Managing access
runZero supports multiple concurrent users with a variety of roles. Roles can be set per-user on both a default and per-organization basis. The standard roles are administrator, user, billing, annotator, viewer, and no access. There is also a superuser role available to manage global settings.
Where multiple roles apply to a user, the most privileged one wins. For example, if a user has user access through group membership but administrator access assigned directly, they are given administrator privileges.
Available roles
Superuser
The first user created within the runZero console is considered a superuser. This role allows management of global settings like subscriptions and SSO parameters, and is shown as an access level of “everything”.
If you are a superuser, you can promote someone else to be a superuser. To do this, check the row listing them, and click the Promote to superuser button.
If you are using SSO authentication, configure at least one superuser with a strong password and MFA as a backup (break-glass) account that can be used if the SSO settings need to be changed in the future.
We strongly recommend having more than one superuser, particularly if you are using MFA. That way if an MFA token is lost or a superuser leaves your organization, another superuser can fix the problem.
Administrator
Administrators can modify any aspect of an organization and have the unique ability to permanently delete bulk data, create additional organizations, and reset settings for other users.
User
Users have full access to an organization and can update sites, modify assets, schedule scans, and generally use most functionality. Users are not permitted to reset other users’ security credentials, bulk delete data, or delete an organization.
Billing
Billing users are unable to see any asset data, but can manage the licensing, billing, and entity settings for the account.
Annotator
Annotators have the same permissions as a viewer, except they have the ability to add tags to assets. Annotators do not have any other write-access within an organization, so they are unable to modify or remove existing tags. Modifications to existing tags must be made by a runZero user or administrator.
Viewer
Viewers have read-only access to an organization. This includes all inventory data and reports. Viewers are not allowed to interact with tasks, modify settings, or update assets. Viewers may not download the runZero CLI or install runZero Explorers, and they do not have access to view API tokens or export tokens.
No Access
The no access role is generally used as a default. Accounts with no access as a default are limited to those organizations where they have been granted access. If no organizations are allowed, the user is limited to managing their own account settings.
The no access global role can be used to create a single-organization user, such as a customer or third party that needs access to the inventory for a specific organization. For consulting use cases, a single-organization user is a way to provide clients with visibility into their environment at no additional cost.
Another use for the no access role is to set it as the default for the account when you have no limits on who can sign in using an SSO system. You can then wait for the user to sign in and request access, before granting their newly-created account access to the appropriate organizations.
Inviting users
To add a team member, access the Your team page, and use the Invite user button to send an invitation.
The Your team menu entry has several submenus:
- Users shows all users in the current client account.
- Restricted goes to a page listing users who by default have no access to any organization.
- The entry named for the current organization (as selected from the organization selector at the top of the screen) shows only users with access to that organization.
- External goes to a page where you can invite users from other runZero client accounts.
- Groups lists the user groups available. Groups can be used to set the access and permissions users have within each organization.
User details
On the Users page, you can click on a user to view their details page. The user details include a list of their effective access to each organization. These details are split into three sections:
- User access lists access to organizations that has been directly granted to the user.
- Group access lists access to organizations that they are granted because they are in a group that has access to the organization.
- SSO group access similarly lists access from being in a group, but in this case for groups set as a result of SSO group roles.
Directly assigned user permissions can be edited using the gear icon button, either at the right side of the appropriate row of the user listing, or using the button at the top right of their user details page.
While editing user permissions using the gear icon, you are editing only the explicitly assigned roles. To see the resulting effective access, which also includes group and SSO group grants, check the user details page.
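The "most privileged role wins" rule above, and the three access sources shown on the user details page, are easy to get wrong in an access review because the gear-icon editor shows only the direct assignment. The following is an added example, not runZero code, that computes a user's effective per-organization role from direct, group and SSO group assignments and flags organizations where a group grants more than the direct assignment. The role ranking, the record layout and the sample user are assumptions made for illustration; runZero only documents that the most privileged assignment wins.

```python
"""Effective-access audit for a runZero-style role model (added example).

Record layout, ROLE_RANK ordering and the sample data below are constructed
for illustration and are not runZero's own API or data format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ranking, most privileged first. "billing" and "annotator" are not
# strict supersets of the roles below them, so review this ordering against
# your own policy before relying on it.
ROLE_RANK = {
    "administrator": 5,
    "user": 4,
    "billing": 3,
    "annotator": 2,
    "viewer": 1,
    "none": 0,
}


@dataclass
class Assignment:
    source: str  # "user" (direct), "group:<name>" or "sso:<group>"
    role: str


@dataclass
class UserRecord:
    email: str
    default_role: str = "none"
    # organization name -> assignments from all three sources
    org_access: Dict[str, List[Assignment]] = field(default_factory=dict)


def effective_access(user: UserRecord, orgs: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {org: (role, source)} picking the most privileged assignment.
    Organizations with no assignment fall back to the account default role."""
    result = {}
    for org in orgs:
        best_role, best_src = user.default_role, "default"
        for a in user.org_access.get(org, []):
            if ROLE_RANK[a.role] > ROLE_RANK[best_role]:
                best_role, best_src = a.role, a.source
        result[org] = (best_role, best_src)
    return result


def direct_role(user: UserRecord, org: str) -> str:
    """The role the gear-icon editor would show: the explicit per-user
    assignment, or the account default when there is none."""
    for a in user.org_access.get(org, []):
        if a.source == "user":
            return a.role
    return user.default_role


def group_granted_access(user: UserRecord, orgs: List[str]) -> List[Tuple[str, str, str, str]]:
    """Organizations where a group or SSO group grants more than the direct
    assignment. These rows deserve attention in an access review, because the
    direct view alone understates what the user can do."""
    rows = []
    for org, (role, src) in effective_access(user, orgs).items():
        direct = direct_role(user, org)
        if ROLE_RANK[role] > ROLE_RANK[direct]:
            rows.append((org, direct, role, src))
    return rows


def sample_user() -> UserRecord:
    """Constructed sample: direct 'user' in Corp IT, admin via a group in
    Corp IT, viewer via an SSO group in Partner Lab, nothing in Retail."""
    return UserRecord(
        email="jane@example.com",
        default_role="none",
        org_access={
            "Corp IT": [
                Assignment("user", "user"),
                Assignment("group:platform-admins", "administrator"),
            ],
            "Partner Lab": [Assignment("sso:okta-auditors", "viewer")],
        },
    )


if __name__ == "__main__":
    orgs = ["Corp IT", "Retail", "Partner Lab"]
    u = sample_user()
    for org, (role, src) in effective_access(u, orgs).items():
        print(f"{u.email:20} {org:12} {role:14} via {src}")
    for org, direct, eff, src in group_granted_access(u, orgs):
        print(f"REVIEW: {org}: direct={direct}, effective={eff} ({src})")
```

Run it as a script to see the effective-access table and the review rows. To apply it to a real account, populate `UserRecord` objects from whatever export you have of user, group and SSO group assignments (for example data pulled through the Account API described later on this page), mapping that data onto these constructed fields.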
Account settings
The Account page is available to superusers. It contains settings which apply to all users and organizations within the account.
Single-sign on (SSO)
runZero supports the implementation of SSO through SAML2. If you use a SAML2-compatible single sign-on (SSO) implementation, the SSO Settings page can be used to configure an Identity Provider (IdP) and allow permitted users to sign in to the runZero console.
Multi-factor authentication (MFA)
runZero supports multi-factor authentication, also known as two-factor authentication or 2FA. Physical hardware keys such as Google TitanKey and Yubico YubiKey are supported via the WebAuthn standard.
You can configure MFA policies for your account via the Account settings page. If multi-factor authentication is required, users who do not have an MFA token set up will be required to set one up when they next sign in. You can choose between requiring this for all users, or only requiring it for non-SSO users. The latter option is useful if your SSO server enforces MFA use.
Once a user registers one or more MFA tokens, they will be required to use one of the tokens every time they sign in.
Note that changing the account settings so that MFA is no longer required does not alter the MFA status of existing accounts. Existing accounts keep any MFA tokens they have registered and are still required to use one to sign in. To disable MFA for a user, the user must clear their own MFA token registration: on their user settings page, click the red “Unlink” text next to the token ID in the bottom right.
Disabling support access
If you check the box labeled Disable support access to your account, runZero support staff will not be allowed to switch to your account.
If you choose to disable support access, this may make it harder for runZero support to answer any questions you have. In some cases we may need you to turn support access back on so that we can help you.
Idle times and sign in duration
You can set a maximum idle session time in minutes. If set, users whose web browsers don’t access runZero for the specified time period will be considered idle, and signed out.
You can also specify a maximum sign in duration. If set, users will be forced to sign in again regularly, at least once every specified period.
Account API keys
The Account API is a REST API which allows account-level operations such as adding and removing organizations and sites, adding users, and accessing the system event log. The Generate API Key button on the Account page can be used to generate a token which will allow access to the Account API.
License information
The License page shows information about your runZero software license, including how many assets you are licensed for, how many assets you have across all organizations, and when your license renews.
Entity information
The Entity page allows you to update information about the legal entity runZero is licensed to. You should ensure that this information is kept up-to-date if your company changes name or location, as we use the information to calculate taxes and ensure compliance with appropriate regulations.
Audit log
The Audit log page shows a history of all system events relevant to the superuser, such as login events, that are not visible within the organization Events page.