SSHepherd Documentation

Managing Roles

Overview

Roles in SSHepherd® are the method of providing Users access to Hosts. A Role is a collection of permissions that are granted to the Users that are assigned to that Role.

SSHepherd® currently has two built-in roles: an Admin role with full permissions to all Hosts, and a User role that can see only the Hosts it has been granted access to and create tunnels to those assigned Hosts.

The first account you create after installing the SSHepherd® C3 Server is automatically entered as both an Admin and a User. Please note: SSHepherd® only allows a connection to a Host if the logged-in user is a member of a Group that also contains the requested Host. This prevents lateral movement across Hosts.

Roles can be managed from either the Administrator Console or from the command line utilizing the SSHepherd® Control CLI (shepctl).

There are two roles in the system:

  1. Admin
  2. User

These two roles have different permission sets, and each permission corresponds to a command that can be run with the shepctl tool.

Admin Role

The admin role contains the following permissions:

  • add-host
  • attach-recording
  • create-group
  • create-tunnel
  • create-user
  • list-group
  • list-host
  • list-recording
  • list-user-role
  • modify-group
  • modify-user
  • modify-user-role
  • remove-host
  • terminate-tunnel

Note: For bulk management, the create-users and group-add-users commands in shepctl use the create-user and modify-group permissions respectively.

User Role

The user role contains the following permissions:

  • create-tunnel
  • list-host

Assign a role to a user

To assign a role to a user, use the shepctl tool logged in as a user with the admin role:

shepctl --role ROLE --user USER role-add

Where ROLE is either admin or user, and USER is the user name (email) of the user you want to assign the role to.

Remove a role from a user

To remove a role from a user, use the shepctl tool logged in as a user with the admin role:

shepctl --role ROLE --user USER role-del

Where ROLE is either admin or user, and USER is the user name (email) of the user you want to remove the role from.
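The two commands above can be wrapped in a small script that validates ROLE and USER before calling the CLI and applies a batch of changes from a file. This is an added example, not SSHepherd's own tooling; it assumes shepctl is on PATH, that you are logged in with the admin role, and that setting SHEPCTL=echo gives a dry run.

```sh
#!/bin/sh
# Added example, not part of SSHepherd or shepctl: a wrapper around the two
# documented commands (role-add / role-del) that validates every argument before
# calling the CLI and can apply a batch of changes from a file.
# Assumptions: shepctl is on PATH and you are logged in with the admin role.
# Set SHEPCTL=echo to dry-run: the commands are printed instead of executed.

# valid_role ROLE: succeeds only for the two built-in roles.
valid_role() {
    case "$1" in
        admin|user) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_user USER: SSHepherd user names are email addresses, so reject
# anything that is empty, contains shell-unsafe characters, or lacks "@" and a dot.
valid_user() {
    case "$1" in
        ""|*[!A-Za-z0-9.@_+-]*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# role_change add|del ROLE USER: run "shepctl --role ROLE --user USER role-add"
# (or role-del). Any invalid argument fails closed with exit status 2.
role_change() {
    action="$1"; role="$2"; user="$3"
    case "$action" in add|del) ;; *) echo "bad action '$action'" >&2; return 2 ;; esac
    valid_role "$role" || { echo "refusing: role must be admin or user, got '$role'" >&2; return 2; }
    valid_user "$user" || { echo "refusing: user must be an email, got '$user'" >&2; return 2; }
    "${SHEPCTL:-shepctl}" --role "$role" --user "$user" "role-$action"
}

# apply_role_file FILE: one change per line in the form "add|del ROLE USER".
# Admin grants are skipped unless ALLOW_ADMIN=1, so a bulk import cannot hand
# out full-host access by accident. Prints the number of changes applied.
apply_role_file() {
    applied=0
    while read -r action role user; do
        case "$action" in ""|"#"*) continue ;; esac      # blank line or comment
        if [ "$action" = add ] && [ "$role" = admin ] && [ "${ALLOW_ADMIN:-0}" != 1 ]; then
            echo "skipping admin grant for $user (set ALLOW_ADMIN=1 to allow)" >&2
            continue
        fi
        role_change "$action" "$role" "$user" && applied=$((applied + 1))
    done < "$1"
    echo "$applied"
}
```

Run a batch first with SHEPCTL=echo and review the printed commands, then rerun without it to apply them.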
