Managing users on the SES Evolution administration console

Users access the console with their Microsoft Windows accounts which must be on the same Active Directory domain as the backend component. If this is not the case, then a relationship of trust must be established between the domains.

By default, only the super administrator specified during installation can log in to the administration console. He/she can then add other users or groups of users who will be able to log on in turn.

NOTE
If you rename the Windows account of this super administrator, make sure that you have created a user beforehand with the new name in the SES Evolution administration console. Otherwise you will not be able to log in to the console. For further information, refer to the section Adding users on the administration console.

Each user or group is assigned a role that defines their profile and restricts the functionalities available in the administration console. Three roles are available by default: Audit, Helpdesk and Administration. New roles can also be created and customized.

EXAMPLE
You can create an AdministratorsSES Evolution group in Active Directory, add it to SES Evolution, and assign it the Administration role. In this case, all users in the group will automatically have administrative privileges in the SES Evolution console. You will not need to add them individually.

Multiple users can log on simultaneously to consoles managing the same pool.

Only a user with the Administration role is authorized to add other users.

  1. Choose the Backoffice > Users menu, then the Roles tab.
  2. Click Edit in the top banner, then click on Create role.
  3. Enter a name for the role and its description if necessary.
  4. Click on OK. The new role appears in the list. The most restrictive privileges are applied by default.
  5. For each privilege, choose the type of access that you want to grant. Every privilege corresponds to a panel in the administration console. By default, only the panels Deployment, Dashboard and Licenses are accessible.
    The Lock privilege makes it possible to break locks set up by other users on panels in the console. For more information on locks, see Managing simultaneous user connections to consoles administering the same pool.

Only a user with the Administration role is authorized to add other users or groups.

  1. Choose the Backoffice > Users menu, then the Users and groups tab.
  2. Click on Edit in the top banner, then on Add in the Users or Groups area.
    An empty line is displayed.
  3. You can:
    • Click on the icon to the right of the line to select a user/group in the Active Directory.
    • Manually enter an Active Directory user name/group using the syntax DomainName\samAccountName for a user, and samAccountName for a group.
    • Enter a local user name manually.

    SES Evolution checks the validity of the user/group and displays its status on the right. Hover your mouse over the icon in the Status column to obtain more information.

     

  4. Select the role to assign to the user/group:
    • Audit: this role makes it possible to view all panels in the console and edit the settings of the user’s own account, but no other modification and deployment operations are possible. This role is dedicated to log reading and agent monitoring.
    • Help desk: This role holds the same privileges as the Audit role. In addition, it allows the user to respond to challenges and unlocks locked operations. This role is dedicated to the maintenance of the SES Evolution pool.
    • Administration: This role makes it possible to perform all operations accessible in the administration console without restrictions.
    • Custom role
  5. In the Group area, sort the groups by priority using the arrows in the Order column. If a user belongs to more than one group, he or she is assigned the role of the group with the highest priority.

If a user is declared individually AND via a group, the individual user role is assigned.

Multiple users can simultaneously manage the same pool from different hosts.

When a user edits any of the following resources, they will automatically be locked and no other users can edit them:

  • An agent group,
  • A policy,
  • A rule set,
  • A Yara or IoC analysis unit,
  • An agent handler group.

EXAMPLE


  • While user 1 is modifying policy A, user 2 cannot modify it, but they can modify the rule sets contained in policy A, and policy B.
  • While user 1 edits agent group A, user 2 cannot edit it, but may add a new agent group B.

When a user saves or cancels changes, the panel will automatically be unlocked if there are no more objects being edited in this panel.

No user can edit a panel locked by another user. The Edit button in the upper panel is replaced with a padlock. Hover the mouse pointer over the padlock to see who locked the panel and since when. There are three types of padlocks:

Padlock Description
Green  You are editing the resource and it is locked for the other console users. Only users with Locks - Unlock privileges can unlock the resource. In this case, you are informed when you save your modifications.
Orange  The resource is being edited by another user, but you have Locks - Unlock privileges and you can thus unlock the resource to edit it. First ensure that your action is legitimate.
Red  The resource is being edited by another user, and you do not have Locks - Unlock privileges. Therefore, you cannot unlock the resource.

Unlocking a resource can be particularly useful when it accidentally remains in edit mode for example.

As this operation releases the panel and cancels the other user’s changes in progress, it must be used carefully. In this case, the user who held the lock first will be warned when s/he attempts to save changes.

To unlock a panel if you have the appropriate privileges, i.e. if the padlock is orange:

  1. Click on the padlock in the upper banner.
  2. Confirm the operation in the window that appears.