Assigning Access Roles to Users or Groups

Archer allows you to create one or more access roles. Each access role is mapped to a list of permissions that grant the user rights to perform certain tasks and to create, read, update, and/or delete Archer entities. It is recommended that you limit privilege abuse and conflicts of interest by configuring access roles that provide separation of duties.

Immediately after installation, it is recommended that you configure access roles as follows:

  • Create a new access role with no rights and make it the default role. Grant additional roles to users as needed for appropriate access in Archer.
  • Create read-only roles that can be used by an auditor. It is recommended that these roles only have permissions to view reports, configurations, and logs.
  • Create a new Security Administrator role that has full rights to Access Control. Grant the Security Administrator role access rights to manage roles.
  • Configure access roles to grant non-administrative users only the rights they need for each task based on their role in the organization. You can grant multiple access roles to each user. It is recommended that these roles do not have permission to view or modify security configuration.

It is recommended that you review users’ task permissions on a routine basis to ensure that each user is granted the correct task permissions.

Access roles are cumulative. They can be assigned to users and to groups, and a user can have more than one access role.

For example, one access role grants create, read, and update privileges in the Policies applications and another access role grants only delete privileges. A user who is assigned both access roles has create, read, update, and delete (CRUD) privileges in the Policies applications.

Role Assignment by Group or User

Archer allows access roles to be assigned to users through group membership or directly to user accounts. It is recommended that you assign permissions through group membership and not directly through user accounts.

You can assign access roles to users in either of the following ways.

Assign an access role to a user

  1. Click the Roles tab.
  2. Click Lookup.
  3. In the Available list, expand the Roles tree, and click the access role to assign.

    Note: To search for a specific role, enter the role name in the Find field and, if applicable, select the type from the adjacent list. Click . The results of your search appear in the Available list in the Search Results node.

  4. Click OK.
  5. Click Save or Save and Close.

    • To apply the changes and continue working, click Save.
    • To save and exit, click Save and Close.

Assign an access role to a user group

The group that you are assigning to the access role must exist.

If you associate a user group with an access role and the group contains subgroups, the subgroups are not automatically associated with the access role. To associate subgroups with an access role, you must also select the subgroups.

  1. In the Group Assignments section, click Assign to Group.
  2. From the Available list, expand Groups, and select the group or groups to which you want to assign the access role. You can also use the Search field to search for a specific group.
  3. Click Save or Save and Close.

    • To apply the changes and continue working, click Save.
    • To save and exit, click Save and Close.
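
An added example, not Archer's own code or API: a review aid that models the behavior described above, where access roles are cumulative, reach users directly or through groups, and are not inherited by subgroups. The role, group, and user names and the data layout are constructed assumptions, and treating an auditor who also holds Access Control rights as a finding is this example's own separation-of-duties rule.

```python
# Constructed sample data: names and structure are illustrative assumptions,
# not an Archer export format or API.
ROLE_PERMS = {
    "Policies Editor": {("Policies", a) for a in ("create", "read", "update")},
    "Policies Purger": {("Policies", "delete")},
    "Auditor": {("Reports", "read"), ("Logs", "read")},
    "Security Administrator": {("Access Control", "update")},
}
GROUP_ROLES = {"Compliance": {"Policies Editor"}, "Audit": {"Auditor"}}
SUBGROUPS = {"Compliance": {"Compliance-EMEA"}}  # subgroup has no role of its own
GROUP_MEMBERS = {"Compliance": {"alice"}, "Compliance-EMEA": {"bob"}, "Audit": {"carol"}}
DIRECT_ROLES = {"alice": {"Policies Purger"}, "carol": {"Security Administrator"}}

def roles_for(user):
    """Map each role the user holds to its source. A role assigned to a
    parent group is not inherited by members of its subgroups."""
    found = {role: "direct" for role in DIRECT_ROLES.get(user, ())}
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role in GROUP_ROLES.get(group, ()):
                found.setdefault(role, "group:" + group)
    return found

def effective_permissions(user):
    """Roles are cumulative: the result is the union over all held roles."""
    return set().union(*(ROLE_PERMS[r] for r in roles_for(user)))

def subgroup_gaps():
    """(parent, subgroup, role) where the subgroup lacks a parent's role."""
    return sorted((p, s, r) for p, subs in SUBGROUPS.items() for s in subs
                  for r in GROUP_ROLES.get(p, set()) - GROUP_ROLES.get(s, set()))

def review(user):
    """Findings for a routine permission review of one user."""
    roles, perms = roles_for(user), effective_permissions(user)
    findings = ["direct assignment: " + r
                for r, src in sorted(roles.items()) if src == "direct"]
    if {a for app, a in perms if app == "Policies"} == {"create", "read", "update", "delete"}:
        findings.append("full CRUD on Policies from combined roles")
    if "Auditor" in roles and any(app == "Access Control" for app, _ in perms):
        findings.append("Auditor combined with Access Control rights")
    return findings

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(roles_for(user)), review(user))
    print("subgroup gaps:", subgroup_gaps())
```
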

Unassign an access role from a user account

You can remove only roles for which the Assignment Method is set to Manual.

  1. Click the Roles tab.
  2. From the Selected list, click to remove the applicable access role from the user.
  3. Click Save or Save and Close.

    • To apply the changes and continue working, click Save.
    • To save and exit, click Save and Close.