After creating a user or group, you can assign it a role. Roles determine the level of access to Twistlock’s data and settings.
Twistlock supports two types of users and groups:
Centrally managed users and groups, defined in your organization’s directory service. With directory services such as Active Directory, OpenLDAP, and SAML providers, you can re-use the identities set up in these systems.
Twistlock users and groups, created and managed from Console.
For centrally managed users groups, roles can be assigned after you integrate your directory service with Twistlock. Roles can be assigned to individual users or to groups. When you assign a role to a group, all members of the group inherit the role. Managing role assignments at the group level is considered a best practice. Groups provide an easier way to manage a large user base, and simpler foundation for building your access control policies.
For Twistlock users and groups, roles are assigned at the user level when the user is created. When you create a Twistlock group, you add Twistlock users to it. Users in this type of group always retain the role they were assigned when they were created.
If you do not have a directory service, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), Twistlock lets you create and manage your own users and groups. When you create a Twistlock user, you can assign it a role, which determines its level of access.
To create a user and assign it a role:
Open Console, and log in with your admin credentials.
Go to Manage > Authentication > Users.
Click Add user.
Enter a username.
Enter a password.
Assign a role.
Click Save.
Collecting users into groups makes it easier to manage your access control rules.
Each user in the group retains his own role to prevent erroneous privilege escalation. |
To create a Twistlock group and add users to it:
Open Console and log in with your admin credentials.
Go to Manage > Authentication > Groups.
Click Add group.
Enter a name for your group.
In the drop down list, select a user.
Click +.
Repeat steps b to c until your group contains all the members you want.
Click *Save:
By default, AD/OpenLDAP/SAML users have user-level access to Console. You can grant a user a different access level by assigning him a role.
If a user is a part of an AD, OpenLDAP, or SAML group, and you have assigned a role to the group, the user inherits the group’s role. |
You have integrated Twistlock with Active Directory, OpenLDAP, or SAML.
Open Console.
Log in with your admin credentials.
Go to Manage > Authentication > Users.
Click Add user.
Enter the username for the user whose role you want to set. For example, if you have integrated Twistlock with Active Directory, enter a UPN.
In the Role drop-down menu, select a role.
Click Save.
You can assign an AD/OpenLDAP/SAML group a role. Members of the group inherit the group’s role. When a user from a group tries to access a resource protected by Twistlock, Twistlock resolves the member’s role on the fly.
If a user is assigned multiple roles, either directly or through group inheritance, then he is granted the rights of the highest role. For example, assume Bruce is part of GroupA and GroupB in Active Directory. In Console, you assign the Administrator role to GroupA and the Auditor role to GroupB. When Bruce logs into Twistlock, he will have Administrator rights. |
The following procedure shows you how to assign a role to an existing AD/OpenLDAP/SAML group:
You have integrated Twistlock with Active Directory, OpenLDAP, or SAML.
Open Console, and log in with your admin credentials.
Go to Manage > Authentication > Groups.
Click Add group.
Specify the name of the group. It should match the group name specified in your directory service.
Check LDAP group.
Select a role.
Click Save.