by clicking on the Application>Role> Rolename.

 
Impact of User Administrator Role on Users

This module explains the impact on the user related permissions if the user has been granted a User Administrator Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new user, since he has the Can Create User privilege.
• The user can create a user only under the groups assigned to him.

• When the user clicks on the new user option following screen will be displayed:

• Click “OK”  to complete the user creation.
• The new user account will be created and will be displayed in the Grid on Right side.

• The user can view the user details by clicking on the user name as shown below:

• Since the user has the privilege Can Read User and Can Update User, the user will be able to update the user details.
• The user administrator has the privilege to delete the user, since the user has the Can Delete User privilege.
• Additionally the user administrator can lock a user or unlock the user accounts since he has the Can Lock Unlock User permission.

See Also:

• Special Roles 
• Impact of granting multiple roles 
• Special Roles & Permission Matrix

This user can manage users and roles in a given application.
This user type is also allowed to manage users and roles of the applications for which the user is a member of ‘Membership Manager’ role.

• The Restricted User Administrator will be assigned the restricted user administrator permission set by default.
• The Restricted User Administrator will be assigned following permissions by default:

• To explore the impact of permissions please click on the relevant link below:

Impact of Restricted User Administrator Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted User Administrator Role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has the permissions Can Generate Documentation he can use the Generate Documentation option to generate the documentation for the available entities.

• Can Read Event Log permission allows access to the event log as shown below:

Impact of Restricted User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted User Administrator Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read Groups, the user will be able to view the group that has been assigned to him.
• The parent groups of the assigned group will also be displayed.

• Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.
• The Can Create Group privilege allows the user to create a group. This option will be available only if the user has been assigned to a group.

• The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.

• Since the user has the Can Delete Group and Can Update Group privileges he can remove or update group related details.

Impact of Restricted User Administrator Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted User Administrator Role.

The users will be allowed to manage only those applications for which the user is a member of ‘Membership Manager’ role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application (for which he has “Membership Manager” role), since the user has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update role details by clicking on Application>Role> Rolename.
• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users” & “revoke role from users” available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more.

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “Yes” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant role.

• The user can delete the application role since he has the Can Delete Application Role privilege.
• Additionally the Restricted User Administrator has access to manage the Shared Roles.
• The Can Create Shared Role privilege allows the user to create a new Shared Role.

• The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:

• The user has the privilege to read shared roles because of the Can Read Shared Role privilege and update information because of the Can Update Shared Role privilege the role details will be displayed in an editable mode.
• Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege the user can edit the granted users option.

• The user can select and edit the members for the selected role. Click here to know more.
• The user can grant the shared role to the groups, since he has the Can Grant Revoke Shared Roles To Groups privilege.

• The user can assign the shared role to the group.

• The user can delete the shared role since he has the Can Delete Shared Role privilege.
• The Restricted User administrator also has the privilege to view the system roles in read only mode because of the Can Read System Role privilege.

 
Impact of Restricted User Administrator Role on Users

This module explains the impact on the users if the user has been granted a Restricted User Administrator Role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new user because of the Can Create User privilege.
• The user can create a user only under the groups assigned to him.

• When the user clicks on the new user option following screen will be displayed.

• When the user clicks “OK” the new user account will be created and will be displayed in the Grid on Right side.

• The user can view the user details by clicking on the user name as shown below:

• Since the user has the privilege Can Read User and Can Update User, the user will be able to update the user details.
• The restricted user administrator will have the privilege to delete the user, since he has the Can Delete User privilege.
• Additionally the restricted user administrator can lock an user or unlock user accounts because of the Can Lock Unlock User permission assigned to him.

See Also:

• Special Roles
• Impact of granting multiple roles 
• Special Roles & Permission Matrix

This user type has the rights to edit, update & remove the Permission & Permission sets. The users can only create & grant revoke application roles to Groups/ Users.

• The Developer will be assigned the Developer and Restricted Developer permission sets by default.
• Depending on the permission sets the Developer will be assigned following permissions by default.

• To explore the impact of permissions please click on the relevant link below:

Impact of Developer Role on Applications

This module explains the impact on the applications if the user has been granted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:

• Since the user has permissions to Can Read All Applications and Can Read Application, the Can Read All Applications will override.
• The user will be able to view list of all the applications (A).
• The user can click on the Application name to view the application information as shown below:

• The application information will be available in an editable mode since the user has Can Update Application privilege.
• The user can update information related to all the applications.

Impact of Developer on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Can Read Event Log permission allows access to view the event log as shown below:

 
Impact of Developer Role on Groups

This module explains the impact on the groups if the user has been granted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read Groups, the user will be able to view the group that has been assigned to the user.
• The parent groups of the assigned group will also be displayed.

• The privileges that are available to the user will depend on the user and the group privileges.

Impact of Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
• Additionally the user can manage the other permission related properties using the available options.

Impact of Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• In addition to the privilege to create permission sets, the user has permission to Create, Delete, Read and Update permission sets, and thus will be able to update existing permission sets.
• Additionally the user can manage the other permission set related properties using the available options. 

• Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.

• The user can also grant the permission set to the Shared roles, since the user has Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Developer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application, since the user has Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “grant role to users” & “Revoke role from users”  available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more.

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users”  you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “YES” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application under which it has been created. The user can select and grant this new role.

• Since the user has Can Read System Role privilege the system role information will be displayed in read only mode.
• Since the user has Can Read Shared Role privilege the shared role information will be displayed in read only mode.

• Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

• Since the user has Can Read Application Role and Can Update Application Role privileges, the user can view and update existing application role information role details.
• To update the role information click on the role name under Applications> Role.

See Also:

• Special Roles
• Impact of granting multiple roles 
• Special Roles & Permission Matrix

This type of user can create or edit application, permission, user and role of the applications for which the user has been granted ‘Membership Manager’ role.

• The Restricted Developer will be assigned the restricted developer permission set by default.
• The Restricted Developer will be assigned following permissions by default for the applications for which he has been granted role:

• To explore the impact of permission please click on the relevant link below:

Please Note: The sections on which the role has no impact has not been listed.

Impact of Restricted Developer Role on Applications

This module explains the impact on the applications if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:

• The applications for which the user has Membership Manager role will be displayed.
• The user can deploy the application , since the user has the Can Deploy Application permission.
• Since the user has permissions Can Read Application, when the user clicks on application name the application details (A) will be displayed.

• The application information will be available in an editable mode since the user has the Can Update Application privilege.
• The user can update information related to the applications.

Impact of Restricted Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has the Membership Manager role.

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer Role on Groups

This module explains the impact on the groups if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has the Membership Manager role. 

• Since the user has permissions to Can Read Group, the user will be able to view the group that has been assigned to the user.
• The parent groups of the assigned group will also be displayed.

• Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Restricted Developer Role on Permissions

This module explains the impact on the permissions if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
• Additionally the user can manage the other permission related properties using the available options.

Impact of Restricted Developer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed
• The user will be able to view list of all the applications (A) for which he has been granted the Membership Manager Role..

• Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update existing permission set besides having the privilege to create the permission sets.
• Additionally the user can manage the other permission set related properties using the available options. 

• Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.

• The user can also grant the permission set to the Shared roles , since the user has the Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Restricted Developer Role on Roles

This module explains the impact on the roles if the user has been granted Restricted Developer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application, since the user has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has the Can Read Application Role and Can Update Application Role privilege, the user can view and update role details.
• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users”  & “Revoke role from users” available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more. 

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “YES” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant role.

• Though the user can create an application role but has the privilege to just read system roles, since the user has the Can Read Shared Role privilege.
• Since the user has the Can Read Shared Role privilege the shared role information will be displayed in read only mode.

• Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

See Also:

• Special Roles
• Impact of granting multiple roles (missing link)
• Special Roles & Permission Matrix

This type of user can edit applications, permissions, roles and users but not the repository. The user can also deploy the applications.

• The Developer Deployer will be assigned both the Deployer and Developer permission sets by default.
• The developer permission set will comprise of both the developer and restricted developer permission sets.
• Depending on the permission sets the Developer Deployer will be assigned the following permissions by default:

• To explore the impact of permission please click on the relevant link below:

Please Note: The sections on which the role has no impact has not been listed

Impact of Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Developer Deployer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:

• The user will be able to view list of all the applications (A).
• The user can deploy the applications since he has the Can Deploy Applications permission.
• Since the user has permissions to Can Read All Applications and Can Read Application, the Can Read All Applications will override.
• The user can click on the Application name to view the application information as shown below:

• The application information will be available in an editable mode, since the user has the Can Update Application privilege.

Impact of Developer Deployer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Developer Deployer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Developer Deployer Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view a list of all the applications (A).

• Since the user has permissions to Can Read Groups, the user will be able to view the group that has been assigned to the user.
• The parent groups of the assigned group will also be displayed.

• Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted Developer Deployer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
• Additionally the user can manage the other permission related properties using the available options.

Impact of Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Developer Deployer Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update existing permission set besides having the privilege to create the permission sets.
• Additionally the user can manage the other permission set related properties using the available options.

• Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.

• The user can also grant the permission set to the Shared roles, since the user has the Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Developer Deployer Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application because he has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users” & “Revoke role from users” available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more.

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

• Once confirmed by clicking on option “YES” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant role.

• Though the user can create an application role but has the privilege to just read the system roles because of the Can Read Shared Role privilege.
• Since the user has Can Read Shared Role privilege the shared role information will be displayed in read only mode.(A)

• Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can edit Granted users option.
• To update the role information click on the role name under the Applications>Role.

See Also:

• Special Roles

• Impact of granting multiple roles 

• Special Roles & Permission Matrix 

This type of user can create or edit application, permission, user and role of the applications for which the user has been granted ‘Membership Manager’ role.

• The Restricted Developer Deployer will be assigned both the Deployer and Restricted Developer permissions sets by default.
• The Restricted Developer Deployer will be assigned, the following permissions by default:

• To explore the impact of each permission please click on the relevant link below:

Please Note: The sections on which the role has no impact has not been listed

Impact of Restricted Developer Deployer Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.

• The applications for which the user has Membership Manager role will be displayed.
• The user can deploy the application, since the user has the Can Deploy Application permission.
• Since the user has permissions Can Read Application, when the user clicks on application name the application details (A) will be displayed.

• The application information will be available in an editable mode, since the user has the Can Update Application privilege.
• The user can update information related to the applications.

Impact of Restricted Developer Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has been granted the Membership Manager Role..

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer Deployer Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has been granted the Membership Manager Role..

• Since the user has permissions to Can Read Group, the user will be able to view the group that has been assigned to the user.
• The parent groups of the assigned group will also be displayed.

• Depending on the user privileges and assigned group privileges the list of privileges will be decided automatically.

Impact of Restricted Developer Deployer Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Create, Delete, Read and Update permissions, the user will be able to update existing permission besides having the privilege to create the permission.
• Additionally the user can manage the other permission related properties using the available options.

Impact of Restricted Developer Deployer Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has been granted the Membership Manager Role..

• Since the user has permissions to Create, Delete, Read and Update permission sets, the user will be able to update an existing permission set besides having the privilege to create the permission sets.
• Additionally the user can manage the other permission set related properties using the available options.

• Since the user has also been granted the Can Grant Revoke Permission Sets to Application Roles privilege the user can Grant permission sets to the selected role as shown below.

• The user can also grant the permission set to the Shared roles, since the user has Can Grant Revoke Permission Sets to Shared Roles privilege.

Impact of Restricted Developer Deployer Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer Deployer Role.

• The User will be assigned the following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application, since the user has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users”  & “Revoke role from users” available under tab “Granted User”.

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here (missing link) to know more.

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option “Revoke role from users” you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “YES” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant role.

• Since the user has the Can Read Shared Role privilege the shared role information will be displayed in the read only mode.

• Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

See Also:

• Special Roles

• Impact of granting multiple roles

• Special Roles & Permission Matrix 

This user can access the repository in read only mode, he can also read the log and print the report.

• The Auditor will be granted the Auditor and Restricted Auditor permission sets by default.
• Depending on the permission sets the Auditor will be assigned following permissions by default:

Impact of Auditor Role on Applications

This module explains the impact on the applications if the user has been granted Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:

• Since the user has permissions to Can Read All Applications and Can Read Application, the Can Read All Applications will override.
• The user will be able to view list of all the applications. (A)
• The user can click on the Application name to view the application information as shown below:

• Other application related options will be disabled as shown below:

Impact of Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Generate Documentation he can use Generate Documentation option to generate documentation of each entity in the Visual Guard console.

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Auditor Role on Groups

This module explains the impact on the groups if the user has been granted an Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read All Groups and Can Read Groups, the Can Read All Groups will override.
• The user will be able to view list of all the groups.

• The user cannot rename, remove or add a new group, the options will be disabled as shown below:

Impact of Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted an Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Read permissions all permission details will be displayed in read only mode. (A)
• Additionally the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted an Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Read permission sets all permission set details will be displayed in read only mode. (A)
• Additionally the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Auditor Role on Roles

This module explains the impact on the roles if the user has been granted an Auditor Role.

The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has Can Read Application Role privilege he can view just the role details.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

• Similarly the Can Read Shared Role privilege will allow the user to view the shared role information in read only mode.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

• Similarly the Can Read Special Role privilege will allow the user to view the special role information in read only mode.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Auditor Role on Users

This module explains the impact on the users if the user has been granted an Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has both the privileges namely Can Read All Users and Can Read User permissions, Can Read All Users permission will override.
• Can Read All Users permission will allow the user to view the list of all users.
• The user can view the user details by clicking on username.

• All details will be displayed in read only mode.

See Also:

• Special Roles
• Impact of granting multiple roles
• Special Roles & Permission Matrix

This user has same privilege as the auditor except that his access is limited to a single application.

The permission allows auditing applications for which the user is a member of the ‘Membership Manager’ role.

• The Restricted Auditor will be assigned, the following permission set by default:

• The Restricted Auditor will be assigned, the following permissions by default:

Impact of Restricted Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:

• Since the user has permissions to Can Read Application, the user will be able to view the application details in read only format.
• Once the user clicks on the Application name the application details will be displayed as below:

• Other application related options will be disabled as shown below:

Impact of Restricted Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The Restricted Auditor Role, do not have permission to view the application list, hence as soon as they Login, they can view the below screen.

• Since the user has permissions to Can Generate Documentation he can use the Generate Documentation option to generate the documentation.

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Auditor Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read Groups he will be able to view the list of groups that are assigned to him.
• In case a child group is assigned to the user, automatically the parent group will also be displayed.
• The user will be able to view list of all the groups. (B)

• Depending on the roles assigned to the user and the group the role with maximum privileges will take effect.
• For example if the user has role of Restricted Auditor and assigned group has Master Administrator role, the user will be granted Master Administrator role.

Impact of Restricted Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted a Restricted Auditor Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A) for which he has the Membership Manager role.

• Since the user has permissions to Read permissions all permission details will be displayed in read only mode. (A)
• Additionally the options to rename, remove or add a new permission will also be disabled as shown below:

Impact of Restricted Auditor Role on Permission Sets

This module explains the impact on the permissions if the user has been granted a Restricted Auditor Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view a list of all the applications (A) for which he has the Membership Manager role.

• Since the user has permissions to Read permission sets all permission set details will be displayed in read only mode. (A)
• Additionally the options to rename, remove or add a new permission set will also be disabled as shown below:

Impact of Restricted Auditor Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted Auditor Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A) for which he has the Membership Manager role.

• Since the user has Can Read Application Role privilege the user can view only the role details of the application for which the user has Membership Manager role.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

• Similarly the Can Read Shared Role privilege will allow the user to view the shared role information in read only mode.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

• Similarly the Can Read Special Role privilege will allow the user to view the special role information in read only mode.
• Additional options such as rename, remove or add a new role will be disabled as shown below:

Impact of Restricted Auditor Role on Users

This module explains the impact on the users if the user has been granted a Restricted Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A) for which he has the Membership Manager role.

• Since the user has the Can Read User permission the option will allow the user to view list of all users that belong to the same group as the user.
• Additionally depending on the group permissions list of users that are listed might vary.
• For example the current user has restricted auditor permission but if the user group has the Master Administrator role then the list of all the users will be displayed.
• The user can view the user details by clicking on the username.

See Also:

• Special Roles
• Impact of granting multiple roles
• Special Roles & Permission Matrix

Visual Guard allows you to manage membership role and manage users and groups assigned to the role.

To view role related details follow the steps below:

• The Membership Manager Role is displayed under Repository> Application> Roles.

• To make effect of the Membership Manager you need to change the Membership Access Level available in the application.

See Also: 

• View & Revoke User
• View Assigned Groups

Visual Guard offers 9 predefined roles to the user. The users can be assigned one or more roles simultaneously.

Depending on the assignment the system will automatically decide the level of access.

For example Create a user and grant him two special roles namely Restricted Developer and Auditor.

The list of privileges assigned to the user will be as below:

Impact of Restricted Developer and Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.

• Since the user has permissions to Can Read All Applications and Can Read Application, the Can Read All Applications will override.
• The user will be able to view list of all the applications (A).
• The user can click on the Application name to view the application information as shown below:

• The application information will be available in an editable mode, since the user has the Can Update Application privilege.
• The user can update information related to all the applications.

Impact of Restricted Developer and Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Generate Documentation he can use Generate Documentation option to generate documentation of each entity in the Visual Guard console.

• Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer and Auditor Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has permissions to Can Read All Groups and Can Read Groups, the Can Read All Groups will override.
• The user will be able to view list of all the groups.

• The user cannot rename, remove or add a new group, the options will be disabled as shown below:

Impact of Restricted Developer and Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user will have the permission Create Permission as a result the New Permission option will be enabled.

• Additional permission related privileges that have been assigned to the user comprise of Update and Delete permissions, these privileges allow access to Rename, Remove, and Duplicate options to the user as shown below. 

• The Can Read Permission allows the user to view the Permission information when the user clicks on the permission name.

Impact of Restricted Developer and Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned the following permissions:

• Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user will have the permission Create Permission Sets as a result the New Permission Set option will be enabled.

• Additional permission set related privileges that have been assigned to the user comprise of Update and Delete permissions, these privileges allow access to Rename, Remove, and Duplicate options to the user as shown below.

• The Can Read Permission Set allows the user to view the Permission Set information when the user clicks on the permission name.

• Additionally the user will also have access to Can Grant Revoke Permission Sets To Application Roles this permission will allow the user to modify the permission sets belonging to the application role.
• Can Grant Revoke Permission Sets To Application Roles permission allows access to the Edit Permission Set option as shown below:

• When the user clicks on the Edit Permission Sets he will be able to grant or revoke the permission sets.

• Can Grant Revoke Permission Sets To Shared Roles permission allows the user to grant or revoke the permission sets listed under the shared role
• The Edit Permission Set will be available.

• When the user clicks on Edit Permission Sets he will be able to grant or revoke the permission sets.

Impact of Restricted Developer and Auditor Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer and Auditor Role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• The user can create a new role under an application , since the user has the Can Create Application Role privilege.

• The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

• Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
• Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users”  & “Revoke role from users” available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here to know more.

• Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

• Revoke role from users: When you select option   you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “Yes” , the role will be successfully revoked and below message will appear:

• The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

• The new role will be listed under the application, the user can select and grant role.

• Since the user has the Can Read System Role privilege the system role information will be displayed in read only mode.
• Since the user has the Can Read Shared Role privilege the shared role information will be displayed in read only mode. 

• Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

Impact of Restricted Developer and Auditor Role on Users

This module explains the impact on the users if the user has been the granted Restricted Developer and Auditor Role.

• The User will be assigned following permissions:

• When the user logs in using the assigned mode of authentication, the following screen will be displayed.
• The user will be able to view list of all the applications (A).

• Since the user has both the privileges Can Read All Users and Can Read User permission, Can Read All Users permission will override.
• Can Read All Users permission will allow the user to view the list of all users.
• The user can view the user details by clicking on username.

• All details will be displayed in the read only mode.

See Also:

• Special Roles
• Impact of granting multiple roles
• Special Roles & Permission Matrix

This role restricts the user account from editing the Visual Guard application.

• The user with Auditor role and vg_BasicAccess database role will be having the following access:

• The user with Developer role and vg_BasicAccess database role will be having the following access:

• The user with Master Administrator role and vg_BasicAccess database role will be having the following access:

• The user with Restricted Auditor role and vg_BasicAccess database role will be having the following access:

• The user with Restricted User Administrator role and vg_BasicAccess database role will be having the following access:

• The user with User Administrator role and vg_BasicAccess database role will be having the following access:

This role allows you to create or edit user accounts and to grant roles to this user.

• The user with Auditor role and vg_UserAdminAccess database role will be having the following access:

• The user with Developer role and vg_UserAdminAccess database role will be having the following access:

• The user with Master Administrator role and vg_UserAdminAccess database role will be having the following access:

• The user with Restricted Auditor role and vg_UserAdminAccess database role will be having the following access:

• The user with Restricted User Administrator role and vg_UserAdminAccess database role will be having the following access:

• The user with User Administrator role and vg_UserAdminAccess database role will be having the following access:

This role allows you to create or edit user accounts, roles, applications, permissions and permission sets

• The user with Auditor role and vg_DeveloperAccess database role will be having the following access:

• The user with Developer role and vg_DeveloperAccess database role will be having the following access: