Expand Claims and Permissions for Enhanced Dashboard Access

What is a one sentence summary of your feature request?

Improve “Claims” permissions by adding additional Claims and Role configurations to enhance access control and dashboard management capabilities.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The current setup for Claims and Permissions in PingCastle limits flexibility and control for users, particularly regarding Dashboard access.

Currently, Dashboards can only be accessed by users with local “Admin” permissions, which restricts non-admin users from utilizing critical features without being granted excessive privileges. Additionally, there is no Claims configuration available for Dashboard access, which undermines the fine-grained access control that Claims are designed to provide.

Furthermore, the existing Claims do not integrate properly with the Entra ID SSO configuration, as “Role” Claims or “Group” Claims are ignored despite being present in the user’s Debug Information. This inconsistency creates confusion and potential security risks.

The available Roles (“Viewer,” “Operator,” and “Owner”) are insufficient for a diverse range of use cases. By adding new Roles such as “Admin,” “Security Officer,” “Domain Owner,” and the ability to create Custom Roles with Checkbox selections for Permissions/Page Access, the system would enable administrators to tailor access more precisely and securely.

How do you currently solve the challenges you have by not having this feature?

Currently, to provide non-admin users with Dashboard access, I find myself granting them local “Admin” permissions, which exposes them to settings and configurations that they should not have access to. This not only increases security risks but also leads to potential misconfigurations.

The lack of Claims configuration for Dashboard access restricts the ability to enforce least privilege principles, meaning that users must hold more permissions than necessary to perform their tasks. Additionally, dealing with the inconsistencies in Claims and SSO integration has become frustrating, as relying on manual adjustments without the assurance that selected Claims will be honored isn’t scalable or efficient.

Overall, the missing functionality creates operational bottlenecks and complicates user role management, making it clear that improvements in Claims and Permissions are paramount for effective and secure management within PingCastle.

Hi again Philipp,
I should have read this before responding to your other post :)
This is totally a current pain point for you and other customers, and I’m glad to be able to say we’re already working to resolve some of it!

Entra ID Role Claims
Currently, as I am sure you know, PingCastle doesn’t accept these, as the application overrides the received claims. We will be making this a merge of claims rather than overriding all the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claims, allowing you to delegate the level of access required directly from Entra ID.

Dashboard Claim
The dashboard claim does also have some bugs we are looking to fix that I forgot to include in your other post. In general, permissions on Entities are how you control access to the dashboards; as you can see here, all permission types on Entities should show the dashboard.

That being said, the bug in question is that it only works for direct permissions and not for claims permissions. The development team are currently looking into this and we will have a solution in the upcoming patch.

Feature: Simplifying Access Management
There are big inconsistencies here as you state with three separate places to set permissions:

  • Domains (Individual domains)
  • Entities (Groups of domains and specific permissions)
  • Product Roles (Admin, Manage Report, etc.)

It would be great to know if:

  • You were aware of all three of these places for permissions?
  • You think we should merge permissions screens into a more unified view. I can work with our UX team to come up with some ideas.
  • You think enhancing the documentation of the product would resolve a lot of your issues?

I will make sure to let you know when we release the new build with the fixes for app roles etc!
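As an added illustration of the override-versus-merge behaviour Joe describes for the Entra ID role claims (example code written here, not PingCastle’s or Netwrix’s own), using constructed sample claims and an assumed Viewer < Operator < Owner ranking of the three entity roles:

```python
# Illustrative model (added example, not PingCastle's code) of the two behaviours:
# the current one, where the application's own claims replace whatever the
# identity provider sent, and the proposed one, where both sets are merged.
from dataclasses import dataclass

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Assumed ranking of the roles named on the page; used only for this illustration.
ROLE_RANK = {"Viewer": 1, "Operator": 2, "Owner": 3}


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


# Constructed sample: claims the application already holds for the local account ...
LOCAL_CLAIMS = [Claim("name", "philipp"), Claim(ROLE_CLAIM, "Viewer")]
# ... and the claims carried in the Entra ID token (also constructed).
TOKEN_CLAIMS = [
    Claim("name", "philipp"),
    Claim(ROLE_CLAIM, "Operator"),
    Claim(ROLE_CLAIM, "Viewer"),
]


def override_claims(local, incoming):
    """Current behaviour: local claims win outright, so every role claim the
    identity provider sent is silently dropped."""
    return list(local)


def merge_claims(local, incoming):
    """Proposed behaviour: union of both sets, de-duplicated on (type, value)
    so a role granted both locally and by Entra ID appears once."""
    seen, merged = set(), []
    for claim in list(local) + list(incoming):
        key = (claim.type, claim.value)
        if key not in seen:
            seen.add(key)
            merged.append(claim)
    return merged


def roles(claims):
    """Sorted, de-duplicated values of the role claim type."""
    return sorted({c.value for c in claims if c.type == ROLE_CLAIM})


def effective_role(claims):
    """Highest known entity role present in the claims, or None if there is none."""
    known = [r for r in roles(claims) if r in ROLE_RANK]
    return max(known, key=ROLE_RANK.__getitem__) if known else None
```

With the override, the user keeps only the locally assigned Viewer role even though the token grants Operator; with the merge, the Entra ID role claim is honoured and the effective role becomes Operator.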

Hi Joe,

Yes, fully aware of the places for permissions.

I wanted to clarify the current differences between Permissions and Role Permissions in the existing version. As it stands, there are Owner, Operator, and Viewer, which can be assigned entities via claims. It’s important to note that a user cannot be assigned the “Operator” role globally; only the Admin role can be assigned through individual user assignments. Other permissions, like “Manage Reports,” are also categorized under individual user assignments but are not included in any claim permission roles such as “Owner,” which can cause additional confusion.

While I find the current individual permission assignments valid for specific cases, I believe that a “User Management” screen under “Configuration” would be more effective for a broader scope, particularly for the Enterprise Edition. This should encompass the existing “user configuration” options for individual account settings, such as updating/enforcing MFA, resetting passwords, changing email addresses, and manual role assignments.

Additionally, a “Role Management” screen would be advantageous for adding custom roles and selecting access options from a single view. It should clearly display the setup of “Entities” to simplify permission assignments. For example, not every operator needs access to the “Maturity Dashboard,” nor does every Security Officer require access to specific reports. Multi-level checkboxes would likely be a standard and effective approach for managing these permissions.

As you mentioned, I’ve observed that the documentation is currently lacking. I previously raised this concern with your team during the onboarding and initial feedback sessions. There is a substantial need to enhance the quality of the documentation. With the upcoming changes related to rebranding and reconfiguration, it would be prudent to update the documentation with each new release.

Philipp


This is great feedback Philipp. Thanks again for the detailed information and explaining the different use cases further.

I absolutely think this is something we will end up doing but may take some time. I will work with the user experience team to see if we can come up with some prototypes over the coming weeks and will keep you updated on potential ideas and progress!

Edit…
Regarding documentation, we will be working to improve this, I promise! I have drafted some replacements for things like authentication providers and the quick installation. Maybe not a thing for right now, but if you are ever looking at the documentation and find an issue with it, there is a feedback button that submits a ticket directly to our documentation team, who will check it out, confirm with me and get the page updated. Netwrix as a whole generally updates documentation for each release, but with the PingCastle acquisition there is so much to update.
