Welcome to Dispel! This guide is intended to assist a new Facility Admin on the Dispel Dashboard. This guide covers the following:

A Facility Admin is a role level within the Dispel dashboard with the permissions necessary to handle day-to-day management of devices and access requests on the dashboard.

These may be Plant Managers responsible for editing ACLs and responding to Access Requests for their Facility or Senior Operations personnel that cover for plant managers outside of normal hours

Facilities segment regions into specific sites and allow for more granular control over members and devices within the moving-target defense network.

A Facility Admin can manage their Facility in the following ways:

There are two primary methods to add a member to a Facility:

For now, let's look at adding a member directly to the Facility:

On the Facilities page, navigate to the Members tab on the right and click the Add Member button:

Here, you will have the option to select the permission level of the member(s) you would like to add to the Facility. More on permissions in the next section.

There are two levels of permissions in a Facility:
​
​Admin - A Facility Admin has the ability to see and manage all Facility members, devices, and accesses. They are also automatically added to the Access Approvers list.

User - A Facility User is restricted to only being able to see and access what they are explicitly given access to. They are only able to see the admins in their Facility, devices they are given permission access to, and their own access requests.

If your organization has Access Requests enabled, then non-admin users will be required to request access for a determined period of time prior to using a virtual desktop or VPN. Facility admins have the ability to approve these request via email, a direct link to the request, or by the Access Windows page.

If you navigate to the Settings tab under Facilities, you are able to determine who is an approver of the Access Requests mentioned above. These users will receive request emails and can approve or deny requests on the Access Windows page. These users can be non-admins that are trusted to approve requests in their respective Facility.

They can be added by simply typing their email address and clicking Add members to approvers list. They can be removed by clicking the three dots next to their name and then clicking Remove approver.

By default, any member added to the Access requests page has emails for requests enabled. If a member would like to opt out of request emails, they are able click the blue drop-down menu to the right of their name and click No Email.

Facility Admins have the ability to create and manage Facility Groups, which allow them to manage a large amount of members of similar permissions with ease.

In regards to managing Facility Groups, a Facility Admin has the ability to:

Navigate to the Groups tab on dashboard and click Add Group, then click Add Facility Group.

Give the Group a name and description, select which Facility this Group is for, and then click Create Facility Group.

On the Access page, you are able to determine which Device ACLs are enabled for the members in this Group. Simply select the appropriate ACLs, then click Set ACL Rules

On the Permissions page, you are able to determine the permission level for all members in the Facility Group. You can find an overview of the different permissions levels here.

On the Stacks page, click Add Stacks. From there, select the stacks you'd like to add to the Group and then click Add Stacks.

On the Members page, click Add Members. From there, select the members you'd like to add to the Group and click Add members and refresh.

From the Settings page, you can change the Group name or description, and then click Submit changes and refresh.

From the Settings page, you can click Delete Group and then confirm Yes, delete Group.

Facility Admins have the ability to create self-onboarding links for members that allow them to have all the access and permissions they need to jump right into their work after creating their account. These links are tied to certain domains upon creation, so only members with emails ending in the matching domain are allowed to onboard.

To begin, navigate to the Members tab on the left.

From there, click Invite New Member and then Invite Using Invite Links.

On the next page, specify the domain of the allowed users and click Select and Continue. (Use commas to separate domains if there are multiple)

On this next page, select which Facility Groups you will be onboarding these members into and click Select and continue.

On the calendar page, set the duration of time that this link will be usable, then click Select and Continue.

Now, select the language that the invite link will be in. Click Select and continue.

Optionally, you are able to specify a custom name for this link. Click Select and continue.

Here, you can review your Invite Link settings and then click Create Invite Link.

You are now able to copy and paste this link to any members that you would linke to onboard, and they will automatically be granted the permissions of the Group(s) they are assigned to.

Devices are stored at the Facility level. This allows for organizations to have devices that are segmented into their respective sites instead of having one large pool of devices for the entire moving-target defense network.

In regards to Devices, a Facility Admin has the ability to:

Navigate to the Devices tab on dashboard and click Create

Next, enter the appropriate information for this specific device. (Make and model are optional fields).

At the bottom of the prompt, you will be given the option to add protocols in which you would like to connect to this device.

Devices function by enabling specific ports and protocols on a user-by-user basis. These ACLs are set by an admin and will remain inactive until a member's access window is approved. The ACLs are returned to inactive at the end of the access window.

Navigate to Access on the Devices page to view the ACLs for a specific device

Once on this page, you can either click the port / protocol to enable or disable it, or click the three dots on the right-hand column to perform a bulk add / remove.

While non-admins only have access to device ACLs during a given access window, an admin will have access to these ACLs as long as it is enabled for them.

This option can be useful if you want to give a specific member ACLs to multiple devices at a time. Navigate to the Members page, select the relevant person, and then click Devices.

Here, you will see all the devices associated with this member. Just like in the Devices page, you are able to add/remove any ACLs you would like them to have here.
​

The General tab allows you to change the basic attributes such as the name, make, and model of a device.

The Connection tab allows you to edit the networking information, such as the IP address, the ports, and protocol for those ports.

The Access Windows page allows admins the ability to grant just-in-time access to users and vendors who need to use the Dispel platform - all managed within the web dashboard.
​

An admin has three options to approve or deny just-in-time access requests:

Alternatively, an Admin can choose to create a pre-approved Access Window for a user so that there is no need for a request / approval cycle.

To read more about the Access Windows feature, see the guide attached below: