Security Policy Pane - Version 8.1.5 and Above

The Security Policy pane allows ControlUp users within the same organization to delegate administrative tasks by configuring a security policy. The Security Policy is a collection of settings that determine which actions can be performed by each ControlUp role.

These security settings are assigned per role and may also be assigned differently for every folder in the organization tree, which enables segmenting your environment into distinct areas of responsibility.

The Security Policy Pane is accessible by clicking on the Security Policy tab at the bottom of the Real-Time Console.
[Screenshot: accessing the Security Policy pane from the Real-Time Console]

Default Permissions

By default, Local Admins are granted permission to perform all management actions available in ControlUp. This means that before a ControlUp user can perform a management action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed computer. If this validation fails, the management action is not completed.

Organization members are allowed to perform organization-wide actions but not management actions. For example, they can see the folder tree, create or modify folders, add or remove computers, and connect to computers to see their performance information; however, they cannot perform any actions on the managed computers.

Configure Custom Roles and Restrict Actions

You can create custom roles for different teams or individuals on your network using the Manage Roles window. Active Directory users and groups from any domain or forest configured in ControlUp may be members of these custom groups.

Note

As a security precaution, you cannot modify the Security Policy if you have been disconnected from the Central Configuration Store for more than 24 hours. Should you wish to limit your organization's maximum offline period even further, contact support@controlup.com.

Organization Ownership and User Roles

Each ControlUp Organization has a designated owner record, which initially contains the identity of the user who first created the Organization. The Organization Owner is a Windows user or group account that has the permanent ability to change permissions. Regardless of the changes to the Security Policy, the Organization Owner can always reset the Security Policy to the default settings.

You can view the current owner of your organization by clicking the Manage Roles button in the Home ribbon of the Security Policy pane:
[Screenshot: current Organization Owner shown in the Manage Roles window]

Upon initial configuration of the ControlUp Security Policy, it is recommended to configure a restricted Active Directory group with more than one user as the Organization Owner. This enables you to reset the Security Policy to factory settings even if the user who originally created the Organization can no longer be contacted.

ControlUp evaluates administrative permissions according to your currently logged-on Windows account. Every ControlUp organization contains a list of roles that determine the permitted actions for each role member. Every ControlUp role must include at least one Windows user or security group. By default, the Security Policy includes the following user roles:

User Role – Description / Permissions
Local Admins – Windows users with local administrative permissions on the managed machines.
Organization Members – All authenticated ControlUp users in your organization.
ControlUp Monitors – Role has no preset permissions.
Automation Admins – Role has only the Create Automated Actions permission.
Helpdesk – Role has preset connection, credentials, and viewing related action permissions.
ControlUp Admins – Role has preset permissions for all Management Actions.

These default roles cannot be deleted, nor can their membership be modified using ControlUp; however, each role can be granted some or all of the Management Actions, depending on the type of role.

The Security Policy pane features a permissions grid, which contains a column for every role and a row for every management action. Each management action includes a number of action elements, which can have permissions granted for them individually. Click the + next to a Management Action to display its action elements.
[Screenshot: overview of the Security Policy pane and its permissions grid]

You can create new roles in the Roles Manager, a built-in permission initially granted to the organization's owner. Upon initial configuration of the ControlUp Security Policy, we recommend configuring a restricted Active Directory group as a role manager.

To create a custom ControlUp role:

  1. Click Manage Roles on the Home ribbon in the Security Policy pane. The Security Settings popup appears.
    [Screenshot: Manage Roles button and Security Settings popup]

  2. Click Add New Role. The Add New Role popup appears.

    Note

    You must be logged in as a Roles Manager. If not, the button is grayed out and not clickable.

  3. Enter a name in the Role Name text box and click Add Users/Groups. The Account Browse popup appears.
    [Screenshot: selecting Active Directory accounts for the new custom role]

  4. Select the appropriate users or groups from the available Active Directory domains and click OK. You are returned to the Add New Role popup with the selected users and groups.
    [Screenshot: Add New Role popup with the selected accounts]

Note

By default, ControlUp only displays group accounts in the search box. In order to display individual user accounts, select the Users and groups radio button.

  5. Click OK. You are returned to the Security Settings popup.
  6. Click Apply. The new role is created and shown in the Security Policy pane.

Permissions for Management Actions

The rows in the permissions grid correspond to management actions. For more details regarding particular permissions, refer to the Action Permissions section below.

Every ControlUp user may be either allowed or denied access to a management action, depending on their role membership and the location of the managed resource in the organization tree. Every cell in the permissions grid may be in one of the following states:

Allow – users in the current role are allowed to run the action unless they are also members of another role that is configured with a Deny set.
Not Set (or blank) – users in the current role are not allowed to run the action unless permitted by another role.
Deny – users in the current role are never allowed to run the action.
N/A – the action does not apply to the role. This cannot be changed.

For example, by default, a member of the Local Admins is allowed to perform all computer actions on all machines in the organization. This permission is granted since the Local Admins role has an Allow permission on all computer actions for the root folder, and all subfolders inherit this permission.

Important

Once the changes have been made, you MUST click Apply on the Home ribbon of the Security Policy pane to submit your changes to the Central Configuration Store. Until this button is clicked, any changes to the Security Policy are not applied.

Security Policy Inheritance

When a ControlUp organization is first created, the default Security Policy is configured on the root folder of the organization, which bears the organization’s name.

Configuring Security Policy for Subfolders

By default, all of the subfolders under the root folder in your organization tree inherit their Security Policy from the root folder. A marked Inherit checkbox near each permission in the grid signifies this. If you would like the Security Policy of a subfolder to be different from its parent folder, you must uncheck this checkbox for the selected permission row.

Once the Inherit checkbox is unchecked, a blue exclamation point icon appears on the folder, indicating that part of its Security Policy is no longer inherited from the parent folder:
[Screenshot: Inherit checkbox unchecked for a subfolder, with the exclamation point icon on the folder]

In the above example, the Enable Maintenance Mode management action for the "Hypervisors" folder is not inherited from its parent folder, hence the blue exclamation point icon on the folder in the organization tree.

Granting Permissions

To grant ControlUp user permissions for management actions, you need the following details:

  1. Folder name. The name of a folder in the organization tree containing the resources for which you would like to grant permission. Select the root folder if you would like to grant permissions on machines in the entire organization; otherwise select a subfolder (e.g. Workstations).

    Note

    You may also grant permissions on individual machines by selecting them in the organization tree. However, for manageability reasons, it is recommended that you grant permissions on folders only.

  2. Role name. The name of a built-in or custom role to which the user belongs, for example Help Desk Users.

  3. Action name. The name of the management action which you would like to permit (e.g. Refresh Machine Policy). You can also grant permissions on an entire action group (e.g. Run Computer Actions).
    [Screenshot: folder, role and action elements in the Security Policy pane]

Once you have obtained the details above, click the desired folder in the organization tree on the left and locate the row in the grid whose name matches the desired action.

If the Inherit checkbox for that row is selected, deselect it. Then click the cell in that row under the desired Role name in the column header and select Allow from the drop-down list.

Click Apply on the Home ribbon to save the changes. As a result of the operations in the example above, members of the Helpdesk role have the ability to run the Refresh Group Policy action on machines located in the Workstations folder.

Note

As with standard Windows permissions, Deny permissions always override Allow permissions. This means that any Allow permission applies only if the affected user is not a member of any other role which has a Deny permission entry in the same row.

Denying Permissions

ControlUp's Security Policy includes two approaches to preventing users from running management actions:

  1. Implicit Deny. Not granting permissions in the first place, or setting the permission to Not Set.

  2. Explicit Deny. Setting the permission to Deny.

The difference between these two methods is that Explicit Deny overrides any other permission: the affected users are always denied access to the action, even if they are members of additional roles that allow access to the same action. Implicit Deny (or Not Set) means that users are not allowed to run the management action unless permitted by another role of which they are also a member.

Note

It is considered best practice to use the Explicit Deny approach only if you need to configure an exception for an existing rule.

For example, to enable all Local Admins to restart workstations, except for Helpdesk users, an Explicit Deny is recommended.

However, to ban Local Admins from restarting machines, it is recommended to use an Implicit Deny (Not Set) permission.
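The evaluation rules described in this and the preceding sections (Allow, Not Set and Deny per role and folder, rows inherited from the parent folder until Inherit is unchecked, and a Deny in any of the user's roles overriding an Allow in another) modelled in Python. This is an added example, not ControlUp code; the folder names, role names and policy rows are constructed here to mirror the scenarios in the text.

```python
"""Model of the Security Policy evaluation rules described on this page.

Added illustration, not ControlUp code: folder tree, roles, actions and
policy rows are constructed here to mirror the text (Allow / Not Set / Deny
per role, action and folder; Inherit from the parent folder; Deny in any of
the user's roles overrides Allow in another).
"""
from enum import Enum


class Perm(Enum):
    ALLOW = "Allow"
    NOT_SET = "Not Set"
    DENY = "Deny"


# Constructed organization tree, child -> parent (the root has no parent).
TREE = {
    "Contoso": None,
    "Workstations": "Contoso",
    "Servers": "Contoso",
    "Servers\\Hypervisors": "Servers",
}


class Policy:
    def __init__(self, tree):
        self.tree = tree
        # (folder, action) -> {role: Perm}. A missing key means the row's
        # Inherit checkbox is ticked, so the parent folder's row applies.
        self.rows = {}

    def set_row(self, folder, action, perms):
        """Untick Inherit for this row and define its cells explicitly."""
        self.rows[(folder, action)] = dict(perms)

    def reset_inheritance(self, folder, action):
        """Re-tick Inherit: drop the row so the parent's row applies again."""
        self.rows.pop((folder, action), None)

    def effective_row(self, folder, action):
        """Walk up the tree to the nearest folder that defines this row.

        Returns (cells, defining_folder); ({}, None) when no folder up to the
        root sets anything, which is an implicit deny for everyone.
        """
        while folder is not None:
            if (folder, action) in self.rows:
                return self.rows[(folder, action)], folder
            folder = self.tree[folder]
        return {}, None

    def is_allowed(self, user_roles, folder, action):
        """Allow wins only if no role the user holds carries an explicit Deny."""
        cells, _ = self.effective_row(folder, action)
        perms = {cells.get(role, Perm.NOT_SET) for role in user_roles}
        if Perm.DENY in perms:
            return False            # explicit Deny beats every Allow
        return Perm.ALLOW in perms  # Not Set alone is an implicit deny


def build_example_policy():
    """Scenarios from the page, expressed as constructed policy rows."""
    p = Policy(TREE)
    # Default: Local Admins have Allow on machine actions at the root folder,
    # and every subfolder inherits that row.
    p.set_row("Contoso", "Reboot", {"Local Admins": Perm.ALLOW})
    p.set_row("Contoso", "Refresh Machine Policy", {"Local Admins": Perm.ALLOW})
    # Granting Permissions walkthrough: Helpdesk may refresh policy on
    # Workstations only (Inherit unticked there, Allow added for that role).
    p.set_row("Workstations", "Refresh Machine Policy",
              {"Local Admins": Perm.ALLOW, "Helpdesk": Perm.ALLOW})
    # Exception to an existing rule: Local Admins may reboot workstations,
    # except members of Helpdesk -> Explicit Deny.
    p.set_row("Workstations", "Reboot",
              {"Local Admins": Perm.ALLOW, "Helpdesk": Perm.DENY})
    # Outright ban on rebooting hypervisors -> Implicit Deny (Not Set).
    p.set_row("Servers\\Hypervisors", "Reboot", {"Local Admins": Perm.NOT_SET})
    return p
```

A user who is both a Local Admin and a Helpdesk member is denied Reboot on Workstations but still allowed on Servers, because the Deny cell exists only in the Workstations row and Servers inherits the root row.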

Resetting Inheritance

There are several methods of restoring the default Security Policy in ControlUp, depending on your needs:

  • If there’s a single permission entry currently set on a folder and you would like to reset this permission to inherit its parent folder settings, check the Inherit checkbox next to that permission and click Apply on the Home ribbon.
  • If you have a folder with a complete Security Policy that you would like to extend to all its subfolders, select this folder and click Reset Inheritance on the Home ribbon, and then click Apply on the Home ribbon. You will need an Allow setting in the Change Permissions row for the selected folder in order to be able to perform this action.
  • If your entire Security Policy is misconfigured and you would like to reset it to factory defaults, click Reset Defaults on the Home ribbon. Note that this operation will also remove any custom user roles you have created. In order to be able to perform this operation, your user account must be the Organization’s Owner OR a Roles Manager with sufficient permissions to change permissions on the root folder.

Action Permissions

This section describes all the permissions configurable in ControlUp.

Perform Organization-wide Actions

These actions are performed on objects in the ControlUp organization tree only, without affecting managed resources such as machines or user sessions. They can also be referred to as 'tree actions' since they are executed using the ControlUp Real-Time Console and include the ability to add or remove machines, create and arrange folders, and change permissions.

Management Action – Functionality
Change Permissions – Modify the access and management permissions for users in your environment. As a security precaution, the Organization's Owner/s can always change the permissions.
Change Settings – Modify the following settings: Presets, Agent, AD Connections, Schedule, Virtual Expert, and Audit Log settings.
ControlUp Insights - manage access settings – Modify the restrictions applied to user email suffixes and source IPs when connecting to ControlUp Insights. Automatically includes rights granted by the "Manage user permissions for ControlUp Insights" action.
ControlUp Insights - manage user permissions – Manage individual user permissions for accessing ControlUp Insights, including inviting new users and modifying existing access permissions.
Manage data upload settings – Modify data upload and incident reporting settings on the Data Upload tab of the Settings window.
Use Solve – Launch and use the Solve interface for this organization.
Manage Solve – Modify Solve settings of this organization.
Edit Stress Settings – Modify who is able to edit the Stress Settings.
Manage Branch mapping settings – Configure the lookup table of client IP addresses to branch office names in the Settings window.
Configure Incident Triggers – Configure Incident Triggers.
Create Automated Actions – Create Automated Actions.
Add Machine – Add a managed machine to the organizational tree view.
Add Folder – Add a folder in the organizational tree view to arrange similar machines.
Change Folder Description – Change the description for a folder.
Remove Machine – Remove a managed machine from the organizational tree.
Remove Folder – Remove a folder in the organizational tree view.
Rename Folder – Rename a machine folder in the organizational tree view.
Run shared Script Actions – Run shared Script Actions.
Run draft Script Actions – Run Script Actions that are in draft mode.
Download and share Script Actions – Download and share Script Actions.
Manage Script Actions – Manage Script Actions.
View Folder – View a folder in the organizational tree view.
Launch Controllers – Work in the Controllers pane. This permission is only configurable on the root folder.
View Incidents – View the Incidents pane.
View Events – View the Events pane.
View All Hypervisors – View all hypervisor related objects (VMs, Hosts and hypervisor connections) in this organization.
Manage All Hypervisors – Create, edit and delete hypervisor connections in this organization.
Manage All Cloud Connections – Create, edit and delete cloud connections in this organization.
Manage All EUC Environments – Create, edit and delete EUC Environments connections in this organization.
Manage All NetScaler Appliances – Create, edit and delete NetScaler connections in this organization.
Manage All Linux Data Collectors – Specifies who can manage all LDCs. Only users with this permission can create/edit/remove LDC objects.
Manage application load time settings – Configure the parameters the ControlUp Agent uses when measuring application load times.
Manage Monitor – Perform management tasks for ControlUp Monitors.
Manage application title settings – Configure the parameters the ControlUp Agent uses to monitor the title of active windows.
Manage browser URL settings – Configure the parameters the ControlUp Agent uses to monitor URLs of browser processes.
Connect to Data Source – Collect data from an external data source, such as a hypervisor, XenDesktop site, public cloud or NetScaler appliance.
Manage Shared Credentials – Create, edit and delete Shared Credentials in this organization.
Use Shared Credentials – Connect to an organizational tree view connection with Shared Credentials (can be granted only for non-builtin roles).

Run Host Actions

Management Action – Functionality
Enable Maintenance Mode – Enter a certain host into Maintenance Mode.
Disable Maintenance Mode – Change the state of a certain host out of Maintenance Mode.

Run Machine Actions

These actions are performed on the managed machines via the ControlUp Agent. Actions that have an asterisk after the action name are dependent on your currently logged-on Windows user’s rights because they use RPC to access the remote machines.

Management Action – Functionality
Connect to Windows Machine – Connect to Windows Machine.
Connect to Linux Machine – Connect to Linux Machine.
Change Machine Description – Change the description for a machine.
Event Viewer On Remote Machine – Opens the event viewer of the remote machine. This action requires RPC access and valid administrative credentials on the target machine(s).
RDP to Machine – RDP to machine.
Enable Remote Assistance in Group Policy – Removes the unsolicited remote assistance restriction on the target machine.
Flush DNS – Flush DNS on the selected machine.
Install Remote Assistance Feature – Install Remote Assistance Feature.

ControlUp Agent Management

These actions define how the user role can interact with the ControlUp Agent. All actions require RPC access and valid administrative credentials on the target machines.

Management Action – Functionality
Start Remote Agent – Starts the remote agent on the selected machine.
Stop Remote Agent – Stops the remote agent on the selected machine.
Restart Remote Agent – Restarts the remote agent on the selected machine.
Remove Remote Agent – Removes the remote agent from the selected machine.
Upgrade/Install Remote Agent – Upgrades the remote agent on the selected machine.
Listening Port Remote Agent – Set the listening port for the remote agent on the selected machine.
Deploy .NET Framework – Deploy .NET Framework on machines.

VM Power Management

Management Action – Functionality
Shutdown Guest – Gracefully shuts down the virtual machine.
Force Power off VM – Forcefully powers off the virtual machine.
Restart Guest – Gracefully restarts the virtual machine.
Force Reset VM – Forcefully resets the virtual machine.
Power On VM – Powers on the virtual machine on the hypervisor infrastructure.

File System

Management Action – Functionality
Manage File System – Opens the File System Controller Form.
Monitor File System – View, analyze and compare file system objects.

Group Policy

Management Action – Functionality
Refresh Machine Policy – Refreshes the machine group policy using the command 'gpupdate.exe /target:Computer'.

Installed Software

Management Action – Functionality
Display Installed Software – Display information about currently installed programs.
Display Installed Updates – Display information about currently installed updates.

Processes

Management Action – Functionality
Start Process As User – Starts a new process on the target machine, with the supplied credentials or with the remote agent credentials.
Enable Process Execution – Enables process execution.
Disable Process Execution – Disables process execution.

Power Management

Management Action – Functionality
Shutdown – Shut down the selected machine.
Reboot – Restart the selected machine.
Wake-On-LAN – Send a Wake On LAN magic packet to wake up the machine.

Registry

Management Action – Functionality
Import Registry User – Imports a registry key from a file. Type a file name or browse for a registry file to import.
Modify User Registry – Performs registry actions on sessions.
Monitor User Registry – Analyze and compare registry settings on sessions in this container.

Services

Management Action – Functionality
Manage Services – Opens the Services Controller Form and adds the selected machines.
Monitor Services – Analyze and compare system services settings on machines in this container.

Citrix Virtual Apps and Desktops

Management Action – Functionality
Enable Maintenance Mode – Enter a certain host into Maintenance Mode.
Disable Maintenance Mode – Change the state of a certain host out of Maintenance Mode.

VMware Horizon

Management Action – Functionality
Enable Maintenance Mode – Mark the machine for maintenance. This operation puts the current machine into maintenance mode and applies only to managed machines which do not belong to Instant Clone Engine desktops.
Disable Maintenance Mode – Mark the machine out of maintenance. This operation takes the current machine out of maintenance mode and applies only to managed machines which do not belong to Instant Clone Engine desktops.
Restart Horizon Machine – Restart the machine. This applies only to managed machines.
Recover Machine – Mark the machine for recovery (this operation applies only to machines belonging to Instant Clone Engine desktops). The machine being recovered must not have any active user session, otherwise this operation fails.
Enable Connection Server – Enable VMware Horizon Connection Server.
Disable Connection Server – Disable VMware Horizon Connection Server.
Enable RDS Server – Enable VMware Horizon RDS Server.
Disable RDS Server – Disable VMware Horizon RDS Server.

Azure Cloud

Management Action – Functionality
Reboot – Restart a certain Azure Machine.
Start – Start a certain Azure Machine.
Stop – Power off a certain Azure Machine.
Reapply Azure Machine State – Reapply a certain Azure Machine.
Deallocate Azure Machine (from 8.6.5) – Stop and Deallocate Azure Machine.

Script Actions

In this category, you see all installed Script Actions in your environment. Here you can define which user role can execute a certain script.

Agent-based Actions

The rest of the Computer Actions are performed using the ControlUp Agent on the managed machines. A user that was granted access to agent-based actions is permitted to instruct the ControlUp Agent on the managed machines to perform these actions. The ControlUp Agent on a managed machine will use its Local System account to perform the action unless otherwise specified. For example, when using the “Processes > Run as…” action, the ControlUp user can execute any process accessible by the Local System account. As a side effect, you cannot run processes from the network unless you specify valid credentials since Local System cannot access network locations.
For a full list of agent-based actions, refer to the My Organization Pane article.

Run Session Actions

Actions in this group are invoked using the Sessions view and performed on the managed machines using the ControlUp Agent.
A user who is granted access to these actions can execute them only on user sessions hosted on managed machines affected by the Security Policy you are currently editing. Note the caption on top of the permissions grid that reads “Security Policy for …”
For more information regarding these actions, refer to the My Organization Pane article.

Management Action – Functionality
Chat – Starts a chat.
Establish a Remote Assistance Session – Initiates a remote control session. For RDP sessions, generates an RAInvitation file and sends it back to the console.
RDP to machine – Switches to Remote Desktop view and establishes an RDP connection.
Shadow – Starts an additional session on the target machine that controls the selected session using the 'Shadow' tool.

Get Session Screenshot

Management Action – Functionality
Without notifying the user – Retrieves the active user session desktop screenshot without a user notification.
With user notification – Retrieves the active user session desktop screenshot with a user notification.
With user approval – Retrieves the active user session desktop screenshot, but asks for the user's approval.

Group Policy

Management Action – Functionality
Remove Group Policy – Removes explorer Group Policy on the selected session.
Refresh Machine Policy – Refreshes the machine group policy using the command 'gpupdate.exe /target:Computer'.
Refresh User Policy – Refreshes the user group policy using the command 'gpupdate.exe /target:user'.

Installed Software

Management Action – Functionality
Display Installed Software – Display information about currently installed programs.
Display Installed Updates – Display information about currently installed updates.

Processes

Management Action – Functionality
Run Process – Execute processes on the managed machine.

Registry

Management Action – Functionality
Import Registry User – Imports a registry key from a file. Type a file name or browse for a registry file to import.
Modify User Registry – Performs registry actions on sessions.
Monitor User Registry – Analyze and compare registry settings on sessions in this container.

Remote Desktop Services

Management Action – Functionality
Log Off Session – Logs off a user session without notifying the user. If the selected target is an Account, all of that account's sessions in the selected folders are logged off.
Disconnect Session – Disconnects a user session without notifying the user. If the selected target is an Account, all of that account's sessions in the selected folders are disconnected.
Send Message – Sends a message to the selected sessions.
Send Super Message – Sends a rich text message to the selected sessions, including graphics, text formatting and the ability to gain feedback from the user.

VMware Horizon

Management Action – Functionality
Log Off Session – Logs off a session.
Log Off Session Forcibly – Logs off a session forcibly. This operation will also log off a locked session.
Disconnect Session – Disconnects a session.

Run Folder Actions

Citrix Virtual Apps and Desktops

Management Action – Functionality
Enable Maintenance Mode – Enter a certain CVAD delivery group into Maintenance Mode.
Disable Maintenance Mode – Change the state of a certain CVAD delivery group out of Maintenance Mode.
Enable CVAD delivery group – Enable CVAD delivery group.
Disable CVAD delivery group – Disable CVAD delivery group.

VMware Horizon

Management Action – Functionality
Enable Horizon Pool/Farm – Enable VMware Horizon Pool/Farm.
Disable Horizon Pool/Farm – Disable VMware Horizon Pool/Farm.
Enable Horizon Pool/Farm provisioning – Enable VMware Horizon Pool/Farm provisioning.
Disable VMware Horizon Pool/Farm provisioning – Disable Horizon Pool/Farm provisioning.

Run Processes Actions

Actions in this group act upon processes on managed machines and are executed using the ControlUp Agent.
A user granted access to these actions can execute them only on processes running on managed machines affected by the Security Policy you are currently editing. Note the caption on top of the permissions grid that reads “Security Policy for …”
For more information regarding these actions, refer to the My Organization Pane article.

Management Action – Functionality
Kill Process – Terminates the selected process.
Set Process Priority – Set Process Priority.
End Process – Terminates the selected process gracefully.
Pskill Process – Terminates the selected process.
Set Process Affinity – Set Process Affinity.

CPU Throttling

Management Action – Functionality
Start CPU Throttling – Set a limit for the CPU consumption of the selected process/es.
Stop CPU Throttling – Remove the set limit for the CPU consumption of the selected process/es.

Run Application Actions

Citrix Virtual Apps and Desktops

Management Action – Functionality
Enable Published Application – Enable Published Application.
Disable Published Application – Disable Published Application.

VMware Horizon

Management Action – Functionality
Enable Horizon Application Pool – Enable VMware Horizon Application Pool.
Disable Horizon Application Pool – Disable VMware Horizon Application Pool.
