
Policy Management Walk Through

In this tutorial / walk through, we'll step you through an example IAM scenario. We're going to build the team shown in the figure below, which represents the IAM resources we'll be creating: VECTR database resources along with groups, policies, and users. A group is a collection of users who have similar responsibilities. Each group can have multiple users and each user can be in more than one group, although the figure doesn't illustrate that. You can't put groups inside other groups. You use policies to grant permissions to groups.

[Figure: IAM Example]

Permission Matrix

The following table outlines the resource permission matrix. We'll use this matrix to define our policies and determine the appropriate permission for each group.

Group             Resource        Permission
Admins            GoldStandard    read, write
Admins            SAMPLE_PURPLE   read, write
ContentCreators   GoldStandard    read, write
ContentCreators   SAMPLE_PURPLE   read, write
PurpleTeam        GoldStandard    read
PurpleTeam        SAMPLE_PURPLE   read, write

At first glance, it may seem that we need to create three policies to provide the permissions that we need. Let's go over some default policies that ship with VECTR to see how we can utilize them for our use case:

  • Users belonging to the Admins built-in group already have full access to all resources in VECTR.
  • We can use the GoldStandardFullAccess built-in policy to give the ContentCreators group read and write access to GoldStandard.
  • Adding all of our users to the BasicAccess built-in group will provide read access to GoldStandard.

With this information on hand, we only need to create a single policy that provides read and write access on our SAMPLE_PURPLE database. We'll cover how to do this as well as steps to perform the rest of our tasks in the sections below.

Overview

The goal of this tutorial is to create the groups, policies, and users to implement our example scenario and provide the permissions which we've outlined in the permission matrix above. In our example, the team has a single administrator, content creators who are responsible for creating our purple team playbook, and a group of people who will be conducting the purple team assessment.

Everyone needs some level of access to the GoldStandard database which contains template data for the purple team assessment. Additionally, everyone needs to be able to read and write to the database (SAMPLE_PURPLE) that will be used to record the assessment.

Now that we know what permissions and databases we need to have access to, let's review the list of tasks to achieve our goal:

  • Create a user and add that user to the Admins group
  • Using this administrator user:
    • Create the sample SAMPLE_PURPLE database
    • Create policies
    • Create groups and assign policies to the group
    • Create users and assign them to groups

Create an Administrator User

As a best practice, do not use the VECTR root user for your day-to-day tasks. Instead, create a new user for each person that requires administrative permissions.

  1. Log into VECTR as the root user.
  2. From the left navigation, choose Administration Access Management.
  3. Click on the Users tab.
  4. Click on Create New User.
  5. Provide the following:
    • Full Name. This can be a real name or a "friendly/display name".
    • Username. This is the sign-in name for the application. Username can contain alphanumeric, plus (+), period (.), at sign (@), underscore (_), and hyphen (-) characters.
    • Password. Provide a password of your choosing. To toggle password visibility, click the icon.
  6. Click Next.
  7. Click on the Add to Group tab. Select Admins.
  8. Click Save.
  9. Log out and then log back in using your new user account.

Note

Each subsequent section below will assume that you are already logged into VECTR with your administrator user.


Create a Database Resource

We'll create a VECTR database that will be used to record our purple team assessments. For an overview on what a database is, head over to Important Concepts.

  1. Click on the database icon at the upper right of the VECTR toolbar.
  2. Click Select Session Database.
  3. Click on the icon.
  4. Enter SAMPLE_PURPLE as the database name.
  5. Click Submit.
  6. Select SAMPLE_PURPLE if it's not already selected.
  7. Click Done.

Create Policies

Using the permission matrix defined in the table above, we'll create a set of policies that will enforce the permissions we've defined.

Create a Policy that Allows read and write access to SAMPLE_PURPLE

  1. From the left navigation, choose Administration Access Management.
  2. Click on the Policies tab.
  3. Click on Create New Policy.
  4. Select User or Group Based.
  5. Click Next.
  6. Enter policy information:
    • Policy Name: PurpleTeamEditorPolicy
    • Description: Policy that allows read and write access for purple team related databases.
  7. Click Next.
  8. Create a rule for your policy:
    • Resources. Select SAMPLE_PURPLE.
    • Actions. Select read and write.
  9. Click Save.

Create Groups

Again, we'll refer to the permission matrix to figure out the policies that our groups will need. As a best practice, assign each group only the permissions it needs to provide the necessary access, and nothing more.

Create the ContentCreators Group

Based on our permission matrix, the only unique permission that this group needs is the ability to read and write to GoldStandard. The other permissions can be given through other groups and/or policies. This should make a little more sense when you get to creating the users.

  1. From the left navigation, choose Administration Access Management.
  2. Click on the Groups tab.
  3. Click Create New Group.
  4. Provide the following:
    • Group Name: ContentCreators
    • Description: Group for our purple team content creators.
  5. Click Next.
    • We'll skip this step as we don't have any users yet.
  6. Click Next.
  7. Select the following policies:
    • GoldStandardFullAccess
  8. Click Save.

Create the PurpleTeam Group

When you create groups that grant access to specific databases, it is best practice to also attach the ListDatabases and TagManagement built-in policies, as these cover common actions performed on a database. Specifically, ListDatabases lets users list the databases they have access to, and TagManagement lets them create and edit tags.

  1. From the left navigation, choose Administration Access Management.
  2. Click on the Groups tab.
  3. Click Create New Group.
  4. Provide the following:
    • Group Name: PurpleTeam
    • Description: Group for those who will be conducting purple team assessments.
  5. Click Next.
    • We'll skip this step as we don't have any users yet.
  6. Click Next.
  7. Select the following policies:
    • ListDatabases
    • PurpleTeamEditorPolicy
    • TagManagement
  8. Click Save.

Create Users

We'll first walk you through how to create a new user and then identify the specific groups each user should belong to.

How to Create a New User

Follow these steps for creating each of our example users:

  1. From the left navigation, choose Administration Access Management.
  2. Click on the Users tab.
  3. Click on Create New User.
  4. Enter a full name, username, and password. For the full name and username, use the name from our diagram. Enter any value for the password.
  5. Click Next.
  6. Click on the Add to Group tab. Select the groups based on the table mapping shown below.
  7. Click Save.

User and Group Mapping

User     Groups
Joni     BasicAccess, ContentCreators, PurpleTeam
Lidia    BasicAccess, ContentCreators, PurpleTeam
Patti    BasicAccess, PurpleTeam
Lee      BasicAccess, PurpleTeam
Nestor   BasicAccess, PurpleTeam
Joan     BasicAccess, PurpleTeam
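The reasoning in the Permission Matrix section (why only one custom policy is needed) and the User and Group Mapping table above can be checked mechanically. The following is an added example, not VECTR's own code: it encodes the groups, policies and users from this walk-through as plain data, derives each user's effective database permissions by walking user -> groups -> policies -> rules, and compares the result against the permission matrix to flag missing or excess read/write access. How VECTR represents "full access" and the ListDatabases/TagManagement actions internally is not stated on the page, so the wildcard and the "list"/"tags" action names below are assumptions of this model, and the administrator account name is a constructed placeholder.

```python
"""Effective-permission check for the IAM scenario in this walk-through.

Added example (not VECTR's own code). The wildcard ANY, the "list"/"tags"
action names, and the "example-admin" user are assumptions made for this model.
"""
from collections import defaultdict

ANY = "*"                                   # assumption: wildcard resource/action
DATABASES = ("GoldStandard", "SAMPLE_PURPLE")
DB_ACTIONS = frozenset({"read", "write"})   # database-level actions from the matrix

# Policies: name -> list of (resource, actions) rules.
POLICIES = {
    # Built-in policies as the page describes them
    "GoldStandardFullAccess": [("GoldStandard", {"read", "write"})],
    "ListDatabases": [(ANY, {"list"})],         # assumption: modelled as a "list" action
    "TagManagement": [(ANY, {"tags"})],         # assumption: modelled as a "tags" action
    # Built-in *group* permissions, modelled here as implicit policies (assumption)
    "_AdminsBuiltin": [(ANY, {ANY})],           # Admins: full access to all resources
    "_BasicAccessBuiltin": [("GoldStandard", {"read"})],
    # The one custom policy created in this walk-through
    "PurpleTeamEditorPolicy": [("SAMPLE_PURPLE", {"read", "write"})],
}

# Groups: name -> policies attached to the group.
GROUPS = {
    "Admins": ["_AdminsBuiltin"],
    "BasicAccess": ["_BasicAccessBuiltin"],
    "ContentCreators": ["GoldStandardFullAccess"],
    "PurpleTeam": ["ListDatabases", "PurpleTeamEditorPolicy", "TagManagement"],
}

# Users: the User and Group Mapping table, plus one constructed admin account
# (the page does not name the administrator user).
USERS = {
    "Joni":   ["BasicAccess", "ContentCreators", "PurpleTeam"],
    "Lidia":  ["BasicAccess", "ContentCreators", "PurpleTeam"],
    "Patti":  ["BasicAccess", "PurpleTeam"],
    "Lee":    ["BasicAccess", "PurpleTeam"],
    "Nestor": ["BasicAccess", "PurpleTeam"],
    "Joan":   ["BasicAccess", "PurpleTeam"],
    "example-admin": ["Admins"],                # constructed placeholder name
}

# Permission matrix from the page: group -> database -> required actions.
MATRIX = {
    "Admins":          {"GoldStandard": {"read", "write"}, "SAMPLE_PURPLE": {"read", "write"}},
    "ContentCreators": {"GoldStandard": {"read", "write"}, "SAMPLE_PURPLE": {"read", "write"}},
    "PurpleTeam":      {"GoldStandard": {"read"},          "SAMPLE_PURPLE": {"read", "write"}},
}


def effective_permissions(user, users=USERS):
    """Union of every rule reachable from the user's groups, keyed by database.

    Wildcards expand to the known databases and to read/write; other actions
    (list, tags) are carried through unchanged.
    """
    perms = defaultdict(set)
    for group in users[user]:
        for policy in GROUPS[group]:
            for resource, actions in POLICIES[policy]:
                for db in (DATABASES if resource == ANY else (resource,)):
                    for action in actions:
                        perms[db] |= DB_ACTIONS if action == ANY else {action}
    return {db: frozenset(a) for db, a in perms.items()}


def required_permissions(user, users=USERS):
    """What the matrix requires: the union of the matrix rows for the user's
    groups (BasicAccess is not a matrix row, so it contributes nothing here)."""
    required = defaultdict(set)
    for group in users[user]:
        for db, actions in MATRIX.get(group, {}).items():
            required[db] |= actions
    return {db: frozenset(a) for db, a in required.items()}


def check_user(user, users=USERS):
    """Return (missing, excess): read/write the matrix requires but the user
    lacks, and read/write the user holds that the matrix does not grant."""
    have = effective_permissions(user, users)
    need = required_permissions(user, users)
    missing, excess = {}, {}
    for db in DATABASES:
        h = have.get(db, frozenset()) & DB_ACTIONS
        n = need.get(db, frozenset())
        if n - h:
            missing[db] = n - h
        if h - n:
            excess[db] = h - n
    return missing, excess


if __name__ == "__main__":
    for user in USERS:
        missing, excess = check_user(user)
        status = "ok" if not (missing or excess) else f"missing={missing} excess={excess}"
        print(f"{user:14} {effective_permissions(user)} -> {status}")
    # Dropping BasicAccess shows what that built-in group contributes.
    print("Patti without BasicAccess:", check_user("Patti", {"Patti": ["PurpleTeam"]}))
```

Running the script reports every user as "ok", which confirms that the built-in groups plus the single PurpleTeamEditorPolicy reproduce the matrix exactly. The last line shows the other half of the check: removing BasicAccess from Patti leaves her without read on GoldStandard, which is why every user in the mapping table is also placed in BasicAccess.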

Wrap Up

Now that you've walked through an example IAM scenario, you can use these same techniques to determine the permissions needed for each member of your team that uses VECTR. Remember that the built-in groups and policies provide many of the basic permissions needed to access VECTR; we recommend that you use them in your IAM implementations.