Use the template tool and these best practices for users and permissions to maximize the security and manageability of permissions for your ControlUp users. ControlUp recommends that you follow these best practices to ensure that users can perform only those actions that are applicable to their roles. Permissions and roles are set in the Real-Time Console in the Security Policy Pane.
General information for working in the Security Policy Pane can be found here: Security Policy Pane - Version 8.1.5 and Above.
Security Policy Planning Template
You can find a detailed planning template listing all permissions that can be set in the spreadsheet here. You can use this template as a draft before setting those permissions in the Real-Time Console Security Policy Pane. The benefits of planning your roles and permissions with this template before setting permissions in the console include:
- The spreadsheet is fully searchable.
- All items are expanded by default.
- You can visually see the impact that setting a permission may have on other permissions. For example, if you set Deny on a set of permissions, you can see that the same Deny is inherited by other groups of permissions.
- You can test your settings before implementing them in the console.
To get the most out of this template spreadsheet, make a copy in your own location, either online or locally, and edit it as follows:
- In the Google Sheets menu, select File > Make a copy to save it to a location in your Google Drive. Or you can select File > Download and select a file type to save it locally.
- If you want to specify different permissions for different folders in your organization that you don't want inherited from the root folder, duplicate the spreadsheet for each folder: click the spreadsheet name at the bottom and then select Duplicate.
You can now use this spreadsheet as a planning template to set permissions for different roles on your different folders. Follow your selections in this template when working in the Real-Time Console Security Policy Pane.
Best Practices Overview
Best Practice #1 – Set a group of users as organization owners instead of a user
Only specific users can set and change permissions for other users. These users are called organization owners. This role is powerful and it is important to know who is assigned to this role. By default, the user who created the organization automatically becomes the organization owner.
It is best practice to configure a dedicated Active Directory group that contains only those users who should be allowed to set ControlUp-related permissions. This prevents a single point of failure, for example when the original organization owner can no longer be contacted.
Check the Change Organization Owner article to see how to change the organization owner.
Best Practice #2 – Create Additional User Roles to Better Organize Permissions
Make sure that ControlUp users receive only those permissions that are needed to fulfill a specific task. Managing such permissions can be a complex task, especially in bigger organizations.
By default, the ControlUp Real-Time Console automatically creates a set of user roles which are:
- Local Admins
- Organization Members
- ControlUp Monitors
- Automation Admins
- ControlUp Admins
It is a best practice to create additional roles for different teams or individuals.
Check the How to create a custom ControlUp role section to learn how to add additional roles to the ControlUp Security Pane.
Best Practice #3 – Configure Organization Members to Access the ControlUp Platform to "Not Set"
The Organization Members role is analogous to the Everyone group in Windows. By default, all organization members are allowed to access the ControlUp platform.
It is a best practice to set all permissions for the Organization Members role to Not Set.
Check the Granting permissions section to see how to set a permission to Not Set for a specific role.
Best Practice #4 – Create a Dedicated User Role for Monitors
It is best practice to create a dedicated role for the monitor service. Set the permissions for these actions to Allow:
- Connect to Windows Machine
- Connect to Linux Machine
Check the Set Roles for Subfolders section to learn more about how to set permissions for a specific subfolder.
Best Practice #5 – Restrict Manage Script Actions Permission
Users with the Manage Script Actions permission can write and import their own scripts. Such scripts may cause harm to any machine that is reachable from the ControlUp Real-Time Console.
It is a best practice to allow only ControlUp Admins to manage script actions.
Check the Set Roles for Subfolders section to see how to set permissions for a specific subfolder.
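The rules in Best Practices #3, #4 and #5 can be checked against a CSV export of the planning template before the settings go into the console. The following Python script is an added example, not ControlUp code; the CSV layout (a Permission column followed by one column per role), the role names Monitor Service and Helpdesk, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of a planning-sheet export. The column layout and the
# "Monitor Service" and "Helpdesk" roles are assumptions, not ControlUp's format.
SAMPLE_CSV = """Permission,Organization Members,Monitor Service,ControlUp Admins,Helpdesk
Connect to Windows Machine,Not Set,Allow,Allow,Allow
Connect to Linux Machine,Allow,Not Set,Allow,Not Set
Manage Script Actions,Not Set,Not Set,Allow,Allow
"""

# Permissions the dedicated monitor role must have set to Allow (Best Practice #4).
MONITOR_ALLOW = {"Connect to Windows Machine", "Connect to Linux Machine"}


def audit(csv_text, monitor_role="Monitor Service", admin_role="ControlUp Admins"):
    """Return a list of findings for Best Practices #3, #4 and #5."""
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        perm = row.pop("Permission").strip()
        seen.add(perm)
        # Normalise role names and values; skip surplus cells without a header.
        cells = {r.strip(): (v or "").strip() for r, v in row.items() if r}
        # 3: every Organization Members cell is Not Set (blank is treated as Not Set).
        members = cells.get("Organization Members") or "Not Set"
        if members.lower() != "not set":
            findings.append(f"#3: Organization Members has '{members}' on '{perm}'")
        # 4: the monitor role needs Allow on both connect permissions.
        if perm in MONITOR_ALLOW and cells.get(monitor_role, "").lower() != "allow":
            findings.append(f"#4: {monitor_role} lacks Allow on '{perm}'")
        # 5: only the admin role may have Allow on Manage Script Actions.
        if perm == "Manage Script Actions":
            for role, value in cells.items():
                if role != admin_role and value.lower() == "allow":
                    findings.append(f"#5: {role} is allowed to manage script actions")
    # A connect permission that never appears in the sheet cannot have been planned.
    for perm in sorted(MONITOR_ALLOW - seen):
        findings.append(f"#4: row '{perm}' is missing from the sheet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```

Run it once per duplicated sheet if you plan different permissions for different folders.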
Best Practice #6 – Create a "View Only" Role
Grant read-only permissions to users who should only view objects in the Real-Time Console without the ability to modify them.
Check the Security Policy - View Only Role article to see how to configure a "View Only" security role.