Authentication and Authorization
Administering users and roles
Purpose
This article provides a summary of assignable roles that are available when creating new users in BloodHound.
Creating users
Users are created through Settings > Administration > Manage Users, by clicking the Create User button.
The following properties must be set on each user:
Property | Description |
---|---|
Email Address | Text field for the user's email address. |
Principal Name | Text field for the username used to log in to BloodHound. Can be the same as the email address. |
First Name | Text field for the user's first name. |
Last Name | Text field for the user's last name. |
Authentication Method | Drop-down selection of the authentication method for the user: Username / Password (built-in authentication via username and password; supports TOTP-based multi-factor authentication) or SAML (SAML 2.0-based single sign-on; see the article SAML in BloodHound Enterprise). |
Initial Password | Text field for the user's initial password. |
Force Password Reset? | Selecting this check box forces the user to reset their password at their next logon. The password must comply with the password requirements: at least 12 characters long, containing at least 1 lowercase character, 1 uppercase character, 1 number and 1 special character (!@#$%^&*). |
Role | Drop-down selection of one of the available roles. For role access control definitions, see User Role Definitions. |
User Role Definitions
BloodHound offers multiple roles for access control. Each user must be assigned one role.
Permission | Administrator | Power User | User | Read-only | Upload-only |
---|---|---|---|---|---|
Tenant Administration | | | | | |
View, Add, Remove, and Modify users | ✓ | - | - | - | - |
View, Add, Remove, and Modify API keys | ✓ | - | - | - | - |
View, Add, or Remove SAML provider configurations | ✓ | - | - | - | - |
Clear the BloodHound database | ✓ | - | - | - | - |
View audit log | ✓ | - | - | - | - |
Attack Path Analysis | | | | | |
View any available tenant data, including active Attack Paths [BHE], and explore the Graph | ✓ | ✓ | ✓ | ✓ | - |
Mute Attack Path Impacted Principals [BHE] | ✓ | ✓ | - | - | - |
Modify Tier Zero / High Value Members | ✓ | ✓ | - | - | - |
Collector Clients and File Ingest | | | | | |
Download collector installation packages | ✓ | ✓ | ✓ | ✓ | ✓ |
View collector client details [BHE] | ✓ | ✓ | ✓ | - | - |
Run collector client on demand scan [BHE] | ✓ | ✓ | - | - | - |
Add collector client [BHE] | ✓ | ✓ | - | - | - |
Modify collector client [BHE] | ✓ | ✓ | - | - | - |
Remove collector client [BHE] | ✓ | ✓ | - | - | - |
Regenerate collector client credentials [BHE] | ✓ | ✓ | - | - | - |
File ingest | ✓ | ✓ | - | - | ✓ |

✓ = permitted, - = not permitted. Rows marked [BHE] apply to BloodHound Enterprise only.
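As an added example (not BloodHound's own code), the role matrix above can be turned into a least-privilege check: given the actions a person actually needs, it picks the smallest role that covers them and reports the extra rights that role brings along. The short action names are shorthand chosen for this example, not BloodHound API identifiers.

```python
"""Least-privilege role selection against the BloodHound role matrix.

Added example, not BloodHound's own code. The permission sets transcribe the
role table on this page; the action names are shorthand chosen here, not
BloodHound API identifiers.
"""
from __future__ import annotations
from typing import Iterable

TENANT_ADMIN = {"manage_users", "manage_api_keys", "manage_saml_providers",
                "clear_database", "view_audit_log"}
COLLECTOR_MANAGE = {"run_on_demand_scan", "add_collector_client", "modify_collector_client",
                    "remove_collector_client", "regenerate_collector_credentials"}

# Role -> actions the matrix marks as permitted for it.
ROLE_PERMISSIONS = {
    "Upload-only": {"download_collectors", "file_ingest"},
    "Read-only": {"download_collectors", "view_graph"},
    "User": {"download_collectors", "view_graph", "view_collector_clients"},
    "Power User": {"download_collectors", "view_graph", "view_collector_clients",
                   "mute_impacted_principals", "modify_tier_zero", "file_ingest"}
                  | COLLECTOR_MANAGE,
}
# Administrator holds every other role's actions plus tenant administration.
ROLE_PERMISSIONS["Administrator"] = set().union(*ROLE_PERMISSIONS.values()) | TENANT_ADMIN
ALL_ACTIONS = frozenset(ROLE_PERMISSIONS["Administrator"])


def least_privileged_role(required: Iterable[str]) -> tuple[str, set[str]]:
    """Return (role, excess): the smallest role covering `required` and the
    actions it grants beyond that. A size tie (only "download_collectors"
    requested) falls to the alphabetically first role name."""
    needed = set(required)
    unknown = needed - ALL_ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    covering = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items()
                if needed <= perms]
    _, role = min(covering)  # never empty: Administrator covers everything
    return role, ROLE_PERMISSIONS[role] - needed


if __name__ == "__main__":
    # Someone who must both explore the graph and upload collection files
    # fits neither User nor Upload-only; the smallest fit is Power User,
    # which also brings Tier Zero modification and collector management.
    role, excess = least_privileged_role({"view_graph", "file_ingest"})
    print(role, sorted(excess))
```

The excess set is the review point when granting a role: it lists exactly what the account can do beyond its stated job.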