Authentication and Authorization
Administer Users and Roles
Purpose
This article provides a summary of assignable roles that are available when creating new users in BloodHound.Creating users
Users are created through Settings Administration Manage Users, and clicking the button Create User. The following properties must be set on each user:| Property | Description |
|---|---|
| Email Address | Text field for the user’s email address. |
| Principal Name | Text field for the username used for logging into BloodHound. Can be the same as email address. |
| First Name | Text field for the user’s first name. |
| Last Name | Text field for the user’s first name. |
| Authentication Method | Drop-down selection for one of the available authentication methods to be used for the user. * Username / Password - Built-in authentication via username and password, supports TOTP-based multifactor authentication. * SAML - SAML 2.0-based Single-Sign-On as described in SAML in BloodHound Enterprise. |
| Initial Password | Text field for the user’s initial password. |
| Force Password Reset? | Selecting this check box forces the user to reset their password on the next logon. Must comply with password requirements: * At least 12 characters long * Contain at least 1 lowercase character, 1 uppercase character, 1 number and 1 special character (!@#$%^&*) |
| Role | Drop-down selection for one the available roles. |
User Role Definitions
BloodHound offers multiple roles for access control. Each user must be assigned one role.| Administrator | Power User | User | Read-only | Upload-only | |
|---|---|---|---|---|---|
| Tenant Administration | |||||
| View, Add, Remove, Modify users | - | - | - | - | |
| View, Add, Remove all API keys | - | - | - | - | |
| View, Add, Remove owned API keys | - | - | |||
| View, Add, Remove SAML provider configurations | - | - | - | - | |
| Clear the BloodHound database | - | - | - | - | |
| View audit log | - | - | - | - | |
| Attack Path Analysis | |||||
| View any available tenant data, including active Attack Paths [BHE], and explore the Graph | - | ||||
| Accept Attack Path Impacted Principals [BHE] | - | - | - | ||
| Modify Tier Zero / High Value Members | - | - | - | ||
| Collector Clients and File Ingest | |||||
| Download collector installation packages | |||||
| View collector client details [BHE] | - | - | |||
| Run collector client on demand scan [BHE] | - | - | - | ||
| Add collector client [BHE] | - | - | - | ||
| Modify collector client [BHE] | - | - | - | ||
| Remove collector client [BHE] | - | - | - | ||
| Regenerate collector client credentials [BHE] | - | - | - | ||
| File ingest | - | - |