Organizational Integration

If your organization provides several web applications, you can apply the multi-user feature of vWAF to distribute the management of the individual web applications to different persons.

The advantage of this approach is that each of those persons is very familiar with the special features and structures of “their” web application, so they’re able to protect it in the most effective way. vWAF integrates seamlessly into existing company structures and doesn’t allow any conflicts of expertise to occur.

Optionally, you can define user groups with limited permissions, such as for monitoring only or for particular tasks.

Typical scenario

In more complex environments with multiple hosts and applications, usually the scenario is as follows:

The administration of vWAF itself is carried out centrally, e.g. by a designated staff member specialized in network security. In particular, this concerns the integration into the IT infrastructure, as well as the management of the web applications being protected and of the persons who are granted access.

The individual web applications are protected decentrally by different designated staff members. These persons only have access to the security configuration of “their” web application.

In addition, sometimes there are also persons who only need to perform very particular tasks and who therefore only need limited access rights.

User groups

In vWAF you can assign users to different user groups:

  • zeusafm Administrator

    Has all rights. Can edit the security configuration for all applications without having to be assigned those rights specifically. Sets up new applications and can create new administrators and user groups.

  • Application Administrator

    Edits only the security configurations of the applications that were assigned to him/her by the zeusafm Administrator user. Can only view the global vWAF configuration but can’t edit it. For example, can’t add new applications or users. In the navigation area, only sees “his”/“her” applications, which might be only a subset of all the applications protected by vWAF.

  • PCI Auditor

    This is a special user group designed for persons who conduct Payment Card Industry (PCI) audits. Users of this group can view the entire configuration except for application-specific log files and application-specific statistics, but they can’t change any configuration settings.

  • User defined user groups

    Permissions can be fully customized.

Multiple assignments

A user can be a member of any number of user groups. Each user group grants its specific read/write permissions to the user.

Likewise, an application can have as many Application Administrators as required. To guarantee continuous support in the event of holidays and illnesses, typically at least two persons should be assigned for the management of each application.

Example scenario

A company could map its hosts to the following applications and entrust the administration to several persons:

  • For each application, there are two Application Administrators. The persons “smiller” and “ajohnson” as well as “jsmith” and “rpeters” are each assigned two applications. The persons “awinter” and “tswenson” are responsible only for the “webshop” application.

  • In addition to the Application Administrators, there are also the two staff members “jmccloud” and “rmcdonald”. As members of the “zeusafm Administrator” user group, they can make system-wide settings and can administer all applications.

  • As a member of the management department, “ppowers” only wants to monitor email reports for the webshop. For this purpose, a user-defined user group “webshopmonitoring” has been created, and “ppowers” is assigned to just this one group.

Application   Application Admin    Read/Write permission                     Read permission only
portal        smiller, ajohnson    smiller, ajohnson, jmccloud, rmcdonald
blog          smiller, ajohnson    smiller, ajohnson, jmccloud, rmcdonald
webshop       awinter, tswenson    awinter, tswenson, jmccloud, rmcdonald    ppowers
extranet      jsmith, rpeters      jsmith, rpeters, jmccloud, rmcdonald
intranet      jsmith, rpeters      jsmith, rpeters, jmccloud, rmcdonald

For more information regarding management of users, see User Management and Group Management.
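The example scenario can be checked as an access review. The following is an added example, not vWAF's API or configuration format: it models the group assignments above, derives the effective permission table, and flags applications with fewer than two Application Administrators. It assumes that permissions from several groups are additive, so write access from one group is not reduced by read-only access from another; all function and variable names are hypothetical.

```python
# Added example: a model of the page's group scheme, not vWAF's API or config format.
ADMIN_GROUP = "zeusafm Administrator"

# Application Administrator assignments from the example scenario.
APP_ADMINS = {
    "portal": {"smiller", "ajohnson"},
    "blog": {"smiller", "ajohnson"},
    "webshop": {"awinter", "tswenson"},
    "extranet": {"jsmith", "rpeters"},
    "intranet": {"jsmith", "rpeters"},
}
# Other groups: name -> (members, {application: "r" or "rw"}).
# ADMIN_GROUP needs no per-application grants because it has all rights.
GROUPS = {
    ADMIN_GROUP: ({"jmccloud", "rmcdonald"}, {}),
    "webshopmonitoring": ({"ppowers"}, {"webshop": "r"}),
}

def effective_access(app_admins, groups):
    """Return {application: {user: "r" | "rw"}} as the union over all groups."""
    matrix = {app: {u: "rw" for u in admins} for app, admins in app_admins.items()}
    for name, (members, grants) in groups.items():
        if name == ADMIN_GROUP:
            grants = {app: "rw" for app in app_admins}
        for app, level in grants.items():
            users = matrix.setdefault(app, {})
            for user in members:
                # Assumption: write access from any group wins over read-only.
                if users.get(user) != "rw":
                    users[user] = level
    return matrix

def understaffed(app_admins, minimum=2):
    """Applications with fewer Application Administrators than recommended."""
    return sorted(app for app, admins in app_admins.items() if len(admins) < minimum)

def writers(matrix, app):
    return sorted(u for u, level in matrix[app].items() if level == "rw")

def readers_only(matrix, app):
    return sorted(u for u, level in matrix[app].items() if level == "r")

if __name__ == "__main__":
    m = effective_access(APP_ADMINS, GROUPS)
    for app in APP_ADMINS:
        print(f"{app:9} rw={writers(m, app)} r={readers_only(m, app)}")
    print("fewer than two admins:", understaffed(APP_ADMINS))
```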

What happens in the case of simultaneous editing?

When logging in, vWAF always loads the active configuration. If two administrators log in at the same time, each edits a copy of the version that was active when they logged in. Each administrator can commit and activate his/her new version. In the end, the version that was activated last remains active.