Access management involves establishing procedures for creating and managing user accounts, defining access permissions based on job roles or responsibilities, and monitoring user activity to ensure compliance with security policies. This includes managing local user access, where user accounts are created and permissions are assigned based on job roles or responsibilities. It also includes implementing Role-Based Access Control (RBAC) which assigns permissions based on predefined roles, simplifying the management of user access. Additionally, Single Sign-On (SSO) allows enterprise users to use a single set of credentials to access multiple systems. By implementing access management practices such as these, organizations can ensure that only authorized individuals have access to sensitive information.
Local user
Navigate to the top right corner of the DataBee portal and click on the configuration icon. Select Access Management from the dropdown menu that appears. The "Access Management" configuration page will be displayed. Select the Users tab. A table with the following columns will be shown:
- ID: The unique identifier for each user account.
- FULL NAME: The name of the user associated with the account.
- USERNAME: The username used to log in to the account.
- LAST LOGIN: The date and time the user last logged in to the account.
- CREATED: The date and time the user account was created.
- ROLE: The user role assigned to the account such as Administrator, Data Engineer, or Analyst.
- STATUS: The current state of the account, either Active or Inactive. Inactive accounts are not permitted to log into DataBee, but information related or linked to those accounts is retained by the system.
- ACTIONS: The available actions for each user account, including Edit, Reset Password, and Enable or Disable the account.
Just below the column headings, you will see a filter option. Here, you can type in the keyword you want to filter by, and it shows the user accounts that match your filter keyword.
Note that only users with administrative privileges can manage user accounts in DataBee.
To create a new user account, click on the Create User Account button located below the table. This will take you to the "User Details" page. Fill in the user details such as the First Name, Last Name, Email, Username, and Password, and select the user role from the Role dropdown menu. Click on the Submit button to create a new user account.
To edit an existing user account, click on Edit located in the 'ACTIONS' column of the table. This will take you to the "User Details" page where you can make the necessary changes and click on the Submit button.
Administrators can also reset passwords and enable or disable user accounts. To enable or disable an account, click on Enable or Disable in the 'ACTIONS' column. To reset a password, click on Reset Password in the 'ACTIONS' column of the table; a confirmation dialog box appears to confirm that you want to reset the password. Click on the OK button to proceed.
Role-based Access Controls
Role-based access controls (RBAC) selectively allow users to use DataBee features based on the functions they perform for the enterprise. This allows enterprises to implement a policy of least-privilege access. DataBee has three defined roles (Analyst, Data Engineer, and Administrator) that users can be mapped into. For enterprises using Single Sign-On (i.e., domain-managed user identities), the DataBee UI allows them to map domain groups to DataBee roles. If a domain user is a member of multiple mapped groups, that user is granted the highest level of permission allowed for any of the groups of which they are a member.
DataBee Customer Roles
These roles are available in DataBee and can have multiple common industry job functions mapped onto them.
- Analyst: There are two subtypes of analyst in a security organization, Compliance Analysts and SOC Analysts, but in DataBee they share a single role. Compliance Analysts are responsible for measuring, proving, and ensuring that an organization's operations and procedures meet the company's regulatory and industry compliance standards. They are measured on providing the necessary reporting and insights for the organization to enforce its compliance standards. SOC Analysts are responsible for monitoring, analyzing, and responding to security issues that are detected and reported. They are measured on threat response and remediation, in both time to resolve and thoroughness of resolution.
- Data Engineer: Responsible for the data, platforms, and systems used by the Threat Hunting, SOC, and Compliance cybersecurity teams to respond effectively to security incidents. Measured on the ability to deliver solutions that improve the cybersecurity teams' response to threats and incidents.
- Administrator: Technical lead responsible for maintaining and configuring operating systems and platforms. Oversees the use of the DataBee product and has the widest authority within the system.
RBAC Matrix
For each feature a role can have the following permissions:
- "r" for read (i.e., allow GET)
- "w" for write (i.e., allow POST, PUT, and DELETE)
- "r/w" both "r" and "w"
Primary Application
DataBee Web Application Permissions
Features | Analyst | Data Engineer | Administrator |
---|---|---|---|
DataBee Web Application Login | r/w | r/w | r/w |
Configuration | | | r/w |
Notifications | r | r | r/w |
User Account Preferences | r/w | r/w | r/w |
Manage/Lock User Accounts | | | r/w |
Searches | r/w | r/w | r/w |
Data Feeds | r | r/w | r/w |
Dashboards | r/w | r/w | r/w |
User Manual/API Docs | r | r | r |
Single Sign-On
DataBee user accounts can be administered in two ways: local or domain. Security best practice is for customers to use domain accounts and maintain a single local account in case of emergency (some customers may elect to have no local accounts and rely on DataBee Support for enabling emergency access).
Domain account management, also known as Single Sign-On (SSO), allows customers to leverage an identity and access management (IAM) system, such as Azure Active Directory, to store and manage user accounts centrally for an entire organization. User accounts are created, and credentials managed, through the IAM solution instead of DataBee. This includes the use of multifactor authentication (MFA), which is orchestrated by the tenant's IAM solution. Domain users are placed into one or more groups, and those groups are assigned to DataBee roles (see Role-based Access Controls). Interactions with the IAM system are performed over the Security Assertion Markup Language (SAML) protocol. To enable the SAML integration, configure SSO in the Access Management configuration section of DataBee.
Navigate to the top right corner of the DataBee portal and click on the configuration icon. Select Access Management from the dropdown menu that appears, and then click on Single Sign-On (SSO). The "Single Sign-On (SSO)" page will be displayed where you can view the SSO connections configured.
Click on the Add Connection button to add a new SSO connection. In the Add Connection dialog box that appears, enter the SSO connection details.
Details
- Name: a name to identify this SSO connection
- Button Text: the text to be displayed in the login button
Role Mapping
- Administrator Group: select and add the domain groups you wish to map to your administrator group
- Analyst Group: select and add the domain groups you wish to map to your analyst group
- Data Engineer Group: select and add the domain groups you wish to map to your data engineer group
Identity Management
- Identity Provider: select the Identity Provider from the dropdown menu
- SAML IDP Metadata: upload the required SAML IDP metadata file by clicking the Attach File button to add the file from your system
Attribute Mapping
You may map the email, family_name, given_name, middle_name, and preferred_username to your domain's name for these fields as defined in your SAML IDP metadata file. Click on the Add Attribute button to browse and add attributes to the mapping.
After entering all the details, click on the Establish Connection button to initiate the SSO connection.
The provisioning of the SAML identity provider will differ depending on your specific configuration. For Azure Active Directory (AzureAD) the general workflow is:
Create an Enterprise Application with the following configuration:
- Enable user sign-in
- Assignment required
- Reply URL (provided by DataBee customer support)
Configure Single sign-on:
- Basic SAML Configuration:
  - Identifier (Entity ID): provided by DataBee customer support
  - Reply URL (Assertion Consumer Service URL): provided by DataBee customer support
- Attributes & Claims:
AzureAD Enterprise Application SAML Configuration
Claim Name | Value |
---|---|
Unique User Identifier (Name ID) | user.mail [nameid-format:emailAddress] |
givenName | user.givenname |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | user.groups [SecurityGroup] |
user.mail | |
role | user.assignedroles |
surname | user.surname |
After the Enterprise Application is created, download the Federation Metadata XML file. This file will be uploaded when configuring SSO in DataBee. Click Users and groups, then click Add user/group. Create groups for each of the roles listed in the 'Primary Application' section above. The names don't have to match exactly. For each group, click Members, then Add members to assign users to groups.
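As an added example of what the claim configuration above produces on the wire, and not code from DataBee or Microsoft, the snippet below extracts from a SAML assertion the attributes that the Attribute Mapping and Role Mapping sections consume: the email-format Name ID, givenName, surname, and the group values carried in the `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` claim. The assertion is a constructed, unsigned fragment; the group names and the group-to-role mapping are assumptions. Signature, audience, issuer and validity-window checks are the job of a SAML library and are deliberately outside this snippet, which only shows the attribute-extraction step that follows them.

```python
"""Extract SSO-relevant attributes from a SAML 2.0 assertion.

Added example, not DataBee's or Microsoft's code. SAMPLE_ASSERTION is a
constructed, unsigned fragment using the claim names from the AzureAD table
above; a real assertion must be signature- and audience-verified by a SAML
library before any attribute in it is trusted.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed group -> DataBee role mapping (assumed names, not real groups).
# Note: by default AzureAD emits group object IDs rather than display names
# in the group claim; readable names are used here purely for illustration.
GROUP_TO_ROLE = {
    "sg-databee-admins": "Administrator",
    "sg-databee-data-eng": "Data Engineer",
    "sg-soc-analysts": "Analyst",
}
ROLE_RANK = {"Analyst": 0, "Data Engineer": 1, "Administrator": 2}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>sg-soc-analysts</saml:AttributeValue>
      <saml:AttributeValue>sg-databee-data-eng</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml: str) -> dict:
    """Return the DataBee-side profile fields carried by an assertion.

    Raises ValueError when the Name ID is missing or is not in email format,
    since DataBee's claim table expects user.mail as the Name ID.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError(f"NameID format {name_id.get('Format')!r} is not emailAddress")

    # Collect every attribute as a list of values; the role claim is multi-valued.
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values

    def first(name):
        return attrs.get(name, [""])[0] if attrs.get(name) else ""

    return {
        "email": name_id.text.strip(),
        "given_name": first("givenName"),
        "family_name": first("surname"),
        "groups": attrs.get(ROLE_CLAIM, []),  # empty when the claim was not configured
    }


def databee_role(groups, mapping=GROUP_TO_ROLE):
    """Highest mapped DataBee role for the groups, or None if none is mapped."""
    roles = [mapping[g] for g in groups if g in mapping]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


if __name__ == "__main__":
    profile = extract_profile(SAMPLE_ASSERTION)
    print(profile)
    print("resolved role:", databee_role(profile["groups"]))
```

A missing or unconfigured role claim yields an empty `groups` list and therefore no role, which is the safe outcome: a user whose groups are not mapped should be denied rather than silently dropped into a default role. Likewise, rejecting a Name ID that is not in email format catches the common misconfiguration where the Azure application still emits the default persistent identifier instead of `user.mail`.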