nano SIEM

Access Control

nano provides comprehensive access control through a role-based access control (RBAC) system that manages users, groups, roles, API keys, and SSO integrations. This system ensures secure authentication and fine-grained authorization across all platform features.

Overview

The access control system consists of several interconnected components:

  • Users: Individual accounts with authentication credentials
  • Groups: Collections of users for easier management
  • Roles: Permission sets that define what actions can be performed
  • API Keys: Service-to-service authentication tokens
  • SSO Providers: External identity provider integrations
  • Sessions: Active user login sessions
  • Audit Logs: Complete activity tracking

Users

User management allows you to create and manage individual user accounts with different authentication methods.

User Types

Local Users

  • Created directly in nano
  • Authenticate with email and password
  • Password requirements: minimum 12 characters with mixed case, numbers, and special characters
  • Subject to account lockout policies (5 failed attempts = 15-minute lockout)
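
The two local-user controls above, the password requirements and the 5-failures/15-minute lockout, modelled as an added example (not nano's own code). The regex character classes, the in-memory LockoutTracker and the injectable clock are assumptions made here so the behaviour can be exercised offline.

```python
import re
import time
# Policy values stated on the page: 12+ characters with mixed case, digits and
# specials; 5 consecutive failures lock the account for 15 minutes.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    """True when the password satisfies the local-user password requirements."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(p, password) for p in CLASS_PATTERNS)


class LockoutTracker:
    """In-memory model (hypothetical) of per-account failed-login lockout."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the lockout can be tested
        self._failures = {}        # email -> consecutive failed attempts
        self._locked_until = {}    # email -> unix time the lockout expires

    def is_locked(self, email: str) -> bool:
        until = self._locked_until.get(email)
        if until is None:
            return False
        if self._now() >= until:   # lockout elapsed: reset so counting restarts
            self.unlock(email)
            return False
        return True

    def record_failure(self, email: str) -> bool:
        """Count a failed attempt; returns True when the account is (now) locked."""
        if self.is_locked(email):
            return True
        count = self._failures.get(email, 0) + 1
        self._failures[email] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[email] = self._now() + LOCKOUT_SECONDS
            return True
        return False

    def unlock(self, email: str) -> None:
        """Manual unlock (the Unlock User action) or expiry: clears lock and counter."""
        self._failures.pop(email, None)
        self._locked_until.pop(email, None)
```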

SSO Users

  • Created automatically through OIDC provider authentication
  • Cannot change email or password (managed by identity provider)
  • Inherit group memberships from OIDC group mappings

User Status

  • Active: Normal operational status, can log in and access resources
  • Locked: Temporarily locked due to failed login attempts or manual action
  • Disabled: Manually disabled, cannot log in until re-enabled

User Management Actions

  • Create User: Add new local users with initial group assignments
  • Edit User: Update name, email (local users only), password, and group memberships
  • Unlock User: Remove lockout status from temporarily locked accounts
  • Disable/Enable: Manually control user access without deletion
  • Delete User: Permanently remove user account (cannot be undone)

Group Membership

Users can belong to multiple groups, inheriting all roles assigned to those groups. Group membership determines the effective permissions a user has in the system.

Groups

Groups organize users and simplify permission management by allowing role assignments at the group level.

Group Types

System Groups

  • Everyone: Built-in group that all users automatically belong to
  • Cannot be deleted or have their core properties modified
  • Used for system-wide permission assignments

Custom Groups

  • Created by administrators for organizational needs
  • Examples: "Security Analysts", "SOC Managers", "Read-Only Users"
  • Can be freely created, modified, and deleted

Group Management

  • Create Group: Define new groups with descriptive names and role assignments
  • Edit Group: Update group details and role assignments
  • View Members: See all users belonging to a group
  • Delete Group: Remove custom groups (users remain, lose group-based roles)

Role Assignment

Groups can have multiple roles assigned, and all group members inherit these roles. This provides an efficient way to manage permissions for teams or departments.
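
An added example (not nano's own code) of the resolution path described under Group Membership and Role Assignment: a user's effective permissions are the union of the permissions of every role on every group the user is in, including the built-in Everyone group. The role, group and user data below are constructed, and the "*" wildcard used for Admin is an assumption of this example.

```python
from typing import Dict, List, Set, Tuple
EVERYONE = "Everyone"  # built-in group every user automatically belongs to

# role name -> permissions, written in the page's resource:action form
ROLES: Dict[str, Set[str]] = {
    "ReadOnly": {"search:view", "search:execute", "dashboards:view", "alerts:view"},
    "Security Analyst": {"detections:view", "detections:create", "detections:edit",
                         "alerts:view", "alerts:acknowledge", "alerts:close"},
    "Admin": {"*"},  # hypothetical wildcard standing in for "all permissions"
}
# group name -> roles assigned to the group (constructed data)
GROUP_ROLES: Dict[str, List[str]] = {
    EVERYONE: ["ReadOnly"],
    "SOC Analysts": ["Security Analyst"],
    "Platform Admins": ["Admin"],
}
# user email -> explicit group memberships; Everyone is implicit
USER_GROUPS: Dict[str, List[str]] = {
    "analyst@example.test": ["SOC Analysts"],
    "viewer@example.test": [],
    "root@example.test": ["Platform Admins"],
}


def groups_of(user: str) -> Set[str]:
    return set(USER_GROUPS.get(user, [])) | {EVERYONE}


def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role on every group the user is in."""
    perms: Set[str] = set()
    for group in groups_of(user):
        for role in GROUP_ROLES.get(group, []):
            perms |= ROLES.get(role, set())
    return perms


def is_allowed(user: str, permission: str) -> bool:
    """Authorization check for one resource:action permission."""
    perms = effective_permissions(user)
    return "*" in perms or permission in perms


def grants_of(user: str, permission: str) -> List[Tuple[str, str]]:
    """(group, role) pairs that grant the permission; an empty list is the
    explanation behind a 'permission denied': no group/role path provides it."""
    return sorted(
        (group, role)
        for group in groups_of(user)
        for role in GROUP_ROLES.get(group, [])
        if permission in ROLES[role] or "*" in ROLES[role]
    )
```

grants_of is the troubleshooting view: when a user reports a permission-denied error, it lists exactly which group and role combinations would grant the action.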

Roles

Roles define collections of permissions that determine what actions users can perform in the system.

Built-in Roles

Admin

  • Full system access with all permissions
  • Cannot be modified or deleted
  • Includes user management, system configuration, and all feature access

Editor

  • Comprehensive access to security operations
  • Can create, edit, and manage detections, dashboards, and investigations
  • Cannot manage users or system settings

ReadOnly

  • View-only access to security data
  • Can search logs, view dashboards, and read alerts
  • Cannot create or modify any resources

Custom Roles

Create specialized roles tailored to your organization's needs:

  • Security Analyst: Detection creation and alert management
  • Incident Responder: Alert handling and investigation tools
  • Compliance Auditor: Read access with audit log viewing

Permission Categories

Permissions are organized into logical categories:

Search & Analytics

  • search:view - Access search interface
  • search:execute - Run search queries
  • search:save - Save searches and create alerts
  • search:share - Share searches with other users

Dashboards & Visualization

  • dashboards:view - View existing dashboards
  • dashboards:create - Create new dashboards
  • dashboards:edit - Modify dashboard configurations
  • dashboards:delete - Remove dashboards

Detection Management

  • detections:view - View detection rules
  • detections:create - Create new detection rules
  • detections:edit - Modify existing rules
  • detections:delete - Remove detection rules
  • detections:enable - Enable/disable rules
  • detections:promote - Promote rules between environments

Alert Management

  • alerts:view - View security alerts
  • alerts:acknowledge - Acknowledge alerts
  • alerts:close - Close resolved alerts
  • alerts:assign - Assign alerts to users

Data Management

  • parsers:view - View log parsers
  • parsers:create - Create new parsers
  • parsers:edit - Modify parser configurations
  • parsers:delete - Remove parsers
  • parsers:deploy - Deploy parser changes

Enrichment & Intelligence

  • enrichments:view - View enrichment configurations
  • enrichments:configure - Modify enrichment settings
  • lookup:view - Access lookup tables
  • lookup:create - Create lookup tables
  • lookup:edit - Modify lookup data
  • lookup:delete - Remove lookup tables

Risk Analytics

  • risk:view - View risk scores and analytics
  • risk:configure - Configure risk scoring rules
  • risk:clear - Reset risk scores

System Administration

  • settings:view - View system settings
  • settings:system - Modify system configuration
  • settings:retention - Configure data retention
  • settings:ai - Configure AI/ML settings

User & Access Management

  • users:view - View user accounts
  • users:create - Create new users
  • users:edit - Modify user accounts
  • users:delete - Remove users
  • groups:view - View groups
  • groups:create - Create groups
  • groups:edit - Modify groups
  • groups:delete - Remove groups
  • roles:view - View roles
  • roles:create - Create custom roles
  • roles:edit - Modify roles
  • roles:delete - Remove custom roles

API & Integration

  • apikeys:view - View API keys
  • apikeys:create - Create API keys
  • apikeys:delete - Remove API keys

Audit & Compliance

  • audit:view - Access audit logs and compliance reports

Role Management

  • Create Role: Define new roles with specific permission sets
  • Edit Role: Modify role permissions (system roles have restrictions)
  • Delete Role: Remove custom roles (reassign groups first)
  • Permission Selection: Granular control over individual permissions

API Keys

API keys provide secure service-to-service authentication for automated integrations and external tools.

API Key Features

Security

  • Cryptographically secure random generation
  • Only displayed once during creation
  • Stored as hashed values (irreversible)
  • Optional expiration dates
  • Rate limiting support
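
The security properties listed above (random generation, shown once, stored only as a hash, optional expiry, last-used tracking) as an added example that is not nano's own code. The "nano_" prefix, the SHA-256 storage format, the in-memory store and the injectable clock are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set
KEY_PREFIX = "nano_"  # constructed prefix; makes a leaked key easy to recognise


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ApiKeyStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._records: Dict[str, dict] = {}  # sha256(key) -> metadata, never the key

    def create(self, name: str, permissions: Set[str],
               ttl_seconds: Optional[int] = None) -> str:
        """Return the plaintext exactly once; only its hash is retained afterwards."""
        raw_key = KEY_PREFIX + secrets.token_urlsafe(32)  # CSPRNG, 256 bits
        self._records[_digest(raw_key)] = {
            "name": name, "permissions": set(permissions), "enabled": True,
            "expires_at": self._now() + ttl_seconds if ttl_seconds else None,
            "last_used_at": None, "last_ip": None,
        }
        return raw_key

    def _lookup(self, raw_key: str) -> Optional[dict]:
        digest = _digest(raw_key)
        for stored, rec in self._records.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return rec
        return None

    def authorize(self, raw_key: str, permission: str, client_ip: str) -> bool:
        """Key must exist, be enabled and unexpired, and hold the permission."""
        rec = self._lookup(raw_key)
        if rec is None or not rec["enabled"]:
            return False
        if rec["expires_at"] is not None and self._now() >= rec["expires_at"]:
            return False
        rec["last_used_at"], rec["last_ip"] = self._now(), client_ip  # monitoring
        return permission in rec["permissions"]

    def set_enabled(self, name: str, enabled: bool) -> bool:
        """The Enable/Disable action; returns False when no key has that name."""
        hits = [r for r in self._records.values() if r["name"] == name]
        for rec in hits:
            rec["enabled"] = enabled
        return bool(hits)
```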

Permission Control

  • Granular permission assignment
  • Same permission system as user roles
  • Principle of least privilege enforcement

Monitoring

  • Last used timestamp tracking
  • IP address logging
  • Usage analytics

API Key Management

  • Create API Key: Generate new keys with specific permissions and optional expiration
  • Enable/Disable: Control key access without deletion
  • Delete Key: Permanently revoke access (immediate effect)
  • Monitor Usage: Track when and how keys are being used

Best Practices

  • Use descriptive names indicating the key's purpose
  • Set expiration dates for temporary integrations
  • Assign minimal required permissions
  • Regularly audit and rotate keys
  • Monitor usage for anomalies

SSO Integration

Single Sign-On (SSO) integration allows users to authenticate using external identity providers through OpenID Connect (OIDC).

Supported Providers

  • Azure Active Directory: Microsoft's cloud identity service
  • Google Workspace: Google's identity platform
  • Okta: Enterprise identity management
  • Auth0: Universal identity platform
  • Generic OIDC: Any compliant OpenID Connect provider

Provider Configuration

Basic Settings

  • Name: Display name for the provider
  • Slug: URL-safe identifier (used in login URLs)
  • Issuer URL: Provider's OIDC discovery endpoint
  • Client ID: Application identifier from provider
  • Client Secret: Application secret for authentication

Advanced Settings

  • Scopes: Requested user information (openid profile email groups)
  • Group Claim: Token claim containing user groups
  • Enabled/Disabled: Control provider availability

Group Mapping

Map external identity provider groups to local nano groups:

  • OIDC Group: Group name from identity provider
  • Local Group: Corresponding nano group
  • Automatic Assignment: Users inherit group memberships on login

SSO Workflow

  1. User clicks "Login with [Provider]" on login page
  2. Redirected to identity provider for authentication
  3. Provider returns user information and group memberships
  4. nano creates/updates user account automatically
  5. Group mappings applied based on provider groups
  6. User logged in with appropriate permissions
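
Steps 3 to 5 of the workflow, as an added example that is not nano's own code: the ID token claims returned by the provider are checked against the configured issuer and client ID and for expiry, then the configured group claim is translated through the group mapping and the SSO user is created or updated. The provider configuration, mapping table and claim values are constructed; it is assumed that the OIDC client library has already verified the token signature, and that mapped memberships are recomputed on every login.

```python
import time
from typing import Dict, Optional, Set

PROVIDER = {  # constructed provider config, fields as in Basic/Advanced Settings
    "slug": "okta-prod",
    "issuer_url": "https://idp.example.test",
    "client_id": "nano-siem-client",
    "group_claim": "groups",
}
GROUP_MAPPING: Dict[str, str] = {  # OIDC group -> local nano group (constructed)
    "soc-analysts": "Security Analysts",
    "soc-leads": "SOC Managers",
}
USERS: Dict[str, dict] = {}  # email -> user record (in-memory stand-in)


def validate_claims(claims: dict, now: float) -> None:
    """Reject ID tokens not issued by this provider for this client, or expired."""
    if claims.get("iss") != PROVIDER["issuer_url"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_ok = aud == PROVIDER["client_id"] or (
        isinstance(aud, list) and PROVIDER["client_id"] in aud)
    if not aud_ok:
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("email"):
        raise ValueError("email claim missing")


def map_groups(claims: dict) -> Set[str]:
    """Translate provider groups to local groups; unmapped groups are dropped."""
    provider_groups = claims.get(PROVIDER["group_claim"]) or []
    return {GROUP_MAPPING[g] for g in provider_groups if g in GROUP_MAPPING}


def login_sso_user(claims: dict, now: Optional[float] = None) -> dict:
    """Step 4: create/update the SSO user. Step 5: apply group mappings."""
    validate_claims(claims, time.time() if now is None else now)
    email = claims["email"]
    user = USERS.setdefault(email, {"email": email, "type": "sso",
                                    "provider": PROVIDER["slug"], "groups": set()})
    user["name"] = claims.get("name", user.get("name", email))
    # Assumption: memberships are recomputed on every login, so a group removed
    # at the provider is also removed here.
    user["groups"] = map_groups(claims)
    return user
```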

Sessions

Session management provides visibility and control over active user sessions.

Session Information

  • User Details: Name and email of session owner
  • Login Time: When the session was established
  • Last Activity: Most recent session usage
  • IP Address: Source IP of the session
  • User Agent: Browser/client information
  • Expiration: When the session will expire

Session Management

  • View Sessions: List all active sessions across the system
  • Revoke Session: Immediately terminate specific sessions
  • Bulk Revocation: End all sessions for a user
  • Current Session: Identify your own active session

Session Security

  • Automatic Expiration: Sessions expire after 24 hours of inactivity
  • Concurrent Limits: Multiple sessions allowed per user
  • Secure Tokens: Cryptographically secure session identifiers
  • IP Tracking: Monitor for suspicious location changes

Audit Logging

Comprehensive audit logging tracks all access control activities for security and compliance.

Logged Events

Authentication Events

  • User login attempts (success/failure)
  • Password changes and resets
  • Account lockouts and unlocks
  • Session creation and termination

Authorization Events

  • Permission checks and denials
  • Role and group assignments
  • API key usage
  • Administrative actions

Resource Access

  • Data queries and searches
  • Configuration changes
  • File uploads and downloads
  • System setting modifications

Audit Log Details

Each audit entry includes:

  • Timestamp: Precise time of the event
  • User/API Key: Who performed the action
  • Action: What was attempted or completed
  • Resource: What was accessed or modified
  • Result: Success or failure status
  • IP Address: Source of the request
  • User Agent: Client information
  • Additional Details: Context-specific information

Compliance Features

  • Immutable Logs: Audit entries cannot be modified or deleted
  • Long-term Retention: Configurable retention periods
  • Export Capabilities: Generate compliance reports
  • Search and Filter: Find specific events quickly
  • Real-time Monitoring: Immediate visibility into security events

Security Best Practices

User Management

  • Enforce strong password policies
  • Regular access reviews and cleanup
  • Prompt removal of departed users
  • Monitor for suspicious login patterns

Role Design

  • Follow principle of least privilege
  • Create role hierarchies that match organizational structure
  • Regular permission audits
  • Document role purposes and assignments

API Security

  • Rotate API keys regularly
  • Use short expiration periods for temporary access
  • Monitor API key usage patterns
  • Implement rate limiting

SSO Configuration

  • Validate provider certificates
  • Use secure communication channels
  • Regular group mapping reviews
  • Monitor for configuration drift

Monitoring and Alerting

  • Set up alerts for failed authentication attempts
  • Monitor for privilege escalation
  • Track administrative actions
  • Regular audit log reviews

Troubleshooting

Common Issues

User Cannot Login

  • Check user status (active/locked/disabled)
  • Verify group memberships and role assignments
  • Review recent audit logs for clues
  • Test with different browsers/devices

Permission Denied Errors

  • Verify user has required permissions
  • Check group and role assignments
  • Confirm feature-specific permissions
  • Review audit logs for permission checks

SSO Integration Problems

  • Validate provider configuration
  • Check group mapping accuracy
  • Verify network connectivity
  • Review provider-specific logs

API Key Issues

  • Confirm key is enabled and not expired
  • Verify permission assignments
  • Check rate limiting status
  • Validate request format and headers

Getting Help

For additional support with access control configuration:

  • Review audit logs for detailed error information
  • Check system logs for technical issues
  • Consult provider documentation for SSO setup
  • Contact support with specific error messages and context