Introduction
Welcome to Dispel! This guide is intended to assist a new Facility Admin on the Dispel Dashboard. This guide covers the following:
Managing Facilities
Managing Facility Groups
Managing Devices
Managing Access Requests
What is a Facility Admin?
A Facility Admin is a role level within the Dispel dashboard with the permissions necessary to handle day-to-day management of devices and access requests on the dashboard.
These may be Plant Managers responsible for editing ACLs and responding to Access Requests for their Facility, or Senior Operations personnel who cover for plant managers outside of normal hours.
Managing Facilities
Facilities segment regions into specific sites and allow for more granular control over members and devices within the moving-target defense network.
A Facility Admin can manage their Facility in the following ways:
Creating and removing a Facility
Adding and removing Facility members
Changing Facility member permissions
Approving and denying Access Requests for Facility members
Adding and removing users from the Access Approvers list
Configuring Facility-level Group permissions and access
Creating a Facility
To create a Facility, navigate to the "Facilities" tab in the left menu, select "+ Create New Facility," and fill out the form in the right panel. Multiple Facilities can connect to a single Dispel Region, so there is no limit on the number of Facilities you can create per Region.
Removing a Facility
To remove a Facility, navigate to the "Facilities" tab in the left menu and select the Facility you would like to remove from the list. Select the "Settings" sub-tab for your selected Facility and click "Delete Facility". This will remove all access to the devices within this Facility, as well as any Facility Groups associated with it.
Adding a Member to a Facility
There are two primary methods to add a member to a Facility:
Adding the member directly from the Facilities -> Members page
Adding the member to a Facility-level Group
These members can be added to the Facility Group on the Groups page of the Dashboard, or they can be assigned to a Facility Group during onboarding.
We'll go over this in more detail in the Managing Facility Groups section.
For now, let's look at adding a member directly to the Facility:
On the Facilities page, navigate to the Members tab on the right and click the Add Member button:
Here, you will have the option to select the permission level of the member(s) you would like to add to the Facility. More on permissions in the next section.
To remove a member from a Facility, navigate to the Members tab of the Facilities page, click the three dots to the right of the member's name, and then click Remove from Facility.
Permission Levels
There are two levels of permissions in a Facility:
Admin - A Facility Admin has the ability to see and manage all Facility members, devices, and accesses. They are also automatically added to the Access Approvers list.
User - A Facility User is restricted to only being able to see and access what they are explicitly given access to. They are only able to see the admins in their Facility, devices they are given permission access to, and their own access requests.
To change a member's permission level, simply click the blue drop-down on the Members tab of the Facilities page for the member in question and select Admin or User.
Access Requests
If your organization has Access Requests enabled, then non-admin users will be required to request access for a determined period of time prior to using a virtual desktop or VPN. Facility Admins can approve these requests via email, via a direct link to the request, or on the Access Windows page.
Approvers Page
If you navigate to the Settings tab under Facilities, you are able to determine who is an approver of the Access Requests mentioned above. These users will receive request emails and can approve or deny requests on the Access Windows page. These users can be non-admins that are trusted to approve requests in their respective Facility.
They can be added by simply typing their email address and clicking Add members to approvers list. They can be removed by clicking the three dots next to their name and then clicking Remove approver.
By default, any member added to the Access requests page has emails for requests enabled. If a member would like to opt out of request emails, they are able to click the blue drop-down menu to the right of their name and click No Email.
Managing Facility Groups
Facility Admins have the ability to create and manage Facility Groups, which allow them to manage a large number of members with similar permissions with ease.
With regard to managing Facility Groups, a Facility Admin has the ability to:
Create, edit, and delete Facility Groups
Manage the ACLs, permissions, stacks, and members of the Facility Group
Create a Self-Onboarding link that automatically places users in a specific domain into the appropriate Facility Group with the necessary permissions
Creating a Facility Group
Navigate to the Groups tab on the dashboard and click Add Group, then click Add Facility Group.
Give the Group a name and description, select which Facility this Group is for, and then click Create Facility Group.
Configuring Access
On the Access page, you are able to determine which Device ACLs are enabled for the members in this Group. Simply select the appropriate ACLs, then click Set ACL Rules.
Assigning Permissions
On the Permissions page, you are able to determine the permission level for all members in the Facility Group. You can find an overview of the different permission levels here.
Assigning Stacks
On the Stacks page, click Add Stacks. From there, select the stacks you'd like to add to the Group and then click Add Stacks.
Assigning Members
On the Members page, click Add Members. From there, select the members you'd like to add to the Group and click Add members and refresh.
Editing Group Name or Description
From the Settings page, you can change the Group name or description, and then click Submit changes and refresh.
Deleting Group
From the Settings page, you can click Delete Group and then confirm Yes, delete Group.
Create Self-Onboarding Links for Members
Facility Admins have the ability to create self-onboarding links for members that allow them to have all the access and permissions they need to jump right into their work after creating their account. These links are tied to certain domains upon creation, so only members with emails ending in the matching domain are allowed to onboard.
To begin, navigate to the Members tab on the left.
From there, click Invite New Member and then Invite Using Invite Links.
On the next page, specify the domain of the allowed users and click Select and Continue. (Use commas to separate domains if there are multiple)
On this next page, select which Facility Groups you will be onboarding these members into and click Select and continue.
On the calendar page, set the duration of time that this link will be usable, then click Select and Continue.
Now, select the language that the invite link will be in. Click Select and continue.
Optionally, you are able to specify a custom name for this link. Click Select and continue.
Here, you can review your Invite Link settings and then click Create Invite Link.
You are now able to copy and paste this link to any members that you would like to onboard, and they will automatically be granted the permissions of the Group(s) they are assigned to.
Managing Devices
Devices are stored at the Facility level. This allows organizations to have devices that are segmented into their respective sites instead of having one large pool of devices for the entire moving-target defense network.
With regard to Devices, a Facility Admin has the ability to:
Create, edit, and delete devices
Assign and remove ACLs for members in their Facility
Creating a device
Navigate to the Devices tab on the dashboard and click Create.
Next, enter the appropriate information for this specific device. (Make and model are optional fields).
At the bottom of the prompt, you will be given the option to add the protocols you would like to use to connect to this device.
Enabling and disabling ACLs (Devices Page)
Devices function by enabling specific ports and protocols on a user-by-user basis. These ACLs are set by an admin and will remain inactive until a member's access window is approved. The ACLs are returned to inactive at the end of the access window.
Navigate to Access on the Devices page to view the ACLs for a specific device.
Once on this page, you can either click the port / protocol to enable or disable it, or click the three dots on the right-hand column to perform a bulk add / remove.
While non-admins only have access to device ACLs during a given access window, an admin will have access to these ACLs for as long as they are enabled for them.
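The activation rule described in this section, written out as a small model that is added here for illustration and is not Dispel's code or API. The Acl and AccessWindow records, the acl_is_active function and the sample members and devices are hypothetical; the model also assumes that an approved window applies to all of a member's enabled ACLs and that the window's end time is exclusive.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Acl:                      # hypothetical record: one port/protocol for one member
    member: str
    device: str
    port: int
    protocol: str
    enabled: bool               # toggled by an admin on the Devices or Members page

@dataclass(frozen=True)
class AccessWindow:             # hypothetical record: one access request
    member: str
    start: datetime
    end: datetime
    approved: bool

def acl_is_active(member, role, device, port, protocol, when, acls, windows):
    """Return True if the member can reach device port/protocol at `when`."""
    enabled = any(
        a.enabled and (a.member, a.device, a.port, a.protocol)
        == (member, device, port, protocol)
        for a in acls
    )
    if not enabled:
        return False            # never enabled by an admin: denied for everyone
    if role == "admin":
        return True             # admins keep access while the ACL is enabled
    # Non-admins: the enabled ACL is only active inside an approved window.
    # Assumption: the end time is exclusive.
    return any(
        w.member == member and w.approved and w.start <= when < w.end
        for w in windows
    )

# Constructed sample data (not from a real deployment).
ACLS = [
    Acl("vendor@example.com", "plc-01", 502, "tcp", True),
    Acl("vendor@example.com", "plc-01", 22, "tcp", False),
    Acl("admin@example.com", "plc-01", 22, "tcp", True),
]
WINDOWS = [
    AccessWindow("vendor@example.com", datetime(2024, 1, 10, 8), datetime(2024, 1, 10, 12), True),
    AccessWindow("vendor@example.com", datetime(2024, 1, 11, 8), datetime(2024, 1, 11, 12), False),
]
```

Running the same check over an export of enabled ACLs is a quick way to spot admin-role members whose ACLs stay reachable outside any access window.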
Enabling and Disabling ACLs (Members Page)
This option can be useful if you want to give a specific member ACLs to multiple devices at a time. Navigate to the Members page, select the relevant person, and then click Devices.
Here, you will see all the devices associated with this member. Just like in the Devices page, you are able to add/remove any ACLs you would like them to have here.
Editing a device’s settings after creation
The General tab allows you to change the basic attributes such as the name, make, and model of a device.
The Connection tab allows you to edit the networking information, such as the IP address, the ports, and protocol for those ports.
Managing Access Windows
The Access Windows page allows admins to grant just-in-time access to users and vendors who need to use the Dispel platform, all managed within the web dashboard.
An admin has three options to approve or deny just-in-time access requests:
The admin can use the Access Windows page to approve or deny just-in-time Access Requests
Access Requests can be approved or denied via automatic emails that are sent to the admins and facility access approvers at the time of a request
The user can copy and paste a link that leads directly to the request and send it to their admin or Facility access approver
Alternatively, an Admin can choose to create a pre-approved Access Window for a user so that there is no need for a request / approval cycle.
To read more about the Access Windows feature, see the guide attached below: