Control Access Using Roles

Use the SDK to create and configure the roles that control the permissions of your users and API keys. For example as part of your automated process for deploying Deep Security Manager, your code can create the various roles that are suitable for the tasks that users perform, or that you perform using the API.

Note:

Roles should provide the minimal rights that users or your code require to perform their tasks.

For background information about roles, see Define roles for users in the Deep Security Help Center.

The following classes enable you to interact with roles:

  • AdministratorRolesApi: Create, modify, delete, search, describe, and list roles
  • Role: Represents a role and provides access to role properties
  • Rights classes: Several classes that represent access rights for Deep Security resources. For example, ComputerRights defines rights for interacting with computers, and ScheduledTaskRights defines rights for interacting with scheduled tasks.

See also Obtain a role ID.

General steps

Use the following general steps to create or modify a role:

  1. Create a Role object and configure the properties:
    • Provide a name to identify the role and, optionally, a description
    • (Optional) Identify the computers and policies that the role can access
    • (Optional) Add rights objects that dictate which tasks the role can perform on the computers and policies that it can access.
  2. Create an AdministratorsRoleApi object and use it to create or modify the role on Deep Security Manager.

When you create a role, by default it has read access to all computers and policies, enables users to change their own password, and allows access to the Deep Security Manager console.

The following JSON represents an example data structure of a Role object. The data structure is useful for understanding how to configure the role's access rights:

  • The allComputers and allPolicies items control access to all computers and policies. If either are falsecomputerIDs and policyIDs items hold the IDs of the computers and policies that can be accessed
  • The rights item and its descendants correspond with the various rights classes that define access rights to Deep Security resources. To make this example concise, deeper levels of rights items are not shown.
{
    "name": "Auditor",
    "description": "",
    "urn": "urn:tmds:identity:us-east-ds-1:41342:role/Auditor",
    "immutable": false,
    "canOnlyManipulateUsersWithEqualOrLesserRights": false,
    "allComputers": true,
    "allPolicies": true,
    "allowUserInterface": true,
    "allowWebService": true,
    "rights": {
        "platformRights": {...},
        "antiMalwareRights": {...},
        "webReputationRights": {...},
        "firewallRights": {...},
        "intrusionPreventionRights": {...},
        "integrityMonitoringRights": {...},
        "logInspectionRights": {...},
        "applicationControlRights": {...},
        "hostedServiceRights": {...}
    },
    "ID": 2
}

To see the complete data structure of a Role object, see the response for the Describe an Administrator Role operation in the API Reference.

See the following example code: Python, JavaScript, Java