Setup System Configurations in Secure Workload

System-level settings are available to you depending on your role. For example, only users with the Site Administrator or Customer Support role can view the Users option.


Attention


Due to recent GUI updates, some of the images or screenshots used in the user guide may not fully reflect the current design of the product. We recommend using this guide in conjunction with the latest version of the software for the most accurate visual reference.


Create Users and Assign Roles

You can create two types of users:

  • Local Users: These users are created and managed within Secure Workload.

  • LDAP Users: For LDAP configuration, create groups and map users to the associated groups.

You can assign the following roles to local or LDAP users:

  • Site Admins: These users can manage other users, agents, and system configurations. They can view and edit all features and data within Secure Workload.

  • Customer Support: This role provides access to cluster maintenance features but does not allow the modification of user accounts.

  • Scope Owner: These users have abilities specific to a particular scope within the Secure Workload environment.

You can directly add user details of local users and assign roles. For LDAP users, ensure that LDAP is configured, and users are created within the appropriate groups. For more information, see Configure Lightweight Directory Access Protocol.

To access the Users page, Site Admins choose Manage > User Access from the navigation pane.

The Users page displays the Service Provider users and the users associated with the scope that is selected on the page header.

Multitenancy

To support multitenancy, assign users to a root scope. Users with the Owner ability on the root scope manage these users and assign roles that are associated with the same scope.

Service Provider users have no scope; they are assigned roles that allow them to perform actions across root scopes.

Add a User

Before you begin

  • You must be a Scope Owner to add users in Secure Workload.

  • If a user is assigned a scope for multitenancy, only roles that are assigned to the same scope may be selected.


Note


This page is filtered by the scope preference that is selected on the page header.


Procedure


Step 1

If applicable, select the appropriate root scope from the page header.

Step 2

From the navigation pane, choose Manage > User Access > Users.

Step 3

Click Create New User.

The User Details page is displayed.

Step 4

Update the following fields under User Details.

Table 1. User Details Field Descriptions

Field

Description

Email or Username

Enter the email ID of the user. Email addresses are case-insensitive; any letters in the address are stored in lowercase.

Alternatively, enter the username of the user; usernames are case-insensitive and cannot contain @ or spaces.

First Name

Enter the user’s first name.

Last Name

Enter the user’s last name.

Scope

Root scope that is assigned to the user for multitenancy. (Available to Site Admins)

Step 5

Click Next.

Step 6

Under Assign Roles, add or remove assigned roles to the user.

  • Click Add Roles to assign new roles, and then select the Add check box.

    Figure 1. Assigned User Roles
    Assigned User Roles
  • To remove a role, select the assigned role, click Edit Assigned Roles, and then click the Remove icon.

  • You can filter the user roles using Name or Tenant.

    Figure 2. Filter User Roles
    Filter User Roles

Step 7

Click Next.

Step 8

Under User Review, review the user details and the assigned roles. Click Create.

If external authentication is enabled, the authentication details are displayed.

After the user is added in Secure Workload, an activation email is sent to the registered email ID to set up the password.


Edit User Details or Roles

Before you begin

You must be a Root Scope Owner to edit users in Secure Workload.


Note


This page is filtered by the scope preference that is selected on the page header.


Procedure


Step 1

If applicable, select the appropriate root scope from the page header.

Step 2

From the navigation pane, choose Manage > User Access > Users.

Step 3

For the required user account, under Actions, click Edit.

The User Details page is displayed.

Step 4

Update the following fields under User Details.

Table 2. User Details Field Descriptions

Field

Description

Email or Username

Update the email ID or username of the user. Usernames are case-insensitive and cannot contain @ or spaces.

Note

 

For users without an email ID, a Site Admin uses the username of the user. The maximum length of a username is 255 characters.

First Name

Update the user’s first name.

Last Name

Update the user’s last name.

Scope

Root scope that is assigned to the user for multitenancy. (Available to Site Admins)

Reset MFA

If the user has lost their multifactor authentication (MFA) device or is locked out of MFA, click Reset MFA. The user's MFA is reset within a few minutes.

Resend Activation Email

If a user has not received an activation email or the activation email link has expired, then click Resend Activation Email.

Note

 

Users with a username can update their login ID from a username to an email address, or vice versa. After an upgrade, existing users with an email address can update their login ID from email to username.

Step 5

Click Next.

Step 6

Under Assign Roles, add or remove assigned roles to the user.

  • Click Add Roles to assign new roles, and then select the Add check box.

  • To remove a role, select the assigned role, click Edit Assigned Roles, and then click the Remove icon.

Step 7

Click Next.

Step 8

Under User Review, review the user details and the assigned roles. Click Update to update the user account.

If external authentication is enabled, the authentication details are displayed.


Deactivating a User Account


Note


To maintain the consistency of change log audits, users can only be deactivated; they are not deleted from the database.


Before you begin

You must be a Site Admin or Root Scope Owner user.


Note


This page is filtered by the scope preference that is selected on the page header.


Procedure


Step 1

In the navigation bar on the left, click Manage > User Access > Users.

Step 2

If applicable, select the appropriate root scope from the top right of the page.

Step 3

In the row of the account you want to deactivate, click the Deactivate button in the right-hand column.

To view deactivated users, toggle the Hide Deleted Users button.


Reactivating a User Account

If a user has been deactivated, you can reactivate the user.

Before you begin

You must be a Site Admin or Root Scope Owner user.


Note


This page is filtered by the scope preference that is selected on the page header.


Procedure


Step 1

In the navigation bar on the left, click Manage > User Access > Users.

Step 2

If applicable, select the appropriate root scope from the top right of the page.

Step 3

Toggle Hide Deleted Users to display all users, including deactivated users.

Step 4

For the required deactivated account, click Restore in the right-hand column to reactivate the account.


Change Log – Users

Site Admins and users with the Scope Owner ability on the root scope can view the change logs for each user by clicking on the Change Log icon under the Actions column.

For more information, see Change Log. Root scope owners are restricted to viewing only change log entries for entities belonging to their scope.

Roles

You can restrict access to features and data using the role-based access control (RBAC) model.

  • User - someone with login access to Cisco Secure Workload.

  • Role - a user-created set of capabilities that is assigned to a user.

  • Capability - a scope + ability pair.

  • Ability - a collection of actions.

  • Action - a low-level user action such as "change workspace name".

Figure 3. Role Model
Role model

A user can have any number of roles. Roles can have any number of capabilities. For example, the "HR Search Engineer" role could have two capabilities: "Read on the HR Scope" to give visibility and context, and "Execute on HR:Search" to allow the engineers assigned this role to make specific changes that are related to their applications.

Use the Users page to assign users to the different roles. Roles have several capabilities and you can assign users to any number of roles.

System roles are defined to allow users to get started more quickly. They define different levels of access to all Scopes, that is, all data on the system. These system roles are defined below.

Role

Description

Agent Installer

Provides the ability to manage the agent life cycle (install, monitor, upgrade, and convert), but not to delete agents or access agent configuration profiles.


Note


If required, you can create a SecOps user role to provide the ability to access flows, alerts, vulnerabilities, and forensics events within a specific scope.


Abilities and Capabilities

Roles are made up of capabilities which include a scope and an ability. These define the allowed actions and the set of data that they apply to. For example, the (HR, Read) capability should be read and interpreted as “Read ability on the HR scope”. This capability would allow access to the HR scope and all its children.

Ability

Description

Installer

Install, monitor, and upgrade software agents.

Audit

Global appliance data read support and access to change logs.

Read

Read all data including flows, application, and inventory filters.

Write

Make changes to applications and inventory filters.

Execute

Run automatic policy discovery and publish policies for analysis.

Enforce

Enforce policies that are defined in application workspaces that are associated with the given scope.

SecOps Read

Read all flows, alerts, vulnerabilities, and forensics events for the assigned scope.


Important


Abilities are inherited; for example, the Execute ability allows all the Read, Write, and Execute actions.



Important


Abilities apply to the scope and all the scope’s children.
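The two notes above (abilities inherit, and a capability applies to its scope and all of that scope's children) decide whether a given user may perform an action. The following is an added example, not Secure Workload code, that models the role model described in this section: a user holds roles, a role holds (scope, ability) capabilities, and a check walks the scope tree. The scope names (Tenant, Tenant:HR, Tenant:HR:Search, Tenant:Finance), the role and user names, the treatment of Owner as the top of the inherited chain, and the treatment of Installer, Audit, and SecOps Read as standalone abilities are assumptions made for this illustration.

```python
# Added example, not Secure Workload code: a minimal model of the role model
# described above (user -> roles -> capabilities -> (scope, ability)).
# The scope tree, role and user names, Owner at the top of the inherited chain,
# and Installer/Audit/SecOps Read as standalone abilities are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Inherited abilities, lowest to highest: holding a higher one grants the
# actions of every lower one (Execute covers Read and Write actions).
ABILITY_CHAIN = ["Read", "Write", "Execute", "Enforce", "Owner"]
# Not described as part of that chain, so they only match themselves.
STANDALONE_ABILITIES = {"Installer", "Audit", "SecOps Read"}


def ability_covers(held: str, required: str) -> bool:
    """True if a capability with ability `held` allows actions needing `required`."""
    if held in STANDALONE_ABILITIES or required in STANDALONE_ABILITIES:
        return held == required
    return ABILITY_CHAIN.index(held) >= ABILITY_CHAIN.index(required)


# Constructed scope tree: child -> parent; a root scope has no parent.
SCOPE_PARENT: Dict[str, Optional[str]] = {
    "Tenant": None,
    "Tenant:HR": "Tenant",
    "Tenant:HR:Search": "Tenant:HR",
    "Tenant:Finance": "Tenant",
}


def lineage(scope: str) -> Set[str]:
    """The scope itself plus every ancestor up to the root."""
    out: Set[str] = set()
    current: Optional[str] = scope
    while current is not None:
        out.add(current)
        current = SCOPE_PARENT[current]
    return out


@dataclass
class Role:
    name: str
    capabilities: List[Tuple[str, str]] = field(default_factory=list)  # (scope, ability)


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)


def is_allowed(user: User, scope: str, required: str) -> bool:
    """A capability applies to its scope and all children, so it grants the
    action when its scope is `scope` itself or one of `scope`'s ancestors."""
    granting = lineage(scope)
    return any(
        cap_scope in granting and ability_covers(cap_ability, required)
        for role in user.roles
        for cap_scope, cap_ability in role.capabilities
    )


def hr_search_engineer() -> User:
    """The "HR Search Engineer" role from the text: Read on HR for context,
    Execute on HR:Search for changes to the engineers' own application."""
    role = Role("HR Search Engineer", [("Tenant:HR", "Read"), ("Tenant:HR:Search", "Execute")])
    return User("engineer", [role])


if __name__ == "__main__":
    u = hr_search_engineer()
    for scope, ability in [("Tenant:HR:Search", "Execute"), ("Tenant:HR:Search", "Write"),
                           ("Tenant:HR", "Write"), ("Tenant:HR", "Read"),
                           ("Tenant:Finance", "Read"), ("Tenant:HR:Search", "Enforce")]:
        print(f"{ability:8} on {scope:18} -> {is_allowed(u, scope, ability)}")
```

Running the block shows the two rules at work: Execute on HR:Search also permits Write and Read there, Read on HR flows down to HR:Search but does not permit Write on HR, and nothing is granted on Finance or on the root scope.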


Component-specific Abilities and Capabilities

The following table describes the abilities and capabilities specific to a component.

Table 3. Component-specific abilities and capabilities (N/A = Not Applicable)

Component Name | Installer | Read | Audit | Write | Execute | Enforce | Owner
Security Dashboard | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Scopes and Inventory | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Label Management | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Inventory Filters | N/A | Read-only | Read-only | Yes | Yes | Yes | Yes
Segmentation | N/A | Read-only | Read-only | Add policies, but cannot publish/enforce them or manage alerts | Add/publish policies, but cannot enforce or manage alerts | Yes | Yes
Enforcement Status | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Policy Templates | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Forensic Rules | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Traffic | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Alerts | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Vulnerabilities | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Forensics | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Reporting Dashboard | N/A | Yes | Yes | Yes | Yes | Yes | Yes
Agent Install | Yes | N/A | N/A | N/A | N/A | N/A | Yes
Agent Upgrade | Yes | N/A | N/A | N/A | N/A | N/A | Yes
Agent Convert to Enforcement | Yes | N/A | N/A | N/A | N/A | N/A | Yes
Agent Configure | Read-only | N/A | N/A | N/A | N/A | N/A | Yes
Agent Monitor | Yes | N/A | N/A | N/A | N/A | N/A | Yes
Agent Distribution | Yes | N/A | N/A | N/A | N/A | N/A | Yes
Agent List | Only applicable to the deletion of agents and the generation of tokens for service protection | N/A | N/A | N/A | N/A | N/A | Yes
Alert Config | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Virtual Appliances | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Connectors | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Secure Connector | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
External Orchestrators | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
Kubernetes | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Roles | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Users | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Licenses | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Change Logs | N/A | N/A | No | N/A | N/A | N/A | Yes
Session Configuration | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Data Tap Admin | N/A | N/A | N/A | N/A | N/A | N/A | Yes
Collection Rules | N/A | Read-only | Read-only | Read-only | Read-only | Read-only | Yes
IP Addresses | N/A | N/A | N/A | N/A | N/A | N/A | Yes

API Key Capabilities

API keys are issued with one or more of the following capabilities:

  • sensor_management

  • flow_inventory_query

  • user_role_scope_management

  • user_data_upload

  • app_policy_management

  • external_integration

  • software_download

Menu Access by Role

The menu items that you see and use on the navigation pane depend on the assigned role:

Table 4. Overview Menu

Menu | Option | Tenant Owner | Agent Installer
Overview | Overview | Yes | No

Table 5. Organize Menu

Menu | Option | Tenant Owner | Agent Installer
Organize | Scopes and Inventory | Yes | No
Organize | Use Uploaded Labels | Yes | No
Organize | Inventory Filters | Yes | No

Table 6. Defend Menu

Menu | Option | Tenant Owner | Agent Installer
Defend | Segmentation | Yes | No
Defend | Enforcement Status | Yes | No
Defend | Policy Templates | Yes | No
Defend | Forensic Rules | Yes | No

Table 7. Investigate Menu

Menu | Option | Tenant Owner | Agent Installer
Investigate | Traffic | Yes | No
Investigate | Alerts | Yes | No
Investigate | Vulnerabilities | Yes | No
Investigate | Forensics | Yes | No

Table 8. Reporting Menu

Menu | Option | Tenant Owner | Agent Installer
Reporting | Reporting Dashboard | Yes | No

Table 9. Manage Menu

Menu | Option | Tenant Owner | Agent Installer
Manage | Agents | Yes | Yes
Manage | Alerts Configs | Yes | No
Manage | Change Logs | Yes | No
Manage | Connectors | Yes | No
Manage | External Orchestrators | Yes | No
Manage | Secure Connector | Yes | No
Manage | Virtual Appliances | Yes | No
Manage | Users | Yes | No
Manage | Roles | Yes | No
Manage | Collection Rules | Yes | No
Manage | Session Configuration | Yes | No
Manage | Usage Analytics | Yes | No
Manage | Data Tap Admin | Yes | No

Create a Role

Before you begin

You must have a Site Admin or a Customer Support role.

  1. From the navigation pane, choose Manage > User Access > Roles.

  2. Click Create New Role. The Roles panel appears.

Creating a role using the Create Role Wizard is a three-step process.

Procedure


Step 1

  1. Enter the appropriate values in the following fields:

    Field

    Description

    Name

    The name to identify the role.

    Description

    A short description to add context about the role.

  2. Click the Next button to move to the next step or Back to Roles Page to go back to Roles Page.

Step 2

  1. Click the Add Capability button to show the creation form in the top row.

  2. Select scope and ability.

  3. Click the Checkmark button to create a new capability or Cancel button to cancel.

  4. Click Next to review role details or Previous to go back and edit.

Figure 4. Capability Assignment
Capability Assignment

Step 3

  1. Review the role details and capabilities.

  2. Click Create to create role.

Figure 5. Role Review
Role Review

Edit a Role

This section explains how Site Admins and Customer Support users can edit roles.

Before you begin

You must be Site Admin or Customer Support User.

  1. In the navigation bar on the left, click Manage > User Access > Roles.

  2. In the row of the role to edit, click the Edit button in the right-hand column. The Roles panel appears.

Editing a role using the Edit Role Wizard is a three-step process.

Procedure


Step 1

  1. Update the name or description if desired.

  2. Click the Next button to move to the next step or Back to Roles Page to go back to Roles Page.

Step 2

  1. Remove any capability as needed. In the row of the capability to delete, click the Delete icon in the right-hand column.

  2. To add, click the Add Capability button to show the creation form in the top row.

  3. Select scope and ability.

  4. Click Next to review role details or Previous to go back and edit.

Step 3

  1. Review the role details and capabilities.

  2. Click Update to save the role or Previous to go back and edit. Changes to role details and capability assignment are saved after Update.

Note

 

Capabilities cannot be edited, they must be deleted and recreated.


Change Log

Site Admins can access the Change Log page under the Manage menu in the navigation bar at the left side of the window. This page displays the most recent changes that are made within Cisco Secure Workload.


Note


Change Log Retention Period: Secure Workload manages change logs for a duration of up to one year on both SaaS and On-premises clusters. An hourly job deletes change logs that exceed a one-year timeframe.


Figure 6. Change Log Page
Change Log Page

The details of each change log entry can be viewed by clicking on the link in the Change At column. This page includes a Before and After snapshot of the fields changed. The fields may include technical names that require some interpretation to understand how they are surfaced elsewhere throughout Secure Workload.

Figure 7. Change Log Details Page
Change Log Details Page

The complete list of changes for an entity can be viewed by clicking the button in the upper-right corner, titled Full log for this <entity type>. This page displays the details of each change. It also includes the Current State of the entity, when available.

Figure 8. Full Change Log for Entity
Full Change Log for Entity

Collection Rules

Site Admins and Customer Support users can access the Collection Rules page under the Manage > Service Settings menu in the navigation bar at the left side of the window. This page displays the hardware collection rules, by VRF, that are used by switches running the Cisco Secure Workload agent. There is one row in the table for each VRF.

Rules

Click the Edit button on a VRF to modify its collection rules. By default, every VRF is configured with two default catch-all rules, one for IPv4 (0.0.0.0/0 INCLUDE) and one for IPv6 (::/0 INCLUDE). These default rules can be removed, but do so with caution.

Extra include and exclude rules can be added. Enter a valid subnet, select include or exclude, and click Add Rule. The priority of these rules can be adjusted via drag-and-drop: click and hold a rule in the list and drag it to adjust the order.

Changes may take several minutes to propagate to your switches. Click the Back button in the upper-right corner to return to the VRF list.

Priority

Collection rules are ordered in decreasing order of priority. No longest-prefix match is done to determine the priority; the rule that appears first has higher priority than all subsequent rules. Example:

  1. 1.1.0.0/16 INCLUDE

  2. 1.0.0.0/8 EXCLUDE

  3. 0.0.0.0/0 INCLUDE

In this example, all addresses in the 1.0.0.0/8 subnet are excluded except those in 1.1.0.0/16, which are included.

Another Example with changed order:

  1. 1.0.0.0/8 EXCLUDE

  2. 1.1.0.0/16 INCLUDE

  3. 0.0.0.0/0 INCLUDE

In this example, all addresses in the 1.0.0.0/8 subnet are excluded. Rule 2 is never exercised because a higher-priority rule already covers its subnet.
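Because ordering rather than prefix length decides the outcome, it is worth checking a rule list before saving it. The following is an added example, not Secure Workload code, that evaluates an address against an ordered rule list with the first-match semantics described above, contrasts it with what a longest-prefix-match evaluator would return, and flags rules that an earlier rule shadows completely. The rule lists reproduce the two orderings in the text plus the default catch-all rules; the sample addresses are constructed, and the behaviour for an address that matches no rule (treated here as EXCLUDE) is an assumption.

```python
# Added example, not Secure Workload code: ordered collection-rule evaluation
# (first matching rule wins, no longest-prefix match) over the two orderings
# from the text. Sample addresses are constructed; treating "no rule matched"
# as EXCLUDE is an assumption.
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # (prefix, "INCLUDE" or "EXCLUDE")

# Default per-VRF rules from the text.
DEFAULT_RULES: List[Rule] = [("0.0.0.0/0", "INCLUDE"), ("::/0", "INCLUDE")]
# First ordering: the /16 carve-out precedes the /8 exclusion.
RULES_CARVE_OUT: List[Rule] = [("1.1.0.0/16", "INCLUDE"), ("1.0.0.0/8", "EXCLUDE"),
                               ("0.0.0.0/0", "INCLUDE")]
# Second ordering: the /8 exclusion comes first and shadows the /16.
RULES_SHADOWED: List[Rule] = [("1.0.0.0/8", "EXCLUDE"), ("1.1.0.0/16", "INCLUDE"),
                              ("0.0.0.0/0", "INCLUDE")]


def _matches(ip, prefix: str) -> bool:
    net = ipaddress.ip_network(prefix)
    return ip.version == net.version and ip in net


def decide(address: str, rules: List[Rule]) -> str:
    """Ordered evaluation: the first rule whose prefix contains the address wins."""
    ip = ipaddress.ip_address(address)
    for prefix, action in rules:
        if _matches(ip, prefix):
            return action
    return "EXCLUDE"  # assumption: with no catch-all rule the address is not collected


def decide_longest_prefix(address: str, rules: List[Rule]) -> str:
    """For contrast only: what a longest-prefix-match evaluator would return."""
    ip = ipaddress.ip_address(address)
    best_len, best_action = -1, "EXCLUDE"
    for prefix, action in rules:
        net = ipaddress.ip_network(prefix)
        if _matches(ip, prefix) and net.prefixlen > best_len:
            best_len, best_action = net.prefixlen, action
    return best_action


def shadowed(rules: List[Rule]) -> List[str]:
    """Prefixes that lie entirely inside an earlier rule's prefix and can
    therefore never match; a cheap check before saving a rule order."""
    nets = [ipaddress.ip_network(p) for p, _ in rules]
    out: List[str] = []
    for i, net in enumerate(nets):
        if any(e.version == net.version and net.subnet_of(e) for e in nets[:i]):
            out.append(rules[i][0])
    return out


if __name__ == "__main__":
    for name, rules in [("carve-out", RULES_CARVE_OUT), ("shadowed", RULES_SHADOWED)]:
        print(name, "1.1.5.5 ->", decide("1.1.5.5", rules),
              "| longest-prefix would give", decide_longest_prefix("1.1.5.5", rules),
              "| shadowed rules:", shadowed(rules))
```

For 1.1.5.5 the first ordering returns INCLUDE and the second returns EXCLUDE, while a longest-prefix evaluator would return INCLUDE for both; `shadowed` reports 1.1.0.0/16 only for the second ordering, which is the case the text describes as never exercised.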

Session Configuration

The idle session timeout for UI user authentication can be configured here. This setting applies to all users of the appliance. The default idle session duration is 1 hour; it can be set within the range of 5 minutes to 24 hours. The new timeout takes effect on users' authenticated sessions when the value is saved.

Site Admins and Customer Support users can access this setting. In the left navigation pane, click Manage > Service Settings > Session Configuration.

Account Lockout

For users who authenticate against the local database, failed login attempts lock the user account as follows:

Procedure


Step 1

Five failed login attempts using email and password lock the account.

Note

 

As a security measure against probing, the login interface gives no specific message indicating the lock when someone tries to sign in to a locked account.

Step 2

The lockout interval is 30 minutes. After the account is unlocked, log in with the correct password or initiate password recovery by clicking Forgot password?

Note

 

After a user successfully signs in, one hour of inactivity (the default) logs out the user. This timeout is configured from Manage > Service Settings > Session Configuration.
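The lockout and idle-session rules in this section are simple to state but easy to implement in a way that leaks account existence. The following is an added example, not Secure Workload code, of a local account store that applies the five-attempt lock, the 30-minute lockout interval, the 5-minute to 24-hour idle-timeout range and the uniform failure response the note above calls for. The account store itself, the PBKDF2 password hashing, the injectable clock, hashing a dummy salt for unknown accounts so response time does not reveal whether an email exists, and resetting the failure counter when a lock is applied are assumptions made for this illustration.

```python
# Added example, not Secure Workload code: local-database lockout and idle
# session handling as described in this section. The store, PBKDF2 hashing,
# injectable clock, dummy-salt hashing for unknown accounts and resetting the
# failure counter on lock are assumptions for illustration.
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

LOCK_THRESHOLD = 5                  # failed attempts before the account locks
LOCK_SECONDS = 30 * 60              # lockout interval from the text
IDLE_MIN, IDLE_MAX = 5 * 60, 24 * 3600
IDLE_DEFAULT = 60 * 60              # default idle session duration
GENERIC_FAILURE = "Invalid email or password."  # same text for wrong, unknown or locked
_DUMMY_SALT = os.urandom(16)        # used so unknown accounts cost the same as real ones


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalAccountStore:
    def __init__(self, now: Callable[[], float] = time.time, idle_timeout: int = IDLE_DEFAULT):
        if not IDLE_MIN <= idle_timeout <= IDLE_MAX:
            raise ValueError("idle timeout must be between 5 minutes and 24 hours")
        self._now = now
        self.idle_timeout = idle_timeout
        self._accounts: Dict[str, dict] = {}
        self._sessions: Dict[str, dict] = {}

    def add(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        # Email IDs are case-insensitive: store the lowercase form.
        self._accounts[email.lower()] = {"salt": salt, "hash": _hash(password, salt),
                                         "failures": 0, "locked_until": 0.0}

    def login(self, email: str, password: str) -> Tuple[bool, str]:
        """Returns (True, session token) or (False, GENERIC_FAILURE)."""
        acct = self._accounts.get(email.lower())
        now = self._now()
        # Always hash, so timing does not reveal whether the email exists.
        candidate = _hash(password, acct["salt"] if acct else _DUMMY_SALT)
        if acct is None or now < acct["locked_until"]:
            # Unknown or locked: identical response, so a probe learns nothing.
            return False, GENERIC_FAILURE
        if not hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] += 1
            if acct["failures"] >= LOCK_THRESHOLD:
                acct["locked_until"] = now + LOCK_SECONDS
                acct["failures"] = 0
            return False, GENERIC_FAILURE
        acct["failures"] = 0
        token = os.urandom(16).hex()
        self._sessions[token] = {"email": email.lower(), "last_seen": now}
        return True, token

    def touch(self, token: str) -> bool:
        """Validate a session on each request; drop it once idle_timeout has passed."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        now = self._now()
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return False
        sess["last_seen"] = now
        return True


if __name__ == "__main__":
    clock = [1_000_000.0]
    store = LocalAccountStore(now=lambda: clock[0])
    store.add("Alice@Example.com", "Correct-Horse-1")
    for _ in range(LOCK_THRESHOLD):
        store.login("alice@example.com", "wrong")
    print("right password while locked:", store.login("alice@example.com", "Correct-Horse-1"))
    clock[0] += LOCK_SECONDS
    print("right password after lock expires:", store.login("alice@example.com", "Correct-Horse-1")[0])
```

The point to notice is that the correct password is rejected with the same message while the lock is in force, and an unknown email gets that same message after the same amount of work; only the passage of LOCK_SECONDS on the clock makes the account usable again.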


Preferences

The Preferences page displays your account details and enables you to update your display preferences, change your landing page, change your password, and configure two-factor authentication.

Change Your Landing Page Preference

To change the page you see when you sign in:

Procedure


Step 1

On the top-right corner of the window, click the user icon and choose User Preferences.

Step 2

Choose a landing page from the drop-down menu. Your preference is saved as the default or home page when you log in. To see the change, click the Secure Workload logo at the top-left corner of the page.


Change a Password

Procedure


Step 1

Click on the user icon in the top-right corner.

Step 2

Select User Preferences.

Step 3

In the Change Password pane, enter your current password in the Old Password field.

Step 4

Enter your new password in the Password field.

Step 5

Re-enter your new password in the Confirm Password field.

Step 6

Click Change Password to submit the change.

Note

 

Password must be 8–128 characters and contain at least one of each of the following:

  • Lower case letters ( a b c d . . . )

  • Upper case letters ( A B C D . . . )

  • Numbers (0 1 2 3 4 5 6 7 8 9 )

  • Special characters ( ! " # $ % & ’ ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ‘ { | } ~ ), space included


Recovery Codes

Procedure

Step 1

Download the recovery codes from the User Preferences page.

Note

 

Only admins can generate recovery codes. If external authentication is enabled, recovery code generation is not supported.

Step 2

Each admin user must download their recovery codes after login; six recovery codes are provided.

Step 3

At login, enter the recovery code in the password field. Recovery codes must be used during login in conjunction with the username.

Step 4

When logging in with the username and a recovery code as the password, the user is redirected to the password reset screen to set a new password.

Note

 

A used recovery code is no longer valid for subsequent logins. Regenerate your recovery codes before exhausting all available codes.

Recover Password

This section explains how to reset your password if you have forgotten the password.

Before you begin

To reset a password, you must have an account. Only a Site Admin has the privilege to create new accounts.

Procedure


Step 1

Point your browser to the Cisco Secure Workload URL and click the Forgot Password link. The Forgot your password? dialog box is displayed.

Step 2

Enter the email ID to which the password must be sent.

Step 3

Click Reset Password.

Password reset instructions are sent to your email.

Note

 

Password recovery for an account that uses two-factor authentication requires contacting the Cisco Technical Assistance Center (TAC) for a temporary one-time password.


Reset Password

This section explains how to reset password for users without an email ID.


Note


If SMTP is disabled, the Forgot Password button on the login page is disabled for users.


Procedure

Step 1

As a Site Admin, log in to Secure Workload, and from the navigation pane, choose Manage > User Access > Users.

Step 2

Under the Actions column, click the Pencil icon. The User Details page is displayed.

Table 10. User Details Field Descriptions

Field

Description

Email or Username

Enter the username of the user; usernames are case-insensitive and cannot contain @ or spaces.

Note

 

As a Site Admin, you can use the username to generate a temporary password for a user who needs to recover their account.

The maximum length of a username is 255 characters.

First Name

Enter the user’s first name.

Last Name

Enter the user’s last name.

Scope

Root scope that is assigned to the user for multitenancy. (Available to site admins)

SSH Public Key

(Optional) Click Import to import an SSH public key, or import a key later.

Step 3

To generate a temporary password, click Generate Password. Copy the password and share it with the user who requested it.

Note

 

To reset the password, the user logs in to Secure Workload with the username and the temporary password, and then creates a permanent password on the Reset password page.

Figure 9. User Details

Step 4

To secure the account, enter the new password on the Reset password page. After resetting the password, enter the username and the new password on the login page.

Note

 

New password must meet the following conditions:

  • Length of the password must be at least 8 characters.

  • Password must contain at least one upper-case letter.

  • Password must contain at least one lower-case letter.

  • Password must contain at least one number.

  • Password must contain at least one of the special characters: !@#$%^*&-_+={}[/}|\?:;",'


Scopes


Note


The Scopes page is merged with Inventory Search. For more information, see the Scopes and Inventory page.