The Security Policy pane is a user interface which allows ControlUp users within the same organization to delegate administrative tasks by configuring a Security Policy. ControlUp’s Security Policy is a collection of settings that determines which actions can be performed by each ControlUp user. These settings may be different for every folder in the Organization Tree, which allows for segmenting your environment into distinct areas of responsibility.
Note: for a brief beginner’s guide to the ControlUp Security Policy, please refer to the Secure Your Organization chapter.
ControlUp’s Security Policy is dependent upon the Central Configuration Store which is enabled in Enterprise Mode only. In Standalone Mode the Security Policy pane is disabled. For more information regarding ControlUp modes please refer to the “Choose Your ControlUp Mode” chapter.
Note: As a security precaution, you will not be able to modify the Security Policy if you have been disconnected from the Central Configuration Store for more than 24 hours. Should you wish to limit your organizations maximum offline period even further, please contact email@example.com.
Organization Ownership and User Roles
Each ControlUp Organization has a designated owner record, which initially contains the identity of the user who first created this organization. The Organization Owner is a Windows user or group account, who permanently possess the ability to change permissions. Regardless of the changes to the Security Policy, the Organization Owner will always be able to reset the Security Policy to its default settings. You can view the current owner for you organization by clicking the “Manage Roles” button on the Home ribbon of the Security Policy pane:
Upon initial configuration of the ControlUp Security Policy, it is recommended that you configure a restricted Active Directory group as an organization owner. This way you will always have the ability to reset ControlUp’s Security Policy to factory settings, even if the user who originally created the organization cannot be contacted any longer.
ControlUp evaluates administrative permissions according to your currently logged on Windows account. Every ControlUp organization contains a list of roles which determine the actions allowed for each role member. Every ControlUp role has to include at least one Windows user or a security group. By default, the Security Policy includes the following user roles:
- Organization Members – all authenticated ControlUp users in your organization.
- Local Admins – Windows users with local administrative permissions on the managed computers.
These built-in roles are special in the sense that they cannot be deleted or have their membership modified using ControlUp.
The Security Policy pane features a permissions grid, which contains a column for every role and a row for every management action:
New roles may be created by a Roles Manager, which is a built-in right initially granted to the organization’s owner. Upon initial configuration of ControlUp Security Policy, it is recommended that you configure a restricted Active Directory group as a Roles manager. Custom roles are created and managed using the “Manage Roles” button on the Home ribbon of the Security Policy pane:
To create a custom ControlUp role:
- Open the “Manage Roles” screen (using the Home ribbon in the Security Policy pane, or using the “Security Policy Settings” button on the Settings ribbon, or using File menu > Settings > Security Policy)
- Click on “Add New Role” (If the button is greyed out, please ensure your currently logged on Windows user account is a member of the “Roles Manager” group)
- Type a descriptive role name, such as “Help Desk Users”
- Click on “Add Users/Groups” and select the appropriate users or groups from Active Directory domains available to you. Please note that by default, ControlUp only displays group accounts in the search box. In order to display individual user accounts, please select the “Users and Groups” radio button.
After your custom role is created, you should see a new column with the role’s name appear to the right of the existing role columns.
Permissions for Management Actions
The rows in the permissions grid correspond to management actions, which are divided into the following groups:
- Perform organization-wide actions
- Run computer actions
- Run session actions
- Run processes actions
For more details regarding particular permissions, please refer to the “Action Permissions” section below.
Eventually, every ControlUp user may be either allowed or denied access to the management action, depending on their role membership and the location of the managed resource in the organization tree. Every cell in the permissions grid may be in one of the following states:
“Allow” – users in the current role are allowed to run the action, unless they are also members of another role which is configured with a “Deny” entry.
“Not Set” – users in the current role are not allowed to run the action, unless permitted by another role.
“Deny” – users in the current role are never allowed to run the action.
For example, by default, a member of the “Local Admins” is allowed to perform all computer actions on all computers in the organization. This permission is granted since the “Local Admins” role has an “Allow” permission on all computer actions for the root folder, and all subfolders inherit this permission.
Note: the “Apply” button on the Home ribbon of the Security Policy pane commits your changes to the Central Configuration Store. Until this button is clicked, any changes to the Security Policy are not applied.
Security Policy Inheritance
When a ControlUp Organization is first created, the default Security Policy is configured on the root folder of the organization, which bears the organization’s name.
Configuring Security Policy for Subfolders
By default, all of the subfolders under the root folder in your organization tree inherit their Security Policy from the root folder. A marked “Inherit” checkbox near each permission in the grid signifies this. If you would like the Security Policy of a subfolder to be different from its parent folder, you should uncheck this checkbox for the selected permission row.
Once the “Inherit” checkbox is unchecked, you will see a blue “i” sign on the folder, indicating that part of its Security Policy is no longer inherited from the parent folder:
In the above example, the “Chat” permission for the “CU Lab” folder is not inherited from its parent folder, hence the blue “i” icon in the organization tree.
In order to grant a ControlUp user permissions for a management action, you will need the following details:
Folder name – the name of a folder in the organization tree, which contains resources on which you would like to grant the permission. Select the root folder if you would like to grant permissions on computers in the entire organization, otherwise select a subfolder (e.g. Workstations) Note: You may also grant permissions on individual computers by selecting them in the organization tree. However, for manageability reasons it is recommended that you grant permissions on folders only.
Role name – the name of a built-in or custom role to which the user belongs. (e.g. Help Desk Users).
Action name – the name of the management action which you would like to permit (e.g. “Refresh Machine Policy”). You can also grant permissions on an entire action group (e.g. “Run Computer Actions”).
Once you have obtained the details above, click on the desired Folder name in the organization tree on the left, locate the row in the table with the desired Action name in the row name.
If the “Inherit” checkbox for that row is selected, deselect it. If not, click on the cell with the desired Role name in the column header and select “Allow” from the drop-down list.
Click “Apply” on the Home ribbon to save the changes. As a result of the operations in the example above, members of the “Helpdesk” role will have the ability to run the “Refresh Group Policy” action on computers located in the “Workstation” folder.
Note: As with standard Windows permissions, ControlUp “Deny” permissions always override “Allow” permissions. This means that any “Allow” permission applies only if the affected user is not a member of any other role which has a “Deny” permission entry in the same row.
ControlUp’s Security Policy includes two approaches of preventing users from running management actions:
- Implicit Deny – not granting permissions in the first place, or setting the permission to “Not Set”.
- Explicit Deny – settings the permission to “Deny”.
The difference between these two methods is the fact that Explicit Deny overrides any other permission, and the affected users will always be denied access to the action, even if they are members in additional roles which allow access to the same action. Implicit Deny (or “Not Set”) means that users are not allowed to run the management action, unless permitted to another role they are also a member of.
Note: It is considered best practice to use the explicit Deny approach only if you need to configure an exception for an existing rule. For example, “all Local Admins should be able to restart workstations, except for Helpdesk users” is a valid example for explicit Deny. However, a rule such as “Local Admins should not be allowed to restart computers” should be configured by using implicit Deny (“Not Set”) permission only.
There are several methods of restoring the default Security Policy in ControlUp, depending on your needs:
- If there’s a single permission entry which is currently set on a folder and you would like to reset this permission to inherit its parent folder settings, check the “Inherit” checkbox next to that permission and click “Apply” on the Home ribbon.
- If you have a folder with a complete Security Policy you would like to propagate to all its subfolders, then select this folder, click “Reset Inheritance” on the Home ribbon, and then click “Apply” on the Home ribbon. You will need an “Allow” setting in the “Change Permissions” row for the selected folder in order to be able to perform this action.
- If your entire Security Policy is misconfigured and you would like to reset it to factory defaults, click on the “Reset Defaults” button on the Home ribbon. Please note that this operation will also remove any custom user roles you have created. In order to be able to perform this operation, your user account has to be the Organization’s Owner OR a Roles Manager with sufficient permissions to change permissions on the root folder.
This section describes all the permissions configurable in ControlUp.
Perform Organization-wide actions
These actions are performed on objects in ControlUp’s organization tree only, without affecting managed resources such as computers or user sessions. They can also be referred to as “tree actions” since they are executed using the ControlUp Console and include the ability to add or remove computers, create and arrange folders, and change permissions.
Change Permissions – modify the Security Policy for the current folder or computer.
Note: The Organization Owner is always allowed to change permissions, regardless of other settings.
Manage ControlUp Insights Access Settings – modify all settings on the Insights Access tab of the Settings window
Manage User Permissions to ControlUp Insights – modify the per-user permissions to access ControlUp Insights in the Organization Properties window
Manage Data Upload Settings – modify all settings on the Data Upload tab of the Settings window
Edit Stress Settings – modify Stress Level settings for the current folder.
Manage Branch mapping settings - configure the subnet-to-name lookup table on the Branch Mapping tab of the Settings window
Configure Incident Triggers – view and change the configurations of incident triggers in the organization.
Add Computer – add new managed computers to the current folder.
Add Folder – add new folders to the current folder.
Change Folder Description – modify the description field for this folder.
Remove Computer – remove computers from the current folder / remove the current computer.
Remove Folder – remove the current folder.
Rename Folder – rename the current folder.
Run Shared Script-based Actions – globally permits execution of Script-based actions. In addition, the user will need an explicit permission to perform the Script-based Action of choice (see Script-based Actions below).
Run Draft Script-based Actions – permits the creation of new Script-based actions (drafts).
Download and Share Script-based Actions – permits downloading SBAs shared by the community and sharing user-created SBAs with the community.
Manage Script-based Actions – permits managing Script-based Actions for your organization.
View Folder – see the folder in the organization tree. The folder will be invisible to users lacking this permission (not applicable for the root folder, which has to stay visible).
Launch Controllers – switch to the Controllers pane. Without this permission, users cannot launch any controllers. This is a user interface restriction which can be configured on the root folder only.
View Incidents – use the Incidents Pane to display entries recorded in the organizational incidents database. Applies to the entire organization and cannot be changed for subfolders.
View Events – use the Events Pane to display event entries recorded on the managed computers. Applies to the entire organization and cannot be changed for subfolders.
View Hypervisors – View all hypervisor-related objects in the organization (VMs, Hosts, and hypervisor connections). Applies to the entire organization and cannot be changed for subfolders.
Manage Hypervisors – Create, edit and delete hypervisor connections in the organization. Applies to the entire organization and cannot be changed for subfolders.
Run Computer Actions
These actions are performed on the managed computers via the ControlUp Agent. Actions which have an asterisk after the action name are dependent on your currently logged-on Windows user’s rights because they use RPC to access the remote computers.
Monitor Computer – connect to the ControlUp Agent and start gathering performance data.
Change Computer Description – edit the “Description” field for a computer in ControlUp
Event Viewer on Remote Computer – open a new Event Viewer (eventvwr) window, attempting to connect to the remote computer.
RDP to Computer – switch to the Remote Desktop pane and establish an RDP session to the managed computer.
ControlUp Agent Management
The rest of the Computer Actions are performed using the ControlUp Agent on the managed computers. A user who is granted access to agent-based actions is permitted to instruct the ControlUp Agent on the managed computers to perform these actions. The ControlUp Agent on a managed computer will use its Local System account to perform the action unless otherwise specified. For example, when using the “Processes > Run as…” action, the ControlUp user will be able to execute any process accessible by the Local System account. As a side effect, you will not be able to run processes from the network unless you specify valid credentials, since Local System cannot access network locations.
For a full list of agent-based actions, please refer to the chapter regarding My Organization Pane.
Run Session Actions
Actions in this group are invoked using the Sessions view and performed on the managed computers using the ControlUp Agent.
A user who is granted access to these actions will be able to execute them only on user sessions hosted on managed computers affected by the Security Policy you are currently editing. Please note the caption on top of the permissions grid, saying “Security Policy for …”
For more information regarding these actions, please refer to the chapter regarding My Organization Pane.
Run Processes Actions
Actions in this group act upon processes on managed computers and are executed using the ControlUp Agent.
A user who is granted access to these actions will be able to execute them only on processes running on managed computers affected by the Security Policy you are currently editing. Please note the caption on top of the permissions grid, saying “Security Policy for …”
For more information regarding these actions, please refer to the chapter regarding My Organization Pane.