Users and user groups

Users can access the ExtraHop system in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, SAML, Radius, and TACACS+.

Local users

This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.

The following accounts are configured by default on ExtraHop systems but do not appear in the list of names on the Users page. These accounts cannot be deleted and you must change the default password upon initial login.
This account provides full system read and write privileges to the browser-based user interface and to the ExtraHop command-line interface (CLI). On physical sensors, the default password for this account is the service tag number on the front of the appliance. On virtual sensors, the default password is default.
The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical sensors, the default password for this account is the service tag number on the front of the appliance. On virtual sensors, the default password is default.
Note:The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) and Google Cloud Platform (GCP) is the instance ID of the virtual machine.

Remote Authentication

The ExtraHop system supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example) to enable all or a subset of their users to log in to the system with their existing credentials.

Centralized authentication provides the following benefits:

  • User password synchronization.
  • Automatic creation of ExtraHop accounts for users without administrator intervention.
  • Management of ExtraHop privileges based on user groups.
  • Administrators can grant access to all known users or restrict access by applying LDAP filters.

Remote users

If your ExtraHop system is configured for SAML or LDAP remote authentication, you can create an account for those remote users. Preconfiguring accounts on the ExtraHop system for remote users enables you to share dashboards and other system customizations with those users before they log in.

If you choose to auto-provision users when you configure SAML authentication, then the user is automatically added to the list of local users when they log in for the first time. However, you can create a remote SAML user account on the ExtraHop system when you want to provision a remote user before that user has logged in to the system. Privileges are assigned to the user by the provider. After the user is created, you can add them to local user groups.

User groups

User groups enable you to manage access to shared content by group instead of by individual user. Dashboards and activity maps can be shared with a user group, and any user who is added to the group automatically has access. You can create a local user group—which can include remote and local users. Alternatively, if your ExtraHop system is configured for remote authentication through LDAP, you can configure settings to import your LDAP user groups.

  • Click Create User Group to create a local group. The user group appears in the list. Then, select the checkbox next to the user group name and select users from the Filter users... drop-down list. Click Add Users to Group.
  • (LDAP only) Click Refresh All User Groups or select multiple LDAP user groups and click Refresh Users in Groups.
  • Click Reset User Group to remove all shared content from a selected user group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
  • Click Enable User Group or Disable User Group to control whether any group member can access shared content for the selected user group.
  • Click Delete User Group to remove the selected user group from the system.
  • View the following properties for listed user groups:
    Group Name
    Displays the name of the group. To view the members in the group, click the group name.
    Displays Local or Remote as the type of user group.
    Displays the number of users in the group.
    Shared Content
    Displays the number of user-created dashboards and activity maps that are shared with the group.
    Displays whether the group is enabled or disabled on the system. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing content.
    Members Refreshed (LDAP only)
    Displays the amount of time elapsed since the group membership was refreshed. User groups are refreshed under the following conditions:
    • Once per hour, by default. The refresh interval setting can be modified on the Remote Authentication > LDAP Settings page.
    • An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
    • A remote user logs in to the ExtraHop system for the first time.
    • A user attempts to load a shared dashboard that they do not have access to.

User privileges

Administrators determine the level of access and functionality users have with the ExtraHop system. In addition to setting the privilege level for local users, you can enable options for any user privilege level.

For information about user privileges for the REST API, see the REST API Guide.

For information about remote user privileges, see the configuration guides for LDAP, RADIUS, SAML, and TACACS+.

Privilege Levels

Set the privilege level for your user to determine which areas of the ExtraHop system they can access. Users with unlimited or System Administration privileges can access all areas of the ExtraHop system, including packets, session keys, and detections.

  Unlimited System and Access Administration (Reveal(x) 360 only) System Administration (Reveal(x) 360 only) Full Write Limited Write Personal Write Full Read-Only Restricted Read-Only
Activity Maps  
Create, view, and load shared activity maps Y Y Y Y Y Y Y N
Save activity maps Y Y Y Y Y Y N N
Share activity maps Y Y Y Y Y N N N
View alerts Y Y Y Y Y Y Y Y
Create and modify alerts Y Y Y Y N N N N
Analysis Priorities  
View Analysis Priorities page Y Y Y Y Y Y Y N
Add and modify analysis levels for groups Y Y Y Y N N N N
Add devices to a watchlist Y Y Y Y N N N N
Transfer priorities management Y Y Y Y N N N N
Create a bundle Y Y Y Y N N N N
Upload and apply a bundle Y Y Y Y N N N N
View list of bundles Y Y Y Y Y Y Y N
View and organize dashboards Y Y Y Y Y Y Y Y
Create and modify dashboards Y Y Y Y Y Y N N
Share dashboards Y Y Y Y Y N N N
Note:Machine learning detections require a connection to ExtraHop Cloud Services.

Administrators can configure the Detections Access Control global policy to specify which users can access detections. The privilege level of the user determines the level of access to detections.

View detections Y Y Y Y Y Y Y Y
Acknowledge Detections Y Y Y Y Y Y N N
Modify detection status and notes Y Y Y Y Y N N N
Create and modify investigations Y Y Y Y Y N N N
Create and modify tuning rules Y Y Y Y N N N N
Device Groups Administrators can configure the Device Group Edit Control global policy to specify whether users with limited write privileges can create and edit device groups.
Create and modify device groups Y Y Y Y Y (If the global privilege policy is enabled) N N N
View metrics Y Y Y Y Y Y Y N
Notification Rules  
Create and modify detection notification rules Y Y Y Y N N N N
Create and modify threat briefing notification rules Y Y Y Y N N N N
Records (Explore appliance)  
View record queries Y Y Y Y Y Y Y N
View record formats Y Y Y Y Y Y Y N
Create, modify, and save record queries Y Y Y Y N N N N
Create, modify, and save record formats Y Y Y Y N N N N
Scheduled Reports (Command appliance)  
Create, view, and manage scheduled reports Y Y Y Y Y N N N
Threat Intelligence  
Manage threat collections Y Y Y N N N N N
View threat intelligence information Y Y Y Y Y Y Y N
Create and modify triggers Y Y Y Y N N N N
Administrative Privileges  
Access the ExtraHop Administration settings Y Y Y N N N N N
Connect to other appliances Y Y Y N N N N N
Manage other appliances (Command appliance) Y Y Y N N N N N
Manage users and API access Y Y N N N N N N

Privilege options

The following privilege options can be assigned to users with limited Web UI and API privileges.

Packet and Session Key Access

  • No access
  • Packet slices only
  • Packets only
  • Packets and session keys

Detections Access

  • No access
  • Full access
    • Full access to detections is determined by your privilege level. See the Privilege Levels table to see what level of detections each privilege level can access.
Note:(Reveal(x) Enterprise only) The Detections Access settings appear only if the global privilege policy for detections access control is set to Only specified users can access detections.
Last modified 2024-04-01