Permissions in LogonBox enable us to allow users access to certain functions or to delegate a subset of admin rights to an account (for example we might want to delegate rights to manage users but not to change any other configuration items).
This is done by the creation of a Role in Security & Permissions, adding the required permissions and assigning to a user or group.
Below is a list of every permission available on the system and a brief description of what that permission grants access to.
Many of these permissions are broken down into separate, more granular permissions: Create, Delete, Read and Update.
Create permissions allow you to create new configuration items (for example, create a user or create a new role).
Delete permissions allow you to delete any existing item.
Read permissions grant a read-only view of the configuration area and do not allow any changes to be made.
Update permissions allow the editing of any existing item.
Permissions are split into 2 main areas:
Permissions for users to access things or perform tasks
Permissions to delegate admin rights to areas of the product (this second area can itself be split into user management permissions and general configuration permissions).
| End user permissions | Description |
|---|---|
| Audit Personal | Allows a user to see their own personal event log in My Profile->My Log |
| Authenticator Setup | Adds a widget to the user's dashboard to allow them to set up the LogonBox Authenticator app, which can be used for authentication and password resets |
| Authorize Device | Allows a user to view and authorize devices to run the SSH Desktop Agent software (not used on SSPR), My Profile->Authorized Devices |
| Download Client | Deprecated: used to allow a user to download the now defunct LogonBox Client |
| Logon | Allows a user to log on to LogonBox |
| Password Change | Allows a user to change their password from My Profile->Change Password |
| Password Personal | Allows a user to create and store their own personal passwords using either the UI or the LogonBox Password Manager browser extension |
| Password Sharing | Allows a user to share a password from the LogonBox Password Manager browser extension |
| Profile Image Read | Allows a user to see and manage a profile image from their user dashboard |
| Profile (Read and Update) | Allows a user to manage My Profile->My Details |
| Security Question Personal | Allows a user to add their own custom questions in My Credentials->Questions |
| User Dashboard View | Adds a personal dashboard for a normal user account in My Account |
| User Key (Create, Delete, Read and Update) | Allows a user access to view and create private SSH keys in My Profile->Authorized Keys (not used in SSPR) |
| User administration permissions | Description |
|---|---|
| User (Create, Delete, Read and Update) | Grants access to User Directory->Users, to manage all directory users |
| Group (Create, Delete, Read and Update) | Grants access to User Directory->Groups, allows management of directory groups |
| Connector (Create, Delete, Read and Update) | Grants access to Secondary Accounts, allows management of secondary user directories |
| Password Reset | Grants permission to reset a user password from User Directory; requires User Read permission |
| Action (Create, Delete, Read and Update) | Grants access to Business Rules->Action Center. The Action Center is used to authorize account creation requests |
| Security Questions Reset | Grants permission to reset a user's security questions in User Directory; requires User Update permission |
| User Credentials Reset | Grants permission to reset a user's profile in User Directory; requires User Update permission |
| User Impersonate | Grants the ability to impersonate a user from User Directory->Users to see what permissions and pages a user account can view |
| User Lock | Grants the ability to lock a user account from User Directory->Users |
| User Unlock | Grants the ability to unlock a user account from User Directory->Users |
| Yubico (Create, Delete, Read and Update) | Grants the ability to manage and assign YubiKeys to users in User Directory->Users |
| System administration permissions | Description |
|---|---|
| Account Template (Create, Delete, Read and Update) | Grants access to Secondary Accounts->Account Templates, which are used to configure automatic account linking between Primary and Secondary user directories |
| Audit Filter (Create, Delete, Read and Update) | Grants access to Audit Log->Filters. Filters are used in the Audit Log to filter events |
| Audit Read | Grants access to Audit Log->Logs, the system events log |
| Automation (Create, Delete, Read and Update) | Grants access to Automations. An automation can be used to run a task on a schedule or on demand |
| Banned Password (Create, Delete, Read and Update) | Grants access to Banned Passwords, where you can see the banned password list or add new passwords to check against |
| Brand (Read and Update) | Grants access to Appearance to change the look of the UI |
| Certificate (Create, Delete, Read and Update) | Grants access to Certificates, allows management of SSL and SAML certificates |
| Configuration (Read and Update) | Grants access to configuration options for many of the other areas of the product. For example, if you also add the Connector permission, this grants access to Connector Options |
| Features (Read and Update) | Grants access to Updates, Features & Licensing, to manage and install features |
| Folder (Create, Delete, Read and Update) | Not used on any current products |
| Geo Restriction (Create, Delete, Read and Update) | Grants access to Networking->Geo Restrictions, allows management of access by geographical location |
| Html Template (Create, Delete, Read and Update) | Grants access to Messages->HTML Templates for use in email messages; requires Message Read permission |
| IP Restriction (Create, Delete, Read and Update) | Grants access to Networking->IP Restrictions, allows management of access by IP address |
| JWT Service (Create, Delete, Read and Update) | Grants access to Identity Services->JWT |
| Logon Time (Create, Delete, Read and Update) | Grants access to Security & Permissions->Logon Times to define the times at which users are allowed to log on to the system |
| Message (Create, Delete, Read and Update) | Grants access to Messages->Message Templates to manage system email message templates |
| Password (Create, Delete, Read and Update) | Grants access to Passwords, the password vault |
| Password Policy (Create, Delete, Read and Update) | Grants access to Security & Permissions->Password Policies to view and override password policies |
| Perf Item (Create, Delete, Read and Update) | Not used on any current products |
| Realm (Create, Delete, Read and Update) | Grants access to Realms to manage other realms; requires permissions on the sub realms and the Switch Realm permission |
| Role Attribute (Create, Delete, Read and Update) | Not used on any current products |
| Role (Create, Delete, Read and Update) | Grants access to Security & Permissions->Roles, to change role memberships and permissions |
| Route (Create, Delete, Read and Update) | Grants access to Networking->Routes to manage Secure Node routes |
| SAML Service (Create, Delete, Read and Update) | Grants access to Identity Services->SAML |
| SSH Interface (Create, Delete, Read and Update) | Grants access to read SSH interface configuration |
| Scheme (Create, Delete, Read and Update) | Grants access to Authentication Flows->Schemes to manage authentication flows on the system |
| Script (Create, Delete, Read and Update) | Not used on any current products |
| Secure Node (Create, Delete, Read and Update) | Grants access to Networking->Secure Nodes to manage any Secure Nodes connected to the system |
| Security Question (Create, Delete, Read and Update) | Grants access to Authentication Flows->Questions to manage global security questions |
| Service Key (Create, Delete, Read and Update) | Grants access to Networking->Service Keys for Secure Node management |
| Session (Delete and Read) | Grants access to the Sessions menu |
| Switch Realm | Grants an admin the ability to switch between realms |
| System | Grants full System Administrator rights; can manage every setting |
| System Administration | Grants full System Administrator rights; can manage every setting |
| Tenant Domain (Create, Delete, Read and Update) | Grants access to Cloud Services->Tenant Domains (cloud only) |
| Tenant Domain Manage | Grants the ability to manage cloud tenants |
| Trigger (Create, Delete, Read and Update) | Grants access to Triggers to allow the system to react to events |
| User Attribute (Create, Delete, Read and Update) | Grants access to User Directory->User Attributes, to manage AD and custom user attributes |
| User Delegation (Create, Delete, Read and Update) | Grants access to Security & Permissions->Delegations to control which subsets of users can be managed |
| Webhook (Create, Delete, Read and Update) | Grants access to Webhooks, which have the server listen on a URL for incoming requests |
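The tables above state several dependencies between permissions (Password Reset requires User Read, the reset permissions require User Update, Html Template requires Message Read, Realm requires Switch Realm) and two permissions that grant full administrator rights. The following added example, which is not part of LogonBox or its documentation, audits a proposed delegated-admin role against those stated rules before it is created in Security & Permissions; the role definitions are constructed sample input.

```python
# Added example (not LogonBox code): audit a delegated-admin role definition
# against the permission dependencies documented in the tables above.
# Permission names follow the page; granular permissions are written as
# "<Name> <Verb>", e.g. "User Read", "Html Template Update".
CRUD = ("Create", "Delete", "Read", "Update")

# Permissions that grant every setting; including them in a role intended as
# a limited delegation defeats its purpose.
FULL_ADMIN = {"System", "System Administration"}

# Dependencies stated in the descriptions (permission or base name -> required).
REQUIRES = {
    "Password Reset": {"User Read"},
    "Security Questions Reset": {"User Update"},
    "User Credentials Reset": {"User Update"},
    "Html Template": {"Message Read"},
    "Realm": {"Switch Realm"},
}

def crud(base):
    """Expand a granular permission into its four variants, as the tables list them."""
    return [f"{base} {verb}" for verb in CRUD]

def base_name(perm):
    """'User Read' -> 'User'; non-CRUD names such as 'Password Reset' are unchanged."""
    head, _, tail = perm.rpartition(" ")
    return head if head and tail in CRUD else perm

def audit_role(role_name, granted):
    """Return a list of findings; an empty list means the role is consistent."""
    granted = set(granted)
    findings = []
    for perm in sorted(granted):
        if perm in FULL_ADMIN:
            findings.append(f"{perm} grants full administrator rights; "
                            f"role '{role_name}' is not a limited delegation")
        missing = REQUIRES.get(base_name(perm), set()) - granted
        if missing:
            findings.append(f"{perm} requires {', '.join(sorted(missing))}")
    return findings

# Constructed sample roles: a "manage users only" delegation and a broken one.
USER_MANAGER = ["Logon", *crud("User"), *crud("Group"),
                "Password Reset", "User Lock", "User Unlock"]
BROKEN = ["Logon", "Password Reset", "Html Template Update", "System"]

if __name__ == "__main__":
    for name, perms in (("user-manager", USER_MANAGER), ("broken", BROKEN)):
        print(name, audit_role(name, perms) or ["OK"])
```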