Security Policy Overview

    Article Summary

    ControlUp users within the same organization can use the Security Policy pane to delegate administrative tasks by configuring a security policy. The Security Policy is a collection of settings that determine which actions can be performed by each ControlUp role. You assign security settings per role, and can also assign them differently for each folder in the organization tree, enabling you to segment your environment into distinct areas of responsibility.

    To access the Security Policy pane, click the Security Policy tab at the bottom of the Real-Time DX Console:
    [Screenshot: accessing the Security Policy pane]

    Organization Ownership and User Roles

    Each ControlUp Organization has a designated owner record, which initially contains the identity of the user who first created the organization, known as the Organization Owner. The Organization Owner is a Windows user or group account that has the permanent ability to change permissions. Regardless of any changes to the Security Policy, the Organization Owner can always reset the Security Policy to the default settings.

    To view your current Organization Owner, in the Security Policy pane, click Manage Roles in the Home ribbon:
    [Screenshot: viewing the current Organization Owner in Manage Roles]

    During initial configuration of the ControlUp Security Policy, it is recommended to configure a restricted Active Directory group with more than one user as an Organization owner. This enables you to reset the Security Policy to factory settings, even if the user who originally created the Organization can no longer be contacted.

    ControlUp evaluates administrative permissions according to your currently logged-on Windows account. Every ControlUp organization contains a list of roles that determine the permitted actions for each role member. Every ControlUp role must include at least one Windows user or security group.

    By default, the Security Policy includes the following user roles:

    | User Role | Description / Permissions |
    | --- | --- |
    | Local Admins | Windows users with local administrative permissions on the managed machines |
    | Organization Members | All authenticated ControlUp users in your organization |
    | ControlUp Monitors | Role has no preset permissions |
    | Automation Admins | Role has only the Create Automated Actions permission |
    | Helpdesk | Role has preset connection, credentials, and viewing-related action permissions |
    | ControlUp Admins | Role has preset permissions for all Management Actions |

    You can't delete these default roles or modify their membership using ControlUp; however, you can grant each role some or all of the Management Actions, depending on the type of role.

    The Security Policy pane features a permissions grid that contains a column for every role and a row for every Management Action. Each Management Action includes a number of action elements, which you can grant permissions to individually. Click + next to a Management Action to display its action elements:
    [Screenshot: overview of the Security Policy pane and its permissions grid]

    You can create new roles in the Roles Manager, which is a built-in permission initially granted to the organization’s owner. During initial configuration of the ControlUp Security Policy, we recommend configuring a restricted Active Directory group as a Roles Manager.

    Note

    From version 8.8, every user that is a Login Access Manager is also a Roles Manager.

    Configure Custom Roles and Restrict Actions

    You can create custom roles for different teams or individuals on your network using the Manage Roles window. Active Directory users and groups from any domain or forest configured in ControlUp can be members of these custom roles.

    Note

    As a security precaution, you cannot modify the Security Policy if you have been disconnected from the Central Configuration Store for over 24 hours. If you want to limit your organization's maximum offline period even further, contact support@controlup.com.

    To create a custom ControlUp role:

    1. Click Manage Roles. The Security Settings popup appears:
      [Screenshot: the Manage Roles window]

    2. Click Add New Role. The Add New Role popup appears.

      Note

      You must be logged in as a Roles Manager. If not, the Add New Role button is grayed out.

    3. Enter a name in the Role Name text box and click Add Users/Groups. The Account Browser popup appears.

    Note

    If you select a group, the group scope must be either Global or Universal. Domain local group scope isn't supported.

    4. Select the appropriate users or groups from the available Active Directory domains and click OK. You are returned to the Add New Role popup, which now lists the selected users and groups.
      [Screenshot: a new custom role with its members]

    Removed AD Dependency
    From version 9.0, you can deploy ControlUp Monitors on machines that are not joined to a local Active Directory (AD) domain. For details, see Removed AD Dependency for Monitors.

    Note

    By default, ControlUp only displays group accounts in the search box. In order to display individual user accounts, select the Users and groups radio button.

    5. Click OK and you return to Security Settings.
    6. Click Apply. The new role is created and appears in the Security Policy pane.

    Default Permissions

    By default, Local Admins are granted permission to perform all Management Actions available in ControlUp. This means that before a user can perform a Management Action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed machine. If this validation fails, the Management Action isn't completed.

    Organization Members are allowed to perform organization-wide actions, but not Management Actions. For example, they can see the folder tree, create or modify folders, add or remove machines and connect to machines to see their performance information. However, they can't perform any actions on the managed machines.

    Permissions for Management Actions

    The rows in the permissions grid correspond to Management Actions. For more details regarding particular permissions, see Action Permissions below.

    Every ControlUp user may be either allowed or denied access to a Management Action, depending on their role membership and the location of the managed resource in the organization tree. Each cell in the permissions grid can be in one of the following states:

    • Allow. Users in the current role are allowed to run the action unless they are also members of another role in which the same action is set to Deny.
    • Not Set (or blank). Users in the current role aren't allowed to run the action unless permitted by another role.
    • Deny. Users in the current role are never allowed to run the action.
    • N/A. The action doesn't apply to the role. This can't be changed.

    For example, by default, a member of the Local Admins is allowed to perform all machine actions on all machines in the organization. This permission is granted since the Local Admins role has an Allow permission on all machine actions for the root folder, and all subfolders inherit this permission.

    Important

    Once the changes have been made, you MUST click Apply on the Home ribbon of the Security Policy pane to submit your changes to the Central Configuration Store. Until this button is clicked, any changes to the Security Policy aren't applied.

    Security Policy Inheritance

    When a ControlUp organization is first created, the default Security Policy is configured on the root folder of the organization, which has the organization’s name.

    Configuring Security Policy for Subfolders

    By default, all of the subfolders under the root folder in your organization tree inherit their Security Policy from the root folder. A marked Inherit checkbox near each permission in the grid signifies this. If you require the Security Policy of a subfolder to be different from its parent folder, you must uncheck this checkbox for the selected permission row.

    After you uncheck the Inherit checkbox, a blue exclamation point icon appears on the folder, indicating that part of its Security Policy is no longer inherited from the parent folder:
    [Screenshot: a folder after the Inherit setting is unchecked]

    In the above example, the Enable Maintenance Mode Management Action for the "Hypervisors" folder isn't inherited from its parent folder, hence the blue exclamation point icon.

    Granting Permissions

    To grant user permissions for Management Actions, you require the following details:

    1. Folder name. The name of a folder in the organization tree that contains the resources for which you need to grant permission. Select the root folder if you need to grant permissions on machines in the entire organization; otherwise select a subfolder (e.g. Workstations).

      Note

      You may also grant permissions on individual machines by selecting them in the organization tree. However, for manageability reasons, it is recommended that you grant permissions on folders only.

    2. Role name. The name of a built-in or custom role to which the user belongs. For example Help Desk Users.

    3. Action name. The name of the Management Action which you would like to permit (e.g. Refresh Machine Policy). You can also grant permissions on an entire action group (e.g. Run machine Actions).
      [Screenshot: Security Policy elements (folder, role and action)]

    4. After you have provided the details above, click on the desired folder name in the organization tree on the left and locate the row in the table with the desired action name in the row name.

    5. If the Inherit checkbox for that row is selected, deselect it. Then click the cell in the column headed by the desired Role name and select Allow from the drop-down list.

    6. Click Apply on the Home ribbon to save the changes. Members of the Helpdesk role now have the ability to run the Refresh Group Policy action on machines located in the Workstation folder.

    Note

    As with standard Windows permissions, Deny permissions always override Allow permissions. This means that any Allow permission applies only if the affected user is not a member of any other role which has a Deny permission entry in the same row.

    Denying Permissions

    ControlUp’s Security Policy includes two approaches to preventing users from running Management Actions:

    1. Implicit Deny. Not granting the permission in the first place, or setting the permission to Not Set.

    2. Explicit Deny. Setting the permission to Deny.

    The difference between these two methods is that Explicit Deny overrides any other permission: the affected users are always denied access to the action, even if they are members of additional roles that allow access to the same action. Implicit Deny (or Not Set) means that users are not allowed to run the Management Action unless it is permitted by another role they are also a member of.

    Note

    It is considered best practice to use the Explicit Deny approach only if you need to configure an exception for an existing rule. For example, to enable all Local Admins to restart workstations, except for Helpdesk users, an Explicit Deny is recommended.

    However, to ban Local Admins from restarting machines, it is recommended to use an implicit Deny (Not Set) permission.
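    The following is an added worked example, not ControlUp's own code, that models the evaluation rules described in the sections above: Allow, Not Set and Deny cells, Deny in any of a user's roles overriding Allow in another, Not Set acting as an implicit deny, and a subfolder inheriting an action row from its parent until the Inherit checkbox is unchecked for that row. The organization name "Example Org" and the folder, role and action combinations are constructed for illustration; the Local Admins and Helpdesk roles and the Reboot and Refresh Machine Policy actions are taken from this page.

```python
# Added example modelling ControlUp-style Security Policy evaluation.
# Illustrative code, not ControlUp's implementation; names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not Set"


@dataclass
class Folder:
    """A folder in the organization tree.

    `rows` holds only the action rows whose Inherit checkbox is unchecked on
    this folder: rows[action][role] -> cell value. An action missing from
    `rows` is inherited from the parent folder.
    """
    name: str
    parent: Optional["Folder"] = None
    rows: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def effective_row(self, action: str) -> Tuple[Dict[str, str], Optional[str]]:
        """Return the row that applies here and the name of the folder it comes from."""
        folder: Optional[Folder] = self
        while folder is not None:
            if action in folder.rows:
                return folder.rows[action], folder.name
            folder = folder.parent
        return {}, None  # no folder sets this row, so every cell is Not Set

    def set_cell(self, action: str, role: str, value: str) -> None:
        """Uncheck Inherit for `action` on this folder and set one cell."""
        self.rows.setdefault(action, {})[role] = value

    def reset_inheritance(self, action: str) -> None:
        """Re-check Inherit for `action`: the parent's row applies again."""
        self.rows.pop(action, None)


def evaluate(folder: Folder, action: str, user_roles: Iterable[str]) -> str:
    """Combine the cells of every role the user belongs to.

    Deny in any role wins; otherwise Allow in any role wins; otherwise the
    result is Not Set, which is an implicit deny.
    """
    row, _ = folder.effective_row(action)
    cells = {row.get(role, NOT_SET) for role in user_roles}
    if DENY in cells:
        return DENY
    if ALLOW in cells:
        return ALLOW
    return NOT_SET


def is_permitted(folder: Folder, action: str, user_roles: Iterable[str]) -> bool:
    """Only an effective Allow lets the action run."""
    return evaluate(folder, action, user_roles) == ALLOW


def build_sample_tree() -> Dict[str, Folder]:
    """Constructed organization tree: root with two subfolders."""
    root = Folder("Example Org")  # constructed organization name
    workstations = Folder("Workstations", parent=root)
    hypervisors = Folder("Hypervisors", parent=root)

    # Root policy: Local Admins may reboot and refresh machine policy everywhere.
    root.set_cell("Reboot", "Local Admins", ALLOW)
    root.set_cell("Refresh Machine Policy", "Local Admins", ALLOW)

    # Workstations: inheritance broken for one row so Helpdesk can refresh policy.
    workstations.set_cell("Refresh Machine Policy", "Local Admins", ALLOW)
    workstations.set_cell("Refresh Machine Policy", "Helpdesk", ALLOW)

    # Hypervisors: an exception to an existing Allow, so an explicit Deny is used.
    hypervisors.set_cell("Reboot", "Local Admins", ALLOW)
    hypervisors.set_cell("Reboot", "Helpdesk", DENY)
    return {"root": root, "workstations": workstations, "hypervisors": hypervisors}


if __name__ == "__main__":
    tree = build_sample_tree()
    checks = [
        ("workstations", "Reboot", ["Local Admins"]),
        ("workstations", "Refresh Machine Policy", ["Helpdesk"]),
        ("root", "Refresh Machine Policy", ["Helpdesk"]),
        ("hypervisors", "Reboot", ["Local Admins", "Helpdesk"]),
        ("workstations", "Reboot", ["Local Admins", "Helpdesk"]),
    ]
    for key, action, roles in checks:
        folder = tree[key]
        _, source = folder.effective_row(action)
        print(f"{folder.name:13} {action:23} {roles} -> "
              f"{evaluate(folder, action, roles)} (row inherited from {source})")
```

    Running the script shows the two behaviours worth remembering when auditing a policy: a user who is in both Local Admins and Helpdesk is denied Reboot on Hypervisors because the Helpdesk Deny overrides the Local Admins Allow, but is allowed Reboot on Workstations because Helpdesk's Not Set there does not block anything. Calling `reset_inheritance("Reboot")` on the Hypervisors folder removes the exception and the root row applies again.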

    Resetting Inheritance

    There are several methods of restoring the default Security Policy in ControlUp, depending on your needs:

    • If there’s a single permission entry currently set on a folder and you need to reset this permission to inherit its parent folder's settings, select the Inherit checkbox next to that permission and click Apply on the Home ribbon.
    • If you have a folder with a complete Security Policy that you would like to extend to all its subfolders, select this folder and click Reset Inheritance on the Home ribbon, and then click Apply. You will need an Allow setting in the Change Permissions row for the selected folder to perform this action.
    • If your entire Security Policy is misconfigured and you would like to reset it to factory defaults, click Reset Defaults on the Home ribbon. Note that this operation will also remove any custom user roles you have created. To perform this operation, your user account must be either the Organization’s Owner or a Roles Manager with sufficient permissions to change permissions on the root folder.

    Action Permissions

    This section describes all the permissions configurable in ControlUp.

    Perform Organization-wide Actions

    These actions are performed on objects in ControlUp’s organization tree only, without affecting managed resources such as machines or user sessions. They can also be referred to as 'tree actions', since they are executed using the ControlUp Real-Time Console and include the ability to add or remove machines, create and arrange folders, and change permissions.

    | Management Action | Functionality |
    | --- | --- |
    | Change Permissions | Modify the access and management permissions for users in your environment. As a security precaution, the Organization’s Owner/s can always change the permissions |
    | Change Settings | Modify the following settings: Presets, Agent, AD Connections, Schedule, Virtual Expert, and Audit Log settings |
    | ControlUp Insights - manage access settings | Modify the restrictions applied to user email suffixes and source IPs when connecting to ControlUp Insights. Automatically includes rights granted by the "Manage user permissions for ControlUp Insights" action |
    | ControlUp Insights - manage user permissions | Manage individual user permissions for accessing ControlUp Insights, including inviting new users and modifying existing access permissions |
    | Manage data upload settings | Modify data upload and incident reporting settings on the Data Upload tab of the Settings window |
    | Use Solve | Launch and use the Solve interface for this organization |
    | Manage Solve | Modify Solve settings of this organization |
    | Edit Stress Settings | Modify who is able to edit the Stress Settings |
    | Manage Branch mapping settings | Configure the lookup table of client IP addresses to branch office names in the Settings window |
    | Configure Incident Triggers | Configure Incident Triggers |
    | Create Automated Actions | Create Automated Actions |
    | Add Machine | Add a managed machine to the organizational tree view |
    | Add Folder | Add a folder in the organizational tree view to arrange similar machines |
    | Change Folder Description | Change the description for a folder |
    | Remove Machine | Remove a managed machine from the organizational tree |
    | Remove Folder | Remove a folder in the organizational tree view |
    | Rename Folder | Rename a machine folder in the organizational tree view |
    | Run shared Script Actions | Run shared Script Actions |
    | Run draft Script Actions | Run Script Actions that are in draft mode |
    | Download and share Script Actions | Download and share Script Actions |
    | Manage Script Actions | Manage Script Actions |
    | View Folder | View a folder in the organizational tree view |
    | Launch Controllers | Work in the Controllers pane. This permission is only configurable on the root folder |
    | View Incidents | View the Incidents pane |
    | View Events | View the Events pane |
    | View All Hypervisors | View all hypervisor-related objects (VMs, Hosts and hypervisor connections) in this organization |
    | Manage All Hypervisors | Create, edit and delete hypervisor connections in this organization |
    | Manage All Cloud Connections | Create, edit and delete cloud connections in this organization |
    | Manage All EUC Environments | Create, edit and delete EUC Environment connections in this organization |
    | Manage All NetScaler Appliances | Create, edit and delete NetScaler connections in this organization |
    | Manage All Linux Data Collectors | Specifies who can manage all LDCs. Only users with this permission can create/edit/remove LDC objects |
    | Manage application load time settings | Configure the parameters the ControlUp Agent uses when measuring application load times |
    | Manage Monitor | Perform management tasks for ControlUp Monitors |
    | Manage application title settings | Configure the parameters the ControlUp Agent uses to monitor the title of active windows |
    | Manage browser URL settings | Configure the parameters the ControlUp Agent uses to monitor URLs of browser processes |
    | Connect to Data Source | Collect data from an external data source, such as a hypervisor, XenDesktop site, public cloud or NetScaler appliance |
    | Manage Shared Credentials | Create, edit and delete Shared Credentials in this organization |
    | Use Shared Credentials | Connect to an organizational tree view connection with Shared Credentials (can be granted only for non-builtin roles) |

    Run Host Actions

    | Management Action | Functionality |
    | --- | --- |
    | Enable Maintenance Mode | Enter a certain host into Maintenance Mode |
    | Disable Maintenance Mode | Change the state of a certain host out of Maintenance Mode |

    Run Machine Actions

    These actions are performed on the managed machines via the ControlUp Agent.

    | Management Action | Functionality |
    | --- | --- |
    | Connect to Windows Machine | Connect to Windows Machine |
    | Connect to Linux Machine | Connect to Linux Machine |
    | Change Machine Description | Change the description for a machine |
    | Event Viewer On Remote Machine | Opens the event viewer of the remote machine. This action requires RPC access and valid administrative credentials on the target machine(s) |
    | RDP to Machine | RDP to machine |
    | Enable Remote Assistance in Group Policy | Removes the unsolicited remote assistance restriction on the target machine |
    | Flush DNS | Flush DNS on the selected machine |
    | Install Remote Assistance Feature | Install Remote Assistance Feature |

    ControlUp Agent Management

    These actions define how the user role can interact with the ControlUp Agent. All actions require RPC access and valid administrative credentials on the target machines.

    | Management Action | Functionality |
    | --- | --- |
    | Start Remote Agent | Starts the remote agent on the selected machine |
    | Stop Remote Agent | Stops the remote agent on the selected machine |
    | Restart Remote Agent | Restarts the remote agent on the selected machine |
    | Remove Remote Agent | Removes the remote agent from the selected machine |
    | Upgrade/Install Remote Agent | Upgrades the remote agent on the selected machine |
    | Listening Port Remote Agent | Set the listening port for the remote agent on the selected machine |
    | Deploy .NET Framework | Deploy .NET Framework on machines |

    VM Power Management

    | Management Action | Functionality |
    | --- | --- |
    | Shutdown Guest | Gracefully shuts down the virtual machine |
    | Force Power off VM | Forcefully powers off the virtual machine |
    | Restart Guest | Gracefully restarts the virtual machine |
    | Force Reset VM | Forcefully resets the virtual machine |
    | Power On VM | Powers on the virtual machine on the hypervisor infrastructure |

    File System

    | Management Action | Functionality |
    | --- | --- |
    | Manage File System | Opens the File System Controller form |
    | Monitor File System | View, analyze and compare file system objects |

    Group Policy

    | Management Action | Functionality |
    | --- | --- |
    | Refresh Machine Policy | Refreshes the machine group policy using the command 'gpupdate.exe /target:machine' |

    Installed Software

    | Management Action | Functionality |
    | --- | --- |
    | Display Installed Software | Display information about currently installed programs |
    | Display Installed Updates | Display information about currently installed updates |

    Processes

    | Management Action | Functionality |
    | --- | --- |
    | Start Process As User | Starts a new process on the target machine, with the supplied credentials or with the remote agent credentials |
    | Enable Process Execution | Enables process execution |
    | Disable Process Execution | Disables process execution |

    Power Management

    | Management Action | Functionality |
    | --- | --- |
    | Shutdown | Shut down the selected machine |
    | Reboot | Restart the selected machine |
    | Wake-On-LAN | Send a Wake On LAN magic packet to wake up the machine |

    Registry

    | Management Action | Functionality |
    | --- | --- |
    | Import Registry User | Imports a registry key from a file. Type a file name or browse for a registry file to import |
    | Modify User Registry | Performs registry actions on sessions |
    | Monitor User Registry | Analyze and compare registry settings on sessions in this container |

    Services

    | Management Action | Functionality |
    | --- | --- |
    | Manage Services | Opens the Services Controller form and adds the selected machines |
    | Monitor Services | Analyze and compare system services settings on machines in this container |

    Citrix Virtual Apps and Desktops

    | Management Action | Functionality |
    | --- | --- |
    | Enable Maintenance Mode | Enter a certain host into Maintenance Mode |
    | Disable Maintenance Mode | Change the state of a certain host out of Maintenance Mode |

    VMware Horizon

    | Management Action | Functionality |
    | --- | --- |
    | Enable Maintenance Mode | Mark the machine for maintenance. This operation puts the current machine into maintenance mode. It applies only to managed machines that do not belong to Instant Clone Engine desktops |
    | Disable Maintenance Mode | Mark the machine out of maintenance. This operation takes the current machine out of maintenance mode. It applies only to managed machines that do not belong to Instant Clone Engine desktops |
    | Restart Horizon Machine | Restart the machine. This applies only to managed machines |
    | Recover Machine | Mark the machine for recovery. This operation applies only to machines belonging to Instant Clone Engine desktops. The machine being recovered must not have any active user session; otherwise this operation fails |
    | Enable Connection Server | Enable VMware Horizon Connection Server |
    | Disable Connection Server | Disable VMware Horizon Connection Server |
    | Enable RDS Server | Enable VMware Horizon RDS Server |
    | Disable RDS Server | Disable VMware Horizon RDS Server |

    Azure Cloud

    | Management Action | Functionality |
    | --- | --- |
    | Reboot | Restart a certain Azure Machine |
    | Start | Start a certain Azure Machine |
    | Stop | Power off a certain Azure Machine |
    | Reapply Azure Machine State | Reapply a certain Azure Machine |
    | Deallocate Azure Machine (from 8.6.5) | Stop and deallocate an Azure Machine |

    Script Actions

    In this category, you see all installed Script actions in your environment. Here you can define which user role can execute a certain script.

    Agent-based Actions

    The rest of the machine actions are performed using the ControlUp Agent on the managed machines. A user that was granted access to agent-based actions is permitted to instruct the ControlUp Agent on the managed machines to perform these actions. The ControlUp Agent on a managed machine will use its Local System account to perform the action unless otherwise specified. For example, when using the “Processes > Run as…” action, the user can execute any process accessible by the Local System account. As a result, you can't run processes from the network unless you specify valid credentials, since Local System can't access network locations.
    For a full list of agent-based actions, see My Organization Pane.

    Run Session Actions

    Actions in this group are invoked using the Sessions view and performed on the managed machines using the ControlUp Agent. A user who is granted access to these actions can execute them only on user sessions hosted on managed machines affected by the Security Policy you are currently editing. Note the caption on top of the permissions grid that reads “Security Policy for …”
    For more information regarding these actions, see My Organization Pane.

    | Management Action | Functionality |
    | --- | --- |
    | Chat | Starts a chat |
    | Establish a Remote Assistance Session | Initiates a remote control session. For RDP sessions, generates an RAInvitation file and sends it back to the console |
    | RDP to machine | Switches to Remote Desktop view and establishes an RDP connection |
    | Shadow | Starts an additional session on the target machine that controls the selected session using the 'Shadow' tool |

    Get Session Screenshot

    | Management Action | Functionality |
    | --- | --- |
    | Without notifying the user | Retrieves the active user session desktop screenshot without a user notification |
    | With user notification | Retrieves the active user session desktop screenshot with a user notification |
    | With user approval | Retrieves the active user session desktop screenshot, but asks for the user's approval first |

    Group Policy

    | Management Action | Functionality |
    | --- | --- |
    | Remove Group Policy | Removes explorer Group Policy on the selected session |
    | Refresh Machine Policy | Refreshes the machine group policy using the command 'gpupdate.exe /target:machine' |
    | Refresh User Policy | Refreshes the user group policy using the command 'gpupdate.exe /target:user' |

    Installed Software

    | Management Action | Functionality |
    | --- | --- |
    | Display Installed Software | Display information about currently installed programs |
    | Display Installed Updates | Display information about currently installed updates |

    Processes

    | Management Action | Functionality |
    | --- | --- |
    | Run Process | Execute processes on the managed machine |

    Registry

    | Management Action | Functionality |
    | --- | --- |
    | Import Registry User | Imports a registry key from a file. Type a file name or browse for a registry file to import |
    | Modify User Registry | Performs registry actions on sessions |
    | Monitor User Registry | Analyze and compare registry settings on sessions in this container |

    Remote Desktop Services

    | Management Action | Functionality |
    | --- | --- |
    | Log Off Session | Logs off a user session without notifying the user. If the selected target is an Account, all of that account's sessions in the selected folders are logged off |
    | Disconnect Session | Disconnects a user session without notifying the user. If the selected target is an Account, all of that account's sessions in the selected folders are disconnected |
    | Send Message | Sends a message to the selected sessions |
    | Send Super Message | Sends a rich text message to the selected sessions, including graphics, text formatting and the ability to gain feedback from the user |

    VMware Horizon

    | Management Action | Functionality |
    | --- | --- |
    | Log Off Session | Logs off a session |
    | Log Off Session Forcibly | Logs off a session forcibly. This operation also logs off a locked session |
    | Disconnect Session | Disconnects a session |

    Run Folder Actions

    Citrix Virtual Apps and Desktops

    | Management Action | Functionality |
    | --- | --- |
    | Enable Maintenance Mode | Enter a certain CVAD delivery group into Maintenance Mode |
    | Disable Maintenance Mode | Change the state of a certain CVAD delivery group out of Maintenance Mode |
    | Enable CVAD delivery group | Enable CVAD delivery group |
    | Disable CVAD delivery group | Disable CVAD delivery group |

    VMware Horizon

    | Management Action | Functionality |
    | --- | --- |
    | Enable Horizon Pool/Farm | Enable VMware Horizon Pool/Farm |
    | Disable Horizon Pool/Farm | Disable VMware Horizon Pool/Farm |
    | Enable Horizon Pool/Farm provisioning | Enable VMware Horizon Pool/Farm provisioning |
    | Disable VMware Horizon Pool/Farm provisioning | Disable VMware Horizon Pool/Farm provisioning |

    Run Processes Actions

    Actions in this group act upon processes on managed machines and are executed using the ControlUp Agent.
    A user granted access to these actions can execute them only on processes running on managed machines affected by the Security Policy you are currently editing. Note the caption on top of the permissions grid that reads “Security Policy for …”
    For more information regarding these actions, see My Organization Pane.

    | Management Action | Functionality |
    | --- | --- |
    | Kill Process | Terminates the selected process |
    | Set Process Priority | Set Process Priority |
    | End Process | Terminates the selected process gracefully |
    | Pskill Process | Terminates the selected process |
    | Set Process Affinity | Set Process Affinity |

    CPU Throttling

    | Management Action | Functionality |
    | --- | --- |
    | Start CPU Throttling | Set a limit on the CPU consumption of the selected process(es) |
    | Stop CPU Throttling | Remove the set limit on the CPU consumption of the selected process(es) |

    Run Application Actions

    Citrix Virtual Apps and Desktops

    | Management Action | Functionality |
    | --- | --- |
    | Enable Published Application | Enable Published Application |
    | Disable Published Application | Disable Published Application |

    VMware Horizon

    | Management Action | Functionality |
    | --- | --- |
    | Enable Horizon Application Pool | Enable VMware Horizon Application Pool |
    | Disable Horizon Application Pool | Disable VMware Horizon Application Pool |
